CISA Summary V1.0

Christian Reina, CISSP

Version 1.0
Date: June 7, 2010

This document may be used only for informational, training and noncommercial purposes. You are free to copy, distribute, publish and alter this document under the conditions that you give credit to the original author. 2010 - Christian Reina, CISSP.

Domain 1 – IT Governance

“Collection of top-down activities intended to control the IT organization from a strategic perspective.”

- Policy
- Priorities
- Standards
- Vendor Management
- Program/Project Management

IT Strategy Committee: Advise the board of directors on strategies.

Balanced Scorecard: Measure performance and effectiveness.
- Business contribution: Perception from non-IT executives
- User: Satisfaction
- Operational excellence: downtime, defects, support tickets
- Innovation: increase IT value with innovation

Information Security Governance – Roles and responsibilities
- Board of Directors: risk appetite and risk management
- Steering Committee: Operational strategy for security and risk management
- CISO: conducting risk assessment, developing security policy, vulnerability management, incident management, compliance
- Employees: Comply with policies

Enterprise Architecture (EA): Map business functions into the IT environment as a model. Activities to ensure business needs are met.
- Zachman Model: IT systems and environments are described at a high, functional level, and then in increasing detail
- DFD: Illustrate the flow of information

Risk Management: Seek, identify, and manage risk.
- Accept
- Mitigate
- Transfer
- Avoid

Risk Management Program
- Objectives: reduce costs, incidents
- Scope
- Authority: Executive level of commitment
- Resources: Policies, processes, procedures, and records

Risk Management Process
1. Asset Identification: Equipment, information, records, reputation, personnel
   o Grouping assets
   o Sources of asset data: Interviews, IT systems, online data
   o Organizing data: Business process, geography, OU, sensitivity, regulated
2. Risk Analysis
   o Threat analysis: All threats with a realistic opportunity of occurrence
   o Vulnerability identification: Ranked by severity or criticality
   o Probability analysis: Requires research to develop best guesses
   o Impact analysis: Study of estimating the impact of specific threats on specific assets
   o Qualitative: Subjective, using a numeric scale
   o Quantitative:
     - Asset Value (AV)
     - Exposure Factor (EF)
     - Single Loss Expectancy (SLE) = AV x EF
     - Annualized Rate of Occurrence (ARO)
     - Annualized Loss Expectancy (ALE) = SLE x ARO
3. Risk Treatments
   o Risk Mitigation
   o Risk Transfer
   o Risk Avoidance
   o Risk Acceptance
   o Residual Risk
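A worked quantitative risk analysis carrying the SLE and ALE formulas from the Risk Analysis step through to a mitigation decision, added here as an example and not part of the original summary. The asset value, exposure factor, occurrence rate and control cost are constructed figures, and comparing a control's yearly cost against the ALE it removes (leaving residual risk) is a common justification technique, not a formula the summary itself states.

```python
"""Quantitative risk analysis: SLE = AV x EF, ALE = SLE x ARO, and the
residual ALE left after a mitigating control is applied.

Added example, not part of the original summary. All monetary values,
exposure factors, ARO figures and control costs are constructed, and the
"control cost vs. ALE reduction" comparison is an assumed decision rule.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset's value lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is the expected number of occurrences per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass
class Scenario:
    """One threat acting on one asset, before any treatment is applied."""
    name: str
    asset_value: float
    exposure_factor: float
    aro: float

    def ale(self) -> float:
        sle = single_loss_expectancy(self.asset_value, self.exposure_factor)
        return annualized_loss_expectancy(sle, self.aro)


def evaluate_mitigation(scenario: Scenario, control_cost_per_year: float,
                        new_exposure_factor: float, new_aro: float) -> dict:
    """Compare the yearly cost of a control against the ALE it removes.

    The ALE that remains with the control in place is the residual risk.
    Assumed decision rule: mitigate when the ALE reduction exceeds the
    control's annual cost; otherwise accept, transfer or avoid instead.
    """
    before = scenario.ale()
    residual = annualized_loss_expectancy(
        single_loss_expectancy(scenario.asset_value, new_exposure_factor), new_aro)
    reduction = before - residual
    return {
        "ale_before": before,
        "residual_ale": residual,
        "ale_reduction": reduction,
        "control_cost": control_cost_per_year,
        "net_benefit": reduction - control_cost_per_year,
        "recommended": reduction > control_cost_per_year,
    }


# Constructed scenario: a customer database valued at $500,000 where a breach
# is assumed to destroy 30% of its value, expected once every two years.
CUSTOMER_DB = Scenario("customer database breach", 500_000, 0.30, 0.5)

if __name__ == "__main__":
    # Constructed control: a $20,000/year monitoring service assumed to cut
    # the exposure factor to 10% and halve the rate of occurrence.
    result = evaluate_mitigation(CUSTOMER_DB, 20_000, 0.10, 0.25)
    print(f"SLE before control: {single_loss_expectancy(500_000, 0.30):,.0f}")
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the constructed figures the ALE falls from 75,000 to a residual 12,500 per year, so the 20,000 control leaves a net benefit of 42,500 and mitigation is the recommended treatment; changing the control cost to 70,000 flips the recommendation, which is the point of running the numbers before choosing a treatment.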

IT Management Practices
1. Personnel Management
   a. Hiring: Background check, employee policy manual, job description
   b. Employee development: Training, performance evaluation, career path
   c. Mandatory vacations: Audit, cross training, reduced risk
   d. Termination
   e. Transfers and reassignments
2. Sourcing
   a. Insource
   b. Outsource: risks, SLA, policy, governance (service level agreements, change management, security, quality, audits), SaaS
3. Change Management
   a. Request
   b. Review
   c. Approve
   d. Perform change
   e. Verify change
4. Financial Management
   a. Develop
   b. Purchase
   c. Rent
5. Quality Management
   a. Software development
   b. Software acquisition
   c. Service desk
   d. IT operations
   e. Security
   f. Standards:
      i. ISO 9000: Superseded by ISO 9001:2008 Quality Management System
      ii. ISO 20000: IT Service Management for organizations adopting ITIL
      iii. ITIL
         1. Service Delivery
         2. Control Processes
         3. Release Processes
         4. Relationship Processes
         5. Resolution Processes
6. Security Management
   a. Security governance
   b. Risk assessment
   c. Incident management
   d. Vulnerability management
   e. Access and identity management
   f. Compliance management
   g. BCP
7. Performance Management
   a. COBIT
   b. SEI CMMI

Roles and Responsibilities
1. Executive Management: CIO, CTO, CSO, CISO, CPO
2. Software Development: architect, analyst, developer, programmer, tester
3. Data Management: architect, DBA, analyst
4. Network Management: architect, engineer, administrator, telecom
5. Systems Management: architect, engineer, storage, systems administrator
6. Operations: manager, analyst, controls analyst, data entry, media librarian
7. Security Operations: architect, engineer, analyst, account management, auditor
8. Service Desk: help desk, technical support

Segregation of Duties Controls
1. Transaction authorization
2. Split custody
3. Workflow: extra approval
4. Periodic reviews
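A segregation-of-duties check of the kind an auditor runs over access records during a periodic review, added here as an example and not part of the original summary. The duty names, the pairs treated as conflicting (initiate vs. authorize, custody vs. recording, develop vs. deploy) and the user assignments are all constructed for illustration.

```python
"""Segregation-of-duties review: flag users whose combined duties would let
one person both initiate and authorize a transaction, hold custody and keep
the record, or write code and deploy it.

Added example, not part of the original summary. The conflict matrix and
the user-to-duty assignments are constructed sample data.
"""
from itertools import combinations

# Constructed conflict matrix: pairs of duties one person should not hold.
CONFLICTING_DUTIES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_transaction", "authorize_transaction"}),
    frozenset({"custody_of_cash", "record_cash_receipts"}),
    frozenset({"develop_code", "deploy_to_production"}),
}

# Constructed access records: user -> duties granted through their roles.
ASSIGNMENTS = {
    "alice": {"enter_transaction", "record_cash_receipts"},
    "bob":   {"enter_transaction", "authorize_transaction"},
    "carol": {"create_vendor", "approve_payment", "develop_code"},
    "dave":  {"develop_code"},
}


def find_conflicts(assignments, conflict_matrix):
    """Return {user: [(duty_a, duty_b), ...]} for every user holding a
    conflicting pair. Pairs are sorted so the output is deterministic."""
    conflicts = {}
    for user, duties in assignments.items():
        hits = [(a, b) for a, b in combinations(sorted(duties), 2)
                if frozenset({a, b}) in conflict_matrix]
        if hits:
            conflicts[user] = hits
    return conflicts


def exception_report(conflicts):
    """One line per conflict, the form a reviewer would attach to the workpaper.
    Each finding needs either a change of roles or a documented compensating
    control such as an extra workflow approval or periodic review."""
    return [f"{user}: {a} + {b}"
            for user, pairs in sorted(conflicts.items())
            for a, b in pairs]


if __name__ == "__main__":
    for line in exception_report(find_conflicts(ASSIGNMENTS, CONFLICTING_DUTIES)):
        print(line)
```

On the sample data only bob (enters and authorizes) and carol (creates vendors and approves payments) are reported; alice and dave hold duties from different pairs, which is not a conflict.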

Auditing IT Governance
1. Reviewing Documentation and Records:
   a. IT charter, strategy
   b. IT org chart
   c. HR/IT performance
   d. HR promotion policy
   e. HR manuals
   f. Life-cycle processes and procedures
   g. IT operations procedures
   h. IT procurement process
   i. Quality management documents
2. Reviewing Contracts
   a. Service levels
   b. Quality levels
   c. Right to audit
   d. 3rd party audit
   e. Conformance to policies, laws, regulations
   f. Incident notification
   g. Liabilities
   h. Termination terms
   i. Protection of PII
3. Reviewing Outsourcing
   a. Distance
   b. Lack of audit contract terms
   c. Lack of cooperation

Domain 2 – The Audit Process

Assess and evaluate the effectiveness of IT.

AUDIT MANAGEMENT
- The Audit Charter: Define roles and responsibilities. Sufficient authority.
- The Audit Program: scope, objectives, resources, procedures
- Strategic Audit Planning:
  o Factors: Business goals and objectives, initiatives, market conditions, changes in technology, regulatory requirements
  o Changes in audit activities: New internal audits, new external audits, increase in audit scope, impact on business process
  o Resource planning: Budget and manpower
- Audit and Technology: Continue learning about new technologies
- Audit Laws and Regulations:
  o Characteristics: Security, integrity, privacy
  o Computer security and privacy regulations:
    - Categories: Computer trespass, protection of sensitive information, collection and use of information, law enforcement investigative powers
    - Consequences: Loss of reputation, competitive advantage, sanctions, lawsuits, fines, prosecution

“An organization should take a systematic approach to determine the applicability of regulations as well as the steps required to attain compliance and remain in this state.”

US Regulations:
- Access Device Fraud 1984
- Computer Fraud and Abuse Act 1984
- Electronic Communications Act 1986
- Electronic Communications Privacy Act (ECPA) 1986
- Computer Security Act 1987
- Computer Matching and Privacy Protection Act 1988
- Communications Assistance for Law Enforcement Act (CALEA) 1994
- Economic and Protection of Proprietary Information Act 1996
- Health Insurance Portability and Accountability Act (HIPAA) 1996
- Children’s Online Privacy Protection Act (COPPA) 1998
- Identity Theft and Assumption Deterrence Act 1998
- Gramm-Leach-Bliley Act 1999
- Federal Energy Regulatory Commission (FERC)
- Provide Appropriate Tools Required to Intercept and Obstruct Terrorism Act (PATRIOT) 2001
- Sarbanes-Oxley Act 2002
- Federal Information Security Management Act (FISMA) 2002
- Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) 2003
- California Privacy Act SB1386 2003
- Identity Theft and Assumption Deterrence Act 2003
- Basel II 2004
- Payment Card Industry Data Security Standard (PCI-DSS) 2004
- North American Electric Reliability Corporation (NERC) 1968/2006
- Massachusetts Security Breach Law 2007

Canadian Regulations:
- Interception of Communications, Section 184
- Unauthorized Use of Computer, Section 342.1
- Privacy Act 1983
- Personal Information Protection and Electronic Documents Act (PIPEDA)

European Regulations:
- Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981
- Computer Misuse Act (CMA) 1990
- Directive on the Protection of Personal Data 2003
- European Union Data Protection Act (DPA) 1998
- Regulation of Investigatory Powers Act 2000
- Anti-Terrorism Crime and Security Act 2001
- Privacy and Electronic Communications Regulations 2003
- Fraud Act 2006
- Police and Justice Act 2006

Other Regulations:
- Cybercrime Act 2001, Australia
- Information Technology Act 2000, India

ISACA AUDITING STANDARDS

Code of Ethics: Members and ISACA certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

Audit Standards
- S1, Audit Charter
- S2, Independence
- S3, Professional Ethics and Standards
- S4, Professional Competence
- S5, Planning
- S6, Performance of Audit Work
- S7, Reporting
- S8, Follow-up Activities
- S9, Irregularities and Illegal Acts
- S10, IT Governance
- S11, Use of Risk Assessment in Audit Planning
- S12, Audit Materiality
- S13, Use the Work of Other Experts
- S14, Audit Evidence
- S15, IT Controls
- S16, E-Commerce

Audit Guidelines
- G1, Using the Work of Other Auditors
- G2, Audit Evidence Requirement
- G3, Use of Computer-Assisted Audit Techniques (CAATs)
- G4, Outsourcing of IS Activities to Other Organizations
- G5, Audit Charter
- G6, Materiality Concepts for Auditing IS
- G7, Due Professional Care
- G8, Audit Documentation
- G9, Audit Considerations for Irregularities and Illegal Acts
- G10, Audit Sampling
- G11, Effect of Pervasive IS Controls
- G12, Organizational Relationship and Independence
- G13, Use of Risk Assessment in Audit Planning
- G14, Application Systems Review
- G15, Planning
- G16, Effect of Third Parties on an Organization’s IT Controls
- G17, Effect of Nonaudit Role on the IS Auditor’s Independence
- G18, IT Governance
- G19, Irregularities and Illegal Acts
- G20, Reporting
- G21, Enterprise Resource Planning (ERP) Systems Review
- G22, Business to Consumer (B2C) E-Commerce Review
- G23, SDLC Review
- G24, Internet Banking
- G25, Review of VPN
- G26, Business Process Reengineering (BPR) Review
- G27, Mobile Computing
- G28, Computer Forensics
- G29, Post-implementation Review
- G30, Competence
- G31, Privacy
- G32, BCP
- G33, General Consideration on the Use of the Internet
- G34, Responsibility, Authority, and Accountability
- G35, Follow-up Activities
- G36, Biometric Controls
- G37, Configuration Management
- G38, Access Controls
- G39, IT Organization
- G40, Review of Security Management Practices

Audit Procedures
- P1, Risk Assessment
- P2, Digital Signature and Key Management
- P3, IDS
- P4, Viruses
- P5, Control Risk Self-Assessment
- P6, Firewall
- P7, Irregularities and Illegal Acts
- P8, Security Assessment (pen test, vulnerability analysis)
- P9, Encryption
- P10, Business Application Change Control
- P11, Electronic Funds Transfer

RISK ANALYSIS
- Evaluating business processes
- Identifying business risks
- Risk mitigation
- Countermeasures assessment
- Monitoring

INTERNAL CONTROLS
- Control Classification
  o Types: Technical, administrative, physical
  o Classes: Preventative, detective, deterrent, corrective, compensating, recovery
  o Categories: Manual, automatic
- Internal Control Objectives: Statements of desired outcomes from business operations, e.g. protection of IT assets, availability of IT systems
  o IS Control Objectives: Protection of information from unauthorized personnel, integrity of operating systems
- General Computing Controls (GCCs): Controls that apply across all applications and services, e.g. passwords are encrypted, strong passwords
- IS Controls: Each GCC is mapped to a specific IS control on each system type.

PERFORMING AN AUDIT
- Formal Planning:
  o Purpose
  o Scope
  o Risk analysis
  o Audit procedures
  o Resources
  o Schedule
- Types:
  o Operational
  o Financial
  o IS audit
  o Administrative
  o Compliance
  o Forensic
  o Service provider
  o Pre-audit
- Compliance vs. Substantive Testing
  o Compliance: Determine if control procedures have been properly designed and implemented and are operating properly.
  o Substantive: Determine the accuracy and integrity of transactions that flow through processes and information systems.
- Audit Methodology
  o Audit subject
  o Audit objective
  o Audit type
  o Audit scope
  o Pre-audit planning
  o Audit SoW
  o Audit procedures
  o Communication plan
  o Report preparation
  o Wrap-up
  o Post-audit follow-up
- Audit Evidence
  o Independence of the evidence provider
  o Qualifications of the evidence provider
  o Objectivity
  o Timing
- Gathering Evidence
  o Org chart
  o Review dept and project charters
  o Review 3rd party contracts
  o Review IS policies and procedures
  o Review IS standards
  o Review IS documentation
  o Personnel interviews
  o Passive observation
- Observing Personnel
  o Real tasks
  o Skills and experience
  o Security awareness
  o Segregation of duties
- Sampling
  o Statistical: Reflect the entire population
  o Judgmental: Subjectively selects samples based on established criteria
  o Attribute: Samples are examined and a specific attribute is chosen
  o Variable: Determine the characteristic of a given population to determine total value
  o Stop-or-go: Sampling can stop at the earliest possible time due to low risk and rate of exceptions
  o Discovery: Trying to find at least one exception in a population
  o Stratified: Create different classes and review one attribute common to all classes
- Computer-Assisted Audit: CAATs help examine and evaluate data across complex environments
- Reporting Audit Results
  o Cover letter
  o Intro
  o Summary
  o Description
  o Listing of systems and processes examined
  o Listing of interviewees
  o Listing of evidence obtained
  o Explanation of sampling technique
  o Description of findings and recommendations
- Audit Risk
  o Control risk: error undetected by an internal control
  o Detection risk: IS auditor will overlook errors
  o Inherent risk: Inherent risks exist independent of the audit
  o Overall audit risk: summation of all of the residual risks
  o Sampling risk: sampling technique will not detect
- Materiality: A monetary threshold in financial audits

CONTROL SELF-ASSESSMENT
Methodology used by an organization to review key business objectives, and the key controls designed to manage those risks.
- Advantages
  o Risks detected earlier
  o Improvement of internal controls
  o Ownership of controls
  o Improved employee awareness
  o Improved relationship between departments and auditors
- Disadvantages
  o Mistaken as a substitute for internal audit
  o May be considered extra work
  o May be considered an attempt by an auditor to shrug off responsibilities
  o Lack of employee involvement has no results
- Life Cycle
  o Identify and assess risks
  o Identify and assess controls
  o Develop questionnaire or workshop
  o Analyze completed questionnaire
  o Control remediation
  o Awareness training

Domain 3 – IT Life-Cycle Management

Organization’s methodologies and practices for the development and management of software, infrastructure, and business processes.

PORTFOLIO AND PROGRAM MANAGEMENT
A program is an organization of many large, complex activities, and can be thought of as a set of projects that work to fulfill one or more key business objectives or goals.
- Starting a Program:
  o Program charter
  o Identification of available resources
- Running a Program:
  o Monitoring project schedules
  o Managing project budgets
  o Managing resources
  o Identifying and managing conflicts
  o Creating status reports
- Project Portfolio Management
  o Executive sponsor
  o Program manager
  o Project manager
  o Start and end dates
  o Names of participants
  o Objectives or goals that the project supports
  o Budget
  o Resources
  o Dependencies
- Business Case Development
  o Business problem
  o Feasibility study results
  o High-level project plan
  o Budget
  o Metrics
  o Risks

PROJECT MANAGEMENT
- Organizing Projects
  o Direct report: Project team leader
  o Influencer: Influences members but does not manage them directly
  o Pure project: Given authority
  o Matrix: Authority over each project team member
- Initiating a project
- Developing Project Objectives
  o Object Breakdown Structure (OBS): Visual representation of the system, software, or application, in a hierarchical form.
  o Work Breakdown Structure (WBS): Logical representation of the high-level and detailed tasks that must be performed to complete the project.
- Managing Projects
  o Managing the project schedule
  o Recording task completion
  o Running project meetings
  o Tracking project expenditures
  o Communicating project status
- Project Roles and Responsibilities
  o Senior management: support the approval of the project
  o IT steering committee: Commission the feasibility study, approve the project
  o Project manager
  o Project team members
  o End-user management: Assign staff to the project team. Support development of cases
  o End users
  o Project sponsor: define project objectives, provide budget
  o Systems development management
  o System developers
  o Security manager
  o IT operations
- Project Planning: Task identification, task estimation, task resources, task dependencies, milestone tracking, task tracking
  o Estimating and sizing software projects
    - Object Breakdown Structure (OBS)
    - Work Breakdown Structure (WBS)
    - Source Lines of Code (SLOC): accurate estimate based on previous analysis for the time to develop a program.
    - COCOMO: Constructive Cost Model method for estimating software development projects
    - Function Point Analysis (FPA): time-proven estimation technique for larger software projects. It studies the detailed design specifications for an application program and counts the number of user inputs, user outputs, user queries, files, and external interfaces.
    - Other costs: development tools, workstations, servers, software licenses, network devices, training, equipment
  o Scheduling Project Tasks: Critical phase
    - Gantt chart
    - Program Evaluation and Review Technique (PERT)
    - Critical Path Methodology (CPM): It is important to identify the critical path in a project, because this allows the project manager to understand which tasks are most likely to impact the project schedule and to determine when the project will finally conclude.
    - Timebox management: A period in which a project must be completed.
  o Project Records: Project plans, project changes, meeting agendas and minutes, resource consumption, task information
  o Project Documentation: Helps users, support staff, IT operations, developers, and auditors
  o Project Change Management: The procedures for making changes to the project should be done in two basic steps:
    1. The project team should identify the specific use, impact, and remedy, and make a formal request.
    2. This change request should be presented to management along with its impact. Management should make a decision.
  o Project Closure: Project debrief, project documentation archival, management review, training, formal turnover to users, operations and support
  o Methodologies
    - Project Management Body of Knowledge (PMBOK): Process based
      Processes: inputs, techniques, outputs

      Process groups: Initiating, Planning, Executing, Controlling and Monitoring, Closing
    - Projects IN Controlled Environments (PRINCE2): Project management framework
      Starting up a project (SU), Planning (PL), Initiating a project (IP), Directing a project (DP), Controlling a stage (CS), Managing product delivery (MP), Managing stage boundaries (SB), Closing a project (CP)
    - Scrum: Iterative and incremental process most commonly used to project manage an agile software development effort.
      Scrum master: this is the project manager
      Product owner: this is the customer
      Team, users, stakeholders, managers

SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC)
1. Feasibility Study: Determine whether a specific change or set of changes in business processes and underlying applications is practical to undertake.
   o Time required to develop / acquire software
   o A comparison between the cost of developing the application vs. buying
   o Whether an existing system can meet the business need
   o Whether the application supports strategic business objectives
   o Whether a solution can be developed that is compatible with other IT systems
   o The impact of the proposed changes to the business on regulatory compliance
   o Whether future requirements can be met by the system
2. Requirements: Characteristics of a new application or changes being made.
   o Business functional requirements: Must have to support the business
   o Technical requirements and standards: Use the same basic technologies already in use as well as formal technical standards.
   o Security and regulatory requirements: Authentication, authorization, access control, encryption, data validation, audit logging, security operational requirements
   o DR/BCP requirements
   o Privacy requirements
   o RFP process: Request for Proposal
     - Requirements
     - Vendor financial stability
     - Product roadmap
     - Experience
     - Vision
     - References, with questions for clients: satisfaction with installation, satisfaction with migration, satisfaction with support, satisfaction with long-term roadmap, what went well, what did not go well
     - Contract negotiation
     - Closing the RFP
3. Design: A top-down approach
4. Development:
   o Coding the application
   o Developing program and system level documents
   o Developing user procedures
   o Working with users
   o Developing in a software acquisition setting: customizations, interfaces with other systems, authentication, reports
   o Debugging: correct operations, input validation, proper output validation, resource usage
   o Source Code Management (SCM): protection, control, version control, recordkeeping
5. Testing
   o Unit testing: by developers during the coding phase. Should be a part of the development of each module in the application.
   o System testing: end-to-end testing. Includes interface testing, migration testing.
   o Functional testing: Verification of functional requirements
   o User Acceptance Testing (UAT): In most cases, it is a formal step to find out if the organization accepts the software developed by a 3rd party.
   o Quality Assurance Testing (QAT)
6. Implementation
   o Planning: Prepare physical space for production systems, build production systems, install application software, migrate data
   o Training: End users, customers, support staff, trainers
   o Data migration: Record counts, batch totals, checksums
   o Cutover: Parallel, geographic, module by module, roll-back
   o Rollback planning
7. Post Implementation
   o Implementation review: System adequacy, security review, issues, ROI
   o Software maintenance

Development Risks
- Application inadequacy
- Project risk
- Business inefficiency
- Market changes

Development Approaches and Techniques
- Agile development
- Prototyping

- Rapid Application Development (RAD)
- Data Oriented System Development (DOSD)
- Object-Oriented System Development (OO)
- Component-based development: CORBA, DCOM, SOA
- Web-based application development: HTML, SOAP, XML
- Reverse engineering

System Development Tools
- Computer-Aided Software Engineering (CASE)
  o Upper CASE: requirements gathering, DFDs, interfaces
  o Lower CASE: Creation of program source code and data schemas
- Fourth Generation Languages

INFRASTRUCTURE DEVELOPMENT AND IMPLEMENTATION
1. Review of existing architecture
2. Requirements
   a. Business functional requirements
   b. Technical requirements and standards
   c. Security and regulatory requirements
   d. Privacy requirements
3. Design
   a. Procurement
4. Testing
5. Implementation
6. Maintenance

MAINTAINING INFORMATION SYSTEMS
- Change Management Process: Change request, change review, perform change, emergency changes
- Configuration Management
  o Recovery: configuration is stored independent of the systems themselves
  o Consistency: It will simplify administration, reduce mistakes, and result in less unscheduled downtime.

BUSINESS PROCESSES
- Business Process Life Cycle (BPLC)
  1. Feasibility study
  2. Requirements definition
  3. Design
  4. Development
  5. Testing
  6. Implementation
  7. Monitoring
  8. Post-implementation
- Benchmarking a Process: Plan, research, measure and observe, analyze, adapt (understand the fundamental reasons why other organizations’ measurements are better than its own), improve
- Capability Maturity Models
  o Software Engineering Institute Capability Maturity Model (SEI CMM): Initial, Repeatable, Defined, Managed, Optimizing
  o Capability Maturity Model Integration (CMMI): An aggregation of these other models into an overall maturity model.
  o ISO 15504: Software Process Improvement and Capability dEtermination (SPICE): Level 0 incomplete, Level 1 performed, Level 2 managed, Level 3 established, Level 4 predictable, Level 5 optimizing

APPLICATION CONTROLS
- Input Controls
  o Authorization: User access controls, workstation identification, approved transactions and batches, source documents
  o Input validation: Type checking, range and value checking, existence, consistency, length, check digits, spelling, unwanted characters, batch controls
  o Error handling: Batch rejection, transaction rejection, request re-input
- Processing Controls
  o Editing
  o Calculations: Run-to-run totals, limit checking, batch totals, manual recalculation, reconciliation, hash values
  o Data file controls: Data file security, error handling, internal and external labeling, data file version, source files, transaction logs
  o Processing errors
- Output Controls: Controlling special forms, report distribution and receipt, reconciliation, retention
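The input and processing controls listed above, implemented over a constructed batch of payment transactions, added here as an example and not part of the original summary. The transaction layout, the per-transaction amount limit, the control totals the sending system is assumed to supply (record count, batch total, hash total of account numbers) and the use of a mod-10 (Luhn) check digit on account numbers are all assumptions made for this illustration.

```python
"""Application input controls (type, length, range/limit, check digit,
unwanted characters) and batch controls (record count, batch total, hash
total) applied to a constructed batch of payment transactions.

Added example, not part of the original summary. The record format, the
amount limit, the mod-10 check digit scheme and the sample data are assumed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def luhn_valid(number: str) -> bool:
    """Mod-10 (Luhn) check digit test; assumed scheme for account numbers."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Transaction:
    account: str
    amount: str     # raw text as received; validated before it is used
    memo: str


@dataclass
class ValidationResult:
    accepted: List[Transaction] = field(default_factory=list)
    rejected: List[Tuple[Transaction, str]] = field(default_factory=list)


AMOUNT_LIMIT = 10_000.00                       # constructed per-transaction limit
MEMO_PATTERN = re.compile(r"^[A-Za-z0-9 .,-]{0,40}$")


def validate_transaction(t: Transaction) -> Optional[str]:
    """Return None if the transaction passes every input check, else the reason."""
    if len(t.account) != 10:                   # length check
        return "account length"
    if not luhn_valid(t.account):              # check digit
        return "account check digit"
    try:
        amount = float(t.amount)               # type check
    except ValueError:
        return "amount not numeric"
    if amount <= 0 or amount > AMOUNT_LIMIT:   # range / limit check
        return "amount out of range"
    if not MEMO_PATTERN.match(t.memo):         # unwanted characters
        return "unwanted characters in memo"
    return None


def process_batch(transactions, expected_count, expected_total, expected_hash):
    """Batch controls first: reject the whole batch if the sender's control
    totals do not reconcile (a dropped or altered record changes them).
    Otherwise validate each transaction and reject individually."""
    actual_total = 0.0
    actual_hash = 0                            # hash total: sum of account numbers, no business meaning
    for t in transactions:
        try:
            actual_total += float(t.amount)
        except ValueError:
            pass                               # non-numeric amounts are rejected per transaction
        if t.account.isdigit():
            actual_hash += int(t.account)
    if len(transactions) != expected_count:
        return "batch rejected: record count mismatch", None
    if round(actual_total, 2) != round(expected_total, 2):
        return "batch rejected: batch total mismatch", None
    if actual_hash != expected_hash:
        return "batch rejected: hash total mismatch", None
    result = ValidationResult()
    for t in transactions:
        reason = validate_transaction(t)
        if reason is None:
            result.accepted.append(t)
        else:
            result.rejected.append((t, reason))   # transaction rejection; request re-input
    return "batch accepted", result


# Constructed batch: two valid account numbers (1234567897, 9876543217), one
# with a wrong check digit, and one amount above the limit.
SAMPLE_BATCH = [
    Transaction("1234567897", "250.00", "Invoice 1001"),
    Transaction("9876543217", "12500.00", "Equipment"),
    Transaction("1234567890", "99.99", "Refund"),
]
SAMPLE_COUNT, SAMPLE_TOTAL, SAMPLE_HASH = 3, 12849.99, 12345679004


def run_sample():
    return process_batch(SAMPLE_BATCH, SAMPLE_COUNT, SAMPLE_TOTAL, SAMPLE_HASH)


if __name__ == "__main__":
    status, res = run_sample()
    print(status)
    if res:
        print("accepted:", [t.account for t in res.accepted])
        print("rejected:", [(t.account, why) for t, why in res.rejected])
```

The ordering matters: control totals are checked before any record is examined, so a batch that lost a record in transit is rejected as a whole rather than partially posted, while a single bad record inside a reconciling batch is rejected on its own and sent back for re-input.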

AUDITING THE SOFTWARE DEVELOPMENT LIFE CYCLE
- Auditing project management
- Auditing the feasibility study
- Auditing requirements
- Auditing design
- Auditing software acquisition
- Auditing development
- Auditing implementation
- Auditing post-implementation
- Auditing change management
- Auditing configuration management

AUDITING BUSINESS CONTROLS
Identify the key processes in an organization and understand the controls that are in place, or should be in place, that govern the integrity of those processes.

AUDITING APPLICATION CONTROLS
- Transaction flow
- Observations

- Data integrity testing: Used to confirm whether an application properly accepts, processes, and stores information.
- Testing online processing systems
- Auditing applications
- Continuous auditing: Several techniques are available to perform online auditing.

Domain 4 – IT Service Delivery & Infrastructure

IT organizations are effective if their operations are effective. IT organizations are service organizations – their existence is to serve the organization and support its business processes.

INFORMATION SYSTEMS OPERATIONS
- Management and control of operations
  o Process and procedures
  o Standards
  o Resource allocation
  o Process management
- IT Service Management (ITSM)
  o Service desk
  o Incident mgt
  o Problem mgt
  o Change mgt
  o Configuration mgt
  o Release mgt: ITIL term used to describe the SDLC. Used for changes in a system such as incidents and problem resolution, enhancements, subsystem patches and changes
  o Service-level mgt
  o Financial mgt
  o Capacity mgt: Periodic measurements, considering planned changes, understanding long-term strategies, changes in technology
  o Service continuity mgt
  o Availability mgt: Effective change mgt, effective application testing, resilient architecture, serviceable components
- Infrastructure Operations
  o Running scheduled jobs
  o Restarting failed jobs/processes
  o Facilitating backup jobs
  o Monitoring systems/apps/networks
- Monitoring
- Software Program Library Management: System that is used to store and manage access to an organization’s application source and object code
  o Access and authorization controls
  o Program checkout
  o Program check-in
  o Version control
  o Code analysis
- Quality Assurance
- Security Management
  o Policies, procedures, processes, and standards
  o Risk assessments
  o Impact analysis
  o Vulnerability management

INFORMATION SYSTEMS HARDWARE
- Computer usage
  o Types: supercomputer, mainframe, midrange, server, desktop, laptop, mobile
  o Uses: app server, web server, file server, db server, print server, test server, thin client, thick client, workstation
- Computer architecture
  o CPU: CISC (Complex Instruction Set Computer), RISC (Reduced Instruction Set Computer), single processor, multi-processor
  o Bus: PCI, PC Card, MBus, SBus
  o Main storage
  o Secondary storage: Program storage, data storage, temporary files, OS, virtual memory
  o Firmware: Flash, EPROM, PROM, ROM, EEPROM
  o I/O and networking
  o Multi-computer: Blade computers, grid computing, server clusters, virtual servers
- Hardware maintenance
- Hardware monitoring

INFORMATION SYSTEMS ARCHITECTURE AND SOFTWARE
- Computer Operating Systems: Access to peripherals, storage mgt, process mgt, resource allocation, communication, security
  o OS virtualization
  o Clustering: using special software
  o Grid computing: a form of distributed computing
  o Cloud computing: dynamically scalable and usually virtualized
- Data Communication Software
- File Systems: Directories, files, FAT, NTFS, HFS (Hierarchical File System), ISO 9660 (CD-ROM, DVD), UDF (Universal Disk Format)
- Database Management Systems
  o Relational DBMS (rDBMS): Primary key, one or more indexes, referential integrity, encryption, audit logging, access controls
  o Object Database (ODBMS): Represented as objects; data and the programming method are contained in an object
  o Hierarchical Database: Top-down
- Media Management System: Tape management systems (TMS) or disk management systems (DMS)
- Utility software
  o Software and data design
  o Software development
  o Software testing
  o Security testing
  o Data management
  o System health
  o Network

NETWORK INFRASTRUCTURE
- Network Architecture
  o Physical network architecture
  o Logical network architecture
  o Data flow architecture
  o Network standards and services
- Types of networks
  o Personal Area Network (PAN): up to 3 meters and used to connect peripherals for use by an individual
  o LAN
  o Campus Area Network (CAN)
  o Metropolitan Area Network (MAN)
  o WAN
- Network-based Services: email, print, file storage, remote access, directory, terminal emulation, time synch, network authentication, web security, anti-malware, network management
- Network Models
  o OSI: Application, presentation, session, transport, network, data link, physical
  o TCP/IP: Link, internet, transport, application
- Network Technologies
  o LAN
    - Physical topology: Star, ring, bus

Page 13: CISA Summary V1.0

Dom

ain 4 – IT Service Delivery & Infrastructure

Cable types: Shield twisted pair

(STP), screened unshielded twisted pair (S/UTP), screened shielded twisted pair (S/STP), unshielded twisted pair (UTP)

Other types: Fiber, coaxial, serial

Network Transport protocols
o Ethernet: Broadcast or shared medium, collision avoidance
o ATM: Synchronous network. Connection-oriented link-layer protocol.
o Token Ring
o Universal Serial Bus
o FDDI: Fiber Distributed Data Interface. Range up to 200 km and capable of 200 Mb/sec
o WAN
  - MPLS
  - SONET
  - Frame Relay
  - ISDN
  - X.25
o Wireless
  - Wi-Fi
  - Bluetooth
  - Wireless USB
  - NFC (Near Field Communication): extremely short-distance radio frequencies, commonly used for merchant payment applications
  - IrDA: Infrared Data Association

TCP/IP Protocols

o Link Layer / network access layer
  - ARP (Address Resolution Protocol)
  - RARP (Reverse Address Resolution Protocol)
  - OSPF (Open Shortest Path First)
  - L2TP (Layer 2 Tunneling Protocol)
  - PPP
  - Media Access Control (MAC)
o Internet Layer / Layer 3
  - IP
  - ICMP
  - IGMP
  - IPSec
o Internet Layer: IP addresses, subnets, masks, gateway, classless and classful networks
o Transport Layer
  - TCP
  - UDP
o Application Layer
  - File transfer protocols: FTP, FTPS, SFTP, SCP, rcp
  - Messaging protocols: SMTP, POP, IMAP, NNTP
  - File and directory sharing protocols: NFS, RPC
  - Session protocols: TELNET, rlogin, SSH, HTTP, HTTPS
  - Management protocols: SNMP, NTP
  - Directory service protocols: DNS, LDAP, X.500

Global Internet: Email, IM, VPN, WWW

Network Management
o Tools: Network management systems, network management agents, incident management systems, protocol analyzers, sniffers

Networked Applications
o Client–Server
o Web-based

AUDITING IS INFRASTRUCTURE AND OPERATIONS

Auditing IS Hardware
o Standards: procurement standards
o Maintenance: records, service contracts
o Capacity: system capacity monitoring
o Change mgt: requested, reviewed prior to approval

Auditing OSs
o Standards: written standards
o Maintenance and support: support contracts
o Change mgt
o Configuration mgt: tools, recordkeeping, config processes
o Security mgt: hardening

Auditing File Systems
o Capacity: storage
o Access control

Auditing DB Management Systems
o Configuration mgt: centrally controlled
o Change mgt: changes should be consistent and systematic
o Capacity mgt: ability to support business processes
o Security mgt: access controls, logs

Auditing Network Infrastructure
o Network architecture
o Security architecture
o Standards
o Change mgt
o Capacity mgt
o Configuration mgt
o Administrative access management
o Network components
o Log management
o User access management

Auditing Network Operating Controls
o Network operating procedures
o Restart procedures
o Troubleshooting procedures
o Security controls
o Change management

Auditing Computer Operations
o System configuration standards
o System build procedures
o System recovery procedures
o System update procedures
o Patch management
o Daily tasks
o Backup
o Media control
o Monitoring

Auditing Data Entry
o Data entry procedures
o Input verification
o Batch verification


o Correction procedures

Auditing Lights-Out Operations
o Remote administration procedures
o Remote monitoring procedures

Auditing Problem Management Operations
o Problem management policy and processes
o Problem management records
o Problem management timelines
o Problem management reports
o Problem resolution
o Problem recurrence

Auditing Monitoring Operations
o Monitoring plan
o Problem log
o Preventive maintenance
o Management review and action

Auditing Procurement
o Requirements definition: functional, technical, and security requirements approved by management. Policies, procedures, and records.
o Feasibility studies

Domain 5 – Information Asset Protection

INFORMATION SECURITY MANAGEMENT

Aspects
o Executive support
o Policies and procedures
o Security awareness
o Security monitoring and auditing
o Incident response
o Corrective and preventive action

Roles and responsibilities
o Executive mgt: support and overall responsibility for asset protection
o Security steering committee: approval of security policies, risk-related matters
o CISO: development and enforcement of policy and asset protection
o Chief privacy officer
o Security auditor: monitoring and testing security controls
o Security administrator
o Security analyst: implementing security policy by designing and improving security controls and processes
o Systems analyst: designing application software that includes adequate controls
o Software developers: coding applications that include controls to prevent application misuse or bypass of controls
o Managers
o Asset owners: responsible for protection and integrity of assets
o Employees

Asset Inventory and Classification
o Hardware
o Information

Access Control
o AC management: request, review, segregation of duties, transfer, termination
o Logs

Privacy
o PII: DL, SSN, passport, phone, address, DoB, accounts

3rd Party Management
o 3rd party access countermeasures: logs, video, access controls, logical access, audits
o Legal agreements: liabilities, controls required, nondisclosure, security training, steps for a security breach, steps to be taken to reduce the likelihood of data loss caused by a disaster, right to inspect, compliance, destroy copies of information on request

HR Security
o Screening
o Agreements
o Job descriptions
o Transfer and termination
o Contractors and temps

Computer Crime
o Roles
  - Target of a crime
  - Instrument of a crime
  - Support of a crime
o Categories: Military, political, terrorist, financial, business, grudge, amusement
o Perpetrators: Hackers, cybercriminals, spies, terrorists, script kiddies, social engineers, employees, former employees, knowledgeable outsiders, service providers' employees

Security Incident Management
o Incident response: Planning, detection, initiation, evaluation, eradication, remediation, closure, post-incident review
o Testing incident response: Document review, walkthrough, simulation
o Incident prevention: Vulnerability monitoring, patch management, system hardening, IDS
o Chain of custody: Identification, preservation, analysis, presentation

LOGICAL ACCESS CONTROLS: Subject access controls are in place to determine the identity of the subject. Service access is used to control the types of messages that are allowed to pass through a control point.

Models
o MAC: Mandatory Access Control: Access to objects by subjects
o DAC: Discretionary Access Control: Owner of an object is able to determine how and by whom the object may be accessed

Threats
o Malware
o Eavesdropping
o Logic bombs
o Scanning attacks

Vulnerabilities
o Unpatched systems
o Default system settings
o Default passwords
o Incorrect permissions settings
o Application logic

Points of Entry
o Exposure to malware
o Eavesdropping
o Open access

Identification, Authentication, and Authorization
o Identification: asserting an identity without providing any proof of it
o Authentication: Subject asserts an identity, but some proof of the subject's identity is required
o Authorization: System determines resource access for the subject

User account provisioning
o Factors: user location, system limitations, data sensitivity
o Risks: Finding a password, eavesdropping

Two-factor authentication: Digital certificates, smart cards, tokens

Something you are: Biometrics such as hand print, fingerprint, palm vein, voice, facial scan, handwriting, iris scan
o Measurement variances: False reject rate, false accept rate, crossover error rate
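The three biometric measurement variances above are properties of one decision threshold, so they are easiest to understand by sweeping it. The example below is added here and is not from the original summary: it uses constructed genuine and impostor match scores (not real sensor data) to compute the false reject rate and false accept rate at each threshold and to locate the crossover error rate where the two curves meet. Tightening the threshold drives FAR down and FRR up; the auditor's question is whether the chosen operating point fits the asset's sensitivity.

```python
"""Biometric matcher error rates: false reject rate (FRR), false accept rate (FAR)
and the crossover error rate (CER) found by sweeping the decision threshold."""

# Constructed sample match scores on a 0..100 scale (higher = stronger match).
# GENUINE: the enrolled person presenting to their own template.
# IMPOSTOR: other people presenting to that template.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 66, 61]
IMPOSTOR_SCORES = [12, 18, 25, 31, 38, 44, 52, 58, 63, 69]


def false_reject_rate(genuine, threshold):
    """Share of genuine attempts rejected because the score fell below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor, threshold):
    """Share of impostor attempts accepted because the score met the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine, impostor, thresholds):
    """(threshold, FRR, FAR) for every candidate threshold."""
    return [(t, false_reject_rate(genuine, t), false_accept_rate(impostor, t))
            for t in thresholds]


def crossover_error_rate(genuine, impostor, thresholds):
    """Threshold where FRR and FAR are closest; the error rate there is the CER.
    Returns (threshold, FRR, FAR)."""
    return min(error_curve(genuine, impostor, thresholds),
               key=lambda r: abs(r[1] - r[2]))


if __name__ == "__main__":
    for t, frr, far in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 101, 10)):
        print(f"threshold {t:3d}: FRR {frr:.2f}  FAR {far:.2f}")
    t, frr, far = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 101))
    print(f"crossover at threshold {t}: CER = {frr:.2f}")
```

With these constructed scores the curves cross at a threshold of 64, where one genuine user in ten is rejected and one impostor in ten is accepted; raising the threshold to 70 rejects every impostor but also rejects two genuine users in ten.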


Reduced Sign On: changing from stand-alone application authentication to centralized authentication like LDAP, RADIUS, Active Directory

Single Sign On: one login authentication for multiple authorized applications

Access Control Lists: common way to administer access controls

Protecting Information
o Access controls
o Access logging
o Backups: Automated tools, protection of backup data, offsite backup media storage, restoration testing, media inventory

Patch Management

Vulnerability Management
o Subscribing to security alerts
o Scanning
o Patch management
o Corrective action process

System Hardening: remove unneeded services, dedicate each system to a unique function, change default passwords, use non-predictable passwords, reduce privileges, eliminate inter-server trust

Managing User Access
o User access provisioning: Risk of errors can be devastating for an organization
o Termination: Some safeguards are needed, like review of the terminated employee's actions before and after, periodic reviews, and review of logs
o Transfers: Risk is privilege creep
o Password management: provisioning, lockout, forgotten passwords. Password length, complexity, expiration, reuse, rechange

Protecting Mobile Devices: Encryption, strong access control, remote destruct, hardening, logical locking system, physical locking system

NETWORK SECURITY CONTROLS

Network Security
o Threats: access by unauthorized persons, spoofing, eavesdropping, malware, DoS, access bypass, MITM
o Countermeasures: User authentication controls, machine authentication controls, anti-malware, encryption, switched networks, IDS/IPS

Securing Client-Server Applications
o Access controls: strong authentication
o Interception of client-server communication: Network encryption
o Network failure
o Change management
o Disruption of client software updates
o Stealing data

Securing Wireless Networks
o Threats and vulnerabilities: Eavesdropping, war driving and war chalking, encryption, spoofing
o Countermeasures: Obscure SSID, stop SSID broadcast, reduce transmit power, MAC filtering, WPA, require VPN, change default passwords, patches

Protecting Internet Communications
o Threats and vulnerabilities
  - Eavesdropping
  - Network analysis: reconnaissance phase of some bigger effort
  - Targeted attacks
  - Malware
  - Masquerading: forge messages that have the appearance of originating elsewhere
  - DoS
  - Fraud
o Countermeasures: Firewalls, honeypots and honeynets, IDS, change management and configuration management, incident management, security awareness training

Encryption
o Terms: Plaintext, ciphertext, hash function, message digest, digital signature, algorithm, decryption, encryption key, cryptanalysis, key length, block cipher, stream cipher, Initialization Vector (IV): random number to begin the encryption process, symmetric encryption, asymmetric encryption, key exchange, nonrepudiation
o Private Key Cryptosystem: Symmetric cryptography
  - Challenges: Key exchange (an out-of-band method is required), scalability
o Public Key Cryptosystem: Asymmetric cryptosystem
  - Key pair: public and private keys
  - Message security: no need to establish and communicate symmetric encryption keys through a secure channel
  - Verifying public keys: Certificate authority, email address, key fingerprint (retrieve the public key and calculate the key fingerprint)
o Hashing and Message Digests
o Digital Signatures: Seals a message or file using the sender's identity
o Digital Envelopes: Combining private and public key cryptography
o Public Key Infrastructure (PKI): Digital certificates, Certificate Authority (CA), Registration Authority (RA), Certificate Revocation List (CRL), Certification Practice Statement (CPS)
o Key Management
  - Key generation: system must be highly protected, isolated, and used by few people. System should include some randomness
  - Key protection
  - Key custody: policies, processes, and procedures regarding the management of keys
  - Key rotation: only when one of the following occurs: key compromise, key expiration, rotation of staff
  - Key disposal
o Encryption applications: SSL/TLS, S-HTTP, S/MIME, SSH, SET

Voice over IP (VoIP)

o Threats and vulnerabilities: Eavesdropping, spoofing, malware, DoS, toll fraud
o Protecting: IDS, access management, firewalls, hardening, malware controls

Private Branch Exchange (PBX)
o Threats and vulnerabilities: Default passwords on administrator console, dial-in modem, toll fraud, espionage
o Countermeasures: Administrative access control, physical access control, regular log review

Malware
o Threats and vulnerabilities: Viruses, worms, Trojan horses, spyware, rootkits, bots, missing patches, insecure configuration, faulty architecture, faulty judgment, spam, phishing, DoS
o Anti-malware administrative controls: Spam policy, business-related internet use, no removable media, no downloading, no personally owned computers
o Anti-malware technical controls: Anti-malware on email servers, on workstations, on web servers; centralized malware console, IDS, spam filters, blocking use of removable media

Information Leakage
o Countermeasures: Outbound email filters, block removable media, blocking internet access, tighter access controls, access logging, job rotation, periodic background checks

ENVIRONMENTAL CONTROLS

Threats and vulnerabilities
o Electric power vulnerabilities
  - Spike: sharp increase
  - Inrush: sudden increase
  - Noise: presence of other electromagnetic signals
  - Dropout: momentary loss
  - Brownout: sustained drop
  - Blackout: complete loss
o Physical environment vulnerabilities: Temperature, humidity, dust and dirt, smoke and fire, sudden unexpected movement

Countermeasures
o Electric power: UPS, electric generator, dual power feeds, power distribution unit (PDU)
o Temperature and humidity controls: HVAC
o Fire prevention, detection, and suppression controls
  - Prevention: Combustibles stored away, cleanliness, electrical equipment maintenance
  - Detection: pull-down stations, manual alarms, detectors
  - Suppression
    Types: wet pipe, dry pipe, pre-action, deluge, inert gas
    Classes: A: wood, paper; B: liquids and gases; C: electrical; D: combustible metals; K: cooking oils and fats

PHYSICAL SECURITY CONTROLS

Threats and vulnerabilities
o Theft
o Sabotage
o Espionage
o Covert listening devices
o Tailgating
o Propped doors
o Poor visibility

Countermeasures
o Keycard systems
o Cipher locks
o Fences, walls, and barbed wire
o Bollards and crash gates
o Video
o Visual notices
o Bug sweeping
o Guards
o Guard dogs

AUDITING ASSET PROTECTION

Security Management
o Policies, processes, procedures, and standards
o Records
o Training
o Data ownership and management
o Data custodians
o Security administrators
o New and existing employees

Logical Access Controls
o Network access paths: IT infrastructure, network architecture and access documentation
o User access controls
  - User access controls: authentication, bypass, access violations, user account lockout, IDS/IPS, shared accounts, dormant accounts, system accounts
  - Password management: password standards, account lockout, access to encrypted passwords

  - Password vaulting
o User access provisioning: Access request process, access approvals, segregation of duties (SOD), access reviews
o Employee terminations: Termination process, timeliness, access reviews, contractor access and termination
o Access logs: Access log controls, centralized access logs, access log protection, log review, log retention
o Investigative procedures: Policies and procedures, computer crime investigations, computer forensics
o Internet points of presence
  - Search engines: what information is available
  - Social networking sites: what others are saying
  - Online sales sites: what's being sold
  - Domain names

Network Security Controls
o Architecture review: Diagrams, documents, support of business objectives, compliance with security policy, comparison of documented vs. actual
o Network access controls
  - User authentication: Active Directory, LDAP
  - Firewalls
  - IDS
  - Remote access
  - Dial-up modems
o Change management: Change control policy, change logs, change control procedures, emergency changes, rolled-back changes, linkage to SDLC (change management and SDLC)
o Alert management
o Penetration testing
o Application scanning
o Patch management

Environmental Controls
o Power conditioning
o Backup power
o HVAC
o Water detection
o Fire detection and suppression
o Cleanliness

Physical Controls
o Siting and marking: Proximity to hazards
o Physical access controls: Physical barriers, surveillance, guards and dogs, keycard systems

Domain 6 – BC & DR

DISASTERS

Types
o Natural: Earthquakes, volcanoes, landslides, avalanches, wildfires, tropical cyclones, tornadoes, windstorms, lightning, ice storms, hail, flooding, tsunamis, pandemic, extraterrestrial impacts
o Man-made: Civil disturbances, utility outages, materials shortages, fires, hazardous materials spills, transportation accidents, security events, terrorism and wars
o How they affect organizations: Direct damage (earthquakes etc.), utility outage, transportation, services and supplier shortage, staff availability, customer availability

BCP Process

Develop Policy: formal policy included in the overall governance model

BCP and COBIT Controls
o Develop IT continuity framework
o Conduct business impact analysis
o Develop and maintain IT continuity plans
o Identify and categorize IT resources based on recovery objectives
o Define and execute change control procedures to ensure the IT continuity plan is current
o Regularly test IT continuity plan
o Develop follow-on action plan from test results
o Plan and conduct IT continuity training
o Plan IT services recovery and resumption
o Plan and implement backup storage and protection
o Establish procedures for conducting post-resumption reviews

Business Impact Analysis (BIA)
o Inventory key processes and systems
o Statement of impact: qualitative or quantitative description of the impact if the process or system were incapacitated for a time
o Criticality Analysis: study of each system and process, a consideration of the impact on the organization if it is incapacitated, the likelihood of incapacitation, and the estimated cost of mitigating the risk or impact of incapacitation (risk analysis)

Establishing key targets
o Recovery Time Objective (RTO): Time from onset of an outage until the resumption of service. ** An organization could establish two RTO targets, one for partial capacity and one for full capacity.
o Recovery Point Objective (RPO): Time for which recent data will be irretrievably lost in a disaster. For critical transactions it is measured in minutes.

Developing Recovery Strategies and Plans

Strategies:
o Site options: Hot, warm, cold, mobile, reciprocal (at another company)
o Recovery and resilience technologies
  - RAID: Redundant Array of Independent Disks
    RAID-0: striped
    RAID-1: mirror
    RAID-4: Data striping. RAID 4-5 allow for failure of one disk without losing information
    RAID-6: Withstands failure of any two disk drives in the array
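The single-disk tolerance of RAID-4 and RAID-5 comes from one XOR parity block per stripe, and the need for RAID-6 comes from the limit of that scheme. The example below is added here and is not part of the original summary: it stripes a constructed payload across three data blocks plus one parity block (the RAID-4 layout; RAID-5 only rotates which disk carries parity), rebuilds any one lost block from the survivors, and reports failure when two blocks are lost, which is the case RAID-6's second, independent parity exists to cover.

```python
"""Single-parity striping (RAID-4/5 style): XOR parity, single-disk rebuild,
and why one parity block cannot survive a second failure."""


def split_into_blocks(payload, n_data_disks, block_size):
    """Stripe a payload across n_data_disks fixed-size blocks, zero-padding the tail."""
    needed = n_data_disks * block_size
    if len(payload) > needed:
        raise ValueError("payload exceeds the capacity of one stripe")
    padded = payload.ljust(needed, b"\x00")
    return [padded[i * block_size:(i + 1) * block_size] for i in range(n_data_disks)]


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length blocks; this is the parity computation."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def build_stripe(data_blocks):
    """Disk contents for one stripe: the data blocks followed by a dedicated parity block."""
    return list(data_blocks) + [xor_blocks(data_blocks)]


def rebuild(stripe, failed_disks):
    """Rebuild failed disks from the survivors. Returns the full stripe, or None when
    the failures exceed what a single parity block can recover."""
    if len(failed_disks) > 1:
        return None  # two unknowns, one equation: not solvable with one parity
    if not failed_disks:
        return list(stripe)
    lost = failed_disks[0]
    survivors = [blk for i, blk in enumerate(stripe) if i != lost]
    repaired = list(stripe)
    repaired[lost] = xor_blocks(survivors)  # any one block is the XOR of all the others
    return repaired


def recover_payload(stripe, n_data_disks, failed_disks, length):
    """Reassemble the original payload after a rebuild; None when unrecoverable."""
    repaired = rebuild(stripe, failed_disks)
    if repaired is None:
        return None
    return b"".join(repaired[:n_data_disks])[:length]


if __name__ == "__main__":
    payload = b"constructed sample"  # constructed input, not real data
    stripe = build_stripe(split_into_blocks(payload, 3, 8))
    print("one disk lost: ", recover_payload(stripe, 3, [1], len(payload)))
    print("two disks lost:", recover_payload(stripe, 3, [0, 2], len(payload)))
```

Four disks of this layout give three disks' worth of usable capacity, which is the cost-versus-resilience trade the recovery strategy has to weigh against mirroring (RAID-1) and double parity (RAID-6).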

SAN: Storage Area Network

NAS: Network Attached Storage.

o Replication: Disk storage system, operating system, database management system, transaction management system, application
o Server clusters
o Network connectivity and services: Redundant network connection, redundant network services
o Backup and restoration

Plans
o Evacuation procedures
o Disaster declaration procedures
  - Core team
  - Declaration criteria
  - Pulling the trigger: any single core member
  - Next steps: Declaration will trigger other response procedures
  - False alarms
o Responsibilities: injured, caring for family members, transportation unavailable, out of the area, communications, fear

Emergency Response: evacuation, first aid, firefighting

Command and Control (Emergency Management)
o Scribe: Document the important events during disaster response operations
o Internal communications, external communications, legal and compliance, damage assessment, salvage, physical security, supplies, transportation, network, network services, systems, databases, data and records, applications, access management, information security, off-site storage, user hardware, training, relocation, contract information
o Recovery procedures: should go hand in hand with the technologies that may have been added to IT systems to make them more resilient
o Continuing operations
o Restoration procedures
o Considerations
  - Availability of personnel
  - Emergency supplies
  - Communications: identifying critical personnel, suppliers, customers, and other parties; call trees, wallet cards
  - Transportation
o Documentation
  - Supporting project documents
  - Analysis documents: BIA, RTO, RPO, criticality analysis
  - Response documents: Business recovery plan, Occupant emergency plan (OEP), Emergency communications plan, contact lists, DR plan, Continuity of operations plan (COOP), Security incident response plan (SIRT)

  - Test and review documents

Testing Recovery Plans
o Test preparation: schedule, facilities, scripting, participants, recordkeeping, contingency plan
o Document review
o Walkthrough
o Simulation
o Parallel test
o Cutover test
o Documenting results
o Improving recovery and continuity plans

Training Personnel: Document review, participation in walkthroughs, participation in simulations, participation in parallel and cutover tests
o Hard copy of plan
o Soft copy of plan
o Online access
o Wallet cards

Maintaining Recovery and Continuity Plans

Auditing Business Continuity and Disaster Recovery: An audit of an organization's BC program is a top-down analysis of key business objectives and a review of documentation and interviews to determine whether the BC strategy and program details support those key business objectives.
o Reviewing business continuity and disaster recovery plans
o Reviewing prior test results and action plans
o Evaluating off-site storage
o Evaluating alternate processing facilities
o Interviewing key personnel
o Reviewing service provider contracts
o Reviewing insurance coverage