Information Security Management Audit/Assurance Program


ISACA®

With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.

ISACA offers the Business Model for Information Security™ (BMIS™) and the IT Assurance Framework™ (ITAF™). It also developed and maintains the COBIT®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.

Disclaimer

ISACA has designed and created Information Security Management Audit/Assurance Program (the “Work”) primarily as an informational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, audit and assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

Reservation of Rights

© 2010 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: [email protected]
Web site: www.isaca.org

ISBN 978-1-60420-156-7
Information Security Management Audit/Assurance Program

CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout the world.

© 2010 ISACA. All rights reserved. Page 2


ISACA wishes to recognize:

Author
Norm Kelson, CISA, CGEIT, CPA, CPE Interactive Inc., USA

Expert Reviewers
Bok Hai Suan, CISM, CGEIT, Singapore
Kerrie Douglas, CISA, CGEIT, Six Sigma Green Belt, DaVita, USA
Gbadamosi Folakemi Toyin, CGEIT, APDM, CGRC-IT, CICA, CIPM, Flooky-Tee Computers, Nigeria
Anuj Goel, Ph.D., CISA, CGEIT, Citigroup, Inc., USA
Michael Lloyd Jones, CISA, CIA, CISSP, FLMI, BMO Financial Group, Canada
Prashant Khopkar, CISA, CA, USA
Raul Millan, CISA, CISM, CCSE, CEH, CISSP, Consultores de Seguridad Informatica, Panama
Philippe Rivest, TransForce, Canada
Vinoth Sivasubramanian, ABRCCIP, CEH, ISO 27001 LA, UAE Exchange Center LLC, UAE
Babu Srinivas, CISA, CISM, SP AusNet, Australia
Vikrant V. Tanksale, CISA, ACWA, CMA, ALBahja Industrial Holdings LLC, Oman
Bart van Lodensteijn, CISA, CGEIT, Ordina Consultancy B.V., The Netherlands
Jeff Warren, CISM, JPW Consult, Australia

ISACA Board of Directors
Emil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, International President
Hitoshi Ota, CISA, CISM, CGEIT, CIA, Mizuho Corporate Bank Ltd., Japan, Vice President
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico, Vice President
Christos K. Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece, Vice President
Rolf M. von Roessing, CISA, CISM, CGEIT, KPMG Germany, Germany, Vice President
Robert E. Stroud, CGEIT, CA Technologies, USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Ria Lucas, CISA, CGEIT, Telstra Corp. Ltd., Australia, Vice President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Lynn C. Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Director
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Director
Howard Nicholson, CISA, CGEIT, CRISC, City of Salisbury, Australia, Director
Jeff Spivey, CPP, PSP, Security Risk Management, USA, ITGI Trustee

Knowledge Board
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Chair
Michael Berardi Jr., CISA, CGEIT, Nestle USA, USA
John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young LLP, Singapore
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico
Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, RSM Bird Cameron, Australia
Jon Singleton, CISA, FCA, Auditor General of Manitoba (retired), Canada
Patrick Stachtchenko, CISA, CGEIT, CA, Stachtchenko & Associates SAS, France
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA

Guidance and Practices Committee
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Chair
Kamal Dave, CISA, CISM, CGEIT, Hewlett-Packard, USA
Urs Fischer, CISA, CRISC, CIA, CPA (Swiss), Switzerland
Ramses Gallego, CISM, CGEIT, CISSP, Entel IT Consulting, Spain
Phillip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Ravi Muthukrishnan, CISA, CISM, FCA, ISCA, Capco IT Service India Pvt. Ltd., India
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Salomon Rico, CISA, CISM, CGEIT, Deloitte, Mexico
Frank Van Der Zwaag, CISA, CISSP, Westpac New Zealand, New Zealand

ISACA and ITGI Affiliates and Sponsors
American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association for Corporate Governance Inc.
FIDA Inform
Information Security Forum
Information Systems Security Association
Institut de la Gouvernance des Systèmes d’Information
Institute of Management Accountants Inc.
ISACA chapters
ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
University of Antwerp Management School
Analytix Holdings Pty. Ltd.
BWise B.V.
Hewlett-Packard
IBM
Project Rx Inc.
SOAProjects Inc.
Symantec Corp.
TruArx Inc.

Table of Contents

I. Introduction
II. Using This Document
III. Controls Maturity Analysis
IV. Assurance and Control Framework
V. Executive Summary of Audit/Assurance Focus
VI. Audit/Assurance Program
    1. Planning and Scoping the Audit
    2. Information Security Management
    3. Information Security Operations
    4. Information Security Technology Management
VII. Maturity Assessment
VIII. Assessment Maturity vs. Target Maturity

I. Introduction

Overview

ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good-practice-setting model. ITAF provides standards that are designed to be mandatory and are the guiding principles under which the IT audit and assurance profession operates. The guidelines provide information and direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, tools and templates to provide direction in the application of IT audit and assurance processes.

Purpose

The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF, in section 2200—General Standards. The audit/assurance programs are part of ITAF, section 4000—IT Assurance Tools and Techniques.

Control Framework

The audit/assurance programs have been developed in alignment with the ISACA COBIT framework—specifically COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT Audit and Assurance Management.

Many organizations have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. Enterprises seek to integrate control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename these columns to align with the enterprise’s control framework.

IT Governance, Risk and Control

IT governance, risk and control are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues are evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program identifies the control objectives and the steps to determine control design and effectiveness.

Responsibilities of IT Audit and Assurance Professionals

IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional holds the Certified Information Systems Auditor (CISA) designation, or has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and/or necessary subject matter expertise to adequately review the work performed.

II. Using This Document

This audit/assurance program was developed to assist the audit and assurance professional in designing and executing a review. Details regarding the format and use of the document follow.

Work Program Steps

The first column of the program describes the steps to be performed. The numbering scheme used provides built-in work paper numbering for ease of cross-reference to the specific workpaper for that section. The physical document was designed in Microsoft® Word. The IT audit and assurance professional is encouraged to make modifications to this document to reflect the specific environment under review.

Step 1 is part of the fact-gathering and prefieldwork preparation. Because the prefieldwork is essential to a successful and professional review, the steps have been itemized in this plan. The first level steps, e.g., 1.1, are shown in bold type and provide the reviewer with a scope or high-level explanation of the purpose for the substeps.

Beginning in step 2, the steps associated with the work program are itemized. To simplify the use of the program, the audit/assurance objective—the reason for performing the steps in the topic area—is described first; the specific controls follow. Each review step is listed below the control. These steps may include assessing the control design by walking through a process, interviewing, observing or otherwise verifying the process and the controls that address that process. In many cases, once the control design has been verified, specific tests need to be performed to provide assurance that the process associated with the control is being followed.

The maturity assessment, which is described in more detail later in this document, makes up the last section of the program.

The audit/assurance plan wrap-up—those processes associated with the completion and review of work papers, preparation of issues and recommendations, report writing, and report clearing—has been excluded from this document since it is standard for the audit/assurance function and should be identified elsewhere in the enterprise’s standards.

COBIT Cross-reference

The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As professionals review each control, they should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for good-practice control guidance.

COSO Components

As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit/assurance professionals. This ties the assurance work to the enterprise’s control framework. While the IT audit/assurance function uses COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control components within their report and summarize assurance activities to the audit committee of the board of directors.

For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level.

The original COSO internal control framework contained five components. In 2004, COSO was revised as the Enterprise Risk Management (ERM) Integrated Framework and was extended to eight components. The primary difference between the two frameworks is the additional focus on ERM and integration into the business decision model. ERM is in the process of being adopted by large enterprises. The two frameworks are compared in figure 1.


Figure 1—Comparison of COSO Internal Control and ERM Integrated Frameworks

Each row below pairs a component of the Internal Control Framework (where one exists) with its counterpart in the ERM Integrated Framework.

Internal Control Framework: Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management’s operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.
ERM Integrated Framework: Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Internal Control Framework: (no corresponding component)
ERM Integrated Framework: Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.

Internal Control Framework: (no corresponding component)
ERM Integrated Framework: Event Identification: Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.

Internal Control Framework: Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and, thus, risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
ERM Integrated Framework: Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

Internal Control Framework: (no corresponding component)
ERM Integrated Framework: Risk Response: Management selects risk responses—avoiding, accepting, reducing or sharing risk—developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.

Internal Control Framework: Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
ERM Integrated Framework: Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Internal Control Framework: Information and Communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.
ERM Integrated Framework: Information and Communication: Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.

Internal Control Framework: Monitoring: Internal control systems need to be monitored—a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.
ERM Integrated Framework: Monitoring: The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.

Information for figure 1 was obtained from the COSO web site, www.coso.org/aboutus.htm.

The original COSO internal control framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/assurance programs. As more enterprises implement the ERM model, the additional three columns can be added, if relevant. When completing the COSO component columns, consider the definitions of the components as described in figure 1.


Reference/Hyperlink

Good practices require the audit and assurance professional to create a workpaper for each line item, which describes the work performed, issues identified and conclusions. The reference/hyperlink is to be used to cross-reference the audit/assurance step to the workpaper that supports it. The numbering system of this document provides a ready numbering scheme for the workpapers. If desired, a link to the work paper can be pasted into this column.

Issue Cross-reference

This column can be used to flag a finding/issue that the IT audit and assurance professional wants to further investigate or establish as a potential finding. The potential findings should be documented in a workpaper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).

Comments

The comments column can be used to indicate the waiving of a step or other notations. It is not to be used in place of a workpaper describing the work performed.

III. Controls Maturity Analysis

One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire to understand how their performance compares to good practices. Audit and assurance professionals must provide an objective basis for the review conclusions. Maturity modeling for management and control over IT processes is based on a method of evaluating the enterprise, so it can be rated from a maturity level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software development.

The IT Assurance Guide: Using COBIT, Appendix VII—Maturity Model for Internal Control, seen in figure 2, provides a generic maturity model showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale.

Figure 2—Maturity Model for Internal Control

Each entry gives the maturity level, the status of the internal control environment and the establishment of internal controls at that level.

Maturity Level 0: Non-existent
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organization’s culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

Maturity Level 1: Initial/ad hoc
Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

Maturity Level 2: Repeatable but Intuitive
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

Maturity Level 3: Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

Maturity Level 4: Managed and Measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.

Maturity Level 5: Optimized
Status of the Internal Control Environment: An enterprise-wide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.

The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and assurance professional can address the key controls within the scope of the work program and formulate an objective assessment of the maturity levels of the control practices. The maturity assessment can be a part of the audit/assurance report and can be used as a metric from year to year to document progression in the enhancement of controls. However, it must be noted that the perception of the maturity level may vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned stakeholder’s concurrence before submitting the final report to management.

At the conclusion of the review, once all findings and recommendations are completed, the professional assesses the current state of the COBIT control framework and assigns it a maturity level using the six-level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity model. As a further reference, COBIT provides a definition of the maturity designations by control objective. While this approach is not mandatory, the process is provided as a separate section at the end of the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity assessment be made at the COBIT control level. To provide further value to the client/customer, the professional can also obtain maturity targets from the client/customer. Using the assessed and target maturity levels, the professional can create an effective graphic presentation that describes the achievement or gaps between the actual and targeted maturity goals. A graphic is provided as the last page of the document (section VIII), based on sample assessments.

IV. Assurance and Control Framework

ISACA IT Assurance Framework and Standards

ITAF section 3630.7—Information Security Management is of primary relevance to the audit/assurance of information security management. However, information security management is pervasive throughout the IT organization and its functional responsibility. Components of information security are also included in the following ITAF sections:
3410—IT Governance
3425—IT Information Strategy
3427—IT Information Management
3450—IT Processes
3630—Auditing IT General Controls

ISACA Controls Framework

COBIT is a framework for the governance of IT and supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises.

Utilizing COBIT as the control framework from which IT audit/assurance activities are based aligns IT audit/assurance with good practices as developed by the enterprise.

COBIT IT process DS5 Ensure systems security, from the Deliver and Support (DS) domain, is the primary control framework and addresses good practices for ensuring security of corporate information. Secondary COBIT processes are cross-referenced within the audit/assurance program.

The COBIT areas for this evaluation include:

DS5.1 Management of IT security—Manage IT security at the highest appropriate organizational level, so the management of security actions is in line with business requirements.

DS5.2 IT security plan—Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.

DS5.3 Identity management—The information security function has defined policies and monitors activities relating to unique user identification; authentication mechanisms; user access rights according to job definition; and documented, appropriate authorization and approval mechanisms.

DS5.4 User account management—The information security function has established policies and monitoring procedures that address: requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. The process includes an approval procedure outlining the data or system owner granting the access privileges and applies to all users, including administrators (privileged users) and internal and external users, for normal and emergency cases.

DS5.5 Security testing, surveillance and monitoring—Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.

DS5.6 Security incident definition—The security incident management process is defined and monitored by the information security function, and an incident response team has been established and is operationally effective.

DS5.7 Protection of security technology—Make security-related technology resistant to tampering, and do not disclose security documentation unnecessarily.

DS5.8 Cryptographic key management—Policies and procedures are in place to organize the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorized disclosure.

DS5.9 Malicious software prevention, detection and correction—Preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the enterprise to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).

DS5.10 Network security—Information security management is included in the selection, implementation and approval of security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.

DS5.11 Exchange of sensitive data—Information security has approved policies concerning the exchange of sensitive transaction data through a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and nonrepudiation of origin. All incidents involving the exchange of sensitive data are reported through the incident reporting system and are directed to the CIRT team.

Information security management is an integral part of the entire IT infrastructure. The Information Security Management Audit/Assurance Program cross-references numerous COBIT domains and processes. These sections appear in the COBIT cross-reference of the audit/assurance program. For the purposes of reporting, information security is a component of these areas, but the scope of the assessment would be too limited to include these sections in the summary of the information security management assessment.

Refer to the ISACA publication COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, 2007, for the related control practice value and risk drivers.

V. Executive Summary of Audit/Assurance Focus

Information Security Management

Information security is an essential component of governance and management that affects all aspects of entity-level controls. Audit and assurance professionals include appropriate information security evaluations throughout their audit universe. However, the process of assessing the design and operating effectiveness of information security management does not receive the focus it requires. The information security management function is responsible for the governance, policy, enforcement, monitoring and innovation necessary for the modern business to establish cost-effective information security processes, while providing adequate information security assurance within the risk appetite and budget of the organization.

The information security management function provides:

Management direction, including policy creation, involvement in significant information security strategies, establishment of and adherence to an information security architecture, and alignment of information security strategies with business strategies

Management oversight and execution of essential information security operations. The former focuses on routine operations that affect information security, including access control; user identity management; and configuration management of other security building blocks, including intrusion detection and penetration testing systems, antimalware, and other processes. The latter includes information security incident management and security forensics.

Management of information security technologies utilized within the organization


Business Impact and Risk

Information security touches all aspects of the business environment. Failure to implement adequate information security could result in the following operational issues:
Security breaches, both detected and undetected
Exposure of information
Breach of trust with other enterprises
Violations of legal and regulatory requirements
Inadequate physical security measures
Unauthorized external connections to remote sites
Disclosure of corporate assets and sensitive information accessible to unauthorized parties
Systems and data that are prone to malware
Damage to the enterprise’s reputation
Financial loss

The risks associated with inadequate information security management include:
Information security strategies not aligned with IT or business requirements
Information security value (cost-benefit) structure not aligned with business needs or goals
Undefined or confusing information security accountability
Noncompliance with internal and external requirements
Ineffective use of financial resources allocated to information security
Information security not included in portfolio selection and maintenance and/or architecture design, resulting in ineffective, inefficient or misguided information security solutions
Information security not monitored and policies not applied uniformly with varying enforcement

Information security is about minimizing exposures, based upon risk management. Failure to implement and monitor risk mitigation processes in one area may compromise the entire organization.

Objective and Scope

Objective—The information security management audit/assurance review will:
Provide management with an assessment of the effectiveness of the information security management function
Evaluate the scope of the information security management organization and determine whether essential security functions are being addressed effectively

It is not designed to replace or focus on audits that provide assurance of specific configurations or operational processes.

Scope—The review will focus on:
Information Security Management—Processes associated with governance, policy, monitoring, incident management and management of the information security function
Information Security Operations Management—Processes associated with the implementation of security configurations
Information Security Technology Management—Processes associated with the selection and maintenance of security technologies

To ensure a comprehensive audit of information security management, it is recommended that the following audit/assurance reviews be performed prior to the execution of the information security management review and that appropriate reliance be placed on these assessments:

Identity management
Security incident management
Network perimeter security
Systems development
Project management
IT risk management
Data management
Vulnerability management

Minimum Audit Skills

Information security management addresses many IT processes. Since the focus is on the management of information security, the audit and assurance professional should have the requisite knowledge of the scope and requirements of information security, governance of IT and the information security components therein, information security components of IT architecture, risk management, and the direct information security processes. In addition, this audit/assurance program addresses organizational human resource reporting, management planning and senior management interfaces. Therefore, it is recommended that the audit and assurance professional conducting the assessment have the requisite experience and organizational relationships to effectively execute the assurance processes.


VI. Audit/Assurance Program

Audit/Assurance Program Step | COBIT Cross-reference | COSO Reference (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) | Hyper-link | Issue Cross-reference | Comments

1. PLANNING AND SCOPING THE AUDIT

1.1 Define audit/assurance objectives.
The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan and charter.

1.2 Define boundaries of review.
The review must have a defined scope. The reviewer should understand the information security organization and function, and prepare a proposed scope, subject to a later risk assessment.
1.2.1 Obtain and review the information security organization chart and/or current job descriptions.
1.2.2 Obtain the information security organization charter (or a purpose, goals and objectives statement).
1.2.3 Obtain and review any previous audit reports with remediation plans. Identify open issues and assess updates of documents with respect to these issues.
1.2.4 Identify limitations and/or constraints affecting the audit of information security.

1.3 Identify and document risks.
The risk assessment is necessary to evaluate where audit resources should be focused. In most enterprises, audit resources are not available for all processes. The risk-based approach assures utilization of audit resources in the most effective manner.
1.3.1 Identify the business risk associated with information security with business owners and key stakeholders.
1.3.2 Verify that the business risks are aligned, rated or classified with information security criteria such as confidentiality, integrity or availability.
1.3.3 Review previous audits of information security management and/or information security operations.
1.3.4 Determine whether issues identified previously have been remediated.
1.3.5 Evaluate the overall risk factor for performing the review.
1.3.6 Based on the risk assessment, identify changes to the scope.
1.3.7 Discuss the risks with IT management, and adjust the risk assessment.


1.3.8 Based on the risk assessment, revise the scope.

1.4 Define the change process.
The initial audit approach is based on the reviewer’s understanding of the operating environment and associated risks. As further research and analysis are performed, changes to the scope and approach may result.
1.4.1 Identify the senior IT assurance resource responsible for the review.
1.4.2 Establish the process for suggesting and implementing changes to the audit/assurance program, and the authorizations required.

1.5 Define assignment success.
The success factors need to be identified. Communication among the IT audit/assurance team, other assurance teams and the enterprise is essential.
1.5.1 Identify the drivers for a successful review (this should exist in the assurance function’s standards and procedures).
1.5.2 Communicate success attributes to the process owner or stakeholder, and obtain agreement.

1.6 Define the audit/assurance resources required.
The resources required are defined in the introduction to this audit/assurance program.
1.6.1 Determine the audit/assurance skills necessary for the review.
1.6.2 Estimate the total audit/assurance resources (hours) and time frame (start and end dates) required for the review.

1.7 Define deliverables.
The deliverable is not limited to the final report. Communication between the audit/assurance teams and the process owner is essential to assignment success.
1.7.1 Determine the interim deliverables, including initial findings, status reports, draft reports, due dates for responses or meetings, and the final report.

1.8 Communications
The audit/assurance process must be clearly communicated to the customer/client.
1.8.1 Conduct an opening conference to:
Discuss the review objectives with information security management
Identify documents and information security resources required to effectively perform the review
Establish timelines and deliverables

2. INFORMATION SECURITY MANAGEMENT


2.1 Management of IT Security
Audit/Assurance Objective: Manage IT security at the highest appropriate organizational level so that the management of security actions is in line with business requirements.

2.1.1 Governance
Control: Processes are in practice to assure applicable management oversight of the information security function.
COBIT cross-reference: PO4, DS5.1, ME4; COSO: x x x

2.1.1.1 Determine whether a security steering committee exists with representation from key functional areas, including internal audit, HR, finance, operations, IT security and legal.

2.1.1.2 Obtain the security steering committee charter.
2.1.1.3 Determine whether the committee membership is aligned with the organization and the information security stakeholders.
2.1.1.4 Obtain the minutes of selected steering committee meetings.
2.1.1.5 Determine whether the committee members regularly attend committee meetings.

2.1.1.6 Inquire whether and confirm that a security management communication process exists that informs the board, business and IT management of the status of information security.

2.1.1.7 Review the security steering committee charter to identify the communication plan and reporting relationships. Determine whether a common language (i.e., COBIT’s information criteria) is in the communication plan and that the reporting lines are clearly established.

2.1.1.8 Select several board meeting dates, obtain the information security presentations, and determine the board-level discussions relating to information security.

2.1.1.9 Inquire whether and confirm that an adequate organizational structure and reporting line for information security exist, and assess whether the security management and administration functions have sufficient authority.

2.1.1.10 Based on the organization chart of the information security organization, determine whether the structure provides for the information security function to report to and interface with the upper levels of management.

2.1.1.11 Determine whether the placement of the information security function provides for appropriate independence, objectivity and authority over its constituencies to be effective.

2.1.1.12 Determine whether subordinate organizational hierarchy is adequate to provide appropriate policy definition and monitoring.

2.1.2 Risk Assessment
Control: Risk assessments are regularly conducted to prioritize information security initiatives and ensure alignment with business risks.
COBIT cross-reference: PO9, DS5.2, ME4; COSO: x x x

2.1.2.1 Determine whether a process exists to prioritize proposed security initiatives and directives, including required levels of policies, standards and procedures.

2.1.2.2 Obtain recent risk assessment documents.
2.1.2.3 Determine whether the risk assessment has been utilized and addresses reasonable risks.
2.1.2.4 Determine whether the risk assessment is aligned with the IT risk assessment, if one exists, and the enterprise risk methodology, if one exists.
2.1.2.5 Test the design of the risk assessment for completeness, relevancy, timeliness and measurability.

2.1.3 Policies
Control: Policies are created according to a defined format and are distributed following a distribution list based on subject matter and relevance, and the scope of the policies is appropriate to ensure that information security is adequate to address the risk tolerance.
COBIT cross-reference: PO4, PO6, PO9, DS5.2, ME3, ME4; COSO: x x x x

2.1.3.1 Determine whether and confirm that an information security charter exists.

2.1.3.2 Review and analyze the charter to verify that it refers to the organizational risk appetite relative to information security and that the charter clearly includes:
Scope and objectives of the security management function
Responsibilities of the security management function
Compliance and risk drivers

2.1.3.3 Inquire whether and confirm that the information security policies cover the responsibility and accountability of the board, executive management, line management, staff members and all users of the enterprise IT infrastructure and that they refer to detailed security standards and procedures.

2.1.3.4 Inquire whether and confirm that detailed security policies, standards and procedures exist. Examples of policies, standards, procedures and best practices concerning these topics (COBIT, ISO27001/2) include:
Security compliance policy
Management risk acceptance (security noncompliance acknowledgement)
External communications security policy
Firewall policy
E-mail security policy
An agreement to comply with IS policies
Laptop/desktop computer security policy
Internet usage policy

2.2 IT Security Plan
Audit/Assurance Objective: Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures, together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.

2.2.1 Security Plan Integration
Control: Information security requirements are integrated into other processes.
COBIT cross-reference: PO1, PO2, PO3, PO4, PO6, PO9, AI1, AI2, DS1, DS2, DS4, DS5.2, DS9, DS12, DS13, ME3, ME4; COSO: x x x

2.2.1.1 Determine whether a process exists to integrate information security requirements and implementation advice from the IT security plan into the development of service level agreements (SLAs) and operating level agreements (OLAs) (Refer to COBIT DS1 and DS2).

2.2.1.2 Review the SLAs and OLAs for an information security focus. Determine whether the information security function had been involved in the development of these SLAs/OLAs.

2.2.1.3 Determine whether a process exists to integrate information security requirements and implementation advice from the IT security plan into automated solution (AI1) and application (AI2) requirements.

2.2.1.4 Obtain systems development methodology documentation and determine whether information security involvement and review are required by the policies and procedures.

2.2.1.5 Select several high-risk and/or high-profile development projects. Obtain requirements documentation, and determine whether information security requirements were included in the project requirements documentation.

2.2.1.6 Determine whether information security resources were regularly involved in key information security decisions at appropriate points in the process.

2.2.1.7 Determine whether a process exists to integrate information security requirements and implementation advice from the IT security plan into the IT infrastructure components (AI3).

2.2.1.8 Obtain the IT infrastructure plan.
2.2.1.9 Determine whether the information security function is involved in the development of the security components of the IT infrastructure.
2.2.1.10 Determine whether the IT infrastructure team and the information security function routinely interface on common initiatives.
2.2.1.11 Determine whether the IT security plan addresses: IT tactical plans (PO1), data classification (PO2), technology standards (PO3), HR/user access policies, i.e., segregation of duties, key personnel, contractors (PO4), security and control policies (PO6), risk management (PO9), and external compliance requirements (ME3).
2.2.1.12 Obtain and review the IT security plan.
2.2.1.13 Determine whether enterprise information security baselines for all major platforms are commensurate with the overall IT security plan, whether the baselines have been recorded in the configuration baseline (DS9) central repository and whether a process exists to periodically update the baselines based on changes in the plan.
2.2.1.14 Determine that information security issues are included in the IT continuity plan.

2.2.2 Security Plan Maintenance

Control: The security plan is reviewed on a regular basis to determine that it is updated to reflect changes to the operating environment and new threats.

COBIT cross-reference: AI2, AI3, DS4, DS5.2, DS9, DS12, DS13; COSO: x x

2.2.2.1 Determine the effectiveness of the collection and integration of information security requirements into an overall IT security plan that is responsive to the changing needs of the organization.

2.2.2.2 Determine whether the appropriate triggers are built into the interfaces between IT, business units and the information security organization to ensure that there is timely notification of a need to update the information security plan.

2.2.2.3 Determine whether a process exists to periodically update the IT security plan and whether the process requires appropriate levels of management review and approval of changes.

2.2.2.4 Determine the review process for updating the IT security plan; consider:
Quality of documentation including security policies
Approval process of changes
Job functions involved in the review process

3. INFORMATION SECURITY OPERATIONS

3.1 Identity Management

Audit/Assurance Objectives: The information security function has defined policies and monitors activities relating to the following:


Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable.
Enable user identities via authentication mechanisms.
Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user roles.
Ensure that user access rights are requested by user management, approved by system owners and implemented by the person responsible for security.
Ensure that information security operations functions maintain user roles and access rights in a central repository.
Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.

3.1.1 Identity Management
Control: The information security function has established identity management policies and monitoring functions.
COBIT cross-reference: DS5.3, DS11.6, DS12, ME4; COSO: x x

3.1.1.1 Determine the role of the information security function relating to identity management. If the information security function establishes policy and monitors enforcement, the remainder of this section needs to be reviewed from a definition and monitoring perspective. If the information security function also performs the information security operations, the assessment must include the tests of the operational follow-through.

3.1.1.2 Determine whether security policies require users and system processes to be uniquely identifiable and systems to be configured to enforce authentication before access is granted.

3.1.1.3 If policies require predetermined and preapproved roles to grant access, determine whether the policies require the roles to clearly delineate responsibilities based on least privileges and ensure that the establishment and modification of roles are approved by process owner management.

3.1.1.4 Determine whether appropriate policies and monitoring have been implemented to control access provisioning and whether authentication control mechanisms are utilized for controlling logical access across all users, system processes and IT resources for in-house and remotely managed users, processes and systems.


3.1.2 Identity Management Operations
Control: Identity management policies are enforced, and appropriate review processes are in place to evaluate their operating effectiveness.
COBIT cross-reference: DS5.3, ME1, ME2, ME3; COSO: x x x

3.1.2.1 Determine whether a previous audit/assurance assessment of the identity management system has been performed.

3.1.2.2 If an audit/assurance assessment has been performed recently, as defined by internal audit procedures, review the findings of that review, and determine whether additional findings, including failure to complete previous open recommendations, are appropriate.

3.1.2.2.1 If an assessment has not been performed, consider using the ISACA Identity Management Audit/Assurance Program to complete a detailed review.

3.1.2.2.2 If an assessment has been performed, but not within the internal audit definition of “recent,” consider reperforming key control processes to update the assessment and provide current findings.

3.1.2.3 Determine whether the information security function performs annual assessments of identity management operations and receives timely reports/scorecards of identity management operations activities.

3.1.2.4 Determine whether the information security function has routinely monitored and evaluated the effectiveness of identity management operations.

3.2 Account Management
Audit/Assurance Objective: The information security function has established policies and monitoring procedures that address: requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. The process includes an approval procedure outlining the data or system owner granting the access privileges and applies to all users, including administrators (privileged users); internal and external users; normal and emergency cases; and system, shared and generic accounts.

3.2.1 User Account Management Policy
Control: The information security function has established policies and monitoring procedures to ensure the effectiveness of user account management controls.
COBIT cross-reference: PO4, DS5.4, ME3, ME4; COSO: x x x


3.2.1.1 Obtain the information security policy addressing user account management.
3.2.1.2 Determine whether procedures exist to periodically assess and recertify system and application access and authorities.
3.2.1.3 Determine whether access control procedures exist to control and manage system and application rights and privileges according to the organization’s security policies and compliance and regulatory requirements.
3.2.1.4 Determine whether user provisioning policies, standards and procedures extend to all system users and processes, including vendors, service providers and business partners.
3.2.1.5 Determine whether a data classification policy is in place.
3.2.1.5.1 Ensure that the protection controls implemented are adequate for the classification of data (refer to the classification of data policy).
3.2.1.5.2 Determine whether the data classification affecting information security is reviewed periodically.
3.2.1.5.3 Determine whether systems, applications and data have been classified by levels of importance and risk and whether process owners have been identified and assigned.
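An added example, not part of the ISACA program, of how an auditor could test step 3.2.1.2 (periodic recertification of access) together with the 3.2 objective that account management covers privileged, shared and generic accounts: it runs three checks over a constructed account extract and HR roster. The field names, the 90-day recertification period and the "named approving owner" rule are assumptions standing in for the enterprise's own policy.

```python
"""Computer-assisted audit test for user account management (added example).

Checks applied to each account in a constructed access-control extract:
  1. a personal account whose holder has left per HR must be closed;
  2. every account, including system/shared/generic ones, needs a named
     approving owner (the approval procedure described in 3.2);
  3. active privileged or non-personal accounts must have been recertified
     within RECERT_PERIOD_DAYS (assumed policy value).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

RECERT_PERIOD_DAYS = 90          # assumption: replace with the enterprise's policy
AS_OF = date(2010, 3, 31)        # constructed audit date


@dataclass(frozen=True)
class Account:
    user_id: str
    account_type: str             # "personal", "shared" or "service"
    privileged: bool
    owner: Optional[str]          # approving data/system owner, if recorded
    enabled: bool
    last_recertified: Optional[date]


# Constructed extract from the access-control system.
ACCOUNTS: List[Account] = [
    Account("jdoe", "personal", False, "finance-owner", True, date(2010, 3, 1)),
    Account("asmith", "personal", True, "it-owner", True, date(2009, 11, 15)),
    Account("bjones", "personal", False, "ops-owner", True, date(2010, 2, 20)),
    Account("batchjob", "service", True, None, True, date(2010, 2, 1)),
    Account("helpdesk", "shared", False, "support-owner", True, None),
    Account("cwhite", "personal", True, "finance-owner", False, date(2009, 12, 1)),
]

# Constructed HR roster: user_id -> termination date (None = still employed).
HR_ROSTER: Dict[str, Optional[date]] = {
    "jdoe": None,
    "asmith": None,
    "bjones": date(2010, 1, 31),
    "cwhite": date(2009, 12, 15),
}


def recertification_findings(accounts: List[Account],
                             hr_roster: Dict[str, Optional[date]],
                             as_of: date) -> List[Tuple[str, str]]:
    """Return (user_id, finding) pairs for accounts that fail the checks.

    A disabled account of a terminated user counts as closed and raises
    no finding; disabled accounts are also exempt from recertification.
    """
    cutoff = as_of - timedelta(days=RECERT_PERIOD_DAYS)
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        # Check 1: leavers. Only personal accounts map to an HR record.
        if acct.account_type == "personal":
            if acct.user_id not in hr_roster:
                findings.append((acct.user_id, "no matching HR record"))
            elif hr_roster[acct.user_id] is not None and acct.enabled:
                findings.append((acct.user_id, "enabled after termination"))
        # Check 2: owner approval applies to every account type.
        if acct.owner is None:
            findings.append((acct.user_id, "no approving owner recorded"))
        # Check 3: recertification of active privileged/shared/service accounts.
        if acct.enabled and (acct.privileged or acct.account_type != "personal"):
            if acct.last_recertified is None or acct.last_recertified < cutoff:
                findings.append((acct.user_id, "recertification overdue"))
    return findings


def sample_findings() -> List[Tuple[str, str]]:
    """Run the test over the constructed data as of AS_OF."""
    return recertification_findings(ACCOUNTS, HR_ROSTER, AS_OF)


if __name__ == "__main__":
    for user_id, issue in sample_findings():
        print(f"{user_id}: {issue}")
```

Each finding maps back to the policy element it tests, so the auditor can report against 3.2.1.2 and the 3.2 objective rather than listing raw accounts.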

3.2.2 User Account Management Operations
Control: The information security function monitors the control effectiveness of user account management operations on a timely basis and reports the operating efficiency and effectiveness.
COBIT cross-reference: DS5.4, ME1, ME2; COSO: x x x

3.2.2.1 Obtain management reports for user account management.
3.2.2.2 Assess the level of information security oversight for the operational aspects of user account management.
3.2.2.3 Determine whether a previous audit/assurance assessment of the user account management has been performed.
3.2.2.3.1 If an assessment has been performed recently, as defined by internal audit procedures, review the findings of that review, and determine whether additional findings, including failure to complete previous open recommendations, are appropriate.


3.2.2.3.2 If an assessment has not been performed, consider using the ISACA User Account Management Audit/Assurance Program to complete a detailed review.

3.2.2.3.3 If an assessment has been performed, but not within the internal audit definition of “recent,” consider reperforming key control processes to update the assessment and provide current findings.

3.3 Security Testing and Monitoring

Audit/Assurance Objective: The IT security implementation is tested and monitored in a proactive way. IT security is reaccredited in a timely manner to ensure that the approved enterprise information security baseline is maintained. A logging and monitoring function enables the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.

3.3.1 Testing

Control: Routine testing of information-security-related controls is performed in accordance with regulatory requirements and risk assessments that have identified high-risk or vulnerable assets.

COBIT: DS5.5, PO9.4, PO9.5, ME4 | COSO: x x x

3.3.1.1 Determine whether security baselines exist for all IT resources utilized by the organization.

3.3.1.2 Determine whether the baselines are based upon best practices (COBIT, ISO27001/2 and/or ITIL). If not, determine the rationale for in-house-developed baselines.

3.3.1.3 Determine whether appropriate testing is performed to validate adherence to minimum baselines.

3.3.1.4 Determine whether testing of information security assets is in conformance with compliance requirements.

3.3.1.4.1 Determine whether the regulatory compliance requirements have been documented.

3.3.1.4.2 Assess the completeness of the regulatory compliance.

3.3.1.4.3 Evaluate whether additional testing is required to be in compliance with regulatory requirements.

3.3.2 Monitoring

Control: Key information security controls are monitored on a regular and timely basis.

COBIT: PO8, DS5.5, ME1, ME2 | COSO: x x x


3.3.2.1 Determine whether all organization-critical, higher-risk network assets are routinely monitored for security events.

3.3.2.2 Determine whether the IT security management function has been integrated within the organization’s project management initiatives to ensure that security is considered in all IT projects.

3.4 Security Incident Management

Audit/Assurance Objective: The security incident management process is defined and monitored by the information security function, and an incident response team has been established and is operationally effective.

3.4.1 Incident Management Definition

Control: An incident management policy has been established that defines the classification of information security incidents and the actions to be executed when an information security incident is identified, and the process has been communicated to units who are first responders.

COBIT: DS5.6, DS8, ME4 | COSO: x x x

3.4.1.1 Determine whether the security incident management process appropriately interfaces with key organization functions, including the help desk, external service providers and network management.

3.4.1.2 Evaluate whether the security incident management process includes the following key elements:

- Event detection and classification
- Correlation of events and evaluation of threat/incident
- Resolution of threat, or creation and escalation of a work order
- Criteria for initiating the organization’s incident response process
- Who has authority to declare an incident
- Escalation procedures
- Verification and required levels of documentation of the resolution
- Postremediation analysis
- Work order/incident closure

3.4.2 Incident Management Response Team

Control: A CIRT has been established; manages emergencies; and reports the existence, cause and effect, damage assessment, and closure to the information security function.

COBIT: DS5.6, DS8, ME2, ME3 | COSO: x x x


3.4.2.1 Determine whether a CIRT exists to recognize and effectively manage security incidents. The following areas should exist as part of an effective CIRT process:

- Incident handling—General and specific procedures and other requirements to ensure effective handling of incidents and reported vulnerabilities
- Vendor relations—The role and responsibilities of vendors in incident prevention and follow-up, software flaw correction, and other areas
- Communications—Requirements, implementation and operation of emergency and routine communications channels among key members of management
- Legal and criminal investigative issues—Issues driven by legal considerations and the requirements or constraints resulting from the involvement of criminal investigative organizations during an incident
- Constituency relations—Response center support services and methods of interaction with constituents, including training and awareness, configuration management, and authentication
- Research agenda and interaction—Identification of existing research activities and requirements and rationale for needed research relating to response center activities
- Model of the threat—Development of a basic model that characterizes potential threats and risks to help focus risk reduction activities and progress in those activities
- External issues—Factors that are outside the direct control of the enterprise (e.g., legislation, policy, procedural requirements), but that could affect the operation and effectiveness of enterprise activities
- Postincident evaluation—CIRT assessment of incident response and recommended changes to the CIRT process

3.4.3 Incident Management Response Team Monitoring

Control: The information security function actively monitors CIRT activities and reports incidents, with appropriate analyses, to its direct reports.

COBIT: PO8, DS5.6, ME1, ME2 | COSO: x x x

3.4.3.1 Obtain the incident logs for a representative period of time.

3.4.3.2 Trace a representative sample of incidents per the incident/problem reporting system to the CIRT management documentation to determine that all security-related incidents have been reported to the CIRT.

3.4.3.3 Review the CIRT records for a representative period. Determine that:

- The response was timely
- The incident severity met the conditions for the response
- The remediation process closed the issue
- A risk assessment was performed, and a reasonable remediation process was executed
- An impact assessment was completed
- Escalation procedures, including the notification of affected parties, management and legal authorities, were completed in conformance with the escalation policy
- The summary of activities was reported to the appropriate governance committees
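The review in step 3.4.3.3 is usually done over a sample pulled from the incident system. The following script, added here as an illustration and not part of the ISACA program, checks a constructed set of incident records against an assumed escalation policy: a per-severity response-time SLA, and a requirement that critical and high incidents show recorded escalation and an impact assessment. The SLA values, the record layout and the sample data are assumptions; a real review takes them from the organization’s own escalation policy and ticketing export.

```python
"""Spot-check a sample of security incidents against a response-time and
escalation policy, in the spirit of step 3.4.3.3. Added example: the SLA
values, field names and incident records are assumptions, not ISACA's."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical escalation policy: maximum time from detection to first
# response per severity, and which severities must show recorded
# escalation and an impact assessment.
RESPONSE_SLA = {
    "critical": timedelta(hours=1),
    "high": timedelta(hours=4),
    "medium": timedelta(hours=24),
    "low": timedelta(hours=72),
}
ESCALATION_REQUIRED = {"critical", "high"}


@dataclass(frozen=True)
class Incident:
    incident_id: str
    severity: str
    detected: datetime
    responded: Optional[datetime]
    closed: Optional[datetime]
    escalated_to: Tuple[str, ...] = ()
    impact_assessed: bool = False


def review_incident(inc: Incident) -> List[str]:
    """Return the exceptions an auditor would note for one incident."""
    findings: List[str] = []
    sla = RESPONSE_SLA.get(inc.severity)
    if sla is None:
        # A severity outside the classification scheme cannot be judged
        # against the policy at all, which is itself a finding.
        return ["severity not in classification scheme"]
    if inc.responded is None:
        findings.append("no response recorded")
    elif inc.responded - inc.detected > sla:
        findings.append(f"response exceeded {sla} SLA")
    if inc.closed is None:
        findings.append("not closed")
    if inc.severity in ESCALATION_REQUIRED:
        if not inc.escalated_to:
            findings.append("escalation required but not recorded")
        if not inc.impact_assessed:
            findings.append("impact assessment missing")
    return findings


def review_sample(incidents: List[Incident]) -> Dict[str, List[str]]:
    """Map each incident ID to its exceptions (empty list = no exception)."""
    return {inc.incident_id: review_incident(inc) for inc in incidents}


# Constructed sample of incident records (not real data).
T0 = datetime(2010, 3, 1, 9, 0)
SAMPLE = [
    Incident("INC-1001", "critical", T0, T0 + timedelta(minutes=30),
             T0 + timedelta(days=1), ("CISO", "legal"), True),
    Incident("INC-1002", "high", T0, T0 + timedelta(hours=6),
             T0 + timedelta(days=2), (), True),
    Incident("INC-1003", "low", T0, None, None),
    Incident("INC-1004", "urgent", T0, T0, T0),
]

if __name__ == "__main__":
    for incident_id, exceptions in review_sample(SAMPLE).items():
        print(incident_id, exceptions or "no exception")
```

Each exception maps to one bullet of the step above (timeliness, closure, impact assessment, escalation); an unrecognized severity is reported on its own because it means the classification scheme of 3.4.1 was not applied.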

3.4.4 Incident Management Assessment

Control: Perform an assurance assessment of the security incident management processes.

COBIT: PO8, DS5.6, ME1 | COSO: x x

3.4.4.1 Determine whether a previous audit/assurance assessment of the incident management process has been performed.

3.4.4.1.1 If an assessment has been performed recently, as defined by internal audit procedures, review the findings of that review and determine whether additional findings are warranted, including failure to complete previously open recommendations.

3.4.4.1.2 If an assessment has not been performed, consider using the ISACA Incident Management Audit/Assurance Program to complete a detailed review.

3.4.4.1.3 If an assessment has been performed, but not within the internal audit definition of “recent,” consider reperforming key control processes to update the assessment and provide current findings.

4. INFORMATION SECURITY TECHNOLOGY MANAGEMENT

4.1 Protection of Security Technology

Audit/Assurance Objective: The information security processes ensure that security-related technology is resistant to tampering, and that documentation is only accessible to authorized individuals.

4.1.1 Security Technology Policy

Control: The information security function has defined the policies governing specific access control processes.

COBIT: DS5.7, DS9, DS11.2, DS12, ME4 | COSO: x x


4.1.1.1 Inquire whether and confirm that policies and procedures have been established to address security breach consequences (specifically, controls over configuration management, application access, data security and physical security requirements).

4.1.1.2 Obtain the policies concerning security breaches.

4.1.1.3 Determine whether appropriate disciplinary measures have been defined.

4.1.1.4 Inquire whether and confirm that the policies require annual management reviews of security features for physical and logical access to files and data.

4.1.1.5 Obtain the policy documentation.

4.1.1.6 Determine whether the policies require management reviews of security features.

4.1.1.7 Determine how the management review is documented and reported.

4.1.1.8 Determine how follow-up activities are addressed.

4.1.1.9 Inquire whether and confirm that the policies require security design features that facilitate password rules (e.g., maximum length, characters, expiration, reuse).

4.1.1.10 Obtain the policies for password rules.

4.1.1.11 Determine whether the policies are appropriate.

4.1.1.12 Determine whether data classification and job function sensitivity are a component of and affect the security design process.

4.1.2 Security Technology Monitoring

Control: Information security monitors the security technology processes to ensure adherence.

COBIT: DS5.7, ME1, ME2 | COSO: x x x

4.1.2.1 Inspect the security reports generated by the system tools used to prevent network penetration and vulnerability attacks.

4.1.2.2 Verify that information security monitors the information security processes that report access authorization and approvals.

4.1.2.3 Verify that information security monitors the regular management reviews of security features for physical and logical access to files and data.

4.1.2.4 Verify that information security receives summary reports of the activities controlling granting and approving access and logging unsuccessful attempts, lockouts, authorized access to sensitive files and/or data, and physical access to facilities. Verify that the information security function investigates repeat offenders and high-risk situations.


4.2 Cryptographic Key Management

Audit/Assurance Objective: Policies and procedures are in place to organize the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorized disclosure.

4.2.1 Key Management

Control: Key management systems are implemented to protect sensitive information and to implement mutual authentication.

COBIT: DS5.8 | COSO: x

4.2.1.1 Determine whether an encryption key management role has been established to manage the process of reviewing, distributing and disposing of keys.

4.2.1.1.1 Determine whether this role is segregated from other responsibilities and has a trained backup.

4.2.1.2 Assess whether controls over private keys exist to enforce their confidentiality and integrity. Consideration should be given to the following:

- Storage of private signing keys within secure cryptographic devices
- Private keys not exported from a secure cryptographic module
- Private keys backed up, stored and recovered only by authorized personnel using dual control in a physically secured environment

4.2.1.3 Determine whether a defined key life cycle management process exists. The process should include:

- Minimum key sizes required for the generation of strong keys
- Use of required key generation algorithms
- Identification of required standards for the generation of keys
- Purposes for which keys should be used and restricted
- Allowable usage periods or active lifetimes for keys
- Acceptable methods of key distribution
- Key backup, archival and destruction
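A practical way to test steps 4.2.1.2 and 4.2.1.3 is to take the organization’s key inventory and run it against the written key life cycle policy. The script below is an added illustration, not part of the ISACA program: it encodes an assumed policy (approved algorithms, minimum sizes, permitted purposes per key type, maximum active lifetime, and the requirement that private signing keys live in and never leave a secure cryptographic device) and reports per-key exceptions for a constructed inventory. The policy values, record layout and key records are assumptions; the auditor substitutes the organization’s own.

```python
"""Check a key inventory against a key life cycle policy of the kind step
4.2.1.3 asks for (minimum sizes, approved algorithms, permitted purposes,
active lifetimes) and the private-key controls of step 4.2.1.2. Added
example: the policy values, record layout and inventory are assumptions,
not ISACA's."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Hypothetical policy. The numbers are stated here as an assumed policy,
# not a recommendation from the audit program.
POLICY = {
    "RSA": {"min_bits": 2048, "max_days": 730, "purposes": {"signing", "key-transport"}},
    "EC":  {"min_bits": 256,  "max_days": 730, "purposes": {"signing", "key-agreement"}},
    "AES": {"min_bits": 128,  "max_days": 365, "purposes": {"encryption", "key-wrap"}},
}


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    algorithm: str
    bits: int
    purpose: str
    created: date
    in_hsm: bool        # private/secret key held in a secure cryptographic device
    exportable: bool    # key can leave that device in the clear


def check_key(rec: KeyRecord, today: date) -> List[str]:
    """Return policy exceptions for one key record."""
    rule = POLICY.get(rec.algorithm)
    if rule is None:
        return ["algorithm not approved"]
    findings: List[str] = []
    if rec.bits < rule["min_bits"]:
        findings.append(f"key size {rec.bits} below minimum {rule['min_bits']}")
    if rec.purpose not in rule["purposes"]:
        findings.append(f"purpose '{rec.purpose}' not permitted for {rec.algorithm}")
    age = (today - rec.created).days
    if age > rule["max_days"]:
        findings.append(f"active lifetime exceeded ({age} days, limit {rule['max_days']})")
    # Step 4.2.1.2: private signing keys stay inside a secure cryptographic
    # module and are never exported from it.
    if rec.purpose == "signing":
        if not rec.in_hsm:
            findings.append("private signing key not held in a secure cryptographic device")
        if rec.exportable:
            findings.append("private signing key is exportable")
    return findings


def check_inventory(records: List[KeyRecord], today: date) -> Dict[str, List[str]]:
    """Map each key ID to its exceptions (empty list = compliant)."""
    return {r.key_id: check_key(r, today) for r in records}


# Constructed inventory (not real keys or systems).
INVENTORY = [
    KeyRecord("ca-sign-01", "RSA", 4096, "signing", date(2009, 6, 1), True, False),
    KeyRecord("web-tls-02", "RSA", 1024, "signing", date(2007, 1, 15), False, True),
    KeyRecord("db-aes-03", "AES", 256, "signing", date(2010, 1, 1), True, False),
    KeyRecord("legacy-04", "DES", 56, "encryption", date(2005, 1, 1), False, True),
]

if __name__ == "__main__":
    for key_id, exceptions in check_inventory(INVENTORY, date(2010, 6, 30)).items():
        print(key_id, exceptions or "no exception")
```

Note that a compliant size and algorithm do not save a key whose purpose is wrong for its type: the purpose restriction in 4.2.1.3 is checked separately, so a symmetric key recorded as a signing key is reported even though everything else about it is in order.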

4.3 Malicious Software Prevention, Detection and Correction

Audit/Assurance Objective: Preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organization to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).


4.3.1 Malicious Software Prevention, Detection and Correction Policy

Control: Policies have been implemented to prevent, detect and remove malicious software.

COBIT: PO6, DS2, DS5.9, ME1, ME2 | COSO: x x x x

4.3.1.1 Inquire whether and confirm that a malicious software prevention policy is established, documented and communicated throughout the organization.

4.3.1.2 Ensure that policies address the implementation of automated controls to provide virus protection and that violations are appropriately communicated.

4.3.1.3 Inquire whether and confirm that policies require that protection software be centrally distributed (version and patch-level) using a centralized configuration and change management process.

4.3.1.4 Determine whether information security patch management implementation adheres to manufacturer and external/outsourced provider requirements/recommendations.

4.3.2 Malicious Software Prevention, Detection and Correction Operating Effectiveness

Control: Monitoring processes have been established to report the effectiveness of and incidents occurring from malicious software.

COBIT: PO6, DS5.9, ME1, ME2 | COSO: x x x

4.3.2.1 Inquire whether key staff members are aware of the malicious software prevention policy and their responsibility for ensuring compliance.

4.3.2.2 From a sample of user workstations, observe whether a virus protection tool has been installed and includes virus definition files and the last time the definitions were updated.

4.3.2.3 Review the distribution process against a known, up-to-date inventory to determine the operating effectiveness.

4.3.2.4 Determine the review and evaluation process by information security to monitor the operating effectiveness of the malicious software filtering process.

4.3.2.4.1 Verify whether there are processes in place for the information security function to assess the competency and training of the malware team to ensure that current threats are addressed.


4.3.2.5 Review the filtering process to determine operating effectiveness, or review the automated process established for filtering purposes.

4.3.2.6 Determine whether routine internal/external vulnerability scans are performed.

4.3.2.6.1 Review the evaluation/assessment process of the scan results.

4.3.2.7 Determine whether penetration testing is performed.

4.3.2.7.1 Review the evaluation/assessment process of the penetration testing results.
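Steps 4.3.2.2 and 4.3.2.3 come down to one reconciliation: every host in the known inventory should appear in the anti-malware console with recent definitions, and every agent reporting to the console should belong to a known host. The script below is an added illustration (not part of the ISACA program) that performs that reconciliation on a constructed console export and inventory; the export format (hostname, engine version, definitions date), the three-day freshness threshold and the host names are assumptions.

```python
"""Reconcile an anti-malware console report against the asset inventory
(steps 4.3.2.2 and 4.3.2.3): hosts with no agent reporting, hosts with
stale definitions, and agents on hosts the inventory does not know about.
Added example: the report format, freshness threshold and data are
assumptions, not ISACA's."""
from datetime import date, timedelta
from typing import Dict, List, Set

# Hypothetical standard: definitions older than this are an exception.
MAX_DEFINITION_AGE = timedelta(days=3)


def parse_console_report(text: str) -> Dict[str, date]:
    """Parse 'hostname, engine_version, YYYY-MM-DD' lines into host -> definitions date."""
    report: Dict[str, date] = {}
    for line in text.strip().splitlines():
        host, _engine, defs = (field.strip() for field in line.split(","))
        report[host.lower()] = date.fromisoformat(defs)
    return report


def reconcile(inventory: Set[str], report: Dict[str, date], today: date) -> Dict[str, List[str]]:
    """Group exceptions by type; each value is a sorted list of host names."""
    inv = {h.lower() for h in inventory}
    reported = set(report)
    return {
        # In the inventory but never checked in: agent missing or broken.
        "not_reporting": sorted(inv - reported),
        # Known host whose definitions are older than the standard allows.
        "stale_definitions": sorted(
            h for h, d in report.items()
            if h in inv and today - d > MAX_DEFINITION_AGE
        ),
        # Agent reporting from a host the inventory does not list.
        "unknown_host": sorted(reported - inv),
    }


# Constructed data (not real hosts).
INVENTORY = {"ws-001", "ws-002", "ws-003", "srv-db-01"}
CONSOLE_REPORT = """
ws-001, 10.2.1, 2010-06-29
ws-002, 10.2.1, 2010-06-10
srv-db-01, 10.1.9, 2010-06-30
lab-007, 10.2.1, 2010-06-30
"""
TODAY = date(2010, 6, 30)

if __name__ == "__main__":
    for kind, hosts in reconcile(INVENTORY, parse_console_report(CONSOLE_REPORT), TODAY).items():
        print(kind, hosts)
```

The inventory has to be independently maintained (4.3.2.3 says "known, up-to-date"); reconciling the console against itself would never surface the hosts that are not reporting, which are exactly the ones an attacker targets.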

4.4 Network Security

Audit/Assurance Objective: Information security management is included in the selection, implementation and approval of security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.

4.4.1 Network Security

Control: Information security management is actively involved and approves network security policies.

COBIT: DS1, DS5.10, DS9, ME2, ME3, ME4 | COSO: x x x

4.4.1.1 Inquire whether and confirm that network security policies (e.g., provided services, allowed traffic, types of connections permitted) have been established with the approval of and monitored by the information security function.

4.4.1.2 Determine whether a previous audit/assurance assessment of the network perimeter process has been performed.4.4.1.2.1 If an assessment has been performed recently, as defined by internal audit

procedures, review the findings of that review, and determine if additional findings, including failure to complete previous open recommendations, are appropriate.

4.4.1.2.2 If an assessment has not been performed, consider using the ISACA Network Perimeter Audit/Assurance Program to complete a detailed review.

4.4.1.2.3 If an assessment has been performed, but not within the internal audit definition of “recent,” consider reperforming key control process to update the assessment and provide current findings.

4.4.1.3 Inquire whether and confirm that information security policies have been implemented such that corporate data are classified according to exposure level and classification scheme (e.g., confidential, sensitive).

4.4.1.4 Determine that sensitive data incidents have been reported to information security management.

4.4.1.4.1 Scan the problem log, identifying sensitive data incidents.

4.4.1.4.2 Trace the incident through the CIRT process to management reports.

4.5 Exchange of Sensitive Data

Audit/Assurance Objective: Information security has approved policies concerning exchange of sensitive transaction data through a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and nonrepudiation of origin. All incidents involving the exchange of sensitive data are reported through the incident reporting system and are directed to the CIRT.

4.5.1 Exchange of Sensitive Data

Control: Information security management is actively involved and approves exchange of sensitive data policies.

COBIT: DS5.11 | COSO: x x x

4.5.1.1 Inquire whether and confirm that policies addressing data transmissions outside the organization require an encrypted format prior to transmission.

4.5.1.2 Inquire whether and confirm that information security policies have been implemented such that corporate data are classified according to exposure level and classification scheme (e.g., confidential, sensitive).

4.5.1.3 Determine that sensitive data incidents have been reported to information security management.

4.5.1.4 Scan the problem log, identifying sensitive data incidents.

4.5.1.5 Trace the incident through the CIRT process to management reports.


VII. Maturity Assessment

The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of audit/assurance review, and the reviewer’s observations, assign a maturity level to each of the following COBIT control practices.

Columns: COBIT Control Practice | Assessed Maturity | Target Maturity | Reference Hyper-link | Comments

DS5.1 Management of IT Security

1. Define a charter for IT security, defining for the security management function:

- Scope and objectives for the security management function
- Responsibilities
- Drivers (e.g., compliance, risk, performance)

2. Confirm that the board, executive management and line management direct the policy development process to ensure that the IT security policy reflects the requirements of the business.

3. Set up an adequate organisational structure and reporting line for information security, ensuring that the security management and administration functions have sufficient authority. Define the interaction with enterprise functions, particularly the control functions such as risk management, compliance and audit.

4. Implement an IT security management reporting mechanism, regularly informing the board and business and IT management of the status of IT security so that appropriate management actions can be taken.

DS5.2 IT Security Plan

1. Define and maintain an overall IT security plan that includes:

- A complete set of security policies and standards in line with the established information security policy framework
- Procedures to implement and enforce the policies and standards
- Roles and responsibilities
- Staffing requirements
- Security awareness and training
- Enforcement practices
- Investments in required security resources

2. Collect information security requirements from IT tactical plans (PO1), data classification (PO2), technology standards (PO3), security and control policies (PO6), risk management (PO9), and external compliance requirements (ME3) for integration into the overall IT security plan.

3. Translate the overall IT security plan into enterprise information security baselines for all major platforms and integrate it into the configuration baseline (DS9).

4. Provide information security requirements and implementation advice to other processes, including the development of SLAs and OLAs (DS1 and DS2), automated solution requirements (AI1), application software (AI2), and IT infrastructure components (AI3).

5. Communicate to all stakeholders and users in a timely and regular fashion on updates of the information security strategy, plans, policies and procedures.

DS5.3 Identity Management

1. Establish and communicate policies and procedures to uniquely identify, authenticate and authorise access mechanisms and access rights for all users on a need-to-know/need-to-have basis, based on predetermined and preapproved roles. Clearly state accountability of any user for any action on any of the systems and/or applications involved.

2. Ensure that roles and access authorisation criteria for assigning user access rights take into account:

- Sensitivity of information and applications involved (data classification)
- Policies for information protection and dissemination (legal, regulatory, internal policies and contractual requirements)
- Roles and responsibilities as defined within the enterprise
- The need-to-have access rights associated with the function
- Standard but individual user access profiles for common job roles in the organisation
- Requirements to guarantee appropriate segregation of duties

3. Establish a method for authenticating and authorising users to establish responsibility and enforce access rights in line with sensitivity of information and functional application requirements and infrastructure components, and in compliance with applicable laws, regulations, internal policies and contractual agreements.

4. Define and implement a procedure for identifying new users and recording, approving and maintaining access rights. This needs to be requested by user management, approved by the system owner and implemented by the responsible security person.

5. Ensure that a timely information flow is in place that reports changes in jobs (i.e., people in, people out, people change). Grant, revoke and adapt user access rights in co-ordination with human resources and user departments for users who are new, who have left the organisation, or who have changed roles or jobs.

DS5.4 User Account Management

1. Ensure that access control procedures include but are not limited to:

- Using unique user IDs to enable users to be linked to and held accountable for their actions
- Awareness that the use of group IDs results in the loss of individual accountability, and that group IDs are permitted only when justified for business or operational reasons and compensated by mitigating controls. Group IDs must be approved and documented
- Checking that the user has authorisation from the system owner for the use of the information system or service, and the level of access granted is appropriate to the business purpose and consistent with the organisational security policy
- A procedure to require users to understand and acknowledge their access rights and the conditions of such access
- Ensuring that internal and external service providers do not provide access until authorisation procedures have been completed
- Maintaining a formal record, including access levels, of all persons registered to use the service
- A timely and regular review of user IDs and access rights

2. Ensure that management reviews or reallocates user access rights at regular intervals using a formal process. User access rights should be reviewed or reallocated after any job changes, such as transfer, promotion, demotion or termination of employment. Authorisations for special privileged access rights should be reviewed independently at more frequent intervals.
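The periodic review that DS5.4 requires (and that step 3.2.1.2 tests for) is a reconciliation of the account list against HR and against the access policy. The following script is an added illustration, not ISACA's: it runs a constructed account export against a constructed HR active-staff list and reports enabled accounts whose owner has left, group IDs with no documented justification, dormant accounts, and accounts whose recertification is overdue, with a shorter period for privileged access as DS5.4 practice 2 requires. The 90/365-day periods, the record layout and the sample data are assumptions.

```python
"""Periodic user ID and access-rights review of the kind DS5.4 and step
3.2.1.2 call for: reconcile accounts against HR, flag undocumented group
IDs, dormant accounts and overdue recertifications. Added example: the
review periods, record layout and data are assumptions, not ISACA's."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Hypothetical policy periods. DS5.4 only says privileged access is
# reviewed "at more frequent intervals"; the numbers are assumed.
RECERT_PERIOD = {"privileged": timedelta(days=90), "standard": timedelta(days=365)}
DORMANT_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Account:
    user_id: str
    kind: str                        # "personal", "group" or "service"
    owner: Optional[str]             # HR employee ID of the person or the approving owner
    enabled: bool
    privileged: bool
    last_login: Optional[date]
    last_recertified: Optional[date]
    group_justification: Optional[str] = None


def review_account(acct: Account, active_staff: Set[str], today: date) -> List[str]:
    """Return the exceptions for one enabled account (disabled accounts are skipped)."""
    findings: List[str] = []
    if not acct.enabled:
        return findings
    # Leaver check: a personal account must belong to someone HR still lists.
    if acct.kind == "personal" and acct.owner not in active_staff:
        findings.append("enabled account for user not in active HR list")
    # Group IDs lose individual accountability and need a documented reason.
    if acct.kind == "group" and not acct.group_justification:
        findings.append("group ID without documented business justification")
    if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
        findings.append("dormant account")
    period = RECERT_PERIOD["privileged" if acct.privileged else "standard"]
    if acct.last_recertified is None or today - acct.last_recertified > period:
        findings.append(f"recertification overdue (period {period.days} days)")
    return findings


def review_accounts(accounts: List[Account], active_staff: Set[str], today: date) -> Dict[str, List[str]]:
    """Map each user ID to its exceptions (empty list = no exception)."""
    return {a.user_id: review_account(a, active_staff, today) for a in accounts}


# Constructed data (not real people or systems).
ACTIVE_STAFF = {"E100", "E101", "E102"}
TODAY = date(2010, 6, 30)
ACCOUNTS = [
    Account("jdoe", "personal", "E100", True, False, date(2010, 6, 28), date(2010, 1, 10)),
    Account("asmith", "personal", "E999", True, True, date(2010, 6, 1), date(2010, 2, 1)),
    Account("ops-shared", "group", "E101", True, True, date(2010, 6, 29), date(2010, 5, 1)),
    Account("backup-svc", "service", "E102", True, False, None, date(2009, 1, 1)),
    Account("old-temp", "personal", "E555", False, False, None, None),
]

if __name__ == "__main__":
    for user_id, exceptions in review_accounts(ACCOUNTS, ACTIVE_STAFF, TODAY).items():
        print(user_id, exceptions or "no exception")
```

Service accounts are deliberately not subjected to the leaver check (their owner is an approving system owner rather than the person using them), but they still get the dormancy and recertification checks, which is where orphaned service accounts usually surface.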

DS5.5 Security Testing, Surveillance And Monitoring

1. Implement monitoring, testing, reviews and other controls to:

- Promptly prevent/detect errors in the results of processing
- Promptly identify attempted, successful and unsuccessful security breaches and incidents
- Detect security events and thereby prevent security incidents by using detection and prevention technologies
- Determine whether the actions taken to resolve a breach of security are effective

2. Conduct effective and efficient security testing procedures at regular intervals to:

- Verify that identity management procedures are effective
- Verify that user account management is effective
- Validate that security-relevant system parameter settings are defined correctly and are in compliance with the information security baseline
- Validate that network security controls/settings are configured properly and are in compliance with the information security baseline
- Validate that security monitoring procedures are working properly
- Consider, where necessary, obtaining expert reviews of the security perimeter

DS5.6 Security Incident Definition

1. Describe what a security incident is considered to be. Document within the characteristics a limited number of impact levels to allow commensurate response. Communicate and distribute this information, or relevant parts thereof, to identified people who need to be notified.

2. Ensure that security incidents and appropriate follow-up actions, including root cause analysis, follow the existing incident and problem management processes.

3. Define measures to protect confidentiality of information related to security incidents.

DS5.7 Protection Of Security Technology

1. Ensure that all hardware, software and facilities related to the security function and controls, e.g., security tokens and encryptors, are tamperproof.

2. Secure security documentation and specifications to prevent unauthorised access. However, do not make security of systems reliant solely on secrecy of security specifications.

3. Make the security design of dedicated security technology (e.g., encryption algorithms) strong enough to resist exposure, even if the security design is made available to unauthorised individuals.

4. Evaluate the protection mechanisms on a regular basis (at least annually) and perform updates to the protection of the security technology, if necessary.

DS5.8 Cryptographic Key Management

1. Ensure that there are appropriate procedures and practices in place for the generation, storage and renewal of the root key, including dual custody and observation by witnesses.

2. Make sure that procedures are in place to determine when a root key renewal is required (e.g., the root key is compromised or expired).

3. Create and maintain a written certification practice statement that describes the practices that have been implemented in the certification authority, registration authority and directory when using a public-key-based encryption system.

4. Create cryptographic keys in a secure manner. When possible, enable only individuals not involved with the operational use of the keys to create the keys. Verify the credentials of key requestors (e.g., registration authority).

5. Ensure that cryptographic keys are distributed in a secure manner (e.g., offline mechanisms) and stored securely, that is:

- In an encrypted form regardless of the storage media used (e.g., write-once disk with encryption)
- With adequate physical protection (e.g., sealed, dual custody vault) if stored on paper

6. Create a process that identifies and revokes compromised keys. Notify all stakeholders as soon as possible of the compromised key.

7. Verify the authenticity of the counterparty before establishing a trusted path.

DS5.9 Malicious Software Prevention, Detection And Correction

1. Establish, document, communicate and enforce a malicious software prevention policy in the organisation. Ensure that people in the organisation are aware of the need for protection against malicious software, and their responsibilities relative to same.

2. Install and activate malicious software protection tools on all processing facilities, with malicious software definition files that are updated as required (automatically or semi-automatically).

3. Distribute all protection software centrally (version and patch-level) using centralised configuration and change management.

4. Regularly review and evaluate information on new potential threats.

5. Filter incoming traffic, such as e-mail and downloads, to protect against unsolicited information (e.g., spyware, phishing e-mails).

DS5.10 Network Security

1. Establish, maintain, communicate and enforce a network security policy (e.g., provided services, allowed traffic, types of connections permitted) that is reviewed and updated on a regular basis (at least annually).

2. Establish and regularly update the standards and procedures for administering all networking components (e.g., core routers, DMZ, VPN switches, wireless).

3. Properly secure network devices with special mechanisms and tools (e.g., authentication for device management, secure communications, strong authentication mechanisms). Implement active monitoring and pattern recognition to protect devices from attack.

4. Configure operating systems with minimal features enabled (e.g., features that are necessary for functionality and are hardened for security applications). Remove all unnecessary services, functionalities and interfaces (e.g., graphical user interface [GUI]). Apply all relevant security patches and major updates to the system in a timely manner.

5. Plan the network security architecture (e.g., DMZ architectures, internal and external network, IDS placement and wireless) to address processing and security requirements. Ensure that documentation contains information on how traffic is exchanged through systems and how the structure of the organisation’s internal network is hidden from the outside world.

6. Subject devices to reviews by experts who are independent of the implementation or maintenance of the devices.

DS5.11 Exchange Of Sensitive Data

1. Determine by using the established information classification scheme how the data should be protected when exchanged.

2. Apply appropriate application controls to protect the data exchange.

3. Apply appropriate infrastructure controls, based on information classification and technology in use, to protect the data exchange.


VIII. Assessment Maturity vs. Target Maturity

This spider graph is an example of the assessment results and maturity target for a specific company.
