C

h
r
i
s
t
i
a
n

R
e
i
n
a
,

C
I
S
S
P

C
I
S
A

s
u
m
m
a
r
y

V
e
r
s
i
o
n

1
.
0

Thisdocumentmaybeusedonlyforinformational,trainingandnoncommercialpurposes.Youarefreetocopy,distribute,publishandalterthisdocumentundertheconditionsthatyougivecredittotheoriginalauthor.
2010ChristianReina,CISSP.

D
o
m
a
i
n

I
T

G
o
v
e
r
n
a
n
c
e

Collection of top-down activities intended to control the IT
organization from a strategic perspective.
Policy
Priorities
Standards
Vendor Management
Program/Project Management

IT Strategy Committee
Advise board of directors on strategies.

Balanced Scorecard
Measure performance and effectiveness.
Business contribution: Perception from Non-IT
executives
User: Satisfaction
Operational excellence: downtime, defects, support
tickets
Innovation: increase IT value w/ innovation

Information Security Governance
Roles and responsibilities
Board of Directors: risk appetite and risk management
Steering Committee: Operational strategy for security
and risk management
CISO: conducting risk assessment, developing security
policy, vulnerability management, incident
management, compliance
Employees: Comply with policies

Enterprise Architecture (EA)
Map business functions into the IT environment as a model.
Activities to ensure business needs are met

Zachman Model
IT Systems and environments are described at a high, functional
level, and then in increasing detail

DFD
Illustrate the flow of information

Risk Management
Seek, identify, and manage risk.
Accept
Mitigate
Transfer
Avoid

Risk Management Program
Objectives: reduce costs, incidents
Scope
Authority: Executive level of commitment
Resources:
Policies, processes, procedures, and records

Risk Management Process

1. Asset Identification: Equipment, information, records,
reputation, personnel
o Grouping Assets
o Sources of asset data: Interviews, IT
systems, Online data
o Organizing data: Business process,
Geography, OU, Sensitivity, Regulated
2. Risk Anal ysis
o Threat anal ysis: All threats with realistic
opportunity of occurrence
o Vulnerability Identification: Ranked by
severity or criticality
o Probability analysis: Requires research to
develop best guesses
o Impact anal ysis: Study of estimating the
impact of specific threats on specific assets
o Qualitati ve: Subjective using numeric scale
o Quantitati ve:
Asset Value (AV)
Exposure Factor (EF)
Single Loss Expectancy (SLE): AV
x EF
Annualized rate of occurrence
(ARO)
Annualized loss expectancy (ALE):
SLE x ARO
3. Risk Treatments
o Risk Mitigation
o Risk Transfer
o Risk Avoidance
o Risk Acceptance
o Residual Risk

IT Management Practices

1. Personnel Management
a. Hiring: Background check, Employee Policy
Manual, J ob Description
b. Employee Development: Training,
Performance evaluation, Career path
c. Mandatory vacations: Audit, cross training,
reduced risk
d. Termination
e. Transfers and reassignments
2. Sourcing
a. Insource
b. Outsource: risks, SLA, policy, governance
(service level agreements, change
management, security, quality, audits), SaaS
3. Change Management
a. Request
b. Review
c. Approve
d. Perform change
e. Verify change
4. Financial Management
a. Develop
b. Purchase
c. Rent
5. Quality Management
a. Software development
b. Software acquisition
c. Service desk
d. IT operations
e. Security
f. Standards:
i. ISO 9000: Superseded by ISO
9001:2008 Quality Management
System
ii. ISO 20000: IT Service
Management for organization
adopting ITIL
iii. ITIL
1. Service Delivery
2. Control Processes
3. Release Processes
4. Relationship Processes
5. Resolution Processes
6. Security Management
a. Security Governance
b. Risk Assessment
c. Incident Management
d. Vulnerability Management
e. Access and Identity management
f. Compliance management


D
o
m
a
i
n

I
T

G
o
v
e
r
n
a
n
c
e

g. BCP
7. Performance Management
a. COBIT
b. SEI CMMI


Roles and Responsibilities

1. Executi ve Management: CIO, CTO, CSO, CISO, CPO
2. Software Development: Architect, Analyst, developer,
programmer, tester
3. Data Management: architect, DBA, analyst
4. Network Management: architect, engineer,
administrator, telecom
5. Systems Management: architect, engineer, storage,
systems administrator
6. Operations: manager, analyst, controls analyst, data
entry, media librarian
7. Security Operations: architect, engineer, analyst,
account management, auditor
8. Service Desk: Help desk, technical support

Segregation of Duties Controls
1. Transaction authorization
2. Split custody
3. Workflow: extra approval
4. Periodic reviews


Auditing IT Governance

1. Reviewing Documentation and Records:
a. IT Charter, strategy
b. IT org chart
c. HR/IT performance
d. HR promotion policy
e. HR manuals
f. Life-cycle processes and procedures
g. IT operations procedures
h. IT procurement process
i. Quality management documents
2. Reviewing Contracts
a. Service levels
b. Quality levels
c. Right to audit
d. 3
rd
party audit
e. Conformance to policies, laws, regulations
f. Incident notification
g. Liabilities
h. Termination terms
i. Protection of PII

3. Reviewing Outsourcing
a. Distance
b. Lack of audit contract terms
c. Lack of cooperation






m
a
i
n

T
h
e

A
u
d
i
t

P
r
o
c
e
s
s

Assess and evaluate the effectiveness of IT

AUDIT MANAGEMENT

The Audit Charter: Define roles and responsibilities. Sufficient
authority

The Audit Program: scope, objectives, resources, procedures

Strategic Audit Planning:
Factors: Business goals and objectives, Initiatives,
market conditions, changes in technology, regulatory
requirements.
Changes in Audit Activities: New internal audits, new
external audits, increase in audit scope, impact on
business process
Resource planning: Budget and manpower

Audit and Technology: Continue learning about new
technologies

Audit Laws and Regulations:
Characteristics: Security, Integrity, Privacy
Computer Security and Privacy Regulations:
o Categories: Computer trespass, protection of
sensitive information, collection and use of
information, law enforcement investigative
powers
o Consequences: Loss of reputation,
competitive advantage, sanctions, lawsuits,
fines, prosecution

An organization should take a systematic approach to determine
the applicability of regulations as well as the steps required to
attain compliance and remain in this state.

US Regulations:
Access Device Fraud 1984
Computer Fraud and Abuse Act 1984
Electronic Communications Act 1986
Electronic Communications Privacy Act (ECPA) 1986
Computer Security Act 1987
Computer Matching and Privacy Protection Act 1988
Communications Assistance for Law Enforcement Act
(CALEA) 1994
Economic and Protection of Proprietary Information Act
1996
Health Insurance Portability and Accountability Act
(HIPPA) 1996
Childrens Online Privacy Protection Act (COPPA) 1998
Identity Theft and Assumption Deterrence Act 1998
Gramm-Leach-Bliley Act 1999
Federal Energy Regulatory Commission (FERC)

Provide Appropriate Tools Required to Intercept and
Obstruct Terrorism Act (PATRIOT) 2001
Sarbanes-Oxley Act 2002
Federal Information Security Management Act (FISMA)
2002
Controlling the Assault of Non-Solicited Pornography
and Marketing Act (CAN-SPAM) 2003
California Privacy Act SB1386 2003
Identity Theft and Assumption Deterrence Act 2003
Basel II 2004
Payment Card Industry Data Security Standard (PCI-
DSS) 2004
North American Electric Reliability Corporation (NERC)
1968/2006
Massachusetts Security Breach Law 2007

Canadian Regulations:
Interception of Communications Section 184
Unauthorized Use of Computer, Section 342.1
Privacy Act 1983
Personal Information Protection and Electronic
Documents Act (PIPEDA)

European Regulations
Convention for the Protection of Individuals with Regard
to Automatic Processing of Personal Data 1981
Computer Misuse Act (CMA) 1990
Directive on the Protection of Personal Data 2003
European Union
Data Protection Act (DPA) 1998
Regulation of Investigatory Powers Act 2000
Anti-Terrorism Crime and Security Act 2001
Privacy and Electronic Communications Regulations
2003
Fraud Act 2006
Police and J ustice Act 2006

Other Regulations
Cybercrime Act 2001 Australia
Information Technology Act 2000 India

ISACA AUDITING STANDARS

Code of Ethics:

Members and ISACA certification holders shall:

1. Support the implementation of, and
encourage compliance with, appropriate
standards, procedures and controls for
information systems.
2. Perform their duties with objectivity, due
diligence and professional care, in
accordance with professional standards and
best practices.

3. Serve in the interest of stakeholders in a
lawful and honest manner, while maintaining
high standards of conduct and character, and
not engage in acts discreditable to the
profession.
4. Maintain the privacy and confidentiality of
information obtained in the course of their
duties unless disclosure is required by legal
authority. Such information shall not be used
for personal benefit or released to
inappropriate parties.
5. Maintain competency in their respective fields
and agree to undertake only those activities,
which they can reasonably expect to
complete with professional competence.
6. Inform appropriate parties of the results of
work performed; revealing all significant facts
known to them.
7. Support the professional education of
stakeholders in enhancing their
understanding of information systems security
and control.


Audit Standards

S1, Audit Charter
S2, Independence
S3, Professional Ethics and Standards
S4, Professional Competence
S5, Planning
S6, Performance of Audit Work
S7, Reporting
S8, Follow-up Activities
S9, Irregularities and Illegal Acts
S10, IT Governance
S11, Use of Risk Assessment in Audit Planning
S12, Audit Materiality
S13, Use the Work of Other Experts
S14, Audit Evidence
S15, IT Controls
S16, E-Commerce

Audit Guidelines

G1, Using the Work of Other Auditors
G2, Audit Evidence Requirement
G3, Use of Computer-Assisted Audit Techniques
(CAATs)
G4, Outsourcing of IS Activities to Other Organizations
G5, Audit Charter
G6, Materiality Concepts for Auditing IS
G7, Due Professional Care
G8, Audit Documentation

D
o
m
a
i
n

T
h
e

A
u
d
i
t

P
r
o
c
e
s
s

G9, Audit Considerations for Irregularities and Illegal
Acts
G10, Audit Sampling
G11, Effect of Pervasive IS Controls
G12, Organizational Relationship and Independence
G13, Use of Risk Assessment in Audit Planning
G14, Application Systems Review
G15, Planning
G16, Effect of Third Parties on an Organizations IT
Controls
G17, Efect of Nonaudit Role on the IS Auditors
Independence
G18, IT Governance
G19, Irregularities and Illegal Acts
G20, Reporting
G21, Enterprise Resource Planning (ERP) Systems
Review
G22, Business to Consumer (B2C) E-Commerce
Review
G23, SDLC Review
G24, Internet Banking
G25, Review of VPN
G26, Business Process Reengineering (BRP) Review
G27, Mobile Computing
G28, Computer Forensics
G29, Post-implementation Review
G30, Competence
G31, Privacy
G32, BCP
G33, General Consideration on the Use of the Internet
G34, Responsibility, Authority, and Accountability
G35, Follow up Activities
G36, Biometric Controls
G37, Configuration Management
G38, Access Controls
G39, IT Organization
G40, Review of Security Management Practices

Audit Procedures

P1, Risk Assessment
P2, Digital Signature and Key management
P3, IDS
P4, Viruses
P5, Control Risk Self-Assessment
P6, Firewall
P7, Irregularities and Illegal Acts
P8, Security Assessment (Pen test, vulnerability
analysis)
P9, Encryption

P10, Business Application Change Control
P11, Electronic Funds Transfer

RISK ANALYSIS

Evaluating Business Processes
Identifying Business Risks
Risk Mitigation
Countermeasures Assessment
Monitoring

INTERNAL CONTROLS


Control Classification
o Types: Technical, Administrative, Physical
o Classes: Preventative, Detective, Deterrent,
Corrective, Compensating, Recovery
o Categories: Manual, Automatic
Internal Control Objecti ves: Statements of desired
outcomes from business operations. Protection of IT
assets, Availability of IT systems
o IS Control Objectives: Protection of
information from unauthorized personnel,
Integrity of Operating Systems
General Computing Controls: GCCs are controls that
apply across all applications and services. Passwords
are encrypted, Strong passwords
IS Controls: Each GCC is mapped to a specific IS
control on each system type.

PERFORMING AN AUDIT

Formal Planning:
o Purpose
o Scope
o Risk Analysis
o Audit procedures
o Resources
o Schedule
Types
o Operational
o Financial
o IS audit
o Administrative
o Compliance
o Forensic
o Service provider
o Pre-audit
Compliance vs. Substanti ve Testing
o Compliance: Determine if control procedures
have been properly designed and
implemented and operating properly.
o Substantive: Determine accuracy and
integrity of transactions that flow through
processes and information systems
Audit Methodology
o Audit Subject
o Audit Objective
o Audit type
o Audit Scope
o Pre-Audit planning
o Audit SoW
o Audit Procedures
o Communication plan
o Report preparation
o Wrap-up
o Post-audit Follow-up
Audit Evidence
o Independence of the evidenceprovider
o Qualifications of the evidence provider
o Objectivity
o Timing
Gathering Evidence
o Org Chart
o Review dept and project charters
o Review 3
rd
party contracts
o Review IS policies and procedures
o Review IS Standards


D
o
m
a
i
n

T
h
e

A
u
d
i
t

P
r
o
c
e
s
s

o Review IS documentation
o Personnel Interviews
o Passive observation
Observing Personnel
o Real tasks
o Skills and experience
o Security awareness
o Segregation of Duties
Sampling
o Statistical: Reflect the entire population
o J udgmental: Subjectively selects samples
based on established criteria
o Attribute: Samples are examined and a
specific attribute is chosen
o Variable: Determine the characteristic of a
given population to determine total value
o Stop-or-go: Sampling can stop at the earliest
possible time due to low risk and rate of
exceptions
o Discovery: Trying to find at least one
exception in a population
o Stratified: Create different classes and review
one attribute common to all classes
Computer-Assisted Audit: CAATs help examine and
evaluate data across complex environments
Reporting Audit Results
o Cover letter
o Intro
o Summary
o Description
o Listing of systems and processes examined
o Listing of interviewees
o Listing of evidence obtained
o Explanation of sampling technique
o Description of findings and recommendations
Audit Risk
o Control risk: undetected error by an internal
control
o Detection risk: IS auditor will overlook errors
o Inherent risk: Inherent risks exist independent
of the audit.
o Overall audit risk: summation of all of the
residual risks
o Sampling risk: sampling technique will not
detect
Materiality: A monetary threshold in financial audits

CONTROL SELF-ASSESSMENT
Methodology used by an organization to review key business
objectives, and the key controls designed to manage those risks.

Advantages
o Risks detected earlier
o Improvement of internal controls

o Ownership of controls
o Improved employee awareness
o Improved relationship between
departments and auditors
Disadvantages
o Mistaken as a substitute for internal audit
o May be considered extra work
o May be considered an attempt by an
auditor to shrug off responsibilities
o Lack of employee involvement has no
results
Life Cycle
o Identify and assess risks
o Identify and assess controls
o Develop questionnaire or workshop
o Analyze completed questionnaire
o Control remediation
o Awareness training


D
o
m
a
i
n

I
T

L
i
f
e

C
y
c
l
e

M
a
n
a
g
e
m
e
n
t

Organizations methodologies and practices for the development
and management of software, infrastructure, and business
processes.

PORTFOLIO AND PROGRAM MANAGEMENT:

A program is an organization of many large, complex activities,
and can be thought of as a set of projects that work to fulfill one or
more key business objectives or goals.

Starting a Program:
o Program charter
o Identification of available resources
Running a Program:
o Monitoring project schedules
o Managing project budgets
o Managing resources
o Identifying and managing conflicts
o Creating status reports
Project Portfolio Management
o Executive sponsor
o Program manager
o Project manager
o Start and end dates
o Names of participants
o Objectives or goals that the project supports
o Budget
o Resources
o Dependencies
Business Case development
o Business problem
o Feasibility study results
o High-level project plan
o Budget
o Metrics
o Risks

PROJECT MANAGEMENT

Organizing Projects
Direct report: Project team leader
Influencer: Influence members but
does not manage them directly
Pure project: Given authority
Matrix: Authority over each project
team member
o Initiating a project
Developing Project Objecti ves
o Object Breakdown Structure (OBS): Visual
representation of the system, software, or
application, in a hierarchical form.
o Work Breakdown Structure (WBS): Logical
representation of the high-level and detailed
tasks that must be performed to complete the
project.

Managing Projects
o Managing the project schedule
o Recording task completion
o Running project meetings
o Tracking project expenditures
o Communicating project status
Project Roles and Responsibilities
o Senior management: support the approval of
the project
o IT steering committee: Commission the
feasibility study, approve project
o Project manager
o Project team members
o End-user management: Assign staff to the
project team. Support development of cases
o End users
o Project sponsor: define project objectives,
provide budget
o Systems development management
o System developers
o Security manager
o IT Operations
Project Planning
Task identification
Task estimation
Task resources
Task dependencies
Milestone tracking
Task tracking
o Estimating and sizing software projects
Object Breakdown Structure (OBS)
Work Breakdown Structure (WBS)
Source Lines of Code (SLOC):
accurate estimate based on
previous analysis for the time to
develop a program.
COCOMO: Constructive Cost
Model method for estimating
software development projects

Function Point Analysis (FPA):
time-proven estimation technique
for larger software projects. It
studies the detailed design
specifications for an application
program and counts the number of
user inputs, user outputs, user
queries, files, and external
interfaces.

Other costs: development tools,
workstations, servers, software
licenses, network devices, training,
equipment
o Scheduling Project Tasks: Critical phase
Gantt Chart
Program Evaluation and Review
Technique (PERT)
Critical path Methodology (CPM): It
is important to identify the critical
path in a project, because this
allows the project manager to
understand which tasks are most
likely to impact the project schedule
and to determine when the project
will finally conclude.
Timebox Management: A period in
which a project must be completed.
o Project Records:
Project plans
Project changes
Meetings agendas and minutes
Resource consumption
Task information
o Project Documentation: Helps users, support
staff, IT operations, developers, and auditors
o Project Change Management: The
procedures for making changes to the project
should be done in two basic steps:
The project team should identify the
specific use, impact, and remedy.
Make a formal request
This change request should be
presented to management along
with its impact. Management
should make a decision.
o Project closure
Project debrief
Project documentation archival
Management review
Training
Formal turnover to users,
operations and support
o Methodologies
Project Management Body of
Knowledge (PMBOK): Process
based
Processes:
o Inputs
o Techniques
o Outputs

D
o
m
a
i
n

I
T

L
i
f
e

C
y
c
l
e

M
a
n
a
g
e
m
e
n
t

Process groups
Initiating
Planning
Executing
Controlling and
monitoring
Closing
o Projects IN Controlled Environments
(PRINCE2): Project management framework
Starting up a project (SU)
Planning (PL)
Initiating a project (IP)
Directing a project (DP)
Controlling a stage (CS)
Managing product delivery (MP)
Managing Stage Boundaries (SB)
Closing a project (CP)
Scrum: Iterative and incremental
process most commonly used to
project manage an agile software
development effort.
Scrum master: this is the
project manager
Product owner: This is
the customer
Team
Users
Stakeholders
Managers

SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC)

1. Feasibility Study: Determine whether a specific
change or set of changes in business processes and
underlying applications is practical to undertake.
o Time required to develop / acquire software
o A comparison between the cost of developing
the application vs buying
o Whether an existing system can meet the
business need
o Whether the application supports strategic
business objectives
o Whether a solution can be developed that is
compatible with other IT systems
o The impact of the proposed changes to the
business on regulatory compliance
o Whether future requirements can be met by
the system
2. Requirements: Characteristics of a new application or
changes being made.
o Business functional requirements: Must have
to support the business
o Technical requirements and standards: Use
the same basic technologies already in use
as well as formal technical standards.
o Security and Regulatory Requirements:
Authentication
Authorization

Access control
Encryption
Data validation
Audit logging
Security operational requirements
o DR/BCP Requirements
o Privacy Requirements
o RFP Process: Request For Proposal
Requirements
Vendor financial stability
Product roadmap
Experience
Vision
References
Questions for clients:
Satisfaction with
installation
Satisfaction with
migration
Satisfaction with support
Satisfaction with long-
term roadmap
What went well
What did not go well
Contract negotiation
Closing the RFP
3. Design: A top down approach
4. Development:
Coding the application
Developing program and system
level documents
Developing user procedures
Working with users
Developing in a software
acquisition setting:
Customizations
Interfaces of other
systems
Authentication
Reports
Debugging
Correct operations
Input validation
Proper output validation
Resource usage
Source Code Management (SCM)
Protection
Control
Version control
Recordkeeping
5. Testing

o Unit testing: by developers during the coding
phase. Should be a part of the development
of each module in the application.
o System testing: end to end testing. Includes
interface testing, migration testing.
o Functional testing: Verification of functional
requirements
o User Acceptance Testing (UAT): In most
cases, it is a formal step to find out if
organization accepts the software developed
by a 3
rd
party.
o Quality Assurance Testing (QAT):
6. Implementation
o Planning:
Prepare physical space for
production systems
Build production systems
Install application software
Migrate data
o Training:
End users
Customers
Support staff
Trainers
o Data migration
Record counts
Batch totals
Checksums
o Cutover
Parallel
Geographic
Module by module
Roll-back
o Rollback Planning
7. Post Implementation
o Implementation review
System adequacy
Security review
Issues
ROI
o Software maintenance

Development Risks
o Application inadequacy
o Project risk
o Business inefficiency
o Market changes

Development Approaches and Techniques
o Agile Development
o Prototyping


D
o
m
a
i
n

I
T

L
i
f
e

C
y
c
l
e

M
a
n
a
g
e
m
e
n
t

o Rapid Application Development (RAD)
o Data Oriented System Development (DOSD)
o Object-Oriented System Development (OO)
o Component based development: CORBA,
DCOM, SOA
o Web-Based Application Development: HTML,
SOAP, XML
o Reverse Engineering

System Development Tools
o Computer-Aided Software Engineering
(CASE)
Upper CASE: requirements
gathering, DFDs, interfaces
Lower CASE: Creation of program
source code and data schemas
o Fourth Generation Languages

INFRASTRUCTURAL DEVELOPMENT AND
IMPLEMENTATION

1. Review of existing architecture
2. Requirements
a. Business functional requirements
b. Technical requirements and standards
c. Security and regulatory requirements
d. Privacy requirements
3. Design
a. Procurement
4. Testing
5. Implementation
6. Maintenance

MAINTAINING INFORMATION SYSTEMS

Change Management Process
Change request
Change review
Perform change
Emergency changes

Configuration Management
Recovery: stored independent of the systems
themselves
Consistency: It will simplify administration, reduce
mistakes, and result in less unscheduled downtime.

BUSINESS PROCESSES

Business Process Life Cycle (BPLC)
1. Feasibility study
2. Requirements definition
3. Design

4. Development
5. Testing
6. Implementation
7. Monitoring
8. Post-implementation

Benchmarking a Process
Plan
Research
Measure and observe
Analyze
Adapt: understand the fundamental reasons why other
organizations measurements are better than its own.
Improve

Capability Maturity Models

Software Engineering Institute Capability Maturity Model
(SEI CMM)
o Initial
o Repeatable
o Defined
o Managed
o Optimizing
Capability Maturity Model Integration (CMMI): An
aggregation of these other models into an overall
maturity model.
ISO 15504: Software Process Improvement and
Capability dEtermination (SPICE).
o Level 0 incomplete
o Level 1 performed
o Level 2 managed
o Level 3 established
o Level 4 predictable
o Level 5 optimizing

APPLICATION CONTROLS

Input Controls
Authorization
o User access controls
o Workstation identification
o Approved transactions and batches
o Source documents
Input validation
o Type checking
o Range and value checking

o Existence
o Consistency
o Length
o Check digits
o Spelling
o Unwanted characters
o Batch controls
Error handling
o Batch rejection
o Transaction rejection
o Request re-input

Processing Controls
Editing
Calculations
o Run-to-run totals
o Limit checking
o Batch totals
o Manual recalculation
o Reconciliation
o Hash values
Data file controls
o Data file security
o Error handling
o Internal and external labeling
o Data file version
o Source files
o Transaction logs
Processing errors

Output Controls
Controlling special forms
Report distribution and receipt
Reconciliation
Retention



D
o
m
a
i
n

I
T

L
i
f
e

C
y
c
l
e

M
a
n
a
g
e
m
e
n
t


AUDITING THE SOFTWARE DEVELOPMENT LIFE CYCLE

Auditing Project Management


Auditing the Feasibility Study


Auditing Requirements



Auditing Design




Auditing Software Acquisition



Auditing Development


Auditing Implementation

Auditing Post-Implementation





Auditing Change Management


Auditing Configuration Management




AUDITING BUSINESS CONTROLS

Identify the key processes in an organization and to understand
the controls that are in place or should be in place that govern the
integrity of those processes

AUDITING APPLICATION CONTROLS

Transaction Flow


Observations







D
o
m
a
i
n

I
T

L
i
f
e

C
y
c
l
e

M
a
n
a
g
e
m
e
n
t

Data Integrity Testing: Used to confirm whether an application
properly accepts, processes, and stores information.

Testing Online Processing Systems:


Auditing Applications


Continuous Auditing: Several techniques are available to
perform online auditing:



D
o
m
a
i
n

I
T

S
e
r
v
i
c
e

D
e
l
i
v
e
r
y

&

I
n
f
r
a
s
t
r
u
c
t
u
r
e

IT organizations are effective if their operations are effective. IT

organizations are service organizations their existence is to
serve the organization and support its business processes.

INFORMATION SYSTEMS OPERATIONS

Management and control of operations
o Process and procedures
o Standards
o Resource allocation
o Process management
IT Service management (ITSM)
o Service desk
o Incident mgt
o Problem mgt
o Change mgt
o Configuration mgt
o Release mgt: ITIL terms used to describe
SDLC. Used for changes in a system such
as:
Incidents and problem resolution
Enhancements
Subsystem patches and changes
o Service-level mgt
o Financial mgt
o Capacity mgt
Periodic measurements
Considering planned changes
Understanding long-term strategies
Changes in technology
o Service continuity mgt
o Availability mgt
Effective change mgt
Effective application testing
Resilient architecture
Serviceable components
Infrastructure Operations
o Running scheduled jobs
o Restarting failed jobs/processes
o Facilitating backup jobs
o Monitoring systems/apps/networks
Monitoring
Software Program Library Management: System that
is used to store and manage access to an
organizations application source and object code
o Access and authorization controls

o Program checkout
o Program check in
o Version control
o Code analysis
Quality Assurance
Security Management
o Policies, procedures, processes, and
standards
o Risk Assessments
o Impact analysis
o Vulnerability management


INFORMATION SYSTEMS HARDWARE

Computer usage
o Types: supercomputer, mainframe, midrange,
server, desktop, laptop, mobile
o Uses: app server, web server, file server, db
server, print server, test server, thin client,
thick client, workstation
Computer architecture
o CPU: CISC (Complex Instruction Set
Computer), RISC (Reduced Instruction Set
Computer), Single processor, Multi-processor
o Bus: PCI, PC Card, MBus, Sbus
o Main Storage
o Secondary Storage: Program storage, data
storage, temporary files, OS, virtual memory,
o Firmware: Flash, EPROM, PROM, ROM,
EEPROM
o I/O and Networking
o Multi-computer: Blade computers, grid
computing, server clusters, virtual servers
Hardware maintenance
Hardware monitoring


INFORMATION SYSTEMS ARCHITECTURE AND SOFTWARE

Computer Operating Systems
Access to peripherals
Storage mgt
Process mgt
Resource allocation
Communication
Security
o OS Virtualization
o Clustering: using special software
o Grid Computing: a form of distributed
computing

o Cloud Computing: dynamically scalable and
usually virtualized
Data Communication Software
File Systems: Directories, files, FAT, NTFS, HFS
(Hierarchical File System) ISO 9660 (CD-ROM, DVD),
UDF (Universal Disk Format)
Database Management Systems
o Relational DB Management (rDBMS):
Primary key, one or more indexes, referential
integrity, Encryption, Audit logging, access
controls,
o Object Database (ODBMS): Represented as
objects, Data and the programming method
are contained in an object,
o Hierarchical Database : Top-down
Media Management System: Tape management
systems (TMS) or Disk Management Systems (DMS)
Utility software
o Software and data design
o Software development
o Software testing
o Security testing
o Data management
o System health
o Network

NETWORK INFRASTRUCTURE

Network Architecture
o Physical network architecture
o Logical network architecture
o Data flow architecture
o Network standards and services
Types of networks
o Personal Area Network (PAN): up to 3 meters
and use to connect peripherals for use by an
individual
o LAN
o Campus Area Network (CAN)
o Metropolitan Area Network (MAN)
o WAN
Network-based Services: email, print, file storage,
remote access, directory, terminal emulation, time
synch, network authentication, web security, anti-
malware, network management
Network Models
o OSI: Application, presentation, session,
transport, network, data link, physical
o TCP/IP: Link, internet, transport, application
Network Technologies
o LAN
Physical topology: Star, Ring, Bus


D
o
m
a
i
n

I
T

S
e
r
v
i
c
e

D
e
l
i
v
e
r
y

&

I
n
f
r
a
s
t
r
u
c
t
u
r
e

Cable types: Shield twisted pair
(STP), screened unshielded twisted
pair (S/UTP), screened shielded
twisted pair (S/STP), unshielded
twisted pair (UTP)
Other types: Fiber,
coaxial, serial
Network Transport protocols
Ethernet: Broadcast or
shared medium, collision
avoidance
o ATM: Synchronous network. Connection
oriented link-layer protocol.
o Token Ring
o Universal Serial Bus
o FDDI: Fiber distributed data interface. Range
up to 200km and capable of 200mb/sec
o WAN
MPLS
SONET
Frame Relay
ISDN
X.25
o Wireless
Wi-Fi
Bluetooth
Wireless USB
NFC (Near Field Communication):
extremely short distance radio
frequencies that are commonly
used for merchant payment
applications.
IrDA: Infrared Data Association.
TCP/IP Protocols
o Link Layer / network access layer
ARP (Address resolution)
RARP (Reverse address
resolution)
OSPF (Open Shortest Path First)
L2TP (Layer 2 Tunneling Protocol)
PPP
Media Access Control (MAC)
o Internet Layer / Layer 3
IP
ICMP
IGMP
IPSec
o Internet Layer
IP Addresses, subnets, masks,
gateway, classless and classful
networks.
o Transport Layer
TCP
UDP
o Application layer
File Transfer Protocols

FTP
FTPS
SFTP
SCP
Rcp
Messaging protocols
SMTP
POP
IMAP
NNTP
File and directory sharing protocols
NFS
RPC
Session protocols
TELNET
rlogin
SSH
HTTP
HTTPS
Management protocols
SNMP
NTP
Directory service protocols
DNS
LDAP
X.500
Global Internet: Email, IM, VPN, WWW
Network Management
o Tools
Network management systems
Network management agents
Incident management systems
Protocol analyzers
Sniffers
Networked Applications
o ClientServer
o Web-based


AUDITING IS INFRASTRUCTURE AND OPERATIONS

Auditing IS Hardware
o Standards: procurement stds
o Maintenance: records, service contracts
o Capacity: systems capacity monitoring

o Change mgt: requested, reviewed prior to
approval
Auditing OSs
o Standards: written stds
o Maintenance and support: support contracts
o Change mgt
o Configuration mgt: tools, recordkeeping,
config processes
o Security mgt: hardening
Auditing File Systems
o Capacity: storage
o Access control
Auditing DB Management Systems
o Configuration mgt: centrally controlled
o Change mgt: changes should be consistent
and systematic
o Capacity mgt: ability to support business
processes
o Security mgt: access controls, logs
Auditing Network Infrastructure
o Network architecture
o Security architecture
o Standards
o Change mgt
o Capacity mgt
o Configuration mgt
o Administrative access management
o Network components
o Log management
o User access management
Auditing Network Operating Controls
o Network operating procedures
o Restart procedures
o Troubleshooting procedures
o Security controls
o Change management
Auditing computer operations
o System configuration standards
o System build procedures
o System recovery procedures
o System update procedures
o Patch management
o Daily tasks
o Backup
o Media control
o Monitoring
Auditing Data Entry
o Data entry procedures
o Input verification
o Batch verification


D
o
m
a
i
n

I
T

S
e
r
v
i
c
e

D
e
l
i
v
e
r
y

&

I
n
f
r
a
s
t
r
u
c
t
u
r
e

o Correction procedures
Auditing Lights-Out operations
o Remote administration procedures
o Remote monitoring procedures
Auditing Problem Management Operations
o Problem management policy and processes
o Problem management records
o Problem management timelines
o Problem management reports
o Problem resolution
o Problem recurrence
Auditing Monitoring Operations
o Monitoring plan
o Problem log
o Preventative maintenance
o Management review and action
Auditing Procurement
o Requirements definition: functional, technical,
and security requirements approved by
management. Policies, procedures, and
records.
o Feasibility studies






D
o
m
a
i
n

I
n
f
o
r
m
a
t
i
o
n

A
s
s
e
t

P
r
o
t
e
c
t
i
o
n

INFORMATION SECURITY MANAGEMENT

Aspects
o Executive support
o Policies and procedures
o Security Awareness
o Security monitoring and auditing
o Incident response
o Corrective and preventive action.
Roles and responsibilities
o Executive mgt: support and overall
responsibility for asset protection
o Security steering committee: approval of
security policies, risk related matters.
o CISO: development and enforcement of
policy and asset protection
o Chief privacy officer
o Security auditor: monitoring and testing
security controls
o Security administrator
o Security analyst: implementing security policy
by designing and improving security controls
and processes
o Systems analyst: by designing application
software that includes adequate controls
o Software developers: coding applications that
include controls to prevent application misuse
or bypass of controls
o Managers
o Asset owners: responsible for protection and
integrity of assets
o Employees
Asset Inventory and Classification
o Hardware
o Information
Access Control
o AC Management: request, review,
segregation of duties, transfer, termination
o Logs
Privacy
o PII: DL, SSN, Passport, phone, address,
DoB, Accounts
3
rd
Party Management
o 3
rd
Party access countermeasures: logs,
video, access controls, logical access, audits
o Legal agreements: liabilities, controls
required, nondisclosure, security training,
steps for a security breach, steps to be taken
to reduce the likelihood of data loss caused
by a disaster, right to inspect, compliance,
destroy copies of information on request.

HR Security
o Screening
o Agreements
o J ob descriptions
o Transfer and termination
o Contractors and temps
Computer Crime
o Roles
Target of a crime
Instrument of a crime
Support of a crime
o Categories
Military
Political
Terrorist
Financial
Business
Grudge
Amusement
o Perpetrators
Hackers
Cybercriminals
Spies
Terrorists
Script kiddies
Social engineers
Employees
Former employees
Knowledgeable outsiders
Service providers employees
Security Incident Management
o Incident Response
Planning
Detection
Initiation
Evaluation
Eradication
Remediation
Closure
Post-Incident Review
o Testing Incident Response
Document review
Walkthrough
Simulation
o Incident prevention
Vulnerability monitoring

Patch management
System hardening
IDS
o Chain of custody:
Identification
Preservation
Analysis
Presentation

LOGICAL ACCESS CONTROLS: Subject access controls are in
place to determine the identity of the subject. Service access is
used to control the types of messages that are allowed to pass
through a control point.

Models
o MAC: Mandatory Access Control: Access to
objects by subjects
o DAC: Discretionary Access Control: Owner of
an object is able to determine how and by
whom the object may be accessed.
Threats
o Malware
o Eavesdropping
o Logic bombs
o Scanning attacks
Vulnerabilities
o Unpatched systems
o Default system settings
o Default passwords
o Incorrect permissions settings
o Application logic
Points of Entry
o Exposure to malware
o Eavesdropping
o Open access
Identification, Authentication, and Authorization
o Identification: asserting an identity without
providing any proof of it.
o Authentication: Subject asserts an identity,
but some proof of the subjects identity is
required
o Authorization: System determines resource
access to the subject
User account provisioning
o Factors: user location, system limitations,
data sensitivity
o Risks: Finding a password, eavesdropping
Two Factor authentication: Digital certificates, smart
cards, tokens
Something you are: Biometrics such as hand print,
fingerprint, palm vein, voice, facial scan, handwriting,
iris scan
o Measurement variances: False reject rate,
False accept rate, crossover error rate


D
o
m
a
i
n

I
n
f
o
r
m
a
t
i
o
n

A
s
s
e
t

P
r
o
t
e
c
t
i
o
n

Reduced Sign On: changing from stand alone

application authentication to centralized
authentication like LDAP, RADIUS, Active Directory
Single Sign On: one login authentication for
multiple authorized applications
Access Control Lists: common way to administer
access controls
Protecting Information
o Access controls
o Access Logging
o Backups
Automated tools
Protection of backup data
Offsite backup media storage
Restoration testing
Media inventory
Patch Management
Vulnerability Management
o Subscribing to security alerts
o Scanning
o Patch management
o Corrective action process
System Hardening: remove services, change
functions to unique system function, changed default
password, non-predictable passwords, reduce
privileges, eliminate interserver trust
Managing User Access
o User Access Provisioning: Risk of errors
can be devastating for an organization
o Termination: Some safeguards are
needed like review of terminated
employees actions before and after,
periodic reviews, and review logs
o Transfers: Risk is privilege creep
o Password management: provisioning,
lockout, forgotten passwords. Password
length, complexity, expiration, reuse,
rechange
Protecting Mobile Devices: Encryption, strong
access control, remote destruct, hardening, logical
locking system, physical locking system

NETWORK SECURITY CONTROLS

Network Security
o Threats: access by unauthorized persons,
spoofing, eavesdropping, malware, DoS,
access bypass, MITM
o Countermeasures: User authentication
controls, machine authentication controls,
anti-malware, encryption, switched
networks, IDS/IPS
Securing Client-Server Applications
o Access controls: strong authentication
o Interception of client-server
communication: Network encryption
o Network Failure
o Change management
o Disruption of client software updates

o Stealing data
Securing Wireless Networks
o Threats and vulnerabilities
Eavesdropping
War driving and chalking
Encryption
Spoofing
o Countermeasures
Obscure SSID
Stop SSID broadcast
Reduce transmit power
MAC filtering
WPA
Require VPN
Change default passwords
Patches
Protecting Internet Communications
o Threats and vulnerabilities
Eavesdropping
Network analysis: reconnaissance
phase of some bigger effort
Targeted attacks
Malware
Masquerading: forge messages that
have the appearance of originating
elsewhere.
DoS
Fraud
o Countermeasures
Firewalls
Honeypots and Honeynets
IDS
Change management and
configuration management
Incident management
Security awareness training
Encryption
o Terms:
Plaintext
Ciphertext
Hash function
Message digest
Digital signature
Algorithm
Decryption
Encryption key
Cryptanalysis
Key length
Block cipher
Stream cipher
Initialization Vector (IV): random
number to begin encryption process
Symmetric encryption
Asymmetric encryption
Key exchange
Nonrepudiation

o Private Key Cryptosystem: Symmetric
cryptography
Challenges
Key exchange: Out of
band method is required.
Scalability
o Public Key Cryptosystem: Asymmetric
cryptosystem
Key pair: public and private keys
Message security: no need to
establish and communicate
symmetric encryption keys through
a secure channel.
Verifying public keys:
Certificate authority
Email address
Key fingerprint: retrieve
the public key and
calculate the key
fingerprint.
o Hashing and Message Digests
o Digital Signatures: Seals a message or file
using the senders identity
o Digital Envelopes: Combining private and
public
o Public Key Infrastructure (PKI):
Digital certificates
Certificate Authority (CA)
Registration Authority (RA)
Certificate Revocation List (CRL)
Certification Practice Statement
(CPS)
o Key Management
Key generation: system must be
highly protected, isolated, and used
by a few people. System should
include some randomness
Key protection
Key custody: policies, processes,
and procedures regarding the
management of keys.
Key rotation: only when one of the
following occurs:
Key compromise
Key expiration
Rotation of staff
Key disposal
o Encryption applications
SSL/TLS
S-HTTP
S/MIME
SSH

D
o
m
a
i
n

I
n
f
o
r
m
a
t
i
o
n

A
s
s
e
t

P
r
o
t
e
c
t
i
o
n

SET
Voice over IP (VoIP)
o Threats and vulnerabilities
Eavesdropping
Spoofing
Malware
DoS
Toll fraud
o Protecting: IDS, access management,
firewalls, hardening, malware controls
Private Branch Exchange (PBX)
o Threats and vulnerabilities
Default passwords on
administrator console
Dial-in modem
Toll fraud
Espionage
o Countermeasures
Administrative access control
Physical access control
Regular log review
Malware
o Threats and vulnerabilities
Viruses
Worms
Trojan horses
Spyware
Root kits
Bots
Missing patches
Unsecure configuration
Faulty architecture
Faulty judgment
Spam
Phishing
DoS
o Anti-Malware Administrative controls
Spam policy
Business related internet
No removable media
No downloading
No personally owned computers
o Anti-Malware Technical controls
Anti-malware on email servers
On workstations
On web servers
Centralized malware console

IDS
Spam filters
Blocking use of removable media
Information Leakage
o Countermeasures
Outbound email filters
Block removable media
Blocking internet access
Tighter access controls
Access logging
J ob rotation
Periodic background checks

ENVIRONMENTAL CONTROLS

Threats and vulnerabilities
o Electric power vulnerabilities
Spike: sharp increase
Inrush: sudden increase
Noise: presence of other
electromagnetic signals
Dropout: momentary loss
Brownout: sustained drop
Blackout: complete loss
o Physical environment vulnerabilities
Temperature
Humidity
Dust and dirt
Smoke and fire
Sudden unexpected movement
Countermeasures
o Electric power
UPS
Electric generator
Dual power feeds
Power distribution unit (PDU)
o Temperature and humidity controls: HVAC
o Fire Prevention, detection, and suppression
controls
Prevention:
Combustibles: stored away
Cleanliness
Electrical equipment
maintenance
Detection: pull down stations, manual
alarms, detectors
Suppression:
Types: wet pipe, dry pipe,
pre-action, deluge, inert gas
Classes:
o A: wood, paper

o B: liquids and
gases
o C: electrical
o D: combustible
metals
o K: cooking oils
and fats

PHYSICAL SECURITY CONTROLS

Threats and vulnerabilities
o Theft
o Sabotage
o Espionage
o Covert listening devices
o Tailgating
o Propped doors
o Poor visibility
Countermeasures
o Keycard systems
o Cipher locks
o Fences, walls, and barbed wire
o Bollards and crash gates
o Video
o Visual notices
o Bug sweeping
o Guards
o Guard dogs

AUDITING ASSET PROTECTION

Security Management
o Policies, processes, procedures, and
standards
o Records
o Training
o Data ownership and management
o Data custodians
o Security administrators
o New and existing employees
Logical Access controls
o Network access paths
IT infrastructure
Network architecture and access
documentation
o User Access Controls
User access controls:
authentication, bypass, access
violations, user account lockout,
IDS/IPS, shared accounts, dormant
accounts, system accounts
Password management:password
standards, account lockout, access
to encrypted passwords




D
o
m
a
i
n

I
n
f
o
r
m
a
t
i
o
n

A
s
s
e
t

P
r
o
t
e
c
t
i
o
n

Password vaulting
o User access provisioning:
Access request process
Access approvals
Segregation of duties (SOD)
Access reviews
o Employee terminations
Termination process
Timeliness
Access reviews
Contractor access and termination
o Access logs
Access log controls
Centralized access logs
Access log protection
Log review
Log retention
o Investigative procedures
Policies and procedures
Computer crime investigations
Computer forensics
o Internet points of presence
Search engines: what information is
available
Social networking sites: what
others are saying
Online sales sites: whats being
sold
Domain names
Network Security Controls
o Architecture review
Diagrams
Documents
Support of business objectives
Compliance with security policy
Comparison of documented vs
actual
o Network access controls
User authentication: Active
Directory, LDAP
Firewalls
IDS
Remote access
Dial-up modems
o Change management
Change control policy
Change logs
Change control procedures
Emergency changes
Rolled-back changes
Linkage to SDLC: change
management and SDLC

Alert management
Penetration testing
Application scanning
Patch management
Environmental Controls
o Power conditioning
o Backup power
o HVAC
o Water detection
o Fire detection and suppression
o Cleanliness
Physical Controls
o Siting and Marking
Proximity to hazards
o Physical access controls
Physical barriers
Surveillance
Guards and dogs
Keycard systems











D
o
m
a
i
n

B
C

&

D
R

DISASTERS

Types
o Natural: Earthquakes, volcanoes, landslides,
avalanches, wildfires, tropical cyclones,
tornadoes, windstorms, lighting, ice storms,
hail, flooding, tsunamis, pandemic,
extraterrestrial impacts
o Man-Made: Civil disturbances, Utility outages,
materials shortages, fires, hazardous
materials spills, transportation accidents,
security events, terrorism and wars
o How they affect organizations
Direct damage: earthquakes etc
Utility outage
Transportation
Services and supplier shortage
Staff availability
Customer availability
BCP Process

Develop Policy: formal policy included in the overall
governance model
BCP and COBIT Controls
o Develop IT continuity framework
o Conduct business impact analysis
o Develop and maintain IT continuity plans
o Identify and categorize IT resources based on
recovery objectives
o Define and execute change control
procedures to ensure IT continuity plan is
current
o Regularly test IT continuity plan
o Develop follow-on action plan from test
results
o Plan and conduct IT continuity training
o Plan IT services recovery and resumption
o Plan and implement backup storage and
protection
o Establish procedures for conducting post-
resumption reviews
Business Impact Anal ysis (BIA)
Inventory Key processes and systems
Statement of impact: qualitative or quantitative
description of the impact if the process or system were
incapacitated for a time
Criticality Anal ysis: study of each system and process, a
consideration of the impact on the organization if it is
incapacitated, the likelihood of incapacitation, and the
estimated cost of mitigating the risk or impact of
incapacitation. (risk anal ysis)

Establishing key targets
Recovery Time Objective (RTO): Time from onset of an
outage until the resumption of service. ** An
organization could establish two RTO targets, one for
partial capacity and one for full capacity.
Recovery Point Objective (RPO): Time for which recent
data will be irretrievably lost in a disaster. For critical
transactions it is measure in minutes.
Developing Recovery Strategies and Plans
Strategies:
o Site options: Hot, warm, cold, mobile,
reciprocal (at another company)
o Recovery and resilience technologies
RAID: Redundant Array of
Independent Disks
RAID-0: stripped
RAID-1: mirror
RAID-4: Data stripping.
RAID 4-5 allows for
failure of one disk without
losing information
RAID-6: Withstands
failure of any two disks
drives in the array.
SAN: Storage Area
Network
NAS: Network Attached
Storage.
o Replication:
Disk storage system
Operating system
Database management system
Transaction management system
Application
o Server clusters
o Network connectivity and services
Redundant network connection
Redundant network services
o Backup and restoration
Plans
o Evacuation procedures
o Disaster declaration procedures
Core team
Declaration criteria
Pulling the trigger: any single core
member
Next Steps: Declaration will trigger
other response procedures.
False alarms
o Responsibilities: injured, caring for family
members, transportation unavailable, out of
the area, communications, fear

Emergency Response: evacuation,
first aid, firefighting
Command and Control (Emergency
Management)
Scribe: Document the important
events during disaster response
operations
Internal Communications
External communications
Legal and compliance
Damage assessment
Salvage
Physical security
Supplies
Transportation
Network
Network services
Systems
Databases
Data and records
Applications
Access management
Information security
Off-site storage
User hardware
Training
Relocation
Contract Information
o Recovery procedures: should be hand in
hand with the technologies that may have
been added to IT systems to make them
more resilient
o Continuing Operations
o Restoration procedures
o Considerations:
Availability of personnel
Emergency supplies
Communications: identifying Critical
personnel, suppliers, customers,
and other parties, call trees, wallet
cards
Transportation
o Documentation
Supporting project documents
Analysis documents: BIA, RTP,
RPO, Criticality analysis
Response documents: Business
recovery plan, Occupant
emergency plan (OEP), Emergency
communications plan, contact lists,
DR plan,

D
o
m
a
i
n

B
C

&

D
R

Continuity of operations plan
(COOP), Security incident
response plan (SIRT)
Test and review documents
Testing Recovery Plans
Test preparation: schedule, facilities, scripting,
participants, recordkeeping, contingency plan,
Document review
Walkthrough
Simulation
Parallel test
Cutover test
Documenting results
Improving recovery and continuity plans
Training Personnel: Document review, participation in
walkthroughs, participation in simulations, participation in
parallel and cutover tests
Hard copy of plan
Soft copy of plan
Online access
Wallet cards
Maintaining Recovery and Continuity Plans




Auditing Business Continuity and Disaster Recovery: An audit
of an organizations BC program is a top-down analysis of key
business objectives and a review of documentation and interviews
to determine whether the BC strategy and program details support
those key business objectives.
o Reviewing Business Continuity and Disaster
Recovery Plans
o Reviewing Prior Test Results and Action
Plans
o Evaluating off-site storage
o Evaluating alternate processing facilities
o Interviewing key personnel
o Reviewing service provider contracts
o Reviewing insurance coverage