Domain 5
Protection of Information Assets

[...] security policies, standards, procedures and controls ensure the confidentiality, integrity and availability (CIA) of information assets.
© Copyright 2016 ISACA. All rights reserved.
Task 5.1
Evaluate the information security and privacy policies, standards and procedures for completeness, alignment with generally accepted practices and compliance with applicable external requirements.

Task 5.4
Evaluate the design, implementation and monitoring of the data classification processes and procedures for alignment with [...], procedures and applicable external requirements.

Task 5.5
Evaluate the processes and procedures used to store, retrieve, transport and dispose of assets to determine whether information assets are adequately safeguarded.

Task 5.6
Evaluate the information security program to determine its effectiveness and alignment with [...] and objectives.
Key Terms

Privacy: The rights of an individual to trust that others will appropriately and respectfully use, store, share and dispose of his/her associated personal and sensitive information within the context, and according to the purposes, for which it was collected or derived. What is appropriate depends on [...] reasonable expectations. An individual also has the right to reasonably control and be aware of the collection, use and disclosure of his/her associated personal and sensitive information.

Security awareness: The extent to which every member of an enterprise and every other individual who potentially has access to the [...]
o Security and the levels of security appropriate to the enterprise
o The importance of security and consequences of a lack of security
o His/her individual responsibilities regarding security (and act accordingly)
This definition is based on the definition for IT security awareness as defined in Implementation Guide: How to Make Your Organization Aware of IT Security, European Security Forum (ESF), London, 1993.
ISMS

An information security management system (ISMS) is a framework of policies, procedures, guidelines and associated resources to establish, implement, operate, monitor, review, maintain and improve information security for all types of organizations.

An ISMS is defined in these guidelines and standards:
o ISO/IEC 2700X: Guidance for managing information security in specific industries and situations
o ISO/IEC 27000: Defines the scope and vocabulary and establishes the basis for certification
o ISO/IEC 27001: Formal set of specifications against which organizations may seek independent certification of their information security management system
o ISO/IEC 27002: Structured set of suggested controls to address information security risk
Information Security

Roles shown in the slide figure:
o Users
o External parties
o Security specialist/administrator
o Advisors
o IT developers
o IS auditors
Security Controls

Some recommended contract terms include:
o [...] policy
o A clear reporting structure and agreed reporting formats
o A clear and specified process for change management
o An access control policy
o Arrangements for reporting, notifying and investigating information security incidents and security breaches
o Service continuity requirements
o The right to monitor and revoke any activity related to the [...] assets

An effective control is one that prevents, detects, and/or contains an incident and enables recovery from an event.

Controls can be:
o Proactive (safeguards): Controls that attempt to prevent an incident
o Reactive (countermeasures): Controls that allow the detection, containment and recovery from an incident
o SoD
Blackmail
Embezzlement
[...] availability of information.
[...] application software and the access control system.
How does Task 5.3 relate to each of the following knowledge statements?

K5.9 Knowledge of risk and controls associated with the use of mobile and wireless devices, including personally owned devices (bring your own device [BYOD])
Connection: Policies and procedures and additional protection mechanisms must be put into place to ensure that data are protected to a greater extent on portable devices, because such devices will most likely operate in environments in which physical controls are lacking or nonexistent.

K5.10 Knowledge of voice communications security (e.g., PBX, Voice-over Internet Protocol [VoIP])
Connection: The increasing complexity and convergence of voice and data communications introduces additional risk that must be taken into account by the IS auditor.

K5.11 Knowledge of network and Internet security devices, protocols and techniques
Connection: The IS auditor needs to understand best practices for the implementation of encryption and the use and application of security devices and methods for securing data.
How does Task 5.3 relate to each of the following knowledge statements?

K5.12 Knowledge of the configuration, implementation, operation and maintenance of network security controls
Connection: Firewalls and intrusion detection systems (IDSs) provide protection and critical alert information at borders between trusted and untrusted networks. The proper implementation and maintenance of firewalls and IDSs are critical to a successful, in-depth security program.

K5.13 Knowledge of encryption-related techniques and their uses
Connection: Fundamentals of encryption techniques and the relative advantages and disadvantages of each must be taken into account by the IS auditor.

K5.14 Knowledge of public key infrastructure (PKI) components and digital signature techniques
Connection: The IS auditor needs to understand the relationships between types of encryption (symmetric and asymmetric) and their respective algorithms (e.g., DES3, RSA) and the basic concepts and components of PKI in terms of business.
How does Task 5.3 relate to each of the following knowledge statements?

K5.18 Knowledge of risk and controls associated with data leakage
Connection: Understanding how data leakage can occur and the methods for limiting data leakage, from job postings that list the specific software and network devices with which applicants should have experience to system administrators posting questions on technical web sites.

K5.19 Knowledge of security risk and controls related to end-user computing
Connection: The IS auditor should understand that these tools can be used to create key applications that are relied upon by the organization but not controlled by the IT department.

K5.21 Knowledge of information system attack methods and techniques
Connection: Understanding the methods, techniques and exploits used to compromise an environment provides the IS auditor with a more complete context for understanding the risk that an enterprise faces.
How does Task 5.3 relate to each of the following knowledge statements?

K5.22 Knowledge of prevention and detection tools and control techniques
Connection: The IS auditor needs to understand the threats posed by malicious code and the good practices for mitigating these threats.

K5.23 Knowledge of security testing techniques (e.g., penetration testing, vulnerability scanning)
Connection: The IS auditor must have knowledge of how assessment tools can be used to identify vulnerabilities within the network infrastructure so that corrective actions can be taken to remediate risk.

K5.26 Knowledge of fraud risk factors related to the protection of information assets
Connection: The IS auditor should be aware that the risk of fraud is increased where there is a perceived opportunity.
Logical Access

Logical access is the ability to interact with computer resources, granted using identification, authentication and authorization.

Logical access controls are the primary means used to manage and protect information assets.

IS auditors should be able to analyze and evaluate the effectiveness of a logical access control in accomplishing information security objectives and avoiding losses resulting from exposures.

For IS auditors to effectively assess logical access controls, they first need to gain a technical and [...] IT environment, including the following security layers:
o Network
o OS platform
o Database
o Application
61 © Copyright 2016 ISACA. All rights reserved. 62 © Copyright 2016 ISACA. All rights reserved.
63 © Copyright 2016 ISACA. All rights reserved. 64 © Copyright 2016 ISACA. All rights reserved.
65 © Copyright 2016 ISACA. All rights reserved. 66 © Copyright 2016 ISACA. All rights reserved.
Discretionary access controls (DACs)
o Logical access controls that may be configured or modified by the users or data owners
o Cannot override MACs
o Act as an additional filter, prohibiting still more access with the same exclusionary principle

o [...] specific information resources (e.g., system-level application resources and data).
o Log database/data communications access activities for monitoring access violations.
o Log events.
o Report capabilities.
Internet Security

The IS auditor must understand the risk and security factors needed to ensure that proper controls are in place when a company connects to the Internet.

Network attacks involve probing for network information.
o Examples of passive attacks include network analysis, eavesdropping and traffic analysis.

Once enough network information has been gathered, an intruder can launch an actual attack against a targeted system to gain control.
o Examples of active attacks include denial of service (DoS), phishing, unauthorized access, packet replay, brute force attacks and email spoofing.

The IS auditor should have a good understanding of the following types of firewalls:
o Packet filtering
o Application firewall systems
o Stateful inspections

The IS auditor should also be familiar with common firewall implementations, including:
o Screened-host firewall
o Dual-homed firewall
o Demilitarized zone (DMZ) or screened-subnet firewall

The IS auditor should be familiar with the types, features and limitations of intrusion detection systems and intrusion prevention systems.

Encryption

Encryption generally is used to:
o Protect data in transit over networks from unauthorized interception and manipulation.
o Protect information stored on computers from unauthorized viewing and manipulation.
o Deter and detect accidental or intentional alterations of data.
o Verify authenticity of a transaction or document.
Key encryption elements include:
o Encryption algorithm: A mathematically based function that encrypts/decrypts data
o Encryption keys: A piece of information that is used by the encryption algorithm to make the encryption or decryption process unique
o Key length: A predetermined length for the key; the longer the key, the more difficult it is to compromise

There are two types of encryption schemes:
o Symmetric: a unique key (usually referred to as the [...]) is used for both encryption and decryption.
o Asymmetric: the decryption key is different than the one used for encryption.

There are two main advantages of symmetric key systems over asymmetric ones.
o The keys are much shorter and can be easily remembered.
o Symmetric key cryptosystems are generally less complicated and, therefore, use less processing power.
In a public key cryptography system, two keys work together as a pair. One of the keys is kept private, while the other one is publicly disclosed. The underlying algorithm works even if the private key is used for encryption and the public key for decryption.

Digital signature schemes ensure:
o Data integrity: Any change to the plaintext message would result in the recipient failing to compute the same document hash.
o Authentication: The recipient can ensure that the document has been sent by the claimed sender because only the claimed sender has the private key.
o Nonrepudiation: The claimed sender cannot later deny generating the document.

The IS auditor should be familiar with how a digital signature functions to protect data.
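The three properties above, as an added Go example that is not part of the ISACA material: the document is hashed with SHA-256 and the digest is signed with RSA PKCS#1 v1.5 from the Go standard library; the two key pairs, the purchase-order text and the in-transit alteration are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignDocument hashes the document with SHA-256 and signs the digest with the
// sender's private key (RSA PKCS#1 v1.5 from the Go standard library).
func SignDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyDocument recomputes the digest on the recipient's side and checks the
// signature against it with the claimed sender's public key.
func VerifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Outcome holds one verification result per property from the slide.
type Outcome struct {
	Genuine  bool // unchanged document, sender's key: must verify
	Tampered bool // amount altered in transit: digest differs, must fail (integrity)
	WrongKey bool // signed with an impostor's key: must fail (authentication)
}

// RunChecks generates two constructed 2048-bit key pairs (the sender and an
// impostor), signs a constructed document and exercises the three cases.
// Nonrepudiation rests on the same mechanism: only the holder of the sender's
// private key can produce a signature that verifies under the sender's public key.
func RunChecks() (Outcome, error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	doc := []byte("Purchase order 4711: approve payment of 12,500 EUR") // constructed

	sig, err := SignDocument(sender, doc)
	if err != nil {
		return Outcome{}, err
	}
	impostorSig, err := SignDocument(impostor, doc)
	if err != nil {
		return Outcome{}, err
	}
	// Simulate manipulation in transit: the recipient gets a changed amount
	// together with the original signature.
	tampered := bytes.Replace(doc, []byte("12,500"), []byte("92,500"), 1)

	return Outcome{
		Genuine:  VerifyDocument(&sender.PublicKey, doc, sig),
		Tampered: VerifyDocument(&sender.PublicKey, tampered, sig),
		WrongKey: VerifyDocument(&sender.PublicKey, doc, impostorSig),
	}, nil
}

func main() {
	out, err := RunChecks()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", out.Genuine, out.Tampered, out.WrongKey)
}
```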
[...] processes and procedures for alignment [...] standards, procedures and applicable external requirements.

[...] information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the enterprise.
Data Leakage

Data leakage involves the unauthorized transfer of sensitive or proprietary information from an internal network to the outside world.

Data leak prevention is a suite of technologies and associated processes that locate, monitor and protect sensitive information from unauthorized disclosure.

DLPs have three key objectives:
o Locate and catalog sensitive information stored throughout the enterprise.
o Monitor and control the movement of sensitive information across enterprise networks.
o Monitor and control the movement of sensitive information on end-user systems.
Authentication Methods

Some common I&A vulnerabilities include:
o Weak authentication methods
o Use of simple or easily guessed passwords
o The potential for users to bypass the authentication mechanism
o The lack of confidentiality and integrity for the stored authentication information
o The lack of encryption for authentication and protection of information transmitted over a network
o The [...] with sharing authentication elements
o [...] authentication policies

Authentication methods:
o Logon IDs and passwords
o Tokens
o Biometrics

Multifactor authentication is the combination of more than one authentication method.

Single sign-on (SSO) is the process for consolidating all of an [...] platform-based administration, authentication and authorization functions into a single centralized administrative function.
How does Task 5.5 relate to each of the following knowledge statements?

K5.15 Knowledge of risk and controls associated with peer-to-peer computing, instant messaging and web-based technologies (e.g., social networking, message boards, blogs, cloud computing)
Connection: The risk of data loss or leakage increases when users employ peer-to-peer and other collaborative communication technologies.

K5.17 Knowledge of the processes and procedures used to store, retrieve, transport and dispose of confidential information assets
Connection: In order to control data and information, the organization must understand the state of its data and information from creation, storage, processing and transmission.

K5.18 Knowledge of risk and controls associated with data leakage
Connection: Understanding the category of data and the respective states it resides in through the life cycle will enable the IS auditor to determine risk and the appropriate controls.

K5.19 Knowledge of security risk and controls related to end-user computing
Connection: The IS auditor must determine risk and the appropriate controls needed to address end-user computing technologies from BYOD and client applications to mobile devices (smart phones/PDAs).
Key Terms

Chain of custody: A legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for from the time it was collected until the time it is presented in a court of law.

Computer forensics: The application of the scientific method to digital media to establish factual information for judicial review. This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities.

Penetration testing: A live test of the effectiveness of security defenses through mimicking the actions of real life attackers.

Security incident: A series of unexpected events that involves an attack or series of attacks (compromise and/or breach of security) at one or more sites. A security incident normally includes an estimation of its level of impact. A limited number of impact levels are defined, and for each, the specific actions required and the people who need to be notified are identified.
How does Task 5.6 relate to each of the following knowledge statements?

K5.23 Knowledge of security testing techniques (e.g., penetration testing, vulnerability scanning)
Connection: A proactive and holistic security testing program can ensure the correct security mechanisms are in place and operating effectively.

K5.24 Knowledge of the processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team)
Connection: In order for the IS auditor to evaluate the true capabilities of the information security management program, the IS [...] ability to detect, analyze and respond to threats regardless of the source.

Computer Crimes

It is important that the IS auditor knows and understands the differences between computer crime and computer abuse to support risk analysis methodologies and related control practices. Examples of computer crimes include:
o Hacking
o Malware, viruses and worms
o Denial of service (DoS)
o Fraud
o Unauthorized access
o Phishing
o Brute force attacks
o Malicious codes
o Packet replay
o Masquerading
o Network analysis
o Eavesdropping

Source: ISACA, CISA Review Manual, 26th Edition, figures 5.11 and 5.12
Investigation Techniques

Computer access controls: The IS auditor should work with the system software analyst to determine if all access is on a need-to-know basis.

Computer access violations logging and reporting: The IS auditor should attempt to access computer transactions or data for which access is not authorized. The unsuccessful attempts should be identified on logging and security reports.

Follow-up access violations: The IS auditor should select a sample of security access reports and look for evidence of follow-up and investigation of access violations.

Bypassing security and compensating controls: The IS auditor should work with the system software analyst, network manager, operations manager and security administrator to determine ways to bypass security.

If a computer crime occurs, it is very important that proper procedures are used to collect evidence.
o Damaged evidence can hinder prosecution.
o After a computer crime, the environment and evidence must be left unaltered and examined by specialist law enforcement officials.

Any electronic document or data may be used as digital evidence.

An IS auditor may be required or asked to be involved in a forensic analysis to provide expert opinion or to ensure the correct interpretation of information gathered.
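The access-violation review described above (unsuccessful attempts surfaced on a logging report, repeated violations picked out for follow-up) as an added Go example, not part of the ISACA material; the log format, its field names, the DENY threshold and the sample report are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// AccessEvent is one parsed line of a constructed access report in the form
// "<timestamp> user=<id> resource=<path> result=<ALLOW|DENY>".
type AccessEvent struct {
	Time, User, Resource, Result string
}

// ParseAccessLog parses the constructed format. Malformed lines are skipped
// and counted so that gaps in the evidence stay visible to the auditor.
func ParseAccessLog(raw string) (events []AccessEvent, skipped int) {
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		fields := strings.Fields(line)
		pairs := map[string]string{}
		for _, f := range fields {
			if kv := strings.SplitN(f, "=", 2); len(kv) == 2 {
				pairs[kv[0]] = kv[1]
			}
		}
		ev := AccessEvent{User: pairs["user"], Resource: pairs["resource"], Result: pairs["result"]}
		if len(fields) != 4 || ev.User == "" || ev.Resource == "" ||
			(ev.Result != "ALLOW" && ev.Result != "DENY") {
			skipped++
			continue
		}
		ev.Time = fields[0]
		events = append(events, ev)
	}
	return events, skipped
}

// Violation summarises repeated denied attempts by one user on one resource.
type Violation struct {
	User, Resource string
	Denied         int
}

// FindViolations returns user/resource pairs with at least threshold DENY
// results, most frequent first: the rows an auditor would expect to see
// followed up in the security access report.
func FindViolations(events []AccessEvent, threshold int) []Violation {
	counts := map[[2]string]int{}
	for _, ev := range events {
		if ev.Result == "DENY" {
			counts[[2]string{ev.User, ev.Resource}]++
		}
	}
	var out []Violation
	for k, n := range counts {
		if n >= threshold {
			out = append(out, Violation{User: k[0], Resource: k[1], Denied: n})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Denied > out[j].Denied })
	return out
}

// SampleLog is a constructed access report, not real data.
const SampleLog = `
2016-03-01T08:00:01Z user=jdoe resource=/payroll/export result=DENY
2016-03-01T08:00:05Z user=jdoe resource=/payroll/export result=DENY
2016-03-01T08:00:09Z user=jdoe resource=/payroll/export result=DENY
2016-03-01T08:01:00Z user=asmith resource=/hr/reviews result=ALLOW
2016-03-01T08:02:00Z user=asmith resource=/payroll/export result=DENY
this line is deliberately malformed
`

func main() {
	events, skipped := ParseAccessLog(SampleLog)
	for _, v := range FindViolations(events, 2) {
		fmt.Printf("%-10s %-18s denied %d times\n", v.User, v.Resource, v.Denied)
	}
	fmt.Printf("%d events parsed, %d line(s) skipped\n", len(events), skipped)
}
```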
Computer Forensics

Identify: Refers to the identification of information that is available and might form the evidence of an incident.

Preserve: Refers to the practice of retrieving identified information and preserving it as evidence.

Analyze: Involves extracting, processing and interpreting the evidence.

Present: Involves a presentation to the various audiences, such as management, attorneys, court, etc.

The IS auditor should give consideration to key elements of computer forensics during audit planning, including the following:
o Data protection
o Data acquisition
o Imaging
o Extraction
o Interrogation
o Ingestion/normalization
o Reporting
Evaluate the design, implementation and monitoring of the data classification processes and procedures.
Evaluate the processes and procedures used to store, retrieve, transport and dispose of assets.
Evaluate the information security program.

Discussion Question

The CSIRT of an organization disseminates detailed [...] GREATEST concern should be that the users may:
A. use this information to launch attacks.
B. forward the security alert.
C. implement individual solutions.
D. fail to understand the threat.
Discussion Question
A hard disk containing confidential data was damaged
beyond repair. What should be done to the hard disk to
prevent access to the data residing on it?
A. Rewrite the hard disk with random 0s and 1s.
B. Low-level format the hard disk.
C. Demagnetize the hard disk.
D. Physically destroy the hard disk.