CISA Review Course 26th Edition Domain 5: Protection of Information Assets

Domain 5
Protection of Information Assets

Domain 5
Security policies, standards, procedures and controls ensure the confidentiality, integrity and availability (CIA) of information assets.

©Copyright 2016 ISACA. All rights reserved. 2 © Copyright 2016 ISACA. All rights reserved.

Domain 5
The focus of Domain 5 is the need for protecting information assets through the evaluation of design, implementation and monitoring of controls.

Domain Objectives
The objective of this domain is to ensure that the CISA candidate understands the following:
o Elements of information security management
o Logical entry points into a system
o Identification and authentication practices
o Network infrastructure security
o Importance of OS and software maintenance
o Environmental exposures
o Risks from mobile devices, social media and cloud computing

©2016. ISACA. All Rights Reserved. 1


On the CISA Exam
Domain 5 represents 25% of the questions on the CISA exam (approximately 38 questions).
Domain 5 incorporates six tasks related to the protection of information assets.

Domain Tasks
5.1 Evaluate the information security and privacy policies, standards and procedures for completeness, alignment with generally accepted practices and compliance with applicable external requirements.
5.2 Evaluate the design, implementation, maintenance, monitoring and reporting of physical and environmental controls to determine whether information assets are adequately safeguarded.
5.3 Evaluate the design, implementation, maintenance, monitoring and reporting of system and logical security controls to verify the confidentiality, integrity and availability of information.
5.4 Evaluate the design, implementation and monitoring of the data classification processes and procedures for alignment with the organization's policies, standards, procedures and applicable external requirements.
5.5 Evaluate the processes and procedures used to store, retrieve, transport and dispose of assets to determine whether information assets are adequately safeguarded.
5.6 Evaluate the information security program to determine its effectiveness and alignment with the organization's strategies and objectives.

Task 5.1
Evaluate the information security and privacy policies, standards and procedures for completeness, alignment with generally accepted practices and compliance with applicable external requirements.


Key Terms
Privacy: The rights of an individual to trust that others will appropriately and respectfully use, store, share and dispose of his/her associated personal and sensitive information within the context, and according to the purposes, for which it was collected or derived. What is appropriate depends on the related circumstances, laws and the individual's reasonable expectations. An individual also has the right to reasonably control and be aware of the collection, use and disclosure of his/her associated personal and sensitive information.
Security awareness: The extent to which every member of an enterprise and every other individual who potentially has access to the enterprise's information understand:
o Security and the levels of security appropriate to the enterprise
o The importance of security and consequences of a lack of security
o His/her individual responsibilities regarding security (and act accordingly)
This definition is based on the definition for IT security awareness as defined in Implementation Guide: How to Make Your Organization Aware of IT Security, European Security Forum (ESF), London, 1993.

Task to Knowledge Statements
How does Task 5.1 relate to each of the following knowledge statements?
Knowledge Statement: K5.1 Knowledge of generally accepted practices and applicable external requirements (e.g., laws, regulations) related to the protection of information assets
Connection: The IS auditor must understand key elements of information security management and the critical success factors for information security management.
Knowledge Statement: K5.2 Knowledge of privacy principles
Connection: The IS auditor must have an understanding of privacy principles and knowledge of privacy laws and regulations. The IS auditor must also understand how compliance is assured.
Knowledge Statement: K5.3 Knowledge of the techniques for the design, implementation, maintenance, monitoring and reporting of security controls
Connection: The IS auditor must understand the different types of controls (preventive, detective and corrective) and when to apply them.
Knowledge Statement: K5.6 Knowledge of logical access controls for the identification, authentication and restriction of users to authorized functions and data
Connection: Throughout all IS audits, the IS auditor must have a keen understanding of key elements of logical access controls.


Security Objectives
Security objectives to meet business requirements should ensure the following:
o Continued availability of information systems and data
o Integrity of the information stored on computer systems and while in transit
o Confidentiality of sensitive data is preserved while stored and in transit
o Conformity to applicable laws, regulations and standards
o Adherence to trust and obligation requirements in relation to any information relating to an identified or identifiable individual (i.e., data subject) in accordance with internal privacy policy or applicable privacy laws and regulations
o Adequate protection for sensitive data while stored and when in transit, based on organizational requirements

Information Security Management
Information security management is the most critical factor in protecting information assets and privacy. Key elements include:
o Senior management leadership, commitment and support
o Policies and procedures
o Organization
o Security awareness and education
o Risk management
o Monitoring and compliance
o Incident handling and response
Source: ISACA, CISA Review Manual 26th Edition, figure 5.2

ISMS
An information security management system (ISMS) is a framework of policies, procedures, guidelines and associated resources to establish, implement, operate, monitor, review, maintain and improve information security for all types of organizations.

ISMS
An ISMS is defined in these guidelines and standards:
o ISO/IEC 2700X: Guidance for managing information security in specific industries and situations
o ISO/IEC 27000: Defines the scope and vocabulary and establishes the basis for certification
o ISO/IEC 27001: Formal set of specifications against which organizations may seek independent certification of their information security management system
o ISO/IEC 27002: Structured set of suggested controls to address information security risk


ISM Roles
o Executive management
o Security advisory group
o Information security steering committee
o Chief privacy officer (CPO)
o Chief information security officer (CISO)
o Chief security officer (CSO)
o Process owners
o Information asset owners and data owners
o Users
o External parties
o Information security specialist/advisors
o Security administrator
o IT developers
o IS auditors
Source: ISACA, CISA Review Manual 26th Edition, figure 5.3

Privacy
Privacy means freedom from unauthorized intrusion or disclosure of information about an individual (also known as information privacy).
Management should perform a privacy impact analysis.

Privacy
The IS auditor may be asked to support or perform this assessment, which should:
o Pinpoint the nature of personally identifiable information associated with business processes.
o Document the collection, use, disclosure and destruction of personally identifiable information.
o Ensure that accountability for privacy issues exists.
o Identify legislative, regulatory and contractual requirements for privacy.
o Be the foundation for informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk.

Human Resources Security
Security roles and responsibilities of employees, contractors and third-party users should be defined and documented in accordance with the organization's information security policy.


Human Resources Security
Human resources-related security practices include the following:
o Security responsibilities should be addressed prior to employment in adequate job descriptions, and in terms and conditions of employment.
o All candidates for employment, contractors and third-party users should be adequately screened, especially for sensitive jobs.
o Employees, contractors and third-party users of information processing facilities should sign an agreement on their security roles and responsibilities, including the need to maintain confidentiality.
o When an employee, contractor or third-party user exits the organization, procedures should be in place to remove access rights and return all equipment.

Third Party Access
Third-party access to information processing facilities and processing and communication of information must be controlled.
These controls must be agreed to and defined in a contract with the third party.

Third Party Access
Some recommended contract terms include:
o The organization's information security policy
o A clear reporting structure and agreed reporting formats
o A clear and specified process for change management
o An access control policy
o Arrangements for reporting, notifying and investigating information security incidents and security breaches
o Service continuity requirements
o The right to monitor and revoke any activity related to the organization's assets

Security Controls
An effective control is one that prevents, detects, and/or contains an incident and enables recovery from an event.
Controls can be:
o Proactive (safeguards): Controls that attempt to prevent an incident
o Reactive (countermeasures): Controls that allow the detection, containment and recovery from an incident
Source: ISACA, CISA Review Manual 26th Edition, Figure 5.10


Security Awareness Training
An active security awareness program can greatly reduce risk by addressing the behavioral element of security through education and consistent application of awareness techniques.
All employees of an organization and third-party users must receive appropriate training and regular updates on the importance of security policies, standards and procedures in the organization.
In addition, all personnel must be trained in their specific responsibilities related to information security.

Control Methods
Managerial: Controls related to the oversight, reporting, procedures and operations of a process. These include policy, procedures, balancing, employee development and compliance reporting.
Technical: Controls also known as logical controls and are provided through the use of technology, piece of equipment or device. Examples include firewalls, network or host-based intrusion detection systems (IDSs), passwords and antivirus software. A technical control requires proper managerial (administrative) controls to operate correctly.
Physical: Controls that are locks, fences, closed-circuit TV (CCTV) and devices that are installed to physically restrict access to a facility or hardware. Physical controls require maintenance, monitoring and the ability to assess and react to an alert should a problem be indicated.
Source: ISACA, CISA Review Manual 26th Edition, figure 5.5

Control Monitoring
To ensure controls are effective and properly monitored, the IS auditor should:
o Validate that processes, logs and audit hooks have been placed into the control framework.
o Ensure that logs are enabled, controls can be tested and regular reporting procedures are developed.
o Ensure that control monitoring is built into the control design.

System Access Permission
System access permission generally refers to a technical privilege, such as the ability to read, create, modify or delete a file or data; execute a program; or open or use an external connection.
System access to computerized information resources is established, managed and controlled at the physical and/or logical level.
Physical access controls: Restrict the entry and exit of personnel to an area, such as an office building, suite, data center or room, containing information processing equipment.
Logical access controls: Restrict the logical resources of the system (transactions, data, programs, applications) and are applied when the subject resource is needed.


System Access Reviews
Roles should be assigned by the information owner or manager.
Access authorizations should be regularly reviewed to ensure they are still valid.
The IS auditor should evaluate the following criteria for defining permissions and granting access:
o Need-to-know
o Accountability
o Traceability
o Least privilege
o SoD

In the Big Picture
Task 5.1: Evaluate the information security and privacy policies, standards and procedures for completeness, alignment with generally accepted practices and compliance with applicable external requirements.
The Big Picture: The foundation of information security is based on well-aligned security management policies and procedures.
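As an added example (not part of the ISACA course material), the following Python script applies the System Access Reviews criteria above to a constructed user-to-role matrix: it flags permissions beyond the job's need-to-know (least privilege), toxic combinations (SoD), and grants that lack a recorded information-owner approval or whose approval has not been re-certified (accountability and traceability). All users, roles, permissions and dates are constructed sample data.

```python
"""Access review helper: added example, not part of the ISACA course material.
Checks a constructed user-to-role matrix against need-to-know, least privilege,
SoD, and owner-approval (accountability/traceability) criteria.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Grant:
    """One role assignment and the information-owner approval that justifies it."""
    user: str
    role: str
    approved_by: Optional[str]
    approved_on: Optional[date]


# Roles and the permissions each carries on a constructed payments application.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap_clerk": {"invoice.create", "invoice.read"},
    "ap_approver": {"invoice.read", "invoice.approve"},
    "payments_release": {"invoice.read", "payment.release"},
    "payments_admin": {"invoice.create", "invoice.read", "invoice.approve",
                       "payment.release", "user.manage"},
    "auditor_readonly": {"invoice.read"},
}

# Permissions each job function genuinely needs (the need-to-know baseline).
JOB_NEEDS: Dict[str, Set[str]] = {
    "accounts_payable": {"invoice.create", "invoice.read"},
    "finance_manager": {"invoice.read", "invoice.approve"},
    "treasury": {"invoice.read", "payment.release"},
    "internal_audit": {"invoice.read"},
}

# Combinations one person must never hold together (segregation of duties).
SOD_CONFLICTS: List[Tuple[Set[str], str]] = [
    ({"invoice.create", "invoice.approve"}, "creates and approves invoices"),
    ({"invoice.approve", "payment.release"}, "approves invoices and releases payments"),
    ({"user.manage", "payment.release"}, "administers users and releases payments"),
]


def effective_permissions(grants: List[Grant], user: str) -> Set[str]:
    """Union of the permissions carried by every role granted to the user."""
    perms: Set[str] = set()
    for g in grants:
        if g.user == user:
            perms |= ROLE_PERMISSIONS.get(g.role, set())
    return perms


def review_access(grants: List[Grant], user_jobs: Dict[str, str],
                  review_date: date, max_age_days: int = 365) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs an IS auditor would raise from this matrix."""
    findings: List[Tuple[str, str]] = []
    for user in sorted({g.user for g in grants}):
        perms = effective_permissions(grants, user)
        needed = JOB_NEEDS.get(user_jobs.get(user, ""), set())
        # Need-to-know / least privilege: anything beyond what the job requires.
        excess = perms - needed
        if excess:
            findings.append((user, "excess permissions: " + ", ".join(sorted(excess))))
        # SoD: a single person holding a toxic combination.
        for combo, label in SOD_CONFLICTS:
            if combo <= perms:
                findings.append((user, "SoD conflict: " + label))
        # Accountability and traceability: every grant needs an owner approval
        # that has been re-certified within the review period.
        for g in grants:
            if g.user != user:
                continue
            if g.approved_by is None or g.approved_on is None:
                findings.append((user, f"role {g.role} has no recorded owner approval"))
            elif (review_date - g.approved_on).days > max_age_days:
                findings.append((user, f"role {g.role} approval older than {max_age_days} days"))
    return findings


# Constructed sample matrix: one clean user and three with distinct problems.
SAMPLE_GRANTS = [
    Grant("alice", "ap_clerk", "bob.owner", date(2016, 3, 1)),
    Grant("alice", "ap_approver", "bob.owner", date(2016, 3, 1)),       # SoD + excess
    Grant("carol", "payments_release", "bob.owner", date(2014, 1, 15)),  # stale approval
    Grant("dave", "payments_admin", None, None),                         # no approval, admin
    Grant("erin", "auditor_readonly", "bob.owner", date(2016, 5, 2)),    # clean
]
SAMPLE_JOBS = {"alice": "accounts_payable", "carol": "treasury",
               "dave": "accounts_payable", "erin": "internal_audit"}
REVIEW_DATE = date(2016, 6, 30)


def sample_findings() -> List[Tuple[str, str]]:
    return review_access(SAMPLE_GRANTS, SAMPLE_JOBS, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user:6} {finding}")
```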

Discussion Question
which of the following attack methods?
A. Piggybacking
B. Dumpster diving
C. Shoulder surfing
D. Impersonation

Discussion Question
With the help of a security officer, granting access to data is the responsibility of:
A. data owners.
B. programmers.
C. system analysts.
D. librarians.


Task 5.2
Evaluate the design, implementation, maintenance, monitoring and reporting of physical and environmental controls to determine whether information assets are adequately safeguarded.

Key Terms
Environmental exposures: Environmental exposures are due primarily to naturally occurring events such as lightning storms, earthquakes, volcanic eruptions, hurricanes, tornados and other types of extreme weather conditions.

Task to Knowledge Statements
How does Task 5.2 relate to each of the following knowledge statements?
Knowledge Statement: K5.4 Knowledge of physical and environmental controls and supporting practices related to the protection of information assets
Connection: The IS auditor needs to understand the common types of environmental controls and good practices for their deployment and periodic testing.
Knowledge Statement: K5.5 Knowledge of physical access controls for the identification, authentication and restriction of users to authorized facilities and hardware
Connection: The IS auditor must understand physical access controls and their potential for circumvention.
Knowledge Statement: K5.23 Knowledge of security testing techniques (e.g., penetration testing, vulnerability scanning)
Connection: Testing physical security effectiveness is the methodology used to test the physical security controls.


Physical Access Issues
Physical access exposures may originate from natural and man-made hazards, and can result in unauthorized access and interruptions in information availability.
Exposures include:
o Unauthorized entry
o Damage, vandalism or theft to equipment or documents
o Copying or viewing of sensitive or copyrighted information
o Alteration of sensitive equipment and information
o Public disclosure of sensitive information
o Abuse of data processing resources
o Blackmail
o Embezzlement

Physical Access Controls
o Door locks (cipher, biometric, bolted, electronic)
o Manual or electronic logging
o Identification badges
o CCTV
o Security guards
o Controlled visitor access
o Computer workstation locks
o Controlled single entry point
o Deadman doors
o Alarm system

Physical Access Audit
The IS auditor should begin with a tour of the site and then test physical safeguards.
Physical tests can be completed through visual observations and review of documents such as fire system tests, inspection tags and key lock logs.

Physical Access Audit
The test should include all paths of physical entry, as well as the following locations:
o Computer and printer rooms
o UPS/generator
o Operator consoles
o Computer storage rooms
o Communication equipment
o Offsite backup storage facility
o Media storage


Environmental Exposures
Environmental exposures are due primarily to naturally occurring events.
Common environmental exposures include:
o Power failure: total failure (blackout); severely reduced voltage (brownout); sags, spikes and surges; electromagnetic interference (EMI)
o Water damage/flooding
o Manmade concerns: terrorist threats/attacks; vandalism
o Equipment failure

Environmental Controls
Environmental exposures should be afforded the same level of protection as other types of exposures. Possible controls include:
o Alarm control panels
o Water detectors
o Fire alarms and smoke detectors
o Fire extinguishers
o Fire suppression systems
o Strategically located computer rooms
o Fireproof and fire-resistant building and office materials
o Electrical surge protectors
o Uninterruptible power supply/generator
o Power leads from two substations
o Emergency power-off switch
o Documented and tested BCPs and emergency evacuation plans

Environmental Control Audit
The IS auditor should first establish the environmental risk by assessing the location of the data center.
In addition, the IS auditor should verify that the following safeguards are in place:
o Water and smoke detectors
o Strategic and visible location of handheld fire extinguishers
o Fire suppression system documentation and inspection by fire department
o UPS/generator test reports
o Electrical surge protectors
o Documentation of fireproof building materials, use of redundant power lines and wiring located in fire-resistant panels
o Documented and tested emergency evacuation plans and BCPs
o Humidity and temperature controls

In the Big Picture
Task 5.2: Evaluate the design, implementation, maintenance, monitoring and reporting of physical and environmental controls to determine whether information assets are adequately safeguarded.
The Big Picture: Physical security and environmental controls are the first line of defense in protecting assets from loss.


Discussion Question
Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power?
A. Power line conditioners
B. Surge protective devices
C. Alternative power supplies
D. Interruptible power supplies

Discussion Question
An IS auditor is reviewing the physical security measures of an organization. Regarding the access card system, the IS auditor should be MOST concerned that:
A. nonpersonalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity.
B. access cards are not labeled with the organization's name and address to facilitate easy return of a lost card.
C. card issuance and rights administration for the cards are done by different departments, causing unnecessary lead time for new cards.
D. the computer system used for programming the cards can only be replaced after three weeks in the event of a system failure.

Task 5.3
Evaluate the design, implementation, maintenance, monitoring and reporting of system and logical security controls to verify the confidentiality, integrity and availability of information.

Key Terms
Access control: The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises.
Access control list (ACL): An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals. Also referred to as access control tables.
Access path: The logical route an end user takes to access computerized information. Typically, it includes a route through the operating system, telecommunications software, selected application software and the access control system.


Key Terms
Digital signature: A piece of information, a digitized form of a signature, that provides sender authenticity, message integrity and nonrepudiation. A digital signature is generated using the sender's private key or applying a one-way hash function.
Encryption: The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext).
Local area network (LAN): Communication network that serves several users within a specified geographical area. A personal computer LAN functions as a distributed processing system in which each computer in the network does its own processing and manages some of its data. Shared data are stored in a file server that acts as a remote disk drive for all users in the network.
Logical access controls: The policies, procedures, organizational structure and electronic access controls designed to restrict access to computer software and data files.
Network: A system of interconnected computers and the communications equipment used to connect them.

Task to Knowledge Statements
How does Task 5.3 relate to each of the following knowledge statements?
Knowledge Statement: K5.6 Knowledge of logical access controls for the identification, authentication and restriction of users to authorized functions and data
Connection: The IS auditor needs to understand logical access controls as they apply to systems that may reside on multiple operating system platforms and involve more than one application system or authentication point.
Knowledge Statement: K5.7 Knowledge of the security controls related to hardware, system software (e.g., applications, operating systems) and database management systems
Connection: The IS auditor needs to understand best practices as they apply to identification and authentication.
Knowledge Statement: K5.8 Knowledge of risk and controls associated with virtualization of systems
Connection: The IS auditor needs to understand the advantages and disadvantages of virtualization and determine whether the enterprise has considered the applicable risk in its decision to adopt, implement and maintain this technology.


How does Task 5.3 relate to each of the following knowledge statements?
Knowledge Statement: K5.9 Knowledge of risk and controls associated with the use of mobile and wireless devices, including personally owned devices (bring your own device [BYOD])
Connection: Policies and procedures and additional protection mechanisms must be put into place to ensure that data are protected to a greater extent on portable devices, because such devices will most likely operate in environments in which physical controls are lacking or nonexistent.
Knowledge Statement: K5.10 Knowledge of voice communications security (e.g., PBX, Voice-over Internet Protocol [VoIP])
Connection: The increasing complexity and convergence of voice and data communications introduces additional risk that must be taken into account by the IS auditor.
Knowledge Statement: K5.11 Knowledge of network and Internet security devices, protocols and techniques
Connection: The IS auditor needs to understand best practices for the implementation of encryption and the use and application of security devices and methods for securing data.
Knowledge Statement: K5.12 Knowledge of the configuration, implementation, operation and maintenance of network security controls
Connection: Firewalls and intrusion detection systems (IDSs) provide protection and critical alert information at borders between trusted and untrusted networks. The proper implementation and maintenance of firewalls and IDSs are critical to a successful, in-depth security program.
Knowledge Statement: K5.13 Knowledge of encryption-related techniques and their uses
Connection: Fundamentals of encryption techniques and the relative advantages and disadvantages of each must be taken into account by the IS auditor.
Knowledge Statement: K5.14 Knowledge of public key infrastructure (PKI) components and digital signature techniques
Connection: The IS auditor needs to understand the relationships between types of encryption (symmetric and asymmetric) and their respective algorithms (e.g., DES3, RSA) and the basic concepts and components of PKI in terms of business.


How does Task 5.3 relate to each of the following knowledge statements?
Knowledge Statement: K5.18 Knowledge of risk and controls associated with data leakage
Connection: The IS auditor should understand how data leakage can occur (from job postings that list the specific software and network devices with which applicants should have experience, to system administrators posting questions on technical web sites) and the methods for limiting data leakage.
Knowledge Statement: K5.19 Knowledge of security risk and controls related to end-user computing
Connection: The IS auditor should understand that these tools can be used to create key applications that are relied upon by the organization but not controlled by the IT department.
Knowledge Statement: K5.21 Knowledge of information system attack methods and techniques
Connection: Understanding the methods, techniques and exploits used to compromise an environment provides the IS auditor with a more complete context for understanding the risk that an enterprise faces.
Knowledge Statement: K5.22 Knowledge of prevention and detection tools and control techniques
Connection: The IS auditor needs to understand the threats posed by malicious code and the good practices for mitigating these threats.
Knowledge Statement: K5.23 Knowledge of security testing techniques (e.g., penetration testing, vulnerability scanning)
Connection: The IS auditor must have knowledge of how assessment tools can be used to identify vulnerabilities within the network infrastructure so that corrective actions can be taken to remediate risk.
Knowledge Statement: K5.26 Knowledge of fraud risk factors related to the protection of information assets
Connection: The IS auditor should be aware that the risk of fraud is increased where there is a perceived opportunity.


Logical Access
Logical access is the ability to interact with computer resources, granted using identification, authentication and authorization.
Logical access controls are the primary means used to manage and protect information assets.
IS auditors should be able to analyze and evaluate the effectiveness of a logical access control in accomplishing information security objectives and avoiding losses resulting from exposures.

Logical Access
For IS auditors to effectively assess logical access controls, they first need to gain a technical and organizational understanding of the organization's IT environment, including the following security layers:
o Network
o OS platform
o Database
o Application

Paths of Logical Access
Access to the IT infrastructure can be gained through the following paths:
o Direct
o Local network
o Remote
General points of entry to either front-end or back-end systems occur through network connectivity or remote access.

Paths of Logical Access
Any point of entry not appropriately controlled can potentially compromise the security of an organization's sensitive and critical information resources.
The IS auditor should determine whether all points of entry are identified and managed.


CISA Review Course 26th Edition Domain 5: Protection of Information Assets

Logical Access Exposures
Technical exposures are the unauthorized activities interfering with normal processing. They include:
o Data leakage: siphoning or leaking critical information out of the computer
o Wiretapping: eavesdropping on information being transmitted over telecommunications lines
o Computer shutdown: initiated through terminals or personal computers connected directly (online) or remotely (via the Internet) to the computer

Access Control Software
Access control software is used to prevent unauthorized access to and modification of the organization's data, and unauthorized use of critical system functions.
Access controls must be applied across all layers of the organization's IT infrastructure, including networks, platforms or OSs, databases and application systems.
Each access control usually includes:
o Identification and authentication
o Access authorization
o Verification of specific information resources
o Logging and reporting of user activities

Access Control Software Functions
General operating and/or application systems access control functions:
o Create or change user profiles.
o Assign user identification and authentication.
o Apply user logon limitation rules.
o Notification concerning proper use and access prior to initial login.
o Create individual accountability and auditability by logging user activities.
o Establish rules for access to specific information resources (e.g., system-level application resources and data).
o Log events.
o Report capabilities.
Database and/or application-level access control functions:
o Create or change data files and database profiles.
o Verify user authorization at the application and transaction level.
o Verify user authorization within the application.
o Verify user authorization at the field level for changes within a database.
o Verify subsystem authorization for the user at the file level.
o Log database/data communications access activities for monitoring access violations.

Access Control Types
Mandatory access controls (MACs):
o Logical access control filters used to validate access credentials
o Cannot be controlled or modified by normal users or data owners
o Act by default
o Prohibitive; anything that is not expressly permitted is forbidden
Discretionary access controls (DACs):
o Logical access controls that may be configured or modified by the users or data owners
o Cannot override MACs
o Act as an additional filter, prohibiting still more access with the same exclusionary principle
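The MAC-before-DAC ordering on the Access Control Types slide is easiest to see in code. The following is an added example, not ISACA course material: it evaluates the mandatory filter first (a "no read up" rule over constructed sensitivity labels; the Bell-LaPadula write-down restriction is deliberately left out), then the owner-maintained ACL, and denies by default. The users, labels and resource names are invented for the illustration.

```python
"""Mandatory and discretionary access control evaluated in the order the slide
describes: the MAC filter first, the owner-maintained DAC filter second, default deny.
Added example; labels, users and resources are constructed for illustration."""
from dataclasses import dataclass, field

# Ordered sensitivity labels; a higher index means more sensitive (constructed).
LEVELS = ["public", "internal", "confidential", "secret"]


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str  # MAC label, assigned by the security administrator, not by the user


@dataclass
class Resource:
    name: str
    classification: str  # MAC label
    # DAC: the data owner's ACL, mapping user -> expressly permitted access modes
    acl: dict = field(default_factory=dict)


def mac_permits(subject: Subject, resource: Resource) -> bool:
    """Mandatory filter: the subject's clearance must dominate the resource's
    classification. Neither the user nor the data owner can change these labels."""
    return LEVELS.index(subject.clearance) >= LEVELS.index(resource.classification)


def dac_permits(subject: Subject, resource: Resource, mode: str) -> bool:
    """Discretionary filter: the mode must be expressly listed in the owner's ACL."""
    return mode in resource.acl.get(subject.name, set())


def decide(subject: Subject, resource: Resource, mode: str):
    """Default-deny decision. The MAC check runs first, so a DAC grant can only
    narrow access further; it can never widen what MAC already forbids."""
    if not mac_permits(subject, resource):
        return False, "denied by MAC: clearance below classification"
    if not dac_permits(subject, resource, mode):
        return False, "denied by DAC: no ACL entry for this mode"
    return True, "permitted"


def demo() -> dict:
    payroll = Resource("payroll.db", "confidential",
                       acl={"alice": {"read", "write"}, "bob": {"read"}})
    alice = Subject("alice", "secret")     # cleared and listed in the ACL
    bob = Subject("bob", "internal")       # listed in the ACL but not cleared
    carol = Subject("carol", "secret")     # cleared but not listed in the ACL
    results = {
        "alice_read": decide(alice, payroll, "read"),
        "bob_read": decide(bob, payroll, "read"),
        "carol_read": decide(carol, payroll, "read"),
    }
    # The data owner tries to "help" bob by widening the DAC entry; MAC still wins.
    payroll.acl["bob"] = {"read", "write"}
    results["bob_read_after_acl_change"] = decide(bob, payroll, "read")
    return results


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The audit point is the last case: an owner can add whatever ACL entries they like, and the mandatory label still denies bob, which is what "DACs cannot override MACs" means in practice.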

Network Infrastructure Security
The IS auditor should be familiar with risk and exposures related to network infrastructure.
Network control functions should:
o Be performed by trained professionals, and duties should be rotated on a regular basis.
o Maintain an audit trail of all operator activities.
o Restrict operator access from performing certain functions.
o Periodically review audit trails to detect unauthorized activities.
o Document standards and protocols.
o Analyze workload balance, response time and system efficiency.
o Encrypt data, where appropriate, to protect messages from disclosure during transmission.

LAN Security
To gain a full understanding of the LAN, the IS auditor should identify and document the following:
o Users or groups with privileged access rights
o LAN topology and network design
o LAN administrator/LAN owner
o Functions performed by the LAN administrator/owner
o Distinct groups of LAN users
o Computer applications used on the LAN
o Procedures and standards relating to network design, support, naming conventions and data security

Virtualization
IS auditors need to understand the advantages and disadvantages of virtualization to determine whether the enterprise has considered the applicable risk in its decision to adopt, implement and maintain this technology.
Some common advantages and disadvantages include:
Advantages:
o Decreased server hardware costs.
o Shared processing capacity and storage space.
o Decreased physical footprint.
o Multiple versions of the same OS.
Disadvantages:
o Inadequate host configuration could create vulnerabilities that affect not only the host, but also the guests.
o Data could leak between guests.
o Insecure protocols for remote access could result in exposure of administrative credentials.
Source: ISACA, CISA Review Manual 26th Edition, figure 5.14

Client-Server Security
A client-server is a group of computers connected by a communications network in which the client is the requesting machine and the server is the supplying machine.
Several access routes exist in a client-server environment.

Client-Server Security (continued)
The IS auditor should ensure that:
o Application controls cannot be bypassed.
o Passwords are always encrypted.
o Access to configuration or initialization files is kept to a minimum.
o Access to configuration or initialization files is audited.

Wireless Security
Wireless security requirements include the following:
o Authenticity: A third party must be able to verify that the content of a message has not been changed in transit.
o Nonrepudiation: The origin or the receipt of a specific message must be verifiable by a third party.
o Accountability: The actions of an entity must be uniquely traceable to that entity.
o Network availability: The IT resource must be available on a timely basis to meet mission requirements or to avoid substantial losses.

Internet Security
The IS auditor must understand the risk and security factors needed to ensure that proper controls are in place when a company connects to the Internet.
Network attacks involve probing for network information.
o Examples of passive attacks include network analysis, eavesdropping and traffic analysis.
Once enough network information has been gathered, an intruder can launch an actual attack against a targeted system to gain control.
o Examples of active attacks include denial of service (DoS), phishing, unauthorized access, packet replay, brute force attacks and email spoofing.
The IS auditor should have a good understanding of the following types of firewalls:
o Packet filtering
o Application firewall systems
o Stateful inspection

The IS auditor should also be familiar with common firewall implementations, including:
o Screened-host firewall
o Dual-homed firewall
o Demilitarized zone (DMZ) or screened-subnet firewall
The IS auditor should be familiar with the types, features and limitations of intrusion detection systems and intrusion prevention systems.

Encryption
Encryption generally is used to:
o Protect data in transit over networks from unauthorized interception and manipulation.
o Protect information stored on computers from unauthorized viewing and manipulation.
o Deter and detect accidental or intentional alterations of data.
o Verify authenticity of a transaction or document.

Key encryption elements include:
o Encryption algorithm: A mathematically based function that encrypts/decrypts data
o Encryption keys: A piece of information that is used by the encryption algorithm to make the encryption or decryption process unique
o Key length: A predetermined length for the key; the longer the key, the more difficult it is to compromise

There are two types of encryption schemes:
o Symmetric: a single key (usually referred to as the secret key) is used for both encryption and decryption.
o Asymmetric: the decryption key is different from the one used for encryption.
There are two main advantages of symmetric key systems over asymmetric ones:
o The keys are much shorter for a comparable level of security.
o Symmetric key cryptosystems are generally less complicated and, therefore, use less processing power.

In a public key cryptography system, two keys work together as a pair. One of the keys is kept private, while the other one is publicly disclosed.
The underlying algorithm works even if the private key is used for encryption and the public key for decryption; this is the basis of digital signatures.

Digital signature schemes ensure:
o Data integrity: Any change to the plaintext message would result in the recipient failing to compute the same document hash.
o Authentication: The recipient can ensure that the document has been sent by the claimed sender because only the claimed sender has the private key.
o Nonrepudiation: The claimed sender cannot later deny generating the document.
The IS auditor should be familiar with how a digital signature functions to protect data.

Malware
There are two primary methods to prevent and detect malware that infects computers and network systems.
o Have sound policies and procedures in place (preventive controls).
o Have technical controls (detective controls), such as anti-malware software, including:
  Scanners
  Behavior blockers
  Active monitors
  Integrity CRC checkers
  Immunizers
Neither method is effective without the other.

In the Big Picture
Task 5.3: Evaluate the design, implementation, maintenance, monitoring and reporting of system and logical security controls to verify the confidentiality, integrity and availability of information.
The Big Picture: Evaluation of system security engineering and architecture ensures the foundations for ISM are in place to meet organizational goals and objectives.

Discussion Question
The PRIMARY purpose of installing data leak prevention (DLP) software is to control which of the following choices?
A. Access privileges to confidential files stored on servers
B. Attempts to destroy critical data on the internal network
C. Which external systems can access internal resources
D. Confidential documents leaving the internal network

Discussion Question
Neural networks are effective in detecting fraud because they can:
A. discover new trends because they are inherently linear.
B. solve problems where large and general sets of training data are not obtainable.
C. attack problems that require consideration of a large number of input variables.
D. make assumptions about the shape of any curve relating variables to the output.

Task 5.4
Evaluate the design, implementation and monitoring of the data classification processes and procedures for alignment with the organization's policies, standards, procedures and applicable external requirements.

Key Terms
Authentication: The act of verifying the identity of a user and the user's eligibility to access computerized information. Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.
Data classification: The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the enterprise.

Task to Knowledge Statements
How does Task 5.4 relate to each of the following knowledge statements?
K5.16 Knowledge of data classification standards related to the protection of information assets. Connection: The IS auditor should understand the process of classification and the interrelationship between data classification and the need for inventorying information assets and assigning responsibility to data owners.
K5.18 Knowledge of risk and controls associated with data leakage. Connection: Data classification policies, security awareness training and periodic audits for data leakage are elements that the IS auditor will want to ensure are in place.
K5.25 Knowledge of the processes followed in forensics investigation and procedures in collection and preservation of the data and evidence (i.e., chain of custody). Connection: Measures should be used to preserve the integrity of evidence collected and provide assurance that the evidence has not been altered in any way.

Data Classification
In order to have effective controls, organizations must have a detailed inventory of information assets.
Most organizations use a classification scheme with three to five levels of sensitivity.
Data classification provides the following benefits:
o Defines level of access controls
o Reduces risk and cost of over- or under-protecting information resources
o Maintains consistent security requirements
o Enables uniform treatment of data by applying level-specific policies and procedures
o Identifies who should have access

Data Classification (continued)
The information owner should decide on the appropriate classification, based on the organization's data classification and handling policy.
Data classification should define:
o The importance of the information asset
o The information asset owner
o The process for granting access
o The person responsible for approving the access rights and access levels
o The extent and depth of security controls
Data classification must also take into account legal, regulatory, contractual and internal requirements for maintaining privacy, confidentiality, integrity and availability.

Data Leakage
Data leakage involves the unauthorized transfer of sensitive or proprietary information from an internal network to the outside world.
Data leak prevention (DLP) is a suite of technologies and associated processes that locate, monitor and protect sensitive information from unauthorized disclosure.
DLP solutions have three key objectives:
o Locate and catalog sensitive information stored throughout the enterprise.
o Monitor and control the movement of sensitive information across enterprise networks.
o Monitor and control the movement of sensitive information on end-user systems.

DLP Solutions
o Data at rest: Use crawlers to search for and log the location of specific information sets.
o Data in motion: Use specific network appliances or embedded technology to selectively capture and analyze traffic; use deep packet inspection (DPI) to read the contents of the payload.
o Data in use: Use an agent to monitor data movement stemming from actions taken by end users.

Identification and Authentication
Logical access identification and authentication (I&A) is the process of establishing and proving identity.
For most systems, I&A is the first line of defense because it prevents unauthorized people (or unauthorized processes) from entering a computer system or accessing an information asset.
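The data-at-rest crawler on the DLP Solutions slide is, at its core, pattern matching with a validation step to keep false positives down. The following is an added example rather than anything from the ISACA course: it scans constructed documents for payment card numbers, applies the Luhn check so that order numbers and phone numbers are not reported, notes classification markers, and records only the last four digits so the DLP log does not itself become a leak. The document paths, texts and marker list are invented; the card numbers are the well-known test values, not real accounts.

```python
"""Data-at-rest discovery of the kind a DLP crawler performs: walk documents, find
primary account numbers with a Luhn check to cut false positives, and note
classification markers. Added example; the documents are constructed strings."""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, not part of a longer digit run
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
MARKERS = ("CONFIDENTIAL", "RESTRICTED")  # classification labels the policy tracks (constructed)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check-digit validation, as used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list:
    """Return masked card numbers found in text; only the last four digits are kept so
    the DLP log does not become a new copy of the sensitive data."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def find_markers(text: str) -> list:
    return [marker for marker in MARKERS if marker in text]


def crawl(documents: dict) -> dict:
    """documents maps a path to its text; returns findings only for files with hits."""
    findings = {}
    for path, text in documents.items():
        cards, markers = find_cards(text), find_markers(text)
        if cards or markers:
            findings[path] = {"cards": cards, "markers": markers}
    return findings


SAMPLE_DOCUMENTS = {  # constructed
    "share/orders.csv": "order 1234567890123 shipped to warehouse 7",        # 13 digits, fails Luhn
    "share/refunds.xlsx": "refund to 4111 1111 1111 1111; second card 5500-0000-0000-0004",
    "home/alice/notes.txt": "CONFIDENTIAL: merger timeline, do not forward",
    "public/faq.txt": "call 555-0100 for support",
}


def demo() -> dict:
    return crawl(SAMPLE_DOCUMENTS)
```

The same `find_cards` routine is what a data-in-motion appliance would run over reassembled payloads after DPI; the difference is where the text comes from, not how it is classified.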

Authentication Methods
Some common I&A vulnerabilities include:
o Weak authentication methods
o Use of simple or easily guessed passwords
o The potential for users to bypass the authentication mechanism
o The lack of confidentiality and integrity for the stored authentication information
o The lack of encryption for authentication and protection of information transmitted over a network
o Sharing of authentication elements in conflict with authentication policies

Authentication methods include:
o Logon IDs and passwords
o Tokens
o Biometrics
Multifactor authentication is the combination of more than one authentication method.
Single sign-on (SSO) is the process for consolidating all of an organization's platform-based administration, authentication and authorization functions into a single centralized administrative function.
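Three of the vulnerabilities above (guessable passwords, unprotected stored authentication data, and no limit on repeated attempts) have well-understood countermeasures that can be shown together. The code below is an added example, not from the ISACA course: it enforces a password policy of the kind the review checklist asks for (adequate length, not easily guessed, no runs of repeated characters), stores only a salted and iterated PBKDF2 hash rather than the password or a reversible encryption of it, compares in constant time, and suspends the account after a set number of failures. The iteration count, blocklist, minimum length and sample accounts are constructed for the demonstration.

```python
"""Password-based identification and authentication with the controls the slides ask
an auditor to check: a password policy (length, guessability, repeated characters),
salted and stretched storage, constant-time comparison, and lockout after repeated
failures. Added example; the blocklist and sample accounts are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # demo value; production PBKDF2-HMAC-SHA256 should use a higher count
MIN_LENGTH = 12
MAX_FAILURES = 5
COMMON_PASSWORDS = {"password", "123456", "welcome1", "qwerty123456"}  # constructed blocklist


def password_policy_violations(password: str) -> list:
    """Return the reasons a candidate password fails the policy (empty if it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("easily guessed")
    if any(password[i] == password[i + 1] == password[i + 2] for i in range(len(password) - 2)):
        problems.append("repeating characters")
    return problems


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: stored authentication data stays useless if the store leaks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class CredentialStore:
    def __init__(self):
        self._records = {}
        self._dummy_salt = os.urandom(16)

    def enroll(self, user: str, password: str) -> None:
        problems = password_policy_violations(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self._records[user] = {"salt": salt, "hash": derive(password, salt),
                               "failures": 0, "locked": False}

    def authenticate(self, user: str, password: str) -> tuple:
        record = self._records.get(user)
        if record is None:
            derive(password, self._dummy_salt)  # same cost for unknown users: no enumeration by timing
            return False, "invalid credentials"
        if record["locked"]:
            return False, "account locked"
        if hmac.compare_digest(record["hash"], derive(password, record["salt"])):
            record["failures"] = 0
            return True, "ok"
        record["failures"] += 1
        if record["failures"] >= MAX_FAILURES:
            record["locked"] = True          # suspension after a set number of violations
            return False, "account locked"
        return False, "invalid credentials"


def demo() -> dict:
    store = CredentialStore()
    rejected = {pw: password_policy_violations(pw)
                for pw in ("password", "aaa-bbb-ccc-ddd", "Tr0ub4dor")}
    store.enroll("alice", "correct horse battery")
    good = store.authenticate("alice", "correct horse battery")
    outcomes = [store.authenticate("alice", "wrong guess")[1] for _ in range(MAX_FAILURES)]
    after_lock = store.authenticate("alice", "correct horse battery")
    unknown = store.authenticate("mallory", "anything")
    return {"rejected": rejected, "good": good, "outcomes": outcomes,
            "after_lock": after_lock, "unknown": unknown}
```

Two details matter for an audit of such code: the store never holds anything from which the password can be recovered (which is what "confidentiality and integrity of stored authentication information" should mean in practice, rather than reversible encryption), and the lockout state is enforced server-side, so it cannot be bypassed by a client that simply ignores the error.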

Authorization
Authorization refers to the access rules that specify who can access what.
Access control is often based on least privilege, which refers to the granting to users of only those accesses required to perform their duties.
The IS auditor needs to know what can be done with the access and what is restricted.
The IS auditor must review access control lists (ACLs). An ACL is a register of users who have permission to use a particular system and the types of access permitted.

Authorization Issues
Risks:
o Denial of service
o Malicious third parties
o Misconfigured communications software
o Misconfigured devices on the corporate computing infrastructure
o Host systems not secured appropriately
o Physical security issues
Controls:
o Policy and standards
o Proper authorizations
o Identification and authentication mechanisms
o Encryption tools and techniques such as use of a VPN
o System and network management
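Reviewing an ACL against least privilege is mechanical once the register is compared with what each job role actually needs. The following is an added example, not ISACA course material: it takes a constructed ACL register (user, resource, permitted modes, last use), a constructed HR roster and a constructed role-to-entitlement baseline, and reports entries that exceed the role, entries for users no longer on the roster, and entries that have gone unused; a reverse check lists accesses a role needs but the user lacks, which shows whether the ACL is being driven by roles at all. The dates, names and thresholds are invented.

```python
"""Least-privilege review of an access control list against HR roles, the kind of
check an auditor performs on an ACL register of users and permitted access types.
Added example; roster, entitlements and ACL entries are constructed."""
from datetime import date

# What each job role legitimately needs (the least-privilege baseline). Constructed.
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"payroll.db": {"read", "write"}},
    "auditor": {"payroll.db": {"read"}, "gl.db": {"read"}},
    "dba": {"payroll.db": {"read", "write", "admin"}, "gl.db": {"read", "write", "admin"}},
}

# Current HR roster: user -> role. Constructed.
HR_ROSTER = {"alice": "payroll_clerk", "bob": "auditor", "dave": "dba"}

# The ACL register pulled from the system: (user, resource, modes, last_used). Constructed.
ACL = [
    ("alice", "payroll.db", {"read", "write"}, date(2016, 5, 30)),
    ("bob", "payroll.db", {"read", "write"}, date(2016, 5, 28)),      # auditor with write access
    ("carol", "gl.db", {"read"}, date(2016, 2, 1)),                   # carol left; not on the roster
    ("dave", "gl.db", {"read", "write", "admin"}, date(2016, 1, 15)),  # not used in months
]


def review_acl(acl, roster, entitlements, today, dormant_days=90) -> list:
    """Return (user, resource, finding) tuples for entries that violate least privilege."""
    findings = []
    for user, resource, modes, last_used in acl:
        role = roster.get(user)
        if role is None:
            findings.append((user, resource, "orphaned entry: user not in HR roster"))
            continue
        excess = modes - entitlements.get(role, {}).get(resource, set())
        if excess:
            findings.append((user, resource, f"excess privilege for role {role}: {sorted(excess)}"))
        idle = (today - last_used).days
        if idle > dormant_days:
            findings.append((user, resource, f"dormant entry: unused for {idle} days"))
    return findings


def missing_entitlements(acl, roster, entitlements) -> list:
    """Reverse check: users whose role needs an access they do not hold. An operational
    rather than a security finding, but it shows whether the ACL is role-driven."""
    held = {}
    for user, resource, modes, _ in acl:
        held.setdefault(user, {}).setdefault(resource, set()).update(modes)
    gaps = []
    for user, role in roster.items():
        for resource, needed in entitlements.get(role, {}).items():
            lacking = needed - held.get(user, {}).get(resource, set())
            if lacking:
                gaps.append((user, resource, sorted(lacking)))
    return gaps


def demo(today=date(2016, 6, 1)) -> dict:
    return {"violations": review_acl(ACL, HR_ROSTER, ROLE_ENTITLEMENTS, today),
            "gaps": missing_entitlements(ACL, HR_ROSTER, ROLE_ENTITLEMENTS)}
```

In a real review the roster would come from HR rather than from the same system that holds the ACL; an orphaned entry is only detectable if the two sources are independent.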

System Logs
Audit trail records should be protected by strong access controls to help prevent unauthorized access.
The IS auditor should ensure that the logs cannot be tampered with, or altered, without leaving an audit trail.
When reviewing or performing security access follow-up, the IS auditor should look for:
o Patterns or trends that indicate abuse of access privileges, such as concentration on a sensitive application
o Violations (such as attempting computer file access that is not authorized) and/or use of incorrect passwords

Review of Access Controls
Access controls and password administration are reviewed to determine that:
o Procedures exist for adding individuals to the access list, changing their access capabilities and deleting them from the list.
o Procedures exist to ensure that individual passwords are not inadvertently disclosed.
o Passwords issued are of an adequate length, cannot be easily guessed and do not contain repeating characters.
o Passwords are periodically changed.
o User organizations periodically validate the access capabilities.
o Procedures provide for the suspension of user IDs or the disabling of systems after a particular number of security procedure violations.
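The two points on the System Logs slide, looking for abuse patterns and making sure logs cannot be altered silently, can both be demonstrated over a handful of records. This is an added example and not part of the ISACA course: the log lines are constructed in a key=value style, the thresholds are invented, and the hash chain is one simple way (not the only one) of making alteration or deletion of earlier entries detectable.

```python
"""Security access follow-up over system logs: flag repeated incorrect passwords,
unauthorized access attempts and concentration on a sensitive application, plus a
hash chain that makes silent log alteration detectable. Added example; the log lines
are constructed, key=value style."""
import hashlib
import hmac
from collections import Counter

SENSITIVE_APPS = {"PAYROLL", "HR"}
FAIL_THRESHOLD = 5            # failed logons per user before flagging
CONCENTRATION_THRESHOLD = 4   # successful accesses to one sensitive app before flagging

LOG_LINES = [  # constructed sample
    "2016-06-01T08:02:11 user=alice app=PAYROLL result=OK",
    "2016-06-01T08:05:40 user=alice app=PAYROLL result=OK",
    "2016-06-01T08:09:03 user=alice app=PAYROLL result=OK",
    "2016-06-01T08:12:57 user=alice app=PAYROLL result=OK",
    "2016-06-01T08:15:22 user=bob app=GL result=FAIL reason=bad_password",
    "2016-06-01T08:15:31 user=bob app=GL result=FAIL reason=bad_password",
    "2016-06-01T08:15:39 user=bob app=GL result=FAIL reason=bad_password",
    "2016-06-01T08:15:48 user=bob app=GL result=FAIL reason=bad_password",
    "2016-06-01T08:15:55 user=bob app=GL result=FAIL reason=bad_password",
    "2016-06-01T08:31:10 user=carol app=FILESRV result=DENIED object=/finance/board_minutes.docx",
    "2016-06-01T09:00:00 user=dave app=GL result=OK",
]


def parse(line: str) -> dict:
    """Timestamp followed by key=value tokens."""
    ts, _, rest = line.partition(" ")
    record = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        record[key] = value
    return record


def review(lines) -> list:
    """Return (user, finding) pairs for the patterns the slide lists."""
    records = [parse(line) for line in lines]
    findings = []
    failures = Counter(r["user"] for r in records if r["result"] == "FAIL")
    for user, n in failures.items():
        if n >= FAIL_THRESHOLD:
            findings.append((user, f"{n} failed logons: possible password guessing"))
    for r in records:
        if r["result"] == "DENIED":
            findings.append((r["user"], f"unauthorized access attempt to {r.get('object', '?')}"))
    sensitive = Counter((r["user"], r["app"]) for r in records
                        if r["result"] == "OK" and r["app"] in SENSITIVE_APPS)
    for (user, app), n in sensitive.items():
        if n >= CONCENTRATION_THRESHOLD:
            findings.append((user, f"{n} accesses concentrated on sensitive application {app}"))
    return findings


def chain(lines, key: bytes) -> list:
    """Tamper-evident log: each entry's HMAC covers the line and the previous HMAC.
    The key must live with the log collector, not on the system producing the log."""
    entries, prev = [], b""
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        entries.append((line, tag))
        prev = tag.encode()
    return entries


def verify_chain(entries, key: bytes):
    """Return the index of the first entry that does not chain, or None if intact.
    Removing only the final entry is not detected by the chain alone; a sequence
    counter or periodic anchoring of the latest tag elsewhere closes that gap."""
    prev = b""
    for i, (line, tag) in enumerate(entries):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return i
        prev = tag.encode()
    return None
```

Altering bob's fifth failure to a success, or deleting one of the middle records, breaks the chain at that position; that is the property the auditor is looking for when asking whether logs can be altered "without leaving an audit trail".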

In the Big Picture
Task 5.4: Evaluate the design, implementation and monitoring of the data classification processes and procedures for alignment with the organization's policies, standards, procedures and applicable external requirements.
The Big Picture: Data classification, protection and management processes are critical in meeting business and regulatory requirements.

Discussion Question
The FIRST step in data classification is to:
A. establish ownership.
B. perform a criticality analysis.
C. define access rules.
D. create a data dictionary.

Discussion Question
From a control perspective, the PRIMARY objective of classifying information assets is to:
A. establish guidelines for the level of access controls that should be assigned.
B. ensure access controls are assigned to all information assets.
C. assist management and auditors in risk assessment.
D. identify which assets need to be insured against losses.

Task 5.5
Evaluate the processes and procedures used to store, retrieve, transport and dispose of assets to determine whether information assets are adequately safeguarded.

Key Terms
Private branch exchange (PBX): A telephone exchange that is owned by a private business, as opposed to one owned by a common carrier or by a telephone company.
Voice-over Internet Protocol (VoIP): Also called IP telephony, Internet telephony and broadband phone, a technology that makes it possible to have a voice conversation over the Internet or over any dedicated Internet Protocol (IP) network instead of dedicated voice transmission lines.

Task to Knowledge Statements
How does Task 5.5 relate to each of the following knowledge statements?
K5.13 Knowledge of encryption-related techniques and their uses. Connection: Through the use of the appropriate encryption techniques, an organization can protect data throughout the data life cycle.
K5.14 Knowledge of public key infrastructure (PKI) components and digital signature techniques. Connection: The auditor needs to evaluate the manner in which PKI is applied by data protection strategies.

How does Task 5.5 relate to each of the following knowledge statements?
K5.15 Knowledge of risk and controls associated with peer-to-peer computing, instant messaging and web-based technologies (e.g., social networking, message boards, blogs, cloud computing). Connection: The risk of data loss or leakage increases when users employ peer-to-peer and other collaborative communication technologies.
K5.17 Knowledge of the processes and procedures used to store, retrieve, transport and dispose of confidential information assets. Connection: In order to control data and information, the organization must understand the state of its data and information from creation, storage, processing and transmission.
K5.18 Knowledge of risk and controls associated with data leakage. Connection: Understanding the category of data and the respective states it resides in through the life cycle will enable the IS auditor to determine risk and the appropriate controls.
K5.19 Knowledge of security risk and controls related to end-user computing. Connection: The IS auditor must determine risk and the appropriate controls needed to address end-user computing technologies from BYOD and client applications to mobile devices (smart phones/PDAs).

How does Task 5.5 relate to each of the following knowledge statements?
K5.21 Knowledge of information system attack methods and techniques. Connection: The IS auditor needs to have the ability to identify and evaluate controls that are most effective in preventing or detecting attacks involving social engineering, wireless access and threats originating from the Internet.

Data Access Procedures
Management should define and implement procedures to prevent access to, or loss of, sensitive information when it is stored, disposed of or transferred to another user.
Such procedures must be created for the following:
o Backup files of databases
o Data banks
o Disposal of media previously used to hold confidential information
o Management of equipment sent for offsite maintenance
o Public agencies and organizations concerned with sensitive, critical or confidential information
o E-token electronic keys
o Storage records

Media Storage
To help avoid potential damage to media during shipping and storage, the following precautions must be present:
o Keep out of direct sunlight.
o Keep free of dust.
o Keep free of liquids.
o Minimize exposure to magnetic fields, radio equipment or any sources of vibration.
o Do not air transport in areas and at times of exposure to a strong magnetic storm.

Mobile Computing
Mobile computing refers to devices that are transported or moved during normal usage, including tablets, smartphones and laptops.
Mobile computing makes it more difficult to implement logical and physical access controls.
Common mobile computing vulnerabilities include the following:
o Information may travel across unsecured wireless networks.
o The enterprise may not be managing the device.
o Unencrypted information may be stored on the device.
o The device may have a lack of authentication requirements.
o The device may allow for the installation of unsigned third-party applications.

Mobile Computing Controls
The following controls will reduce the risk of disclosure of sensitive data stored on mobile devices:
o Device registration
o Tagging
o Physical security
o Data storage control
o Virus detection and control
o Encryption
o Compliance
o Approval
o Due care
o Acceptable use policy
o Awareness training
o Network authentication
o Secure transmission
o Standard applications
o Geolocation tracking
o Secure remote support
o Remote wipe and lock
o BYOD agreement

Other Data Controls
Other technologies that should be reviewed by the IS auditor include:
Peer-to-peer computing. Threats/vulnerabilities: viruses and malware; copyrighted content; excessive use; eavesdropping. Controls: antivirus and anti-malware; block P2P traffic; restrict P2P exposure; establish policies or standards.
Instant messaging (IM). Threats/vulnerabilities: viruses and malware; excessive use; IP address exposure. Controls: antivirus and anti-malware; encrypt IM traffic; block IM traffic; restrict IM usage; establish policies or standards.
Social media. Threats/vulnerabilities: viruses and malware; undefined content rights; data exposure; excessive use. Controls: establish clear policies; capture and log all communications; content filtering.
Cloud computing. Threats/vulnerabilities: lack of control and visibility; physical security; data disposal. Controls: right to audit the contract; restricted contract terms; encryption.

Voice-Over IP (VoIP)
VoIP has a different architecture than traditional circuit-based telephony, and these differences result in significant security issues.
Security is needed to protect two assets: the data and the voice.
Backup communication plans are important because if the computer system goes down, the telephone system goes down too.

Private Branch Exchange
A private branch exchange (PBX) is a sophisticated computer-based switch that may be thought of as a small, in-house phone company.
Failure to secure a PBX can result in:
o Theft of service
o Disclosure of information
o Data modification
o Unauthorized access
o Denial of service
o Traffic analysis
The IS auditor should know the design and implementation to determine how an intruder could exploit weaknesses or normal functions.

In the Big Picture
Task 5.5: Evaluate the processes and procedures used to store, retrieve, transport and dispose of assets to determine whether information assets are adequately safeguarded.
The Big Picture: The IS auditor must understand and be able to evaluate the acceptable methods for data management from creation through destruction.

Discussion Question
When reviewing the procedures for the disposal of computers, which of the following should be the GREATEST concern for the IS auditor?
A. Hard disks are overwritten several times at the sector level but are not reformatted before leaving the organization.
B. All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization.
C. Hard disks are rendered unreadable by hole-punching through the platters at specific positions before leaving the organization.
D. The transport of hard disks is escorted by internal security staff to a nearby metal recycling company, where the hard disks are registered and then shredded.

Discussion Question
The risk of dumpster diving is BEST mitigated by:
A. implementing security awareness training.
B. placing shred bins in copy rooms.
C. developing a media disposal policy.
D. placing shredders in individual offices.

Task 5.6
Evaluate the information security program to determine its effectiveness and alignment with the organization's strategies and objectives.

Key Terms
Chain of custody: A legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for from the time it was collected until the time it is presented in a court of law.
Computer forensics: The application of the scientific method to digital media to establish factual information for judicial review. This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities.
Penetration testing: A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers.
Security incident: A series of unexpected events that involves an attack or series of attacks (compromise and/or breach of security) at one or more sites. A security incident normally includes an estimation of its level of impact. A limited number of impact levels are defined, and for each, the specific actions required and the people who need to be notified are identified.

Task to Knowledge Statements

How does Task 5.6 relate to each of the following knowledge statements?

K5.18 Knowledge of risk and controls associated with data leakage
Connection: The IS auditor must evaluate the data categorization and respective controls in place to mitigate business and regulatory risks.

K5.19 Knowledge of security risk and controls related to end-user computing
Connection: With the drive to greater distribution of computing resources, an attack risk appetite must be balanced in the IS auditor evaluation of end-user computing initiatives.

K5.20 Knowledge of methods for implementing a security awareness program
Connection: One of the most cost-effective security measures is an employee with deep-seated security awareness based on both training and regular reminders.

K5.21 Knowledge of information system attack methods and techniques
Connection: The IS auditor needs to be aware of the technical and human vulnerabilities and the techniques used to exploit those vulnerabilities.


How does Task 5.6 relate to each of the following knowledge statements?

K5.23 Knowledge of security testing techniques (e.g., penetration testing, vulnerability scanning)
Connection: A proactive and holistic security testing program can ensure the correct security mechanisms are in place and operating effectively.

K5.24 Knowledge of the processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team)
Connection: In order for the IS auditor to evaluate the true capabilities of the information security management program, the IS ability to detect, analyze and respond to threats regardless of the source.

Computer Crimes

It is important that the IS auditor knows and understands the differences between computer crime and computer abuse to support risk analysis methodologies and related control practices. Examples of computer crimes include:
o Hacking
o Malware, viruses and worms
o Denial of service (DoS)
o Fraud
o Unauthorized access
o Phishing
o Brute force attacks
o Malicious codes
o Packet replay
o Masquerading
o Eavesdropping
o Network analysis

Source: ISACA, CISA Review Manual, 26th Edition, figures 5.11 and 5.12


Security Incident Handling

To minimize damage from security incidents, a formal incident response capability should be established. Ideally, an organizational computer security incident response team (CSIRT) or computer emergency response team (CERT) should be formed with clear lines of reporting and responsibilities.

The IS auditor should:
o Ensure that the CSIRT is actively involved with users to assist them in the mitigation of risk arising from security failures and also to prevent security incidents.
o Ensure that there is a formal, documented plan and that it contains vulnerabilities identification, reporting and incident response procedures to common, security-related threats/issues.


Auditing ISM Framework

The IS auditor should review the following elements of the information security management framework:
o Written policies, procedures and standards
o Logical access security policies
o Formal security awareness and training
o Data ownership
o Data owners
o Data custodians
o Security administrator
o New IT users
o Data users
o Documented authorizations
o Terminated employee access
o Security baselines
o Access standards

Auditing Logical Access

When evaluating logical access controls, the IS auditor should:
o Obtain a clear understanding of the security risk facing information processing through a review of relevant documentation, interviews, physical walk-throughs and risk assessments.
o Document and evaluate controls over potential access paths into the system to assess their adequacy, efficiency and effectiveness by reviewing appropriate hardware and software security features and identifying any deficiencies or redundancies.
o Test controls over access paths to determine whether they are functioning and effective by applying appropriate audit techniques.


Auditing Logical Access (continued)

In addition, the IS auditor should do the following when auditing logical access:
o Evaluate the access control environment to determine if the control objectives are achieved by analyzing test results and other audit evidence.
o Evaluate the security environment to assess its adequacy and compare it with appropriate security standards or practices and procedures used by other organizations.
o Interview the IS manager and security administrator and review organizational charts and job descriptions.
o Review access control software reports to monitor adherence to security policies.
o Review application systems operations manual.

Security Testing Techniques

Terminal cards and keys: The IS auditor can use sample cards and keys to attempt to gain access beyond what is authorized. The IS auditor should follow up on any unsuccessful attempted violations.

Terminal identification: The IS auditor can inventory terminals to look for incorrectly logged, missing or additional terminals.

Logon IDs and passwords: To test confidentiality, the IS auditor can attempt to guess passwords, find passwords by searching the office or get a user to divulge a password. To test encryption, the IS auditor should attempt to view the internal password table. To test authorization, the IS auditor should review a sample of authorization documents to determine if proper authority was provided.


Security Testing Techniques (continued)

Computer access controls: The IS auditor should work with the system software analyst to determine if all access is on a need-to-know basis.

Computer access violations logging and reporting: The IS auditor should attempt to access computer transactions or data for which access is not authorized. The unsuccessful attempts should be identified on security reports.

Follow-up access violations: The IS auditor should select a sample of security access reports and look for evidence of follow-up and investigation of access violations.

Bypassing security and compensating controls: The IS auditor should work with the system software analyst, network manager, operations manager and security administrator to determine ways to bypass security.

Investigation Techniques

If a computer crime occurs, it is very important that proper procedures are used to collect evidence.
o Damaged evidence can hinder prosecution.
o After a computer crime, the environment and evidence must be left unaltered and examined by specialist law enforcement officials.

Any electronic document or data may be used as digital evidence.

An IS auditor may be required or asked to be involved in a forensic analysis to provide expert opinion or to ensure the correct interpretation of information gathered.
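An added example (not from the ISACA course) of the review of access control software reports and the follow-up of access violations described in the testing techniques above: it parses constructed report lines, lists denied accesses that have no entry in a constructed follow-up register, and flags repeated denials that merit investigation. The report line format, user names and INC ticket identifiers are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample lines from an access-control software report (not real data)
ACCESS_REPORT = """\
2016-03-01 09:12:03 user=jdoe resource=PAYROLL action=READ result=DENIED
2016-03-01 09:12:41 user=jdoe resource=PAYROLL action=READ result=DENIED
2016-03-01 09:13:10 user=jdoe resource=PAYROLL action=READ result=DENIED
2016-03-01 10:02:55 user=asmith resource=HR_DB action=UPDATE result=DENIED
2016-03-01 10:05:00 user=asmith resource=HR_DB action=READ result=GRANTED
2016-03-02 14:30:17 user=svc_batch resource=GL action=WRITE result=DENIED
"""

# Constructed follow-up register: (user, date) violations the security administrator investigated
FOLLOW_UP = {("jdoe", "2016-03-01"): "INC-1042", ("asmith", "2016-03-01"): "INC-1043"}

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"resource=(?P<resource>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$"
)

def parse_report(text: str) -> list:
    """Parse each report line; a line that does not match the expected format is itself a finding."""
    events, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            bad.append(n)
    if bad:
        raise ValueError(f"unparseable report lines: {bad}")
    return events

def unresolved_violations(events: list, follow_up: dict) -> list:
    """Denied accesses with no matching follow-up record, as sorted (user, date) pairs."""
    denied = {(e["user"], e["date"]) for e in events if e["result"] == "DENIED"}
    return sorted(key for key in denied if key not in follow_up)

def repeated_denials(events: list, threshold: int = 3) -> dict:
    """(user, date, resource) triples denied at least `threshold` times: possible probing or misconfiguration."""
    counts = Counter((e["user"], e["date"], e["resource"]) for e in events if e["result"] == "DENIED")
    return {k: v for k, v in counts.items() if v >= threshold}

if __name__ == "__main__":
    evs = parse_report(ACCESS_REPORT)
    print("violations lacking follow-up:", unresolved_violations(evs, FOLLOW_UP))
    print("repeated denials:", repeated_denials(evs))
```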


Computer Forensics

Identify: Refers to the identification of information that is available and might form the evidence of an incident.

Preserve: Refers to the practice of retrieving identified information and preserving it as evidence.

Analyze: Involves extracting, processing and interpreting the evidence.

Present: Involves a presentation to the various audiences, such as management, attorneys, court, etc.

The IS auditor should give consideration to key elements of computer forensics during audit planning, including the following:
o Data protection
o Data acquisition
o Imaging
o Extraction
o Interrogation
o Ingestion/normalization
o Reporting
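As an added illustration (not ISACA's material) of the chain of custody definition and the preserve step above, this Python sketch hashes an evidence item at acquisition and re-verifies the hash at every hand-off, so that a gap in custody or an altered copy shows up in the ledger. The disk-image bytes, the people named and the CustodyRecord/gaps helpers are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for the bytes of an acquired disk image (not real evidence)
SAMPLE_IMAGE = b"constructed disk image bytes: sector0 ... sectorN"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class CustodyRecord:
    """Ledger for one evidence item: baseline hash plus every hand-off, each re-hashed."""
    item_id: str
    acquisition_hash: str
    entries: list = field(default_factory=list)

    def transfer(self, from_person: str, to_person: str, data: bytes, note: str = "") -> bool:
        """Record a hand-off; returns False if the item no longer matches the baseline hash."""
        current = sha256_hex(data)
        intact = current == self.acquisition_hash
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "from": from_person, "to": to_person,
            "sha256": current, "intact": intact, "note": note,
        })
        return intact

def acquire(item_id: str, data: bytes, collector: str) -> CustodyRecord:
    """Identify/preserve: hash the item at collection time and open its ledger."""
    rec = CustodyRecord(item_id=item_id, acquisition_hash=sha256_hex(data))
    rec.transfer(collector, collector, data, note="acquired; baseline hash recorded")
    return rec

def gaps(rec: CustodyRecord) -> list:
    """Audit check: each hand-off must start with whoever held the item last, and the hash must match."""
    problems = []
    for prev, cur in zip(rec.entries, rec.entries[1:]):
        if cur["from"] != prev["to"]:
            problems.append(f"custody gap: {prev['to']} -> {cur['from']}")
        if not cur["intact"]:
            problems.append(f"hash mismatch when {cur['to']} received the item")
    return problems

if __name__ == "__main__":
    rec = acquire("EVD-001", SAMPLE_IMAGE, "IS auditor")
    rec.transfer("IS auditor", "forensic lab", SAMPLE_IMAGE)
    rec.transfer("forensic lab", "counsel", SAMPLE_IMAGE + b"\x00")  # altered copy
    print(gaps(rec))  # -> ['hash mismatch when counsel received the item']
```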


Auditing Network Infrastructure

When performing an audit of the network infrastructure, the IS auditor should:
o Review the following documents:
  Network diagrams
  SLAs
  Network administrator procedures
  Network topology design
o Identify the network design implemented.
o Determine that applicable security policies, standards, procedures and guidance on network management and usage exist and have been distributed.
o Identify who is responsible for security and operation of Internet connections.
o Determine whether consideration has been given to the legal problems arising from use of the Internet.
o Determine whether a vulnerability scanning process is in place.

Auditing Remote Access

IS auditors should determine that all remote access capabilities used by an organization provide for effective security of resources. This includes:
o Ensuring that remote access security controls are documented and implemented for authorized users
o Reviewing existing remote access architectures for points of entry
o Testing access controls


Penetration Testing

During penetration testing, an auditor attempts to circumvent the security features of a system and exploits the vulnerabilities to gain access that would otherwise be unauthorized.

Phases of penetration testing (figure): Planning, Discovery, Attack, Additional Discovery, Reporting.

Types of Penetration Tests

External testing: Refers to attacks and control circumvention attempts on the ...

Internal testing: Refers to attacks and control circumvention attempts on the target from within the perimeter

Blind testing: Refers to the condition of testing when the penetration tester ... information systems

Double blind testing: Refers to an extension of blind testing, because the administrator and security staff at the target are also not aware of the test

Targeted testing: Refers to attacks and control circumvention attempts on the ... are aware of the testing activities

Source: ISACA, CISA Review Manual 26th Edition, figure 5.22


In the Big Picture

Task 5.6: Evaluate the information security program to determine its effectiveness and alignment with the objectives.

The Big Picture: The information security program is the Alpha and the Omega for the organization to realize system confidentiality, integrity and availability.

Discussion Question

Which of the following is the BEST way for an IS auditor to determine the effectiveness of a security awareness and training program?
A. Review the security training program.
B. Ask the security administrator.
C. Interview a sample of employees.
D. Review the security reminders to employees.


Discussion Question

Which of the following is the MAIN reason an organization should have an incident response plan? The plan helps to:
A. ensure prompt recovery from system outages.
B. contain costs related to maintaining DRP capabilities.
C. ensure that customers are promptly notified of issues such as security breaches.
D. minimize the impact of an adverse event.

Domain 5 Summary

Evaluate the information security and privacy policies, standards and procedures.
Evaluate the design, implementation, maintenance, monitoring and reporting of physical and environmental controls.
Evaluate the design, implementation, maintenance, monitoring and reporting of system and logical security controls.


Domain 5 Summary (continued)

Evaluate the design, implementation and monitoring of the data classification processes and procedures.
Evaluate the processes and procedures used to store, retrieve, transport and dispose of assets.
Evaluate the information security program.

Discussion Question

The CSIRT of an organization disseminates detailed ... GREATEST concern should be that the users may:
A. use this information to launch attacks.
B. forward the security alert.
C. implement individual solutions.
D. fail to understand the threat.


Discussion Question
A hard disk containing confidential data was damaged
beyond repair. What should be done to the hard disk to
prevent access to the data residing on it?
A. Rewrite the hard disk with random 0s and 1s.
B. Low-level format the hard disk.
C. Demagnetize the hard disk.
D. Physically destroy the hard disk.
