y 1.0 CISSP - CHRISTIANREINAchristianreina.com/wp-content/uploads/2014/11/CISA-Summary-V1.0.pdf ·...
-
Upload
phungxuyen -
Category
Documents
-
view
215 -
download
1
Transcript of y 1.0 CISSP - CHRISTIANREINAchristianreina.com/wp-content/uploads/2014/11/CISA-Summary-V1.0.pdf ·...
Christian Reina, CISSP
CISA summary
Version 1.0
This document may be used only for informational, training and noncommercial purposes. You are free to copy, distribute, publish and alter this document under the conditions that you give credit to the original author. 2010 ‐ Christian Reina, CISSP.
Dom
ain 1 – IT Governance
“Collection of top-down activities intended to control the IT organization from a strategic perspective.”
Policy Priorities Standards Vendor Management Program/Project Management
IT Strategy Committee Advise board of directors on strategies. Balanced Scorecard Measure performance and effectiveness.
Business contribution: Perception from Non-IT executives
User: Satisfaction Operational excellence: downtime, defects, support
tickets Innovation: increase IT value w/ innovation
Information Security Governance Roles and responsibilities
Board of Directors: risk appetite and risk management Steering Committee: Operational strategy for security
and risk management CISO: conducting risk assessment, developing security
policy, vulnerability management, incident management, compliance
Employees: Comply with policies Enterprise Architecture (EA) Map business functions into the IT environment as a model. Activities to ensure business needs are met Zachman Model IT Systems and environments are described at a high, functional level, and then in increasing detail DFD Illustrate the flow of information
Risk Management Seek, identify, and manage risk.
Accept Mitigate Transfer Avoid
Risk Management Program
Objectives: reduce costs, incidents Scope Authority: Executive level of commitment Resources: Policies, processes, procedures, and records
Risk Management Process
1. Asset Identification: Equipment, information, records, reputation, personnel
o Grouping Assets o Sources of asset data: Interviews, IT
systems, Online data o Organizing data: Business process,
Geography, OU, Sensitivity, Regulated 2. Risk Analysis
o Threat analysis: All threats with realistic opportunity of occurrence
o Vulnerability Identification: Ranked by severity or criticality
o Probability analysis: Requires research to develop best guesses
o Impact analysis: Study of estimating the impact of specific threats on specific assets
o Qualitative: Subjective using numeric scale o Quantitative:
Asset Value (AV) Exposure Factor (EF) Single Loss Expectancy (SLE): AV
x EF Annualized rate of occurrence
(ARO) Annualized loss expectancy (ALE):
SLE x ARO 3. Risk Treatments
o Risk Mitigation o Risk Transfer o Risk Avoidance o Risk Acceptance o Residual Risk
IT Management Practices
1. Personnel Management a. Hiring: Background check, Employee Policy
Manual, Job Description b. Employee Development: Training,
Performance evaluation, Career path c. Mandatory vacations: Audit, cross training,
reduced risk d. Termination e. Transfers and reassignments
2. Sourcing a. Insource b. Outsource: risks, SLA, policy, governance
(service level agreements, change management, security, quality, audits), SaaS
3. Change Management a. Request b. Review c. Approve d. Perform change e. Verify change
4. Financial Management a. Develop b. Purchase c. Rent
5. Quality Management a. Software development b. Software acquisition c. Service desk d. IT operations e. Security f. Standards:
i. ISO 9000: Superseded by ISO 9001:2008 Quality Management System
ii. ISO 20000: IT Service Management for organization adopting ITIL
iii. ITIL 1. Service Delivery 2. Control Processes 3. Release Processes 4. Relationship Processes 5. Resolution Processes
6. Security Management a. Security Governance b. Risk Assessment c. Incident Management d. Vulnerability Management e. Access and Identity management f. Compliance management
Dom
ain 1 – IT Governance
g. BCP 7. Performance Management
a. COBIT b. SEI CMMI
Roles and Responsibilities
1. Executive Management: CIO, CTO, CSO, CISO, CPO 2. Software Development: Architect, Analyst, developer,
programmer, tester 3. Data Management: architect, DBA, analyst 4. Network Management: architect, engineer,
administrator, telecom 5. Systems Management: architect, engineer, storage,
systems administrator 6. Operations: manager, analyst, controls analyst, data
entry, media librarian 7. Security Operations: architect, engineer, analyst,
account management, auditor 8. Service Desk: Help desk, technical support
Segregation of Duties Controls
1. Transaction authorization 2. Split custody 3. Workflow: extra approval 4. Periodic reviews
Auditing IT Governance
1. Reviewing Documentation and Records: a. IT Charter, strategy b. IT org chart c. HR/IT performance d. HR promotion policy e. HR manuals f. Life-cycle processes and procedures g. IT operations procedures h. IT procurement process i. Quality management documents
2. Reviewing Contracts a. Service levels b. Quality levels c. Right to audit d. 3rd party audit e. Conformance to policies, laws, regulations f. Incident notification g. Liabilities h. Termination terms i. Protection of PII
3. Reviewing Outsourcing a. Distance b. Lack of audit contract terms c. Lack of cooperation
main 2 – The Audit Process
Assess and evaluate the effectiveness of IT AUDIT MANAGEMENT The Audit Charter: Define roles and responsibilities. Sufficient authority The Audit Program: scope, objectives, resources, procedures Strategic Audit Planning:
Factors: Business goals and objectives, Initiatives, market conditions, changes in technology, regulatory requirements.
Changes in Audit Activities: New internal audits, new external audits, increase in audit scope, impact on business process
Resource planning: Budget and manpower Audit and Technology: Continue learning about new technologies Audit Laws and Regulations:
Characteristics: Security, Integrity, Privacy Computer Security and Privacy Regulations:
o Categories: Computer trespass, protection of sensitive information, collection and use of information, law enforcement investigative powers
o Consequences: Loss of reputation, competitive advantage, sanctions, lawsuits, fines, prosecution
“An organization should take a systematic approach to determine the applicability of regulations as well as the steps required to attain compliance and remain in this state. “ US Regulations:
Access Device Fraud 1984 Computer Fraud and Abuse Act 1984 Electronic Communications Act 1986 Electronic Communications Privacy Act (ECPA) 1986 Computer Security Act 1987 Computer Matching and Privacy Protection Act 1988 Communications Assistance for Law Enforcement Act
(CALEA) 1994 Economic and Protection of Proprietary Information Act
1996 Health Insurance Portability and Accountability Act
(HIPPA) 1996 Children’s Online Privacy Protection Act (COPPA) 1998 Identity Theft and Assumption Deterrence Act 1998 Gramm-Leach-Bliley Act 1999 Federal Energy Regulatory Commission (FERC)
Provide Appropriate Tools Required to Intercept and Obstruct Terrorism Act (PATRIOT) 2001
Sarbanes-Oxley Act 2002 Federal Information Security Management Act (FISMA)
2002 Controlling the Assault of Non-Solicited Pornography
and Marketing Act (CAN-SPAM) 2003 California Privacy Act SB1386 2003 Identity Theft and Assumption Deterrence Act 2003 Basel II 2004 Payment Card Industry Data Security Standard (PCI-
DSS) 2004 North American Electric Reliability Corporation (NERC)
1968/2006 Massachusetts Security Breach Law 2007
Canadian Regulations:
Interception of Communications Section 184 Unauthorized Use of Computer, Section 342.1 Privacy Act 1983 Personal Information Protection and Electronic
Documents Act (PIPEDA) European Regulations
Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981
Computer Misuse Act (CMA) 1990 Directive on the Protection of Personal Data 2003
European Union Data Protection Act (DPA) 1998 Regulation of Investigatory Powers Act 2000 Anti-Terrorism Crime and Security Act 2001 Privacy and Electronic Communications Regulations
2003 Fraud Act 2006 Police and Justice Act 2006
Other Regulations
Cybercrime Act 2001 Australia Information Technology Act 2000 India
ISACA AUDITING STANDARS Code of Ethics:
Members and ISACA certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities, which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed; revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.
Audit Standards
S1, Audit Charter S2, Independence S3, Professional Ethics and Standards S4, Professional Competence S5, Planning S6, Performance of Audit Work S7, Reporting S8, Follow-up Activities S9, Irregularities and Illegal Acts S10, IT Governance S11, Use of Risk Assessment in Audit Planning S12, Audit Materiality S13, Use the Work of Other Experts S14, Audit Evidence S15, IT Controls S16, E-Commerce
Audit Guidelines
G1, Using the Work of Other Auditors G2, Audit Evidence Requirement G3, Use of Computer-Assisted Audit Techniques
(CAATs) G4, Outsourcing of IS Activities to Other Organizations G5, Audit Charter G6, Materiality Concepts for Auditing IS G7, Due Professional Care G8, Audit Documentation
Dom
ain 2 – The Audit Process
G9, Audit Considerations for Irregularities and Illegal Acts
G10, Audit Sampling G11, Effect of Pervasive IS Controls G12, Organizational Relationship and Independence G13, Use of Risk Assessment in Audit Planning G14, Application Systems Review G15, Planning G16, Effect of Third Parties on an Organization’s IT
Controls G17, Efect of Nonaudit Role on the IS Auditor’s
Independence G18, IT Governance G19, Irregularities and Illegal Acts G20, Reporting G21, Enterprise Resource Planning (ERP) Systems
Review G22, Business to Consumer (B2C) E-Commerce
Review G23, SDLC Review G24, Internet Banking G25, Review of VPN G26, Business Process Reengineering (BRP) Review G27, Mobile Computing G28, Computer Forensics G29, Post-implementation Review G30, Competence G31, Privacy G32, BCP G33, General Consideration on the Use of the Internet G34, Responsibility, Authority, and Accountability G35, Follow up Activities G36, Biometric Controls G37, Configuration Management G38, Access Controls G39, IT Organization G40, Review of Security Management Practices
Audit Procedures
P1, Risk Assessment P2, Digital Signature and Key management P3, IDS P4, Viruses P5, Control Risk Self-Assessment P6, Firewall P7, Irregularities and Illegal Acts P8, Security Assessment (Pen test, vulnerability
analysis) P9, Encryption
P10, Business Application Change Control P11, Electronic Funds Transfer
RISK ANALYSIS
Evaluating Business Processes Identifying Business Risks Risk Mitigation Countermeasures Assessment Monitoring
INTERNAL CONTROLS
Control Classification o Types: Technical, Administrative, Physical o Classes: Preventative, Detective, Deterrent,
Corrective, Compensating, Recovery o Categories: Manual, Automatic
Internal Control Objectives: Statements of desired outcomes from business operations. Protection of IT assets, Availability of IT systems
o IS Control Objectives: Protection of information from unauthorized personnel, Integrity of Operating Systems
General Computing Controls: GCCs are controls that apply across all applications and services. Passwords are encrypted, Strong passwords
IS Controls: Each GCC is mapped to a specific IS control on each system type.
PERFORMING AN AUDIT
Formal Planning: o Purpose o Scope o Risk Analysis o Audit procedures o Resources o Schedule
Types o Operational o Financial o IS audit o Administrative o Compliance o Forensic o Service provider o Pre-audit
Compliance vs. Substantive Testing o Compliance: Determine if control procedures
have been properly designed and implemented and operating properly.
o Substantive: Determine accuracy and integrity of transactions that flow through processes and information systems
Audit Methodology o Audit Subject o Audit Objective o Audit type o Audit Scope o Pre-Audit planning o Audit SoW o Audit Procedures o Communication plan o Report preparation o Wrap-up o Post-audit Follow-up
Audit Evidence o Independence of the evidence provider o Qualifications of the evidence provider o Objectivity o Timing
Gathering Evidence o Org Chart o Review dept and project charters o Review 3rd party contracts o Review IS policies and procedures o Review IS Standards
Dom
ain 2 – The Audit Process
o Review IS documentation o Personnel Interviews o Passive observation
Observing Personnel o Real tasks o Skills and experience o Security awareness o Segregation of Duties
Sampling o Statistical: Reflect the entire population o Judgmental: Subjectively selects samples
based on established criteria o Attribute: Samples are examined and a
specific attribute is chosen o Variable: Determine the characteristic of a
given population to determine total value o Stop-or-go: Sampling can stop at the earliest
possible time due to low risk and rate of exceptions
o Discovery: Trying to find at least one exception in a population
o Stratified: Create different classes and review one attribute common to all classes
Computer-Assisted Audit: CAATs help examine and evaluate data across complex environments
Reporting Audit Results o Cover letter o Intro o Summary o Description o Listing of systems and processes examined o Listing of interviewees o Listing of evidence obtained o Explanation of sampling technique o Description of findings and recommendations
Audit Risk o Control risk: undetected error by an internal
control o Detection risk: IS auditor will overlook errors o Inherent risk: Inherent risks exist independent
of the audit. o Overall audit risk: summation of all of the
residual risks o Sampling risk: sampling technique will not
detect Materiality: A monetary threshold in financial audits
CONTROL SELF-ASSESSMENT Methodology used by an organization to review key business objectives, and the key controls designed to manage those risks.
Advantages o Risks detected earlier o Improvement of internal controls
o Ownership of controls o Improved employee awareness o Improved relationship between
departments and auditors Disadvantages
o Mistaken as a substitute for internal audit o May be considered extra work o May be considered an attempt by an
auditor to shrug off responsibilities o Lack of employee involvement has no
results Life Cycle
o Identify and assess risks o Identify and assess controls o Develop questionnaire or workshop o Analyze completed questionnaire o Control remediation o Awareness training
Dom
ain 3 – IT LifeCycle Managem
ent
Organization’s methodologies and practices for the development and management of software, infrastructure, and business processes. PORTFOLIO AND PROGRAM MANAGEMENT: A program is an organization of many large, complex activities, and can be thought of as a set of projects that work to fulfill one or more key business objectives or goals.
Starting a Program: o Program charter o Identification of available resources
Running a Program: o Monitoring project schedules o Managing project budgets o Managing resources o Identifying and managing conflicts o Creating status reports
Project Portfolio Management o Executive sponsor o Program manager o Project manager o Start and end dates o Names of participants o Objectives or goals that the project supports o Budget o Resources o Dependencies
Business Case development o Business problem o Feasibility study results o High-level project plan o Budget o Metrics o Risks
PROJECT MANAGEMENT
Organizing Projects Direct report: Project team leader Influencer: Influence members but
does not manage them directly Pure project: Given authority Matrix: Authority over each project
team member o Initiating a project
Developing Project Objectives o Object Breakdown Structure (OBS): Visual
representation of the system, software, or application, in a hierarchical form.
o Work Breakdown Structure (WBS): Logical representation of the high-level and detailed tasks that must be performed to complete the project.
Managing Projects o Managing the project schedule o Recording task completion o Running project meetings o Tracking project expenditures o Communicating project status
Project Roles and Responsibilities o Senior management: support the approval of
the project o IT steering committee: Commission the
feasibility study, approve project o Project manager o Project team members o End-user management: Assign staff to the
project team. Support development of cases o End users o Project sponsor: define project objectives,
provide budget o Systems development management o System developers o Security manager o IT Operations
Project Planning Task identification Task estimation Task resources Task dependencies Milestone tracking Task tracking
o Estimating and sizing software projects Object Breakdown Structure (OBS) Work Breakdown Structure (WBS) Source Lines of Code (SLOC):
accurate estimate based on previous analysis for the time to develop a program.
COCOMO: Constructive Cost Model method for estimating software development projects
Function Point Analysis (FPA):
time-proven estimation technique for larger software projects. It studies the detailed design specifications for an application program and counts the number of user inputs, user outputs, user queries, files, and external interfaces.
Other costs: development tools, workstations, servers, software licenses, network devices, training, equipment
o Scheduling Project Tasks: Critical phase Gantt Chart Program Evaluation and Review
Technique (PERT) Critical path Methodology (CPM): It
is important to identify the critical path in a project, because this allows the project manager to understand which tasks are most likely to impact the project schedule and to determine when the project will finally conclude.
Timebox Management: A period in which a project must be completed.
o Project Records: Project plans Project changes Meetings agendas and minutes Resource consumption Task information
o Project Documentation: Helps users, support staff, IT operations, developers, and auditors
o Project Change Management: The procedures for making changes to the project should be done in two basic steps:
The project team should identify the specific use, impact, and remedy. Make a formal request
This change request should be presented to management along with its impact. Management should make a decision.
o Project closure Project debrief Project documentation archival Management review Training Formal turnover to users,
operations and support o Methodologies
Project Management Body of Knowledge (PMBOK): Process based
Processes: o Inputs o Techniques o Outputs
Dom
ain 3 – IT LifeCycle Managem
ent
Process groups Initiating Planning Executing Controlling and
monitoring Closing
o Projects IN Controlled Environments (PRINCE2): Project management framework
Starting up a project (SU) Planning (PL) Initiating a project (IP) Directing a project (DP) Controlling a stage (CS) Managing product delivery (MP) Managing Stage Boundaries (SB) Closing a project (CP) Scrum: Iterative and incremental
process most commonly used to project manage an agile software development effort.
Scrum master: this is the project manager
Product owner: This is the customer
Team Users Stakeholders Managers
SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC)
1. Feasibility Study: Determine whether a specific change or set of changes in business processes and underlying applications is practical to undertake.
o Time required to develop / acquire software o A comparison between the cost of developing
the application vs buying o Whether an existing system can meet the
business need o Whether the application supports strategic
business objectives o Whether a solution can be developed that is
compatible with other IT systems o The impact of the proposed changes to the
business on regulatory compliance o Whether future requirements can be met by
the system 2. Requirements: Characteristics of a new application or
changes being made. o Business functional requirements: Must have
to support the business o Technical requirements and standards: Use
the same basic technologies already in use as well as formal technical standards.
o Security and Regulatory Requirements: Authentication Authorization
Access control Encryption Data validation Audit logging Security operational requirements
o DR/BCP Requirements o Privacy Requirements o RFP Process: Request For Proposal
Requirements Vendor financial stability Product roadmap Experience Vision References Questions for clients:
Satisfaction with installation
Satisfaction with migration
Satisfaction with support Satisfaction with long-
term roadmap What went well What did not go well
Contract negotiation Closing the RFP
3. Design: A top down approach 4. Development:
Coding the application Developing program and system
level documents Developing user procedures Working with users Developing in a software
acquisition setting: Customizations Interfaces of other
systems Authentication Reports
Debugging Correct operations Input validation Proper output validation Resource usage
Source Code Management (SCM) Protection Control Version control Recordkeeping
5. Testing
o Unit testing: by developers during the coding phase. Should be a part of the development of each module in the application.
o System testing: end to end testing. Includes interface testing, migration testing.
o Functional testing: Verification of functional requirements
o User Acceptance Testing (UAT): In most cases, it is a formal step to find out if organization accepts the software developed by a 3rd party.
o Quality Assurance Testing (QAT): 6. Implementation
o Planning: Prepare physical space for
production systems Build production systems Install application software Migrate data
o Training: End users Customers Support staff Trainers
o Data migration Record counts Batch totals Checksums
o Cutover Parallel Geographic Module by module Roll-back
o Rollback Planning 7. Post Implementation
o Implementation review System adequacy Security review Issues ROI
o Software maintenance
Development Risks o Application inadequacy o Project risk o Business inefficiency o Market changes
Development Approaches and Techniques
o Agile Development o Prototyping
Dom
ain 3 – IT LifeCycle Managem
ent
o Rapid Application Development (RAD) o Data Oriented System Development (DOSD) o Object-Oriented System Development (OO) o Component based development: CORBA,
DCOM, SOA o Web-Based Application Development: HTML,
SOAP, XML o Reverse Engineering
System Development Tools
o Computer-Aided Software Engineering (CASE)
Upper CASE: requirements gathering, DFDs, interfaces
Lower CASE: Creation of program source code and data schemas
o Fourth Generation Languages INFRASTRUCTURAL DEVELOPMENT AND IMPLEMENTATION
1. Review of existing architecture 2. Requirements
a. Business functional requirements b. Technical requirements and standards c. Security and regulatory requirements d. Privacy requirements
3. Design a. Procurement
4. Testing 5. Implementation 6. Maintenance
MAINTAINING INFORMATION SYSTEMS Change Management Process
Change request Change review Perform change Emergency changes
Configuration Management
Recovery: stored independent of the systems themselves
Consistency: It will simplify administration, reduce mistakes, and result in less unscheduled downtime.
BUSINESS PROCESSES Business Process Life Cycle (BPLC)
1. Feasibility study 2. Requirements definition 3. Design
4. Development 5. Testing 6. Implementation 7. Monitoring 8. Post-implementation
Benchmarking a Process
Plan Research Measure and observe Analyze Adapt: understand the fundamental reasons why other
organizations’ measurements are better than its own. Improve
Capability Maturity Models
Software Engineering Institute Capability Maturity Model (SEI CMM)
o Initial o Repeatable o Defined o Managed o Optimizing
Capability Maturity Model Integration (CMMI): An aggregation of these other models into an overall maturity model.
ISO 15504: Software Process Improvement and Capability dEtermination (SPICE).
o Level 0 incomplete o Level 1 performed o Level 2 managed o Level 3 established o Level 4 predictable o Level 5 optimizing
APPLICATION CONTROLS Input Controls
Authorization o User access controls o Workstation identification o Approved transactions and batches o Source documents
Input validation o Type checking o Range and value checking
o Existence o Consistency o Length o Check digits o Spelling o Unwanted characters o Batch controls
Error handling o Batch rejection o Transaction rejection o Request re-input
Processing Controls
Editing Calculations
o Run-to-run totals o Limit checking o Batch totals o Manual recalculation o Reconciliation o Hash values
Data file controls o Data file security o Error handling o Internal and external labeling o Data file version o Source files o Transaction logs
Processing errors
Output Controls
Controlling special forms Report distribution and receipt Reconciliation Retention
Dom
ain 3 – IT LifeCycle Managem
ent
AUDITING THE SOFTWARE DEVELOPMENT LIFE CYCLE Auditing Project Management
Auditing the Feasibility Study
Auditing Requirements
Auditing Design
Auditing Software Acquisition
Auditing Development
Auditing Implementation
Auditing Post-Implementation
Auditing Change Management
Auditing Configuration Management
AUDITING BUSINESS CONTROLS Identify the key processes in an organization and to understand the controls that are in place or should be in place that govern the integrity of those processes AUDITING APPLICATION CONTROLS Transaction Flow
Observations
Dom
ain 3 – IT LifeCycle Managem
ent
Data Integrity Testing: Used to confirm whether an application properly accepts, processes, and stores information. Testing Online Processing Systems:
Auditing Applications
Continuous Auditing: Several techniques are available to perform online auditing:
Dom
ain 4 – IT Service Delivery & Infrastructure
IT organizations are effective if their operations are effective. IT organizations are service organizations – their existence is to serve the organization and support its business processes. INFORMATION SYSTEMS OPERATIONS
Management and control of operations o Process and procedures o Standards o Resource allocation o Process management
IT Service management (ITSM) o Service desk o Incident mgt o Problem mgt o Change mgt o Configuration mgt o Release mgt: ITIL terms used to describe
SDLC. Used for changes in a system such as:
Incidents and problem resolution Enhancements Subsystem patches and changes
o Service-level mgt o Financial mgt o Capacity mgt
Periodic measurements Considering planned changes Understanding long-term strategies Changes in technology
o Service continuity mgt o Availability mgt
Effective change mgt Effective application testing Resilient architecture Serviceable components
Infrastructure Operations o Running scheduled jobs o Restarting failed jobs/processes o Facilitating backup jobs o Monitoring systems/apps/networks
Monitoring Software Program Library Management: System that
is used to store and manage access to an organization’s application source and object code
o Access and authorization controls
o Program checkout o Program check in o Version control o Code analysis
Quality Assurance Security Management
o Policies, procedures, processes, and standards
o Risk Assessments o Impact analysis o Vulnerability management
INFORMATION SYSTEMS HARDWARE
Computer usage o Types: supercomputer, mainframe, midrange,
server, desktop, laptop, mobile o Uses: app server, web server, file server, db
server, print server, test server, thin client, thick client, workstation
Computer architecture o CPU: CISC (Complex Instruction Set
Computer), RISC (Reduced Instruction Set Computer), Single processor, Multi-processor
o Bus: PCI, PC Card, MBus, Sbus o Main Storage o Secondary Storage: Program storage, data
storage, temporary files, OS, virtual memory, o Firmware: Flash, EPROM, PROM, ROM,
EEPROM o I/O and Networking o Multi-computer: Blade computers, grid
computing, server clusters, virtual servers Hardware maintenance Hardware monitoring
INFORMATION SYSTEMS ARCHITECTURE AND SOFTWARE
Computer Operating Systems Access to peripherals Storage mgt Process mgt Resource allocation Communication Security
o OS Virtualization o Clustering: using special software o Grid Computing: a form of distributed
computing
o Cloud Computing: dynamically scalable and usually virtualized
Data Communication Software File Systems: Directories, files, FAT, NTFS, HFS
(Hierarchical File System) ISO 9660 (CD-ROM, DVD), UDF (Universal Disk Format)
Database Management Systems o Relational DB Management (rDBMS):
Primary key, one or more indexes, referential integrity, Encryption, Audit logging, access controls,
o Object Database (ODBMS): Represented as objects, Data and the programming method are contained in an object,
o Hierarchical Database : Top-down Media Management System: Tape management
systems (TMS) or Disk Management Systems (DMS) Utility software
o Software and data design o Software development o Software testing o Security testing o Data management o System health o Network
NETWORK INFRASTRUCTURE
Network Architecture o Physical network architecture o Logical network architecture o Data flow architecture o Network standards and services
Types of networks o Personal Area Network (PAN): up to 3 meters
and use to connect peripherals for use by an individual
o LAN o Campus Area Network (CAN) o Metropolitan Area Network (MAN) o WAN
Network-based Services: email, print, file storage, remote access, directory, terminal emulation, time synch, network authentication, web security, anti-malware, network management
Network Models o OSI: Application, presentation, session,
transport, network, data link, physical o TCP/IP: Link, internet, transport, application
Network Technologies o LAN
Physical topology: Star, Ring, Bus
Dom
ain 4 – IT Service Delivery & Infrastructure
Cable types: Shield twisted pair
(STP), screened unshielded twisted pair (S/UTP), screened shielded twisted pair (S/STP), unshielded twisted pair (UTP)
Other types: Fiber, coaxial, serial
Network Transport protocols Ethernet: Broadcast or
shared medium, collision avoidance
o ATM: Synchronous network. Connection oriented link-layer protocol.
o Token Ring o Universal Serial Bus o FDDI: Fiber distributed data interface. Range
up to 200km and capable of 200mb/sec o WAN
MPLS SONET Frame Relay ISDN X.25
o Wireless Wi-Fi Bluetooth Wireless USB NFC (Near Field Communication):
extremely short distance radio frequencies that are commonly used for merchant payment applications.
IrDA: Infrared Data Association. TCP/IP Protocols
o Link Layer / network access layer ARP (Address resolution) RARP (Reverse address
resolution) OSPF (Open Shortest Path First) L2TP (Layer 2 Tunneling Protocol) PPP Media Access Control (MAC)
o Internet Layer / Layer 3 IP ICMP IGMP IPSec
o Internet Layer IP Addresses, subnets, masks,
gateway, classless and classful networks.
o Transport Layer TCP UDP
o Application layer File Transfer Protocols
FTP FTPS SFTP SCP Rcp
Messaging protocols SMTP POP IMAP NNTP
File and directory sharing protocols NFS RPC
Session protocols TELNET rlogin SSH HTTP HTTPS
Management protocols SNMP NTP
Directory service protocols DNS LDAP X.500
Global Internet: Email, IM, VPN, WWW Network Management
o Tools Network management systems Network management agents Incident management systems Protocol analyzers Sniffers
Networked Applications o Client–Server o Web-based
AUDITING IS INFRASTRUCTURE AND OPERATIONS
Auditing IS Hardware o Standards: procurement stds o Maintenance: records, service contracts o Capacity: system’s capacity monitoring
o Change mgt: requested, reviewed prior to approval
Auditing OSs o Standards: written stds o Maintenance and support: support contracts o Change mgt o Configuration mgt: tools, recordkeeping,
config processes o Security mgt: hardening
Auditing File Systems o Capacity: storage o Access control
Auditing DB Management Systems o Configuration mgt: centrally controlled o Change mgt: changes should be consistent
and systematic o Capacity mgt: ability to support business
processes o Security mgt: access controls, logs
Auditing Network Infrastructure o Network architecture o Security architecture o Standards o Change mgt o Capacity mgt o Configuration mgt o Administrative access management o Network components o Log management o User access management
Auditing Network Operating Controls o Network operating procedures o Restart procedures o Troubleshooting procedures o Security controls o Change management
Auditing computer operations o System configuration standards o System build procedures o System recovery procedures o System update procedures o Patch management o Daily tasks o Backup o Media control o Monitoring
Auditing Data Entry o Data entry procedures o Input verification o Batch verification
Dom
ain 4 – IT Service Delivery & Infrastructure
o Correction procedures
Auditing Lights-Out operations o Remote administration procedures o Remote monitoring procedures
Auditing Problem Management Operations o Problem management policy and processes o Problem management records o Problem management timelines o Problem management reports o Problem resolution o Problem recurrence
Auditing Monitoring Operations o Monitoring plan o Problem log o Preventative maintenance o Management review and action
Auditing Procurement o Requirements definition: functional, technical,
and security requirements approved by management. Policies, procedures, and records.
o Feasibility studies
Dom
ain 5 – Inform
ation Asset Protection
INFORMATION SECURITY MANAGEMENT
Aspects o Executive support o Policies and procedures o Security Awareness o Security monitoring and auditing o Incident response o Corrective and preventive action.
Roles and responsibilities o Executive mgt: support and overall
responsibility for asset protection o Security steering committee: approval of
security policies, risk related matters. o CISO: development and enforcement of
policy and asset protection o Chief privacy officer o Security auditor: monitoring and testing
security controls o Security administrator o Security analyst: implementing security policy
by designing and improving security controls and processes
o Systems analyst: by designing application software that includes adequate controls
o Software developers: coding applications that include controls to prevent application misuse or bypass of controls
o Managers o Asset owners: responsible for protection and
integrity of assets o Employees
Asset Inventory and Classification o Hardware o Information
Access Control o AC Management: request, review,
segregation of duties, transfer, termination o Logs
Privacy o PII: DL, SSN, Passport, phone, address,
DoB, Accounts 3rd Party Management
o 3rd Party access countermeasures: logs, video, access controls, logical access, audits
o Legal agreements: liabilities, controls required, nondisclosure, security training, steps for a security breach, steps to be taken to reduce the likelihood of data loss caused by a disaster, right to inspect, compliance, destroy copies of information on request.
HR Security o Screening o Agreements o Job descriptions o Transfer and termination o Contractors and temps
Computer Crime o Roles
Target of a crime Instrument of a crime Support of a crime
o Categories Military Political Terrorist Financial Business Grudge Amusement
o Perpetrators Hackers Cybercriminals Spies Terrorists Script kiddies Social engineers Employees Former employees Knowledgeable outsiders Service providers employees
Security Incident Management o Incident Response
Planning Detection Initiation Evaluation Eradication Remediation Closure Post-Incident Review
o Testing Incident Response Document review Walkthrough Simulation
o Incident prevention Vulnerability monitoring
Patch management System hardening IDS
o Chain of custody: Identification Preservation Analysis Presentation
LOGICAL ACCESS CONTROLS: Subject access controls are in place to determine the identity of the subject. Service access is used to control the types of messages that are allowed to pass through a control point.
Models o MAC: Mandatory Access Control: Access to
objects by subjects o DAC: Discretionary Access Control: Owner of
an object is able to determine how and by whom the object may be accessed.
Threats o Malware o Eavesdropping o Logic bombs o Scanning attacks
Vulnerabilities o Unpatched systems o Default system settings o Default passwords o Incorrect permissions settings o Application logic
Points of Entry o Exposure to malware o Eavesdropping o Open access
Identification, Authentication, and Authorization o Identification: asserting an identity without
providing any proof of it. o Authentication: Subject asserts an identity,
but some proof of the subject’s identity is required
o Authorization: System determines resource access to the subject
User account provisioning o Factors: user location, system limitations,
data sensitivity o Risks: Finding a password, eavesdropping
Two Factor authentication: Digital certificates, smart cards, tokens
Something you are: Biometrics such as hand print, fingerprint, palm vein, voice, facial scan, handwriting, iris scan
o Measurement variances: False reject rate, False accept rate, crossover error rate
Dom
ain 5 – Inform
ation Asset Protection
Reduced Sign On: changing from stand alone application authentication to centralized authentication like LDAP, RADIUS, Active Directory
Single Sign On: one login authentication for multiple authorized applications
Access Control Lists: common way to administer access controls
Protecting Information o Access controls o Access Logging o Backups
Automated tools Protection of backup data Offsite backup media storage Restoration testing Media inventory
Patch Management Vulnerability Management
o Subscribing to security alerts o Scanning o Patch management o Corrective action process
System Hardening: remove services, change functions to unique system function, changed default password, non-predictable passwords, reduce privileges, eliminate interserver trust
Managing User Access o User Access Provisioning: Risk of errors
can be devastating for an organization o Termination: Some safeguards are
needed like review of terminated employee’s actions before and after, periodic reviews, and review logs
o Transfers: Risk is privilege creep o Password management: provisioning,
lockout, forgotten passwords. Password length, complexity, expiration, reuse, rechange
Protecting Mobile Devices: Encryption, strong access control, remote destruct, hardening, logical locking system, physical locking system
NETWORK SECURITY CONTROLS
Network Security o Threats: access by unauthorized persons,
spoofing, eavesdropping, malware, DoS, access bypass, MITM
o Countermeasures: User authentication controls, machine authentication controls, anti-malware, encryption, switched networks, IDS/IPS
Securing Client-Server Applications o Access controls: strong authentication o Interception of client-server
communication: Network encryption o Network Failure o Change management o Disruption of client software updates
o Stealing data Securing Wireless Networks
o Threats and vulnerabilities Eavesdropping War driving and chalking Encryption Spoofing
o Countermeasures Obscure SSID Stop SSID broadcast Reduce transmit power MAC filtering WPA Require VPN Change default passwords Patches
Protecting Internet Communications o Threats and vulnerabilities
Eavesdropping Network analysis: reconnaissance
phase of some bigger effort Targeted attacks Malware Masquerading: forge messages that
have the appearance of originating elsewhere.
DoS Fraud
o Countermeasures Firewalls Honeypots and Honeynets IDS Change management and
configuration management Incident management Security awareness training
Encryption o Terms:
Plaintext Ciphertext Hash function Message digest Digital signature Algorithm Decryption Encryption key Cryptanalysis Key length Block cipher Stream cipher Initialization Vector (IV): random
number to begin encryption process Symmetric encryption Asymmetric encryption Key exchange Nonrepudiation
o Private Key Cryptosystem: Symmetric cryptography
Challenges Key exchange: Out of
band method is required. Scalability
o Public Key Cryptosystem: Asymmetric cryptosystem
Key pair: public and private keys Message security: no need to
establish and communicate symmetric encryption keys through a secure channel.
Verifying public keys: Certificate authority Email address Key fingerprint: retrieve
the public key and calculate the key fingerprint.
o Hashing and Message Digests o Digital Signatures: Seals a message or file
using the sender’s identity o Digital Envelopes: Combining private and
public o Public Key Infrastructure (PKI):
Digital certificates Certificate Authority (CA) Registration Authority (RA) Certificate Revocation List (CRL) Certification Practice Statement
(CPS) o Key Management
Key generation: system must be highly protected, isolated, and used by a few people. System should include some randomness
Key protection Key custody: policies, processes,
and procedures regarding the management of keys.
Key rotation: only when one of the following occurs:
Key compromise Key expiration Rotation of staff
Key disposal o Encryption applications
SSL/TLS S-HTTP S/MIME SSH
Dom
ain 5 – Inform
ation Asset Protection
SET Voice over IP (VoIP)
o Threats and vulnerabilities Eavesdropping Spoofing Malware DoS Toll fraud
o Protecting: IDS, access management, firewalls, hardening, malware controls
Private Branch Exchange (PBX) o Threats and vulnerabilities
Default passwords on administrator console
Dial-in modem Toll fraud Espionage
o Countermeasures Administrative access control Physical access control Regular log review
Malware o Threats and vulnerabilities
Viruses Worms Trojan horses Spyware Root kits Bots Missing patches Unsecure configuration Faulty architecture Faulty judgment Spam Phishing DoS
o Anti-Malware Administrative controls Spam policy Business related internet No removable media No downloading No personally owned computers
o Anti-Malware Technical controls Anti-malware on email servers On workstations On web servers Centralized malware console
IDS Spam filters Blocking use of removable media
Information Leakage o Countermeasures
Outbound email filters Block removable media Blocking internet access Tighter access controls Access logging Job rotation Periodic background checks
ENVIRONMENTAL CONTROLS
Threats and vulnerabilities o Electric power vulnerabilities
Spike: sharp increase Inrush: sudden increase Noise: presence of other
electromagnetic signals Dropout: momentary loss Brownout: sustained drop Blackout: complete loss
o Physical environment vulnerabilities Temperature Humidity Dust and dirt Smoke and fire Sudden unexpected movement
Countermeasures o Electric power
UPS Electric generator Dual power feeds Power distribution unit (PDU)
o Temperature and humidity controls: HVAC o Fire Prevention, detection, and suppression
controls Prevention:
Combustibles: stored away Cleanliness Electrical equipment
maintenance Detection: pull down stations, manual
alarms, detectors Suppression:
Types: wet pipe, dry pipe, pre-action, deluge, inert gas
Classes: o A: wood, paper
o B: liquids and gases
o C: electrical o D: combustible
metals o K: cooking oils
and fats PHYSICAL SECURITY CONTROLS
Threats and vulnerabilities o Theft o Sabotage o Espionage o Covert listening devices o Tailgating o Propped doors o Poor visibility
Countermeasures o Keycard systems o Cipher locks o Fences, walls, and barbed wire o Bollards and crash gates o Video o Visual notices o Bug sweeping o Guards o Guard dogs
AUDITING ASSET PROTECTION
Security Management o Policies, processes, procedures, and
standards o Records o Training o Data ownership and management o Data custodians o Security administrators o New and existing employees
Logical Access controls o Network access paths
IT infrastructure Network architecture and access
documentation o User Access Controls
User access controls: authentication, bypass, access violations, user account lockout, IDS/IPS, shared accounts, dormant accounts, system accounts
Password management: password standards, account lockout, access to encrypted passwords
Dom
ain 5 – Inform
ation Asset Protection
Password vaulting o User access provisioning:
Access request process Access approvals Segregation of duties (SOD) Access reviews
o Employee terminations Termination process Timeliness Access reviews Contractor access and termination
o Access logs Access log controls Centralized access logs Access log protection Log review Log retention
o Investigative procedures Policies and procedures Computer crime investigations Computer forensics
o Internet points of presence Search engines: what information is
available Social networking sites: what
others are saying Online sales sites: what’s being
sold Domain names
Network Security Controls o Architecture review
Diagrams Documents Support of business objectives Compliance with security policy Comparison of documented vs
actual o Network access controls
User authentication: Active Directory, LDAP
Firewalls IDS Remote access Dial-up modems
o Change management Change control policy Change logs Change control procedures Emergency changes Rolled-back changes Linkage to SDLC: change
management and SDLC
Alert management Penetration testing Application scanning Patch management
Environmental Controls o Power conditioning o Backup power o HVAC o Water detection o Fire detection and suppression o Cleanliness
Physical Controls o Siting and Marking
Proximity to hazards o Physical access controls
Physical barriers Surveillance Guards and dogs Keycard systems
Dom
ain 6 – BC & DR
DISASTERS
Types o Natural: Earthquakes, volcanoes, landslides,
avalanches, wildfires, tropical cyclones, tornadoes, windstorms, lighting, ice storms, hail, flooding, tsunamis, pandemic, extraterrestrial impacts
o Man-Made: Civil disturbances, Utility outages, materials shortages, fires, hazardous materials spills, transportation accidents, security events, terrorism and wars
o How they affect organizations Direct damage: earthquakes etc Utility outage Transportation Services and supplier shortage Staff availability Customer availability
BCP Process
Develop Policy: formal policy included in the overall governance model
BCP and COBIT Controls o Develop IT continuity framework o Conduct business impact analysis o Develop and maintain IT continuity plans o Identify and categorize IT resources based on
recovery objectives o Define and execute change control
procedures to ensure IT continuity plan is current
o Regularly test IT continuity plan o Develop follow-on action plan from test
results o Plan and conduct IT continuity training o Plan IT services recovery and resumption o Plan and implement backup storage and
protection o Establish procedures for conducting post-
resumption reviews Business Impact Analysis (BIA)
Inventory Key processes and systems Statement of impact: qualitative or quantitative
description of the impact if the process or system were incapacitated for a time
Criticality Analysis: study of each system and process, a consideration of the impact on the organization if it is incapacitated, the likelihood of incapacitation, and the estimated cost of mitigating the risk or impact of incapacitation. (risk analysis)
Establishing key targets Recovery Time Objective (RTO): Time from onset of an
outage until the resumption of service. ** An organization could establish two RTO targets, one for partial capacity and one for full capacity.
Recovery Point Objective (RPO): Time for which recent data will be irretrievably lost in a disaster. For critical transactions it is measure in minutes.
Developing Recovery Strategies and Plans Strategies:
o Site options: Hot, warm, cold, mobile, reciprocal (at another company)
o Recovery and resilience technologies RAID: Redundant Array of
Independent Disks RAID-0: stripped RAID-1: mirror RAID-4: Data stripping.
RAID 4-5 allows for failure of one disk without losing information
RAID-6: Withstands failure of any two disks drives in the array.
SAN: Storage Area Network
NAS: Network Attached Storage.
o Replication: Disk storage system Operating system Database management system Transaction management system Application
o Server clusters o Network connectivity and services
Redundant network connection Redundant network services
o Backup and restoration Plans
o Evacuation procedures o Disaster declaration procedures
Core team Declaration criteria Pulling the trigger: any single core
member Next Steps: Declaration will trigger
other response procedures. False alarms
o Responsibilities: injured, caring for family members, transportation unavailable, out of the area, communications, fear
Emergency Response: evacuation, first aid, firefighting
Command and Control (Emergency Management)
Scribe: Document the important events during disaster response operations
Internal Communications External communications Legal and compliance Damage assessment Salvage Physical security Supplies Transportation Network Network services Systems Databases Data and records Applications Access management Information security Off-site storage User hardware Training Relocation Contract Information
o Recovery procedures: should be hand in hand with the technologies that may have been added to IT systems to make them more resilient
o Continuing Operations o Restoration procedures o Considerations:
Availability of personnel Emergency supplies Communications: identifying Critical
personnel, suppliers, customers, and other parties, call trees, wallet cards
Transportation o Documentation
Supporting project documents Analysis documents: BIA, RTP,
RPO, Criticality analysis Response documents: Business
recovery plan, Occupant emergency plan (OEP), Emergency communications plan, contact lists, DR plan,
Dom
ain 6 – BC & DR
Continuity of operations plan
(COOP), Security incident response plan (SIRT)
Test and review documents Testing Recovery Plans
Test preparation: schedule, facilities, scripting, participants, recordkeeping, contingency plan,
Document review Walkthrough Simulation Parallel test Cutover test Documenting results Improving recovery and continuity plans
Training Personnel: Document review, participation in walkthroughs, participation in simulations, participation in parallel and cutover tests
Hard copy of plan Soft copy of plan Online access Wallet cards
Maintaining Recovery and Continuity Plans Auditing Business Continuity and Disaster Recovery: An audit of an organization’s BC program is a top-down analysis of key business objectives and a review of documentation and interviews to determine whether the BC strategy and program details support those key business objectives.
o Reviewing Business Continuity and Disaster Recovery Plans
o Reviewing Prior Test Results and Action Plans
o Evaluating off-site storage o Evaluating alternate processing facilities o Interviewing key personnel o Reviewing service provider contracts o Reviewing insurance coverage