ISMN 5750 exam 2
types of documentation (information gathering)
- administrative - system - procedural - network architecture diagrams - vendor support access documents and agreements
threat analysis (threat identification)
- adversarial - accidental - structural - environmental
enterprise risk management (ERM):
- align risk appetite and strategy - identify cross-enterprise risks - reduce surprises and losses - improve capital allocations - seize opportunities - enhance risk response decisions
NIST has three IT security control categories. The following are controls in one of the categories: 1. Identification and authentication 2. Logical access control 3. Audit trail 4. Cryptography The above controls are examples of which control category?
technical
Three IT security controls covered by the National Institute of Standards and Technology (NIST) include management, operational, and __________.
technical
threat analysis
a complete threat analysis must be performed as part of any risk management plan; controls cannot be chosen before the threats they are meant to counter are identified
assessing IT security controls:
- is it effective? - is it required? - how much effort or money should be spent?
minimum acceptable level of risk and security baseline definitions
- a risk assessment must be completed first - controls are selected based on the level of risk to the org - applied organization-wide - across the 7 domains of a typical IT infrastructure
IT testing and monitoring (questions):
- is IT performance measured to detect problems before it is too late? - does management ensure that internal controls are effective and efficient? - can IT performance be linked back to business goals?
security control points in an IT infrastructure
- by class: management, operational, technical - by function: preventive, detective, corrective
scope restrictions (negative impacts of scope restrictions)
- not providing enough resources - limiting the time frame - preventing the discovery of audit evidence - restricting audit procedures - withholding relevant historical records or information about past incidents
necessary documentation
- organization's written policies - administrative documentation - system documentation - procedural documentation - network architecture diagrams - vendor support access documents and agreements
audit interview framework:
- preparing - scheduling - opening - conducting - closing - recording
documented security policy framework
- security policy framework: provides the foundation and direction for the security program, supports it internally, and gives direction for assessments and audits - policies: a quality, inexpensive control, but difficult to implement; provide a reference point for the auditor; include standards, procedures, and guidelines
examples of documents auditor should gather include:
- system config documentation - applications config documentation - network documentation for applications and systems being audited - standard config documents for role specific systems
risk assessment analysis
- the likelihood of a threat to exploit a given vulnerability - the impact on the organization if that threat against the vulnerability is achieved - the sufficiency of controls to either eliminate or reduce the risk
IT testing and monitoring
- the most important and beneficial element of an IT security program - testing and monitoring must be conducted to know the controls are working - all frameworks include a control objective for regularly assessing and monitoring IT systems and controls
vulnerability identification resources
- vulnerability lists and databases - security advisories - software and security analysis
privacy audits address the following three concerns:
1. what type of personal information is processed and stored? 2. where is it stored? 3. how is it managed?
scope
includes areas to be reviewed and the time period
frequency
is typically every one, two, or three years
goals
must be aligned with audit objectives
Which of the following is NOT an important step for conducting effective IT audit interviews?
setting organizational goals during the interview
objectives
should satisfy internal and external requirements
resources in an IT infrastructure
- data - apps - technology - facilities - personnel
system configuration documentation:
- IP addresses - operating system - patch level - hardware specifications - installed software - protocols - service config - user accounts - password settings - audit log settings
NIST standards and methodologies
- NIST SP 800-53 and SP 800-53A are two important and widely used standards - NIST provides a catalog of security controls (800-53) and a framework for assessing those controls (800-53A) - many orgs base their policies on NIST - NIST's Computer Security Division (CSD) publishes several popular series: Special Publications (SP), NIST Interagency/Internal Reports (NISTIR), ITL bulletins, and FIPS
layered audit
- a layered audit approach is necessary when systems span the domains of an IT infrastructure - predominant in audits of a particular process,
applying risk management strategies
- accept the risk - avoid the risk - share the risk - control the risk
identifying critical security control points:
- adequate controls should be in place to meet high level defined control objectives - organizational risk assessment plays an important role in identifying high risk areas - consensus audit guidelines (CAG)
tradeoffs to risk assessment analysis
- cost: are the costs of a control justified by the reduction of risk? - operational impact: does the control have an adverse effect on system performance? - feasibility: is the control technically feasible? will the control be feasible for the end users?
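The risk assessment analysis above (likelihood, impact, sufficiency of controls) and the three tradeoffs (cost, operational impact, feasibility) can be carried through numerically. The following is an added example, not material from the course or exam: it assumes a quantitative treatment in which likelihood is an annual probability and impact is a dollar loss, so that likelihood x impact is an expected annual loss; the risk, the candidate controls and every figure are constructed for illustration.

```python
"""Risk assessment tradeoff: does a control's risk reduction justify its cost,
operational impact and feasibility? Added example; all figures are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    threat_source: str   # adversarial, accidental, structural or environmental
    likelihood: float    # annual probability the threat exploits the vulnerability
    impact: float        # loss to the organization if it does (assumed in dollars)


@dataclass
class Control:
    name: str
    annual_cost: float
    likelihood_after: float       # likelihood once the control is in place
    impact_after: float           # impact once the control is in place
    technically_feasible: bool
    feasible_for_users: bool
    operational_impact_ok: bool   # no unacceptable effect on system performance


def expected_annual_loss(likelihood: float, impact: float) -> float:
    """Likelihood x impact: the quantitative form of the risk analysis."""
    return likelihood * impact


def evaluate(risk: Risk, control: Control) -> dict:
    """Apply the three tradeoffs: cost, operational impact, feasibility."""
    before = expected_annual_loss(risk.likelihood, risk.impact)
    after = expected_annual_loss(control.likelihood_after, control.impact_after)
    reduction = before - after
    net_benefit = reduction - control.annual_cost
    feasible = (control.technically_feasible and control.feasible_for_users
                and control.operational_impact_ok)
    return {
        "control": control.name,
        "inherent_loss": before,
        "residual_loss": after,
        "net_benefit": net_benefit,
        "feasible": feasible,
        # a control is only justified when it is feasible AND pays for itself
        "justified": feasible and net_benefit > 0,
    }


def rank_controls(risk: Risk, controls: list[Control]) -> list[dict]:
    """Justified controls first, highest net benefit first within each group."""
    results = [evaluate(risk, c) for c in controls]
    return sorted(results, key=lambda r: (not r["justified"], -r["net_benefit"]))


# Constructed scenario: one adversarial risk and three candidate controls.
RANSOMWARE = Risk("ransomware on the file server", "adversarial",
                  likelihood=0.25, impact=400_000)
CANDIDATES = [
    Control("offline backups with tested restores", 30_000, 0.25, 40_000,
            True, True, True),
    Control("air-gap the file server", 150_000, 0.0625, 400_000,
            True, False, False),
    Control("block all removable media and email attachments", 5_000, 0.125,
            400_000, True, False, True),
]

if __name__ == "__main__":
    for r in rank_controls(RANSOMWARE, CANDIDATES):
        print(f"{r['control']:<50} net={r['net_benefit']:>10,.0f} "
              f"feasible={r['feasible']} justified={r['justified']}")
```

The third control shows why feasibility is checked separately from cost: it has a positive net benefit on paper but is not feasible for end users, so it is not justified, and the auditor would expect to see a different control (or an accept/share decision) for that risk.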
tools used in the IT audit process
- electronic work papers - project management software - flowcharting software - open issue tracking software - audit department website
standard config documents for role specific systems:
- firewalls - web servers - mail servers - DNS servers - FTP servers
existing IT security policy framework definition
- frameworks exist to help with risk management programs, security programs, and policy creation - ensure compliance across the IT infrastructure - important for the auditor to know which framework the organization has based its policy on - allows better alignment between the organization's policy and the audit
obtaining information, documentation, and resources
auditor: must understand organization, must understand security in place, must know industry best practices
An IT infrastructure audit __________ is the system in a known acceptable state, with the applied minimum controls relative to the accepted risk.
baseline
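Testing a host against its baseline is where the system configuration documentation items listed earlier (IP addresses, OS, patch level, installed software, protocols, service config, user accounts, password settings, audit log settings) get used. The following is an added example, not course material: it assumes a hypothetical web server role baseline and a constructed configuration document for one host, and reports every item where the host has drifted from the known acceptable state.

```python
"""Compare one host's configuration documentation against the role baseline
(the known acceptable state with the minimum controls). Added example; the
baseline values and the observed host are constructed, not from a real system."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Finding:
    item: str       # which documentation item deviates
    expected: str   # what the baseline requires
    observed: str   # what the host documentation shows
    severity: str


def version_key(level: str) -> tuple[int, ...]:
    """Turn a dotted patch level such as '2024.03' into a comparable tuple."""
    return tuple(int(part) for part in level.split("."))


# Constructed baseline for the web server role (hypothetical values).
WEB_SERVER_BASELINE = {
    "operating_system": "Ubuntu 22.04",
    "min_patch_level": "2024.06",
    "allowed_services": {"sshd", "nginx", "systemd-journald"},
    "allowed_accounts": {"root", "www-data", "svc-deploy"},
    "min_password_length": 14,
    "max_password_age_days": 90,
    "audit_log_required": True,
    "allowed_protocols": {"tcp/22", "tcp/443"},
}

# Constructed system configuration documentation for one host, holding the
# items the auditor gathers: IP addresses, OS, patch level, running services,
# protocols, user accounts, password settings and audit log settings.
OBSERVED_HOST = {
    "hostname": "web-01",
    "ip_addresses": ["10.0.5.21"],
    "operating_system": "Ubuntu 22.04",
    "patch_level": "2024.03",
    "running_services": {"sshd", "nginx", "systemd-journald", "vsftpd"},
    "user_accounts": {"root", "www-data", "svc-deploy", "tempadmin"},
    "password_settings": {"min_length": 8, "max_age_days": 90},
    "audit_log_settings": {"enabled": False},
    "listening_protocols": {"tcp/22", "tcp/443", "tcp/21"},
}


def assess(host: dict, baseline: dict) -> list[Finding]:
    """Return every deviation of the host from the baseline, in a fixed order."""
    findings: list[Finding] = []
    if host["operating_system"] != baseline["operating_system"]:
        findings.append(Finding("operating_system", baseline["operating_system"],
                                host["operating_system"], "high"))
    if version_key(host["patch_level"]) < version_key(baseline["min_patch_level"]):
        findings.append(Finding("patch_level", ">= " + baseline["min_patch_level"],
                                host["patch_level"], "high"))
    for svc in sorted(host["running_services"] - baseline["allowed_services"]):
        findings.append(Finding("service", "not running", svc, "medium"))
    for acct in sorted(host["user_accounts"] - baseline["allowed_accounts"]):
        findings.append(Finding("user_account", "not present", acct, "high"))
    pw = host["password_settings"]
    if pw["min_length"] < baseline["min_password_length"]:
        findings.append(Finding("password_min_length",
                                str(baseline["min_password_length"]),
                                str(pw["min_length"]), "medium"))
    if pw["max_age_days"] > baseline["max_password_age_days"]:
        findings.append(Finding("password_max_age_days",
                                "<= " + str(baseline["max_password_age_days"]),
                                str(pw["max_age_days"]), "low"))
    if baseline["audit_log_required"] and not host["audit_log_settings"]["enabled"]:
        findings.append(Finding("audit_log", "enabled", "disabled", "high"))
    for proto in sorted(host["listening_protocols"] - baseline["allowed_protocols"]):
        findings.append(Finding("protocol", "not listening", proto, "medium"))
    return findings


def report(host: dict, findings: list[Finding]) -> str:
    """One line per finding, or a single line stating the host is at baseline."""
    if not findings:
        return f"{host['hostname']}: at baseline"
    lines = [f"{host['hostname']}: {len(findings)} deviation(s) from baseline"]
    for f in findings:
        lines.append(f"  [{f.severity}] {f.item}: expected {f.expected}, observed {f.observed}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(OBSERVED_HOST, assess(OBSERVED_HOST, WEB_SERVER_BASELINE)))
```

Each finding maps back to one documentation item, which is what makes it usable as audit evidence: the auditor can cite the expected value from the baseline document and the observed value from the host's configuration documentation.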
National Institute of Standards and Technology (NIST) security controls are classified as being preventive, detective, or __________.
corrective