IT Security System Audits Ch.5


Control recommendations

Consider controls to reduce the level of risk to an acceptable level.

Risk determination

Consider the likelihood, magnitude of impact, and adequacy of controls as an equation of risk.

System characterization

Identify and understand the systems and their operating environment.

Vulnerability identification

Identify flaws or weaknesses that can be triggered or exploited, which might result in a breach.

Threat identification

Identify potential methods or situations that could exploit a weakness.

Medium

Some history of the threat, and the threat might occur

threat actions

methods that may be utilized to carry out an attack.

Preventive controls

stop a particular threat in the first place

audit objective

the goal of the audit

threat identification

the identification of all possible threats

scope creep

the plans or goals expand beyond what was originally intended.

An IT audit doesn't just assess adherence to the security policy; it also uncovers situations in which the policy needs to be refined

true

Before an evaluation of controls can begin, the auditor must first identify the critical controls. To do so, the auditor must consider the audit scope and objective along with the risk assessment. Documentation and any preliminary interviews also help to identify the requirements.

true

Combined with Risk IT and another framework, Val IT, COBIT 5 provides a framework of controls to minimize as well as manage risk.

true

Defining scope requires consideration of the personnel, systems, and records relevant to the objective.

true

Depending on the risk, the frequency of audits varies

true

Documentation related to business structure, configuration, and even previous audits should be gathered and reviewed prior to an audit

true

During integrated audits, financial controls are the focus

true

Privacy audits go beyond traditional IT audits in that the entire information lifecycle process needs to be considered.

true

Project management requires the management of three competing needs to achieve the project objectives. Known as the triple constraint, these include scope, cost, and time.

true

The risk assessment will influence the critical requirements for an IT audit

true

Two major factors contributing to interrelation of security and privacy are regulatory issues and the rapid growth and widespread use of the Web

true

Threat classifications

• Adversarial
• Accidental
• Structural
• Environmental

reactive or corrective control

can lessen the effects of a threat

The audit plan should be prepared only after a ____ __________ is complete.

risk assessment

audit frequency

the rate of occurrence for audits

baseline

the system in a known good state, with the applied minimum controls relative to the accepted risk.

A privacy audit should consider what privacy laws apply to the organization. Auditors should consider who has responsibility for privacy within the organization, and the policies and procedures specific to privacy should be examined.

true

An alternative approach is to analyze impact and likelihood quantitatively. Such matrixes might use percentage values or a numerical count instead of defining what is high versus medium.

true

An audit is a project

true

An example of an IT risk framework compatible with ERM is ISACA's Risk IT.

true

An organization's written policies are among the most important documents for an auditor. They provide a guideline from which to check the environment for gaps.

true

Antivirus software is a common control that spans all three control types. It can prevent a system from getting a virus in the first place. It can detect if a virus is on the system. Finally, it can react and correct the situation by removing or quarantining the virus.

true

Assessing IT security is largely about ensuring that adequate controls are in place.

true

Auditing IT infrastructure for compliance incorporates the evaluation of various types of controls.

true

Auditors should be familiar with the Project Management Institute (PMI), which has created a standard named A Guide to the Project Management Body of Knowledge (PMBOK). This guide provides a well-known and applied framework for managing successful projects.

true

Audits can occur on an annual basis or every two or three years, depending on regulatory requirements and the determined risk.

true

Baselines provide a solid and simple method from which to audit a system. Comparing a system against a baseline can help identify nonexistent controls that should be applied as well as controls that have been removed or disabled.

true

Ways to identify vulnerabilities

• Vulnerability lists and databases published by industry organizations
• Security advisories
• Software and security analysis using automated tools

Privacy audits address the following three concerns:

• What type of personal information is processed and stored?
• Where is it stored?
• How is it managed?

Project characteristics

• A project is temporary
• A project is unique and produces unique results
• A project is progressively elaborated

vulnerability

A weakness

Control analysis

Analyze controls to reduce the likelihood of a threat successfully exploiting a vulnerability

Impact analysis

Determine the impact of a successful attack on a vulnerability by a threat. Consider the mission of a system, data criticality, and data sensitivity

Likelihood determination

Determine the likelihood of an attack by considering the motivation and capability of the threat source along with the nature of the vulnerability in relation to the current controls.

Results documentation

Document for management the observations on threats and vulnerabilities as well as risks overall and recommended controls.

Guidance for privacy audits established by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).

Generally Accepted Privacy Principles (GAPP)

Low

No previous history of the threat, and the threat is not likely to occur

High

Substantial history of the threat, and the threat is likely to occur

NIST SP 800-30, "Risk Management Guide for Information Technology Systems," nine-step risk assessment process

• System characterization
• Threat identification
• Vulnerability identification
• Control analysis
• Likelihood determination
• Impact analysis
• Risk determination
• Control recommendations
• Results documentation

Technical controls

These include controls that are performed by the IT systems. Examples include the following:
• Identification and authorization
• Logical access control
• Audit trails
• Cryptography

chief privacy officer (CPO)

a senior-level position responsible for the overall management of an organization's privacy program

ISACA definition of privacy within the context of information systems

adherence to trust and obligation in relation to any information relating to an identified or identifiable individual (data subject). Management is responsible to comply with privacy in accordance with its privacy policy or applicable privacy laws and regulations.

General controls

also known as infrastructure controls. These types of controls apply broadly to all system components across an organization

threat

any activity that represents a possible danger

Application controls

apply to individual application systems.

Risk IT provides a comprehensive framework not just for assessing risk, but also for

governance and response

detective control

identifies that a threat is present.

vulnerability analysis

identifying vulnerabilities that can be exploited by the previously identified threats

Application control types

include various transaction controls, such as input, processing, and output controls.

high-level classification of controls for IT systems

includes general and application controls.

audit scope

includes the area or areas to be reviewed as well as the time period.

Reducing operational surprises and losses

This enhances the organization's ability to identify potential events or threats and react appropriately.

Identifying and managing multiple and cross-enterprise risks

This helps the organization to consider related risks from across the organization and provides a unified response across the varying risks.

Aligning risk appetite and strategy

This helps the organization to manage the uncertainty with consideration of the goals of the organization.

Seizing opportunities

This helps the organization to recognize events from which new opportunities can be pursued.

Improving deployment of capital

This improves how organizations divide their financial resources to enhance performance and profitability.

Enhancing risk response decisions

This improves the organization's ability to make decisions about how to better manage risk.

Operational controls

These include controls that are implemented by people rather than systems. These controls are often interrelated with both management and technical controls. Examples include the following:
• Personnel and user issues
• Contingency and disaster planning
• Incident response and handling
• Awareness, training, and education
• Computer support and operations
• Physical and environmental security

Management controls

These include controls typically governed by management as part of the overall security program. Examples include the following:
• Security policy
• Security program management
• Risk management
• Security and planning in the system development life cycle
• Assurance

Effective risk management starts with identifying the IT assets and their value. Next, organizations need to identify the threats and vulnerabilities to these assets. Next, organizations need to identify the likelihood that each threat will exploit a vulnerability. Finally, organizations need to consider the impact of the risk. Risks should then be prioritized. This enables organizations to give attention to the most severe.

true

For the audit to be effective, the scope must consider the objectives of the audit.

true

General knowledge about the business can be gained by gathering information on business and reporting cycles, key business processes, and key personnel to interview.

true

How well an organization adheres to its own policy, when combined with a risk assessment, helps to identify any gaps.

true

IT audits also are known for not following a predefined frequency, but instead using a continuous risk-assessment process. This is more appropriate given the fast-paced change in technology as well as the threats and vulnerabilities related to IT.

true

IT organizations today are concerned with controls relating to both security and privacy.

true

In addition to providing guidelines for information security risk management, this ISO standard also supports the concepts within ISO/IEC 27001.

true

Managing and understanding risk is a key operating component of any organization

true

Projects require someone to manage them. This position is often given the title of project manager. Large projects and even audits might have a dedicated project manager. Other times, the person managing the project might be the project expert.

true

Risk management provides a method for dealing with the uncertainty. This includes identifying which ones to accept and which ones to control.

true

Strategic objectives of an organization reveal details about the organization in the future and how this will affect its information systems. In addition, information about the operational objectives for internal control provides relevant information with regard to the current state of the organization.

true

The scope, objectives, goals, and frequency of audits are based on a risk assessment.

true

The threats that are more difficult to identify are those that pertain specifically to the organization

true

Threats are matched with existing vulnerabilities to further understand the risk.

true

Three IT security controls covered by the National Institute of Standards and Technology (NIST) include management, operational, and technical controls

true

Time is another consideration dependent upon the objective. The depth and breadth of an audit usually determines the time frame required to meet the objectives.

true

Understanding control classifications provides auditors with a foundation to identify and assess critical controls.

true

When defining the scope, the auditor should consider the controls and processes across the seven domains of IT infrastructure. This includes relevant resources such as the following:
• Data
• Applications
• Technology
• Facilities
• Personnel

true

Audits specific to IT processes may focus on governance and software development.

true

Due to recent legislation regarding the need to protect personally identifiable information, audits specific to privacy are more commonplace than before.

true

Information security policies are living documents.

true

Infrastructure audits are conducted for compliance.

true

Matrixes and other mechanisms are useful for qualitatively understanding risk.

true

Risk management needs to be a key part of organizations and any audit.

true

Scope and objective are closely related.

true

further documentation that may be needed for an audit

• Administrative documentation
• System documentation
• Procedural documentation
• Network architecture diagrams
• Vendor support access documents and agreements

enterprise risk management (ERM) components

• Aligning risk appetite and strategy
• Enhancing risk response decisions
• Reducing operational surprises and losses
• Identifying and managing multiple and cross-enterprise risks
• Seizing opportunities
• Improving deployment of capital

information the auditor needs before performing an audit

• An understanding of the organization and what its business requirements and goals are
• Knowledge of how the security program is currently in place
• Industry best practices for the type of organization and systems

restrictions that an organization may place on an auditor

• Not providing enough resources
• Limiting the time frame
• Preventing the discovery of audit evidence
• Restricting audit procedures
• Withholding relevant historical records or information about past incidents

risk determination functions

• The likelihood of a threat to exploit a given vulnerability
• The impact on the organization if that threat against the vulnerability is achieved
• The sufficiency of controls to either eliminate or reduce the risk
