IT Security System Audits Ch.5
Control recommendations
Consider controls to reduce the level of risk to an acceptable level.
Risk determination
Consider the likelihood, magnitude of impact, and adequacy of controls as an equation of risk.
System characterization
Identify and understand the systems and their operating environment.
Vulnerability identification
Identify flaws or weaknesses that can be triggered or exploited, which might result in a breach.
Threat identification
Identify potential methods or situations that could exploit a weakness.
Medium
Some history of the threat, and the threat might occur
threat actions
methods that may be utilized to carry out an attack.
Preventive controls
stop a particular threat in the first place
audit objective
the goal of the audit
threat identification
the identification of all possible threats
scope creep
the plans or goals expand beyond what was originally intended.
An IT audit doesn't just assess adherence to the security policy; it also uncovers situations in which the policy needs to be refined.
true
Before an evaluation of controls can begin, the auditor must first identify the critical controls. To do so, the auditor must consider the audit scope and objective along with the risk assessment. Documentation and any preliminary interviews also help to identify the requirements.
true
Combined with Risk IT and another framework, Val IT, COBIT 5 provides a framework of controls to minimize as well as manage risk.
true
Defining scope requires consideration of the personnel, systems, and records relevant to the objective.
true
Depending on the risk, the frequency of audits varies.
true
Documentation related to business structure, configuration, and even previous audits should be gathered and reviewed prior to an audit.
true
During integrated audits, financial controls are the focus.
true
Privacy audits go beyond traditional IT audits in that the entire information lifecycle process needs to be considered.
true
Project management requires the management of three competing needs to achieve the project objectives. Known as the triple constraint, these include scope, cost, and time.
true
The risk assessment will influence the critical requirements for an IT audit.
true
Two major factors contributing to the interrelation of security and privacy are regulatory issues and the rapid growth and widespread use of the Web.
true
Threat classifications
• Adversarial • Accidental • Structural • Environmental
reactive or corrective control
can lessen the effects of a threat
The audit plan should be prepared only after a ____ __________ is complete.
risk assessment
audit frequency
the rate of occurrence for audits
baseline
the system in a known good state, with the applied minimum controls relative to the accepted risk.
A privacy audit should consider what privacy laws apply to the organization. Auditors should consider who has responsibility for privacy within the organization, and the policies and procedures specific to privacy should be examined.
true
An alternative approach is to analyze impact and likelihood quantitatively. Such matrixes might use percentage values or a numerical count instead of defining what is high versus medium.
true
An audit is a project.
true
An example of an IT risk framework compatible with ERM is ISACA's Risk IT.
true
An organization's written policies are among the most important documents for an auditor. They provide a guideline from which to check the environment for gaps.
true
Antivirus software is a common control that spans all three control types (preventive, detective, and corrective). It can prevent a system from getting a virus in the first place. It can detect if a virus is on the system. Finally, it can react and correct the situation by removing or quarantining the virus.
true
Assessing IT security is largely about ensuring that adequate controls are in place.
true
Auditing IT infrastructure for compliance incorporates the evaluation of various types of controls.
true
Auditors should be familiar with the Project Management Institute (PMI), which has created a standard named A Guide to the Project Management Body of Knowledge (PMBOK). This guide provides a well-known and applied framework for managing successful projects.
true
Audits can occur on an annual basis or every two or three years, depending on regulatory requirements and the determined risk.
true
Baselines provide a solid and simple method from which to audit a system. Comparing a system against a baseline can help identify nonexistent controls that should be applied as well as controls that have been removed or disabled.
true
Ways to identify vulnerabilities
• Vulnerability lists and databases published by industry organizations • Security advisories • Software and security analysis using automated tools
Privacy audits address the following three concerns:
• What type of personal information is processed and stored? • Where is it stored? • How is it managed?
Project characteristics
• A project is temporary • A project is unique and produces unique results • A project is progressively elaborated
vulnerability
A weakness
Control analysis
Analyze controls to reduce the likelihood of a threat successfully exploiting a vulnerability
Impact analysis
Determine the impact of a successful attack on a vulnerability by a threat. Consider the mission of a system, data criticality, and data sensitivity
Likelihood determination
Determine the likelihood of an attack by considering the motivation and capability of the threat source along with the nature of the vulnerability in relation to the current controls.
Results documentation
Document for management the observations on threats and vulnerabilities as well as risks overall and recommended controls.
Guidance for privacy audits established by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
Generally Accepted Privacy Principles (GAPP)
Low
No previous history of the threat, and the threat is not likely to occur
High
Substantial history of the threat, and the threat is likely to occur
NIST SP 800-30, "Risk Management Guide for Information Technology Systems," nine-step risk assessment process
1. System characterization 2. Threat identification 3. Vulnerability identification 4. Control analysis 5. Likelihood determination 6. Impact analysis 7. Risk determination 8. Control recommendations 9. Results documentation
Technical controls
These include controls that are performed by the IT systems. Examples include the following: • Identification and authorization • Logical access control • Audit trails • Cryptography
chief privacy officer (CPO)
a senior-level position responsible for the overall management of an organization's privacy program
ISACA definition of privacy within the context of information systems
adherence to trust and obligation in relation to any information relating to an identified or identifiable individual (data subject). Management is responsible to comply with privacy in accordance with its privacy policy or applicable privacy laws and regulations.
General controls
also known as infrastructure controls. These types of controls apply broadly to all system components across an organization
threat
any activity that represents a possible danger
Application controls
apply to individual application systems.
Risk IT provides a comprehensive framework not just for assessing risk, but also for
governance and response
detective control
identifies that a threat is present.
vulnerability analysis
identifying vulnerabilities that can be exploited by the previously identified threats
Application control types
include various transaction controls, such as input, processing, and output controls.
high-level classification of controls for IT systems
includes general and application controls.
audit scope
includes the area or areas to be reviewed as well as the time period.
Reducing operational surprises and losses
This enhances the organization's ability to identify potential events or threats and react appropriately.
Identifying and managing multiple and cross-enterprise risks
This helps the organization to consider related risks from across the organization and provides a unified response across the varying risks.
Aligning risk appetite and strategy
This helps the organization to manage the uncertainty with consideration of the goals of the organization.
Seizing opportunities
This helps the organization to recognize events from which new opportunities can be pursued.
Improving deployment of capital
This improves how organizations divide their financial resources to enhance performance and profitability.
Enhancing risk response decisions
This improves the organization's ability to make decisions about how to better manage risk.
Operational controls
These include controls that are implemented by people rather than systems. These controls are often interrelated with both management and technical controls. Examples include the following: • Personnel and user issues • Contingency and disaster planning • Incident response and handling • Awareness, training, and education • Computer support and operations • Physical and environmental security
Management controls
These include controls typically governed by management as part of the overall security program. Examples include the following: • Security policy • Security program management • Risk management • Security and planning in the system development life cycle • Assurance
Effective risk management starts with identifying the IT assets and their value. Next, organizations need to identify the threats and vulnerabilities to these assets. Next, organizations need to identify the likelihood that each threat will exploit a vulnerability. Finally, organizations need to consider the impact of the risk. Risks should then be prioritized. This enables organizations to give attention to the most severe.
true
For the audit to be effective, the scope must consider the objectives of the audit.
true
General knowledge about the business can be gained by gathering information on business and reporting cycles, key business processes, and key personnel to interview.
true
How well an organization adheres to its own policy, when combined with a risk assessment, helps to identify any gaps.
true
IT audits also are known for not following a predefined frequency, but instead using a continuous risk-assessment process. This is more appropriate given the fast-paced change in technology as well as the threats and vulnerabilities related to IT.
true
IT organizations today are concerned with controls relating to both security and privacy.
true
In addition to providing guidelines for information security risk management, this ISO standard also supports the concepts within ISO/IEC 27001.
true
Managing and understanding risk is a key operating component of any organization.
true
Projects require someone to manage them. This position is often given the title of project manager. Large projects and even audits might have a dedicated project manager. Other times, the person managing the project might be the project expert.
true
Risk management provides a method for dealing with the uncertainty. This includes identifying which ones to accept and which ones to control.
true
Strategic objectives of an organization reveal details about the organization in the future and how this will affect its information systems. In addition, information about the operational objectives for internal control provides relevant information with regard to the current state of the organization.
true
The scope, objectives, goals, and frequency of audits are based on a risk assessment.
true
The threats that are more difficult to identify are those that pertain specifically to the organization.
true
Threats are matched with existing vulnerabilities to further understand the risk.
true
Three IT security control types covered by the National Institute of Standards and Technology (NIST) are management, operational, and technical controls.
true
Time is another consideration dependent upon the objective. The depth and breadth of an audit usually determines the time frame required to meet the objectives.
true
Understanding control classifications provides auditors with a foundation to identify and assess critical controls.
true
When defining the scope, the auditor should consider the controls and processes across the seven domains of IT infrastructure. This includes relevant resources such as the following: • Data • Applications • Technology • Facilities • Personnel
true
Audits specific to IT processes may focus on governance and software development.
true
Due to recent legislation regarding the need to protect personally identifiable information, audits specific to privacy are more commonplace than before.
true
Information security policies are living documents.
true
Infrastructure audits are conducted for compliance.
true
Matrixes and other mechanisms are useful for qualitatively understanding risk.
true
Risk management needs to be a key part of organizations and any audit.
true
Scope and objective are closely related.
true
further documentation that may be needed for an audit
• Administrative documentation • System documentation • Procedural documentation • Network architecture diagrams • Vendor support access documents and agreements
enterprise risk management (ERM) components
• Aligning risk appetite and strategy • Enhancing risk response decisions • Reducing operational surprises and losses • Identifying and managing multiple and cross-enterprise risks • Seizing opportunities • Improving deployment of capital
information the auditor needs before performing an audit
• An understanding of the organization and what its business requirements and goals are • Knowledge of how the security program is currently in place • Industry best practices for the type of organization and systems
restrictions that an organization may place on an auditor
• Not providing enough resources • Limiting the time frame • Preventing the discovery of audit evidence • Restricting audit procedures • Withholding relevant historical records or information about past incidents
risk determination functions
• The likelihood of a threat to exploit a given vulnerability • The impact on the organization if that threat against the vulnerability is achieved • The sufficiency of controls to either eliminate or reduce the risk
