
The Audit of Information Systems

Management tool: monitoring and checking the ISMS; covers the information processed and stored in information systems (mandatory).

Computer system: a set of functionally interrelated elements, at least one of which processes information automatically; components: hardware, software, communications, users, organizational framework; part of the information system.

Standards

Types of standards: international; national; company-specific; industry-specific; IT; IT security; security.

Standards

General standard: ISO 19011:2003, guidelines for auditing quality and/or environmental management systems; reference standard: ISO/IEC 27001:2005, ISMS requirements (the criteria against which an ISMS is audited and certified); reference standard: ISO/IEC 17799:2005, code of practice for information security management (the control catalogue used as audit reference).

Definition: audit, from the Latin audire (auditum), to hear or listen; the term entered management practice through Anglo-Saxon accounting.

Definition

According to ISO 19011:2003: a systematic, independent and documented process, performed by qualified persons, that checks whether the arrangements satisfy previously set requirements, are effectively implemented and are capable of achieving the established objectives.

Definition according to ISO 9000:2001: audit evidence (quantitative, qualitative); audit criteria.

Definition: interconnected elements: audit; audit program; auditor; auditee; audit client.

Audit objectives: starting point for developing the management system (MS); MS compliance/non-compliance; MS effectiveness; MS improvement; prevention, correction and follow-up.

Audit types. Criterion: who performs the audit: internal (first party); external (second party, third party).

Audit types Criteria: audit objective: Determining the actual state; Accreditation; Certification.

Audit types Criteria: audit area: MS; Process; Product/service.

Audit types Criteria: audit standards: Consultancy audit; Compliance audit.

Audit principles according to ISO 19011:2003 (they make audit conclusions comparable): ethical conduct; fair presentation; due professional care; independence; evidence-based approach.

Auditors' abilities and knowledge: audit principles, procedures and techniques; the reference MS and its documents; organizational situations; laws, regulations and other requirements; leadership (audit team leaders).

Types of auditors Information systems; Software products; Data.

Auditors' evaluation: identifying the personal attributes, knowledge and skills; establishing the evaluation criteria (quantitative, qualitative); selecting the evaluation method; performing the evaluation.

Questioning techniques. Question types: open (Who? What? Where? Why? When? How?); closed (yes/no answers); leading (domination and manipulation: "Don't you think that...?", "Am I right that...?"); opinion ("What do you think about...?"); probing ("Did you take the steps for...?"); non-verbal.

Audit organizations: ISACA (Information Systems Audit and Control Association), which awards CISA (Certified Information Systems Auditor) and CISM (Certified Information Security Manager); IFAC (International Federation of Accountants); IIA (Institute of Internal Auditors).

Audit program 1. Objectives: extent of the program; responsibility for the program; necessary resources; procedures and other documents; program implementation; program records.

Audit program 2. Monitoring and analysis At the level of program implementation; Performance indicators.

Process flow for the audit program management (PDCA):

1. Establishing the audit program (PLAN): objectives and extent; responsibilities; resources; procedures.

2. Implementing the audit program (DO): scheduling the audits; evaluating the auditors; selecting the audit teams; directing the audit activities; maintaining the records. These activities ensure auditor competence and evaluation, and the performance of the audit activities.

3. Monitoring and reviewing the audit program (CHECK): monitoring and review; identifying the need for corrective and preventive actions; identifying improvement opportunities.

4. Improving the audit program (ACT): return to step 1 of the audit program management process.

Performing the audit. Audit steps according to ISO 19011:2003: 1. Initiating the audit; 2. Conducting the document review; 3. Preparing the on-site audit activities; 4. Conducting the on-site audit; 5. Preparing, approving and distributing the audit report; 6. Completing the audit; 7. Conducting the follow-up audit.

Performing the audit 1. Initiating the audit: appointing the audit team leader; defining audit objectives, scope and criteria; determining the feasibility of the audit.

Performing the audit 1. Initiating the audit (continued). Selecting the audit team: size; competence; technical experts may be included; auditors in training may be included; expertise in risk and risk management, security, business continuity, attack techniques.

Performing the audit 1. Initiating the audit (continued): initial contact with the auditee.

Performing the audit 2. Document review: the auditee's records and the relevant management system documents; previous audit reports.

Performing the audit 3. Preparing the on-site audit: developing the audit plan; assigning responsibilities within the team; preparing the working documents.

Performing the audit 4. Conducting the on-site audit: hold the opening meeting; communication during the audit; roles and responsibilities of guides and observers; collecting and verifying information; generating the audit findings; preparing the audit conclusions; hold the closing meeting.

Performing the audit 5. Preparing, approving and distributing the audit report: preparing the report; approving and distributing the report; the report must be complete, accurate, concise and clear; model audit report.

Performing the audit 6. Completing the audit: all activities in the audit plan carried out; audit report distributed; records retained or destroyed; document confidentiality.

Performing the audit 7. Follow-up: corrective, preventive or improvement actions; their effectiveness is verified through a subsequent audit; follow-up by the audit team adds value.

Information Security Management System (ISMS) internal audit SENTINET Security services platform; State of IT infrastructure; Traffic monitoring; Model of internal audit program.

ISMS internal audit. Software tools for testing the security of a bank information system: vulnerability scanners: Nessus, Microsoft Baseline Security Analyzer; network protocol analyzers: Wireshark; intrusion detection system: Snort; wireless sniffer: Kismet; web scanner: Nikto; e-mail server scanner: Microsoft Exchange Best Practices Analyzer; hierarchy of evaluation software tools; tools for interpreting questionnaire results: Microsoft Security Assessment Tool. Active scanners generate traffic and can disrupt fragile production systems, so they are run only within the agreed scope and time windows, with the auditee's authorization.

ISMS internal audit Evaluating the system configuration Evaluating the hardware system; Computer network at physical level; Software evaluation; Intrusion monitoring; Vulnerabilities scanning.

ISMS external audit with ISO/IEC 17799:2005 as reference: minimizing interference between the audited system and the auditors; the standard establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization; controls are selected on the basis of risk assessment; each control comprises: the control statement, implementation guidance, other information (legal framework, references to other standards).

ISMS external audit. Control clauses and number of security categories in ISO/IEC 17799:2005: security policy (1); organization of information security (2); asset management (2); human resources security (3); physical and environmental security (2); communications and operations management (10); access control (7); information systems acquisition, development and maintenance (6); information security incident management (2); business continuity management (1); compliance (3).

A. Security policy - 1 control category: 1. Information security policy: provides direction and support for information security in accordance with business requirements and relevant laws and regulations: a) Information security policy document: approved by management, published and communicated to all employees and relevant external parties; document content: - definition of information security, its importance and scope; - management's intent regarding security;

A. Security policy - 1 control category: 1. Information security policy: Document content (continued): - Framework for control objectives, controls carried out, risk assessment and management; - Explanation of security policies, principles, standards, compliance requirements; - General and specific responsibilities of information security management; - References to the policy support documents.

A. Security policy - 1 control category: 1. Information security policy: b) Review of the information security policy: performed at planned intervals or when significant changes occur. The review covers: opportunities for improvement; the approach to managing security in response to changes in the organizational environment.

A. Security policy - 1 control category: 1. Information security policy: review results: improved approach to managing the organization's security; improved control objectives and controls; improved allocation of resources and/or responsibilities.

B. Organization of information security 2 categories of controls: 1. Internal organization: managing information security within the organization, initiating and implementing information security controls: a) Management commitment to information security: support through clear direction, demonstrated commitment and acknowledgement of responsibilities. Management should: - ensure that security objectives are identified, meet organizational requirements and are integrated in its processes;

B. Organization of information security 2 categories of controls: 1. Internal organization: management should (continued): formulate, review and approve the security policy; review the effectiveness of policy implementation; provide clear direction and support for security initiatives; provide the necessary resources; approve the allocation of information security responsibilities; initiate security awareness plans and programs; coordinate the implementation of security controls.

B. Organization of information security 2 categories of controls: 1. Internal organization: b) Information security coordination: performed by representatives from different parts of the organization with relevant roles and responsibilities, in cooperation and collaboration with managers, users, administrators, application developers, auditors, security personnel and other specialists. The work involves: carrying out security activities in accordance with the security policy;

B. Organization of information security 2 categories of controls: 1. Internal organization: the work involves (continued): identifying how to handle non-conformities; approving security methodologies and processes; identifying changes in threats and in exposure to those threats; assessing the adequacy of controls and coordinating their implementation; promoting education, training and awareness; recommending appropriate actions for identified security incidents.

B. Organization of information security 2 categories of controls: 1. Internal organization: c) Allocation of information security responsibilities: clear definition of security responsibilities, in accordance with the security policy and supplemented with details specific to sites and processing facilities. Allocation includes: identifying and clearly defining the security processes associated with each system; linking each process to a responsible person and documenting that accountability; clearly defining and documenting authorization levels.

B. Organization of information security 2 categories of controls: 1. Internal organization: d) Authorization process for information processing facilities: defining and implementing a process for authorizing new processing facilities. Aspects of the authorization process: authorizing the facility (purpose, use); checking hardware and software compatibility with other system components; identifying and implementing controls for the new vulnerabilities introduced by using personal devices such as laptops and handhelds for business information processing.

B. Organization of information security 2 categories of controls: 1. Internal organization: e) Confidentiality agreements: identifying and periodically reviewing the requirements for confidentiality or non-disclosure agreements. Requirements to identify: definition of the information to be protected; duration of the agreement; actions required when the agreement is terminated; responsibilities and actions to prevent unauthorized disclosure;

B. Organization of information security 2 categories of controls: 1. Internal organization: confidentiality requirements (continued): ownership of information, trade secrets and intellectual property; permitted use of the confidential information and usage rights; the right to audit and monitor activities involving the information; notification and reporting of unauthorized disclosure or leakage; actions to be taken in case of breach of the agreement.

B. Organization of information security 2 categories of controls: 1. Internal organization: f) Contact with authorities: maintaining relationships with relevant authorities for the organization; specifying authorities (monitoring, intervention, etc.) and reporting security incidents without violating the laws;

B. Organization of information security 2 categories of controls: 1. Internal organization: g) Contact with special interest groups: appropriate contacts with specialist security forums, professional associations and security experts. The purpose of membership: improving knowledge of information security news; keeping the understanding of the security environment complete and current; receiving early warnings, advisories and patches on attacks and vulnerabilities; access to specialist information security advice;

B. Organization of information security 2 categories of controls: 1. Internal organization: The purpose of belonging to special groups: Share and distribute information about new technologies, products, threats and vulnerabilities; Making connection points on security incidents.

B. Organization of information security 2 categories of controls: 1. Internal organization: h) Independent evaluation of information security: made periodically or when significant changes occur in security implementation; the result is recorded and reported to the management that initiated the evaluation.

B. Organization of information security 2 categories of controls: 2. External parties: maintaining the security of the organization's information and processing facilities that are accessed, processed, communicated to or managed by third parties; controlling third-party access to the organization's information and facilities: a) Identification of risks related to external parties: identify the risks and implement appropriate controls before granting access;

B. Organization of information security 2 categories of controls: 2. Third parties: Identify risks associated to third parties: - Access of third parties to processing facilities; - Access type: physical (offices, computer centers etc.), logical (databases, IT systems etc.), network connection; - Information value and sensitivity; - Needed controls for protecting information which is not accessible to third parties; - The staff from third parties involved in information handling;

B. Organization of information security 2 categories of controls: 2. External parties: identify risks related to third parties (continued): - identifying the organization or the staff, verifying authorization, reconfirming access; - the means and controls the third party uses to store, process, communicate, share and modify information; - the impact of access being unavailable to the third party, and of inaccurate information being provided; - practices and procedures for handling security incidents and potential damage; - legal and regulatory requirements and contractual obligations; - how the agreements with third parties affect the interests of other involved parties.

B. Organization of information security 2 categories of controls: 2. External parties: b) Addressing security when dealing with customers: identify the security requirements before granting customers access to the organization's information and assets. Issues to consider: - asset protection: information, software, vulnerability management, data loss or modification, integrity, restrictions on sharing; - description of the product or service; - reasons, requirements and benefits of customer access;

B. Organization of information security 2 categories of controls: 2. Third parties: Issues to consider in customer approach (continued): - Access control policy: access methods, authorization process, unauthorized access is prohibited, revocation of access rights and closing the connection; - Reporting, notification, investigation of inadequate information, security incidents, security breaches; - Description of each service; - Responsibilities under the law; - Intellectual property rights, copyright, etc.

B. Organization of information security 2 categories of controls: 2. External parties: c) Addressing security in third-party agreements: access to, processing, communication or management of the organization's information and facilities, or adding products or services to the processing facilities. The agreement must cover: the security policy; the controls protecting assets: information, software, hardware, physical protection, malicious software, asset compromise, asset destruction, confidentiality, integrity, availability, restrictions on disclosing information;

B. Organization of information security 2 categories of controls: 2. Third parties: The agreement must consider (continued): - User and administrator training in methods, procedures, security; - User awareness for security responsibilities; - Provisions for transfer of personnel; - Responsibilities regarding hardware and software installation and maintenance; - Clear reporting structure and agreed reporting formats; - Clear change management process; - Access control policy;

B. Organization of information security 2 categories of controls: 2. External parties: the agreement must cover (continued): - arrangements for reporting, notification and investigation of security incidents and breaches; - description of the product or service; - defining, monitoring and reporting performance criteria; - the right to monitor, and to revoke, activities related to the organization's assets; - conditions for renegotiation and termination of the agreement.

C. Asset management 2 categories of controls: 1. Responsibility for assets: achieving and maintaining appropriate protection of assets, inventorying them and specifying their owner: a) Inventory of assets: identification and maintenance of the asset inventory; b) Ownership of assets: designating an owner within the organization for information and processing facilities; c) Acceptable use of assets: establishing, documenting and implementing rules for the use of assets (information and processing facilities).

C. Asset management 2 categories of controls: 2. Information classification: ensuring an appropriate level of protection; classification determines the need for, priority of and degree of protection when handling information: a) Classification guidelines: how to classify information according to its value, legal requirements, sensitivity and criticality for the organization; b) Information labeling and handling: labeling and handling procedures in accordance with the classification scheme.

D. Human resources security 3 categories of controls: 1. Prior to employment: ensure that employees, contractors and third-party users understand their responsibilities, to reduce the risk of theft, fraud and misuse of facilities: a) Roles and responsibilities: defined and documented in accordance with the security policy; b) Screening: background checks on candidates, contractors and third-party users in accordance with laws, regulations and ethics, proportionate to business requirements, the classification of the information to be accessed and the perceived risks;

D. Human resources security 3 categories of controls: 1. Prior to employment: c) Terms and conditions of employment: agreeing the terms and signing them as part of the contract; stating the information security responsibilities of the signatories (organization, employee).

D. Human Resources Security 3 categories of controls: 2. During employment: awareness of threat and concerns, responsibilities and obligations, training to support security policy during the performance of work tasks: a) Management responsibilities: management requirements for employees, contractors, third parties of applying the security policies and procedures; b) Information security awareness, education, training: training of employees, contractors, third parties on organizational policies and procedures;

D. Human resources security 3 categories of controls: 2. During employment: c) Disciplinary process: a formal disciplinary process for employees who have committed a security breach.

D. Human resources security 3 categories of controls: 3. Termination or change of employment: an orderly way to leave the organization, requiring the return of equipment and the removal of access: a) Termination responsibilities: defined and assigned; b) Return of assets: required on termination of employment, contract or agreement; c) Removal of access rights: access removed on termination, adjusted on change of role.

E. Physical and environmental security 2 categories of controls: 1. Secure areas: preventing unauthorized physical access to, damage to and interference with the organization's premises and information; security perimeters defined by barriers and entry controls: a) Physical security perimeter: walls, card-controlled entry gates, manned reception desk; b) Physical entry controls: appropriate entry controls so that only authorized personnel are allowed access;

E. Physical and environmental security 2 categories of controls: 1. Secure areas: c) Securing offices, rooms and facilities: physical security designed and applied; d) Protecting against external and environmental threats: protection against damage from fire, flood, earthquake, explosion, civil unrest and other natural or man-made disasters;

E. Physical and environmental security 2 categories of controls: 1. Secure areas: e) Working in secure areas: physical protection and guidelines for working in secure areas; f) Public access, delivery and loading areas: controlling these areas (unauthorized persons may enter them) and isolating them from processing facilities to avoid unauthorized access.

E. Physical and environmental security 2 categories of controls: 2. Equipment security: preventing loss, damage, theft or compromise of the organization's assets and interruption of its activities; equipment protected from physical and environmental threats: a) Equipment siting and protection: sited to reduce the risks from environmental threats and the opportunities for unauthorized access; b) Supporting utilities: protection from power failures and other disruptions caused by failures in supporting utilities;

E. Physical and environmental security 2 categories of controls: 2. Equipment security: c) Cabling security: power and telecommunications cabling protected from interception or damage; d) Equipment maintenance: continued availability and integrity ensured through correct maintenance; e) Security of equipment off-premises: risks of working outside the organization's premises;

E. Physical and environmental security 2 categories of controls: 2. Equipment security: f) Secure disposal or re-use of equipment: verify that data and licensed software have been removed or securely overwritten on equipment containing storage media; g) Removal of property: prior authorization before equipment, information or software is taken off-site.

F. Communications and operations management 10 control categories: 1. Operational procedures and responsibilities: correct and safe operation of processing facilities, development of appropriate operating procedures: a) Documented operating procedures: documentation, maintenance and availability for users of the operating procedures; b) Change management: control changes on facilities and systems;

F. Communications and operations management 10 control categories: 1. Operational procedures and responsibilities: c) Segregation of duties: duties and areas of responsibility separated to reduce the risk of unauthorized or unintentional modification or misuse of assets (information, facilities); d) Separation of development, test and operational facilities: reducing the risk of unauthorized access to or changes in the operational system.

F. Communications and operations management 10 control categories: 2. Third-party service delivery management: implementing and maintaining the appropriate level of security; verifying the implementation of agreements, monitoring compliance with them, managing changes: a) Service delivery: security controls, service definitions and delivery levels included in the agreement are implemented, operated and maintained; b) Monitoring and review of third-party services: services, reports and records monitored and reviewed, audits conducted regularly;

F. Communications and operations management 10 control categories: 2. Third-party service delivery management: c) Managing changes to third-party services: managing changes in service provision, including maintaining and improving the security policies, procedures and controls.

F. Communications and operations management 10 control categories: 3. System planning and acceptance: minimizing risks of failure of the system; forecasts of future capacity requirements to prevent overloading: a) Capacity management: ensuring system performance by monitoring, adapting and future projections of capacity requirements; b) System acceptance: establishing acceptance criteria for new systems, upgrades, new versions and performing tests during system development and prior to its acceptance.

F. Communications and operations management 10 control categories: 4. Protection against malicious and mobile code: protecting the integrity of software and information; precautions to prevent and detect the introduction of malicious code or unauthorized mobile code: a) Controls against malicious code: detection, prevention and recovery controls; user awareness procedures; b) Controls against mobile code: mobile code operates according to the security policy; execution of unauthorized mobile code is prevented.

F. Communications and operations management 10 control categories: 5. Back-Up: maintaining the integrity and availability of information and processing facilities: a) Information back-Up: copies of information and software made and tested regularly according to the back-up policy.

F. Communications and operations management 10 control categories: 6. Management of network security: protection of information in networks and infrastructure: a) Computer network controls: adequate management and control of the network, providing systems security, applications and information in transit; b) Network security services: identification and inclusion of security features, service levels and management requirements in network services agreement.

F. Communications and operations management 10 control categories: 7. Media handling: preventing unauthorized disclosure, modification, removal or destruction of assets and interruption of activities; physical control and protection of media: a) Management of removable media: procedures exist; b) Disposal of media: procedures for secure disposal; c) Information handling procedures: procedures to prevent unauthorized disclosure or misuse;

F. Communications and operations management 10 control categories: 7. Handling the media: d) System documentation security: protection against unauthorized access.

F. Communications and operations management 10 control categories: 8. Exchange of information: ensuring the security of information and software exchanged within the organization and with external entities; exchange policy consistent with the exchange agreements and the legislation in force: a) Information exchange policies and procedures: protection of information exchanged through all types of communication facilities; b) Exchange agreements: framework for exchanging information and software between the organization and external parties;

F. Communications and operations management 10 control categories: 8. Exchange of information: c) Media in transit: protection of media during transport outside the organization; d) Electronic messages: protecting information in electronic messaging; e) Business information systems: policies and procedures to protect information on interconnection between IT systems.

F. Communications and operations management 10 control categories: 9. Electronic commerce services: ensuring the security of e-commerce services and their secure use: a) Electronic commerce: information passing over public networks protected from fraudulent activity, unauthorized disclosure and unauthorized modification; b) On-line transactions: information protected against incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure and unauthorized duplication or replay;

F. Communications and operations management 10 control categories: 9. E-commerce services: c) Public information: prevent unauthorized modification to ensure information integrity.

F. Communications and operations management 10 control categories: 10. Monitoring: detecting unauthorized processing activities; monitoring systems and recording security events: a) Audit logging: recording user activities, exceptions and security events, retained for future investigation and access control monitoring; b) Monitoring system use: procedures for monitoring use and regular review of the results;

F. Communications and operations management 10 control categories: 10. Monitoring: c) Protection of log information: logging facilities and log information protected against tampering and unauthorized access; d) Administrator and operator logs: system administrator and operator activities logged; e) Fault logging: faults logged and analyzed; f) Clock synchronization: clocks of all relevant processing systems synchronized with an agreed accurate time source.
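Controls 10a, 10c and 10f above name three things an auditor checks in a logging setup: that security events are recorded and reviewed, that the log cannot be altered without detection, and that clocks agree. The following is an added example, not from the slides or any product they mention, showing how those three checks look in code: a hash-chained log whose per-record HMAC covers the previous record, a failed-logon burst detector, and a clock-skew check. The signing key, the event format, the thresholds and the sample events are all constructed assumptions.

```python
"""Tamper-evident audit log plus two monitoring checks over constructed sample events."""
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in arrival order (no real system); timestamps are UTC.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:01Z", "host": "app01", "user": "alice", "event": "logon", "result": "success"},
    {"ts": "2024-03-01T08:02:10Z", "host": "app01", "user": "bob", "event": "logon", "result": "failure"},
    {"ts": "2024-03-01T08:02:14Z", "host": "app01", "user": "bob", "event": "logon", "result": "failure"},
    {"ts": "2024-03-01T08:02:19Z", "host": "app01", "user": "bob", "event": "logon", "result": "failure"},
    {"ts": "2024-03-01T08:02:25Z", "host": "app01", "user": "bob", "event": "logon", "result": "failure"},
    {"ts": "2024-03-01T08:02:31Z", "host": "app01", "user": "bob", "event": "logon", "result": "failure"},
    {"ts": "2024-03-01T08:03:00Z", "host": "app01", "user": "root", "event": "privilege_use", "result": "success"},
    {"ts": "2024-03-01T07:58:00Z", "host": "db01", "user": "carol", "event": "logon", "result": "success"},
]

# Assumption: this key exists only on the log collector, so the hosts producing events cannot forge MACs.
SIGNING_KEY = b"demo-key-held-only-by-the-log-collector"
GENESIS = "0" * 64


def _mac(prev_mac, event, key):
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_mac + payload).encode(), hashlib.sha256).hexdigest()


def append_record(chain, event, key=SIGNING_KEY):
    """Append a copy of event; its MAC also covers the previous record's MAC (hash chain)."""
    prev = chain[-1]["mac"] if chain else GENESIS
    record = {"seq": len(chain), "prev": prev, "event": dict(event)}
    record["mac"] = _mac(prev, record["event"], key)
    chain.append(record)
    return chain


def build_chain(events, key=SIGNING_KEY):
    chain = []
    for e in events:
        append_record(chain, e, key)
    return chain


def verify_chain(chain, key=SIGNING_KEY):
    """Return -1 if intact, else the index of the first modified, inserted or missing link (control 10c)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], _mac(prev, rec["event"], key)):
            return i
        prev = rec["mac"]
    return -1


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_failed_logon_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Users with at least `threshold` failed logons inside one sliding `window` (control 10a review)."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "logon" and e["result"] == "failure":
            by_user[e["user"]].append(_parse_ts(e["ts"]))
    flagged = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


def detect_clock_skew(events, tolerance=timedelta(seconds=30)):
    """Hosts whose event is stamped earlier than the latest time already seen, by more than `tolerance` (control 10f)."""
    latest = None
    skewed = set()
    for e in events:  # arrival order: a later arrival with a much earlier stamp means an unsynchronized clock
        t = _parse_ts(e["ts"])
        if latest is not None and latest - t > tolerance:
            skewed.add(e["host"])
        latest = t if latest is None else max(latest, t)
    return sorted(skewed)


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("chain intact:", verify_chain(chain) == -1)
    chain[1]["event"]["result"] = "success"  # someone edits the log to hide a failed logon
    print("first bad record after tampering:", verify_chain(chain))
    print("failed-logon bursts:", detect_failed_logon_bursts(SAMPLE_EVENTS))
    print("hosts with clock skew:", detect_clock_skew(SAMPLE_EVENTS))
```

The chain detects modification, deletion and insertion of records, but only if the verifier holds a key the log producers do not; an attacker with the key can rewrite history. For the audit this means checking where the key is held, not only that the chain verifies.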

G. Access control 7 control categories: 1. The business requirements for access control: information access control, based on the business and security requirements: a) Access control policy: established, documented and evaluated based on business and security access requirements.

G. Access control 7 control categories: 2. User access management: ensuring authorized user access and preventing unauthorized access; formal procedures to control the allocation of access rights: a) User registration: formal registration and de-registration procedure for granting and revoking access; b) Privilege management: allocation and use of privileges restricted and controlled; c) User password management: allocation of passwords controlled through a formal process; d) Review of user access rights: formal review at regular intervals.
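Control 2d requires a formal review of access rights at regular intervals, and 2b requires knowing who holds privileges. The following is an added example, not from the slides, of how such a review is mechanized: accounts exported from the system are reconciled against the HR roster and against a role-to-entitlement matrix derived from the access control policy, producing the four classic findings (orphaned accounts, leavers still enabled, privileges beyond the role, dormant accounts) plus a privilege holder list. The roster, the role matrix, the account export and the choice of which entitlements count as privileged are constructed assumptions.

```python
"""Periodic user access review over constructed inputs (controls 2b and 2d)."""
from datetime import date

# Constructed data (not exported from any real directory or HR system).
HR_ROSTER = {  # user id -> (department, employment status)
    "alice": ("payments", "active"),
    "bob": ("payments", "active"),
    "carol": ("it-ops", "active"),
    "dave": ("it-ops", "terminated"),
}
# Assumption: the access control policy states the entitlements each department may hold.
ROLE_MATRIX = {
    "payments": {"core-banking:read", "core-banking:post"},
    "it-ops": {"core-banking:read", "server:admin"},
}
ACCOUNTS = [  # one record per enabled account on the system under review
    {"user": "alice", "entitlements": {"core-banking:read", "core-banking:post"}, "last_logon": date(2024, 2, 27)},
    {"user": "bob", "entitlements": {"core-banking:read", "core-banking:post", "server:admin"}, "last_logon": date(2024, 2, 28)},
    {"user": "carol", "entitlements": {"core-banking:read", "server:admin"}, "last_logon": date(2023, 10, 1)},
    {"user": "dave", "entitlements": {"server:admin"}, "last_logon": date(2024, 1, 15)},
    {"user": "svc_backup", "entitlements": {"server:admin"}, "last_logon": date(2024, 2, 28)},
]
PRIVILEGED = {"server:admin", "core-banking:post"}  # assumption: what this organization treats as privileged


def review_access(accounts, roster, role_matrix, today, dormant_days=90):
    """Return findings by type, each a list of (user, detail); all lists empty means a clean review."""
    findings = {"orphaned": [], "terminated": [], "excess_privilege": [], "dormant": []}
    for acc in accounts:
        user = acc["user"]
        if user not in roster:  # nobody in HR owns this account
            findings["orphaned"].append((user, sorted(acc["entitlements"])))
            continue
        dept, status = roster[user]
        if status != "active":  # leaver whose access was never removed (control 3c of section D)
            findings["terminated"].append((user, status))
            continue
        excess = acc["entitlements"] - role_matrix.get(dept, set())
        if excess:  # holds more than the role allows
            findings["excess_privilege"].append((user, sorted(excess)))
        idle = (today - acc["last_logon"]).days
        if idle > dormant_days:  # enabled but unused; a candidate for disabling
            findings["dormant"].append((user, idle))
    return findings


def privileged_holders(accounts, privileged=PRIVILEGED):
    """Map each privileged entitlement to the sorted list of users holding it (control 2b review)."""
    holders = {p: [] for p in sorted(privileged)}
    for acc in accounts:
        for p in acc["entitlements"] & privileged:
            holders[p].append(acc["user"])
    return {p: sorted(users) for p, users in holders.items()}


if __name__ == "__main__":
    for kind, items in review_access(ACCOUNTS, HR_ROSTER, ROLE_MATRIX, date(2024, 3, 1)).items():
        print(f"{kind:17s} {items}")
    print(privileged_holders(ACCOUNTS))
```

The review is only as good as its inputs: the account export must come from the system itself, not from a request log, and the roster must include terminated staff, otherwise leavers look like orphans and lose their department context.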

G. Access control 7 control categories: 3. User responsibilities: preventing unauthorized user access and the compromise or theft of information and processing facilities; requires the cooperation of authorized users: a) Password use: good practice in selecting and using passwords; b) Unattended user equipment: appropriate protection ensured; c) Clear desk and clear screen policy: no papers or removable storage media left out, screens cleared when unattended.

G. Access control 7 control categories: 4. Network access control: intrusion prevention; control access to internal and external network services; users should not compromise the network services: a) Policy for using the network services: user access to the network services for which is authorized; b) User authentication for external connections: authentication methods for access control of remote users;

G. Access control 7 control categories: 4. Network access control: c) Equipment identification in networks: automatic equipment identification as a means of authenticating connections from specific locations and equipment; d) Remote diagnostic and configuration port protection: physical and logical access control for diagnostic and configuration ports; e) Segregation in networks: groups of information services, users and information systems segregated on networks;

G. Access control 7 control categories: 4. Network access control: f) Network connection control: the ability of users to connect to shared networks, especially those extending across organizational boundaries, restricted in line with the access control policy; g) Network routing control: routing controls ensure that computer connections and information flows do not breach the access control policy.

G. Access control 7 control categories: 5. Operating system access control: prevent unauthorized access to operating systems; restrict access to authorized users through the security facilities of the operating system: a) Secure log-on procedure: access to operating systems controlled by a secure log-on procedure; b) User identification and authentication: every user has a unique identifier (user ID) for personal use only, and a suitable authentication technique substantiates the claimed identity;

G. Access control 7 control categories: 5. Operating system access control: c) Password management system: interactive, ensures quality passwords; d) Use of system utilities: the use of utility programs that might be capable of overriding system and application controls restricted and tightly controlled; e) Session time-out: inactive sessions shut down after a defined period of inactivity; f) Limitation of connection time: restrictions on connection times provide additional security for high-risk applications.

G. Access control 7 control categories: 6. Application and information access control: prevent unauthorized access to information held in application systems; restrict access to, and within, the application systems: a) Information access restriction: access by users and support personnel restricted in accordance with the access control policy; b) Sensitive system isolation: sensitive systems have a dedicated (isolated) computing environment.

G. Access control 7 control categories: 7. Mobile computing and teleworking: ensure information security when using mobile computing and teleworking facilities: a) Mobile computing and communications: a formal policy and appropriate security measures against the risks of using mobile computing and communication facilities;

G. Access control 7 control categories: 7. Mobile computing and teleworking: a) Mobile computing and communications: implementation: specify risks and rules: unprotected work environments; physical protection against loss or theft of media; access controls against unauthorized persons; cryptographic techniques; easy and fast back-up; antivirus protection; connection to the network from public spaces;

G. Access control 7 control categories: 7. Mobile computing and teleworking: a) Mobile computing and communications: Specify risks and rules (continued):
use of cryptographic techniques outside the organization; procedures against malicious software; identification and authentication for access from public networks; physical protection of equipment left in remote areas, or continuous surveillance; training sessions for staff who use mobile devices.

G. Access control 7 control categories: 7. Mobile computing and teleworking: a) Mobile computing and communications: Specify risks and rules (continued):
Wireless network features: security protocols insufficiently developed, with weaknesses; poor back-up (insufficient bandwidth; devices not connected when the back-up procedure is launched).

G. Access control 7 control categories: 7. Mobile computing and teleworking: b) Teleworking: policy, operational plans and procedures for teleworking activities.

H. Acquisition, development and maintenance of the information system 6 control categories: 1. The information system security requirements: security approached at the level of the whole system: operating systems, infrastructure, applications, products, services etc.: a) Security requirements analysis and specification: specification for new systems or enhancements to existing ones.

H. Acquisition, development and maintenance of the information system 6 control categories: 2. Correct processing in applications: prevent errors, loss, unauthorized modification or misuse of information in applications: a) Input data validation: data input to applications validated to ensure it is correct and appropriate; b) Control of internal processing: validation checks to detect corruption of information through processing errors or deliberate acts; c) Message integrity: requirements for ensuring authenticity and protecting message integrity identified, and appropriate controls implemented; d) Output data validation: output validated to ensure that the processing of stored information is correct and appropriate.
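An added example (not from the page, nor from any particular product) of controls a) and c) together, in Python: a receiver first checks an HMAC-SHA256 tag over the canonical form of a transfer message, then validates the input fields against business rules before processing. The message format, account-number pattern, amount limit and key are all constructed for the example; a real deployment obtains the key from the key management process and never hard-codes it.

```python
import hashlib
import hmac
import json
import re

# Placeholder key for the example; a real deployment would obtain it from the key
# management process, never hard-code it.
DEMO_KEY = b"constructed-demo-key-not-for-production"

ACCOUNT_PATTERN = re.compile(r"^[A-Z]{2}\d{10}$")  # constructed account-number format
MAX_AMOUNT = 1_000_000  # in minor currency units; constructed business limit


def validate_transfer(record: dict) -> list:
    """Input validation (control a): return a list of problems; empty list = acceptable."""
    problems = []
    amount = record.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, int) or not 0 < amount <= MAX_AMOUNT:
        problems.append("amount must be an integer between 1 and %d" % MAX_AMOUNT)
    for field in ("from", "to"):
        value = record.get(field)
        if not isinstance(value, str) or not ACCOUNT_PATTERN.match(value):
            problems.append("%s must match %s" % (field, ACCOUNT_PATTERN.pattern))
    if not problems and record["from"] == record["to"]:
        problems.append("from and to must differ")
    unexpected = set(record) - {"amount", "from", "to"}
    if unexpected:
        problems.append("unexpected fields: %s" % ", ".join(sorted(unexpected)))
    return problems


def canonical(record: dict) -> bytes:
    """Deterministic serialization so sender and receiver authenticate the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = DEMO_KEY) -> str:
    """Message integrity (control c): HMAC-SHA256 tag over the canonical record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def tag_is_valid(record: dict, tag: str, key: bytes = DEMO_KEY) -> bool:
    """Constant-time comparison, so timing does not leak how many tag bytes matched."""
    return hmac.compare_digest(seal(record, key), tag)


def process_transfer(record: dict, tag: str, key: bytes = DEMO_KEY) -> dict:
    """Receiver side: check integrity first, then validate, then process."""
    if not tag_is_valid(record, tag, key):
        return {"ok": False, "reason": "integrity check failed"}
    problems = validate_transfer(record)
    if problems:
        return {"ok": False, "reason": "; ".join(problems)}
    return {"ok": True, "amount": record["amount"], "from": record["from"], "to": record["to"]}
```

The order matters: the integrity check runs before any parsing of business content, so a message altered in transit is rejected without the validator ever having to reason about it, and the validator rejects whole categories (booleans masquerading as integers, extra fields) rather than only the obviously bad values.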

H. Acquisition, development and maintenance of the information system 6 control categories: 3. Cryptographic controls: protect the confidentiality, authenticity and integrity of information by cryptographic means; a policy and key management in place to support the use of cryptographic techniques: a) Policy on the use of cryptographic controls: developed and implemented; b) Key management: in place to support the organization's use of cryptographic techniques.

H. Acquisition, development and maintenance of the information system 6 control categories: 4. Security of system files: control access to system files and program source code: a) Control of operational software: procedures to control the installation of software on operational systems; b) Protection of system test data: test data selected carefully, protected and controlled; c) Access control to program source code: access to program source code restricted.

H. Acquisition, development and maintenance of the information system 6 control categories: 5. Security in development and support processes: maintain the security of application system software and information; project and support environments strictly controlled: a) Change control procedures: implementation of changes controlled by formal change control procedures; b) Technical review of applications after operating system changes: applications reviewed and tested to ensure there is no adverse impact on organizational operations or security;

H. Acquisition, development and maintenance of the information system 6 control categories: 5. Security in development and support processes: c) Restrictions on changes to software packages: modifications discouraged, limited to necessary changes, strictly controlled; d) Information leakage: opportunities for information leakage prevented; e) Outsourced software development: supervised and monitored by the organization.

H. Acquisition, development and maintenance of the information system 6 control categories: 6. Technical vulnerability management: reduce the risks resulting from exploitation of published technical vulnerabilities: a) Control of technical vulnerabilities: information about technical vulnerabilities obtained, the organization's exposure evaluated, appropriate measures taken to reduce the associated risk.

I. Information security incident management 2 categories of controls: 1. Reporting information security events and weaknesses: event reporting and escalation procedures: a) Reporting information security events: reported through appropriate management channels; b) Reporting security weaknesses: by employees, contractors and third party users.

I. Information security incident management 2 categories of controls: 2. Management of information security incidents and improvements: responsibilities and procedures in place for handling security events; a continuous improvement process for monitoring, evaluating and managing security incidents: a) Responsibilities and procedures: quick, effective and orderly response to information security incidents;

I. Information security incident management 2 categories of controls: 2. Management of information security incidents and improvements: b) Learning from information security incidents: mechanisms to quantify and monitor security incidents; c) Collection of evidence: evidence collected and retained to support legal action after the incident, in conformity with the law.

J. Business process continuity management 1 category of controls: 1. Information security aspects of business continuity management: counteract interruptions to business activities, protect critical business processes from the effects of major failures of information systems or disasters, and ensure their resumption in the shortest time: a) Including information security in the business continuity management process: a managed business continuity process developed and maintained that addresses the information security requirements;

J. Business process continuity management 1 category of controls: 1. Information security aspects of business continuity management: b) Business continuity and risk assessment: events that can cause interruptions to business processes identified, along with the probability and impact of such interruptions; c) Developing and implementing continuity plans including information security: plans to maintain or restore operations and ensure the availability of information at the required level and in the required time after an interruption;

J. Business process continuity management 1 category of controls: 1. Information security aspects of business continuity management: d) Business continuity planning framework: a single framework maintained so that all plans are consistent and priorities for testing and maintenance are identified; e) Testing, maintaining and re-assessing business continuity plans: tested and updated regularly to ensure that they are up to date and effective.

K. Compliance 3 control categories: 1. Compliance with legal requirements: advice on legal requirements; legislative requirements: a) Identification of applicable legislation: explicitly defined, documented and kept up to date for each information system; b) Intellectual property rights: appropriate procedures ensuring compliance with legislation; c) Protection of organizational records: protected from loss, destruction and falsification, in accordance with legislation;

K. Compliance 3 control categories: 1. Compliance with legal requirements: d) Data protection and privacy of personal information: ensured as required by law and other agreements; e) Prevention of misuse of information processing facilities: users deterred from using processing facilities for unauthorized purposes; f) Regulation of cryptographic controls: used in compliance with the relevant laws and regulations.

K. Compliance 3 control categories: 2. Compliance with security policies and standards, and technical compliance: ensure compliance of systems with organizational security policies and standards; regular review of information systems security: a) Compliance with security policies and standards: security procedures within each area of responsibility carried out according to the security policies and standards; b) Technical compliance checking: information systems regularly checked for compliance with security implementation standards.
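An added example of technical compliance checking (control b) above) applied to the operating system access control settings of section G.5 (password quality and ageing, session time-out, failed log-on limit, unique user identifiers). The script, which is not from the page or from any standard, parses a login.defs-style settings file and a passwd-style account table and reports every deviation from a baseline; the baseline limits, the settings, the account table and the shared-account naming convention are all constructed for the example.

```python
import re
from collections import defaultdict

# Baseline assumed for the example (not from the page): parameter -> (rule, limit).
BASELINE = {
    "PASS_MIN_LEN": ("min", 12),    # password quality (G.5 c)
    "PASS_MAX_DAYS": ("max", 90),   # password ageing (G.5 c)
    "TMOUT": ("max", 900),          # session time-out in seconds (G.5 e)
    "LOGIN_RETRIES": ("max", 5),    # failed log-on attempts before lock-out (G.5 a)
}

# Constructed login.defs-style settings as found on the audited host.
SAMPLE_SETTINGS = """\
# constructed sample, not a real host
PASS_MIN_LEN 8
PASS_MAX_DAYS 99999
TMOUT 900
LOGIN_RETRIES 5
"""

# Constructed /etc/passwd-style table; each user must have a unique identifier (G.5 b).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
shared:x:1002:1002:shared team login:/home/shared:/bin/bash
"""

# Account names that indicate a non-personal (shared) identifier; constructed naming convention.
SHARED_NAME_PATTERN = re.compile(r"^(shared|team|guest)")


def parse_settings(text: str) -> dict:
    """Parse 'KEY VALUE' lines, ignoring blanks and comments; the last occurrence wins."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def check_settings(settings: dict, baseline: dict) -> list:
    """Compare each baseline parameter with the host value; return (parameter, detail) findings."""
    findings = []
    for key, (rule, limit) in baseline.items():
        if key not in settings:
            findings.append((key, "not set (baseline %s %d)" % (rule, limit)))
            continue
        try:
            value = int(settings[key])
        except ValueError:
            findings.append((key, "non-numeric value %r" % settings[key]))
            continue
        if rule == "min" and value < limit:
            findings.append((key, "%d is below the minimum of %d" % (value, limit)))
        elif rule == "max" and value > limit:
            findings.append((key, "%d exceeds the maximum of %d" % (value, limit)))
    return findings


def check_accounts(passwd_text: str) -> list:
    """Flag duplicate UIDs and shared (non-personal) login names."""
    findings = []
    by_uid = defaultdict(list)
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, uid = fields[0], fields[2]
        by_uid[uid].append(name)
        if SHARED_NAME_PATTERN.match(name):
            findings.append(("SHARED_ACCOUNT", "%s is not a personal identifier" % name))
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append(("DUPLICATE_UID", "uid %s shared by %s" % (uid, ", ".join(sorted(names)))))
    return findings


def run_compliance_check(settings_text=SAMPLE_SETTINGS, passwd_text=SAMPLE_PASSWD, baseline=BASELINE) -> list:
    """Return all findings sorted; an empty list means the host meets the baseline."""
    return sorted(check_settings(parse_settings(settings_text), baseline) + check_accounts(passwd_text))
```

Run periodically and diffed against the previous result, the output is the evidence that control b) asks for: a dated record of which settings drifted from the standard and when.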

K. Compliance 3 control categories: 3. Information systems audit considerations: maximize the effectiveness of, and minimize interference with, the information systems audit process: a) Information systems audit controls: audit requirements and activities involving checks on operational systems carefully planned and agreed to minimize the risk of disruption to business processes; b) Protection of information systems audit tools: access to audit tools protected to prevent their misuse or compromise.

ISACA structure of the CISA examination handbook: 1. IS audit process; 2. IS management, organization and planning; 3. technical infrastructure and operational practices; 4. information capital protection; 5. disaster recovery and business continuity; 6. development, acquisition, implementation and maintenance of business applications systems; 7. assessment of business processes and risk management.

IS audit process 10%, 20 questions: development and/or implementation of a risk-based audit strategy and objectives; planning of audits; obtaining sufficient, appropriate, reliable, relevant and useful audit proof; analysis of the information collected; examination of the business; communication of results; facilitating and monitoring risk management and control practices.

IS audit process: IS audit standards: audit charter: documents responsibility and authority; independence: professional and organizational; professional ethics and standards; competence: knowledge, skills, continuous education; audit planning; audit performance; reporting: content, form; follow-up activities.

IS management, planning and organization 11%, 22 questions: IS strategy evaluation; evaluation of IS policies, standards and procedures; evaluation of IS management practices; evaluation of IS structure and organization; evaluation of the selection and management of external IS services.

IS management, planning and organization: Employee handbook (section: personnel management); explanatory content regarding: a. security policies and procedures; b. expectations of the organization; c. employee benefits; d. policy on vacations and holidays; e. rules on working overtime; f. employment outside the organization; g. employee performance evaluations; h. emergency procedures; i. disciplinary actions: unauthorized absence, breach of confidentiality and/or security, non-compliance with organizational policies.

Technical infrastructure and operational practices 13%, 26 questions: assessment of hardware acquisition, installation and maintenance; assessment of the development/acquisition, implementation and maintenance of system software and utilities; assessment of the acquisition, installation and maintenance of network infrastructure; assessment of operational practices: effectiveness of the use of technical resources; evaluation of system performance.

Technical infrastructure and operational practices: Hardware acquisition: selection criteria for supplier proposals: service response time; system response time to user requests; time needed to log into the system or connect to the network; system throughput per unit of time (e.g. instructions per second); volume of work done in one unit of time; portability of applications to new systems; concurrent access management (network requests, user data processing); availability vs. system failures.

Information capital protection 25%, 50 questions: importance of information security management; logical access vulnerabilities and controls; network infrastructure security; auditing information security management; auditing network infrastructure security; environmental vulnerabilities and controls; physical access vulnerabilities and controls.

Information capital protection: Implementation strategies for antivirus software (section: viruses; control and prevention of virus spreading); server/workstation level: a. scheduled scans; b. scans on request; c. continuous scans;

Information capital protection: Organizational network level: antivirus software as part of the firewall technologies in use: a. SMTP protection: SMTP traffic scanned in conjunction with the e-mail server; b. HTTP protection: viruses downloaded through ActiveX and Java; c. FTP protection: downloaded infected files;

Antivirus software characteristics: a. reliability and quality in detecting viruses; b. memory residence: continuous checking; c. effectiveness: does not affect speed and resource access.

Disaster recovery and business process continuity 10%, 20 questions: proper evaluation of back-up to ensure a rapid return to the state prior to the disaster; assessment of the organization's ability to provide a replacement for the primary information system (during failure of the primary system); assessment of the organization's ability to provide information processing and business process continuity.

Disaster recovery and business process continuity: Disasters and disruption events: natural disasters; interruption of public utilities; man-made: terrorist attacks, hackers, viruses, fraud, theft, sabotage; accidental: deletion of files, system crashes, fires, etc.

Motivation for the attack: technical challenge; prestige; obsession with hacking; momentary impulse; financial gain; envy, revenge, resentment against the manager, jealousy, etc.

Business continuity process planning: short-term (ST) and long-term (LT) strategy based on the most pessimistic scenarios; ST: alternative processing facilities; LT: a new, permanent facility as an alternative.

Life cycle phases of business continuity process planning: impact analysis on business processes; classification of operations and analysis of their criticality; development of a business continuity plan and disaster recovery procedures; staff training and awareness; testing and implementing the plan; monitoring.

Development, acquisition, implementation and maintenance of business application systems 16%, 32 questions: assessment of the development and implementation processes; assessment of the acquisition and implementation processes; assessment of the maintenance processes.

Development, acquisition, implementation and maintenance of business application systems: Detailed design and development (section: audit of system development, acquisition and maintenance); the auditor performs:
a. examination of the system flow for accordance with the system design, and check of the approvals for modifications made; b. examination of the designed input, processing and output; c. interviews with key users to check understanding of the system; d. assessment of audit traceability and accountability; e. check of the integrity of processing and key processes; f. check of the system's capability to identify and process erroneous data; g. examination of quality assurance for the results obtained; h. verification of the correction of programming errors.

Evaluation of business processes and risk management 15%, 30 questions: evaluating the efficiency and effectiveness of the IS; assessing the design and implementation of automated and manual controls; evaluation of projects to change business processes; assessing the implementation of risk management and risk governance.

Evaluation of business processes and risk management: Risk management methods: qualitative: the simplest and most used; based on checklists and the assignment of risk ratings (high, medium, low); quantitative: some methods lack rigor in accounting and management; used in the military, nuclear and chemical fields; probabilistic and anticipation-based: based on the statistical theory of probabilities and anticipation; historical information: establishes a pattern or a trend; the new value v = v × p, where p is the occurrence probability; anticipation of annual loss: a way to quantify loss.

Risk analysis: risk - the potential for a given threat to exploit vulnerabilities; threat - a potential security violation; vulnerability - a characteristic or property which may be exploited by a threat to cause loss; impact - the consequence of an unwanted incident; protection - a mechanism or procedure that reduces risk; residual risk - the risk remaining after implementation of the protection; risk analysis - the process of identifying security risks, determining their level and identifying the areas needing protection.

Risk control strategies: risk prevention; reducing impact; reducing probability; early detection; recovery; risk transfer.
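An added Python example, not from the page, that carries the quantitative method (v × p, the anticipated annual loss), the residual-risk definition and the risk control strategies above through a small risk register: for each threat it computes the expected annual loss, the loss remaining after a protection that reduces probability, reduces impact or transfers the loss, the net benefit of that protection, and the qualitative rating (high, medium, low) the checklist methods would assign. The register entries, the effect attributed to each protection and the rating thresholds are constructed for the example.

```python
# Constructed risk register for the example (not from the page). Each entry carries the
# asset value v, the annual occurrence probability p and a candidate protection, described
# by the risk control strategy it implements (reduce probability, reduce impact, transfer).
RISK_REGISTER = [
    {"threat": "ransomware", "value": 500_000, "probability": 0.20,
     "control": {"name": "offline backups + patching", "reduce_probability": 0.5,
                 "reduce_impact": 0.6, "transfer": 0.0, "annual_cost": 20_000}},
    {"threat": "laptop theft", "value": 20_000, "probability": 0.50,
     "control": {"name": "full-disk encryption", "reduce_probability": 0.0,
                 "reduce_impact": 0.9, "transfer": 0.0, "annual_cost": 1_000}},
    {"threat": "flood of data centre", "value": 2_000_000, "probability": 0.01,
     "control": {"name": "insurance", "reduce_probability": 0.0,
                 "reduce_impact": 0.0, "transfer": 0.8, "annual_cost": 5_000}},
]


def expected_annual_loss(value, probability):
    """The page's v x p: asset value weighted by its annual occurrence probability."""
    return round(value * probability, 2)


def residual_risk(value, probability, control):
    """Expected annual loss remaining after the protection is applied.

    'reduce_impact' lowers the value at stake, 'reduce_probability' lowers p, and
    'transfer' is the share of the loss carried by a third party (e.g. an insurer).
    """
    v = value * (1 - control["reduce_impact"])
    p = probability * (1 - control["reduce_probability"])
    retained = 1 - control["transfer"]  # share of the loss the organization still bears
    return round(v * p * retained, 2)


def qualitative_rating(loss, thresholds=(10_000, 100_000)):
    """Map a loss figure onto the qualitative scale (constructed thresholds)."""
    low, high = thresholds
    if loss < low:
        return "low"
    if loss < high:
        return "medium"
    return "high"


def evaluate_register(register):
    """Rank threats by expected annual loss and show what each protection buys."""
    rows = []
    for entry in register:
        eal = expected_annual_loss(entry["value"], entry["probability"])
        residual = residual_risk(entry["value"], entry["probability"], entry["control"])
        net_benefit = round(eal - residual - entry["control"]["annual_cost"], 2)
        rows.append({
            "threat": entry["threat"],
            "eal": eal,
            "rating": qualitative_rating(eal),
            "residual": residual,
            "residual_rating": qualitative_rating(residual),
            "control": entry["control"]["name"],
            "net_benefit": net_benefit,
            "worthwhile": net_benefit > 0,
        })
    return sorted(rows, key=lambda r: r["eal"], reverse=True)
```

The ranking is by loss before protection, which is what decides where the analysis effort goes; the residual figure and its rating are what remain to be accepted or treated further, and a protection whose annual cost exceeds the loss it removes shows up as not worthwhile.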

Policies, practices, standards and procedures definitions: policy: a. direction of action (government, political parties, business environment); b. high-level documents; c. strategic thinking, organizational philosophy; d. clear and concise; e. lower-level policies (divisions, departments); f. periodic review (business changes, technological novelties);

Policies, practices, standards and procedures definitions: practice: usual actions that execute the theoretical specifications; standard: an object, quality or basic measure against which compliance is evaluated; the degree of excellence required for a particular goal;

Policies, practices, standards and procedures definitions: procedure: a. manner of executing tasks; b. series of actions: order and manner; c. detailed documents; d. derived from policies; e. high level of dynamics;

independent examination of the policies and procedures.

The Corporate Security Manual (figure)

Information Security Policy (figure)

Security awareness: a continuous series of activities which presents and then reinforces the message, with a view to improving security: maintain people's awareness of their responsibilities and their role; gain and maintain people's commitment.
