Audit as a management tool: monitoring and checking the ISMS; covers the information processed and stored in information systems (mandatory scope).
Computer system: a set of elements in functional inter-correlation, at least one of which processes information automatically; components: hardware, software, communications, users, organizational framework; the computer system is part of the information system.
Standards
General standard: ISO 19011:2003, Guidelines for quality and/or environmental management systems auditing; Reference standard: ISO/IEC 27001:2005, ISMS requirements (the standard an ISMS is audited against); Reference standard: ISO/IEC 17799:2005, Code of practice for information security management (source of the ISMS audit criteria).
Definition
Definition according to ISO 19011:2003: an audit is a systematic, independent and documented evaluation, carried out by persons with specific qualifications, to determine whether the arrangements: satisfy prior instructions; are effectively implemented; are capable of achieving the established objectives.
Definition according to ISO 9000:2001: audit evidence (records, statements of fact or other information, quantitative or qualitative, that are relevant to the audit criteria and verifiable); audit criteria (the set of policies, procedures or requirements used as a reference).
Audit objectives: starting point for developing the management system (MS); MS compliance or non-compliance; MS effectiveness; MS improvement; prevention, correction and follow-up.
Audit types, by who performs the audit: internal (first party); external (second party or third party).
Audit types, by audit objective: determining the actual state; accreditation; certification.
Audit principles according to ISO 19011:2003, which make the audit a reliable tool and allow auditors working independently of one another to reach comparable conclusions: ethical conduct; fair presentation; due professional care; independence; evidence-based approach.
Auditor knowledge and skills: audit principles, procedures and techniques; the reference management system and its documents; organizational situations; laws, regulations and other applicable requirements; leadership (for audit team leaders).
Auditor evaluation: identifying the personal attributes, knowledge and skills required; establishing the evaluation criteria (quantitative, qualitative); selecting the evaluation method; performing the evaluation.
Questioning techniques (the quality of the audit depends on how questions are asked). Question types: open (Who? What? Where? Why? When? How?); closed (yes/no answers); leading, i.e. dominating or manipulative ("Don't you think that...?", "Am I right that...?"); opinion ("What do you think about...?"); investigative ("Did you take the steps for...?"); non-verbal.
Audit program 1. Objectives: program extent; responsibility for the program; necessary resources; procedures and other documents; program implementation; program records.
Audit program 2. Monitoring and review: at the level of program implementation; performance indicators.
1. Establishing the audit program (PLANNING): - Objectives and extent; - Responsibilities; - Resources; - Procedures.
2. Implementing the audit program (DOING): - Scheduling the audits; - Evaluating the auditors; - Selecting the audit team; - Directing the audit activities; - Maintaining the records.
2. Implementing the audit program (continued): these activities ensure auditor competence and evaluation, and the performance of the audit activities themselves.
3. Monitoring and reviewing the audit program (CHECKING): - Monitoring and review; - Identifying the need for corrective and preventive actions; - Identifying improvement opportunities.
4. Improving the audit program (ACTING): - Returning to step 1 of the audit program management process.
Performing the audit. Audit activities according to ISO 19011:2003: 1. Initiating the audit; 2. Conducting the document review; 3. Preparing for the on-site audit activities; 4. Conducting the on-site audit activities; 5. Preparing, approving and distributing the audit report; 6. Completing the audit; 7. Conducting the audit follow-up.
Performing the audit 1. Initiating the audit: appointing the audit team leader; defining the audit objectives, scope and criteria; determining the feasibility of the audit.
Selecting the audit team: - Size; - Competence; - Including technical experts (optional); - Including auditors in training (optional); - Required expertise: risk and risk management, security, business continuity, attack techniques.
Performing the audit 2. Document review: records of the auditee; relevant management system documents; previous audit reports.
Performing the audit 3. Preparing for the on-site audit: developing the audit plan; assigning responsibilities; preparing the working documents.
Performing the audit 4. Conducting the on-site audit: hold the opening meeting; communication methods during the audit; roles and responsibilities of guides and observers; collecting and verifying information; generating audit findings; preparing audit conclusions; hold the closing meeting.
Performing the audit 5. Preparing, approving and distributing the audit report: preparing the report; approving and distributing the report; the report must be complete, accurate, concise and clear; model of an audit report.
Performing the audit 6. Completing the audit: all activities in the audit plan fulfilled; audit report distributed; records kept or destroyed as agreed; document confidentiality maintained.
Performing the audit 7. Follow-up: corrective, preventive or improvement actions; their effectiveness verified through a follow-up audit; value added by the audit team's follow-up.
Information Security Management System (ISMS) internal audit: SENTINET security services platform; state of the IT infrastructure; traffic monitoring; model of an internal audit program.
ISMS internal audit. Software tools for testing the security of a bank information system: vulnerability scanners: Nessus, Microsoft Baseline Security Analyzer; network protocol analyzer: Wireshark; intrusion detection system: Snort; wireless sniffer: Kismet; web server scanner: Nikto; e-mail server scanner: Microsoft Exchange Best Practices Analyzer; hierarchy of evaluation tools; tool for interpreting questionnaire results: Microsoft Security Assessment Tool.
ISMS internal audit. Evaluating the system configuration: evaluating the hardware; the computer network at the physical level; software evaluation; intrusion monitoring; vulnerability scanning.
ISMS external audit. ISO/IEC 17799:2005 as the basis of the ISMS audit: minimizing interference between the auditors and the audited system; the standard establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization; the controls are selected on the basis of risk assessment; each control contains: the control statement, implementation guidance, other information (legal framework, references to other standards).
ISMS external audit. Control clauses and number of main security categories in ISO/IEC 17799:2005 (39 in total): security policy (1); organization of information security (2); asset management (2); human resources security (3); physical and environmental security (2); communications and operations management (10); access control (7); information systems acquisition, development and maintenance (6); information security incident management (2); business continuity management (1); compliance (3).
A. Security policy, 1 control category: 1. Information security policy: provides management direction and support for information security in accordance with business requirements and relevant laws and regulations: a) Information security policy document: approved by management, published and communicated to all employees and relevant external parties; document content: - definition of information security, its overall objectives and scope; - statement of management intent regarding security;
A. Security policy, 1 control category: 1. Information security policy: document content (continued): - framework for setting control objectives and controls, including risk assessment and risk management; - brief explanation of security policies, principles, standards and compliance requirements; - general and specific responsibilities for information security management; - references to documentation supporting the policy.
B. Organization of information security, 2 control categories: 1. Internal organization: managing information security within the organization, initiating and implementing information security controls: a) Management commitment: management supports information security through clear direction, demonstrated commitment and confirmation of responsibilities. Management should: - ensure that security objectives are identified, meet organizational requirements and are integrated into its processes;
1. Internal organization: Management should (continued): formulate, review and approve the security policy; review the effectiveness of policy implementation; provide clear direction and support for security initiatives; provide the necessary resources; approve the assignment of responsibilities for information security; initiate security awareness plans and programs; coordinate the implementation of security controls.
B. Organization of information security, 2 control categories: 1. Internal organization: b) Information security coordination: carried out by representatives from different parts of the organization with relevant roles and responsibilities, in cooperation with managers, users, administrators, application developers, auditors, security personnel and other specialists. The work involves: execution of security activities in accordance with the security policy;
1. Internal organization: the work involves (continued): identifying how to handle non-conformities; approving security methodologies and processes; identifying significant changes in threats and in exposure to them; assessing the adequacy of controls and coordinating their implementation; promoting education, training and awareness; recommending appropriate actions for identified security incidents.
c) Allocation of information security responsibilities: clear definition of security responsibilities, in accordance with the security policy and supplemented with details specific to sites and processing facilities; allocation includes: identifying and clearly defining the security processes associated with each system; assigning an entity responsible for each asset or security process and documenting that responsibility; clearly defining and documenting authorization levels.
B. Organization of information security, 2 control categories: 1. Internal organization: d) Authorization process for information processing facilities: defining and implementing a management authorization process for new information processing facilities; aspects of the authorization process: authorization of facilities (purpose, use); checking hardware and software compatibility with other system components; identifying and implementing controls for the new vulnerabilities introduced when personal or privately owned devices such as laptops and handheld devices are used for business information processing.
B. Organization of information security, 2 control categories: 1. Internal organization: e) Confidentiality agreements: identification and regular review of requirements for confidentiality and non-disclosure agreements; confidentiality and non-disclosure requirements to identify: definition of the information to be protected; expected duration of the agreement; actions required when the agreement is terminated; responsibilities and actions to prevent unauthorized disclosure;
B. Organization of information security, 2 control categories: 1. Internal organization: confidentiality and non-disclosure requirements (continued): ownership of information, trade secrets and intellectual property; permitted use of the confidential information and usage rights; the right to audit and monitor activities involving the information; process for notifying and reporting unauthorized disclosure or loss; actions to be taken in case of breach of the agreement.
B. Organization of information security, 2 control categories: 1. Internal organization: f) Contact with authorities: maintaining appropriate contacts with the relevant authorities; specifying which authorities to contact (supervisory, emergency response, etc.) and when, and reporting security incidents without violating the law;
B. Organization of information security, 2 control categories: 1. Internal organization: g) Contact with special interest groups: appropriate contacts with external security forums, professional associations and security experts; purpose of membership in special interest groups: improving knowledge of information security news; keeping the understanding of the security environment complete and current; receiving early warnings, advisories and patches on attacks and vulnerabilities; access to advice from information security specialists;
B. Organization of information security, 2 control categories: 1. Internal organization: purpose of membership in special interest groups (continued): sharing and exchanging information about new technologies, products, threats and vulnerabilities; providing liaison points for handling security incidents.
B. Organization of information security, 2 control categories: 1. Internal organization: h) Independent review of information security: performed at planned intervals or when significant changes to the security implementation occur; the results are recorded and reported to the management that initiated the review.
B. Organization of information security, 2 control categories: 2. Third parties: maintaining the security of the organization's information and processing facilities that are accessed, processed, communicated to or managed by third parties; controlling third-party access to the organization's information and facilities: a) Identification of risks related to third parties: identify the risks and implement appropriate controls before granting access to third parties;
B. Organization of information security, 2 control categories: 2. Third parties: identify risks related to third parties: - the processing facilities the third party needs to access; - type of access: physical (offices, computer rooms, etc.), logical (databases, IT systems, etc.), network connectivity; - value and sensitivity of the information; - controls needed to protect information that is not intended to be accessible to third parties; - the third-party personnel involved in handling the information;
B. Organization of information security, 2 control categories: 2. Third parties: identify risks related to third parties (continued): - how the third-party organization or its personnel are identified, how authorization is verified and how access is reconfirmed; - the means and controls the third party uses to store, process, communicate, share and exchange information; - impact of access being unavailable to the third party and of the third party providing inaccurate information; - practices and procedures for handling security incidents and potential damage; - legal and regulatory requirements and contractual obligations; - how the agreements with third parties affect the interests of other involved parties.
B. Organization of information security, 2 control categories: 2. Third parties: b) Addressing security when dealing with customers: identify the security requirements before granting customers access to the organization's information or assets; issues to consider: - asset protection: information, software, vulnerability management, loss or modification of data, integrity, sharing restrictions; - description of the product or service; - reasons, requirements and benefits of customer access;
B. Organization of information security, 2 control categories: 2. Third parties: issues to consider when dealing with customers (continued): - access control policy: permitted access methods, authorization process, prohibition of unauthorized access, revocation of access rights and termination of the connection; - arrangements for reporting, notifying and investigating inaccurate information, security incidents and security breaches; - description of each service; - responsibilities under the law; - intellectual property rights, copyright, etc.
B. Organization of information security, 2 control categories: 2. Third parties: c) Addressing security in third-party agreements: agreements covering access, processing, communication or management of the organization's information and facilities, or adding products or services to the processing facilities; the agreement must consider: the security policy; the controls to protect assets: information, software, hardware, physical protection, malicious software, asset compromise, asset destruction, confidentiality, integrity, availability, restrictions on disclosing information;
B. Organization of information security, 2 control categories: 2. Third parties: the agreement must consider (continued): - user and administrator training in methods, procedures and security; - user awareness of security responsibilities; - provisions for transfer of personnel; - responsibilities regarding hardware and software installation and maintenance; - clear reporting structure and agreed reporting formats; - clear change management process; - access control policy;
B. Organization of information security, 2 control categories: 2. Third parties: the agreement must consider (continued): - arrangements for reporting, notification and investigation of security incidents and breaches; - description of the product or service; - defining, monitoring and reporting performance criteria; - the right to monitor and revoke activities related to the organization's assets; - conditions for renegotiation and termination of the agreement.
C. Asset management, 2 control categories: 1. Responsibility for assets: achieving and maintaining appropriate protection of assets, with an inventory and a designated owner: a) Inventory of assets: identification and maintenance of the asset inventory; b) Ownership of assets: designating an owner within the organization for information and processing facilities; c) Acceptable use of assets: identifying, documenting and implementing rules for the use of assets (information and processing facilities).
C. Asset management, 2 control categories: 2. Information classification: ensuring an appropriate level of protection; classification determines the need, priorities and degree of protection when handling information: a) Classification guidelines: how to classify information according to its value, legal requirements, sensitivity and criticality to the organization; b) Information labelling and handling: labelling and handling procedures in accordance with the classification scheme.
D. Human resources security, 3 control categories: 1. Prior to employment: ensuring that employees, contractors and third-party users understand their responsibilities, to reduce the risk of theft, fraud and misuse of facilities: a) Roles and responsibilities: defined and documented in accordance with the security policy; b) Screening: background verification of candidates, contractors and third-party users in accordance with laws, regulations and ethics, proportional to business requirements, the classification of the information and the perceived risks;
D. Human resources security, 3 control categories: 1. Prior to employment: c) Terms and conditions of employment: agreeing and signing the terms in the employment contract; stating the responsibilities of both signatories (organization and employee) for information security.
D. Human resources security, 3 control categories: 2. During employment: awareness of threats and concerns, responsibilities and liabilities, and training to support the security policy during normal work: a) Management responsibilities: management requires employees, contractors and third-party users to apply the security policies and procedures; b) Information security awareness, education and training: training employees, contractors and third-party users in organizational policies and procedures;
D. Human resources security, 3 control categories: 2. During employment: c) Disciplinary process: existence of a formal disciplinary process for employees who have committed a security breach.
D. Human resources security, 3 control categories: 3. Termination or change of employment: an orderly way of leaving the organization; requires the return of equipment and the removal of access: a) Termination responsibilities: defined and assigned; b) Return of assets: required on termination of employment, contract or agreement; c) Removal of access rights: access removed on termination.
E. Physical and environmental security, 2 control categories: 1. Secure areas: preventing unauthorized physical access, damage and interference to the organization's premises and information; defining security perimeters with barriers and entry controls: a) Physical security perimeter: walls, card-controlled entry, manned reception desk; b) Physical entry controls: appropriate entry controls so that only authorized personnel are allowed access;
E. Physical and environmental security, 2 control categories: 1. Secure areas: c) Securing offices, rooms and facilities: physical security designed and applied; d) Protecting against external and environmental threats: protection against damage from fire, flood, earthquake, explosion, civil unrest and other natural or man-made disasters;
E. Physical and environmental security, 2 control categories: 1. Secure areas: e) Working in secure areas: physical protection and guidelines for working in secure areas; f) Public access, delivery and loading areas: controlled (is access granted to unauthorized personnel?) and isolated from processing facilities to avoid unauthorized access.
E. Physical and environmental security, 2 control categories: 2. Equipment security: preventing loss, damage, theft or compromise of the organization's assets and interruption of activities; equipment protected from physical and environmental threats: a) Equipment siting and protection: sited so as to reduce the risks from environmental threats and the opportunities for unauthorized access; b) Supporting utilities: protection from power failures and other disruptions caused by failures in supporting utilities;
E. Physical and environmental security, 2 control categories: 2. Equipment security: c) Cabling security: protection from interception or damage to power and telecommunications cabling; d) Equipment maintenance: ensuring continued availability and integrity through correct maintenance; e) Security of equipment off-premises: addressing the risks of working outside the organization's premises;
E. Physical and environmental security, 2 control categories: 2. Equipment security: f) Secure disposal or re-use of equipment: verify that data and licensed software on equipment containing storage media have been removed or securely overwritten; g) Removal of property: equipment, information or software not taken off-site without prior authorization.
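Control 9.2.6 of ISO/IEC 17799:2005 (secure disposal or re-use of equipment, item f above) asks the auditor to verify that storage media were actually overwritten. The following is an added example, not from the original slides, of a check a practitioner can run against a disk image (or a block device opened read-only) to find the first byte that does not match the expected overwrite pattern. The function names, the zero-fill pattern and the test image with a planted private-key fragment are constructed for illustration.

```python
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large images do not have to fit in memory


def find_residual_data(path, pattern=b"\x00"):
    """Scan an image or block device and return the offset of the first byte that
    does not match the expected overwrite pattern, or None if every byte matches.
    A non-None result means the wipe is incomplete at (at least) that offset."""
    plen = len(pattern)
    with open(path, "rb") as f:
        offset = 0
        while True:
            data = f.read(CHUNK)
            if not data:
                return None
            # Expected bytes for this chunk, kept phase-aligned with the pattern
            # so multi-byte patterns verify correctly across chunk boundaries.
            start = offset % plen
            expected = (pattern * (len(data) // plen + 2))[start:start + len(data)]
            if data != expected:
                for j in range(len(data)):
                    if data[j] != expected[j]:
                        return offset + j
            offset += len(data)


def make_image(size, remnant=b"", at=0):
    """Constructed test image (not a real disk): zero-filled, optionally with a
    'remnant' of old data written at offset 'at' to simulate an incomplete wipe."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x00" * size)
        if remnant:
            f.seek(at)
            f.write(remnant)
    return path


if __name__ == "__main__":
    clean = make_image(3 * CHUNK)
    dirty = make_image(3 * CHUNK, b"-----BEGIN RSA PRIVATE KEY-----", at=1_500_000)
    print("clean image:", find_residual_data(clean))  # None
    print("dirty image:", find_residual_data(dirty))  # 1500000
    os.remove(clean)
    os.remove(dirty)
```

A logical scan like this only proves what the host can read: on SSDs, wear-levelled or remapped blocks can still hold old data, so for flash media the audit evidence should be the drive's own secure-erase/sanitize command and the vendor's verification, with this scan only as a supplementary check.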
F. Communications and operations management, 10 control categories: 1. Operational procedures and responsibilities: correct and secure operation of processing facilities; development of appropriate operating procedures: a) Documented operating procedures: documented, maintained and made available to the users who need them; b) Change management: changes to facilities and systems are controlled;
F. Communications and operations management, 10 control categories: 1. Operational procedures and responsibilities: c) Segregation of duties: duties and areas of responsibility separated to reduce the risk of unauthorized or unintentional modification or misuse of assets (information, facilities); d) Separation of development, test and operational facilities: reducing the risk of unauthorized access or changes to the operational system.
F. Communications and operations management, 10 control categories: 2. Third-party service delivery management: implementing and maintaining the appropriate level of security; checking the implementation of agreements, monitoring compliance with the agreements, managing changes: a) Service delivery: the security controls, service definitions and delivery levels in the agreement are implemented, operated and maintained; b) Monitoring and review of third-party services: services, reports and records monitored and reviewed, audits carried out regularly;
F. Communications and operations management, 10 control categories: 2. Third-party service delivery management: c) Managing changes to third-party services: changes to service provision, including maintaining and improving security policies, procedures and controls, are managed.
F. Communications and operations management, 10 control categories: 3. System planning and acceptance: minimizing the risk of system failures; projecting future capacity requirements to prevent overload: a) Capacity management: ensuring system performance by monitoring and tuning resource use and projecting future capacity requirements; b) System acceptance: establishing acceptance criteria for new systems, upgrades and new versions, with suitable tests carried out during development and prior to acceptance.
F. Communications and operations management, 10 control categories: 4. Protection against malicious and mobile code: protecting the integrity of software and information; precautions to prevent and detect the introduction of malicious code and unauthorized mobile code: a) Controls against malicious code: detection, prevention and recovery controls, combined with user awareness procedures; b) Controls against mobile code: mobile code operates according to the security policy; execution of unauthorized mobile code is prevented.
F. Communications and operations management, 10 control categories: 5. Back-up: maintaining the integrity and availability of information and processing facilities: a) Information back-up: back-up copies of information and software made and tested regularly in accordance with the back-up policy.
F. Communications and operations management, 10 control categories: 6. Network security management: protecting information in networks and the supporting infrastructure: a) Network controls: networks adequately managed and controlled, protecting systems, applications and information in transit; b) Security of network services: security features, service levels and management requirements identified and included in the network services agreement.
F. Communications and operations management, 10 control categories: 7. Media handling: preventing unauthorized disclosure, modification, removal or destruction of assets and interruption of activities; media physically controlled and protected: a) Management of removable media: procedures in place; b) Disposal of media: procedures for secure disposal; c) Information handling procedures: procedures to prevent unauthorized disclosure or misuse;
F. Communications and operations management, 10 control categories: 7. Media handling: d) Security of system documentation: protected against unauthorized access.
F. Communications and operations management, 10 control categories: 8. Exchange of information: maintaining the security of information and software exchanged within the organization and with external entities; exchange policy in line with exchange agreements and applicable legislation: a) Information exchange policies and procedures: protection of information exchanged through all types of communication facilities; b) Exchange agreements: establishing the framework for the exchange of information and software between the organization and external parties;
F. Communications and operations management, 10 control categories: 8. Exchange of information: c) Physical media in transit: protection of media during transport outside the organization; d) Electronic messaging: protecting information in electronic messaging; e) Business information systems: policies and procedures protecting information on interconnected business information systems.
F. Communications and operations management, 10 control categories: 9. Electronic commerce services: ensuring the security of electronic commerce services and their secure use: a) Electronic commerce: information passing over public networks protected from fraudulent activity and from unauthorized disclosure or modification; b) On-line transactions: information protected against incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure and unauthorized duplication or replay;
F. Communications and operations management, 10 control categories: 9. Electronic commerce services: c) Publicly available information: integrity protected to prevent unauthorized modification.
F. Communications and operations management, 10 control categories: 10. Monitoring: detecting unauthorized information processing activities; monitoring systems and recording security events: a) Audit logging: recording user activities, exceptions and security events, kept for future investigation and access control monitoring; b) Monitoring system use: procedures for monitoring the use of processing facilities and regular review of the results;
F. Communications and operations management, 10 control categories: 10. Monitoring: c) Protection of log information: logging facilities and log information protected against tampering and unauthorized access; d) Administrator and operator logs: activities of system administrators and operators logged; e) Fault logging: faults logged, analyzed and acted upon; f) Clock synchronization: clocks of all relevant processing systems synchronized with an agreed accurate time source.
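For items c) protection of log information and f) clock synchronization in the monitoring category above (controls 10.10.3 and 10.10.6 of ISO/IEC 17799:2005), the following is an added example, not part of the original slides, of how a log collector can make tampering detectable: each record carries an HMAC over the previous record's tag and the event, so an edited, deleted or reordered record breaks the chain from that point onward, and a timestamp ordering check flags records that run backwards in time, a typical symptom of unsynchronized clocks on the emitting hosts. The key name and value, the event fields and the sample events are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Assumed: a secret held only by the log collector (hypothetical value; in practice
# kept in an HSM or KMS, never on the hosts that emit the events).
LOG_KEY = b"example-log-integrity-key-do-not-use"

GENESIS_TAG = "0" * 64  # tag of the (empty) record preceding the first one


def _canonical(event):
    """Canonical JSON encoding so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _tag(prev_tag, event):
    return hmac.new(LOG_KEY, prev_tag.encode() + _canonical(event), hashlib.sha256).hexdigest()


def append_event(chain, event):
    """Append one event. Each record stores HMAC(key, previous tag || event), so
    editing, deleting or reordering any earlier record invalidates every later tag."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    tag = _tag(prev_tag, event)
    chain.append({"event": event, "tag": tag})
    return tag


def verify_chain(chain):
    """Return (True, None) if every record links correctly to its predecessor,
    otherwise (False, index_of_first_bad_record)."""
    prev_tag = GENESIS_TAG
    for i, rec in enumerate(chain):
        if not hmac.compare_digest(_tag(prev_tag, rec["event"]), rec["tag"]):
            return False, i
        prev_tag = rec["tag"]
    return True, None


def first_out_of_order(chain):
    """Index of the first record whose timestamp precedes its predecessor's, or None.
    Timestamps going backwards in an intact chain point at unsynchronized clocks."""
    prev = None
    for i, rec in enumerate(chain):
        ts = datetime.fromisoformat(rec["event"]["ts"].replace("Z", "+00:00"))
        if prev is not None and ts < prev:
            return i
        prev = ts
    return None


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2023-05-01T08:00:00Z", "host": "db01", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2023-05-01T08:05:12Z", "host": "db01", "user": "bob", "action": "login", "result": "fail"},
    {"ts": "2023-05-01T08:05:40Z", "host": "db01", "user": "bob", "action": "login", "result": "fail"},
    {"ts": "2023-05-01T08:07:03Z", "host": "db01", "user": "root", "action": "sudo", "result": "ok"},
]


def build_sample_chain():
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    return chain


def tampered_chain():
    """Sample chain after an operator rewrites the failed login in record 1 as a success."""
    chain = build_sample_chain()
    chain[1] = {"event": dict(chain[1]["event"], result="ok"), "tag": chain[1]["tag"]}
    return chain


def deleted_chain():
    """Sample chain with record 2 silently removed."""
    chain = build_sample_chain()
    del chain[2]
    return chain


if __name__ == "__main__":
    print("intact:  ", verify_chain(build_sample_chain()))        # (True, None)
    print("tampered:", verify_chain(tampered_chain()))            # (False, 1)
    print("deleted: ", verify_chain(deleted_chain()))             # (False, 2)
    print("ordering:", first_out_of_order(build_sample_chain()))  # None
```

The verification key must live on the log server (or an HSM), not on the hosts producing events: a host holding the key could simply recompute the chain after editing its own log. Truncating the tail of the chain is not detected by this check alone; publishing the latest tag off-system at intervals, or appending a signed heartbeat record, closes that gap.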
G. Access control, 7 control categories: 1. Business requirement for access control: controlling access to information on the basis of business and security requirements: a) Access control policy: established, documented and reviewed based on business and security requirements for access.
G. Access control, 7 control categories: 2. User access management: ensuring authorized user access and preventing unauthorized access; formal procedures to control the allocation of access rights: a) User registration: formal registration and de-registration procedure for granting and revoking access; b) Privilege management: allocation and use of privileges restricted and controlled; c) User password management: allocation of passwords controlled through a formal process; d) Review of user access rights: formal review at regular intervals.
G. Access control, 7 control categories: 3. User responsibilities: preventing unauthorized user access and the compromise or theft of information and processing facilities; cooperation of authorized users: a) Password use: selection and use of passwords according to good practice; b) Unattended user equipment: appropriate protection ensured; c) Clear desk and clear screen policy: no documents or storage media left on desks, no information left on screens.
G. Access control, 7 control categories: 4. Network access control: preventing unauthorized access to networked services; controlling access to internal and external network services; users should not compromise the security of network services: a) Policy on use of network services: users given access only to the network services they are authorized to use; b) User authentication for external connections: appropriate authentication methods to control access by remote users;
G. Access control, 7 control categories: 4. Network access control: c) Equipment identification in networks: automatic identification as a means of authenticating connections from specific locations and equipment; d) Remote diagnostic and configuration port protection: physical and logical access to diagnostic and configuration ports controlled; e) Segregation in networks: groups of information services, users and information systems segregated;
G. Access control, 7 control categories: 4. Network access control: f) Network connection control: capability of users to connect restricted on shared networks that extend beyond the organization's boundaries; g) Network routing control: routing controls ensuring that connections and information flows comply with the access control policy.
G. Access control, 7 control categories: 5. Operating system access control: preventing unauthorized access; access restricted to authorized users through the security facilities of the operating system: a) Secure log-on procedures: access controlled by a secure log-on procedure; b) User identification and authentication: a unique identifier (user ID) for each user and a suitable authentication technique to substantiate the claimed identity;
G. Access control, 7 control categories: 5. Operating system access control: c) Password management system: interactive and ensuring quality passwords; d) Use of system utilities: restricted and tightly controlled, since utility programs may be capable of overriding system and application controls; e) Session time-out: inactive sessions shut down after a defined period of inactivity; f) Limitation of connection time: additional security for high-risk applications.
G. Access control, 7 control categories: 6. Application and information access control: preventing unauthorized access to information held in application systems; restricting access to the application and within the application: a) Information access restriction: user access restricted in accordance with the access control policy; b) Sensitive system isolation: a dedicated (isolated) computing environment.
G. Access control 7 control categories: 7. Mobile computing and teleworking: ensure information security when using mobile computing and teleworking facilities: a) Mobile computing and communications: a formal policy and appropriate security measures protect against the risks of using mobile computing and communication facilities;
Implementation: specify the risks and the rules: unprotected working environments; physical protection against loss or theft of equipment and media; access controls against unauthorized persons; cryptographic techniques; easy and fast back-up; antivirus protection; connection to the network from public places;
Specify risks and rules (continued): use of cryptographic techniques outside the organization; procedures against malicious software; identification and authentication for access from public networks; physical securing of equipment left in remote areas, or continuous surveillance; training sessions for staff who use mobile devices;
Specify risks and rules (continued): characteristics of wireless networks: security protocols insufficiently mature, with known weaknesses; poor back-up (insufficient bandwidth; devices not connected when the back-up procedure is launched).
G. Access control 7 control categories: 7. Mobile computing and teleworking: b) Teleworking: a policy, operational plans and procedures are developed and implemented for teleworking activities.
H. Information systems acquisition, development and maintenance 6 control categories: 1. Security requirements of information systems: security is an integral part of the whole system: operating systems, infrastructure, applications, products, services, etc.: a) Security requirements analysis and specification: statements of business requirements for new information systems, or enhancements to existing ones, specify the requirements for security controls.
H. Information systems acquisition, development and maintenance 6 control categories: 2. Correct processing in applications: prevent errors, loss, unauthorized modification or misuse of information in applications: a) Input data validation: data input to applications is validated to ensure that it is correct and appropriate; b) Control of internal processing: validation checks detect any corruption of information through processing errors or deliberate acts; c) Message integrity: requirements for ensuring authenticity and protecting message integrity in applications are identified, and appropriate controls implemented; d) Output data validation: data output from an application is validated to ensure that the processing of stored information is correct and appropriate.
H. Information systems acquisition, development and maintenance 6 control categories: 3. Cryptographic controls: protect the confidentiality, authenticity and integrity of information by cryptographic means; a policy and key management support the use of cryptographic techniques: a) Policy on the use of cryptographic controls: a policy on the use of cryptographic controls is developed and implemented; b) Key management: key management supports the organization's use of cryptographic techniques.
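The "message integrity" control (category 2, c) and the "key management" control (category 3, b) are usually met together: messages carry a message authentication code, and the keys behind that code have identifiers, a rotation procedure and a retirement step. The block below is an added example written for this page, not code from the slides or from any standard; it keeps HMAC-SHA256 keys in a small key ring, binds the key ID into the MAC input so a message cannot be relabelled as signed under another key, verifies in constant time, and shows that a rotated-out key still verifies old messages until it is explicitly retired. The key ring, envelope format and key IDs are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class KeyRing:
    """HMAC keys indexed by key ID. One key is current (used for signing); older keys
    stay available for verification until they are retired."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._current: Optional[str] = None

    def rotate_in(self, key_id: str, key: Optional[bytes] = None) -> str:
        """Add a new key and make it the current signing key (rotation)."""
        if key_id in self._keys:
            raise ValueError(f"key ID {key_id!r} already exists")
        self._keys[key_id] = key if key is not None else secrets.token_bytes(32)
        self._current = key_id
        return key_id

    def retire(self, key_id: str) -> None:
        """Remove a key; messages signed under it can no longer be verified."""
        if key_id == self._current:
            raise ValueError("retire the current key only after rotating in a successor")
        self._keys.pop(key_id)

    @property
    def current_id(self) -> str:
        if self._current is None:
            raise RuntimeError("key ring has no current key")
        return self._current

    def key(self, key_id: str) -> Optional[bytes]:
        return self._keys.get(key_id)


def _mac_input(key_id: str, payload: bytes) -> bytes:
    # The key ID is bound into the MAC so that an attacker cannot relabel a
    # message as having been authenticated under a different key.
    return key_id.encode("utf-8") + b"\x00" + payload


def sign(ring: KeyRing, payload: bytes) -> dict:
    """Wrap a payload in an envelope carrying the key ID and HMAC-SHA256 tag."""
    key_id = ring.current_id
    tag = hmac.new(ring.key(key_id), _mac_input(key_id, payload), hashlib.sha256).hexdigest()
    return {"kid": key_id, "payload": payload.hex(), "mac": tag}


def verify(ring: KeyRing, envelope: dict) -> bool:
    """True only if the envelope is intact and was signed under a key still on the ring."""
    key = ring.key(envelope.get("kid", ""))
    if key is None:
        return False  # unknown or retired key: reject rather than guess
    try:
        payload = bytes.fromhex(envelope["payload"])
    except (KeyError, ValueError):
        return False
    expected = hmac.new(key, _mac_input(envelope["kid"], payload), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("mac", ""))


if __name__ == "__main__":
    ring = KeyRing()
    ring.rotate_in("k1")
    msg = sign(ring, b"transfer 100 to account 42")  # constructed sample message
    print("original verifies:", verify(ring, msg))
    forged = dict(msg, payload=b"transfer 900 to account 42".hex())
    print("tampered verifies:", verify(ring, forged))
    ring.rotate_in("k2")
    print("after rotation, old message verifies:", verify(ring, msg))
    ring.retire("k1")
    print("after retiring k1, old message verifies:", verify(ring, msg))
```

The key management policy decides how long a rotated-out key stays verifiable; the code only enforces that the current signing key cannot be retired first.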
H. Information systems acquisition, development and maintenance 6 control categories: 4. Security of system files: control access to system files and program source code: a) Control of operational software: procedures control the installation of software on operational systems; b) Protection of system test data: test data is selected carefully, protected and controlled; c) Access control to program source code: access to program source code is restricted.
H. Information systems acquisition, development and maintenance 6 control categories: 5. Security in development and support processes: maintain the security of application system software and information; strict control of project and support environments: a) Change control procedures: the implementation of changes is controlled by formal change control procedures; b) Technical review of applications after operating system changes: business-critical applications are reviewed and tested to ensure there is no adverse impact on organizational operations or security;
H. Information systems acquisition, development and maintenance 6 control categories: 5. Security in development and support processes: c) Restrictions on changes to software packages: modifications to software packages are discouraged, limited to necessary changes and strictly controlled; d) Information leakage: opportunities for information leakage are prevented; e) Outsourced software development: supervised and monitored by the organization.
H. Information systems acquisition, development and maintenance 6 control categories: 6. Technical vulnerability management: reduce the risks resulting from exploitation of published technical vulnerabilities: a) Control of technical vulnerabilities: timely information about technical vulnerabilities of the information systems in use is obtained, the organization's exposure to them is evaluated, and appropriate measures address the associated risk.
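The technical vulnerability management control has three steps: obtain vulnerability information, evaluate the organization's exposure, and prioritize measures. The block below is an added example (not from the slides) of the middle step: it matches a software inventory against a list of advisories by affected version range, normalizes versions of different lengths so that "2.2" and "2.3.0" compare correctly, and ranks the findings by severity. The inventory, the package names and the advisory identifiers (ADV-2024-00x) are all constructed for the example and refer to no real product or published vulnerability; a real run would take both inputs from an asset inventory and a vulnerability feed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_version(version: str, parts: int = 3) -> Tuple[int, ...]:
    """Turn '1.4' into (1, 4, 0) so that versions of different lengths compare correctly."""
    numbers = [int(p) for p in version.strip().split(".")]
    if len(numbers) > parts:
        raise ValueError(f"unsupported version format: {version!r}")
    return tuple(numbers + [0] * (parts - len(numbers)))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    severity: str


# Constructed advisory feed; identifiers and packages are fictitious.
ADVISORIES = [
    Advisory("ADV-2024-001", "libexample", "2.0.0", "2.3.1", "critical"),
    Advisory("ADV-2024-002", "webfw", "1.0", "1.8", "high"),
    Advisory("ADV-2024-003", "dbdriver", "3.2.0", "3.2.5", "medium"),
]

# Constructed inventory: host -> {package: installed version}.
INVENTORY = {
    "web-01": {"libexample": "2.3.0", "webfw": "1.7.2"},
    "web-02": {"libexample": "2.3.1", "webfw": "1.9"},
    "db-01": {"libexample": "2.2", "dbdriver": "3.2.4"},
}


def is_affected(version: str, adv: Advisory) -> bool:
    """Installed version lies in [introduced, fixed)."""
    return parse_version(adv.introduced) <= parse_version(version) < parse_version(adv.fixed)


def assess_exposure(inventory: Dict[str, Dict[str, str]], advisories: List[Advisory]) -> List[dict]:
    """One finding per (host, package, advisory) match, most severe first."""
    findings = []
    for host, packages in inventory.items():
        for package, version in packages.items():
            for adv in advisories:
                if adv.package.lower() == package.lower() and is_affected(version, adv):
                    findings.append({"host": host, "package": package, "version": version,
                                     "advisory_id": adv.advisory_id, "severity": adv.severity,
                                     "fixed_in": adv.fixed})
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["package"], f["host"]))
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Number of exposed hosts per advisory, for reporting to management."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["advisory_id"]] = counts.get(f["advisory_id"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in assess_exposure(INVENTORY, ADVISORIES):
        print(f"{f['severity']:<8} {f['host']:<7} {f['package']} {f['version']} "
              f"-> {f['advisory_id']} (fixed in {f['fixed_in']})")
    print(summarize(assess_exposure(INVENTORY, ADVISORIES)))
```

An auditor would look for exactly this kind of repeatable comparison, with the inventory and the feed both dated, rather than for ad hoc checks on individual hosts.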
I. Information security incident management 2 categories of controls: 1. Reporting information security events and weaknesses: event reporting and escalation procedures: a) Reporting information security events: reported through appropriate management channels as quickly as possible; b) Reporting security weaknesses: employees, contractors and third party users note and report any observed or suspected security weakness.
I. Information security incident management 2 categories of controls: 2. Management of information security incidents and improvements: responsibilities and procedures for handling security events and weaknesses; a process of continual improvement for monitoring, evaluating and managing security incidents: a) Responsibilities and procedures: ensure a quick, effective and orderly response to information security incidents;
I. Information security incident management 2 categories of controls: 2. Management of information security incidents and improvements: b) Learning from information security incidents: mechanisms to quantify and monitor the types, volumes and costs of security incidents; c) Collection of evidence: where follow-up action after an incident involves legal action, evidence is collected, retained and presented in conformity with the law.
J. Business continuity management 1 category of controls: 1. Information security aspects of business continuity management: counteract interruptions to business activities, protect critical business processes from the effects of major failures of information systems or disasters, and ensure their timely resumption: a) Including information security in the business continuity management process: a managed process for business continuity throughout the organization that addresses the information security requirements;
J. Business continuity management 1 category of controls: 1. Information security aspects of business continuity management: b) Business continuity and risk assessment: events that can cause interruptions to business processes are identified, together with the probability and impact of such interruptions; c) Developing and implementing continuity plans including information security: plans maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption or failure of critical business processes;
J. Business continuity management 1 category of controls: 1. Information security aspects of business continuity management: d) Business continuity planning framework: a single framework keeps all plans consistent and identifies priorities for testing and maintenance; e) Testing, maintaining and re-assessing business continuity plans: regular testing and updating ensure that the plans are up to date and effective.
K. Compliance 3 control categories: 1. Compliance with legal requirements: avoid breaches of any law or of statutory, regulatory or contractual obligations; advice on specific legal requirements is sought from legal advisers: a) Identification of applicable legislation: explicitly defined, documented and kept up to date for each information system; b) Intellectual property rights: appropriate procedures ensure compliance with legislative, regulatory and contractual requirements; c) Protection of organizational records: protected from loss, destruction and falsification in accordance with legislation;
K. Compliance 3 control categories: 1. Compliance with legal requirements: d) Data protection and privacy of personal information: ensured as required by legislation, regulations and, where applicable, contractual clauses; e) Prevention of misuse of information processing facilities: users are deterred from using the facilities for unauthorized purposes; f) Regulation of cryptographic controls: used in compliance with the relevant laws, regulations and agreements.
K. Compliance 3 control categories: 2. Compliance with security policies and standards, and technical compliance: ensure compliance of systems with organizational security policies and standards; regular review of information systems security: a) Compliance with security policies and standards: managers ensure that security procedures within their area of responsibility are carried out correctly, in accordance with policy and standards; b) Technical compliance checking: information systems are regularly checked for compliance with security implementation standards.
K. Compliance 3 control categories: 3. Information systems audit considerations: maximize the effectiveness of, and minimize interference from, the information systems audit process: a) Information systems audit controls: audit requirements and activities involving checks on operational systems are planned and agreed to minimize the risk of disruption to business processes; b) Protection of information systems audit tools: access to audit tools is protected to prevent their misuse or compromise.
ISACA structure of the CISA examination handbook: 1. IS audit process; 2. IS management, organization and planning; 3. technical infrastructure and operational practices; 4. information capital protection; 5. disaster recovery and business continuity; 6. development, acquisition, implementation and maintenance of business applications systems; 7. assessment of business processes and risk management.
IS audit process 10%, 20 questions: developing and/or implementing a risk-based IS audit strategy and objectives; planning audits; obtaining sufficient, appropriate, reliable, relevant and useful audit evidence; analysing the information collected; examining the business; communicating results; facilitating and monitoring risk management and control practices.
IS audit process IS audit standards: audit charter: documents responsibility and authority; independence: professional and organizational; professional ethics and standards; competence: knowledge, skills, continuing education; audit planning; audit performance; reporting: content and form; follow-up activities.
IS management, planning and organization: evaluation of the IS strategy; evaluation of IS policies, standards and procedures; evaluation of IS management practices; evaluation of IS organization and structure; evaluation of the selection and management of outsourced IS services.
IS management, planning and organization Employee handbook: section: personnel management; explanatory content regarding: a. security policies and procedures; b. expectations of the organization; c. employee benefits; d. policy on vacations and holidays; e. rules on working overtime; f. employment outside the organization; g. employee performance evaluations; h. emergency procedures; i. disciplinary actions: unauthorized absence, breach of confidentiality and/or security, non-compliance with organization policies.
Technical infrastructure and operational practices: 13%, 26 questions: assessment of hardware acquisition, installation and maintenance; assessment of the development/acquisition, implementation and maintenance of system software and utilities; assessment of the acquisition, installation and maintenance of network infrastructure; assessment of operational practices and of the effective use of technical resources; evaluation of system performance.
Technical infrastructure and operational practices Hardware acquisition: selection criteria for supplier proposals: service response time; system response time to user requests; time needed to log on to the system or connect to the network; system throughput (work performed per unit of time, e.g. instructions per second); workload (volume of work completed in a unit of time); portability of applications to the new system; management of concurrent access (network requests, user data processing); availability versus system failures.
Information capital protection 25%, 50 questions: importance of information security management; logical access vulnerabilities and controls; network infrastructure security; auditing information security management; auditing network infrastructure security; environmental vulnerabilities and controls; physical access vulnerabilities and controls.
Information capital protection Implementation strategies for antivirus software: section: Viruses; control and prevention of virus spreading; at server/workstation level:
a. scheduled scans; b. on-demand scans; c. continuous (on-access) scans;
Information capital protection At organizational network level, antivirus software as part of the firewall technologies in use:
a. SMTP protection: scanning of SMTP traffic in coordination with the e-mail server; b. HTTP protection: against viruses downloaded through ActiveX and Java content; c. FTP protection: against downloading infected files;
Selection criteria for antivirus software:
a. reliability and quality of virus detection; b. memory residence for continuous checking; c. effectiveness: does not degrade speed or access to resources.
Disaster recovery and business continuity: proper evaluation of back-ups to ensure a rapid return to the state prior to the disaster; assessment of the organization's ability to provide a replacement for the primary information system (during failure of the primary system); assessment of the organization's ability to ensure information processing and business process continuity.
Disasters and disruption events: natural disasters; interruption of public utilities; man-made: terrorist attacks, hackers, viruses, fraud, theft, sabotage; accidental: deletion of files, system crashes, fires, etc.
Motivation for the attack: technical challenge; prestige; obsession with hacking; momentary impulse; financial gain; envy, revenge, resentment against the manager, jealousy, etc.
Business continuity process planning: short-term (ST) and long-term (LT) strategy based on the most pessimistic scenarios; ST: alternative processing facilities; LT: a new, permanent facility as the alternative.
Business continuity process planning (continued): business impact analysis; classification of operations and analysis of their criticality; development of the business continuity plan and disaster recovery procedures; staff training and awareness; testing and implementing the plan; monitoring.
Development, acquisition, implementation and maintenance of business applications systems 16%, 32 questions: assessment of development and implementation processes; assessment of acquisition and implementation processes; assessment of the maintenance processes.
Development, acquisition, implementation and maintenance of business applications systems Detailed design and development: section: audit of system development, acquisition and maintenance; the auditor performs:
a. examination of the system flowchart for conformance with the system design, and check of the approvals for modifications made; b. examination of the designed input, processing and output; c. interviews with key users to check their understanding of the system; d. assessment of audit trail and accountability; e. check of the integrity of processing and of key processes; f. check of the system's capability to identify and process erroneous data; g. examination of the quality assurance of the results obtained; h. verification of the correction of programming errors.
Evaluation of business processes and risk management: evaluation of the efficiency and effectiveness of the IS; assessment of the design and implementation of automated and manual controls; evaluation of business process change projects; assessment of the implementation of risk management and governance.
Evaluation of business processes and risk management Risk management methods: qualitative: the simplest and most widely used; based on checklists and the assignment of risk ratings (high, medium, low); quantitative: some methods lack rigour from an accounting and management standpoint; used in the military, nuclear and chemical fields; probabilistic and expectation-based: founded on the statistical theory of probability and expected value; historical information: establishes a pattern or a trend; expected value of a loss: v' = v x p, where v is the value at risk and p the probability of occurrence; annual loss expectancy: a way to quantify the loss over a year.
Risk analysis: risk: the potential that a given threat will exploit vulnerabilities to cause loss or damage; threat: a potential security violation; vulnerability: a characteristic or property that may be exploited by a threat to cause loss; impact: the consequence of an unwanted incident; safeguard (protection): a mechanism or procedure that reduces risk; residual risk: the risk remaining after implementation of the safeguards; risk analysis: the process of identifying security risks, determining their magnitude and identifying the areas needing protection.
Risk control strategies: risk prevention; reducing impact; reduce probability; early detection; recovery; risk transfer.
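The quantitative method (expected loss v x p and annual loss expectancy), the definition of residual risk, and the list of risk control strategies fit together into one calculation: each candidate control changes the probability, the impact, or who carries the loss, and the one worth buying is the one whose reduction in annual loss expectancy most exceeds its own cost. The block below is an added example written for this page, not a method from the slides or from ISACA; it carries that calculation through for one constructed risk and four constructed controls. Asset value, exposure factor, rates of occurrence and control costs are all made-up figures, and the "reduce" and "transfer" effects are modelled as simple multipliers on the slide's p and v.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # v: value of the asset, in currency units
    exposure_factor: float  # fraction of v lost in one incident (0..1)
    aro: float              # p over a year: annualized rate of occurrence

    @property
    def sle(self) -> float:
        """Single loss expectancy: v x exposure factor."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual loss expectancy: SLE x ARO, the slide's v x p taken over a year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    strategy: str               # one of the risk control strategies on the slide
    annual_cost: float
    aro_multiplier: float = 1.0  # < 1 for 'reduce probability' / 'risk prevention'
    ef_multiplier: float = 1.0   # < 1 for 'reducing impact' / 'early detection' / 'recovery'
    transferred: float = 0.0     # fraction of the remaining loss carried by a third party ('risk transfer')


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The risk that remains after the control is applied (the slide's residual risk)."""
    return replace(
        risk,
        name=f"{risk.name} (after {control.name})",
        exposure_factor=risk.exposure_factor * control.ef_multiplier * (1.0 - control.transferred),
        aro=risk.aro * control.aro_multiplier,
    )


def net_benefit(risk: Risk, control: Control) -> float:
    """Reduction in ALE minus the control's own annual cost."""
    return risk.ale - residual_risk(risk, control).ale - control.annual_cost


def choose_control(risk: Risk, controls: List[Control]) -> Optional[Control]:
    """The control with the greatest positive net benefit; None means accepting the risk is cheaper."""
    best = max(controls, key=lambda c: net_benefit(risk, c), default=None)
    if best is None or net_benefit(risk, best) <= 0:
        return None
    return best


# Constructed scenario: figures are illustrative only.
RISK = Risk("ransomware on the file server", asset_value=500_000, exposure_factor=0.4, aro=0.25)
CONTROLS = [
    Control("segmentation and patching", "reduce probability", 8_000, aro_multiplier=0.2),
    Control("offline backups and tested recovery", "recovery", 5_000, ef_multiplier=0.25),
    Control("cyber insurance", "risk transfer", 30_000, transferred=0.9),
    Control("oversized DLP suite", "reducing impact", 60_000, ef_multiplier=0.5),
]

if __name__ == "__main__":
    print(f"{RISK.name}: SLE {RISK.sle:,.0f}, ALE {RISK.ale:,.0f}")
    for c in CONTROLS:
        r = residual_risk(RISK, c)
        print(f"  {c.name:<36} {c.strategy:<20} residual ALE {r.ale:>9,.0f}  net {net_benefit(RISK, c):>9,.0f}")
    chosen = choose_control(RISK, CONTROLS)
    print("recommended:", chosen.name if chosen else "accept the risk")
```

The point of the comparison is that the control addressing the largest term wins, not the most expensive or the most sophisticated one: a control whose cost exceeds the ALE it removes has a negative net benefit and is excluded even though it reduces the risk.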
policy:
a. sets the direction of action (government, political parties, business environment); b. high-level document; c. strategic thinking, organizational philosophy; d. clear and concise; e. also exists at lower levels (divisions, departments); f. periodically reviewed (business changes, technological developments);
procedure:
a. the manner in which tasks are executed; b. a series of actions in a given order and manner; c. detailed document; d. derived from policies; e. highly dynamic;
Security awareness: a continuous series of activities that presents and then reinforces the message with a view to improving security: maintain people's awareness of their responsibilities and roles; gain and maintain people's commitment.