ITauditSecurity’s CISA Study Guide

For a description of this guide, guidance on using it, and some warnings, see http://itauditsecurity.wordpress.com/2012/03/30/free-cisa-study-guide/

Table of Contents on next page

Copyright 2012, ITauditSecurity
Rev 2.0

NOTE: When this guide was created, the main sections of the exam were as follows:
• IS Audit process
• IT Governance
• Systems & Lifecycle Mgmt
• IT Service Delivery & Support
• Protection of Info Assets
• BCP and DRP
ISACA has since reorganized the sections, but that doesn’t affect the information itself.

Quick Review Info
Yellow highlight notes where ISACA emphasizes CISA must-know this
Blue highlight = good-to-know info

List of key items to recite from memory:
• 5 Task Statements - SPCCA
• 10 Knowledge Statements – SPGE – CRP - CCC
• 7 Code of Ethics – IPS PC DE
• 3 types of Standards
• 6 Project Mgmt – IP EMC
• Projects: Triple restraint: QRS & CDT
• 10 Audit Stages
• OSI – PDNTSPA
• TCP/IP – NDITA
• Capability Maturity Model – zeroIRDMO
• 6 SDLC – FRD DIP (don’t forget differences if software purchased)
• 6 Benchmarking – PROAAI

FREE CISA Study Guide from http://ITauditSecurity.wordpress.com

1 of 40

Table of Contents

Quick Review Info ... 1
IS Audit Process ... 5
    5 Task Statements - SPCCA ... 5
    10 Knowledge Statements – SPGE – CRP - CCC ... 5
    7 Code of Ethics – IPS PC DE ... 5
    Information Tech Assurance Framework (ITAF) ... 6
        3 types of Standards (+ Guidelines & Techniques = ITAF) ... 6
        Policy/Standards ... 6
    Misc Notes ... 6
    Project Mgmt ... 6
        Project Estimation ... 7
    10 Audit Stages ... 7
    Engagement Letter vs. Audit Charter ... 8
        Charter - RAA ... 8
        Sampling ... 8
    Open Systems Interconnect (OSI) Model ... 10
    IP Addresses (32 bits) ... 11
        Packet Switching ... 11
IT Governance ... 12
        CMM vs. ISO 15504 (SPICE) – PME PO ... 13
        Risk Management ... 13
        Business Process Reengineering (BPR) ... 13
        Risk Management ... 14
    Systems & System Development Life Cycle (SDLC) ... 15
        Alternatives to SDLC Project Organization ... 16
        Alternative Development Methods ... 17
        Physical Architecture Analysis (RADFFP) ... 18
    Change Control Procedures ... 19
        Change Management Auditing ... 19
        Emergency Changes ... 19
    Computer-aided Software Engineering (CASE) ... 19
        Key CASE Audit Issues ... 19
    Programming Languages ... 19
        Fourth-generation Languages ... 19
        4GL Types ... 20
    Application Controls ... 20
    Input Controls ... 20
        Input Control Techniques ... 21
    Processing Controls ... 22
    Output Controls ... 23
    Data Integrity ... 24
        Testing ... 24
        Data Integrity Requirements (ACID) ... 24
        Application Testing Methods ... 24
    Continuous Auditing Techniques ... 24
        E-commerce Risks ... 25
        EDI Controls ... 25
        Auditing EDI ... 26
        Digital Signatures ... 26
        Project Mgmt Organizational Alignment ... 28
IT Service Delivery & Support ... 28
    IS Operations ... 28
    IS Hardware ... 28
    IS Architecture & Software ... 28
        Database Management System (DBMS) ... 28
        Database Structures ... 29
    Networking ... 29
    Wireless ... 30
    TCP/IP (32-bit) ... 30
        System Control ... 30
Protection of Information Assets ... 31
        Key elements of Information Security Mgmt ... 31
        Inventory Classification ... 31
        Mandatory access control (MAC) ... 31
        Discretionary access control (DAC) ... 31
        Biometrics ... 31
        Bypassing Security Controls ... 32
    Wireless Security ... 32
    Firewalls ... 33
        Application Firewalls - 2 levels/types ... 33
        Stateful Inspection Firewalls ... 33
        Firewall implementations ... 34
    Intrusion Detection Systems (IDS) ... 34
        IDS Types ... 34
    Encryption ... 34
        Digital signatures ... 35
        Digital Envelope ... 35
        Encryption Risks ... 36
        Viruses ... 37
        VOIP ... 37
        Auditing Infosec Management Framework ... 38
        Computer Forensics (IPAP) ... 38
BCP/DRP ... 38
    Difference between ISACA book and Sybex ... 40

> IS Audit Process

5 Task Statements - SPCCA
• Develop & implement risk-based IS audit strategy
• Plan specific audits
• Conduct audits
• Communicate issues, risks, results
• Advise on risk mgmt & control practices

10 Knowledge Statements – SPGE – CRP - CCC
• Standards/Code of Ethics
• Auditing practices/techniques
• Techniques to gather/preserve evidence
• Evidence lifecycle (collection, protection, chain of custody)
• Control objectives & controls
• Risk Assessment
• Audit planning & mgmt
• Reporting/Communication
• CSA
• Continuous audit techniques

7 Code of Ethics – IPS PC DE
• Support the implementation of appropriate policies, standards, guidelines, and procedures for information systems. Support the use of best practices.
• Perform your duties with objectivity, due diligence and professional care in accordance with professional standards.
• Serve the interests of stakeholders in an honest and lawful manner that reflects a credible image upon your profession.
• Maintain privacy and confidentiality of information obtained during your audit except for required disclosure to legal authorities.
• Undertake only those activities in which you are professionally competent; strive to improve your competency.
• Disclose accurate results of all work and significant facts to the appropriate parties.
• Support ongoing professional education to help stakeholders enhance their understanding of information systems security and control.

Information Tech Assurance Framework (ITAF)
• Provides guidance on design, conduct, and reporting of IT audit & assurance
• Establishes IT audit standards
• Consists of General, Performance, and Reporting standards, Guidelines, Tools & Techniques (TBA)

3 types of Standards (+ Guidelines & Techniques = ITAF)
General – guiding principles for IT assurance profession
Performance – how to conduct IT assurance engagements
Reporting – address types of reports, means of communication, and info to be communicated

Policy/Standards
Policy, Standard, Procedure – mandatory
Guideline – discretionary

Misc Notes
Purpose of audit: challenge mgmt assertions and determine whether evidence supports mgmt claims
Types of audits:
• Internal – audit own organization, cannot use for licensing
• External – customer auditing your organization or you auditing supplier
• Independent – 3rd party audit used for licensing, certification, product approval
Compliance audit – verify presence or absence
Substantive audit – check the content/substance and integrity of a claim
Risk – the potential that a given threat will exploit vulnerabilities of an asset (or group of assets) and thereby cause harm to the organization
CobiT – Control Objectives for Information and Related Technology. A framework consisting of strategies, processes, and procedures for leading IT organizations.

Project Mgmt
Project is unique, progressive (planning starts high-level and gets more detailed), and has start and end dates.
Triple restraint: QRS
• Quality
• Resources (cost, time)
• Scope
3 project elements: CDT
• Cost/resources
• Deliverables
• Time/duration
5 Process groups/phases of project management – IP EMC
• Initiating (2 components: scope & authorization)
• Planning (detail scope, goals, deliverables)
• Executing
• Monitoring & Controlling
• Closing
Earned value – current value of work already performed in a project

wordpress. 4. outputs. failure. longest route.com 7 of 40 . 3. 6. Mostly likely. interfaces.-schedule & sequence in waterfall-style (MS Project). and Pessimistic PERT time estimate for each task: [O + P + 4 (M)] / 6 Timebox Management • Define and deploy software deliverables in short/fixed period of time • Prevents cost overruns or delays from scheduled delivery • Design/development shortened due to newer development tools/techniques 10 Audit Stages 1. 7. 2. shortest time estimate for completion) Activities on critical path have no slack time. files. serial view w/bars & diamonds o Shows concurrent and sequential activities o Show project progress and impact of completing a task early or late • PERT (Program Evaluation Review Technique)-illustrates relationships between planned activities o Critical path (minimum steps. 5.Project Estimation • • • Source Lines of Code (SLOC) – traditional method (also Kilo LOC or KLOC) – direct size-oriented measures Thousand Delivered Source Instructions (KDSI) – better with structured programming languages like BASIC. Approving audit charter/engagement letter Preplanning audit Risk Assessment Determine whether audit is possible Performing the actual audit Gathering evidence Performing audit tests Analyzing results Report Results Follow-up activities FREE CISA Study Guide from http://ITauditSecurity. 10. and likely completion o 3 hourly estimates for each task’s effort: Optimistic. 9. COBOL Function Point Analysis (FPA) – indirect measure • Based on number and complexity of inputs. 8. and user queries • Functions are weighted by complexity Project Diagramming • Gantt: resource details. activities w/ no slack time are on critical path Route on which a project can be shortened (accelerated) or lengthened (delayed) o Quantitative measure for risk analysis: risk of delays.

Engagement Letter vs. Audit Charter
Diff is auditor independence (external vs. internal audit)

Charter - RAA
• Responsibility – scope with goals/objectives
• Authority – right to access & audit
• Accountability – agreement between auditor/Audit Committee, reporting requirements

2 foundational audit objectives:
• Test control implementation to determine if adequate safeguards implemented
• Comply with legal requirements

Process technique – Shewhart - PDCA
1. Plan – plan or method?
2. Do – work match the plan?
3. Check – anyone monitoring the process? What is acceptable criterion?
4. Act – how are differences identified and dealt with?

Controls
• General – overall controls, all depts.
• Pervasive (technology)
• Detailed IS controls (tasks)
• Application (most detailed, lowest level controls)

Evidence Life Cycle – ICI SAP PR (chain of custody)
• Identification
• Collection
• Initial preservation
• Storage
• Analysis
• Post analysis preservation storage
• Presentation
• Return of evidence

Sampling
Statistical/Mathematical
• Random
• Cell – random selection at defined intervals
• Fixed interval – select every n + increment
Non-statistical
• Haphazard

Compliance Testing – presence/absence
Attribute sampling – is attribute present in sample? Specified by rate of occurrence
Stop & Go sampling – used when few errors expected. Auditor determines whether to stop testing or continue testing. Reduces effort, reduces overall sample size.
Discovery sampling – 100 percent sampling to detect fraud (ex: forensics).
Precision/expected error rate – acceptable margin of error between samples and subject population. Low error rate requires large sample.

Substantive Testing – content/integrity
Variable sampling – designating $ value or effectiveness (weight) of entire subject by prorating from a smaller sample (ex: weigh $50 bill and calculate value of stack of bills by total weight).
Unstratified mean estimation – projects an estimated total for entire population
Stratified mean estimation – calculate average by grouping items (all males, all females, all over 30)
Difference estimation – determine difference between audited and unaudited claims of value.
Audit coefficient – level of confidence re: audit results. 95% & higher = high degree of confidence
Attestation – providing assurance via your signature that document contents are authentic & genuine. Type 1 events occur before balance sheet date, Type 2 after (not auditor’s responsibility to detect subsequent events)
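The selection methods from the Sampling list (random, cell, fixed interval) and the variable-sampling estimators above (unstratified mean, stratified mean, difference estimation) can be run side by side on one population. The block below is an added example, not code from the study guide: the 60 invoice records, their book values and their "audited" values are constructed, and the function names are this example's own. It also shows why the choice of selection method matters: a fixed-interval start that happens to line up with a pattern in the population changes the projected misstatement.

```python
"""Audit sampling: selection methods and variable-sampling estimators.

Added example, not part of the study guide. The population is constructed;
the methods follow the guide's definitions.
"""
import random


def make_population(seed=7, size=60):
    """Constructed population of (item id, book value, audited value)."""
    rng = random.Random(seed)
    pop = []
    for i in range(size):
        book = rng.choice([120, 250, 400, 900, 2500])
        # every tenth item (ids 3, 13, 23, ...) carries a 50 overstatement
        audited = book - 50 if i % 10 == 3 else book
        pop.append((i, book, audited))
    return pop


def random_sample(pop, n, seed=1):
    """Statistical: simple random selection of n items."""
    return random.Random(seed).sample(pop, n)


def fixed_interval_sample(pop, n, start=0):
    """Statistical: every k-th item from a starting point, k = N / n."""
    k = len(pop) // n
    return [pop[(start + j * k) % len(pop)] for j in range(n)]


def cell_sample(pop, n, seed=1):
    """Statistical: split the population into n cells, pick one random item per cell."""
    rng = random.Random(seed)
    k = len(pop) // n
    return [rng.choice(pop[j * k:(j + 1) * k]) for j in range(n)]


def unstratified_mean_estimate(sample, population_size):
    """Project a total for the whole population from the sample's mean audited value."""
    mean_audited = sum(a for _, _, a in sample) / len(sample)
    return mean_audited * population_size


def stratified_mean_estimate(pop, sample, key):
    """Average within each stratum (group defined by key), scale by stratum size, sum."""
    total = 0.0
    for stratum in {key(item) for item in pop}:
        in_pop = [item for item in pop if key(item) == stratum]
        in_sample = [item for item in sample if key(item) == stratum]
        if not in_sample:
            continue  # a stratum with no sampled items cannot be projected
        mean_audited = sum(a for _, _, a in in_sample) / len(in_sample)
        total += mean_audited * len(in_pop)
    return total


def difference_estimate(pop, sample):
    """Mean (audited - book) difference in the sample, projected onto the book total."""
    mean_diff = sum(a - b for _, b, a in sample) / len(sample)
    book_total = sum(b for _, b, _ in pop)
    return book_total + mean_diff * len(pop)


if __name__ == "__main__":
    pop = make_population()
    print("book total:", sum(b for _, b, _ in pop))
    print("true audited total:", sum(a for _, _, a in pop))
    print("difference estimate, interval start 0:",
          difference_estimate(pop, fixed_interval_sample(pop, 10, start=0)))
    print("difference estimate, interval start 3:",
          difference_estimate(pop, fixed_interval_sample(pop, 10, start=3)))
    print("stratified by value band, random sample:",
          stratified_mean_estimate(pop, random_sample(pop, 15), key=lambda it: it[1]))
```

With interval k = 6 and start 0 the fixed-interval sample never hits an overstated item, so it projects no misstatement; starting at 3 it hits two of them and projects double the true misstatement. A random or cell selection avoids that systematic alignment, which is the practical reason the guide lists the statistical methods first.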

Open Systems Interconnect (OSI) Model
Provides standard interface at each layer; ensures each layer does not have to be concerned about the details of how other layers operate. Each layer is self-contained and can be updated without affecting other layers.
• Each layer communicates with the layer above and below it, as well as virtually with the same layer on the remote system

OSI memory phrase (read from the bottom up ↑): Please Do Not Throw Sausage Pizza Away

7 OSI Layers     | Memory phrase | Controls/Provides                                                              | Protocol                                    | Headers & Data | Communication type / device                      | 4 TCP/IP Layers (memory phrase)
7 – Application  | Away          | Standard interface to the network; problem solving                             | DNS; login screen                           | Message        | Gateway                                          | 4 – Application (To, Anchovies)
6 – Presentation | Pizza         | Format & data structure; encryption; translate & display; screen formatting    |                                             |                | App to App                                       | 4 – Application
5 – Session      | Sausage       | Communication sessions between applications                                    | RPC; SQL database session; NFS              |                | Host to Host                                     | 4 – Application
4 – Transport    | Throw         | Transmit & receive                                                             | TCP (confirmed delivery); UDP (un-confirmed) |               |                                                  | 3 – Transport (Throw)
3 – Network      | Not           | Routing; address to address                                                    | IP                                          | Packet         | Router                                           | 2 – Internet/Network (I)
2 – Data Link    | Do            | Flow control; error notification; order sequence; MAC address                  | NetBIOS; DHCP; PPP                          | Frame          | Switch/Bridge                                    | 1 – Link (LAN/WAN Interface) (Do, Nor)
1 – Physical     | Please        | Cable & voltage requirements; control electrical link between systems          |                                             | Signal         | Cable/Wireless; Hub/Repeater; Wifi Transmitter   | 1 – Link

MAC Address = 48-bit

Cables
• Coax – 185 meters, 2 pairs of wires
• UTP < 200 ft, 4 twisted pairs
• Fiber – dense wave multiplexing

Point-to-Point Protocol (PPP)
• Data link layer protocol for accessing remote network using IP over serial lines (replaced SLIP)

IP Addresses (32 bits)
Four IPs in each subnet are lost/reserved:
• Numeric name (e.g., 192.0.0.0) for routing table/network path
• Starting IP
• Ending IP (IPs in between start & end = IP address space)
• Broadcast IP
ARP = MAC address to IP address
DNS – Bootp using RARP!

VLANs (requires router to access other subnets)
• Port-based: specific port configured to a specific VLAN. Small networks
• MAC-based: ties MAC address into VLAN, reconfigures network port on switch
• Policy or rule-based: rule based on IP address or protocol in header. Switch ports reconfigure automatically

Dedicated Phone Circuits
• POTS – 56Kbs (half of ISDN circuit)
• Integrated Services Digital Network (ISDN) – 128Kbs, runs on POTS
• Primary trunk line (T1) – 28 POTS circuits, 1.544 Mbps, 23 channels of data, voice, video (conference)
• Digital Subscriber Line (DSL) – over POTS, 368 Kbps – 1.544 Mbps
• Charged by the mile

Packet Switching
• Eliminated need for dedicated lines (Internet is PS’d)
• Not limited by distance
• Source & destination known, path is not
• Charged according to packets transmitted, not distance
Examples
• X.25 – foundation of modern switched networks (not popular today)
  o Quality of Service (QOS)
  o Permanent Virtual Circuits (PVCs) – fixed path, replaced dedicated phone lines
  o Switched Virtual Circuits (SVCs) – path dynamic, constantly changing
• Frame relay – has PVC and SVC, 1.544 – 44.5 Mbps (replaced X.25)
  o Different format and functionality
  o Packets arrive out of sequence, are reassembled
• Asynchronous Transfer Mode (ATM)
  o High speed, 155 Mbps – 1 GBps
  o Cell switching and multiplexing ensures solid delivery
  o Multiple concurrent data paths
• Multiprotocol Label Switching (MPLS)
  o Protocol and routing table independent
  o Packet headers examined once (versus every hop in traditional layer 3 switching) and then assigned a stream/label that contains forwarding information
Dedicated Phone Circuits • POTS – 56Kbs (half of ISDN circuit) • Integrated Services Digital Network (ISDN) – 128Kbs.Point-to-Point Protocol (PPP) • Data link layer protocol for accessing remote network using IP over serial lines (replaced SLIP) IP Addresses (32 bits) Four IPs in each subnet are lost/reserved • Numeric name (e. 1. 192. 23 channels of data.

modify. no message delivery verification Remote Monitoring Protocol (RMON1) – monitors only Data Link/MAC layers and below Remote Monitoring Protocol 2 (RMON2) .Piconet – one trillionth or very small – Small wireless adhoc network – Bluetooth (PAN) Syslog – no message authentication/integrity.unlike Sniffer that monitors layers 1-3. RMON2 monitors all 7 OSI layers > IT Governance IT Governance – leading and monitoring IT performance & investment • • • Strategic alignment between IT & business Monitoring assurance practices for executive management Intervention to stop. or fix practices as they occur 3 IT Governance management levels: • Strategic (3+ yrs) • Tactical (6 months – 2 yrs) • Operational (daily) Balanced Scorecard – CB FG • • • • Customer Business process Financial Growth & Learning 3 layers that incorporate the 4 perspectives (MMS) • Mission • Metrics • Strategy 5 Capability Maturity Model (CCM) Levels – zero IRD MO • 13 to 25 months to move up a level • Idea started in auto assembly line FREE CISA Study Guide from http://ITauditSecurity.wordpress.com 12 of 40 .

procedures documented • Lessons learned • Standardization between departments • Objectives. Business efficiency 2. decision making • statistical process control ISO Incomplete Performed 2 Repeatable Documented Managed 3 Defined well documented and understood Established 4 Managed mgmt controls processes & adjusts Predictable 5 Optimized continually improved to reflect business needs Optimizing Risk Management Single Loss Expectancy (SLE) = Asset value (AV) $ * Exposure factor (EF) % Annual Loss Expectancy (ALE)$ = SLE * Annual Rate of Occurrence (ARO) Business Process Reengineering (BPR) 3 areas of improvement 1.CMM vs. firefighting Process unique and chaotic (people have most freedom and decision making) • Inspected quality • Project mgmt • Basic standards.com 13 of 40 . New requirements Guiding Principles • Think big  future process/end state • Incremental • Hybrid approach  top down view of strategy. bottom-up research FREE CISA Study Guide from http://ITauditSecurity. Improved techniques 3. processes.wordpress. qualitative measurements. improvement procedures • Portfolio mgmt • PMO • Predictable by quantitative measure (numeric measure of quality) • least freedom. ISO 15504 (SPICE) – PME PO # 0 1 Level Nothing Initial Description adhoc.

link each process to improvement strategy and organizational goals Business Impact Analysis – discovery of inner workings of a process • Process value • How process works. external customer needs Identify benchmarks. archive files. who does what • Shortcomings • Revenue created or supported • Project process lifetime Risk Management Single Loss Expectancy (SLE) = Asset value (AV) $ * Exposure factor (EF) % Annual Loss Expectancy (ALE) = SLE * Annual Rate of Occurrence (ARO) FREE CISA Study Guide from http://ITauditSecurity. TQM * When software is purchased rather than developed in-house BPR Rules • Fix only broken processes • Calculate ROI • Understand current process first • No leftovers Role of IS in BRP • Enable new processes by improving automation • Provide IT project mgmt tools to analyze process and define requirements • Provide IT support for collaboration tools. goals obtained? Lessons learned. Project Mgmt vs. activities. goals Stakeholder buy-in. then that of other businesses • Observe – visit benchmark partner. collect data • Analyze – identify gaps between own and benchmark partner’s processes • Adapt – translate findings into principles strategies action plans • Improve . roles. transition Post Implementation Monitor and review. alternatives Development/Configuration* Build prototypes Implementation Install systems. communication needs Design/Select* Determine solutions.Business Process Reengineering (BPR) vs. teleconference. sponsor. costs. SDLC Chart 6 BPR EIDRRE Envision Initiate Diagnose Redesign 5 Project Mgmt IP EMC Initiate 6 SDLC FRD DIP Waterfall method Feasibility Requirements Task Plan Execute Reconstruct Evaluate Manage and Control Close Scope. train. resources.wordpress. 
and specialized business user software • Help business integrate their processes with ERP Delphi technique – blind interaction of ideas between group members 6 Benchmarking Steps – PRO AAI • Plan – identify critical processes • Research – baseline data re: own processes.com 14 of 40 . pick a process.

> Systems & System Development Life Cycle (SDLC)

Verification/Validation Model (V-model)
• Identifies relationship between development and test phases
• Most granular test, unit test, validates detailed design phase

Development methodology
• Organization-centric: use SDLC
• End-user centric: alternate approaches

SDLC/Waterfall technique – FRD DIP
See chart under Business Process Re-engineering
• Feasibility
  o Identify the alternatives for addressing the business need
  o Business case that justifies proceeding to the next phase
  o Calculate ROI
  o Impact assessment – future effects on current projects/resources
• Requirements
  o Management/users must be involved
  o Identify stakeholders and expectations
  o Request for Proposal (RFP) process
  o Create project schedule and resource commitments
  o Create general preliminary design; use entity relationship diagram (ERD)
• Design/Select (When software is purchased rather than developed in-house, the stages are Select and Configuration)
  o Establish baseline of system, program, database specifications
  o Implement change control for scope creep – software baselining (design freeze), version numbering
  o Address security considerations
• Development/Configuration*
  o Includes all unit and system testing, iterations of user acceptance testing (UAT) in secure environment to protect against changes
  o Develop data conversion strategies
  o Train super users
  o QA activities, software QA plan, performed by IT, not functionality related. Application QA function focuses on documented specifications and technology used.
• Implementation
  o Final UAT
  o Certification – assessment of management, operational, and technical controls, used to reassess risks and update security plan
  o Accreditation process – management decision to authorize operation; involves accepting responsibility and accountability for system’s risks and system security
• Post Implementation
  o Assess whether system meets business requirements, application works as specified in logical design, has appropriate access controls, ROI achieved, lessons learned
  o ROI requires a few business cycles to be completed first
  o Info to be reviewed needs to be identified at project startup
Application QA function Focuses on documented specifications and technology used. application works as specified in logical design. ROI achieved. validates detailed design phase Development methodology • Organization-centric use SLDC • End-user centric alternate approaches SDLC/Waterfall technique . and technical controls.

Entity Relationship Diagram (ERD)
• Example: http://en.wikipedia.org/wiki/File:ER_Diagram_MMORPG.png
• Identifies relationships between system data
• Data modeling technique that describes information needs or the type of information to be stored in a database (helps design the data dictionary)
• Entity
  o Physical object such as a report, an event such as a sale or a repair service, or a concept such as a customer transaction or order (logical construct) – NOUNS
  o Attributes form the keys of an entity
  o Primary key uniquely identifies each instance of an entity
  o Represented by rectangular boxes
• Relationships
  o How entities are associated – VERBS
  o Foreign key is one or more entity attributes that map to primary key of related entity
  o Represented by diamonds

Testing
• Regression – rerunning a part of the test scenario to ensure changes have not introduced new errors
• Sociability – can system operate in target environment without impacting existing systems (memory, shared DLLs)

Alternatives to SDLC

Project Organization

Iterative Development
• Develop in iterations or increments, with feedback after each stage
• Now regarded as best practice; deals with development complexities and risks
• Examples
  o Evolutionary – create prototype to gather/verify requirements, explore design issues (called prototyping)
  o Spiral – uses series of prototypes that become more detailed; risk analysis precedes each prototype
  o Agile – developed in short, time-boxed iterations

Evolutionary (Prototyping) Development (also called Heuristic)
• Combines best of the SDLC with an iterative approach that enables developer and customer to react to risks at each iteration
• Focuses on prototyping screens and reports
• Disadvantages
  o Leads to system extras that were not included in initial requirements (could end up functionally rich but inefficient)
  o Poor controls (that normally come out of traditional SDLC)
  o Poor change control and documentation/approvals

Agile Development
• Process designed to handle changes to the system being developed or the project itself
• Scrum, 1990s
• Characteristics
  o Small, time-boxed iterations (plan and do 1 phase at a time)
  o Replanning at the end of each iteration (e.g., identify new requirements, reprioritizing)
  o Relies on head knowledge (vs. project documentation), frequent team meetings
  o Pair-wise programming: 2 people code same functions (knowledge share and quality check)
  o Uses tracer-bullet approach
  o Planning and control by team members; project manager = facilitator/advocate
  o Validate functionality via frequent build-test cycle to limit defects

Rapid Application Development (RAD)
• Well-defined methodology
• Evolutionary prototypes with rigid limits on development timeframes
• Small, well-trained team
• Integrated power tools for development
• Central repository
• Iterative requirements and design workshops
• Does NOT support planning or analysis of the info needs of business area/enterprise as a whole
• Stages: 1. Concept definition 2. Functional design 3. Development 4. Deployment

Alternative Development Methods
Development methods (data-oriented, object-oriented) are independent of the project organization model (evolutionary, spiral, agile, waterfall)

Data-Oriented System Development (DOSD)
• Focuses on data and their structure in prespecified formats for download or use in other systems
• Examples: stock, airline flight data
• Eliminates data transformation/converting errors

Object-Oriented System Development (OOSD)
• Data and procedure (instructions) are grouped in an object
• Data = attributes, functionality = methods (vs. SDLC, which addresses data separate from procedures)
• OOSD = programming technique, NOT a software development methodology: can be used in prototyping, spiral, etc.
• Objects are created from a template called a class, which contains characteristics of the class without reference to the data
• Polymorphism: ability of objects to interpret a message differently at execution depending on object's superclass
• First OOP languages: Simula67, Smalltalk; Java boosted acceptance of OOP
• Unified Modeling Language (UML)
• Major Advantages
  o Ability to manage unrestricted variety of data types
  o Ability to model complex relationships

Component-Based Development
• Outgrowth of OOD
• Definition: assembling applications from packages of executable software that make their services available through defined interfaces (i.e., objects, which can interact with one another regardless of language written in or OS running)
  o In process client components – run from within a container (e.g., web browser)
  o Stand-alone client components – applications that expose services to other software (e.g., Excel and Word)

  o Stand-alone server components – processes running on servers that provide standard services
  o In process server components – run on servers within containers, e.g., Microsoft's Transaction Server (MTS), Enterprise Java Beans (EJB)
• Initiated by RPCs or other network calls
• Supporting technologies:
  o Microsoft's Distributed Component Object Model (DCOM) – basis for ActiveX
  o Common Object Request Broker Architecture (CORBA)
  o Java via Remote Method Invocation (RMI)
  All of the above are distributed object technologies, which allow all objects on distributed platforms to interact. Also called middleware, which provides run-time services whereby programs/objects/components can interact.
• Benefits
  o Reduces development time & cost. Prewritten components have already been tested. Only have to code unique parts of the system.
  o Improves quality.
  o Simplifies reuse. Increases abstraction and shields low-level programming details.
  o Promotes modularity.
  o Supports multiple development environments as components can interact regardless of language or OS.
  o Allows combining build and buy components.
  o Allows developers to focus more on business functionality.

Web-Based Application Development
• Extensible Markup Language (XML) is key to development
• Simple Object Access Protocol (SOAP) is used to define APIs
  o SOAP works with any OS or programming language that supports XML
  o SOAP is simpler than RPCs in that modules are coupled loosely (can change one component without changing others)
• Web Services Description Language (WSDL) identifies the SOAP specification used for the module's API and formats the SOAP messages in/out of the module. Also identifies the web service available to be used.
• Universal Description, Discovery, and Integration (UDDI) is used to make an entry in the UDDI directory, which allows others to find and use the available web services

Reengineering – updating an existing system by extracting and reusing design and program components

Reverse Engineering
• Risks: software licenses usually prohibit it to protect trade secrets/programming techniques
• Decompilers depend on specific computers, OSs, and programming languages. Any changes to these require a new decompiler. No source required.

Physical Architecture Analysis (RADFFP)
• Review of existing architecture
• Analysis and design
• Draft functional requirements (start vendor selection)
• Function requirements
• Define final functional requirements
• Proof of Concept

Change Control Procedures

Change Management Auditing
• Program library access is restricted
• Supervisory reviews occur
• Changes are approved and documented
• Potential impact of changes is assessed
• User approves change
• Programming management reviews/approves change
• Implementation date on change request matches actual implementation date
• Distributed systems – changes are rolled out to all nodes (check for same version of software)
• Emergency Changes
  o Emergency ID use is logged and monitored
  o Normal change controls are applied, often retroactively

Computer-aided Software Engineering (CASE)
3 categories of CASE tools
• Upper CASE – describe and document business/application requirements
• Middle CASE – develop the detailed design: screen/report layouts, editing criteria, data object organization, process flow
• Lower CASE – generate code and database definitions (using upper and middle CASE output)

Key CASE Audit Issues
Functional design and data elements become the source code
• Users are involved
• CASE methodology is defined and followed
• Integrity of data between CASE products and processes is controlled and monitored
• Changes to the application are reflected in stored CASE product data
• Application controls are designed and included
• CASE repository is secured and version control implemented

Programming Languages
1st – machine language
2nd – assembly language
3rd – English-like
4th – embedded database interface; programmer selects program actions (aka pseudocoding or bytecoding)
5th – artificial intelligence; learning system/fuzzy logic/neural algorithms

Fourth-generation Languages
4GL Characteristics
• Nonprocedural language – event driven; uses OOP concepts of objects, properties, and methods
• Portable across OSs, computer architectures
• Software facilities – allows design/paint of screens, help screens, and graphical outputs
• Programmer workbench concepts (integrated development environment) – include filing facilities, text editing, temporary storage, prewritten utilities, OS commands
• Simple language subsets

4GL Types
• Query and report generators
• Embedded database 4GLs – FOCUS, RAMIS II, NOMAD 2
• Relational database 4GLs – included in vendor DBMS to allow better use of DBMS product: SQL+, MANTIS, NATURAL
• Application generators – generate lower-level programming languages (3GL) like COBOL and C

Application Controls
Definition: controls over input, processing, and output functions
Examples
• Edit tests
• Totals
• Reconciliations
• Identification/reporting of incorrect, missing, and exception data
Auditor tasks
• Identify significant application components and flow of transactions
• Gain understanding of the application through documentation review and interviews
• Identify application control strengths and weaknesses
• Test controls and evaluate control environment
• Review application efficiency/effectiveness, and whether it meets management objectives

Input Controls
Input Authorization
• Signatures on batch forms/source documents
• Online access controls ensuring only authorized users can access data and perform sensitive functions
• Unique passwords
• Terminal/workstation identification to limit clients that can access the application
• Source documents – should be prenumbered and controlled

Batch Controls and Balancing
• Definition: input transactions grouped together (batched) to provide control totals
Batch Controls
• Total $ amount
• Total items
• Total documents
• Hash totals – total of a meaningless, predetermined field (e.g., customer account numbers or zip codes) used to detect errors or omissions; does not ensure correct employees, pay rates, etc., only that nothing was lost or mis-keyed
Balancing Controls
• Batch registers – comparing manual batch totals against system reported totals
• Control accounts – control account use is performed via an initial edit to determine batch totals. After processing data to the master file, reconciliation is performed between the initial edit file totals and the master file.
• Computer agreement – application compares the batch totals recorded in the batch header with the calculated totals and accepts/rejects the batch
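Worked example for the batch controls and computer agreement above. This is added illustrative Python, not code from the study guide; the transactions, account numbers, amounts and the choice of employee account number as the hash-total field are constructed. It recomputes the three controls against a keyed batch header and, in the last scenario, shows the limit the notes warn about: a batch whose accounts were swapped between two documents balances perfectly and is accepted.

```python
"""Batch control totals and computer agreement.

Added example (not from the study guide). A clerk totals a constructed batch of
payroll transactions onto a batch header; the application recomputes the same
controls and accepts the batch only if every total agrees.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Trx:
    doc_no: str       # prenumbered source document
    account: str      # employee account number, the hash-total field
    amount: Decimal   # dollar amount


@dataclass(frozen=True)
class BatchHeader:
    total_amount: Decimal   # total $ amount
    item_count: int         # total items (here one item per document)
    hash_total: int         # sum of a meaningless field: the account numbers


CONTROLS = ("total_amount", "item_count", "hash_total")


def compute_controls(trxs):
    """Compute the three batch controls over a list of Trx."""
    return BatchHeader(
        total_amount=sum((t.amount for t in trxs), Decimal("0")),
        item_count=len(trxs),
        hash_total=sum(int(t.account) for t in trxs),
    )


def computer_agreement(header, trxs):
    """Compare the header's recorded totals with recalculated totals.

    Returns (accepted, [names of controls that disagree]).
    """
    calc = compute_controls(trxs)
    mismatches = [c for c in CONTROLS if getattr(calc, c) != getattr(header, c)]
    return (not mismatches, mismatches)


# Constructed sample batch and the header the clerk keyed from the same documents.
BATCH = [
    Trx("0001", "1001", Decimal("100.00")),
    Trx("0002", "1002", Decimal("250.50")),
    Trx("0003", "1003", Decimal("75.25")),
]
HEADER = compute_controls(BATCH)   # 425.75, 3 items, hash total 3006


def scenarios():
    """Run the batch through the control check under four keying outcomes."""
    clean = computer_agreement(HEADER, BATCH)
    # Account 1002 mis-keyed as 1020: $ total and item count still agree,
    # only the hash total moves.
    typo = [BATCH[0], Trx("0002", "1020", Decimal("250.50")), BATCH[2]]
    # One document never keyed: all three controls disagree.
    dropped = BATCH[:2]
    # Accounts of documents 1 and 2 swapped: every control still agrees, so the
    # batch is accepted although the wrong employees get paid. Batch totals
    # catch errors and omissions, not wrong-but-plausible values.
    swapped = [Trx("0001", "1002", Decimal("100.00")),
               Trx("0002", "1001", Decimal("250.50")),
               BATCH[2]]
    return {
        "clean": clean,
        "typo": computer_agreement(HEADER, typo),
        "dropped": computer_agreement(HEADER, dropped),
        "swapped": computer_agreement(HEADER, swapped),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:8s} accepted={ok} mismatches={why}")
```

Run it directly to print the four outcomes. Only the swapped-accounts batch is both wrong and accepted, which is why batch balancing is paired with the edit checks and key verification listed under Data Validation below rather than relied on alone.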

Error Handling and Reporting
Input Error Handling
• Reject only transactions (trx) with errors
• Reject the whole batch of trxs
• Hold the batch in suspense (until errors corrected)
• Accept the batch and flag error transactions

Input Control Techniques
• Trx log of all updates, verified to source documents
• Reconciliation of data
• Documentation – written evidence of user, data entry, and data control procedures
• Error correction procedures
  o Logging of errors
  o Timely corrections
  o Upstream resubmission
  o Approval of corrections
  o Suspense file
  o Error file
  o Validity of corrections
• Anticipation – user or control group anticipates the receipt of data
• Transmittal log of transmission or receipt of data
• Cancellation of source documents – punching or marking to avoid duplicate entry

Batch Integrity
• Batch established by time of day, specific terminal of entry, or individual who entered data
• Supervisor reviews batch and releases for processing

Data Validation/Editing Procedures
• Identifies errors, incomplete or missing data, and inconsistencies among related items
• Should occur as close to the time and point of origination as possible

Edits and Controls (types of checks)
• Sequence – control numbers are sequential
• Limit
• Range
• Validity
• Reasonableness
• Table lookups
• Existence
• Key verification – two people key the data and both sets are compared
• Check digit – detects transposition and transcription errors
• Completeness
• Duplicate
• Logical relationship
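Worked example for the edit checks listed above. This is added illustrative Python, not code from the study guide. It runs sequence, completeness, validity, range, limit, check digit, existence (table lookup), duplicate and logical-relationship edits over a constructed batch of invoice-entry records; the vendor master, the $10,000 limit and the records themselves are assumptions. The check digit is the mod-10 (Luhn) algorithm, which catches every single-digit transcription error and every adjacent transposition except 09/90.

```python
"""Input edit/validation routine.

Added example (not from the study guide). Runs several of the edit checks
listed above over a constructed batch of invoice-entry records and reports
which check each bad record fails. The check digit is mod-10 (Luhn), which
catches every single-digit transcription error and every adjacent
transposition except 09<->90. Vendor numbers and limits are assumed values.
"""
from datetime import date
from decimal import Decimal, InvalidOperation

REQUIRED = ("seq", "vendor", "invoice", "amount", "invoice_date", "due_date")
VALID_VENDORS = {"79927398713", "49927398716"}   # assumed vendor master (table lookup)
LIMIT = Decimal("10000.00")                       # assumed ceiling for the limit check


def luhn_check_digit(body: str) -> str:
    """Mod-10 check digit for a string of digits (Luhn)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct check digit for the rest."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])


def validate_batch(records):
    """Apply the edit checks to an ordered list of input records.

    Returns {seq: [names of failed checks]} for records failing at least one.
    """
    failures = {}
    seen = set()
    expected_seq = records[0]["seq"] if records else 1
    for rec in records:
        errs = []
        seq = rec.get("seq")
        if seq != expected_seq:                      # sequence
            errs.append("sequence")
        expected_seq = (seq if isinstance(seq, int) else expected_seq) + 1
        if any(rec.get(f) in (None, "") for f in REQUIRED):   # completeness
            errs.append("completeness")
        try:                                         # validity of the amount field
            amt = Decimal(str(rec.get("amount")))
        except InvalidOperation:
            amt = None
            errs.append("validity")
        if amt is not None:
            if amt <= 0:                             # range
                errs.append("range")
            elif amt > LIMIT:                        # limit
                errs.append("limit")
        vendor = rec.get("vendor") or ""
        if not luhn_valid(vendor):                   # check digit
            errs.append("check digit")
        elif vendor not in VALID_VENDORS:            # existence / table lookup
            errs.append("existence")
        key = (vendor, rec.get("invoice"))
        if key in seen:                              # duplicate
            errs.append("duplicate")
        seen.add(key)
        inv_d, due_d = rec.get("invoice_date"), rec.get("due_date")
        if inv_d and due_d and due_d < inv_d:        # logical relationship
            errs.append("logical relationship")
        if errs:
            failures[seq] = errs
    return failures


# Constructed input batch: record 1 is clean, the rest each carry keying errors.
SAMPLE = [
    {"seq": 1, "vendor": "79927398713", "invoice": "A100", "amount": "450.00",
     "invoice_date": date(2012, 3, 1), "due_date": date(2012, 3, 31)},
    {"seq": 2, "vendor": "79927398731", "invoice": "A101", "amount": "120.00",
     "invoice_date": date(2012, 3, 2), "due_date": date(2012, 4, 1)},   # ...13 keyed as ...31
    {"seq": 4, "vendor": "49927398716", "invoice": "B200", "amount": "25000.00",
     "invoice_date": date(2012, 3, 5), "due_date": date(2012, 3, 1)},   # seq gap, over limit, due before invoice
    {"seq": 5, "vendor": "79927398713", "invoice": "A100", "amount": "450.00",
     "invoice_date": date(2012, 3, 1), "due_date": date(2012, 3, 31)},  # record 1 keyed twice
]

if __name__ == "__main__":
    for seq, errs in validate_batch(SAMPLE).items():
        print(f"record {seq}: {', '.join(errs)}")
```

The routine reports every failed check per record rather than stopping at the first, which is what an error file or suspense file needs so corrections can be approved and resubmitted in one pass.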

Processing Controls
Ensure completeness and accuracy of accumulated data
Processing Control Techniques
• Manual recalculations
• Edit check
• Run-to-run totals
• Programmed controls (e.g., detects incorrect file or file version)
• Reasonableness verification of calculated amounts
• Limit checks on calculated amounts – check using predetermined limits
• Reconciliation of file totals
• Exception reports

Data File Control Procedures
• Ensures only authorized processing occurs
Data File Control Techniques
• Before and after image reporting – shows impact trxs have on data
• Maintenance error reporting and handling
• Source documentation retention
• Internal and external labeling of files, tapes
• Version usage (file or database)
• Data file security
• One-for-one checking – documents processed equals source documents
• Prerecorded input – some data preprinted on blank input forms to reduce entry errors
• Trx logs
• File dating and maintenance authorization
• Parity checking for transmission errors
  o Vertical/column check – check on a single character
  o Horizontal/longitudinal/row check – check on all the equivalent bits across the block
  Use of both checks recommended

4 Categories of data files or database tables
• System control parameters – control edits and exception flags, etc.; changes to these files should be controlled same as program changes
• Standing data – data that seldom changes, referred to during processing (e.g., vendor names & addresses). Changes should be authorized and logged.
• Master data/balance data – running balances and totals should be adjusted only under strict approval/review controls and logged
• Trx files – controlled via validation checks, control totals, batches, exception reports, etc.
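Worked example for the vertical and longitudinal parity checks above. This is added illustrative Python, not code from the study guide; the five-character message and the bit errors injected into it are constructed. Each 7-bit character carries an even parity bit (VRC) and the block ends with an LRC byte holding even parity per bit position, so the scenarios show exactly which error pattern each check misses and why the notes recommend using both.

```python
"""Vertical (VRC) and longitudinal (LRC) parity checks on a transmitted block.

Added example (not from the study guide). Each 7-bit character carries an even
parity bit (VRC, the column check); the block ends with an LRC byte holding
even parity over each bit position across all characters (the row check).
The scenarios show which errors each check catches and why both are used.
"""


def vrc_bit(char: int) -> int:
    """Even-parity bit over the 7 data bits of one character."""
    return bin(char & 0x7F).count("1") % 2


def lrc_byte(chars) -> int:
    """Even parity per bit position over all characters (XOR of the block)."""
    lrc = 0
    for c in chars:
        lrc ^= c & 0x7F
    return lrc


def frame(block: bytes):
    """Sender side: list of (character, VRC bit) plus the LRC trailer."""
    chars = [(b & 0x7F, vrc_bit(b)) for b in block]
    return chars, lrc_byte(c for c, _ in chars)


def check(chars, lrc):
    """Receiver side: (indexes failing VRC, True if LRC agrees)."""
    vrc_failures = [i for i, (c, p) in enumerate(chars) if vrc_bit(c) != p]
    return vrc_failures, lrc_byte(c for c, _ in chars) == lrc


def corrupt(chars, flips):
    """Return a copy with the given (index, bit) positions inverted in transit."""
    out = [list(cp) for cp in chars]
    for idx, bit in flips:
        out[idx][0] ^= 1 << bit
    return [tuple(cp) for cp in out]


BLOCK = b"AUDIT"   # constructed message


def scenarios():
    chars, lrc = frame(BLOCK)
    return {
        "intact": check(chars, lrc),
        # one bit in 'D': VRC on that character fails, LRC fails too
        "single_bit": check(corrupt(chars, [(2, 0)]), lrc),
        # two bits in the same character: its parity is unchanged, so VRC
        # passes, but two columns now have odd parity and LRC catches it
        "two_bits_same_char": check(corrupt(chars, [(2, 0), (2, 1)]), lrc),
        # the same bit position in two different characters: each VRC fails,
        # but the column parity is restored and LRC alone would have passed
        "same_bit_two_chars": check(corrupt(chars, [(0, 0), (1, 0)]), lrc),
    }


if __name__ == "__main__":
    for name, (bad_vrc, lrc_ok) in scenarios().items():
        print(f"{name:20s} VRC failures={bad_vrc} LRC ok={lrc_ok}")
```

Neither check locates or corrects an error on its own; together they detect any one-, two- or three-bit error in a block, and a failure triggers retransmission. Parity is a transmission-error control only: a deliberate alteration that also recomputes the parity bits passes, which is why the EDI and e-commerce sections later rely on message authentication codes and digital signatures instead.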

Output Controls
Ensures delivered data is presented, formatted, and delivered consistently and securely
• Logging and storage of negotiable, sensitive, and critical forms securely
• Computer generation of negotiable instruments, forms, and signatures
• Report distribution
  o All reports logged prior to distribution
  o Secure print spools to avoid deletion or redirection of print jobs
  o Restricted to certain IT resources, websites, or printers
  o Confidential disposal
• Balancing and reconciling
• Output error handling
• Output report retention
• Verification of receipt of reports

Risk Assessment of Application Controls
• Quality of internal controls
• Economic conditions
• Recent accounting system changes
• Time since last audit
• Prior audit results
• Complexity of operations
• Changes in operations/environment
• Changes in key positions
• Time in existence
• Competitive environment
• Assets at risk
• Staff turnover
• Trx volume and trends
• Regulatory agency impact
• Monetary volume
• Sensitivity of trxs
• Impact of application failure

User Procedures Review
• SOD – authority to do only one: origination, authorization, verification, distribution (DAVO)
• Authorization of input – written approval or unique passwords
  o Supervisor overrides should be logged and reviewed by mgmt
  o Excessive overrides may indicate validation/edit routines need improvement
• Balancing
• Error control and correction
• Distribution of reports
• Access authorizations and capabilities
  o Based on job description
  o Activity reports generated and reviewed (activities valid for user and occur during authorized hours of operation)
  o Violation reports of unauthorized activities or unsuccessful access attempts

Data Integrity Testing
• Cyclical testing – checking data against source documents, one section of data at a time. Whole file is eventually checked after multiple cycles.
• Data Integrity Tests
  o Relational – at data element and record levels; enforced through programmed data validation routines or by defining the input conditions (edits), or both
  o Referential – defines existence relationships between database elements (primary and foreign keys); all references to a primary key from another file (foreign key) must actually exist in the original file

Data Integrity Requirements (ACID)
• Atomicity – trx is completed entirely or not at all
• Consistency – maintained with each trx, taking the database from one consistent state to another
• Isolation – each trx is isolated and accesses only data that is part of a consistent database state
• Durability – trxs that are reported complete survive subsequent HW/software failures

Application Testing Methods
• Snapshot – records flow of designated trxs through logic paths within programs
• Mapping – identifies untested program logic and whether program statements have been executed
• Tracing & tagging – shows trail of instructions executed; tagging selected trxs and using tracing to track them
• Test data/deck
• Base case system evaluation – uses test data to verify correct system operations (extensive test)
• Parallel operation
• Integrated test facility – using fictitious file with test trxs that is processed with live data
• Parallel simulation – processing production data against simulated program logic
• Trx selection programs – uses audit software to screen and select trxs
• Embedded audit data collection – software embedded in production system used to select input and generated trxs during production
  o System control audit review file (SCARF) – auditor determines reasonableness of tests incorporated into normal processing; provides information for further review
  o Sample audit review file (SARF) – randomly selects trxs for analysis
• Extended records – gathers all data affected by a particular program for review

Continuous Auditing Techniques
• System control audit review file and Embedded Audit Modules (SCARF/EAM)
• Snapshots of data from input to output; trxs are tagged by applying identifiers and recording selected information for audit review
• Audit hooks – function as red flags; allow review before issues get out of hand
• Integrated test facility (ITF)
• Continuous and Intermittent Simulation (CIS) – system audits trxs that meet predetermined criteria

E-commerce Risks
• Confidentiality
• Integrity
• Availability
• Authentication and non-repudiation
• Power shift to customers

E-commerce Audit/Control Issues (Best Practices)
• Security architecture (firewalls, encryption, PKI, certificates, password mgmt)
• Digital signatures
• Public Key Infrastructure (PKI)
  o Framework for issuing, maintaining, verifying and revoking public key certificates by a trusted party
  o Key elements
    Digital certificates – public key and info about the owner that authenticates the owner (issued by trusted 3rd party). Includes distinguishing username, public key, algorithm, certificate validity period.
    Certificate Authority (CA) – trusted third party (some CAs also generate key pairs for subscribers) that confirms authenticity of the owner of the certificate (business) by issuing/signing the requestor's certificate with the CA's private key; normally the requestor generates its own key pair and the private key never goes to the CA
    Registration Authority (RA) – optional entity that some CAs use to record/verify business' information needed by a CA to issue/revoke certificates
    Certificate revocation list (CRL)
    Certification practice statement (CPS) – rules governing CA's operations, controls, validation methods, expectations of how certificates are to be used
• Log monitoring
• Methods and procedures to identify security breaches
• Protecting customer data to ensure not used for other purposes or disclosed without permission
• Regular audits of security and controls

EDI Risks
• Transaction authorization
• Business continuity
• Unauthorized access to transactions
• Deletion/manipulation of transactions before or after establishment of application controls
• Loss or duplication of EDI transmissions
• Loss of confidentiality or improper distribution of trx by 3rd parties

EDI Controls
• Message format and content standards to avoid transmission errors
• Controls to ensure transmissions are converted properly for the application software
• Receiving organization controls to ensure reasonableness of messages received, based on trading partner's trx history or documentation
• Controls to guard against manipulation of trxs in files and archives
• Procedures for ensuring messages are from authorized parties and were authorized
• Dedicated transmission channels between partners to prevent tapping
• Data is encrypted and digitally signed to identify source and destination
• Message authentication codes are used to ensure what was sent is received
• Error handling for trxs that are nonstandard or from unauthorized parties

• Business relationships are defined in a trading partner agreement identifying trxs to be used, responsibilities of both parties in handling/processing trxs, and business terms of the trxs

Auditing EDI
• Encryption processes ensure CIA and nonrepudiation of trxs
• Edit checks to identify erroneous, unusual, or invalid trxs prior to updating the application
• Edit checks to assess trx reasonableness and validity
• Trx are logged on receipt
• Control totals on receipt of trxs to verify number/value of trx to be passed to the application, and reconcile totals between applications and trading partners
• Segment count totals built into trx set trailers by sender
• Trx set count totals built into group headers by sender
• Validity of sender against trading partner details by:
  o Using control fields with a message at the trx, function, group, or interchange level, often within the EDI header, trailer, or control record
  o Using VAN sequential control numbers or reports, if applicable
  o Sending acknowledgement trx to sender to verify receipt; sender matches acks against a log of EDI messages sent

Digital Signatures
• Unique to each document; cannot be transferred or reused
• Verifies sender and that document has not been altered
• Based on message digest, a short, fixed-length number
  o Some messages have the same digest, but the message can't be produced from the digest
  o 128-bit cryptographic hash (the MD5-era size; current practice uses SHA-2 at 256 bits or more)
  o Similar to a checksum or fingerprint of the document
• DES (symmetric), RSA (asymmetric – public key)

Risk Management for e-banking
1. Board & mgmt oversight
2. Security controls
3. Legal and reputational risk management

Purchase Order Accounting functions
• Accounts payable processing
• Goods received processing
• Order processing

Artificial Intelligence
• Languages: LISP and PROLOG
• Primary components
  o Inference engine
  o Knowledge base – contains subject matter facts and rules for interpreting them
    Decision trees – questionnaires or choices users walk through
    Semantic nets – graph which describes relationships between the nodes
  o Explanation module
  o Database

• Also contains
  o Knowledge interface – allows entry of knowledge without needing a programmer
  o Data interface – enables system to collect data from nonhuman sources (other systems, like temperatures)
• Used in auditing!
• Errors in system have a bigger impact, especially in health care

Decision Support Systems
• Emphasizes effectiveness (right task/right decision) over efficiency (performing tasks quickly and reducing costs)
• G. Gorry-M.S. Morton framework – degree of structure in decision process & mgmt level making decision
  o Decision-structure: structured, semi-structured, unstructured; decision-structure depends on the extent it can be automated/programmed
  o Mgmt-level: operational control, mgmt control, and strategic planning
• Sprague-Carlson framework – family trees structure
• Motivated by end users
• Use 4GL

Critical Success Factors (CSF)
• Productivity
• Quality
• Economic value
• Customer service

Integrated Resource Management Systems
ERP

American Standard Code for Information Interchange (ASCII)
Extended Binary-Coded Decimal Interchange Code (EBCDIC)

Project Portfolio Management
Objectives
• Optimization of the results of the project portfolio
• Prioritizing and scheduling projects
• Resource coordination
• Knowledge transfer throughout the projects
PPM requires a PP database

Benefits Realization (Management) Techniques
• Describe benefits mgmt
• Assign measure/target
• Establish measuring/tracking regimen
• Document assumptions
• Establish key responsibilities for realization
• Validate the benefits predicted in the business case
• Plan the benefit to be realized
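Worked example for the Digital Signatures notes above (and the message authentication codes listed under EDI Controls). This is added illustrative Python, not code from the study guide. It implements hash-then-sign with textbook RSA over a SHA-256 message digest, generating its own keys with a Miller-Rabin primality test, and puts an HMAC beside it for contrast; the purchase-order text, the seeds and the 1024-bit key size are assumptions. There is no PKCS#1 padding, so this is a demonstration of the mechanism rather than a production signature scheme.

```python
"""Digital signature over a message digest, with a MAC for contrast.

Added example (not from the study guide). Textbook RSA (hash-then-sign,
no PKCS#1 padding, so demonstration only) over a SHA-256 digest; the page's
128-bit digest would be MD5, which is no longer acceptable. Key generation
uses Miller-Rabin primality testing; primes are 512 bits each by default.
The sample document and seed are constructed.
"""
import hashlib
import hmac
import random


def _is_probable_prime(n: int, rng, rounds: int = 32) -> bool:
    """Miller-Rabin test; small-prime trial division first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits: int = 1024, seed=None):
    """Return ((n, e), (n, d)). A seed gives a repeatable demo key; omit it
    to draw from random.SystemRandom instead."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:      # e is prime, so this gives gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def message_digest(doc: bytes) -> int:
    """Fixed-length fingerprint of the document (SHA-256, 256 bits)."""
    return int.from_bytes(hashlib.sha256(doc).digest(), "big")


def sign(private_key, doc: bytes) -> int:
    n, d = private_key
    return pow(message_digest(doc), d, n)      # digest < n for these key sizes


def verify(public_key, doc: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == message_digest(doc)


def mac(shared_key: bytes, doc: bytes) -> str:
    """HMAC: detects alteration, but either holder of the key could produce it,
    so unlike the signature it gives no nonrepudiation."""
    return hmac.new(shared_key, doc, hashlib.sha256).hexdigest()


def scenarios():
    pub, priv = generate_keypair(seed=2012)
    other_pub, _ = generate_keypair(seed=2013)
    doc = b"Purchase order 4711: 120 units at 9.50 each, ship by 2012-04-30"
    altered = doc.replace(b"120 units", b"1200 units")
    sig = sign(priv, doc)
    return {
        "genuine": verify(pub, doc, sig),                          # sender and content confirmed
        "altered_doc": verify(pub, altered, sig),                  # document changed after signing
        "reused_on_other_doc": verify(pub, b"Purchase order 4712", sig),  # signature not transferable
        "wrong_signer": verify(other_pub, doc, sig),               # verifies only with the signer's key
        "mac_detects_change": mac(b"k", doc) != mac(b"k", altered),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} {result}")
```

Only the genuine case verifies: altering one field, moving the signature to another document, or checking against someone else's public key all fail, which is the "unique to each document, cannot be transferred or reused" property. The HMAC line shows why the EDI notes list MACs and signatures separately: a MAC proves integrity between two parties sharing a key, but cannot prove to a third party which of them sent the message.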

Project Mgmt Organizational Alignment
  Method      Authority                         Style
  Influence   Not formal                        Advise on which activities to complete
  Pure        Formal                            Special work area
  Matrix      Shared between PM & dept heads

ISO – Intern'l Org for Standardization – creates intern'l standards
ISO 15504 – PME PO / Software Process Improvement and Capability Determination (SPICE) – see CMM
ISO 9001 – quality mgmt
• Requires quality manual, trained staff, managed to improve competency
ISO 9126 Software Quality Metrics – FUR PEM
• Functionality of the software processes
• Usability (ease of use)
• Reliability with consistent performance
• Portability between environments
• Efficiency
• Maintainability for modifications
ISO 15489:2001 – Records Mgmt/Retention
• Supports compliance with ISO 9001 (quality mgmt) and ISO 14001 (environmental mgmt)
• Includes fundraising campaigns
• Used to determine liability and sentencing during prosecution
• Requires data classification

Decision Making
• Critical success factors
• Scenario planning

> IT Service Delivery & Support

IS Operations
• Resource allocation
• Standards & procedures
• Process monitoring

IS Hardware
CPU = arithmetic logic unit (ALU), control unit, and internal memory

IS Architecture & Software
Database Management System (DBMS)
Primary Functions
• Reduced data redundancy
• Decreased access time
• Security over sensitive data

Data Dictionary/Directory System
• Contains index and description of all items stored in database
• Defines and stores source and object forms of all data definitions in schemas and all associated mappings
• One DD/DS can be used across multiple databases

Database Structures
• Hierarchical
  o Data arranged in parent/child relationships
  o One-to-many mappings
  o Results in duplicate data
  o Easy to implement, modify, and search
  o No high-level query capability; have to navigate the database
• Network
  o Data arranged in sets (owner record type, member record, name)
  o One-to-many or one-to-one mappings
  o Sets can have the same member record type
  o Very complex
  o No high-level query capability; have to navigate the database
• Relational
  o Based on sets and relational calculations (dynamic database)
  o Data organized in tables (collection of rows): row/tuple = record; columns/domains/attributes = fields
  o Properties: values are atomic; rows are unique; sequence of columns and rows insignificant; allows control over sensitive data
  o Easy to understand, query, modify
  o Normalization – minimizing amount of data needed and stored by eliminating data redundancy and ensuring referential integrity

Networking
Baseband – single channel, half-duplex, entire capacity used to transmit one signal
Broadband – multiple channels, full duplex, multiple signals
Bridge – data link layer 2 device used to connect LANs or create separate LAN or WAN segments to reduce collision domains
Router – like bridges/switches, they link physically separate network segments. Can connect LAN and WAN. Block broadcast data. Router does packet-switching using a microprocessor (software-based, less efficient than switches); a layer 3 switch does switching using ASIC hardware.
Layer 4 switch – switches based on layer 3 addresses and application information (such as port #s) to provide policy-based switching
Layer 4-7 switches – used for load balancing
Gateways – protocol converters, used between LANs and mainframes or LANs and Internet

Synchronous transmission – bits transmitted at constant speed. Sending modem uses a specific character when it starts sending a data block to synchronize the receiving device. Provides maximum efficiency.
Asynchronous transmission – sender uses start and stop bits before and after each data byte. Lower efficiency.

Multiplexing – dividing physical circuit into multiple circuits by:
• Time-division – regardless of whether data is ready to transmit
• Asynchronous time division – dynamically assigned time slots as needed for transmission
• Frequency – based on signal frequency
• Statistical – dynamic allocation of any data channel based on criteria

Wireless
Wi-fi Protected Access (WPA) – wireless security protocol
Wireless Application Protocol (WAP) – multi-layered protocol and technologies that provide Internet content to mobile wireless devices (phones and PDAs)

TCP/IP (IPv4 addresses are 32-bit)
• Includes network and application support protocols
• Network layer 3 = IP
• Transport layer 4 = TCP/UDP

Common Gateway Interface (CGI) script – machine-independent code run on a server that can be called & executed by a web server; performs tasks such as processing input received from a web form
Applets – programs downloaded from web servers that run applications in browsers (most popular ones use Java, JavaScript, Visual Basic)
Servlet – small program that runs in the web server, similar to a CGI program but simpler. Unlike CGI, servlets stay in memory and can serve multiple requests.
Middleware – software used by client/server applications to provide communications and other services between applications, systems, directories, and devices
• Services include identification, authentication, authorization, and security
• Resides between the application and the network
• Manages the interaction between the GUI and the database back-end

System Control
First level of control in a computer is the privileged supervisory user (root/admin).
Operating System States
• Supervisory – security front end not loaded; requests are run at highest authority level without security controls
• General user/problem – security is active; system is solving problems for user
• Wait – computer busy and unable to respond to additional requests

> Protection of Information Assets
Risk – What can happen if a threat exploits a vulnerability.
Threat – Who or what can cause an undesirable event.
Vulnerability – How a weakness in technology or organizational process can be exploited by a threat.
Key elements of Information Security Mgmt
• Senior mgmt commitment & support
• Policies and procedures
• Organization (define who is responsible for protection)
• Security awareness & education
• Monitoring and compliance
• Incident Handling & response
Inventory Classification
• Identification of the asset (hardware, software, data)
• Relative value to the organization
• Location
• Security risk/classification
• Asset group, if asset forms part of larger system
• Owner
• Custodian
Logical security layers
• Networks
• Platforms (OS)
• Applications
• Databases
Mandatory access control (MAC)
• Control that cannot be changed by normal users or data owners; they act by default, prohibitive
• Changed by admins making decisions derived from policy
• Example: password complexity requirements
Discretionary access control (DAC)
• Controls that CAN be changed by normal users/data owners
• Example: access to departmental shared folder on server
Pharming – redirecting web site traffic to a bogus site via changes in DNS or a user’s host file
Biometrics
• Something you are (fingerprint) or do (typing behavior)
• Quantitative measures (% rate)
o False rejection rate (FRR, type I) – person falsely rejected access
o Failure to enroll rate (FER) – person fails to enroll successfully
o False acceptance rate (FAR, type II) – unauthorized person allowed access
o Increase in type I rate decreases the type II rate & vice versa

• Equal error rate (EER) – point at which FRR & FAR are equal. The lower the measure, the more effective the biometric
o Best response times and lowest EER: palm, hand, iris, retina, fingerprint, voice
• Palm* – ridges and valleys
• Hand geometry* – oldest, hand and fingers, 90 measurements
• Iris – color patterns around pupil, 260 characteristics, high cost
• Retina – blood vessel pattern, requires close proximity, high cost
• Fingerprint – low cost, size, ease of integration
• Face – acceptable/friendly, no physical contact, 3D, but lack of uniqueness
* Socially accepted, low storage cost
Single Sign-on (SSO)
• Consolidation of platform-based administration, authentication, and authorization functions into a single, centralized function
• Example: Kerberos, developed at MIT, Project Athena
Bypassing Security Controls
Only system software programmers should have access to:
• Bypass label processing (BLP) – bypasses the reading of the file label, and so bypasses the associated security on the file, on which most access control rules are based
• System exits – system software feature that allows complex system maintenance. Exits often exist outside of the computer security system, so they are not restricted or logged.
• Special system logon IDs – vendor provided
Wireless Security
9 categories of overall security threats
1. Errors and omissions
2. Fraud and theft by authorized/unauthorized users
3. Employee sabotage
4. Loss of physical and infrastructure support
5. Malicious hackers
6. Industrial espionage
7. Malicious code
8. Foreign government espionage
9. Personal privacy threats
Main Wireless Threats
1. Theft
2. DOS
3. Malicious hackers
4. Industrial espionage
5. Malicious code
6. Foreign government espionage
7. Theft of service
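The FAR/FRR trade-off and the equal error rate from the biometrics notes above, worked through in Node.js as an added example (not from the study guide). The match scores are constructed sample data; the 0..100 similarity scale and the accept-at-or-above-threshold rule are assumptions.

```javascript
// Biometric FAR / FRR trade-off and equal error rate (EER).
// Constructed sample matcher scores on a 0..100 similarity scale (not real
// biometric data). A presentation is accepted when score >= threshold.
const GENUINE_SCORES = [62, 70, 74, 78, 81, 85, 88, 90, 93, 97];
const IMPOSTOR_SCORES = [10, 22, 31, 40, 47, 55, 63, 69, 72, 80];

// False acceptance rate (type II error): impostors at or above the
// threshold are wrongly admitted.
function far(impostor, threshold) {
  return impostor.filter((s) => s >= threshold).length / impostor.length;
}

// False rejection rate (type I error): genuine users below the threshold
// are wrongly turned away.
function frr(genuine, threshold) {
  return genuine.filter((s) => s < threshold).length / genuine.length;
}

// One row per candidate threshold. Reading down the rows shows the inverse
// relation the guide notes: raising the threshold lowers FAR and raises FRR.
function errorCurve(genuine, impostor) {
  const thresholds = [...new Set([...genuine, ...impostor])].sort((a, b) => a - b);
  return thresholds.map((t) => ({
    threshold: t,
    far: far(impostor, t),
    frr: frr(genuine, t),
  }));
}

// Threshold where FAR and FRR meet (or come closest) and the error rate
// there. A lower EER means a more effective biometric.
function equalErrorRate(genuine, impostor) {
  let best = null;
  for (const p of errorCurve(genuine, impostor)) {
    const gap = Math.abs(p.far - p.frr);
    if (best === null || gap < best.gap) {
      best = { gap, threshold: p.threshold, eer: (p.far + p.frr) / 2 };
    }
  }
  return { threshold: best.threshold, eer: best.eer };
}

// The two ends of the trade-off: the loosest threshold that still admits
// no impostor, and the strictest one that still rejects no genuine user.
function tradeOffSummary(genuine, impostor) {
  const curve = errorCurve(genuine, impostor);
  const strictest = curve.find((p) => p.far === 0);
  const mostLenient = [...curve].reverse().find((p) => p.frr === 0);
  return { strictest, mostLenient };
}
```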

Security Requirements
• Authenticity – verification that message not changed in transit
• Nonrepudiation – verification of origin or receipt of message
• Accountability – actions traceable to an entity
• Network availability
Scanners – strobe, jakal, asmodeous
Install local firewall, turn off scripting
Firewalls
3 types of firewalls
• router packet filtering
• application
• stateful inspection
Router packet filtering
• first generation
• examines header (source/destination IP, port number) at network layer
• simple, stable performance
• allows direct exchange of packets between outside/inside systems
Miniature fragment attack – fragment the IP packet into smaller ones; the first packets will be examined, and the rest won't
• Caused by default setting that passes residual packets
• Firewall should drop fragmented packets or offset value = 1
Application Firewalls – 2 levels/types
• application-level
• circuit-level
• Neither allow the direct exchange of packets between outside/inside systems
• Can secure, modify, and log all packets
• Provide NAT
Application level
• analyzes traffic through a set of proxies, one for each service: http, ftp, etc.
• can reduce network performance
Circuit-level
• analyzes traffic through a single, general-purpose proxy
• more efficient, but rare
Stateful Inspection Firewalls
• Tracks destination address of packets leaving network, prevents initiation of attacks from outside
• Tracks connection-oriented and connectionless packets like UDP
• More efficient, faster firewall as packets are not examined in deep OSI layers
Bastion hosting: Handle all requests and are highly fortified
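The packet-filter rule against the miniature fragment attack, as an added Node.js example (not from the study guide). It decodes the fragmentation fields of a raw IPv4 header and applies either of the two remedies listed above; the test packets are constructed, and the 10.0.0.x addresses, TTL and TCP protocol number are arbitrary sample values.

```javascript
// Packet-filter check for the miniature fragment attack.
// IPv4 fixed header layout used here: byte 0 = version/IHL, bytes 2-3 =
// total length, bytes 6-7 = 3 flag bits + 13-bit fragment offset (in 8-byte
// units), byte 9 = protocol, bytes 12-15 / 16-19 = source / destination.

// Decode the fragmentation fields a stateless packet filter must read before
// it knows whether the transport ports it rules on are even in this packet.
function parseIPv4Fragment(pkt) {
  if (pkt.length < 20 || pkt[0] >> 4 !== 4) {
    throw new Error('not a complete IPv4 header');
  }
  const flagsFrag = pkt.readUInt16BE(6);
  return {
    moreFragments: (flagsFrag & 0x2000) !== 0,
    fragOffset: flagsFrag & 0x1fff, // 1 means the fragment begins at byte 8
  };
}

// The guide's two remedies: drop the fragment whose offset value is 1, or
// drop every fragmented packet.
const Policy = Object.freeze({ DROP_OFFSET_ONE: 'offset-one', DROP_ALL_FRAGMENTS: 'all' });

// Returns 'pass' or 'drop'. An offset of 1 means this fragment starts only
// 8 bytes into the transport header, so the first fragment was too short to
// carry the TCP/UDP ports the filter checks. Malformed input fails closed.
function verdict(pkt, policy = Policy.DROP_OFFSET_ONE) {
  let h;
  try {
    h = parseIPv4Fragment(pkt);
  } catch {
    return 'drop';
  }
  const fragmented = h.moreFragments || h.fragOffset !== 0;
  if (h.fragOffset === 1) return 'drop';
  if (policy === Policy.DROP_ALL_FRAGMENTS && fragmented) return 'drop';
  return 'pass';
}

// Build constructed test packets (not captured traffic): TCP from 10.0.0.1
// to 10.0.0.2 with the given fragmentation fields and payload.
function buildIPv4(moreFragments, fragOffset, payload = Buffer.alloc(0)) {
  const pkt = Buffer.alloc(20 + payload.length);
  pkt[0] = 0x45; // version 4, IHL 5 (20-byte header)
  pkt.writeUInt16BE(pkt.length, 2);
  pkt.writeUInt16BE((moreFragments ? 0x2000 : 0) | (fragOffset & 0x1fff), 6);
  pkt[8] = 64; // TTL
  pkt[9] = 6; // protocol: TCP
  Buffer.from([10, 0, 0, 1]).copy(pkt, 12);
  Buffer.from([10, 0, 0, 2]).copy(pkt, 16);
  payload.copy(pkt, 20);
  return pkt;
}
```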

Firewall implementations
Screened host
• packet filtering router and bastion host
• Includes application firewall/proxy services
• bastion host is on private network, packet filtering router is between Internet and private network
• Requires compromise of two systems
Dual homed firewall
• More restrictive version of the screened host firewall, a dual-homed bastion host
DMZ or screened-subnet firewall
• Uses 2 packet filtering routers and bastion host
• Provides network (packet filtering) and application-level security with a DMZ network
• Inside router manages DMZ access to the internal network, accepting traffic only from the bastion host
• Requires compromise of 3 hosts, hides internal network addresses
Hardware firewalls faster, but not as flexible or scalable
Software firewalls slower, but more scalable
Intrusion Detection Systems (IDS)
• Monitor network anomalies
• Network-based
• Host-based – monitor modification of programs, files, detect privileged command execution
• Components
o Sensors that collect data
o Analyzers that receive input and determine intrusive activity
o Administrative console
o User interface
IDS Types
• Signature-based
• Statistical-based – must be configured with known and expected system behaviors
• Neural networks – monitors general activity, similar to statistical-based, but capable of self-learning
IDS cannot help with
• Policy definition weaknesses
• Application-level vulnerabilities
• Backdoors in applications
• Identification and authentication scheme weaknesses
Encryption
Key elements
• Encryption Algorithm
• Encryption Keys
• Key length
Private Key Systems

• Symmetric – 1 key encrypts and decrypts
• Less complicated, faster
• Problem is distributing key safely
• RC2, RC4, DES, IDEA, AES
Data Encryption Standard (DES) 64-bit block cipher
• 56-bit key (8 extra bits for parity checking)
• Replaced by AES 128-256 bit key (Rijndael → invented by Rijmen and Daemen)
o Symmetric block cipher
o Unlike DES, Rijndael has variable block and key length
o Based on round operations
Public Key Systems
• Asymmetric – 2 keys, one encrypts, other decrypts
• Keys created by integer factorization
• Used to encrypt symmetric keys and for digital signatures
• RSA (Rivest, Shamir, Adleman invented in 1977), Diffie-Hellman, DSA, Fortezza
Encrypt with public key, decrypt only with private key – confidentiality (read only by receiver)
Encrypt with private key, decrypt with public key – authentication and non-repudiation
Encrypt with private key, then public key – confidentiality, authentication, and non-repudiation
Elliptical Curve Cryptography (ECC)
• Public key variation using discrete logarithm using elliptical curve (2 points on curve)
• Works with networked computers, wireless phones, smart cards, mobile devices
• Less computational power, more security per bit (160-bit ECC = 1024-bit RSA)
Quantum Cryptography
• Uses interaction of light pulses, polarization metrics
Digital signatures
• Uses public key algorithm to ensure identity of sender and integrity of the data
• Hash algorithm creates message digest, smaller version of the original message
• Changes variable length messages into a fixed, 128-bit length digest
• Hashes are one-way functions, can't reverse
o MD5, SHA-1, SHA-256
• Digital signature encrypted by sender's private key; receiver decrypts with public key, then recomputes a digital signature and compares it to the original signature
• Ensure data integrity, authentication, and non-repudiation (but not confidentiality)
• Vulnerable to man-in-the-middle attack
Digital Envelope
• Contains data encrypted with symmetric key and the session key (which is the symmetric key, encrypted with the receiver's public/asymmetric key)
• Receiver's private key used to decrypt session key (symmetric key); symmetric key used to decrypt data
• Uses asymmetric keys to protect the data integrity, authentication, and non-repudiation gained by symmetric key

Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
• Session or connection-layered protocol
• Provides end point authentication and confidentiality
• Typically, only the server is authenticated (including the client requires PKI deployment)
• Phases
o Algorithm negotiation
o Exchange of public key and certificate-based authentication
o Symmetric cipher-based traffic encryption
• Runs on layers beneath application protocols HTTP, SMTP, NNTP and above the TCP protocol
• Uses hybrid of hashed, private, and public key cryptography to provide confidentiality, integrity, authentication (between client & server), and non-repudiation
IPSec
• Runs at the network layer
• Used for communicating between two or more hosts, subnets, or hosts and subnets (establishes VPNs)
• Transport mode – only data portion of packet (encapsulation security payload (ESP)) is encrypted – confidentiality
• Tunnel mode – ESP payload (data) and header are encrypted. Additional authentication header (AH) provides non-repudiation
• Uses security associations (SAs) to define the security parameters to use (algorithms, keys, initialization vectors, etc.)
• Using asymmetric encryption via Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley) increases IPSec security by using key management, negotiation, uses of SAs, public keys, etc.
SSH
• Runs at application layer
• Client/server program for encrypting command-line shell traffic used for remote logon and management
• Used to secure telnet and ftp
Secure Multipurpose Internet Mail Extensions (S/MIME)
• Email protocol authenticating sender and receiver
• Verifies message integrity and confidentiality, including attachments
Secure Electronic Transactions (SET)
• Visa/MasterCard protocol used to secure credit card transactions
• Application protocol using PKI of trusted 3rd party
Encryption Risks
• Secrecy of keys is paramount
• Randomness of key generation relates to how easily a key can be compromised
• Tying passwords to key generation weakens the key’s randomness, so important to use strong passwords

Viruses
• Attached to programs
• Self-propagating to other programs
• Attack EXEs, boot & system areas, file directory system, data files
Worms
• Does not attach to programs
• Propagates via OS security weaknesses
Virus/Worm controls – policies (preventative) and antivirus software (detective)
• Backups = vital control
VOIP
• Replaces circuit switching (and associated waste of bandwidth) with packet switching
• Secure VOIP similar to data networks (firewalls, monitor for DoS, encryption)
• Network issues take down phones also, so backup availability a big issue
• VLANs should be used to segregate VOIP infrastructure/traffic
• Session Border Controllers (SBCs) provide VOIP security similar to firewalls by monitoring VOIP protocols; provide network address and protocol transition features
Private Branch Exchange (PBX)
• In-house phone company for organization, allows 4-digit dialing, saves cost of individual phone lines to phone company’s central office
• PBX security different from normal OS security
o External access/control by 3rd party for updates/maintenance
o Richness of features available for attacks
PBX Controls
• Physically secure PBX and telephone closets
• Configure and secure separate and dedicated admin ports
• Control direct inward dial (DID) lines to avoid external parties getting dial tone for free long-distance calls
• Block certain long-distance numbers
• Control numbers destined for faxes and modems
• Use call-tracking logs
• Maintenance out of Service (MOS) – signaling communication is terminated on PBX, but line may be left open for eavesdropping
• Embedded passwords can be restored when system rebooted during crash recovery

Auditing Infosec Management Framework
• Policies/Procedures, including Logical Access Security Policies
• Security Awareness and training
• Data ownership: owners, custodians, security administrator
• New IT users (sign document regarding security policies/procedures)
• New Data Users
• Documented user authorization
• Terminated users
• Security baseline
• Inventory (devices, applications, data)
• Antivirus
• Passwords
• Patching
• Minimizing services (turn off unneeded)
• Addressing vulnerabilities
• Backups
Computer Forensics (IPAP)
• Identify – information
• Preserve – retrieving data, documenting chain of custody
▪ Who had access to the data
▪ How evidence gathered
▪ Proving that analysis based on copies of original, unaltered evidence
• Analyze
• Present
> BCP/DRP
Starts with risk assessment
• People, data, infrastructure, and other resources that support key business processes
• Dangers and threats to the organization
• Estimated probability of threat occurrence
BCP includes
• DRP plan
• Plan to restore operations to normal following disaster
• Improvement of security operations
BCP Lifecycle
• Create BCP policy
• Business Impact Analysis (BIA)
• Classify operations and criticality
• Identify IS processes that support business criticality
• Develop BCP and IS DRP
• Develop resumption procedures
• Training and awareness programs
• Test and implement plan
• Monitoring

BCP Policy
• Should encompass preventative, detective, and corrective controls
• BCP most critical corrective control
• Incident management control
• Main severity criterion is service downtime
• Media backup control
BIA identifies:
• Different business processes & criticality
• Critical IS resources supporting critical business processes
• Critical recovery period before significant or unacceptable losses occur
Recovery point objective (RPO) – based on acceptable data loss; date/time or synchronization point to which systems/data will be restored; earliest time in which it is acceptable to recover.
Recovery time objective (RTO) – based on acceptable downtime; earliest time when business operations must resume.
Interruption window – how long a business can wait before operations resume (after this point, losses are unaffordable)
Maximum Tolerable Outage (MTO) – maximum time business can operate in alternate processing mode before other problems occur
Service delivery objective (SDO) – acceptable level of services required during alternate processing
Recovery Alternatives
• Hot site – fully configured and ready to operate within hours. Not for extended use.
• Warm site – partially configured (network and peripheral devices, but no main computers). Site ready in hours, operations ready in days or weeks.
• Cold site – has basic utilities, ready in weeks.
• Redundant site – dedicated, self-developed sites.
• Mobile site – data center in a box
• Reciprocal agreements with other businesses
Redundant Array of Inexpensive/Independent Disks (RAID)
• Level 0 – striped disk array, no fault tolerance, stripes multiple disks into one volume (faster when software based)
• Level 1 – mirroring, 2 drives, half the space (faster when software based)
• Level 2 – Hamming code ECC – interweaving data based on Hamming code (EXPENSIVE and rare, resource intensive)
• Level 3 – parallel transfer with parity, at least 2 striped data drives with 1 for parity (faster in HW)
• Level 5 – block level, independent disks with distributed parity blocks, at least 3 drives, stripes data and parity (faster in HW)
• Level 6 – Level 5 with 2 independent distributed parity schemes (faster in HW)
• Level 10 – high reliability & performance, striped plus mirror, stripes level 1 segments, mirrored sets, at least 4 drives, hi I/O
• Level 0 + 1 – High transfer rate, HW based, losing 2 drives = major data loss

Insurance Coverage
• IS equipment/facilities
• Software media reconstruction
• Extra expense – of continuing operations after disaster, loss due to computer media damage
• Business interruption
• Valuable papers and records
• Errors and omissions
• Fidelity coverage – loss due to dishonest/fraudulent acts
• Media transportation
• Covers loss based on historical performance, not existing
• No compensation for loss of image/goodwill
Grandfather (monthly), father (weekly), son (daily) backup rotation scheme
Difference between ISACA book and Sybex
Sybex is easier to read and digest
• Layout is better and more reader-friendly
• More bullet points, charts, and tables that summarize the information and show relationships or differences in the subject matter
• Less subject matter on a page, so eyes don’t get so tired as you read
Both identify critical things a CISA must know, but ISACA is more specific in their must-know notes. Each perspective is helpful. I would never read just one book. Read one book and take notes. Then read the other book and supplement your notes. This process will help you understand the difference between the two sources.
