2010 CISA The How To Pass On Your First Try Certification Study Guide
This Exam Preparation book is intended for those preparing for the
Certified Information Systems Auditor certification.
Do not underestimate the value of your own notes and study aids.
The more you have, the more prepared you will be.
Ivanka Menken
Executive Director
The Art of Service
Notice of Rights
All rights reserved. No part of this book may be reproduced or transmitted in any form
by any means, electronic, mechanical, photocopying, recording, or otherwise, without
the prior written permission of the publisher.
Notice of Liability
The information in this book is distributed on an “As Is” basis without warranty. While
every precaution has been taken in the preparation of the book, neither the author nor
the publisher shall have any liability to any person or entity with respect to any loss or
damage caused or alleged to be caused directly or indirectly by the instructions
contained in this book or by the products described in it.
Trademarks
Many of the designations used by manufacturers and sellers to distinguish their
products are claimed as trademarks. Where those designations appear in this book,
and the publisher was aware of a trademark claim, the designations appear as
requested by the owner of the trademark. All other product names and services
identified throughout this book are used in editorial fashion only and for the benefit of
such companies with no intention of infringement of the trademark. No such use, or
the use of any trade name, is intended to convey endorsement or other affiliation with
this book.
Copyright The Art of Service │Brisbane, Australia│Email:service@theartofservice.com
Web: http://store.theartofservice.com │eLearning: http://theartofservice.org │Phone: +61 (0)7 3252 2055
Write a review to receive any free eBook from our Catalogue -
$99 Value!
If you recently bought this book we would love to hear from you!
Benefit from receiving a free eBook from our catalogue at
http://www.emereo.org/ if you write a review on Amazon (or the online
store where you purchased this book) about your last purchase!
Table of Contents
FOREWORD ............................................................................................................ 1
2 EXAM SPECIFICS........................................................................................... 11
3.5 CONTROLS ................................................................................................... 46
3.5.1 Internal Controls .................................................................................. 46
3.5.2 IS Control Objectives ............................................................................ 48
3.5.3 Internal Control Objectives .................................................................. 50
3.5.4 Control Procedures .............................................................................. 51
3.6 REPORTING AND COMMUNICATION .................................................................. 52
3.6.1 Report Structures ................................................................................. 52
3.6.2 Documentation .................................................................................... 53
3.6.3 Follow-up ............................................................................................. 53
3.7 CONTROL SELF-ASSESSMENT........................................................................... 54
3.7.1 CSA Tools .............................................................................................. 54
3.7.2 CSA Benefits ......................................................................................... 55
3.7.3 CSA Auditor .......................................................................................... 55
4 IT GOVERNANCE .......................................................................................... 56
4.1 IT STRATEGY ELEMENTS ................................................................................. 56
4.1.1 IT Strategies ......................................................................................... 56
4.1.2 Steering Committee ............................................................................. 56
4.1.3 Policies ................................................................................................. 57
4.1.4 Information Security Policy .................................................................. 58
4.1.5 Procedures ...........................................................................................61
4.2 IT GOVERNANCE FRAMEWORK ........................................................................ 62
4.2.1 Corporate Governance ......................................................................... 62
4.2.2 IT Governance ...................................................................................... 63
4.2.3 IT Strategy Committee ......................................................................... 64
4.2.4 Standard IT Balanced Scorecard .......................................................... 65
5 INFORMATION SECURITY GOVERNANCE ............................................................ 65
5.1 ENTERPRISE IT ARCHITECTURE ......................................................................... 68
5.1.1 Zachman Framework ........................................................................... 68
5.1.2 Technology-Based Frameworks ........................................................... 69
5.1.3 Process-Based Frameworks ................................................................. 69
5.1.4 Federal Enterprise Architecture ........................................................... 70
5.2 RISK MANAGEMENT ...................................................................................... 70
5.2.1 Key Definitions .....................................................................................71
5.2.2 Principles and Practices .......................................................................71
5.2.3 Controls and Countermeasures............................................................ 72
5.3 CONTRACT MANAGEMENT ............................................................................. 74
5.3.1 Delivery Options................................................................................... 74
5.3.2 Outsourcing Practices .......................................................................... 75
5.3.3 Advantages and Disadvantages ........................................................... 76
5.3.4 Outsourcing Risks ................................................................................ 77
5.4 LEGISLATIVE AND REGULATORY ISSUES............................................................... 78
5.4.1 1996 National Information Infrastructure Protection Act.................... 78
5.4.2 President's Executive Order on Critical Infrastructure Protection ........ 79
5.4.3 USA Patriot Act of 2001 ....................................................................... 79
5.4.4 Homeland Security Act of 2002 ........................................................... 80
5.4.5 Computer Fraud and Abuse Act ........................................................... 81
5.4.6 Electronic Communications Privacy Act (ECPA) ................................... 81
5.5 HUMAN RESOURCE MANAGEMENT .................................................................. 82
5.5.1 Multiple Roles ...................................................................................... 82
5.5.2 Hiring ................................................................................................... 84
5.5.3 Education ............................................................................................. 85
6 LIFE CYCLE MANAGEMENT ........................................................................... 87
6.1 BENEFITS MANAGEMENT ............................................................................... 87
6.1.1 Business Case ....................................................................................... 87
6.1.2 Benefits Realization ............................................................................. 87
6.1.3 Benefits Realization Process ................................................................88
6.2 PROJECT MANAGEMENT ................................................................................ 89
6.2.1 Project Phases...................................................................................... 90
6.2.2 Project Life Cycle .................................................................................. 91
6.2.3 Project Stakeholders ............................................................................ 93
6.2.4 Organizational Influences .................................................................... 93
6.3 PROGRAM MANAGEMENT .............................................................................. 95
6.4 CONFIGURATION MANAGEMENT...................................................................... 96
6.5 CHANGE MANAGEMENT ................................................................................ 98
6.5.1 Change Management .......................................................................... 98
6.6 APPLICATION DEVELOPMENT .........................................................................100
6.6.1 Software Development Life Cycle ......................................................100
6.6.2 Phase A: Feasibility ............................................................................101
6.6.3 Phase B: Requirements ......................................................................103
6.6.4 Phase 3A: Application Design ............................................................104
6.6.5 Phase 3B: Acquiring Software ............................................................106
6.6.6 Phase 4A: Development ..................................................................... 107
6.6.7 Phase 5: Implementation ...................................................................108
6.6.8 Phase 6: Post Implementation ...........................................................109
7 IT SERVICE DELIVERY .................................................................................. 110
7.1 SERVICE LEVEL MANAGEMENT ......................................................................110
7.1.1 Service Level Agreements ..................................................................110
7.2 NETWORK COMPONENT FUNCTIONALITY .........................................................112
7.2.1 Repeater ............................................................................................112
7.2.2 Hub ....................................................................................................113
7.2.3 Modem ..............................................................................................113
7.2.4 Network Interface Card (NIC) ............................................................114
7.2.5 Media Converter ................................................................................115
7.2.6 Bridge ................................................................................................115
7.2.7 Switch ................................................................................................116
7.2.8 Wireless Access Point .........................................................................118
7.2.9 Router ................................................................................................123
7.2.10 Firewall ..........................................................................................123
7.3 INCIDENT MANAGEMENT .............................................................................124
7.4 PROBLEM MANAGEMENT ............................................................................. 126
8 PROTECTING INFORMATION ASSETS .......................................................... 129
8.1 LOGICAL ACCESS CONTROLS ..........................................................................129
8.1.1 Identification and Authentication ......................................................129
8.1.2 Passwords ..........................................................................................131
8.1.3 Access Control Implementation .........................................................132
8.1.4 Identity Management ........................................................................133
8.1.5 Identity Management Technology .....................................................134
8.1.6 Access Lists.........................................................................................136
8.1.7 Context-Based Access Control ............................................................ 137
8.2 LOGICAL ACCESS SECURITY ARCHITECTURES .....................................................139
8.2.1 Authentication ...................................................................................139
8.2.2 Virtual Private Network .....................................................................142
8.2.3 IPSec ..................................................................................................143
8.2.4 Internet Key Exchange (IKE) ...............................................................145
8.2.5 Public Key Infrastructures (PKI) ..........................................................146
8.3 ATTACK METHODS ......................................................................................149
8.3.1 Denial of Service (DoS) .......................................................................150
8.3.2 Buffer Overflows ................................................................................151
8.3.3 Mobile Code .......................................................................................151
8.3.4 Malicious Software ............................................................................ 152
8.3.5 Password Crackers ............................................................................. 153
8.3.6 Spoofing/Masquerading .................................................................... 155
8.3.7 Sniffers, Eavesdropping, and Tapping ................................................ 157
8.3.8 Emanations ........................................................................................ 157
8.3.9 Shoulder Surfing ................................................................................158
8.3.10 Object Reuse..................................................................................158
8.3.11 Data Remanence ...........................................................................160
8.3.12 Unauthorized Targeted Data Mining .............................................161
8.3.13 Dumpster Diving ............................................................................ 162
8.3.14 Backdoors and Trapdoors .............................................................. 162
8.3.15 Theft ..............................................................................................163
8.3.16 Social Engineering .........................................................................163
8.4 INTRUSION DETECTION SYSTEMS....................................................................164
8.4.1 Intrusion Detection Systems ..............................................................164
8.4.2 Analysis Engine Methods ...................................................................166
8.4.3 Intrusion Responses ...........................................................................168
8.5 ENCRYPTION ALGORITHMS............................................................................169
8.5.1 Ciphers ...............................................................................................169
8.5.2 Types of Ciphers ................................................................................. 170
8.5.3 Cryptography Forms .......................................................................... 172
8.5.4 Data Encryption Standard.................................................................. 174
8.5.5 Advanced Encryption Standard .......................................................... 177
8.5.6 Other Encryption Methods ................................................................ 178
8.5.7 RSA.....................................................................................................180
8.5.8 Diffie-Hellmann Algorithm .................................................................181
8.5.9 Message Integrity Controls ................................................................181
8.5.10 Digital Signatures ..........................................................................184
8.6 PUBLIC KEY INFRASTRUCTURE........................................................................185
8.6.1 Different Methods of Support ............................................................185
8.6.2 Trusting External CAs .........................................................................185
8.6.3 Subordinate CAs ................................................................................186
8.6.4 Enrolling Managed Entities ................................................................186
8.6.5 Validating Certificates........................................................................ 187
8.6.6 Secure Sockets Layer ..........................................................................188
8.6.7 Transport Layer Security (TLS) ...........................................................189
8.6.8 Secure Shell (SSH) ..............................................................................190
8.6.9 Pretty Good Privacy (PGP) .................................................................190
8.7 PHYSICAL SECURITY SYSTEMS ........................................................................191
8.7.1 Authentication Devices ......................................................................191
8.7.2 Integrated Circuit Cards .....................................................................193
8.7.3 Biometrics ..........................................................................................198
8.8 WIRELESS SECURITY CONTROLS ..................................................................... 200
8.8.1 Wired Equivalent Privacy ................................................................... 200
8.8.2 Authentication ................................................................................... 203
8.8.3 Problems with WEP Security .............................................................. 205
8.8.4 Wi-Fi Protected Access ...................................................................... 206
8.8.5 802.1x and EAP .................................................................................. 206
8.8.6 Service Sets ........................................................................................ 209
9 BUSINESS CONTINUITY AND DISASTER RECOVERY ..................................... 212
9.1 BCP/DRP PROCESSES .................................................................................212
9.1.1 Business Continuity ............................................................................212
9.1.2 Disasters ............................................................................................214
9.1.3 Business Impact Analysis ...................................................................214
9.1.4 Classifications ....................................................................................216
9.1.5 Recovery Point and Recovery Time Objective ....................................216
9.1.6 Recovery Strategies............................................................................ 217
9.1.7 Recovery Technologies ....................................................................... 217
9.1.8 Organizational Responsibilities ..........................................................219
9.2 BACKUP AND RESTORE PRACTICES ..................................................................222
9.2.1 Redundant Array of Inexpensive Disks ...............................................222
9.2.2 Backups..............................................................................................224
9.2.3 Full and Incremental Backups ............................................................ 225
9.2.4 Distributed and Centralized Backups ................................................. 226
9.2.5 Data Replication ................................................................................ 227
9.3 CONTINUITY AND RECOVERY PLANS ................................................................228
9.3.1 Recovery and Continuity Planning .....................................................228
9.3.2 Continuity Planning Process ..............................................................229
10 PRACTICE EXAM......................................................................................... 233
1 Certified Information Systems Auditor
2 Exam Specifics
After passing the exam, the candidate has five years to apply for
certification. This is done by completing the certification application and
verifying work experience. The experience required is five years in
professional IS audit, control assurance, or security service. Part of this
requirement can be substituted with one of the following:
- Up to one year of experience can be in information systems or non-IS auditing experience.
- Up to two years can be substituted with 120 completed university credit hours (one year for 60 credit hours).
- Up to one year for a bachelor's or master's degree from a university enforcing the ISACA-sponsored Model Curriculum.
- Up to one year for a master's degree in information security or information technology.
3 Information Systems Audit Process
Audits should be planned in both the short term and the long term.
Short-term planning covers audit issues for the next year, while
long-term planning covers audit issues that arise from changes to the
organization's IT strategic direction. The audit issues should be
analyzed at least once a year to take into account new control issues,
changing technologies, and changing business processes.
- Current and future technologies
- Business process requirements
- IS resource limitations
An audit plan must address the audit objective and apply the applicable
professional auditing standards relevant to the audit area and its
technology infrastructure. The success of the audit depends on
understanding the business area the audit will address.
To gain this understanding, the auditor should:
- Tour key organization facilities
- Read background material
- Review long-term strategic plans
- Interview key managers
- Review prior audit reports
- Identify applicable regulations
These regulations will impact the goals and plans of the organization
and define the responsibilities and activities of the information
services function. To determine compliance with these regulations, the
audit should take into account:
- External requirements related to:
  o Electronic data, personal data, copyrights, e-commerce, e-signatures
  o Computer system practices and controls
  o Storage of computers, programs, and data
  o Information services organization
  o Information services activities
  o Audits and auditing practices
- Pertinent laws and regulations which have been documented.
- Alignment between external requirements and the organization's policies, standards and procedures.
- Internal documents addressing adherence to regulations.
- Established procedures to address external requirements.
- Forensic audits – specifically focus on discovering, disclosing, and reviewing evidence after the occurrence of fraud or a crime.
The audit strategy and plan identify the scope, audit objectives,
and audit procedures covered in the audit program. General audit
procedures typically include:
- Understanding the audit area
- Performing a risk assessment
- Creating a general plan and schedule
- Initial review of the audit area
- Evaluating the audit area
- Verifying control design
- Compliance testing
- Substantive testing
- Communicating results
- Follow-up
- Developing the procedures for gathering data and performing the audit.
- Developing the procedures for evaluating test or review results.
- Developing procedures for communicating with management.
- Preparing the audit report.
manner, while maintaining high standards of conduct and
character, and not engage in acts discreditable to the
profession.
4. Maintain the privacy and confidentiality of information obtained
in the course of their duties unless disclosure is required by
legal authority. Such information shall not be used for personal
benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to
undertake only those activities that they can reasonably
expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed,
revealing all significant facts known to them.
7. Support the professional education of stakeholders by
enhancing their understanding of IS security and control.
care, including observance of applicable
professional auditing standards.
S4 Professional Competence:
o The IS auditor should be professionally competent,
having the skills and knowledge to conduct the
audit assignment.
o The IS auditor should maintain professional
competence through appropriate continuing
professional education and training.
S5 Planning:
o The IS auditor should plan the information systems
audit coverage to address the audit objectives and
comply with applicable laws and professional
auditing standards.
o The IS auditor should develop and document a
risk-based audit approach.
o The IS auditor should develop and document an
audit plan detailing the nature and objectives,
timing, extent and resources required.
o The IS auditor should develop an audit program
and procedures.
S6 Performance of Audit Work:
o Supervision – IS audit staff should be supervised to
provide reasonable assurance that audit objectives
are accomplished and applicable professional
auditing standards are met.
o Evidence – During the course of the audit, the IS
auditor should obtain sufficient, reliable and
relevant evidence to achieve the audit objectives.
The audit findings and conclusions are to be
supported by appropriate analysis and
interpretation of this evidence.
o Documentation – The audit process should be
documented, describing the audit work and the
audit evidence that supports the IS auditor's
findings and conclusions.
S8 Follow-up Activities:
o After the reporting of findings and
recommendations, the IS auditor should request
and evaluate relevant information to conclude
whether appropriate action has been taken by
management in a timely manner.
S9 Irregularities and Illegal Acts:
o In planning and performing the audit to reduce audit
risk to a low level, the IS auditor should consider the
risk of irregularities and illegal acts.
o The IS auditor should maintain an attitude of
professional skepticism during the audit,
recognizing the possibility that material
misstatements due to irregularities and illegal acts
could exist, irrespective of his/her evaluation of the
risk of irregularities and illegal acts.
o The IS auditor should obtain an understanding of
the organization and its environment, including
internal controls.
o The IS auditor should obtain sufficient and
appropriate audit evidence to determine whether
management or others within the organization have
knowledge of any actual, suspected or alleged
irregularities and illegal acts.
o When performing audit procedures to obtain an
understanding of the organization and its
environment, the IS auditor should consider
unusual or unexpected relationships that may
indicate a risk of material misstatements due to
irregularities and illegal acts.
o The IS auditor should design and perform
procedures to test the appropriateness of internal
control and the risk of management overriding
controls.
o When the IS auditor identifies a misstatement, the
IS auditor should assess whether such a
misstatement may be indicative of an irregularity or
illegal act. If there is such an indication, the IS
auditor should consider the implications in relation
to other aspects of the audit and in particular the
representations of management.
o The IS auditor should obtain written
representations from management at least annually
or more frequently depending on the audit
engagement. It should:
Acknowledge its responsibility for the
design and implementation of internal
controls to prevent and detect irregularities
or illegal acts.
Disclose to the IS auditor the results of the
risk assessment that a material
misstatement may exist as a result of an
irregularity or illegal act.
Disclose to the IS auditor its knowledge of
irregularities or illegal acts in relation to
management and employees who have
significant roles in internal control.
o The IS auditor should have knowledge of any
allegations of irregularities or illegal acts, or
suspected irregularities or illegal acts, affecting the
organization as communicated by employees,
former employees, regulators and others.
o If the IS auditor has identified a material irregularity
or illegal act, or obtained information that a material
irregularity or illegal act may exist, the IS auditor
should communicate these matters to the
appropriate level of management in a timely
manner.
o If the IS auditor has identified a material irregularity
or illegal act involving management or employees
who have significant roles in internal control, the IS
auditor should communicate these matters to the
appropriate level of management in a timely
manner.
o The IS auditor should advise the appropriate level
of management and those charged with
governance of material weaknesses in the design
and implementation of internal control to prevent
and detect irregularities and illegal acts that may
have come to the IS auditor's attention during the
audit.
o If the IS auditor encounters exceptional circumstances,
such as a material misstatement or illegal act, that
affect the IS auditor's ability to continue performing
the audit, the IS auditor should consider the legal and
professional responsibilities applicable in the
circumstances, including whether there is a
requirement for the IS auditor to report to those
who entered into the engagement or, in some
cases, those charged with governance or
regulatory authorities, or consider withdrawing from
the engagement.
o The IS auditor should document all
communications, planning, results, evaluations and
conclusions related to material irregularities and
illegal acts that have been reported to
management, those charged with governance,
regulators and others.
S10 IT Governance:
o The IS auditor should review and assess whether
the IS function aligns with the organization's
mission, vision, values, objectives and strategies.
o The IS auditor should review whether the IS
function has a clear statement about the
performance expected by the business
(effectiveness and efficiency) and assess its
achievement.
o The IS auditor should review and assess the
effectiveness of IS resource and performance
management processes.
o The IS auditor should review and assess
compliance with legal, environmental and
information quality, and fiduciary and security
requirements.
o A risk-based approach should be used by the IS
auditor to evaluate the IS function.
o The IS auditor should review and assess the
control environment of the organization.
o The IS auditor should review and assess the risks
that may adversely affect the IS environment.
S11 Use of Risk Assessment in Audit Planning:
o The IS auditor should use an appropriate risk
assessment technique or approach in developing
the overall IS audit plan and determining priorities
for the effective allocation of IS audit resources.
o When planning individual reviews, the IS auditor
should identify and assess risks relevant to the
area under review.
3.2.3 ISACA IS Auditing Guidelines
3.2.4 ISACA IS Auditing Procedures
3.3 Evidence Life Cycle
3.3.1 Testing
3.3.2 Evidence
more reliable than internal sources.
The individual providing the information or evidence is
qualified to provide it.
The evidence has higher levels of objectivity and does not
rely on evidence requiring judgment or interpretation.
The evidence is timely, not late in being available or
outdated.
in determining:
Actual functions performed.
Actual processes and procedures being followed.
Current awareness of security requirements.
Relationships for reporting.
3.3.4 Sampling
confidence level of this type of sampling relates to the number of
times per 100 the sample will represent the larger population.
and projected as an estimated total.
Difference estimation – estimates the total difference
between audited values and unaudited values based on
observations.
3.3.5 Managing Evidence
documented chain of custody.
Legality – must be gathered within the parameters of the
law and respecting the rights of the accused.
Audit planning will incorporate risk analysis to identify any risks and
vulnerabilities present in the environment being audited and in the audit
itself, in order to determine how to mitigate those risks. A risk is
any potential event which may negatively affect the fulfillment of
business objectives. A risk from an organizational perspective
consists of:
Threats to processes and physical and information assets.
Impact on assets from threats and vulnerabilities.
Likelihood and frequency of occurrence of a threat.
Risk analysis allows an auditor to:
Identify risks and threats to the IT environment and
Information Systems that need to be addressed.
Provide information for the evaluation of controls in audit
planning.
Determine audit objectives.
Support risk-based audit decisions.
Several risk assessment methodologies are available to an IS auditor,
ranging from simple classifications based on judgment to complex
and scientific calculations. Risk assessments allow:
Management to allocate limited resources effectively.
Relevant information to be obtained from all levels of
management.
A basis for effectively managing the audit department.
An individual audit subject to be relevant to the overall
organization.
3.4.3 Qualitative Risk Assessments
3.4.4 Quantitative Risk Assessments
Formulas used include:
SLE (single loss expectancy) = asset value ($) × exposure factor (%)
ALE (annualized loss expectancy) = ARO (annualized rate of occurrence) × SLE
Qualitative Assessments:
NIST SP 800-30
NIST SP 800-66
OCTAVE
FRAP – Facilitated Risk Analysis Process
CRAMM – CCTA Risk Analysis and Management Method
Quantitative Assessments:
Spanning Tree Analysis
Failure Modes and Effect Analysis
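The SLE and ALE formulas above worked through over a small constructed asset register, as an added example that is not from the guide: SLE and ALE per scenario, ranking by ALE, and a cost-benefit step for a proposed control that extends the guide's two formulas with the standard "ALE before minus ALE after minus annual control cost" calculation. The asset names, dollar figures and the proposed control are assumptions.

```python
"""Quantitative risk assessment with the guide's SLE and ALE formulas.

Added example, not part of the study guide. The asset register below is
constructed; its values are illustrative, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat scenario against one asset, as an auditor would record it."""
    asset: str
    threat: str
    asset_value: float      # $ value of the asset
    exposure_factor: float  # fraction of the asset value lost per incident (0.0 to 1.0)
    aro: float              # annualized rate of occurrence: expected incidents per year


def sle(risk: Risk) -> float:
    """Single loss expectancy: SLE = asset value ($) * exposure factor (%)."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annualized loss expectancy: ALE = ARO * SLE."""
    if risk.aro < 0:
        raise ValueError("ARO cannot be negative")
    return risk.aro * sle(risk)


def rank_by_ale(risks):
    """Order scenarios so the audit plan addresses the largest expected annual loss first."""
    return sorted(risks, key=ale, reverse=True)


def safeguard_value(risk: Risk, new_aro: float, new_exposure_factor: float,
                    annual_cost: float) -> float:
    """Annual value of a control: ALE before - ALE after - annual cost of the control.

    This cost-benefit step extends the guide's two formulas (standard practice in
    quantitative risk management); a positive result means the control pays for itself.
    """
    after = Risk(risk.asset, risk.threat, risk.asset_value, new_exposure_factor, new_aro)
    return ale(risk) - ale(after) - annual_cost


# Constructed asset register for a small online retailer (illustrative figures only).
REGISTER = [
    Risk("customer database", "data breach", 2_000_000, 0.50, 0.10),
    Risk("web storefront", "DDoS outage", 500_000, 0.20, 2.0),
    Risk("office laptops", "theft", 150_000, 0.05, 4.0),
]

if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        print(f"{r.asset:18} {r.threat:12} SLE=${sle(r):>12,.0f} ALE=${ale(r):>12,.0f}")
    # Hypothetical control: encrypting the database cuts the exposure factor to 10%
    # at an assumed $30,000 per year. Does it pay for itself?
    print(f"safeguard value: ${safeguard_value(REGISTER[0], 0.10, 0.10, 30_000):,.0f}")
```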
3.5 Controls
Corrective controls minimize the impact of a threat from problems
discovered by detective controls. They serve to identify the cause of
the problem, correct any errors, and modify systems to minimize
future occurrences of the problem. An incident must occur before
corrective controls activate, along with recovery and compensation
controls. Recovery controls focus on overcoming the impact of the
incident on the business. This is done by resolving any problems
related to the incident. Compensation controls work to
ensure that normal business operations continue by applying
appropriate resources. Redundant systems are an example of
compensating controls.
3.5.3 Internal Control Objectives
3.5.4 Control Procedures
3.6 Reporting and Communication
Audits end with an exit interview to allow the auditor the chance to
discuss findings and make recommendations with management. The
auditor will ensure facts within the report are accurately stated, the
recommendations are realistic and cost-effective, and implementation
dates for the recommendations are provided. Results may be
presented to multiple levels of management using either an executive
summary or visual presentation.
3.6.2 Documentation
3.6.3 Follow-up
3.7.2 CSA Benefits
When CSA programs are created, the auditor's role shifts to that of
internal control professional and assessment facilitator. Auditors must
understand the business processes involved. The auditor becomes a
resource for understanding the internal controls, risks, and potential
impact of improvements affecting those controls.
4 IT Governance
4.1.1 IT Strategies
4.1.3 Policies
consistent with the corporate policies.
services, as well as service level and objective level agreements and
compliance with legal and regulatory agencies. Measures can be
proactive or reactive to known threats and vulnerabilities. They fall
into any of the following categories:
Preventive – intended to stop the occurrence of a security
incident. Solutions related to authentication, authorization,
identification, and access control are typical examples of
preventive measures.
Reductive – intended to minimize the possible damage
resulting from a security incident; typically consists of
regular backups and implementation of contingency plans.
Detective – intended to provide the earliest possible detection
of a security incident. A primary example of a detective
measure is virus-checking software.
Repressive – intended to reduce or stop the security
incident from occurring again. Disabling accounts after
several sequential failed login attempts is an example of a
repressive measure.
Corrective – intended to repair the damage resulting from
a security incident. Restoring, roll-back, and back-out
procedures are examples of corrective measures.
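The detective and repressive measures in the list above, shown as an added example (not code from the guide) that processes a constructed authentication log: an alert is raised when an account reaches a run of consecutive failed logins, and that account is marked for disabling. The log line format, the threshold of three attempts and the account names are assumptions.

```python
"""Detective and repressive measures over an authentication log.

Added example, not code from the study guide. The log line format, the
threshold of three consecutive failures and the account names are assumptions;
the log lines are constructed sample data.
"""
import re
from collections import defaultdict

# Assumed log format: "<ISO timestamp> user=<account> result=<OK|FAIL>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample log: alice fails twice then succeeds; bob fails four times in a row.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z user=alice result=FAIL
2024-03-01T08:00:05Z user=alice result=FAIL
2024-03-01T08:00:09Z user=alice result=OK
2024-03-01T08:01:00Z user=bob result=FAIL
2024-03-01T08:01:03Z user=bob result=FAIL
2024-03-01T08:01:06Z user=bob result=FAIL
2024-03-01T08:01:09Z user=bob result=FAIL
2024-03-01T08:01:12Z user=bob result=OK
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return the fields of one log line, or None for a line that does not match."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def evaluate_log(log_text, threshold=3):
    """Apply the two measures to a log and return (alerts, disabled_accounts).

    Detective: an alert is raised the moment an account reaches `threshold`
    consecutive failures. Repressive: that account is added to the set of
    accounts to disable, and later attempts on it are reported rather than
    counted, because the lockout is meant to stop the incident recurring.
    """
    consecutive = defaultdict(int)   # account -> current run of consecutive failures
    alerts = []
    disabled = set()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue                      # tolerate unexpected input instead of crashing
        user = event["user"]
        if user in disabled:
            alerts.append(f"{event['ts']} attempt on disabled account {user}")
            continue
        if event["result"] == "FAIL":
            consecutive[user] += 1
            if consecutive[user] == threshold:
                alerts.append(f"{event['ts']} {threshold} consecutive failures for {user}")
                disabled.add(user)
        else:
            consecutive[user] = 0         # a successful login ends the run of failures
    return alerts, disabled


if __name__ == "__main__":
    found_alerts, to_disable = evaluate_log(SAMPLE_LOG)
    print("\n".join(found_alerts))
    print("accounts to disable:", sorted(to_disable))
```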
Integration of security policy with business need.
Management justification and support of security
procedures.
Effective marketing and education of security
requirements.
Integrated continuous improvement.
4.1.5 Procedures
4.2.2 IT Governance
IT strategy committee
Risk Management
IT balanced scorecard
confidentiality may be found within an organization, ranging from
classified, sensitive, confidential, to protected and public.
Information exchanges and business transactions between
enterprises, partners, and customers can be trusted.
5.1.4 Federal Enterprise Architecture
5.2.1 Key Definitions
5.3 Contract Management
Contracts are used to define the required IT services from third party
vendors. In many cases, services may be delivered by multiple
vendors. Specific objectives for IT are different from one organization
to the next.
5.3.3 Advantages and Disadvantages
Loyalty to the customer may not exist.
Disgruntled employees or customers over outsourcing.
Service costs not competitive throughout the contract life.
Vendor systems become obsolete.
Anticipated benefits not achieved by either company.
Damage to reputations due to project failures.
Lengthy and expensive litigation due to
contract failures.
Multiple risks can arise when outsourcing IT. These risks can be
reduced by:
Establishing measurable goals and rewards.
Sharing goals and rewards between parties.
Using multiple suppliers.
Using additional business as incentive for performance.
Creating short-term contracts.
Creating a cross-functional contract management team.
Including specific contractual provisions, such as:
o Service quality expectations
o Adequate access control and security requirements
o Violation reporting and handling of investigations
o Roles and responsibilities
o Change or version control and testing
o Performance parameters
o Business continuity and disaster recovery
o Capacity management criteria
o Contract change
o “Right to audit”
o Dispute resolution process
o Protection from damage caused by either party
o Confidentiality agreements
o Relevant legal and regulatory requirements
o Data confidentiality, integrity, and availability
o Ownership of intellectual property
o Warranty and maintenance periods
o Software escrow
One of the most difficult problems with the rapid growth of computer
technology is ensuring that the laws and regulations protecting against
computer crimes keep abreast of emerging technologies. This was
evident in 1994 when the Computer Emergency Response Team
(CERT) reported a 498 percent increase in the number of
computer intrusions and a 702 percent rise in the number of sites
affected by these intrusions. The U.S. legislature chose to add
amendments to the Computer Fraud and Abuse Act to address
specific abuses from misuse of new technologies. The result is the
1996 National Information Infrastructure Protection Act.
Title III focuses on monetary transactions used in
supporting terrorist activities.
Title IV provides guidelines of border control and
immigration laws involving electronic sharing of
intelligence.
Title V provides guidelines for removing obstacles when
investigating terrorism.
Title VII covers increasing information sharing for critical
infrastructure protection.
Title VIII strengthens criminal laws as they apply to
terrorism.
The act creating this government agency was the Homeland Security
Act of 2002.
5.5 Human Resource Management
5.5.2 Hiring
Suspected terrorist watch list
The level of background checking usually matches the security
importance of the job position.
5.5.3 Education
The architecture and design of the security solution must address the
design, implementation, and operations of those controls used to
enforce the levels of confidentiality, integrity, and availability required.
6 Life Cycle Management
Establish a system of tracking or measuring the
performance.
Document the assumptions.
Establish key responsibilities.
Validate the predicted benefits.
Plan the predicted benefits.
6.2 Project Management
6.2.1 Project Phases
[Table: example project life cycles by industry (Defense, Software, Construction, Pharmaceuticals) and their phases, such as Acquisition, Development, and Operations and Support]
The project life cycle defines the beginning and end of the project.
The transitional actions at the end of the project are also determined
by the definition of the project life cycle.
the transfers or hand-offs between those phases. In some cases, fast
tracking may be employed which is an overlapping of phases. This is
defined by the life cycle as well as:
The technical work performed in each phase.
The personnel involved in each phase.
Project life cycles can have general or detailed descriptions, but share
several characteristics:
Cost and staffing levels are low at the start, higher near the
end, and drop radically when concluding the project.
The beginning of the project has the lowest probability of
success and the highest level of risk and uncertainty. The
probability of success rises and the risk and uncertainty fall
as the project progresses.
The influence of the stakeholders on the final
characteristics of the product or service is highest at the
start of the project and decreases as the project
progresses.
The final cost of the project is typically higher at the start of
the project than at the end.
The project life cycle is typically one stage found within a product life
cycle. Subprojects within projects may also have distinct project life
cycles.
6.2.3 Project Stakeholders
6.3 Program Management
6.4 Configuration Management
customers of suppliers.
Interfaces – those assets required to deliver a service.
6.5 Change Management
Application developers and support
Security specialists and consultants
IT Operations staff
Facilities staff
Contractors
6.6.3 Phase B: Requirements
6.6.4 Phase 3A: Application Design
instances representing actual physical objects or logical constructs.
Attributes characterize each entity and are compared to identify
similarities.
6.6.5 Phase 3B: Acquiring Software
6.6.6 Phase 4A: Development
segments before testing the entire system and can be started before
the entire program is complete. The different classes of tests include:
Unit testing
Interface/Integration testing
System testing
Final acceptance testing
6.6.8 Phase 6: Post Implementation
7 IT Service Delivery
building or to ensure the minimal level of awareness and
compliance in conducting safe business transactions.
Customer-based SLA – covers the requirements of a
single customer. For security, this may translate into
defining special requirements and security relationships
with customers of the business, or individual departments
within the organization. Departments like Finance and
Research and Development may have more stringent
requirements for security than Customer Support. Different
classifications of information may contribute to different
SLAs being applied.
Multi-level SLA – A three-layer structure for adopting
agreements. The levels are corporate, customer, and
service. The corporate level covers all generic concerns
and requires less frequent changes. Customer level
relates to a specific customer or business unit regardless
of the service provided, while the service level relates to a
specific service for a specific customer.
7.2 Network Component Functionality
7.2.1 Repeater
The general rule for using repeaters is the 5-4-3 Rule. The rule states
that the maximum path between two stations cannot exceed 5
segments with 4 repeaters between those segments and no more
than 3 segments populated. A small amount of latency is introduced
by each repeater, so a transmitting device must take that delay into
account in order to detect a collision with another
device.
7.2.2 Hub
Hubs work on the physical layer of the OSI model. They perform the
same function as repeaters, but through multiple ports. Hubs are
typically found in wiring closets to concentrate Thinnet and 10BaseT
networks. They are often used within the star topology to facilitate
communication between network nodes. There are three types of
hubs:
Passive – does not require an external power source, does
not regenerate the signal, and should be considered as
part of the cable in respect to cable length.
Active – requires an external power source to allow for
regeneration of the signal.
Intelligent – An active hub that provides error detection.
7.2.3 Modem
Modems are used to convert digital signals to analog and vice versa. For the
most part, modem use is an alternative when a wireless hotspot is
unavailable but a telephone line is. Connectivity is performed through
a dial-up application to a predefined phone number of the service
provider, which allows connection to the WAN. From there, the user
typically has connectivity to the Internet or, with the proper credentials,
to their company's intranet.
Most homes and small offices have cable modems or ADSL modems
that act as hotspots to provide wireless and wired Internet
connectivity. To access these modems from the computer,
configuration is similar to setting up a Local Area Network using
Ethernet.
7.2.5 Media Converter
7.2.6 Bridge
Bridges control the collision domains on a network. A bridge filters any
incoming frame whose destination MAC address is on the same segment
the frame arrived from, so that frame is not forwarded. It can do this
because it has already learned the MAC address of each node on each
segment and the interface on which that node is located. If the
destination address is unknown, the bridge forwards the frame out of
every other interface, a process called flooding, which is also how
broadcast frames are handled.
Bridges store the entire frame and verify the CRC before forwarding it
(store-and-forward); if a CRC error is detected, the frame is discarded.
The Spanning Tree Protocol is implemented to build a loop-free network
topology. With the protocol, the bridges exchange information such as
priority and bridge MAC addresses, elect a root bridge as a group, and
place some interfaces into a blocking state while others remain in a
forwarding state, so that only a single active path exists for any
frame.
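The learning, filtering and flooding behaviour described above, and the reason a loop needs Spanning Tree, as an added example (not from the study guide): a tiny learning-bridge simulation in Python. The MAC addresses, port names and the two-bridge loop topology are constructed for the demonstration; `simulate_loop` injects one broadcast into a network where two bridges join the same pair of segments and counts how many copies are still circulating, with and without a Spanning Tree blocking decision.

```python
"""Learning bridge: MAC learning, filtering, flooding, and why a loop needs Spanning Tree."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str   # source MAC address (constructed values in the demo)
    dst: str   # destination MAC address (BROADCAST for broadcast frames)


@dataclass
class Bridge:
    ports: list                                  # port names, e.g. ["p1", "p2"]
    table: dict = field(default_factory=dict)    # learned MAC address -> port

    def receive(self, frame: Frame, in_port: str) -> set:
        """Handle a frame arriving on in_port; return the set of ports it is forwarded out of."""
        self.table[frame.src] = in_port          # learn: the source is reachable via in_port
        if frame.dst == BROADCAST or frame.dst not in self.table:
            return {p for p in self.ports if p != in_port}   # flood: every port but the ingress
        out_port = self.table[frame.dst]
        if out_port == in_port:
            return set()                          # filter: destination sits on the ingress segment
        return {out_port}


def simulate_loop(steps: int, block=frozenset()) -> int:
    """Two bridges (b1, b2) each join segment A (port p1) to segment B (port p2) in parallel.
    A single broadcast is injected on A; return how many copies are still circulating after
    `steps` forwarding rounds. `block` holds (bridge, port) pairs that Spanning Tree has put
    into the blocking state; a blocked port neither learns from nor forwards frames."""
    wiring = {"p1": "A", "p2": "B"}
    bridges = {"b1": Bridge(["p1", "p2"]), "b2": Bridge(["p1", "p2"])}
    in_flight = [("A", Frame("aa", BROADCAST), None)]   # (segment, frame, bridge that emitted it)
    for _ in range(steps):
        nxt = []
        for seg, frame, origin in in_flight:
            for name, br in bridges.items():
                if name == origin:
                    continue                      # a bridge does not hear its own transmission
                in_port = next(p for p, s in wiring.items() if s == seg)
                if (name, in_port) in block:
                    continue
                for out_port in br.receive(frame, in_port):
                    if (name, out_port) not in block:
                        nxt.append((wiring[out_port], frame, name))
        in_flight = nxt
    return len(in_flight)
```

Without a blocked port the broadcast circulates forever (the count never drops to zero, and each bridge's table entry for the source MAC flaps between ports); blocking one port on one bridge, which is what the Spanning Tree election produces, makes the storm die out after the first round.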
7.2.7 Switch
Switches are more advanced than bridges. They use fast application-
specific integrated circuits (ASICs) to reduce the latency normally
introduced by bridges. They generally have more ports than bridges and
run faster. They store the MAC addresses learned on each port and
implement the Spanning Tree Protocol. Each switch port is a separate
collision domain, but all ports belong to the same broadcast domain:
broadcasts are not controlled by switches.
All ATM switches perform cell relay services, but different types of ATM
switches differ in the services they provide, such as:
Different interfaces and services
Redundancy
Sophisticated traffic management
Depth of ATM internetwork software
reduce congestion and enable new services such as Virtual LANs. A
wide variety of local backbone and WAN types must be supported.
Additionally, the ability to connect multiple switches together is
another important characteristic.
Access points provide an entry point into the wireless network. The
hardware is half duplex with an intelligence equivalent to a
sophisticated Ethernet switch. Access points have the ability to
communicate with the client, the network and other access points.
Access points can be portals allowing client connectivity from wireless
802.11 networks to wired 802.3 (Ethernet) or 802.5 (Token Ring)
networks. Several hardware and software options are available, including:
Fixed or detachable antennas
Advanced filtering capabilities
Removable (modular) radio cards
Variable output power
Varied types of wired connectivity
number of users that can connect.
The administrator can control the power used by the access point to
send data through variable power output functions. Controlling power
allows the range of the access point to be controlled. The more power
used the greater the distance available to access the wireless
network.
the greater the expense for the device. Some of the features available
on Small Office, Home Office (SOHO) devices and Enterprise devices
include:
SOHO devices
MAC filtering
WEP (64-bit or 128-bit)
USB or console configuration interfacing
Built-in web server configuration interface (simple)
Custom configuration applications (simple)
Enterprise
Custom configuration applications (advanced)
Built-in web server configuration interface (advanced)
Telnet access
SNMP management
802.1x/EAP
RADIUS client
VPN client and server
Static or dynamic routing
Repeater functions
Bridging functions
7.2.9 Router
7.2.10 Firewall
management. Some steps, such as escalation and closure, are more
involved because of the immediacy of the incident.
Escalation serves two functions in incident management. Functional
escalation occurs when the Service Desk is unable to resolve the
incident entirely, or within a specific time frame, and the incident
record must be passed to another level of support. Hierarchical
escalation is performed for high-severity incidents, when IT and
business management must be notified.
7.4 Problem Management
The problem management process consists of several general steps:
Problem Detection
Problem Logging
Problem Categorization
Problem Prioritization
Problem Investigation
Problem Diagnosis
Problem Workaround
Known Error Record
Problem Resolution
Problem Closure
Problem Review
All reported problems are logged and referenced back to the related
incidents. The typical details contained in a problem record include:
Information about the user
Information about the service
Information about the equipment
Initial log date and time
Priority and categorization details
Incident description
All diagnostic or recovery actions taken
8 Protecting Information Assets
Three essential practices for identification include:
Uniqueness
Nondescriptive
Issuance
Notification
Administration
Allocation
8.1.2 Passwords
complex and secure category of passwords, except that
their complexity usually will cause a user to write down the
password in order to remember.
The services found within the architecture support the core attributes
of the solution, including:
Identification – provides identity
Authentication – verifies identity and associated access
Authorization – determines what actions are available to
the user
Accountability – tracks user activity
In network access security solutions, three roles interact: the host (a
system, user, application, or service) that presents the interface for
identifying and authenticating the user; the requester, or Network Access
Server (NAS), which relays to the host any challenges used to verify the
user; and the authenticator (the authentication server), which validates
the user's identity.
replication of information. Unfortunately, many legacy systems do not
support using external systems, such as directories, to manage users.
8.2 Logical Access Security Architectures
8.2.1 Authentication
A Key Distribution Center (KDC) holds all the keys and provides a
centralized authentication service. The overall structure of control is
called a realm. Time-stamped tickets limit the window in which a
captured ticket could be replayed. All the systems within the realm have
their clocks synchronized to maintain a common reference for
authentication.
8.2.2 Virtual Private Network
The peer model of VPN determines the appropriate path for transport at
the network layer on a hop-by-hop basis and is typically represented by a
traditionally routed network. The edge nodes form a routing relationship
with the VPN service provider network and use the best route, instead of
connecting to other edge nodes through a predetermined path. With the
peer model, all network layer addressing must be unique within both the
VPN service provider network and the individual VPNs.
The overlay model of VPNs will determine the appropriate path for
transport at the network layer from one edge node to another by
cutting through the network. In this model the network layer requires
no knowledge of the underlying infrastructure and all edge nodes are
essentially a single hop away from each other. Unique network
addressing is not required except for addressing within a single VPN.
Link Layer VPNs are implemented at the second layer of the OSI model
rather than the third. The link layer provides the platform for
networking instead of having discrete networks at the network layer. In
this situation different VPNs can share the same infrastructure but have
no visibility of each other. A link layer VPN differs from dedicated
circuits in that no synchronized data clock is shared and no dedicated
transmission path exists.
Network Layer VPNs are implemented at the third layer of the OSI
model and are often referred to as tunneling VPNs. In this situation,
tunnels are created between the source and destination router,
between routers, or between hosts. Tunneling can be done point-to-
point or point-to-multipoint. To allow tunneling, the VPN backbone and
VPN connected subnets do not require unique network addresses
and can be constructed transparently to the network provider.
8.2.3 IPSec
Two specific security protocols are added to the IP protocol:
Authentication Header (AH) – provides connectionless integrity, data
origin authentication, and anti-replay services, so any modification of
the packet (including the IP header) is detected.
Encapsulating Security Payload (ESP) – provides encryption
(confidentiality) of the payload and, optionally, integrity and origin
authentication of the payload.
The IKE process is composed of two phases; the first phase sets the
foundation for the second. In the first phase:
Peers authenticate using certificates or a pre-shared secret.
A Diffie-Hellman exchange produces a shared key.
Keys and methods are exchanged and/or negotiated between peers.
the CRL repository is an HTTP server, the module uses the URL published
in the certificate's CRL Distribution Point extension and opens an HTTP
connection to the repository. If the CRL is on an LDAP server, the module
looks for the CRL in one of the defined LDAP account units: when the CRL
Distribution Point extension exists, it names the directory entry under
which the CRL is published or gives an LDAP URL; when the extension does
not exist, the module attempts to locate the CRL in the entry of the CA
itself on the LDAP server.
Dumpster diving
Backdoor/trapdoor
Theft
Intruders
Social engineering
In the mid-1990s, the most prevalent attacks were SYN floods: TCP/IP
protocol manipulation in which an overwhelming number of half-open
connection requests (SYN segments that are never completed) is sent to
a service, tying up its connection table so that legitimate requests are
delayed or dropped. The result was that systems were virtually unusable
by valid users and applications of the service.
the user and is typically known as downloadable code and active
content.
Password crackers are easily obtainable and are useful to both attackers
and system administrators. System administrators use password crackers
against their own password stores to find weak passwords. If a password
is weak, the user can be asked to change it to a stronger one.
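What a cracker actually does against a stored password database, as an added example (not from the study guide): a dictionary attack in Python against unsalted SHA-256 hashes and against salted, iterated PBKDF2 hashes. The wordlist, user names and passwords are constructed for the demonstration. The point a practitioner should take from it is in the returned work counts: against unsalted hashes one pass over the wordlist cracks every user at once, whereas a per-user salt forces a separate, deliberately slow derivation per user and per candidate.

```python
"""Dictionary attack against stored password hashes: unsalted SHA-256 vs salted PBKDF2."""
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real cracking dictionary (assumption, not real data).
WORDLIST = ["password", "letmein", "Summer2024", "correct horse battery staple", "qwerty"]


def store_unsalted(password: str) -> str:
    """The weak scheme: a bare hash of the password, identical for every user with that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_pbkdf2(password: str, salt: bytes = None, rounds: int = 200_000) -> tuple:
    """The hardened scheme: random per-user salt and an iterated key derivation."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def crack_unsalted(stored: dict, wordlist) -> tuple:
    """Return (cracked users, hash computations). One hash per candidate word cracks
    every user sharing that password, no matter how many users there are."""
    lookup = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    found = {user: lookup[h] for user, h in stored.items() if h in lookup}
    return found, len(wordlist)


def crack_pbkdf2(stored: dict, wordlist, rounds: int = 200_000) -> tuple:
    """Return (cracked users, derivations). The salt makes every user a separate job,
    and the iteration count makes each derivation expensive."""
    found, work = {}, 0
    for user, (salt, digest) in stored.items():
        for w in wordlist:
            work += 1
            candidate = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, rounds)
            if hmac.compare_digest(candidate, digest):
                found[user] = w
                break
    return found, work
```

An administrator running this kind of audit should do so only against a copy of the password store, under the organization's policy, and report the weak accounts rather than the recovered passwords.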
8.3.6 Spoofing/Masquerading
8.3.7 Sniffers, Eavesdropping, and Tapping
8.3.8 Emanations
mechanisms such as TEMPEST.
8.3.11 Data Remanence
representation of the data with each rewrite.
8.3.13 Dumpster Diving
8.3.15 Theft
8.4 Intrusion Detection Systems
The unique traffic generated by the organization requires the IDS to be
tuned to the network. If tuned incorrectly, the IDS either floods analysts
with false positives, so that real alerts are ignored, or misses real
attacks; either way it leaves the organization exposed.
the ports on a switch to a dedicated NIDS (mirror or SPAN) port. The
system inspects all copied packets and monitors sessions without
affecting the traffic itself.
Some HIDS can monitor multiple hosts and share policy information and
real-time information between systems.
8.4.2 Analysis Engine Methods
An IDS can utilize several analysis methods. Two basic types include:
Pattern matching (signature-based) – the attack signature is known in
advance and an alert is raised when the pattern is detected
Anomaly detection – builds a picture of normal activity and draws
conclusions from several tactics to determine whether traffic that
deviates from it represents a risk
Anomalies can include:
Users logging in at strange hours.
Unusual error messages.
Unexplained system shutdowns or restarts.
Unexplained changes to system checks.
Multiple failed log-on attempts.
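The two analysis methods above, run over log data, as an added example (not from the study guide): a Python script that applies signature rules (known-bad patterns) and two anomaly rules (a failed-logon threshold per source address, and logons outside working hours) to a handful of constructed sshd-style authentication log lines. The log lines, rule names, threshold and working hours are assumptions chosen for the demonstration; the threshold and hours are exactly the kind of tuning the guide says each organization must do for its own traffic.

```python
"""Signature (pattern) matching and anomaly rules over constructed auth-log lines."""
import re
from collections import Counter

# Constructed sample log (sshd-style); not real data.
LOG = """\
Mar 10 02:14:01 host1 sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 02:14:03 host1 sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar 10 02:14:05 host1 sshd[4012]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 10 02:14:07 host1 sshd[4012]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar 10 02:14:09 host1 sshd[4012]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar 10 02:14:11 host1 sshd[4012]: Accepted password for root from 203.0.113.7 port 51127 ssh2
Mar 10 09:30:44 host1 sshd[4100]: Accepted publickey for alice from 198.51.100.4 port 40010 ssh2
Mar 10 23:55:12 host1 sshd[4311]: Accepted password for bob from 198.51.100.9 port 40555 ssh2
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+)")

# Signature rules: each is a known-bad pattern; one match is one definite alert.
SIGNATURES = {
    "ssh-root-password-login": re.compile(r"Accepted password for root from"),
    "ssh-invalid-user-probe": re.compile(r"Failed password for invalid user"),
}


def signature_alerts(log: str) -> list:
    """Pattern matching: return (rule name, matching line) for every signature hit."""
    alerts = []
    for line in log.splitlines():
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((name, line))
    return alerts


def anomaly_alerts(log: str, fail_threshold: int = 4, work_hours=(8, 19)) -> list:
    """Anomaly rules: many failures from one source, and successful logons outside work hours.
    fail_threshold and work_hours are the site-specific tuning knobs (assumed values)."""
    failures = Counter()
    alerts = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # unparsable line: skip, do not crash
        timestamp, _host, message = m.groups()
        hour = int(timestamp.split()[2].split(":")[0])
        failed = FAILED_RE.search(message)
        if failed:
            failures[failed.group(2)] += 1             # count failures per source address
            continue
        accepted = ACCEPTED_RE.search(message)
        if accepted and not (work_hours[0] <= hour < work_hours[1]):
            alerts.append(("off-hours-logon", accepted.group(2), accepted.group(3)))
    for source, count in failures.items():
        if count >= fail_threshold:
            alerts.append(("brute-force", source, count))
    return alerts
```

Note how the two methods complement each other on this data: the signature rules flag the invalid-user probes and the root password logon immediately, while only the anomaly rules notice that five failures from one address preceded that logon and that it happened at 02:14.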
Well-defined protocols can reduce the number of false-
positives.
Protocol analysis has a longer deployment time than
signatures.
The sensor detects the event and produces the necessary
notification.
The enunciator acts as a relay station, ensuring that the proper people
are alerted at the appropriate time; not everyone needs to be alerted at
the same time.
8.5.1 Ciphers
8.5.2 Types of Ciphers
Playfair ciphers were used by Allied forces in WWII. The Playfair cipher
is a digraph substitution cipher that starts with the sender and receiver
agreeing on a key word. A 5x5 table is built from that word followed by
the rest of the alphabet (I and J share one cell). The message, ignoring
spaces, is split into groups of two letters; a pair of repeated letters is
broken up with a filler such as X, and a trailing single letter is padded
the same way.
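The Playfair procedure carried through in code, as an added example (not from the study guide): table construction, digraph preparation with the X filler, and the three substitution rules (same row, same column, rectangle) for both encryption and decryption, in Python. The choice of Q as filler when the doubled letter is itself X is an assumption made so the filler never collides with the letter it separates.

```python
"""Playfair cipher: key table, digraph preparation, encryption and decryption."""
import string


def build_table(keyword: str) -> list:
    """5x5 table: keyword letters first, then the rest of the alphabet; I and J share a cell."""
    seen, cells = set(), []
    for ch in keyword.upper() + string.ascii_uppercase:
        if not ch.isalpha():
            continue
        ch = "I" if ch == "J" else ch
        if ch not in seen:
            seen.add(ch)
            cells.append(ch)
    return [cells[i:i + 5] for i in range(0, 25, 5)]


def prepare(plaintext: str) -> list:
    """Split into letter pairs, inserting a filler between doubled letters and after a final single letter."""
    letters = [("I" if c == "J" else c) for c in plaintext.upper() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else None
        if b is None or a == b:
            pairs.append((a, "X" if a != "X" else "Q"))   # filler (Q if the letter is X; assumption)
            i += 1
        else:
            pairs.append((a, b))
            i += 2
    return pairs


def _transform(pairs: list, table: list, shift: int) -> str:
    """shift=+1 encrypts, shift=-1 decrypts; the rectangle rule is its own inverse."""
    pos = {ch: (r, c) for r, row in enumerate(table) for c, ch in enumerate(row)}
    out = []
    for a, b in pairs:
        ra, ca = pos[a]
        rb, cb = pos[b]
        if ra == rb:                                   # same row: move along the row
            out.append(table[ra][(ca + shift) % 5] + table[rb][(cb + shift) % 5])
        elif ca == cb:                                 # same column: move down (or up) the column
            out.append(table[(ra + shift) % 5][ca] + table[(rb + shift) % 5][cb])
        else:                                          # rectangle: each letter takes the other's column
            out.append(table[ra][cb] + table[rb][ca])
    return "".join(out)


def encrypt(plaintext: str, keyword: str) -> str:
    return _transform(prepare(plaintext), build_table(keyword), +1)


def decrypt(ciphertext: str, keyword: str) -> str:
    c = ciphertext.upper()
    pairs = [(c[i], c[i + 1]) for i in range(0, len(c), 2)]
    return _transform(pairs, build_table(keyword), -1)
```

Decryption returns the padded text (fillers included), so the recipient still has to drop the inserted X's by eye; that, the loss of J, and the fact that the same digraph always encrypts to the same pair (so digraph frequency analysis works) are why Playfair is a teaching example today rather than a usable cipher.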
key holder, called the private key. The other half of the key pair can be
given to anyone who wants a copy, called the public key. Asymmetric
algorithms are built on one-way (trapdoor) functions.
The origins of DES lie in the work of Horst Feistel on the Lucifer
algorithm. The core principle of the algorithm is to take an input block
of plaintext and divide it in half. In each round, one half is passed
through a key-dependent round function and the result is XORed into the
other half; the halves are then swapped for the next round. Because the
data is only ever altered by XOR, decryption runs the same rounds with
the subkeys in reverse order.
Each DES key is 64 bits in length, but every eighth bit is a parity bit
ignored by the algorithm, leaving an effective length of 56 bits.
There are five modes of operation defined for DES and other block
ciphers:
Electronic Codebook Mode (ECB)
Cipher Block Chaining Mode (CBC)
Cipher Feedback Mode (CFB)
Output Feedback Mode (OFB)
Counter Mode (CTR)
DES is a block cipher, but the last three modes were developed to make
it operate like a stream cipher, in order to be more versatile and
support stream-based applications.
ECB is the most basic mode of DES. It encrypts each 64-bit block of text
independently, so identical plaintext blocks produce identical ciphertext
blocks; it is suitable only for very short messages such as a single key.
With CBC, the ciphertext of one block is XORed into the next plaintext
block before that block is encrypted, so the result of encrypting one
block of data is used to encrypt the next.
CFB segments the input into units of 8 bits, the size of one character.
Each keystream unit is produced by encrypting a shift register holding a
predetermined number of previous ciphertext bits, and the ciphertext
output of the XOR is fed back into that shift register to produce the next
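The Feistel structure described under DES above and the ECB versus CBC difference described in this section, shown together in one added example (not from the study guide, and not DES itself): a toy 64-bit Feistel cipher in Python whose round function and key schedule are made up for the demonstration, and which is far too weak to protect anything. What it shows is independent of that weakness: decryption is the same network with the subkeys reversed whatever the round function, ECB leaks repeated plaintext blocks as repeated ciphertext blocks, and CBC does not.

```python
"""Toy 64-bit Feistel block cipher (DES-style structure, NOT DES) plus ECB and CBC modes."""

M32 = 0xFFFFFFFF
ROUNDS = 16


def _subkeys(key: int) -> list:
    """One 32-bit subkey per round from a 64-bit key. Toy schedule (assumption), not DES's."""
    return [((key >> (i * 3)) ^ (key * (i + 1))) & M32 for i in range(ROUNDS)]


def _f(r: int, k: int) -> int:
    """Round function. It need not be invertible; the Feistel structure guarantees decryptability."""
    x = ((r ^ k) * 0x9E3779B1) & M32
    x = ((x << 13) | (x >> 19)) & M32
    return x ^ (r >> 5)


def _feistel(block: int, keys: list) -> int:
    left, right = block >> 32, block & M32
    for k in keys:
        left, right = right, left ^ _f(right, k)   # XOR F(right, k) into left, then swap halves
    return (right << 32) | left                     # undo the final swap


def encrypt_block(block: int, key: int) -> int:
    return _feistel(block, _subkeys(key))


def decrypt_block(block: int, key: int) -> int:
    return _feistel(block, list(reversed(_subkeys(key))))   # same network, subkeys reversed


def _blocks(data: bytes) -> list:
    assert len(data) % 8 == 0, "toy code: caller pads to a multiple of 8 bytes"
    return [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]


def ecb_encrypt(data: bytes, key: int) -> bytes:
    """Each block encrypted independently: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(encrypt_block(b, key).to_bytes(8, "big") for b in _blocks(data))


def ecb_decrypt(data: bytes, key: int) -> bytes:
    return b"".join(decrypt_block(b, key).to_bytes(8, "big") for b in _blocks(data))


def cbc_encrypt(data: bytes, key: int, iv: int) -> bytes:
    """Previous ciphertext block (IV for the first) is XORed into each plaintext block first."""
    out, prev = [], iv
    for b in _blocks(data):
        prev = encrypt_block(b ^ prev, key)
        out.append(prev.to_bytes(8, "big"))
    return b"".join(out)


def cbc_decrypt(data: bytes, key: int, iv: int) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append((decrypt_block(c, key) ^ prev).to_bytes(8, "big"))
        prev = c
    return b"".join(out)
```

Encrypting the same 8-byte block three times under ECB gives three identical ciphertext blocks, which is the pattern leak the text warns about; under CBC the first ciphertext block already differs from the ECB result because the IV was mixed in, and changing the IV changes the whole ciphertext, which is why the IV must be fresh for every message.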
portion of the keystream.
The Rijndael algorithm supports block sizes of 128, 192, and 256 bits
with keys of the same lengths. The number of rounds depends on the key
size: 10, 12, and 14 respectively. AES, as standardized, supports only
the 128-bit block size (with 128-, 192-, or 256-bit keys).
RC4 was also developed by Ron Rivest, in 1987, and became the widely
used stream cipher in WEP and SSL/TLS; it is now considered broken and
its use in TLS is prohibited. The key length is variable, from 8 to 2048
bits. The key initialises a 256-byte state vector that holds a
permutation of all 8-bit values from 0 to 255. The state is used to
generate the keystream, which is XORed with the plaintext message.
8.5.7 RSA
The public key is {e, n}, where n = pq. The integer e is relatively prime
to φ(n) = (p-1)(q-1), and the private exponent d is the inverse of e
modulo φ(n).
8.5.8 Diffie-Hellman Algorithm
Private and public keys are still used. Each host randomly selects a
private key, which must be less than the shared prime modulus, and
computes its own public key from it. The two public keys are exchanged,
and each side combines the other's public key with its own private key
to compute a common session key.
Once complete, the two parties can encrypt their data using that
symmetric key.
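Both algorithms with small numbers, as an added example (not from the study guide): textbook RSA key generation, encryption and decryption, and a Diffie-Hellman exchange, in Python. The primes, exponents and private values are the small, well-known teaching values (p=61, q=53, e=17 for RSA; p=23, g=5 for DH) chosen so the arithmetic can be checked by hand; real keys are thousands of bits and real RSA uses padding, which this omits. The brute-force discrete-log routine shows what an eavesdropper would have to do to recover a DH private key from the exchanged public values, and why the size of the prime is what makes that infeasible.

```python
"""Textbook RSA and Diffie-Hellman with small, hand-checkable numbers (teaching values only)."""
from math import gcd


def rsa_keygen(p: int, q: int, e: int = 17) -> tuple:
    """Return ((e, n), (d, n)). e must be coprime to phi(n) = (p-1)(q-1); d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse, so that e*d = 1 (mod phi(n))
    return (e, n), (d, n)


def rsa_encrypt(m: int, pub: tuple) -> int:
    e, n = pub
    return pow(m, e, n)


def rsa_decrypt(c: int, priv: tuple) -> int:
    d, n = priv
    return pow(c, d, n)


def dh_public(g: int, p: int, private: int) -> int:
    """Public value g^private mod p; `private` is chosen at random below p by each host."""
    return pow(g, private, p)


def dh_shared(peer_public: int, p: int, private: int) -> int:
    """Both sides get the same value: (g^b)^a = (g^a)^b mod p."""
    return pow(peer_public, private, p)


def brute_force_discrete_log(g: int, p: int, public: int):
    """What an eavesdropper must solve to recover a private key from a public value:
    trivial for p=23, infeasible for the 2048-bit primes used in practice."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None
```

The exchange shown here is unauthenticated: an attacker in the middle can run two separate exchanges, one with each party, which is why IKE (above) authenticates the peers with certificates or a pre-shared secret before the Diffie-Hellman result is trusted.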
Hash functions
Message authentication code
Simple hash functions break the message down into fixed-size blocks
which are then XORed together; this detects accidental corruption but
offers no resistance to deliberate manipulation.
MD5 was developed by Ron Rivest at MIT in 1991 (published as RFC 1321
in 1992) and was for many years the most widely used hashing algorithm;
practical collision attacks have since been found, so it should not be
used where collision resistance matters. It generates a 128-bit message
digest. The message is processed in 512-bit blocks through four rounds,
each consisting of 16 steps.
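Why the "simple" XOR-of-blocks hash is not a cryptographic hash, as an added example (not from the study guide): a Python implementation of that hash, two ways of producing a different message with the same hash value (reordering blocks, and altering a block while appending a compensating block), and the same messages under SHA-256 from the standard library for contrast. The 4-byte block size and the sample message are assumptions chosen for readability.

```python
"""A block-XOR 'hash' and two trivial collisions, contrasted with SHA-256."""
import hashlib

BLOCK = 4   # toy block size (assumption); the weakness does not depend on it


def xor_block_hash(data: bytes) -> bytes:
    """Pad with zeros to a block multiple, then XOR all blocks together."""
    data = data + b"\x00" * (-len(data) % BLOCK)
    acc = bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        acc = bytes(x ^ y for x, y in zip(acc, data[i:i + BLOCK]))
    return acc


def reorder_collision(data: bytes) -> bytes:
    """XOR is commutative, so swapping the first two blocks leaves the hash unchanged."""
    return data[BLOCK:2 * BLOCK] + data[:BLOCK] + data[2 * BLOCK:]


def forge(data: bytes, index: int, new_block: bytes) -> bytes:
    """Replace block `index` with new_block, then append (old XOR new): the hash is unchanged
    because the appended block cancels the difference. Requires block-aligned data."""
    assert len(data) % BLOCK == 0 and len(new_block) == BLOCK
    old = data[index * BLOCK:(index + 1) * BLOCK]
    fix = bytes(x ^ y for x, y in zip(old, new_block))
    return data[:index * BLOCK] + new_block + data[(index + 1) * BLOCK:] + fix


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()
```

A message such as `PAY=0100TO=bob!!` can be changed to pay 9999 while keeping the XOR hash identical, which is exactly the manipulation a message authentication code or a real hash such as SHA-256 exists to prevent.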
Secure Hash Algorithm (SHA) were developed by NIST in 1993 and
issued as the Federal Information Processing Standard (FIPS) 180. A
revised version became SHA-1 in 1995.
the CA's own certificate. After this validation, the details contained in
the CA's certificate and its public key can be used to obtain and
validate other certificates issued by the same CA.
The ICA will automatically trust all modules managed by the same
server that employs it. This is not true for External CAs, so the
external CA's certificate must be obtained and trusted.
request. The request is delivered manually to the CA by the
administrator. The administrator can complete the process by
importing the certificate issued by the CA to the server.
The VPN will also validate the use of the certificate in a given
situation, such as confirming the:
Certificate is authorized to perform the required action.
Correct certificate is used in the negotiation.
Secure Sockets Layer (SSL) became the de facto standard for securing
Internet transactions. It sits between TCP and the application layer
(not in the network layer). SSL uses both symmetric and asymmetric
cryptography: asymmetric operations authenticate the server and
establish a session key, and symmetric ciphers then protect the bulk of
the communication. To authenticate, SSL relies on the distribution of
digital certificates.
8.6.7 Transport Layer Security (TLS)
TLS is used in conjunction with HTTP, FTP, and SMTP, tunning on top
of them. It can be used with TCP or UDP. It is also used to create a
Virtual Private Network by tunneling an entire network stack. SIP uses
TLS to protect its application signaling.
8.6.8 Secure Shell (SSH)
The Pretty Good Privacy (PGP) protocol is used for privacy and digital
signing of email messages, providing end-to-end security between
sender and receiver. Traditionally, PGP performs key exchanges
using RSA public key cryptography and encrypts messages using
IDEA.
Within PGP, any user can vouch for the identity of another user by
signing that user's public key, creating a web of trust rather than a
hierarchical CA model. A user's public key can be obtained directly from
the user and its fingerprint (hash) then confirmed out of band. Keys are
stored in files called key rings; public keys can also be found on key
servers on the Internet.
embedded key to produce a unique string of numbers
and/or characters in a given timeframe, usually one
minute. The user will enter the character string whenever
access is requested to authenticate themselves.
Typically, the process requires the user to present the memory card
and a user ID or PIN. If the authentication information on the memory
card matches with the user provided information, access is granted. A
memory card can be used with computers, but a reader is required to
process the information.
Despite this security, memory cards have a basic flaw: the data stored
on the card is not protected. The data can be extracted or copied. Since
the card cannot process information, it cannot protect the data it
holds. Smart cards, on the other hand, can have security controls and
logic embedded in their integrated circuits.
A smart card is the size of a credit card and has a semiconductor chip
embedded in it. The chip is either a memory chip with
nonprogrammable logic or a microprocessor with internal memory.
The chip will accept, store, and send information. That information is
divided into four sections:
Information that can be read only.
Information that can be added only.
Information that is updated only.
Information that has no access available.
Smart cards are more correctly termed integrated circuit cards (ICC) by
the International Organization for Standardization (ISO), a term
covering all devices that are an ISO ID-1 identification card with an
integrated circuit (IC). The card measures 85.6 x 53.98 x 0.76 mm, the
size of a bank or credit card.
A microcontroller is integrated into the chip to manage the data in
memory. Control logic is used to provide various services, including
security. The construction of the IC has great influence on the controls
associated with the data.
How smart cards interact with other system defines the type of smart
cards available. There are two basic types:
Contact cards require physical contact in order to
communicate with other systems.
Contactless cards use proximity technology to provide an
interface.
ISO 7816-2 allows eight electrical contacts for a contact ICC to
interact with other systems, though only six are used. Each contact
(Cn) has a designation starting with Vcc and is embedded
counterclockwise around the plate.
possible to the plate or magnetic strip. Contactless cards are found in
devices such as cell phones and PDAs
The PCD (proximity coupling device, the reader) alternates between two
modulation, or signalling, types until a PICC (proximity integrated
circuit card) joins the communication. Both types, Type A and Type B,
support 106 kbps in bidirectional communication.
The log-on process for smart cards is done at the reader and not the
host, which is an advantage of the technology because the identifier
and password (PIN) are not exposed in transit to the host.
VPNs.
Hard disk encryption.
8.7.3 Biometrics
Face scan – verifies the geometry of the user's face (thermal variants
verify the facial heat signature instead).
CER, the more accurate the system.
WEP keys are 64-bit and 128-bit, but they are sometimes referred to as
40-bit and 104-bit keys because 24 bits of each are the Initialization
Vector (IV), which is transmitted in the clear with every frame. WEP keys
are typically static, meaning they never change. Most access points and
clients can hold up to four WEP keys simultaneously, allowing network
segmentation.
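The RC4 keystream generation described earlier in this chapter and the consequence of WEP's static key plus 24-bit IV, in one added example (not from the study guide): a Python implementation of RC4's key-scheduling and pseudo-random generation algorithms, WEP-style per-frame keying (IV prepended to the static key, IV sent in the clear), and the keystream-reuse attack. The static key, IV and frame contents are constructed for the demonstration; the `recover_second_plaintext` routine is the textbook "two-time pad" recovery and not any particular tool. The RC4 check value ("Key"/"Plaintext") is the published RC4 test vector.

```python
"""RC4 (KSA + PRGA) and WEP keystream reuse: same IV + same static key => same keystream."""


def rc4_keystream(key: bytes, length: int) -> bytes:
    # Key-scheduling algorithm: the 256-byte state starts as the identity permutation of 0..255
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: keep permuting the state, emit one byte per step
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def wep_encrypt(static_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-frame key is IV || static key; the 3-byte IV travels in the clear in front of the data.
    (WEP's ICV is omitted here; it is irrelevant to the keystream-reuse problem.)"""
    assert len(iv) == 3, "WEP IV is 24 bits"
    return iv + rc4(iv + static_key, plaintext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_second_plaintext(frame1: bytes, frame2: bytes, known_plaintext1: bytes) -> bytes:
    """Two frames with the same IV (hence the same keystream) satisfy C1 xor C2 = P1 xor P2,
    so knowing (or guessing, e.g. protocol headers) P1 reveals P2 without the key."""
    assert frame1[:3] == frame2[:3], "different IVs: keystreams differ, this trick does not apply"
    c1, c2 = frame1[3:], frame2[3:]
    return xor_bytes(xor_bytes(c1, c2), known_plaintext1)
```

With only 2^24 IVs and a static key, a busy access point is guaranteed to reuse an IV within hours, and many implementations started the IV counter at zero on every reboot; the related-key weaknesses in RC4's key schedule that later made the key itself recoverable from captured frames are a separate problem that this example does not reproduce.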
Advanced Encryption Standard (AES) replaces the RC4 used in WEP. AES
uses the Rijndael algorithm with specified key lengths of 128, 192, and
256 bits. The National Institute of Standards and Technology adopted
AES as Federal Information Processing Standard (FIPS) 197.
SSID filtering is the most basic form of access control, where the
SSID of the wireless client must match the SSID on the access point
or other clients on the network. An SSID is easy to identify using a
sniffer. The SSID is typically part of the beacon sent by access points,
though some manufacturers have provided the ability to remove the
SSID from the beacon or probe responses. Even so, the SSID still
appears in clear text in association requests and in the directed probe
requests clients send, so hiding it is not an effective access control.
With MAC address filtering, the network administrator programs a list
of allowable MAC addresses into each access point or into a RADIUS
authentication server. Specific MAC addresses can also be blocked
from the network. Because a client's MAC address is sent in the clear
and can be changed in software, MAC filtering is easily bypassed by an
attacker who sniffs an allowed address.
8.8.2 Authentication
Shared Key authentication requires WEP. The WEP key is typically
entered manually by the administrator on both the client and the
access point. Shared Key authentication is itself weaker than Open
System authentication: the cleartext challenge and its WEP-encrypted
response together reveal a keystream to any eavesdropper.
Since WEP is a weak security mechanism, a new one was required.
Wi-Fi Protected Access (WPA) is based on a draft of the 802.11i
standard and addresses WEP's static-encryption-key issue. WPA uses the
Temporal Key Integrity Protocol (TKIP), which derives a fresh key for
every data packet.
manufacturers.
1. The client makes a request to associate with an access point.
2. The access point requests the EAP identity of the client.
3. The client responds to the access point's request, and the access point
forwards the response to the Authentication Server.
4. The Authentication Server sends a request for EAP
authentication to the access point, which forwards it to the client.
5. The client responds to the request via the access point,
which forwards the response to the Authentication Server.
6. The Authentication Server verifies the association to the
access point and further to the client.
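The six-step exchange above as a runnable simulation; this is an added example, not code from the study guide. The Msg, Client, AccessPoint and AuthServer classes and the HMAC challenge/response are constructed stand-ins for a real EAP method such as EAP-TLS, and the shared secrets are made-up sample values. It shows the access point acting as a pass-through that only authorizes a client after the Authentication Server returns EAP-Success.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Msg:
    kind: str            # e.g. "Identity-Request", "EAP-Request", "EAP-Success"
    payload: bytes = b""


class AuthServer:
    """Stand-in for the Authentication Server (RADIUS-style). The challenge/
    response below is a constructed HMAC scheme, not a real EAP method."""

    def __init__(self, credentials):
        self.credentials = credentials   # identity -> shared secret (constructed)
        self.challenges = {}
        self.log = []

    def handle(self, msg):
        self.log.append(msg.kind)
        if msg.kind == "Identity-Response":
            ident = msg.payload.decode()
            if ident not in self.credentials:
                return Msg("EAP-Failure")          # unknown identity
            chal = os.urandom(16)
            self.challenges[ident] = chal
            # step 4: the server asks for EAP authentication
            return Msg("EAP-Request", ident.encode() + b"|" + chal)
        if msg.kind == "EAP-Response":
            ident_b, tag = msg.payload.split(b"|", 1)
            ident = ident_b.decode()
            chal = self.challenges.pop(ident, None)
            secret = self.credentials.get(ident)
            if chal is not None and secret is not None:
                expected = hmac.new(secret, chal, hashlib.sha256).digest()
                if hmac.compare_digest(expected, tag):
                    # step 6: verified; the access point may now authorize the client
                    return Msg("EAP-Success", ident_b)
            return Msg("EAP-Failure")
        return Msg("EAP-Failure")


class Client:
    """Supplicant: answers the identity request and the challenge."""

    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret
        self.state = "unauthenticated"

    def handle(self, msg):
        if msg.kind == "Identity-Request":
            return Msg("Identity-Response", self.identity.encode())          # step 3
        if msg.kind == "EAP-Request":
            _, chal = msg.payload.split(b"|", 1)
            tag = hmac.new(self.secret, chal, hashlib.sha256).digest()
            return Msg("EAP-Response", self.identity.encode() + b"|" + tag)  # step 5
        self.state = "authenticated" if msg.kind == "EAP-Success" else "rejected"
        return None


class AccessPoint:
    """Authenticator: relays EAP between client and server and keeps the
    client's port blocked until the server returns EAP-Success."""

    def __init__(self, server):
        self.server = server
        self.authorized = set()
        self.log = []

    def associate(self, client):
        self.log.append(f"{client.identity}: association request")   # step 1
        reply = client.handle(Msg("Identity-Request"))               # step 2
        while True:
            self.log.append(f"relay {reply.kind} -> server")
            srv = self.server.handle(reply)
            self.log.append(f"relay {srv.kind} -> client")
            if srv.kind in ("EAP-Success", "EAP-Failure"):
                client.handle(srv)
                if srv.kind == "EAP-Success":
                    self.authorized.add(client.identity)
                return srv.kind == "EAP-Success"
            reply = client.handle(srv)   # step 4 delivered, step 5 answered


def run_demo():
    server = AuthServer({"alice": b"alice-secret"})   # constructed credentials
    ap = AccessPoint(server)
    good = ap.associate(Client("alice", b"alice-secret"))
    bad_secret = ap.associate(Client("alice", b"wrong-secret"))
    unknown = ap.associate(Client("mallory", b"anything"))
    return good, bad_secret, unknown, sorted(ap.authorized)


if __name__ == "__main__":
    print(run_demo())   # (True, False, False, ['alice'])
```

Note that the access point never sees the secret; whether the exchange also authenticates the network to the client depends on the EAP method chosen, which is the point of the EAP type list that follows.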
There are several types of EAP authentication that are used to secure
a wireless LAN connection. Understanding the EAP type helps in
understanding the authentication methods used, such as:
Passwords
Key generation
Mutual authentication
Protocol
using dynamically generated WEP keys, and support
mutual authentication
EAP-TLS (Transport Layer Security) – provides
certificate-based, mutual authentication of the client and
the network
EAP-TTLS – an extension of EAP-TLS that requires only
server-side certificates and can support legacy password
protocols
EAP-SRP (Secure Remote Password) – a secure,
password-based authentication and key exchange protocol
used to securely authenticate clients to servers, where the
user must memorize only a small secret, such as a password,
without any other information being available
EAP-SIM (GSM) – used as a mechanism for Mobile IP
network access authentication and registration key
generation using the GSM Subscriber Identity Module
(SIM)
There are three options for configuring a wireless LAN, and different
hardware is required for each configuration:
Basic service set.
Extended service set.
Independent basic service set.
A basic service set consists of only one access point and one or more
wireless clients. A BSS utilizes infrastructure mode, which requires the use of
an access point and that all traffic traverses that access point.
Communication from one wireless client to another must go through
the access point. A single cell, or RF area, is covered by the access
point. The cell consists of varying data rate zones that can be
imagined as concentric circles of differing data speeds. The actual
data speeds depend on the technologies used; for instance,
802.11b equipment provides data speeds of 11, 5.5, 2 and 1
Mbps. The data rates decrease the farther the client is from the center. A
BSS has one unique SSID.
covers a single cell and has one SSID. The clients share the
responsibility of sending beacons to each other. In order to transmit
outside of the IBSS, one client must also act as a gateway or router. A
software solution can serve this purpose. Because clients make direct
connections with each other to transmit data, the solution is often
referred to as a peer-to-peer network.
9 Business Continuity and Disaster Recovery
during recovery.
Restoration plan – activities used to return operations to
normal.
The BCP process takes the organization's entire plan into consideration.
All BCP activities start with a risk analysis to determine
the identifiable threats to the organization. Risk, in this sense, is
proportional to the value of the asset and the probability that the threat
will occur. Application systems are classified based on their value to the
business, which is proportional to the role the application system has
in supporting business strategy.
Continuity of support plan.
Crisis communication plan.
Incident response plan.
Disaster recovery plan.
Occupant emergency plan.
9.1.2 Disasters
9.1.4 Classifications
Risks are ranked based on the expected impact of a disruption and the
likelihood of the disruption occurring. The ranking system used
typically contains the following classifications:
Critical – tolerance to disruption is low and disruption is very costly;
functions must be replaced by identical capabilities
automatically.
Vital – functions can be performed manually, which allows
greater tolerance to interruption, as long as full services
are available within a certain time frame.
Sensitive – functions can be performed manually
over a longer period of time, with additional staffing
required.
Non-sensitive – functions may be interrupted for an
extended period of time with little or no cost to the
company.
The Recovery Point Objective (RPO) is the earliest point in time that
data can be recovered based on the acceptable data loss projections
for a disruption. The objective quantifies the amount of data that can
be lost. The Recovery Time Objective (RTO) defines the earliest
point in time that business operations must resume, determining the
acceptable downtime. Both objectives are based on time: the lower
the required time, the higher the cost of the recovery strategy.
backup site.
Usage period – the time and resource requirements.
Communications – defines the communication methods
and frequency.
Warranties – defines the availability and adequacy terms.
Audit – provides a “right-to-audit” clause.
Testing – defines the rights to testing.
Reliability – defines the reliability of the site.
Application team – restores user packs and application
programs.
Security team – monitors system security and
communication links.
Emergency operations team – consists of operations staff and
supervisors at the systems recovery site who run
operations for the duration of the recovery.
Network recovery team – reroutes wide-area voice and
data traffic.
Communications team – works with the remote network
recovery team to establish the network for communications
purposes.
Transportation team – coordinates the transport of
company employees.
User hardware team – coordinates the delivery and
installation of user hardware devices.
Data preparation and records team – updates the
applications database.
Administrative support team – acts as a message center
for the user recovery site.
Supplies team – coordinates logistics for an ongoing
supply of office and computer supplies.
Salvage team – manages the relocation project.
Relocation team – coordinates move from hot site to new
or restored location.
Coordination team – manages efforts across offices in
different locations.
Legal affairs team – handles any legal matters that arise.
Recovery test team – tests and analyzes various plans.
Training team – provides training to users about business
continuity and disaster recovery.
9.2 Backup and Restore Practices
Back to the different RAID levels: deciding which level to use is one of
the most important decisions in SAN design using RAID. Level 0 is
best used when high throughput is desired at the lowest cost
possible, but it offers no redundancy. Level 1 is excellent when the
primary requirements are high availability and high reliability, but it is
costly since double the storage capacity is required. RAID level 3
provides the highest data transfer rates and costs less than other levels,
but write performance is low, and it is unsuitable for frequent
transactions using small data transfers. Level 5 has a high read rate
and is reliable. It is most suitable for multiple applications, but
performance goes down when a drive fails, though it can withstand
single drive failures. Level 6 has high reliability and high read speed.
It is best used when the primary requirements are high availability and
data security. The cost is high and the write speed is slower than RAID
5.
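RAID 5's single-drive fault tolerance, its write penalty and its degraded-mode read cost in code; this is an added example, not from the study guide. The Raid5 class, the 4-byte block size and the sample stripe contents are constructed for the demonstration.

```python
from typing import List

BLOCK = 4   # constructed block size in bytes, kept tiny so the demo is readable


def xor_blocks(blocks):
    """XOR any number of equal-length blocks together (RAID 5 parity)."""
    out = bytearray(BLOCK)
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


class Raid5:
    def __init__(self, ndrives):
        assert ndrives >= 3, "RAID 5 needs at least three drives"
        self.n = ndrives
        self.drives: List[List[bytes]] = [[] for _ in range(ndrives)]
        self.failed = set()
        self.io = {"reads": 0, "writes": 0}

    def parity_drive(self, stripe):
        # parity rotates across the drives so no single drive becomes a hot spot
        return (self.n - 1 - stripe) % self.n

    def data_drives(self, stripe):
        p = self.parity_drive(stripe)
        return [d for d in range(self.n) if d != p]

    def _read(self, drive, stripe):
        if drive in self.failed:
            raise IOError(f"drive {drive} has failed")
        self.io["reads"] += 1
        return self.drives[drive][stripe]

    def _write(self, drive, stripe, blk):
        if drive in self.failed:
            raise IOError(f"drive {drive} has failed")
        if stripe == len(self.drives[drive]):
            self.drives[drive].append(blk)
        else:
            self.drives[drive][stripe] = blk
        self.io["writes"] += 1

    def write_stripe(self, data_blocks):
        """Full-stripe write: n-1 data blocks plus one parity block."""
        assert len(data_blocks) == self.n - 1
        stripe = len(self.drives[0])
        for drive, blk in zip(self.data_drives(stripe), data_blocks):
            self._write(drive, stripe, blk)
        self._write(self.parity_drive(stripe), stripe, xor_blocks(data_blocks))

    def update_block(self, stripe, idx, new):
        """Small write: read old data and old parity, compute new parity, write
        both back. These four I/Os are the RAID 5 write penalty."""
        d, p = self.data_drives(stripe)[idx], self.parity_drive(stripe)
        old, old_parity = self._read(d, stripe), self._read(p, stripe)
        self._write(d, stripe, new)
        self._write(p, stripe, xor_blocks([old_parity, old, new]))

    def read_block(self, stripe, idx):
        """Read one data block; if its drive is down, rebuild it from every
        other drive in the stripe (degraded read: n-1 reads instead of 1)."""
        d = self.data_drives(stripe)[idx]
        if d not in self.failed:
            return self._read(d, stripe)
        if len(self.failed) > 1:
            raise IOError("RAID 5 cannot survive a second drive failure")
        others = [self._read(o, stripe) for o in range(self.n) if o != d]
        return xor_blocks(others)

    def fail_drive(self, drive):
        self.failed.add(drive)


def demo():
    arr = Raid5(4)
    arr.write_stripe([b"AAAA", b"BBBB", b"CCCC"])   # constructed sample data
    arr.write_stripe([b"1111", b"2222", b"3333"])
    arr.update_block(0, 1, b"bbbb")                  # read-modify-write
    write_penalty = (arr.io["reads"], arr.io["writes"])   # (2, 10)
    arr.io = {"reads": 0, "writes": 0}
    arr.read_block(0, 1)
    healthy_reads = arr.io["reads"]                  # 1
    arr.fail_drive(1)
    arr.io["reads"] = 0
    rebuilt = [arr.read_block(0, 1), arr.read_block(1, 1)]   # both lived on drive 1
    degraded_reads = arr.io["reads"]                 # 3 per block -> 6
    arr.fail_drive(2)
    try:
        arr.read_block(0, 1)
        survived_two = True
    except IOError:
        survived_two = False
    return {"write_penalty": write_penalty, "healthy_reads": healthy_reads,
            "rebuilt": rebuilt, "degraded_reads": degraded_reads,
            "survived_two_failures": survived_two}


if __name__ == "__main__":
    print(demo())
```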
9.2.2 Backups
9.2.3 Full and Incremental Backups
A full backup will back up all the data blocks in the datafiles, whether
they are modified or not. An incremental backup will only back up the
data blocks in the datafiles that were modified since the last
incremental backup. A full backup cannot be part of an incremental
backup strategy. The baseline backup for an incremental backup is
designated as level 0. This level 0 backup is a full backup, since all
blocks are backed up regardless of modification. Incremental backups
are then merged with the level 0 backup in the future to complete a
full backup at the current point in time.
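The level 0 plus incremental chain described above as a block-level simulation; this is an added example, not code from the study guide. The Datafile, Backup and BackupSet classes and the per-block change counter are constructed, and the restore also checks for a missing incremental in the chain, a failure mode the paragraph does not cover.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Block:
    data: bytes
    changed_at: int   # change counter value at last modification (constructed)


@dataclass
class Datafile:
    blocks: List[Block]
    change_no: int = 0   # monotonically increasing change counter

    def write(self, idx, data):
        self.change_no += 1
        self.blocks[idx] = Block(data, self.change_no)


@dataclass
class Backup:
    seq: int                   # position in the chain; 0 = level 0 baseline
    since: int                 # blocks with changed_at > since were copied
    upto: int                  # datafile change number when the backup ran
    blocks: Dict[int, bytes]   # block index -> block content


class BackupSet:
    def __init__(self):
        self.chain: List[Backup] = []

    def level0(self, df):
        """Baseline: every block is copied regardless of modification."""
        self.chain = [Backup(0, -1, df.change_no,
                             {i: b.data for i, b in enumerate(df.blocks)})]
        return self.chain[0]

    def incremental(self, df):
        """Copy only the blocks modified since the previous backup in the chain."""
        if not self.chain:
            raise RuntimeError("an incremental needs a level 0 baseline first")
        last = self.chain[-1]
        changed = {i: b.data for i, b in enumerate(df.blocks)
                   if b.changed_at > last.upto}
        self.chain.append(Backup(last.seq + 1, last.upto, df.change_no, changed))
        return self.chain[-1]

    def restore(self, chain: Optional[List[Backup]] = None):
        """Merge the level 0 image with each incremental in order to rebuild
        a full image as of the last incremental. A gap in the chain would
        silently leave stale blocks, so the sequence is verified first."""
        chain = self.chain if chain is None else chain
        if not chain or chain[0].seq != 0:
            raise RuntimeError("restore needs the level 0 baseline")
        image = dict(chain[0].blocks)
        prev = chain[0]
        for inc in chain[1:]:
            if inc.seq != prev.seq + 1 or inc.since != prev.upto:
                raise RuntimeError(f"gap in incremental chain before backup {inc.seq}")
            image.update(inc.blocks)
            prev = inc
        return [image[i] for i in range(len(image))]


def demo():
    df = Datafile([Block(b"blk%d" % i, 0) for i in range(6)])   # constructed datafile
    bs = BackupSet()
    bs.level0(df)
    df.write(2, b"v2-2")
    df.write(4, b"v2-4")
    inc1 = bs.incremental(df)          # picks up blocks 2 and 4
    df.write(2, b"v3-2")
    inc2 = bs.incremental(df)          # picks up block 2 only
    restored = bs.restore()
    broken = bs.chain[:1] + bs.chain[2:]   # simulate losing inc1
    try:
        bs.restore(broken)
        gap = False
    except RuntimeError:
        gap = True
    return {"inc1": sorted(inc1.blocks), "inc2": sorted(inc2.blocks),
            "match": restored == [b.data for b in df.blocks],
            "gap_detected": gap}


if __name__ == "__main__":
    print(demo())
```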
9.2.5 Data Replication
without disrupting the backup. Some operations may switch between
modes, starting in synchronous mode until a communication problem
occurs, at which point the operation switches to asynchronous mode.
Gaining management support.
Building a project team for continuity planning activities
and defining the roles within the team.
Defining project resource requirements.
Identifying and leveraging existing and planned disaster
avoidance preparations.
A benchmark or peer review.
Designing the initial acceptance testing of the plans.
Within the implementation phase, the project team works with the
organization's business process owners to implement:
Continuity plans.
Short-term and long-term testing.
Short-term and long-term maintenance strategies.
Training, awareness, and education processes.
Management processes.
10 Practice Exam
Question 1
A) Flow-charting
B) Specialized audit software
C) Generalized audit software
D) Audit logs
Question 2
Question 3
Question 4
A) Compliant specifications
B) Minimum specifications
C) State of resources
D) Initial specifications
Question 5
A) Administrative
B) Operational
C) Internal accounting
D) Financial
Question 6
A) Flowcharts
B) Documentation
C) Policies
D) Measurements
Question 7
Who are the people who have the most invested in the success or
failure of a project?
A) Project team
B) Stakeholders
C) Executive management
D) Project Office
Question 8
A) Phase 4A
B) Phase 3B
C) Phase 3A
D) Phase 2
Question 9
A) Issuance
B) Uniqueness
C) Nondescriptive
D) Maintenance
Question 10
A) Sensitive
B) Non-sensitive
C) Vital
D) Critical
Question 11
A) Severity
B) Frequency
C) Customer
D) Impact
Question 12
A) Standard
B) Normal
C) Repeat
D) Emergency
Question 13
A) Least privileges
B) Job sensitivity
C) Vacations
D) Job rotation
Question 14
A) Integrity
B) Accountability
C) Availability
D) Confidentiality
Question 15
A) Preventative
B) Compensation
C) Deterrent
D) Corrective
Question 16
Question 17
A) Discovery sampling
B) Frequency-estimating sampling
C) Stop-or-go sampling
D) Fixed sample-size attribute sampling
Question 18
A) Documentation
B) Evidence
C) Supervision
D) All of the Above
Question 19
A) Operational
B) Integrated
C) Administrative
D) Specialized
Question 20
A) Audit
B) Risk Assessment
C) Business Impact Analysis
D) Performance Monitoring
Question 21
Question 22
A) Information is correct.
B) Confirmation from third parties is provided.
C) Information is from qualified individual.
D) High level of objectivity in creating the evidence.
Question 23
A) Confirmation
B) Analytical
C) Circumstantial
D) Documentation
Question 24
Question 25
A) Control
B) Implement
C) Evaluate
D) Design
Question 26
What method of dealing with risk looks to the costs and benefits of
handling a risk or leaving it alone?
A) Risk Mitigation
B) Risk Avoidance
C) Risk Acceptance
D) Risk Transfer
Question 27
A) Matrix
B) Projectized
C) Functional
D) Mixed
Question 28
A) Repeater
B) Switch
C) Router
D) Access Point
Question 29
A) TACACS+
B) RADIUS
C) Kerberos
D) None of the Above
Question 30
A) Communications
B) Network recovery
C) Emergency management
D) Application
Question 31
A) Shoulder surfing
B) Emanations
C) Trojan horses
D) Eavesdropping
Question 32
A) Business Continuity
B) Change Management
C) Problem Management
D) Incident Management
Question 33
A) Service
B) Organization
C) Internal
D) Interface
Question 34
A) Offshoring
B) Outshoring
C) Outsourcing
D) Offsite support
Question 35
Question 36
A) Detective
B) Preventative
C) Corrective
D) Recovery
Question 37
A) Reliability
B) Legality
C) Integrity
D) Relevancy
Question 38
A) Relevance
B) Competence
C) Sufficiency
D) Validity
Question 39
A) Controls
B) Risks
C) Assets
D) Solutions
Question 40
A) Performance compliance
B) Regulatory compliance
C) Establishing baselines
D) All of the above
11 Answer Guide
Question 1
Answer: A
Reasoning: Flow charting is a technique used to diagram processes
and understand the flow of the process, whether manual or automated.
Question 2
Answer: C
Reasoning: Substantive testing ensures that data, information, and
transactions maintain their integrity.
Question 3
Answer: B
Reasoning: Standard deviation looks at the variance of the values in a
sample from the sample mean to determine the spread or
dispersion of the sample.
Question 4
Answer: D
Reasoning: Function baselines identify the initial specification before
changes are made to the environment.
Question 5
Answer: C
Reasoning: Internal accounting controls handle accounting objectives,
including assets and financial records.
Question 6
Answer: A
Reasoning: The artifacts associated with the Zachman framework
include diagrams, flowcharts, data models, class models, and code.
Question 7
Answer: B
Reasoning: Stakeholders are actively involved in the execution of a
project and have the greatest concern with the success or failure of
the project. For this reason, numerous communication channels are
relied on to keep the stakeholders informed of the project's status.
Question 8
Answer: C
Reasoning: An established baseline of a system's specification is the
outcome of phase 3A of software design.
Question 9
Answer: D
Reasoning: The three essential practices related to identifying
individuals are uniqueness, nondescriptive, and issuance.
Question 10
Answer: B
Reasoning: Non-sensitive functions are not required for critical
business processes should a major disruption occur.
Question 11
Answer: C
Reasoning: The customer, specifically the role they have, is not a
valid variable for determining priority; however, a customer's role or
position may have an impact on business operations should a service
disruption occur, which may adjust the priority.
Question 12
Answer: A
Reasoning: Standard risks are usually pre-defined because they are
done often and have a relatively low risk involved in their execution.
Question 13
Answer: D
Reasoning: Job rotation assigns individuals to specific roles
temporarily to reduce collusion.
Question 14
Answer: C
Reasoning: Availability is a security concept where information is
available to be accessed at any time for the appropriate person.
Question 15
Answer: B
Reasoning: Compensation controls apply alternative solutions to react
to changing demands of a system. Redundant systems are used
when thresholds are reached and the controls communicate the need
for alternative systems to bear the workload.
Question 16
Answer: D
Reasoning: Spanning Tree Analysis and Failure Modes and Effect
Analysis are two common quantitative assessments for risks.
Question 17
Answer: A
Reasoning: Discovery sampling allows testing on an attribute which
occurs very rarely.
Question 18
Answer: B
Reasoning: S6 Performance of Audit Work speaks to supervision,
evidence and documentation.
Question 19
Answer: C
Reasoning: Administrative audits focus on the efficiency of the
operation's productivity. Operational audits focus on the controls in
place within the operation.
Question 20
Answer: B
Reasoning: Every major change or introduction of a process into the
environment should begin with a risk assessment to determine what
issues needed to be addressed by the process. Risk assessments are
usually incorporated into other efforts, including business cases and
analysis.
Question 21
Answer: D
Reasoning: Control risks are a classification of material errors that
cannot be detected or prevented by the established controls of an
internal system.
Question 22
Answer: A
Reasoning: Correctness is not an appropriate attribute for determining
the reliability of evidence. The fact that the information is incorrect can
be evidence in itself.
Question 23
Answer: C
Reasoning: Circumstantial evidence is used in a legal context. The
other choices are used primarily in audits.
Question 24
Answer: B
Reasoning: Net benefit is determined by subtracting the present value
of cost from the present value of benefits creating a difference in the
two numbers.
Question 25
Answer: D
Reasoning: The five elements of ISMS framework are control, plan,
implement, evaluate, and maintain.
Question 26
Answer: C
Reasoning: Risk acceptance recognizes that the costs and benefits of
not taking action are better than trying to prevent or mitigate the risk.
Question 27
Answer: A
Reasoning: An organization structured by projects and specialties is
called a matrix organization.
Question 28
Answer: B
Reasoning: An Enterprise ATM is inherently a switch which performs
cell relay services.
Question 29
Answer: C
Reasoning: The Kerberos solution uses symmetric keys and tickets to
authenticate users on the network.
Question 30
Answer: B
Reasoning: The network recovery team is responsible for ensuring all
wide-area traffic, including voice and data, can be exchanged over the
network, requiring some rerouting.
Question 31
Answer: A
Reasoning: Shoulder surfing is a form of social engineering performed
through direct observation. One time use passwords prevent potential
attackers from observing password entries and gaining access to the
network.
Question 32
Answer: D
Reasoning: Incident Management is the initial process for dealing with
service disruptions, providing first attempts to resolve the disruptions
or put a workaround in place. Problem management and eventually
change management will handle situations where a solution cannot be
put into place immediately. Business continuity rarely gets involved
when individual services are disrupted.
Question 33
Answer: B
Reasoning: Business Strategies are used to describe the organization
and are therefore an organization configuration item.
Question 34
Answer: C
Reasoning: Outsourcing relies on third-party support to provide all or
part of a business's IT services.
Question 35
Answer: D
Reasoning: Reductive measures look to reduce the damage that
occurs from a security incident.
Question 36
Answer: A
Reasoning: IDS solutions, or Intrusion Detection Systems, apply
detective controls to identify intrusive events when they happen.
Question 37
Answer: C
Reasoning: Integrity is not required for evidence to be admissible in a
court of law.
Question 38
Answer: B
Reasoning: Quality is a measure of competence which is both valid
and relevant.
Question 39
Answer: A
Reasoning: Controls are used to minimize the risk to the business and
audits are concerned about the effectiveness of these controls and
their compliance to regulatory and process guidelines.
Question 40
Answer: D
Reasoning: Audits are used in a number of capacities, most of which
are meant to understand the current environment in relation to an expected
norm or baseline. An audit can be used to generate an initial baseline or to
determine compliance with an existing baseline, including performance
goals and regulatory requirements.
12 References
13 Websites
www.artofservice.com.au
www.theartofservice.org
www.theartofservice.com
14 Index
A
failure 59, 66-7, 98, 124, 127, 151, 222, 236, 254
Feasibility 6, 91, 100-1
filter 115, 123, 137
firewalls 7, 123, 136, 156, 165, 168
framework 49, 59, 62, 65-6, 68-70
functions 13, 17-18, 27-8, 34, 44, 50, 65, 73-4, 83, 113, 125, 143, 164, 195, 197,
216
levels 14, 33, 39-40, 45-6, 57, 64, 66, 72, 83, 85, 92, 97-8, 111, 125, 165, 222-5
locations 162, 191, 217-18, 220, 224, 227
network 98, 112-16, 118, 120, 123, 132, 137, 142, 149, 156-7, 164, 202-3, 205-7,
220-1, 226-7, 259
nodes 115, 144
plaintext 154, 171-2, 174, 176, 205
plans 14, 17, 23, 59, 109, 212-13, 221, 232, 258
policies 5, 46, 51-2, 57-9, 61, 71, 97, 235
population 34-6, 73
private key 140, 145, 148, 172, 174, 180-1, 184
problem management 7, 125-6, 248, 259
problems 8, 47-8, 76, 78, 83, 88, 97, 100, 103, 106-7, 124, 126, 128, 205, 238
programs 15, 19, 95, 101, 104, 107-8, 152-3, 195
project management 6, 44, 57, 89-90, 94-5
protocols 115-16, 120, 123, 134, 143-4, 146, 165, 167, 187, 190, 203, 206-7
SLAs (Service Level Agreements) 6, 110-11
sniffer 7, 157, 202, 205
software 106, 123, 139, 143, 151-2, 254
solutions 44, 60, 71, 79, 87-8, 97, 101-2, 126, 128, 132, 134-5, 139, 176, 192, 211,
226
sources 32, 136, 138, 143, 163
staff 94
stakeholders 20-1, 54, 62, 89, 92-3, 99, 103, 236, 254
strategies 5, 13, 27, 39, 56, 59, 64-5, 103, 162, 231
switches 7, 116-17, 165, 228, 246, 258
users 67, 103, 113, 121, 125, 127, 129-33, 135-6, 140-1, 146, 150-4, 156, 160, 191-
2, 198-9, 206-7
values 3, 27, 45, 63-4, 66, 69, 163, 172, 177, 179, 199, 213, 223, 234, 253
vendors 76, 106, 133
VPNs (Virtual Private Network) 7, 142-3, 146, 174, 187-9, 206
vulnerabilities 38, 40, 60, 79, 151, 161-2, 164, 183