
Foreword

This Exam Preparation book is intended for those preparing for the
Certified Information Systems Auditor certification.

This book is not a replacement for completing the course. This is a
study aid to assist those who have completed an accredited course
and are preparing for the exam.

Do not underestimate the value of your own notes and study aids.
The more you have, the more prepared you will be.

While it is not possible to pre-empt every question and content that
MAY be asked in the CISA exam, this book covers the main concepts
covered within the CISA discipline.

Due to licensing rights, we are unable to provide an actual CISA exam.
However, the study notes and sample exam questions in this book will
allow you to more easily prepare for a CISA exam.

Ivanka Menken
Executive Director
The Art of Service

Notice of Rights
All rights reserved. No part of this book may be reproduced or transmitted in any form
by any means, electronic, mechanical, photocopying, recording, or otherwise, without
the prior written permission of the publisher.

Notice of Liability
The information in this book is distributed on an “As Is” basis without warranty. While
every precaution has been taken in the preparation of the book, neither the author nor
the publisher shall have any liability to any person or entity with respect to any loss or
damage caused or alleged to be caused directly or indirectly by the instructions
contained in this book or by the products described in it.

Trademarks
Many of the designations used by manufacturers and sellers to distinguish their
products are claimed as trademarks. Where those designations appear in this book,
and the publisher was aware of a trademark claim, the designations appear as
requested by the owner of the trademark. All other product names and services
identified throughout this book are used in editorial fashion only and for the benefit of
such companies with no intention of infringement of the trademark. No such use, or
the use of any trade name, is intended to convey endorsement or other affiliation with
this book.

2
Copyright The Art of Service │Brisbane, Australia│Email:service@theartofservice.com
Web: http://store.theartofservice.com │eLearning: http://theartofservice.org │Phone: +61 (0)7 3252 2055
Write a review to receive any free eBook from our Catalogue - $99 Value!

If you recently bought this book we would love to hear from you!
Benefit from receiving a free eBook from our catalogue at
http://www.emereo.org/ if you write a review on Amazon (or the online
store where you purchased this book) about your last purchase!

How does it work?

To post a review on Amazon, just log in to your account and click on
the Create your own review button (under Customer Reviews) of the
relevant product page. You can find examples of product reviews on
Amazon. If you purchased from another online store, simply follow
their procedures.

What happens when I submit my review?

Once you have submitted your review, send us an email at
review@emereo.org with the link to your review, and the eBook you
would like as our thank you from http://www.emereo.org/. Pick any
book you like from the catalogue, up to $99 RRP. You will receive an
email with your eBook as a download link. It is that simple!

Table of Contents

FOREWORD ............................................................................................................ 1

TABLE OF CONTENTS .............................................................................................. 4

1 CERTIFIED INFORMATION SYSTEMS AUDITOR .............................................. 10

2 EXAM SPECIFICS........................................................................................... 11

3 INFORMATION SYSTEMS AUDIT PROCESS .................................................... 12


3.1 AUDITING PRACTICES ..................................................................................... 12
3.1.1 Audit Planning ..................................................................................... 12
3.1.2 Laws and Regulations .......................................................................... 14
3.1.3 Audit Process ....................................................................................... 15
3.1.4 Types of Audits ..................................................................................... 16
3.1.5 Audit Procedures .................................................................................. 17
3.1.6 Audit Methodology .............................................................................. 18
3.1.7 Audit Risk ............................................................................................. 19
3.1.8 Audit Objectives ................................................................................... 20
3.2 ISACA IS AUDIT STANDARDS, GUIDELINES AND PROCEDURES................................ 20
3.2.1 ISACA Code of Professional Ethics ........................................................ 20
3.2.2 ISACA IS Auditing Standards ................................................................ 21
3.2.3 ISACA IS Auditing Guidelines ................................................................ 29
3.2.4 ISACA IS Auditing Procedures ............................................................... 31
3.3 EVIDENCE LIFE CYCLE ..................................................................................... 32
3.3.1 Testing.................................................................................................. 32
3.3.2 Evidence ............................................................................................... 32
3.3.3 Gathering Evidence .............................................................................. 33
3.3.4 Sampling .............................................................................................. 34
3.3.5 Managing Evidence ............................................................................. 37
3.4 RISK ASSESSMENTS ....................................................................................... 38
3.4.1 Risk Analysis ........................................................................................ 38
3.4.2 General Assessment Process ................................................................ 40
3.4.3 Qualitative Risk Assessments ............................................................... 41
3.4.4 Quantitative Risk Assessments ............................................................ 42
3.4.5 Common Security Measurements ........................................................ 42
3.4.6 Assessment Methodologies ................................................................. 43
3.4.7 Baseline Modeling ............................................................................... 43
3.4.8 Gap Analysis ........................................................................................44
3.4.9 Cost Benefit Analysis ............................................................................ 45

3.5 CONTROLS ................................................................................................... 46
3.5.1 Internal Controls .................................................................................. 46
3.5.2 IS Control Objectives ............................................................................ 48
3.5.3 Internal Control Objectives .................................................................. 50
3.5.4 Control Procedures .............................................................................. 51
3.6 REPORTING AND COMMUNICATION .................................................................. 52
3.6.1 Report Structures ................................................................................. 52
3.6.2 Documentation .................................................................................... 53
3.6.3 Follow-up ............................................................................................. 53
3.7 CONTROL SELF-ASSESSMENT........................................................................... 54
3.7.1 CSA Tools .............................................................................................. 54
3.7.2 CSA Benefits ......................................................................................... 55
3.7.3 CSA Auditor .......................................................................................... 55
4 IT GOVERNANCE .......................................................................................... 56
4.1 IT STRATEGY ELEMENTS ................................................................................. 56
4.1.1 IT Strategies ......................................................................................... 56
4.1.2 Steering Committee ............................................................................. 56
4.1.3 Policies ................................................................................................. 57
4.1.4 Information Security Policy .................................................................. 58
4.1.5 Procedures ...........................................................................................61
4.2 IT GOVERNANCE FRAMEWORK ........................................................................ 62
4.2.1 Corporate Governance ......................................................................... 62
4.2.2 IT Governance ...................................................................................... 63
4.2.3 IT Strategy Committee ......................................................................... 64
4.2.4 Standard IT Balanced Scorecard .......................................................... 65
5 INFORMATION SECURITY GOVERNANCE ..................................................... 65
5.1 ENTERPRISE IT ARCHITECTURE ......................................................................... 68
5.1.1 Zachman Framework ........................................................................... 68
5.1.2 Technology-Based Frameworks ........................................................... 69
5.1.3 Process-Based Frameworks ................................................................. 69
5.1.4 Federal Enterprise Architecture ........................................................... 70
5.2 RISK MANAGEMENT ...................................................................................... 70
5.2.1 Key Definitions .....................................................................................71
5.2.2 Principles and Practices .......................................................................71
5.2.3 Controls and Countermeasures............................................................ 72
5.3 CONTRACT MANAGEMENT ............................................................................. 74
5.3.1 Delivery Options................................................................................... 74
5.3.2 Outsourcing Practices .......................................................................... 75
5.3.3 Advantages and Disadvantages ........................................................... 76
5.3.4 Outsourcing Risks ................................................................................ 77
5.4 LEGISLATIVE AND REGULATORY ISSUES............................................................... 78
5.4.1 1996 National Information Infrastructure Protection Act.................... 78
5.4.2 President's Executive Order on Critical Infrastructure Protection ........ 79
5.4.3 USA Patriot Act of 2001 ....................................................................... 79
5.4.4 Homeland Security Act of 2002 ........................................................... 80
5.4.5 Computer Fraud and Abuse Act ........................................................... 81
5.4.6 Electronic Communications Privacy Act (ECPA) ................................... 81
5.5 HUMAN RESOURCE MANAGEMENT .................................................................. 82
5.5.1 Multiple Roles ...................................................................................... 82
5.5.2 Hiring ................................................................................................... 84
5.5.3 Education ............................................................................................. 85
6 LIFE CYCLE MANAGEMENT ........................................................................... 87
6.1 BENEFITS MANAGEMENT ............................................................................... 87
6.1.1 Business Case ....................................................................................... 87
6.1.2 Benefits Realization ............................................................................. 87
6.1.3 Benefits Realization Process ................................................................88
6.2 PROJECT MANAGEMENT ................................................................................ 89
6.2.1 Project Phases...................................................................................... 90
6.2.2 Project Life Cycle .................................................................................. 91
6.2.3 Project Stakeholders ............................................................................ 93
6.2.4 Organizational Influences .................................................................... 93
6.3 PROGRAM MANAGEMENT .............................................................................. 95
6.4 CONFIGURATION MANAGEMENT...................................................................... 96
6.5 CHANGE MANAGEMENT ................................................................................ 98
6.5.1 Change Management .......................................................................... 98
6.6 APPLICATION DEVELOPMENT .........................................................................100
6.6.1 Software Development Life Cycle ......................................................100
6.6.2 Phase A: Feasibility ............................................................................101
6.6.3 Phase B: Requirements ......................................................................103
6.6.4 Phase 3A: Application Design ............................................................104
6.6.5 Phase 3B: Acquiring Software ............................................................106
6.6.6 Phase 4A: Development ..................................................................... 107
6.6.7 Phase 5: Implementation ...................................................................108
6.6.8 Phase 6: Post Implementation ...........................................................109
7 IT SERVICE DELIVERY .................................................................................. 110
7.1 SERVICE LEVEL MANAGEMENT ......................................................................110
7.1.1 Service Level Agreements ..................................................................110
7.2 NETWORK COMPONENT FUNCTIONALITY .........................................................112
7.2.1 Repeater ............................................................................................112
7.2.2 Hub ....................................................................................................113
7.2.3 Modem ..............................................................................................113
7.2.4 Network Interface Card (NIC) ............................................................114
7.2.5 Media Converter ................................................................................115
7.2.6 Bridge ................................................................................................115
7.2.7 Switch ................................................................................................116
7.2.8 Wireless Access Point .........................................................................118
7.2.9 Router ................................................................................................123
7.2.10 Firewall ..........................................................................................123
7.3 INCIDENT MANAGEMENT .............................................................................124
7.4 PROBLEM MANAGEMENT ............................................................................. 126
8 PROTECTING INFORMATION ASSETS .......................................................... 129
8.1 LOGICAL ACCESS CONTROLS ..........................................................................129
8.1.1 Identification and Authentication ......................................................129
8.1.2 Passwords ..........................................................................................131
8.1.3 Access Control Implementation .........................................................132
8.1.4 Identity Management ........................................................................133
8.1.5 Identity Management Technology .....................................................134
8.1.6 Access Lists.........................................................................................136
8.1.7 Context-Based Access Control ............................................................ 137
8.2 LOGICAL ACCESS SECURITY ARCHITECTURES .....................................................139
8.2.1 Authentication ...................................................................................139
8.2.2 Virtual Private Network .....................................................................142
8.2.3 IPSec ..................................................................................................143
8.2.4 Internet Key Exchange (IKE) ...............................................................145
8.2.5 Public Key Infrastructures (PKI) ..........................................................146
8.3 ATTACK METHODS ......................................................................................149
8.3.1 Denial of Service (DoS) .......................................................................150
8.3.2 Buffer Overflows ................................................................................151
8.3.3 Mobile Code .......................................................................................151
8.3.4 Malicious Software ............................................................................ 152
8.3.5 Password Crackers ............................................................................. 153
8.3.6 Spoofing/Masquerading .................................................................... 155
8.3.7 Sniffers, Eavesdropping, and Tapping ................................................ 157
8.3.8 Emanations ........................................................................................ 157
8.3.9 Shoulder Surfing ................................................................................158
8.3.10 Object Reuse..................................................................................158
8.3.11 Data Remanence ...........................................................................160
8.3.12 Unauthorized Targeted Data Mining .............................................161
8.3.13 Dumpster Diving ............................................................................ 162
8.3.14 Backdoors and Trapdoors .............................................................. 162
8.3.15 Theft ..............................................................................................163
8.3.16 Social Engineering .........................................................................163
8.4 INTRUSION DETECTION SYSTEMS....................................................................164
8.4.1 Intrusion Detection Systems ..............................................................164
8.4.2 Analysis Engine Methods ...................................................................166
8.4.3 Intrusion Responses ...........................................................................168
8.5 ENCRYPTION ALGORITHMS............................................................................169
8.5.1 Ciphers ...............................................................................................169
8.5.2 Types of Ciphers ................................................................................. 170
8.5.3 Cryptography Forms .......................................................................... 172
8.5.4 Data Encryption Standard.................................................................. 174
8.5.5 Advanced Encryption Standard .......................................................... 177
8.5.6 Other Encryption Methods ................................................................ 178
8.5.7 RSA.....................................................................................................180
8.5.8 Diffie-Hellmann Algorithm .................................................................181
8.5.9 Message Integrity Controls ................................................................181
8.5.10 Digital Signatures ..........................................................................184
8.6 PUBLIC KEY INFRASTRUCTURE........................................................................185
8.6.1 Different Methods of Support ............................................................185
8.6.2 Trusting External CAs .........................................................................185
8.6.3 Subordinate CAs ................................................................................186
8.6.4 Enrolling Managed Entities ................................................................186
8.6.5 Validating Certificates........................................................................ 187
8.6.6 Secure Sockets Layer ..........................................................................188
8.6.7 Transport Layer Security (TLS) ...........................................................189
8.6.8 Secure Shell (SSH) ..............................................................................190
8.6.9 Pretty Good Privacy (PGP) .................................................................190
8.7 PHYSICAL SECURITY SYSTEMS ........................................................................191
8.7.1 Authentication Devices ......................................................................191
8.7.2 Integrated Circuit Cards .....................................................................193
8.7.3 Biometrics ..........................................................................................198
8.8 WIRELESS SECURITY CONTROLS ..................................................................... 200
8.8.1 Wired Equivalent Privacy ................................................................... 200
8.8.2 Authentication ................................................................................... 203
8.8.3 Problems with WEP Security .............................................................. 205
8.8.4 Wi-Fi Protected Access ...................................................................... 206
8.8.5 802.1x and EAP .................................................................................. 206
8.8.6 Service Sets ........................................................................................ 209
9 BUSINESS CONTINUITY AND DISASTER RECOVERY ..................................... 212
9.1 BCP/DRP PROCESSES .................................................................................212
9.1.1 Business Continuity ............................................................................212
9.1.2 Disasters ............................................................................................214
9.1.3 Business Impact Analysis ...................................................................214
9.1.4 Classifications ....................................................................................216
9.1.5 Recovery Point and Recovery Time Objective ....................................216
9.1.6 Recovery Strategies............................................................................ 217
9.1.7 Recovery Technologies ....................................................................... 217
9.1.8 Organizational Responsibilities ..........................................................219
9.2 BACKUP AND RESTORE PRACTICES ..................................................................222
9.2.1 Redundant Array of Inexpensive Disks ...............................................222
9.2.2 Backups..............................................................................................224
9.2.3 Full and Incremental Backups ............................................................ 225
9.2.4 Distributed and Centralized Backups ................................................. 226
9.2.5 Data Replication ................................................................................ 227
9.3 CONTINUITY AND RECOVERY PLANS ................................................................228
9.3.1 Recovery and Continuity Planning .....................................................228
9.3.2 Continuity Planning Process ..............................................................229
10 PRACTICE EXAM......................................................................................... 233

11 ANSWER GUIDE ......................................................................................... 253

12 REFERENCES .............................................................................................. 262

13 WEBSITES ................................................................................................... 263

14 INDEX ........................................................................................................ 264

1 Certified Information Systems Auditor

The Certified Information Systems Auditor certification is for
experienced information systems auditors and those individuals with
responsibilities in information systems auditing. The certification
covers the planning, execution, and delivery of an enterprise's
information audit program using internationally accepted practices.

The CISA is accredited by the American National Standards Institute
(ANSI) under ISO/IEC 17024:2003.

The exam covers the following disciplines and percentage scope:

• The IS Audit Process: 10%
• IT Governance: 15%
• Systems and Infrastructure Life Cycle Management: 16%
• IT Service Delivery and Support: 14%
• Protection of Information Assets: 31%
• Business Continuity and Disaster Recovery: 14%

2 Exam Specifics

CISA exams are proctored by ISACA. Registration and location
information can be found on the www.isaca.org website. The exam is
administered twice a year: June and December. Exams are delivered
in a secure environment, proctored, and timed.

Specifics about the exam are:

• Time Limit: 240 minutes
• Number of Questions: 200
• Question Type: Multiple Choice
• Passing Score: 450 or higher

After passing the exam, the candidate has five years to apply for
certification. This is done by completing the application for
certification and verifying work experience. The required experience
is five years of professional IS audit, control assurance, or security
service. Part of this requirement can be substituted by one of the
following:
• Up to one year of experience can be in information systems or
  non-IS auditing experience.
• Up to two years can be substituted with 120 completed university
  credit hours (one year for 60 credit hours).
• Up to one year for a bachelor's or master's degree from a university
  enforcing the ISACA-sponsored Model Curriculum.
• Up to one year for a master's degree in information security or
  information technology.
3 Information Systems Audit Process

3.1 Auditing Practices

Information systems audits can be stand-alone internal audits or can be
integrated into other audits, such as financial or operational audits.
The exact handling of audits is defined in an audit charter, which
clearly states the responsibility, objectives, and delegation of
authority of the IS audit function.

3.1.1 Audit Planning

Audits should be planned in both the short term and the long term.
Short-term planning covers audit issues for the next year, while
long-term planning covers audit issues that arise from changes to the
organization's IT strategic direction. Audit issues should be analyzed
at least once a year to take into account new control issues, changing
technologies, and changing business processes.

Each audit to be performed over the next year should also be
carefully planned to take into account:
• Risk assessments
• Privacy issues
• Regulatory requirements
• System implementation/upgrade deadlines
• Current and future technologies
• Business process requirements
• IS resource limitations

Audit planning should consider the business practices and functions
related to the subject area of the audit. The process for planning the
audit has the following steps:
1. Understand the business, specifically:
   • Mission
   • Objectives
   • Purpose
   • Processes
   • Information requirements
   • Processing requirements
2. Evaluate any risk assessment, specifically related to:
   • Privacy impact analysis
3. Perform a risk analysis.
4. Conduct an internal control review.
5. Set the scope and objectives of the audit.
6. Develop the approach or strategy for the audit.
7. Assign personnel resources.

An audit plan must address the audit objective and apply applicable
professional auditing standards, relevant to the audit area and its
technology infrastructure. The success of the audit is dependent on
the understanding of the business area which the audit will address.
To gain this understanding, the auditor should:
 Tour key organization facilities.
 Read background material.
 Review long-term strategic plans.
 Interview key managers.
 Review prior audit reports.
 Identify applicable regulations.

3.1.2 Laws and Regulations

Every organization's computer systems are subject to some level of
compliance requirements from governmental and private regulatory bodies,
and audit procedures must address them. Some industries, such as finance,
are closely regulated. Privacy laws and regulations are of particular
interest, since they affect both the extent and impact of the audit on
systems holding confidential information and the confidentiality
requirements that apply to the audit results.

Some regulatory requirements have a number of layers regarding:
 Establishment of regulatory requirements
 Organization of regulatory requirements
 Assigned Responsibilities
 Correlation of financial, operational, and IT audit functions

These regulations will impact the goals and plans of the organization
and define the responsibilities and activities of the information
services function. To determine compliance with these regulations, the
audit should take into account:
 External requirements related to:
o Electronic data, personal data, copyrights,
e-commerce, e-signatures
o Computer system practices and controls
o Storage of computers, programs, and data
o Information services organization
o Information services activities
o Audits and auditing practices
 Pertinent laws and regulations which have been
documented.
 Alignment between external requirements and the
organization's policies, standards and procedures.
 Internal documents addressing adherence to regulations.
 Established procedures to address external requirements.

3.1.3 Audit Process

The audit process is a systematic activity performed by a competent
person whose objectives are to gather and evaluate evidence
regarding assertions. IS audits focus on reviewing and evaluating
automated information processing systems, as well as non-automated
processes and interfaces related to those systems.

The audit process consists of several steps:
 Planning
 Risk Assessment
 Program Development of Objectives and Procedures
 Gather Evidence
 Evaluate Strength and Weaknesses
 Prepare Audit Report

Audit management is applied to ensure that adequate audit resources and
schedules are available.

3.1.4 Types of Audits

The types of audits that can be performed internally or externally
consist of:
 Financial audits – assess the correctness of financial
statements.
 Operational audits – evaluate the internal control
structure of a process or functional area.
 Integrated audits – combine financial and operational
audits to assess overall objectives within an organization.
 Administrative audits – assess the efficiency and
productivity of operations.
 Information systems audits – determine whether assets are
adequately protected and whether data and system integrity and
the availability of information are maintained.
 Specialized audits – IS audits with a specific intent to
examine particular processes, services or technologies,
usually performed by third-party auditors.
 Forensic audits – focus specifically on discovering,
disclosing and reviewing evidence after fraud or a crime has
occurred.

3.1.5 Audit Procedures

IT functions and systems are evaluated from different perspectives,
namely:
 Security
 Quality
 Fiduciary
 Service
 Capacity

The audit strategy and plan will identify the scope, audit objectives
and audit procedures covered in the audit program. General audit
procedures typically include:
 Understanding audit area
 Performing risk assessment
 Creating general plan and schedule
 Initial review of audit area
 Evaluating audit area
 Verifying control design
 Compliance testing
 Substantive testing
 Communicating results
 Follow-up

When testing and evaluating IS controls, the IS auditor should be
familiar with the following procedures:
 Using generalized audit software to survey data file
contents.
 Using specialized audit software to assess operating
system parameter file content.
 Using flow-charting techniques for documenting automated
processes.
 Using audit logs and reports from operation and
application systems.
 Reviewing documentation.
 Observing business and technical operations.

3.1.6 Audit Methodology

A set of documented audit procedures designed to meet audit
objectives is called an audit methodology and is approved by audit
management. The audit methodology typically consists of the
following steps:
 Determining the subject or area of the audit.
 Identifying the objectives to be met by the audit.
 Identifying the specific systems, functions or organizational
units to be included in the audit.
 Planning for the audit.
 Developing the procedures for gathering data and
performing the audit.
 Developing the procedures for evaluating test or review
results.
 Developing procedures for communicating with
management.
 Preparing the audit report.

The methodology should be properly documented, as should all the
audit plans, programs, activities, tests, findings and incidents from
performing the audit. This is done through workpapers, which form the
link between the audit objectives and the final report.

3.1.7 Audit Risk

Audit risk is the risk that the information or financial report being
audited contains a material error that goes undetected. Its components
are:
 Inherent risk – the susceptibility of an audit area to an error
that could be material, individually or when combined with other
errors, assuming there were no related internal controls.
 Control risk – the risk that a material error exists that will not
be prevented, or detected in a timely manner, by the internal
control system.
 Detection risk – the risk that the IS auditor's test procedures
will not detect a material error that exists, so that it goes
unreported.
 Overall audit risk – the combination of the individual risk
components, assessed for each specific control objective.

3.1.8 Audit Objectives

The objectives of an audit typically concentrate on the existence of
internal controls to minimize risk to the business, specifically for
compliance with legal and regulatory requirements and ensuring the
confidentiality, integrity, reliability and availability of information and IT
resources. When planning, basic objectives are translated into
specific IS audit objectives.

3.2 ISACA IS Audit Standards, Guidelines and Procedures

3.2.1 ISACA Code of Professional Ethics

The ISACA Code of Professional Ethics is developed to define the
expected professional and personal conduct of members of the
association and its certification holders. The code states:
1. Support the implementation of, and encourage compliance
with appropriate standards, procedures and controls for
information systems.
2. Perform their duties with objectivity, due diligence and
professional care, in accordance with professional standards
and best practices.
3. Serve in the interest of stakeholders in a lawful and honest
manner, while maintaining high standards of conduct and
character, and not engage in acts discreditable to the
profession.
4. Maintain the privacy and confidentiality of information obtained
in the course of their duties unless disclosure is required by
legal authority. Such information shall not be used for personal
benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to
undertake only those activities that they can reasonably
expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed,
revealing all significant facts known to them.
7. Support the professional education of stakeholders by
enhancing their understanding of IS security and control.

An investigation into the member's or certification holder's conduct will
be made if the person fails to comply with the code.

3.2.2 ISACA IS Auditing Standards

The ISACA IS Auditing Standards have the following objectives:
 To provide IS auditors the minimum level of acceptable
performance required to meet the professional
responsibilities set by the Code of Professional Ethics for
IS auditors.
 To provide the expectations concerning the work of audit
practitioners to management and other interested parties.
The framework set forth by the ISACA IS Auditing Standards includes:
 Standards defining mandatory requirements.
 Guidelines for applying the standards.
 Procedures providing examples of how to meet the standards.

The applicable IS Auditing Standards are:
 S1 Audit Charter:
o The purpose, responsibility, authority and
accountability of the IS audit function or IS audit
assignments should be appropriately documented
in an audit charter or engagement letter.
o The audit charter or engagement letter should be
agreed and approved at an appropriate level with
the organization(s).
 S2 Independence:
o Professional Independence – In all matters related
to the audit, the IS auditor should be independent
of the auditee in both attitude and appearance.
o Organizational Independence -The IS audit
function should be independent of the area or
activity being reviewed to permit objective
completion of the audit assignment.
 S3 Professional Ethics and Standards:
o The IS auditor should adhere to the ISACA Code of
Professional Ethics.
o The IS auditor should exercise due professional
care, including observance of applicable
professional auditing standards.
 S4 Professional Competence:
o The IS auditor should be professionally competent,
having the skills and knowledge to conduct the
audit assignment.
o The IS auditor should maintain professional
competence through appropriate continuing
professional education and training.
 S5 Planning:
o The IS auditor should plan the information systems
audit coverage to address the audit objectives and
comply with applicable laws and professional
auditing standards.
o The IS auditor should develop and document a
risk-based audit approach.
o The IS auditor should develop and document an
audit plan detailing the nature and objectives,
timing, extent and resources required.
o The IS auditor should develop an audit program
and procedures.
 S6 Performance of Audit Work:
o Supervision – IS audit staff should be supervised to
provide reasonable assurance that audit objectives
are accomplished and applicable professional
auditing standards are met.
o Evidence – During the course of the audit, the IS
auditor should obtain sufficient, reliable and
relevant evidence to achieve the audit objectives.
The audit findings and conclusions are to be
supported by appropriate analysis and
interpretation of this evidence.
o Documentation – The audit process should be
documented, describing the audit work and the
audit evidence that supports the IS auditor's
findings and conclusions.
 S8 Follow-up Activities:
o After the reporting of findings and
recommendations, the IS auditor should request
and evaluate relevant information to conclude
whether appropriate action has been taken by
management in a timely manner.
 S9 Irregularities and Illegal Acts:
o In planning and performing the audit to reduce audit
risk to a low level, the IS auditor should consider the
risk of irregularities and illegal acts.
o The IS auditor should maintain an attitude of
professional skepticism during the audit,
recognizing the possibility that material
misstatements due to irregularities and illegal acts
could exist, irrespective of his/her evaluation of the
risk of irregularities and illegal acts.
o The IS auditor should obtain an understanding of
the organization and its environment, including
internal controls.
o The IS auditor should obtain sufficient and
appropriate audit evidence to determine whether
management or others within the organization have
knowledge of any actual, suspected or alleged
irregularities and illegal acts.
o When performing audit procedures to obtain an
understanding of the organization and its
environment, the IS auditor should consider
unusual or unexpected relationships that may
indicate a risk of material misstatements due to
irregularities and illegal acts.
o The IS auditor should design and perform
procedures to test the appropriateness of internal
control and the risk of management overriding
controls.
o When the IS auditor identifies a misstatement, the
IS auditor should assess whether such a
misstatement may be indicative of an irregularity or
illegal act. If there is such an indication, the IS
auditor should consider the implications in relation
to other aspects of the audit and in particular the
representations of management.
o The IS auditor should obtain written
representations from management at least annually,
or more frequently depending on the audit
engagement, in which management should:
 Acknowledge its responsibility for the
design and implementation of internal
controls to prevent and detect irregularities
or illegal acts.
 Disclose to the IS auditor the results of the
risk assessment that a material
misstatement may exist as a result of an
irregularity or illegal act.
 Disclose to the IS auditor its knowledge of
irregularities or illegal acts in relation to
management and employees who have
significant roles in internal control.
o The IS auditor should have knowledge of any
allegations of irregularities or illegal acts, or
suspected irregularities or illegal acts, affecting the
organization as communicated by employees,
former employees, regulators and others.
o If the IS auditor has identified a material irregularity
or illegal act, or obtained information that a material
irregularity or illegal act may exist, the IS auditor
should communicate these matters to the
appropriate level of management in a timely
manner.
o If the IS auditor has identified a material irregularity
or illegal act involving management or employees
who have significant roles in internal control, the IS
auditor should communicate these matters to those
charged with governance in a timely manner.
o The IS auditor should advise the appropriate level
of management and those charged with
governance of material weaknesses in the design
and implementation of internal control to prevent
and detect irregularities and illegal acts that may
have come to the IS auditor's attention during the
audit.
o If the IS auditor encounters exceptional
circumstances, such as a material misstatement or
illegal act, that affect the IS auditor's ability to
continue performing the audit, the IS auditor should
consider the legal and professional responsibilities
applicable in the circumstances, including whether
there is a requirement to report to those who
entered into the engagement or, in some cases, to
those charged with governance or regulatory
authorities, or should consider withdrawing from the
engagement.
o The IS auditor should document all
communications, planning, results, evaluations and
conclusions related to material irregularities and
illegal acts that have been reported to
management, those charged with governance,
regulators and others.
 S10 IT Governance:
o The IS auditor should review and assess whether
the IS function aligns with the organization's
mission, vision, values, objectives and strategies.
o The IS auditor should review whether the IS
function has a clear statement about the
performance expected by the business
(effectiveness and efficiency) and assess its
achievement.
o The IS auditor should review and assess the
effectiveness of IS resource and performance
management processes.
o The IS auditor should review and assess
compliance with legal, environmental and
information quality, and fiduciary and security
requirements.
o A risk-based approach should be used by the IS
auditor to evaluate the IS function.
o The IS auditor should review and assess the
control environment of the organization.
o The IS auditor should review and assess the risks
that may adversely affect the IS environment.
 S11 Use of Risk Assessment in Audit Planning:
o The IS auditor should use an appropriate risk
assessment technique or approach in developing
the overall IS audit plan and determining priorities
for the effective allocation of IS audit resources.
o When planning individual reviews, the IS auditor
should identify and assess risks relevant to the
area under review.

3.2.3 ISACA IS Auditing Guidelines

The ISACA IS Auditing Guidelines provide the IS auditors with
additional information for complying with the ISACA IS Auditing
Standards. The index of guidelines includes:
 G1 Using the Work of Other Auditors
 G2 Audit Evidence Requirement
 G3 Use of Computer Assisted Audit Techniques (CAATs)
 G4 Outsourcing of IS Activities to Other Organizations
 G5 Audit Charter
 G6 Materiality Concepts for Auditing Information Systems
 G7 Due Professional Care
 G8 Audit Documentation
 G9 Audit Considerations for Irregularities
 G10 Audit Sampling
 G11 Effect of Pervasive IS Controls
 G12 Organizational Relationship and Independence
 G13 Use of Risk Assessment in Audit Planning
 G14 Application Systems Review
 G15 Planning (revised)
 G16 Effect of Third Parties on an Organization's IT
Controls
 G17 Effect of Non-audit Role on the IS Auditor's
Independence
 G18 IT Governance
 G19 Irregularities and Illegal Acts
 G20 Reporting
 G21 Enterprise Resource Planning (ERP) Systems
Review
 G22 Business-to-consumer (B2C) E-commerce Review
 G23 System Development Life Cycle (SDLC) Review
 G24 Internet Banking
 G25 Review of Virtual Private Networks
 G26 Business Process Reengineering (BPR) Project
Reviews
 G27 Mobile Computing
 G28 Computer Forensics
 G29 Post-Implementation Review
 G30 Competence
 G31 Privacy
 G32 Business Continuity Plan (BCP) Review From IT
Perspective
 G33 General Considerations on the Use of the Internet
 G34 Responsibility, Authority and Accountability
 G35 Follow-up Activities
 G36 Biometric Controls
 G37 Configuration Management Process
 G38 Access Controls
 G39 IT Organization
 G40 Review of Security Management Practices
 G41 Return on Security Investment (ROSI)
 G42 Continuous Assurance

3.2.4 ISACA IS Auditing Procedures

The ISACA Standards Board developed the IS Auditing Procedures to
provide examples of processes that might be used in an audit
engagement. These procedures are not mandatory, but following them
provides assurance that the auditor is meeting the standards.

The index of procedures includes:
 P1 IS Risk Assessment Measurement.
 P2 Digital Signatures.
 P3 Intrusion Detection.
 P4 Viruses and Other Malicious Code.
 P5 Control Risk Self-Assessment.
 P6 Firewalls.
 P7 Irregularities and Illegal Acts.
 P8 Security Assessment.
 P9 Evaluation of Management Controls Over Encryption
Technologies.
 P10 Business Application Change Control.
 P11 Electronic Funds Transfer (EFT).

3.3 Evidence Life Cycle

3.3.1 Testing

Audits use testing for different reasons:
 Compliance testing – gathers evidence to test an
organization's compliance with control procedures.
 Substantive testing – gathers evidence to test the integrity
of individual transactions, data or information.

An IS auditor should be familiar with the different testing methods in
order to determine the evidence required and the best approach for
meeting the audit objectives. This understanding also establishes the
effort required to perform the testing: substantive testing takes more
effort when compliance testing, past or current, has revealed
weaknesses in the controls.

3.3.2 Evidence

Evidence is information used to determine an audit subject's
compliance with audit criteria or objectives. Evidence must be
sufficient, relevant and competent. It can be gathered from observation,
interviews, communications and documentation, or the results of tests.

Evidence is deemed more reliable when:
 It is confirmed with outside sources, which are more reliable
than internal sources.
 It is provided by an individual qualified to provide it.
 It is objective and does not rely on judgment or interpretation.
 It is timely, neither late in becoming available nor outdated.

3.3.3 Gathering Evidence

Evidence has characteristics of quality and quantity. Quality is a
measure of competence: evidence that is both valid and relevant is
considered competent. Quantity is a measure of sufficiency and
requires judgment to determine what is appropriate.

Evidence can be gathered using the following techniques:
 Review organization structures.
 Review policies and procedures.
 Review standards.
 Review documentation.
 Conduct interviews with appropriate personnel.
 Observe process and employee performance.

Interviews and observation can provide reasonable assurance that
the resources, skills and competence are in place to perform the
duties as required and documented. Observation of personnel can aid
in determining:
 Actual functions performed.
 Actual processes and procedures being followed.
 Current awareness of security requirements.
 Relationships for reporting.

3.3.4 Sampling

When time and cost constraints make it impractical to examine every
item, a sample of the population can be used to provide reasonable
evidence of the characteristics of the whole. The larger the sample, the
better the conclusions that can be drawn about the population, but the
more time and cost required to gather the evidence. Audit sampling can
be statistical or non-statistical.

The construction and selection of a sample is determined by:
 Defining the test objectives.
 Defining the population to be sampled.
 Defining the sampling method.
 Defining the sample size.
 Selecting the sample.
 Evaluating the sample.

Statistical sampling is an objective approach that uses probability to
make an inference about the population. The method determines the
sample size and the selection criteria for the sample. The reliability,
or confidence level, of this type of sampling expresses, as a number of
times out of 100, how often a sample drawn in this way would represent
the population.

Non-statistical sampling relies on judgment to determine the sampling
method, the sample size, and the selection of items in the sample.

The sampling methods used in audits are attribute sampling and
variable sampling. Attribute sampling is usually applied in compliance
tests to identify the presence or absence of an attribute; conclusions
from the sample are expressed as a rate of occurrence. There are three
types of attribute sampling:
 Frequency-estimating sampling (fixed sample-size
attribute sampling) – used to estimate the rate of
occurrence of a specific attribute in a population.
 Stop-or-go sampling – used to prevent excessive sampling
of an attribute by stopping an audit test at the earliest
possible moment.
 Discovery sampling – used when the expected occurrence
rate is extremely low, specifically when dealing with fraud,
circumvention of regulations, or other irregularities.

Variable sampling, also called mean estimation or dollar estimation
sampling, is used to estimate a monetary value or another unit of
measure. The quantitative sampling models available to an auditor are:
 Stratified mean per unit – the population is divided into
groups and samples are drawn from each group.
 Unstratified mean per unit – a sample mean is calculated
and projected as an estimated total.
 Difference estimation – estimates the total difference
between audited values and unaudited (book) values based on
the differences observed in the sample.

Terms used in sampling include:
 Confidence coefficient – the probability, expressed as a
percentage, that the sample characteristic accurately represents
the population.
 Level of risk – one minus the confidence coefficient.
 Precision – the acceptable range of difference between the
sample result and the actual population value.
 Expected error rate – the percentage of errors expected to
exist in the population; it helps determine the required sample
size.
 Sample mean – the sum of all sample values divided by the
sample size, i.e. the average value of the sample.
 Sample standard deviation – a measure of the dispersion of
the sample values around the sample mean.
 Tolerable error rate – the maximum error rate that can exist
without the results being considered materially misstated.
 Population standard deviation – a measure of the dispersion
of the population values around the population mean; it is
used, together with the normal distribution, to determine sample
size in variable sampling.
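As an added worked example (not from the book), the following Python code puts the attribute-sampling, discovery-sampling, stop-or-go and difference-estimation ideas above into runnable form. The sample-size and upper-limit formulas are the usual normal-approximation and binomial ones, which the book does not spell out and which are this example's assumption; the payment records, the "every payment carries an approver" control, and all function names are constructed for the example.

```python
"""Audit sampling helpers: sample size, evaluation, stop-or-go and
difference estimation. Added example; assumptions are noted inline."""
import math
from statistics import NormalDist


def z_score(confidence: float, two_sided: bool = False) -> float:
    """z for a confidence coefficient: 0.95 -> 1.645 one-sided, 1.960 two-sided."""
    tail = (1 - confidence) / 2 if two_sided else 1 - confidence
    return NormalDist().inv_cdf(1 - tail)


def attribute_sample_size(confidence: float, expected_error_rate: float,
                          precision: float) -> int:
    """Fixed sample-size attribute sampling: n = z^2 * p(1-p) / precision^2
    (normal approximation to the binomial; an assumption of this example)."""
    z = z_score(confidence, two_sided=True)
    p = expected_error_rate
    return math.ceil(z * z * p * (1 - p) / precision ** 2)


def discovery_sample_size(confidence: float, tolerable_error_rate: float) -> int:
    """Smallest n that surfaces at least one deviation with probability >=
    confidence when the true rate is tolerable_error_rate or worse:
    1 - (1 - p)^n >= c  ->  n >= ln(1 - c) / ln(1 - p). Draws are treated as
    independent, which is conservative for large populations."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_error_rate))


def upper_error_limit(deviations: int, n: int, confidence: float) -> float:
    """One-sided upper bound on the population deviation rate."""
    if deviations == 0:
        # The normal bound collapses to 0 here; use the exact binomial bound:
        # the rate p at which (1 - p)^n == 1 - confidence.
        return 1 - (1 - confidence) ** (1 / n)
    rate = deviations / n
    return rate + z_score(confidence) * math.sqrt(rate * (1 - rate) / n)


def evaluate_attribute_sample(deviations: int, n: int, confidence: float,
                              tolerable_error_rate: float) -> dict:
    """The control can be relied upon only if the upper error limit does not
    exceed the tolerable error rate."""
    upper = upper_error_limit(deviations, n, confidence)
    return {"sample_error_rate": deviations / n,
            "upper_error_limit": upper,
            "control_reliable": upper <= tolerable_error_rate}


def stop_or_go(population: list, is_deviation, confidence: float,
               tolerable_error_rate: float, step: int = 30,
               max_items: int = 150) -> tuple:
    """Stop-or-go sampling with systematic selection: examine items in blocks
    of `step` and stop as soon as the control can be relied upon.
    Returns (items_examined, deviations_found, control_reliable)."""
    interval = max(1, len(population) // max_items)
    examined = deviations = 0
    for idx in range(0, len(population), interval):
        if examined >= max_items:
            break
        examined += 1
        deviations += int(is_deviation(population[idx]))
        if examined % step == 0 and evaluate_attribute_sample(
                deviations, examined, confidence,
                tolerable_error_rate)["control_reliable"]:
            return examined, deviations, True
    return examined, deviations, False


def difference_estimate(population_size: int, sample: list) -> float:
    """Variable sampling, difference estimation: the mean of
    (audited value - book value) over the sample, projected onto the population."""
    mean_diff = sum(audited - book for audited, book in sample) / len(sample)
    return population_size * mean_diff


def make_payments(unapproved_indexes) -> list:
    """Constructed population: 1000 payment records; the control under test is
    'every payment carries an approver', violated at the given indexes."""
    return [{"id": i, "approver": None if i in unapproved_indexes else "mgr"}
            for i in range(1000)]


if __name__ == "__main__":
    no_approver = lambda p: p["approver"] is None
    print(attribute_sample_size(0.95, 0.02, 0.03))        # 84
    print(discovery_sample_size(0.95, 0.05))              # 59
    print(evaluate_attribute_sample(3, 84, 0.95, 0.05))   # control_reliable: False
    print(stop_or_go(make_payments({12, 300, 600}), no_approver, 0.95, 0.05))  # (90, 2, True)
    print(stop_or_go(make_payments({7, 13, 500}), no_approver, 0.95, 0.05))    # (60, 0, True)
    print(difference_estimate(1000, [(100.0, 100.0), (98.5, 100.0),
                                     (100.0, 100.0), (100.0, 102.0)]))          # -875.0
```

The second stop-or-go run shows the caveat that comes with systematic selection: the deviations at indexes 7, 13 and 500 never fall on the sampling interval, so the test stops at 60 items with zero deviations and reports the control as reliable. Before relying on a fixed-interval selection, an auditor should confirm that the population has no ordering or pattern aligned with the interval, or use random selection instead.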

3.3.5 Managing Evidence

Evidence is important for supporting conclusions related to events.
Depending on how the evidence is used, there are two types of
evidence that an organization would be concerned with:
 Evidence for audit purposes, including
o Physical examination
o Documentation
o Observation
o Inquiry
o Mechanical accuracy
o Analytical procedures
o Confirmation
 Evidence for legal proceedings, including
o Best evidence
o Secondary
o Direct
o Conclusive
o Circumstantial
o Corroborative
o Opinion
o Hearsay

For evidence to be admissible in a court of law, it must meet three
standards:
 Relevancy – it must provide information related to the crime.
 Reliability – it must not have been tampered with, which
requires a documented chain of custody.
 Legality – it must be gathered within the parameters of the
law and with respect for the rights of the accused.

For any event requiring an investigation, a computer incident
response team (CIRT) is the best choice to lead the effort.

The intended outcome of the investigation should be decided early,
since it determines the appropriate scope and actions of the
investigating team. If criminal prosecution is the goal, digital forensic
procedures must be followed and the appropriate law enforcement agency
involved.

3.4 Risk Assessments

3.4.1 Risk Analysis

Audit planning incorporates risk analysis to identify the risks and
vulnerabilities present in the environment being audited, and in the
audit itself, in order to determine how to mitigate those risks. A risk
is any potential event that may negatively affect the fulfillment of
business objectives. From an organizational perspective, a risk
consists of:
 Threats to processes and to physical and information assets.
 The impact on assets of those threats and of vulnerabilities.
 The likelihood and frequency of a threat occurring.

Risk analysis allows an auditor to:
 Identify risks and threats to the IT environment and
information systems that need to be addressed.
 Obtain information for evaluating controls during audit
planning.
 Determine audit objectives.
 Support risk-based audit decisions.

Risks can be financial, regulatory or operational. A risk can be present
because of the interaction between the business and its environment
or because of the strategies, systems, technology, process and
procedures, and information used by the business. High-risk issues
are typically associated with confidentiality, integrity, and availability
issues of sensitive and critical information, as well as the information
systems and processes supporting that information.

When mitigating risks, the goal is to identify controls that can be
implemented to prevent or reduce the likelihood of the occurrence of
the risk event, detect the risk event when it does occur, reduce the
impact of the risk event, or transfer the risk to another organization.
The countermeasures used should be assessed appropriately,
including cost-benefit analysis.

Performance levels of the risks should be monitored to identify the


significant changes in the environment which will cause changes to
the risk controls. Using risk assessments, risk mitigation, and risk
reevaluation, the risks can be mitigated to an acceptable level.

39
Copyright The Art of Service │Brisbane, Australia│Email:service@theartofservice.com
Web: http://store.theartofservice.com │eLearning: http://theartofservice.org │Phone: +61 (0)7 3252 2055
Several risk assessment methodologies are available to an IS auditor,
ranging from simple classifications based on judgment to complex
and scientific calculations. Risk assessments allow:
• Management to allocate limited resources effectively.
• Relevant information to be obtained from all levels of management.
• A basis for effectively managing the audit department.
• An individual audit subject to be relevant to the overall organization.

3.4.2 General Assessment Process

The process for assessing risks follows a few general steps. A
particular risk assessment methodology may add specific procedures
to focus on its own assessment objectives. The general steps include:
1. Identify Vulnerabilities.
2. Identify Threats.
3. Determine Likelihood.
4. Determine Impact.
5. Determine Risk.
6. Report Findings.
7. Select Countermeasure.
8. Determine Information Value.
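
As an added example, not from this book, the following Python script carries steps 1 through 6 for a small constructed risk register: each finding records the vulnerability, threat, likelihood and impact, the score is the product of assumed 1 to 5 ordinal scales, the high/medium/low thresholds are assumed, and the register is sorted highest risk first so that countermeasure selection (step 7) starts at the top.

```python
"""Added worked example of the general risk assessment steps (not from the book).

Each finding is scored on assumed 1-5 ordinal scales for likelihood and
impact; the product "determines risk" (step 5) and the sorted register is the
report (step 6). Scales, thresholds and sample findings are constructed.
"""
from dataclasses import dataclass

# Assumed ordinal scales (constructed for this example, not from the book).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Finding:
    """One row of the risk register, produced by steps 1 to 4."""
    asset: str
    vulnerability: str  # step 1: Identify Vulnerabilities
    threat: str         # step 2: Identify Threats
    likelihood: str     # step 3: Determine Likelihood (a key of LIKELIHOOD)
    impact: str         # step 4: Determine Impact (a key of IMPACT)


def risk_score(likelihood: str, impact: str) -> int:
    """Step 5: risk = likelihood x impact on the ordinal scales (1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_rating(score: int) -> str:
    """Map a score to a qualitative rating. Thresholds are assumed, not from the book."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(findings: list[Finding]) -> list[dict]:
    """Steps 5 and 6: score every finding and return the register sorted highest
    risk first, so countermeasure selection (step 7) starts at the top."""
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        rows.append({"asset": f.asset, "threat": f.threat, "vulnerability": f.vulnerability,
                     "score": score, "rating": risk_rating(score)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def report(rows: list[dict]) -> str:
    """Step 6: one line per finding, highest risk first."""
    return "\n".join(f"{r['rating'].upper():6} {r['score']:2}  {r['asset']}: {r['threat']} "
                     f"(via {r['vulnerability']})" for r in rows)


# Constructed sample findings (not real systems).
SAMPLE_FINDINGS = [
    Finding("payroll database", "vendor patches nine months behind",
            "exploitation of a known vulnerability", "likely", "severe"),
    Finding("backup tapes", "stored unencrypted off site",
            "theft or loss of media", "possible", "major"),
    Finding("intranet wiki", "single shared editor account",
            "unauthorized content change", "possible", "minor"),
]

if __name__ == "__main__":
    print(report(assess(SAMPLE_FINDINGS)))
```

Step 8, determining information value, is what an organization's data classification scheme supplies; it would feed the impact scale rather than appear as code here.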

3.4.3 Qualitative Risk Assessments

Results of a qualitative risk assessment are descriptive rather than
measurable. They are usually performed when:
• Expertise in quantitative risk assessment is limited.
• The timeframe required to complete the assessment is short.
• The data required to conduct a quantitative assessment is limited.

Qualitative risk assessments are typically performed by:
1. Gaining management approval.
2. Forming an assessment team.
3. Gathering documentation on:
   • Strategy.
   • Policies, procedures, guidelines, and baselines.
   • Past assessments and audits.
   • Technical documentation.
   • Application development and operations documentation.
   • Business continuity and disaster recovery plans.
   • Security incident response documentation.
   • Data classification schemes.
   • Executive mandates.
4. Conducting interviews with managers and employees.

3.4.4 Quantitative Risk Assessments

Quantitative risk assessments focus on the interpretation of
measurable data, covering:
• Frequency
• Probability
• Impact
• Countermeasure effectiveness

Quantitative risk assessments are conducted through a simple
process of:
1. Obtaining management approval.
2. Building an assessment team.
3. Reviewing the information currently available within the
organization.

3.4.5 Common Security Measurements

Simple calculations used in quantitative risk assessments include:
• Single loss expectancy (SLE)
• Annualized rate of occurrence (ARO)
• Annualized loss expectancy (ALE)
• Local annual frequency estimate (LAFE)
• Standard annual frequency estimate (SAFE)

Formulas used include:
SLE = asset value ($) * exposure factor (%)
ALE = ARO * SLE
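
The two formulas worked through in Python, as an added example that is not from this book. It also applies the cost-benefit check that section 3.4.1 asks for when assessing a countermeasure: the control's annual value is the ALE it removes minus its own annual cost. The asset value, exposure factor, ARO figures and control costs are constructed.

```python
"""Added worked example of SLE and ALE (not from the book).

SLE = asset value x exposure factor, ALE = ARO x SLE, plus the cost-benefit
check for a countermeasure: annual value = ALE reduction - annual control cost.
All figures below are constructed for illustration.
"""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: money lost in one occurrence. exposure_factor is a fraction (0.25 = 25%)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(aro: float, sle: float) -> float:
    """ALE: expected loss per year. An ARO of 0.2 means once every five years."""
    return aro * sle


def countermeasure_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Annual value of a control: the ALE it removes minus its own annual cost.
    Positive means the control pays for itself on expected-loss grounds alone."""
    return (ale_before - ale_after) - annual_cost


def evaluate(asset_value, exposure_factor, aro_before, aro_after, annual_cost) -> dict:
    """Run the whole chain for one asset and one proposed countermeasure."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale_before = annualized_loss_expectancy(aro_before, sle)
    ale_after = annualized_loss_expectancy(aro_after, sle)
    return {
        "SLE": sle,
        "ALE_before": ale_before,
        "ALE_after": ale_after,
        "value": countermeasure_value(ale_before, ale_after, annual_cost),
    }


if __name__ == "__main__":
    # Constructed scenario: a $500,000 asset, 25% exposure per incident,
    # incidents once every five years; a control cuts that to once in twenty years.
    for cost in (10_000, 20_000):
        r = evaluate(500_000, 0.25, aro_before=0.2, aro_after=0.05, annual_cost=cost)
        verdict = "justified" if r["value"] > 0 else "not justified"
        print(f"control cost ${cost:,}: ALE ${r['ALE_before']:,.0f} -> ${r['ALE_after']:,.0f}, "
              f"net value ${r['value']:,.0f} ({verdict})")
```

With the constructed figures the SLE is $125,000 and the ALE $25,000 a year; the control brings the ALE down to $6,250, so it is worth buying at $10,000 a year but not at $20,000, which is exactly the comparison the cost-benefit step is meant to make explicit.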

3.4.6 Assessment Methodologies

Qualitative Assessments
• NIST SP 800-30
• NIST SP 800-66
• OCTAVE
• FRAP – Facilitated Risk Analysis Process
• CRAMM – CCTA Risk Analysis and Management Method

Quantitative Assessments
• Spanning Tree Analysis
• Failure Modes and Effect Analysis

3.4.7 Baseline Modeling

Baselines are identified to mark significant states of a resource.
They are usually set so that the effectiveness of changes can be
understood from their outcomes. Baselines are agreed upon and
approved. They can characterize:
• Functional – identifies the initial specifications before any changes
are made.
• Allocated – identifies the specifications that meet the approved
requirements.
• Developmental – identifies the state of the resource as it is
developed to meet or exceed expectations and requirements.
• Product – the minimal specifications required by the resource to
meet business outcomes.

Typically attributed to processes such as configuration management
and project management, baselines provide a reference point to a
specific fixed state. Revision control is applied to manage changes to
the resource.

3.4.8 Gap Analysis

Gap analysis is a tool which compares the actual performance of a
resource to its potential performance, that is, the gap between delivery
and expectation. It is used to measure the investment of time, money,
and resources needed to achieve a particular outcome.

Analysis of a resource gap can pertain to a number of focus areas,
including:
• Performance – compares the actual performance of a resource to
the desired performance of the same resource, identifying potential
deficiencies in the solution and required changes to configuration.
• Functional – compares the actual available functions of the resource
to the desired functions as defined by the customer perspective,
business requirements, and market research, and identifies possible
improvements.
• Usage – compares the level of current usage of the resource to the
desired usage, and identifies areas of growth, propagation, and
education.

3.4.9 Cost Benefit Analysis

Cost benefit analysis is an approach for making financial decisions
that can be informal or formal, such as appraising a specific project
or proposal. The approach focuses on weighing the total expected
costs against the total expected benefits of one or more actions to
identify the best or most profitable option. Both benefits and costs are
expressed in terms of money and adjusted for the effect of time. The
adjustment for time identifies the value of the decisions at different
points of a project's or proposal's life cycle, particularly initial costs
versus ongoing expenses against the expected return.

The benefits can be expressed as tangible effects, such as increased
revenue or profit, greater productivity, and greater functionality, or as
intangible effects, such as a change in reputation or credibility, market
penetration, and alignment to long-term strategies. The actual practice
of analysis may differ between geographic regions, industries, and
departments, mainly because the type and extent of the impacts may
differ. Despite this, a basic set of key cost-benefit indicators is shared,
including:
• NPV (net present value)
• PVB (present value of benefits)
• PVC (present value of costs)
• BCR (benefit cost ratio = PVB/PVC)
• Net Benefit (PVB - PVC)
• NPV/k (k represents the level of funds available)
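
An added example, not from this book, that computes the indicators above for a constructed proposal: each year's costs and benefits are discounted at an assumed 10% rate to obtain PVC and PVB, from which NPV, Net Benefit, BCR and NPV/k follow. The cash flows and the funds figure k are constructed; the undiscounted total is printed alongside to show how much the time adjustment changes the answer.

```python
"""Added worked example of the cost-benefit indicators (not from the book).

Yearly costs and benefits are discounted to today's money at an assumed rate,
then PVB, PVC, NPV, Net Benefit, BCR and NPV/k are derived. Cash flows, the
discount rate and the available funds k are constructed for illustration.
"""


def present_value(cash_flows: list[float], rate: float) -> float:
    """Discount a yearly series: cash_flows[t] is paid or received at the end of
    year t, with t = 0 being today (undiscounted)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def cba_indicators(costs: list[float], benefits: list[float], rate: float,
                   funds_available: float) -> dict:
    """Compute the indicator set from the section. k is the funds available."""
    if funds_available <= 0:
        raise ValueError("k must be positive")
    pvc = present_value(costs, rate)
    pvb = present_value(benefits, rate)
    npv = pvb - pvc
    return {
        "PVB": pvb,
        "PVC": pvc,
        "NPV": npv,
        "Net Benefit": pvb - pvc,  # listed separately in the book; equals NPV here
        "BCR": pvb / pvc if pvc else float("inf"),
        "NPV/k": npv / funds_available,
    }


def undiscounted_net(costs: list[float], benefits: list[float]) -> float:
    """Naive total without the time adjustment, for comparison only."""
    return sum(benefits) - sum(costs)


# Constructed proposal: $100,000 up front plus $10,000 a year upkeep for three
# years, returning $60,000 a year from year 1; $100,000 of funds; 10% rate.
COSTS = [100_000, 10_000, 10_000, 10_000]
BENEFITS = [0, 60_000, 60_000, 60_000]
RATE = 0.10
FUNDS = 100_000

if __name__ == "__main__":
    ind = cba_indicators(COSTS, BENEFITS, RATE, FUNDS)
    print(f"undiscounted net: {undiscounted_net(COSTS, BENEFITS):,.0f}")
    for name, value in ind.items():
        print(f"{name:12} {value:,.3f}")
```

The undiscounted figures suggest a $50,000 gain; once the benefits, which arrive later than the costs, are discounted, the NPV is roughly $24,300 and the BCR about 1.19, which is why the section insists on adjusting both sides for time before comparing them.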

The accuracy of reported costs and estimated benefits contributes to
the accuracy of the cost-benefit analysis. As a result, relying on
analysis results with even a single inaccuracy is a risk in decision
making. Most often these risks are the result of poor estimation,
particularly when:
• Relying on similar past projects.
• Relying on experience of significant cost drivers.
• Relying on crude methods to estimate intangibles.
• Dealing with bias in team members or a drive to fulfill an agenda.

3.5 Controls

3.5.1 Internal Controls

Risks can be reduced using policies, procedures, practices, and
organizational structures. These are considered internal controls,
which serve to assure management that the organization's business
objectives are protected from the occurrence of risk events. Internal
controls are developed by first identifying the objectives for the
controls as they relate to each risk and then implementing control
activities to achieve the control objectives. Controls address what
should be achieved and what should be avoided.

Controls fall into six broad categories:
• Preventative – avoiding incidents
• Deterrent – discouraging incidents
• Detective – identifying incidents
• Corrective – applying remedies
• Recovery – restoring conditions to normal
• Compensation – alternative control

Preventative controls detect problems (errors, omissions, or malicious
acts) before they happen. They typically monitor both the system
operations and the inputs into the systems, attempting to predict
potential problems and make adjustments to prevent the problem
from being realized.

Deterrent controls are similar to preventative controls except that,
instead of making adjustments to the environment to prevent the
occurrence of a problem, the attraction of the environment is
diminished or reversed. The threat of prosecution can be an effective
deterrent control against possible attack.

Detective controls simply detect and report on the occurrence of an
error, omission or malicious act. They can identify specific symptoms
of potential problems.

Corrective controls minimize the impact of a threat from problems
discovered by detective controls. They serve to identify the cause of
the problem, correct any errors, and modify systems to minimize
future occurrences of the problem. An incident must occur before
corrective controls activate, and the same holds for recovery and
compensation controls. Recovery controls focus on overcoming the
impact of the incident on the business by resolving any problems
related to the incident. Compensation controls work to ensure that
normal business operations continue by applying appropriate
resources. Redundant systems are an example of compensating
controls.

3.5.2 IS Control Objectives

Objectives are statements of a desired result or purpose to be
achieved by the implementation of procedures. General information
system control objectives include:
• Safeguarding assets.
• Assuring the integrity of general operating system (OS)
environments.
• Assuring the integrity of sensitive and critical application system
environments:
  o Authorizing each transaction.
  o Preventing duplication of transactions.
  o Ensuring the completeness and accuracy of transaction
  processing.
  o Ensuring overall information activities are reliable.
  o Ensuring transaction output is accurate, complete, and secure.
  o Maintaining database integrity and availability.
• Ensuring effective and efficient operations.
• Compliance with user requirements, organizational policies and
procedures, and applicable laws and regulations.
• Developing business continuity and disaster recovery plans.
• Developing incident response and handling plans.
• Change management.

The Control Objectives for Information and related Technology
(COBIT) is the leading framework for governance, control and
assurance for information and related technology recognized by
ISACA and published by the Information Technology Governance
Institute (ITGI). It consists of 34 IT processes grouped into four
domains:
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

3.5.3 Internal Control Objectives

Internal control objectives are applicable to all manual or automated
areas. Control features can differ between these areas and may need
to be addressed differently. Internal control objectives include:
• Internal accounting controls – focused on accounting operations,
specifically safeguarding assets and financial records.
• Operational controls – focused on day-to-day operations, functions
and activities to ensure that business objectives are met.
• Administrative controls – focused on operational efficiency in a
functional area and adherence to management policies.

Examples of internal control objectives include:
• Safeguarding IT assets.
• Compliance with corporate policies or legal requirements.
• Input.
• Authorization.
• Accuracy and completeness of data processing.
• Output.
• Reliability of process.
• Backup and recovery.
• Efficiency and economy of operations.
• Change management process.

3.5.4 Control Procedures

Controls consist of policies, procedures, tasks and activities. They are
established by management to provide assurance that specific
objectives are achieved. General controls are applicable to all areas
of the organization and can be translated into an IS-specific control
procedure. Sensitive or critical functions need the controls in a well-
designed information system with procedures to ensure proper
implementation and maintenance of the controls.

IS control procedures include:
• Organization and management structure.
• Strategic direction.
• Data and application access.
• Development methodologies.
• Change control.
• Data processing.
• Systems programming.
• Technical support.
• Quality assurance.
• Physical access.
• Business continuity and disaster recovery planning.
• Network management.
• Database administration.
• Communications.

3.6 Reporting and Communication

Audits end with an exit interview to allow the auditor the chance to
discuss findings and make recommendations with management. The
auditor will ensure facts within the report are accurately stated, the
recommendations are realistic and cost-effective, and implementation
dates for the recommendations are provided. Results may be
presented to multiple levels of management using either an executive
summary or visual presentation.

The audit findings should be presented to the management of the
audited entity before being presented to senior management. This
should be done to obtain agreement with the findings and develop a
course of action. When a disagreement arises, the auditor has an
opportunity to explain the findings, risks and impact more clearly.

3.6.1 Report Structures

An organization may dictate the general report structure within its
policies and procedures. Usually audit reports will have the following
content and structure:
• Introduction with scope and audit objectives.
• Overall conclusion.
• Qualifications of the auditor.
• Detailed audit findings and recommendations.
• Limitations to the audit.
• Review of audit guidelines followed.

3.6.2 Documentation

Documentation of an audit should record:
• Planning and preparation of scope and objectives.
• Description of the scoped audit area.
• Audit programming.
• Audit steps performed.
• Use of services from other auditors and experts.
• Audit findings, conclusions and recommendations.

Any information required by laws and regulations, contract
stipulations, and professional standards should be included in the
audit documentation. Audit documentation contains the necessary
evidence to support the conclusions reached during the audit. This
documentation is typically the property of the audit entity and is
available to authorized persons with specific or general permission.

3.6.3 Follow-up

Auditors must follow up on completed audits to ensure that the
recommendations provided have been implemented. Management
may not be able to implement all the recommendations immediately.
The timing of the follow-up depends on the criticality of the findings.

3.7 Control Self-Assessment

Control self-assessment (CSA) is used to assure stakeholders and
customers about the reliability of the internal control system, as well
as to identify the risks to the business. It is a management technique
which is performed periodically and proactively. As a methodology, it
enables effective reviews of key business objectives, the risks
involved, and the internal controls for managing those risks.

3.7.1 CSA Tools

The CSA is a series of tools ranging from interview questions to
facilitated workshops which are used to gather information about the
organization. The purpose of the CSA is to verify the working
knowledge of the area employees and management. The tools used
remain the same for technical, financial or operational assessments.
These tools include:
• Management meetings
• Workshops
• Worksheets
• Rating sheets
• CSA projects

3.7.2 CSA Benefits

The benefits attributed to a CSA include:
• Risks are detected early.
• Improvement areas for controls can be identified.
• Team cohesion can be created with employee involvement.
• Increased awareness of organizational objectives, risks and internal
controls.
• Communication between operational and upper management is
increased.
• Employees become highly motivated.
• The audit rating process can be improved.
• Control cost is reduced.
• Stakeholders and customers are assured.
• Regulatory compliance is verified.

3.7.3 CSA Auditor

When CSA programs are created, the auditor's role shifts to that of
an internal control professional and assessment facilitator. Auditors
must understand the business processes involved. The auditor
becomes a resource for understanding the internal controls, risks, and
potential impact of improvements affecting those controls.

4 IT Governance

4.1 IT Strategy Elements

4.1.1 IT Strategies

Strategies are statements describing how information technologies
will be used to improve business processes. This involves identifying
cost-effective solutions and developing action plans. A strategic plan
will typically provide guidance for three to five years.

In considering the direction that strategies may take, planners must
take into account the demand for IT and the current capacity available
from IT. As the demand increases, the capacity must increase as
well. IT demand considers the impact of the strategic direction as
described by objectives and business initiatives. IT capacity is
determined based on the requirements in place to support these
objectives and initiatives.

4.1.2 Steering Committee

Steering committees are comprised of key users, a sponsoring
executive, the CIO, and key advisors when required. They work with
the executive to deliver IT strategies by focusing on the implementation
of IT services and technologies and overseeing the daily management
of IT service delivery and project management. The responsibilities of
the steering committee include:
• Deciding on the overall level of IT cost allocations and spending.
• Aligning and approving the enterprise's IT architecture.
• Approving project plans and budgets.
• Setting priorities and milestones related to projects.
• Ensuring the acquisition and assignment of appropriate resources.
• Ensuring business requirements are met by projects.
• Ensuring delivery of expected value and desired outcomes by
projects.
• Monitoring conflicts over resources and priorities.
• Providing recommendations and change requests to strategic plans.
• Communicating strategic goals.
• Contributing to IT governance responsibilities.

4.1.3 Policies

Policies are used to communicate the strategic thinking of senior
management and business processes. They are high-level
documents which provide the blueprint for a control environment over
the achievement of goals and directives. Corporate policies are meant
to set the tone of the business for the entire organization. Individual
divisions and departments will define lower-level policies that are
consistent with the corporate policies.

The best approach to developing policies is a top-down approach,
though some organizations will start with the lower-level policies
because their development and implementation is cost-effective and
most directly associated with risk assessments. The development of
corporate policies then becomes a consolidation of existing lower-level
policies and may introduce some inconsistency and conflict between
policies.

A schedule should be in place to review all policies regularly. The
policies should be updated whenever new technologies are adopted
or significant changes in business processes are made.

4.1.4 Information Security Policy

The most important policy to be created and managed is the
Information Security Policy. The activities of Information Security
Management are guided by and concentrate on security policies.
These policies are comprised of an overall Information Security Policy
and several underpinning security policies specific to the individual IT
technologies implemented. They cover all aspects of security and
should have the full support and commitment of executive
management.

The security policy is designed to aid in the achievement of
objectives. Those objectives are fulfilled when:
• Information is disclosed only to those individuals who have a right
to know.
• Information is complete, accurate, and protected against
modification by unauthorized individuals.
• Information is available and usable by customers when required,
and the systems supporting the provision and delivery of this
information can resist and recover from failure or attack.
• Information exchanges and business transactions between
enterprises, partners, and customers can be trusted.

These policies are the basis for creating an Information Security
Management System framework, which consists of five elements:
• Control
• Plan
• Implement
• Evaluate
• Maintain

Control of security relates to the management framework,
organization structure, roles and responsibilities, and documentation
required to provide a foundation for the other elements of the
framework to succeed.

Planning is any attempt to define and recommend security measures
based on the organization's requirements. These requirements are
gathered from the plans, strategies, and risks of the business and IT
services, as well as service level and objective level agreements and
compliance with legal and regulatory agencies. Measures can be
proactive or reactive to known threats and vulnerabilities. They fall
into any of the following categories:
• Preventive – intended to stop the occurrence of a security incident.
Solutions related to authentication, authorization, identification, and
access control are typical examples of preventive measures.
• Reductive – intended to minimize the possible damage resulting
from a security incident; typically consists of regular backups and
implementation of contingency plans.
• Detective – intended to provide the earliest possible detection of a
security incident. The primary example of a detective measure is
virus-checking software.
• Repressive – intended to reduce or stop the security incident from
occurring again. Disabling accounts after several sequential failed
login attempts is an example of a repressive measure.
• Corrective – intended to repair the damage resulting from a security
incident. Restore, roll-back, and back-out procedures are examples
of corrective measures.

These measures are eventually implemented through a set of
procedures, tools, and controls needed to support the Information
Security Policy, specifically in the areas of asset accountability and
classifying information. A number of factors determine successful
implementation, including:
• Integration of security policy with business need.
• Management justification and support of security procedures.
• Effective marketing and education of security requirements.
• Integrated continuous improvement.

Continuous evaluation of the implemented measures is required to
ensure compliance with the security policy and that security
requirements are met. In addition, these evaluations provide regular
audits of the systems and provide information to external auditors and
regulators.

Continuous improvement mechanisms are in place to maintain and
improve the Information Security Management System to meet its
objectives and ensure the confidentiality, integrity and availability of
information assets.

4.1.5 Procedures

Policies are used to drive the formation of procedures. Procedures
must be documented clearly, concisely, and in detail. They document
business processes and the controls used in the environment,
translating policies into effective work products. They can be more
dynamic than policies and reflect regular changes in business focus
and environment. Embedded into the procedures are the controls put
in place to fulfill the objectives supported by the policies. Auditors use
the procedures to test the controls in the environment by determining
the difference between actual operational practices and the practices
documented in the procedures.

4.2 IT Governance Framework

4.2.1 Corporate Governance

Corporate governance practices exist in an organization to promote
ethical conduct, specifically ethical corporate behavior by directors
and others responsible for the creation and presentation of the
financial wealth of all stakeholders. The OECD defines the practice of
corporate governance as “the distribution of rights and
responsibilities among different participants in the corporation, such
as board, managers, shareholders and other stakeholders, and spells
out the rules and procedures for making decisions on corporate
affairs. By doing this, it also provides the structure through which the
company objectives are set and the means of attaining those
objectives and monitoring performance.”

The framework for corporate governance provides protection to the
stakeholders by defining the responsibilities of the board of directors
and establishing rules for managing and reporting business risks.

4.2.2 IT Governance

IT governance is a subset of corporate governance which covers the
alignment of IT and enterprise objectives in the areas of:
• Information systems
• Technology and communications
• Business, legal and other issues
• Stakeholder and management expectations

IT governance is defined by ITGI as “a structure of relationships and
processes to direct and control the enterprise in order to achieve the
enterprise's goals by adding value while balancing risk versus return
over IT and its processes.”

Controls provide certain assurances that enterprises are governed by
accepted best practices. From an IT perspective, governance ensures
that the organization's information and related technology support the
business objectives, that resources are available to meet those
objectives, and that risks are managed appropriately. Executive
management will agree on the strategic alignment between IT and
enterprise objectives. IT governance serves this alignment by
effectively and efficiently deploying secure, reliable information and
applied technology.

The practice of IT governance is concerned with delivering value to
the business from IT and mitigating IT risks. It is the responsibility of
the board of directors and executive management. The key practices
are:
• IT strategy committee
• Risk management
• IT balanced scorecard

While corporate governance is a set of responsibilities and practices
used to provide strategic direction, IT governance provides a
relationship structure and processes for directing and controlling the
enterprise to meet its objectives by balancing risk and return on
investment.

4.2.3 IT Strategy Committee

The IT strategy committee is created to advise on strategy, IT value,
risks, and performance. Its purpose is to enable IT governance to be
incorporated into corporate governance. Strategy committees are
different from steering committees.

Strategy committees are comprised of board members and specialist


non-board members. They have the authority to advise the board and
management on the IT strategy. The committee is delegated by the
board to provide input to the strategy and to enable its preparation for
approval. Current and future strategic IT issues are handled at this
level. The primary responsibility of the strategy committee is to
provide insight and advice to the board on the following topics:
 Business perspective relevance of IT developments.
 Alignment of IT and business direction.
 Achievement of strategic IT objectives.
 Availability of IT resources, skills and infrastructure.
 Optimization of IT costs.
 IT investment aspects of risk, return and competitiveness.
 Status on major IT projects.
 IT contribution to the business.
 Exposure and containment of IT risks.
 Direction based on IT strategy.
 Drivers and catalysts for IT governance practices.

4.2.4 Standard IT Balanced Scorecard

The standard IT balanced scorecard is a method for assessing IT
functions and processes by supplementing financial information with
information about user satisfaction, internal processes and the ability
to innovate. When the balanced scorecard is applied to IT, each of the
four perspectives shown on the scorecard is structured using mission,
strategy, and measures.

5 Information Security Governance

Information security governance is delivered by the Board of Directors
and senior executives and must be integrated with the governance of
the enterprise and aligned with IT governance. The framework
consists of leadership, organizational structures, and processes
necessary to protect informational assets. The outcomes of
information security governance include:
 Alignment of information security with business strategy to
meet organizational objectives.
 Implementation of risk management to reduce potential
impacts on information resources.
 Implementation of resource management to effectively and
efficiently use the knowledge and infrastructure of
information security.
 Measuring, monitoring, and reporting of performance
metrics related to information security governance.
 Delivery of value in security investments needed to support
organizational objectives.

Information security is a management discipline which provides
strategic direction for all IT security activities. The objective of
information security management is to protect the interests of those
relying on the data stores, databases and metadata used by the
enterprise, and on the systems and communication media used to
deliver that information, and to provide protection from harm due to
failures in confidentiality, integrity, and availability.

Often referred to as the CIA triad, confidentiality, integrity, and
availability are the foundational pillars of security. IT governance
provides the framework for developing these pillars for the purpose of
safeguarding business assets and practices.

Confidentiality refers to the need for information to be protected from
disclosure to unauthorized individuals. Normally, several levels of
confidentiality may be found within an organization, ranging from
classified, sensitive, and confidential to protected and public.

Integrity describes the wholeness and completeness of the
information without any alteration except by authorized sources. The
integrity of a system has a direct effect on the integrity of the
information on that system. If the system has no integrity, the
information cannot be considered trusted. Integrity is different from
confidentiality, in that integrity focuses on one's trust in the information
and not its security.

Availability speaks to the need to access the information when it is
needed. Depending on the information, availability may be restricted
to users based on the confidentiality level of the information.
Traditional systems attributed higher integrity to lower availability;
however, open source has demonstrated that higher integrity is
often found when greater availability is provided to the user base.

The security objectives are typically met when:
 Information is disclosed to only those individuals who have
a right to know.
 Information is complete, accurate, and protected against
modification from unauthorized individuals.
 Information is available and usable by customers when
required and the systems supporting the provision and
delivery of this information can resist and recover from
failure or attack.
 Information exchanges and business transactions between
enterprises, partners, and customers can be trusted.

5.1 Enterprise IT Architecture

5.1.1 Zachman Framework

Most enterprise architecture projects start with the framework created
by John Zachman in the late 1980s. The framework recognizes that
different participants are involved at different stages of the project. It
also identifies different artifacts which convey different aspects of the
systems at increasing levels of detail. These artifacts can include:
 Diagrams
 Flowcharts
 Data models
 Class Models
 Code

The Zachman framework defines the scope, enterprise model,
systems model, technological model, and documentation to describe
different areas of the IT environment, including:
 Strategy
 Data
 Application
 Technology
 Organization
 Workflow

5.1.2 Technology-Based Frameworks

Enterprise architecture frameworks that are technology-based focus
on simplifying complex technology options for the business. They aid
in determining if and when advanced technical environments should
be used, or how to connect intra-organizational and inter-
organizational systems. The modernization of legacy and ERP
systems, which relies heavily on technology, is addressed by these
frameworks.

5.1.3 Process-Based Frameworks

Enterprise architectures which are focused on business processes
attempt to understand the organization as it relates to the value added
that the processes provide. The concept enables business
improvement by understanding processes, their distinguishable parts
and the technology supporting them. Several business models based
on these types of architectures have been developed for specific
industries.

5.1.4 Federal Enterprise Architecture

The US Federal government requires its agencies to create an
enterprise architecture and provide governance to that structure. The
Federal Enterprise Framework is a business and performance
framework dedicated to building collaboration between agencies,
transformation and improvements. There are five reference models in
the framework:
 Performance
 Business
 Service
 Technical
 Data

5.2 Risk Management

Risk is usually defined as the possibility of loss. Risk management is
the technique used to assess, minimize, and prevent accidental loss
to a business.

5.2.1 Key Definitions

Risk management introduces or refines the following terms:
 Control – the policies, procedures, guidelines, practices,
and structures used to manage risk.
 Risk – the combination of an event's probability and its
consequence.
 Risk assessment – the overall process of analyzing and
evaluating risk.
 Risk management – the coordinated activities to direct and
control an organization's treatment of risk.
 Risk treatment – the process for selecting and
implementing measures to impact risk.
 Threat – the potential cause of an unwanted incident,
which may result in harm to a system and organization as
a whole.
 Vulnerability – a weakness of an asset to be exploited by
one or more threats.

5.2.2 Principles and Practices

Risk management utilizes several methods for dealing with risk,
including:
 Risk Avoidance – involves creating solutions that ensure a
specific risk is not realized.
 Risk Transfer – involves passing a specific risk to another
entity.
 Risk Mitigation – attempts to eliminate or significantly
decrease the level of risk present.
 Risk Acceptance – weighs the cost and benefits of
handling the risks over accepting it.

5.2.3 Controls and Countermeasures

Controls and countermeasures are applied to IT and business
solutions to mitigate risk to information. Some basic characteristics
should be considered when applying each control and
countermeasure, such as:
 Accountability – who is responsible for ensuring the control
or countermeasure remains in place or to manage the
impact when it fails?
 Auditability – can it be reviewed and tested?
 Trusted source – is its design, implementation, and
maintenance performed by people who are committed to
maintaining the security policy?
 Independent – is its design, implementation, and
maintenance dependent on the existence of other controls
and countermeasures?
 Distinct – does it work without overlapping other controls
and countermeasures?
 Consistent application – can the control or
countermeasure be applied in the same manner across
the organization?
 Simple and Public – is the control or countermeasure
easily accessible and implementable by the general
population (employees)?
 Cost-effective – is the cost of implementation better than
the cost of not implementing?
 Reliability – will it serve its purpose under multiple
circumstances?
 Sustainable – will it continue to function as expected over
time and/or adapt as changes or new elements are
introduced to the environment?
 Minimal manual intervention – is it automated fully or
partially to ensure that the need for manual work is
minimal?
 Ease of use – is it easy to use and apply?
 Secure – is the control and countermeasure itself safe
from exploitation or attack?
 Protection – does it protect the confidentiality, integrity, and
availability of assets as expected?
 Reversibility – can the control and countermeasures be
“backed out” when an issue arises?
 Safe – are any additional issues created when the control
or countermeasure is applied?
 Clean – does it leave no residual data as a result of its function?

5.3 Contract Management

Outsourcing has become a valid response for organizations to obtain
IT functionality to support business objectives without having the
financial or technical responsibility of maintaining an IT environment.
In some instances, IT functions have to rely on outside or third party
service providers.

5.3.1 Delivery Options

The delivery of Information Systems can be performed by:
 Insourcing – IT delivery is performed entirely by the
organization.
 Outsourcing – IT delivery is performed entirely by a third-
party service provider.
 Hybrid – IT delivery is a mix of support from the
organization and service providers.

Additionally, IT functions can be performed across several geographic
options:
 Onsite – IT delivery is performed within the organization's
site.
 Offsite – IT delivery is performed at a remote location in
the same geographical area.
 Offshore – IT delivery is performed at a remote location in
a different geographical area.
The reasons often cited to outsource IT services are:
 To focus on core business functions, rather than IT.
 To reduce costs and increase profits.
 Increasing competitiveness without incurring additional
costs.
 Providing flexibility with organization and structure.

5.3.2 Outsourcing Practices

Contracts are used to define the required IT services from third party
vendors. In many cases, services may be delivered by multiple
vendors. Specific objectives for IT are different from one organization
to the next.

Outsourcing services can include, but are not limited to:
 Data entry.
 System design and development.
 Application maintenance.
 Application hosting.
 Conversion of legacy applications.
 Call center operations.
 Operations processing.

5.3.3 Advantages and Disadvantages

The advantages to outsourcing IT include:
 Outsourcing vendors have the ability to achieve economies
of scale through reusable component software.
 Outsourcing vendors can devote more time and focus on a
given project.
 Outsourcing vendors can handle a wider range of
problems more effectively.
 Better specifications are more likely because contractual
agreements must be developed.
 Scope creep is less likely, as diversions and changes are
time-consuming when working with a vendor.

The disadvantages to outsourcing IT include:
 Loss of control over IT.
 Loss of internal IT experience.
 Costs exceeding customer expectations.
 Vendor failure.
 Limited product access.
 Reversing or changing outsourced arrangements is
difficult.
 Compliance with legal and regulatory requirements may be
deficient.
 Contractual agreements not met.

 Loyalty to the customer may not exist.
 Disgruntled employees or customers over outsourcing.
 Service costs not competitive throughout the contract life.
 Vendor systems become obsolete.
 Anticipated benefits not achieved by either company.
 Damage to reputations due to project failures.
 Litigations which are lengthy and expensive due to
contract failures.

5.3.4 Outsourcing Risks

Multiple risks can arise when outsourcing IT. These risks can be
reduced by:
 Establishing measurable goals and rewards.
 Sharing goals and rewards between parties.
 Using multiple suppliers.
 Using additional business as incentive for performance.
 Creating short-term contracts.
 Creating a cross-functional contract management team.
 Including specific contractual provisions, such as:
o Service quality expectations
o Adequate access control and security requirements
o Violation reporting and handling of investigations
o Roles and responsibilities
o Change or version control and testing
o Performance parameters
o Business continuity and disaster recovery
o Capacity management criteria
o Contract change
o “Right to audit”
o Dispute resolution process
o Protection from damage caused by either party
o Confidential agreements
o Relevant legal and regulatory requirements
o Data confidentiality, integrity, and availability
o Ownership of intellectual property
o Warranty and maintenance periods
o Software escrow

5.4 Legislative and Regulatory Issues

5.4.1 1996 National Information Infrastructure Protection Act

One of the most difficult problems with the rapid growth of computer
technology is ensuring that the laws and regulations protecting against
computer crimes keep abreast of emerging technologies. This was
evident in 1994 when the Computer Emergency Response Team
(CERT) reported a 498 percent increase in the number of computer
intrusions and a 702 percent rise in the number of sites affected by
these intrusions. The U.S. legislature chose to add amendments to
the Computer Fraud and Abuse Act to address specific abuses arising
from the misuse of new technologies. The result is the 1996 National
Information Infrastructure Protection Act.

5.4.2 President's Executive Order on Critical Infrastructure Protection

The terrorist attack on the United States on September 11, 2001
identified a number of concerns related to the vulnerability of the
national infrastructure. Within two months, the President of the United
States issued the Executive Order on Critical Infrastructure Protection
to ensure protection of information systems used for the critical
infrastructure. Part of this infrastructure includes the emergency
preparedness communications and the physical assets supporting the
systems. In essence, the president created an official security policy
for the United States.

5.4.3 USA Patriot Act of 2001

Shortly after the Executive Order mentioned above, Congress passed
Public Law 107-56, titled the “Uniting and Strengthening America by
Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism Act of 2001.” Its short name is the USA Patriot Act. The law
covers several items pertinent to IT solutions or the use of IT in
dealing with terrorist activity, including:
 Title II authorizes the interception of wire, oral, and
electronic communication to produce evidence of terrorism
offenses, computer fraud and abuse.
 Title III focuses on monetary transactions used in
supporting terrorist activities.
 Title IV provides guidelines of border control and
immigration laws involving electronic sharing of
intelligence.
 Title V provides guidelines for removing obstacles when
investigating terrorism.
 Title VII covers increasing information sharing for critical
infrastructure protection.
 Title VIII strengthens criminal laws as they apply to
terrorism.

5.4.4 Homeland Security Act of 2002

Another result of 9/11 was the creation of the Department of
Homeland Security, a government agency charged with the following
tasks:
 Control U.S. borders and prevent terrorists from entering.
 Respond quickly and effectively to emergencies in
cooperation with state and local authorities.
 Develop technologies to detect and protect from biological,
chemical, and nuclear weapons.
 Provide a single daily report of threats from intelligence
and information from several law enforcement agencies.

The act creating this government agency was the Homeland Security
Act of 2002.

5.4.5 Computer Fraud and Abuse Act

U.S. legislation, 18 U.S.C. § 1030 (Computer Fraud and Abuse Act),
defines the activities that are considered felony offenses of computer
fraud and abuse. It also describes the actions available to law
enforcement in investigating and apprehending suspects of computer
fraud and abuse.

5.4.6 Electronic Communications Privacy Act (ECPA)

The ECPA governs the accessibility of stored electronic
communication for law enforcement. Electronic communication
consists of email messages. What was not originally covered is stored
wired communication, namely voice mail. Later amendments
redefined wired communication to include stored wired messages,
allowing law enforcement access to stored voicemail.

5.5 Human Resource Management

The roles and responsibility for operations fall to a number of groups,
such as:
 Operators
 Users
 System administrators
 Security administrators
 System accounts

5.5.1 Multiple Roles

Adoption of organizational best practices can protect the
organization's information, as well as identify areas of weakness in
the organization.

Common best practices include:
 Job Rotation
 Separation of Duties
 Least Privileges
 Mandatory Vacations
 Job Position Sensitivity

Job rotation reduces the opportunity for collusion and helps identify
activities which are outside the normal operating procedures.
Whenever possible, duties should be rotated to allow persons to work
different assignments on a temporary basis. This enables greater
understanding of the business operations and aids in identifying
vulnerabilities.

Dividing the steps of a particular process ensures that no single
individual has absolute control and knowledge of the process.
Separating the control of mechanisms is an effective method of
preventing collusion.

Granting access only for what is required to perform an individual's
tasks reduces the risk of inappropriate or unintended disclosure of
information. Mandatory vacations provide similar benefits to rotation
and separation of duties by providing opportunities to understand
the day-to-day performance of specific functions.

The access and duties of an individual can determine the sensitivity of
the position and determine the level of control on security practices.

Another method of deterring collusion is to require individuals to take
at least one week of vacation each year. Extended absences from the
office are opportunities to allow problems to arise that would normally
not be seen when an individual is on duty.

5.5.2 Hiring

Security is the responsibility of all employees in the organization. As a
result, how an organization treats its employees can impact the
security position of the company, whether the employee is current,
potential, or former. Hiring and termination policies are key
vulnerabilities for security.

When hiring individuals, several areas of focus can minimize security
exposure:
 Clear job descriptions with detailed responsibilities and
requirements for education, experience and expertise.
 Employment agreements to acknowledge legal and ethical
responsibilities.
 Checking on references with past employers.
 Background checks, especially for highly sensitive positions.

Background checks can cover a variety of searches into a person's
past, including:
 Credit checks
 Criminal history
 Driving history
 Drug and substance testing
 Prior employment
 Verification of education, licensing, and certification
 Validation of social security listing
 Suspected terrorist watch list

The level of background checking usually matches the security
importance of the job position.

Periodic performance reviews and ongoing supervision are crucial to
ensuring that security policies are being adopted properly by all
employees in the organization.

Different levels of care are important considerations for handling
terminations, especially related to whether they are friendly or
unfriendly.

5.5.3 Education

Training and education may involve any combination of:
 Awareness activities
 Job training
 Professional Training

Performance metrics are a clear method of determining security
needs and the effectiveness of training in the organization.

The architecture and design of the security solution must address the
design, implementation, and operations of those controls used to
enforce the levels of confidentiality, integrity, and availability required.

One of the most important topics of education is security. Security
awareness is the understanding of the importance of security for the
organization, the processes, and the customers. Security awareness
training is a method of informing employees of their roles and related
expectations as they relate to maintaining minimal information
security requirements. In some cases, security awareness programs
are a requirement for compliance with regulations, such as:
 HIPAA
 Sarbanes-Oxley Act
 Gramm-Leach-Bliley Act

6 Life Cycle Management

6.1 Benefits Management

6.1.1 Business Case

Business cases are used whenever development of a new system or
investment in new technologies is considered. These reports provide
compelling information about the idea so that decisions can be made.
Business cases are usually developed in stages. The initial business
case takes on the feasibility of pursuing a specific direction and
provides an early assessment of the problem scope, possible
solutions and recommendations. Each solution has a definitive
business case which is used to compare solutions.

6.1.2 Benefits Realization

Benefits to the business are often enabled by technology, but not by
accident. Realization of these benefits occurs by a planned approach
that extends beyond the project. In many cases, the realization
doesn't always go as planned. To manage the realization of benefits,
the organization must:
 Describe benefits realization as a process.
 Assign a measure and target for the new technology.
 Establish a system of tracking or measuring the
performance.
 Document the assumptions.
 Establish key responsibilities.
 Validate predicted benefits.
 Plan for the predicted benefits.

6.1.3 Benefits Realization Process

The process for realizing benefits is continuous, starting with an
assessment and business case of the process itself. Lessons learned
and studies should be compiled.

Typically, a post-implementation review is performed after 6 to 18
months of the implementation. The length of time before the review
allows problems to be worked out and benefits to start to accrue for
the solution.

The process is part of project governance and management, allowing
business owners to understand their investments into new solutions.

6.2 Project Management

Project Management is the application of knowledge, skills, tools, and
techniques used to meet stakeholders' needs and expectations.

Needs are loosely defined as identified requirements, while
expectations are unidentified requirements. Meeting, or exceeding,
stakeholders’ needs and expectations requires balancing competing
demands such as:
 Scope
 Time
 Cost
 Quality

Different stakeholders usually have different needs and expectations.

Project management is not restricted to the day-to-day activities of
managing the project. The environment where project management
operates provides the context within which the project works and
consists of:
 Project phases
 Project life cycle
 Project stakeholders
 Organizational influences
 General management skills
 Socioeconomic influences

6.2.1 Project Phases

Each project phase is defined by the completion of one or more
deliverables.

A deliverable is a tangible, verifiable work product.

The phases and deliverables are generally compiled using sequential
logic designed to create and manage a proper definition of the
product or service.

Project phases are concluded with a review of:
 Key deliverables
 Project performance

The review is conducted to determine if the next phase of the project
should be initiated and to identify and correct any errors.

The definition of phases is typically dependent on the application of
the project management. The following table represents the project
phases in common project environments:

Defense Acquisition        Construction            Pharmaceuticals            Software Development
-------------------        ------------            ---------------            --------------------
Concept Exploration        Feasibility             Discovery and Screening    Proof-of-concept cycle
  and Definition
Demonstration and          Planning and Design     Preclinical Development    First Build cycle
  Validation
Engineering and            Production              Registration Workup        Second build cycle
  Manufacturing
  Development
Production and             Turnover and Start-up   Postsubmission Activity    Final Cycle
  Deployment
Operations and Support

6.2.2 Project Life Cycle

The project life cycle defines the beginning and end of the project.
The transitional actions at the end of the project are also determined
by the definition of the project life cycle.

The project life cycle is comprised of project phases and determines
the transfers or hand-offs between those phases. In some cases, fast
tracking, an overlapping of phases, may be employed. This is
defined by the life cycle as well as:
 The technical work performed in each phase.
 The personnel involved in each phase.

Project life cycles can have general or detailed descriptions, but share
several characteristics:
 Cost and staffing levels are low at the start, higher near the
end, and drop radically when concluding the project.
 The beginning of the project has the lowest probability of
success and the highest level of risk and uncertainty. The
probability of success rises and the risk and uncertainty fall
as the project progresses.
 The influence of the stakeholders on the final
characteristics of the product or service is highest at the
start of the project and decreases as the project
progresses.
 The final cost of the project is typically higher at the start of
the project than at the end.

The project life cycle is typically one stage found within a product life
cycle. Subprojects within projects may also have distinct project life
cycles.

6.2.3 Project Stakeholders

Project stakeholders are individuals or groups who are actively involved
in the project, or whose interests may be positively or negatively
affected by the execution or completion of the project.

The responsibility of the project management team toward the project
stakeholders is to:
 Identify all stakeholders.
 Identify the needs and expectations of each stakeholder.
 Manage and influence those expectations so that the project
completes successfully.

The key stakeholders in every project include:
 Project manager
 Customers
 Performing organization
 Sponsors

6.2.4 Organizational Influences

Several influences from the organization may have an effect on how
projects are generated, managed, and used. These include:
 Management systems
 Cultures and style
 Organizational structures
Organizations may have different perspectives on project management.

Project-based organizations either derive their revenue primarily from
performing projects for others, or have adopted management by projects
as the way they run the organization. These organizations typically
have management systems and processes in place that make project
management easier to facilitate.

Non-project-based organizations rarely have management systems in
place to support project requirements effectively and efficiently.

Cultures consist of shared values, norms, beliefs, and expectations
which have a direct impact on the project and its management.

The structure of an organization typically affects the availability of
resources, or the terms of use of the resources, needed by the project.

The most common organizational structures are:
 Functional organizations – staff are grouped by specialty.
 Projectized organizations – staff are co-located and organized
around projects or accounts.
 Matrix organizations – a blend of functional and projectized
attributes.

6.3 Program Management

Projects which share a common objective, budget or schedule may be
grouped together into programs for easier management. Programs have
limited time frames and are bounded by the organization. They are
generally more complex and longer in duration than projects, with
larger budgets and greater risks. Many of the activities and
structures used in project management are found on a larger scale in
program management.

Program management is responsible for managing:
 Scope
 Resources
 Schedules
 Objectives
 Context and environment
 Communication
 Culture
 Organization

The organization for managing programs typically includes:
 Program owner
 Program team
 Program office

6.4 Configuration Management

Many of the changes that are made to an IT environment are changes to
the configurations of the systems. Configuration Management is a
process that focuses on managing the impact of changes to the
applied configurations in the environment. Where Change Management
authorizes a change, communicates it and manages the implementation
plan, Configuration Management keeps the authoritative record of the
items being changed and of their relationships, so that the effect of
the change on the live configuration can be assessed beforehand and
verified afterwards. The reason for this distinction lies in what a
configuration really is.

A Configuration Item (CI) can be any asset, service component, or
item that is managed by the Configuration Management process. CIs
vary in complexity, size, and type. Groups of CIs may be managed
together, or selected through established criteria, groupings,
classifications, or other identification. The different types of CIs
can include:
 Service Lifecycle – broad descriptions of services and
major components of those services.
 Service – identifies the assets and resources for a service,
including any models, packages, and acceptance criteria.
 Organization – identifies the information assets of the
organization, such as the business strategy.
 Internal – represents the tangible and intangible assets
delivered, such as applications, software licenses,
computers, and the like.
 External – requirements and agreements with third-party
customers or suppliers.
 Interfaces – those assets required to deliver a service.

From an information security management perspective, each security
policy can be considered a configuration item, as can the individual
components of the solutions developed to ensure the fulfillment of
those policies. The most important concept about a configuration item
is its relationship to other configuration items. As changes are made
to one configuration item, the impact of the change will carry over to
other configuration items. Understanding the nature of these
relationships will aid in determining how to minimize the impact and
risk of changes.

To support this understanding, configuration items are managed using
a support system, often known as a Configuration Management System
(CMS). This system stores the detailed information for every
configuration item tracked. Because of the level of information that
can be contained in the CMS, the system is often used for other
purposes, such as financial asset management. In addition to
maintaining the relationships between CIs, the CMS can also maintain
the relationship between an individual CI and any related incidents,
problems, known errors, and change information.

6.5 Change Management

6.5.1 Change Management

Change management is a process of standardized methods and
procedures to ensure that all changes are handled appropriately and
efficiently. In the business world, the introduction of change is risky
and can result in costly oversights, failed attempts, and loss of
business. The goal of change management is to respond to changing
business requirements while minimizing risk and reducing the levels
of incidents and re-work experienced.

Three change models are recognized:
 Standard Change – pre-authorized, low-risk, well-tested changes
with an established procedure. Individual account creation and
deletion, and routine system updates, are examples of standard
changes.
 Normal Change – changes that must go through assessment,
authorization, and agreement before they can be implemented.
Adding a new resource to the network, or allowing a contracting
firm to do facilities work, are examples of normal changes.
 Emergency Change – used for highly critical changes that must be
put into place immediately, usually as a result of a failure in
availability or service quality. Assessment is abbreviated, and
the full change record is completed and reviewed after the fact.
Regardless of the type of change that may be introduced, the change
management process ensures that the appropriate level of
information is obtained to ensure the proper handling of the event. At
minimum, the following information should be identified for every
change (based on the 7 Rs of Change Management):
 RAISED – Who is introducing the change?
 REASON – Why is the change required?
 RETURN – What is the expected outcome of the change?
 RISKS – What can go wrong or should be of concern
about the change?
 REQUIRED – What resources are required to implement
and support the change?
 RESPONSIBLE – Who will be building, testing, and
implementing the change?
 RELATIONSHIP – How does this change impact other
changes already in place or expected to be in place?

Many enterprises adopt a Change Advisory Board (CAB), which is
responsible for reviewing changes and providing authorization to
proceed. The CAB prioritizes changes based on business need and
rejects changes that do not meet, or could harm, the business
objectives. Several stakeholders may be represented on the CAB,
including:
 Customers
 User managers
 User groups
 Application developers and support
 Security specialists and consultants
 IT Operations staff
 Facilities staff
 Contractors
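
The CI relationships described under Configuration Management and the
7 Rs and three change models above are easier to see in code. The
following is an added example written for this edition, not code from
the book or from any CMS product: a toy configuration management system
that records CIs and their dependencies, answers the RELATIONSHIP
question by walking those dependencies, and routes a change record to
the standard, normal (CAB) or emergency model. All CI names, the
standard-change catalog and the sample change records are constructed
assumptions.

```python
"""Added example, not from the book: a toy Configuration Management System
(CMS) and a change-record check built on the 7 Rs of change management.
CI names, the standard-change catalog and the sample records are assumed."""
from collections import deque
from dataclasses import dataclass, field


class CMS:
    """Stores CIs and directed 'depends_on' relationships between them."""

    def __init__(self):
        self.cis = {}          # CI name -> CI type (informational)
        self.dependents = {}   # dependency -> set of CIs that rely on it

    def add_ci(self, name, ci_type):
        self.cis[name] = ci_type
        self.dependents.setdefault(name, set())

    def relate(self, dependent, dependency):
        """Record that `dependent` relies on `dependency`."""
        if dependent not in self.cis or dependency not in self.cis:
            raise KeyError("both CIs must exist before they can be related")
        self.dependents[dependency].add(dependent)

    def impacted_by(self, ci):
        """All CIs that transitively depend on `ci`: the RELATIONSHIP answer
        taken from the CMS rather than from the requester's memory."""
        seen, queue = set(), deque([ci])
        while queue:
            for d in self.dependents[queue.popleft()]:
                if d not in seen:
                    seen.add(d)
                    queue.append(d)
        return sorted(seen)


SEVEN_RS = ("raised", "reason", "return", "risks", "required",
            "responsible", "relationship")

# Hypothetical catalog of pre-authorized, low-risk, well-tested changes.
STANDARD_CATALOG = {"create-user-account", "delete-user-account"}


@dataclass
class ChangeRecord:
    target_ci: str
    fields: dict = field(default_factory=dict)  # the 7 Rs, keyed by name
    catalog_item: str = None                     # set for standard changes
    emergency: bool = False


def missing_rs(record):
    """Names of the 7 Rs the record leaves unanswered."""
    return [r for r in SEVEN_RS if record.fields.get(r) in (None, "")]


def route_change(cms, record):
    """Pick the change model: 'standard', 'normal: CAB review', 'emergency',
    or a rejection naming the missing Rs."""
    record.fields["relationship"] = cms.impacted_by(record.target_ci)
    if record.emergency:
        # Implemented immediately; the record is completed and reviewed later.
        return "emergency"
    # Standard only if it matches the catalog AND touches nothing else.
    if record.catalog_item in STANDARD_CATALOG and not record.fields["relationship"]:
        return "standard"
    gaps = missing_rs(record)
    if gaps:
        return "rejected: missing " + ", ".join(gaps)
    return "normal: CAB review"


def demo_cms():
    """Constructed environment with a production TLS certificate at the bottom."""
    cms = CMS()
    for name, ci_type in [("tls-cert-prod", "Internal"), ("web-app", "Internal"),
                          ("payments-api", "Internal"), ("order-service", "Service"),
                          ("sla-gold-customers", "External"), ("hr-directory", "Internal")]:
        cms.add_ci(name, ci_type)
    cms.relate("web-app", "tls-cert-prod")
    cms.relate("payments-api", "tls-cert-prod")
    cms.relate("order-service", "payments-api")
    cms.relate("sla-gold-customers", "order-service")
    return cms


def demo_routes():
    """Three constructed change records and the model each is routed to."""
    cms = demo_cms()
    rotate = ChangeRecord("tls-cert-prod", {
        "raised": "security-ops", "reason": "certificate expires in 14 days",
        "return": "renewed certificate, no outage",
        "risks": "TLS handshake failures if the chain is wrong",
        "required": "two engineers, maintenance window",
        "responsible": "platform-team"})
    deletion = ChangeRecord("hr-directory", {"raised": "hr"},
                            catalog_item="delete-user-account")
    incomplete = ChangeRecord("payments-api", {"raised": "dev"},
                              catalog_item="delete-user-account")
    return {"rotate": route_change(cms, rotate),
            "deletion": route_change(cms, deletion),
            "incomplete": route_change(cms, incomplete)}


if __name__ == "__main__":
    for name, decision in demo_routes().items():
        print(f"{name}: {decision}")
```

The point of computing the RELATIONSHIP field from the CMS rather than
accepting it from the requester is the one the text makes: the certificate
rotation looks like a one-item change until the dependency walk shows it
reaches a customer-facing SLA, and the "standard" account deletion stops
being standard the moment the target CI has dependents.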

6.6 Application Development

Application systems are often critical to the functional performance of
key business processes, usually controlling critical information assets
and IT resources.

6.6.1 Software Development Life Cycle

The Software Development Life Cycle (SDLC) is the implementation
process for business applications. It begins when:
 New opportunities for a new or existing process arise.
 New problems with an existing business process are
discovered.
 Emerging technologies provide new opportunities.
 Inherent flaws in existing technologies are found.

The SDLC approach follows a series of systematic steps with defined
goals and activities to define, design, develop, and implement an
application.
 Phase 1: Feasibility – determine the benefits of implementing
the system.
 Phase 2: Requirements – define the functional and quality
requirements of the solution.
 Phase 3A: Design – establish a baseline of system and
subsystem specifications that describe the parts of the
system.
 Phase 3B: Selection – develop a request for proposal to
present to suppliers of packaged systems which meet the
requirements.
 Phase 4A: Development – if a packaged system is not
used, program and formalize the operational processes of
the system.
 Phase 4B: Configuration – tailor the packaged system to the
organization's requirements.
 Phase 5: Implementation – place the new or changed
system into its operational state.
 Phase 6: Post-implementation – assess the adequacy of
the system in its operational state.

6.6.2 Phase 1: Feasibility

The first phase of the approach consists of a feasibility study meant
to clearly define the need, identify possible solutions that address
it, and describe the expected outcomes of each solution. The study
analyzes the benefits and solutions within the problem area, and a
business case is developed. Within the study, the following items
are addressed:
 Time frame for implementation of the required solution.
 Selection of a risk-based solution, from among the alternatives,
for meeting the business needs.
 Determination of whether the existing system can meet the
need with little or no modification.
 Determination of any vendor products which may meet the
need.
 Approximate cost of developing a solution.
 How closely the solution aligns with the business strategy.

One of the major questions with business decisions is whether a
solution should be developed in-house or acquired from a third-party
vendor. The factors impacting this decision are:
 The required date for functional operation.
 The difference in cost between development and
purchasing.
 The resource requirements for development as opposed to
implementing a vendor solution.
 The license characteristics and maintenance costs.
 Interface requirements with other systems.
 Compatibility with the IT infrastructure.
 Compatibility with strategic business plans.
 Potential future requirements for the system.

6.6.3 Phase 2: Requirements

In the feasibility study, the requirements identified are focused on
resolving the problem or filling the need; and though some effort is
made to ensure alignment with business goals and strategies, it is
usually done at a high level. The requirements phase of the SDLC
focuses on determining and communicating the business requirements
for the system chosen. The requirements identify what the system is
capable of doing or should be capable of doing, how users will
interact with the system, the conditions under which the system will
operate, and the information criteria of the system. This phase may
also deal with issues which become non-functional requirements, such
as security, performance and availability.

The activities performed in the requirements definition phase include:
 Identifying and consulting stakeholders to obtain their
expectations.
 Detecting and correcting conflicting requirements and
prioritizing requirements.
 Identifying system boundaries and the relationship with the
environment.
 Converting user requirements into system requirements.
 Recording and structuring requirements.
 Verifying the completeness, consistency, testability, and
uniqueness of the requirements.
 Resolving conflicts with stakeholders.
 Resolving conflicts over resources.

6.6.4 Phase 3A: Application Design

The Design phase consists of the following key activities:
 Developing system flowcharts
 Developing entity relationships
 Determining the structure design techniques
 Defining inputs and outputs
 Defining process steps and computation rules
 Defining data or database file design
 Defining program specifications
 Developing test plans for:
o Program
o Modules
o System
o Interface
o File initializing
o Stress
o Security
o Backup and recovery
 Developing migration plans from old system to new system

Entity Relationship Diagrams (ERDs) are used to understand the data
that a system needs to capture and manage; the result is a logical
data model. It can later be refined into a physical data model
representing the actual database schema created. The ERD works by
identifying entities and the relationships between them. Entities are
groups of similar data elements or instances representing actual
physical objects or logical abstractions. Attributes characterize each
entity and are compared to identify similarities.

When two entities are associated, they form a relationship. Foreign
key attributes create the association by mapping an attribute of one
entity to the key of the other. Relationship cardinality is the numeric
association between entities, such as a one-to-one, one-to-many, or
many-to-many association.

The National Institute of Standards and Technology (NIST) issued the
“Integration Definition for Information Modeling” (IDEF1X) standard
(FIPS PUB 184) in 1993 to codify and expand on the ERD concept. With
IDEF1X, entities are divided into:
 Identifier-independent entities – whose primary key does not
depend on any other entity.
 Identifier-dependent entities – whose primary key includes the key
of a parent entity, so the entity cannot exist without it.

Relationships in IDEF1X are categorized as:
 Identifying connection relationships – the parent's key becomes
part of the child's key.
 Non-identifying connection relationships – the parent's key is a
non-key attribute of the child.
 Categorization relationships – a generic entity with mutually
exclusive category (subtype) entities.
 Non-specific relationships – many-to-many associations, later
resolved into an associative entity.
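
As an added example (not from the book), the ERD and IDEF1X concepts
above expressed as a SQLite schema and exercised with Python's standard
sqlite3 module: identifier-independent and identifier-dependent entities,
identifying and non-identifying relationships, a categorization
relationship, and a many-to-many (non-specific) relationship resolved
through an associative entity. The table names and sample rows are
constructed; the point of the run-time checks is that cardinality rules
only hold if the database actually enforces the foreign keys.

```python
"""Added example, not from the book: ERD / IDEF1X concepts as a SQLite
schema, with foreign-key enforcement checked at run time. Table names,
columns and sample rows are constructed for illustration."""
import sqlite3

SCHEMA = """
-- Identifier-independent entities: each owns its primary key.
CREATE TABLE customer (customer_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE product  (product_id  INTEGER PRIMARY KEY, sku  TEXT NOT NULL UNIQUE);

-- Non-identifying relationship (one customer, many orders): the foreign
-- key is an attribute of sales_order but not part of its key.
CREATE TABLE sales_order (
    order_id    INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(customer_id)
);

-- Identifier-dependent entity through an identifying relationship: the
-- order's key is part of the line's key, so a line cannot outlive its order.
CREATE TABLE order_line (
    order_id   INTEGER NOT NULL REFERENCES sales_order(order_id) ON DELETE CASCADE,
    line_no    INTEGER NOT NULL,
    product_id INTEGER NOT NULL REFERENCES product(product_id),
    qty        INTEGER NOT NULL CHECK (qty > 0),
    PRIMARY KEY (order_id, line_no)
);

-- Categorization relationship: a generic entity plus mutually exclusive
-- category entities that share its key; the discriminator names the category.
CREATE TABLE account (
    account_id   INTEGER PRIMARY KEY,
    account_type TEXT NOT NULL CHECK (account_type IN ('person', 'service'))
);
CREATE TABLE person_account  (account_id INTEGER PRIMARY KEY REFERENCES account(account_id),
                              employee_no TEXT NOT NULL);
CREATE TABLE service_account (account_id INTEGER PRIMARY KEY REFERENCES account(account_id),
                              owner_team  TEXT NOT NULL);

-- Non-specific (many-to-many) relationship resolved into an associative
-- entity keyed by both parents: which accounts may see which products.
CREATE TABLE account_product_access (
    account_id INTEGER NOT NULL REFERENCES account(account_id),
    product_id INTEGER NOT NULL REFERENCES product(product_id),
    PRIMARY KEY (account_id, product_id)
);
"""


def open_db():
    """In-memory database with referential integrity switched on. SQLite
    ignores foreign keys unless this pragma is set on each connection."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript(SCHEMA)
    return con


def load_sample(con):
    """Constructed sample rows."""
    con.executemany("INSERT INTO customer VALUES (?, ?)", [(1, "Acme"), (2, "Globex")])
    con.executemany("INSERT INTO product VALUES (?, ?)", [(10, "WIDGET"), (11, "GADGET")])
    con.execute("INSERT INTO sales_order VALUES (100, 1)")
    con.executemany("INSERT INTO order_line VALUES (?, ?, ?, ?)",
                    [(100, 1, 10, 3), (100, 2, 11, 1)])
    con.commit()


def insert_allowed(con, sql, params):
    """True if the row is accepted, False if a constraint rejects it."""
    try:
        with con:
            con.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False


def cardinality_checks(con):
    """Exercise each relationship type; returns the outcome of each probe."""
    results = {}
    # Orphan order line: the identifying relationship forbids it.
    results["orphan_line"] = insert_allowed(
        con, "INSERT INTO order_line VALUES (?, ?, ?, ?)", (999, 1, 10, 1))
    # Order for an unknown customer: the non-identifying FK is enforced too.
    results["unknown_customer"] = insert_allowed(
        con, "INSERT INTO sales_order VALUES (?, ?)", (101, 42))
    # Same line number twice in one order: the composite key rejects it.
    results["dup_line"] = insert_allowed(
        con, "INSERT INTO order_line VALUES (?, ?, ?, ?)", (100, 1, 11, 1))
    # Category row without its generic parent: the shared key is enforced.
    # (A person row for an account typed 'service' would NOT be caught by
    # the schema alone; the discriminator needs a trigger or app check.)
    results["category_without_parent"] = insert_allowed(
        con, "INSERT INTO person_account VALUES (?, ?)", (7, "E-0042"))
    # Deleting the order cascades to its identifier-dependent lines.
    with con:
        con.execute("DELETE FROM sales_order WHERE order_id = 100")
    results["lines_after_cascade"] = con.execute(
        "SELECT COUNT(*) FROM order_line").fetchone()[0]
    return results


if __name__ == "__main__":
    db = open_db()
    load_sample(db)
    print(cardinality_checks(db))
```

For an auditor the `PRAGMA foreign_keys = ON` line is the one to look
for: without it every REFERENCES clause in this schema is documentation
only, and all of the rejected inserts above would silently succeed.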

6.6.5 Phase 3B: Acquiring Software

In some instances, procuring software is a better option than using
internal resources to develop an application to meet the need or
resolve the problem. This decision can save cost and time, but depends
on the availability and flexibility of suitable products. The three
options usually facing businesses when acquiring software are:
 Generic software to support a generic business process.
 Customizable software that can be tailored to the business
processes.
 Custom software developed by a vendor specifically for the
organization.

A Request for Proposal (RFP) is generally created to initiate the
process of identifying vendor-produced software. Various vendors are
invited to respond to the RFP. An RFP should address the following
concerns:
 Product and system requirements
 Customer references
 Vendor credibility
 Complete and reliable documentation
 Vendor support
 Availability of source code
 Vendor experience with the product
 Recent or planned product enhancements
 List of current product users or sites
 Acceptance testing

6.6.6 Phase 4A: Development

The design of an application is put through a development phase
where the design is moved closer to a physical, deployable product.
Programmers and systems analysts have the greatest responsibility in
this phase. Key activities during this phase:
 Writing program code
 Developing program and system documentation
 Debugging and testing developed programs
 Converting data from the old to the new system
 Creating user procedures
 Providing appropriate training
 Documenting modifications

Integrated Development Environments (IDEs) are programming tools used
to write, compile and debug programs interactively. They are available
both as locally installed and as online (hosted) facilities, and
include libraries and pre-defined constructs for the programming
languages they support.

Within the development phase, the program will eventually go through
testing to verify and validate that it performs as designed.
Testing is performed using either top-down or bottom-up methods.
The top-down approach tests the system as a whole before its specific
subsystems and has the advantage of identifying major problems and
interface errors earlier. The bottom-up approach tests specific
segments before testing the entire system and can be started before
the entire program is complete. The different classes of tests include:
 Unit testing
 Interface/Integration testing
 System testing
 Final acceptance testing

6.6.7 Phase 5: Implementation

During the implementation phase, the new information system is
established and tested in the actual production environment. The
system may go through a certification or accreditation process. Data
conversions are typically performed during this time.

The goal of implementation is to provide an appropriate structure for
supporting the application, including:
 Establishing first-, second-, and third-line support teams.
 Providing a single point of contact for application users.
 Providing roles and skills training related to the application.

6.6.8 Phase 6: Post Implementation

Best practice includes a review after the implementation of the
application into the production environment. The objectives of the
review are to:
 Assess the system's adequacy against the original and any new
requirements.
 Evaluate the project's cost-benefit and return on investment (ROI).
 Develop recommendations for improvement and plans for
implementing them.
 Assess the development project process.

7 IT Service Delivery

7.1 Service Level Management

7.1.1 Service Level Agreements

Service Level Agreements (SLAs) are negotiated levels of assurance
or warranty of service quality. They are agreed upon based on
business need and the capabilities of the service provider. As the
service is rendered, it is monitored and measured to ensure that the
SLA is fulfilled. In many cases several services have to work
together in order to fulfill a single SLA.

Operational Level Agreements (OLAs) differ from SLAs in that they are
internal agreements between the service provider and the other parts
of the same organization on which the service depends, rather than
agreements with the customer. Where an SLA defines the minimum level
of warranty the customer requires, an OLA sets the target for a
supporting team and is typically at least as stringent as the SLA it
underpins. In those cases where several services are required to
fulfill a single SLA, each supporting service may have an associated
OLA.

There are several types of Service Level Agreements that may be
found in any organization:
 Service-based SLA – covers the service for all customers
of that service. From a security standpoint, a service-
based SLA may be applied to general admission into the
building or to ensure the minimal level of awareness and
compliance in conducting safe business transactions.
 Customer-based SLA – covers the requirements of a
single customer. For security, this may translate into
defining special requirements and security relationships
with customers of the business, or individual departments
within the organization. Departments like Finance and
Research and Development may have more stringent
requirements for security than Customer Support. Different
classifications of information may contribute to different
SLAs being applied.
 Multi-level SLA – a three-layer structure for adopting
agreements. The levels are corporate, customer, and
service. The corporate level covers all generic concerns
and requires less frequent changes. The customer level
relates to a specific customer or business unit regardless
of the service provided, while the service level relates to a
specific service for a specific customer.

SLAs should be clear and concise and leave no room for
interpretation. They do not define how a service is provided, only the
result of the service.
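
The following added example (not from the book) shows how an auditor or
service manager can measure a month of incidents against an availability
SLA and the OLAs that underpin it. The service names, targets and
incident times are constructed. The code clips outages that straddle
the reporting window, merges simultaneous outages of different
components so the customer-facing figure is not double counted, and
refuses an OLA that is looser than the SLA it supports.

```python
"""Added example, not from the book: checking a month of incidents against
an availability SLA and the OLAs that underpin it. Services, targets and
incident times are constructed for illustration."""
from datetime import datetime, timedelta


def merge(intervals):
    """Union of overlapping outage intervals, so that two components failing
    at the same time are not counted twice against the customer-facing SLA."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_in_window(incidents, start, end):
    """Total outage inside [start, end). An outage that straddles the window
    boundary counts only for the part that falls inside it."""
    total = timedelta()
    for s, e in incidents:
        s, e = max(s, start), min(e, end)
        if e > s:
            total += e - s
    return total


def availability(incidents, start, end):
    """Fraction of the window during which the service was up."""
    return 1 - downtime_in_window(incidents, start, end) / (end - start)


def error_budget(target, start, end):
    """Downtime the target allows in the window, e.g. 99.9% of a 31-day
    month is about 44.6 minutes."""
    return (1 - target) * (end - start)


def evaluate(incidents_by_service, sla, olas, start, end):
    """Report availability against each OLA and against the SLA.

    `olas` maps each supporting service to its internal target. An OLA looser
    than the SLA it underpins is rejected: every team could meet its own goal
    while the customer's SLA is still breached."""
    report = {}
    for name, target in olas.items():
        if target < sla["target"]:
            raise ValueError(f"OLA for {name} ({target}) is looser than the SLA")
        a = availability(incidents_by_service[name], start, end)
        report[name] = {"availability": a, "met": a >= target}
    # The customer sees the service down whenever any supporting service is.
    combined = merge([i for name in olas for i in incidents_by_service[name]])
    a = availability(combined, start, end)
    report[sla["name"]] = {
        "availability": a,
        "met": a >= sla["target"],
        "budget_minutes": error_budget(sla["target"], start, end) / timedelta(minutes=1),
        "downtime_minutes": downtime_in_window(combined, start, end) / timedelta(minutes=1),
    }
    return report


def demo():
    """Constructed incident log for March 2024, (start, end) per incident."""
    start, end = datetime(2024, 3, 1), datetime(2024, 4, 1)

    def t(day, hour, minute=0):
        return datetime(2024, 3, day, hour, minute)

    incidents = {
        "database": [(datetime(2024, 2, 29, 23, 50), t(1, 0, 20)),  # straddles 1 March
                     (t(15, 2, 0), t(15, 2, 30))],
        "web-tier": [(t(15, 2, 10), t(15, 2, 25)),                 # inside the db outage
                     (t(22, 9, 0), t(22, 9, 5))],
    }
    sla = {"name": "order-service", "target": 0.999}
    olas = {"database": 0.9995, "web-tier": 0.9995}   # tighter than the SLA
    return evaluate(incidents, sla, olas, start, end)


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

In the constructed month the web tier meets its OLA, the database
misses its OLA with 50 minutes of downtime, and the combined 55 minutes
exceeds the 44.64 minutes a 99.9% SLA allows in 31 days, so the
customer-facing SLA is breached even though one of the two OLAs held.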

7.2 Network Component Functionality

7.2.1 Repeater

Repeaters connect different segments of a network by receiving
incoming frames, regenerating and retiming the signal, and sending
it out of all their other interfaces. They operate at the physical
layer of the OSI model.

Repeaters are not aware of packets or frame formats, so they cannot
control broadcast or collision domains. They are also not aware of
upper-layer protocols.

The general rule for using repeaters on 10 Mbps Ethernet is the 5-4-3
rule. The rule states that the maximum path between two stations
cannot exceed 5 segments joined by 4 repeaters, with no more than 3
of those segments populated with stations. Each repeater introduces a
small amount of latency, which a transmitting device must take into
account in order to still detect a collision with another device
within the minimum frame time.

7.2.2 Hub

Hubs work on the physical layer of the OSI model. They perform the
same function as repeaters, but through multiple ports. Hubs are
typically found in wiring closets to concentrate Thinnet and 10BaseT
networks. They are often used within the star topology to facilitate
communication between network nodes. There are three types of
hubs:
 Passive – does not require an external power source, does
not regenerate the signal, and should be considered as
part of the cable in respect to cable length.
 Active – requires an external power source to allow for
regeneration of the signal.
 Intelligent – An active hub that provides error detection.

7.2.3 Modem

Modems (modulator-demodulators) convert the digital signals of a
computer into analog signals for transmission over a telephone line,
and convert them back at the other end. For the most part, dial-up
modem use is an alternative when broadband or a wireless hotspot is
unavailable but a telephone line is. Connectivity is performed through
a dial-up application to a predefined phone number of the service
provider, which allows connection to the WAN. From there, the user
typically has connectivity to the Internet or, with the proper
credentials, to their company's intranet.

Most homes and small offices have cable modems or ADSL modems,
usually combined with a router and wireless access point, that
provide wireless and wired Internet connectivity. From the computer's
point of view, connecting to these devices is the same as setting up
a Local Area Network connection over Ethernet.

7.2.4 Network Interface Card (NIC)

A Network Interface Card (NIC), also called a Network Interface
Controller, is the hardware that provides the interface between a
computer and a network, allowing a network-capable device to access
that network. The NIC has a ROM chip that contains a unique MAC
address which allows the device to be identified on the LAN. The NIC
operates at Layers 1 and 2 of the OSI model.

A NIC uses one or more techniques to transfer data between itself and
the host:
 Polling – the processor, under program control, repeatedly
examines the status of the NIC to see whether data is waiting.
 Programmed I/O – the processor addresses the NIC through its I/O
address on the system's address bus and moves the data itself.
 Interrupt-driven I/O – the NIC raises an interrupt to alert the
processor when it is ready to transfer data.
 Direct Memory Access (DMA) – the NIC, as an intelligent peripheral,
takes control of the system bus to read and write memory directly,
without involving the processor in each transfer.

7.2.5 Media Converter

Media Converters allow network traffic to be passed between different
types of network ports. Generally this is found between twisted pair
and fiber optic solutions. They can support different data
communication protocols and cabling types.

Media converters are available as small standalone devices, as PC card
converters, and as high port-density chassis systems.

7.2.6 Bridge

Bridges, like repeaters, connect different segments of a network, and
they are also protocol transparent. Unlike repeaters, bridges are
intelligent devices working at the data link layer of the OSI model.

Bridges can control the collision domains on the network. They filter
any incoming frame whose destination MAC address is on the same
segment the frame arrived from, preventing the frame from being
forwarded. Bridges can do this because they have already learned the
MAC address of each node on each segment, and the interface it is
located on, from the source addresses of earlier frames. If the
destination address is unknown, the bridge forwards the frame out of
all other interfaces, a process called flooding, which is also used
for broadcast frames.

Bridges store the entire frame and verify the CRC before forwarding
it. If a CRC error is detected, the frame is discarded. The Spanning
Tree Protocol is implemented to build a loop-free network topology.
With the protocol, the bridges communicate with each other, exchanging
information such as priority and bridge MAC addresses. As a group they
select a root bridge and then place some interfaces into a blocking
state while others forward, resulting in a single active path for any
frame.

7.2.7 Switch

Switches are more advanced than bridges. They use fast integrated
circuits to reduce the latency normally introduced by bridges. They
generally have more ports than bridges and run faster. They store
MAC addresses for each port and implement the Spanning Tree
Protocol. Like bridges, they make each port a separate collision
domain, but all ports remain part of the same broadcast domain (unless
VLANs are configured). Broadcasts are not controlled by switches.

Switches can run in cut-through mode, which allows a frame to be
forwarded before the entire frame has entered the buffer. Unfortunately,
cut-through operation increases the probability that error frames are
propagated on the network, so most switches perform store-and-forward
operation.
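
As an added example (not from the book), the learning, filtering,
flooding and CRC-check behaviour described for bridges and switches
above, as a small simulation. Ports, MAC addresses, frames and the
CRC-32 standing in for the Ethernet frame check sequence are all
constructed; the root-bridge election is the (priority, MAC) comparison
described for the Spanning Tree Protocol.

```python
"""Added example, not from the book: a transparent learning bridge/switch
simulation. Ports, MAC addresses, frames and the CRC-32 standing in for the
Ethernet frame check sequence are all constructed."""
import zlib

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Frame:
    def __init__(self, src, dst, payload, corrupt=False):
        self.src, self.dst, self.payload = src, dst, payload
        self.fcs = zlib.crc32(payload)          # computed by the sender
        if corrupt:                             # simulate damage in transit
            self.payload = payload[:-1] + bytes([payload[-1] ^ 0xFF])

    def crc_ok(self):
        return zlib.crc32(self.payload) == self.fcs


class LearningBridge:
    def __init__(self, ports, cut_through=False):
        self.ports = list(ports)
        self.table = {}                 # MAC address -> port it was last seen on
        self.cut_through = cut_through  # forward before the whole frame (and FCS) is in

    def receive(self, in_port, frame):
        """Return the list of ports the frame is forwarded out of."""
        if not self.cut_through and not frame.crc_ok():
            return []                   # store-and-forward: discard bad frames
        self.table[frame.src] = in_port # learn: source MAC lives behind in_port
        if frame.dst == BROADCAST or frame.dst not in self.table:
            # flood: every port except the one the frame arrived on
            return [p for p in self.ports if p != in_port]
        out = self.table[frame.dst]
        # filter: destination is on the segment the frame came from
        return [] if out == in_port else [out]


def elect_root(bridge_ids):
    """Spanning Tree root election: the lowest (priority, MAC) pair wins."""
    return min(bridge_ids)


A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"


def demo():
    """Constructed traffic: A and B share the segment on port 1, C is on port 2."""
    sw = LearningBridge(ports=[1, 2, 3])
    return [
        sw.receive(1, Frame(A, C, b"hello")),             # C unknown -> flood to 2, 3
        sw.receive(2, Frame(C, A, b"hi")),                # A already learned -> port 1
        sw.receive(1, Frame(A, B, b"local")),             # B unknown -> flood
        sw.receive(1, Frame(B, A, b"reply")),             # A is on port 1 -> filtered
        sw.receive(1, Frame(A, B, b"again")),             # B now known on port 1 -> filtered
        sw.receive(2, Frame(C, BROADCAST, b"arp")),       # broadcast -> 1, 3
        sw.receive(2, Frame(C, A, b"bad", corrupt=True)), # bad FCS -> discarded
    ]


def cut_through_demo():
    """The same damaged frame through a cut-through switch is propagated."""
    sw = LearningBridge(ports=[1, 2, 3], cut_through=True)
    return sw.receive(2, Frame(C, A, b"bad", corrupt=True))


if __name__ == "__main__":
    print(demo())
    print(cut_through_demo())
    print(elect_root([(32768, B), (4096, C), (4096, A)]))
```

Two things the trace makes visible that the prose only states: a frame
between two hosts on the same segment never crosses the bridge once
both have been learned, and traffic to an address the bridge has not yet
learned goes everywhere. Real switches bound the address table, so any
condition that stops learning (a full table, aggressive aging) degrades
the device toward hub-like flooding, which is why the learning behaviour
is worth checking in a review.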

Two types of switches exist:
 LAN switches
 ATM switches
LAN switches can increase network performance and leverage existing
investments in media and adapters. VLAN functionality is possible
through LAN switching. The benefits of LAN switching include:
 Superior microsegmentation
 Increased aggregate data forwarding
 Increased bandwidth

ATM switches all perform cell relay, but different types of ATM
switch differ in:
 The interfaces and services supported
 Redundancy
 Sophistication of traffic management
 Depth of ATM internetworking software

There are four types of ATM switches:
 Workgroup ATM
 Campus ATM
 Enterprise ATM
 Multiservice Access

Workgroup ATM switches provide Ethernet switch ports with an ATM
uplink to a campus ATM switch. They are designed to provide high-
performance switching among workstations, servers, switches, and
routers within workgroup and campus backbone environments.
Campus ATM switches are best for small-scale ATM backbones, to
reduce congestion and enable new services such as Virtual LANs. They
must support a wide variety of local backbone and WAN types, and the
ability to connect multiple switches together is another important
characteristic.

Enterprise ATM switches are multiservice devices designed to be part
of the backbone for large enterprise networks, and are usually used in
conjunction with high-end multiprotocol routers. Enterprise ATM
switches connect campus ATM switches. They can also act as a single
point for integrating all the disparate services and technologies found
on the backbone into a common platform and ATM transport
infrastructure. This eliminates the need for multiple overlay networks
and allows for easier management of the network.

Multiservice Access switches are used by service providers as
customer premises equipment (CPE) and within public networks.
They are designed to support WAN and MAN services on a common
infrastructure.

7.2.8 Wireless Access Point

Access points provide the entry point into a wireless network. The
radio hardware is half duplex, and the device carries intelligence
equivalent to a sophisticated Ethernet switch. Access points can
communicate with clients, with the wired network, and with other
access points.

An access point can be configured in three modes:
 Root mode
 Repeater mode
 Bridge mode

Root mode is typically the default configuration. It is used when the
access point is connected to a wired network backbone through a
wired interface. Root-mode access points are typically Ethernet
attached. When multiple access points are connected to the same
wired distribution network, they communicate with each other to
coordinate roaming.

Bridge mode connects two or more wired networks to each other using
wireless access points.

Repeater mode replaces the wired upstream link with a wireless one. A
client connects to the access point in repeater mode, and the repeater
in turn makes a wireless connection to a root access point upstream.

Use of repeater access points is not recommended because:
 Cells around each access point must overlap by more than
50%, reducing the range available to clients.
 Throughput is reduced since the repeater is
communicating with the upstream access points and all
clients.
 Users attached to repeaters typically experience low
throughput and high latency.

Access points can act as portals allowing client connectivity from
wireless 802.11 networks to wired 802.3 or 802.5 networks. Several hardware
and software options are available, including:
 Fixed or detachable antennas
 Advanced filtering capabilities
 Removable (modular) radio cards
 Variable output power
 Varied types of wired connectivity

Devices with detachable antennas allow connection to any antenna
with whatever length of cable is required. Some access points ship
with diversity antennas, which allow the use of multiple antennas with
multiple inputs on a single receiver.

An access point may include MAC or protocol filtering capabilities,
intended to keep intruders off the wireless LAN. The access point can
be configured to reject devices whose hardware address is not in the
MAC filter list held in its administrative controls. Protocol filtering
controls which protocols may be used on a wireless link. Note that MAC
addresses are transmitted in cleartext in every frame and are trivial to
change on a client, so MAC filtering is at best a nuisance to an attacker
and must not be relied on as an authentication control.

Some access points can add special functionality by providing
PCMCIA slots, which allow additional radios to be added to or removed
from the device. With two PCMCIA slots, a device can use one radio
card to act as an access point while the other acts as a bridge, or both
can act as independent access points, increasing the number of users
that can connect.

The administrator can control the power used by the access point to
send data through variable power output functions. Controlling power
allows the range of the access point to be controlled. The more power
used the greater the distance available to access the wireless
network.

Fixed-output access points are the alternative. With these, the effective
range is changed externally using:
 Amplifiers
 Attenuators
 Long cables
 High-gain antennas

Access points can connect to most wired network types. The wired
link between the access point and the core network is subject to the
same restrictions as any other link on that network, so its limitations
must be understood when placing the access point.

Configuring and managing access points depends on the feature set
provided by the manufacturer. Most devices offer at least a console,
telnet, USB, or built-in web server interface, and some models include
custom configuration management software. An access point typically
ships preconfigured with an IP address and default credentials, and a
hardware reset button restores the factory defaults. Default credentials
should be changed before the device goes into service, and cleartext
management protocols such as telnet and HTTP should be disabled in
favour of SSH or HTTPS where the device supports them.

Several additional features are available. The more features available,
the greater the expense of the device. Some of the features available
on Small Office, Home Office (SOHO) devices and Enterprise devices
include:
SOHO devices
 MAC filtering
 WEP (64-bit or 128-bit)
 USB or console configuration interfacing
 Built-in web server configuration interface (simple)
 Custom configuration applications (simple)

WEP in either key length is cryptographically broken and can be
recovered from captured traffic in minutes; it should be treated as a
legacy feature and replaced with WPA2 or WPA3 wherever possible.

Enterprise
 Custom configuration applications (advanced)
 Built-in web server configuration interface (advanced)
 Telnet access
 SNMP management
 802.1x/EAP
 RADIUS client
 VPN client and server
 Static or dynamic routing
 Repeater functions
 Bridging functions

Support for a feature can vary drastically between devices; some
devices partially support a feature while others fully support it.

7.2.9 Router

Routers make forwarding decisions based on network layer addressing.
They bound both collision domains and broadcast domains: each
interface of a router is a separate broadcast domain, defined by its
subnet and mask. Routers are protocol aware and can forward or block
packets of routed protocols.

Routers are the preferred method for forwarding packets between
networks of different media. Additionally, they provide traffic filtering,
route redundancy, load balancing, hierarchical addressing, and
multicast routing.

7.2.10 Firewall

Firewalls are devices designed to prevent unauthorized access and
can be implemented in hardware or software. Every packet passing
through the firewall is examined against a set of predefined rules.

The types of firewalls include:
 Packet Filter – the most common type of firewall, placed
between a trusted and an untrusted network and deciding on
each packet in isolation from its header fields.
 Application Proxy – inspects all packets at the application
layer and can filter specific commands.
 Stateful Inspection – filters packets but also tracks the
status of connections, so that only replies to established
sessions are admitted.
 Screened Host – uses a packet filter firewall and an
application proxy (bastion) host.
 Screened Subnet – uses two packet filter firewalls and a
bastion host.

7.3 Incident Management

An incident is any event in which a service is, or could be, disrupted.
For information security, the service provided is the provision of
access to information resources and the prevention of unauthorized
access to information systems. An incident, in these terms, is either a
failure to provide such access or a breach of the system resulting in a
leak of information.

Incident management is the process used to control the activities
related to identifying, managing, and overcoming an incident. Many
incidents recur, so pre-defined incident models are used. These
models describe the steps for handling an incident. Specifically, a
model defines:
 The steps to be taken
 Order of steps, including dependencies
 Responsible parties
 Timelines and thresholds for completing steps
 Escalation procedures
 Activities for preserving evidence

The process for incident management is similar to problem
management. A couple of steps are more extensive because of the
immediacy of the incident, such as escalation and closure. Escalation
serves two functions in incident management. The first is functional
escalation, used when the Service Desk is unable to resolve the
incident entirely or within a specific time frame and the incident record
must be sent to another level of support. Hierarchical escalation is
performed for incidents of high severity, when IT and business
management must be notified.

Resolution, recovery, and closure of an incident can be more involved
in incident management. A request for change is usually not required.
Potential resolutions are applied and tested. Typically, closure is
initiated when the incident is resolved and the user is satisfied with
the resolution. As a result, the Service Desk usually checks the
following before closing the record:
 Closure categorization – ensure the incident is properly
categorized, or has been changed from initial
understanding.
 User satisfaction survey – to determine the satisfaction of
the user and find potential service improvements.
 Incident documentation – ensuring all information related
to the incident including the description of the event and
resolution attempts are documented.
 Recurring problem determination – making the decision to
introduce the incident details to problem management.
 Formal closure – provides the final closing procedures for
the incident.

7.4 Problem Management

Problem Management is responsible for the entire life cycle of a
problem. Its objectives are to prevent problems and minimize the
impact of incidents, which is done by clearly understanding the
problem and putting an appropriate and effective solution in place.
The process defines the activities required to determine the root
cause of incidents and provide an appropriate solution to that root
cause. The solution is implemented through other control procedures,
especially Change Management and Release Management.

Problem Management is also responsible for maintaining information
about problems and their workarounds and resolutions. A Known Error
Database aids the Service Desk and end-users in diagnosing and
resolving their own problems with minimal risk of harm or of causing
another incident.

There are two major processes to Problem Management:
 Reactive Problem Management – generally initiated
through the Incident Management process and occurs
after a problem created an incident.
 Proactive Problem Management – generally driven by
continuous improvement efforts and occurs before a
problem causes an incident.

The problem management process consists of several general steps:
 Problem Detection
 Problem Logging
 Problem Categorization
 Problem Prioritization
 Problem Investigation
 Problem Diagnosis
 Problem Workaround
 Known Error Record
 Problem Resolution
 Problem Closure
 Problem Review

Problem detection can happen in several ways. The most obvious is
the occurrence of a failure, or incident, with an unknown cause. Some
incidents may be resolved while the root cause is still unknown, which
in turn initiates a problem record, and analysis of the incident is
performed to find the underlying cause. Problems may also be raised
when automated monitoring systems detect specific patterns that
warrant a problem report, or reported by suppliers or contractors who
have detected problems outside their own scope of responsibility.

All reported problems are logged and referenced back to the related
incidents. The typical details contained in a problem record include:
 Information about the user
 Information about the service
 Information about the equipment
 Initial log date and time
 Priority and categorization details
 Incident description
 All diagnostic or recovery actions taken

Incidents and problems are categorized and prioritized in the same
record. Prioritization is based on the frequency of the incident and its
impact on the environment, real or perceived. The severity of the
problem may also drive priority. The priority determines the speed and
nature of the resulting investigation into the problem; assigning the
appropriate level of resources and expertise makes the investigation
more effective and efficient.

Investigations lead to a diagnosis of the problem. An immediate
workaround may be found to minimize the impact of the problem and
reduce its severity and priority. Such workarounds can be applied, but
the problem record must remain open for further work to find a
resolution. A Known Error Record is generated so that the problem can
be identified quickly and the known workaround applied. Problem
resolution identifies the controls and solutions that will prevent the
problem from recurring. Usually, these resolutions require a change in
the environment. After the change is completed, the problem record
can be formally closed.

8 Protecting Information Assets

8.1 Logical Access Controls

8.1.1 Identification and Authentication

Identification ensures that the person requesting access is correctly
associated with the role defined in the system. It is important for
managing downstream activities and controls, such as accountability.
The purpose of identification is to bind the individual user to the
appropriate set of unique rights and privileges on the required
systems, applications, and services.

A person's identity is verified using authentication methods. When
accessing a system, a person presents their unique user identification
together with additional data that establishes trust between the user
and the system. This combination can be as simple as a username
and password. The system authenticates the user and, if successful,
grants access.

Common forms of identification include:
 Username
 User ID
 Account number
 Personal Identification Number (PIN)

Strictly, a PIN is a secret and therefore a knowledge-based
authenticator rather than an identifier; it appears in lists such as this
because some systems (bank cards, for example) use it as the only
thing the user presents beyond the token itself.

Three essential practices for identification include:
 Uniqueness
 Nondescriptive
 Issuance

Identification for a user must be unique to the individual. A single
person may possess several forms of identification, but each of them
must be distinct from the others within a system. IDs should not reveal
the role, job function, or privilege level of the user; in particular,
generic or privilege-revealing names such as the following should be
avoided as user identifiers:
 Admin
 Administrator
 Webmaster
 Finance
 Root

Where several access control environments exist that do not interact,
share information, or provide access to the same resources, it is
possible to duplicate the same user identification across those
environments. Unfortunately, because individuals are prone to
duplicating other attributes such as passwords along with the ID, it is
typically bad security practice to allow duplication of IDs.

The process used to issue identities must be secure and documented.
The quality of the process will determine the quality of the identifier.
An issuance process should consider:
 Approval
 Notification
 Administration
 Allocation

Authentication can use one, two, or all three factors, or types, to
verify a user. The three factors of authentication are:
 By knowledge – what a person knows.
 By ownership – what a person has.
 By characteristic – what a person does or is.

8.1.2 Passwords

Typically, authentication by knowledge is done through a password, a
string of characters (often 5 to 15) which is remembered by the user
and provided along with identification when requesting access. The
more diverse a password is, the harder it is to crack. Passwords fall
into different categories:
 Standard, or dictionary, words are recognizable words that
could be found in a dictionary. These are the least secure
passwords to be found in a system and are typically
rejected by most systems.
 Combination, or alphanumeric, passwords are usually one
or more dictionary words combined with numbers to add
complexity.
 Complex passwords use letters, numbers and special
characters to create a string. These are the most complex
and secure category of passwords, except that their
complexity often leads users to write the password down in
order to remember it.

Passphrases are an alternative to passwords and follow the same
rules. The difference is that a passphrase uses a phrase the user can
easily remember, such as a list of names or a line from a song, and its
greater length makes up for the predictability of the individual words.

Passwords or passphrases should never be sent over a network or
stored in cleartext. A system should store only a salted, deliberately
slow one-way hash of each password, so that a copy of the password
store does not directly yield the passwords themselves.
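The following Python program is an added example, not part of the original text, that puts the two preceding points into code: it sorts candidate passwords into the dictionary, alphanumeric and complex categories described above, estimates the brute-force keyspace each one implies (showing why a long passphrase beats a short complex string), and stores and verifies passwords as salted PBKDF2-HMAC-SHA256 hashes rather than in cleartext. The wordlist is a constructed five-word stand-in for a real dictionary, and the iteration count is an assumption taken from current OWASP guidance.

```python
import hashlib
import hmac
import math
import os

# Constructed stand-in for a real wordlist (assumption made for this example).
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}

# Alphabet sizes used for the keyspace estimate: 26 lower, 26 upper, 10 digits,
# 33 printable ASCII punctuation and space characters.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}

# PBKDF2-HMAC-SHA256 work factor (assumption: current OWASP guidance is 600,000).
ITERATIONS = 600_000


def char_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def categorize(password: str) -> str:
    """Place a password in one of the categories the text describes."""
    if password.lower() in DICTIONARY:
        return "dictionary"
    classes = char_classes(password)
    if "special" in classes:
        return "complex"
    if "digit" in classes and classes & {"lower", "upper"}:
        return "alphanumeric"
    return "other"


def keyspace_bits(password: str) -> float:
    """log2 of the brute-force search space implied by length and classes used.
    A rough measure only: it ignores dictionary structure and password reuse."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(password))
    return len(password) * math.log2(alphabet)


def hash_password(password: str) -> str:
    """Store a salted, iterated one-way hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ("dragon", "dragon42", "Dr4g0n!2024", "correct horse battery staple"):
        print(f"{candidate!r:32} {categorize(candidate):13} {keyspace_bits(candidate):6.1f} bits")
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify:", verify_password("correct horse battery staple", record))
```

Two things the code makes visible that the prose does not: every stored record carries its own random salt, so two users with the same password get different hashes and a precomputed table is useless, and the iteration count is stored with the record so it can be raised later without invalidating existing users.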

8.1.3 Access Control Implementation

Typical access control architectures are comprised of three systems:
 Host
 Requester
 Authenticator

The services found within the architecture support the core attributes
of the solution, including:
 Identification – provides identity
 Authentication – verifies identity and associated access
 Authorization – determines what actions are available to
the user
 Accountability – tracks user activity
In security solutions, the host is the system, user, application, or
service that provides the interface for identifying and authenticating
the user. The requester, typically a Network Access Server (NAS),
issues any challenges to the host that are used to verify the user. The
authenticator validates the user's identity.

8.1.4 Identity Management

Identity management is a set of technologies used to manage the
identities of employees, contractors, customers, partners, and
vendors. The IT infrastructure is designed to centralize and streamline
the processes for managing user identity, authentication, and
authorization data. All aspects of access control are found within
identity management.

Identity management focuses on the provisioning of users, processes,
and the management of access control. The process typically consists of:
 Creating a new user profile within the HR database
 Creating a request for access for the profile
 The request for access being approved by all necessary
managers
 Approved requests sent to IT teams to grant required
access
 Access granted and recorded in history files

Challenges to successful identity management solutions include:
 Consistency of user data across multiple systems
 Efficient processes for granting access across multiple
systems, to reduce repetitive tasks
 Increased usability by reducing the number of prompts
required to verify identity
 Reliability of user profile data, ensuring timely updates of
user information
 Scalability of the solution across the enterprise

8.1.5 Identity Management Technology

The technologies used by identity management are:
 Directories
 Web access management
 Password management
 Legacy single sign-on
 Account management
 Profile updates

Directories are typically a comprehensive system built to centralize
data management by holding the data within a hierarchy of objects. A
directory can be stored on one or more servers which replicate
between themselves. Access to the data in the directory is usually
provided by a protocol such as the Lightweight Directory Access
Protocol (LDAP).

Directories simplify architectures and avoid duplication of information.
Unfortunately, many legacy systems cannot use an external system
such as a directory to manage their users.

Building on directories, the data can be leveraged to manage user
identity, authentication, and authorization using a Web Access
Management (WAM) solution. These solutions typically use a front-end
web server to authenticate the user once on entry to the web
environment and then sustain that authorization throughout the entire
session.

Password management provides a method of tracking passwords
across multiple platforms and their various expiration times. Based on
the criticality of the application or service, different requirements may
exist for resetting or changing the password on a regular basis. Most
users have accounts on multiple systems. A password management
system can manage the passwords on all these systems and even
allow mundane user tasks, such as password resets and account
management, to be conducted.

In some cases, a single sign-on (SSO) is provided so that users can
access one or more systems during a single authentication process.
In these solutions, a central repository of user credentials is provided,
sometimes on a server or within a smart card. These repositories are
separate from the application or service being accessed, so some
replication process must be in place whenever the user ID and/or
password is changed within the application or the repository. Single
sign-on solutions carry a greater cost.

Account management is designed to control the creation, modification
and decommissioning of user accounts within a system. WAM
solutions typically manage access control for web-based applications,
but not for enterprise-wide solutions. Most account management
solutions provide a centralized, cross-platform security capability with
these features:
 Simultaneous management of user access to multiple
systems
 An automated workflow system for submitting requests for
new, modified, or deleted accounts
 Automatic replication of data
 Ability to load batch changes to user directories
 Policy-based changes automatically performed to create,
change, or remove access
 Focus on enterprise system access

Profiles are used to identify entities through a collection of associated
information. Most profiles will change at some point within the life
cycle of the user. Identifying and updating this information in a timely
manner is an important aspect of maintaining access control.

8.1.6 Access Lists

IP filtering uses access lists to permit or deny traffic based on the IP
address of the source or destination host. Traffic filtering on modern
networks can be highly complex, requiring a router or firewall. The
Cisco Internetwork Operating System (IOS) implements this with the
access list.
The functionality of the access list is dependent on the context in
which it is used, such as:
 To control access to networks through the router or define
particular traffic through the router.
 Limiting the contents of routing updates that are
advertised.
 Limiting access to services on the router.
 Defining the packets allowed when dial connections occur
if using Dial-on Demand routing.
 Defining packet priorities to determine queuing features.

An access list is comprised of a series of filters defined globally on a
router. Each filter compares passing packets against the rule it
represents to find a match. The entries are evaluated in order, and the
first match decides: the packet is permitted or denied based on that
rule and no later entry is consulted. A packet that matches no entry is
dropped by the implicit deny at the end of every IOS access list, so an
access list with no permit statements blocks all traffic on the interface.

8.1.7 Context-Based Access Control

Through Cisco Secure Integrated Software, context-based access
control (CBAC) goes beyond reflexive access lists: it inspects outgoing
packets and creates temporary openings for the returning traffic,
using information from the application layer in addition to the
transport, network, and session layer headers that a reflexive list
examines.

The process when using CBAC follows:
 The outgoing packet is evaluated by the router against the
outgoing access list.
 Information such as the source and destination IP address
and port numbers is recorded in a state table entry created
for the new connection.
 A temporary access list entry is created from the state table
information and placed at the beginning of the extended
access list on the router's external interface.
 The temporary opening is created before the outbound
packet is released, so that the reply is admitted when it
arrives.
 The inbound packet is tested against the inbound access
list and permitted if a match exists.
 The state table entry and temporary access list entry are
deleted when the connection is closed.

To configure CBAC, the following steps are required:


 Choose the interface to allow CBAC.
 Configure the access lists for both inbound and outbound
traffic.
 Configure any global timeouts and thresholds.
 Create inspection rules used to evaluate packets.
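The Python model below is an added example, not Cisco code and not part of the original text. It serves both the access list section above (entries evaluated in order, first match wins, implicit deny when nothing matches) and the CBAC process just described: a permitted outbound session is recorded in a state table, the reverse of that session is admitted ahead of the static inbound list, and the opening is removed when the session closes. The policy, addresses and packets are constructed for the example; real CBAC also times entries out and parses application-layer data, which this model omits, and it treats the first FIN or RST from outside as the close of the session.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""     # TCP flags as words, e.g. "SYN ACK" or "FIN ACK"


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str          # "tcp", "udp" or "ip" (any protocol)
    src: str            # source network in CIDR form
    dst: str            # destination network in CIDR form
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport


def evaluate_acl(rules: List[Rule], p: Packet) -> str:
    """Entries are compared in order and the first match decides. An ACL that
    matches nothing denies, mirroring the implicit deny at the end of an IOS ACL."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


Key = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)

# Constructed policy: inside hosts may open HTTPS to anywhere; nothing
# unsolicited is allowed in from outside.
OUTBOUND_ACL = [Rule("permit", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443),
                Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0")]
INBOUND_ACL = [Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0")]


class StatefulInspector:
    """CBAC-style inspection: permitted outbound sessions are recorded, and the
    state table acts as a temporary entry in front of the static inbound ACL."""

    def __init__(self, outbound_acl: List[Rule], inbound_acl: List[Rule]):
        self.outbound_acl = outbound_acl
        self.inbound_acl = inbound_acl
        self.state: Dict[Key, str] = {}

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def outbound(self, p: Packet) -> str:
        if evaluate_acl(self.outbound_acl, p) != "permit":
            return "deny"
        # Record the session before forwarding so that the reply is admitted.
        self.state[self._key(p)] = "open"
        return "permit"

    def inbound(self, p: Packet) -> str:
        reverse: Key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.state:
            # Temporary opening, checked ahead of the static inbound ACL.
            if {"FIN", "RST"} & set(p.flags.split()):
                del self.state[reverse]     # session closed: remove the opening
            return "permit"
        return evaluate_acl(self.inbound_acl, p)
```

The unsolicited-packet case is the one worth checking: a packet from a different outside host, even with the ports of a live session, has no matching state entry and falls through to the static inbound list, where it is denied.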

8.2 Logical Access Security Architectures

8.2.1 Authentication

Small organizations can generally use the default authentication
method of the software providing remote access connectivity. As the
organization grows, more sophisticated solutions such as RADIUS or
TACACS/TACACS+ may be appropriate.

With RADIUS, the access control subject provides authentication
credentials to the remote access server, which passes them to the
RADIUS server for authentication. The RADIUS server responds to the
remote access server with either acceptance or rejection of the
credentials. The password is not sent in cleartext between the remote
access server and the RADIUS server; it is obscured using a shared
secret known to both. Only the password attribute is protected in this
way, however: the rest of the exchange, including the username,
travels in cleartext, so the link between the two servers should itself
be trusted or protected (for example with IPSec).

Some characteristics of RADIUS include:
 UDP is used (ports 1812 and 1813, or the older 1645 and
1646), offering only best-effort delivery.
 Only the password is obscured during the authentication
process; the rest of the packet is cleartext.
 RADIUS works only on IP networks and does not support
multiple protocols.
 No control exists over individual commands executed on the
router; authorization is granted per session.

A similar procedure is used by the older TACACS system, in which the
authorization or denial of access is communicated between the
TACACS server and the user. TACACS uses no encryption at all;
TACACS+, however, does obscure the packet body. TACACS+ separates
authentication, authorization, and accounting into three distinct
functions which can be used independently or together.

Some characteristics found in TACACS+ are:
 TCP port 49 is used for transport, rather than UDP.
 The entire packet body can be obscured, including the
password, username, and other information.
 To enable troubleshooting, the obfuscation can be turned off.
 Multiple protocols are supported, including IP, AppleTalk
Remote Access (ARA), Novell Asynchronous Services
Interface (NASI), X.25 PAD connections, and NetBIOS.
 Greater control over router management in privileged and
non-privileged modes, down to authorizing individual
commands.
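To make the difference between "only the password is obscured" and "the entire body can be obscured" concrete, the following Python is an added example, not part of the original text and not from any vendor's implementation. It implements the RADIUS User-Password hiding of RFC 2865 section 5.2 and the TACACS+ body obfuscation of RFC 8907 section 4.5, both of which are MD5-and-XOR constructions keyed by the shared secret, and builds a minimal RADIUS Access-Request attribute list to show that the User-Name attribute goes out as-is. The shared secrets, authenticator, session id and message contents are constructed values for the example.

```python
import hashlib
import struct


def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.
    p is padded with NULs to a multiple of 16; b1 = MD5(S + RA), c1 = p1 XOR b1,
    then b_i = MD5(S + c_(i-1)) and c_i = p_i XOR b_i for each later block."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)


def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of the above: the server recomputes each b_i from the secret and
    the previous ciphertext block. Trailing NUL padding is stripped, so passwords
    that themselves end in NUL are not supported by this example."""
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")


def radius_access_request_attrs(username: bytes, password: bytes, secret: bytes,
                                request_authenticator: bytes) -> bytes:
    """User-Name (type 1) and User-Password (type 2) in RFC 2865 TLV form, where
    the length byte covers type and length too. Only the password value is
    transformed; the username is sent exactly as given."""
    hidden = radius_hide_password(password, secret, request_authenticator)
    return (bytes([1, 2 + len(username)]) + username
            + bytes([2, 2 + len(hidden)]) + hidden)


def tacacs_plus_obfuscate(body: bytes, key: bytes, session_id: int,
                          version: int, seq_no: int) -> bytes:
    """RFC 8907 section 4.5 body obfuscation, applied to the whole packet body.
    pad_1 = MD5(session_id + key + version + seq_no),
    pad_n = MD5(session_id + key + version + seq_no + pad_(n-1)),
    body XOR (pad_1 || pad_2 || ...). XOR makes the same call the inverse."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))


if __name__ == "__main__":
    secret, ra = b"s3cret", bytes(range(16))          # constructed values
    attrs = radius_access_request_attrs(b"alice", b"hunter2", secret, ra)
    print("RADIUS attributes on the wire:", attrs.hex())
    print("username visible:", b"alice" in attrs, "| password visible:", b"hunter2" in attrs)
    body = b"\x01\x00\x01\x01alice"                      # constructed TACACS+ body fragment
    obf = tacacs_plus_obfuscate(body, b"key", 0x12345678, 0xC0, 1)
    print("TACACS+ body on the wire:", obf.hex())
```

Both constructions depend entirely on the shared secret and on MD5, which is why the page's advice holds in both directions: an observer who learns the secret recovers every password, and an observer who cannot read the secret can still see the RADIUS username and, for either protocol, mount an offline guess against the secret from captured traffic.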

Kerberos is a network authentication protocol providing strong
authentication for client/server applications. It uses symmetric-key
cryptography and authentication tokens, called tickets, to drive the
system. Each principal in a Kerberos system shares a secret key with
the Kerberos server, which holds copies of all these keys; this is what
allows cross-platform authentication.

A Key Distribution Center (KDC) holds all the keys and provides a
centralized authentication service. The overall domain of control is
called a realm. Tickets are time-stamped so that a captured ticket
cannot be replayed indefinitely, which is why all the systems within the
realm must keep their clocks synchronized to a common reference.

Part of the KDC is the Authentication Server (AS), which is responsible
for authenticating each client. The Ticket Granting Service (TGS), the
other part of the KDC, makes the tickets for individual services and
distributes them to the clients.

The process for user logon follows:
 The user identifies themselves by presenting credentials to
the KDC.
 The AS authenticates the credentials.
 The AS issues a Ticket Granting Ticket (TGT) bound to the
client, valid for a defined lifetime covering the user's
session; the TGT is what the client later presents to the
TGS.

The process for resource access follows:
A) The Ticket Granting Ticket is presented to the KDC (TGS) together
with the details of the remote resource the client wants to access.
B) The KDC returns a service ticket for that resource to the client.
C) The service ticket is presented to the remote resource, which
verifies it with its own key and grants access.

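The simulation below is an added example, not part of the original text and not a real Kerberos implementation, that walks through the logon and resource-access exchanges just described with one KDC, one client and one service. Tickets are sealed with a toy authenticated cipher (SHA-256 keystream plus an HMAC tag) standing in for Kerberos's symmetric encryption, the string-to-key function is a plain hash, and the clock skew tolerance and ticket lifetime are assumptions; principal names, passwords and timestamps are constructed. What it shows that the prose does not: the service never talks to the KDC, the authenticator's timestamp is what stops a captured ticket being replayed later, and a wrong password fails at the AS before any ticket is issued.

```python
import hashlib
import hmac
import json
import os

CLOCK_SKEW = 300            # seconds of tolerated drift (assumption: common Kerberos default)
TICKET_LIFETIME = 8 * 3600  # assumption: a working day


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption standing in for Kerberos's real cipher. Illustrative only."""
    plaintext = json.dumps(obj).encode("utf-8")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def key_from_password(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()   # toy string-to-key


class KDC:
    """AS and TGS for one realm; holds every principal's long-term key plus its own TGS key."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)
        self.keys["krbtgt"] = os.urandom(32)

    def as_exchange(self, client: str, preauth: bytes, now: int):
        ts = unseal(self.keys[client], preauth)["ts"]   # pre-auth: raises on a wrong password
        if abs(now - ts) > CLOCK_SKEW:
            raise PermissionError("pre-authentication timestamp out of skew")
        sk = os.urandom(32).hex()                        # TGT session key
        tgt = seal(self.keys["krbtgt"], {"client": client, "sk": sk, "expires": now + TICKET_LIFETIME})
        return seal(self.keys[client], {"sk": sk}), tgt  # only the real user can read sk

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if a["client"] != t["client"] or abs(now - a["ts"]) > CLOCK_SKEW:
            raise PermissionError("authenticator rejected")
        ssk = os.urandom(32).hex()                       # service session key
        ticket = seal(self.keys[service], {"client": t["client"], "sk": ssk, "expires": t["expires"]})
        return seal(bytes.fromhex(t["sk"]), {"sk": ssk, "service": service}), ticket


class Client:
    def __init__(self, name: str, password: str):
        self.name, self.key = name, key_from_password(password)

    def logon(self, kdc: KDC, now: int) -> None:
        enc, self.tgt = kdc.as_exchange(self.name, seal(self.key, {"ts": now}), now)
        self.tgt_sk = bytes.fromhex(unseal(self.key, enc)["sk"])

    def service_ticket(self, kdc: KDC, service: str, now: int):
        auth = seal(self.tgt_sk, {"client": self.name, "ts": now})
        enc, ticket = kdc.tgs_exchange(self.tgt, auth, service, now)
        sk = bytes.fromhex(unseal(self.tgt_sk, enc)["sk"])
        return ticket, seal(sk, {"client": self.name, "ts": now})


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> str:
    """The resource decrypts the ticket with its own key, then checks the authenticator
    under the ticket's session key. It never contacts the KDC."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    if now > t["expires"] or a["client"] != t["client"] or abs(now - a["ts"]) > CLOCK_SKEW:
        raise PermissionError("access denied")
    return t["client"]


def run_scenario(now: int = 1_700_000_000) -> dict:
    fileserver_key = os.urandom(32)
    kdc = KDC({"alice": key_from_password("correct horse"), "fileserver": fileserver_key})
    alice = Client("alice", "correct horse")
    alice.logon(kdc, now)
    ticket, auth = alice.service_ticket(kdc, "fileserver", now + 60)
    result = {"granted": service_accept(fileserver_key, ticket, auth, now + 61)}
    try:    # the same ticket and authenticator replayed an hour later fail the skew check
        service_accept(fileserver_key, ticket, auth, now + 4000)
        result["replay_rejected"] = False
    except PermissionError:
        result["replay_rejected"] = True
    try:    # a wrong password cannot produce a valid pre-authentication timestamp
        Client("alice", "wrong").logon(kdc, now)
        result["wrong_password_rejected"] = False
    except ValueError:
        result["wrong_password_rejected"] = True
    return result
```

Running run_scenario() returns the three outcomes as a dictionary. The skew check is the reason the text insists on synchronized clocks: a service whose clock drifts by more than CLOCK_SKEW rejects every legitimate authenticator, and one that tolerates unlimited skew accepts every captured one.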
8.2.2 Virtual Private Network

A Virtual Private Network (VPN) is a network deployed on a shared
infrastructure that employs the same security, management, and
throughput policies as a private network. There are several VPN
implementations an organization can employ.

The peer model of VPN will determine the appropriate path for
transport at the network layer from a hop-to-hop basis and is typically
represented by a traditionally routed network. The edge nodes form a
relationship with the VPN service provider network to use the best
route instead of connecting with other edge nodes through a
predetermined path. With the peer model, all network layer
addressing must be unique within the VPN service provider network
and individual VPNs.

The overlay model of VPNs will determine the appropriate path for
transport at the network layer from one edge node to another by
cutting through the network. In this model the network layer requires
no knowledge of the underlying infrastructure and all edge nodes are
essentially a single hop away from each other. Unique network
addressing is not required except for addressing within a single VPN.

Link Layer VPNs are implemented at the second layer of the OSI
model rather than the third layer. The link layer provides the platform
for networking instead of having discrete networks at the network
layer. In this situation the different VPNs can share the same
infrastructure, but have no visibility to each other. A link layer VPN is
different from dedicated circuits because no synchronized data clock
is shared and no dedicated transmission path exists.

Network Layer VPNs are implemented at the third layer of the OSI
model and are often referred to as tunneling VPNs. In this situation,
tunnels are created between the source and destination router,
between routers, or between hosts. Tunneling can be done
point-to-point or point-to-multipoint. To allow tunneling, the VPN
backbone and VPN connected subnets do not require unique network
addresses and can be constructed transparently to the network
provider.

Transport and Application Layer VPNs are implemented on the
transport and application layers of the OSI model and require the
application to be written for and aware of existing VPNs.

8.2.3 IPSec

IP Security (IPSec) protocols enable each IP packet between two
network participants to be validated for access control, authentication,
and data integrity without modifying any network hardware or
software. Three main functions are provided by IPSec:
• Authentication only
• Authentication and encryption
• Key exchange

Two specific security protocols are added to the IP protocol:
• Authentication Header (AH) – provides connectionless
integrity, data origin authentication, and anti-replay
services to detect any modification of the data.
• Encapsulating Security Payload (ESP) – provides
encryption of the payload.

IPSec can accommodate different security needs by using AH or ESP
independently or jointly. Security Associations (SAs) are used to
establish agreements between two systems which are participating in
an IPSec connection. The SA represents a connection that provides
security services using a selected policy and keys. Individual SAs are
identified through a Security Parameter Index (SPI), an IP destination
address, and a protocol identifier.

SPIs are represented by an arbitrary 32-bit value which is selected by
the destination system to distinguish the SA from other SAs that may
be present at the node. Separate SAs are created in each direction;
when both AH and ESP protocols are being used, this forms four
separate SAs to accommodate the security needs of the connection.

Each protocol supports transport and tunnel modes of operation.
Transport mode is found between two nodes, while tunnel mode is
found when one end of the SA is a security gateway which acts as an
intermediary that implements the IPSec protocols. The mode
determines where the AH and ESP headers are inserted. In transport
mode, the AH or ESP header is inserted after the IP header but before
any upper layer protocol headers. The AH will authenticate the
original IP header, while the ESP will protect anything that follows the
ESP header. In tunnel mode, the original IP header and payload are
encapsulated by the IPSec protocols. A new IP header will specify the
tunnel destination and the AH or ESP headers will protect the
package.
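The SA identification, the four-SA case and the two header layouts described in the last three paragraphs, as an added example (not code from the book or from any IPsec stack). The addresses, the SPI choice and the "in"/"out" naming are constructed; in a real negotiation each end picks the SPI for the SAs it will receive on, whereas this toy lets one side pick both so the table can be built offline.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class SecurityAssociation:
    spi: int           # arbitrary 32-bit value chosen by the receiving end
    dst: str           # destination address of the protected packets
    proto: str         # "AH" or "ESP"
    mode: str          # "transport" or "tunnel"
    direction: str     # "out": we send, "in": we receive

# The Security Association Database is keyed exactly as the text says:
# (SPI, destination address, protocol) selects one SA.
SADatabase = Dict[Tuple[int, str, str], SecurityAssociation]

def choose_spi(sad: SADatabase, dst: str, proto: str) -> int:
    """Pick an SPI that does not collide with another SA at this node.
    SPI values 0-255 are reserved by IANA and are never handed out."""
    while True:
        spi = 256 + secrets.randbelow(2**32 - 256)
        if (spi, dst, proto) not in sad:
            return spi

def negotiate(sad: SADatabase, local: str, remote: str,
              use_ah: bool, use_esp: bool, mode: str) -> List[SecurityAssociation]:
    """Install the SAs one negotiation yields. SAs are one-directional, so
    every protocol in use gives one outbound and one inbound SA: two for
    AH or ESP alone, four when both are used together."""
    created = []
    for proto, enabled in (("AH", use_ah), ("ESP", use_esp)):
        if not enabled:
            continue
        for direction, dst in (("out", remote), ("in", local)):
            sa = SecurityAssociation(choose_spi(sad, dst, proto), dst, proto, mode, direction)
            sad[(sa.spi, sa.dst, sa.proto)] = sa
            created.append(sa)
    return created

def lookup(sad: SADatabase, spi: int, dst: str, proto: str) -> SecurityAssociation:
    """Inbound processing: the triple read from the packet selects the SA;
    a packet with no matching SA is dropped."""
    try:
        return sad[(spi, dst, proto)]
    except KeyError:
        raise KeyError(f"no SA for SPI {spi:#010x} to {dst} ({proto}); drop packet")

def header_layout(sa: SecurityAssociation, inner_src: str, inner_dst: str,
                  gw_src: str = "", gw_dst: str = "") -> List[str]:
    """Order of headers on the wire for a TCP segment protected by `sa`."""
    if sa.mode == "transport":
        # AH/ESP sits between the original IP header and the upper layer.
        return [f"IP {inner_src}->{inner_dst}", sa.proto, "TCP"]
    # Tunnel mode: the whole original packet becomes the payload of a new
    # IP packet addressed between the gateways.
    return [f"IP {gw_src}->{gw_dst}", sa.proto, f"IP {inner_src}->{inner_dst}", "TCP"]

def integrity_scope(sa: SecurityAssociation) -> List[str]:
    """What the integrity check covers: AH also authenticates the IP header
    in front of it (its immutable fields); ESP covers only what follows the
    ESP header, so the outer IP header stays unprotected."""
    payload = ["TCP"] if sa.mode == "transport" else ["inner IP", "TCP"]
    if sa.proto == "AH":
        return ["IP header (immutable fields)", "AH"] + payload
    return payload

if __name__ == "__main__":
    sad: SADatabase = {}
    for sa in negotiate(sad, "10.0.0.1", "10.0.0.2", True, True, "transport"):
        print(sa)
```

The `integrity_scope` distinction is the practical reason the book says AH authenticates the original IP header while ESP protects only what follows it: an ESP-only tunnel still needs the outer header checked by something else (or by the gateway's routing), which an auditor reviewing a VPN design should confirm.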

8.2.4 Internet Key Exchange (IKE)

Symmetric cryptography systems have both parties using the same
key for encryption and decryption of information. The components of
these keys must be exchanged between the two parties in a secure
manner and must remain exclusive to the two parties. Internet Key
Exchange (IKE) is designed to allow both sides to independently
produce the same symmetric key. It builds a VPN tunnel by
authenticating both ends and negotiating an agreement on the
methods for encryption and integrity. The intended result of an IKE
negotiation is an established Security Association (SA).

Diffie-Hellman (DH) is a part of the IKE protocol for exchanging the
components of the symmetric keys used. The DH algorithm builds
an encryption key from the private key of one endpoint and the public
key of the second endpoint, creating a shared secret between the two
endpoints.

The IKE process is composed of two phases. The first phase sets the
foundation for the second phase. In the first phase:
• Peers authenticate using certificates or a pre-shared
secret.
• A DH key is created.
• Keys and methods are exchanged and/or negotiated
between peers.

The security association is now established for use in the second
phase. The creation of the DH key is slow and requires lots of
computation, causing a decrease in performance.

The second phase focuses on exchanging materials between peers to
build the IPSec keys, which results in the establishment of the IPSec
Security Association.
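The two IKE phases with the DH step inside them, as an added example; this is not code from the book and not a conforming IKE implementation. The key derivation loosely follows the IKEv1 pre-shared-key schedule (SKEYID, SKEYID_d, SKEYID_a) but is simplified, the prime p is a toy value chosen so the arithmetic is visible (real IKE uses the much larger RFC 3526 groups), and the nonces, SPI and protocol number are constructed. It shows the two properties an auditor cares about: both ends derive the same keys without the secret ever crossing the wire, and a wrong pre-shared key is detected in phase 1 before any IPsec key is produced.

```python
import hashlib
import hmac
import secrets

# Toy MODP group: the Mersenne prime 2**127 - 1 keeps the numbers readable.
# Real IKE uses the far larger RFC 3526 groups; never use this p in practice.
P = 2**127 - 1
G = 5
NBYTES = 16   # every value mod P fits in 16 bytes

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    x = 2 + secrets.randbelow(P - 3)
    return x, pow(G, x, P)

def dh_shared(x: int, peer_public: int) -> int:
    """g^(xy) mod p from our private x and the peer's public g^y.
    Public values 0, 1 and p-1 force a trivial secret and are rejected."""
    if not 1 < peer_public < P - 1:
        raise ValueError("degenerate DH public value")
    return pow(peer_public, x, P)

class Peer:
    def __init__(self, name: str, psk: bytes):
        self.name = name
        self.psk = psk
        self.nonce = secrets.token_bytes(16)
        self.x, self.public = dh_keypair()

    # ---- phase 1: authenticate the peers, agree a DH secret, derive keys ----
    def phase1(self, peer_public: int, nonce_i: bytes, nonce_r: bytes,
               public_i: int, public_r: int) -> bytes:
        shared = dh_shared(self.x, peer_public).to_bytes(NBYTES, "big")
        # Simplified IKEv1 pre-shared-key schedule: SKEYID from the PSK and
        # both nonces, then a derivation key (feeds phase 2) and an
        # authentication key (proves both ends hold the PSK).
        skeyid = prf(self.psk, nonce_i + nonce_r)
        self.skeyid_d = prf(skeyid, shared + b"\x00")
        skeyid_a = prf(skeyid, shared + self.skeyid_d + b"\x01")
        return prf(skeyid_a, public_i.to_bytes(NBYTES, "big")
                   + public_r.to_bytes(NBYTES, "big"))

    # ---- phase 2: IPsec keying material from SKEYID_d and fresh nonces ----
    def phase2_keymat(self, protocol_id: int, spi: int,
                      nonce_i: bytes, nonce_r: bytes) -> bytes:
        return prf(self.skeyid_d, bytes([protocol_id]) + spi.to_bytes(4, "big")
                   + nonce_i + nonce_r)

def ike_exchange(psk_initiator: bytes, psk_responder: bytes):
    """Run both phases between two peers. Returns (peers_authenticated,
    ipsec_keys_match). With matching PSKs both are True; with a wrong PSK
    the phase 1 tags differ and a real implementation abandons the exchange."""
    i, r = Peer("initiator", psk_initiator), Peer("responder", psk_responder)
    args = (i.nonce, r.nonce, i.public, r.public)
    tag_i = i.phase1(r.public, *args)       # initiator uses responder's g^y
    tag_r = r.phase1(i.public, *args)       # responder uses initiator's g^x
    authenticated = hmac.compare_digest(tag_i, tag_r)
    # Phase 2 (quick mode): fresh nonces. ESP is IP protocol 50; the SPI
    # 0x1000 is a constructed value.
    n2_i, n2_r = secrets.token_bytes(16), secrets.token_bytes(16)
    k_i = i.phase2_keymat(50, 0x1000, n2_i, n2_r)
    k_r = r.phase2_keymat(50, 0x1000, n2_i, n2_r)
    return authenticated, hmac.compare_digest(k_i, k_r)

if __name__ == "__main__":
    print(ike_exchange(b"correct-psk", b"correct-psk"))
    print(ike_exchange(b"correct-psk", b"wrong-psk"))
```

The cost the text mentions is visible in `dh_keypair` and `dh_shared`: the modular exponentiations are the expensive part of phase 1, which is why phase 2 reuses `skeyid_d` with cheap HMAC calls rather than running DH again.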

8.2.5 Public Key Infrastructures (PKI)

The public key infrastructure (PKI) is a system of trust surrounding
digital signatures: how they are created, distributed, and managed. It
is used to establish trust between entities based on their mutual trust
of certificate authorities (CAs). SSL is not the only protocol or
technology which builds on the PKI concept: X.509, IKE, and Virtual
Private Networks (VPNs) also use PKI solutions.

The purpose of the PKI is to create a trusted relationship. This is
possible only if the CA signing the peer's certificate is trusted. Trusting
a CA involves obtaining and validating the CA's own certificate. After
this validation, the details contained in the CA's certificate and its
public key can be used to obtain and validate other certificates issued
by the same CA.

A subordinate CA is a Certificate Authority that is certified by another
Certificate Authority. Subordinate CAs can issue certificates to other
subordinate CAs, creating a certification chain or hierarchy.

Enrollment is a process for requesting a CA to issue a certificate for
an entity. The process begins with the generation of a key pair. A
certificate request is created out of the public key and additional
information about the entity. The CA type will determine the type of
certificate request created and the extent of the enrollment process.

When a certificate is received from another entity, the following
process is followed to validate the certificate:
• Verify the certificate signature.
• Verify the certificate chain has not expired.
• Verify the certificate chain has not been revoked.

A computer will also validate the use of the certificate in a given
situation, such as confirming the:
• Certificate is authorized to perform the required action.
• Correct certificate is used in the negotiation.

Two methods are used to determine the status of a certificate: the
Certificate Revocation List (CRL) and the Online Certificate Status
Protocol (OCSP).

The CRL is available from either an HTTP server or an LDAP server. If
the CRL repository is an HTTP server, the module uses the URL
published in the CRL Distribution Point extension of the certificate
and opens an HTTP connection to access the repository. If the CRL is
on an LDAP server, a computer will locate the CRL in one of the
defined LDAP account units. If the CRL Distribution Point extension
exists, it names the directory entry in which the CRL is published or
an LDAP URL. If the extension does not exist, the attempt to locate
the CRL is made in the entry of the CA itself in the LDAP server.

OCSP allows applications to identify the state of a certificate and can
provide more timely information on revocations than is possible
using CRLs, as well as providing other status information. OCSP
clients issue a status request to the OCSP server, and acceptance of
the certificate is suspended until a response is received from the
server. To use OCSP, the root CA must be configured to use this
method instead of CRLs; the setting is inherited by subordinate CAs.
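The three-step validation (signature, expiry, revocation) over a root / subordinate CA / end-entity chain, as an added example that is not code from the book or from any real PKI library. The signatures use a toy RSA built on small Mersenne primes (a modulus of roughly 150 bits) so that everything runs with the standard library; it is real enough to sign and verify but far too small to be secure. The CA names, serial numbers and validity windows are constructed, and the CRL is modelled simply as a set of revoked serials per issuer, which is the information a fetched CRL or an OCSP answer would supply.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Toy RSA on Mersenne primes: enough to sign and verify, nowhere near secure.
def make_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)            # (public, private)

def digest(data: bytes) -> int:
    # 128-bit truncation keeps the value below every toy modulus used here.
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def sign(private, data: bytes) -> int:
    n, d = private
    return pow(digest(data), d, n)

def verify(public, data: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(data)

@dataclass
class Certificate:
    subject: str
    issuer: str
    public_key: tuple       # (n, e)
    not_before: int
    not_after: int
    serial: int
    signature: int = 0

def to_be_signed(cert: Certificate) -> bytes:
    """Everything the issuer's signature covers (all fields but the signature)."""
    n, e = cert.public_key
    return (f"{cert.subject}|{cert.issuer}|{n}|{e}|"
            f"{cert.not_before}|{cert.not_after}|{cert.serial}").encode()

def issue(issuer: str, issuer_private, subject: str, subject_public,
          not_before: int, not_after: int, serial: int) -> Certificate:
    cert = Certificate(subject, issuer, subject_public, not_before, not_after, serial)
    cert.signature = sign(issuer_private, to_be_signed(cert))
    return cert

def validate_chain(chain: List[Certificate], trusted_roots: Dict[str, tuple],
                   crls: Dict[str, Set[int]], now: int) -> Tuple[bool, str]:
    """chain is ordered leaf first, root last. trusted_roots maps a root CA
    name to the public key obtained and validated out of band (the 'trusting
    a CA' step in the text). crls maps an issuer name to its revoked serials."""
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            issuer = chain[i + 1]
            if issuer.subject != cert.issuer:
                return False, f"{cert.subject}: issuer does not match next certificate"
            issuer_key = issuer.public_key
        else:
            # Last certificate must be a self-signed root we already trust.
            issuer_key = trusted_roots.get(cert.subject)
            if cert.issuer != cert.subject or issuer_key != cert.public_key:
                return False, f"{cert.subject}: chain does not end in a trusted root"
        if not verify(issuer_key, to_be_signed(cert), cert.signature):
            return False, f"{cert.subject}: signature does not verify"
        if not cert.not_before <= now <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        if cert.serial in crls.get(cert.issuer, set()):
            return False, f"{cert.subject}: revoked by {cert.issuer}"
    return True, "chain valid"

def build_demo_chain():
    """Constructed hierarchy: root -> issuing (subordinate) CA -> VPN server."""
    root_pub, root_priv = make_keypair(2**89 - 1, 2**127 - 1)
    int_pub, int_priv = make_keypair(2**61 - 1, 2**107 - 1)
    leaf_pub, _ = make_keypair(2**61 - 1, 2**89 - 1)
    root = issue("Example Root CA", root_priv, "Example Root CA", root_pub, 0, 100_000, 1)
    inter = issue("Example Root CA", root_priv, "Example Issuing CA", int_pub, 0, 100_000, 2)
    leaf = issue("Example Issuing CA", int_priv, "vpn.example.com", leaf_pub, 0, 5_000, 3)
    return [leaf, inter, root], {"Example Root CA": root_pub}

if __name__ == "__main__":
    chain, roots = build_demo_chain()
    print(validate_chain(chain, roots, {}, now=1_000))
    print(validate_chain(chain, roots, {"Example Root CA": {2}}, now=1_000))
```

Note that revoking the subordinate CA (serial 2 in the root's CRL) invalidates the leaf even though the leaf itself is unrevoked and in date: revocation is checked at every link, which is what "the certificate chain has not been revoked" means in the list above.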

Using a PKI to generate and distribute a digital certificate is not the
only option available. Other options include:
• Self-signed certificates
• Peer-to-peer certificates

In a self-signed certificate, a public/private key pair is used. The public
key is placed into the certificate and the private key is used to sign the
certificate. The certificate is associated with the application and
distributed as users access the application. In this way, the
organization deploying the application can become their own CA
rather than depend on a public signing organization.

Peer-to-peer authentication is another method of establishing trust
between two or more entities. It relies on one person who is trusted
saying that another person they trust can be trusted. This extends
until a network of trust is created.

8.3 Attack Methods

Any threat against the confidentiality, integrity, and availability of
enterprise assets is a threat to access control.

Recognized threats to access control consist of:
• Denial of service
• Buffer overflows
• Mobile code
• Malicious software
• Password crackers
• Spoofing/masquerading
• Sniffers
• Eavesdropping
• Emanations
• Shoulder surfing
• Tapping
• Object reuse
• Data remnants
• Unauthorized targeted data mining
• Dumpster diving
• Backdoor/trapdoor
• Theft
• Intruders
• Social engineering

8.3.1 Denial of Service (DoS)

Denial of service attacks consist of:
• Consuming specific resources.
• System services or applications becoming unusable by
users.
• Total failure of a system.

In the early 1990s, the most prevalent attacks were SYN attacks, a
TCP/IP protocol manipulation in which an overwhelming number of
open-ended session requests were sent to a service, causing the
service to focus on processing these requests while delaying
legitimate requests. The result was that systems were virtually
unusable by valid users and applications of the service.

Denial of service is typically a result of finding a weakness in system
services and exploiting that weakness. One of the most common
characteristics of a DoS attack is the use of multiple events, systems,
or users to focus legitimate actions against a single system. The
result is a manipulation of system interactions for the purpose of
acquiring access or redirecting communications.
8.3.2 Buffer Overflows

A portion of memory is usually allocated to temporarily store
information that is used for processing. This is called a buffer and is
essential to manage data input and outputs during system interaction.

A buffer overflow is a manipulation of the system's ability to manage
the buffer which, in turn, causes a system failure such as an outage,
failure to control the application state, or failure to control the data
required for processing.

Poor system memory access control and management is the typical
cause of buffer overflows. Proper coding of the application, services,
and operating systems managing the memory allocation is a good
start at preventing this threat. Adequate testing in the development
process can ensure that the coding is done properly and identify any
vulnerabilities to buffer overflows.

8.3.3 Mobile Code

Any software that is transmitted across a network from a remote
source to a local system and executed without any explicit action from
the user is referred to as mobile code. The local system can be a
personal computer, smart device, PDA, mobile phone, or Internet
appliance. Mobile code does not need to be installed or executed by
the user and is typically known as downloadable code and active
content.

Mobile code is not necessarily harmful and includes:
• ActiveX controls
• Java applets
• Browser scripts
• HTML email

However, significant security implications surround mobile code
because of the capabilities of dynamic distribution, limited user
awareness, and potential for harm. Mobile code used maliciously can
track user activity, access vital information or install other applications
without the user’s knowledge. To prevent malicious mobile code, the
system has to be configured properly.

8.3.4 Malicious Software

Malicious software was once used to describe Trojans or spyware, but
the term has expanded to include any software, application, applet,
script, or digital material run on a computer system that can be a
threat to the system, applications, or information.

Falling into the category of malicious software, or malware, are:
• Viruses – parasitic code which requires human assistance
to transfer or insert into the system or is attached to
another program to allow replication and distribution.
• Worms – self-propagating code which exploit
vulnerabilities in systems or applications. Similar to viruses
without the need for human interaction.
• Trojan Horses – any program that appears to the user as
desirable but is, in the end, harmful.
• Spyware – hidden applications intended to track user's
activity, obtain personal data, and even monitor system
inputs.

8.3.5 Password Crackers

Passwords are a grouping of secret characters used to prove the
identity of the user. Passwords are prone to discovery and, given
that they range from an average of 5 to 15 characters, they are limited
by the number of potential combinations of characters.

Passwords are stored as a one-way hash, produced by an algorithm
that creates a unique representation of the password. When a system
receives a password, it applies the same algorithm used to create the
stored hash and compares the result to the hash on file. If the hash
matches, the certainty that the password provided is the one on file
increases. In most cases, the password itself is never stored or saved,
only the hash.

Password crackers work on the hashed password which has been
saved. When the file containing the hashed passwords is found, the
password cracker compares every possible password combination
against the hash. This is done by using or creating a list of possible
combinations, hashing them, and comparing each hash to the stored
passwords in the file. The length and complexity of the password has
an impact on the time required to test every combination, ranging
from minutes to years.

Password crackers are easily obtainable and are useful for both
hackers and system administrators. System administrators use
password crackers to identify the strength of a particular password. If
the password is weak, a request can be made to the user to change
to a stronger password.

In 1980, Martin Hellman described a method of using pre-calculated
data stored in memory to reduce the time required for cryptanalysis.
By performing an exhaustive search and loading results into memory,
the time required to create a list for use by password crackers can be
significantly decreased. This is commonly referred to as a time-memory
tradeoff, where the memory saved and the cost of processing time
compete with each other.

Many password hashes are generated by encrypting a fixed plaintext
with the user's password as the key. A poorly designed password
hashing scheme will result in the plaintext and encryption method
being the same for all passwords. This allows password hashes to be
calculated in advance and subjected to a time-memory tradeoff.

The Hellman concept is based on enciphering the plaintext with all
possible keys whose results are organized into chains. Only the first
and last elements are loaded into memory. As the number of stored
chains increased, so did the frequency of generating the same results
with different keys.

By 1982, Ron Rivest had introduced the concept of distinguished
points, which improved the simple scheme by reducing the number of
memory lookups. The distinguished points were defined at the ends of
the chains based on the property that the first ten bits of the key were
all zeros. When a plausible match is identified, a chain is pulled from
memory from the end. Focusing on the distinguished points at the
end reduced the time required to process passwords.

A faster time-memory tradeoff was developed by Philippe Oechslin in
2003. The issue with the chaining process was the possibility of
collisions between chains and eventual merges within memory. To
limit the collision rate and reduce memory requirements, Oechslin
proposed a new approach to the creation of chains. His new chain
structure was called rainbow chains and utilized the distinguished
points concept with a process for successive reduction of points.
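The chain construction of the last four paragraphs, reduced to a toy so the tradeoff is visible, as an added example that is not code from the book. The keyspace (four-digit PINs), the chain length and count, the start points and the reduction function are all constructed; only chain endpoints are kept in memory, the position-dependent reduction step is what makes the chains "rainbow" chains, and the last function shows why a per-user salt makes the whole precomputation worthless, which is the control an auditor should look for in a password store.

```python
import hashlib
from typing import Dict, List, Optional

CHARSET = "0123456789"
LENGTH = 4
SPACE = len(CHARSET) ** LENGTH      # toy keyspace: 10,000 four-digit PINs
CHAIN_LENGTH = 50
CHAIN_COUNT = 400                   # 400 x 50 = 20,000 hash operations to build

def pin_from_int(n: int) -> str:
    out = []
    for _ in range(LENGTH):
        out.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(out)

def h(pin: str) -> bytes:
    """Unsalted hash: every user with the same PIN gets the same hash, which
    is exactly what lets the hashes be 'calculated in advance'."""
    return hashlib.sha256(pin.encode()).digest()

def reduce_(digest: bytes, position: int) -> str:
    """Map a hash back into the keyspace. The position-dependent term is the
    rainbow-chain idea: chains that collide at different positions do not
    merge, the defect Oechslin's scheme removed from Hellman's chains."""
    return pin_from_int((int.from_bytes(digest[:8], "big") + position) % SPACE)

def chain_element(start: str, k: int) -> str:
    """k-th plaintext of the chain beginning at start (x0 = start)."""
    x = start
    for pos in range(k):
        x = reduce_(h(x), pos)
    return x

def build_table() -> Dict[str, List[str]]:
    """Only endpoint -> start points are stored: the memory half of the
    time-memory tradeoff. Every intermediate value is thrown away."""
    table: Dict[str, List[str]] = {}
    for i in range(CHAIN_COUNT):
        start = pin_from_int((i * 7919) % SPACE)  # constructed, deterministic starts
        table.setdefault(chain_element(start, CHAIN_LENGTH), []).append(start)
    return table

def lookup(table: Dict[str, List[str]], target: bytes) -> Optional[str]:
    """Return the PIN whose unsalted hash is target, or None. For each column
    k the target could occupy, walk it forward to an endpoint; on a hit,
    regenerate that chain from its start and confirm (false alarms happen)."""
    for k in range(CHAIN_LENGTH - 1, -1, -1):
        y = reduce_(target, k)
        for pos in range(k + 1, CHAIN_LENGTH):
            y = reduce_(h(y), pos)
        for start in table.get(y, []):
            candidate = chain_element(start, k)
            if h(candidate) == target:
                return candidate
    return None

def salted_hash(salt: bytes, pin: str) -> bytes:
    """Per-user salt: the table above is useless against this hash, because a
    fresh table would have to be built for every distinct salt value."""
    return hashlib.sha256(salt + pin.encode()).digest()

if __name__ == "__main__":
    table = build_table()
    pin = chain_element(pin_from_int(7919 * 3 % SPACE), 3)
    print("stored endpoints:", len(table), "unsalted hit:", lookup(table, h(pin)))
    print("salted hit:", lookup(table, salted_hash(b"3f9a", pin)))
```

`CHAIN_COUNT * CHAIN_LENGTH` hash operations are spent once at build time so that each later lookup costs only about `CHAIN_LENGTH**2 / 2`; increasing the chain length trades more lookup time for fewer stored endpoints, which is the tradeoff the text describes.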

8.3.6 Spoofing/Masquerading

An attack method utilizing weaknesses with Internet protocols to gain
access to systems based on IP addresses and inherent trust
relationships was first conceived by Steve Bellovin. Kevin Mitnick
popularized the concept of IP spoofing in the 1980s. IP spoofing
allows a person to appear to come from a trusted source when they
are actually outside of the trusted environment.
Earlier versions of spoofing were performed at the protocol layer by
sending packets to the server with the source address of a known
system in the packet header. Filtering devices would pass the packet
if they were configured to permit activity to and from the trusted
address or network. Though this would allow the packet to arrive, it
did not guarantee the desired response from the server.

Modern systems and firewalls compensate for spoofing attacks.
Similar attacks manipulating the trust of systems and users are still
prevalent. Phishing is another form of masquerading as a trusted
source. Domain Name Servers can be used to redirect Internet users
from valid websites to malicious sites. Spoofing is used in man-in-the-
middle attacks where users may believe they are interacting with a
desired destination when in fact they have been redirected through an
intermediary, which is collecting information from both sides of the
communication.

Spoofing or masquerading has significant impact on the access
control environment since attackers gain access in such a way that
circumvents the established controls.
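How the "modern systems and firewalls" compensate for the protocol-layer spoof described above (a packet carrying a trusted internal source address but arriving from outside), as an added example that is not code from the book or from any firewall product. The internal prefixes, interface names and sample packets are constructed; the ingress rule is the classic anti-spoofing check and the egress rule is the complementary BCP 38 / RFC 2827 filter that stops a site from being the source of spoofed traffic.

```python
import ipaddress
from collections import Counter
from typing import List, Tuple

# Constructed topology: prefixes used inside the site and the interface
# names of a border router or firewall.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16")]
# Source addresses that are never legitimate on the public Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/3")]

def in_any(addr, prefixes) -> bool:
    return any(addr in p for p in prefixes)

def filter_packet(src: str, interface: str) -> Tuple[str, str]:
    """Anti-spoofing decision for one packet.
    Ingress: a packet on the outside interface claiming an internal source is
    forged (the trusted-address spoof in the text).
    Egress: a packet leaving with a non-internal source means the site is
    spoofing someone else (BCP 38 / RFC 2827 filtering)."""
    addr = ipaddress.ip_address(src)
    if in_any(addr, BOGON_PREFIXES):
        return "drop", "bogon source"
    if interface == "outside" and in_any(addr, INTERNAL_PREFIXES):
        return "drop", "internal source on outside interface (spoofed)"
    if interface == "inside" and not in_any(addr, INTERNAL_PREFIXES):
        return "drop", "non-internal source leaving the site (egress filter)"
    return "accept", ""

def apply_filter(packets) -> Tuple[List[str], Counter]:
    """packets: (source address, arriving interface). Returns the verdict per
    packet and a tally of drop reasons, which is what feeds an alert when the
    spoofed count climbs."""
    verdicts, reasons = [], Counter()
    for src, iface in packets:
        verdict, reason = filter_packet(src, iface)
        verdicts.append(verdict)
        if verdict == "drop":
            reasons[reason] += 1
    return verdicts, reasons

# Constructed sample traffic.
SAMPLE = [
    ("203.0.113.9", "outside"),    # ordinary Internet client
    ("10.1.2.3", "outside"),       # claims to be internal but arrived from outside
    ("10.1.2.3", "inside"),        # the real internal host
    ("198.51.100.4", "inside"),    # internal host spoofing an outside address
    ("127.0.0.1", "outside"),      # loopback can never be a valid source
]

if __name__ == "__main__":
    verdicts, reasons = apply_filter(SAMPLE)
    print(verdicts)
    print(reasons.most_common())
```

As the text notes, passing the filter did not guarantee the attacker the desired reply; the filter's job is to make sure the spoofed packet never reaches the trusting server at all, and the reason tally gives the detection signal.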

8.3.7 Sniffers, Eavesdropping, and Tapping

At some point in networking between two computers, communications
will pass through a physical device. Gaining access to the physical
device could provide insight into all layers of communication, in the
form of eavesdropping or tapping.

The same capabilities are utilized by IDSs which monitor
communications in an effort to detect unwanted activities.

Sniffers are devices collecting information from a communication
medium.

8.3.8 Emanations

Emanation is a proliferation or propagation of a signal which is most
evident in wireless networks. By being within range of the wireless
signal, an attacker can attempt to access the network without
physically accessing the facility.

Emanations can be tapped to allow eavesdropping. The key is
tapping into the electromagnetic properties of computing devices to
acquire data from a distance.

Encryption of signals can provide some protection. Reducing the
emanation of a signal can also provide some protection using
mechanisms such as TEMPEST.

8.3.9 Shoulder Surfing

Shoulder surfing is a form of social engineering where information is
gathered through direct observation. This is done by watching a
person entering a password or listening to a conversation containing
sensitive information.

Deterrents to shoulder surfing include:
• Awareness training
• One-time use passwords
• Multifactor authentication
• Screen filters
• Special polarized glasses

8.3.10 Object Reuse

The allocation or reallocation of system resources to an application or
process is referred to as object reuse. In essence, applications and
services create objects which are stored in memory. Those objects
can be used over and over by the application or service and are
shared with other applications and services. An object is used to
perform a privileged task for an application or authorized user. If the
usage of this object is not controlled and remains in memory, it can
become available to unauthorized use.
Application object reuse has two aspects:
• The direct employment of the object.
• The use of input or output data from the object.

To protect against the harmful reuse of an entire object, an application
should erase all residual data from the object before it is assigned to
another process to prevent the data from being intentionally or
unintentionally read.

Security requires a controlled sharing of object resources. Since these
resources are in memory, their management can be difficult. Many
systems are running multiple processes simultaneously. Memory may
be allocated to one process for a while, de-allocated and reallocated
to another process making the constant processing a potential
security vulnerability. This is because residual information may still
exist in a memory section when it is reallocated to a new process.

The same concern is applicable to system media like hard drives,
magnetic media, and other forms of data storage. It is common
practice to reuse media to reduce costs in backup activities.
Removing all data from the media ensures that proprietary and
confidential information is not compromised. Standard methods
include:
• Degaussing
• Writing over media

8.3.11 Data Remanence

Similar to object reuse is data remanence which is often seen when
used computer equipment is reused or sold to another user. The
partial or entire remains of digital information still exist for the new
user.

Hard drives are comprised of platters organized into segments and
clusters. When a file is written to the hard drive, it is placed in one or
more clusters in a series or spread across the disk. The file allocation
table is responsible for tracking the physical location information for
the file in order to retrieve it later.

Several situations can lead to data exposure:
• Deleting a file removes the information from the file
allocation table but not from the physical cluster.
• Sensitive or confidential data is stored in the slack space
of partially used clusters and remains until the entire
cluster is overwritten with new data.
• Malicious information or code is stored by attackers within
the slack space.

The most effective mechanism to destroy data is to overwrite the data
several times accomplishing:
• Providing enough randomization to prevent statistical
analysis of the data.
• Further masking the remnants of any electromagnetic
representation of the data with each rewrite.
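The two controls described in sections 8.3.10 and 8.3.11, erasing an object before it is handed to another process and overwriting media several times, as one added example (not code from the book). The buffer pool, the "secret" payload and the confidential file are constructed. The overwrite routine carries the caveat a practitioner needs: on flash and SSD storage, journaling or copy-on-write file systems, and anywhere snapshots exist, an in-place overwrite may not reach every physical copy, which is why the text also lists degaussing and why physical destruction or encryption with key destruction remain the end-of-life controls.

```python
import os
import secrets
import tempfile
from typing import Tuple

class BufferPool:
    """Fixed-size buffers shared by many tasks in turn: the 'object' of object
    reuse. Releasing a buffer wipes it in place so the next task sees no
    residue from the previous one."""
    def __init__(self, size: int, count: int):
        self._free = [bytearray(size) for _ in range(count)]

    def acquire(self) -> bytearray:
        return self._free.pop()

    def release(self, buf: bytearray, wipe: bool = True) -> None:
        if wipe:
            buf[:] = bytes(len(buf))      # overwrite every byte; bytearray is mutable
        self._free.append(buf)

def residue_after_reuse(wipe: bool) -> bytes:
    """What the second user of a pooled buffer reads without writing anything."""
    pool = BufferPool(size=16, count=1)
    first = pool.acquire()
    first[:6] = b"secret"                 # first task stores sensitive data
    pool.release(first, wipe=wipe)
    second = pool.acquire()               # the same memory, handed to another task
    return bytes(second[:6])

def overwrite_file(path: str, passes: int = 3) -> None:
    """Overwrite a file's contents in place, pass by pass, with random data,
    forcing each pass to disk. Caveat: on SSD/flash, journaling or
    copy-on-write file systems and snapshots the old blocks may survive
    elsewhere; this is a best-effort control, not a substitute for
    degaussing, destruction or key destruction on an encrypted volume."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                chunk = min(remaining, 64 * 1024)
                f.write(secrets.token_bytes(chunk))   # random data defeats statistical analysis
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())          # make sure the pass reaches the device

def demo_overwrite() -> Tuple[bytes, bytes]:
    """Write a constructed confidential file, overwrite it, return (before, after)."""
    original = b"CONFIDENTIAL payroll export\n" * 100
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(original)
        overwrite_file(path)
        with open(path, "rb") as f:
            after = f.read()
    finally:
        os.remove(path)
    return original, after

if __name__ == "__main__":
    print(residue_after_reuse(wipe=False), residue_after_reuse(wipe=True))
    before, after = demo_overwrite()
    print(len(before), len(after), b"CONFIDENTIAL" in after)
```

The `wipe=False` path is the vulnerability the text describes, shown deliberately: the second task never wrote anything, yet it reads the first task's secret because the allocator handed back the same memory untouched.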

8.3.12 Unauthorized Targeted Data Mining

Any collection of large amounts of information for the purpose of
creating predictions is considered data mining. Information is mined
for several reasons and is often used to draw a logical conclusion
from specific data.

Hackers generally perform reconnaissance in order to collect as much
information as possible to determine the operations, practices,
technical architecture, and business cycles. Though individual pieces
of data may be harmless, different combinations of data could be
created and analyzed to identify vulnerabilities that can be exploited.

One common area of concern is marketing, where security must
ensure that public information placed on a web site cannot be used
against the company. In the early days of the Internet, a large
amount of data was posted by companies to the Internet that aided
hackers in determining how and what to attack. Current awareness
ensures that sensitive information is not posted as easily; however,
the evolution of search engines has made sensitive information
easier to discover.

8.3.13 Dumpster Diving

Dumpster diving is a simple tactic of rooting through trash to obtain
enough information to draw conclusions and create a strategy for
attacking a target. The process is similar to data mining in stringing
together small pieces of insignificant data to obtain a larger, more
harmful fact about the target.

Destroying documentation is one of the best defenses against this
vulnerability, as well as destruction of media to prevent exposure.

8.3.14 Backdoors and Trapdoors

Many creators of applications create special access capabilities into
their software code for troubleshooting purposes. These created
capabilities are commonly referred to as backdoors. If a person knows
the location of the backdoor, then they can obtain access to the
application or system without the knowledge of the system owner.

System Integrators create special rules and credentials to ensure they
have complete access to the systems installed for the purpose of
supporting their customer. Typically, the same methods and
credentials are used for multiple customers. If a person was to obtain
this information, they would have complete access over several
customers’ systems.

8.3.15 Theft

Physical theft is the removal of any item of value by an unauthorized
person. Digital theft does not require removal; the item simply needs
to be copied by an unauthorized person.

8.3.16 Social Engineering

Social Engineering is the use of coercion or misdirection to obtain
information. It always consists of a degree of interaction, though that
interaction may be on the telephone, through e-mail, or face-to-face.

E-mail social engineering is a common effort to use e-mail to obtain
information. In most cases, an e-mail is sent disguised as coming
from a trusted source. The message is a request for information. The
victim believes they are sending the information to a source that has
the right to know the information.

Help Desk fraud occurs when an attacker, posing as an employee,
calls the Help Desk for assistance. The goal of the attack is usually to
reset a password. In some cases, remote-access phone numbers or
IP addresses can be obtained. Attackers will sometimes pose as
managers to obtain special privileges.

8.4 Intrusion Detection Systems

Intrusion detection systems (IDS) utilize various techniques to alert
organizations to adverse or unwanted activity. IDS can be
implemented as a network device (NIDS) or into a host system
(HIDS).

Intrusion prevention systems (IPS) block all unwanted processes,
permitting only allowed functions and actions on the network or
system. IPS can be implemented on the network (NIPS) or host
(HIPS).

8.4.1 Intrusion Detection Systems

An IDS is a reactive warning system meant to provide information to
administration to make decisions to respond to an attack.
Developments in technology have allowed some responses to
predefined attacks to be automated under limited conditions.

The unique traffic generated by the organization will require the IDS to
be tuned to support the network. If tuned incorrectly, the IDS can
create a significant vulnerability for the organization.

A Network Intrusion Detection System (NIDS) will monitor the traffic
traveling on the network segment to which the system is attached. A
passive NIDS is attached to a hub using a network tap or by mirroring
the ports on a switch to a NIDS dedicated port. The system will
inspect all packets and monitor sessions without impact.

NIDS have several essential characteristics:
• Monitors network packets and traffic in real time.
• Analyzes protocols and other packet information.
• Can send alerts or terminate offending connections.
• Can integrate with firewalls and define rules.
• Monitoring data packets can be disrupted by encryption.

Host-based intrusion detection systems (HIDS) are implemented at
the host level. The intrusion detection analysis is the primary
difference from NIDS. The scope of the HIDS is the boundaries of the
host, and increases the level of visibility and control available because
of its integration with the host.

Some HIDS have the ability to monitor multiple hosts and will share
policy information and real-time information between systems.

The characteristics of HIDS include:
 Apparent intrusions can be detected on the host.
 Event logs, critical system files, and other auditable system
resources can be scrutinized.
 Monitors for unauthorized changes or suspicious behavior
patterns.
 Alerts are sent when unusual events are detected.
 Multihost HIDS will receive audit data from multiple hosts.

8.4.2 Analysis Engine Methods

An IDS can utilize several analysis methods. Two basic types include:
 Pattern matching - the attack vector is known and an alert
is provided when the pattern is detected
 Anomaly detection – draws conclusions from the use of
several tactics to determine if the traffic represents a risk

Pattern matching technology was utilized by some of the first IDS products and was based on signatures – collections of byte sequences that represented a mode of attack. A single database in a pattern matching IDS would have hundreds, or thousands, of signatures.

Some attributes of a pattern matching IDS include:
 Known attacks are identified.
 Specific information for analysis and response is provided.
 False-positives may be triggered.
 Signatures need to be updated regularly.
 Attacks may be modified to avoid detection.

Another form of pattern matching is stateful matching, where the IDS scans for attack signatures within the traffic stream rather than in individual packets. The main difference from basic pattern matching is that signatures are detected across multiple packets.

Anomalies can include:
 Users logging in at strange hours.
 Unusual error messages.
 Unexplained system shutdowns or restarts.
 Unexplained changes to system checks.
 Multiple failed log-on attempts.

Statistical anomaly-based IDS analyze the audit trail data by comparing it to predicted profiles to find potential breaches. The main advantage of anomaly-based solutions is that they can detect unknown attacks.

The attributes of a statistical anomaly-based IDS are:
 A baseline for normal traffic and throughputs is developed
and monitored against.
 DoS floods and unknown attacks can be detected.
 Tuning the system properly can be difficult.
 The normal traffic conditions must be clearly understood.

A protocol anomaly-based IDS uses known protocols to determine any unacceptable behavior. The benefits of this form of IDS are directly impacted by the use of well-defined protocols.

Protocol anomaly-based IDS have attributes such as:
 Deviations from standards set by request for comments
(RFC) are monitored.
 Attacks not having signatures can be identified.

 Well-defined protocols can reduce the number of false-positives.
 Protocol analysis has a longer deployment time than
signatures.

Analysis of the traffic structure can identify unacceptable deviations from expected behaviors and is employed by traffic anomaly-based IDS. The specific attributes include:
 Watches for new services or unusual traffic patterns.
 DoS floods and unknown attacks can be identified.
 Tuning the system can be difficult.
 The normal traffic conditions must be clearly understood.
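As an added illustration (not part of the book), the following Python runs the two engine types over constructed log lines: a signature database for pattern matching, the off-hours and failed-log-on rules from the anomaly list above, and a statistical comparison against a baseline traffic profile. The users, addresses, baseline figures and the single signature are all constructed for the example.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Constructed sample log lines (hypothetical users and addresses, not real data).
# The tail simulates a burst of requests from one source: the traffic-volume
# deviation a statistical anomaly-based engine is built to notice.
SAMPLE_LOG = [
    "2024-03-01 09:12:03 user=alice event=login result=success src=10.0.0.5",
    "2024-03-01 09:15:44 user=bob event=login result=failure src=10.0.0.9",
    "2024-03-01 09:15:45 user=bob event=login result=failure src=10.0.0.9",
    "2024-03-01 09:15:46 user=bob event=login result=failure src=10.0.0.9",
    "2024-03-01 09:15:47 user=bob event=login result=failure src=10.0.0.9",
    "2024-03-01 09:15:48 user=bob event=login result=failure src=10.0.0.9",
    "2024-03-01 03:02:10 user=carol event=login result=success src=10.0.0.7",
    "2024-03-01 10:01:00 user=alice event=http path=/docs/index.html result=success src=10.0.0.5",
    "2024-03-01 10:01:05 user=alice event=http path=/docs/../../private/config result=failure src=10.0.0.5",
] + [
    f"2024-03-01 10:02:{i:02d} user=- event=http path=/search?q={i} result=success src=10.0.0.99"
    for i in range(20)
]

# Requests per source seen in an earlier, known-good window: the learned
# baseline that the statistical engine monitors against (constructed figures).
BASELINE_REQUESTS_PER_SOURCE = [3, 2, 4, 3, 2, 5, 3]

# Pattern-matching engine: a tiny signature database. A real one holds
# thousands of byte sequences; this single constructed entry matches the
# "../../" sequence that directory-traversal requests leave in traffic.
SIGNATURES = [("directory-traversal", re.compile(r"\.\./\.\./"))]


def parse_line(line):
    """Turn 'YYYY-MM-DD HH:MM:SS key=value ...' into a dict with a datetime."""
    date, time, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return fields


def signature_alerts(lines):
    """Pattern matching: the attack is known, so alert on every line carrying its pattern."""
    return [(name, line) for line in lines
            for name, pattern in SIGNATURES if pattern.search(line)]


def rule_anomaly_alerts(lines, business_hours=(8, 18), failure_threshold=5):
    """Two of the anomalies listed above: logins at strange hours and
    multiple failed log-on attempts from the same user and source."""
    alerts, failures = [], Counter()
    start, end = business_hours
    for ev in map(parse_line, lines):
        if ev["event"] != "login":
            continue
        if ev["result"] == "success" and not start <= ev["ts"].hour < end:
            alerts.append(("off-hours-login", ev["user"]))
        elif ev["result"] == "failure":
            key = (ev["user"], ev["src"])
            failures[key] += 1
            if failures[key] == failure_threshold:   # alert once, at the threshold
                alerts.append(("repeated-login-failures", ev["user"]))
    return alerts


def statistical_anomaly_alerts(lines, baseline, k=3.0):
    """Statistical engine: flag any source whose request count lies more than
    k standard deviations above the baseline profile."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    per_source = Counter(parse_line(line)["src"] for line in lines)
    return [(src, count) for src, count in per_source.items() if count > threshold]


if __name__ == "__main__":
    for alert in (signature_alerts(SAMPLE_LOG) + rule_anomaly_alerts(SAMPLE_LOG)
                  + statistical_anomaly_alerts(SAMPLE_LOG, BASELINE_REQUESTS_PER_SOURCE)):
        print(alert)
```

Tuning is visible here: raising failure_threshold or widening business_hours silences the rule alerts, while lowering k makes the statistical engine noisier, which is the false-positive trade-off the attributes above describe.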

8.4.3 Intrusion Responses

The responses from an IDS include:
 Dropping suspicious data packets at the firewall.
 Denying access because of suspicious activity.
 Reporting activity to other hosts.
 Updating the configurations within the IDS.

Alarms are the primary capability of an IDS. There are three fundamental components to alarms:
 Sensor
 Control and communication
 Alert/enunciator/actuator

The sensor detects the event and produces the necessary
notification.

The mechanism of distribution is the control and communication of the alarm, which determines whether the alert is sent through e-mail, pager, instant message, or the like.

The enunciator acts as a relay station, ensuring that the proper people are alerted at the appropriate time. This assumes that not all people need to be alerted at the same time.

8.5 Encryption Algorithms

8.5.1 Ciphers

Substitution is the replacing of a character with another character. This is typically done by shifting the alphabet positions.

Transposition, or permutation, relies on transposing or interchanging the order of the letters.

8.5.2 Types of Ciphers

Playfair ciphers were used by the Allied forces in WWII. The Playfair cipher starts with an agreement on a key word by the sender and receiver. It is a substitution cipher. A table is created using that word and the rest of the alphabet. The message is separated into groups of two letters, ignoring the spaces in the message. Repeated letters are split up with a filler letter such as X.

The two-letter group defines the corners of a logical rectangle within the table that was created. The letter grouping is replaced with the letters in the opposite corners of the rectangle. If the letter grouping is on the same row or column, the replacement is done with the next letters in the same row or column respectively.
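An added worked example (not from the book) of the Playfair procedure just described, in Python. It merges J into I, the usual convention for fitting 26 letters into 25 cells, and uses Q as the filler when the letter being padded is itself X; the key word MONARCHY and the messages are constructed inputs.

```python
import string


def build_table(keyword):
    """5x5 Playfair table: the key word's letters first (duplicates dropped),
    then the rest of the alphabet. J is merged into I to fit 26 letters in 25 cells."""
    seen, cells = set(), []
    for ch in (keyword + string.ascii_uppercase).upper().replace("J", "I"):
        if ch.isalpha() and ch not in seen:
            seen.add(ch)
            cells.append(ch)
    return [cells[i:i + 5] for i in range(0, 25, 5)]


def prepare(plaintext, filler="X"):
    """Drop spaces and punctuation, merge J into I, and split the message into
    two-letter groups, inserting a filler between repeated letters and after a
    trailing single letter (a repeated X gets Q so no group is ever a double)."""
    letters = [c for c in plaintext.upper().replace("J", "I") if c.isalpha()]
    groups, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else None
        pad = filler if a != filler else "Q"
        if b is None or a == b:
            groups.append(a + pad)
            i += 1
        else:
            groups.append(a + b)
            i += 2
    return groups


def _locate(table, ch):
    for r, row in enumerate(table):
        if ch in row:
            return r, row.index(ch)
    raise ValueError(f"{ch!r} is not in the table")


def _transform(table, group, step):
    """Apply the rectangle/row/column rule to one group: step=+1 encrypts,
    step=-1 decrypts (the same rule walked backwards)."""
    (r1, c1), (r2, c2) = _locate(table, group[0]), _locate(table, group[1])
    if r1 == r2:    # same row: take the next letter along the row (wrapping)
        return table[r1][(c1 + step) % 5] + table[r2][(c2 + step) % 5]
    if c1 == c2:    # same column: take the next letter down the column (wrapping)
        return table[(r1 + step) % 5][c1] + table[(r2 + step) % 5][c2]
    # otherwise the pair spans a rectangle: each letter is replaced by the one
    # in its own row at the other letter's column, i.e. the opposite corners
    return table[r1][c2] + table[r2][c1]


def encrypt(plaintext, keyword):
    table = build_table(keyword)
    return "".join(_transform(table, g, +1) for g in prepare(plaintext))


def decrypt(ciphertext, keyword):
    table = build_table(keyword)
    groups = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(_transform(table, g, -1) for g in groups)


if __name__ == "__main__":
    for row in build_table("MONARCHY"):
        print(" ".join(row))
    print(prepare("balloon"), encrypt("balloon", "MONARCHY"))
```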

The simplest transposition cipher is called a rail fence. The message is written and read on two or more lines by alternating diagonal rows. The final message strings the created rows together. In a rail fence, there is no substitution taking place, just a reordering of the letters. An early form of cryptography used rectangular substitution tables. In this method, the sender and receiver agreed on the size and structure of the table holding the message, as well as the order for reading the message.

Each letter in the message occupies a space in the table. Depending on the order for reading agreed upon, the final message is a string of rows or columns.
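An added example (not from the book) of both transpositions just described in Python: a rail fence with any number of rails, including the decryption that rebuilds the zigzag, and the rectangular table read out in an agreed column order. The table width, read order and messages are constructed inputs.

```python
def _rail_pattern(length, rails):
    """Rail index of each letter position along the zigzag: 0,1,..,rails-1,..,1,0,1,..."""
    cycle = list(range(rails)) + list(range(rails - 2, 0, -1))
    return [cycle[i % len(cycle)] for i in range(length)]


def rail_fence_encrypt(message, rails=2):
    """Write the letters diagonally across the rails, then string the rails together."""
    text = "".join(message.split()).upper()
    rows = [[] for _ in range(rails)]
    for ch, r in zip(text, _rail_pattern(len(text), rails)):
        rows[r].append(ch)
    return "".join("".join(row) for row in rows)


def rail_fence_decrypt(ciphertext, rails=2):
    """Cut the ciphertext back into rails (the zigzag says how long each rail is),
    then walk the zigzag again taking the next letter from each rail in turn."""
    pattern = _rail_pattern(len(ciphertext), rails)
    rows, pos = [], 0
    for r in range(rails):
        n = pattern.count(r)
        rows.append(list(ciphertext[pos:pos + n]))
        pos += n
    return "".join(rows[r].pop(0) for r in pattern)


def rectangle_encrypt(message, width, read_order, pad="X"):
    """Write the message row by row into a table 'width' columns wide (padding
    the last row), then read the columns out in the agreed order."""
    text = "".join(message.split()).upper()
    text += pad * (-len(text) % width)
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[col] for col in read_order for row in rows)


def rectangle_decrypt(ciphertext, width, read_order):
    """Refill the columns in the agreed order, then read the rows back."""
    height = len(ciphertext) // width
    grid = [[""] * width for _ in range(height)]
    pos = 0
    for col in read_order:
        for row in range(height):
            grid[row][col] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


if __name__ == "__main__":
    print(rail_fence_encrypt("WE ARE DISCOVERED FLEE AT ONCE", 3))
    print(rectangle_encrypt("ATTACK AT DAWN", 4, [2, 0, 3, 1]))
```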
The Caesar cipher is a form of monoalphabetic cipher: a simple
substitution algorithm is created by shifting the alphabet over three
places. Monoalphabetic ciphers can also utilize a scrambled version
of the alphabet. The fundamental principle for these ciphers is that
each letter is replaced by another letter consistently throughout the
message.

Monoalphabetic ciphers are still driven by the characteristics of the plaintext language, making them relatively easy to decipher. Polyalphabetic ciphers are harder to decipher because they use several alphabets for substituting the plaintext. In a polyalphabetic cipher, each letter is substituted by a letter from a different alphabet. Since the number of alphabets is typically limited, they are recycled as the message proceeds.

Blaise de Vigenère developed a polyalphabetic cipher using 26 alphabets and a key word. Each alphabet was offset by one space from the previous one and grouped in a table. The top row represents the plaintext values, while the first column represents the substitution alphabets.

The sender and receiver agree on a message key, which is repeated for the length of the plaintext message. The individual letters of the message and key are cross-referenced on the table to identify the appropriate ciphertext letter.

Modular mathematics starts with matching each letter of the alphabet with its corresponding numerical value. The English alphabet is
calculated as mod 26 because it has 26 letters in the alphabet. Each
letter in the alphabet is run through the equation:
Ciphertext = plaintext + key (mod 26)

The numerical value of the plaintext letter is added to the numerical value of the key letter. If the sum of the two values is greater than 26, 26 is subtracted. The result is the numerical value of the ciphertext letter.

A running key cipher uses modular mathematics to encrypt the plaintext message. The key is repeated along the length of the message. Each letter is put through the equation using the corresponding key letter until a ciphertext is created.
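An added example (not from the book) that ties the Caesar, Vigenère and mod-26 descriptions together in Python: the equation ciphertext = plaintext + key (mod 26) with the key repeated along the message, the same result looked up on the 26-alphabet table, and a letter-frequency check showing why a monoalphabetic shift still carries the plaintext language's characteristics. Keys and messages are constructed inputs.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def letters_only(text):
    return "".join(c for c in text.upper() if c.isalpha())


def vigenere_table():
    """The 26 alphabets, each offset one place further than the last: row k is
    the substitution alphabet selected by key letter k."""
    return [ALPHABET[k:] + ALPHABET[:k] for k in range(26)]


def encrypt(plaintext, key):
    """ciphertext = plaintext + key (mod 26); the key repeats along the message."""
    text, key = letters_only(plaintext), letters_only(key)
    return "".join(ALPHABET[(ALPHABET.index(p) + ALPHABET.index(key[i % len(key)])) % 26]
                   for i, p in enumerate(text))


def decrypt(ciphertext, key):
    """plaintext = ciphertext - key (mod 26), the inverse of the equation above."""
    key = letters_only(key)
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(key[i % len(key)])) % 26]
                   for i, c in enumerate(letters_only(ciphertext)))


def encrypt_by_table(plaintext, key):
    """The same cipher done the tableau way: row = key letter, column = plaintext letter."""
    table = vigenere_table()
    text, key = letters_only(plaintext), letters_only(key)
    return "".join(table[ALPHABET.index(key[i % len(key)])][ALPHABET.index(p)]
                   for i, p in enumerate(text))


def caesar(plaintext, shift=3):
    """Caesar is the one-alphabet special case: a single key letter (shift 3 is 'D')."""
    return encrypt(plaintext, ALPHABET[shift % 26])


def most_common_letter(text):
    """Why monoalphabetic ciphers fall: the plaintext's most frequent letter is
    still the ciphertext's most frequent letter, merely shifted."""
    return Counter(letters_only(text)).most_common(1)[0][0]


if __name__ == "__main__":
    print(encrypt("ATTACK AT DAWN", "LEMON"), caesar("HELLO"))
```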

8.5.3 Cryptography Forms

The two primary forms of cryptography are symmetric and asymmetric.

Symmetric ciphers utilize an algorithm that operates on a single cryptographic key that is used to encrypt and decrypt the message. This encryption process goes by many names:
 Single key
 Same key
 Shared key
 Secret key
 Private key
The last two names represent the key factor in using symmetrical
algorithms: securing the cryptographic key. The result is extensive
focus on key management. This requires not only the generation of
the key but also the secure transmission of the key to both the sender
and receiver of the message. To ensure security, the key is often sent
separate from the message itself, called out-of-band distribution.

Some of the more common symmetric algorithms are:
 Data Encryption Standard (DES)
 Advanced Encryption Standard (AES)
 International Data Encryption Algorithm (IDEA)
 CAST
 Secure and Fast Encryption Routine (SAFER)
 Blowfish
 Twofish
 RC5
 RC4

The idea behind asymmetric algorithms was introduced in 1976 by Drs. Whit Diffie and Martin Hellman. The idea utilizes two different keys, linked mathematically, to perform cryptographic operations. Typically, one key is used to encrypt, while the other is used to decrypt.

These concepts were the introduction to public key cryptography. To use an asymmetric algorithm, a person would need to generate a key pair. One half of the key pair would remain secret, known only to the
key holder, called the private key. The other half of the key pair could
be presented to anyone who wanted a copy, called the public key.
Asymmetric algorithms are one-way functions.

Any message that is encrypted with a public key can only be decrypted with the private key of the pair, retaining the confidentiality of the encrypted message. This is because the sender would be encrypting the message with the public key of the receiver. Any message that is encrypted using the private key of the sender could be opened and read by anyone possessing the corresponding public key. The process allows the confidentiality of the message to remain intact and retains proof of origin. RSA is a form of asymmetric cipher.

8.5.4 Data Encryption Standard

The Data Encryption Standard (DES) became a standard in 1977 when adopted by several US federal government agencies. Today, the encryption is used extensively in many financial, VPN, and online encryption systems.

The origins of DES are based on the work of Horst Feistel using the Lucifer algorithm. The core principle of the algorithm is to take an input block of plaintext and divide it in half. Each half is then put through an XOR operation to alter the other half.

Each DES key is 64 bits in length with each eighth bit ignored, leaving
an effective length of 56 bits.
There are five separate modes of DES, including:
 Electronic Codebook Mode (ECB)
 Cipher Block Chaining Mode (CBC)
 Cipher Feedback Mode (CFB)
 Output Feedback Mode (OFB)
 Counter Mode (CTR)

DES is a block mode cipher, though the last three modes were developed to operate like a stream mode cipher in order to be more versatile and support stream-based applications.

ECB is the most basic mode of DES. It encrypts each 64-bit block of text independently. It is used for very short messages.

With the CBC, the result of encrypting one block of data is used to
encrypt the next block of data.

CFB segments the input into blocks of 8 bits, the size of one character. Each bit produced in the keystream is the result of a predetermined number of fixed ciphertext bits. The operation has the ciphertext result of the XOR calculations fed back into a shift register for the keystream.

In OFB mode, the keystream is generated independent of the message. The operation is the same as CFB, except that the encrypted keystream is fed into the shift register to create the next
portion of the keystream.

High-speed applications use counter mode. It is named as such because a 64-bit random data block is used as the first initialization vector. This block is called the counter and is different for every block of plaintext; each subsequent counter is incremented by 1. The counter is encrypted and used as a keystream that is XORed with the plaintext. Since the keystream and the message are separate from each other, several blocks of data can be processed at the same time.
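An added example (not from the book, and not DES itself): a constructed toy Feistel cipher with 64-bit blocks stands in for DES so that the five modes just described can be run offline in Python. The toy's round function and key schedule are built from SHA-256 and are not meant to be secure; the key and IV values are constructed inputs.

```python
import hashlib

BLOCK = 8            # 64-bit block, the DES block size
HALF = BLOCK // 2


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(key, rounds=8):
    # Toy key schedule (constructed): one 32-bit subkey per round derived from the key.
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(rounds)]


def _f(half, subkey):
    # Toy round function: it need not be invertible, so a truncated hash will do.
    return hashlib.sha256(half + subkey).digest()[:HALF]


def block_encrypt(block, key):
    """Feistel structure: split the block in half, XOR the left half with
    F(right half, subkey), swap, repeat. Decryption walks the subkeys backwards."""
    left, right = block[:HALF], block[HALF:]
    for sk in _subkeys(key):
        left, right = right, _xor(left, _f(right, sk))
    return right + left      # undo the final swap


def block_decrypt(block, key):
    left, right = block[:HALF], block[HALF:]
    for sk in reversed(_subkeys(key)):
        left, right = right, _xor(left, _f(right, sk))
    return right + left


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(data, key):
    """ECB: every block encrypted independently, so equal blocks give equal ciphertext."""
    return b"".join(block_encrypt(b, key) for b in _blocks(data))


def ecb_decrypt(data, key):
    return b"".join(block_decrypt(b, key) for b in _blocks(data))


def cbc_encrypt(data, key, iv):
    """CBC: each block is XORed with the previous ciphertext block before encryption."""
    prev, out = iv, []
    for b in _blocks(data):
        prev = block_encrypt(_xor(b, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(data, key, iv):
    prev, out = iv, []
    for c in _blocks(data):
        out.append(_xor(block_decrypt(c, key), prev))
        prev = c
    return b"".join(out)


def cfb8(data, key, iv, decrypt=False):
    """8-bit CFB: one keystream byte per character, taken from the encrypted
    shift register; the ciphertext byte is then shifted into the register."""
    register, out = iv, bytearray()
    for byte in data:
        out.append(byte ^ block_encrypt(register, key)[0])
        fed = byte if decrypt else out[-1]       # the ciphertext byte either way
        register = register[1:] + bytes([fed])
    return bytes(out)


def ofb8(data, key, iv):
    """8-bit OFB: as CFB, but the keystream byte itself is fed back, so the
    keystream is independent of the message and encrypt and decrypt are identical."""
    register, out = iv, bytearray()
    for byte in data:
        ks = block_encrypt(register, key)[0]
        out.append(byte ^ ks)
        register = register[1:] + bytes([ks])
    return bytes(out)


def ctr(data, key, nonce):
    """CTR: encrypt counter, counter+1, ... into a keystream and XOR it with the
    text. Blocks are independent, so they can be processed in parallel, and the
    last block may be shorter than 64 bits."""
    out, counter = bytearray(), int.from_bytes(nonce, "big")
    for i, chunk in enumerate(_blocks(data)):
        ks = block_encrypt(((counter + i) % (1 << 64)).to_bytes(BLOCK, "big"), key)
        out += _xor(chunk, ks)
    return bytes(out)
```

Encrypting two identical 8-byte blocks with ecb_encrypt yields two identical ciphertext blocks, while cbc_encrypt produces two different ones; the three stream-like modes accept input of any length.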

DES is susceptible to brute-force attacks because of the short key used. To overcome this weakness, a stronger version of DES was utilized by running the encryption process twice over the same plaintext message using different keys. This is commonly called double DES.

Unfortunately, man-in-the-middle attacks are effective against the double DES solution, which led to the design of Triple DES. The solution utilizes two encryption keys and three encryption passes. The plaintext message is encrypted using the first key, then the second, then the first key again.

Another mode of triple DES, EDE2, performs a decryption using the second key. Therefore the process used on the plaintext message is to encrypt using the first key, decrypt with the second key, then encrypt with the first key again. This mode is compliant with ISO 8732 and ANS X9.17.
EEE3 and EDE3 are triple DES modes utilizing three encryption keys.

8.5.5 Advanced Encryption Standard

In 1997, the National Institute of Standards and Technology (NIST) adopted the Advanced Encryption Standard (AES) as a replacement for DES and 3DES. The standard is based on the Rijndael algorithm created by Drs. Joan Daemen and Vincent Rijmen of Belgium. NIST chose AES after considering several possible candidates.

The Rijndael algorithm uses block sizes of 128, 192, and 256 bits with keys of the same lengths. The number of operating rounds used is related to the size of the key: 10, 12, and 14 respectively. AES supports only one block size.

To encrypt a plaintext message, the input is placed into a 128-bit state array while the key is placed into a similar table. Then, four major operations are conducted on the message:
 Substitute bytes – an S-box is used to substitute byte-by-byte on the entire block.
 Shift rows – each row in the table is offset.
 Mix columns – each value in a column is substituted based on the values of the data.
 Add round key – each byte is XORed with the key for the current round. Additional rounds are performed with a different key.
8.5.6 Other Encryption Methods

International Data Encryption Algorithm (IDEA) is meant to be a replacement for DES and works off a 128-bit key within a 64-bit operation. Eight rounds of transposition and substitution are performed using modular addition and multiplication and bitwise XOR. IDEA was developed by Xuejia Lai and James Massey in 1991.

Carlisle Adams and Stafford Tavares developed CAST in 1996. A variant, CAST-256, was a candidate for AES and is a Feistel-type block cipher using 128-bit blocks and keys of 128, 160, 192, 224, and 256 bits. 48 rounds of encryption are performed on a plaintext message.

Secure and Fast Encryption Routine (SAFER) was developed by James Massey and works on 64-bit or 128-bit blocks. A variation of SAFER is used for Bluetooth.

Blowfish is a Feistel-type cipher developed by Bruce Schneier. It is an extremely fast cipher that can be implemented in as little as 5K of memory. The cipher divides the input block in half and works on both halves using variable key sizes from 32 to 448 bits on 64-bit input and output blocks.

One major characteristic of Blowfish is that the S-boxes are created from the key and stored for later use. The processing time required to
change keys and recompute the S-boxes makes Blowfish unsuitable for applications with limited processing power or where keys are changed frequently. Despite this, Blowfish is considered unbreakable using the technology of today.

Twofish is a version of Blowfish developed by Bruce Schneier and a team of cryptographers to provide another candidate for AES. It performs 16 rounds of encryption using keys of 128, 192, or 256 bits on blocks of 128 bits.

RC5 was developed by Ron Rivest of RSA Data Security. It utilizes a key varying from 0 to 2040 bits, with the number of rounds ranging from 0 to 255. The input word length can be 16, 32, or 64 bits. It has four modes of operation:
 RC5 – similar to DES ECB
 RC5-CBC – a cipher block chaining mode
 RC5-CBC-Pad – combined chaining with the ability to handle any length of plaintext
 RC5-CTS – called ciphertext stealing

RC4 was also developed by Ron Rivest, in 1987, and became the widely used stream cipher found in WEP and SSL/TLS. A variable key length is used, ranging from 8 to 2048 bits. The key initializes a state vector 256 bits in length that contains all possible values of an 8-bit number, from 0 to 255. The state is generated into the keystream, which is XORed with the plaintext message.

8.5.7 RSA

The most widely used form of public key encryption is RSA. Developed by Ron Rivest, Adi Shamir, and Len Adleman in 1978, RSA is based on factoring the product of two large prime numbers.

The formulas used are:

C = P^e mod n for encryption

P = C^d mod n for decryption

To calculate RSA key pairs, two prime numbers are multiplied together:
n = pq

The public key is {e, n}. The integer e is relatively prime to φ(n), which is (p-1)(q-1).

The private key is {d, n}. The integer d is calculated using Euclid's algorithm so that de ≡ 1 (mod φ(n)).

To attack the RSA algorithm, three major approaches are used:
 Trying all possible private keys.
 Factoring the product of the two prime numbers.
 Measuring the running time of the decryption algorithm.

8.5.8 Diffie-Hellman Algorithm

A key exchange algorithm used to enable two users to negotiate and exchange a secret symmetric key used for future encryption. It uses discrete logarithms based on finding the primitive root of a prime number.

Private and public keys are still used. The private key is randomly selected and must be less than the prime number. Each of the two hosts selects its private key and calculates its public key individually. The public keys are exchanged, and each host computes the common session key.

Once complete, the two parties could encrypt their data using a
symmetric key.
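An added example (not from the book) of the exchange in Python, including the primitive-root check the description relies on. The small prime 23 with generator 5 is a textbook-sized constructed example, and the agreed value is hashed into a symmetric session key for the encryption that follows.

```python
import hashlib
import secrets


def prime_factors(n):
    """Distinct prime factors by trial division (adequate for the toy-sized primes here)."""
    factors, q = set(), 2
    while q * q <= n:
        while n % q == 0:
            factors.add(q)
            n //= q
        q += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(g, p):
    """g is a primitive root of the prime p when g^((p-1)/q) != 1 (mod p) for every
    prime factor q of p-1, i.e. the powers of g run through all of 1..p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def generate_private_key(p):
    """Random private value; it must be less than the prime (here 2 <= x <= p-2)."""
    return 2 + secrets.randbelow(p - 3)


def public_key(g, p, private):
    """The value sent over the wire: g^private mod p."""
    return pow(g, private, p)


def shared_secret(peer_public, private, p):
    """Both sides reach the same number: (g^b)^a = (g^a)^b (mod p)."""
    return pow(peer_public, private, p)


def session_key(secret):
    """Turn the agreed number into a symmetric key for the encryption that follows."""
    return hashlib.sha256(secret.to_bytes((secret.bit_length() + 7) // 8, "big")).digest()


def exchange(p, g):
    """Run the whole exchange. Returns both sides' session keys and what an
    eavesdropper on the wire sees: p, g and the two public values only."""
    if not is_primitive_root(g, p):
        raise ValueError("g must be a primitive root of p")
    a, b = generate_private_key(p), generate_private_key(p)
    A, B = public_key(g, p, a), public_key(g, p, b)
    key_a = session_key(shared_secret(B, a, p))
    key_b = session_key(shared_secret(A, b, p))
    return key_a, key_b, {"p": p, "g": g, "A": A, "B": B}


if __name__ == "__main__":
    key_a, key_b, on_the_wire = exchange(23, 5)
    print(key_a == key_b, on_the_wire)
```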

8.5.9 Message Integrity Controls

Message authentication is the primary concern for most electronic transactions. The concerns are:
 Has the message been modified?
 Is the sender really who they claim to be?
 Was the message received by the right party?

The controls utilized to maintain message integrity include:
 Checksums
 Hash functions
 Message authentication code

Checksums are used with symmetric key cryptography to manage message integrity. Simple error detecting codes or frame check sequences are similar implementations.

The checksum is created and attached to the message. Receivers of the message then decrypt the message and create another checksum to check the integrity of the message.

Hash functions accept input messages of any length and generate a fixed-length output. The result is referred to as a hash code or message digest. The hash is generated by using an algorithm, but no secret key is used.

Simple hash functions will break the message down into fixed-size
blocks which are then XORed.

MD5 was developed by Ron Rivest at MIT in 1992 and is the most
widely used hashing algorithm. A 128-bit message digest is
generated. The message is processed in 512-bit blocks and four
rounds. Each round consists of 16 steps.

MD4 was developed in 1990 and does only three rounds of processing with fewer mathematical operations. A 128-bit output is generated.

The Secure Hash Algorithm (SHA) was developed by NIST in 1993 and issued as Federal Information Processing Standard (FIPS) 180. A revised version became SHA-1 in 1995.

SHA is based on the MD4 algorithm and SHA-1 is based on MD5. SHA-1 has four rounds of processing with 20 steps in each round.

The University of Wollongong in Australia developed HAVAL, a method that creates variable-length output through a variable number of rounds for every 1024-bit input block. The output may be 128, 160, 192, 224, or 256 bits, and the rounds can range from 3 to 5.

HAVAL operates 60% faster than MD5.

The European RACE Integrity Primitives Evaluation project developed RIPEMD-160 to overcome the vulnerabilities of MD4 and MD5. The algorithm produces a 160-bit output. It performs five paired rounds of 16 steps.

Also known as cryptographic checksums, MACs are small blocks of data created using the secret key and attached to the message. When a message is received, the secret key is used to generate another MAC. The result provides confidence that the message was not changed during the transaction.

A MAC has characteristics such as:
 It is smaller than the message generating it.
 Given a MAC, to compute the message generating it is
impractical.
 Given a MAC and the message generating it, finding
another message using the same MAC is impractical.

A DES-based MAC is the most common creation method but is slow compared to a hash function. Hash functions do not have secret keys and cannot by themselves be used to create a MAC. RFC 2104 defines a hashed MAC construction used in IPSec and other secure Internet protocols.

HMAC operations have the cryptographic strength of a hashing algorithm with the protection of a secret key.
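An added example (not from the book): HMAC built directly from the RFC 2104 definition on top of hashlib, cross-checked against Python's own hmac module, beside the hash-only check that an altered message passes because no secret is involved. Keys and messages are constructed inputs; the one fixed vector is the first test case from RFC 2104 itself.

```python
import hashlib
import hmac


def hmac_rfc2104(key, message, hash_name="sha1"):
    """HMAC as RFC 2104 defines it:
         H((K XOR opad) || H((K XOR ipad) || message))
    where K is padded with zero bytes to the hash's block size (and hashed
    first if it is longer than that), ipad = 0x36 and opad = 0x5C repeated."""
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    inner = hashlib.new(hash_name, bytes(k ^ 0x36 for k in key) + message).digest()
    return hashlib.new(hash_name, bytes(k ^ 0x5C for k in key) + inner).digest()


def matches_stdlib(key, message, hash_name="sha1"):
    """Cross-check against Python's own implementation of the same RFC."""
    return hmac_rfc2104(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


def verify_mac(key, message, tag, hash_name="sha1"):
    """The receiver recomputes the MAC with the shared secret key and compares
    in constant time; a changed message or a different key cannot pass."""
    return hmac.compare_digest(hmac_rfc2104(key, message, hash_name), tag)


def plain_digest(message):
    return hashlib.sha1(message).digest()


def hash_only_check(message, digest):
    """All a receiver can do with an unkeyed hash: recompute and compare. Whoever
    alters the message can recompute the digest too, so this only catches accidents."""
    return plain_digest(message) == digest


if __name__ == "__main__":
    print(hmac_rfc2104(b"\x0b" * 16, b"Hi There", "md5").hex())
```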

8.5.10 Digital Signatures

Digital signatures provide accountability for electronic transactions by ensuring that a message truly comes from the person claiming to have sent it. The digital signature usually consists of the date and time of the signature and a third party to verify the signature.

The Digital Signature Standard (DSS) was proposed as FIPS 186 in 1991. Two methods are used to create a signature: RSA and DSS.

A hash of the message is created. The RSA method encrypts the hash with the private key of the sender. The DSS method uses the Digital Signature Algorithm (DSA) to sign the hash. Once a digital signature is created, it is appended to the message and sent to the receiver.
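An added example (not from the book) covering both 8.5.7 and the RSA signing method just described: key generation with d found by the extended Euclidean algorithm, encryption and decryption with the formulas C = P^e mod n and P = C^d mod n, and signing a SHA-256 hash with the private key. The primes are textbook-sized constructed values, and no padding scheme is applied to the hash, which a real implementation would need (PKCS#1).

```python
import hashlib
from math import gcd


def extended_euclid(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = extended_euclid(b, a % b)
    return g, y, x - (a // b) * y


def modular_inverse(e, phi):
    """d such that d*e = 1 (mod phi); it exists only when e and phi are relatively prime."""
    g, x, _ = extended_euclid(e, phi)
    if g != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return x % phi


def generate_keypair(p, q, e=65537):
    """n = pq and phi(n) = (p-1)(q-1); public key {e, n}, private key {d, n}."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("choose an e relatively prime to (p-1)(q-1)")
    return (e, n), (modular_inverse(e, phi), n)


def encrypt(plaintext_int, public_key):
    e, n = public_key
    return pow(plaintext_int, e, n)          # C = P^e mod n


def decrypt(ciphertext_int, private_key):
    d, n = private_key
    return pow(ciphertext_int, d, n)         # P = C^d mod n


def _hash_as_int(message, n):
    # Textbook only: the digest is reduced mod n. Real signatures pad it first (PKCS#1).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """RSA signature method: hash the message, then apply the private key to the hash."""
    d, n = private_key
    return pow(_hash_as_int(message, n), d, n)


def verify(message, signature, public_key):
    """Anyone holding the public key recovers the hash and compares it with a fresh one."""
    e, n = public_key
    return pow(signature, e, n) == _hash_as_int(message, n)


if __name__ == "__main__":
    public, private = generate_keypair(61, 53, e=17)     # constructed toy primes
    print(public, private, encrypt(65, public), decrypt(encrypt(65, public), private))
```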
8.6 Public Key Infrastructure

PKI solutions based on X.509 provide an infrastructure for establishing trust between entities based on their mutual trust of the Certificate Authority (CA).

IKE standards recommend the use of PKI in VPN environments. A VPN module involved in establishing a VPN tunnel must have an RSA key pair and a certificate issued by a trusted CA. The certificate includes information about the module's identity, its public key, CRL retrieval details and the CA's signature.

8.6.1 Different Methods of Support

VPN solutions support the following situations:
 Multiple CA Support for Single VPN Tunnel
 Support for non-ICA CAs
 CA Hierarchy

8.6.2 Trusting External CAs

A prerequisite for establishing VPN tunnels is creating a trusted relationship. This is possible only if the CA signing the peer's certificate is trusted. Trusting a CA involves obtaining and validating
the CA's own certificate. After this validation, the details contained in
the CA's certificate and its public key can be used to obtain and
validate other certificates issued by the same CA.

The ICA will automatically trust all modules managed by the same
server that employs it. This is not true for External CAs, so the
external CA's certificate must be obtained and trusted.

8.6.3 Subordinate CAs

A subordinate CA is a Certificate Authority that is certified by another Certificate Authority. Subordinate CAs can issue certificates to other subordinate CAs, creating a certification chain or hierarchy.

8.6.4 Enrolling Managed Entities

Enrollment is the process of requesting a CA to issue a certificate for an entity. The process begins with the generation of a key pair. A certificate request is created out of the public key and additional information about the module. The CA type will determine the type of certificate request created and the extent of the enrollment process.

The enrollment process on an internally managed gateway is automatic because the ICA is located on the Server machine. To obtain a certificate from an OPSEC Certified CA, the server takes the details of the module and the public key to encode a PKCS#10
request. The request is delivered manually to the CA by the administrator. The administrator completes the process by importing the certificate issued by the CA into the server.

Automatic enrollment can be used to obtain a certificate for the gateway. With this, a request for a certificate can be automatically issued for any gateway in the community. The protocols supported by automatic enrollment include SCEP, CMPV1, and CMPV2.

8.6.5 Validating Certificates

When a certificate is received from another entity, the following process is followed to validate the certificate:
 Verify the certificate signature.
 Verify the certificate chain has not expired.
 Verify the certificate chain has not been revoked.

The VPN will also validate the use of the certificate in a given
situation, such as confirming the:
 Certificate is authorized to perform the required action.
 Correct certificate is used in the negotiation.

Two methods are used to determine the status of a certificate: CRL and Online Certificate Status Protocol (OCSP).

The CRL is available from either an HTTP server or an LDAP server. If the CRL repository is an HTTP server, the module uses the URL
published in the CRL Distribution Point extension of the certificate and opens an HTTP connection to access the repository. If the CRL is on an LDAP server, the VPN locates the CRL in one of the defined LDAP account units. If the CRL Distribution Point extension exists, it names either the directory entry in which the CRL is published or an LDAP URL for it. If the extension does not exist, the CRL is looked for in the entry of the CA itself in the LDAP server.

OCSP allows applications to identify the state of a certificate and may be used for more timely information on revocations than is possible using CRLs, as well as providing other status information. OCSP clients issue a status request to the OCSP server; acceptance of the certificate is suspended until a response is received from the server. To use OCSP, the root CA must be configured to use this method instead of CRLs, and the setting is inherited by subordinate CAs.

8.6.6 Secure Sockets Layer

Secure Socket Layer (SSL) has become the de facto standard for ensuring secure Internet transactions. It works in the network layer between TCP and the application. SSL utilizes both symmetric and asymmetric cryptography to provide a layer of security for all network communication. To authenticate, SSL relies on the distribution of secure digital certificates.

8.6.7 Transport Layer Security (TLS)

Transport Layer Security is a cryptographic protocol which provides security for communications over the network by encrypting segments of the connection at the Transport layer. TLS is based on the Secure Sockets Layer (SSL) and is used in applications for web browsing, electronic mail, Internet faxing, instant messaging, and VoIP.

TLS is designed to prevent eavesdropping, tampering, and message forgery of Internet communications by providing endpoint authentication and communications confidentiality. TLS supports unilateral and bilateral authentication and involves three basic phases:
 Peer negotiation.
 Key exchange and authentication.
 Symmetric cipher encryption and message authentication.

Different encryption algorithms can be used but must be agreed upon by both endpoints within a communication session.

TLS is used in conjunction with HTTP, FTP, and SMTP, tunning on top
of them. It can be used with TCP or UDP. It is also used to create a
Virtual Private Network by tunneling an entire network stack. SIP uses
TLS to protect its application signaling.

8.6.8 Secure Shell (SSH)

A more secure protocol with the same functionality as Telnet, Secure
Shell allows data to be exchanged using a secure channel between
two networked devices. SSH is primarily used on Linux and Unix
systems to access shell accounts. Public-key cryptography is used to
authenticate the remote system and, if needed, the user. Often used to
log into remote systems and execute commands, SSH also supports
tunneling, forwarding TCP ports and X11 connections.

SSH-2 has three well-separated layers:
 Transport layer – handles the initial key exchange and server
authentication and establishes encryption, compression,
and integrity verification.
 User Authentication layer – handles client authentication
and several methods for authentication including
password, public key, and keyboard-interactive.
 Connection layer – defines channels, channel requests,
and global requests using SSH services.

8.6.9 Pretty Good Privacy (PGP)

The Pretty Good Privacy (PGP) protocol is used for privacy and digital
signing of email messages, providing end-to-end security between
sender and receiver. Traditionally, PGP performs key exchanges
using RSA public key cryptography and encrypts messages using
IDEA.

Within PGP, any user can validate the identity of another user,
creating a network trust model (the PGP web of trust). A user's public
key can be obtained directly from the user, and its hash (fingerprint)
can then be confirmed out of band. The keys are stored in files called
key rings; public key rings can be found stored on the Internet.

8.7 Physical Security Systems

8.7.1 Authentication Devices

Instead of using a password, or in addition to a password, for
authentication, a person may have a physical device that can be
used. There are two methods:
 Asynchronous token devices utilize challenge and
response technology requiring interaction between the
user and the authenticating party or system. When access
is requested, the authenticating party provides a
challenge which can only be answered by the token in
possession of the user. The token provides the correct
response, which is given to the authenticating party, and
access is granted.
 Synchronous token authentication is similar in process but
relies on an event, location, or time-based synchronization
between the requester and authenticating party. The most
popular method is time-based, where the token utilizes an
embedded key to produce a unique string of numbers
and/or characters in a given timeframe, usually one
minute. The user enters the character string whenever
access is requested to authenticate themselves.
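
The two token methods above, as an added example that is not part of the original book: a time-based (synchronous) token built from the HOTP/TOTP construction of RFC 4226 and RFC 6238, and a challenge/response (asynchronous) token built from a keyed hash. The seed value is the reference test key from those RFCs and the 30-second step is the RFC default (the text's one-minute window is just a different `step`); everything else is constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed demo seed: the reference test key from RFC 4226/6238, embedded so
# the example runs offline. A real token's seed is provisioned by the vendor.
DEMO_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226), the building block of both
    token types: the moving factor (counter) is what the two sides must share."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Synchronous (time-based) token, RFC 6238: the counter is the number of
    time steps elapsed, so token and server agree without talking to each other."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. The +/- window tolerates clock drift between token and
    server; compare_digest keeps the comparison constant-time."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), code)
        for d in range(-window, window + 1)
    )


def new_challenge() -> bytes:
    """Asynchronous token, authenticating-party side: a fresh random challenge
    per attempt, so a captured response cannot be replayed later."""
    return secrets.token_bytes(16)


def challenge_response(secret: bytes, challenge: bytes, digits: int = 8) -> str:
    """Asynchronous token, user side: the answer is a keyed hash of the challenge
    that only a holder of the same secret can compute."""
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


def verify_challenge_response(secret: bytes, challenge: bytes, answer: str) -> bool:
    return hmac.compare_digest(challenge_response(secret, challenge), answer)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SEED, now)
    print("time-based code:", code, "accepted:", verify_totp(DEMO_SEED, code, now))
    chal = new_challenge()
    ans = challenge_response(DEMO_SEED, chal)
    print("challenge", chal.hex(), "-> response", ans,
          "accepted:", verify_challenge_response(DEMO_SEED, chal, ans))
```

The design point an auditor should look for is in `verify_totp`: the acceptance window is what makes clock drift tolerable, and every extra step in that window also widens the time during which an observed code stays valid, so it should be kept as small as the deployment allows.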

In addition to tokens, authentication devices exist which house the
credentials for the user. The two most popular devices are:
 Memory cards
 Smart cards

The difference between the two is processing power. A memory card
will hold information but does not process information. A smart card
will process information. A memory card is used like a password to
gain access after the user enters their unique ID.

Typically, the process requires the user to present the memory card
and a user ID or PIN. If the authentication information on the memory
card matches with the user provided information, access is granted. A
memory card can be used with computers, but a reader is required to
process the information.

The cost of readers, as well as the overhead of generating PINs
and cards, needs to be considered in any security solution. These
costs need to be balanced against the benefits of implementing memory
cards, which are generally a more secure solution than basic
passwords.

Despite this security, memory cards have a basic flaw: the data stored
on the card is not protected. The data can be extracted or copied.
Since the card cannot process information, the data is unencrypted.
Smart cards, on the other hand, can have security controls and logic
embedded into their integrated circuits.

A smart card is the size of a credit card and has a semiconductor chip
embedded in it. The chip is either a memory chip with
nonprogrammable logic or a microprocessor with internal memory.
The chip will accept, store, and send information. That information is
divided into four sections:
 Information that can be read only.
 Information that can be added only.
 Information that is updated only.
 Information that has no access available.

8.7.2 Integrated Circuit Cards

Smart cards are more correctly termed integrated circuit cards (ICC) by
the International Organization for Standardization (ISO), a term covering
all devices which are an ISO ID-1 identification card with an integrated
circuit (IC). The size of the card is 85.6x53.98x0.76 mm, the size of
a bank or credit card.

The capabilities of a smart card are:
 Ability to store personal information.
 A high degree of security and portability.
 Tamper-resistant storage.
 Security-critical computations isolated within the card.
 Secure enterprise-wide authentication.
 Use of encryption systems.
 Can perform encryption algorithms.

The IC is essentially a memory chip. There are several types of
memory that can be implemented in a smart chip:
 Read-only memory (ROM) – the data found in ROM is
predetermined by the manufacturer and is unchangeable.
 Programmable read-only memory (PROM) – this type of
memory can be modified if high voltages are applied to
enact links within the IC. Found to be unsuitable for ICC.
 Erasable programmable read-only memory (EPROM) – an
early implementation operating within a one-time
programmable (OTP) mode because of its architecture. To
erase the memory, ultraviolet light is required.
 Electrically erasable programmable read-only memory
(EEPROM) – provides user access and can be rewritten
many times over. The amount of memory offered ranges
from 8 to 256 KB.
 Random-access memory (RAM) – with ROM solutions,
the data remains intact when power is removed. The
opposite is true for cards with RAM, requiring cards to
have their own power source. Though the risk is that
power will deplete, a RAM card has better storage and
speed capabilities.

A microcontroller is integrated into the chip to manage the data in
memory. Control logic is used to provide various services, including
security. The construction of the IC has great influence on the controls
associated with the data.

The configuration of these cards restricts which types of data may be
stored on the device, as well as how they may be accessed indirectly
from external applications. To allow the card to function as intended
and protect the data, programs can be embedded into portions of the
memory utilized by the processor.

There are several features that are typically found in smart cards:
 64-KB EEPROM.
 8-bit CPU microcontroller.
 Cryptographic functions for DES, 3DES, RSA 1024 bit and
SHA-1.
 2 to 5.5 V variable power.
 1 to 7.5 MHz clock frequency.
 250,000 to 500,000 write/erase cycles (endurance).
 7 to 10 years data retention.

How smart cards interact with other systems defines the type of smart
card. There are two basic types:
 Contact cards require physical contact in order to
communicate with other systems.
 Contactless cards use proximity technology to provide an
interface.

ISO 7816-2 allows eight electrical contacts for a contact ICC to
interact with other systems, though only six are used. Each contact
(Cn) has a designation starting with Vcc and is embedded
counterclockwise around the plate.

Contact  Designation  Use
C1       Vcc          Power connection allowing operating power to the
                      microprocessor
C2       RST          Allows reset signals from the interface device (IFD)
C3       CLK          Clock signal line controlling the operation speed
                      and providing a common framework for data
                      communication
C4       RFU          Reserved for future use
C5       GND          Provides a common electrical ground between the
                      IFD and ICC
C6       Vpp          Programming power connection used to program
                      EEPROM
C7       I/O          Input/output line allowing a half-duplex
                      communication channel between the reader and
                      the smart card
C8       RFU          Reserved for future use

Contactless cards are more durable, have greater speed and
convenience, and have more applications in use than contact cards.
Because they do not require physical contact, less damage is
possible to the plate or magnetic strip. Contactless cards are found in
devices such as cell phones and PDAs.

ISO 14443 defines the physical characteristics, radio frequency power
and signal interface, initialization and anticollision, and transmission
protocol for contactless cards, more commonly referred to as proximity
integrated circuit cards (PICC). Low-frequency electromagnetic radiation
is used to provide power and data interchange. A proximity coupling
device (PCD) provides the required signal and power control for
communicating with the card. A radio frequency (RF) field is produced
by the PCD which activates any card that falls within its electromagnetic
field loop. The field operates at 13.56 MHz ± 7 kHz and a constant
power range.

The PCD will alternate between two modulation, or signal, types until
a PICC is incorporated into the communication process. Both types,
type A and type B, support 106 kbps in bidirectional communications.

The log-on process for smart cards is done at the reader and not the
host, providing an advantage to the technology because the identifier
and password are not exposed while in transit to the host.

Public key infrastructure (PKI) technologies provide several functions
for authentication and information security on smart cards, including:
 Secure log-on.
 Secure e-mail/digital signatures.
 Secure web access/remote access.
 VPNs.
 Hard disk encryption.

8.7.3 Biometrics

Biometrics use sophisticated technologies to calculate uniqueness
using behavioral characteristics or specific biological indicators of the
human body. There are two types of biometrics:
 Physiological
 Behavioral

Different physiological biometrics include:
 Fingerprints – the oldest form of biometric used to identify
uniqueness.
 Hand geometry – draws conclusions from attributes of
the user's hand including tension,
temperature, length, and width.
 Hand scans – combination of fingerprints and hand
geometry.
 Retina scans – scans the unique attributes of the back of
the eye.
 Iris scans – scans the colored material surrounding the
pupil.
 Voice patterns and recognition – determines the unique
sounds produced to identify the user in addition to what is
being said.
 Face scan – verifies the heat signatures and geometry of
the user.

Behavioral biometrics focus on determining patterns in a user's
actions:
 Keystroke pattern analysis utilizes the user's PIN or
password along with how the information is entered, driven
by the assertion that different people will enter the same
information differently.
 Signature dynamics analyzes stroke speed,
acceleration, deceleration, and pressure along with the
content of a user's signature.

Where passwords, tokens, or smart devices offer static processes that
have a high level of accuracy and confidence, biometrics are a
technical and mathematical-based estimate. Most scans rely on
hundreds or thousands of environmental variables to perform an
accurate reading. Any variance in those conditions, including illness,
can impact the scan.

There are three categories of biometric accuracy measurements:
 Type I error, or false reject rate, identifies when authorized
users are rejected as unidentified or unverified.
 Type II error, or false accept rate, identifies when
unauthorized users are accepted as authentic.
 Crossover error rate (CER) is the point where the type I
and type II errors are equal. The lower the value of the
CER, the more accurate the system.

Sensitivity is the key determiner in proper authentication through the
use of biometrics. Tuning the system to maintain a low CER is the
best way to ensure neutrality.
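
The three accuracy measures above, worked through on constructed data as an added example (not from the book): false reject rate, false accept rate and the crossover point are computed for every possible sensitivity threshold on a 0-100 similarity scale, and a second function shows what a security-first FAR target costs in false rejects. The score lists are invented for the illustration; a real evaluation would use scores from the vendor's matcher.

```python
from typing import List, Tuple

# Constructed match scores on a 0-100 similarity scale (higher = closer match).
# GENUINE: enrolled users presenting their own trait; IMPOSTOR: other people.
GENUINE = [62, 71, 75, 78, 80, 83, 85, 88, 91, 95]
IMPOSTOR = [40, 48, 55, 60, 64, 68, 72, 76, 79, 86]


def false_reject_rate(genuine: List[int], threshold: int) -> float:
    """Type I error: an authorized user scores below the acceptance threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor: List[int], threshold: int) -> float:
    """Type II error: an impostor scores at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine: List[int], impostor: List[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) for every possible threshold setting."""
    return [(t, false_reject_rate(genuine, t), false_accept_rate(impostor, t))
            for t in range(0, 101)]


def crossover_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Threshold at which FRR and FAR are closest, and the error rate there.
    Ties go to the lowest threshold."""
    t, frr, far = min(error_curve(genuine, impostor),
                      key=lambda row: (abs(row[1] - row[2]), row[0]))
    return t, max(frr, far)


def threshold_for_max_far(genuine: List[int], impostor: List[int],
                          max_far: float) -> Tuple[int, float]:
    """Security-first tuning: the lowest threshold whose FAR does not exceed
    max_far, together with the FRR the users will pay for it."""
    for t, frr, far in error_curve(genuine, impostor):
        if far <= max_far:
            return t, frr
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    t, cer = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"CER {cer:.0%} at threshold {t}")
    t2, frr = threshold_for_max_far(GENUINE, IMPOSTOR, 0.10)
    print(f"FAR <= 10% needs threshold {t2}, costing FRR {frr:.0%}")
```

Raising the threshold lowers FAR and raises FRR at the same time, which is why the CER, not either rate alone, is the figure to compare between products: a vendor quoting only a low FAR may have tuned the device to a point users will find unusable.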

To maintain the integrity of the control environment, biometrics
considers:
 Resistance to counterfeiting.
 Data storage requirements.
 User acceptance.
 Reliability and accuracy.

8.8 Wireless Security Controls

8.8.1 Wired Equivalent Privacy

WEP is an encryption algorithm used for authenticating users by the
Shared Key authentication process and for encrypting data packets
over a wireless segment. It has some beneficial characteristics that
led to its adoption by 802.11, including:
 Exportable
 Reasonably strong
 Self-synchronizing
 Computationally efficient
 Optional

The algorithm is simple, utilizing a pseudo-random number generator
(PRNG) and the RC4 stream cipher.

WEP is actually only a weak security deterrent, yet all manufacturers of
wireless hardware will load WEP.

At the heart of WEP are its keys, alphanumeric character strings
implemented on network clients and infrastructure components. A
WEP key is used to verify the identity of the authenticating station and
to encrypt and decrypt data. When used to authenticate with an
access point, the access point looks to see if the WEP key for the
client matches the WEP key distribution system on the wireless LAN.

WEP keys are 64-bit and 128-bit, but they are sometimes referred to
as 48-bit and 108-bit keys because 24 bits are used for the
Initialization Vector. Keys for WEP are typically static, meaning they
never change. Most access points and clients can hold up to 4 WEP
keys simultaneously, allowing network segmentation.

Centralized encryption key servers should be used to provide:
 Centralized key generation.
 Centralized key distribution.
 Ongoing key rotation.
 Reduced key management overhead.

The RC4 stream cipher is a fast method of encryption and decryption.

Advanced Encryption Standard (AES) is a replacement for the RC4 used in
WEP. AES uses the Rijndael algorithm in specified key lengths: 128,
192, and 256 bits. The National Institute of Standards and
Technology adopted AES as a Federal Information Processing
Standard (FIPS).

Filtering can be used in addition to WEP and AES. Its intention is to
keep out what is not wanted while letting in what is wanted.

Three basic types of filtering exist:
 SSID filtering
 MAC address filtering
 Protocol filtering

SSID filtering is the most basic form of access control, where the
SSID of the wireless client must match the SSID on the access point
or other clients on the network. An SSID is easy to identify using a
sniffer. The SSID is typically part of the beacon sent by access points,
though some manufacturers have provided the ability to remove the
SSID from the beacon or probe responses.

Some common mistakes related to SSID include:
 Using the default SSID.
 Basing the SSID on something company-related.
 Using the SSID as a means of securing the network.
 Unnecessarily broadcasting SSIDs.

With MAC address filtering, the network administrator programs a list
of allowable MAC addresses into each access point or in a RADIUS
authentication server. Specific MAC addresses can also be blocked
from the network.

Protocol filtering simply prevents data packets using specific protocols
from entering the network.

8.8.2 Authentication

Two methods of authentication are specified by the IEEE 802.11
standard:
 Open System authentication
 Shared Key authentication

Open System authentication is the simplest and most secure of the
two methods. IEEE 802.11 specifies this as the default setting for
wireless LAN equipment.

The method is one of null authentication. Authentication is given
based on the possession of the right SSID. The process is effective in
both secure and non-secure environments.

The process of Open System Authentication follows:
 A request is made by the client to associate with the
access point.
 The access point authenticates the client and sends a
positive response.

Though there are several reasons for using Open System
authentication, the two primary reasons are:
 It is the more secure of the two methods.
 It requires no configuration at all since it is the default
setting for all 802.11 devices.

A wireless LAN administrator has the option of using WEP encryption
with Open System authentication. If this option is taken, no verification
of the WEP key happens until the client is authenticated and
associated.

The use of WEP is required for Shared Key authentication. The WEP
key is typically manually entered by the administrator on both the
client and the access point.

The process of Shared Key Authentication follows:
1. A request is made to associate with an access point by the
client.
2. The access point issues a challenge to the client, which is a
randomly generated plain text.
3. The client responds to the challenge by encrypting the challenge
text with the WEP key set on the client and sending it back.
4. The access point decrypts the response to ensure the
encryption matches the WEP key.
5. If the WEP keys match, authentication completes by sending
the client a positive response. If a match is not made, a
negative response is returned.

Shared Key authentication is not considered secure because the
access point transmits the challenge text in the clear and receives the
same challenge text encrypted. This allows a hacker using a sniffer to
see both the plaintext challenge and the encrypted challenge and
create a simple cracking program to derive the WEP key.

The WEP key is commonly confused with the “shared secret.” A shared
secret is a string of numbers or text that provides an alternative test to
authenticate. Authentication documents, or certificates, are another
form of authentication. Both methods have traditionally been manually
configured, but applications have started to automate this.

8.8.3 Problems with WEP Security

There are several issues related to security on 802.11 networks using
WEP:
 No key establishment available.
 Use of a synchronous stream cipher where the master key is
exposed to attack.
 Manual configuration of the master key leading to limited key
space.
 High probability of key reuse.
 Linear CRC-32 for message integrity.
 802.11 header integrity not protected.
 No protection from replay attacks.

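
Three of the weaknesses just listed, and the Shared Key authentication problem described in 8.8.2, shown on constructed data as an added example (this is not code from the book): why a challenge encrypted under a stream cipher exposes keystream to anyone who saw the challenge, how quickly a 24-bit IV space repeats under a static key, and why a linear CRC-32 cannot serve as a message integrity check where a keyed hash can. The keystream function is a hash-counter stand-in for RC4 so the example runs offline; the key, IV and challenge values are constructed.

```python
import hashlib
import hmac
import math
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for the RC4 keystream WEP derives from IV||key. It is a hash
    counter, not RC4, used only so the example runs offline; the property shown
    (keystream = plaintext XOR ciphertext) holds for any stream cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(iv + key + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def shared_key_auth_response(key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """Step 3 of Shared Key authentication: the client returns the challenge
    encrypted under the stream cipher."""
    return xor_bytes(challenge, toy_keystream(key, iv, len(challenge)))


def keystream_visible_to_observer(challenge: bytes, response: bytes) -> bytes:
    """What a sniffer sees: the challenge in the clear and the response on the
    air. XORing the two yields the keystream for that IV without the key."""
    return xor_bytes(challenge, response)


def keyed_hash_response(key: bytes, challenge: bytes) -> bytes:
    """The design later handshakes use instead: a MAC over the challenge. The
    observer still sees challenge and response, but neither reveals keystream."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def iv_reuse_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats after `packets`
    frames under the same static key (assumes IVs chosen uniformly at random)."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-packets * (packets - 1) / (2 * space))


def crc32_is_linear(a: bytes, b: bytes) -> bool:
    """CRC-32 is linear over XOR: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0).
    A check value with this property can be recomputed to match a modified
    payload, so it gives no integrity against an active attacker."""
    zeros = bytes(len(a))
    return zlib.crc32(xor_bytes(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)


def hmac_is_linear(key: bytes, a: bytes, b: bytes) -> bool:
    """The same relation tested against a keyed hash, which does not satisfy it."""
    h = lambda m: hmac.new(key, m, hashlib.sha256).digest()
    zeros = bytes(len(a))
    return h(xor_bytes(a, b)) == xor_bytes(xor_bytes(h(a), h(b)), h(zeros))


if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\x11\x22\x33"   # constructed 40-bit key, 24-bit IV
    challenge = bytes(range(16))                           # stands in for the AP's random text
    resp = shared_key_auth_response(key, iv, challenge)
    print("keystream recovered from the exchange:",
          keystream_visible_to_observer(challenge, resp) == toy_keystream(key, iv, 16))
    print("IV reuse after 5000 frames: %.0f%%" % (100 * iv_reuse_probability(5000)))
    print("CRC-32 linear:", crc32_is_linear(b"hello world!", b"HELLO WORLD!"),
          "HMAC linear:", hmac_is_linear(key, b"hello world!", b"HELLO WORLD!"))
```

For an auditor the takeaways are the mitigations: a challenge must be answered with a keyed hash rather than with the cipher itself, per-packet keys or a large nonce space are needed to keep keystream from repeating, and integrity must come from a MAC, which is what the TKIP and AES-based replacements described next provide.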
8.8.4 Wi-Fi Protected Access

Since WEP is a weak means of security, a new means was required.
Wi-Fi Protected Access (WPA) is based on the 802.11i standard and
deals with the WEP static encryption key issue. WPA uses Temporal Key
Integrity Protocol (TKIP), which changes keys with every data packet.

Its biggest flaw is that WPA-PSK (Pre-Shared Key) allows the
administrator to specify a password, which must be known by all
users in order for users to connect to an access point. If the password
is cracked, the network is vulnerable.

However, if WPA is configured with a 14-character random password, or a
passphrase consisting of 5 randomly chosen words, the PSK is virtually
impossible to crack.
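
How the WPA passphrase becomes the pre-shared key, as an added example that is not part of the book: the 802.11i mapping is PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, which the function below reproduces, checked against the standard's published test vector (passphrase "password", SSID "IEEE"). The strength estimates for the two passphrase policies mentioned above assume a 94-character printable alphabet, a 7776-word list and an attacker rate of one million PBKDF2 guesses per second; those figures are assumptions for the illustration, not values from the book.

```python
import hashlib
import math

# Reference inputs from the IEEE 802.11i test vectors, embedded so the example
# runs offline.
VECTOR_PASSPHRASE, VECTOR_SSID = "password", "IEEE"


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-PSK mapping from 802.11i: PBKDF2-HMAC-SHA1 with the SSID as
    salt, 4096 iterations, 256-bit output. The result is the pairwise master key."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def policy_strength_bits(length: int, choices_per_position: int) -> float:
    """Entropy of a uniformly random secret: length * log2(choices). Used for
    both a random-character password and a random-word passphrase."""
    return length * math.log2(choices_per_position)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at a given PBKDF2 rate (worst case for the
    attacker; half that on average)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("test-vector PSK:", wpa_psk(VECTOR_PASSPHRASE, VECTOR_SSID).hex())
    # Same passphrase, different SSID: a different PSK, because the SSID is the salt.
    print("salted by SSID:", wpa_psk(VECTOR_PASSPHRASE, "OtherNet") != wpa_psk(VECTOR_PASSPHRASE, VECTOR_SSID))
    # Assumed alphabet sizes and guess rate, not figures from the book.
    for label, bits in (("14 random characters", policy_strength_bits(14, 94)),
                        ("5 random words", policy_strength_bits(5, 7776))):
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, 1e6):.2e} years to exhaust")
```

The salt is why the SSID mistakes listed in 8.8.1 matter for WPA as well: PSKs for a default or widely used SSID can be precomputed once and reused against every network carrying that name, whereas a unique SSID forces the 4096-iteration derivation to be repeated per network.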

8.8.5 802.1x and EAP

Several authentication solutions and protocols are on the market,
including VPN and 802.1x using EAP. Most solutions resort to passing
authentication requests through the access points to upstream
authentication servers.

Windows has native support for 802.11, 802.1x, and Extensible
Authentication Protocol (EAP), as do Cisco and other wireless LAN
manufacturers.

802.1x is a port-based network access control standard. Devices
using this standard have the ability to allow a connection into the
network at layer 2 only when user authentication is successful. This is
beneficial to keep users disconnected when they are not supposed to
be on the network.

EAP is a layer 2 protocol that allows plug-ins at either end of a link
from which several methods of authentication can be used. It is a
flexible replacement for PAP and CHAP under PPP, which are used
for user authentication on wired LANs and support using passwords.
EAP provides the same functionality on wireless LANs.

User authentication is usually accomplished using a Remote
Authentication Dial-In User Service (RADIUS) server and some type
of database such as:
 Native RADIUS
 NDS
 Active Directory
 LDAP

In the 802.1x standard model, network authentication consists of
three pieces: the supplicant (client), the authenticator (access point),
and the authentication server.

The process for 802.1x and EAP follows:
1. The client makes a request to associate with an access point.
2. The access point requests the EAP identity of the client.
3. The client responds to the access point's request, and the access
point forwards the response to the Authentication Server.
4. The Authentication Server makes a request for EAP
authentication to the access point, which forwards it to the client.
5. The client responds to the request back to the access point,
which forwards it to the Authentication Server.
6. The Authentication Server verifies the association to the
access point and further to the client.
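
The six-step exchange above, run between three small classes as an added example that is not code from the book: a supplicant, an authenticator that only relays EAP and keeps its controlled port closed, and an authentication server that holds the credentials. The method used is EAP-MD5 Challenge, whose response is the CHAP computation MD5(Identifier || secret || challenge); the message model, credential database and user names are constructed for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Eap:
    """Minimal EAP message (RFC 3748 fields). Constructed model: on the real link
    these ride in EAPOL frames and, between access point and server, in RADIUS
    EAP-Message attributes."""
    code: str            # "Request", "Response", "Success" or "Failure"
    identifier: int      # ties a Response to the Request it answers
    type: str = ""       # "Identity" or "MD5-Challenge"
    data: bytes = b""


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 reuses the CHAP computation: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Supplicant:
    """The client. Holds the credential; with EAP-MD5 it never learns whether
    the network it is talking to is genuine (no mutual authentication)."""
    def __init__(self, identity: str, password: bytes):
        self.identity, self.password = identity, password

    def handle(self, req: Eap) -> Eap:
        if req.type == "Identity":                                   # step 3
            return Eap("Response", req.identifier, "Identity", self.identity.encode())
        if req.type == "MD5-Challenge":                              # step 5
            return Eap("Response", req.identifier, "MD5-Challenge",
                       md5_challenge_response(req.identifier, self.password, req.data))
        raise ValueError(f"unsupported EAP type {req.type!r}")


class AuthServer:
    """RADIUS-style back end: the only party that holds the password database."""
    def __init__(self, users: Dict[str, bytes]):
        self.users = users
        self.pending: Dict[int, Tuple[str, bytes]] = {}   # identifier -> (identity, challenge)

    def handle(self, resp: Eap) -> Eap:
        if resp.type == "Identity":                                  # step 4
            ident = (resp.identifier + 1) & 0xFF
            challenge = os.urandom(16)             # fresh per attempt: replays fail
            self.pending[ident] = (resp.data.decode(), challenge)
            return Eap("Request", ident, "MD5-Challenge", challenge)
        if resp.type == "MD5-Challenge":                             # step 6
            identity, challenge = self.pending.pop(resp.identifier, (None, b""))
            secret = self.users.get(identity)
            ok = secret is not None and hmac.compare_digest(
                resp.data, md5_challenge_response(resp.identifier, secret, challenge))
            return Eap("Success" if ok else "Failure", resp.identifier)
        return Eap("Failure", resp.identifier)


class Authenticator:
    """The access point. Relays EAP unchanged and keeps the controlled port
    closed until the server returns Success; it never sees the password."""
    def __init__(self, server: AuthServer):
        self.server = server
        self.port_authorized = False

    def authenticate(self, supplicant: Supplicant) -> List[Tuple[str, str, str]]:
        transcript = []
        msg = Eap("Request", 1, "Identity")                          # step 2
        while msg.code == "Request":
            transcript.append(("AP->STA", msg.code, msg.type))
            resp = supplicant.handle(msg)
            transcript.append(("STA->AP->AS", resp.code, resp.type))
            msg = self.server.handle(resp)
        transcript.append(("AS->AP->STA", msg.code, msg.type))
        self.port_authorized = msg.code == "Success"
        return transcript


if __name__ == "__main__":
    # Constructed credential database and user; not from the book.
    ap = Authenticator(AuthServer({"alice": b"correct-horse"}))
    for step in ap.authenticate(Supplicant("alice", b"correct-horse")):
        print(*step)
    print("controlled port authorized:", ap.port_authorized)
```

The transcript makes visible what the three-party model buys: the password database lives only on the server, the access point forwards opaque EAP payloads, and the layer-2 port opens only on an explicit Success. It also shows what EAP-MD5 lacks, which the list of EAP types below addresses: the server is never authenticated to the client, and no session key comes out of the exchange, so it cannot seed per-session wireless encryption the way EAP-TLS or LEAP can.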

There are several types of EAP authentication that are used to secure
a wireless LAN connection. Understanding the EAP type assists in
understanding the authentication mechanisms it uses, such as:
 Passwords
 Key generation
 Mutual authentication
 Protocol

Some of the commonly deployed EAP authentication types include:
 EAP-MD5 Challenge – the earliest EAP authentication
type, duplicating the CHAP password protection on
wireless networks.
 EAP-Cisco Wireless – also called Lightweight Extensible
Authentication Protocol (LEAP), this type is primarily used
in Cisco wireless LAN access points to provide security
during credential exchange, encrypt data transmission
using dynamically generated WEP keys, and support
mutual authentication.
 EAP-TLS (Transport Layer Security) – provides
certificate-based, mutual authentication of the client and
the network.
 EAP-TTLS – an extension of EAP-TLS requiring only
server-side certificates; it can support legacy password
protocols.
 EAP-SRP (Secure Remote Password) – a secure,
password-based authentication and key exchange protocol
used to securely authenticate clients to servers where the
user must memorize only a small secret, such as a password,
without any other information available.
 EAP-SIM (GSM) – used as a mechanism for Mobile IP
network access authentication and registration key
generation using the GSM Subscriber Identity Module
(SIM).

8.8.6 Service Sets

Service sets describe the basic components of a fully operational
wireless LAN.

There are three options for configuring a wireless LAN, and different
hardware is required for each configuration:
 Basic service set.
 Extended service set.
 Independent basic service set.

A basic service set consists of only one access point and one or more
wireless clients. A BSS utilizes infrastructure mode, requiring the use of
an access point and that all traffic traverses that access point.
Communication from one wireless client to another must go through
the access point. A single cell, or RF area, is covered by the access
point. The cell consists of varying data rate zones that can be
imagined as concentric circles of differing data speeds. The actual
data speed is dependent on the technologies used; for instance,
802.11b equipment would provide data speeds of 11, 5.5, 2 and 1
Mbps. The data rates decrease the farther they are from the center. A
BSS has one unique SSID.

An Extended Service Set (ESS) is comprised of two or more basic
service sets. The sets are connected by a common distribution
system. Distribution systems can be any method of network
connectivity. To operate in infrastructure mode, an ESS must have at
least two access points. All transmissions must travel through one of
the access points. Some additional characteristics of an ESS from the
802.11 standard include:
 Covers multiple cells.
 Allows but does not require roaming.
 Does not require the same SSID for all BSSs.

An Independent BSS (IBSS) is known as an ad hoc network. No
access point or other access to a distribution system exists. The IBSS
covers a single cell and has one SSID. The clients share the
responsibility of sending beacons to each other. In order to transmit
outside of the IBSS, one client must also act as a gateway or router. A
software solution can serve this purpose. Because clients make direct
connections with each other to transmit data, the solution is often
referred to as a peer-to-peer network.

9 Business Continuity and Disaster Recovery

9.1 BCP/DRP Processes

9.1.1 Business Continuity

Business continuity and disaster recovery practices are intended to
allow a business to continue offering critical services when a
disruption occurs and to survive a disaster. Business continuity
planning (BCP) is a process for reducing the business risk generated
by an unexpected disruption of critical functions. BCP is the
responsibility of senior management and followed by business units to
provide the minimum level of functionality in the operations of the
business.

Business continuity planning is concerned with:
 The key operations required for survival of the
organization.
 The human and material resources required to support the
key operations.

The plan for business continuity includes:
 Disaster Recovery plan – for recovering a facility deemed
inoperable.
 Operations plan – the activities taken by business units
during recovery.
 Restoration plan – activities used to return operations to
normal.

The BCP process takes into consideration the entire plan of the
organization. All BCP activities start with a risk analysis to determine
the identifiable threats to the organization. Risk, in this sense, is
proportional to the value of the asset and the probability of the threat
to occur. Application systems are classified based on their value to the
business, which is proportional to the role the application system has
in supporting business strategy.

The business continuity plan covers all aspects of continuing the
business, including and beyond information systems. The process
includes several life cycle phases:
 Business continuity and disaster recovery policy creation.
 Business impact analysis.
 Classification of operations and criticality analysis.
 Business continuity and disaster recovery procedure
development.
 Training and awareness program.
 Plan testing and implementation.
 Monitoring.

The common components of the BCP are:
 Business recovery plan.
 Continuity of operations plan.
 Continuity of support plan.
 Crisis communication plan.
 Incident response plan.
 Disaster recovery plan.
 Occupant emergency plan.

9.1.2 Disasters

Disasters are considered events where critical information resources
are inoperable for a period of time, impacting business operations. The
disruption caused by the event can last from several hours to several
days and require recovery efforts to restore business services. A
disaster can be caused by natural calamities, through utility outages,
or by malicious attack. Not all critical disruptions are disasters, but they
may still be high-risk, requiring actions to recover operations.

9.1.3 Business Impact Analysis

When developing the business continuity plan, a business impact
analysis is conducted to identify the events that could disrupt the
continuity of operations and the impact each would have on the
organization. To begin the analysis, an understanding of the
organization, its key business processes and its IT resources is
required. Support from senior management is required, as well as
participation from IT and end-user groups. The criticality of each
business process must be identified and approved.
To perform the analysis, several approaches may be used, including:
• Questionnaires
• Interviews
• Workshops

The three primary questions of a BIA are:
• What are the different business processes?
• What are the critical information resources associated with
each critical business process?
• What is the critical recovery time required for each information
resource?

Underlying these questions are two determinants: downtime and
corrective alternatives. With downtime, the impact of a disruption
increases the longer it lasts, which raises the cost of downtime: the
cost of idle resources, lost sales, financial costs, delays and indirect
costs. Recovery costs, by contrast, decrease as the acceptable
recovery time lengthens, because cheaper corrective alternatives
become viable. Recovery costs include preparation costs, testing
costs, the cost of offsite backup operations, insurance coverage,
alternative sites and other expenses needed to continue operations.

9.1.4 Classifications

Risks are ranked by the impact expected from a disruption and the
likelihood of that disruption occurring. The ranking system used
typically contains the following classifications:
• Critical – tolerance to disruption is very low and the cost of
disruption is very high; these functions cannot be performed
manually and must be replaced by identical capabilities.
• Vital – functions can be performed manually for a brief period,
allowing greater tolerance of interruption, provided full
services are restored within a defined time frame.
• Sensitive – functions can be performed manually over a longer
period of time, although additional staffing is required.
• Non-sensitive – functions may be interrupted for an extended
period of time with little or no cost to the company.

9.1.5 Recovery Point and Recovery Time Objective

The Recovery Point Objective (RPO) is the point in time to which data
must be recovered after a disruption. It is set by the acceptable
amount of data loss and therefore quantifies how much data, measured
as the time elapsed since the last usable copy, the organization can
afford to lose. The Recovery Time Objective (RTO) is the point in time
by which business operations must resume; it determines the
acceptable downtime. Both objectives are expressed in time: the
shorter the required time, the higher the cost of the recovery
strategy.

9.1.6 Recovery Strategies

Recovery strategies combine controls and measures that remove
threats, minimize their occurrence or reduce their impact. Physical
and environmental security can remove a threat or minimize the
likelihood of a risk occurring. Redundancy and alternative routing
can minimize the impact once the risk materializes.

A recovery strategy identifies the best method of recovering a
system when it is disrupted. The selection of the recovery strategy
is based on:
• Business process criticality
• Application criticality
• Cost
• Time required to recover
• Security

9.1.7 Recovery Technologies

One of the key considerations in business continuity and disaster
recovery is determining in advance which alternative recovery sites
are needed:
• Cold sites – IT locations with the capability (space, power and
environmental controls) but not the equipment.
• Warm sites – IT locations with the capability and some
equipment.
• Hot sites – IT locations with the capability and the equipment,
fully configured and ready to operate.
• Mobile sites – remote mobile IT locations for temporary use.
• Multiple processing sites – provide workload balancing and
take over the load when one location fails.
• Workspace and facilities – provided by commercial recovery
site vendors.
• Virtual business partners – use an outside business partner's
IT when required.

Third-party sites require contracts that define the scope and
requirements of the BCP/DRP solution. Specific elements of the
contract include:
• Configurations – the adequate hardware and software
configurations.
• Disaster – an agreed-upon definition.
• Speed of availability – the earliest moment the site is available
after the disaster.
• Subscribers per site – the maximum number of subscribers per
site.
• Subscribers per area – the maximum number of subscribers in
an area.
• Preference – if a common disaster affects multiple customers,
defines the order of support and access.
• Insurance – provides adequate coverage for employees at the
backup site.
• Usage period – the time and resource requirements.
• Communications – defines the communication methods and
frequency.
• Warranties – defines the availability and adequacy terms.
• Audit – provides a "right-to-audit" clause.
• Testing – defines the rights to testing.
• Reliability – defines the reliability of the site.

9.1.8 Organizational Responsibilities

Several teams may be created to handle the responsibilities that arise
when a disaster occurs. Those teams include:
• Incident response team – receives information about every
incident that poses a threat to assets or processes.
• Emergency action team – comprised of the first responders,
focusing on putting out fires and handling other emergency
scenarios.
• Damage assessment team – assesses the damage following a
disaster.
• Emergency management team – coordinates the activities of the
recovery teams and makes key decisions.
• Offsite storage team – handles the packaging and shipping of
media and records to recovery facilities.
• Software team – restores system packs and operating systems.
• Application team – restores user packs and application
programs.
• Security team – monitors system security and communication
links.
• Emergency operations team – consists of operators and
supervisors at the systems recovery site who run operations
during the recovery.
• Network recovery team – reroutes wide-area voice and data
traffic.
• Communications team – works with the remote network recovery
team to establish the network for communication purposes.
• Transportation team – coordinates the transport of company
employees.
• User hardware team – coordinates the delivery and installation
of user hardware devices.
• Data preparation and records team – updates the application
databases.
• Administrative support team – acts as a message center for the
user recovery site.
• Supplies team – coordinates logistics for an ongoing supply of
office and computer supplies.
• Salvage team – manages the relocation project.
• Relocation team – coordinates the move from the hot site to the
new or restored location.
• Coordination team – manages efforts across offices in different
locations.
• Legal affairs team – handles any legal matters that arise.
• Recovery test team – tests and analyzes the various plans.
• Training team – provides training to users about business
continuity and disaster recovery.

Taken together, the duties of these emergency response teams
include:
• Retrieving critical and vital data from offsite storage.
• Installing and testing systems software and applications.
• Identifying, purchasing and installing hardware at the recovery
site.
• Operating the recovery site.
• Rerouting network communication traffic.
• Reestablishing the network.
• Transporting users to the recovery site.
• Reconstructing databases.
• Supplying office goods.
• Handling employee relocation expenses.
• Coordinating systems use and employee schedules.

9.2 Backup and Restore Practices

9.2.1 Redundant Array of Inexpensive Disks

Each storage device involves different technologies. Tape devices are
primarily used to back up large volumes of data. Magnetic disks are
the preferred device for primary storage. Both technologies can fail
at any point, although they are relatively stable. A Redundant Array
of Inexpensive (or Independent) Disks (RAID) provides a fault-tolerant
array of drives that can survive the failure of one or more members.

RAID simplifies the management and maintenance of the storage
environment. The array presents one large logical storage device
built from smaller individual drives. Data is generally striped across
the drives, and the different RAID levels provide different degrees of
redundancy and performance. The most basic level is RAID 0, which
offers no redundancy and is not recommended for data that must
survive a drive failure. The RAID levels include:
• RAID Level 0 – block-level striping with data spread across all
drives and no parity.
• RAID Level 1 – mirroring, where every block is written to two
drives.
• RAID Level 3 – byte-level striping with parity stored on a
single dedicated parity drive.
• RAID Level 5 – block-level striping with parity distributed
across all the drives.
• RAID Level 6 – block-level striping with two independent parity
blocks per stripe, distributed across the drives, so that two
simultaneous drive failures can be tolerated.

The redundancy provided by the virtual disk protects data from disk
failures. Damaged drives can be hot-swapped without disrupting
service. The technology is widely used for large database operations,
and RAID 5 and RAID 3 are the most popular choices for large
databases.

Software implementations of RAID are possible, but their write speeds
are typically slower than those of hardware implementations. The
reason is that the host CPU must calculate the parity values and
perform the additional I/O operations needed to store them. To
minimize host processing, fast RAID arrays use dedicated controllers
with additional hardware caches, multiple buses and striping
schemes.

Returning to the RAID levels, deciding which level to use is one of the
most important decisions in SAN design. Level 0 is best when high
throughput is wanted at the lowest possible cost, but it offers no
redundancy. Level 1 is excellent when the primary requirements are
high availability and high reliability, but it is costly because double
the storage capacity is required. Level 3 provides very high data
transfer rates and costs less than mirroring, but its write
performance is low and it is unsuitable for transaction workloads of
frequent small writes, since every write touches the single parity
drive. Level 5 has a high read rate and is reliable. It suits a mix of
applications, but performance degrades while a failed drive is being
rebuilt, and it can withstand only a single drive failure. Level 6 has
high reliability and a high read rate. It is best used when the primary
requirements are high availability and data protection; the cost is
higher and writes are slower than RAID 5, because two parity values
must be updated on every write.
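The XOR parity that RAID 3 and RAID 5 rely on, shown as an added Python example (not code from this book or from any RAID vendor): it stripes a constructed message across four drives with rotating parity, removes one drive, rebuilds it from the survivors, and then shows that a second simultaneous failure cannot be recovered with single parity. The drive count, block size and message are arbitrary choices for the illustration.

```python
"""Single-parity striping, the XOR scheme behind RAID 3 and RAID 5.
Added example with constructed data; drive count and block size are
arbitrary choices for the illustration."""
from typing import List, Optional


def xor_parity(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together. The result is the parity block,
    and XORing any n-1 blocks of a stripe yields the missing one."""
    result = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            result[i] ^= byte
    return bytes(result)


def stripe_with_parity(data: bytes, n_drives: int, block_size: int) -> List[List[bytes]]:
    """Lay data out as drives[d][s]: the block on drive d in stripe s.
    Each stripe holds n_drives-1 data blocks plus one parity block; the
    parity block rotates across drives (distributed parity, as in RAID 5;
    a fixed parity drive would give the RAID 3 layout instead)."""
    if n_drives < 3:
        raise ValueError("single parity needs at least three drives")
    data_blocks_per_stripe = n_drives - 1
    stripe_bytes = data_blocks_per_stripe * block_size
    padded = data + b"\x00" * (-len(data) % stripe_bytes)  # pad to whole stripes
    drives: List[List[bytes]] = [[] for _ in range(n_drives)]
    for s in range(len(padded) // stripe_bytes):
        chunk = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        data_blocks = [chunk[i * block_size:(i + 1) * block_size]
                       for i in range(data_blocks_per_stripe)]
        parity_drive = s % n_drives
        parity = xor_parity(data_blocks)
        remaining = iter(data_blocks)
        for d in range(n_drives):
            drives[d].append(parity if d == parity_drive else next(remaining))
    return drives


def rebuild_drive(drives: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Reconstruct every block of the failed drive from the survivors.
    Works whether the lost block in a stripe was data or parity."""
    survivors = [d for i, d in enumerate(drives) if i != failed and d is not None]
    if len(survivors) != len(drives) - 1:
        raise RuntimeError("single parity cannot rebuild with two drives missing")
    return [xor_parity([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def read_back(drives: List[List[bytes]], length: int) -> bytes:
    """Reassemble the original bytes, skipping the parity block of each stripe."""
    n_drives = len(drives)
    out = bytearray()
    for s in range(len(drives[0])):
        parity_drive = s % n_drives
        for d in range(n_drives):
            if d != parity_drive:
                out += drives[d][s]
    return bytes(out[:length])


def demo_single_failure() -> bool:
    """Stripe a constructed message, lose drive 2, rebuild it, read back."""
    message = b"constructed payload: one failed drive is rebuilt from the rest"
    drives = stripe_with_parity(message, n_drives=4, block_size=8)
    original_drive_2 = drives[2]
    drives[2] = None                       # simulate the failure
    drives[2] = rebuild_drive(drives, 2)   # hot-swapped replacement, rebuilt
    return drives[2] == original_drive_2 and read_back(drives, len(message)) == message


def demo_double_failure() -> bool:
    """Two simultaneous failures exceed single parity (the gap RAID 6 closes)."""
    drives = stripe_with_parity(b"constructed payload", n_drives=4, block_size=4)
    drives[0], drives[3] = None, None
    try:
        rebuild_drive(drives, 0)
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    print("single failure rebuilt:", demo_single_failure())
    print("double failure detected:", demo_double_failure())
```

The rebuild loop is also why a RAID 5 array runs degraded after a failure: every read of the missing drive costs a read of all the others plus an XOR, until the replacement is fully rebuilt. RAID 6's second parity is not a second XOR (that would be redundant with the first) but an independent code such as Reed-Solomon, which is why its writes are slower.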

9.2.2 Backups

Backups are activities in which data is copied to a second location for
the purposes of archiving and recovery. Tape is the primary medium
for storing backup data because it is inexpensive and physically
compact. Unfortunately, data stored on tape is susceptible to errors,
the recording process is slow and tapes can be damaged. Disk
storage provides an alternative to tape drives.

As organizations grow, so does the volume of data that needs to be
backed up. Traditionally, backups were performed late at night after
general office hours. Globalization and 24-hour operations have
made backup scheduling even more difficult, because there is no
longer an idle window in which to run them.

Backup architectures built on SANs offer:
• Reliability through tape mirroring.
• Availability and performance through clustered servers.
• Remote connections for performing backup activities.

9.2.3 Full and Incremental Backups

A full backup copies all the data blocks in the datafiles, whether
they have been modified or not. An incremental backup copies only
the data blocks that were modified since a previous backup. In the
terminology used here, a full backup cannot serve as the parent of an
incremental backup; the baseline of an incremental strategy is
instead designated a level 0 backup. A level 0 backup copies every
block regardless of modification, so it is physically the same as a
full backup, but it is recorded so that later incremental backups can
be based on it. The incremental backups are later merged with the
level 0 backup to reconstruct a full copy as of the current point in
time.

Two types of incremental backup exist:
• Differential
• Cumulative

A differential incremental backup copies only the data blocks
modified since the most recent backup at the same level or lower.
The most recent level 1 or level 2 backup is located and any block
modified since that backup is included. This is the default method
for incremental backups.

A cumulative incremental backup copies the data blocks that have
been modified since the most recent backup at the next lower level,
n-1 (for a level 1 backup, since the last level 0). As a result, only one
cumulative incremental backup needs to be restored on top of the
level 0, rather than a chain of differential incremental backups. The
price is that a cumulative incremental backup requires more space
than a differential incremental backup.
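The level 0, differential and cumulative behaviour described above, as an added Python example (not code from this book or from any backup product). It simulates a datafile of numbered blocks with change tracking, takes a level 0, two differentials and a cumulative, and then computes the minimal restore chain. The block count, the sequence of writes and the logical clock are constructed for the illustration.

```python
"""Level 0, differential and cumulative incremental backups over a
simulated datafile of blocks. Added example with constructed data."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Backup:
    level: int
    kind: str            # "level0", "differential" or "cumulative"
    taken_at: int        # logical clock tick when the backup was taken
    blocks: Dict[int, bytes]


class Datafile:
    """A datafile is a set of numbered blocks; each block remembers when
    it was last modified (stands in for the change tracking a real
    backup tool keeps)."""

    def __init__(self, n_blocks: int):
        self.clock = 0
        self.blocks: Dict[int, bytes] = {i: b"" for i in range(n_blocks)}
        self.modified_at: Dict[int, int] = {i: 0 for i in range(n_blocks)}

    def write(self, block_id: int, data: bytes) -> None:
        self.clock += 1
        self.blocks[block_id] = data
        self.modified_at[block_id] = self.clock


def take_backup(df: Datafile, history: List[Backup], level: int, kind: str) -> Backup:
    """Copy only the blocks modified since the base backup that the
    backup type dictates."""
    df.clock += 1
    if level == 0:
        base_time = -1                                   # every block
    elif kind == "differential":                         # same level or lower
        base_time = max(b.taken_at for b in history if b.level <= level)
    elif kind == "cumulative":                           # next lower level (n-1)
        base_time = max(b.taken_at for b in history if b.level < level)
    else:
        raise ValueError(kind)
    blocks = {i: df.blocks[i] for i in df.blocks if df.modified_at[i] > base_time}
    backup = Backup(level, "level0" if level == 0 else kind, df.clock, blocks)
    history.append(backup)
    return backup


def restore_chain(history: List[Backup]) -> List[Backup]:
    """Minimal set of backups, oldest first, needed to rebuild the latest
    state: walk back from the newest backup to the base each one depends
    on until a level 0 is reached."""
    chain = []
    current = max(history, key=lambda b: b.taken_at)
    while True:
        chain.append(current)
        if current.level == 0:
            break
        if current.kind == "cumulative":
            earlier = [b for b in history
                       if b.taken_at < current.taken_at and b.level < current.level]
        else:
            earlier = [b for b in history
                       if b.taken_at < current.taken_at and b.level <= current.level]
        current = max(earlier, key=lambda b: b.taken_at)
    return list(reversed(chain))


def restore(history: List[Backup]) -> Dict[int, bytes]:
    """Apply the chain oldest first; later backups overwrite earlier blocks."""
    state: Dict[int, bytes] = {}
    for backup in restore_chain(history):
        state.update(backup.blocks)
    return state


def scenario():
    """Level 0, two differentials, then a cumulative. Returns the number of
    blocks each backup copied, the restore chain, and whether the restore
    matches the live datafile."""
    df = Datafile(6)
    history: List[Backup] = []
    for i in range(6):
        df.write(i, f"v0-{i}".encode())
    take_backup(df, history, 0, "level0")          # baseline: all 6 blocks
    df.write(1, b"v1-1")
    take_backup(df, history, 1, "differential")    # block 1 only
    df.write(2, b"v2-2")
    take_backup(df, history, 1, "differential")    # block 2 only (since previous level 1)
    df.write(3, b"v3-3")
    take_backup(df, history, 1, "cumulative")      # blocks 1, 2, 3 (since the level 0)
    sizes = [len(b.blocks) for b in history]
    chain = [b.kind for b in restore_chain(history)]
    return sizes, chain, restore(history) == df.blocks


if __name__ == "__main__":
    print(scenario())
```

The point the chain makes for an auditor: with only differentials, a restore would need the level 0 plus every differential since, and the loss of any one tape breaks the chain; the cumulative trades extra space for a two-piece restore.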

9.2.4 Distributed and Centralized Backups

Conventional methods of backing up data fall into two types:
distributed and centralized. Distributed methods attach a backup
device to every server. In a centralized solution, the backup device
is connected to a central machine and backups are performed over
the LAN.

Distributed backups are the fastest way to back up a server's internal
disk drives and are the most appropriate solution for small network
environments. As the network grows and more servers are added,
the distributed process becomes more complicated to manage and
consumes more tape drives.

In a centralized solution, the IP network carries the backup traffic
between the servers and the central backup repository. The downside
is that transferring complete volumes over the LAN consumes server
CPU and network bandwidth, which can degrade server performance
while backups run.

Backup solutions that use a SAN move the backup traffic onto a
dedicated storage network. As a result, the management benefits of
the centralized method are retained without the load on the
production LAN.

9.2.5 Data Replication

Data replication is another form of backing up data, in which copies
of the data are maintained in different places. Replication allows
multiple copies of the same data to be stored and accessed in
multiple locations throughout the enterprise. This improves
performance for users accessing the data, while ensuring that if a
single location fails the data is still accessible from another location.

Replication is a popular solution for disaster recovery and
globalization requirements because it supports high availability
needs. Replication is performed either at the storage level or at the
application level. Storage replication refers to bulk transfers of the
data belonging to an application from one server to another server or
set of servers. Storage replication works irrespective of the
application it replicates, so multiple applications on a single server
can be covered by one mechanism. Application replication focuses on
a single application, which performs the replication itself at the
transactional level. When multiple applications exist on a single
server, each application requires its own application-specific
replication.

Replication can be synchronous or asynchronous. In synchronous
mode, a write is not acknowledged to the host until the remote copy
confirms it has been stored, so the two copies never diverge; the
price is added latency on every write and a stalled host if the link is
slow or down. In asynchronous mode, the write is acknowledged as
soon as the local copy is stored and is shipped to the remote copy
later, so a link interruption does not stall the host, but writes that
were acknowledged and not yet shipped are lost if the primary fails.
Some products switch between modes, starting in synchronous mode
and falling back to asynchronous mode when a communication
problem occurs.
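The acknowledgement semantics of the two modes, and what each leaves behind when the primary fails, as an added Python example (not code from this book or from any replication product). It models a primary and a replica with a logical link, runs a few constructed writes in each mode, and reports the acknowledged writes the replica never received, which is the figure to hold against the RPO from 9.1.5. The record names, batch size and the link failure are constructed for the illustration.

```python
"""Synchronous versus asynchronous replication and the data loss each
leaves after a primary failure. Added example with constructed writes."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Replica:
    log: List[str] = field(default_factory=list)


@dataclass
class Primary:
    mode: str                       # "sync" or "async"
    replica: Replica
    link_up: bool = True
    local_log: List[str] = field(default_factory=list)
    acknowledged: List[str] = field(default_factory=list)  # confirmed to the application
    pending: List[str] = field(default_factory=list)       # async only: queued for shipping

    def write(self, record: str) -> bool:
        """Return True if the write was acknowledged to the application."""
        self.local_log.append(record)
        if self.mode == "sync":
            if not self.link_up:
                # Synchronous mode cannot acknowledge without the remote copy:
                # the application stalls (or the system falls back to async).
                return False
            self.replica.log.append(record)    # remote store first ...
            self.acknowledged.append(record)   # ... then acknowledge
            return True
        self.acknowledged.append(record)       # async: acknowledge immediately
        self.pending.append(record)            # and ship later
        return True

    def ship(self, max_records: Optional[int] = None) -> int:
        """Drain the async queue over the link; returns records shipped."""
        if not self.link_up:
            return 0
        n = len(self.pending) if max_records is None else min(max_records, len(self.pending))
        self.replica.log.extend(self.pending[:n])
        del self.pending[:n]
        return n

    def fall_back_to_async(self) -> None:
        """The mode switch the text describes: keep accepting writes when
        the link fails, at the cost of a non-zero RPO."""
        self.mode = "async"


def lost_on_failover(primary: Primary) -> List[str]:
    """Acknowledged writes the replica never received. This is the actual
    data loss when the primary dies and the replica takes over; compare
    its size against the RPO."""
    return [r for r in primary.acknowledged if r not in primary.replica.log]


def scenario() -> dict:
    # Synchronous: every acknowledged write is already on the replica.
    sync = Primary("sync", Replica())
    for i in range(3):
        sync.write(f"txn{i}")
    sync_loss = lost_on_failover(sync)

    # Synchronous with the link down: the write cannot be acknowledged.
    sync.link_up = False
    stalled = not sync.write("txn3")
    sync.fall_back_to_async()
    accepted_after_fallback = sync.write("txn4")

    # Asynchronous: acknowledged at once, shipped in batches.
    asyn = Primary("async", Replica())
    for i in range(5):
        asyn.write(f"txn{i}")
    asyn.ship(max_records=3)              # link is slow: only 3 of 5 shipped
    async_loss = lost_on_failover(asyn)   # primary dies here

    return {
        "sync_loss": sync_loss,
        "sync_stalled_when_link_down": stalled,
        "accepted_after_fallback": accepted_after_fallback,
        "async_loss": async_loss,
    }


if __name__ == "__main__":
    print(scenario())
```

The auditor's question for any replicated system follows directly: in asynchronous mode, how large can the pending queue grow before someone is alerted, because that queue length is the real RPO, whatever the policy says.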

9.3 Continuity and Recovery Plans

9.3.1 Recovery and Continuity Planning

The preservation of business operations in the face of major
disruptions is the primary focus of business continuity planning
(BCP) and disaster recovery planning (DRP). The activities include the
preparation, processes and practices that protect critical business
processes from the impact of a disruption and recover business
operations afterwards.

Continuity planning is driven by:
• Terrorist attack.
• Natural disaster.
• Internal and external audit oversight.
• Legislative and regulatory requirements.

Industry and professional standards provide guidelines for effective
business continuity, including:
• NFPA 1600, the National Standard on Preparedness.
• ISO 17799 (since renumbered as ISO/IEC 27002).
• Defense Security Service (DSS).
• National Institute of Standards and Technology (NIST).
• Standard of Due Care.

BCP/DRP processes focus on increasing the probability of surviving a
major disruption by concentrating on the potential loss categories,
which include:
• Revenue loss.
• Extra expenses.
• Compromised customer service.
• Embarrassment or loss of confidence.

9.3.2 Continuity Planning Process

The major phases of business continuity planning are:
• Project initiation.
• Current state assessment.
• Design and development.
• Implementation.
• Management.

The project initiation phase involves all the pre-planning activities
required to start the BCP/DRP effort properly. The primary goal is to
establish management's intentions and commitment. The activities
common to this phase are:
• Establishing the scope and objectives for continuity planning.
• Gaining management support.
• Building a project team for continuity planning activities and
defining the roles within the team.
• Defining project resource requirements.
• Identifying and leveraging existing and planned disaster
avoidance preparations.

The development of the scope should focus on:
• Disaster recovery planning (DRP).
• Business continuity planning (BCP).
• Crisis management planning (CMP).
• Continuous availability (CA).
• Incident command systems (ICS).

Management support is required to:
• Formalize a continuity planning policy.
• Establish and manage a budget.
• Define continuity planning metrics.

The current state assessment phase consists of activities that
provide the information about the current environment needed to
make informed decisions about future continuity planning needs.
The activities will complete:
• A threat analysis.
• A business impact assessment (BIA).
• An assessment of the current state of the continuity planning
process.
• A benchmark or peer review.

The result of this phase is a comprehensive understanding of the
strategies, goals and objectives of the organization. The assessment
should cover various areas, including:
• Enterprise business process analysis.
• People and organizations.
• Time dependencies.
• Motivation, risks and control objectives.
• Budgets.
• Technical issues and constraints.

Specific security concerns involve:
• Physical security.
• Personnel security.
• Environmental security.
• Information security.

Using the information gathered in the current state assessment
phase, the project team designs the most effective and efficient
recovery strategies. The primary activities of this design and
development stage are:
• Developing and designing appropriate strategies.
• Developing the crisis management plan (CMP) and the
structures for BCP and DRP.
• Developing the required infrastructure testing and
maintenance activities.
• Planning the acquisition of recovery resources.
• Designing the initial acceptance testing of the plans.

In the implementation phase, the project team works with the
organization's business process owners to implement:
• Continuity plans.
• Short-term and long-term testing.
• Short-term and long-term maintenance strategies.
• Training, awareness and education processes.
• Management processes.

The management phase handles the day-to-day activities of continuity
planning once the plans are in place.

10 Practice Exam

Question 1

What mechanisms can be used to understand automated processes?

A) Flow-charting
B) Specialized audit software
C) Generalized audit software
D) Audit logs

Question 2

What is the purpose of substantive testing?

A) Testing the compliance of control procedures.
B) Testing the confidentiality of data, information, and
transactions.
C) Testing the integrity of data, information, and transactions.
D) Testing the effectiveness of control procedures.

Question 3

What is standard deviation?

A) A mathematical representation of the average size of the
sample.
B) A mathematical representation of the dispersion of values.
C) A mathematical representation of the number of errors in the
sample.
D) A mathematical representation of a population characteristic.

Question 4

What do functional baselines characterize?

A) Compliant specifications
B) Minimum specifications
C) State of resources
D) Initial specifications

Question 5

The protection of assets and financial records is a product of what
type of internal control objective?

A) Administrative
B) Operational
C) Internal accounting
D) Financial

Question 6

Which of the following is an artifact of the Zachman enterprise
architecture framework?

A) Flowcharts
B) Documentation
C) Policies
D) Measurements

Question 7

Who are the people who have the most invested in the success or
failure of a project?

A) Project team
B) Stakeholders
C) Executive management
D) Project Office

Question 8

Which of the SDLC phases establishes a baseline of the system's
specification?

A) Phase 4A
B) Phase 3B
C) Phase 3A
D) Phase 2

Question 9

Which of the following practices is not essential in ensuring effective
identification?

A) Issuance
B) Uniqueness
C) Nondescriptive
D) Maintenance

Question 10

Which of the following classifications in a business continuity ranking
system describes functions which can be interrupted by a disruption
over an extended period of time?

A) Sensitive
B) Non-sensitive
C) Vital
D) Critical

Question 11

Which of the following factors is not used to determine the priority of a
problem?

A) Severity
B) Frequency
C) Customer
D) Impact

Question 12

What is the change model which predefines frequently made changes
in the environment called?

A) Standard
B) Normal
C) Repeat
D) Emergency

Question 13

Reduction of collusion in business activities through temporary
assignments is a form of what human resource practice?

A) Least privileges
B) Job sensitivity
C) Vacations
D) Job rotation

Question 14

Which of the following technology concepts describes the ability to
obtain information under any circumstance?

A) Integrity
B) Accountability
C) Availability
D) Confidentiality

Question 15

Redundant systems are an example of what type of control?

A) Preventative
B) Compensation
C) Deterrent
D) Corrective

Question 16

Which of the following is an example of a quantitative risk
assessment?

A) CCTA Risk Analysis and Management Method
B) NIST SP 800-66
C) Facilitated Risk Analysis Process
D) Spanning Tree Analysis

Question 17

What type of sampling method is appropriate when the rate of
occurrence for the test attribute is extremely low?

A) Discovery sampling
B) Frequency-estimating sampling
C) Stop-or-go sampling
D) Fixed sample-size attribute sampling

Question 18

Which of the following concepts is required by the S6 Performance of
Audit Work section of the ISACA IS Auditing Standard?

A) Documentation
B) Evidence
C) Supervision
D) All of the Above

Question 19

What type of audit focuses on determining the efficient
productiveness of an organization's operations?

A) Operational
B) Integrated
C) Administrative
D) Specialized

Question 20

What activity should be conducted before the introduction or major
change of any business or IT process?

A) Audit
B) Risk Assessment
C) Business Impact Analysis
D) Performance Monitoring

Question 21

What is a control risk?

A) An error which is significant when combined with other errors.
B) An error which exists but is not found.
C) An audit risk associated to a specific control objective.
D) An error which cannot be prevented by internal systems.

Question 22

Which of the following is not a condition of reliability for evidence?

A) Information is correct.
B) Confirmation from third parties is provided.
C) Information is from qualified individual.
D) High level of objectivity in creating the evidence.

Question 23

Which of the following is an example of evidence used for legal
procedures?

A) Confirmation
B) Analytical
C) Circumstantial
D) Documentation

Question 24

The difference in the present value of benefits versus cost is what
mathematical indicator in a cost benefit analysis effort?

A) Benefit cost ratio
B) Net benefit
C) Net present value
D) Level of funds available

Question 25

Which of the following is not an element of the Information Security
Management System framework?

A) Control
B) Implement
C) Evaluate
D) Design

Question 26

What method of dealing with risk looks to the costs and benefits of
handling a risk or leaving it alone?

A) Risk Mitigation
B) Risk Avoidance
C) Risk Acceptance
D) Risk Transfer

Question 27

When organizations are structured to handle duties based on
accounts and specialties, what type of structure is the organization
using?

A) Matrix
B) Projectized
C) Functional
D) Mixed

Question 28

An Enterprise ATM is what type of network device?

A) Repeater
B) Switch
C) Router
D) Access Point

Question 29

Which authentication system utilizes tickets to support a user's access
to the network and network resources?

A) TACACS+
B) RADIUS
C) Kerberos
D) None of the Above

Question 30

Which organizational team is responsible for rerouting wide-area
voice and data traffic during a disaster recovery effort?

A) Communications
B) Network recovery
C) Emergency management
D) Application

Question 31

One-time use passwords are a deterrent to what type of malicious
attack?

A) Shoulder surfing
B) Emanations
C) Trojan horses
D) Eavesdropping

Question 32

What process is typically invoked when a service is disrupted for an
individual or a group?

A) Business Continuity
B) Change Management
C) Problem Management
D) Incident Management

Question 33

In configuration management, what CI type would the business
strategy be?

A) Service
B) Organization
C) Internal
D) Interface

Question 34

What is the delivery of IT services from a third-party supplier
called?

A) Offshoring
B) Outshoring
C) Outsourcing
D) Offsite support

Question 35

Reductive measures perform what function?

A) Repairing the damage of a security incident.
B) Preventing the occurrence of a security incident.
C) Reducing the probability of an incident from occurring again.
D) Minimizing the possible damage from a security incident.

Question 36

IDS systems are a form of what type of control?

A) Detective
B) Preventative
C) Corrective
D) Recovery

Question 37

Which of the following standards is not used to determine if evidence
can be admitted in a court of law?

A) Reliability
B) Legality
C) Integrity
D) Relevancy

Question 38

Quality is a measure of what from an audit perspective?

A) Relevance
B) Competence
C) Sufficiency
D) Validity

Question 39

Audits are concerned about the proper implementation of what IT
concept?

A) Controls
B) Risks
C) Assets
D) Solutions

Question 40

For which of the following reasons would performing an audit be acceptable?

A) Performance compliance
B) Regulatory compliance
C) Establishing baselines
D) All of the above

11 Answer Guide

Question 1
Answer: A
Reasoning: Flow charting is a technique used to diagram processes
and understand the flow of the process, whether manual or automated.

Question 2
Answer: C
Reasoning: Substantive testing ensures that data, information, and
transactions maintain their integrity.

Question 3
Answer: B
Reasoning: Standard deviation looks at the variance of the values in a
sample from the sample mean to determine the spread or
dispersion of the sample.

Question 4
Answer: D
Reasoning: Function baselines identify the initial specification before
changes are made to the environment.

Question 5
Answer: C
Reasoning: Internal accounting controls handle accounting objectives,
including assets and financial records.

Question 6
Answer: A
Reasoning: The artifacts associated with the Zachman framework
include diagrams, flowcharts, data models, class models, and code.

Question 7
Answer: B
Reasoning: Stakeholders are actively involved in the execution of a
project and have the greatest concern with the success or failure of
the project. For this reason, numerous communication channels are
relied on to keep the stakeholders informed of the project's status.

Question 8
Answer: C
Reasoning: An established baseline of a system's specification is the
outcome of the phase 3A for designing the software.

Question 9
Answer: D
Reasoning: The three essential practices related to identifying
individuals are uniqueness, nondescriptiveness, and issuance.

Question 10
Answer: B
Reasoning: Non-sensitive functions are not required for critical
business processes should a major disruption occur.

Question 11
Answer: C
Reasoning: The customer, specifically the role they have, is not a
valid variable for determining priority; however, a customer's role or
position may have an impact on business operations should a service
disruption occur, which may adjust the priority.

Question 12
Answer: A
Reasoning: Standard risks are usually pre-defined because they are
done often and have a relatively low risk involved in their execution.

Question 13
Answer: D
Reasoning: Job rotation assigns individuals to specific roles
temporarily to reduce the opportunity for collusion.

Question 14
Answer: C
Reasoning: Availability is a security concept where information is
available to be accessed at any time for the appropriate person.

Question 15
Answer: B
Reasoning: Compensation controls apply alternative solutions to react
to changing demands of a system. Redundant systems are used
when thresholds are reached and the controls communicate the need
for alternative systems to bear the workload.

Question 16
Answer: D
Reasoning: Spanning Tree Analysis and Failure Modes and Effect
Analysis are two common quantitative assessments for risks.

Question 17
Answer: A
Reasoning: Discovery sampling allows testing on an attribute which
occurs very rarely.

Question 18
Answer: B
Reasoning: S6 Performance of Audit Work speaks to supervision,
evidence and documentation.

Question 19
Answer: C
Reasoning: Administrative audits focus on the efficiency of the
operation's productivity. Operational audits focus on the controls in
place within the operation.

Question 20
Answer: B
Reasoning: Every major change or introduction of a process into the
environment should begin with a risk assessment to determine what
issues need to be addressed by the process. Risk assessments are
usually incorporated into other efforts, including business cases and
analysis.

Question 21
Answer: D
Reasoning: Control risks are a classification of material errors that
cannot be detected or prevented by the established controls of an
internal system.

Question 22
Answer: A
Reasoning: Correctness is not an appropriate attribute for determining
the reliability of evidence. The fact that the information is incorrect can
be evidence in itself.

Question 23
Answer: C
Reasoning: Circumstantial evidence is used in a legal context. The
other choices are used primarily in audits.

Question 24
Answer: B
Reasoning: Net benefit is determined by subtracting the present value
of costs from the present value of benefits; the result is the difference
between the two numbers.

Question 25
Answer: D
Reasoning: The five elements of ISMS framework are control, plan,
implement, evaluate, and maintain.

Question 26
Answer: C
Reasoning: Risk acceptance recognizes that the costs and benefits of
not taking action are better than trying to prevent or mitigate the risk.

Question 27
Answer: A
Reasoning: An organization structured by projects and specialties is
called a matrix organization.

Question 28
Answer: B
Reasoning: An Enterprise ATM is inherently a switch which performs
cell relay services.

Question 29
Answer: C
Reasoning: The Kerberos solution uses symmetric keys and tickets to
authenticate users on the network.

Question 30
Answer: B
Reasoning: The network recovery team is responsible for ensuring all
wide-area traffic, including voice and data, can be exchanged over the
network, requiring some rerouting.

Question 31
Answer: A
Reasoning: Shoulder surfing is a form of social engineering performed
through direct observation. One-time use passwords prevent potential
attackers from observing password entries and gaining access to the
network.

Question 32
Answer: D
Reasoning: Incident Management is the initial process for dealing with
service disruptions; it provides the first attempts to resolve the disruptions
or put a workaround in place. Problem management and eventually
change management will handle situations where a solution cannot be
put into place immediately. Business continuity rarely gets involved
when an individual's services are disrupted.

Question 33
Answer: B
Reasoning: Business Strategies are used to describe the organization
and are therefore an organization configuration item.

Question 34
Answer: C
Reasoning: Outsourcing relies on third-party support to provide all or
part of a business's IT services.

Question 35
Answer: D
Reasoning: Reductive measures look to reduce the damage that
occurs from a security incident.

Question 36
Answer: A
Reasoning: IDS solutions, or Intrusion Detection Systems, apply
detective controls to identify intrusive events when they happen.

Question 37
Answer: C
Reasoning: Integrity is not required for evidence to be admissible in a
court of law.

Question 38
Answer: B
Reasoning: Quality is a measure of competence which is both valid
and relevant.

Question 39
Answer: A
Reasoning: Controls are used to minimize the risk to the business, and
audits are concerned with the effectiveness of these controls and
their compliance with regulatory and process guidelines.

Question 40
Answer: D
Reasoning: Audits are used in a number of capacities, most of which
aim to understand the current environment in relation to an expected
norm or baseline. An audit can be used to generate an initial baseline or to
determine compliance with an existing baseline, including performance
goals and regulatory requirements.

12 References

CISA Review Manual 2007. Information Systems Audit and Control
Association, Illinois: 2006.
Information Security Governance: Guidance for Boards of Directors
and Executive Management, 2nd Edition. IT Governance Institute,
www.itgi.org.
ITIL Service Design. The Stationery Office, Norwich: 2007.
The Official Introduction to the ITIL Service Lifecycle. The Stationery
Office, London: 2007.
CompTIA Network+ Exam Objectives. Computing Technology Industry
Association: 2008.
Tipton, Harold F. and Henry, Kevin. Official (ISC)2 Guide to the CISSP
CBK. Auerbach Publications, Boca Raton: 2007.
Stewart, James Michael. (ISC)2 SSCP Systems Security Certified
Practitioner. PrepLogic, Inc: 2006.
Certified Wireless Network Administrator. Planet3 Wireless, Bremen,
Georgia: 2002.
Virtual Private Networks Administration Guide, Version NGX R65.
Check Point Software Technologies LTD: March 2007.

CISA information: www.isaca.org

13 Websites
www.artofservice.com.au
www.theartofservice.org
www.theartofservice.com

14 Index
A

access control 60, 77, 133, 136, 143, 149, 202
access points 118-21, 201-8, 210, 246
AES (Advanced Encryption Standard) 8, 173, 177-9, 202
agreements 52, 96, 98, 111, 144-5, 170
ALE (Annualized loss expectancy) 42-3
algorithm 153, 172, 174, 182-3, 201
alphabets 170-2
application systems 18, 100, 213
applications 72, 89-90, 96, 100, 106-9, 129, 133, 135, 143, 148, 150-3, 158-9, 162, 179, 188-9, 227
architecture 5, 57, 68-9, 85, 194
artifacts 68, 235, 254
assessments 41, 88, 98, 219, 230-1
assets 16, 38, 48, 50, 71, 73, 96-7, 213, 219, 235, 252, 254
assurance 23, 31, 33, 49, 51, 63, 110
attributes 35, 105, 130, 166-8, 198, 256-7
audit objectives 4, 17-20, 23-4, 39, 52
auditor 13, 18, 21-9, 31-2, 35, 39-40, 52-3, 55, 62
audits 4, 11-16, 18-20, 22-5, 27, 32, 35, 38, 41, 52-3, 242, 252, 257, 261
authentication 7-8, 60, 129, 131, 133, 135, 139-41, 143, 145, 189-91, 197, 200, 203-5, 207
authorization 60, 98-9, 135, 140

backups 9, 104, 224-6, 228
baselines 41, 43-4, 101, 167, 236, 254, 261
BCP (Business continuity planning) 212-13, 228-31
benefits 2-3, 45, 55, 72, 83, 87-8, 100-1, 117, 167, 192, 226, 245, 258
bits 155, 174-5, 177-9, 183
blocks 164, 175-7, 179, 183, 225
bridges 7, 115-16, 120
business 13, 20, 28, 39, 48, 54, 57, 59, 61, 63, 65, 69-70, 98-9, 110-11, 212-13, 260-1
business cases 6, 87-8, 101, 257
business objectives 38, 50, 63, 99
business processes 12, 56-8, 69, 100, 106, 214-15

CA (Certificate Authority) 146-8, 185-8, 230
candidate 11, 177-9
capabilities 110, 152, 157, 162, 193, 217-18
card 192-5, 197
certificate 145-8, 185-8, 205, 209
certification 10-11, 108
change management 6, 96, 98-9, 125, 248, 259
ciphers 8, 169-71, 178
classifications 8, 40, 96, 111, 216, 237, 257
client 118-19, 141, 201-4, 207-9, 211
committees 5, 56-7, 64
compliance 14, 20, 28, 60-1, 86, 111, 233, 261
computers 15, 29, 96, 114, 147-8, 157, 192
confidentiality 20-1, 39, 61, 66-7, 73, 85, 149, 174, 239
Configuration Item (CI) 96-7, 260
connection 113, 120, 123, 138, 144, 148, 188-90, 207
control procedures 5, 32, 51, 126, 233
costs 34, 45-6, 58, 65, 72-3, 75, 102, 106, 135, 154, 159, 192, 215-17, 223-4, 244-5, 258
countermeasures 5, 39-40, 72-3
credentials 113, 139, 141, 162, 192
CSA (Control self-assessment) 5, 54-5
customers 44, 54-5, 59, 67-8, 77, 86, 97, 110-11, 133, 162, 238, 255

delivery 10, 44, 57, 59, 67, 74, 220, 249
design 25, 27, 72, 85, 91, 100-1, 107, 118, 176, 245
development 6, 58, 64, 75-6, 87, 91, 101-2, 107, 111, 164, 229-30
devices 112, 114, 120-3, 157, 193, 195, 197, 204, 207, 222
disaster recovery 8, 10, 78, 212, 217, 221, 227
disasters 8, 212, 214, 218-19
disruption 212, 214-16, 228-9, 237, 255, 259
drive 46, 61, 140, 222-3
DRP (disaster recovery planning) 51, 228, 230-1

EAP (Extensible Authentication Protocol) 8, 206-7
eavesdropping 7, 157, 189, 248
education 6, 45, 61, 84-5
effectiveness 28, 43, 85, 233, 261
employees 26, 41, 73, 84-5, 133, 163, 218
Encapsulating Security Payload (ESP) 144-5
encryption 31, 140, 144-5, 165, 174, 176, 180-1, 190, 201
enterprises 5, 57, 59, 63-6, 68, 99, 122, 134, 136, 227
entities 2, 72, 104-5, 136, 146-7, 149, 185-7
environment 11, 24-5, 28, 39, 47-8, 61-2, 68, 73-4, 89, 96, 103, 107, 128, 130, 203, 230
errors 19, 36, 47-8, 63, 90, 97, 182, 199, 224, 234, 243
evidence 4, 15, 23-4, 32-4, 37, 53, 79, 241, 243-4, 251, 256-7, 260
expectations 21, 44, 86, 89, 93-4, 103

failure 59, 66-7, 98, 124, 127, 151, 222, 236, 254

Feasibility 6, 91, 100-1
filter 115, 123, 137
firewalls 7, 123, 136, 156, 165, 168
framework 49, 59, 62, 65-6, 68-70
functions 13, 17-18, 27-8, 34, 44, 50, 65, 73-4, 83, 113, 125, 143, 164, 195, 197, 216

governance 5, 10, 27, 29, 49, 56, 63-6, 70

hardware 118, 120, 123, 209, 218
hash 153-4, 182, 184, 191
host 124, 133, 164-5, 197, 227
hubs 6, 113, 164

ICC (integrated circuit card) 8, 193-4, 196-7
identification 7, 60, 96, 129-31
IDS (Intrusion detection systems) 157, 164, 166-8
IKE (Internet Key Exchange) 7, 145-6
illegal acts 24-7, 29, 31
implementation 6, 20, 25, 27, 47-8, 51-2, 56, 58, 60, 72-3, 85, 88, 101-2, 108-9, 126, 142
incident management 7, 124-5, 248, 259
index 9, 29, 31, 264
infrastructure 65-6, 79, 102, 133, 142-3, 185
input 47, 64, 159, 175, 177
integrity 20, 32, 39, 48, 61, 66-7, 73, 78, 85, 145, 149, 182, 200, 239, 251, 253
interfaces 15, 19, 104, 112, 114-17, 123, 133, 138, 195, 249
Internet 113, 161, 191
Intrusion Detection Systems 7, 164, 260
investigation 21, 38, 77, 128
IPSec (IP Security) 7, 143-4, 184
irregularities 24-7, 35
ISACA 4, 11, 20-2, 29, 31, 49, 241

key pair 147, 173-4, 186
keys 140-1, 144-5, 154-5, 157, 171-4, 176-9, 191, 201
knowledge 23, 25-6, 54, 66, 83, 89, 131, 142, 162

laws 4, 14, 38, 53, 78-9
layers 14, 114, 142-3, 157, 188, 207

levels 14, 33, 39-40, 45-6, 57, 64, 66, 72, 83, 85, 92, 97-8, 111, 125, 165, 222-5
locations 162, 191, 217-18, 220, 224, 227

MAC 116, 120, 183-4, 203


management 19, 21, 24-7, 40, 46, 51-4, 64, 88, 94-5, 118, 125, 133-6, 142, 151, 159
manufacturers 2, 121, 194, 201-2, 207
media 117, 123, 159, 162, 219
memory 151, 154-5, 158-9, 178, 194-5
message 81, 163, 170-7, 181-4, 190
models 96, 121, 124, 142
modes 116, 118, 144, 166, 175-7, 179, 228
modification 59, 67, 102, 107, 136, 144, 225
monitor 47, 123, 164-5

network 98, 112-16, 118, 120, 123, 132, 137, 142, 149, 156-7, 164, 202-3, 205-7, 220-1, 226-7, 259
nodes 115, 144

Objective Level Agreements (OLAs) 60, 110
objectives 12-13, 15-16, 18, 20-1, 23, 27, 32, 46, 48, 51, 53, 56, 58, 61-4, 75, 126
observation 32-3, 36-7
occurrence 17, 38-9, 42, 46-8, 60, 127, 217, 225, 250
OCSP (Online Certificate Status Protocol) 147-8, 187-8
OLAs (Objective Level Agreements) 60, 110
operations 16, 18, 50, 75, 82, 85, 91, 116, 144, 161, 175, 177, 179, 212-15, 220, 227-8
order 38, 63, 110, 112, 132, 160-1, 169-70, 175, 195, 206, 211
organization 14, 24-6, 28-30, 39-40, 51-2, 57-8, 62-3, 71-2, 74-5, 84-7, 93-6, 110-11, 139, 164, 212-14, 231
OSI model 113-15, 142-3
outsourcing 74, 76-7, 249, 260

packets 112, 123, 137-8, 156, 165-6
parties 21, 29, 77-8, 96, 145, 181, 184, 243
passwords 7, 129-32, 135, 139-40, 153-4, 158, 163, 190-2, 197, 199, 206-7, 209, 248, 259
performance 21, 28, 44, 64, 77, 83, 88, 146, 222-4, 227
Personal Identification Number (PIN) 129, 192
perspectives 17, 30, 45, 63, 65, 94
phase 6, 90, 92, 101, 103-4, 106-9, 145-6, 229, 231, 236, 254
PKI (Public Key Infrastructures) 7-8, 146, 148, 185, 197

plaintext 154, 171-2, 174, 176, 205
plans 14, 17, 23, 59, 109, 212-13, 221, 232, 258
policies 5, 46, 51-2, 57-9, 61, 71, 97, 235
population 34-6, 73
private key 140, 145, 148, 172, 174, 180-1, 184
problem management 7, 125-6, 248, 259
problems 8, 47-8, 76, 78, 83, 88, 97, 100, 103, 106-7, 124, 126, 128, 205, 238
programs 15, 19, 95, 101, 104, 107-8, 152-3, 195
project management 6, 44, 57, 89-90, 94-5
protocols 115-16, 120, 123, 134, 143-4, 146, 165, 167, 187, 190, 203, 206-7

receiver 170-1, 173-4, 182, 184, 190
recommendations 24, 52-3, 57, 87, 109
recovery 48, 50, 104, 125, 213, 224, 228, 250
regulations 4, 14-15, 35, 49, 53, 78, 86
regulatory requirements 14, 20, 76, 78, 228, 261
relationships 36, 63, 93, 97, 103-5, 142
reliability 20, 34, 54, 219, 243, 251, 257
repeaters 6, 112-13, 115, 119, 246
replacement 170, 177-8, 202
request 24, 101, 106, 125, 133, 150, 154, 163, 167, 187, 203-4, 208
requirements 6, 11, 27, 44, 56, 59, 84, 86, 89, 96, 101-3, 109, 111, 134-5, 218
resources 20, 23, 28, 33, 43-5, 48, 55, 57, 63, 65, 94, 96, 98-100, 103, 106, 128
responsibilities 10, 12, 14, 22, 25, 57, 59, 62-4, 77, 82, 84, 93, 127, 211-12, 219
review 3, 27-8, 30, 42, 58, 88, 90, 109
risk assessments 4, 13, 26, 29, 38, 40, 58, 242, 257
risk management 5, 63, 66, 70-1
risks 19-20, 25, 28, 36, 38-40, 46-7, 52, 54-5, 59, 63-5, 70-2, 77, 83, 92, 216-17, 245
roles 26, 59, 77, 82, 86, 108, 129-30, 213, 230, 255
routers 7, 117, 123, 136-9, 143, 211, 246

sample 34-6, 234, 253
sampling 4, 34-6
scope 10, 17, 38, 52-3, 68, 76, 127, 165, 218, 229-30
SDLC (System Development Life Cycle) 30, 100, 103
Secure Sockets Layer 8, 188-9
security 21, 58-9, 66-7, 84-6, 104, 111, 142, 144, 159, 161, 173, 188-9, 192-3, 195, 201, 205-6
security incident 60, 250, 260
Security Parameter Index (SPIs) 144
server 117, 122, 134-5, 147-8, 156, 186-8, 207, 209, 226-7
services 2, 16, 53, 56, 60, 75, 90, 92, 96-7, 110-11, 117-18, 124, 132-3, 149-51, 158, 248-9
signal 112-13, 157, 197, 227
site 78, 215, 218-19

SLAs (Service Level Agreements) 6, 110-11
sniffer 7, 157, 202, 205
software 106, 123, 139, 143, 151-2, 254
solutions 44, 60, 71, 79, 87-8, 97, 101-2, 126, 128, 132, 134-5, 139, 176, 192, 211, 226
sources 32, 136, 138, 143, 163
staff 94
stakeholders 20-1, 54, 62, 89, 92-3, 99, 103, 236, 254
strategies 5, 13, 27, 39, 56, 59, 64-5, 103, 162, 231
switches 7, 116-17, 165, 228, 246, 258

teams 38, 133, 179, 219-20, 230
technologies 16, 31, 39, 49, 56, 58, 69, 78, 80, 87, 100, 118, 133-4, 146, 197-8, 222-3
threats 38-40, 47-8, 60, 71, 80, 149, 151-2, 213, 217, 219
tokens 191-2, 199
traffic 136-7, 164-6, 168
transactions 32, 48, 183, 233, 253
transport 137, 140, 142-4, 220
tunneling 143, 189

users 67, 103, 113, 121, 125, 127, 129-33, 135-6, 140-1, 146, 150-4, 156, 160, 191-2, 198-9, 206-7

values 3, 27, 45, 63-4, 66, 69, 163, 172, 177, 179, 199, 213, 223, 234, 253
vendors 76, 106, 133
VPNs (Virtual Private Network) 7, 142-3, 146, 174, 187-9, 206
vulnerabilities 38, 40, 60, 79, 151, 161-2, 164, 183

weakness 71, 82, 150, 155, 176
wireless LAN 120, 201, 206-7, 209
workaround 126, 128, 259
