
Please answer the following:

1. Explain each of the organization’s three strategic business objectives attained through
implementation of information security. What are the associated risks that would prevent achieving
them?

Effective implementation of information security helps ensure that the organization’s strategic business
objectives are met. The three fundamental objectives for information are confidentiality, integrity, and
availability. These objectives are explained below along with the associated risks that would prevent
achieving them.

•Confidentiality is the protection of information from unauthorized access. This is important in
maintaining the organization image and complying with privacy laws. A possible risk associated with
confidentiality includes information security breaches allowing for unauthorized access or disclosure of
sensitive or valuable company data (e.g., policyholder information or corporate strategic plans to
competitors or public, etc.).

•Integrity is the correctness and completeness of information. This is important in maintaining the
quality of information for decision-making. A potential risk associated with information integrity includes
unauthorized access to information systems, resulting in corrupted information and fraud or misuse of
company information or systems.

•Availability refers to maintaining information systems in support of business processes. This is
important in keeping operational efficiency and effectiveness. Possible risks associated with availability
include disruption or failure of information systems, loss of the ability to process business transactions,
and crash of information systems due to sources like catastrophes, viruses, or sabotage.

2. Briefly describe six commonly used techniques for committing cybercrimes according to this
chapter.

•Phishing - A high-tech scam that frequently uses spam or pop-up messages to deceive people
into disclosing their personal information (i.e., credit card numbers, bank account information,
social security numbers, passwords, or other sensitive information). Internet scammers use
e-mail bait to “phish” for passwords and financial data from the sea of Internet users.
•Spoofing - Creating a fraudulent website to mimic an actual, well-known Website run by another
party. E-mail spoofing occurs when the sender address and other parts of an e-mail header are
altered to appear as though the e-mail originated from a different source. Spoofing hides the
origin of an e-mail message.
•Pharming - A method used by phishers to deceive users into believing that they are
communicating with a legitimate website. Pharming uses a variety of technical methods to
redirect a user to a fraudulent or spoofed Website when the user types in a legitimate Web
address. For example, one pharming technique is to redirect users—without their knowledge—
to a different website from the one they intended to access. Also, software vulnerabilities may
be exploited, or malware employed to redirect the user to a fraudulent Website when the user
types in a legitimate address.
•Denial-of-service Attack - Attack designed to disable a network by flooding it with useless traffic.
•Distributed denial-of-service - A variant of the denial-of-service attack that uses a coordinated
attack from a distributed system of computers rather than from a single source. It often makes
use of worms to spread to multiple computers that can then attack the target.
•Viruses - Piece of program code that contains self-reproducing logic, which piggybacks onto
other programs and cannot survive by itself.
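As an added defender-side illustration of the e-mail spoofing described above (example code, not part of this chapter or its source text), the following Python checks a message's headers for two common signs of a forged sender: the visible From: domain not matching the envelope sender, and no SPF or DMARC pass recorded by the receiving gateway. All addresses, domains and header values are constructed for the example.

```python
from email.parser import Parser
from email.utils import parseaddr


def domain_of(addr):
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def spoofing_indicators(raw_headers):
    """Return the reasons a message looks spoofed; an empty list means none found.

    Two signs are checked: the visible From: domain not matching the envelope
    sender (Return-Path), and no SPF or DMARC pass in Authentication-Results."""
    msg = Parser().parsestr(raw_headers, headersonly=True)
    from_dom = domain_of(msg.get("From"))
    return_dom = domain_of(msg.get("Return-Path"))
    auth = (msg.get("Authentication-Results") or "").lower()
    reasons = []
    if return_dom and return_dom != from_dom:
        reasons.append(f"From domain {from_dom} differs from Return-Path domain {return_dom}")
    if "dmarc=pass" not in auth and "spf=pass" not in auth:
        reasons.append("no SPF or DMARC pass recorded in Authentication-Results")
    return reasons


# Constructed sample: From: claims the bank, but the envelope sender is elsewhere
# and the receiving gateway recorded SPF and DMARC failures.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dmarc=fail header.from=bank.example.com
From: "Example Bank Security" <alerts@bank.example.com>
Subject: Verify your account

"""

# Constructed sample of a legitimate message: aligned envelope sender, passing checks.
LEGIT = """\
Return-Path: <alerts@bank.example.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bank.example.com; dmarc=pass header.from=bank.example.com
From: "Example Bank" <alerts@bank.example.com>
Subject: Monthly statement

"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        print(label, spoofing_indicators(raw) or "no spoofing indicators")
```

A real gateway relies on its own SPF, DKIM and DMARC evaluation rather than trusting an Authentication-Results header that arrived with the message, since that header can itself be forged by the sender.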

3. What is the purpose of an information security policy?

An information security policy defines the security practices that align to the strategic objectives of the
organization. It describes ways to prevent and respond to a variety of threats to information and
information systems including unauthorized access, disclosure, duplication, modification, appropriation,
destruction, loss, misuse, and denial of use. The information security policy is intended to guide
management, users, and system designers in making decisions about information security. It provides
high-level statements of information security goals, objectives, beliefs, ethics, controls, and
responsibilities. An important factor to implement an information security policy in an organization is to
do an assessment of security needs. This is achieved by first understanding the organization’s business
needs and second by establishing security goals.

4. List and describe typical roles within information security, and their responsibilities in protecting
the organization’s information.

Information security is achieved through a team effort involving the participation and support of every
user who deals with information and information systems. An information security department typically
has the primary responsibility for establishing guidelines, direction, and authority over information
security activities. However, all groups have a role and specific responsibilities in protecting the
organization’s information, as described in the following sections.

•Information Owner Responsibilities - Information owners are the department managers, senior
management, or their designees within the organization who bear the responsibility for the acquisition,
development, and maintenance of production applications that process information. Production
applications are computer programs that regularly provide reports in support of decision making and
other organization activities. All production application system information must have a designated
owner. For each type of information, owners designate the relevant sensitivity classification, designate
the appropriate level of criticality, define which users will be granted access, as well as approve requests
for various ways in which the information will be used.

•Information Custodian Responsibilities - Custodians are in physical or logical possession of either
organization information or information that has been entrusted to the organization. Whereas IT staff
members clearly are custodians, local system administrators are also custodians. Whenever information
is maintained only on a personal computer, the user is necessarily also the custodian. Each type of
application system information must have one or more designated custodians. Custodians are
responsible for safeguarding the information, including implementing access control systems to prevent
inappropriate disclosure and making backups so that critical information will not be lost. Custodians are
also required to implement, operate, and maintain the security measures defined by information
owners.

•User Responsibilities - Users are responsible for familiarizing themselves (and complying) with all
policies, procedures, and standards dealing with information security. Questions about the appropriate
handling of a specific type of information should be directed to either the custodian or the owner of the
involved information. As information systems become increasingly distributed (e.g., through mobile
computing, desktop computing, etc.), users are increasingly placed in a position where they must handle
information security matters that they did not handle in the past. These new distributed systems
force users to play security roles that they had not played previously.

•Third-Party Responsibilities - Access to information from third parties needs to be formally controlled.
With the use of contractors and outsourcing, third parties will have the need to access the organization’s
information. There must be a process in place to grant the required access while complying with rules
and regulations. This process should include a nondisclosure agreement signed by the third party that
defines responsibility for use of that information. A similar process should be in place when individuals
in the organization have access to third-party information.

5. Information security test results should be recorded. According to NIST, what should those test
results include?

The only way to know whether an information security control (ISC) works or not, or passes or fails, is
to test it. Testing ISC cannot be achieved through a vulnerability-scanning tool, which checks only a
small number of security controls. A vulnerability scan often tests a fraction, approximately five percent,
of the security controls. When testing ISC, the NIST RMF recommends the development and execution
of a test plan. The test plan should include all controls applicable to the specific information system.
Testers should execute the test plan with the information system owner and record the results, which,
per the NIST RMF, include:

•A list of applicable security controls
•A test plan encompassing all of the applicable security controls
•A test report (pass/fail)
•Mitigations for any failed controls

Test results provide the risk executive with the information that is required to make a risk decision. The
risk executive is often the chief information officer (CIO), deputy CIO, chief information security officer
(CISO) or director of risk management. From an IT audit standpoint, test results support the audit work
and conclusion, and form the base for the formal exit communication with the organization’s
management.

6. List 10 sources for audit tools, best practices, and/or relevant audit information when performing
information security audits that were discussed in this chapter.

1. Cloud Security Alliance - CloudAudit Working Group
2. National Institute of Standards and Technology, Special Publication 800-144 - Guidelines on
Security and Privacy in Public Cloud Computing
3. IIA - Global Technology Audit Guide (GTAG): Understanding and Auditing Big Data
4. AICPA - Audit Analytics and Continuous Audit—Looking Toward the Future
5. Deloitte - Cloud Computing—The Non-IT Auditor's Guide to Auditing the Cloud
6. PwC - A Guide to Cloud Audits
7. ISACA - Auditing Cloud Computing: A Security and Privacy Guide
8. The SANS Institute - Cloud Security Framework Audit Methods
9. EY - Cybersecurity and the Internet of Things
10. Deloitte - Blockchain & Cyber Security

7. List information, screenshots, reports, etc. that the IT auditor would likely request from a client in
order to conduct an information security audit. Why is this information important for the IT auditor?

An information security auditor examines computer systems and their security components for
safety and effectiveness. A security auditor is primarily concerned with out-of-date computer systems
that could be vulnerable to a hacker attack. Following a security audit, the auditor will give a detailed
report demonstrating the system's effectiveness, describing any security vulnerabilities, and offering
changes and improvements. Information security auditors will continue to be in high demand as
information security systems become more complex and cybersecurity threats become more prevalent.

The majority of records are kept in digital databases, which are protected by firewalls,
encryption, and other security measures. These databases must be tested on a regular basis to verify
that they meet the most recent standards and procedures. This is where information security auditors
come in, ensuring that a business or government institution is protected against cybercrime. Information
security auditors will collaborate with a company to conduct a security system audit. This is a very
detailed and analytical process in which the auditor sorts through a large number of reports, looking for
evident problems as well as potential difficulties. Audits may be carried out at the departmental level in
bigger organizations, while audits can be carried out at any level in smaller firms.

The information security auditor will next analyze the data and produce a detailed report stating
whether or not the system is operating efficiently and effectively. This information is delivered to the
company's management team, and it will detail any modifications that must be made to improve the
system's integrity. If upgrades are suggested, it is part of the auditor's job to provide a cost-benefit
analysis so as to show how the upgrade will be of value. Information security auditors may also test
policies put forward by a company in order to determine whether there are risks associated with them
and may also interview staff members to learn about any security risks or other complications within the
company.

On the other hand, this information is important for the IT auditor because it enables the
organization to stay safe from cyber attacks that could be encountered in the business. It lets the
auditor know which areas need to be improved and helps maintain the protection of reliable and
important information in the organization.
