Projects-Summary
Domain 1 Information System Auditing Process 18 percent
Domain 2 Governance and Management of IT 18 percent
Domain 3 Information Systems Acquisition, Development and Implementation 12 percent
Domain 4 Information Systems Operations and Business Resilience 26 percent
Domain 5 Protection of Information Assets 26 percent
Domain 1 Information System Auditing Process 18 percent
ISACA code of professional ethics
Risk Assessment and Risk Analysis
Let's start with identifying business objectives
Now we can do risk management
Now we can do risk treatment
The risk-based audit approach
Risk Assessment and Treatment
Sherwood Applied Business Security Architecture
Service Oriented Modeling Framework
Knowledge of control principles
Classification of internal controls
Information system control procedures
Inherent, control, detection and overall audit risk
Risk-based audit definitions
Domain 1 Information System Auditing Process
Knowledge statement 1.7
The main areas covered under this knowledge statement are
Evidence characteristics and types
Techniques for gathering evidence
Communication of audit results
Knowledge of audit quality assurance systems and frameworks
CSA vs traditional approach
Reliance on other auditors
Exam pointers for domain one
This concludes domain one.
Domain 5 Protection of Information Assets 26 percent
The risks to business include
Threats to information assets
Information security management
Roles and responsibilities
System access permissions
Mandatory and discretionary access controls
Privacy management issues and role of IS auditors
Information security and external parties
Monitoring and responding to security incidents
Security controls related to hardware and system software
Identification and authentication
Identification and authentication: logon IDs and passwords
Password syntax (format) rules
Passwords, token devices and one-time passwords
Identification and authentication: biometric access control
Single sign-on (SSO) challenges
Logical access security administration
Risks and controls associated with virtualized systems
Network and internet security devices, protocols and techniques
General functions of firewalls
Application firewall systems
Types of firewalls and firewall issues
Implementation of firewalls
Demilitarized zone (screened subnet) firewall
Information system attack methods and techniques
Computer crime issues and exposures
Types of passive attacks
Active attacks can be in the following ways
Virus detection tools and control techniques
Security testing techniques
Risks and controls associated with data leakage
Network infrastructure security: encryption
Public key infrastructure (PKI) and digital signature techniques
Public key infrastructure (PKI)
Certificate revocation list (CRL)
Peer-to-peer computing, instant messaging and web-based technologies
Social networking sites
Controls and risks associated with the use of mobile and wireless devices
Voice communication security
VoIP advantages over traditional telephony
Private branch exchange (PBX)
Risks associated with use of PBX
Evidence preservation techniques
Considerations regarding evidence
Key elements of computer forensics
Data classification standards and supporting procedures
Inventory and classification of information assets
Auditing physical access involves
Environmental protection devices and supporting practices
The environmental exposures
Environmental controls that can be applied
Handling confidential information assets
This concludes the domain on protection of information assets
Section 1: Information System Auditing Process
What should be your first step in risk-based audit planning?
What is the advantage of risk-based audit planning?
What is the first step to conduct a data center review?
QAE questions - audit planning
The audit charter is the formal document that contains
Actions of the audit department are primarily influenced by the audit charter.
Electronic Data Interchange
Exam perspective: internal controls
Risk - understanding of risk
Threat and vulnerability and their relationship
Risk response methods: risk treatment plans
Key aspects of risk-based auditing
Determine the audit subject.
Define the audit objective.
Then you determine the audit process.
Field work and documentation.
Finally, the reporting phase.
Key aspects from the CISA exam perspective
Statistical and non-statistical sampling
Attribute and variable sampling
Stop-or-go sampling and discovery sampling
What is the confidence coefficient?
Testing concept - compliance and substantive testing
Compliance testing, as well as substantive testing
Now what is the attribute sampling method?
Some questions and the answers
1.8 Audit Evidence Collection Techniques
Testing concept - online auditing techniques
Five online auditing techniques
So let us take one example of how SCARF works.
A point to remember for the CISA exam
Some example CISA questions
Reporting and communication techniques
Testing concept - Control Self-Assessment (CSA)
What is control self-assessment?
Objectives of control self-assessment
What are the benefits of CSA?
1.12 - IS Internal Audit Function
IS Internal Audit Function
Requirement for separate IS audit function
Governance of IS audit function
Reporting structure of IS audit function
Management of IS audit resources
IS audit objective should be aligned with overall business objective
1.13 - Managing third party IS auditors and other experts
1.15 - Quality Assurance of Audit Process
Quality Assurance of Audit Process
Oversight by audit committee
Continuous education and updating of IS auditors
Performance monitoring of IS audit functions
Audit finding closure rate
Timeliness of audit reports
Audit recommendation implementation rate
Accreditation/certification of IS audit function
1.16 - Use of Artificial Intelligence in Audit Process
Benefits of use of AI in audit processes
Risks of use of AI in audit processes
Use cases of AI in audit process
Best practices for using AI in audit process
List of Domains
Domain 1 Information System Auditing Process 18 percent
Domain 2 Governance and Management of IT 18 percent
Domain 3 Information Systems Acquisition, Development and Implementation 12 percent
Domain 4 Information Systems Operations and Business Resilience 26 percent
Domain 5 Protection of Information Assets 26 percent
Domain 1 Information System Auditing Process 18 percent
The Process of Auditing Information Systems. This domain will account for 21% of the exam, and it's really the guts of an audit. This is where we talk about how you actually conduct an audit. At this point we're not as concerned with regulations, laws and technical issues so much as with the actual auditing process, and it is a formal process: it's a science, not an art.

In this domain we're going to have several lessons that walk you through the process, so let's go ahead and get started with domain one. After completing domain one you'll be able to understand basically what an audit is and how an IS audit function should be managed. You'll be able to detail the ISACA IS audit and assurance guidelines and standards. You'll be able to discuss risks and how to analyze them, and discuss and understand internal controls. You'll also be able to explain control assessment. You'll be able to demonstrate how an information system audit should be performed and expound upon the details of the audit process. Possibly most importantly, you'll be able to apply the ISACA audit principles to your audits.

The CISA divides up the material for the test into task and knowledge statements. We focus the lessons on knowledge statements, but those include the tasks as well. Task statements are what a CISA candidate is expected to know how to do or perform; knowledge statements are what a CISA student should know. If you first know the items involved, then applying them is all that's required to perform a task. So while we break the lessons down by knowledge statements, you will also learn to perform the tasks. Tasks and knowledge statements establish and maintain the process of auditing information systems; tasks can be mapped to more than one knowledge statement.

Now, within this and the subsequent lessons we're going to walk you through what you need to know to pass the CISA. It's important that you take time to study and make sure you fully understand each of these lessons before proceeding to the next lesson.

Knowledge statement 1.1

This tells us that knowledge of ISACA IT audit and assurance standards, guidelines, tools and techniques, the code of professional ethics and other applicable standards is required for those hoping to become CISA certified. There's an explanation for this knowledge statement. First and foremost, the credibility of any audit is based at least in part on the use of commonly accepted standards. It just so happens that ISACA is a global pioneer of IS assurance and audit guidelines, tools and techniques standards, and has a comprehensive code of professional ethics. ISACA standards provide you with a benchmark for any information systems audit.

Now, the main areas that are covered under this knowledge statement include, first and foremost, the ISACA code of professional ethics. That's important to keep in mind because ISACA will emphasize this in the CISA exam: you need to know the professional ethics code and be able to apply it to scenarios that you're given. The ISACA information systems assurance and audit standards framework, as well as the information systems assurance and audit guidelines, will be covered, but in less detail than the professional ethics; in other words, for the framework and the guidelines you need a general understanding. The ISACA information systems assurance and audit tools and techniques will permeate the CISA exam: you'll see some under this knowledge statement, and other tools and techniques will show up in other knowledge statements and even other domains. And finally, you need to understand the relationship between guidelines, tools, techniques and standards.
ISACA code of professional ethics

The code of professional ethics is critical to understand. We're going to read it right now, pausing at certain portions to give a little extra commentary where needed.

ISACA sets forth a code governing the professional conduct and ethics of all certified IS auditors and all members of ISACA. Members and certification holders shall:

Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
Perform their duties with due diligence and professional care in accordance with professional standards and best practices.
Serve in the interest of stakeholders in a lawful and honest manner while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.

Now this last one requires some extra commentary. As an IS auditor you're going to see all sorts of confidential information; you may be exposed to proprietary data, processes, plans, personnel information, that sort of thing. You must make confidentiality a cornerstone of your professional ethics.

Members and certification holders shall also maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence. What this means is, first and foremost, you have to continue learning: make sure you increase your competency and are aware of new techniques and strategies, and also make sure you don't take on projects you're not fully qualified for.

Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

This last one also bears some commentary. The entire purpose of an audit is to inform the stakeholders of the situation of their information systems: how does it stand in relation to security? Your job when the audit is over is to educate the stakeholders.

Failure to comply with the code of professional ethics can result in an investigation into a member's and/or certification holder's conduct, and ultimately in disciplinary measures. ISACA may choose to ban you from ISACA or to revoke your certification if the situation warrants it.

The IT audit and assurance standards framework established by ISACA has specific objectives. IS auditors should be informed of the bare minimum level of performance needed to meet the professional responsibilities set out in the professional code of ethics. Now keep that in mind: these standards are the minimum, and you should always strive to do better. The standards should also inform management of the profession's requirements concerning the work of audit practitioners. And these standards should also inform holders of CISA certification that failure to meet these standards may result in a review into the CISA holder's conduct by the ISACA board of directors, which may ultimately result in disciplinary action.

ISACA IS assurance and audit guidelines provide additional information on how to comply with ISACA information technology assurance standards. The information systems auditor should use professional judgment, which means sometimes you may differ from the standards, but you need to be able to justify any difference. The guidelines are documents that are all identified by a prefix G followed by a number, for example G10, G12, G20; there are actually 42 categories of guidelines.

In the next few screens we'll briefly look at all of them. You don't have to memorize them, and therefore we won't read every one to you, but I will point out a few of them that are of particular importance on the certification test. What we see here, due professional care, ties directly in with the professional code of ethics, so G7 is particularly important. There's an entire knowledge statement on G10, audit sampling, which discusses how to do proper sampling. Audit evidence requirement, G2, is also prominent on the certification test. G15, planning: a properly planned audit is the only way you're going to have a good audit. And of course G20, reporting: the way you report your audit is essential to communicating your findings to the stakeholders. G28, computer forensics, may seem like an odd one to you. It's not required that you be a forensics expert or professional, but there is a forensics component, and you need to have at least a basic understanding of forensics to be able to effectively conduct an audit. Continuous assurance, G42: even if your audit shows that everything meets standards, are we sure it will still meet standards a week from now, a month from now, any time period between now and the next audit? G38, access controls: those are always a common point to check during your audit.

ISACA also has standards and guidelines related to audit, the ITAF, and you can see here a listing of those standards. As with the G guidelines, you don't have to memorize each of these, and we won't read them to you, but you should be familiar with them. This concludes knowledge statement 1.1.
Knowledge of the risk assessment concepts, tools and techniques used in planning, examination, reporting and follow-up.

First of all, your overall audit plan has to focus on business risks related to the use of IT. Now, throughout this course we're going to look at a lot of methodologies, standards and techniques, but if you think about it for just a moment, I think you'll agree that information system auditing comes down to one simple concept: identify the risks a business faces, look at the controls in place to mitigate those risks, and evaluate the efficacy of those controls. That's really what auditing is all about.

The area under our audit represents the audit scope. We're not going to audit everything, so let's find out what we are going to audit: what is the scope of our audit? Auditors should use risk analysis techniques to find out what the critical areas to focus on within the audit scope are; in other words, you determine the audit scope by risk analysis. You obviously have limited audit resources: you don't have an infinite number of personnel, number of hours or number of dollars to spend on an audit. So this requires a focus in drawing up the audit plan, and the focus is on the risks that are important to this business.

It's also important to prepare a proper audit report. Think about it for just a moment: once you're done with your audit, one of the big goals is to inform the auditee of the issues you found and the remediation steps you recommend. The primary communication vehicle you have for this is your audit report, so writing a good audit report is very important. Following up on issues that are found in the audit is also very critical. It's not enough to identify an issue; it's not even enough to recommend remediation. There has to be some process to discover, in a follow-up, whether the remediation was done.
Risk Assessment and Risk Analysis

The main areas we'll look at in this lesson include risk analysis. Now, throughout this course you're going to see other looks at risk analysis, but we'll begin in this lesson by looking at risk analysis methodologies, processes and techniques. This leads us to audit methodology. That's another issue that will permeate the course, with various methodologies, obviously, but in this lesson our whole focus is on risk-based auditing: using risk analysis to drive the entire audit process. We also will be discussing inherent risks in the audit itself, what we call audit risk, and materiality. We'll begin looking at risk assessment (how do we determine what is a risk?) and treatment (what are our steps to remediate a risk?). This will involve beginning your introduction to risk assessment techniques. We'll also be discussing reporting techniques and follow-up.
Risk analysis:

Let's start by looking at risk analysis. This is a process that helps an auditor recognize the vulnerabilities and risks. That's the first part: you have to be aware of what the risks and vulnerabilities to this specific organization are. Now, some risks and some vulnerabilities are common to everyone. Everyone is at risk for a virus outbreak; everyone is at risk for a fire in the server room. But we also have very specific risks to specific industries. Then we need to look at how we define controls that can be put in place, or may already be in place, to mitigate those risks.

Now, throughout this lesson you're going to see several different phrasings of the definition of risk. They're all worded slightly differently because they come from different sources, but they all essentially mean the same thing. Let's start with this first one: risk is defined as the mixture of the likelihood of an event and its magnitude. First of all, an event we're defining as some negative incident. How likely is it to happen? Some events are more likely than others; not everything has an equal likelihood. For example, for any organization the likelihood of a hard drive crash in a server is relatively high, but the likelihood of an intrusion by a state-sponsored cyber terrorist is only high for certain businesses: high-tech companies, defense contractors. It's extremely low for a pizza delivery business or a bookseller. So we have to look at the likelihood of an event. Then let's look at the magnitude: not all events have the same magnitude for every industry.

Let's consider a hypothetical: an event that causes your web server to crash and be offline temporarily. Let's assume your business is pizzas; you sell pizzas, you have a chain of pizza restaurants. If your web server is down, some of your customers will not do business with you during that time. They can't order online, so they will order from a competitor. You will lose some business, but some customers will come into your restaurants and eat there, some will come in and get takeout, some will phone in their delivery orders. So you will lose some business, but by no means all. Now let's assume the same web server crash, but your business is that of e-commerce: you sell things online, it's what you do. If your web server is down you're making zero money; you're losing all dollars for every minute the web server is down. Now, in both scenarios the web server going down is negative; it's a risk. But the magnitude is different in the second scenario than in the first.

Let's look at another definition that's very similar. IT risk is specifically the enterprise risk associated with the ownership, use, operation, influence, involvement and adoption of information technology within a business. Now let's think about that for just a moment. We all like new technologies, myself more than most: the convenience, the productivity, all these things that are afforded us by new technologies. But every technology also involves a risk simply by owning and using it. For example, we already mentioned websites that expand your customer base, let you sell to customers more conveniently and, in some cases, to customers in other areas that you normally wouldn't get to reach. However, every website is vulnerable to denial-of-service attacks, SQL injection, cross-site scripting and a variety of other attacks. Smartphones: these are now ubiquitous, everyone has one, and I personally depend on mine all the time. Many people now bring these phones into the workplace and connect them to the organization's Wi-Fi; this is referred to as BYOD, bring your own device. Well, that poses a lot of risks. Yes, it's incredibly convenient, and it allows employees to blend work with personal time: they may, on their own time, address a work issue through their phone, and they may be able to take care of a critical personal issue, such as a sick relative, and still come to work because of the access they have with the phone. So it blends our worlds. However, you now have attached to your Wi-Fi a diverse number of phones with a wide range of operating systems, software and hardware. This is a risk. So every technology, just owning it and using it, gives us some risk to the enterprise.

Let's consider two other definitions of risk. These are worded slightly differently but are very similar and almost identical in meaning to what we've already seen. The first: the probable frequency and probable magnitude of a future loss. Now, what I really like about this definition is the use of the word probable. It's unlikely that you'll be able to know exactly how frequently an event may occur or its exact magnitude; you have to perform an estimate. The second definition: the potential that a given threat will exploit vulnerabilities of an asset or group of assets and cause harm to the organization. Now, this comes from the standard ISO 27005, which you're definitely going to see on the CISA exam, and not just this definition: you'll see more about the standard, and we'll revisit it again in future lessons. Definitely be familiar with ISO 27005. I like this definition because it emphasizes two things. First and foremost, we're concerned about harm to the organization: if a particular IT system is offline but it doesn't harm the organization, it's not that big a concern. If you have 20 printers and one of them is offline, it's an inconvenience; it doesn't do great harm to the organization. I also like this definition because it's talking about the exploiting of vulnerabilities, and that's what we're really concerned about in risk mitigation.
Now, the process of risk analysis is complex and involved, and it's applied in a variety of areas such as disaster recovery planning and business continuity planning. But let's look at it specifically from the auditor's point of view. From the information system audit point of view, risk analysis is used for the following purposes. First, it helps the auditor identify threats and risks within the IS environment. We've already stated that your audit has to be risk driven, but that begins by identifying the threats and risks that are of most concern in this specific environment. It also lets you plan the audit by looking at the controls in place, and we look at those controls in light of the specific risks and threats we've already identified. Now you're in a position to know the audit objectives: you're basically testing to see if the controls in place appropriately and adequately mitigate the threats and risks you've identified. This makes decision making a much easier process when you're using a risk-based methodology.

Now, on the right-hand side of the screen here you see several steps. These actually occur initially in a linear fashion for our initial audit, but then on an ongoing basis.
Let's start with identifying business objectives

This literally means: what is the business trying to do? Now, you can think about this in a very broad scope, but we're being more specific. For example, if you have a pizza business, their objective is to sell pizzas, but we need to break this down to be much more fine-tuned. For example, the objective of the website is to allow people to order online. Underneath that objective we have sub-objectives: we want to be able to effectively and securely process credit cards, we want it to be a user-friendly experience, and there may be a host of other objectives. But before you can even begin looking at the audit, you have to know what the business is trying to do.

Now, that flows very naturally into identifying those information assets that support the business objectives. It may sound odd, but normally an organization has a number of information systems, some of which are not absolutely critical to the business objective. We're concerned about those that are. Again, if you have 20 printers and most of your business is online anyway and doesn't require printing for each transaction (printing is used for things like monthly reports and invoicing), well then, one printer being down is not a big concern. The web server being down is a huge concern.

Now that you've identified the information assets that support those business objectives, we flow straight to doing a risk assessment on those assets. What are the threats to those assets? What vulnerabilities are in those assets that would allow a threat to be realized? And what would be the impact? Now, impact often involves something we haven't discussed yet called a criticality analysis. That's just a nice way of saying we look at each particular asset and evaluate how critical it is to the organization, and that's often based simply on how much damage it would cause if that particular asset wasn't available.

Now that you've done a risk assessment, you can move on to risk management.

Now we can do risk management

Let's look at the risks and map them to existing controls. Although that can be an involved process, it really comes down to two questions. Are there controls in place that address each and every risk you have? Any place you have a risk that does not have a control, that's an obvious place that needs to be addressed. The second question is, assuming there is a control in place for that risk, does it adequately mitigate the risk? Does it bring the risk down to a level that's tolerable? Once you've done that, you can move on to risk treatment.

Now we can do risk treatment

Let's look at those risks that are not mitigated by existing controls, or at least where the existing controls don't adequately mitigate them. Now, as I mentioned, in your initial audit this is a linear process. But I think you'll agree things change. Business objectives change all the time: sometimes a business may add on new objectives, they may leave old objectives, they may add on a new line of business or abandon a line of business. Information assets definitely change: there are new operating systems, there are changes to hardware, and all of these change things. Certain threats change. For example, SQL injection is still a threat, but it's less of a threat today than it was 5 years ago. Denial-of-service attacks are still a big threat, but a specific old one called a SYN flood is not nearly as much of a danger today as it once was, due to modern firewalls. Threats have changed. On the other hand, there are new threats that didn't exist 5 years ago. All of these changes cause this process to become cyclical: we will re-evaluate the risk and repeat the process.
there are some basic risk assessment terms
and these are borrowed from business continuity and Disaster Recovery planning
that you need to be familiar with
assets
are the resources you're trying to protect now your natural inclination may be to think about servers and those are certainly assets
but I think if
you'll reflect on this for a moment you'll agree that in most cases the data on the server is worth a lot more than the server itself
risk
and this is yet another definition that may seem to be worded differently but means essentially the same that we've seen so far it's the potential that a chosen action or activity will lead to a loss
threats
any negative action that could harm a system
vulnerabilities
any weakness that allows a threat to cause harm
impact
the severity of damage whenever possible we like to express this in dollars now to express that in dollars
we have some very specific formulas these formulas are also borrowed from disaster recovery and business continuity planning
exposure Factor
this is the percentage value of an asset loss due to an in now what we mean is in many cases you won't completely lose an asset
let's assume you have a database and you do a full backup every hour then the worst you can lose is 59 minutes worth of data because if the database crashes one minute before your next backup you will have lost those 59 minutes you can recover all the other data
now if we look at a
single loss expectancy
that means what do we lose in a single negative incident
we start with the asset value how much is the asset worth times that exposure factor that will give us a single loss expectancy
next we have to consider the
annual rate of occurrence
this is the number of losses you might expect to have in a year. It can be estimated reasonably well through several methods. First, look at previous years: what was the number of losses last year and the year before? Then there are a variety of security firms that publish reports every year describing the preceding year's losses, attacks and threats, broken down by industry and company size. For example, how many virus outbreaks do insurance companies with between $20 million and $100 million a year in business have on average? That sort of information is publicly available.
now I want to stop and point out something here
a number of things throughout this process are estimates, and the annual rate of occurrence is one of them. But as I was just indicating, an estimate is not a wild guess. You should not just pick a random number ("the annual rate of occurrence is 15"); that is ineffective and in fact counterproductive. Instead, look at your prior years' rates: how many virus outbreaks did you have a year ago, two years ago, three years ago, and is there an upward trend? Look at industry reports that give you the norm for your industry and size of business. If you use all of that to estimate the annual rate of occurrence, then yes, it's an estimate and it isn't exact, but it's a good estimate.
do the same thing for the asset value, the exposure factor and any other factor we've discussed or will discuss that is described as an estimate. Estimates should never be guessed. I would also recommend that in your final audit report you actually include the basis for your estimates, that is, where each number came from.
with that said, we're ready to compute the
annualized loss expectancy
this is the yearly cost due to a risk. Take the single loss expectancy times the annual rate of occurrence. Normally this is done per asset, per risk: for example, the web server and denial of service attacks. What is the annualized rate of occurrence, and what is the annualized loss expectancy?
the reason we do this is that we can now
calculate the cost effectiveness of mitigating controls
let's say you've identified denial of service attacks as a risk to your website, with 10 occurrences a year at roughly $1,000 each, so $10,000 a year will be lost. Now we ask: what will it cost to mitigate that? If a control would reduce the attacks to two a year, our loss goes from $10,000 a year to $2,000 a year. Should we implement that control? It's a very simple comparison: how much does the control cost? If it costs $5,000 a year but saves us $8,000, it's well worth it. If it costs $15,000 and saves us $8,000, we're actually better off without it.
now let's look again at the three formulas that use these terms. Some of the inputs, like the annual rate of occurrence and the exposure factor, will be estimates, but please use as much data as possible to make them good estimates, not wild guesses.
take the value of the asset, the complete value, which can include
purchase cost
maintenance cost
development cost
and whatever else makes up the asset's total value, and
multiply that by the exposure factor
the result is the single loss expectancy
how much you expect to lose in a single loss event
what is risk
risk is the probability of something happening times the cost if it happens. For example, what would it cost you for your web server to be down for a week? Calculate that cost; it should be something you can do with concrete numbers and very little guessing. Then estimate the probability of that risk, multiply it by the cost, and you have your risk value.
next let's look at the
annualized loss expectancy
take the single loss expectancy you previously computed and multiply it by the annual rate of occurrence. Remember this is an estimate, but hopefully one based on statistical averages, past performance and industry reports. Once you multiply ARO by SLE you have the annualized loss expectancy.
these three formulas and these terms are central to impact analysis, and thus central to business continuity planning and disaster recovery planning. In other words, this is how you calculate risk, and risk should involve as little guessing as possible.
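The formulas above as working code, so the arithmetic of the denial of service example can be checked. This is an added example and not part of the course material; the three-year incident history, the dollar figures and the function names are constructed for illustration, chosen to match the lecture's numbers.

```python
"""Quantitative risk formulas from the lesson (EF, SLE, ARO, ALE) and the
cost/benefit test for a mitigating control.

Added example, not part of the original course material. Incident counts and
dollar figures are constructed to restate the lecture's denial-of-service
illustration; they are not real data."""

from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Asset:
    """Complete value of an asset: purchase, maintenance and development cost."""
    name: str
    purchase_cost: float
    maintenance_cost: float = 0.0
    development_cost: float = 0.0

    @property
    def value(self) -> float:
        return self.purchase_cost + self.maintenance_cost + self.development_cost


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor.

    EF is the fraction of the asset lost in one incident (0.0 to 1.0); a database
    backed up hourly loses at most an hour of work, not the whole database."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_rate_of_occurrence(yearly_counts: list[int]) -> tuple[float, bool]:
    """Estimate ARO from prior years' incident counts instead of guessing.

    Returns the average per year and a flag that is True when the most recent
    year is above the earliest, the upward trend the lecture says to look for.
    Keep the input history; it is the basis you cite in the audit report."""
    if not yearly_counts:
        raise ValueError("need at least one year of history to estimate ARO")
    average = sum(yearly_counts) / len(yearly_counts)
    rising = len(yearly_counts) > 1 and yearly_counts[-1] > yearly_counts[0]
    return average, rising


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, computed per asset and per risk."""
    return sle * aro


def control_net_benefit(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Annual loss avoided by the control minus what the control costs per year.

    Positive: the control pays for itself. Negative: you are better off without
    it and should look at another treatment, such as accepting the risk."""
    if ale_after > ale_before:
        raise ValueError("a control should not increase the expected loss")
    return (ale_before - ale_after) - annual_control_cost


def dos_example() -> dict[str, float]:
    """The lecture's case: 10 denial of service attacks a year at about $1,000 each.

    A candidate control cuts that to 2 a year. Compare it at $5,000 and $15,000."""
    # Constructed history: ten attacks in each of the last three years (no trend).
    aro_before, _rising = annual_rate_of_occurrence([10, 10, 10])
    sle = 1_000.0  # the lecture gives the per-incident loss directly
    ale_before = annualized_loss_expectancy(sle, aro_before)   # 10,000
    ale_after = annualized_loss_expectancy(sle, 2)             # 2,000
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "net_benefit_5k_control": control_net_benefit(ale_before, ale_after, 5_000),    # +3,000
        "net_benefit_15k_control": control_net_benefit(ale_before, ale_after, 15_000),  # -7,000
    }


if __name__ == "__main__":
    web = Asset("web server", purchase_cost=8_000, maintenance_cost=1_500, development_cost=4_000)
    print(f"{web.name} value: ${web.value:,.2f}")
    print(f"SLE at 25% exposure: ${single_loss_expectancy(web.value, 0.25):,.2f}")
    for label, amount in dos_example().items():
        print(f"{label}: ${amount:,.2f}")
```

The ARO helper returns the trend flag alongside the average because a rising count is a reason to weight recent years more heavily, or to revisit the estimate sooner, rather than to take the plain average at face value.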
the risk-based audit approach is simply based on the concept of determining which areas should be audited based on their level of risk. The things we've already talked about, including the formulas we just looked at, are how you decide that level of risk.
once you've looked at a risk and at the controls, and even added or enhanced controls, you have not totally eliminated the risk. Some risk is left over, and that is called residual risk. How much residual risk is acceptable depends on management's risk appetite. So the goal of an audit is to make sure the mitigating controls reduce risk, taking the residual risk down to a level that is acceptable to management.
let's summarize it now
risk assessment involves identifying risks, prioritizing them (which are more important) and, as much as possible, quantifying them using formulas like the ALE and SLE we already looked at. We then evaluate those risks against criteria for risk tolerance: what are the objectives and the risk tolerance of this organization?
risk assessments have to be carried out regularly because things change: the risk environment, regulatory requirements, legal requirements and the risk appetite of the business may all change. So it is not adequate to base your audit on an old risk assessment; the risk assessment should either immediately precede your audit or be done very soon before it.
once you've identified a risk, while there may be dozens or hundreds of different technological answers, all
risk treatment comes down to four categories. The first is
risk mitigation
which is by far the most common: a control that lowers the risk, hopefully to the point that the residual risk is acceptable to management.
one you might not have thought of is
risk acceptance
here you objectively and knowingly choose not to take action. This is not lack of action due to ignorance, where you simply weren't aware of the risk. What happens is that you analyzed the risk, looked at mitigating controls and, using formulas like ALE and SLE, determined either that the cost of mitigation was much more expensive than the cost of the loss, or that the likelihood of the particular threat was so low as to be almost impossible. Either of these criteria may lead you to simply accept the risk and not implement mitigating controls. Before you take that course of action it absolutely must have management buy-in and should be documented thoroughly: why are you choosing to accept the risk?
risk avoidance
is something we prefer but can rarely do: you literally evade the risk, so there is zero chance of it occurring. That is hard to do; in most cases the best you can do is effectively mitigate.
risk transfer or sharing
used to mean simply that you have vendors, partners and suppliers that take on part of the risk. More and more we are seeing insurance companies issue IT breach insurance, so they share the risk by taking on the cost of some issue should a threat occur.
while we will look at many different methods throughout this course, they really come down to a few criteria, a few properties that
all risk assessment methods
have. There are some
formal methods, like the scoring system method and the judgmental method
first, remember that a combination of methods can be used; you don't have to pick a single risk assessment method and stay with it. Methods develop and change over time: they get updated and new methods appear. Unfortunately, all methods depend to some degree on your subjective judgment. And you should always evaluate the appropriateness of any chosen risk methodology for your environment. Don't just pick one because it's the one you always use; ask what is appropriate for this environment and these specific goals.
that concludes knowledge statement 1.2
knowledge statement 1.3
knowledge of fundamental business processes, things like purchasing, payroll, accounts payable and accounts receivable, and the role of information systems in these processes
the purpose of this knowledge statement is to emphasize that before you can do a successful IS audit you need to understand the underlying business process that's being audited. As we already mentioned: is this an accounts payable system, a human resources system? What is the purpose of the process, what are its goals, how does it function, what are its constraints?
you also need to understand the role that information systems play in these processes. Clearly some business processes are more IS-centric than others, so you need to understand the specific part IS plays in any given business process.
information systems auditing involves assessment of all the information-system-related controls, but also understanding the control objectives, which is why you need to understand the fundamental processes. It also involves identifying the key controls that help achieve a well-controlled environment as per particular standards, which may require knowledge of certain industry standards and laws; we'll visit that topic in later knowledge statements.
here are some examples of fundamental business processes, using transactions as the example. A bank can have various transactions: mobile banking, ATM, over-the-counter deposits and withdrawals, wire transfers, all sorts of accounts. A chain store might have point-of-sale transactions with credit cards, extranet or cash transactions with suppliers using electronic data interchange, and ordering from vendors. Whatever the particular business you're auditing, you need to understand what that business does, which processes are most critical to it, and what information systems those processes use. Then apply what we've looked at in earlier lessons, such as a risk assessment that is particular to the specific fundamental business processes of the organization you're about to audit.
there are a few different ways of looking at and understanding a business better, and the following few screens show some of these methodologies. You don't have to memorize any of them for the CISA exam and we won't cover them in significant depth; you just need to be able to identify what these frameworks or processes are.
the Zachman framework
is a common one used for defining an enterprise. Two ways of classifying an enterprise are combined in the Zachman framework. The first is very simple: what is the enterprise, how does it work, when does it work, who is involved, where do they work, why do they do these tasks? The second is more specific: you identify the specific business elements in that enterprise, define them, and look at their representation, specification, configuration and instantiation.
again, it's not important that you go into more depth on the Zachman framework or memorize it, at least not for the CISA exam. The goal is simply to make sure you're aware that this is one framework you could use in your audit practice to better understand a specific enterprise, so you will know their business processes in enough detail to effectively audit their information systems.
something similar to the Zachman framework is the
Sherwood applied business security architecture
as you might guess, this is more specific to security in the business. It looks at the whole enterprise from a risk-driven perspective, looking at the architecture as it relates to information security. So it deviates a bit from Zachman in that it's not so focused on general business processes and an enterprise-wide description, but more on the risk associated with specific security architectures.
the primary characteristic of the Sherwood applied business security architecture is that everything must be derived from an analysis of the business requirements for security: you look at what the business needs for security and see whether that is being met. It also involves ongoing "manage and measure" phases of the life cycle. In other words, you continually measure how close you are to meeting those business requirements and manage so that you keep meeting them.
I personally think that the Sherwood applied business security architecture should be used in combination with Zachman to give you a more comprehensive understanding of the business.
a third model you might consider, devised by Michael Bell, is the
service oriented modeling framework
often simply called SOMF. It allows you to model business and software systems to specify service orientation. In other words, we look at what services the business provides and what services specific systems within the business provide, and that perspective lets us better understand the business itself. It can be used with any number of architectural approaches; you can combine it with the Sherwood model we just looked at. Beyond preparing an audit, it can also be used to design any application or business environment, local or distributed. If you first consider what the business does and what services it provides, and then consider what software systems are necessary to provide those services, that drives not only audits but the design of applications, technologies and systems.
again, any of these options,
service oriented modeling framework
Sherwood
or
Zachman
can be used in combination with the others. The whole idea is not that you memorize each of the three, but that you are aware there are tools to help you understand the underlying business. You don't have to approach it in an ad hoc fashion; you can use one of these modeling tools to give yourself a deeper comprehension of the business you're preparing to audit.
that concludes knowledge statement 1.3
knowledge of control principles
related to controls and information systems
what we're going to attempt to do under this knowledge statement is to ensure that you, the candidate, understand the different types of controls and how they function, and that you can explain how those control principles relate to information systems.
Internal controls:
primarily we're concerned with internal controls. External controls would be laws and regulations that are external to a particular enterprise but do impact how it handles information security in its information systems. Internal controls are the enterprise's own internal processes that have been implemented to achieve specific objectives while minimizing risk. They comprise the enterprise's structures, procedures, policies and practices implemented to lower the level of risk. That includes everything from information technology projects such as intrusion detection systems and anti-malware, to policies, to training, to procedures: everything within the enterprise that's meant to minimize risk and achieve specific objectives.
controls can be manual or automated. In the information systems world we often think of automated things such as anti-malware and intrusion detection systems, but manual things count too. Having a second party confirm a payment over a certain level before that payment is processed can be manual or automated, but either way it's still a control.
internal controls really consider two things: by implementing this control, what can be attained, and what can be evaded? Take, for example, manual spot checks of source code, where someone reviews the source before the project is compiled and distributed throughout the organization. What can be attained? First and foremost, better quality software; we can see that all the basic software procedures were implemented correctly. What can be evaded? At least some of the more obvious bugs will be avoided through this process.
internal controls and procedures have two categories
general control procedures
earlier we mentioned having a second party authorize payments over a certain level. That is a business control, a general control for the entire enterprise, and it may or may not be implemented through technology.
information system control procedures
are control procedures directly related to your information systems: how do we secure databases, web servers and that sort of thing?
Classification of internal controls:
all internal controls fall into one of three categories:
preventive controls
corrective controls and
detective controls
preventive controls stop something before it occurs: locking an office to prevent unauthorized access, using RSA tokens, encrypting a hard drive to prevent someone from viewing files, using a virtual private network to prevent eavesdroppers from monitoring your communications.
corrective controls
are meant to minimize or actually correct a problem once it occurs. For example, with data backup you can put the data back to where it was and correct the situation.
detective controls
help you learn that something negative has occurred. These can be physical or in the information security realm. You're probably thinking of automated systems such as intrusion detection systems, but something as simple as a physical access log, an audit trail or an access control list for the server room is a detective control; all of these help you detect what occurred and when.
it's not the case that any one of these three types of controls is more important than the others. A good system has to have
preventive
corrective and
detective controls
and during your audit you need to ensure that all three are in place to support the enterprise's objectives.
IS control objectives
IS control objectives are top-level requirements that management sets for adequate control of each IT process. First of all, they are a statement of the preferred purpose or result to be attained by applying controls to particular information systems. In other words, by implementing this control, whether it's a physical log-in sheet, an anti-malware system or whatever it might be, what do you want to attain, what do you hope will be gained?
IS controls are also procedures, policies, organizational structures and practices: anything intended to reasonably assure that enterprise objectives will be achieved while undesired events are detected, corrected or prevented. So we're looking at the entire process: the company's policies and the inherent organizational structures, from something as simple as an organizational chart (who do you report a particular issue to?) to something far more complex and intricate. Any procedure you have in place that helps assure enterprise objectives falls under the heading of IS controls.
here are some examples. Note that these are very general; they're meant to be. This isn't telling you how to implement them, it's telling you the objectives:
ensure the integrity of the system, for example an operating system
ensure the integrity of sensitive and critical application systems, such as your financial data and your customer data
safeguard your assets, which include physical assets as well as technology assets
ensure the effectiveness and efficiency of operations; it's not enough that things work, they have to work well
ensure proper authentication processes for users, a critical part of information system security
ensure the availability of any given service, which is accomplished through disaster recovery planning and business continuity planning
there are other knowledge statements later in this course that cover disaster recovery and business continuity in much more detail.
information system control procedures
information system control procedures include all of the following; let's talk briefly about each.
strategy and direction of the IT function
what are we trying to accomplish with this specific function, and how does it integrate with the organizational goals? It sometimes happens that enterprise goals change and technology changes, and a particular IS control or IT function no longer fits the strategy.
system development procedures
we have lessons later on specifically on that topic, but it's one of the things you will check in an audit: are systems being developed in a proper manner? That ties in closely with whether we have
quality assurance processes
that are appropriate and are being adhered to.
communications in the network
do they meet security needs, do they mesh with the enterprise objectives, do they support the goals of the business?
general organization and management
of the IT function: how is this particular function we're auditing managed and organized?
operation procedures
are there operating procedures in place that support enterprise objectives?
physical access controls
are they appropriate?
database administration
if a database is involved, and it usually is with an information system, is database administration done in a way that's consistent with enterprise objectives?
access to IT programs, data and resources
is it controlled appropriately?
system programming and system support departments
are there appropriate departments to support the enterprise objectives?
business continuity planning
do we have planning in place that's appropriate and sufficient to support this particular business process?
detective and protection mechanisms
do we have them?
all of these questions need to be addressed for each and every IS control during the course of your audit.
an audit work program represents your audit plan and strategy; it has procedures, scope and objectives. It's basically a guide for documenting the various steps you take during the audit and the type and extent of the evidentiary matter reviewed. It gives a trail for the entire process used. At some point you'll want to do quality assurance on your audit process, and only through an audit work program do you have the trail necessary to do that. It also provides accountability for performance.
whatever approach you use to auditing, it always comes down to four basic steps.
first is planning
you always assess risks first and develop your audit program in light of those risks. You also have objectives and procedures; recall guidance 5, which we looked at in an earlier lesson. Once you have your plan you have to
obtain and evaluate evidence
it's all about evidence. You don't have any preconceived notions about whether or not a control is meeting its objectives; when you're auditing you seek evidence to determine the strengths and weaknesses of controls. Once you've done all of that you have to
prepare and present a report
there is usually a draft version and a final report. Just as important, and covered in guidance 35, is the
follow-up
were corrective actions taken on the issues you found during the audit? Were they fixed, or do those negative conditions still exist? That's very important.
audit methodology
an audit methodology is the set of standard audit procedures used to attain the objectives of the audit. It's a documented approach for performing the audit, applied in a consistent, recurring manner in order to achieve the planned audit objectives. An audit methodology always has the scope of the audit, the audit objectives and the work programs we previously mentioned.
that concludes knowledge statement 1.4
knowledge of risk-based audit planning and audit project management techniques, including follow-up
Risk based Audit Planning
what this means is that we're going to look at an approach to auditing that's based on the enterprise's risks. As you already realize, it's usually not possible, or at least not practical, to audit every single function of every single information system in the organization. Information systems are very complex, and checking each and every control in each and every possible scenario is usually impractical.
risk-based audit planning
starts with identifying the key enterprise risks: what risks are particularly important to this enterprise? In other words, a risk analysis has been conducted. For this to work you have to have an understanding of the organization: what sort of business are they in, what sort of transactions are they conducting, and what is the business environment? By environment we mean the information systems environment, the technology environment and perhaps the regulatory environment. You also need to know the business's control objectives: what are they trying to accomplish by implementing certain controls?
it's important to understand the type and nature of the transactions the organization engages in. For example, B2B wire transfers are very different from consumer-initiated credit card transactions; that changes the entire scenario, what risks are present and how one goes about auditing. You also need to understand the flow of these transactions and how they're captured in information systems. Remember, our focus is information systems auditing, so it's not just the transactions but how they're processed within computer systems.
Inherent, Control, Detection and overall Audit risk
there are four different risks we're concerned about. Let's begin with
inherent risk
stated formally, the probability of an error existing that might be material, assuming compensating controls do not exist. This exists irrespective of an audit and is contributed to by the nature of the business. Put another way, certain businesses have certain risks that are just part of how they do business. If your business routinely takes in paper checks, there's always the chance of fraudulent checks or insufficient funds. If your business is engaged in e-commerce then you must have a website, and that website is susceptible to attacks such as SQL injection.
control risk
formally, the probability that a material error exists which will not be prevented or detected on a timely basis by the system of internal controls. Put another way, you either lack the appropriate controls to detect an issue, the controls won't detect it in time, or there is some difference between what you would like the control to do and what it actually accomplishes.
detection risk
this is very important to the auditor. Put formally, the probability that the information systems auditor used inadequate checks and concludes that material errors are absent when in fact they are present. Put more succinctly, it's the chance that you, the auditor, miss something. It's terribly important, and it's combated by using all the appropriate standards, tools and techniques that you'll learn throughout your study for the CISA exam.
if you take all three of these,
inherent risk
control risk and
detection risk
and bring them together into a cumulative risk, that is described as the
overall audit risk
it is the combination of all the audit risk components for each control objective. That last part is critical: you usually identify risks per control, or per specific business activity. A specific business activity has an inherent risk; the specific control for that activity has a control risk; and the overall audit risk is broken down for each control.
let's use an e-commerce example. Say you have an e-commerce website. The inherent risk is a web attack such as SQL injection. You've put in place a specialized application firewall designed to prevent those attacks; the control risk is that the control may or may not adequately prevent all of them. The detection risk is that, in the process of doing the audit, you may or may not have detected any gaps in the control. Put all that together and you have the overall audit risk for that specific control, the application firewall that's there to help prevent attacks on a very specific business process, the e-commerce transactions.
Gap analysis
this term has been used in marketing and other areas to mean something a little different from what we mean here. Here we really have two issues:
a product gap and
a usage gap
let's start with the usage gap. In a usage gap you have a control that, if used properly, would be an adequate control, but either the control is not implemented, or it is not properly configured, or it is not being properly used. There is some gap between the potential that control has to mitigate risk and the actual use of the control.
a product gap is when the product itself is missing something; it's unable to fully meet your control needs. That's actually fairly common, which is why most security situations require multiple controls to address specific issues.
when doing your risk-based audit there are some definitions you need to have in mind.
target of evaluation
this is the particular information security deliverable, the object for which assurances are made: what is it you're testing?
assurance activities
are the things you use to test, the methods of testing. We'll discuss those at length later on.
security target
these are the security specifications and requirements you use to test the target of evaluation. Put another way, assurance activities check a target of evaluation to discover whether or not it has met the security target.
security protection profile
is similar to a security target but broader in scope. It's not about a specific deliverable but about the general security needs of a given business or group.
risk-based audit definitions
there are some definitions you need to be familiar with. We've used some of these terms already and you probably know what they mean, but let's make sure.
control
a control is anything meant to mitigate a risk. That can be technological: the application firewall we mentioned previously is a control, antivirus software is a control, an intrusion detection system is a control. But controls also include processes: any educational program to train people in security is a control, and any process whereby supervisors double-check something is a control.
IT control objective
a statement of exactly what you want that control to do. General statements like "make things more secure" or "stop attacks" aren't useful; a control objective should be very specific.
risk
the chance that something will happen. We've looked at this definition in multiple ways throughout the preceding lessons and you'll see it again throughout the course. The idea of risk is that there is a probability that something negative will occur and that it will cause some level of damage.
evidence
we've not yet talked about evidence. Evidence is all about data. Auditing is not an art, it is a science, and like any science it's based on evidence: you collect data to make determinations. At the end of the day, what an audit really comes down to is looking at the risks of an organization (that's why we're talking about risk-based auditing), examining the controls put in place to mitigate those risks, and then gathering evidence that determines factually whether or not those controls meet their control objectives. It's as simple as that; it all comes down to evidence.
IT governance
the entire process of managing your information systems. This is very important to the audit because specific issues in governance can affect security: for example, which party is responsible for which aspect of security, and who approves changes. All of these things affect your IT security and therefore have to be addressed in your risk-based audit.
that concludes knowledge statement 1.5
knowledge of the applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of an audit
applicable laws and regulations for IS audit
certainly fraud won't turn up in every audit, but if you routinely conduct information systems audits it seems guaranteed that you will eventually uncover it. For this reason, keep in mind that
fraud investigations
are legal proceedings that require the integrity of evidence to be maintained throughout its life cycle; this is called chain of custody, and the material is forensic evidence. Your audit therefore needs to be conducted on the assumption that there might be evidence of fraud or something criminal that will have to be presented in a court proceeding. Put another way, handle your audit as if you were gathering evidence for court, and make sure you've maintained things like chain of custody. Don't be too concerned about that at this point; later lessons and knowledge statements will give you some general knowledge of forensics.
the
legal requirements
include laws regulations contractual agreements
all these things can be placed on your audit or the audit
management and audit Personnel in any organization have to be aware of these external requirements for computer system practices and controls
how your data is processed transmitted or stored
there's a need to comply with lots of different laws and lots of different legal requirements and that has an impact on your audit
now what we mean by all this is
every industry is affected by some laws
and in this lesson we will look at a few laws from the United States
now depending on where you are when you take the cisa usually the cisa exam will focus primarily on us laws because that's where the largest number of cesa testers are at
however they may throw in a few local laws for European Union Canada and other regions
so make sure you take the time to familiarize yourself with your local laws
but
back to the actual audit
no matter what organization you're auditing
there are some legal requirements
there may be industry regulations
that aren't laws but are really important for that particular organization
there may be contractual agreements
for example that entity has a contractual obligation with one of their clients to reach a certain level of information assurance
you have to be aware of all of these requirements
legal Regulatory and contractual
so that you can put those thoughts into your audit
and make sure your audit addresses those issues
There are a few essential areas that are covered under this knowledge statement. Let's begin with evidence. Now in previous lessons we've mentioned evidence is important. Evidence is factual data; speculation really is not important in an audit. We're not interested in guessing or supposing; we need evidence that shows certain things are or are not true. In respect to legal, regulatory and contractual requirements, those are usually relatively clear: you need evidence that the information systems you're auditing, the controls you're auditing, either do or do not meet those requirements. Now of course that requires you to have in-depth familiarity with that requirement.
Evidence goes hand in hand with audit documentation. You need to have very thorough documentation of exactly what you audited, how you audited, and what your conclusions were, based on evidence.
To some degree, some level of continuous auditing is necessary. That doesn't necessarily mean that a professional CISA auditor comes out and audits the organization continuously; it may mean such a simple thing as internal spot checks, it may mean log examination, it may mean automated systems, but something to ensure that not only did the organization meet its legal, regulatory and contractual requirements today when you did the audit, but that they're still meeting them next month.
Legal requirements are perhaps the most important. It is not the goal of the CISA to make you an attorney, and not all the major laws will be reviewed on the CISA. It's important for you to spend some time familiarizing yourself with appropriate law, and that will be based on your legal jurisdiction, your industry and facts of that nature. But you do need to be aware there are legal requirements that do impact your audit. Here are a few laws that are very important in the United States.
HIPAA and HITECH
The Health Insurance Portability and Accountability Act of 1996. Now that's a very lengthy law, but most important for auditing is that it identifies what is considered personal health information and how it has to be handled. This was augmented by HITECH, the Health Information Technology for Economic and Clinical Health Act, which redefined what a breach is and gave stricter standards for notifying people in case of a breach. If you're auditing not just medical clinics, not just hospitals, but medical billing companies, health insurance companies, anything of that nature, then these two laws become very critical. And again our goal is not to go in depth into every law, but to briefly introduce you to a few of the most important ones.
Sarbanes-Oxley
Sarbanes-Oxley is strictly a United States issue; it does not affect other countries. It is all about publicly traded companies, so a privately held company does not have to adhere to Sarbanes-Oxley. Sarbanes-Oxley was a rather complex piece of legislation, and it was meant to address some financial fraud that had taken place in the early 2000s. Most important for IT is that publicly traded companies must keep electronic records for 5 years. The reason I point out this specific one is not so much that you have to memorize this for the test, but it gives us a great example of how we take a legal requirement and that gives us a very clear control objective, and it's very easy to audit: if there are electronic records that don't go back 5 years, there needs to be an explanation or an understanding, because you're legally required to keep them.
Now the PCI DSS, or Payment Card Industry Data Security Standard, is an extensive set of documents that could take an entire course in and of themselves. CISA does not ask you to be a PCI DSS expert, but basically any organization that processes credit cards will to some level have to comply with PCI DSS. Now notice these are standards in the industry; it's not a law. It's the Visa, Mastercard, Discover and American Express companies saying, look, if you're going to process and handle credit card data you have to do these things. And that applies in many countries; in fact, anywhere that you're processing credit cards, PCI DSS comes into play. So any time you're auditing a company that processes credit card information you need to be familiar with PCI DSS and incorporate that in your audit.
Now these are just examples of legal and regulatory requirements. An exhaustive list would be humongous; depending on where you live and your industry there can be any number of legal and regulatory requirements. You don't have to memorize them all, but be generally familiar with them.
Here's another set of standards that the test will not ask you to memorize. I'm just giving you an example of all the industry standards out there. For cryptography there are a number of ISO standards used around the world; you see a brief description of each here: digital signatures, how to handle cipher algorithms, hash functions, how to manage keys, data processing. The point is very clearly that it can become overwhelming, the number of regulations and the number of standards that you need to be familiar with. The good news is you don't have to be an expert in these areas. CISA does not assume that you're an expert in cryptography by any means; it just assumes that you know which standards to refer to when conducting an audit if cryptography, for example, is a part of the business activity and you need to refer to some standards to see if they meet control objectives. And these are just here as examples; you don't have to commit these to memory.
When you're doing a report there are some basics. First of all, obviously: who are you auditing, the organization; who should receive a copy of this audit; and are there restrictions, should this audit not be forwarded, can it be forwarded to certain people? Basically these are demographic issues: who's being audited, who gets to know about the audit.
Then the scope: what was the scope of your audit, what did you audit? Now, I personally (this is not on the CISA, this is just my personal practice) also like to identify anything that was omitted. If I conduct an audit and certain items were not audited, I want to point that out: these were not audited, and here's why. But for the test you need to know your scope and your objectives: what were you trying to accomplish?
The period of coverage: I audited for a certain period of time, and that should be sufficient, for 6 months or 12 months or however long you think.
The nature of the audit: was it automated, was it a team, did it involve penetration testing as well as auditing, or vulnerability scanning? What happened?
The timing and extent of the audit: how in-depth was it? Timing is important because auditing at different times may give different results. For example, if you're auditing retail credit card transactions in a heavy holiday season, you may get different results than you would at a different time.
My favorite part is findings, conclusions, recommendations, follow-up, reservations or qualifications. What this means is, first of all, what did you find, what did your audit discover? Next, what do you conclude from that? Probably the most important thing is what are your recommendations: if a particular control you found to be inadequate, how do you recommend they fix it? It's not enough for an auditor to look at an organization and say this specific IT control does not meet control objectives; you need to tell them how they can rectify that situation. What if you found something did meet control objectives? Do you have any reservations or qualifications? For example, this might be a place to state that yes, this particular control does meet the control objectives, but that in your opinion those control objectives may not adequately account for certain risks.
Now you should put this in some sort of organization, grouping them by materiality, or by the intended recipient, or by the business group, or by the particular control, those sorts of things: some sort of organization. You also have to mention any faults you found and any constructive corrections.
Normally your report will either be very large, starting with an executive summary, or the report will essentially tell your findings and then there will be appendices that have the evidence to support your results. Either way, there has to be some way for the audit recipient to refer to your evidence. It's not appropriate for you to say "because I said so"; you have to show the evidence. Now often times executives are not going to take the time to read all your evidence. Executives may simply read your conclusions, but the evidence needs to be available should they desire to look at it. Of course, your overall findings, conclusion and your opinion, and always signed and dated.
One tool that the CISA occasionally will bring up is the balanced scorecard. This is a way of looking at an organization that was originally designed as a performance management tool, so it wasn't really designed for audits; it was used to track execution of activities. Basically it's looking at: here is an objective, how is that objective met? Sort of a scorecard; that's the name. Now you can use this to measure controls, their performance against an expected value, and you can look at things from four perspectives.
Financial perspective: how much did it cost, was there a return on investment, was money lost?
Customer perspective: sometimes security controls can be so onerous that they negatively impact customer experience; well, that should be involved in your audit report.
Internal processes: did the controls affect internal processes in a positive or negative way?
And then finally, innovation or learning: have you learned something from measuring this control?
Now again, the balanced scorecard was not originally meant for auditing, but it can be applied to the auditing situation.
That concludes knowledge statement 1.6.
Domain 1 Information System Auditing Process
knowledge statement 1.7 Knowledge
CISA knowledge statement 1.7
Knowledge of the Evidence collection techniques, observation, inquiry, inspection, interview, data analysis, forensic investigation techniques, computer assisted audit techniques used to gather, protect and preserve audit evidence.
Now what this means is, first and foremost, your audit must be supported by objective evidence. It cannot be a matter of opinion. So the next question becomes: how do you collect and preserve such evidence? For your CISA exam, you need to know the various techniques used to gather and preserve evidence.
There are several ways to gather information.
Inquiry is one of them: literally conducting surveys of key personnel in an organization to discover if particular control objectives are being met.
This is particularly effective when part of your audit is checking on compliance with certain policies and industry regulation.
Observation. This involves observing people and systems to see if control objectives are being met.
Interviews can also be used where you interview key personnel and ask them specific questions.
Now, in both the interview and the inquiry options, you need to ensure that you've carefully selected the questions to get optimal information.
Don't just do ad hoc questioning.
And of course, we have analysis using computer-assisted auditing techniques.
We've listed a few here.
It's not critical that you know these specific computer-assisted auditing packages.
However, you should be aware that computer assisted auditing techniques are very common, particularly when you have to sample large amounts of data.
Normally, you'll store and retain audit evidence in some sort of electronic media, USB drives, hard drives, that sort of thing.
And there should be retention policies established ahead of time that show the requirements for storing such evidence,
how long it has to be stored, that sort of a thing.
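Since the lesson on legal requirements says audit evidence should be handled as if it might end up in court (chain of custody), and this knowledge statement adds storage and retention of evidence, here is an added Python example (not from the course, and not any particular tool's implementation) of one simple way to preserve evidence integrity: each evidence item is hashed with SHA-256 when collected, every custody event is logged in an entry that also carries the hash of the previous entry, and a verification pass flags altered evidence or altered log entries. A small retention helper uses the 5-year figure from the Sarbanes-Oxley example. The evidence file names, contents, actor names and dates are all constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import date

# Constructed sample evidence (assumed content, not from any real audit): name -> bytes.
SAMPLE_EVIDENCE = {
    "firewall-config-export.txt": b"permit tcp any host 10.0.0.5 eq 443\ndeny ip any any\n",
    "access-review-2024Q1.csv": b"user,role,reviewed_by\nalice,admin,bob\n",
}


def sha256_hex(data: bytes) -> str:
    """Fingerprint of an evidence item; any change to the bytes changes this value."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int
    item: str
    action: str            # e.g. "collected", "transferred", "verified"
    actor: str             # who handled the item (constructed names below)
    when: str              # ISO date of the event
    item_hash: str         # SHA-256 of the item at the time of the event
    prev_entry_hash: str   # links this entry to the previous one (hash chain)
    entry_hash: str = ""   # SHA-256 over all the fields above


def entry_digest(entry: CustodyEntry) -> str:
    payload = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
    return sha256_hex(json.dumps(payload, sort_keys=True).encode())


class CustodyLog:
    """Append-only chain-of-custody record for a set of evidence items."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries = []

    def record(self, item: str, action: str, actor: str, when: str, data: bytes) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = CustodyEntry(len(self.entries), item, action, actor, when, sha256_hex(data), prev)
        entry.entry_hash = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self, evidence: dict) -> list:
        """Return the problems found; an empty list means log and evidence are intact."""
        problems = []
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry.seq != i or entry.prev_entry_hash != prev:
                problems.append(f"entry {i}: chain broken (entry removed or reordered)")
            if entry.entry_hash != entry_digest(entry):
                problems.append(f"entry {i}: entry fields were altered after being recorded")
            current = evidence.get(entry.item)
            if current is not None and sha256_hex(current) != entry.item_hash:
                problems.append(f"entry {i}: {entry.item} no longer matches the recorded hash")
            prev = entry.entry_hash
        return problems


def build_sample_log() -> CustodyLog:
    """Constructed custody history: both items collected, one later handed to a colleague."""
    log = CustodyLog()
    for name, data in SAMPLE_EVIDENCE.items():
        log.record(name, "collected", "auditor-a", "2024-03-04", data)
    log.record("access-review-2024Q1.csv", "transferred", "auditor-b", "2024-03-05",
               SAMPLE_EVIDENCE["access-review-2024Q1.csv"])
    return log


def retention_end(collected_iso: str, years: int) -> str:
    """Last day a record must be kept (years per policy, e.g. 5 in the Sarbanes-Oxley example)."""
    collected = date.fromisoformat(collected_iso)
    try:
        end = collected.replace(year=collected.year + years)
    except ValueError:  # collected on 29 February and the target year is not a leap year
        end = collected.replace(year=collected.year + years, day=28)
    return end.isoformat()


def must_retain(collected_iso: str, years: int, today_iso: str) -> bool:
    return today_iso <= retention_end(collected_iso, years)  # ISO dates compare as strings


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify(SAMPLE_EVIDENCE) == [])
    tampered = dict(SAMPLE_EVIDENCE)
    tampered["access-review-2024Q1.csv"] = b"user,role,reviewed_by\nalice,admin,alice\n"
    print("after tampering:", log.verify(tampered))
```

The hash chain only detects changes; it does not prove who made them. In practice the log would be kept on write-once or separately controlled storage, and the recorded hashes would be cross-checked against the copy handed to the audit recipient.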
The main areas covered under this knowledge statement are particularly computer-assisted audit techniques, but also evidence. Now, evidence we've discussed in other lessons, and we're going to continue to discuss it because it's a key part of auditing. Interviewing and observing personnel and the performance of their duties; continuous auditing. Now remember, continuous auditing is a set of processes that ensure that audit goals are still being met even between audits. And, of course, audit documentation.
evidence
Remember evidence is the information that you're going to base your conclusions on.
The information systems auditor gathers conclusive, objective data in the course of performing an IS audit.
The idea of evidence is to have objective data to support your audit findings.
Now, evidence has to directly relate to the objectives of the audit.
Tangential information or inconsequential information is not pertinent to an audit. We need evidence or data that directly relates to control objectives.
Now, how you gather that evidence is a key issue.
Remember the various standards we looked at in an earlier lesson. S6 performance of audit work talks about evidence and evidence gathering.
In addition to gathering it, you have to appropriately organize it and document it in order to support findings and conclusions.
How reliable is the evidence:
How reliable is the evidence though? Just like with a criminal case that you might have seen on some sort of television drama or movie, different types of evidence have different levels of reliability.
What are the factors that determine if a particular piece of evidence is reliable?
First of all, whoever provided the evidence, be that a person or a system, are they independent? Do they have no particular stake in the outcome? Independent evidence is what you always want.
The qualification of the person providing the information or evidence. Is that person qualified to make the observations and conclusions they're providing you?
Objectivity: is the evidence clearly objective? It should not be biased in any particular way, either for or against the audit target.
And of course, the timing of the evidence.
evidence characteristics and types:
Now, there are different characteristics that we're concerned with evidence.
The confidence level of evidence is based on its value.
You also look at audit evidence and consider the following.
Is it complete, adequate, and convincing in and of itself?
In other words, would this particular piece of evidence or group of evidence pieces lead another information systems auditor to form the same conclusions you have?
If so, then that evidence is sufficient.
Now, if it wouldn't, if other data is required to come to the same conclusion, then this evidence in and of itself is insufficient.
Is it useful?
Does it assist any auditor in meeting the audit objectives?
You can come up with a great deal of information during an audit. You'll learn a great deal about their information systems, their business processes and practices.
All kinds of data will come into your hands. However, not all of it assists you in meeting your audit objectives.
It may be evidence, but it's not pertinent to the audit.
It has to be reliable.
It has to be valid, factual, objective, and supportable. If it's not reliable, none of the rest really matters.
You can deal with evidence that in and of itself is not quite sufficient. And evidence that may not be useful, may not help your audit, but doesn't hurt it.
But evidence that's not reliable is a deep, deep concern.
Is the evidence relevant? That's very similar to useful.
Does it pertain to the audit objectives? Is there a logical relationship to the findings and conclusions that you're basing on this piece of evidence?
In other words, if your conclusion is based on a specific piece of evidence, that specific piece of evidence needs to have a specific and clear logical relationship to your conclusion.
Techniques for gathering evidence:
There are lots of ways to gather evidence. We start with
reviewing the organizational structure
as it relates to information systems. This will give you a clue as to who to interview, who to inquire with, who to observe.
You'll want to review IS documentation.
If the information systems documentation doesn't adequately describe or meet control objectives, then it's very unlikely that the practices of the information systems department will meet those objectives.
Review the information system standards.
Are they based on well-known, well established third party standards, or are they internal standards? If they're internal standards, do they meet the control objectives?
Reviewing policies and procedures.
How does this organization handle a security breach? How does it handle data disposal of old media? What are their policies and procedures for each of these issues?
Frankly, it's impossible to do an adequate audit if you don't know what the company's policies and procedures are.
Now, and this is based on the previous review of the organizational structure, you can
interview appropriate personnel.
You want to make sure those personnel are in a position to give you reliable and sufficient evidence.
You may wish to also
observe processes and employees actually performing their duties. This can really let you know whether or not the policies and procedures are actually being implemented on a regular basis.
You can always
reperform a particular task to see if it meets or fails to meet control objectives.
And of course, a
generalized walkthrough can be helpful.
Any of these methods or in fact all of them you can use on any given audit to try to gather as much evidence as possible.
My personal feeling is you should always err on the side of gathering too much evidence and then leave out extraneous or irrelevant data from your final report.
But it's better to have data that you have to pare down than to discover you didn't gather enough data.
Audit documentation.
It's really difficult to overdo an audit.
Now I'm talking about the documentation that you personally gather, not necessarily what goes in your final report.
Your audit documentation should at a minimum include a complete record of the following things.
The planning and preparation of audit scope and objectives.
How did you select the scope? How did you choose the objectives? How did you plan your audit?
If you're doing walkthroughs,
let's have a description of those walkthroughs or let's actually do a walkthrough of any particular audit area.
Do we have an audit program, an exact plan for how we're going to do our audit, what tests we'll conduct, what tools we'll use? And
then we also absolutely must document the steps that were actually performed and the evidence gathered.
You may use the services of other auditors or experts.
One example might be let's assume that as part of your audit you have to gather information regarding the security policies as implemented on workstations.
However, some of the workstations are Macintosh computers and you don't have adequate Macintosh experience. You might use the services of a Macintosh professional to do that portion of your audit or to at least advise and assist you.
Of course, you'll need to fully document whatever you found, your conclusions, and your recommendations.
It really cannot be overstated that recommendations are a critical part of an audit. It's inadequate to simply tell a customer what gaps they have in their security coverage.
You need to give them recommendations to remediate those.
And of course, audit documentation in relation to document identification and dates.
What documents did you get? What were the dates on those documents? How were they used? All of these items should be part of your audit documentation.
That concludes knowledge statement 1.7.
Knowledge of different sampling methodologies and other substantive data analytical procedures
In this knowledge statement, we're going to look at two things.
First, comparing compliance to substantive testing and
then looking at sampling methodologies.
Compliance testing involves gathering evidence in order to test the enterprise's compliance with control procedures.
Now what we're talking about here is any sort of requirement be it legal, regulatory, industry norm or internal requirements.
We essentially look at various security controls to determine whether they do or do not comply with a specific requirement.
This generally involves looking at the overall performance of the control, not specific transactions.
Substantive testing is evidence gathered to evaluate the integrity of individual transactions, data, or other information.
Put another way, with substantive testing, you're going to be looking at specific transactions or specific data records.
Obviously, this gives you a better basis to draw conclusions, but just as obviously, it's much more resource intensive.
Throughout this lesson, we'll consider a hypothetical e-commerce company
we'll call Acme E-commerce that had 100,000 records,
100,000 transactions during the audit period, which was last calendar year.
Now, the presence of internal controls can minimize the number of substantive tests that have to be done. How do we know there are adequate internal controls? Well, that's established via compliance testing.
If the controls pass compliance testing, then there is less need for substantive testing.
Conversely, any weakness or inadequacy in internal controls will increase the need or number of substantive tests.
We still don't want to check every single transaction. And that's where we use something from statistics called sampling.
Sampling is done when it's not logical or practical or even possible to test all the transactions. This is usually due to the time and cost needed.
Again, we have 100,000 transactions in our hypothetical scenario. Obviously, it is too cost prohibitive to look at all of them.
Main areas of coverage
So, once again, we'll be looking at
compliance versus substantive testing and
we'll be looking at sampling.
So, what is a sample?
First, let's look at what a population is.
A population consists of the entire group of items that we need to examine and draw conclusions on.
In our scenario, it's 100,000 records that took place last year.
A sample is a subset of that population that we use to infer characteristics about the population. Those inferences are based on examining the characteristics of the sample and extrapolating those results to the population.
Now because of this the sample has to represent as closely as possible the characteristics of the whole population.
Let me explain that with another hypothetical scenario. Let's assume that you've been tasked with determining the average height for males in France. You're not going to measure every single male in France.
That's simply not practical, not even possible. So you're going to get a sample of males in France. But you chose your sample from a convention for horse jockeys, men who ride horses in horse races.
Now, horse jockeys tend to be abnormally small men, much smaller than average. So, all of the conclusions you draw don't really apply to the population. Because you used poor sampling methodology, all of the inferences you draw are going to be inaccurate.
That same thing applies to every audit you do.
When you're sampling records, if you make the wrong selection in your sample, then your conclusions will be wrong.
In some cases, even the exact opposite of what the reality is for the general population. So, you can see that sampling methodology is very important.
Sampling can be either statistical or non-statistical.
Let's look at statistical first.
Statistical sampling
uses objective methods to determine first the sample size.
Let's pause and comment on that. We have 100,000 transactions to consider without any reference to statistical methodologies. I think you already intuitively know that selecting five records for your sample is not enough. And I think just as much you're aware that you don't need to select 50,000 records.
So we use objective methods to select the sample size. Our selection criteria are also based on objective methods. The most obvious is to select randomly.
But are we sure we randomly selected?
Are we sure we selected in such a way as to not skew our results? That gives us the precision of our sample.
All of these things are going to impact the reliability or confidence level we have in our sample.
Now for just a moment, let's reflect on confidence levels and statistics. The term confidence level has a very specific meaning within the world of statistics.
For the purpose of the CISA exam, you don't have to know statistics. There will be no questions wherein you have to perform statistical calculations.
And I know that's quite a relief to some of you.
However, let me state that in my opinion, the better knowledge you have of statistics and the more you apply statistics, the better auditor you will be.
But for our purposes, prepping you for the CISA, you don't need to know statistics. And I say that because the word confidence level has a very specific meaning in the world of statistics.
Now, statistical sampling can be used to infer population characteristics from the sample. And so, it's the preferred method.
Well, you might be wondering if it's the preferred method, why do we have an alternative method? Why not just always use statistical?
Well, let's look at that alternative method. And I think that will answer that question.
Non-statistical sampling
does not use any objective methods. It's purely subjective judgment to determine the method of sampling, sample size, and sample selection.
Non-statistical sampling cannot be used to infer population characteristics, and it's not the preferred method. So, when might you use it? Well,
let's look at that first statement. It cannot be used to infer population characteristics. So, non-statistical sampling can be used when you don't wish to infer population characteristics.
Let's assume that of our 100,000 transactions, the overwhelming majority are all roughly $100 in amount or less. I would like to look at the small handful of transactions that exceeded $1,000.
Well, I already know that these are not representative of the population. I already know that any conclusions about this very small sample cannot be extrapolated to the population.
I don't intend to infer population characteristics from the sample. In that scenario, it's possible to use non-statistical sampling.
Sampling methods are of two types.
Attribute sampling and
variable sampling.
Let's look at attribute first.
Sometimes this is called proportional sampling.
We will select some specific attribute and look for either the presence of that attribute or the absence.
For example, I might look at those transactions that had sales tax or did not have sales tax.
This is often used in compliance testing. Our sales tax scenario is a great example. If you did not apply sales tax, did you comply with regulatory requirements for scenarios where sales tax is not required?
The conclusions are often expressed in rates of incidents. How many transactions per 100, per 10,000, or per million actually meet or fail to meet that presence or absence of the attribute?
Lots of ways to do this. You can simply sample all the transactions grabbing those that have the attribute. Or you can pick a fixed sample size, or you can pick a frequency. Another way to do this is stop or go sampling.
Let's assume you've determined that the appropriate sample size is 1,000 transactions.
You first examine the very first 1,000 transactions in the database. If they have the attribute you're looking for, you stop, and that just became the sample you'll work with. If not, you go to the next 1,000 and look again to see if that attribute exists. You'll continue this until you find a group of 1,000 that has your attribute, and that's your sample.
Discovery sampling is even less common. Essentially, you have an item that is so uncommon, so rare that you're basically waiting until it's discovered.
Now, in addition to attribute sampling, we have
variable sampling.
Variable sampling
is often used to estimate some quantitative measure like dollar value or weight. Dollar value is far more common, so this is often called dollar estimation.
Usually we're going to calculate a statistical mean for whatever measurement we're looking at.
For example, dollar. So it's also often called mean estimation sampling or quantitative sampling.
This is often applied in substantive testing and it provides conclusions related to any deviations from that norm.
There's basically two main ways to do this.
Unstratified or stratified.
Stratified simply means we've already divided up the population into ranges, such as all transactions ranging from $10 to $100,
all transactions ranging from $101 to $200, all ranging from $201 to $300, and so on and so forth. So we have stratified or unstratified.
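As an added example (not part of the course material), here is a Python sketch of the sampling ideas above applied to a constructed stand-in for Acme E-commerce's 100,000 transactions: a seeded random selection (statistical sampling), an attribute test for the sales-tax example, stop-or-go sampling over blocks of 1,000 as just described, stratified mean estimation for variable sampling, and the non-statistical pick of the handful over $1,000, which, as the text warns, must not be extrapolated to the population. The amounts, the 2% untaxed rate and the strata bands are constructed assumptions, not figures from the course.

```python
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Transaction:
    tid: int
    amount: float          # dollars
    sales_tax_applied: bool


def build_population(n: int = 100_000) -> list:
    """Constructed stand-in for the 100,000 transactions (assumed data).
    About 95% are under $100, about 4.9% are $100 to $980, and 0.1% exceed $1,000;
    every 50th transaction is missing sales tax, giving a known 2% exception rate."""
    txns = []
    for i in range(n):
        if i % 1000 == 0:
            amount = 1040 + 40 * (i // 1000)      # the rare high-value handful
        elif i % 20 == 0:
            amount = 100 + (i % 900)              # $100 ... $980
        else:
            amount = 5 + (i % 95)                 # $5 ... $99
        txns.append(Transaction(i, float(amount), i % 50 != 0))
    return txns


def random_sample(pop: list, size: int, seed: int = 1) -> list:
    """Statistical selection: every transaction has the same chance of being picked."""
    return random.Random(seed).sample(pop, size)


def attribute_rate(items: list, has_attribute) -> float:
    """Attribute (proportional) sampling result: share of items showing the attribute."""
    return sum(1 for t in items if has_attribute(t)) / len(items)


def stop_or_go(pop: list, block_size: int, has_attribute):
    """Stop-or-go sampling as described above: inspect consecutive blocks of block_size
    and stop at the first block in which the attribute appears.
    Returns (block_index, block), or None if the attribute never appears."""
    for start in range(0, len(pop), block_size):
        block = pop[start:start + block_size]
        if any(has_attribute(t) for t in block):
            return start // block_size, block
    return None


# Assumed strata bands: [low, high) in dollars.
STRATA = {"low": (0.0, 100.0), "mid": (100.0, 1000.0), "high": (1000.0, float("inf"))}


def stratify(pop: list) -> dict:
    groups = {name: [] for name in STRATA}
    for t in pop:
        for name, (lo, hi) in STRATA.items():
            if lo <= t.amount < hi:
                groups[name].append(t)
                break
    return groups


def stratified_mean_estimate(pop: list, per_stratum: dict, seed: int = 1) -> float:
    """Variable (mean-estimation) sampling, stratified: sample each stratum separately,
    then weight each stratum's sample mean by that stratum's share of the population.
    A stratum smaller than its requested sample size is examined in full."""
    rng = random.Random(seed)
    groups = stratify(pop)
    estimate = 0.0
    for name, items in groups.items():
        k = min(per_stratum.get(name, len(items)), len(items))
        sample = rng.sample(items, k)
        estimate += (len(items) / len(pop)) * mean(t.amount for t in sample)
    return estimate


def high_value_transactions(pop: list, threshold: float = 1000.0) -> list:
    """Non-statistical selection: the handful over the threshold, examined on its own.
    Nothing measured on this group says anything about the population as a whole."""
    return [t for t in pop if t.amount > threshold]


if __name__ == "__main__":
    pop = build_population()
    untaxed = lambda t: not t.sales_tax_applied
    print("untaxed rate in a 1,000-item random sample:", attribute_rate(random_sample(pop, 1000), untaxed))
    print("stop-or-go found untaxed items in block:", stop_or_go(pop, 1000, untaxed)[0])
    print("true mean:", mean(t.amount for t in pop))
    print("stratified estimate:", stratified_mean_estimate(pop, {"low": 900, "mid": 200, "high": 100}))
    print("mean of the >$1,000 handful:", mean(t.amount for t in high_value_transactions(pop)))
```

Running it shows the point of the horse-jockey story in numbers: the stratified estimate lands within a few dollars of the true mean, while the mean of the >$1,000 handful is tens of times larger and says nothing about the population.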
Computer assisted audit techniques CAATS
are often used for gathering and analyzing data from computer systems to meet some audit objective.
Now you can probably realize that with sampling of large number of transactions used in substantive testing a computer assisted audit technique is almost a requirement.
It's almost impossible to do this effectively by hand.
Using CAATs involves a few things in the process. First, you have to understand the client, the client's needs, and their goals.
That's going to help you select the appropriate computer assisted audit technique. Now, you have to ensure that that technique will obtain effective evidence.
You have to ensure that it provides data analysis. I mentioned previously that you're not going to be asked to do any sort of statistical calculation, but your computer assisted audit technique should be able to and it should be able to report on findings.
Now, these techniques are going to vary and they're based on differences in hardware, software, data structures, record formats, the general IT environment, and the processing functions.
There are lots of examples of computer assisted audit techniques.
First of all, we have generalized audit software like IDEA and ACL.
Then we have utility software.
Your transactions are undoubtedly stored in a database. Most database management systems have a variety of report writers and even the ability to extract specific elements of data.
As a side note, the CISA exam does not require you to know structured query language or SQL. However, in your actual audit practice, if you're going to rely on database management systems, particularly relational database management systems,
a basic knowledge of SQL structured query language, will allow you to extract data with all kinds of formats with all kinds of criteria and even to perform some basic statistical calculations such as calculating the mean.
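The SQL point above, as an added example that is not the course's own material: a Python script using the standard-library sqlite3 module with a constructed ten-row transactions table (assumed data, constructed for the example) to extract records by date range and amount, compute the mean, list the untaxed transactions (the attribute test from the sampling lesson) and summarise amounts by stratum. The queries are parameterised, so criteria supplied by the auditor are never spliced into the SQL string.

```python
import sqlite3

# Constructed sample rows (assumed data): (id, txn_date, amount, sales_tax)
SAMPLE_ROWS = [
    (1, "2023-01-05", 45.00, 3.60),
    (2, "2023-02-14", 250.00, 20.00),
    (3, "2023-03-03", 12.50, 0.00),
    (4, "2023-06-21", 1200.00, 96.00),
    (5, "2023-07-04", 80.00, 0.00),
    (6, "2023-09-30", 560.00, 44.80),
    (7, "2023-11-24", 99.99, 8.00),
    (8, "2023-11-25", 3100.00, 248.00),
    (9, "2023-12-01", 30.00, 2.40),
    (10, "2023-12-24", 150.00, 12.00),
]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the client's transaction table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions ("
        " id INTEGER PRIMARY KEY, txn_date TEXT, amount REAL, sales_tax REAL)"
    )
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def select_by_criteria(conn, start: str, end: str, min_amount: float) -> list:
    """Extract transactions in a date range at or above an amount.
    Values are bound as parameters; the SQL text never changes."""
    return conn.execute(
        "SELECT id, txn_date, amount FROM transactions"
        " WHERE txn_date BETWEEN ? AND ? AND amount >= ? ORDER BY id",
        (start, end, min_amount),
    ).fetchall()


def mean_amount(conn) -> float:
    """The basic statistic mentioned in the text, computed by the database itself."""
    return conn.execute("SELECT AVG(amount) FROM transactions").fetchone()[0]


def untaxed_transactions(conn) -> list:
    """Attribute test: ids of transactions where no sales tax was applied."""
    rows = conn.execute("SELECT id FROM transactions WHERE sales_tax = 0 ORDER BY id")
    return [r[0] for r in rows]


def stratum_summary(conn) -> dict:
    """Count and mean amount per band; the starting point for stratified variable sampling."""
    sql = """
        SELECT CASE WHEN amount < 100 THEN 'low'
                    WHEN amount < 1000 THEN 'mid'
                    ELSE 'high' END AS band,
               COUNT(*), AVG(amount)
        FROM transactions
        GROUP BY band
        ORDER BY band
    """
    return {band: (n, avg) for band, n, avg in conn.execute(sql)}


if __name__ == "__main__":
    conn = build_db()
    print("Nov-Dec, $100 and up:", select_by_criteria(conn, "2023-11-01", "2023-12-31", 100))
    print("mean amount:", mean_amount(conn))
    print("untaxed ids:", untaxed_transactions(conn))
    print("by stratum:", stratum_summary(conn))
```

The same queries run unchanged against a real relational database through its own driver; only the connection line differs. Working on a copy of the data extracted for the audit, rather than the live system, keeps the audit from affecting production and keeps the extract stable for the evidence record.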
Debugging and scanning software is often used in auditing the IT systems themselves. In many cases, test data is important.
You want to be able to test to ensure that your computer assisted audit technique is functioning properly.
Expert systems rely on elements of artificial intelligence. And essentially, the issue with expert systems is that they're able to answer more questions than you asked.
With normal techniques like SQL commands that we've already mentioned, you have to ask a specific question. I want all transactions in this date range with this dollar amount.
Expert systems can look at the complete body of data and often are able to pull out specific relationships you didn't know to ask for. They're less common and far more expensive.
Third party access control software can be used to audit the access control process.
Any application software tracing and mapping will allow you to map out exactly what particular software is doing and therefore audit it.
Many systems have all kinds of options built in them including reporting. All of these techniques can be used to assist in your audit.
The functional capabilities of all the generalized audit software should be as follows.
File access.
Your data is going to come to you in a variety of file structures and record formats. You need to ensure that your audit software is capable of accessing all of the record formats and structures that you need to access.
It should also provide you with reorganization so you can sort, merge, link, and index the data as you see fit.
It should give you a wide variety of data selection options, filtering data, selecting data, that sort of thing.
It should have built into it a number of statistical functions including sampling, stratification, frequency analysis, and computing basic statistics such as statistical mean, mode, standard deviation, variance, that sort of thing.
There should also be arithmetic functions and operators within the software.
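As an added illustration of the generalized audit software capabilities just listed (data selection, stratification, sampling, frequency analysis and basic statistics), together with the SQL extraction mentioned earlier, here is a small Python example written for this page; it is not code from the lesson, nor from IDEA or ACL. The ledger rows, account names, date range and strata boundaries are constructed sample data.

```python
import random
import sqlite3
import statistics
from collections import Counter

# Constructed sample ledger (not real data): (txn_id, txn_date, account, amount).
TRANSACTIONS = [
    (1, "2024-01-03", "AP-100", 45.00),
    (2, "2024-01-05", "AP-200", 180.25),
    (3, "2024-01-09", "AP-100", 250.00),
    (4, "2024-01-12", "AP-300", 95.50),
    (5, "2024-01-15", "AP-200", 120.00),
    (6, "2024-01-20", "AP-100", 310.75),
    (7, "2024-01-22", "AP-300", 60.00),
    (8, "2024-01-28", "AP-200", 199.99),
    (9, "2024-02-02", "AP-100", 275.00),
    (10, "2024-02-04", "AP-300", 15.00),
]

# Amount bands used as strata (constructed; lower bound inclusive, upper exclusive).
STRATA = [
    ("0-100", 0.0, 100.0),
    ("100-200", 100.0, 200.0),
    ("200-300", 200.0, 300.0),
    ("300+", 300.0, float("inf")),
]


def load_ledger(rows):
    """File access: load the rows into an in-memory SQLite table so they can be queried."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE txn (id INTEGER PRIMARY KEY, txn_date TEXT, account TEXT, amount REAL)"
    )
    conn.executemany("INSERT INTO txn VALUES (?, ?, ?, ?)", rows)
    return conn


def extract(conn, start_date, end_date, min_amount, max_amount):
    """Data selection: 'all transactions in this date range with this dollar amount'."""
    cur = conn.execute(
        "SELECT id, txn_date, account, amount FROM txn "
        "WHERE txn_date BETWEEN ? AND ? AND amount BETWEEN ? AND ? ORDER BY id",
        (start_date, end_date, min_amount, max_amount),
    )
    return cur.fetchall()


def mean_amount_sql(conn, start_date, end_date):
    """A basic statistic computed in SQL itself (the mean), as the lesson suggests."""
    row = conn.execute(
        "SELECT AVG(amount) FROM txn WHERE txn_date BETWEEN ? AND ?",
        (start_date, end_date),
    ).fetchone()
    return row[0]


def stratify(rows):
    """Stratification: group transactions by amount band; returns {band: [rows]}."""
    buckets = {name: [] for name, _, _ in STRATA}
    for row in rows:
        amount = row[3]
        for name, low, high in STRATA:
            if low <= amount < high:
                buckets[name].append(row)
                break
    return buckets


def stratified_sample(buckets, per_stratum, seed=42):
    """Sampling: pick up to per_stratum items from every band. The seed makes the
    selection reproducible, so the sample can be documented in the working papers."""
    rng = random.Random(seed)
    sample = {}
    for name, rows in buckets.items():
        k = min(per_stratum, len(rows))
        sample[name] = sorted(rng.sample(rows, k)) if k else []
    return sample


def stratum_stats(rows):
    """Basic statistics for one band: count, total, mean, population variance, stdev."""
    amounts = [r[3] for r in rows]
    if not amounts:
        return {"count": 0, "total": 0.0, "mean": None, "variance": None, "stdev": None}
    mean = statistics.fmean(amounts)
    var = statistics.pvariance(amounts, mean)
    return {"count": len(amounts), "total": sum(amounts), "mean": mean,
            "variance": var, "stdev": var ** 0.5}


def frequency_by_account(rows):
    """Frequency analysis: number of transactions posted per account."""
    return dict(Counter(r[2] for r in rows))


if __name__ == "__main__":
    conn = load_ledger(TRANSACTIONS)
    print("January, $100-$200:", extract(conn, "2024-01-01", "2024-01-31", 100.0, 200.0))
    print("February mean (SQL):", mean_amount_sql(conn, "2024-02-01", "2024-02-29"))
    bands = stratify(TRANSACTIONS)
    for name, rows in bands.items():
        print(name, stratum_stats(rows))
    print("sample:", stratified_sample(bands, 2))
    print("by account:", frequency_by_account(TRANSACTIONS))
```

Real audit software reads many record formats; the in-memory table here stands in for that file access layer so the selection, stratification and statistics steps can be run offline.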
This concludes knowledge statement 1.8.
CISA knowledge statement 1.9
knowledge of reporting and communication techniques including facilitation, negotiation, conflict resolution, audit report structure, issue writing, the management summary and result verification.
Communication needs to be effective and clear in order to improve the quality of the audit and maximize results.
The final product that you produce from any audit is essentially communication. There will be a written report along with an executive summary and usually a verbal briefing at the end of the audit.
No matter how effective and how high a quality your audit was, if your communication of the results and findings is inefficient, then the audit itself will be less effective.
Put another way, your report's going to have to give clear and concise as well as detailed information regarding your conclusions, your recommendations, and the basis for those conclusions and recommendations.
It's also the case that your verbal communication can either improve the audit outcome or have a deleterious effect on it.
When an argument ensues between the auditor and the auditee during the final findings report presentation, it's usually over the accuracy of the findings in the report. This makes the audit process counterintuitive, perhaps even counterproductive, and quickly dilutes the audit process and its value.
Now, you may be wondering when such an argument might occur. You have to consider the perspective of the auditee.
Many auditees will consider any deficiencies documented in your report as essentially an attack on the quality of their work, because your report is essentially stating that the current IS controls fail to meet the requisite standards.
They're substandard. They're not effective. And that is often taken as a criticism of at least certain members of the auditee's staff.
A natural and common reaction is to reject your findings, to question the accuracy of your findings, and that's where disputes will occur.
Now, we will look at some techniques both in your written report and your verbal communication that can ameliorate this situation.
Audit findings will ultimately be reported to stakeholders. Before that occurs, you need appropriate buy-in from the auditees. This is the only way to have a successful audit process and add value to the audited organization.
In other words, it's a good idea to get the appropriate IT staff members of the auditee involved before you present to stakeholders.
If you can get the IT staff to agree with your conclusions and your recommendations before presenting to stakeholders, it's much more likely that those recommendations will be agreed upon and implemented.
Throughout your entire audit,
Good communication and negotiation skills are required. And it's not possible to overemphasize this point.
You might be the most excellent information system auditor on the planet. And you might conduct a perfect audit from a technical point of view, but if you have poor communication skills that alienate the auditee, or at least members of the auditee's staff, you will decrease the efficacy of your audit.
Communication skills determine the effectiveness of the audit reporting process.
So, our main areas of coverage are how to communicate audit results, along with the Information Technology Assurance Framework section 2600 reporting standards.
In addition to the material in this lesson, it's probably a good idea to refer to that specific standard prior to taking the CISA exam.
Communication of audit results
During the exit interview, that's your final briefing with the auditee,
The IS auditor has to ensure several things.
First and foremost, make absolutely certain that the facts you present in your report are accurate.
You must be aware that anyone can make a mistake, including you or me. So first double check your results, particularly any results that point to flaws in the audited systems. For particularly egregious and significant flaws, you need to double check your accuracy.
Now part of your report will be to recommend remediation steps.
Make sure your steps that you've recommended are both realistic and cost effective. It's not helpful if your recommendations are too expensive, maybe too vague or simply unrealistic.
Then recommend specific implementation dates for those recommendations that they have agreed upon.
In other words, once you get the auditee to agree on a specific step to remediate an issue, recommend a specific date to implement it. And again, make sure that date is both realistic and cost-effective.
There's lots of things you can do in your presentation. You should always include an executive summary.
An executive summary is essentially an easy to- read concise summary of your report. It lacks some of the detail and supporting evidence, but gives the overall picture.
You may choose to use visual presentation aids such as slides or computer graphics.
I often like to include charts wherever possible.
Before you communicate any results of an audit to senior management, it's a good idea to discuss the findings with the lower level management staff and perhaps even the IT staff of the audited entity.
That way, you can work out any discrepancies or issues prior to informing senior staff.
The purpose of this is to ensure that all relevant parties agree on both what you found and the corrective actions you recommended.
Now, it's a good idea to become familiar with the ISACA standards S7 Reporting and S8 Follow-up Activities prior to taking the CISA exam. Both of those are important to know.
Let's talk about communication skills.
We've already indicated that poor communication skills can have a negative impact on the entire auditing process, particularly on the reporting and recommendation phase.
Let's start with facilitation.
There are a lot of techniques you can use to facilitate clear communication.
The first, at least in my opinion, is to put yourself in the other person's perspective.
If you are, for example, going to list an issue with network security that impacts the gateway router, how would you react to this news if you were the network administrator responsible for that router?
And how can you phrase the issue so as not to be accusatory and not to engage in conflict?
That's one step to facilitating good communication.
Another one is good listening skills.
Now, a lot of people overlook listening skills. Clearly, you're capable of hearing what the other person said, but that's not the same thing as listening.
You need to fully understand the factual information they're communicating to you and their emotional tone.
The idea of communication is to take information from party A and get it to party B. Anything that degrades the communication received is adversarial to communication.
Let me put that another way.
When you're listening, be engaged, be focused. Don't simply be waiting to talk. Listen carefully to what the person is saying, but also listen to their tone of voice, their posture, facial expressions, and try to imagine how you would feel if you were in their position.
Another thing you can use is called active listening. Where appropriate, either ask a brief clarifying question or restate what was said in your own terms and see if you're hearing what they meant you to hear.
Make absolutely sure you fully understand by facilitating your
It's also important to not use any language that's accusatory.
Let's not come across as if we're blaming the auditee's IT staff.
Now, in most cases, you're not. In most cases, they're simply human beings.
They executed very good procedures, but something was missed. That's okay. That's why we have audits.
In a few rare cases, the IT staff has egregiously mismanaged security, and it is perhaps really their fault, but you still don't want to come off saying that.
You want them to support your audit goals and recommendations and to be on board.
This also can involve negotiation and conflict resolution.
Negotiation, you have to be willing to give up something in return for something.
For example, you may be recommending a remediation step that the IT staff opposes. See if you can find a common ground. Now, don't compromise to the point that you've impacted negatively on network security.
Your idea of an audit is to improve the organizational security controls, not to damage them. So negotiation only goes so far, but you have to be actually involved and actively interested in compromise for negotiation to work.
Conflict resolution often involves some of the exact same steps I've already mentioned.
Looking at things from the other person's perspective, communicating in such a way as to not inflame any negative emotions,
not being accusatory, certainly not talking down to the person or anything of that nature. You are equals. You are colleagues. And you all have the same goal in mind. That's to have a robust security posture for the organization you're auditing.
You're all on the same team. You may have different ideas of how to get there. You may have different opinions on the specific deficiencies that need to be addressed and how they need to be addressed, but you do have the same goal.
If you keep that in mind and you communicate that through your words, your body language, and your expressions, you're going to go a long way to resolving conflict.
When you write up issues, make sure you write them up in a positive light, not an accusatory or negative light.
When you're writing your report, you're going to have individual issues that you believe are substandard and need remediation.
Think about the use of words.
For example, I just used the word substandard; that tends to have a negative connotation. Instead of talking about deficiencies, talk about room for improvement. Talk about ways to make the situation better, not necessarily how bad it is.
Now, I do not suggest that you take this to such an extreme that you're glossing over real issues.
Real issues need to be clearly and concisely described, but be careful in your language so that you're not using terms that are almost guaranteed to inflame a negative response from the auditee's IT staff.
Audit report:
Your report: we have a lot to say on the report. Let's start with the essentials that should be in there.
Obviously, the organization you're auditing, who should receive a copy of this audit, and any restrictions. Now, that may sound a little odd, but audits contain a lot of confidential information.
We shouldn't be distributing them to just anyone. Are there restrictions on circulation?
What was the scope of your audit?
Specifically, what was it you audited?
And I like to add anything that was expressly excluded. I want to be very clear in my audit that these items were not audited. And here's why.
What were the objectives of your audit?
These should be numerous. There's not just one objective, and not something generic like "to test security." You had very specific issues. We wanted to find out if the web server was vulnerable to these specific attacks.
We wanted to check to see if the authorization and access control mechanisms were resistant to these specific attacks.
We wanted to find out if the database integrity steps met these regulatory requirements. Those are specific objectives.
The period of coverage: oftentimes a year. Twelve months is a common one, a one-year audit, but you may do a six-month audit, a quarterly audit, a two-year audit, whatever. What was the period of coverage,
the nature of your audit, the techniques you used, the overall approach, that sort of thing, the timing and extent, when did you do the audit, and how extensive was it?
Obviously, your findings, this needs to be quite detailed.
Exactly. What did you find? How did you find it? And what does it mean?
Conclusions. What are your conclusions? And more particularly, your recommendations for follow-up.
And particularly, the conclusions need to be supported by solid evidence. There needs to be a clear reason for these conclusions.
It's not enough for it simply to be your opinion.
Do you have any reservations or qualifications?
For example, you might be saying that a particular security control is adequate as long as a second security control is also kept in place. There are two security controls. In our hypothetical situation, let's say a firewall and an intrusion detection system. In your opinion, the firewall is good enough.
It meets standard provided the intrusion detection system is operating normally because it can make up for whatever the firewall lacks.
Now, that's just a hypothetical. If you have any reservations or qualifications to your conclusions or recommendations at all, make sure you clearly state them in your report.
Now, you can take these finding and conclusions and organize them in a variety of ways.
One way to do that is to group them by materiality.
In other words, what is this relevant to? How material is this specific conclusion or finding? Or you might group them by intended recipient.
You always want to mention the specific faults and the constructive corrections, but you want to do it in a non-accusatory way.
Yes, you have constructive corrections. Yes, there were faults, but you want to phrase it in such a way as to ensure that the IT staff doesn't feel like they're under attack.
You must have evidence to support your results. And in many cases, this will be many pages of detailed data. So, it's common place to put those in a separate appendix.
You of course have to have your overall findings, conclusion, and opinion.
And absolutely, this has to be signed and dated.
Make sure you keep in mind and you go over again and again appropriate communication techniques.
Now, the test will ask you something about these and about reporting, but there's a limit to how much the test can cover in a written test regarding listening and verbal communication skills.
If you feel you have any lack in any of these areas, it's worth your time to take a class in appropriate listening, conflict resolution, or business communication.
This concludes knowledge statement 1.9.
Knowledge of audit quality assurance systems and frameworks.
This lesson is the beginning of our discussion of audit quality.
We will revisit that issue in subsequent lessons and it will be met again and again throughout the course.
This one will be just an introduction here.
Remember that auditing standards are the minimum parameters or minimum requirements to be taken into account of when performing an audit.
And keep that term minimum in mind.
It's always appropriate to exceed these standards. But audit standards give you a minimum level that you must achieve.
It's important for any information systems auditor to understand the impact of the information systems environment on traditional auditing practices and techniques. This is to ensure that audit objectives are achieved.
Put another way, there are a number of auditing techniques and practices, some of which have been borrowed from other domains outside of information systems.
You need to know your specific information system environment that you're working with and how it might impact your practices and
Control self assessments. This is going to be a major part of this particular lesson.
In this process, the auditor is basically acting as a facilitator, assisting the business process owners in defining and assessing appropriate controls.
Now, the IS auditor doesn't actually conduct the control self assessment.
The process owner does.
The auditor helps them to take into account the risk appetite of the organization and how that control fits into the overall organizational strategy.
This is done because process owners are often in the best place to define appropriate controls because they have an intimate knowledge of that process.
Consider controls designed to protect your database. who understands those needs better than the database administrator.
However, the IS auditor can help that process owner, in our scenario a database administrator, understand the need for controls based on business risk.
What is the business appetite for risk? What are other controls in place outside the database domain that might impact it?
There are a lot of broader factors the IS auditor can assist with.
Main areas of coverage
So, the main areas we're going to look at under this knowledge statement are as follows. We're going to start looking at audit programs and methodologies. We'll revisit that again in more detail in later lessons. We're going to take a look at audit objectives. We're also going to start our evaluation of audit strengths and weaknesses. The major focus of this lesson is control self-assessments.
Now, let's stop right there.
What does a control self assessment have to do with quality assurance?
Well, let's assume this organization in question does a full audit every year.
That may be inadequate. Control self assessments allow business process owners to evaluate specific controls within their domain of influence and to assure compliance with various standards at any point during the year.
They can do it quarterly, monthly, or as needed. That's always going to impact positively the quality of your audit.
We're going to look at the objectives, advantages, and disadvantages of the control self-assessment. We're going to examine the auditor's role in a CSA, and we'll talk about using the services of other auditors and experts. We'll also look at the traditional versus CSA approach.
Now, before we move on,
let's discuss using the services of other auditors and experts.
This is a relatively brief but important subsection of this knowledge statement.
First of all, we might rely on other auditors, particularly if an auditor came in and recently did an audit of a specific system.
Let's assume you're doing a general audit of an enterprise, but just last month they had a PCI compliance audit.
It's probably not cost effective for you to repeat the same things that were done in the PCI compliance audit. So you might include by reference that audit in your audit report and use the conclusions of that audit to help you conduct your own audit.
Now obviously there's always a concern that you're relying on the product of another auditor depending on the scope and the level of reliance.
This doesn't need to be too great a concern. Normally, you do this when a very specific audit was recently done for a specific purpose and you're only relying a little bit on that auditor's
You also may frequently need to rely on experts. Let's assume in the process of your auditing, you have to check compliance on a web server. The web server is a Linux-based server running Apache.
You are strictly a Windows person. You know nothing about Linux or Apache other than the names.
It's probably inappropriate for you to audit that system without some assistance from someone more knowledgeable in Linux and Apache. This is a frequent thing in audits. You cannot know everything.
So, from time to time, you're going to have to rely on an expert in a specific technology field.
Control self assessment:
Now, let's start looking at CSA.
This is a methodology used to review key business objectives.
Let's start with that. CSAs are limited.
We have a specific business objective in mind.
We have risks only those associated with that specific objective and only those internal controls designed to mitigate those specific risks.
Now, the CSA takes that very narrow view and gives us a formal documented process to collaborate on assessing that specific control.
Think for a moment about the name control self assessment.
We're going to look at a specific control or at most a grouping of very closely related controls. We're going to assess the efficacy of those controls as compared to some standard. And this is going to be a self assessment.
It's going to be conducted by the process owner that owns those controls.
This can be a management technique used to assure stakeholders, customers, and any other relevant party that the internal control systems are reliable.
It's helpful in between audits. If you do an annual audit, you may wish to quarterly, monthly, or as needed do a quick CSA.
It can also be used to recheck very specific critical processes.
Because it's a self assessment, it ensures employees are aware of business risk and that they're conducting periodic proactive reviews of controls.
The term proactive is critical. We would like these to be done on a periodic basis, not only done in response to an incident.
Let's not wait till something negative has occurred that indicates some gap in our controls. Let's proactively evaluate. Let's not even wait for the annual review. If we have a concern, let's conduct a CSA and evaluate the concerned controls.
Now, a CSA can involve any number of tools or techniques on a continuum of sophistication. It could be as simple as a questionnaire. It could be a facilitated workshop involving tools, techniques, and studies.
The simple questionnaire, let me give you an example of that.
Perhaps you're doing a control self assessment on a policy that's meant to control some issue. A simple questionnaire sent to relevant employees can help you ascertain whether or not the policy is being applied or not.
In a facilitated workshop, a little more time is required because individuals related to the group of controls or the specific control in question get together.
The process is usually facilitated by an IS auditor but still the process owners work together through this workshop to do a control self assessment.
Objectives of a CSA
What are the objectives of a CSA? Well, let's start with leveraging the internal audit function.
We should have some level of internal audit functionality even if we periodically and routinely do extensive external audits.
With the CSA, we're taking some of that internal audit function and shifting some of the control monitoring responsibilities out to the functional areas.
This does two things. It distributes the workload more evenly, but it also puts the line managers who are directly working with the processes and systems in question directly in charge of monitoring the controls within their sphere of influence.
This can also be used to educate management on control design and monitoring. Now, the COBIT standard provides some guidance on the development of a CSA.
Let's take a brief look at COBIT.
First and foremost, you should know that COBIT was designed and developed by ISACA. Given that the CISA exam is also designed and developed by ISACA, it should come as no surprise that you can expect a great many COBIT questions on the exam.
What we're doing in this particular lesson is introducing you to COBIT. You're going to see much more in-depth details on COBIT as we go throughout this course.
COBIT is an acronym for control objectives for information and related technology.
ISACA first released the standard in 1996. It's been revised several times.
In 2005, it became an International Organization for Standardization standard called ISO 17799:2005.
The current version as of this video was published in 2012 and it's COBIT 5. There are 134 detailed information security controls based on 11 areas.
Now, you're not going to have to memorize all 134 information security controls, but you will need to have a general understanding of COBIT. And I would suggest beginning by memorizing these specific facts you see on the screen.
Benefits of CSA:
Now, as an auditor, you might be a little suspicious of the control self assessment. Isn't an external auditor more objective? Well, usually they are.
They're also more experienced at auditing. So what are our advantages of a CSA?
Put another way, why do people do them?
Early detection of risk may be the most important.
Comprehensive audits can be very effective, but due to their resource intensive nature, they don't happen quickly enough.
You're lucky if they happen once a year, sometimes not even that often.
A CSA can be conducted much more frequently, providing early detection of risk as opposed to waiting for the next full audit.
This will lead to more effective and improved internal controls because the process owners that understand those processes and controls better than almost anyone else
are the ones assessing their controls. They're better positioned to give feedback and perhaps recommend changes.
This gets employees involved in the auditing process which creates a more cohesive team. The employees and the auditors are working closely together.
The employees now have a sense of ownership of the controls. They are directly auditing or at least assessing their own controls and they feel more a part of the process
because in between major audits you're doing CSAs. You're finding and either correcting problems or perhaps establishing and confirming that controls are effective in between the audits.
This is going to improve your audit rating process and it's going to reduce control cost. We don't wait until an incident has occurred and we don't wait till an extensive audit to identify any control deficiencies.
We can do that at any time via CSA.
This is also going to cause an increased communication between operations and top management because the operations personnel conducting the CSA will have to be discussing the results with upper management.
This can lead to highly motivated employees since they're involved directly in their own control assessment. They have much more of a stake in it. They're much more motivated, much more engaged.
This also provides assurance to both customers and other stakeholders that you are routinely checking critical controls.
And that's a point we haven't discussed deeply enough yet.
How do you pick the target of a CSA? You don't just check any system because although a CSA is quicker and easier than an actual audit, it still does take some time and resources.
The way you select the targets for a CSA is to pick those systems or those controls you have the most concern over, based on prior risk analysis.
Disadvantages of CSA
There are some disadvantages.
Some people may think, well, if we're doing these CSAs, do we really need a full audit?
Well, a CSA is not a replacement for audit.
Obviously, the people doing the CSA are going to perceive this as an additional workload.
They may already be taxed to the limit of their capabilities.
If the employees take the time to be fully engaged, fully motivated, conduct the self assessment, come up with improvement suggestions, and they're ignored, that can be damaging to employee morale.
They can begin to view their self assessments as a simple wasteful exercise and become less engaged and they'll become less effective.
Inadequate motivation will limit the effectiveness in discovery of weak controls. If the people doing the self assessment are not motivated to do it or not totally engaged then it will be ineffective.
Now remember, in a CSA the auditor is not conducting the assessment; the process owner is. So what is the auditor's role in a CSA?
The auditor acts as a control professional and assessment facilitator.
Basically, the management staff and the process owners are doing the CSA, not the auditor.
All you can do is provide expert consulting and to facilitate assessments as needed, answer questions, recommend tools or techniques, that sort of thing.
CSA VS traditional approach
So, let's look at the CSA and traditional approach.
In a traditional audit approach, tasks are assigned. Now, some of those tasks may be assigned to employees within the organization. Most will be done by the audit staff.
In a CSA, the employees themselves are empowered, but they're also accountable for the results.
Traditional audits are driven by policy requirements. Period.
CSAs are a continuous improvement learning curve. You do them whenever it's necessary. You learn and you improve.
With a traditional audit, there's very limited employee participation.
With the CSA, there's extensive participation and training.
That is probably the most obvious difference between a CSA and an audit.
In a traditional audit, there's limited stakeholder focus. The stakeholders are simply initiating the audit.
In the CSA, there's a broader stakeholder focus.
The traditional audit is done by auditors and other specialists.
The CSA is conducted by staff at all levels.
Anyone who's directly related to the business process or the controls for that business process can be involved in a CSA.
This concludes knowledge statement 1.10.
knowledge statement 1.11.
knowledge of various types of audits, internal, external, financial, etc. and methods for assessing and placing reliance on the work of other auditors or control entities.
Within the scope of this knowledge statement, we're going to examine the nuanced differences between internal and external audits, when one or the other is appropriate, and their weaknesses and strengths.
We're also going to take a look at specific domain audits: a financial audit, a PCI compliance audit, audits that have a very narrow scope.
We're also going to look at criteria for relying on the work product of other auditors.
Now, we've looked at the strengths and weaknesses.
When are good times to use an internal audit?
First of all is a pre-audit.
If you have an external audit that could have severe repercussions if you fail it, such as regulatory compliance audits or legal compliance audits,
you might wish to do a pre-audit several weeks in advance so you have an opportunity to identify and correct issues before the formal audit.
You may wish to check periodically to ensure that you're in compliance with various regulations, laws, and industry norms.
If there's been an incident such as a cyber breach or virus outbreak, it's often a good idea to do at least a limited post-incident audit. That allows you to identify the extent of the breach, problem or incident and to look and see if there are other vulnerabilities that could lead to a repetition of that same incident.
If you have specific processes or systems that are often targeted, those might require internal audit.
What about external audits?
What are their strengths and weaknesses?
The first obvious strength is they are totally unbiased. Another strength is presumably these are audit professionals.
Their primary job function is to conduct audits.
They've learned a lot from all of the other audits of other organizations they've conducted, things that your internal team could not possibly know due to their limited exposure.
The weaknesses of an external audit are first and foremost cost. It's expensive. It costs a lot to bring in external firms or teams to audit your systems.
It's also not as easy to schedule. These audit teams are always conducting audits all over the country or world. You may have difficulty scheduling one exactly when you need it.
They're often used to absolutely ensure you're in compliance.
Many industry standards and many legal requirements require that you have an external audit, and so do many regulatory requirements. They insist that the audit be done externally.
Also, a general overall audit of your system from an unbiased professional auditor can be an excellent way to check to see if your system is actually in compliance.
It's not a case of whether you should use internal or external.
You should actually use both.
It's a case of when to use one or the other.
Specific domain audits.
You might have a financial audit.
You're looking at those systems directly involved in financial transactions.
There are sometimes regulatory audits.
If you're in a business that does banking or health care, you have specific regulations and you must have audits to see if you're in compliance with those regulations.
If you process credit card payments, the Payment Card Industry Data Security Standard requires periodic PCI audits. So you have to have an audit, and the sole goal of that audit is to determine whether or not you're in compliance with the PCI data security standards.
You might have specific IT audits.
For example, you may wish to audit just the web and e-commerce systems, or maybe just the database systems, or just the network infrastructure.
Any item that requires attention outside of that of a general audit.
There are lots of occasions where you might do a specific domain audit.
For the last category we looked at, IT-specific audits, you might do a risk analysis to determine which of your systems is most vulnerable, and periodically do an internal domain-specific audit of that specific system.
RELIANCE ON OTHER AUDITORS:
There are occasions when you need to rely on other auditors work.
It's always a good idea to look at previous audits, if their reports exist. That will allow you to see if the items listed for remediation in those audits have since been addressed.
It will let you see if there's been a persistent problem that's existed throughout many audit periods.
It will allow you to compare and contrast what you find with what past auditors have found.
It may be the case that you need to incorporate other audits into your audit report.
For example, if two months ago there was a PCI audit or an internal database specific audit, rather than repeat those audit processes and steps,
you might wish to incorporate them within your own audit. That's usually more cost-effective.
Now, one of the things you want to look out for is ensuring that you're not incorporating or relying on a past audit or other audit that wasn't appropriately done.
Any experienced auditor should be able to review an audit report and determine if it was appropriate, complete, and reliable.
You do that by looking at the evidence presented. Take a close look not just at the other auditor's conclusions, but at the evidence on which he or she based those conclusions.
Audit factors
There are several factors to be considered in any audit,
whether it's internal or external, domain specific, it doesn't matter.
What is the audit subject?
What's the area to be audited?
This needs to be quite specific. You can't say, "I just want to audit all my systems."
What specific things are going to be checked? This will often be a detailed inventory of the systems and processes to be audited.
What are your objectives?
Now, this is normally not a single objective. It's a list of subobjectives. And in some cases, that can go many levels deep. You might have subobjectives to subobjectives to subobjectives.
For example, your goal is to preserve the integrity of financial transactions. That's a high-end high-level objective.
Beneath that, since you do e-commerce, you want to ensure the security of your web server and the integrity of web-based transactions.
Beneath that, you want to specifically test to see if your e-commerce site is vulnerable to cross-site scripting.
So you can see how we have subobjectives.
Audit scope is also important.
What are the constraints to audit the specific system, function, unit or period of time?
In other words, you've been given a scope that may limit the time period of the audit, what systems you're going to audit, how much you can audit, how disruptive your audit can be.
All of these are issues that should be taken into account when conducting any audit.
This concludes knowledge statement 1.11.
We're going to talk about some exam pointers for domain one.
And we'll talk about these for all the domains.
Do keep in mind that I'm not saying that this is all you need to know for this domain.
I'm saying these are points that are so key that if you don't know them,
you have no chance of passing the test.
So, I'm going to read some of these. I won't read every single one of them because you can read them yourself, but some bear a little comment.
The auditor is a facilitator in a control self-assessment.
That's listed first because it's an important point to keep in mind and you'll definitely be asked about it.
Control self-assessment enhances audit responsibility.
In other words, individuals are basically checking their own controls. Now, these are two different points about the control self assessment. You should expect to see quite a few.
Number four is one of my favorites. If you don't have authentication and identification as part of your access control, you just don't have accountability at all.
Responsibility and accountability can be established by use of audit trails.
That's point number eight. Very important to keep in mind that the whole point of an audit is checking for responsibility and accountability.
Now again, it's not important that I read these to you.
You're certainly capable of reading.
I am simply pointing out a few key ones that are of most importance.
Identifying those high-risk areas should be one of the first things to look at when you're going to start auditing and monitoring
because those are the areas you need to audit.
Now, these next few points are all talking about risk, and risk-based auditing is an important part of the CISA, so you should expect to see questions about it.
Knowing about risks such as inherent risk, known threats and their impact, things like that, is very important for the CISA exam.
Detection of risk can be minimized by use of statistical sampling. What we mean is the work you put into detecting risk, not the actual detection.
So statistically sampling things allows you to detect risk without having to look at each and every thing.
These are just a few pointers. Really make sure you know all of the major concepts of domain one. Now you've completed domain one.
Let's summarize what we covered.
In domain one, we outlined the framework for performing an IS audit.
We looked specifically at mandatory requirements, what an IS audit's mission is and what auditors actually do, what the best practices are for an effective IS audit, and the basic process of auditing.
This is a fundamental lesson that gets you comfortable with the basic process of auditing.
This will form the basis and the foundation for the additional lessons we'll cover in the other four domains.
This concludes domain one.
Domain 5 Protection of Information Assets 26 percent
By the end of this domain you should be able to:
understand and provide assurance that the enterprise's security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets;
detail the design, implementation and monitoring of security controls;
discuss the risks associated with the use of mobile and wireless devices;
understand encryption techniques such as public key infrastructure, and risks related to data leakage;
detail network detection tools and techniques;
discuss how confidential information can be stored, retrieved, transported and disposed of.
The following screen gives an overview of this domain.
An information asset is a component related to the provision of accurate data or information for decision-making purposes by an entity.
It is considered to hold value to that particular organization and should therefore be protected by ensuring confidentiality, integrity and availability (CIA).
Examples of information assets are:
information or data;
computer application systems;
computers: personal computers (PCs), laptops, PDAs, phones;
networks: local area networks (LANs), wide area networks (WANs), wireless networks;
human resources, facilities;
main distribution facilities (MDFs);
data centers and server rooms; and
other technologies, such as database technologies, among others.
Let us continue with the overview.
The risks to business include:
financial loss, electronic fraud;
legal repercussions, privacy issues;
loss of credibility or competitive edge;
blackmail, industrial espionage;
sabotage; and
breach of confidentiality.
Security failures can be costly to a business, as more costs are incurred to secure systems and prevent further failure.
Furthermore, costs are incurred from the losses from the failure itself and when recovering from such losses.
Let us now look at threats to information assets.
The threats to information assets include:
hackers, crackers, phreakers;
authorized or unauthorized employees;
IS personnel and users;
former employees;
interested or educated outsiders, competitors, organized criminals;
part-time and temporary personnel;
vendors and consultants; and finally
accidental ignorance.
Key knowledge statement: understand the techniques for the design of security controls, including security awareness programs.
Discussing design, implementation and monitoring:
Security needs to be aligned with business objectives to provide a reasonable reduction in risk.
Security objectives may include the following:
ensure the continued availability of information systems;
ensure the integrity of information stored on its computer systems, and its security while the information is in transit;
preserve the confidentiality of sensitive data while stored and in transit;
ensure compliance with applicable laws, regulations and standards.
Let us continue discussing design, implementation and monitoring on this screen.
Ensure adherence to trust and obligation requirements for any information assets, in accordance with the applicable privacy policy or privacy laws and regulations.
Prudence in the application of controls is important, because controls entail a cost, either directly or indirectly, by impacting business operations.
The business impact analysis (BIA) is the process used to establish the material adverse events the business should be worried about.
The main areas to cover here are:
key elements of information security management;
critical success factors to information security;
inventory and classification of information assets;
network infrastructure security;
information security management.
Information Security Management
Effective ISM is the most critical factor in protecting information assets and privacy. The factors that raise the profile of information and privacy risk include:
electronic trading through service providers and directly with customers;
loss of organizational barriers through the use of remote access facilities; and
high-profile security exposures: viruses, denial of service (DoS) attacks, intrusions, unauthorized access, disclosures, identity theft over the Internet, etc.
Security awareness and education through training and regular updates:
written policies and procedures, and updates;
non-disclosure statements signed by employees;
newsletters, web pages, videos and other media;
visible enforcement of security rules;
simulated security incidents and simulated drills;
rewards for reporting suspicious events;
periodic audits.
Monitoring and compliance: control includes an element of monitoring, and usually relates to regulatory and legal compliance.
Incident handling and response.
Roles and responsibilities
Roles and responsibilities under information security management.
The security objectives to meet business requirements are:
to ensure continued availability of information systems;
to ensure integrity of information stored in systems and while in transit;
to preserve confidentiality of sensitive data;
to ensure conformity to applicable laws, regulations and standards;
to ensure adherence to trust and obligation requirements;
to ensure protection of sensitive data.
Data integrity, as it relates to security objectives, generally refers to the accuracy, completeness, consistency (or neutrality), validity and verifiability of the data once loaded on the system.
Integrity refers to the reliability of data.
Key elements of ISM:
Senior management commitment and support: risk management begins at the top.
Policies and procedures: the framework that captures top management's declaration of direction.
Organization: clearly defined and allocated roles and responsibilities, supplemented with guidance; usually relates to regulatory and legal compliance.
Roles and responsibilities must be defined, documented and communicated to personnel and management.
IS security steering committee: represented by individuals from various management levels. It discusses and approves security policies, guidelines and procedures with input from end users, executive management, auditors, security administration, IS personnel and legal counsel.
The committee is formally established with appropriate terms of reference.
Executive management: responsible for the overall protection of information assets and for issuing and maintaining the policy framework.
Security advisory group: responsible for defining the information risk management process and the acceptable level of risk, and for reviewing security plans. It is comprised of people involved in the business and provides comments on security issues to the chief security officer (CSO). It also advises the business on whether the security programs meet business objectives.
Chief information security officer (CISO): a senior-level corporate official responsible for articulating and enforcing the policies used to protect information assets. The CISO has a much broader role than the CSO, who is normally responsible only for physical security within the organization.
Information asset owners and data owners: entrusted with the responsibility for the owned asset, including performance of a risk assessment, selection of appropriate controls to mitigate the risk, and acceptance of the residual risk.
Process owners: ensure that appropriate security measures consistent with organizational policy are maintained.
Users: comply with the procedures set out in the security policy and adhere to privacy and security regulations, often specific to sensitive data (for example health, legal, finance, etc.).
Chief privacy officer (CPO): a senior-level corporate official responsible for articulating and enforcing the policies used to protect customers' and employees' privacy rights.
External parties: follow the procedures set out in the security policy. They adhere to privacy and security regulations, often specific to sensitive data (for example health, legal, finance, etc.).
Information security administrator: a staff-level position responsible for providing adequate physical and logical security for IS programs, data and equipment, normally guided by the information security policies.
Security specialists and advisors: assist with the design, implementation, management and review of security policies, standards and procedures.
IT developers: implement information security within their applications.
IS auditors: provide independent assurance on the appropriateness and effectiveness of information security objectives and the controls related to these objectives.
System access permissions
System access permission is the ability to do something with a computer resource: read, create, modify or delete a file or data; execute a program; or use an external connection.
It is controlled at the physical and/or logical level.
Logical controls govern access to information and programs. They are built into the operating system, invoked through access control software, and incorporated in application programs, DBMSs, network control devices and utilities.
Physical controls restrict the entry and exit of personnel and the movement of equipment and media. They include badges, memory cards, keys and biometrics.
Access is granted on a documented need-to-know basis, with a legitimate business requirement, based on the least privilege and segregation of duties principles.
Access principles relate to four layers of security, namely:
network;
platform (typically the operating system);
database; and
application.
Mandatory and discretionary access controls
Mandatory access controls (MACs) are logical access controls that cannot be modified by normal users or data owners.
They act by default and are used to enforce critical security without possible exception.
Only administrators can grant a right of access, guided by an established policy of the organization.
Discretionary access controls (DACs) are controls that may be configured or modified by the users or data owners.
Access may be activated or modified by a data owner.
DACs cannot override MACs; they act as additional filters to restrict access further.
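The MAC/DAC relationship described above, as an added example (not part of the course material): an administrator-assigned sensitivity label and clearance form the mandatory layer, an owner-managed ACL forms the discretionary layer, and the check applies MAC first so that an owner's grant can narrow access but never widen it past policy. The sensitivity ladder, users and file are constructed for the demo.

```python
"""Mandatory vs. discretionary access control.

Added example; not part of the course material. It models the rule from
the text: MACs are set by administrators from policy and cannot be
changed by normal users or data owners; DACs are owner-managed; a DAC
may further restrict access but can never override a MAC decision.
The sensitivity levels, users and file are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed sensitivity ladder, lowest to highest (assumption).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class User:
    name: str
    clearance: str  # MAC attribute, assigned by administrators


@dataclass
class Resource:
    name: str
    owner: str
    label: str  # MAC label, assigned by administrators
    # DAC layer: owner-managed ACL, grantee -> permitted operations
    acl: Dict[str, Set[str]] = field(default_factory=dict)


def mac_permits(user: User, res: Resource, op: str) -> bool:
    """Mandatory check. Simple lattice rule used for illustration:
    read requires clearance >= label, write requires an exact match."""
    u, r = LEVELS[user.clearance], LEVELS[res.label]
    if op == "read":
        return u >= r
    if op == "write":
        return u == r
    return False


def dac_permits(user: User, res: Resource, op: str) -> bool:
    """Discretionary check: the owner is always permitted, others need an ACL entry."""
    if user.name == res.owner:
        return True
    return op in res.acl.get(user.name, set())


def grant(owner: User, res: Resource, grantee: str, op: str) -> None:
    """Owners edit only the DAC layer; the MAC label is not theirs to change."""
    if owner.name != res.owner:
        raise PermissionError(f"{owner.name} does not own {res.name}")
    res.acl.setdefault(grantee, set()).add(op)


def check_access(user: User, res: Resource, op: str) -> Tuple[bool, str]:
    """MAC is evaluated first and is decisive when it denies; DAC is then
    applied as an additional filter, so a DAC grant can never widen access."""
    if not mac_permits(user, res, op):
        return False, "denied by mandatory policy"
    if not dac_permits(user, res, op):
        return False, "denied by owner's discretionary ACL"
    return True, "allowed"
```

The owner granting "read" to a user whose clearance is below the file's label changes nothing, which is the point the text makes about DACs acting only as additional filters.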
Privacy management issues and the role of IS auditors
Privacy issues relate to personally identifiable information, for example a personal identification number (PIN).
Regulations generally restrict the use of such data by giving the subject individual rights to access and correct that data.
They also govern how such data is obtained, requiring the knowledge and consent of the data subject.
The impact of risks, including marketing risks, transborder data flows and variations in regulations, may require privacy experts during risk assessment.
The goals of a privacy impact assessment are:
identifying the nature of personally identifiable information relating to business processes;
documenting the collection, use, disclosure, storage and destruction of personally identifiable information;
providing management with an understanding of privacy risk and options to mitigate this risk;
ensuring accountability for privacy and facilitating compliance with relevant regulations.
IS audit considerations relating to privacy include the adequacy of the privacy assessment, for example compliance with the privacy policy, laws and other regulations, and the manner in which it is used for competitive gain.
Another consideration is the ongoing assessments conducted when new products, services, systems, operations, processes and third parties are under consideration.
Besides, transborder and multinational laws should also be considered.
The focus and extent of a privacy impact assessment may depend on changes in technology, processes or people, as shown below.
Information security and external parties
Human resources security and third parties
Security roles and responsibilities of employees, contractors and third-party users should be defined and documented in accordance with the organizational security policy.
Information security policies guide employees, contractors and third-party users.
Information security and external parties
The security of information and processing facilities must be maintained when external party services or products are introduced.
Controls must be agreed to and defined in a formal agreement.
The organization must have the right to audit the implementation and operations.
External party arrangements include:
service providers: ISPs, network providers;
managed security services;
customers;
outsourcing of facilities and/or operations, IT systems, data collection services;
management and business consultants, and auditors;
developers and suppliers;
cleaning, catering and other outsourced support services.
Others include temporary personnel, student placements and other casual short-term appointments.
The risks related to external party access arise when information processing facilities are required to be accessed by external parties.
These types of access include:
physical access;
logical access;
network connectivity between the organization and the external party;
the value and sensitivity of the information involved and its criticality for business operations; and
legal and other regulatory requirements.
Security in relation to customers involves identifying security requirements for customer access.
The customer access security considerations are:
asset protection;
description of the product or service to be provided;
reasons, requirements and benefits for customer access;
access control policy;
arrangements for reporting, notification and investigation of information inaccuracies;
target levels of service and unacceptable levels of service;
right to monitor and revoke any activity related to an organization's assets;
intellectual property rights and copyright assignment.
Monitoring and responding to security incidents
Key knowledge point: the processes related to monitoring and responding to security incidents, for example escalation procedures and the emergency incident response team.
A formal incident response capability should be established to minimize the impact of security incidents, to recover in a timely and controlled manner, and to learn from such incidents. A history should be kept through proper recording of incidents.
While security management may be responsible for monitoring and investigating events, and may have drafted or set a requirement for escalation procedures, other functions must be involved to ensure a proper response.
These functions must have well-defined and communicated processes in place that are tested periodically.
The main areas covered here are security incident handling and response.
Incident handling and response
An incident is an adverse event that threatens some aspect of information security. To minimize damage from security incidents, and to recover and learn from such incidents, a formal incident response capability has to be established. It includes:
planning and preparation;
detection;
initiation;
recording;
evaluation;
containment;
eradication;
escalation;
response;
recovery;
closure; and
post-incident review.
Incident handling and response
Procedures are defined for reporting different types of incidents.
The process involves quick reporting and collection of evidence, a formal disciplinary process and, where applicable, automated intrusion detection systems.
Incident handling and response roles involve:
a coordinator, who is the liaison to business process owners;
a director, who oversees the incident response capability;
managers, who manage individual incidents;
security specialists, who detect, investigate, contain and recover from incidents;
non-security technical specialists, who provide assistance with subject matter expertise;
business unit leader liaisons, which include legal, HR and PR.
Logical access controls
The knowledge point to learn here is logical access controls for the identification, authentication and restriction of users to authorized functions and data.
Logical access controls are used to manage and protect information assets. Controls enact and substantiate the policies and procedures designed by management to protect information assets.
Controls exist at both the operating system level and the application level, so it is important to understand logical access controls as they apply to systems that may reside on multiple operating system platforms and involve more than one application system or authentication point.
Logical security is often determined based on the job function of users. The success of logical access controls is tied to the strength of the authentication method, for example strong passwords.
All user access to systems and data should be appropriately authorized and should be commensurate with the role of the individual.
Authorization generally takes the form of signatures, physical or electronic, of relevant management.
The strength of the authentication is proportional to the quality of the method used. Strong authentication may include dual or multifactor authentication using user ID, password, tokens and biometrics.
The main areas covered here are:
Logical access
Logical access controls are the primary means used to manage and protect information assets.
Exposures can range from minor inconveniences to a total shutdown of computer functions.
Logical access controls involve managing and controlling access to information resources. They are based on management policies and procedures for information security.
Logical access controls must be evaluated vis-à-vis information security objectives.
Familiarization with the IT environment helps in determining which areas, from a risk standpoint, warrant IS auditing attention.
This includes reviewing the security layers associated with the IS architecture: network, OS, database, application.
Paths of logical access: points of entry to the IS infrastructure include back-end and front-end systems, internally based users, externally based users, and direct access to specific servers.
All points of entry must be known.
General points of entry relate to the network or telecom infrastructure in controlling access to information resources: a typical client-server environment, primary domain controllers, network management devices (for example routers and firewalls).
General modes of access: network connectivity, and remote access (remotely dialing into a network for services that can be performed remotely, for example email).
Traditional points of entry are mainly applicable to mainframe-based systems used for large database systems or legacy applications.
Operator console: these are privileged computer terminals that control most computer operations and functions. They provide a high level of system access but do not have strong logical access controls. The console is located in a suitably controlled facility so that physical access can only be gained by authorized personnel.
Online workstations in client-server environments: this method typically requires at least a logon ID and password to gain access to the host computer system. It may also require further entry of authentication or identification data for access to application-specific systems.
IS resources are more accessible and available anytime and anywhere; computers store large volumes of data; sharing of resources has increased from one system to another; and accessibility has increased through the internet and intranets.
Logical access control software has become critical in protecting IS resources.
It prevents unauthorized access to and modification of sensitive data, and unauthorized use of critical functions.
It is applied across all layers of the IS architecture: network, OS, DBMS and applications.
Common attributes of this software are that it has some form of identification and authentication, provides access authorization, checks specific information resources, and provides logs and reporting of user activities.
The greatest degree of protection is applied at the network and platform (OS) level, mainly because it is the primary point of entry to systems. Besides, it is the foundation (primary infrastructure) on which applications and DBMSs will reside.
OS access control software also interfaces with databases and/or applications to protect system libraries and data sets.
Network devices, for example routers and firewalls, manage external access to networks and thus need the highest degree of protection.
General OS/application access control software functions include:
creating or changing user profiles;
assigning user identification and authentication;
applying user logon limitation rules, for example restricting logon IDs to specific workstations at specific times;
establishing rules for access to specific resources;
creating individual accountability and auditability by logging user activities;
logging events; and
reporting capabilities.
Database or application level controls create or change data files and database profiles.
They also verify user authorization at the application and transaction level, within the application, and at the field level for changes within the database.
They also verify subsystem authorization for the user at the file level.
In addition, they log database/data communications access activities for monitoring access violations.
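Two of the access control software functions listed above, logon limitation rules and logging for individual accountability, as an added example that is not part of the course material. The profiles, workstation names and requests are constructed; every decision, including denials for unknown IDs, is written to the audit trail so that activity can be traced back to a logon ID.

```python
"""Logon limitation rules with an audit trail.

Added example; not part of the course material. It models two of the
access control software functions listed in the text: restricting a
logon ID to specific workstations at specific times, and logging every
access decision so activity can be traced to an individual.
The user profiles and requests are constructed for the demo.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Set, Tuple


@dataclass
class Profile:
    logon_id: str
    workstations: Set[str]       # terminals this ID may log on from
    window: Tuple[time, time]    # permitted logon hours (local time)
    resources: Set[str]          # resources this ID is authorized to use


@dataclass
class AuditTrail:
    events: List[dict] = field(default_factory=list)

    def record(self, **event) -> None:
        self.events.append(event)

    def for_user(self, logon_id: str) -> List[dict]:
        """Accountability: every decision attributable to one logon ID."""
        return [e for e in self.events if e["logon_id"] == logon_id]


def logon_permitted(profile: Profile, workstation: str, when: datetime) -> Tuple[bool, str]:
    """Apply the logon limitation rules (workstation, then time window)."""
    if workstation not in profile.workstations:
        return False, "workstation not permitted"
    start, end = profile.window
    if not (start <= when.time() <= end):
        return False, "outside permitted hours"
    return True, "ok"


def request_access(profiles: Dict[str, Profile], trail: AuditTrail, logon_id: str,
                   workstation: str, resource: str, when: datetime) -> bool:
    """Decide one access request and write the decision to the audit trail.
    Every outcome is logged, including failures for unknown IDs."""
    profile = profiles.get(logon_id)
    if profile is None:
        granted, reason = False, "unknown logon ID"
    else:
        granted, reason = logon_permitted(profile, workstation, when)
        if granted and resource not in profile.resources:
            granted, reason = False, "resource not authorized"
    trail.record(timestamp=when.isoformat(), logon_id=logon_id,
                 workstation=workstation, resource=resource,
                 granted=granted, reason=reason)
    return granted
```

An auditor reviewing `trail.for_user(...)` sees who attempted what, from where, when, and why it was refused, which is the "individual accountability and auditability" the text describes.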
Security controls related to hardware and system software
Knowledge of the security controls related to hardware and system software, for example applications, operating systems and database management systems.
Access control software utilizes both identification and authentication (I&A).
Once authenticated, the system then restricts access based on the specific role of the user.
I&A is the process by which the system obtains an identity from a user and the credentials needed to authenticate that identity, and validates both pieces of information.
I&A is a critical building block of computer security, since it is needed for most types of access control and is necessary for establishing user accountability.
For most systems, I&A is the first line of defense, because it prevents unauthorized access by users or processes to a computer system or an information asset.
Security controls related to hardware and system software:
Logical access can be implemented in various ways. The IS auditor should be aware of the strengths and weaknesses of various architectures, such as single sign-on (SSO), where a single authentication enables access to all authorized applications, identity management, and multifactor authentication.
If this risk is considered manageable, it should drive the implementation of multifactor authentication.
The main areas covered here are identification and authentication, and single sign-on (on the next screen).
Identification and authentication
Identification and authentication involves proving one's identity, which is authenticated prior to being granted access.
It is a critical building block of IS security: it is the basis of most access control systems and the first line of defense, preventing unauthorized access.
I&A also establishes user accountability, linking activities to users.
Multifactor authentication is a combination of more than one method, for example a token and a password or PIN, or a token and a biometric device.
Categories can be: something you know (for example a password); something you have (for example a token card); something you are or do (a biometric feature); or somewhere you are.
These techniques can be used independently or in combination (single-factor or two-factor authentication).
Some of the common vulnerabilities expected are:
weak authentication methods;
potential for bypassing the authentication mechanism;
lack of confidentiality and integrity of stored authentication information;
lack of encryption for transmitted authentication information;
lack of user knowledge regarding the risks of sharing authentication elements (for example passwords).
Identification and authentication: logon IDs and passwords
Logon IDs and passwords form a two-phase user identification and authentication process based on something you know:
logon ID: individual identification
password: individual authentication
It is used to restrict access to computerized information, transactions, programs and system software.
It may involve an internal list of valid logon IDs and a corresponding set of access rules for each logon ID.
The access rules can be specified at OS level (controlling access to files) or within individual applications (controlling access to menu functions and types of data).
Features of passwords include:
easy for the user to remember but difficult for a perpetrator to guess
when the user logs on for the first time, the system should force a password change to improve confidentiality
a limited number of logon attempts, typically three
user verification for forgotten passwords
stored using internal one-way encryption (hashing) and never displayed in any form
changed periodically, for example every 30 days
unique: if a password is known by more than one person, responsibility for activity cannot be enforced
Password syntax (format) rules:
ideally a minimum of eight characters in length
a combination of at least three of the following: alphabetic, numeric, upper- and lower-case and special characters
some systems prohibit the use of vowels
not particularly identifiable to the user
the system should enforce regular change of passwords, for example after every 30 days
no reuse of previous passwords, for example for at least one year after being changed
deactivate dormant logon IDs
automatic session inactivity timeouts
Powerful user IDs (accounts such as supervisor and administrator) should be strictly controlled, since these could have full access to the system.
The administrator password should be known by only one person; however, the password should be kept in a sealed envelope for business continuity.
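The password features and syntax rules listed above, implemented as one small logon control. This is an added example written for these notes, not code from the CISA course: the account store, the passwords and the timeline are constructed, and the 90-day dormancy period is an assumption, since the notes give no figure for it.

```python
"""Added example (not from the CISA notes): a logon-ID/password control that
enforces the password features listed above: syntax rules, forced change at
first logon, lockout after three failed attempts, one-way hashed storage,
30-day expiry, no reuse for a year and dormant-ID deactivation.
Accounts, passwords and the timeline are constructed for the demo."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 8
MAX_ATTEMPTS = 3                      # limited number of logon attempts, typically three
MAX_AGE = timedelta(days=30)          # periodic change, for example every 30 days
REUSE_WINDOW = timedelta(days=365)    # no reuse for at least one year after change
DORMANT_AFTER = timedelta(days=90)    # assumption: the notes give no dormancy period


def check_syntax(password, logon_id):
    """Return the syntax rules the password violates (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("fewer than 3 character classes")
    if logon_id.lower() in password.lower():
        problems.append("identifiable to the user")
    return problems


def hash_password(password, salt):
    """One-way: the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    logon_id: str
    salt: bytes
    digest: bytes
    changed_at: datetime
    last_logon: datetime
    must_change: bool = True          # first logon forces a change
    failed_attempts: int = 0
    locked: bool = False
    deactivated: bool = False
    history: list = field(default_factory=list)   # (digest, salt, retired_at)


def create_account(logon_id, initial_password, now):
    salt = os.urandom(16)
    return Account(logon_id, salt, hash_password(initial_password, salt), now, now)


def logon(acct, password, now):
    """Identification (logon ID) plus authentication (password); returns the decision."""
    if acct.deactivated or now - acct.last_logon > DORMANT_AFTER:
        acct.deactivated = True
        return "deactivated: dormant logon ID"
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_ATTEMPTS:
            acct.locked = True
            return "locked: too many failed attempts"
        return "denied"
    acct.failed_attempts = 0
    acct.last_logon = now
    if acct.must_change or now - acct.changed_at > MAX_AGE:
        return "granted: password change required"
    return "granted"


def change_password(acct, new_password, now):
    problems = check_syntax(new_password, acct.logon_id)
    if problems:
        return "rejected: " + ", ".join(problems)
    if hmac.compare_digest(hash_password(new_password, acct.salt), acct.digest):
        return "rejected: reuse of current password"
    for digest, salt, retired_at in acct.history:
        if now - retired_at < REUSE_WINDOW and hmac.compare_digest(hash_password(new_password, salt), digest):
            return "rejected: reuse of a password changed less than a year ago"
    acct.history.append((acct.digest, acct.salt, now))
    acct.salt = os.urandom(16)
    acct.digest = hash_password(new_password, acct.salt)
    acct.changed_at = now
    acct.must_change = False
    return "changed"


def demo():
    """Walk one constructed account through the controls and return each decision."""
    t0 = datetime(2024, 1, 1)
    acct = create_account("jsmith", "Temp!Pass1", t0)
    out = [logon(acct, "Temp!Pass1", t0)]                         # first logon
    out.append(change_password(acct, "jsmith2024", t0))           # weak, contains logon ID
    out.append(change_password(acct, "Summer#Rain7", t0))         # acceptable
    out.append(change_password(acct, "Temp!Pass1", t0 + timedelta(days=1)))  # reuse
    for _ in range(MAX_ATTEMPTS):
        out.append(logon(acct, "wrong", t0 + timedelta(days=2)))  # third attempt locks
    out.append(logon(acct, "Summer#Rain7", t0 + timedelta(days=2)))
    return out
```

Note that the store keeps only salted PBKDF2 digests, so the "one-way, never displayed" rule holds even for an auditor reading the account table, and that the lockout counter is reset only by a successful logon.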
Passwords, token devices and one-time passwords
This is a two-factor authentication technique, for example a microprocessor-controlled smart card that generates unique, time-dependent one-time passwords called session passwords.
A session password is good for only one logon session.
The user enters this password along with the password they have memorized to gain access to the system.
It is characterized by a unique session characteristic (an ID or time) appended to the password.
The technique involves something you have (a device, which is subject to theft) and something you know (a PIN).
Identification and authentication: biometric access control
Biometric security access control is the best means of authenticating a user's identity. It is based on a unique, measurable attribute or trait for verifying the identity of a human being.
It restricts computer access based on a physical (something you are) or behavioral (something you do) feature of the user, for example a fingerprint or eye retina pattern.
A reader interprets the individual's biometric features before permitting authorized access.
However, it is not a foolproof process: certain biometric features can change, for example scarred fingerprints or a change in voice.
The final template is derived through an iterative averaging process of acquiring samples.
Physically oriented biometrics are:
palm
hand geometry
iris
retina
fingerprint
face
Behavior-oriented biometrics can be:
signature recognition
voice recognition
Single sign-on (SSO)
SSO is a consolidation of the organization's platform-based administration, authentication and authorization functions.
It interfaces with:
client-server and distributed systems
mainframe systems
network security, including remote access
The primary domain handles the first instance where user credentials are entered, and the secondary domain is any other resource that uses these credentials.
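A minimal model of the primary and secondary domains just described, as an added example written for these notes (not code from the course or from any SSO product). The primary domain is where credentials are entered once and issues a signed, expiring assertion; each secondary domain verifies the assertion instead of re-prompting, but still applies its own authorization rules. The shared key, users and access rules are constructed.

```python
"""Added example (not from the CISA notes): a minimal model of the primary and
secondary domains described above. The primary domain is where the user's
credentials are entered once; it issues a signed, expiring assertion. Secondary
domains (any other resource) verify that assertion instead of asking for the
password again, but each still applies its own authorization rules.
Keys, users and access rules are constructed for the demo."""
import base64
import hashlib
import hmac
import json


class PrimaryDomain:
    def __init__(self, signing_key, users):
        self.key = signing_key
        self.users = users             # logon_id -> sha256(password) (constructed)

    def authenticate(self, logon_id, password, now):
        """Single credential entry; returns an SSO assertion or None."""
        digest = hashlib.sha256(password.encode()).digest()
        if logon_id not in self.users or not hmac.compare_digest(self.users[logon_id], digest):
            return None
        body = json.dumps({"sub": logon_id, "exp": now + 600}).encode()
        mac = hmac.new(self.key, body, hashlib.sha256).digest()
        return base64.b64encode(body).decode() + "." + base64.b64encode(mac).decode()


class SecondaryDomain:
    def __init__(self, name, verify_key, acl):
        self.name = name
        self.key = verify_key          # shared with the primary domain
        self.acl = acl                 # this system's own authorization rules: user -> actions

    def access(self, assertion, action, now):
        try:
            body_b64, mac_b64 = assertion.split(".")
            body, mac = base64.b64decode(body_b64), base64.b64decode(mac_b64)
        except (ValueError, AttributeError):
            return "denied: malformed assertion"
        if not hmac.compare_digest(hmac.new(self.key, body, hashlib.sha256).digest(), mac):
            return "denied: assertion not issued by the primary domain"
        claims = json.loads(body)
        if now > claims["exp"]:
            return "denied: assertion expired"
        if action not in self.acl.get(claims["sub"], set()):
            return "denied: %s not authorized for %s on %s" % (claims["sub"], action, self.name)
        return "granted"


def demo():
    key = b"constructed-shared-signing-key"
    primary = PrimaryDomain(key, {"alice": hashlib.sha256(b"Correct#Horse9").digest()})
    mainframe = SecondaryDomain("mainframe", key, {"alice": {"read"}})
    hr_app = SecondaryDomain("hr_app", key, {"alice": {"read", "update"}})
    now = 1_700_000_000
    assertion = primary.authenticate("alice", "Correct#Horse9", now)
    # An assertion whose subject was edited after signing: the MAC no longer matches.
    body_b64, mac_b64 = assertion.split(".")
    forged_body = base64.b64decode(body_b64).replace(b"alice", b"admin")
    tampered = base64.b64encode(forged_body).decode() + "." + mac_b64
    return {
        "bad_password": primary.authenticate("alice", "wrong", now),
        "mainframe_read": mainframe.access(assertion, "read", now + 10),
        "mainframe_update": mainframe.access(assertion, "update", now + 10),
        "hr_update": hr_app.access(assertion, "update", now + 10),
        "tampered": mainframe.access(tampered, "read", now + 10),
        "expired": hr_app.access(assertion, "read", now + 601),
    }
```

The model also shows the single-point-of-failure disadvantage listed below: every secondary domain trusts the one signing key, so the primary domain's availability and key protection decide the security of all of them.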
Single sign-on (SSO) challenges
overcoming the heterogeneous nature of diverse architectures: networks, platforms, databases and applications
requires understanding of each system's authorization rules, audit logs and ports
allowing host systems to control the set of users allowed access to particular host systems
SSO advantages
multiple passwords are not required, so users are motivated to select stronger passwords
efficiency in managing users and their authorizations
reduced administrative overhead for resetting passwords
efficiency in disabling or deactivating user accounts
reduced logon time
SSO disadvantages
single point of network failure
few software solutions accommodate all major OSs
substantial interface development is required, which is costly
Logical access security administration
Logical access security administration can be centralized or decentralized.
Advantages of decentralized administration:
administration on site at the distributed location
timely resolution of issues
more frequent monitoring
Controlling remote and distributed sites:
software access controls
physical access controls (lockable terminals, locked computer rooms)
control over dial-in facilities (modems, laptops)
controls over access to system documentation
controls over data transmission (access, accuracy, completeness)
controls over replicated files and their updates (accuracy and reduced duplication)
Risks associated with decentralized administration:
local rather than organizational standards may be implemented
the level of security management may be below that of the central site
unavailability of management checks and audits by the central site
Remote access security
The business need for remote access is to provide users with the same functionality that exists within their offices. The components of remote access are:
the remote environment (employees, branches, laptops)
the telecommunication infrastructure (the carrier used)
the corporate computing infrastructure (corporate connecting devices, communication software)
Remote access risks could be:
denial of service
malicious third-party access
misconfigured communication software
misconfigured devices
host systems not secured appropriately
physical security weaknesses at the remote stations
Remote access methods are:
analog modems and the public telephone network
dedicated network connections (proprietary circuits)
TCP/IP internet-based remote access
The remote access controls are:
policy and standards
proper authorization
identification and authentication mechanisms
encryption tools and techniques
system and network management
PDAs and mobile technology
PDAs augment desktops and laptops due to their ease of use and functionality.
The inherent risks are that they are easy to steal, easy to lose, and give ready access to the information stored on them.
Access issues with mobile technologies also include flash disks.
Control issues to address are:
compliance with policies and procedures, including approval for PDA use
awareness of responsibilities and due care
compliance with security requirements
authorization and approval of use
standard PDA applications, authorized and licensed
synchronization, backup and updating
encryption
virus detection and control
device registration
camera use
Audit logging in monitoring system access
Most access control software automatically logs and reports all access attempts, successes and failures.
It provides management with an audit trail to monitor activities and facilitates accountability.
Access rights to system logs should be granted for review purposes only; this is a form of security against modification of the logs.
The tools for analysis of audit log information are:
audit reduction tools, which filter out insignificant data
trend/variance detection tools
attack signature detection tools
Reviewing audit logs monitors:
patterns or trends
violations and/or use of incorrect passwords
Restricting and monitoring access features that bypass security, accessed by software programmers, including:
bypass label processing (BLP)
system exits
special system logon IDs
Risks and controls associated with virtualized systems
Knowledge of the risks and controls associated with virtualization of systems
Virtualization provides an organization with a significant opportunity to increase efficiency and decrease costs in its IT operations.
The IS auditor needs to know the different advantages and disadvantages and needs to consider whether the enterprise has considered the applicable risks in its decision to adopt, implement and maintain this technology.
At a high level, virtualization allows multiple operating systems (OSs, or guests) to coexist on the same physical server (host) in isolation from one another.
Virtualization creates a layer between the hardware and the guest OSs to manage shared processing and memory resources on the host machine.
A management console often provides administrative access to manage the virtualized system.
Virtualization introduces additional risks that the enterprise must manage effectively.
A key risk is that the host represents a single point of failure within the system: a successful attack on the host could result in a compromise that is very large in impact.
The main areas covered here are:
virtualization
Network security controls
Knowledge of the configuration, implementation, operation and maintenance of network security controls
Enterprises can effectively prevent and detect most attacks on their networks by employing perimeter security controls.
Firewalls and intrusion detection systems (IDSs) provide protection and critical alert information at the borders between trusted and untrusted networks.
Proper implementation and maintenance of firewalls and IDSs is critical to a successful, in-depth security program.
The IS auditor must understand the level of intruder detection provided by the different possible locations of the IDS and the importance of policies and procedures to determine the action required by security and technical staff when an intruder is reported.
The main areas covered here are:
internet threats and security
network infrastructure security
The table demonstrates network infrastructure security.
Auditing use of the internet involves ensuring a business case for:
email communication
marketing and customer communication
sales channel or e-commerce
channel for delivery of goods and services (online stores, internet banking)
information gathering and research
Auditing networks
Review network diagrams to identify the networking infrastructure and network design.
Also review network management policies, procedures, standards and guidance distributed to staff.
Identify responsibility for security and operation, and review staff training, duties and responsibilities.
Further review legal issues regarding the use of the internet, service level agreements with third parties, and network administrator procedures.
Auditing remote access
This involves identifying all remote access facilities and ensuring they have been documented.
Review the policies governing the use of remote access.
Review the architecture, identifying points of entry and assessing their controls.
Test dial-up access controls and review them in relation to business requirements.
General network controls are:
functions are performed by technically qualified operators
these functions are separated and rotated regularly
least-privilege access rights are applied for operators
the audit trail of operator activities must be periodically reviewed by management
network operation standards must be documented
a review of workload balance, response times and system efficiency must also be performed
Further consider terminal authentication and data encryption.
Some of the network management control software includes Novell NetWare, Windows NT/2000 and UNIX.
Network and internet security devices, protocols and techniques
Knowledge of network and internet security devices, protocols and techniques
Application and evaluation of technologies to reduce risk and secure data depends on a proper understanding of security devices, their functions and the protocols used in delivering their functionality.
An organization implements specific applications of cryptographic systems in order to ensure the confidentiality of important data.
There are a number of cryptographic protocols that provide secure communications on the internet.
Additionally, the security landscape is filled with technologies and solutions to address many needs. Solutions include firewalls, intrusion detection and prevention devices, proxy devices, web filters, antivirus and anti-spam filters, data leak protection functionality, identity and access control mechanisms, secured remote access and wireless security.
Understanding a solution's function and its application to the underlying infrastructure requires knowledge of the infrastructure itself and the protocols in use.
The main areas covered here are:
encryption
network infrastructure security
firewalls
Firewalls
A firewall is a security perimeter for corporate networks connecting to the internet, aimed at keeping out external intruders and untrusted internal users (internal hackers).
It applies rules to control network traffic flowing in and out of a network, allowing users to access the internet while stopping hackers or others on the internet from gaining access to the network.
The guiding principle used is least privilege on a need-to-use basis.
General firewall features include:
a combination of hardware (routers, servers) and software
it should control the most vulnerable point between a corporate network and the internet
General functions of firewalls include:
blocking access to particular sites
limiting traffic on public services to the relevant ports
preventing access to certain servers and/or services
monitoring and recording communication between internal and external networks
preventing network penetration and internal subversion
encryption and VPN
a single choke point, concentrating security on a single system
The techniques used to control traffic are:
service control (IP address, TCP port)
direction control (direction of traffic)
user control (based on user rights)
behavior control (based on how services are being used, for example filtering email for spam)
Types of firewalls
The types of firewalls are:
router packet filtering
application firewall systems
stateful inspection firewalls
A router packet filtering firewall is deployed between the private network and the internet.
Screening routers examine packet headers to ascertain the IP address identity of the sender and receiver and the authorized port numbers allowed to use the information transmitted (the kind of internet service being used).
This information is used to prevent certain packets from being sent between the network and the internet.
The common attacks against packet filtering are:
IP spoofing
source routing specification
miniature fragment attack
This method is simple and stable.
Its demerits are that it is easily weakened by improperly configured filters, and it is unable to prevent attacks tunneled over a permitted service.
The diagram in the slide describes this type of firewall.
Application firewall systems
This type of firewall allows information flow between internal and external systems but does not allow direct exchange of packets.
Host applications must be secured against threats posed by allowed packets.
They rest on hardened operating systems, for example Windows NT or UNIX.
It works on the application layer of the OSI model.
The firewall analyzes packets through a series of proxies, one for each service.
There are two types:
application-level firewalls, which analyze packets through a series of proxies, one for each service
circuit-level firewalls, which validate TCP and UDP sessions through a single general-purpose proxy
The diagram in the slide demonstrates this.
Application firewall systems are set up as proxy servers acting on behalf of network users.
They employ bastion hosting and are heavily fortified against attack, handling all incoming requests from the internet to the network.
A single host makes security maintenance easier: if it is compromised, only the firewall system is compromised, not the network.
Types of firewalls and firewall issues
Stateful inspection firewalls track the destination IP address of each packet leaving the network and reference responses against the requests that went out.
It maps source IP addresses of incoming packets to destination IP addresses of outgoing requests.
It prevents attacks initiated and originated by outsiders.
The main advantage is that it is more efficient than application firewall systems.
The disadvantage is that it is more complex to administer.
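The difference between packet filtering and stateful inspection, shown on the same packets. This is an added example written for these notes, not code from the course or any firewall product: the private address range, the rule set (including the improperly configured inbound rule that matches on source port only) and the five packets are constructed.

```python
"""Added example (not from the CISA notes): a packet-filtering rule set beside a
stateful inspection filter, over constructed packets. The packet filter decides
on header fields alone (service control: address and TCP port; direction control),
so an unsolicited inbound packet that happens to match an allowed port gets
through, and nothing stops a packet that spoofs an internal source address.
The stateful filter records outbound requests and admits an inbound packet only
when it answers one of them or targets a published service."""
from dataclasses import dataclass
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # constructed private network
PUBLISHED_SERVICES = {25}                            # inbound SMTP to the mail relay is allowed


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "out" = private network to internet, "in" = internet to private network


# (direction, source port or None, destination port or None, verdict); first match wins, default deny.
# The inbound "replies from web servers" rules are the improperly configured filter the notes warn
# about: they match on source port only, and any sender can choose its source port.
PACKET_FILTER_RULES = [
    ("out", None, 80, "allow"),
    ("out", None, 443, "allow"),
    ("in", 80, None, "allow"),
    ("in", 443, None, "allow"),
    ("in", None, 25, "allow"),
]


def packet_filter(pkt):
    for direction, sport, dport, verdict in PACKET_FILTER_RULES:
        if pkt.direction == direction and sport in (None, pkt.sport) and dport in (None, pkt.dport):
            return verdict
    return "deny"


class StatefulFirewall:
    def __init__(self):
        self.sessions = set()    # (internal ip, internal port, external ip, external port)

    def filter(self, pkt):
        if pkt.direction == "in" and ipaddress.ip_address(pkt.src) in INTERNAL:
            return "deny: spoofed internal source address"
        if pkt.direction == "out":
            verdict = packet_filter(pkt)
            if verdict == "allow":
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return verdict
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "allow: reply to an outbound request"
        if pkt.dport in PUBLISHED_SERVICES:
            return "allow: published service"
        return "deny: no matching outbound request"


def demo():
    """Run the same five constructed packets through both filters."""
    packets = [
        Packet("10.0.0.5", 50000, "203.0.113.10", 80, "out"),    # user browses a web site
        Packet("203.0.113.10", 80, "10.0.0.5", 50000, "in"),     # the web server's reply
        Packet("198.51.100.7", 80, "10.0.0.5", 3389, "in"),      # unsolicited, source port set to 80
        Packet("10.0.0.9", 80, "10.0.0.5", 445, "in"),           # arrives from outside claiming an internal source
        Packet("198.51.100.7", 40000, "10.0.0.25", 25, "in"),    # mail delivery to the relay
    ]
    fw = StatefulFirewall()
    return {
        "packet_filter": [packet_filter(p) for p in packets],
        "stateful": [fw.filter(p) for p in packets],
    }
```

The packet filter lets all five through because every one matches a header rule; the stateful filter admits the reply because it remembers the request, and it rejects the two inbound packets nothing asked for. The anti-spoofing check is a plain header rule too, so a packet filter could also carry it; its absence from the rule set above is the kind of misconfiguration the notes list as a weakness.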
Issues related to firewalls:
a false sense of security, assuming no additional internal controls are needed
weak against internal threats, for example a disgruntled employee cooperating with an external attacker
cannot protect against attacks that bypass the firewall, for example modem dial-in
misconfigured firewalls
misunderstanding of what constitutes a firewall
monitoring activities not done regularly
Implementation of firewalls
Firewalls can be implemented in three ways:
screened host firewall
dual-homed firewall
demilitarized zone (screened subnet) firewall
Screened host firewall
This method utilizes packet filtering and a bastion host (proxy services).
The bastion host connects to the internal network.
A packet filtering router is installed between the internet and the bastion host.
An intruder has to penetrate two systems before the network is compromised.
Internal hosts reside on the same network as the bastion host.
Security policies determine whether hosts connect directly to the internet or use the proxy services of the bastion host.
Dual-homed firewall
This type of implementation is a more restrictive form of the screened host firewall.
One interface is established for information servers and a separate interface for private network hosts.
Direct traffic to internal hosts is physically prevented, as explained in the diagram.
Demilitarized zone (screened subnet) firewall
This mode utilizes two packet filtering routers and a bastion host.
It is the most secure firewall system and supports network- and application-level security.
The separate DMZ functions as an isolated network for public servers, proxy servers and modem pools.
Key benefits are that:
an intruder must penetrate three separate devices
the private network addresses are not disclosed to the internet
internal systems do not have direct access to the internet
Intrusion detection systems (IDSs)
An IDS monitors network usage anomalies.
It is used together with firewalls and routers.
It continuously operates in the background, and the administrator is alerted when intrusions are detected.
It protects against external and internal misuse.
IDS components:
sensor: collects data (network packets, log files, system call traces)
analyzer: receives input from sensors and determines intrusive activity
admin console
user interface
IDSs are categorized into:
network-based IDSs (NIDSs), which identify attacks within a network
host-based IDSs (HIDSs), which are configured for a specific environment and monitor the internal resources of systems
IDS types are:
signature-based: intrusion patterns are stored as signatures; limited by the detection rules
statistical-based: monitors expected behavior
neural networks: similar to statistical-based, but adding learning functionality
A signature/statistical combination offers better protection.
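The signature-based versus statistical-based split above, and the three audit-log analysis tool types listed earlier under audit logging (audit reduction, attack-signature detection, trend/variance detection), worked on the same constructed log. This is an added example written for these notes, not code from the course or from any IDS product; the log lines, the 14-day baseline series and the thresholds are all constructed.

```python
"""Added example (not from the CISA notes): the three audit-log analysis tool types
listed under audit logging (audit reduction, attack-signature detection, trend and
variance detection) applied to constructed log lines, which is also the
signature-based versus statistical-based split that the IDS types above describe.
Log lines, the baseline series and the thresholds are constructed for the demo."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed lines: <epoch seconds> <host> <event> user=<id> src=<ip> <result>
SAMPLE_LOG = """\
1000 srv1 logon user=alice src=10.0.0.5 success
1003 srv1 logon user=bob src=10.0.0.6 success
1010 srv1 logon user=admin src=198.51.100.7 failure
1012 srv1 logon user=admin src=198.51.100.7 failure
1014 srv1 logon user=admin src=198.51.100.7 failure
1016 srv1 logon user=admin src=198.51.100.7 failure
1020 srv1 file_read user=alice src=10.0.0.5 success
1030 srv1 logon user=carol src=10.0.0.8 failure
1040 srv1 logon user=dave src=203.0.113.4 success
1090 srv1 logon user=carol src=10.0.0.8 success
"""
# Constructed baseline: daily logon-failure counts for the previous 14 days.
BASELINE_DAILY_FAILURES = [1, 0, 2, 1, 1, 0, 1, 2, 1, 0, 1, 1, 2, 1]

LINE = re.compile(r"(?P<t>\d+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+) (?P<result>\S+)")


def parse(log):
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["t"] = int(e["t"])
            events.append(e)
    return events


def audit_reduction(events):
    """Audit reduction: filter out insignificant data, here routine successes from internal addresses."""
    return [e for e in events if e["result"] != "success" or not e["src"].startswith("10.")]


def signature_failed_logons(events, threshold=3, window=60):
    """Attack signature: `threshold` logon failures for one user from one source within `window` seconds."""
    times_by_key = defaultdict(list)
    for e in events:
        if e["event"] == "logon" and e["result"] == "failure":
            times_by_key[(e["user"], e["src"])].append(e["t"])
    alerts = []
    for key, times in times_by_key.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(key)
                break
    return alerts


def statistical_check(events, baseline, k=2.0):
    """Trend/variance detection: is today's failure count above mean + k*stdev of the baseline?"""
    observed = sum(1 for e in events if e["result"] == "failure")
    threshold = mean(baseline) + k * pstdev(baseline)
    return observed, round(threshold, 2), observed > threshold


def demo():
    events = parse(SAMPLE_LOG)
    return {
        "total": len(events),
        "reduced": len(audit_reduction(events)),
        "signature_alerts": signature_failed_logons(events),
        "statistical": statistical_check(events, BASELINE_DAILY_FAILURES),
    }
```

The signature rule fires only on the pattern it was written for (repeated failures for one user from one source), which is the "limited by detection rules" point; the statistical check knows nothing about that pattern and still flags the day because five failures is well above the baseline's expected behavior. Running both is the combination the notes recommend.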
IDSs and intrusion prevention systems (IPSs)
The key features of intrusion detection systems are:
intrusion detection and alerts
gathering evidence and automated response, for example disconnecting
security policy administration and monitoring
interfaces with system tools and logging facilities
IDS limitations include:
weaknesses in policy definition
application-level vulnerabilities
back doors into applications
weaknesses in identification and authentication schemes
Intrusion prevention systems (IPSs)
An IPS is closely related to an IDS.
It is designed to detect and prevent attacks by predicting an attack before it happens, hence limiting damage or disruption to the systems that are attacked.
It must be properly configured and tuned to be effective.
Honeypots and honeynets
A honeypot is a software application that pretends to be an unprotected server on the internet and is not set up to actively protect against break-ins.
Rather, honeypots act as decoy systems that lure hackers and are therefore attractive to hackers.
The more a honeypot is targeted by an intruder, the more valuable it becomes.
A honeypot is technically related to IDSs and firewalls, but it has no real production value as an active sentinel of networks.
The two basic types of honeypots are:
high interaction: gives hackers a real environment to attack
low interaction: emulates production environments
Honeynet
Multiple honeypots networked together to simulate a larger network installation are known as a honeynet.
A honeynet lets hackers break into the false network while allowing investigators to watch their every move through a combination of surveillance technologies.
Information system attack methods and techniques
The candidate needs to grasp the knowledge of information system attack methods and techniques covered under this topic.
Risks arise from vulnerabilities, whether technical or human, within an environment.
Several attack techniques exploit those vulnerabilities and may originate either within or outside the organization.
Computer attacks can result in proprietary or confidential data being stolen or modified, loss of customer confidence and market share, embarrassment to management, and legal actions against an organization.
Understanding the methods, techniques and exploits used to compromise an environment provides the IS auditor with a more complete context for understanding the risk an organization faces.
The IS auditor should understand enough of these attack types to recognize their risk to the business and how they should be addressed by appropriate controls.
The IS auditor should understand the concept of social engineering, since these attacks can circumvent the strongest technical security; the only effective control is regular user education.
The main areas covered here are:
computer crime issues and exposures
wireless security threats and risk mitigation
Computer crime issues and exposures
Computer crimes can be committed from various sources, including:
the computer is the object of the crime: the perpetrator uses another computer to launch an attack
the computer is the subject of the crime: the perpetrator uses a computer to commit the crime, and the target is another computer
the computer is the tool of the crime: the perpetrator uses a computer to commit the crime, but the target is not the computer itself but the data stored on it
the computer symbolizes the crime: the perpetrator lures users of computers into giving up confidential information, for example by social engineering methods
Common attack methods and techniques include:
alteration attack
botnets
brute force attack
denial of service (DoS) attack
dial-in penetration attack (war dialing)
eavesdropping
email bombing and spamming
email spoofing
flooding
interrupt attack
malicious code
man-in-the-middle attack
masquerading
message modification
network analysis
packet replay
phishing
piggybacking
race conditions
Local area network (LAN) security
A local area network is faced with a lot of risks. Examples of these risks are:
unauthorized access and changes to data and/or programs
inability to maintain version control
limited user verification and potential public access
general access as opposed to need-to-know access
impersonation or masquerading as a legitimate LAN user
internal user sniffing
internal user spoofing
virus infection
unlicensed or excessive numbers of software copies
destruction of logging and auditing data
lack of LAN administrator experience and expertise
varying media, protocols, hardware and network software that make standard management difficult
security set aside for operational efficiency
LAN administrative capabilities include:
declaring ownership of programs and files
limiting access to read-only
record and file locking to prevent simultaneous update
enforcing user ID and password sign-on procedures
In order to understand LANs, it is paramount for a candidate to have good knowledge of:
the LAN topology and network diagram
the functions performed by the LAN administrator/owner
LAN users and user groups
applications used on the LAN
procedures and standards of network design, support, naming conventions and data security
Dial-up access controls are:
encrypted passwords
portable PCs
dial-back procedures
one-time password generators or tokens
Client-server risks include:
numerous access routes and points
increased risk of access to data and processing (weaker access controls, password change controls or access rules)
weaker change control and change management
inaccurate or unauthorized access and changes to systems or data
loss of network availability
obsolescence of network components
unauthorized connection of the network to other networks through modems
weak connection to public switched telephone networks
application code and data may not be stored on a secure machine
Client-server controls that will ensure security include:
disabling floppy drives
automatic boot or startup batch files and login scripts
network monitoring devices
data encryption
environment-wide authentication procedures
application-level access control
organization of users into functional groups
Internet threats
The internet is a global TCP/IP-based system that enables public and private heterogeneous networks to communicate with one another.
Internet threats are categorized into:
passive attacks, which involve probing for network information
active attacks, which are intrusion or penetration into a network, gaining full control or enough to cause certain threats:
unauthorized access to modify data and/or programs
obtaining sensitive information for personal gain
escalating privileges
denial of service
The impact could be financial or legal, or could affect competitive edge.
Types of passive attacks are:
network analysis: creating a profile of a network's security infrastructure (footprinting): system aliases, internal addresses, potential gateways and firewalls, vulnerable operating system services
eavesdropping: gathering information flowing through the network for personal analysis or for third parties
traffic analysis: determining the nature of traffic flow between defined hosts
Active attacks can take the following forms:
brute force attack: launching many attempts to gain unauthorized access, for example password cracking
masquerading: presenting an identity other than the original identity, which is unauthorized
packet replay: passively capturing data packets and actively inserting them into the network; replayed packets are treated as another genuine stream. It is effective when data received is interpreted and acted upon without human intervention
message modification: making unauthorized changes or deletions to captured messages
unauthorized access through the internet: telnet passwords transmitted in clear text, releasing CGI scripts as shareware, client-side execution of scripts (Java applets)
denial of service: flooding servers with data requests; systems are paralyzed and genuine users are frustrated with the unavailability of the system
dial-in penetration attacks: using phone number ranges and social engineering
email bombing: repeating identical messages to particular addresses
email spamming: sending messages to numerous users
email spoofing: altering the identity of the source of the message
Trojan horses: hiding malicious, fraudulent code in an authorized computer program
rounding down: drawing off small amounts of money from a computerized transaction or account to the perpetrator's account
salami technique: slicing off (truncating) small amounts of money from a computerized transaction or account, similar to rounding down
viruses: malicious program code inserted into other executable code that can self-replicate and spread from computer to computer
worms: destructive programs that may destroy data or utilize tremendous computer and communication resources; they do not replicate like viruses
logic bombs: similar to computer viruses but they do not self-replicate; destruction or modification of data is programmed to occur at a specific time in the future, and they are difficult to detect before they blow up
Trap doors are exits out of an authorized program.
They allow insertion of specific logic, such as program interrupts, to permit a view of data during processing.
They are used by programmers to bypass OS integrity during debugging and maintenance.
They are meant to be eliminated in the final editing of the code but are sometimes forgotten or intentionally left for future access.
Asynchronous attacks are OS-based attacks in a multiprocessing environment (job scheduling, resource scheduling, checkpoint/restart capabilities).
Checkpoint data is a copy of system parameters and security levels; the attacks involve access to and modification of this data to obtain higher priority or security levels.
This results in unauthorized access to data, other programs and the OS.
Data leakage involves siphoning or leaking information out of the computer (dumping files to paper, stealing tapes).
Wiretapping is eavesdropping on information being transmitted over telecommunication lines.
Piggybacking is following an authorized person through a secure door; it also means electronically attaching to an authorized telecommunications link to intercept and possibly alter transmissions.
Computer shutdown can be initiated through terminals or microcomputers connected directly (online) or remotely (dial-up line) to the computer.
Denial of service disrupts or completely denies service to legitimate users, networks, systems or other resources.
virus detection tools and control techniques
the key is understanding detection tools and control techniques for example malware virus detection spyware
computer viruses and other malware continue to emerge at increasing rates and sophistication and present significant threats to individuals and organizations
layered tools should be implemented and distributed throughout the environment in order to mitigate the ability of this malware to adversely impact the organization
antivirus and anti-spam software is an necessary and critical component of an organization security program providing a mechanism to detect contain and notify whenever malicious code is detected
it is essential that the is auditor understand not only the need for the implementation of antimalware software but that it should be constantly be updated to ensure that it will detect and eradicate the latest attacks detected by the solutions providers
main areas are covered here are
viruses
viruses are
malicious programs designed to
self-propagate by appending to other programs
they are easily transmitted via the Internet email attachments local area networks
viruses attack four parts of the computer
executable program files
the file directory system which tracks the location of all the computer's files another area is
Boot and systems areas which are needed to start the computer
data files is also a target for viruses
virus controls available are
virus and worm controls
management procedural controls
technical controls
antivirus software periodically updated
Hardware controls remote booting boot virus protection
antivirus software implementation strategies
Dynamic antivirus program
sound policies and procedures
antivirus software implementation strategies
detecting the virus at its point of entry is crucial
at user workstation level through scheduled continuous and manual OnDemand scans
at corporate Network level as part of the firewall virus wall SMTP HTTP and FTP protection
besides automatically updating antivirus software
features of antivirus software
it should be reliable and offer quality of detection
it should be Memory resident to facilitate continuous checking
it should as well have efficient working speed and use of resources
types of antivirus software
scanners: look for virus masks or signatures (known byte patterns) in files and memory
heuristic scanners: flag code as probably malicious based on statistical probability rather than an exact signature
active monitors: look for virus-like activity as it happens
integrity (CRC) checkers: record a checksum or hash of files and executable code and detect later changes
behavior blockers: focus on detecting potentially abnormal behavior, for example writing to the boot sector
immunizers: append themselves to files and continuously check for changes
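the two antivirus types an auditor can most easily reason about are the signature scanner and the integrity checker; the following is an added example written for these notes (it is not code from the original course) that shows both on constructed files. DEMO_PATTERN is an invented byte string, not a real malware signature, and the files written to the temporary directory are constructed for the demonstration. SHA-256 is used rather than a CRC because a CRC is not collision-resistant: an attacker who alters a file can pad it so the CRC is unchanged, which is why current integrity checkers use cryptographic hashes.

```python
"""Added example, not from the original notes: a toy signature scanner and an
integrity checker of the kinds listed above.  DEMO_PATTERN is a constructed
byte string, not a real malware signature.  SHA-256 is used instead of a CRC
because a CRC is not collision-resistant."""
import hashlib
import os
import tempfile

# Constructed signature database: detection name -> byte pattern (assumption)
DEMO_PATTERN = b"DEMO-MALICIOUS-PATTERN-0001"
SIGNATURES = {"Demo.TestPattern": DEMO_PATTERN}


def scan_bytes(data: bytes):
    """Signature scanner: names of every signature whose pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Integrity checker, step 1: record a trusted hash for every file."""
    return {path: sha256_file(path) for path in paths}


def check_integrity(baseline):
    """Integrity checker, step 2: report files that changed or disappeared."""
    changed, missing = [], []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            missing.append(path)
        elif sha256_file(path) != expected:
            changed.append(path)
    return {"changed": changed, "missing": missing}


def demo():
    """Run both checks on constructed files in a temporary directory."""
    workdir = tempfile.mkdtemp()
    clean = os.path.join(workdir, "report.exe")
    carrier = os.path.join(workdir, "tool.exe")
    with open(clean, "wb") as f:
        f.write(b"MZ" + b"\x00" * 64)                    # constructed, harmless
    with open(carrier, "wb") as f:
        f.write(b"MZ" + DEMO_PATTERN + b"\x00" * 8)      # already carries the pattern
    baseline = build_baseline([clean, carrier])
    # Simulate a file-infecting virus appending itself to the clean binary
    with open(clean, "ab") as f:
        f.write(DEMO_PATTERN)
    with open(carrier, "rb") as f:
        hits = scan_bytes(f.read())
    return {"signature_hits": hits,
            "integrity": check_integrity(baseline),
            "clean_path": clean}
```

the point of the pairing: the scanner only catches what is already in the signature database, while the integrity checker catches any change to a baselined file, including one made by code the vendor has never seen; it cannot, however, say what the change is, which is why the two are used together.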
security testing techniques
it is paramount for CISA candidates to have knowledge of security testing techniques, for example intrusion testing and vulnerability scanning
tools are available to assess the effectiveness of network infrastructure security
these tools permit identification of real-time risks to an information processing environment so that corrective actions can be taken to mitigate them
such risks often involve a failure to stay current on patch management for operating systems, or misconfigured security settings; assessment tools, whether open-source or commercial, can quickly identify weaknesses that would take hundreds of hours to find manually, although their findings are only as current as their vulnerability database and only cover what the tool can reach
the IS auditor should also be aware that security testing may be carried out by an approved third party, for example a company specializing in penetration testing
main areas covered here are
auditing network infrastructure security
network infrastructure security
network penetration testing, also called intrusion testing or ethical hacking, involves using the techniques available to an attacker
open-source intelligence gathering and discovery
attempting to guess passwords
searching for back doors into systems
exploiting known operating system vulnerabilities
it is popular for testing firewalls
it should only be performed by skilled, experienced professionals
it requires written permission from top-level senior management and an agreed scope; depending on the type of test, the IS security staff are deliberately not informed, so that the monitoring and incident response processes are tested as well
risks and controls associated with data leakage
data leakage is the risk that sensitive information may be inadvertently made public
it occurs in different ways, for example
job postings that list the specific software and network devices with which applicants should have experience
system administrators posting questions on technical websites that include the specific firewall or database version they are running and the IP addresses they are trying to connect to
posting organization charts and strategic plans to externally accessible websites
data classification policies, security awareness training and periodic audits for data leakage are elements that the IS auditor will want to ensure are in place
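a periodic audit for data leakage can be partly automated: the following added example (written for these notes, not code from the original course) runs a small set of checks over a draft posting of the kind described above, flagging RFC 1918 addresses, product names with version numbers, and hostnames in an internal DNS domain. The internal domain corp.example, the regular expressions and the sample posting are all constructed assumptions; a real deployment would tune them to the organization's own naming and address plan.

```python
"""Added example, not from the original notes: a small data-leakage check that
an IS auditor, or a DLP gateway, could run over text before it leaves the
organization.  Patterns, the internal domain and the sample post are constructed."""
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Capitalised product name (one or two words) followed by a dotted version, e.g. "Cisco ASA 9.1"
VERSIONED_PRODUCT = re.compile(
    r"\b([A-Z][A-Za-z0-9]+(?:\s[A-Z][A-Za-z0-9]+)?)\s+v?(\d+(?:\.\d+){1,3})\b")
# Hostnames in the (assumed) internal DNS domain
INTERNAL_HOST = re.compile(r"\b[a-z0-9-]+\.corp\.example\b")
# Only RFC 1918 ranges are treated as internal; documentation ranges stay public
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal_ip(text: str) -> bool:
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def find_leaks(text: str):
    """Return (category, value) pairs for every fragment that should not go public."""
    findings = []
    for m in IPV4.finditer(text):
        if is_internal_ip(m.group()):
            findings.append(("internal_ip", m.group()))
    for m in VERSIONED_PRODUCT.finditer(text):
        findings.append(("product_version", f"{m.group(1)} {m.group(2)}"))
    for m in INTERNAL_HOST.finditer(text):
        findings.append(("internal_hostname", m.group()))
    return findings


# Constructed draft of a job posting, of the kind the notes describe
SAMPLE_POST = """Senior network engineer wanted.  Applicants should have experience
with Cisco ASA 9.1 and PostgreSQL 9.6.2.  Our primary firewall is
fw01.corp.example (10.20.30.1); the public site is at 203.0.113.10."""


def review(text: str = SAMPLE_POST) -> bool:
    """True if the text is clean, False (with findings printed) if it would leak."""
    findings = find_leaks(text)
    for category, value in findings:
        print(f"{category}: {value}")
    return not findings
```

the check is deliberately narrow: it will not catch an organization chart or a strategic plan, which is why the policy and awareness controls listed above still matter; a pattern match is a cheap first filter, not a substitute for classification.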
main areas to be covered
computer crime and exposures
network infrastructure security: encryption
knowledge of encryption-related techniques
one of the best ways to protect the confidentiality of information is through the use of encryption
effective encryption systems depend on
algorithm strength
secrecy and difficulty of compromising a key
the non-existence of back doors by which an encrypted file can be decrypted without knowing the key
the inability to decrypt an entire ciphertext message when one knows how a portion of it decrypts (resistance to a known-plaintext attack)
resistance even when properties of the plaintext are known to a perpetrator
although the IS auditor is not expected to be an expert in how these algorithms are designed, the auditor should be able to understand how these techniques are used and the relative advantages and disadvantages of each
main areas to be covered
encryption
encryption means converting plaintext messages into secure coded text (ciphertext)
it is done via a mathematical function and a key, a special encryption/decryption password
encryption is used to
protect data in transit over networks
protect information stored on computers
deter and detect alterations of data
verify the authenticity of a transaction or document
note: the harder the ciphertext is to decrypt without the key, the stronger the system
key elements of encryption systems
encryption algorithm: the mathematical function or calculation
encryption key: a piece of information used in the algorithm to make the process unique
key length: the predetermined length of the key
effectiveness of encryption is based on
secrecy and difficulty of compromising the key
lack of other means of decrypting without the key
inability to perform a known-plaintext attack, that is, to recover the rest of the message from knowing how a portion of the encrypted text decrypts
tradeoffs in encryption
if the algorithm is too complex, takes too long to use, or requires keys that are too large to store easily, it becomes impractical to use
there is a need to balance the strength of the encryption, that is how difficult it is for someone to recover the key (the algorithm itself should be assumed to be public), against ease of use
there are two main types of encryption in use for computer security, referred to as symmetric and asymmetric key encryption
symmetric:
these are based on a symmetric encryption algorithm
the same (private) key is used to encrypt plaintext and decrypt ciphertext
also called private key or secret key cryptography
the common private key cryptographic systems are
Data Encryption Standard (DES): 64-bit block, 56-bit effective key, now obsolete
Advanced Encryption Standard (AES): 128-bit block with 128-, 192- or 256-bit keys
the advantage of this method is that it uses one key to encrypt and decrypt and hence uses less processing power
disadvantages:
getting the key securely to those you want to exchange data with is the problem
symmetric key:
key management is an issue
each pair of communicating entities needs a shared key
for an N-party system there are N(N-1)/2 distinct keys in the system, and each party needs to maintain N-1 distinct keys
ways to reduce the number of shared keys in the system
centralized key management
session keys
use of public keys
asymmetric (public key) cryptographic systems
this system uses different keys for encrypting and decrypting a message
it solves the problem of getting the key to those you want to exchange data with
it involves two keys working as a pair, one to encrypt and the other to decrypt
the two keys are mathematically related: what one encrypts only the other can decrypt
one key (the private key) is known only to its owner
the other key (the public key) may be known to everyone
a common form of asymmetric encryption is RSA
example: Smith has two keys, public and private
Smith publishes her public key so that it is publicly known
Smith keeps her private key secret
other people use Smith's public key to encrypt messages for Smith
Smith uses her private key to decrypt the messages
only Smith can decrypt, since only she has the private key
advantages of public key cryptography are
the necessity of distributing secret keys to large numbers of users is eliminated
the algorithm can be used for authentication as well as for creating ciphertext
security: computing the private key from the public key is assumed to be computationally infeasible
public key cryptography provides
authentication and non-repudiation: the sender signs (encrypts a hash of the message) with the sender's private key
confidentiality: encrypting with the receiver's public key
both authentication and confidentiality: first signing with the sender's private key, then encrypting with the receiver's public key
let us learn the differences between symmetric key and public key encryption
in symmetric key encryption
the two parties must trust each other, because either party holding the shared key can act as the other
typically both share the same key
symmetric key encryption is generally about 100 times faster than public key encryption
examples include DES, IDEA, RC5 and AES
in public key encryption
the two parties do not need to trust each other
there are two separate keys, a public key and a private key
it is slower than symmetric key encryption, so in practice it is used to exchange symmetric session keys and to sign, while bulk data is encrypted symmetrically
examples are RSA, ElGamal encryption and ECC
elliptic curve cryptography (ECC)
a variant and more efficient form of public key cryptography: it achieves comparable security with shorter keys and less computation, which is why it is gaining prominence, particularly where resources are limited
quantum cryptography
presented as the next generation of cryptography, which may solve some of the problems associated with current cryptographic systems; it is still an emerging area
Advanced Encryption Standard (AES)
AES replaced the Data Encryption Standard (DES) as the standard symmetric algorithm; DES reached the end of its life cycle because of its short 56-bit key, which can be recovered by brute force
digital signatures
a digital signature is an electronic identification of a person or entity, intended for the recipient to verify the integrity of the data and the identity of the sender
a digital signature ensures:
data integrity: the message is hashed with a one-way cryptographic hashing algorithm, and the hash is signed with a digital signature algorithm
sender identity authentication: via public key cryptography, since only the holder of the private key could have produced the signature
non-repudiation: the sender cannot later deny having signed
replay protection: timestamps and sequence numbers are built into the signed messages, so a captured valid message cannot be resubmitted later
note that a digital signature does not provide confidentiality; the message itself remains readable unless it is also encrypted
digital envelope
used to send encrypted information and the relevant key along with it
the message to be sent may itself be encrypted with either an asymmetric key or, more commonly, a symmetric session key
in the common case the session key is then encrypted with the receiver's public key and sent with the message; the receiver recovers the session key with the private key and then decrypts the message, so each type of encryption is used for what it does best
public key infrastructure (PKI) and digital signature techniques
knowledge statement 5.13
encryption is the process of converting a plaintext message into a secure coded form of text, called ciphertext, which cannot be understood without converting it back to plaintext via decryption, the reverse process
PKIs use encryption to facilitate the following
protect data in transit over networks from unauthorized interception and manipulation
protect information stored on computers from unauthorized viewing and manipulation
deter and detect accidental or intentional alterations of data
verify the authenticity of a transaction or document, for example when transmitted over a web-based connection in online banking, share dealing, etc.
protect data in such situations from unauthorized disclosure
understanding the business use of digital signatures is also expected, especially their use in providing non-repudiation of, and replay protection to, messages
main areas covered here are
encryption: public key infrastructure (PKI)
public key infrastructure (PKI)
a PKI is a framework by which a trusted party issues, maintains and revokes public key certificates
reasons for PKI
many applications need key distribution
digital signature vulnerability: a sender's public key may be faked, or intercepted and substituted, in transit
anyone can generate a key pair, so there is a need for a mechanism to assure that keys belong to the entities they claim to come from
in a PKI a certification authority (CA) validates keys
distribution in a PKI is done via a hierarchy of CAs
CA's process:
the CA checks the applicant's real-world credentials
obtains the public key from the user (in person, for higher assurance)
signs a certificate validating the key
the certificate is then attached to communications to assure an endpoint that an entity is who it claims to be
if the endpoint trusts the CA, then it will trust that the entity is who it claims to be
elements of a PKI include
digital certificates
certification authority (CA)
registration authority (RA)
certificate revocation list (CRL)
certification practice statement (CPS)
digital certificates
a digital credential comprising
the public key of an individual and
identifying information about the individual
it is digitally signed by the trusted entity with its private key
the receiver relies on the public key of the trusted party to verify that signature
it also includes the algorithm used and the validity period
certification authority (CA)
trusted third party that attests to the authenticity of the owner of a public key (in some deployments it also generates the key pairs)
uses due diligence to issue a certificate on evidence or knowledge; upon verification of the user the CA signs the certificate using its private key
responsible for managing the certificate throughout its life cycle
authoritative for the name or key space it represents
certificate revocation list (CRL)
lists digital certificates that are no longer valid before their expiry date, for example because the private key was compromised
it is used for checking the continued validity of certificates
the time gap between two CRL updates is critical: a certificate revoked after the last publication continues to be accepted until the next one, so relying parties must fetch the current CRL rather than rely on an old copy
certification practice statement (CPS) is a detailed set of rules governing the CA's operations; it provides
an understanding of the value and trustworthiness of the certificates issued, in terms of the controls observed
the method used to authenticate applicants
the CA's expectations on how certificates may be used
registration authority (RA): an optional entity separate from the CA that performs administrative tasks such as
recording and verifying information needed by the CA to issue certificates or CRLs
performing other certificate management functions
the CA remains solely responsible for signing digital certificates or CRLs
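the mechanisms in the asymmetric encryption, digital signature, digital envelope and PKI passages above fit together in a few dozen lines; the following is an added example written for these notes (not code from the original course) that shows them end to end: a CA issuing and revoking certificates, an endpoint validating a certificate against the CA's public key, the validity period and the CRL, signed messages that carry a sequence number and timestamp so a receiver can reject replays, and a digital envelope. Everything in it is an assumption for illustration: the RSA is textbook RSA with tiny primes and no padding, the stream cipher is a SHA-256 keystream standing in for AES, and the names, keys and messages are constructed. None of it is safe for real use; real systems use a vetted library.

```python
"""Added example, not from the original notes.  Textbook RSA with tiny primes,
a toy stream cipher, and constructed names and messages: for illustration only."""
import hashlib
import json


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def digest(data: bytes, n: int) -> int:
    """SHA-256 of the data, reduced into the modulus because the toy keys are tiny."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest(data, n), d, n)        # sign the hash with the private key


def rsa_verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data, n)  # anyone can check with the public key


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()


class CA:
    """Certification authority: binds a subject name to a public key by signing it."""
    def __init__(self, p: int, q: int):
        self.pub, self._priv = rsa_keygen(p, q)
        self.crl = set()          # serial numbers of revoked certificates
        self._serial = 0

    def issue(self, subject: str, subject_pub, not_before: int, not_after: int):
        self._serial += 1
        body = {"serial": self._serial, "subject": subject, "pub": list(subject_pub),
                "not_before": not_before, "not_after": not_after, "alg": "toy-rsa-sha256"}
        return {"body": body, "sig": rsa_sign(self._priv, canonical(body))}

    def revoke(self, serial: int):
        self.crl.add(serial)


def validate_cert(cert, ca_pub, crl, now: int) -> str:
    """'ok', or the first reason a relying endpoint must reject the certificate."""
    body = cert["body"]
    if not rsa_verify(ca_pub, canonical(body), cert["sig"]):
        return "bad CA signature"
    if not body["not_before"] <= now <= body["not_after"]:
        return "outside validity period"
    if body["serial"] in crl:
        return "revoked"
    return "ok"


def sign_message(priv, seq: int, ts: int, text: str):
    """Digital signature over the message together with its replay-protection fields."""
    msg = {"seq": seq, "ts": ts, "text": text}
    return {"msg": msg, "sig": rsa_sign(priv, canonical(msg))}


class Receiver:
    MAX_SKEW = 60                 # seconds of clock difference tolerated (assumption)

    def __init__(self, sender_pub):
        self.sender_pub, self.last_seq = sender_pub, 0

    def accept(self, signed, now: int) -> str:
        m = signed["msg"]
        if not rsa_verify(self.sender_pub, canonical(m), signed["sig"]):
            return "bad signature"          # altered, or not from the key holder
        if abs(now - m["ts"]) > self.MAX_SKEW:
            return "stale timestamp"        # an old capture resubmitted much later
        if m["seq"] <= self.last_seq:
            return "replay"                 # already seen this message or a later one
        self.last_seq = m["seq"]
        return "ok"


def keystream_xor(key: int, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (AES stand-in)."""
    stream, ctr = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(receiver_pub, session_key: int, plaintext: bytes):
    """Digital envelope: data under the session key, session key under the public key."""
    n, e = receiver_pub
    return {"wrapped_key": pow(session_key, e, n), "body": keystream_xor(session_key, plaintext)}


def open_envelope(receiver_priv, envelope) -> bytes:
    n, d = receiver_priv
    return keystream_xor(pow(envelope["wrapped_key"], d, n), envelope["body"])
```

two details are worth noticing when reading validate_cert and Receiver.accept: the checks are ordered so that an unsigned or altered object is rejected before its contents are trusted at all, and the CRL check is a lookup against whatever list the endpoint currently holds, which is exactly why the interval between CRL updates matters.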
peer-to-peer computing, instant messaging and web-based technologies
knowledge of peer-to-peer computing, instant messaging and web-based technologies, for example social networking, message boards and blogs
social networks, message boards and blogs are technologies that introduce new risk to the enterprise
information posted on social network sites may inadvertently disclose confidential non-public information, which may violate financial securities laws or customer privacy laws
peer-to-peer computing is inherently insecure and may lead to the introduction of malicious code into an otherwise secure environment
main areas to be covered here are
computer crime issues and exposures
peer-to-peer computing, instant messaging and web-based technologies
peer-to-peer computing
in peer-to-peer computing there is no specific server to which a user connects; generally the connection is made directly between two peers
as a result, with no central server to enforce controls, the risks of peer-to-peer include
virus-infected files can be shared directly with others
Trojans and spyware may be inadvertently copied across systems
users may expose their IP addresses, which could result in, for example, IP spoofing, traffic sniffing and other IP-based attacks
a user from the peer network may access sensitive data in unprotected shared folders
controls in peer-to-peer computing:
proper security policies and control measures are required for peer-to-peer computing
the safest approach is to deny such connections unless there is a business need
instant messaging
instant messaging (IM) is a popular mechanism for collaboration and keeping in touch; it involves two or more users connecting and chatting on topics of interest, with prompt acknowledgement and response rather than email
risks of instant messaging are
eavesdropping, if sensitive information is sent over unencrypted channels
exchange of virus-infected files and other malicious code
data leakage, if file transfers over IM channels are unmonitored
exploitation of vulnerabilities, if the public IM client software is not adequately patched
controls
a good IM policy and user awareness are required
it is advisable to use internal IM software instead of public services
only enterprise employees should be allowed to connect, and
adequate monitoring of IM use is needed to minimize the risk of leakage of confidential information
social networking sites
social networking sites (SNS) include sites such as Facebook and LinkedIn that help establish connections with colleagues, friends and relatives
risks
uploading of personal and private information
phishing
URL spoofing
cyberstalking
controls
policies on what information can be shared on such sites
education and awareness for staff on what information to share or not share on such sites
possibly a policy banning the use of such sites in the office
example of an incident
an attacker was able to gather the names of an employee's friends and his date of birth from a social networking site; the attacker used this information to spoof email from the employee and managed to receive money from the friends by impersonating him and claiming to be stranded in another country with no passport and no money
controls and risks associated with the use of mobile and wireless devices
knowledge of controls and risks associated with the use of mobile and wireless devices
portable and wireless devices present a new threat to an organization's information assets and must be properly controlled
policies and procedures, as well as additional protection mechanisms, must be put into place to ensure that data is protected to a greater extent on portable devices, since such devices will most likely operate in environments where physical controls are lacking or non-existent
most transportable media and devices, including PDAs, BlackBerry devices, etc., are easily lost or stolen and thus require the use of encryption technologies as well as strong authentication
it may also be necessary to classify some data as inappropriate for storage on a mobile device
the IS auditor should understand that all such media and devices, which may include personal music (MP3) players, can also be used by an individual to steal both data and programs for personal use or gain
we will focus on mobile computing
main areas covered here are
mobile computing
laptop security
risk of using laptops
the main risk is the difficulty of implementing logical and physical security in a mobile environment
laptop security controls
physical measures: engraving the serial number and company name, cable locks, motion detectors
regular backup of sensitive data
encryption of data (full-disk encryption, so that a lost device discloses nothing without the key)
allocating passwords to individual files
theft response procedures
voice communication security
voice over IP (VoIP)
IP telephony (internet telephony) is the technology that makes it possible to have a voice conversation over the Internet; the protocols used to carry the signal over the IP network are referred to as VoIP
VoIP is a technology where voice traffic is carried on top of the existing data infrastructure
in VoIP, sounds are digitized into IP packets and transferred through the network layer before being decoded back into the original voice
VoIP has reduced long-distance call costs in a number of organizations
thus we will focus on voice over IP and the private branch exchange
VoIP advantages over traditional telephony
VoIP innovation progresses at market rates rather than at the rates of the ITU (International Telecommunication Union)
lower costs per call, or even free long-distance calls
lower infrastructure costs
the risks associated with the use of VoIP are
the need to protect two assets, the data and the voice
inherent insecurity: the current Internet architecture does not provide the same physical wire security as phone lines
controls for securing VoIP
implement security mechanisms such as those deployed in data networks, for example firewalls and encryption, to emulate the security level currently enjoyed by PSTN users
private branch exchange (PBX)
a PBX is a sophisticated computer-based phone system; originating in the early 1920s, it was analog but is now digital; its principal purpose was to save the cost of providing each person with an outside line
attributes include
multiple telephone lines
digital phones for both voice and data
switching of calls within the PBX
non-blocking configuration that allows simultaneous calls
operator console or switchboard
risks associated with the use of a PBX are
theft of service and toll fraud
disclosure of information through eavesdropping
unauthorized access to resources
denial of service
traffic analysis (a passive attack)
evidence preservation techniques
knowledge of the evidence preservation techniques and processes followed in forensic investigations, for example the IT process and chain of custody
audit conclusions should be supported by reliable and relevant evidence
evidence collected during the course of an audit follows a life cycle
the life cycle comprises collection, analysis, preservation and destruction of evidence
the source of evidence should be reliable and qualified, that is, from an appropriate original source rather than obtained second-hand or as hearsay
evidence should originate directly from a trusted source to help ensure objectivity in fraud investigations or legal proceedings; maintaining the integrity of evidence throughout the evidence life cycle is referred to as the chain of custody when the evidence is classified as forensic
audit evidence should include information regarding its date of creation
main areas covered here are
evidence
audit documentation
investigation techniques
continuous auditing
investigation techniques
investigation techniques include the investigation of computer crime and the protection of evidence and chain of custody, among others
investigation of computer crime
computer crimes are not reported in most cases, simply because they are not detected or because of the negative publicity they generate
in many countries laws are directed toward protecting physical property, making it very difficult to use such laws against computer crime
it is very important that proper procedures are used to collect evidence from a crime scene
the environment and evidence must be left unaltered, and specialist law enforcement officials must be called in after a crime
computer forensics is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings, for example in court
it includes activities involving the exploration and application of methods to gather, process, interpret and use digital evidence
loss of the integrity of the evidence means loss of its value in legal proceedings
the chain of evidence contains information regarding
who had access to the evidence, in chronological order
the procedures followed in working with the evidence
proof that the analysis is based on copies identical to the original evidence
considerations regarding evidence
identify
identify information that may form evidence
preserve
the practice of retrieving identified information and preserving it as evidence; involves imaging the original data and documenting the chain of custody
analyze
involves extracting, processing and interpreting the evidence; analysis is performed on an image of the media, not the original
present
involves a presentation to the various audiences, such as management and attorneys; the presenter must be qualified and the process of preservation and analysis credible
key elements of computer forensics the IS auditor should consider
data protection: measures to ensure sought-after information is not altered
data acquisition: all required data transferred to a controlled location, and writable media write-protected
imaging: a process allowing bit-for-bit replication of the data on a disk that avoids damage to the original data; hashes of the original and of the image are compared to prove the copy is identical
extraction: the process of identification and selection of relevant data from the imaged data set
interrogation: used to obtain prior indicators or relationships from the extracted data
ingestion/normalization: the process of converting extracted information into a format that can be understood by investigators
reporting: information should be collected and reported in a proper way for it to be valuable
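the preserve, image and extract steps above reduce to a small amount of bookkeeping whose whole purpose is to let the presenter later prove that the analysis was done on an exact copy; the following added example (written for these notes, not code from the original course) shows that bookkeeping. The "drive" is a constructed byte string standing in for a write-blocked device, the item identifier and the names of the officer and examiner are invented, and the string extraction is the simplest possible form of the extraction step.

```python
"""Added example, not from the original notes: hashing at seizure, bit-for-bit
imaging, chain-of-custody records and a minimal extraction step.  The drive
contents, item id and people named are constructed for the illustration."""
import hashlib
from datetime import datetime, timezone


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Evidence:
    def __init__(self, item_id: str, original: bytes, collected_by: str, when: datetime):
        self.item_id = item_id
        self._original = original                 # stands in for the write-protected source
        self.original_hash = sha256(original)     # taken at seizure, before any copy is made
        self.custody = []                         # chain of custody: who, when, what, hash
        self.log(collected_by, when, "collected and hashed original", self.original_hash)

    def log(self, who: str, when: datetime, action: str, digest: str):
        self.custody.append({"who": who, "when": when.isoformat(),
                             "action": action, "sha256": digest})

    def image(self, examiner: str, when: datetime) -> bytes:
        """Bit-for-bit copy; its hash must equal the hash taken at seizure."""
        img = bytes(self._original)
        if sha256(img) != self.original_hash:
            raise RuntimeError("image does not match original")
        self.log(examiner, when, "created bit-for-bit image", sha256(img))
        return img

    def verify_image(self, img: bytes) -> bool:
        """Analysis is done on the image; this shows it is identical to the original."""
        return sha256(img) == self.original_hash

    def custody_is_continuous(self) -> bool:
        """Every entry must carry the original hash and entries must be in time order."""
        times = [entry["when"] for entry in self.custody]
        return (all(entry["sha256"] == self.original_hash for entry in self.custody)
                and times == sorted(times))


def extract_strings(img: bytes, min_len: int = 6):
    """Extraction step: printable ASCII runs pulled from the image, never the original."""
    runs, current = [], bytearray()
    for byte in img:
        if 32 <= byte < 127:
            current.append(byte)
        else:
            if len(current) >= min_len:
                runs.append(current.decode())
            current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode())
    return runs


def demo():
    """Seize a constructed drive, image it, and produce a tampered working copy."""
    drive = (b"\x00\x01boot\x00" + b"passwd=hunter2!" + b"\xff" * 4
             + b"quarterly-report.xlsx" + b"\x00" * 8)           # constructed contents
    seized = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    ev = Evidence("HDD-0042", drive, "officer A", seized)
    img = ev.image("examiner B", seized.replace(hour=10))
    tampered = img[:-1] + b"\x01"        # a working copy someone altered by one byte
    return ev, img, tampered
```

the hash recorded at seizure is the anchor for everything that follows: each custody entry repeats it, the image is accepted only if it reproduces it, and a working copy that has drifted by a single byte fails verification, which is what makes the "analysis was performed on an identical copy" claim provable rather than asserted.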
data classification standards and supporting procedures
knowledge of data classification standards and supporting procedures
information assets have varying degrees of sensitivity and criticality in meeting business objectives; data is classified and protected according to its assigned degree
an important first step to data classification is discovery, inventory and risk assessment; once this is accomplished, data classification can be put into use
by assigning classes or levels of sensitivity and criticality to information resources and establishing specific security rules for each class, enterprises can define the level of access controls and the retention time and destruction requirements that should be applied to each information asset
the IS auditor should understand the process of classification and the interrelationship between data classification, the need for inventorying information assets, and the assignment of responsibility to data owners
data owner responsibilities should be clearly identified, documented and implemented
main areas to be covered here are
inventory and classification of information assets
inventory and classification of information assets
a detailed inventory of information assets is required for effective control
the inventory is the first step in classifying the assets and determining the level of protection required
an inventory record should include
specific identification of the asset
relative value to the organization
location
security risk classification
asset group, where the asset forms part of a larger information system
owner
designated custodian
classification should be simple and employed during risk assessment by end-user managers and system administrators (ISO/IEC, 2005)
it reduces the risk and cost of over- or under-protection
it is used to identify
who has access to what
who determines access rights and levels
the approvals required for access
classification is done by differing degrees for data sensitivity and for the mission criticality of the business applications
classification of assets
information assets have varying degrees of sensitivity and criticality, which determine the appropriate levels of control
application/database criticality classification, for example
mission critical
significant
moderate, or
low
physical access controls
physical access controls for the identification, authentication and restriction of users to authorized facilities
physical security weaknesses can result in financial loss, legal repercussions, loss of credibility or loss of competitive edge
thus information assets must be protected against physical attacks such as vandalism and theft, through controls that restrict access to sensitive areas containing computer equipment or confidential data files
such controls usually employ access door locks that require the use of a password, key, token or biometric authentication of the person attempting entry
in high security areas access may require authentication through multiple means and the use of strong security measures such as airlock-type or mantrap entrances
the IS auditor should understand the nature of physical controls and the ways in which they can be circumvented, as well as the concept of the security boundary, to establish where such devices should be placed and how effective they must be
main areas covered here are
physical access controls and exposures
physical access controls
door locks bolting combination electronic biometric
deadman doors (mantraps)
logging manual electronic
identification badges
video cameras
security guards
controlled visitor access
bonded Personnel
not advertising locations of sensitive facilities
computer workstation locks
controlled single entry points
alarm systems
secured report/document distribution carts
physical access exposures
physical access exposures primarily originate from natural and man-made hazards; they include
unauthorized entry
damage vandalism theft
viewing or copying sensitive information
alteration of data
public disclosure of sensitive information
abuse of processing facilities
blackmail and embezzlement
auditing physical access
auditing physical access involves
touring the information processing facility
visibly observing physical access controls
reviewing physical security documentation
evaluating
general cleanliness
doors, windows, walls, curtains
ceilings, raised floors and
ventilation
environmental protection devices and supporting practices
knowledge of environmental protection devices and supporting practices
certain natural and man-made events have the ability to do great damage to an organization's information systems and business processes
most data centers have mechanisms to prevent, detect or mitigate the impact of these threats
however, it is important that the readiness and sufficiency of these controls be periodically tested by management to ensure that they will function as intended
the IS auditor should understand the nature of these controls and how to ensure that they are functioning properly and are adequate to protect the facility
environmental controls generally include fire and smoke detectors, fire suppression systems, water detectors, and temperature and humidity controls
the IS auditor should know the relative merits of different fire suppression systems and in what circumstances one type is more appropriate than another
main areas of coverage are
environmental exposures and controls
the environmental exposures
include natural events like lightning storms, earthquakes, etc.
power failures are of particular concern
total failure (blackouts)
severely reduced voltage (brownouts)
sags, spikes and surges
electromagnetic interference (EMI) caused by electrical storms or noisy electrical equipment
static electricity and magnetic fields
water damage and flooding
fire
man-made: terrorism, vandalism, smoke, food and drink near equipment
natural elements: humidity, dust, temperature
environmental controls
power continuity
power generators, for long-term power interruptions
surge protectors, at least on all expensive equipment
UPS devices, for sags, spikes, surges and short interruptions until generators take over
emergency power-off switch
redundant power lines, for example feeds from two substations
fire controls
fire extinguishers strategically placed throughout the facility
fire suppression systems, either
water-based sprinklers (which damage equipment), or
dry-pipe sprinklers, Halon systems (production now phased out on environmental grounds, so legacy installations are being replaced) or CO2-based systems
regular inspection by the fire department
also use of audible fire alarms
smoke detectors
defined responsibilities
marked locations
fireproof walls, floors and ceilings
further environmental controls that can be applied are
strategically locating the computer room (not in the basement)
raised floors and water detectors
proper ventilation, humidity and temperature control
wiring placed in fire-resistant panels and conduits
prohibiting eating, drinking and smoking within information processing facilities
a documented and tested emergency evacuation plan
auditing environmental controls involves
checking that systems work as specified and are inspected and tested at least once a year
placing and assigning responsibility to the persons concerned
maintaining communication and awareness
having a business continuity plan that will be used in case of a disaster; this plan should be fully documented and tested
handling confidential information assets
knowledge of the processes and procedures used to store, retrieve, transport and dispose of confidential information assets is key for a CISA candidate
confidential information assets are vulnerable during storage, retrieval and transport, and must be disposed of properly
management should define and implement procedures to prevent unauthorized access to, or loss of, sensitive information and software from computers, disks and other equipment or media when they are stored, transported or transmitted during processing, retrieval and output
the IS auditor should also understand the need for correct disposal of information and media, in order to ensure that no unauthorized person gains access to the information by restoration or re-creation
main areas of coverage
storing, retrieving, transporting and disposing of confidential information assets
handling confidential information
storing, retrieving, transporting and disposing of confidential information
procedures are needed to prevent unauthorized access to information or software
further controls are required for
backup files and databases
data banks
disposal of media previously used to hold confidential information
management of equipment sent for off-site maintenance
public agencies and organizations concerned with sensitive, critical or confidential information
e-tokens and electronic keys
storage of records
preserving information during shipment or storage by
keeping it out of direct sunlight
keeping it free of dust
keeping it free of liquids
minimizing exposure to magnetic fields, radio equipment or any source of vibration
not transporting by air in areas and at times of exposure to a strong magnetic storm
summary
you have learned so far, on protection of information assets:
1 a long asymmetric encryption key (public key encryption) increases encryption overhead and cost
2 creating user accounts that automatically expire by a predetermined date is an effective control for granting temporary access to vendors and external support personnel
3 worms are malicious programs that can run independently and can propagate without the aid of a carrier program such as email
4 identifying network applications, such as mail, web or FTP servers, to be externally accessed is an initial step in creating a proper firewall policy
5 the SSL protocol provides confidentiality through symmetric encryption such as the Data Encryption Standard (DES); note that DES is obsolete and current TLS deployments use AES
6 intrusion detection systems (IDS) are used to gather evidence of network attacks
7 timestamps are an effective control for detecting duplicate transactions, such as payments made or received
8 traffic analysis is a passive attack method used by intruders to determine potential network attacks
9 file encryption is a good control for protecting confidential data that resides on a PC
10 although many methods of fire suppression exist, dry-pipe sprinklers are considered to be the most environmentally friendly
11 logical access controls should be reviewed to ensure that access is granted on a least-privilege basis, as defined by the organization's data owners
12 a callback system is a remote access control in which the user initially connects to the network systems via dial-up access, only to have the connection terminated by the server, which then dials back the user at a predetermined number stored in the server's configuration database
13 information system security policies are used as the framework for developing logical access controls
this concludes the domain on protection of information assets
**********************************************************************************************
Udemy ISACA's Certified Information System Auditor (CISA) Exam
Section 1: Information System Auditing process:
Audit Planning:
The objective of an IS audit is
to evaluate whether implemented controls are efficient and
effective in protecting information assets,
maintaining data integrity, and
ensuring the availability of assets
in order to meet the organization’s goals and objectives.
An audit charter includes the following:
• The mission, purpose, and objective of the audit function
• The scope of the audit function
• The responsibilities of management
• The responsibilities of internal auditors
• The authorized personnel of the internal audit work
An audit plan helps to determine the following:
• The objectives of the audit
• The scope of the audit
• The periodicity of the audit
• The members of the audit team
• The method of audit
Audit universe: An inventory of all the functions/processes/units under the organization.
• Qualitative risk assessment: In a qualitative risk assessment, risk is assessed using qualitative
parameters such as high, medium, and low.
• Quantitative risk assessment: In a quantitative risk assessment, risk is assessed using numerical
parameters and is quantified; for example, for a 50% chance of failure, the amount at risk is $1000.
• Risk factors: Factors that have an impact on risk. The presence of such factors increases the
risk, whereas their absence decreases the risk.
Selection Criteria
The resultant risk is evaluated against the criteria set by management.
The audit plan can then be designed to consider all high-risk areas.
What should be your first step in risk-based audit planning?
Your answer should be to identify high-risk processes in the company.
In risk-based audit planning,
the objective is to allocate audit resources effectively by focusing on areas with the highest level of risk.
By identifying high-risk processes within the company, auditors can prioritize their efforts
and concentrate on areas that are more likely to have significant control deficiencies
or potential financial misstatements.
This step involves assessing various factors, such as the complexity of the processes and the inherent risk associated with them.
What is the advantage of risk-based audit planning?
Your answer should be optimum use of audit resources for high-risk processes.
A major advantage of a risk-based approach to audit planning is the optimum use of audit resources
for high-risk processes.
By identifying and prioritizing high-risk areas within the organization, auditors can allocate their resources
and efforts effectively.
By focusing on high-risk processes, auditors can perform more thorough and detailed audit procedures in those areas, leading to more reliable and meaningful audit findings.
What is the first step to conduct a data center review?
Your answer should be the evaluation of vulnerabilities and threats to the data center location.
Getting information and an understanding of the processes being audited
and evaluating the risks and various threats will help auditors to concentrate
on high-risk areas,
thereby making the audit more effective and relevant.
QAE questions - audit planning
Which of the following is the first step in risk-based audit planning?
Please try to understand the question thoroughly. The question is about the first step of risk-based audit planning. Now evaluate the available options and select the best answer.
The correct answer here is to identify high-risk processes in the company.
In risk-based audit planning the objective is to allocate audit resources effectively by focusing on areas with the highest level of risk.
By identifying high-risk processes within the company, auditors can prioritize their efforts and concentrate on areas that are more likely to have significant control deficiencies.
Which of the following is a major advantage of a risk-based approach to audit planning?
The correct answer is the optimum use of audit resources for high-risk processes.
A major advantage of a risk-based approach to audit planning is the optimum use of audit resources for high-risk processes.
By identifying and prioritizing high-risk areas within the organization, auditors can allocate their resources and efforts effectively. By focusing on high-risk processes, auditors can perform more thorough and detailed audit procedures in those areas, leading to more reliable and meaningful audit findings.
Which of the following should be the first exercise while reviewing data center security?
The correct answer is the evaluation of vulnerabilities and threats to the data center location.
Getting information and an understanding of the processes being audited and evaluating the risks and various threats will help auditors to concentrate on high-risk areas, thereby making the audit more effective and relevant.
Which of the following is the most important aspect of planning an audit?
The correct answer is identifying high-risk processes.
By identifying high-risk processes, auditors can design appropriate audit procedures to address the identified risks. This includes understanding the nature of the processes, assessing the control environment and evaluating the effectiveness of internal controls.
Audit charter
The audit charter is the formal document that contains
scope of the audit functions,
authority of the audit functions,
and responsibility of the audit functions.
Scope means which processes, departments, locations, et cetera, should be audited.
Authority means what authority the audit department has to access the records and relevant data for the audit.
Responsibility of the audit function means what the responsibility of the head of audit is, and to whom he should be reporting.
Actions of the audit department are primarily influenced by the audit charter.
The question arises, "Who should approve the audit charter?" The audit charter should be approved by senior management. In most organizations, it is approved by the audit committee of the board.
Now let us discuss what the audit charter should be and what the audit charter should not be.
The audit charter should be approved by the highest level of management.
It should be a written document, and it defines the roles and responsibility of the audit function.
But the audit charter should not be dynamic in nature; that is, it should not be changed too often.
It should not include a detailed yearly audit calendar, audit planning, yearly resource allocation and other routine audit activities.
It should not include aspects like professional fees, travel expenses, et cetera.
Let us discuss some key aspects from CISA exam perspective.
Who should approve the audit charter of an organization?
Senior management.
What should be the content of an audit charter?
Scope of the audit function, authority of the audit function, and responsibility of the audit function.
What is the prime reason for review of an organization chart?
To understand the authority and responsibility of the individuals.
Actions of an IS auditor are primarily influenced by?
The audit charter.
Which document provides the overall authority for an auditor to perform an audit?
Again, the audit charter.
What is the primary reason for the audit function directly reporting to the audit committee of the board?
Yes, independence. The audit function must be independent of the business function and should have direct access to the audit committee of the board.
Practical questions:
The audit charter should?
incorporate the scope, authority, and responsibility of the audit department.
The prime objective of an audit charter is to?
Document the responsibility and authority of the audit department.
Electronic Data Interchange
EDI is the online transfer of data or information between two organizations. The traditional exchange of paper documents between two organizations has been replaced with EDI platforms.
It contains processing features such as transmission, translation and storage of the transactions flowing between two enterprises.
Risks associated with the EDI process:
As we know, in the EDI process the systems of two partners are connected, so it is very important to have an agreement (a trading partner agreement).
In the absence of an agreement, there could be uncertainty about specific legal liability.
Another important concern is transaction authorization and transaction authentication for EDI processes.
Other EDI-related risks include unauthorized access, loss of data integrity and confidentiality, and loss or duplication of EDI transactions.
Controls for EDI process
What kind of control is required for my inbound transactions?
Inbound transactions are the transactions that my system is receiving from my partner's system.
First, I need to maintain a log of each inbound transaction on its receipt.
I need to ensure proper reconciliation of inbound transactions by building segment count totals. A segment count total will help me to reconcile whatever transactions I have received against whatever transactions I have processed.
Any deviation or difference is to be properly sorted out by doing root cause analysis.
I need to implement check digit control to detect transposition and transcription errors.
Control requirements for outbound transactions.
That is, the transactions moving from my system to my partner's system.
Again, maintain a log of each outbound transaction. Transactions are to be compared with the trading partner's input, so that my output is reconciled against my partner's input. Proper segregation of duties is required for high-risk transactions. For authentication and authorization, appropriate segregation of duties should be (indistinct).
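The three inbound controls listed above (a receipt log, a segment count total, and a check digit), applied to a few constructed messages. This is an added worked example, not code from the course or from any EDI product. The message layout is a simplified X12-like format assumed for the example (segments end with "~", elements are separated by "*", SE carries the segment count, the purchase order number sits in the BEG segment), and the check digit is a mod-10 (Luhn) digit, which is one common choice rather than something the course prescribes:

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed inbound messages (assumption of this example, not course material).
# ST opens a transaction set, SE closes it; the first element of SE is the number
# of segments from ST to SE inclusive, i.e. the partner's segment count total.
INBOUND_OK = (
    "ST*850*0001~BEG*00*SA*79927398713**20240101~"
    "PO1*1*10*EA*9.99**VP*ABC123~CTT*1~SE*5*0001~"
)
# Same transaction with the PO1 line lost in transit: SE still claims 5 segments.
INBOUND_TRUNCATED = "ST*850*0002~BEG*00*SA*79927398713**20240101~CTT*1~SE*5*0002~"
# Same transaction with two adjacent digits of the PO number transposed (87 -> 78).
INBOUND_TRANSPOSED = (
    "ST*850*0003~BEG*00*SA*79927397813**20240101~"
    "PO1*1*10*EA*9.99**VP*ABC123~CTT*1~SE*5*0003~"
)


def luhn_valid(number: str) -> bool:
    """Mod-10 (Luhn) check: catches every single-digit transcription error and
    every adjacent transposition except 09 <-> 90."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Check digit the sender appends so that luhn_valid(payload + digit) holds."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # these positions are doubled once the digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def parse_segments(message: str) -> List[List[str]]:
    return [seg.split("*") for seg in message.split("~") if seg.strip()]


def segment_count_ok(message: str) -> bool:
    """Segment count total: the count claimed in SE must equal the segments received."""
    segs = parse_segments(message)
    if len(segs) < 2 or segs[0][0] != "ST" or segs[-1][0] != "SE":
        return False
    try:
        return int(segs[-1][1]) == len(segs)
    except (IndexError, ValueError):
        return False


def purchase_order_number(message: str) -> str:
    for seg in parse_segments(message):
        if seg[0] == "BEG" and len(seg) > 3:
            return seg[3]
    return ""


def log_inbound(message: str, received_at: Optional[datetime] = None) -> Dict:
    """Receipt log entry for one inbound transaction, with the result of each control."""
    segs = parse_segments(message)
    po = purchase_order_number(message)
    entry = {
        "received_at": (received_at or datetime.now(timezone.utc)).isoformat(),
        "control_number": segs[0][2] if segs and len(segs[0]) > 2 else "",
        "po_number": po,
        "segment_count_ok": segment_count_ok(message),
        "check_digit_ok": luhn_valid(po),
    }
    entry["accepted"] = entry["segment_count_ok"] and entry["check_digit_ok"]
    return entry


def process_inbound(messages: List[str]) -> List[Dict]:
    return [log_inbound(m) for m in messages]


def reconcile(received: List[Dict], processed: Set[str]) -> Dict[str, List[str]]:
    """Received-vs-processed reconciliation over the log; any difference goes to
    root cause analysis."""
    accepted = {e["control_number"] for e in received if e["accepted"]}
    return {
        "received_not_processed": sorted(accepted - processed),
        "processed_not_received": sorted(processed - accepted),
    }


if __name__ == "__main__":
    for e in process_inbound([INBOUND_OK, INBOUND_TRUNCATED, INBOUND_TRANSPOSED]):
        print(e)
```

The truncated message fails only the segment count, the transposed one fails only the check digit, so the log shows which control caught each defect; the reconciliation then compares accepted control numbers against what the downstream process actually handled.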
CISA exam perspective:
What is the major risk of EDI transactions?
EDI means systems connecting two partner organizations.
The major risk will be the absence of a proper agreement.
What is the objective of encryption?
To ensure the integrity and confidentiality of transactions.
How are the inbound transactions controlled in an EDI environment?
By maintaining the logs for receipt of inbound transactions, use of segment count totals, and use of check digit.
What is the objective of key verification control?
Key verification is the method where data is entered a second time and compared with the initial data entry to ensure that data entered is correct.
This is generally used in EFT transactions, where another employee re-enters the same data to perform this check before any amount is transferred.
What is the objective of non-repudiation?
Non-repudiation ensures that a transaction is enforceable and that the sender cannot deny generating and sending the message.
What is the most important component of the artificial intelligence/expert system area?
Knowledge base.
Practice questions:
Which of the following is the area of greatest concern in an EDI process?
Unavailability of contract.
Encryption helps in achieving which of the following objectives in an EDI environment?
Confidentiality and integrity of the transactions.
In an EDI environment, which of the following procedures ensures the completeness of an inbound transaction?
Building a segment count total.
In which of the following processes are details entered by one employee re-entered by another employee to check their accuracy?
Key verification.
Which of the following is used in an e-commerce application to ensure that a transaction is enforceable?
Non-repudiation.
Internal controls and different forms of internal controls
Internal controls provide reasonable assurance to management about the achievement of business objectives.
Internal controls are implemented through policies, procedures, practices, and organizational structures to address risks.
Internal controls help in achieving the objectives of the organization by mitigating various risks.
Through internal controls, risk events are prevented, or detected and corrected.
Thus, the objective of implementing internal controls is to provide reasonable assurance to management about the achievement of business objectives.
There are primarily four types of controls. They are preventive, detective, corrective and deterrent.
Preventive controls are designed to be implemented
in such a way that prevents a threat event and thus avoids any potential impact of that threat event.
Detective controls are designed to detect a threat event
once that event has occurred. Detective controls aim to reduce the impact of such events.
Corrective controls are designed to minimize the impact
of a threat event once it has occurred, and help in restoring a business to normal operations.
The purpose of a deterrent control is to give a warning signal to deter a threat event.
Examples of preventive controls include: use of qualified personnel, segregation of duties, edit checks, firewalls, et cetera.
Examples of detective controls include: internal audits, parity and checkpoint controls, echo control, et cetera.
Examples of corrective controls include: BCP, DRP, et cetera.
Examples of deterrent controls include: CCTV cameras or "under surveillance" signs, et cetera.
Let us understand the different types of controls by evaluating a few examples.
Hash total.
A hash total is a value calculated by applying a hash function to a set of data elements. By comparing the hash totals of data sets, we can determine
whether the data has been altered,
tampered with or corrupted in any way.
If the hash totals match, it indicates
that the data has likely remained intact.
However, if the hash totals differ, it suggests that changes have occurred, and further investigation is required. Thus, a hash total is primarily considered a detective control.
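An added example, not part of the course notes, showing a hash total as a detective control over a constructed batch of payment records. It sits next to the other classic batch controls (record count and financial total) and next to a SHA-256 digest of the whole batch. The record layout and field names are assumptions of the example; the second tampering case shows why a plain hash total over one field is weaker than a cryptographic digest over the whole record:

```python
import copy
import hashlib
import json
from typing import Dict, List

# Constructed batch of payment records (assumption of this example).
BATCH: List[Dict] = [
    {"account": 100234, "amount": 250.00},
    {"account": 100877, "amount": 99.50},
    {"account": 100301, "amount": 1200.00},
]


def batch_control_totals(records: List[Dict]) -> Dict[str, float]:
    """Classic batch controls. The hash total sums a field with no business meaning
    (account numbers); its only purpose is to change when a record is dropped,
    duplicated or altered, which makes it a detective control."""
    return {
        "record_count": len(records),
        "amount_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(r["account"] for r in records),
    }


def batch_digest(records: List[Dict]) -> str:
    """Cryptographic digest over a canonical serialization of the whole batch."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_batch(records: List[Dict], expected_totals: Dict, expected_digest: str) -> Dict[str, bool]:
    """Receiver-side check: recompute every control and compare with what the sender sent."""
    actual = batch_control_totals(records)
    return {
        "record_count_ok": actual["record_count"] == expected_totals["record_count"],
        "amount_total_ok": actual["amount_total"] == expected_totals["amount_total"],
        "hash_total_ok": actual["hash_total"] == expected_totals["hash_total"],
        "digest_ok": batch_digest(records) == expected_digest,
    }


def altered_account(records: List[Dict]) -> List[Dict]:
    """Tampering case 1: one account number changed, amounts untouched."""
    tampered = copy.deepcopy(records)
    tampered[1]["account"] += 1
    return tampered


def swapped_amounts(records: List[Dict]) -> List[Dict]:
    """Tampering case 2: two amounts swapped between accounts. Every batch total
    stays the same, so only the digest catches it."""
    tampered = copy.deepcopy(records)
    tampered[0]["amount"], tampered[1]["amount"] = tampered[1]["amount"], tampered[0]["amount"]
    return tampered


def demo() -> Dict[str, Dict[str, bool]]:
    # The sender computes the controls once and transmits them alongside the batch.
    totals, digest = batch_control_totals(BATCH), batch_digest(BATCH)
    return {
        "intact": verify_batch(BATCH, totals, digest),
        "altered_account": verify_batch(altered_account(BATCH), totals, digest),
        "swapped_amounts": verify_batch(swapped_amounts(BATCH), totals, digest),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Note that none of these controls prevents the alteration; they only reveal that it happened after the fact, which is exactly what makes them detective rather than preventive.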
Rerun procedures.
Rerun procedures involve repeating or re-executing a specific process or task to rectify the situation.
These procedures aim to achieve the desired outcome or restore the system to a proper state. Thus, rerun procedures are primarily considered
as corrective control.
Log reviews.
Log reviews are considered detective controls because they involve the examination and analysis of system logs, event logs, or audit logs to identify anomalies, suspicious activities or potential security incidents that may have occurred.
Thus, log reviews are considered as detective control.
Contingency planning.
Contingency planning often includes developing procedures and protocols for responding to incidents
or disruptions that have already occurred.
These response plans outline the steps to be taken to mitigate the impact of the incident, minimize downtime, and restore normal operations.
The focus is on correcting the situation and recovering from the incident.
Thus, contingency planning is considered as corrective control.
Transaction authorization.
Transaction authorization involves establishing a formal process by which transactions are reviewed
and approved before they are executed or processed.
This process ensures that transactions meet specific criteria such as proper approval levels, sufficient funds or resources and compliance with policies or regulations.
Thus, transaction authorization is considered as a preventive control.
Error messages over tape label.
By monitoring the error messages displayed on tape labels, organizations can proactively identify potential issues such as data corruption, incomplete backups or failed tape operations.
These error messages act as a form of detective control by providing real-time feedback about the health and integrity of the tape data.
Thus, error messages are considered as a detective control.
Exam perspective Internal controls
"Segregation of duties is an example of which type of control?"
The answer should be preventive control.
Segregation of duties involves separating critical functions or responsibilities among multiple individuals to ensure that no single person has complete control over a process or transaction from start to finish.
This control helps prevent fraud, errors, and misuse of resources by reducing the likelihood of unauthorized activities or intentional misconduct.
"Controls that enable a risk or deficiency to be corrected before a loss occurs are known as?"
The answer should be corrective control.
"Controls that directly mitigate a risk or lack of controls directly acting upon a risk are known as?"
The answer should be compensating control.
Compensating controls are typically put in place when organizations cannot fully implement
a required control due to various reasons, such as technical limitations, cost constraints, or compatibility issues.
Rather than leaving the vulnerability or security gap unaddressed, compensating controls are implemented to reduce the risk to an acceptable level.
Question 1.
An organization has designed a well-structured process documentation to prevent processing errors.
This is an example of?
The correct answer is preventive control.
Preventive controls are measures put in place to avoid or minimize the occurrence of errors, risks, or problems.
They are proactive in nature and aim to prevent issues from happening in the first place.
By documenting the processes and providing clear guidelines, the organization is taking steps to prevent errors by ensuring that employees have access to accurate information and instructions.
Detective controls, on the other hand, are designed to identify errors or problems after they have occurred.
Corrective controls are implemented to address and rectify errors or problems that have been detected.
Deterrent controls are measures put in place to discourage individuals from engaging in undesirable behaviors or actions.
Question 2.
An organization has designed a control that enables a deficiency to be corrected before a loss occurs.
This is an example of?
The correct answer is corrective control.
Corrective controls are designed to minimize the impact of a threat event once it has occurred
and help in restoring the routine operations of the business.
Question 3.
Utilizing a service of only qualified resources is an example of?
The correct answer is preventive control.
Preventive controls are measures put in place to prevent errors, risks, or problems from occurring in the first place.
By ensuring that only qualified resources are utilized, the organization aims to prevent potential issues that may arise from the use of unqualified or inexperienced individuals.
Question 4.
A check subroutine that identifies an error and makes a correction before enabling the process to continue
is an example of what kind of control?
The correct answer is corrective control.
A check subroutine refers to a specific section of code or a function that is designed to validate or verify certain conditions or inputs.
It is a routine or procedure that performs checks or tests to ensure the correctness, integrity, or compliance of data, processes, or systems.
The check subroutine serves as a control mechanism that detects errors and takes corrective action to fix them before allowing the process to continue.
By automatically identifying and correcting errors, the control aims to prevent further issues or negative consequences that could occur if the error were to persist.
Question 5.
An organization has put up warning signs restricting unauthorized entry to its data center. This is an example of?
The correct answer is deterrent control.
Deterrent controls are measures put in place to discourage individuals from engaging in undesirable behaviors or actions.
In this scenario, the warning signs serve as a deterrent by clearly indicating that unauthorized entry is restricted.
The purpose of these signs is to create awareness and communicate the consequences of unauthorized access, thus deterring individuals from attempting to enter the data center without authorization.
Question 6.
An organization has implemented echo protocol in its telecommunication channel. This is an example of?
The correct answer is detective control.
In the context of telecommunication and networking, an echo message refers to a type of message that is sent from one device or system to another with the purpose of testing the round trip time or latency of the communication channel.
Echo messages can be used for diagnostic purposes, troubleshooting network problems, or monitoring network performance.
They provide valuable information about the quality and efficiency of the communication channel, allowing administrators to identify and address any issues that may be impacting the overall communication experience.
Question 7.
Checkpoints in a production job are examples of what kind of control?
The correct answer is detective control.
By implementing checkpoints, the organization can track the job's execution and compare it against predetermined criteria or expectations.
If any deviations or errors are detected at the checkpoints, they can be flagged and appropriate actions can be taken to investigate and resolve the issues.
Question 8.
Controls that minimize the impact of a threat are what kind of controls?
The correct answer is corrective controls.
Corrective controls are designed to minimize the impact of a threat event once it has occurred and help in restoring to the routine operations of a business.
Examples of corrective controls include business continuity planning, disaster recovery planning, incident response planning, et cetera.
Question 9.
Controls that indirectly address a risk or address the absence of controls that would otherwise directly act upon that risk are what kind of controls?
Correct answer is compensating controls.
Compensating controls are put in place when it is not possible or practical to implement the primary or ideal control measures.
These controls are designed to counterbalance or compensate for the shortcomings of the primary controls, reducing the risk to an acceptable level.
Question 10.
An organization has implemented biometric access control for entering one of its critical databases.
This is an example of?
The correct answer is preventive control.
Biometric access control systems use unique physiological or behavioral characteristics such as fingerprints, iris patterns, or facial recognition to verify the identity of individuals seeking access.
By using biometrics, the organization aims to prevent unauthorized individuals from gaining entry to the database, protecting sensitive information and reducing the risk of data breaches or unauthorized use.
Question 11.
Which of the following risks represents a process failure to detect a serious error?
The correct answer is control risk.
Control risk refers to the risk that internal controls in an organization are not effective in preventing or detecting errors, fraud, or non-compliance.
It signifies the possibility that control measures are not properly designed, implemented, or functioning as intended, which can lead to errors or issues going undetected.
Question 12.
Which of the following statements best describes detective controls and corrective controls?
The correct answer is that detective controls are used to identify that an error has occurred and corrective controls fix a problem before a loss occurs.
Detective controls are designed to detect or indicate that an error has occurred.
Examples of detective controls include audits, hash totals, echo controls, and so on.
Corrective controls are designed to correct a risk or deficiency to prevent losses.
Examples of corrective controls include business continuity planning, backup procedures, and more.
How do we define risk?
There are multiple definitions of risk. The course shows some of the definitions from widely accepted sources, but for the exam we need not worry about any of them.
All of those definitions directly or indirectly use two words. What are they? Probability and impact.
So for us, risk is probability and impact, and we need not worry about any of the formal definitions from an exam perspective.
In simple language, risk is the product of probability and impact.
Both probability and impact must exist to constitute a risk.
Let us take an example.
Risk of rain damaging equipment.
How do we calculate this particular risk? In scenario one, we have a 0% chance of rain as the probability, whereas the impact is equipment costing $10,000.
So what will be the risk in this case?
As there cannot be any rain, there is no chance of the equipment being damaged. So there is zero risk.
In another scenario, there is a hundred percent chance of rain, but the equipment costs only $0; maybe it is all scrap.
So here again the risk will be nil.
This indicates that both probability and impact play an important part in calculating risk. So even if my equipment costs $10,000 but my probability is zero, my risk will be zero.
On the other hand, even if I have a hundred percent probability, if my equipment is worth zero, my risk will also be zero.
Exam perspective.
Risk can be defined as ?
product of probability and impact.
Once the likelihood has been determined, what should be the next step?
Likelihood means probability.
To determine the risk we need to have two elements, probability and impact.
So the next step is to determine the magnitude of the impact.
Let us practice some questions.
Risk can be defined as?
product of probability and severity of the impact.
Next question.
Once the likelihood of an event has been determined, Which of the below factors would be assessed next?
Severity Of impact.
The most important factor for evaluation of the risk is to?
Consider the probability and likelihood of loss.
Risk evaluation should take into account the potential size and likelihood of a loss. Though other factors are important, the impact of the risk should be the primary driver for risk evaluation.
Inherent risk: it is the residual risk that is more relevant. It is not mandatory to protect all the assets.
Reviewing incidents that occurred in similar companies: this is not a primary factor.
Next question.
The most important factor for mitigation of risk is to?
A risk mitigation strategy decides what kind of control is to be implemented and which risk is to be controlled first. In such cases, the answer is that it is important to rank the risks first.
Ranking the risks helps the organization to determine the priority, and resources should be utilized to address the top-level risks.
Threats and vulnerabilities are more important from a risk identification perspective rather than a risk mitigation perspective.
Risk owner identification is more important during risk analysis.
It is not possible, or in fact not practical, to address all the risks.
Threat and vulnerability and their relationship.
One of ISACA's favorite games is to get us confused between the terms threat and vulnerability in the CISA exam.
So basically, a threat is a potential danger or harm. An example of a threat can be a robber trying to break into your house or a virus trying to infect your computer, whereas a vulnerability is a weakness that makes you more exposed to threats.
For example, leaving your front door unlocked is a vulnerability because it makes it easier for a robber to get into your house.
Similarly, not updating your computer's antivirus software is a vulnerability because it makes it easier for viruses to infiltrate your system.
Another important point to understand is that an organization cannot have any control over a threat. You cannot stop anyone from becoming a robber, right?
Whereas a vulnerability can be controlled by the organization by taking appropriate action.
In this image, the sweet little kid is vulnerable as he cannot defend himself. The cat is a threat factor.
Other examples of threats include hackers, earthquakes, fire, malware, system failure, criminals and many other unknown forces.
Examples of vulnerabilities include missing antivirus, weak coding, weak access control, et cetera.
Practical exercise to understand both terms more precisely.
So when I say the door is open, please close it to avoid thieves. If they get in, we will be robbed.
So what is the threat here, what is the vulnerability and what is the risk?
In this scenario, the thief is the threat. We cannot control the thief. We cannot dictate to him what to do and what not to do.
In this scenario, the open door is the vulnerability. We can control the vulnerability by taking appropriate action.
So the overall risk when a thief takes advantage of the open door is robbery.
Let us take another example.
If antivirus software is not updated regularly, then a new type of virus can destroy our data.
In this scenario, the virus is the threat. We cannot control the hackers who create different types of viruses.
But we can control viruses entering our organization by installing and keeping updated antivirus software.
In this scenario, expired antivirus is the vulnerability.
So the overall risk when a virus takes advantage of expired antivirus software is compromise of data by way of data leakage or data destruction.
Three Types of RISK
Types of risk.
The first one, and a very important one, is inherent risk. Inherent risk is basically the risk before controls; we call it gross risk.
Then we have residual risk. Residual risk is the risk after controls. So we take the inherent risk, we apply the controls, and what we get is the residual risk.
Now, control risk. Control risk is basically ineffective controls: though controls are in place, they are not effective.
We do have detection risk. Basically it speaks about an ineffective audit.
Then we do have audit risk. Audit risk is the sum total of inherent risk, control risk and detection risk.
Let us differentiate between inherent risk and residual risk.
Inherent risk: the risk that an activity would pose if no controls or other mitigating factors were in place. We call it gross risk, or risk before controls.
Residual risk: the risk that remains after controls are taken into account. We call it net risk, or risk after controls.
So now let us differentiate both in detail.
Inherent risk is the gross risk and residual risk is the net risk.
Inherent risk is the risk before controls and residual risk is the risk after controls.
So if you take the inherent risk and you apply the controls, what you get is the residual risk.
Control risk.
What is control risk? The risk that a misstatement could occur but may not be detected and prevented by the entity's internal control mechanism; that is, ineffective controls. Here, though controls are in place, they are not that effective.
What is detection risk? It is an ineffective audit: the risk that the auditors fail to detect a material misstatement in the financial statements.
So what is audit risk? Audit risk is the sum total of inherent risk, control risk and detection risk.
Now that the concepts are clearer, let us practice some questions.
So for example, first question:
A business or process makes an error that is material in nature, assuming there are no internal controls. Which risk is this?
When there are no internal controls, there is inherent risk.
So the answer here will be inherent risk.
Control risk means the risk that, even though controls are in place, they are not effective.
Detection risk is the risk that the auditor fails to identify a material misstatement in the financial statements.
Next question.
The risk that the controls put in place will not prevent, correct or detect errors on a timely basis?
Answer: control risk.
Next question.
The actions of an IS auditor are most likely to affect which of the following risks?
Options: inherent, detection, control or business risk.
Answer: the auditor's actions basically impact detection risk.
Detection risk is the risk that the auditor fails to identify a material misstatement or error in the financial statements.
Again, inherent risk is the risk without any controls, and control risk is the risk where controls are in place but are not effective.
Next question.
The risk of an IS auditor certifying the existence of proper systems and procedures?
So again, here we have an ineffective audit, and so our answer will be detection risk.
Next question.
Log reviews may not result in timely detection or correction of errors. This is an example of?
Options: inherent, control, detection or race condition risk.
Log reviews are basically a kind of control, but here they are not effective, in the sense that timely detection or correction of errors is not happening. So even though controls are in place, they are not effective,
and the risk that we are facing here is control risk.
Risk Response methods: Risk treatment plans.
We discuss risk mitigation, risk avoidance, risk acceptance, risk transfer and risk sharing.
Remember M A A T: Mitigation, Acceptance, Avoidance, Transfer.
Risk mitigation is also known as risk reduction, whereas risk transfer is also known as risk sharing.
Risk mitigation.
The objective is to reduce the risk to an acceptable level.
Efforts are made here to reduce the probability or the impact of the risk event by designing appropriate controls.
Either the probability is reduced or the impact is reduced.
Risk Acceptance.
In this approach, the risk is accepted as it is. No steps are taken to reduce the risk.
This is more prevalent where the cost of controlling the risk is more than the cost of the risk event.
Risk Avoidance.
In this approach, the projects or activities that cause the risk are avoided.
Risk avoidance is the last choice, when no other option is adequate.
Risk Transfer.
In this approach, the risk is shared with partners, or transferred via insurance coverage, a contractual agreement or some other means.
The risk transfer option is generally used for events with low probability but high impact.
Examples for each option.
Risk mitigation: installing a firewall to mitigate the risk of unauthorized access.
Risk acceptance: the cost of anti-malware installation is more than the anticipated cost of damage due to a malware attack.
In such cases it is preferable to accept the risk rather than make the investment.
Risk avoidance: declining a project when the business case shows a high risk of failure, so as to avoid that particular project.
Risk transfer: taking insurance for damage due to natural disasters,
where the probability of a disaster is very low, but the impact can be high.
So, which is the most risky approach among the four options?
Risk acceptance.
Organizations need to be utmost careful while accepting a risk.
If a risk is accepted without knowing the correct level of risk, it may result in a higher level of liabilities.
Recap: Exam perspective
Out of the four options, in which option is the risk reduced to an acceptable level?
Answer = Risk mitigation
In which option is the risk accepted as it is, without taking any action?
Answer = Risk acceptance
Which option is the last choice for risk response?
Answer = Risk avoidance
Example of insurance coverage?
Answer = Risk transfer
In which option are no steps taken to reduce the risk?
Answer = Risk acceptance
Natural disasters are covered through?
Answer = Risk transfer
The cost of anti-malware is more than the cost of the damage; which option would you choose?
Answer = Risk acceptance
In which option is a project declined because of high risk?
Answer = Risk avoidance
Chances of higher liabilities: if you accept the risk without knowing the actual risk, it may amount to higher liabilities.
Exam perspective.
Risk response where the cost of control exceeds the cost of the risk event?
Answer = Risk acceptance
Risk avoidance can be done by?
Answer = Exiting the process that causes the risk.
Risk response option that is most likely to increase liability?
Answer = Risk acceptance
Risk response in which a process is outsourced to a professional organization having expert knowledge is?
Answer = Risk mitigation
Most suitable risk response where the risk related to a specific business process is greater than the potential opportunity?
Answer = Risk avoidance, to avoid the risk.
Risk response in the form of purchasing insurance is?
Answer = Risk transfer
What is the most important aspect of risk mitigation?
Answer = To ensure that the risk is reduced to an acceptable level.
Most effective way to treat a risk with a low probability and a high impact, such as a natural disaster?
Answer = The best way is to transfer the risk through insurance.
Practice questions.
Most effective risk response where the cost of installing anti-malware software exceeds the expected loss from the threat is?
Answer: Risk acceptance.
A characteristic of risk avoidance is?
Answer: Stopping the process that gives rise to the perceived risk.
When a risk practitioner recommends implementation of various controls to protect IT resources, which of the following approaches is recommended?
Answer: Risk mitigation.
The risk response that most likely increases the liability of the organization is?
Answer: Risk acceptance.
Outsourcing of a process is an example of?
Answer: Risk mitigation.
In a scenario where the risk is greater than the potential opportunity, the best risk response is?
Answer: Risk avoidance.
Taking out insurance is an example of?
Answer: Risk transfer.
Which of the following is utilized by a risk practitioner to propose a risk mitigation activity?
Answer: Business case.
To ensure that information systems control deficiencies are appropriately remediated, a risk practitioner should review?
Answer: Risk mitigation plan.
The objective of risk mitigation is?
Answer: To reduce the risk to within an acceptable level.
The best response for a risk scenario with low probability and high impact, like a natural disaster, is?
Answer: Risk transfer.
Key Aspects of Risk based Auditing
The most important step in a risk assessment is to identify what?
The most important step is to identify threats and vulnerabilities.
In risk-based audit planning, an IS auditor's first step is to identify what?
The first step is to identify the high-risk areas.
Once the threats and vulnerabilities are identified, what should be the next step?
To identify and evaluate the existing controls. It will help us draw conclusions about the residual risk.
What is the advantage of risk-based audit planning?
It helps to plan the resources according to the high-risk areas.
What does the level of protection of information assets depend on?
Level of protection means whether there should be stringent controls, moderate controls, mild controls or no controls.
It depends on the criticality of the assets.
What is the risk that is influenced by the actions of an auditor known as?
The actions of an auditor: this is termed detection risk.
Detection risk refers to the risk that an internal audit fails to identify or detect irregularities.
What is audit risk?
Audit risk is the sum total of inherent risk, control risk and detection risk.
Now let us understand what inherent risk is.
Inherent risk means gross risk, or risk before implementing any control.
Control risk means the implemented controls are not effective, and
detection risk means the audit process is not effective.
So auditors should be concerned about inherent risk, control risk and detection risk.
Risk is the product of?
P and I, that is, probability and impact.
Risk is the product of probability and impact.
If the probability is zero and there is a huge impact, the risk is zero because there is no probability.
On the other hand, if there is a high probability but the impact is zero, then there is also no risk, as there is no impact.
So both elements must be present to constitute a risk.
What are the results of the risk management process used for?
To design the controls.
The management of risk to an acceptable level is the responsibility of?
Senior management.
The absence of proper security measures is known as?
A vulnerability.
What is the advantage of a bottom-up approach to the development of organizational policies?
Policies are developed on the basis of risk assessment.
Risk before the controls are applied is known as?
Inherent risk / gross risk.
Once the controls are applied, it is known as residual risk or net risk.
Q1 Which of the following is the most critical aspect of a risk analysis?
Answer: To identify the vulnerabilities.
Q2 What is the initial step in a risk focused audit planning?
Answer: To identify the high-risk processes.
Q3 What is the main objective of conducting a risk assessment?
Answer: To ensure that critical vulnerabilities and threats are recognized.
Q4 What should be the next step of an IS auditor after identifying the threats and vulnerabilities in a business process?
Once threats and vulnerabilities are identified, the next step is to identify the current level of controls.
Q5 Which of the following is the main benefit of risk-based audit planning?
To focus on high-risk areas.
Q6 Which of the following should be the primary focus when considering the level of security of IT assets?
Criticality of the IT assets.
Q7 The actions of the IS auditor are most likely to influence which of the following risks?
Detection risk.
Detection risk refers to the risk that the internal auditor fails to identify or detect irregularities.
Q8 What is the risk of an inadequate audit methodology known as?
Detection risk.
Q9 The overall business risk of a particular threat is indicated as?
Product of probability and impact.
Q10 Which of the following is the first step in performing risk assessment of an information system?
The first step will be to review the threats and vulnerabilities impacting the assets.
Q11 What is the first step in evaluating the security controls of a data center?
To evaluate the threats and vulnerabilities applicable to the data center site.
Q12 What does the classification of information assets help to ensure?
That the information assets are subject to a suitable level of protection:
they are neither underprotected nor overprotected.
Q13 Which of the following should be performed first in a risk-focused audit?
To analyze the inherent risk.
Q14 In a risk-focused audit, which of the following is the most critical step?
To determine the high risk processes.
Q15 Which of the following options best describes the process of assessing a risk?
Risk is subject-oriented.
Q16 What is the outcome of a risk assessment exercise utilized for?
To implement relevant controls.
Q17 With whom does the responsibility of managing risks to an acceptable level rest?
Senior business management.
Q18 Which of the following is a major factor in the evaluation of IT risk?
Finding the vulnerabilities and threats that are applicable to IT assets.
This is a very important and major factor.
Q19 An IS auditor has determined a few vulnerabilities in a critical application. What should their next step be?
To identify the threats and their likelihood of occurrence.
Q20 What does a lack of appropriate control measures indicate?
Vulnerability.
Q21 Which of the following is the first step in a risk management program?
To identify the asset.
We should know what we are going to protect.
Q22 What is the advantage of a bottom-up approach to the development of enterprise policies?
They are created on the basis of risk analysis.
Q23 The mitigation of risk can be done through which of the following?
By implementing the controls.
Q24 The most important factor when implementing controls is to ensure that the controls do which of the following?
The controls should help to mitigate the risk.
Q25 The absence of an internal control mechanism is known as:
Inherent risk.
The absence of an internal control mechanism means there is no control as of now, and this is known as inherent risk, that is, risk before controls.
Q26 Which of the following represents the risk that the controls will not prevent, correct or detect errors in a timely manner?
Controls are present, but they are not effective. This is known as control risk.
Q27 What is the primary consideration when evaluating the risk management process?
All relevant risks must be recognized and documented for the analysis.
Q28 What is the best approach when focusing an audit on a high-risk area?
To perform a risk assessment first and then to concentrate on high-risk areas.
Q29 In a risk based audit approach, which of the following is the least relevant to audit planning?
Adoption of mature technology by the organization.
Steps to be followed while conducting this (risk) assessment.
There are six steps in this assessment activity. So what are these six steps?
First step: understand the business environment.
It is the basic requirement of any risk assessment activity to understand the business environment.
Second step: identify the critical assets.
Once you are aware of the business environment, you need to identify the critical assets that support that particular business.
Third step: identify all potential risks to those critical assets.
You identify the business environment, you identify the assets that support that business environment, then you identify the risks that apply to those critical assets.
Fourth step: prioritize the risks.
Not all risks are that important, because their impact may not be that much. So we need to prioritize the risks in order of criticality.
Fifth step: evaluate the control mechanisms.
For each risk, we can have multiple control mechanisms.
Not all mechanisms may be relevant, in the sense that the cost of a control should always be less than the cost of the risk.
So we need to evaluate all the available control mechanisms.
Last step: apply the relevant controls.
So again:
first, understand the business environment,
then identify the critical assets that support the business environment,
identify the risks to the critical assets,
prioritize all the risks,
evaluate the control mechanisms,
decide which control mechanism is relevant,
and then apply that particular control mechanism.
Q1 The most important step in this analysis is to identify?
Options: critical assets, controls, vulnerabilities and liabilities.
If you look at our earlier slide, we discussed the steps of risk assessment.
The first is to identify the business environment.
The second is to identify the critical assets that support that particular business environment.
In this question, we do not have an option for the business environment.
So my answer in this question will be to identify the critical assets.
Once the critical assets have been identified,
the next step will be to determine the risks, the controls and so on.
Q2 Next question: in risk-based audit planning, what would be the first step of the IS audit?
Options: responsibilities of stakeholders, high-risk areas within the organization, cost center controls.
So again, if you look at the steps, the first is the business environment,
the second is the assets, the third is the high-risk areas, and so on.
But we do not have the options of business environment or critical assets.
So the third of our steps, that is the identification of critical risks, will be our answer here.
That is option B, a high-risk area within the organization.
Q3 Let us understand one more question, which actually resembles a question asked in the CISA exam.
An IS auditor in a post office audit identifies certain threats and vulnerabilities. What should their next step be?
Options: identify the stakeholders for that particular business; identify the information assets and underlying systems; disclose the threats and impacts to management; identify and evaluate the existing controls.
Once threats and vulnerabilities have been identified,
as we saw on our earlier slide, the next step is to determine what controls are actually in place.
So if threats and vulnerabilities are there, but proper mitigating controls are in place, then fine.
If the residual risks are within management's acceptance level, then we need not go for options A, B and C.
So here, once the threats and vulnerabilities are identified, our next step is to understand whether any existing controls are there
that mitigate those particular threats and vulnerabilities.
So the answer is D, identify and evaluate the existing controls.
Q4 Next question. An IS auditor is evaluating management's risk assessment of an information system. What should they review first?
Options: the controls already in place; the effectiveness of the control mechanisms for monitoring the risk; the threats and vulnerabilities affecting the assets.
Here, we first need to understand what the risks are.
Only if we understand what the risks are will we be able to understand what the controls should be, whether the controls are effective, or whether the risk has been identified and monitored properly.
So our answer here will be to understand the threats and vulnerabilities affecting the assets.
Once you know this, options A, B and C are the next steps.
Q5 Let us take one more example. An IS auditor is reviewing a data center. What should their first step be?
Options: evaluate physical access controls; determine the vulnerabilities and threats; review the screening process; evaluate logical access controls.
All three controls, options A, C and D, will be relevant only if the auditor knows what the vulnerabilities and threats to that particular data center are.
Once the risks are identified, the auditor can evaluate the controls, and then see whether the relevant controls are in place and actually effective.
So the answer here is that the first step is to understand the vulnerabilities and threats to the data center site.
Q6 Let us take one more example. In a risk-based audit approach, what should be the first step of the IS auditor?
Options: inherent risk assessment, control risk assessment, test of controls, substantive test.
Inherent risk assessment means assessment of particular assets without any control mechanism; it is basically gross risk assessment, or risk assessment before any controls.
Control risk assessment means checking whether controls are actually in place but may not be effective; that is known as control risk.
Test of controls is similar: whether the controls are effective. Substantive testing means testing of transactions.
So the first step is to understand the actual risks before the implementation of the controls.
So the answer will be inherent risk assessment.
Q6 So again, one more question. In planning an audit, the most critical step is the identification of the?
Options: areas of high risk, skill set of the audit staff, test steps in the audit, time allotted for the audit.
As we discussed earlier, only when the auditor knows which areas are high risk can the other points, B, C and D, be taken care of.
So the answer will be the areas of high risk.
Q7 Let us take one more example. An IS auditor is reviewing a payroll application and has identified some vulnerabilities. What should they do?
Option: report the vulnerabilities to management immediately.
I don't think so. Vulnerabilities can have a major impact, a minor impact or no impact at all.
So unless and until the auditor identifies the impact of those vulnerabilities, there is no need to report directly to management.
Option: examine the application development process. This is irrelevant here.
Option: identify the threats and their likelihood of occurrence.
Exactly. So the very next step is to identify the impact of these particular vulnerabilities on the system.
Once that is identified, the auditor takes the second step: whether to recommend a new application, or to report to management, or maybe to examine the full application development process.
But that step will be taken care of only once the threats and their likelihood of occurrence have been identified.
Q8 Let us take one more example. The auditor is developing a risk management program. The first activity to be performed is a?
Options: vulnerability assessment, control evaluation, identification of assets, gap analysis.
So again, if you go back to the steps, the first is the business environment, the second is the assets, the third is the risks, and so on.
So in our question, the answer will be identification of assets.
Audit Project Management:
What are the steps for conducting an audit?
First step: determine the audit subject.
For example, the IT department is one of the subjects that I want to audit.
Define the audit objective.
Once your subject is ready, you decide what within this subject you are going to audit. For example, I want to audit adherence to the IS policy.
Then set the audit scope.
Which applications or locations are to be covered.
Pre-audit planning.
You need to do a risk assessment, and you need the business knowledge and other relevant knowledge to conduct the audit.
Then determine the audit process.
On the basis of the risk assessment you decide what audit resources you require, what methodology you will adopt and what sampling you will follow.
Field work and documentation.
In this step, you evaluate the controls, document the evidence and do the actual audit work.
Finally, the reporting phase.
The audit closure meeting, issuing the report, conducting the follow-up audit, et cetera, come under this phase.
Steps in chronological order.
Step 1: determine the audit subject.
Step 2: once the subject has been identified, define your objective.
Step 3: set the audit scope.
Step 4: pre-audit planning: risk assessment, acquiring the business knowledge and other relevant information.
Step 5: determine the audit process: what methodology, what sampling and what audit resources you will use.
Step 6: field work, the actual audit, that is, evaluating the controls and documenting the evidence.
Final step: report the observations.
Key aspects from the CISA exam perspective.
Q1 What does an information system audit provide?
Reasonable assurance about the coverage of material items.
Q2 What is the primary reason for a functional walkthrough?
A functional walkthrough means understanding the business processes.
The primary reason is to understand the business process.
Q3 What is the major concern in the absence of established audit objectives?
If you are not clear about the audit objectives, that is, what you want to audit or what the scope of the audit is, you will not be able to determine the key business risks.
Q4 What is the primary objective of performing a risk assessment prior to the audit?
To allocate audit resources to the areas of high risk.
So during the risk assessment you identify which areas are critical and where resources are required for audit purposes.
Q5 What is the objective of the audit planning phase?
To conduct the risk assessment and determine the areas of high risk.
QAE Audit Management
Explanation with respect to Audit Project Management.
Q1 The first step in reviewing a service-oriented application is?
A service-oriented application means an application that supports multiple clients, that serves multiple clients.
The first step is to understand the services and their allocation to the business processes.
Q2 An information system audit provides?
Reasonable assurance about the coverage of material items. It will not provide definite assurance, and it is very difficult to cover all the items.
Q3 The best sampling method when an IS auditor is concerned about fraud is?
When an IS auditor is concerned about fraud, the best sampling method is discovery sampling.
Q4 Which of the following is the first step in an audit project?
To develop an audit plan on the basis of risk assessment.
Q5 What is the primary goal during the planning phase of an IS audit?
To address the audit objectives.
Q6 What is the primary reason for a functional walkthrough?
Functional walkthrough means to gain knowledge about the function or the process.
To understand the business process.
Q7 An IS auditor has a strong suspicion of fraud during a preliminary investigation. What should they do next?
To collect more evidence for further investigation.
Q8 Which of the following is the first activity to be performed when developing a risk management program?
Inventory of assets. You first need to know what you need to protect.
Q9 An IS auditor has been assigned to audit a business continuity plan. The same auditor was involved in designing the business continuity plan. The IS auditor should?
Provide a disclaimer of the conflict of interest to audit management before accepting the audit.
Q10 Which of the following would be a major concern in the absence of established audit objectives?
Answer: Established audit objectives means the purpose of the audit.
Not being able to determine the key business risks.
Q11 Which of the following is the next step once the audit findings have been identified?
To discuss the findings with auditee management to reach agreement on the findings.
Q12 The first step in developing an annual internal IS audit plan is to?
Determine the audit universe.
The audit universe means the list of all the processes.
Q13 What is the immediate step once the business process to be audited has been identified?
To determine the control objectives and activities.
Q14 The prime consideration in determining the objective and scope of an audit is?
The statutory requirements applicable to the organization.
Q15 Which of the following is the prime reason for performing a risk assessment before conducting the audit?
The risk assessment is performed to identify the high-risk areas.
So the objective is to provide reasonable assurance that at least the high-risk areas are covered, that is, audit coverage of the material items.
Q16 The first step in the planning phase of an audit is?
During the planning phase, basically, we prepare the audit schedule, we decide the audit areas and we decide the resource requirements.
So the first step in the planning phase is to conduct a risk assessment, on the basis of which the above activities can be taken care of.
Q17 What should be the next course of action for an IS auditor once potential material findings are discovered?
To conduct additional tests.
Q18 Which of the following is the best reason for a senior audit manager reviewing the work of an auditor?
Professional standards.
Q19 Which of the following is the best course of action if it is not possible to cover the total audit scope due to resource constraints?
To focus on high-risk areas.
Q20 The most reliable source of information when designing a risk-based audit plan is?
A risk-based audit plan means our objective is to audit the high-risk areas, and the high-risk and critical areas are the areas that can be identified by senior management.
Once you've identified the business process to audit, determining the control objectives and activities is essential because it establishes the framework for evaluating the effectiveness and efficiency of that process. This step aligns with your learning about the audit process, ensuring that you focus on the critical elements that need to be assessed.
Let us discuss two basic sampling techniques: statistical and non-statistical.
In statistical sampling, all items have an equal chance of selection.
In non-statistical sampling, the selection is done on the basis of the auditor's judgment.
So for example, if an auditor feels that one particular employee is more prone to error, he will select a sample from the cases processed by that particular employee. Here, the subjectivity and judgment of the auditor is involved.
The other main distinction between statistical and non-statistical sampling
is that in statistical sampling the probability of error can be quantified.
For example, my total population is a hundred and my sample size is 10. If I find one error out of the 10, I can assume there is a 10% error rate. That cannot be assumed in non-statistical sampling.
This is a very, very important point for the CISA exam.
So we need to remember: when the probability of error needs to be objectively quantified, we need to select statistical sampling.
Now let us discuss attribute and variable sampling.
A simple rule for attribute sampling:
in attribute sampling the answer is either yes or no. Either it has been complied with or not complied with. There cannot be a third answer.
On the other hand, variable sampling gives us more information than attribute data.
This is because it allows us to understand how much, or how bad, or how good, rather than just yes, it is complied with, or no, it is not complied with.
So it is generally applied in complex testing; it is applied in substantive testing.
Attribute sampling is expressed as a percentage, whereas variable sampling is expressed in monetary values, weight or some other unit.
So the two things we need to understand from the CISA exam point of view are:
compliance testing, attribute sampling; substantive testing, variable sampling.
So I request you to remember these terms:
AC: attribute, compliance. VS: variable, substantive.
This is very, very important from the CISA exam point of view.
Let us discuss stop-or-go sampling and discovery sampling.
Stop-or-go sampling
is used when the auditor believes that very few errors will be found.
It prevents excessive sampling by allowing an audit test to be stopped at the last possible moment.
Discovery sampling
is used when the objective of an audit is to discover fraud or other irregularities.
So, a point to remember for the CISA exam:
whenever something like fraud or a major irregularity is given and a sampling technique is to be selected, we need to select discovery sampling.
An important sampling topic.
What is the confidence coefficient?
It is the probability that the sample is truly representative of the population.
So, to have a high confidence coefficient, we need to select a high sample size.
In other words, if we select a high sample size, we will get a high confidence coefficient.
For example, my population is a hundred and my sample size is 90. That will give me a confidence of 95%.
On the other hand, if I select a sample size of only 25, my confidence will be lower, only 25%. So the higher the sample size, the higher the confidence,
and if we want a higher confidence coefficient, we need a higher sample size.
So for the CISA exam, we need to remember:
whenever the internal controls are strong, we do not need a larger sample size.
So the confidence coefficient or the sample size may be lowered when strong internal controls are in place.
On the other hand, when the internal controls are weak, the confidence coefficient or the sample size needs to be increased.
So, a point to remember for the CISA exam.
Sampling.
Whenever compliance testing is there,
our answer should be attribute sampling.
So remember AC: attribute for compliance testing.
Whenever substantive testing is there,
our answer should be variable sampling. So remember VS:
variable sampling for substantive testing.
Whenever any indication of fraud is there,
our answer should be discovery sampling.
When the probability of error needs to be objectively quantifiable,
we need to select statistical sampling. This is the core of sampling.
Let us discuss some questions.
Q1 When is the use of statistical sampling more relevant than judgment sampling? Statistical
sampling is basically more relevant when the probability of error needs to be objectively quantified.
So options A and D are ruled out, because neither of those sampling techniques will mitigate sampling risk or audit risk.
Q2 The IS auditor is reviewing the internal controls of application software. Which sampling method will be most useful when testing for compliance?
Remember AC: attribute for compliance.
So our answer should be attribute sampling, the method paired with compliance.
Whenever attribute sampling is there, the testing is compliance testing; and whenever variable sampling is there, the testing is substantive testing.
So AC and VS.
Q3 With regard to the confidence coefficient, which of the following can be said?
If an auditor knows the internal controls are strong, the confidence coefficient may be lowered.
So for the CISA exam we need to remember: when internal controls are strong, the confidence coefficient may be lowered.
When internal controls are weak, we need a larger sample size and a higher confidence coefficient.
Q4 An IS auditor reviewing critical financial applications is concerned about fraud. Which of the following sampling methods would best assist the auditor?
Since we are concerned about fraud,
our sampling technique should be discovery sampling.
Q5 An IS auditor is determining the appropriate sample size for testing the effectiveness of the change management process (CMP). No deviation was noted in the last two years' audits, and management has assured that there was no deviation in the process for the period under review. The auditor can adopt?
From the question it seems that internal controls are strong.
As we already discussed,
when internal controls are strong, a lower confidence coefficient, resulting in a lower sample size, can be used.
Q6 Statistical sampling reduces which of the following risks?
Answer: Audit risk? No. Audit risk comprises control risk, inherent risk, and detection risk.
Statistical sampling will not have any impact on control risk or inherent risk.
Detection risk is the risk that an auditor fails to detect a material misstatement in a financial statement.
Improper statistical sampling increases this kind of risk, so it is detection risk that statistical sampling reduces.
Testing Concept - Compliance and Substantive Testing:
Let us discuss compliance testing as well as substantive testing, and then how to differentiate between the two.
Please note that both concepts are very important from the CISA exam point of view.
So what is compliance testing?
Compliance testing is basically a test of controls.
On the other hand, substantive testing is basically a test of transactions.
In compliance testing we test whether particular controls are present or not,
while in substantive testing we test the integrity of transactions or the integrity of data.
Let us discuss both in more detail.
In compliance testing,
we gather evidence with the objective of testing an organization's compliance with its control procedures,
whereas in substantive testing,
what we want to verify is the integrity of data, of a particular transaction, or of particular information.
So basically compliance testing checks for the presence of a control: either yes or no.
On the other hand, in substantive testing we check the integrity of the contents of particular transactions or particular information.
Examples of compliance tests:
verifying whether a router is properly configured;
verifying that system access is governed by proper controls;
reviewing firewall settings; and
reviewing compliance with the password policy.
These are all compliance tests.
On the other hand, any testing related to the trial balance, the balance sheet, the profit and loss account, inventory valuation, or matching physical fixed assets to the records
is an example of substantive testing.
Here we basically review the integrity of particular transactions or particular information.
These are very, very important points to remember for the CISA exam.
First point: in any given scenario, compliance testing is performed first.
Substantive testing is the next step.
So you perform the compliance testing and get the result. If you are satisfied with the controls, you may then go for substantive testing as well.
So the result of compliance testing is the basis for deciding the area of substantive testing.
In any given scenario, compliance testing is the first step and substantive testing is the next step.
Second point: in any given scenario, the outcome of compliance testing forms the basis for planning substantive testing.
Now a very important point to remember for the CISA exam:
in any given scenario, the attribute sampling method is the one to use when testing for compliance.
What is the attribute sampling method?
Attribute sampling gives us one of two results: yes or no.
In compliance testing we also need one of two results: either the control is present or the control is absent, yes or no. So whenever a question asks which sampling method is to be used for compliance testing, what we need is a yes-or-no result.
That is attribute sampling: either the control is present or it is absent.
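As an added worked example (not code from these notes or from ISACA), the following Python script shows the AC/VS pairing in practice: a compliance test of a password-policy control evaluated with attribute sampling, which yields a yes/no exception rate, and a substantive test of inventory valuation evaluated with variable sampling, which projects a monetary misstatement. The host settings, the policy thresholds, the inventory lines, and the mean-per-unit projection used here are all constructed assumptions for illustration.

```python
"""Compliance test via attribute sampling vs. substantive test via variable
sampling. Added illustration on constructed data; not code from the notes."""
import random
from dataclasses import dataclass

# Constructed password policy that the compliance test checks against.
POLICY_MIN_LENGTH = 12
POLICY_MAX_AGE_DAYS = 90


@dataclass(frozen=True)
class HostPolicy:
    """Password settings read from one hypothetical host."""
    host: str
    min_length: int
    max_age_days: int


@dataclass(frozen=True)
class InventoryLine:
    """One stock line: ledger value vs. the value the auditor re-counted and re-priced."""
    sku: str
    book_value: float
    audited_value: float


def select_sample(population, sample_size, seed=1):
    """Statistical (random) selection, so that sampling risk is quantifiable."""
    return random.Random(seed).sample(list(population), sample_size)


def control_present(p: HostPolicy) -> bool:
    """Attribute test: the control is either in place (True) or not (False)."""
    return p.min_length >= POLICY_MIN_LENGTH and p.max_age_days <= POLICY_MAX_AGE_DAYS


def attribute_result(sample):
    """Compliance testing -> attribute sampling: the result is a rate of
    exceptions (a percentage), not an amount."""
    exceptions = [p.host for p in sample if not control_present(p)]
    return {
        "sample_size": len(sample),
        "exceptions": len(exceptions),
        "exception_rate_pct": round(100.0 * len(exceptions) / len(sample), 1),
        "failing_hosts": sorted(exceptions),
    }


def variable_projection(sample, population_size, book_total):
    """Substantive testing -> variable sampling: project the audited values in
    the sample to a monetary total (mean-per-unit estimate) and compare it with
    the ledger, giving a projected misstatement in currency."""
    mean_audited = sum(line.audited_value for line in sample) / len(sample)
    projected_total = round(mean_audited * population_size, 2)
    return {
        "projected_total": projected_total,
        "book_total": round(book_total, 2),
        "projected_misstatement": round(book_total - projected_total, 2),
    }


def build_constructed_populations():
    """Constructed data: 40 hosts, 4 of which miss the policy; 200 inventory
    lines, a few of which are overstated in the ledger."""
    hosts = [HostPolicy(f"host-{i:02d}", 12 if i % 10 else 8, 90) for i in range(40)]
    inventory = [InventoryLine(f"SKU-{i:03d}", 100.0 + (25.0 if i % 50 == 0 else 0.0), 100.0)
                 for i in range(200)]
    return hosts, inventory


def run_demo(sample_size=30):
    """Run both tests on the constructed populations and return both results."""
    hosts, inventory = build_constructed_populations()
    compliance = attribute_result(select_sample(hosts, sample_size))
    substantive = variable_projection(select_sample(inventory, sample_size), len(inventory),
                                      sum(line.book_value for line in inventory))
    return {"compliance_attribute": compliance, "substantive_variable": substantive}


if __name__ == "__main__":
    print(run_demo())
```

The compliance result answers "is the control present?" for each sampled item and reports the proportion of failures; the substantive result is expressed in currency, which is exactly the distinction the AC/VS mnemonic captures.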
Now let us discuss
some questions and answers
that closely resemble the questions and answers asked in the CISA exam with respect to substantive and compliance test procedures.
Q1 Which of the following is a substantive test?
Options: reviewing compliance with the firewall policy; reviewing IDs against the change management policy; using a statistical sample to inventory the tape library; reviewing password history reports.
A substantive test, as we already discussed, is basically a test of transactions or of the integrity of particular content.
Of the four options, only using a statistical sample to inventory the tape library checks integrity.
Options A, B, and D are basically compliance tests.
Q2 The major difference between compliance and substantive testing is that compliance testing tests:
options A, B, C, D.
Compliance testing, as we already discussed, tests the controls, while substantive testing tests the details, that is, the integrity of particular transactions.
So option B is the correct one.
Q3 When reviewing the internal controls of application software, which sampling method should be used?
We already discussed what compliance testing requires:
either the control is present or it is absent.
The sampling method that gives us this kind of result is attribute sampling.
In attribute sampling the result is either yes or no; there is no other outcome.
So the correct option here is attribute sampling.
Q4 A test to determine whether the last 50 new user requisitions were correctly processed is an example of?
What we are checking is basically whether controls are present to grant access rights for new user requisitions.
Whether they were correctly processed tells us whether proper controls are in place.
So the answer is compliance testing.
Either a requisition is correctly processed or it is not:
if the controls are in place, it is correctly processed; if they are not in place,
it is incorrectly processed.
Q5 An IS auditor performs a test to ensure that only active users have access to a critical system. This is?
Here again it is basically a compliance test:
whether proper controls are there to ensure that rights are given only to active users.
So the answer is compliance test.
We are testing the control over this particular activity.
Q6 IS auditors are most likely to reduce substantive test procedures if, after the compliance test, they conclude that?
Options: a substantive test would be too costly; the control environment is poor; inherent risk is low; control risk is within the acceptable limit.
We already discussed that we first test the compliance part, and on the basis of the result of the compliance part we test the substantive part.
Now, while testing compliance, if we find that there are enough controls in place, we can reduce the substantive testing.
So if control risk is within the acceptable limit, we need not go for extensive substantive test procedures.
Here the answer is: substantive test procedures can be reduced if compliance tests conclude that control risk is within the acceptable limit.
So again, remember: the first test is compliance and the second is substantive.
The result of the compliance test is used to plan the substantive test.
Q7 Which of the following is a substantive audit test?
As we already discussed, anything with respect to the trial balance, the profit and loss account, or balance transactions, where the integrity and content of data or information is checked, is a substantive audit test.
Q8 Evidence gathering to evaluate the integrity of individual transaction data or other information is typically which of the following?
As already discussed, this is a substantive test.
Substantive tests verify the integrity of individual transaction data or other information.
Q9 The objective of a compliance test is to ensure that?
Controls are implemented as prescribed.
1.8 Audit Evidence Collection Techniques
Auditing is a process of providing an opinion (in the form of a written audit report) about the functions or processes under the scope of an audit. This audit opinion is based on the evidence obtained during the audit.
Audit evidence is critical in the audit as audit opinions are based on reliability, competence, and objectivity. The objective and scope of an audit are the most significant factors when determining the extent of the data requirements.
Reliability of Evidence
An IS auditor should consider the sufficiency, competency, and reliability of the audit evidence. Evidence can be considered competent when it is valid and relevant. The following factors determine the reliability of audit evidence.
Independence of the Evidence Provider
The source of the evidence determines the reliability of the evidence. External evidence (obtained from a source outside the organization) is more reliable than evidence obtained from within the organization. A signed agreement with external parties is considered more reliable.
Qualifications of the Evidence Provider
The qualifications and experience of the evidence provider are major factors when determining the reliability of audit evidence. Information gathered from someone without relevant qualifications or experience may not be reliable.
Objectivity of the Evidence
Evidence based on judgment (involving subjectivity) is less reliable than objective evidence. Objective audit evidence does not have scope for different interpretations.
Timing of the Evidence
Audit evidence that is dynamic in nature (such as logs, files, and documents that are updated frequently) should be considered based on relevant timing.
The above rules are very important from a CISA exam perspective. An IS auditor should also be aware of the best practices and techniques to gather evidence. These are discussed in the next section.
Evidence-Gathering Techniques
The following techniques are used by IS auditors to gather evidence during the audit process:
Review the organization’s structure
The IS auditor should review the organization’s structure and governance model.
This will help the auditor determine the control environment of the enterprise.
Review IS policies, processes, and standards
The audit team should review the IS policies, procedures, and standards and determine the effectiveness of the controls implemented.
The audit team should also determine whether IS policies and procedures are reviewed periodically and approved by a competent authority.
Observations
The IS auditor should observe the process to determine the following:
– The skill and experience of the staff
– The security awareness of the staff
– The existence of segregation of duties (SoD)
Interview technique
The IS auditor should have the skill and competency to conduct interviews tactfully.
Interview questions should be designed in advance to ensure that all topics are covered.
To the greatest extent possible, interview questions should be open-ended to gain insight into the process.
The staff being interviewed should be made comfortable and encouraged to share information and areas of concern.
Re-performance
In re-performance, the IS auditor performs the activity that is originally performed by the staff of the organization.
Re-performance provides better evidence than other techniques.
It should be used when other methods do not provide sufficient assurance about control effectiveness.
Process walk-through
A process walk-through is done by the auditor to confirm the understanding of the policies and processes.
The evaluation of evidence is a subjective matter, and the auditor needs the relevant skills, experience, and qualifications to judge the relevance, sufficiency, and appropriateness of the audit evidence. In the case of inconclusive evidence, it is recommended to perform an additional test to confirm the accuracy of the audit findings.
Evidence should be evaluated based on the business environment and the complexity of the business processes. The following are some general guidelines for evidence evaluation:
In the case of unavailability of evidence, the auditor should report the relevant risk in the audit report.
Evidence obtained from a relevant third party is considered more reliable compared to internal evidence. An audit report by a qualified auditor is considered more reliable than a confirmation letter received from a third party.
Evidence collected by the audit team directly from the source is considered more reliable compared to evidence provided by business units.
Computer-Assisted Audit Techniques (CAATs) are the most effective auditing tools for computerized environments. The use of a CAAT ensures the reliability of audit evidence as data is directly collected, processed, and analyzed by the IS auditor.
Key Aspects from the CISA Exam Perspective
The following questions and answers cover important aspects from the CISA exam perspective:
Q What does the extent of the data requirements for the audit depend on?
A The objective and scope of the audit.
Q What should audit findings be supported by?
A Sufficient and appropriate audit evidence.
Q What is the most important reason to obtain sufficient audit evidence?
A To provide a reasonable basis for drawing conclusions.
Q What is the most effective tool for obtaining audit evidence through digital data?
A Computer-assisted audit techniques (CAATs).
Q What is the most important advantage of using CAATs for gathering audit evidence?
A CAATs provide assurance about the reliability of the evidence collected.
Q What type of evidence is considered most reliable?
A Evidence directly collected from the source by an IS auditor is considered the most reliable. The source of the evidence should be independent.
Q What is the primary reason for a functional walk-through?
A To understand the business process.
Testing Concept - Online Auditing Techniques
In the CISA curriculum there are
five online auditing techniques:
SCARF,
snapshots,
ITF,
audit hooks, and
continuous and intermittent simulation (CIS).
Let us discuss
SCARF.
SCARF stands for
system control audit review file, also known as an embedded audit module.
It is basically inbuilt audit software, used when regular processing cannot be interrupted.
Then we have
snapshots.
This technique takes pictures of transactions while they are in flow.
It is used when an audit trail is required.
ITF,
integrated test facility.
Here we need to remember two things: dummy entities and a live production environment.
So dummy entities are created in a live production environment.
Then we have
audit hooks.
The complexity of audit hooks is very low, and hence they help in early detection of errors and fraud.
They are basically used when selected transactions need to be examined.
Then we have
CIS.
It stands for continuous and intermittent simulation, is used with a DBMS, and
is the best technique when transactions meeting certain criteria need to be examined.
Its complexity level is slightly higher, and it is considered the best technique when high or complex criteria need to be defined.
So audit hooks and CIS work on similar models, but audit hooks have a low complexity level while CIS has a high one.
Let us discuss
SCARF.
System control audit review file:
an embedded, inbuilt audit module.
Here only those transactions are recorded which have special audit significance, as defined by the auditor.
It is useful when regular processing cannot be interrupted.
SCARF physically hosts itself in the application module and works simultaneously with it.
Let us take one example of how SCARF works.
In life insurance companies, the chances of fraud generally increase when the address of a policy holder changes and, simultaneously or shortly afterwards, a request to withdraw funds follows.
So this is basically a suspected transaction.
Here two conditions are set in the application module.
First, identify the transactions where the address has been changed. And
second, for that particular policy, if within some days, let us say seven days, a withdrawal of funds is requested, treat this as a suspicious transaction for that particular activity.
These transactions are recorded in the SCARF file, which is further reviewed by the auditor to rule out fraud.
Snapshots.
In this technique, snaps are taken of transactions as they move through the various stages of the application system.
Both before-processing and after-processing images of the transaction are captured.
So the auditor can verify the correctness of the processing by comparing the before-processing and after-processing images of the transaction.
Snapshots are very useful when an audit trail is required.
ITF
It stands for integrated test facility.
Here, as we discussed earlier, two things: dummy transactions but a live production environment.
Processed results and expected results are compared to verify that the system is operating correctly.
As the live production environment is used, there is no need to create a separate test environment;
however, the test data needs to be isolated from the actual production data once the test has been conducted and completed.
Let us take one example. A dummy asset is entered into the system to verify whether it has been capitalized under the correct head and depreciation has been calculated at the correct rate.
So here the auditor enters this dummy transaction in the actual system.
Then he sees what the impact of this transaction is.
The impact of the transaction is compared to the auditor's own calculated result, and if the data is correct, that means the system is working fine.
But subsequently, this dummy transaction needs to be removed after verification of the system controls.
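The ITF example above, worked through as added Python code (not from the notes or from any product): a constructed fixed-asset register stands in for the live system, the auditor enters a tagged dummy asset, compares the system's capitalisation head and depreciation with a predetermined result, and then purges the dummy so that no test data remains in production. The asset classes, the depreciation rates, and the ITF- id-prefix convention are constructed assumptions.

```python
"""Integrated test facility (ITF) walk-through on a constructed fixed-asset
register. Added illustration; not code from the notes or any product."""
from dataclasses import dataclass

ITF_PREFIX = "ITF-"   # constructed convention: dummy (fictitious) entities carry this id prefix

# Constructed capitalisation rules: asset class -> (capitalisation head, straight-line rate % per year)
CLASSIFICATION = {
    "laptop": ("Computer equipment", 33.33),
    "vehicle": ("Motor vehicles", 20.0),
    "building": ("Buildings", 5.0),
}


@dataclass
class Asset:
    asset_id: str
    asset_class: str
    cost: float
    head: str = ""
    rate_pct: float = 0.0


class FixedAssetRegister:
    """Stands in for the live production application under audit."""

    def __init__(self):
        self.assets = []

    def capitalise(self, asset: Asset):
        """Production logic: assign the head and rate from the rule table."""
        head, rate = CLASSIFICATION[asset.asset_class]
        asset.head, asset.rate_pct = head, rate
        self.assets.append(asset)

    def run_depreciation(self):
        """Production calculation whose logic the auditor wants to verify."""
        return {a.asset_id: round(a.cost * a.rate_pct / 100.0, 2) for a in self.assets}

    def find(self, asset_id):
        return next(a for a in self.assets if a.asset_id == asset_id)


def purge_test_entities(register: FixedAssetRegister) -> int:
    """Isolate ITF data from real data once the test is done; returns the count removed."""
    before = len(register.assets)
    register.assets = [a for a in register.assets if not a.asset_id.startswith(ITF_PREFIX)]
    return before - len(register.assets)


def itf_test(register, dummy: Asset, expected_head: str, expected_depreciation: float):
    """Enter the dummy transaction into the live register, let the system process
    it, and compare the processed result with the auditor's predetermined result."""
    if not dummy.asset_id.startswith(ITF_PREFIX):
        raise ValueError("ITF entities must be tagged so they can be isolated later")
    real_count = len(register.assets)
    register.capitalise(dummy)
    try:
        system_dep = register.run_depreciation()[dummy.asset_id]
        stored = register.find(dummy.asset_id)
        return {
            "head_ok": stored.head == expected_head,
            "depreciation_ok": abs(system_dep - expected_depreciation) < 0.005,
            "system_depreciation": system_dep,
            "expected_depreciation": expected_depreciation,
        }
    finally:
        purge_test_entities(register)   # always remove the dummy, even if the test fails
        if len(register.assets) != real_count:
            raise RuntimeError("ITF data leaked into production records")


def run_demo():
    """Constructed run: one real asset, then an ITF laptop costing 90,000 at 33.33 %,
    for which the auditor's predetermined annual depreciation is 29,997.00."""
    register = FixedAssetRegister()
    register.capitalise(Asset("FA-0001", "vehicle", 25_000.0))
    outcome = itf_test(register, Asset(ITF_PREFIX + "LAPTOP", "laptop", 90_000.0),
                       "Computer equipment", 29_997.00)
    return outcome, len(register.assets)


if __name__ == "__main__":
    print(run_demo())
```

The predetermined value is computed by the auditor independently of the system; the test only passes when the system's own calculation agrees with it, and the `finally` clause is what enforces the "isolate the test data afterwards" requirement.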
CIS,
continuous and intermittent simulation.
This is basically used along with a database management system (DBMS).
In this process, the DBMS reads a transaction, which is passed to CIS.
If the transaction meets the selected criteria, CIS examines the transaction for correctness.
In case of any discrepancies, results are produced for verification by the auditor.
CIS replicates or simulates the application system processing.
This is the best technique when transactions meeting certain criteria need to be examined. Because of its complexity level, even highly complex criteria can be defined in CIS.
So how does it work? Again, data flows from the application system.
The DBMS then sends the transaction to CIS if it falls within the particular criteria.
CIS then processes that transaction itself and compares its own result with the application's result.
If both results match, the system is working fine.
But in case of any deviation, the results are given to the auditor for further verification.
Audit hooks.
These are audit software that captures suspicious transactions.
The criteria for suspicious transactions are designed by the auditor as per their requirements.
Audit hooks help the IS auditor to act before an error or irregularity gets out of hand.
Here also the model works like CIS, but complicated criteria cannot be set in an audit hook.
It basically takes low-complexity criteria.
One example: in most organizations, cash transactions are monitored closely.
Criteria can be designed to capture cash transactions exceeding $50,000, so that all such transactions can be further reviewed by the auditor.
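The SCARF life-insurance rule and the cash-transaction audit hook described above, together with before/after snapshot images, as one added Python example (not code from the notes or from any vendor product). The transaction stream, the seven-day window, the $50,000 threshold used as the hook criterion, the policy-balance ledger, and the transaction kinds are constructed assumptions.

```python
"""Embedded audit module showing SCARF, an audit hook and snapshots on a
constructed transaction stream. Added illustration; not code from the notes."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    txn_id: str
    policy: str
    kind: str        # constructed kinds: PREMIUM, ADDRESS_CHANGE, WITHDRAWAL, CASH_PAYOUT
    amount: float
    when: date


SCARF_WINDOW = timedelta(days=7)   # window the notes use as an example
HOOK_CASH_LIMIT = 50_000.0         # threshold the notes use as an example


class EmbeddedAuditModule:
    """SCARF / audit-hook / snapshot logic that runs alongside the application,
    so regular processing is never interrupted."""

    def __init__(self):
        self.scarf_file = []    # transactions of special audit significance
        self.hook_hits = []     # suspicious transactions for early review
        self.snapshots = []     # (txn_id, before_balance, after_balance)
        self._last_address_change = {}

    def scarf_rule(self, t: Txn) -> bool:
        """Condition 1: remember address changes. Condition 2: flag a withdrawal
        on the same policy within SCARF_WINDOW of that change."""
        if t.kind == "ADDRESS_CHANGE":
            self._last_address_change[t.policy] = t.when
            return False
        if t.kind == "WITHDRAWAL":
            changed = self._last_address_change.get(t.policy)
            return changed is not None and timedelta(0) <= t.when - changed <= SCARF_WINDOW
        return False

    @staticmethod
    def audit_hook(t: Txn) -> bool:
        """Low-complexity criterion set by the auditor: large cash payouts."""
        return t.kind == "CASH_PAYOUT" and t.amount > HOOK_CASH_LIMIT

    def observe(self, t: Txn, before: float, after: float):
        """Called by the application for every transaction it processes."""
        self.snapshots.append((t.txn_id, before, after))   # before/after images
        if self.scarf_rule(t):
            self.scarf_file.append(t.txn_id)
        if self.audit_hook(t):
            self.hook_hits.append(t.txn_id)


def apply_transaction(balance: float, t: Txn) -> float:
    """The application's own processing (constructed): premiums add, payouts subtract."""
    if t.kind == "PREMIUM":
        return balance + t.amount
    if t.kind in ("WITHDRAWAL", "CASH_PAYOUT"):
        return balance - t.amount
    return balance


def run_application(transactions):
    """Process the stream; the audit module observes each transaction in line."""
    ledger = {}
    audit = EmbeddedAuditModule()
    for t in transactions:
        before = ledger.get(t.policy, 0.0)
        after = apply_transaction(before, t)
        ledger[t.policy] = after
        audit.observe(t, before, after)
    return ledger, audit


# Constructed stream: T3 follows an address change by 4 days (SCARF hit),
# T5 follows one by 45 days (no hit), T6 exceeds the cash limit (hook hit).
CONSTRUCTED_STREAM = [
    Txn("T1", "P-100", "PREMIUM", 1_000.0, date(2024, 1, 2)),
    Txn("T2", "P-100", "ADDRESS_CHANGE", 0.0, date(2024, 1, 10)),
    Txn("T3", "P-100", "WITHDRAWAL", 500.0, date(2024, 1, 14)),
    Txn("T4", "P-200", "ADDRESS_CHANGE", 0.0, date(2024, 1, 1)),
    Txn("T5", "P-200", "WITHDRAWAL", 300.0, date(2024, 2, 15)),
    Txn("T6", "P-300", "CASH_PAYOUT", 75_000.0, date(2024, 1, 20)),
    Txn("T7", "P-300", "CASH_PAYOUT", 20_000.0, date(2024, 1, 21)),
]


if __name__ == "__main__":
    ledger, audit = run_application(CONSTRUCTED_STREAM)
    print("SCARF file:", audit.scarf_file)
    print("Audit hook hits:", audit.hook_hits)
    print("Snapshots:", audit.snapshots)
```

The application keeps processing every transaction; the module only records. The SCARF file and the hook hits are what the auditor reviews afterwards, and the snapshot list is the audit trail that lets the auditor compare the before and after images of any transaction.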
Points to remember for the CISA exam:
When an audit trail is required, the technique to be used is snapshots.
When fictitious entities and a live production environment are mentioned in the question, answer ITF.
When early detection is required, answer audit hooks.
When simulating the application system processing is mentioned, answer CIS.
Some example CISA questions.
Q1 Here the objective is given as: when an audit trail is required.
We already discussed that when an audit trail is required, we need some pictures or snaps. So what gives us snaps and pictures? Yes, snapshots.
Q2 ITF has an advantage over other automated audit tools because of which of the following characteristics?
Let us again go to the characteristics of ITF. The basic point:
what is it that uses fictitious transactions in a live production environment?
Options: creation of fictitious entities is not required, as testing is done on actual master files;
ITF does not require setting up a separate test environment or test process;
ITF is a continuous audit tool;
ITF eliminates the need to prepare test data.
The option that creation of a dummy or fictitious entity is not required is wrong: we do need to create a dummy or fictitious entity.
The second option, that ITF does not require setting up a separate test environment, is correct, because the environment we use is the live environment.
So the answer is: ITF does not require setting up a separate test environment.
Q3 Let us take one more example.
Which characteristic best describes an integrated test facility?
A technique to verify system processing,
a technique to verify system integration,
a technique to generate test data, or
a technique to validate the ongoing operation of the system.
ITF is not an ongoing monitoring process. ITF is not a technique for generating test data. Through ITF we do not verify system integration, but through ITF we can verify system processing.
How ITF works: ITF checks the logic of the system by creating dummy entries, so it helps us understand whether the system is producing the correct picture or not.
So the answer is: a technique to verify system processing.
Q4 Let us take one more example.
Early detection of an error or irregularity is required in this question.
As we already discussed, because of their low complexity and ease of use, audit hooks are the correct answer in this case.
Q5 Let us discuss one more question.
Which is the best tool to identify transactions as per predefined criteria?
Here, predefined criteria can be defined in most of the tools: SCARF, CIS, ITF, and audit hooks.
Answer: But in CIS, criteria of high complexity can be designed, so CIS is the best tool when such criteria need to be defined.
Q6 Let us take one more example.
Again, which is a characteristic of ITF?
Actual transactions are validated on an ongoing basis; it enables the IS auditor to generate test data; predetermined results are compared with processing output; it enables the auditor to analyze a large amount of information.
Here the correct answer is: predetermined results are compared with processing output to ascertain the correctness of system processing.
Dummy transactions with predetermined results are entered into the system, and the calculated values are then compared with the predetermined results to ensure whether the system is calculating correctly or not.
Q7 To identify excess inventory for the previous year, which online auditing technique can be used?
Here the objective is to identify actual excess inventory of the previous year.
So test data will not be applicable. The integrated test facility also uses test data, so it will not be applicable either.
Embedded audit modules will not help us obtain results for the previous year.
So the answer is generalized audit software.
Q8 Here the objective is to replicate or simulate the application system processing.
As we already discussed, it is CIS, continuous and intermittent simulation.
It basically simulates the application system processing through the DBMS (database management system).
Let us discuss data analytics and its important aspects from the CISA exam perspective.
Q1 What is the first step in conducting data analytics?
The first step is determining the objective and scope of the analytics.
Q2 Which is the most effective online audit technique when an audit trail is required?
Audit trail means audit evidence. The snapshot technique.
Q3 What is the advantage of an integrated test facility?
In an integrated test facility, no separate test environment is required, as the live system and live processing are used to test the system.
It helps to validate the accuracy of system processing.
Q4 What is the most effective online audit technique when the objective is to identify transactions as per predefined criteria?
CIS is the most useful to identify transactions as per predefined criteria in a complex environment.
Some practice questions.
Q1 Which of the following steps will be taken first to carry out data analytics?
The first step is to determine the analytics targets, range, and objective.
Q2 The prime benefit of the usage of CAATs is?
A CAAT is basically a computer-assisted audit technique,
that is, a tool used for auditing.
So the main benefit of a CAAT is?
It provides reliability for the source of information and thus reassurance on the audit findings.
A CAAT captures the data from its source, and hence there is no manual intervention, so we can say there is reassurance on the audit findings.
Q3 Which of the following is a prime consideration while using computer-assisted audit techniques?
The most important aspect is to ensure the integrity of the data that we are using for analysis.
We need to ensure the confidentiality and integrity of the data.
Q4 The best way to determine the proper functioning of a system calculation is?
Functioning of the system calculation means that transaction integrity is maintained in the system
and there is no error or other loophole in the system.
The best way is to use computer-assisted audit techniques to perform substantive testing.
Q5 The best method when an audit trail is required?
Audit trail means audit evidence.
Remember, whenever an audit trail is required, the best method is snapshots.
Q6 An important feature of ITF is?
Setting up a separate test environment or test process is not required.
Only test data is required; a separate test environment and test process are not required.
So in ITF, test data is used in the live environment, the live system.
Q7 ITF is best used for?
Verification of system processing.
Q8 The best continuous auditing technique for early detection of errors or irregularities is?
Audit hooks.
Q9 The best auditing tool to capture transactions as per predefined criteria is?
CIS.
Q10 An important feature of the ITF is?
The results of the test transaction are compared with the predetermined value to validate the system processing.
Q11 The best technique to identify excess inventory for the previous year is?
The question is about the previous year.
Answer: generalized audit software.
Reporting and Communication Techniques
This section is about reporting and communication techniques.
Q1 What is the objective of an audit closure meeting?
The objective of an audit closure meeting is to ensure that there is no misunderstanding or misinterpretation of the facts.
Q2 What is the objective of conducting a follow-up audit?
To validate the remediation action.
Q3 What is the best way to schedule the follow-up audit?
On the basis of the due date agreed upon by the auditee management.
Some practice questions.
Q1 Which of the following should an IS auditor do when an auditee has taken immediate corrective action on an audit finding?
We should still report the observation and the risk in the final report.
That is the professional standard.
Q2 The best course of action for an audit team if they find prior audit reports without work papers is to?
inform the audit management and suggest retesting the controls.
Please note, to inform the audit management and not the auditee management.
Audit management may take a final call after evaluating each aspect.
Q3 An auditor should hold the closure meeting with the objective of?
discussing the audit observations.
Q4 IS auditor is responsible for the communication of audit results to?
senior management, audit committee.
Q5 An auditor should hold the closure meeting with the objective of?
To ensure that there has been no misunderstanding or misinterpretation of fact.
Q6 Which of the following should be the first action in case of non-agreement by the department manager over the audit finding?
The first step will be to revalidate the supporting evidence to ensure that evidence is proper.
Q7 The main reason for meeting with auditees before formally releasing the audit report is to?
gain agreement on the audit findings
Q8 Which of the following should an IS auditor do when they find that a critical disaster recovery plan does not cover all of the system?
To determine the impact of non-inclusion of a critical system in DRP.
Q9 The main reason for meeting with the auditees before formally releasing the audit report is to?
to validate the accuracy of the audit findings.
Q10 Which of the following should an IS auditor do when they observe minor weaknesses in the database that are beyond the scope of the audit?
Even if it is beyond the scope of the audit, the weakness should be reported in the audit report.
Q11 An IS auditor is reviewing the finance application. During the course of the audit, they observe a major weakness in the change management application supporting the finance application. What should the IS auditor do?
It is beyond the scope of the audit; should it be ignored or reported?
Answer: As per professional standards, it should be part of the report.
Q12 The prime objective of an audit team discussing the audit findings with the auditee is to?
confirm the audit findings and propose a course of corrective action.
Q13 An IS auditor is reviewing a critical application that has not yet been implemented. Certain evidence is not yet available. The auditor should?
issue the report based on available information and highlighting the potential security weakness and the requirement for follow-up audit testing.
Q14 An IS auditor has observed inadequate controls for remote access for a critical application. However, management does not consider this as a risk. Auditor should?
Document the audit findings in the audit report.
Q15 The audit team should ensure that audit findings are supported by?
Objective audit evidence.
Q16 Which of the following should an IS auditor do if an auditee does not agree with the audit findings?
This is about how to handle the conflict: explain the impact of the findings and the risk of not correcting them.
Q16 The best way for an IS auditor to follow up on the closure activities is to?
Closure activities means verifying whether audit observations have been closed appropriately.
Answer: Conduct a review of the controls after the projected remediation date.
Q17 To review the accuracy of management's remediation action plan, the most important factor is?
The criticality of the audit findings.
Q18 The best way to schedule a follow-up for the audit findings is to?
Follow-up of an audit finding means verifying whether the audit observation has been closed appropriately, so the follow-up should be scheduled on the basis of the closure dates provided by management.
Q19 Which of the following is the main objective of conducting the follow-up audit?
The objective of a follow-up audit is to validate whether audit observations have been closed appropriately, that is, to validate the remediation action plan: whether the action plan that was agreed was actually followed.
Testing Concept - Control Self-Assessment (CSA)
What is control self-assessment?
CSA is nothing but the involvement of line managers in the risk identification and mitigation processes.
As per the CRM, CSA allows managers and teams directly involved in a business unit to participate in assessing the organization's risk management and control processes.
In simple words, the team understands the business processes, defines the controls, and generates an assessment of how well the controls are working.
For the CISA exam, we need to understand the objectives of control self-assessment. The two main objectives are, first, to concentrate on areas of high risk and, second, to enhance the audit responsibility. This is done by shifting some of the control monitoring responsibility to the functional areas. But please note: it is not a replacement of the audit responsibility; it is an enhancement of the audit responsibility.
What are the benefits of CSA?
Early detection of risk, because the process owners themselves will identify the risk; more effective and improved internal controls; and assurance provided to stakeholders and customers.
The main disadvantage of CSA is that it could be mistaken as a replacement for the audit function.
So now, what is the role of the auditor in CSA?
Simple answer: the auditor should act as a facilitator. During a CSA workshop, the auditor leads and guides the auditees on risk and control functions.
If a question asks about the success factor of CSA, the answer is the involvement of line management in control monitoring; this is the important success factor of CSA.
Now, I request you to remember the content of this particular table; questions on CSA will be drawn from this table only.
So for example,
Q1 What are the objectives of CSA?
First, to concentrate on areas of high risk; second, to enhance the audit responsibility. If both options appear in a question, give preference to the first one, that is, to concentrate on areas of high risk.
Q2 Benefits of CSA?
Early detection of risk, more effective and improved internal controls, and assurance provided to stakeholders. Any of these three could be the answer in a question.
Q3 If ISACA asks about the disadvantage of CSA?
Our answer should be: it could be mistaken as a replacement for the audit function.
Q4 Auditor's role in CSA?
Simple answer: facilitator.
Q5 Success factor for CSA?
Involvement of line management is the prime success factor for implementing CSA.
Let us discuss some questions.
Q1 An IS auditor is evaluating a control self-assessment program in an organization. What is its main objective?
As already seen, the main objective of a CSA program is to concentrate on areas of high risk; the second objective is to enhance the audit responsibility.
Q2 If the question is about the auditor's role in a control self-assessment?
As already discussed, in such a scenario our answer should be: facilitator (program facilitator).
Q3 For a successful control self-assessment, it is essential to have?
Involvement of line managers who take responsibility for control monitoring.
Q4 An IS auditor has been asked to participate in the implementation of control self-assessment. The auditor should participate primarily as a?
Facilitator.
Q5 Which of the following is an objective of a CSA program?
The options given are: replacement, enhancement, evaluating the risk management program, and providing audit training.
The objectives of a CSA program are, first, to identify areas of errors and, second, to enhance the audit responsibility.
Q6 Which of the following is the best time to perform control self-assessment?
Please note: control self-assessment is most helpful when it is done during the preliminary survey.
Q7 The primary advantage of control self-assessment over a traditional audit is that?
It identifies high-risk areas that might need a detailed review later.
Q8 Which of the following is the most important requirement for a successful CSA?
This is asking about the success factor, which is the involvement of line managers.
Q9 What is the advantage of CSA over a traditional audit?
In a traditional audit, we mostly do a post-mortem of particular activities. CSA, by contrast, helps us identify risks at an earlier stage.
1.12 - IS Internal Audit Function
The Internal Information Systems (IS) audit function is a specialized area within the broader internal audit framework that focuses on evaluating and assessing an organization's information systems, IT infrastructure, and related processes. The primary objective of the IS audit function is to ensure that the organization's IT systems are secure, reliable, and operate efficiently. This function helps identify potential risks, ensure compliance with relevant laws and regulations, and safeguard the organization's digital assets. By conducting regular audits, the IS audit function provides valuable insights and recommendations for improving the overall IT governance and security posture of the organization.
Requirement for Separate IS Audit Function
A separate Information Systems (IS) audit function is essential to ensure that the organization's IT systems and processes are thoroughly examined. This independence allows the auditors to provide an unbiased assessment of the IT environment. Having a dedicated IS audit function helps in identifying risks and vulnerabilities in the IT infrastructure, ensuring compliance with regulations, and safeguarding the organization's assets. In fact, many regulations mandate having a dedicated IS audit department. For example, the Sarbanes-Oxley Act (SOX) in the United States requires public companies to have internal controls and procedures for financial reporting, which includes an independent IS audit function. Similarly, the Reserve Bank of India (RBI) mandates that banks must have a separate IS audit team to oversee the security and integrity of their IT systems. This enhances the credibility of the audit findings since the auditors are not influenced by other departments.
Governance of IS Audit Function
The governance of the IS audit function involves setting up policies and procedures to guide the audit activities. This includes defining the scope of audits, setting audit objectives, and establishing procedures and guidelines for conducting audits. Effective governance ensures that the IS audit function aligns with the overall objectives of the organization and complies with regulatory requirements. It also involves regular reviews and updates to the audit processes to adapt to changes in technology and the business environment.
Reporting Structure of IS Audit Function
The IS audit function should have a clear and independent reporting structure. Typically, IS auditors report to the audit committee or the board of directors rather than the IT department or other operational areas. In many organizations, the IS audit function is a subset of the Internal Audit department. However, it is essential to ensure that the Head of Internal Audit has sufficient knowledge and expertise to understand IT-related risks. This independence in reporting ensures that the auditors can present their findings without any conflict of interest. It also helps in maintaining the objectivity and integrity of the audit process.
Management of IS Audit Resources
Managing IS audit resources involves ensuring that the audit team has the necessary skills, knowledge, and tools to perform their tasks effectively. This includes hiring qualified auditors, providing ongoing training and development, and ensuring access to the latest audit technologies and methodologies. Effective resource management helps in conducting comprehensive and efficient audits, ultimately contributing to the overall security and efficiency of the organization's IT systems.
IS Audit Objectives Should Be Aligned with Overall Business Objectives
The objectives of the IS audit function should be closely aligned with the overall business objectives of the organization. This alignment ensures that the audit activities are not just focused on compliance and risk management, but also support the strategic goals of the business. By understanding and integrating the business objectives, IS auditors can provide insights and recommendations that enhance business performance, improve operational efficiency, and contribute to the achievement of the organization's long-term goals. This synergy between IS audit objectives and business objectives ultimately leads to a more resilient and successful organization.
By establishing a robust IS audit function, organizations can better protect their information assets, ensure compliance with regulations, and maintain trust with stakeholders.
1.13 - Managing third party IS Auditors and other experts
In today's complex business environment, organizations often rely on third-party IS auditors and other experts to ensure their information systems are secure and compliant with regulations. Due to the non-availability of in-house resources or cost considerations, the audit function may need to depend on external professionals. Managing these external experts effectively is crucial to achieving a successful audit outcome.
1.14 - Agile Auditing
In the rapidly changing business world, traditional audit processes can sometimes be too rigid and slow to keep up with the pace of organizational change. This is where Agile Auditing comes in. Inspired by Agile methodologies used in software development, Agile Auditing offers a flexible and responsive approach to auditing, ensuring that audit activities remain relevant and effective in a dynamic environment. By adopting Agile Auditing, organizations can continuously adapt to new risks and challenges, making their audit processes more efficient and effective.
1.15 - Quality Assurance of Audit Process
Quality assurance in the audit process is crucial for making sure audits are reliable and effective. It ensures that audits follow established standards and best practices, giving stakeholders confidence in the audit results. The quality assurance process includes oversight by the audit committee, continuous education for IS auditors, and performance monitoring of the IS audit function.
Oversight by Audit Committee
The audit committee, usually made up of members of the board of directors, plays a vital role in ensuring the quality of the audit process. They oversee the audit function to make sure audits are done fairly and thoroughly. The audit committee approves the audit plan, reviews audit reports, and ensures that any issues found are addressed properly. Their oversight helps maintain the independence and objectivity of the audits, which is essential for high-quality results.
Continuous Education and Updating of IS Auditors
In the fast-changing field of information systems (IS), it is essential for IS auditors to keep their knowledge and skills up to date. This involves staying informed about the latest technology developments, regulatory changes, and new risks. IS auditors should participate in training programs, earn certifications, and attend industry conferences to maintain their expertise. Continuous education helps auditors effectively identify and assess risks, use advanced audit techniques, and provide valuable insights to their organization.
Performance Monitoring of IS Audit Functions
Monitoring the performance of the IS audit function is a key part of quality assurance. Here are some examples of key performance indicators (KPIs) that can be used to monitor and evaluate the performance of the IS audit function:
Audit Coverage Rate:
· Definition: The percentage of planned audits that were completed within a given period.
· Example KPI: Number of completed audits / Number of planned audits × 100.
Audit Finding Closure Rate:
· Definition: The percentage of identified audit findings that have been addressed and closed within the specified time frame.
· Example KPI: Number of closed audit findings / Number of total audit findings × 100.
Timeliness of Audit Reports:
· Definition: The average time taken to issue audit reports after the completion of an audit.
· Example KPI: Average number of days from audit completion to report issuance.
Audit Recommendation Implementation Rate:
· Definition: The percentage of audit recommendations that have been implemented by management.
· Example KPI: Number of implemented recommendations / Number of total recommendations × 100.
Resource Utilization:
· Definition: The extent to which audit resources (e.g., personnel, budget) are utilized effectively.
· Example KPI: Actual hours spent on audits / Budgeted hours for audits × 100.
Stakeholder Satisfaction:
· Definition: The level of satisfaction among stakeholders (e.g., audit committee, management) with the audit process and outcomes.
· Example KPI: Average satisfaction rating from stakeholder surveys.
Compliance Rate:
· Definition: The percentage of audits that comply with established internal audit standards and procedures.
· Example KPI: Number of compliant audits / Number of total audits × 100.
Risk Coverage:
· Definition: The extent to which critical risks are identified and addressed through the audit process.
· Example KPI: Number of critical risks audited / Number of critical risks identified × 100.
Training and Development:
· Definition: The investment in and effectiveness of training and development programs for audit staff.
· Example KPI: Average training hours per auditor per year.
Audit Cost Efficiency:
· Definition: The cost-effectiveness of the audit function in relation to the value it provides.
· Example KPI: Total audit cost / Number of audits conducted.
By regularly tracking these KPIs, the IS audit function can ensure continuous improvement, demonstrate its value to the organization, and align its activities with the overall business objectives.
Continuous Improvement
In addition to the above points, the IS audit function should also focus on continuous improvement and adaptation. This involves staying updated with the latest trends and threats in the IT landscape, regularly updating audit methodologies, and incorporating feedback from previous audits. It also includes fostering a culture of collaboration between the IS audit team and other departments to ensure a holistic approach to risk management and compliance.
Accreditation/Certification of IS Audit Function
Accreditation or certification of the IS audit function provides formal recognition that the audit process meets established standards. This can enhance the credibility and reliability of the audit function. For example, ISO 9001 QMS helps in standardizing the processes within the IS audit function. This standardization ensures that all audits are conducted in a consistent manner, following predefined procedures and guidelines. By having a clear set of standards and procedures, IS auditors can perform their tasks more effectively and efficiently, reducing variability and improving the reliability of audit outcomes. Such accreditations not only boost stakeholder confidence but also ensure that the audit function remains aligned with industry standards and practices.
By implementing strong quality assurance measures, organizations can ensure that their audit processes are compliant with standards and contribute effectively to overall governance and risk management.
1.16 - Use of Artificial Intelligence in Audit Process
Artificial Intelligence (AI) is revolutionizing various industries, including auditing. Traditionally, auditing has been a manual and time-consuming process, requiring auditors to sift through large volumes of data to identify discrepancies and ensure compliance. However, with the advent of AI, the audit process is becoming more efficient, accurate, and insightful. AI can analyze vast amounts of data quickly, identify patterns, and even predict potential risks, making it an invaluable tool in modern auditing.
What is AI?
AI refers to the ability of machines to perform tasks that typically require human intelligence. This includes learning from experience, understanding complex patterns, making decisions, and even recognizing natural language. In the context of auditing, AI can be used to automate repetitive tasks, analyze data more comprehensively, and provide insights that might be missed by human auditors.
Benefits of Use of AI in Audit Processes
The integration of AI in audit processes offers several significant benefits:
1. Increased Efficiency: AI can process and analyze large datasets much faster than humans. This reduces the time required for audits and allows auditors to focus on more complex and judgment-based aspects of their work.
2. Improved Accuracy: AI algorithms can identify patterns and anomalies that might be overlooked by human auditors. This leads to more accurate identification of risks and errors, enhancing the overall quality of the audit.
3. Continuous Auditing: AI can facilitate continuous auditing by constantly monitoring transactions and data flows. This real-time analysis helps in identifying issues as they occur, rather than waiting for periodic audits.
4. Cost Savings: By automating routine tasks, AI reduces the need for extensive manual labor, leading to cost savings for organizations. This can be particularly beneficial for large companies with complex audit requirements.
Risks of Use of AI in Audit Processes
While AI offers many advantages, its use in auditing also comes with certain risks:
1. Data Privacy and Security: AI systems require access to large amounts of data, which can raise concerns about data privacy and security. Ensuring that AI tools comply with data protection regulations is crucial.
2. Algorithm Bias: AI systems can sometimes exhibit biases based on the data they are trained on. If the training data is biased, the AI’s decisions may also be biased, potentially leading to inaccurate audit results.
3. Dependence on Technology: Over-reliance on AI might lead to a reduction in critical thinking skills among auditors. It’s important to balance AI use with human judgment to ensure a comprehensive audit.
4. Complexity and Understanding: AI systems can be complex and difficult to understand. Auditors need to be trained to understand how these systems work and to interpret their findings correctly.
Use Cases of AI in Audit Process
AI is already being used in various aspects of the audit process. The following are some examples of use cases of AI in the audit process:
1. Data Analysis: AI can analyze financial transactions, identify anomalies, and flag potential areas of concern. For instance, AI can detect unusual patterns that may indicate fraud or non-compliance.
2. Document Review: AI tools can review and analyze large volumes of documents, such as contracts and agreements, to ensure compliance with regulations and identify any discrepancies.
3. Risk Assessment: AI can help in assessing risks by analyzing historical data and predicting future trends. This enables auditors to focus on high-risk areas and take preventive measures.
4. Compliance Monitoring: AI systems can continuously monitor transactions and activities to ensure compliance with laws and regulations. This is particularly useful in industries with stringent regulatory requirements.
5. IT System Audits: AI can evaluate the security and performance of IT systems by analyzing logs and detecting unusual activities that may indicate security threats or system failures.
6. Network Traffic Analysis: AI can monitor network traffic to identify potential security breaches or unusual patterns that could indicate malware or unauthorized access.
7. Software License Compliance: AI can audit software usage to ensure compliance with licensing agreements, helping organizations avoid legal and financial penalties.
Best Practices for Using AI in Audit Process
To maximize the benefits of AI in auditing while minimizing the risks, it's essential to follow best practices:
1. Data Quality and Integrity: Ensure that the data used for training AI models is accurate, complete, and free from biases. High-quality data leads to more reliable AI outputs.
2. Transparency and Explainability: Use AI tools that provide transparency in their operations and make it easy to understand how decisions are made. This helps auditors trust and verify AI findings.
3. Continuous Learning and Updates: Regularly update AI models to reflect the latest data and trends. Continuous learning helps AI tools adapt to changing conditions and improve over time.
4. Ethical Considerations: Consider the ethical implications of using AI, such as data privacy, fairness, and accountability. Ensure that AI systems are used responsibly and do not violate ethical standards.
5. Human Oversight: While AI can automate many tasks, human oversight is crucial. Auditors should review AI outputs, provide context, and make final decisions to ensure a balanced and comprehensive audit process.
6. Training and Skill Development: Invest in training for auditors to understand AI tools and techniques. This helps them use AI effectively and interpret its findings accurately.
7. Integration with Existing Processes: Seamlessly integrate AI tools with existing audit processes and systems. This ensures that AI complements, rather than disrupts, traditional auditing methods.
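As an added illustration of use case 1 (data analysis: flagging unusual transactions) together with best practices 2 and 5 (explainability and human oversight), the following Python is not from the course notes or from ISACA material. In place of a trained model it uses a simple robust statistic, the median and median absolute deviation (MAD) per vendor, so every flag comes with a reason an auditor can re-check by hand; the transactions, vendor names and thresholds are constructed assumptions, and the output is a review list for a human, not an automatic decision.

```python
"""Screen vendor payments for unusual amounts, with an explanation per flag.

Added example for these notes (not code from the course or from ISACA):
a robust z-score based on the median and the median absolute deviation (MAD)
stands in for the "AI" model the notes describe. Transaction records,
vendor names and thresholds below are constructed sample values.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List

MIN_BASELINE = 5    # assumption: fewer payments than this is too thin a baseline
Z_THRESHOLD = 3.5   # assumption: robust z-score above which a payment is flagged
MAD_SCALE = 1.4826  # scales MAD to match a standard deviation for normal data


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    vendor: str
    amount: float


@dataclass(frozen=True)
class Flag:
    txn_id: str
    vendor: str
    amount: float
    robust_z: float
    explanation: str  # plain-language reason an auditor can verify by hand


def robust_z(amount: float, med: float, mad: float) -> float:
    """Distance of amount from the vendor's median, in robust standard deviations.

    MAD == 0 means every payment in the history was identical, so any
    deviation is treated as infinitely unusual instead of dividing by zero.
    """
    if mad == 0:
        return float("inf") if amount != med else 0.0
    return abs(amount - med) / (MAD_SCALE * mad)


def screen_transactions(txns: List[Transaction]) -> Dict[str, list]:
    """Group payments by vendor and flag amounts far from that vendor's norm.

    Returns {"flags": [Flag, ...], "skipped": [reason, ...]}. Nothing is
    rejected automatically: the result is a review list for a human auditor.
    """
    by_vendor: Dict[str, List[Transaction]] = {}
    for t in txns:
        by_vendor.setdefault(t.vendor, []).append(t)

    flags: List[Flag] = []
    skipped: List[str] = []
    for vendor, items in sorted(by_vendor.items()):
        if len(items) < MIN_BASELINE:
            # Too few payments to learn what "normal" is; report that explicitly
            skipped.append(f"{vendor}: only {len(items)} payment(s), "
                           f"below the baseline of {MIN_BASELINE}")
            continue
        amounts = [t.amount for t in items]
        med = median(amounts)
        mad = median(abs(a - med) for a in amounts)
        for t in items:
            z = robust_z(t.amount, med, mad)
            if z > Z_THRESHOLD:
                explanation = (f"{t.amount:.2f} vs vendor median {med:.2f} "
                               f"(MAD {mad:.2f}, robust z {z:.1f})")
                flags.append(Flag(t.txn_id, vendor, t.amount, z, explanation))
    return {"flags": flags, "skipped": skipped}


# Constructed sample data: one clear outlier, one flat history with a small
# change, and one vendor with too few payments to judge.
SAMPLE_TRANSACTIONS = [
    Transaction("T001", "Acme Supplies", 1200.00),
    Transaction("T002", "Acme Supplies", 1180.00),
    Transaction("T003", "Acme Supplies", 1250.00),
    Transaction("T004", "Acme Supplies", 1210.00),
    Transaction("T005", "Acme Supplies", 1190.00),
    Transaction("T006", "Acme Supplies", 1230.00),
    Transaction("T007", "Acme Supplies", 9800.00),    # constructed outlier
    Transaction("T008", "Initech Hosting", 500.00),
    Transaction("T009", "Initech Hosting", 500.00),
    Transaction("T010", "Initech Hosting", 500.00),
    Transaction("T011", "Initech Hosting", 500.00),
    Transaction("T012", "Initech Hosting", 500.00),
    Transaction("T013", "Initech Hosting", 510.00),   # deviation from a flat history
    Transaction("T014", "Globex", 4200.00),
    Transaction("T015", "Globex", 150.00),
]

if __name__ == "__main__":
    result = screen_transactions(SAMPLE_TRANSACTIONS)
    for flag in result["flags"]:
        print(f"REVIEW {flag.txn_id} {flag.vendor}: {flag.explanation}")
    for reason in result["skipped"]:
        print(f"SKIPPED {reason}")
```

Two design choices matter for the best practices above: the median/MAD baseline is not pulled towards the outlier it is trying to find (an ordinary mean and standard deviation would be), and a vendor with too little history is reported as skipped rather than silently treated as clean, so the auditor can see where the screen had no basis to judge.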
************************************************************************************