8 Protection of Information Assets

The document discusses information security concepts including confidentiality, integrity and availability (CIA), information security management systems (ISMS), privacy, human resources security, third party access, security controls, control monitoring, and security awareness training. It provides definitions and recommendations for these topics to help ensure information assets and privacy are adequately protected.

Uploaded by Hassaan Sarfraz

Protection of Information Assets

Domain 5

Provide assurance that the enterprise’s security policies, standards, procedures and controls ensure the confidentiality, integrity and availability (CIA) of information assets.
Task 5.1

Evaluate the information security and privacy policies, standards and procedures for completeness, alignment with generally accepted practices and compliance with applicable external requirements.
Security Objectives
• Security objectives to meet an organization’s business requirements should ensure the following:
• Continued availability of information systems and data
• Integrity of the information stored on computer systems and while in transit
• Confidentiality of sensitive data is preserved while stored and in transit
(The three objectives above are the CIA triad.)
• Conformity to applicable laws, regulations and standards
• Adherence to trust and obligation requirements in relation to any information relating to an identified or identifiable individual (i.e., data subject) in accordance with internal privacy policy or applicable privacy laws and regulations
• Adequate protection for sensitive data while stored and when in transit, based on organizational requirements
ISMS
• An information security management system (ISMS) is a framework of policies,
procedures, guidelines and associated resources to establish, implement, operate,
monitor, review, maintain and improve information security for all types of organizations.
Information Security Management
• Information security management is the most critical factor in
protecting information assets and privacy.
• Key elements include:
• Senior management leadership, commitment and support
• Policies and procedures
• Organization
• Security awareness and education
• Monitoring and compliance
• Incident handling and response
• Risk management

Source: ISACA, CISA Review Manual 26th Edition, figure 5.2


ISMS (cont’d)
• An ISMS is defined in these guidelines and standards:
• ISO/IEC 2700X—Guidance for managing information security in specific industries
and situations
• ISO/IEC 27000—Defines the scope and vocabulary and establishes the basis for
certification
• ISO/IEC 27001—Formal set of specifications against which organizations may seek
independent certification of their information security management system
• ISO/IEC 27002—Structured set of suggested controls to address information security
risk
The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27K' for short) comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The series provides best practice recommendations on information security management.
ISM Roles & Responsibilities
Individuals and groups with information security management roles include:
• Executive management
• Security steering committee
• Security advisory group
• Chief privacy officer (CPO)
• Chief information security officer (CISO)
• Chief security officer (CSO)
• Process owners
• Information asset owners and data owners
• Users
• External parties
• Security administrator
• Information security specialist/advisors
• IT developers
• IS auditors

Source: ISACA, CISA Review Manual 26th Edition, figure 5.3


Privacy
• Privacy means freedom from unauthorized intrusion or disclosure of information
about an individual (also referred to as a “data subject”).
• Management should perform a privacy impact analysis.
Privacy (cont’d)
• The IS auditor may be asked to support or perform this assessment (privacy impact analysis),
which should:
• Pinpoint the nature of personally identifiable information associated with business processes.
• Document the collection, use, disclosure and destruction of personally identifiable
information.
• Ensure that accountability for privacy issues exists.
• Identify legislative, regulatory and contractual requirements for privacy.
• Be the foundation for informed policy, operations and system design decisions based on an
understanding of privacy risk and the options available for mitigating that risk.
Human Resources Security
• Security roles and responsibilities of employees, contractors and third-party users should be defined and documented in accordance with the organization’s information security policy.
• IS auditor to ensure this is in place.
Human Resources Security (cont’d)

• Human resources-related security practices include the following:
• Security responsibilities should be addressed prior to employment in adequate job descriptions, and in terms and conditions of employment.
• All candidates for employment, contractors and third-party users should be adequately screened, especially for sensitive jobs.
• Employees, contractors and third-party users of information processing facilities should sign an agreement on their security roles and responsibilities, including the need to maintain confidentiality.
• When an employee, contractor or third-party user exits the organization, procedures should be in place to remove access rights and return all equipment.
• IS auditor to ensure these practices are in place.
Third Party Access
• Third party access to an organization’s information processing facilities and
processing and communication of information must be controlled.
• These controls must be agreed to and defined in a contract with the third party.
Third Party Access (cont’d)
• Some recommended contract terms include:
• Compliance with the organization’s information security policy
• A clear reporting structure and agreed reporting formats
• A clear and specified process for change management
• An access control policy
• Arrangements for reporting, notifying and investigating information security incidents and
security breaches
• Service continuity requirements
• The right to monitor and revoke any activity related to the organization’s assets

Source: ISACA, CISA Review Manual 26th Edition, Figure 5.10


Security Controls
• An effective control is one that prevents, detects, and/or contains an incident and enables recovery from an event.
• Controls can be:
• Proactive (safeguards)—Controls that attempt to prevent an incident
• Reactive (countermeasures)—Controls that allow the detection, containment and recovery from an incident
Control Methods
• Managerial—Controls related to the oversight, reporting, procedures and operations of a process. These include policy, procedures, balancing, employee development and compliance reporting.
• Technical—Controls also known as logical controls, provided through the use of technology, a piece of equipment or a device. Examples include firewalls, network- or host-based intrusion detection systems (IDSs), passwords and antivirus software. A technical control requires proper managerial (administrative) controls to operate correctly.
• Physical—Controls such as locks, fences, closed-circuit TV (CCTV) and devices that are installed to physically restrict access to a facility or hardware. Physical controls require maintenance, monitoring and the ability to assess and react to an alert should a problem be indicated.

Source: ISACA, CISA Review Manual 26th Edition, figure 5.5


Control Monitoring
• To ensure controls are effective and properly monitored, the IS auditor should:
• Validate that processes, logs and audit hooks have been placed into the
control framework.
• Ensure that logs are enabled, controls can be tested and regular reporting
procedures are developed.
• Ensure that control monitoring is built into the control design.
Security Awareness Training
• An active security awareness program can greatly reduce risk by addressing the
behavioral element of security through education and consistent application of
awareness techniques.
• All employees of an organization and third-party users must receive appropriate training
and regular updates on the importance of security policies, standards and procedures in
the organization.
• In addition, all personnel must be trained in their specific responsibilities related to
information security.
System Access Permission
• System access permission generally refers to a technical privilege, such as the ability to read,
create, modify or delete a file or data; execute a program; or open or use an external
connection.
• System access to computerized information resources is established, managed and
controlled at the physical and/or logical level.

• Physical access controls—Restrict the entry and exit of personnel to an area, such as an office building, suite, data center or room, containing information processing equipment.
• Logical access controls—Restrict the logical resources of the system (transactions, data, programs, applications) and are applied when the subject resource is needed.
System Access Reviews
• Roles should be assigned by the information owner or manager.
• Access authorizations should be regularly reviewed to ensure they are still valid.

The IS auditor should evaluate the following criteria for defining permissions and granting
access:
• Need-to-know
• Accountability
• Traceability
• Least privilege
• Separation of Duties (SoD)
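As an added example (not part of the slides or the ISACA manual), the following Go program applies the need-to-know, least-privilege and separation-of-duties criteria to a constructed access-rights extract and returns the exceptions a reviewer would take back to the information owner; the role names, job functions and conflict pairs are assumed sample policy.

```go
package main

import (
	"fmt"
	"sort"
)

// Entitlement is one access right held by a user, as it appears in an access-rights extract.
type Entitlement struct{ User, Role string }

type Finding struct{ User, Kind, Detail string } // one exception for the information owner

// sodConflicts lists role pairs one person must never hold together
// (constructed sample policy for this example).
var sodConflicts = [][2]string{
	{"vendor-create", "payment-approve"},
	{"developer", "prod-deploy"},
}

// approvedRoles is the need-to-know baseline: the roles each job function
// legitimately needs (constructed sample, normally set by the information owner).
var approvedRoles = map[string]map[string]bool{
	"ap-clerk":   {"vendor-create": true, "invoice-entry": true},
	"ap-manager": {"payment-approve": true, "invoice-entry": true},
	"engineer":   {"developer": true},
	"sre":        {"prod-deploy": true},
}

// ReviewAccess compares an extract against the SoD and least-privilege baselines; sorted output.
func ReviewAccess(jobs map[string]string, ents []Entitlement) []Finding {
	held := map[string]map[string]bool{}
	for _, e := range ents {
		if held[e.User] == nil {
			held[e.User] = map[string]bool{}
		}
		held[e.User][e.Role] = true
	}
	var out []Finding
	for user, roles := range held {
		// Separation of duties: both halves of a conflicting pair on one user.
		for _, p := range sodConflicts {
			if roles[p[0]] && roles[p[1]] {
				out = append(out, Finding{user, "SoD", p[0] + " + " + p[1]})
			}
		}
		// Least privilege / need-to-know: a role the job function does not need.
		// A user with no HR record (leaver, orphan account) fails for every role.
		job := jobs[user]
		if job == "" {
			job = "(no job record)"
		}
		for r := range roles {
			if !approvedRoles[job][r] {
				out = append(out, Finding{user, "least-privilege", r + " not approved for " + job})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].User+"/"+out[i].Kind+"/"+out[i].Detail < out[j].User+"/"+out[j].Kind+"/"+out[j].Detail
	})
	return out
}

// Constructed sample extract: HR job functions and the roles actually granted.
var SampleJobs = map[string]string{"alice": "ap-clerk", "bob": "ap-manager", "carol": "engineer", "dave": "sre"}
var SampleEntitlements = []Entitlement{
	{"alice", "vendor-create"}, {"alice", "invoice-entry"}, {"alice", "payment-approve"},
	{"bob", "payment-approve"}, {"carol", "developer"}, {"carol", "prod-deploy"},
	{"dave", "prod-deploy"}, {"eve", "developer"}, // eve has no HR record: access never removed
}

func main() {
	for _, f := range ReviewAccess(SampleJobs, SampleEntitlements) {
		fmt.Printf("%-6s %-16s %s\n", f.User, f.Kind, f.Detail)
	}
}
```

The sample extract yields five findings: an SoD conflict and an unapproved role for alice, the same pair for carol, and an orphan entitlement for eve, while bob and dave are clean.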
Task 5.2

Evaluate the design, implementation, maintenance, monitoring and reporting of physical and environmental controls to determine whether information assets are adequately safeguarded.
RECAP FROM PHYSICAL ACCESS CONTROLS – Data Center
Physical Access Issues
• Physical access exposures may originate from natural and man-made hazards, and can result in unauthorized access and interruptions in information availability.
• Exposures include:
• Unauthorized entry
• Damage, vandalism or theft to equipment or documents
• Copying or viewing of sensitive or copyrighted information
• Alteration of sensitive equipment and information
• Public disclosure of sensitive information
• Abuse of data processing resources
• Blackmail
• Embezzlement
Physical Access Controls
• Door locks (cipher, biometric, bolted, electronic)
• Manual or electronic logging
• Identification badges
• CCTV
• Security guards
• Controlled visitor access
• Computer workstation locks
• Controlled single entry point
• Deadman doors
• Alarm system

Physical Access Audit
• The IS auditor should begin with a tour of the site and then test physical
safeguards.
• Physical tests can be completed through visual observations and review of
documents such as fire system tests, inspection tags and key lock logs.
Physical Access Audit (cont’d)
• The test should include all paths of physical entry, as well as the following locations:
• Computer and printer rooms
• UPS/generator
• Operator consoles
• Computer storage rooms
• Communication equipment
• Offsite backup storage facility
• Media storage
Environmental Exposures
• Environmental exposures are due primarily to naturally occurring events.
• Common environmental exposures include:

Power failure
• Total failure (blackout)
• Severely reduced voltage (brownout)
• Sags, spikes and surges
• Electromagnetic interference (EMI)

Water damage/flooding

Manmade concerns
• Terrorist threats/attacks
• Vandalism
• Equipment failure
Environmental Controls
• Environmental exposures should be afforded the same level of protection as other types of
exposures. Possible controls include:

• Alarm control panels
• Fire alarms and smoke detectors
• Water detectors
• Fire extinguishers
• Fire suppression systems
• Fireproof and fire-resistant building and office materials
• Strategically located computer rooms
• Electrical surge protectors
• Uninterruptible power supply/generator
• Power leads from two substations
• Emergency power-off switch
• Documented and tested BCPs and emergency evacuation plans
Environmental Control Audit
• The IS auditor should first establish the environmental risk by assessing the location of the data center.
• In addition, the IS auditor should verify that the following safeguards are in place:
• Water and smoke detectors
• Strategic and visible location of handheld fire extinguishers
• Fire suppression system documentation and inspection by fire department
• UPS/generator test reports
• Electrical surge protectors
• Documentation of fireproof building materials, use of redundant power lines and wiring located in
fire-resistant panels
• Documented and tested emergency evacuation plans and BCPs
• Humidity and temperature controls
Task 5.3

Evaluate the design, implementation, maintenance, monitoring and reporting of system and logical security controls to verify the confidentiality, integrity and availability of information.
Logical Access
• Logical access is the ability to interact with/access computer resources
(hardware/software), granted using identification, authentication and
authorization.

• Logical access controls are the primary means used to manage and protect
information assets.
• IS auditors should be able to analyze and evaluate the effectiveness of a logical
access control in accomplishing information security objectives and avoiding
losses resulting from exposures.
Logical Access (cont’d)
• For IS auditors to effectively assess logical access controls, they first need to gain
a technical and organizational understanding of the organization’s IT environment
(platform), including the following security layers:
• Network
• OS platform
• Database
• Application
Paths of Logical Access
• Access or points of entry to an organization’s IS infrastructure can be gained
through the following paths:
• Direct
• Local network
• Remote
• General points of entry to either front-end or back-end systems occur through
network connectivity or remote access.
Paths of Logical Access (cont’d)

• Any point of entry not appropriately controlled can potentially compromise the
security of an organization’s sensitive and critical information resources.
• The IS auditor should determine whether all points of entry are identified,
managed and controlled.
Logical Access Exposures (CIA)

• Technical exposures are the unauthorized activities interfering with normal processing.
• They include:
• Data leakage—Involves siphoning or leaking information out of the computer
• Wiretapping—Involves eavesdropping on information being transmitted over
telecommunications lines
• Computer shutdown—Initiated through terminals or personal computers
connected directly (online) or remotely (via the Internet) to the computer
Access Control Software
• Access control software is used to prevent the unauthorized access and modification
to an organization’s sensitive data and the use of system critical functions.
• Access controls must be applied across all layers of an organization’s IS architecture,
including networks, platforms or OSs, databases and application systems.

• Each access control usually includes:
• Identification and authentication
• Access authorization
• Accountability
• Verification of specific information resources
• Logging and reporting of user activities
Access Control Software Functions

General operating and/or application systems access control functions:
• Create or change user profiles.
• Assign user identification and authentication.
• Apply user logon limitation rules.
• Notification concerning proper use and access prior to initial login.
• Create individual accountability and auditability by logging user activities.
• Establish rules for access to specific information resources (e.g., system-level application resources and data).
• Log events.
• Report capabilities.

Database and/or application-level access control functions:
• Create or change data files and database profiles.
• Verify user authorization at the application and transaction level.
• Verify user authorization within the application.
• Verify user authorization at the field level for changes within a database.
• Verify subsystem authorization for the user at the file level.
• Log database/data communications access activities for monitoring access violations.
Access Control Types
Mandatory access controls (MACs):
• Logical access control filters used to validate access credentials
• Cannot be controlled or modified by normal users or data owners
• Act by default
• Prohibitive; anything that is not expressly permitted is forbidden

Discretionary access controls (DACs):
• Logical access controls that may be configured or modified by the users or data owners
• Cannot override MACs
• Act as an additional filter, prohibiting still more access with the same exclusionary principle
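An added example, not from the slides: a Go authorization check that applies the mandatory filter first and the discretionary ACL second, so a data owner's ACL entry can narrow access but never grant what the MAC label forbids. The clearance ordering and the read/write rules are a simplified constructed policy, and the file, users and ACL are sample data.

```go
package main

import "fmt"

// Sensitivity levels used by the mandatory check (constructed ordering for this example).
const (
	Public = iota
	Internal
	Confidential
	Secret
)

// Subject is a user with a clearance set by policy, not by any data owner.
type Subject struct{ Name string; Clearance int }

// Object carries a classification label (mandatory) and an owner-managed ACL (discretionary).
type Object struct {
	Name           string
	Classification int
	ACL            map[string][]string // user -> actions the owner granted
}

// Decision records which layer denied, so the audit trail shows why.
type Decision struct{ Allowed bool; Layer string }

// mandatoryAllows is the MAC filter. It is fixed by policy and prohibitive:
// anything not expressly permitted here is forbidden. The rules are a simplified
// constructed example (no read-up; writes only at the object's own level).
func mandatoryAllows(s Subject, o Object, action string) bool {
	switch action {
	case "read":
		return s.Clearance >= o.Classification
	case "write":
		return s.Clearance == o.Classification
	}
	return false
}

// discretionaryAllows is the DAC filter the data owner configures through the ACL.
func discretionaryAllows(s Subject, o Object, action string) bool {
	for _, a := range o.ACL[s.Name] {
		if a == action {
			return true
		}
	}
	return false
}

// Authorize applies MAC first, then DAC as an additional filter. DAC can only
// remove access that MAC already permits; it never grants what MAC forbids.
func Authorize(s Subject, o Object, action string) Decision {
	if !mandatoryAllows(s, o, action) {
		return Decision{false, "MAC"}
	}
	if !discretionaryAllows(s, o, action) {
		return Decision{false, "DAC"}
	}
	return Decision{true, "MAC+DAC"}
}

// Constructed sample: a Confidential file whose owner granted bob read access
// even though bob is only cleared to Internal, and carol is cleared but not listed.
var (
	Payroll = Object{"payroll.xlsx", Confidential, map[string][]string{"alice": {"read", "write"}, "bob": {"read"}}}
	Alice   = Subject{"alice", Confidential}
	Bob     = Subject{"bob", Internal}
	Carol   = Subject{"carol", Secret}
)

func main() {
	for _, s := range []Subject{Alice, Bob, Carol} {
		for _, act := range []string{"read", "write"} {
			fmt.Printf("%-5s %-5s %s: %+v\n", s.Name, act, Payroll.Name, Authorize(s, Payroll, act))
		}
	}
}
```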
Network Infrastructure Security

• The IS auditor should be familiar with risk and exposures related to network infrastructure.
• Network control functions should:
• Be performed by trained professionals, and duties should be rotated on a regular basis.
• Maintain an audit trail of all operator activities.
• Restrict operator access from performing certain functions.
• Periodically review audit trails to detect unauthorized activities.
• Document standards and protocols.
• Analyze workload balance, response time and system efficiency.
• Encrypt data, where appropriate, to protect messages from disclosure during
transmission.
Network Infrastructure

https://www.renesas.com/us/en/solutions/network-infrastructure.html
http://itfinalsolutions.com/?page_id=154
LAN Security
• To gain a full understanding of the LAN, the IS auditor should identify and
document the following:
• Users or groups with privileged access rights
• LAN topology and network design
• LAN administrator/LAN owner
• Functions performed by the LAN administrator/owner
• Distinct groups of LAN users
• Computer applications used on the LAN
• Procedures and standards relating to network design, support, naming
conventions and data security
https://www.mekongnet.com.kh/en/latest-news/205/local-area-network-lan-?m_id=143
Virtualization
• IS auditors need to understand the advantages and disadvantages of virtualization to
determine whether the enterprise has considered the applicable risk in its decision to
adopt, implement and maintain this technology.
• Some common advantages and disadvantages include:

Advantages:
• Decreased server hardware costs.
• Shared processing capacity and storage space.
• Decreased physical footprint.
• Multiple versions of the same OS.

Disadvantages:
• Inadequate host configuration could create vulnerabilities that affect not only the host, but also the guests.
• Data could leak between guests.
• Insecure protocols for remote access could result in exposure of administrative credentials.

Source: ISACA, CISA Review Manual 26th Edition, figure 5.14

https://www.youtube.com/watch?v=V9AiN7oJaIM
Client-Server Security
• A client-server is a group of computers connected by a communications network
in which the client is the requesting machine and the server is the supplying
machine.
• Several access routes exist in a client-server environment.
Client-Server Security (cont’d)
• The IS auditor should ensure that:
• Application controls cannot be bypassed.
• Passwords are always encrypted.
• Access to configuration or initialization files is kept to a minimum.
• Access to configuration or initialization files is audited.
Wireless Security
• Wireless security requirements include the following:
• Authenticity—A third party must be able to verify that the content of a message
has not been changed in transit.
• Nonrepudiation—Assurance that someone cannot deny something; the origin or the receipt of a specific message must be verifiable by a third party.
• Accountability—The actions of an entity must be uniquely traceable to that entity.
• Network availability—The IT resource must be available on a timely basis to meet
mission requirements or to avoid substantial losses.
Internet Security
• The IS auditor must understand the risk and security factors needed to ensure
that proper controls are in place when a company connects to the Internet.
• Network attacks involve probing for network information.
• Examples of passive attacks include network analysis, eavesdropping and
traffic analysis.
Internet Security (cont’d)
• Once enough network information has been gathered, an intruder can launch an
actual attack against a targeted system to gain control.
• Examples of active attacks include denial of service (DoS), phishing,
unauthorized access, packet replay, brute force attacks and email spoofing.

• A firewall is a network security system that monitors and controls incoming and outgoing network traffic.
• The IS auditor should have a good understanding of the following types of firewalls:
• Packet filtering
• Application firewall systems
• Stateful inspections
Internet Security (cont’d)
• The IS auditor should also be familiar with common firewall implementations,
including:
• Screened-host firewall
• Dual-homed firewall
• Demilitarized zone (DMZ) or screened-subnet firewall
• The IS auditor should be familiar with the types, features and limitations of
intrusion detection systems (IDS) and intrusion prevention systems (IPS).
Malware
• There are two primary methods to prevent and detect malware that infects
computers and network systems.
• Have sound policies and procedures in place (preventive controls).
• Have technical controls (detective controls), such as anti-malware software,
including:
• Scanners
• Behavior blockers
• Active monitors
• Integrity CRC checkers
• Immunizers
Neither method is effective without the other.
Encryption
• Encryption generally is used to:
• Protect data in transit over networks from unauthorized interception and
manipulation.
• Protect information stored on computers from unauthorized viewing and
manipulation.
• Deter and detect accidental or intentional alterations of data.
• Verify authenticity of a transaction or document.

https://www.youtube.com/watch?v=fNC3jCCGJ0o
https://www.youtube.com/watch?v=r4HQ8Bp-pfw
Encryption (cont’d)
• Key encryption elements include:
• Encryption algorithm—A mathematically based function that
encrypts/decrypts data
• Encryption keys—A piece of information that is used by the encryption
algorithm to make the encryption or decryption process unique
• Key length—A predetermined length for the key; the longer the key, the more
difficult it is to compromise
Encryption (cont’d)
• There are two types of encryption schemes:
• Symmetric—a unique key (usually referred to as the “secret key”) is used for both
encryption and decryption.
• Asymmetric—the decryption key is different from the one used for encryption.

• There are two main advantages of symmetric key systems over asymmetric ones.
• The keys are much shorter and can be easily remembered.
• Symmetric key cryptosystems are generally less complicated and, therefore, use less
processing power.
Encryption (cont’d)
• In a public key cryptography system, two keys work together as a pair. One of the
keys is kept private, while the other one is publicly disclosed.
• The underlying algorithm works even if the private key is used for encryption and
the public key for decryption.
Encryption (cont’d)
• Digital signature schemes ensure:
• Data integrity— Any change to the plaintext message would result in the
recipient failing to compute the same document hash.
• Authentication—The recipient can ensure that the document has been sent
by the claimed sender because only the claimed sender has the private key.
• Nonrepudiation—The claimed sender cannot later deny generating the
document.
• The IS auditor should be familiar with how a digital signature functions to protect
data.

https://www.youtube.com/watch?v=JR4_RBb8A9Q
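As an added example that is not from the slides, the Go program below shows the three digital signature properties with the standard library's Ed25519 signatures: the sender signs a SHA-256 digest of the document with the private key, and anyone holding only the public key can verify it. The purchase-order text is constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair makes a signer's key pair: the private key stays with the
// sender, the public key is disclosed to anyone who needs to verify.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignDocument hashes the document and signs the digest with the private key,
// the one step only the claimed sender can perform.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	digest := sha256.Sum256(doc)
	return ed25519.Sign(priv, digest[:])
}

// VerifyDocument recomputes the digest from the document it received and checks
// the signature against the sender's public key. Any change to the document
// yields a different digest, so the check fails (integrity); a signature made
// with any other private key fails too (authentication).
func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	pub, priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	doc := []byte("Purchase order 4711: 200 units at 12.50 EUR") // constructed sample document
	sig := SignDocument(priv, doc)
	fmt.Println("original verifies:        ", VerifyDocument(pub, doc, sig))

	tampered := []byte("Purchase order 4711: 200 units at 2.50 EUR")
	fmt.Println("altered amount verifies:  ", VerifyDocument(pub, tampered, sig))

	// A second party cannot produce a signature that checks out under the sender's public key,
	// and the sender cannot later disown a signature that does (nonrepudiation).
	otherPub, otherPriv, _ := GenerateKeyPair()
	forged := SignDocument(otherPriv, doc)
	fmt.Println("other key's sig verifies: ", VerifyDocument(pub, doc, forged))
	fmt.Println("same sig under its own key:", VerifyDocument(otherPub, doc, forged))
}
```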
