2016 CISA® Review Course
Hafiz Sheikh Adnan Ahmed – CISA, COBIT 5, ISO 27001 LA
[PECB Certified Trainer]
Quick Reference Review
• Importance of Information Security Management
• Inventory and Classification of Information Assets
• Physical/Environmental Exposures and Controls
• Logical Access
• Auditing Information Security Management Framework
5.2 Importance of Information Security Management
5.2.1 Key Elements of IS Management
5.2.2 IS Management Roles & Responsibilities
5.2.3 Inventory & Classification of Information Assets
5.2.4 System Access Permission
5.2.5 Mandatory & Discretionary Access Controls
5.2.6 Privacy Management Issues & the Role of IS Auditors
5.2.7 Critical Success Factors to IS Management
5.2.8 Information Security and External Parties
Identification of Risks related to External Parties
Addressing Security when dealing with Customers
Addressing Security in Third Party Agreements
5.2.9 Human Resources Security and Third Parties
• Screening
• Terms and Conditions of Employment
• During Employment
• Removal of Access Rights
5.2.10 Computer Crime Issues & Exposures
Threats to business
• Financial Loss
• Legal Repercussions
• Loss of Credibility
• Blackmail
• Disclosure of Confidential, Sensitive or Embarrassing Information
Possible Perpetrators
• Hackers
• Script Kiddies
• Employees (Current, Former)
• IS Personnel
• End Users
• Third Parties
5.2.11 Security Incident Handling & Response
5.3 Logical Access
• Primary means used to manage and protect information assets
• IS auditors analyze and evaluate how effectively logical access controls accomplish IS objectives and avoid losses resulting from exposures
5.3.1 Logical Access Exposures
5.3.2 Familiarization with the Enterprise's IT Environment
5.3.4 Logical Access Control Software
5.3.5 Identification and Authentication
• Logon ID & Passwords
• Token devices, One time Passwords
• Biometrics
5.3.6 Authorization Issues
5.3.7 Storing, Retrieving, Transporting & Disposing of Confidential Information
5.4 Network Infrastructure Security
5.4.1 LAN Security
5.4.2 Client-Server Security
5.4.3 Wireless Security Threats and Risk Mitigation
5.4.4 Internet Threats and Security
5.4.5 Encryption
5.4.6 Malware
5.4.7 Voice-Over IP (VoIP)
• VoIP Security Issues
• A disruption of the computer system also terminates telephone service
• A backup communication facility should be planned
• IP telephones and their supporting equipment require the same care and maintenance as computer systems do
5.4.8 Private Branch Exchange (PBX)
5.5 Auditing Information Security Management Framework
5.5.1 Auditing Information Security Management Framework
• Review written Policies, Procedures and Standards
• Logical Access Security Policies
• Formal Security Awareness and Training
• Data Ownership and Custodians
• Data Users and new Users
5.5.2 Auditing Logical Access
• Interviewing Systems Personnel
• Review reports from Access Control Software
• Review Application Systems Operations Manual
5.5.3 Techniques for Testing Security
• Terminal Cards and Keys
• Logon IDs and Passwords
• Logging and Reporting of Computer Access Violations
• Review Access Controls and Password Administration
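The "logging and reporting of computer access violations" technique above is easier to picture with a concrete review script. The following is an added example, not material from the course or from ISACA: it parses a constructed sample of access-control software log lines (the log format, logon IDs, addresses and thresholds are all invented for the example) and produces the kind of violation report an IS auditor would ask for: logon IDs with repeated failed logons, denied accesses to protected objects, and successful activity outside business hours.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of access-control software log lines (not from any real system).
SAMPLE_LOG = """\
2016-03-01 08:02:11 LOGON  user=jsmith   result=SUCCESS src=10.0.1.15
2016-03-01 08:05:40 LOGON  user=mlee     result=FAILURE src=10.0.1.22 reason=bad_password
2016-03-01 08:05:52 LOGON  user=mlee     result=FAILURE src=10.0.1.22 reason=bad_password
2016-03-01 08:06:03 LOGON  user=mlee     result=FAILURE src=10.0.1.22 reason=bad_password
2016-03-01 08:06:20 LOGON  user=mlee     result=FAILURE src=10.0.1.22 reason=bad_password
2016-03-01 08:10:00 ACCESS user=jsmith   result=DENIED  object=/payroll/master.db
2016-03-01 23:45:10 LOGON  user=admin01  result=SUCCESS src=10.0.9.9
2016-03-01 23:47:31 ACCESS user=admin01  result=SUCCESS object=/payroll/master.db
"""

# Assumed log layout: timestamp, event type, user=..., result=..., then free-form fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<event>LOGON|ACCESS)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)"
)

FAILED_LOGON_THRESHOLD = 3   # review threshold chosen for the example
BUSINESS_HOURS = (7, 19)     # 07:00 inclusive to 19:00 exclusive, local time of the log


def parse(log_text):
    """Turn raw log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events


def access_violation_report(log_text):
    """Summarise the three violation classes an auditor typically asks to see."""
    failed = defaultdict(int)
    denied = []
    after_hours = []
    for ev in parse(log_text):
        if ev["event"] == "LOGON" and ev["result"] == "FAILURE":
            failed[ev["user"]] += 1
        if ev["event"] == "ACCESS" and ev["result"] == "DENIED":
            denied.append(ev["user"])
        hour = ev["ts"].hour
        in_hours = BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]
        if ev["result"] == "SUCCESS" and not in_hours:
            after_hours.append((ev["user"], ev["event"]))
    return {
        "repeated_failed_logons": {u: n for u, n in failed.items() if n >= FAILED_LOGON_THRESHOLD},
        "denied_access": denied,
        "after_hours_success": after_hours,
    }


if __name__ == "__main__":
    for section, findings in access_violation_report(SAMPLE_LOG).items():
        print(section, "->", findings)
```

Each finding is something the auditor follows up with systems personnel rather than a conclusion in itself: repeated failures may be a forgotten password or a guessing attempt, and after-hours administrator activity may be scheduled maintenance or a misuse of privilege; the log review only tells you where to look.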
5.5.4 Investigation Techniques
Investigation of Computer Crime
• Laws exist, but incidents are often not reported because of the negative publicity involved
• Proper procedures must be followed in the aftermath of an incident
• The environment and evidence must be left unaltered
• Specialist law enforcement should be involved, and the evidence they receive must be left unaltered
Computer Forensics
• Process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings
• Any electronic data or document can be used as digital evidence
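The "preserving" step of the forensics definition above is where most evidence is lost in practice, so here is an added example (not from the course or from ISACA) of the minimal bookkeeping that makes evidence defensible: hash the item at acquisition, keep a chain-of-custody record alongside it, and re-verify the hash before analysis or presentation. File names, handler names and the record layout are assumptions made for the example; the evidence content is a constructed sample.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large disk images never have to fit in memory


def hash_file(path):
    """SHA-256 of the whole file, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_evidence(path, handler, description):
    """Capture hash, size and the first custody entry at the moment of collection."""
    record = {
        "item": os.path.basename(path),
        "description": description,
        "sha256": hash_file(path),
        "size_bytes": os.path.getsize(path),
        "custody": [{"action": "acquired", "by": handler,
                     "at": datetime.now(timezone.utc).isoformat()}],
    }
    # Read-only working copy: a minimal safeguard against accidental modification.
    os.chmod(path, 0o444)
    return record


def transfer_custody(record, from_handler, to_handler):
    """Every hand-over is appended, never rewritten, so the history stays complete."""
    record["custody"].append({"action": "transferred", "from": from_handler,
                              "to": to_handler,
                              "at": datetime.now(timezone.utc).isoformat()})
    return record


def verify_evidence(path, record):
    """True only if the item still matches what was recorded at acquisition."""
    return (os.path.getsize(path) == record["size_bytes"]
            and hash_file(path) == record["sha256"])


def save_record(record, path):
    with open(path, "w") as f:
        json.dump(record, f, indent=2)


def demo_roundtrip():
    """Acquire a constructed item, verify it, alter it, and show verification now fails.

    Returns (intact_before, intact_after, number_of_custody_entries).
    """
    with tempfile.TemporaryDirectory() as d:
        item = os.path.join(d, "mailbox_export.bin")
        with open(item, "wb") as f:
            f.write(b"constructed evidence content")  # constructed sample, not real data
        rec = acquire_evidence(item, "A. Examiner", "Exported mailbox (constructed sample)")
        transfer_custody(rec, "A. Examiner", "B. Analyst")
        save_record(rec, os.path.join(d, "mailbox_export.custody.json"))
        intact_before = verify_evidence(item, rec)
        os.chmod(item, 0o644)
        with open(item, "ab") as f:
            f.write(b"x")  # simulate an alteration after acquisition
        intact_after = verify_evidence(item, rec)
        return intact_before, intact_after, len(rec["custody"])


if __name__ == "__main__":
    before, after, entries = demo_roundtrip()
    print("intact at analysis:", before, "| intact after change:", after, "| custody entries:", entries)
```

The hash proves integrity, not origin: the custody record, signed or countersigned by each handler in a real process, is what ties the hash to a person and a time, and the two together are what a court or an auditor can follow.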
5.6 Auditing Network Infrastructure Security
IS auditor should:
• Review network diagrams that identify the organization's internetworking infrastructure
• Identify the network design implemented, including the IP strategy used
• Determine the applicable security policies, procedures, standards
• Identify the roles and responsibilities for implementation of network infrastructure
• Review SLAs to ensure that they include provisions for security
5.6.1 Auditing Remote Access
IS Auditors should:
• Review access points for appropriate controls, such as VPN, firewalls, IDSs
Network Penetration Tests
Full Network Assessment Reviews
5.7 Environmental Exposures & Controls
5.7.1 Environmental Issues and Exposures
5.7.2 Controls for Environmental Exposures
5.7.3 Auditing Environmental Controls
5.8 Physical Access Exposures & Controls
5.8.1 Physical Access Issues & Exposures
5.8.2 Physical Access Controls
5.8.3 Auditing Physical Access
5.9 Mobile Computing
Controls to reduce the risk of disclosure of sensitive data stored on laptop/mobile devices:
• Back up business critical or sensitive data on a regular basis
• Use a cable locking system or a locking system with a motion detector that sounds an audible alarm
• Encrypt data
• Allocate passwords to individual files
• Establish a theft response team and develop procedures to follow when a laptop is stolen
• Use two-factor authentication, which can be achieved with biometric readers
Self-Assessment Questions
1. An IS auditor has just completed a review of an organization that has a mainframe computer and two database servers where all production data reside. Which of the following weaknesses would be considered MOST serious?
a) The security officer also serves as the DBA
b) Password controls are not administered over the two database servers
c) There is no business continuity plan for the mainframe system's noncritical applications
d) Most LANs do not back up file-server-fixed disks regularly
2. An organization is proposing to install a single sign-on facility giving access to all systems. The organization should be aware that:
a) Maximum unauthorized access would be possible if a password is disclosed
b) User access rights would be restricted by the additional security parameters
c) The security administrator’s workload would increase
d) User access rights would be increased
3. A B-to-C e-commerce web site, as part of its information security program, wants to monitor, detect and prevent hacking activities and alert the system administrator when suspicious activities occur. Which of the following infrastructure components could be used for this purpose?
a) Intrusion Detection Systems (IDS)
b) Firewalls
c) Routers
d) Asymmetric encryption
4. Which of the following is the MOST effective antivirus control?
a) Scanning email attachments on the mail server
b) Restoring systems from clean copies
c) Disabling universal serial bus (USB) ports
d) An online antivirus scan with up-to-date virus definitions
Answers
1. b) Password controls are not administered over the two database servers
2. a) Maximum unauthorized access would be possible if a password is disclosed
3. a) Intrusion Detection Systems (IDS)
4. d) An online antivirus scan with up-to-date virus definitions
CISA Training - Chapter 5 - 2016

CISA Training - Chapter 5 - 2016

  • 1. 2016 CISA® Review Course Hafiz Sheikh Adnan Ahmed – CISA, COBIT 5, ISO 27001 LA [PECB Certified Trainer]
  • 2. Quick Reference Review • Importance of Information Security Management • Inventory and Classification of Information Assets • Physical/Environmental Exposures and Controls • Logical Access • Auditing Information Security Management Framework
  • 3. 5.2 Importance of Information Security Management
  • 4. 5.2.1 Key Elements of IS Management
  • 5.
  • 6. 5.2.2 IS Management Roles & Responsibilities
  • 7.
  • 8. 5.2.3 Inventory & Classification of Information Assets
  • 9. 5.2.4 System Access Permission
  • 10. 5.2.5 Mandatory & Discretionary Access Controls
  • 11. 5.2.6 Privacy Management Issues & the role of IS Auditors
  • 12. 5.2.7 Critical Success Factors to IS Management
  • 13. 5.2.8 Information Security and External Parties
  • 14. Identification of Risks related to External Parties
  • 15. Addressing Security when dealing with Customers
  • 16. Addressing Security inThird Party Agreements
  • 17. 5.2.9 Human Resources Security andThird Parties • Screening • Terms and Conditions of Employment • During Employment • Removal of Access Rights
  • 18. 5.2.10 Computer Crime Issues & Exposures Threats to business • Financial Loss • Legal Repercussions • Loss of Credibility • Blackmail • Disclosure of Confidential, Sensitive or Embarrassing information Possible Perpetrators • Hackers • Script Kiddies • Employees (Current, Former) • IS Personnel • End Users • Third Parties
  • 19.
  • 20.
  • 21.
  • 22. 5.2.11 Security Incident Handling & Response
  • 23. 5.3 Logical Access • Primary means used to manage and protect information assets • IS auditors to analyze and evaluate the effectiveness of a logical access control in accomplishing IS objectives and avoiding losses resulting from exposures
  • 24. 5.3.1 Logical Access Exposures
  • 25. 5.3.2 Familiarization with the Enterprise’s IT Environment
  • 26. 5.3.4 Logical Access Control Software
  • 27. 5.3.5 Identification and Authentication • Logon ID & Passwords • Token devices, One time Passwords • Biometrics
  • 29.
  • 30. 5.3.7 Storing, Retrieving,Transporting & Disposing of Confidential Information
  • 31.
  • 36.
  • 40. 5.4.7Voice-Over IP (VOIP) • VOIP Security Issues • A computer system disruption terminates the telephone • A backup communication facility should be planned • IP telephones and their supporting equipment require the care and maintenance as computer systems do
  • 41. 5.4.8 Private Branch Exchange (PBX)
  • 42. 5.5 Auditing Information Security Management Framework
  • 43. 5.5.1 Auditing Information Security Management Framework
    • Review written Policies, Procedures and Standards
    • Logical Access Security Policies
    • Formal Security Awareness and Training
    • Data Ownership and Custodians
    • Data Users and new Users
  • 44. 5.5.2 Auditing Logical Access
    • Interviewing Systems Personnel
    • Review reports from Access Control Software
    • Review Application Systems Operations Manual
  • 45. 5.5.3 Techniques for Testing Security
    • Terminal Cards and Keys
    • Logon IDs and Passwords
    • Logging and Reporting of Computer Access Violations
    • Review Access Controls and Password Administration
  • 46. 5.5.4 Investigation Techniques
    Investigation of Computer Crime
    • Laws exist, but incidents are often not reported due to negative publicity
    • Proper procedures must be used in the aftermath of an incident
    • The environment and evidence must be left unaltered
    • Specialist law enforcement should be involved, and evidence must be left unaltered
    Computer Forensics
    • Process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings
    • Any electronic data or document can be used as digital evidence
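Slides 44 and 45 have the auditor review reports from access control software and the logging and reporting of access violations. The script below is an added example (not part of the CISA course slides or ISACA's material) of what such a report looks like when produced from raw logon records. It parses constructed sample log lines in a hypothetical "date time user host result" layout and flags three things an auditor typically asks for: repeated failed logons from one user/host pair, successful logons outside business hours, and use of generic privileged IDs that cannot be tied to an individual. The thresholds, business-hour window and list of generic IDs are assumptions chosen for the example.

```python
"""Access-violation report over constructed logon records (added example)."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines; the "date time user host result" layout is hypothetical.
SAMPLE_LOG = """\
2016-03-01 08:55:12 jsmith ws-101 SUCCESS
2016-03-01 09:01:40 jsmith ws-101 FAILED
2016-03-01 09:01:55 jsmith ws-101 FAILED
2016-03-01 09:02:10 jsmith ws-101 FAILED
2016-03-01 09:02:30 jsmith ws-101 FAILED
2016-03-01 23:14:05 dbadmin db-srv-2 SUCCESS
2016-03-01 14:20:00 root db-srv-1 SUCCESS
2016-03-02 02:03:17 mwong ws-204 SUCCESS
"""

# Assumed review parameters; an auditor would take these from the organization's policy.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
FAILED_THRESHOLD = 3                      # failed logons per user/host that warrant follow-up
GENERIC_PRIVILEGED_IDS = {"root", "administrator", "sa"}


def parse_log(text):
    """Turn raw lines into dicts; blank lines are skipped, malformed lines raise."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, user, host, result = line.split()
        records.append({
            "ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "user": user,
            "host": host,
            "result": result,
        })
    return records


def audit_access_log(text):
    """Return a list of findings as (kind, user, host, detail) tuples."""
    findings = []
    failed = defaultdict(int)
    for r in parse_log(text):
        if r["result"] == "FAILED":
            failed[(r["user"], r["host"])] += 1
            continue
        # Only successful logons are checked for the two policy conditions below.
        if not (BUSINESS_START <= r["ts"].time() < BUSINESS_END):
            findings.append(("after_hours", r["user"], r["host"], r["ts"].isoformat()))
        if r["user"] in GENERIC_PRIVILEGED_IDS:
            findings.append(("generic_privileged_id", r["user"], r["host"], r["ts"].isoformat()))
    for (user, host), count in failed.items():
        if count >= FAILED_THRESHOLD:
            findings.append(("repeated_failures", user, host, count))
    return findings


def summarize(findings):
    """Count findings per kind, the figure an auditor puts in the working papers."""
    counts = defaultdict(int)
    for kind, *_ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    result = audit_access_log(SAMPLE_LOG)
    for kind, user, host, detail in result:
        print(f"{kind:22} {user:10} {host:10} {detail}")
    print(summarize(result))
```

The failed-logon count deliberately keys on the user/host pair rather than the user alone, so four failures spread across many workstations (a different pattern, worth its own review) are not merged with four failures from one terminal. Against a real access-control-software export the auditor would also reconcile the generic-ID list and business hours with the written policy reviewed under 5.5.1.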
  • 50. 5.6 Auditing Network Infrastructure Security
    IS auditor should:
    • Review network diagrams that identify the organization’s internetworking infrastructure
    • Identify the network design implemented, including the IP strategy used
    • Determine the applicable security policies, procedures, standards
    • Identify the roles and responsibilities for implementation of network infrastructure
    • Review SLAs to ensure that they include provisions for security
  • 51. 5.6.1 Auditing Remote Access
    IS auditors should:
    • Review access points for appropriate controls, such as VPN, firewalls, IDSs
  • 55. 5.7.1 Environmental Issues and Exposures
  • 56. 5.7.2 Controls for Environmental Exposures
  • 59. 5.8 Physical Access Exposures & Controls
  • 60. 5.8.1 Physical Access Issues & Exposures
  • 64. 5.9 Mobile Computing
    Controls to reduce the risk of disclosure of sensitive data stored on laptop/mobile devices:
    • Back up business-critical or sensitive data on a regular basis
    • Use a cable locking system or a locking system with a motion detector that sounds an audible alarm
    • Encrypt data
    • Allocate passwords to individual files
    • Establish a theft response team and develop procedures to follow when a laptop is stolen
    • Use two-factor authentication; this can be achieved using biometric readers
  • 65. Self-Assessment Questions
    1. An IS auditor has just completed a review of an organization that has a mainframe computer and two database servers where all production data reside. Which of the following weaknesses would be considered MOST serious?
    a) The security officer also serves as the DBA
    b) Password controls are not administered over the two database servers
    c) There’s no business continuity plan for the mainframe system’s noncritical applications
    d) Most LANs do not back up file-server fixed disks regularly
  • 66. Self-Assessment Questions
    2. An organization is proposing to install a single sign-on facility giving access to all systems. The organization should be aware that:
    a) Maximum unauthorized access would be possible if a password is disclosed
    b) User access rights would be restricted by the additional security parameters
    c) The security administrator’s workload would increase
    d) User access rights would be increased
  • 67. Self-Assessment Questions
    3. A B-to-C e-commerce web site, as part of its information security program, wants to monitor, detect and prevent hacking activities and alert the system administrator when suspicious activities occur. Which of the following infrastructure components could be used for this purpose?
    a) Intrusion Detection Systems (IDS)
    b) Firewalls
    c) Routers
    d) Asymmetric encryption
  • 68. Self-Assessment Questions
    4. Which of the following is the MOST effective antivirus control?
    a) Scanning email attachments on the mail server
    b) Restoring systems from clean copies
    c) Disabling universal serial bus (USB) ports
    d) An online antivirus scan with up-to-date virus definitions
  • 69. Answers
    1. b) Password controls are not administered over the two database servers
    2. a) Maximum unauthorized access would be possible if a password is disclosed
    3. a) Intrusion Detection Systems (IDS)
    4. d) An online antivirus scan with up-to-date virus definitions