2016 CISA® Review Course
Hafiz Sheikh Adnan Ahmed – CISA, COBIT 5, ISO 27001 LA
[PECB Certified Trainer]
Quick Reference Review
• Importance of Information Security Management
• Inventory and Classification of Information Assets
• Physical/Environmental Exposures and Controls
• Logical Access
• Auditing Information Security Management Framework
5.2 Importance of Information Security Management
5.2.1 Key Elements of IS Management
5.2.2 IS Management Roles & Responsibilities
5.2.3 Inventory & Classification of Information Assets
5.2.4 System Access Permission
5.2.5 Mandatory & Discretionary Access Controls
5.2.6 Privacy Management Issues & the Role of IS Auditors
5.2.7 Critical Success Factors to IS Management
5.2.8 Information Security and External Parties
Identification of Risks related to External Parties
Addressing Security when dealing with Customers
Addressing Security in Third Party Agreements
5.2.9 Human Resources Security and Third Parties
• Screening
• Terms and Conditions of Employment
• During Employment
• Removal of Access Rights
5.2.10 Computer Crime Issues & Exposures
Threats to business
• Financial Loss
• Legal Repercussions
• Loss of Credibility
• Blackmail
• Disclosure of Confidential, Sensitive or Embarrassing Information
Possible Perpetrators
• Hackers
• Script Kiddies
• Employees (Current, Former)
• IS Personnel
• End Users
• Third Parties
5.2.11 Security Incident Handling & Response
5.3 Logical Access
• Primary means used to manage and protect information assets
• IS auditors should analyze and evaluate how effectively logical access controls accomplish the IS objectives and prevent the losses that would result from the exposures
5.3.1 Logical Access Exposures
5.3.2 Familiarization with the Enterprise’s IT Environment
5.3.4 Logical Access Control Software
5.3.5 Identification and Authentication
• Logon ID & Passwords
• Token devices and one-time passwords
• Biometrics
5.3.6 Authorization Issues
5.3.7 Storing, Retrieving, Transporting & Disposing of Confidential Information
5.4 Network Infrastructure Security
5.4.1 LAN Security
5.4.2 Client-Server Security
5.4.3 Wireless Security Threats and Risk Mitigation
5.4.4 Internet Threats and Security
5.4.5 Encryption
5.4.6 Malware
5.4.7 Voice-over IP (VoIP)
• VoIP Security Issues
• A disruption of the data network or its systems also takes down the telephone service
• A backup communication facility should be planned
• IP telephones and their supporting equipment require the same care and maintenance as computer systems
5.4.8 Private Branch Exchange (PBX)
5.5 Auditing Information Security Management Framework
5.5.1 Auditing Information Security Management Framework
• Review written Policies, Procedures and Standards
• Logical Access Security Policies
• Formal Security Awareness and Training
• Data Ownership and Custodians
• Data Users and new Users
5.5.2 Auditing Logical Access
• Interviewing Systems Personnel
• Review reports from Access Control Software
• Review Application Systems Operations Manual
5.5.3 Techniques for Testing Security
• Terminal Cards and Keys
• Logon IDs and Passwords
• Logging and Reporting of Computer Access Violations
• Review Access Controls and Password Administration
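"Logging and reporting of computer access violations" is abstract until you see what the report is built from. The following is an added example, not code from the course slides: a small Python detector that parses logon records, flags any source address that accumulates a threshold of failed logons inside a sliding window, and marks the case an auditor cares about most, a successful logon from the same source after the burst of failures. The log lines are constructed in OpenSSH/syslog style for illustration (not real data), and the threshold of five failures in five minutes is an assumption to be tuned to the environment.

```python
"""Logging and reporting of computer access violations.

Added example; not part of the CISA course slides. The log lines are
constructed in OpenSSH/syslog style for illustration, and the thresholds
(5 failures within 5 minutes) are assumptions an auditor would tune.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Addresses are from documentation ranges.
SAMPLE_LOG = """\
Mar 10 08:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar 10 08:00:03 host1 sshd[2002]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar 10 08:00:05 host1 sshd[2003]: Failed password for invalid user test from 203.0.113.5 port 51004 ssh2
Mar 10 08:00:07 host1 sshd[2004]: Failed password for bob from 203.0.113.5 port 51006 ssh2
Mar 10 08:00:09 host1 sshd[2005]: Failed password for bob from 203.0.113.5 port 51008 ssh2
Mar 10 08:00:11 host1 sshd[2006]: Failed password for bob from 203.0.113.5 port 51010 ssh2
Mar 10 08:00:14 host1 sshd[2007]: Accepted password for bob from 203.0.113.5 port 51012 ssh2
Mar 10 08:02:30 host1 sshd[2010]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar 10 08:02:40 host1 sshd[2011]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 08:05:00 host1 sshd[2012]: Accepted publickey for carol from 192.0.2.10 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_events(log_text: str, year: int = 2016):
    """Yield (timestamp, result, user, ip) for each recognised logon record.
    Syslog lines carry no year, so the caller supplies it."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


def detect_violations(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=5), year: int = 2016) -> dict:
    """Report source IPs with >= threshold failed logons inside a sliding window.
    A later successful logon from a flagged IP is marked, because a success after
    a burst of failures is the trace a successful password guess leaves behind."""
    recent = defaultdict(list)      # ip -> timestamps of failures still inside the window
    attempted = defaultdict(set)    # ip -> account names tried
    alerts = {}
    for ts, result, user, ip in sorted(parse_events(log_text, year)):
        if result == "Failed":
            attempted[ip].add(user)
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:     # age out failures older than the window
                q.pop(0)
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(),
                                           "first": q[0], "success_after": False})
                a["failures"] = max(a["failures"], len(q))
                a["users"] = set(attempted[ip])
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts


def report(alerts: dict) -> list:
    """Render alerts as one report line per offending source, most failures first."""
    lines = []
    for ip, a in sorted(alerts.items(), key=lambda kv: -kv[1]["failures"]):
        flag = " ** SUCCESSFUL LOGON AFTER FAILURES **" if a["success_after"] else ""
        lines.append(f"{ip}: {a['failures']} failures since {a['first']:%H:%M:%S}, "
                     f"accounts tried: {', '.join(sorted(a['users']))}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(detect_violations(SAMPLE_LOG))))
```

When reviewing an organisation's own violation reports, the questions this example raises are the useful ones: is the threshold and window documented, who receives the report and how quickly, and does the report distinguish a noisy failed-only source from one that eventually got in.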
5.5.4 Investigation Techniques
Investigation of Computer Crime
• Laws exist, but many computer crimes are never reported because organizations fear the negative publicity
• Proper procedures must be followed in the aftermath of an incident
• The environment and the evidence must be left unaltered
• Specialist law enforcement should be involved where appropriate
Computer Forensics
• The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in legal proceedings
• Any electronic data or document can be used as digital evidence
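"Preserving" evidence and leaving it "unaltered" is only demonstrable if its state was recorded at acquisition. The following is an added example, not code from the course slides: a Python script that computes a SHA-256 manifest over an evidence directory, writes it in a sha256sum-style tab-separated layout, and later re-verifies it, reporting modified, missing and added files. The directory layout, file contents and manifest format are constructed assumptions; in real casework the manifest itself is signed or stored separately and referenced from the chain-of-custody record.

```python
"""Preserving digital evidence: a SHA-256 integrity manifest.

Added example; not part of the CISA course slides. It hashes every file in an
evidence directory at acquisition time and re-verifies later, so any alteration,
deletion or addition is detectable. The directory layout, file contents and the
tab-separated manifest format are constructed assumptions.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir: Path) -> dict:
    """Map each file (path relative to the evidence root, POSIX separators) to its hash."""
    return {p.relative_to(evidence_dir).as_posix(): sha256_file(p)
            for p in sorted(evidence_dir.rglob("*")) if p.is_file()}


def dumps_manifest(manifest: dict) -> str:
    """Serialise as 'sha256<TAB>path' lines (the layout sha256sum-style tools use)."""
    return "".join(f"{digest}\t{path}\n" for path, digest in sorted(manifest.items()))


def loads_manifest(text: str) -> dict:
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split("\t", 1)
            manifest[path] = digest
    return manifest


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Compare the current state against the manifest. Empty lists mean the evidence
    is as recorded; anything else must be explained in the chain-of-custody record."""
    current = build_manifest(evidence_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> tuple:
    """Build a constructed evidence set, record it, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "disk.img").write_bytes(b"constructed disk image bytes")
        (root / "logs").mkdir()
        (root / "logs" / "auth.log").write_text("constructed log line\n")

        recorded = loads_manifest(dumps_manifest(build_manifest(root)))
        before = verify_manifest(root, recorded)          # clean: all three lists empty

        (root / "logs" / "auth.log").write_text("edited by mistake\n")  # alteration
        (root / "disk.img").unlink()                                    # deletion
        (root / "notes.txt").write_text("analyst notes\n")              # addition
        after = verify_manifest(root, recorded)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("at acquisition:", before)
    print("after handling:", after)
```

Hashing is the detective half of the control; the preventive half is working on write-blocked media or on a copy and analysing only the copy, so that a verification run on the original can be expected to come back clean.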
5.6 Auditing Network Infrastructure Security
IS auditor should:
• Review network diagrams that identify the organization’s internetworking infrastructure
• Identify the network design implemented, including the IP strategy used
• Determine the applicable security policies, procedures, standards
• Identify the roles and responsibilities for implementation of network infrastructure
• Review SLAs to ensure that they include provisions for security
5.6.1 Auditing Remote Access
IS Auditors should:
• Review access points for appropriate controls, such as VPN, firewalls, IDSs
Network Penetration Tests
Full Network Assessment Reviews
5.7 Environmental Exposures & Controls
5.7.1 Environmental Issues and Exposures
5.7.2 Controls for Environmental Exposures
5.7.3 Auditing Environmental Controls
5.8 Physical Access Exposures & Controls
5.8.1 Physical Access Issues & Exposures
5.8.2 Physical Access Controls
5.8.3 Auditing Physical Access
5.9 Mobile Computing
Controls to reduce the risk of disclosure of sensitive data stored on laptop/mobile devices:
• Back up business critical or sensitive data on a regular basis
• Use a cable locking system or a locking system with a motion detector that sounds an audible alarm
• Encrypt data
• Allocate passwords to individual files
• Establish a theft response team and develop procedures to follow when a laptop is stolen
• Use two-factor authentication, for example a password combined with a biometric reader
Self-Assessment Questions
1. An IS auditor has just completed a review of an organization that has a mainframe computer and two database servers where all production data reside. Which of the following weaknesses would be considered MOST serious?
a) The security officer also serves as the DBA
b) Password controls are not administered over the two database servers
c) There’s no business continuity plan for the mainframe system’s noncritical applications
d) Most LANs do not back up file-server-fixed disks regularly
Self-Assessment Questions
2. An organization is proposing to install a single sign-on facility giving access to all systems. The organization should be aware that:
a) Maximum unauthorized access would be possible if a password is disclosed
b) User access rights would be restricted by the additional security parameters
c) The security administrator’s workload would increase
d) User access rights would be increased
Self-Assessment Questions
3. A B-to-C e-commerce web site, as part of its information security program, wants to monitor, detect and prevent hacking activities and alert the system administrator when suspicious activities occur. Which of the following infrastructure components could be used for this purpose?
a) Intrusion Detection Systems (IDS)
b) Firewalls
c) Routers
d) Asymmetric encryption
Self-Assessment Questions
4. Which of the following is the MOST effective antivirus control?
a) Scanning email attachments on the mail server
b) Restoring systems from clean copies
c) Disabling universal serial bus (USB) ports
d) An online antivirus scan with up-to-date virus definitions
Answers
1. b) Password controls are not administered over the two database servers. All production data reside on those servers, so uncontrolled access to them is a direct exposure of the data itself; the other options are a segregation-of-duties concern, a gap that affects only noncritical applications, and a backup weakness on LAN file servers.
2. a) Maximum unauthorized access would be possible if a password is disclosed. With single sign-on one credential opens every connected system, so a disclosed password gives the widest possible access; the other statements do not follow from introducing SSO.
3. a) Intrusion Detection Systems (IDS). An IDS is the component built to monitor for, detect and alert on suspicious activity; firewalls and routers enforce filtering rules but do not raise such alerts, and asymmetric encryption addresses confidentiality and authentication, not detection.
4. d) An online antivirus scan with up-to-date virus definitions. Real-time scanning with current definitions stops malware before it executes, whatever path it arrived by; restoring from clean copies is corrective rather than preventive, and scanning only mail attachments or disabling USB ports each covers a single infection vector.
CISA Training - Chapter 5 - 2016