...IT255 Introduction to Information Systems Security Unit 5 Importance of Testing, Auditing, and Monitoring © ITT Educational Services, Inc. All rights reserved. Learning Objective: Explain the importance of security audits, testing, and monitoring to effective security policy. Key Concepts: Role of an audit in effective security baselining and gap analysis; Importance of monitoring systems throughout the IT infrastructure; Penetration testing and ethical hacking to help mitigate gaps; Security logs for normal and abnormal traffic patterns and digital signatures; Security countermeasures through auditing, testing, and monitoring test results. EXPLORE: CONCEPTS. Purpose of an IT Security Assessment: Check effectiveness of security measures. Verify access controls. Validate established mechanisms. IT Security Audit Terminology: Verification; Validation; Testing; Evaluation...
Words: 799 - Pages: 4
...United States Government Accountability Office GAO February 2009 GAO-09-232G FEDERAL INFORMATION SYSTEM CONTROLS AUDIT MANUAL (FISCAM) This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office Washington, DC 20548 February 2009 TO AUDIT OFFICIALS, CIOS, AND OTHERS INTERESTED IN FEDERAL AND OTHER GOVERNMENTAL INFORMATION SYSTEM CONTROLS AUDITING AND REPORTING This letter transmits the revised Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM). The FISCAM presents a methodology for performing information system (IS) control 1 audits of federal and other governmental entities in accordance with professional standards, and was originally issued in January 1999. We have updated the FISCAM for significant changes affecting IS audits. This revised FISCAM reflects consideration of public comments received from professional accounting and auditing organizations, independent public accounting firms, state and local audit organizations, and interested individuals on the FISCAM Exposure Draft issued on July 31, 2008 (GAO-08-1029G)...
Words: 174530 - Pages: 699
... NIST Risk Management Framework for FISMA (p. 4); III. Application Security and FISMA (p. 5); IV. NIST SP 800-37 and FISMA (p. 6); V. How Veracode Can Help (p. 7); VI. NIST SP 800-37 Tasks & Veracode Solutions (p. 8); VII. Summary and Conclusions (p. 10); About Veracode (p. 11). © 2008 Veracode, Inc. Overview: The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899). The Act is meant to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating information security controls and periodic audits. I. The Role of NIST in FISMA Compliance: The National Institute of Standards and...
Words: 2451 - Pages: 10
...implementing the information security management standards, plus potential metrics for measuring and reporting the status of information security, both referenced against the ISO/IEC standards. Scope: This guidance covers all 39 control objectives listed in sections 5 through 15 of ISO/IEC 27002 plus, for completeness, the preceding section 4 on risk assessment and treatment. Purpose: This document is meant to help others who are implementing or planning to implement the ISO/IEC information security management standards. Like the ISO/IEC standards, it is generic and needs to be tailored to your specific requirements. Copyright: This work is copyright © 2010, ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k Forum at www.ISO27001security.com, and (c) derivative works are shared under the same terms as this.
Ref. | Subject | Implementation tips | Potential metrics
4. Risk assessment and treatment | | |
4.1 | Assessing security risks | Can use any information security risk management method, with a preference for documented, structured and generally accepted methods such as OCTAVE, MEHARI, ISO TR 13335 or BS 7799 Part 3. See ISO/IEC 27005 for general advice. | Information security risk management...
Words: 4537 - Pages: 19
...Solutions for Chapter 12 Audit of Cash and Other Liquid Assets Review Questions: 12-1. It is important that cash and liquid asset testing be coordinated because the assets can be quickly moved and thus substituted for each other. For example, an organization could quickly move assets between cash and certificates of deposit. 12-2. General Cash Account. This is the account used to transact most of the organization's cash transactions. It is usually a high volume, but low balance account. Because of its high volume and its liquidity it is susceptible to greater risk than most asset accounts of the same size. Imprest Payroll Account. This is an account that is maintained strictly for the payment of payroll. The organization makes a deposit equal to the monthly or weekly payroll at the time the payroll checks or electronic transfers are issued. The account is used to minimize accounting costs and to isolate payroll risks to one account. 12-3. We disagree with the auditor's assessment of inherent risk of cash transactions as low. Granted, the accounting for cash and marketable securities is not overly complex. However, the liquidity of the accounts, coupled with their susceptibility to fraud or misappropriation, makes the inherent risk of the accounts at least moderate - if not high. Most organizations recognize the high inherent risk associated with the accounts and have implemented detailed control procedures to reduce control risk to a minimal level. 12-4...
Words: 14523 - Pages: 59
...Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2 April 2016. Document Changes:
Date | Version | Description | Pages
October 2008 | 1.2 | To introduce PCI DSS v1.2 as "PCI DSS Requirements and Security Assessment Procedures," eliminating redundancy between documents, and make both general and specific changes from PCI DSS Security Audit Procedures v1.1. For complete information, see PCI Data Security Standard Summary of Changes from PCI DSS Version 1.1 to 1.2. |
July 2009 | 1.2.1 | Add sentence that was incorrectly deleted between PCI DSS v1.1 and v1.2. | 5
| | Correct "then" to "than" in testing procedures 6.3.7.a and 6.3.7.b. | 32
| | Remove grayed-out marking for "in place" and "not in place" columns in testing procedure 6.5.b. | 33
| | For Compensating Controls Worksheet – Completed Example, correct wording at top of page to say "Use this worksheet to define compensating controls for any requirement noted as 'in place' via compensating controls." | 64
October 2010 | 2.0 | Update and implement changes from v1.2.1. See PCI DSS – Summary of Changes from PCI DSS Version 1.2.1 to 2.0. |
November 2013 | 3.0 | Update from v2.0. See PCI DSS – Summary of Changes from PCI DSS Version 2.0 to 3.0. |
April 2015 | 3.1 | Update from PCI DSS v3.0. See PCI DSS – Summary of Changes from PCI DSS Version 3.0 to 3.1 for details of changes. |
April 2016 | 3.2 | Update from PCI DSS v3.1. See PCI DSS...
Words: 57566 - Pages: 231
...identify risk. To determine the likelihood of a security problem or vulnerability to the facility and infrastructure of an organization. This process will be used to determine risk after normal management safeguards have been applied. The type of security checklist I will create will be the tabular format. The focus will be on the infrastructure and the perimeter. The survey will show areas of weakness, deficiencies and vulnerabilities, such as continuous surveillance, lighting and internal controls. Using the tabular format will allow for the collection of large amounts of security information. This format can be converted into different kinds of reports and will make it easier to relate policy to standards, such as security standards and expectations by category. The format will include the following: audit information page(s) with space for the name of the facility being audited, date and names of audit; a table of contents that lists the security categories; points to be reviewed; columns for indicating compliance/non-compliance; space for additional categories as may be needed, such as Emergency Plans and perimeter security (http://nicic.gov?downloads/files). Knowing the security vulnerabilities of the organization will enable you to develop a security program that's best for the organization. The first step to eliminating the problem areas is to perform a risk assessment of the vulnerabilities. I will perform my assessment by focusing on the perimeter, internal and external...
Words: 491 - Pages: 2
...Control Self-assessment for Information and Related Technology To ensure smooth functioning of an enterprise striving to achieve predetermined objectives, business processes are identified and defined. To ensure the proper completion of process work, procedures are defined, documented and established. Business procedures need to be properly controlled to ensure smooth completion. Out-of-control procedures are expensive; therefore, controls need to be in place. These controls can be preventive, detective and/or corrective in nature. However, the adequacy of controls over procedures depends on various factors, including a balance between costs incurred for implementing controls and the resulting benefits derived. Many controls are essential overheads for the business, and therefore, their effectiveness must be reviewed periodically. Internal audit of controls, an essential overhead, helps avoid relaxation on controls. Ultimately, the control overheads constitute a major expenditure item. Assurance that the controls are in place and effective is essential. This assurance can be given through control self-assessment (CSA), also referred to as control self-assurance. Systems and procedures for many business organizations within various sectors have evolved over time. For example, banking is the oldest service sector and the controls over banking procedures are essential not only for the bank, but also for society in general. Controls in banking procedures have also evolved over...
Words: 5755 - Pages: 24
...WHAT IS INFORMATION SECURITY? 0.2 WHY INFORMATION SECURITY IS NEEDED? 0.3 HOW TO ESTABLISH SECURITY REQUIREMENTS 0.4 ASSESSING SECURITY RISKS 0.5 SELECTING CONTROLS 0.6 INFORMATION SECURITY STARTING POINT (Information security is defined as the preservation of confidentiality, integrity and availability of information …) 0.7 CRITICAL SUCCESS FACTORS 0.8 DEVELOPING YOUR OWN GUIDELINES 1 SCOPE 2 TERMS AND DEFINITIONS 3 STRUCTURE OF THIS STANDARD 3.1 CLAUSES (Security controls directly address risks to the organization, therefore risk analysis is a starting point for designing controls.) 3.2 MAIN SECURITY CATEGORIES 4 RISK ASSESSMENT AND TREATMENT 4.1 ASSESSING SECURITY RISKS (Information security policies, standards, procedures and guidelines drive risk management, security and control requirements throughout the organization.) 4.2 TREATING SECURITY RISKS 5 SECURITY POLICY 5.1 INFORMATION SECURITY POLICY 5.1.1 Information security policy document 5.1.2 Review of the information security policy 6 ORGANIZATION OF INFORMATION SECURITY Defines the hierarchical...
Words: 1623 - Pages: 7
...substantive testing. C. compliance testing. D. stop-or-go sampling. The correct answer is: C. compliance testing. Explanation: Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values, such as dollar values. Substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed. 2. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks? A. Inherent B. Detection C. Control D. Business The correct answer is: B. Detection Explanation: Detection risks are directly affected by the auditor's selection of audit procedures and techniques. Inherent risks usually are not affected by the IS auditor. Control risks are controlled by the actions of the company's management. Business risks are not affected by the IS auditor. 3. Senior management has requested that an IS auditor assist the departmental management in the implementation of necessary controls. The IS...
Words: 97238 - Pages: 389
...CORRESPONDENCE, (E) ESTABLISHED CRITERIA, (F) COMMUNICATING THE RESULTS, AND (G) INTERESTED USERS. 2. A financial statement audit involves obtaining and evaluating evidence about an entity's financial statements for the purpose of expressing an opinion on whether the statements are presented fairly in conformity with established criteria--usually GAAP. Thus, the nature of the auditor's report is an opinion on the fairness of the financial statement presentation. A compliance audit involves obtaining and evaluating evidence to determine whether certain financial or operating activities of an entity conform to specified conditions, rules, or regulations. A report on a compliance audit takes the form of a summary of findings or assurance regarding degree of compliance. An operational audit involves obtaining and evaluating evidence about the efficiency and effectiveness of an entity's operating activities in relation to specified objectives. Reports on such audits include an assessment of efficiency and effectiveness and recommendations for improvements. 3. Independent auditors are individual practitioners or members of public accounting firms who render professional auditing services to clients. These services may involve financial statement audits, compliance audits, and operational audits. Internal auditors are employees of the companies they audit. They are involved in an independent appraisal activity, called internal auditing, as a service to the organization. Internal...
Words: 4500 - Pages: 18
...CEO requested me to prepare a report pointing out potential security vulnerabilities at the AEN company. For that I started with risk assessment exercise which will identify the relations between company assets, threats and vulnerabilities that may lead to the loss of confidentiality, integrity, availability, authenticity, or accountability. The output of the risk assessment will determine the actions for managing security risks and for implementing the appropriate controls needed to protect the company assets. The risk assessment process consists of the following tasks: • “Identify business needs and changes to requirements that may affect overall IT and security direction. • Review adequacy of existing security policies, standards, guidelines and procedures. • Analyze assets, threats and vulnerabilities, including their impacts and likelihood (See sheet # 1) • Assess physical protection applied to computing equipment and other network components. • Conduct technical and procedural review and analysis of the network architecture, protocols and components to ensure that they are implemented according to the security policies. • Review and check the configuration, implementation and usage of remote access systems, servers, firewalls and external network connections, including the client Internet connection. • Review logical access and other authentication mechanisms. • Review current level of security awareness and commitment of staff within the organization. ...
Words: 752 - Pages: 4
...Introduction to internal control systems. Internal controls: the controls established to protect the assets of an organization. Internal control: describes the policies, plans, and procedures implemented by the management of an organization to protect its assets, to ensure accuracy and completeness of its financial information, and to meet its business objectives. Four objectives of an internal control system: 1. Safeguard assets; 2. Check the accuracy and reliability of accounting data; 3. Promote operational efficiency; 4. Enforce prescribed managerial policies. Sarbanes-Oxley Act of 2002: piece of legislation with respect to internal controls. Section 404: reaffirms that management is responsible for establishing and maintaining an adequate internal control structure. 1992 COSO report: established a common definition of internal control for assessing control systems, as well as determined how to improve controls. An internal control system should consist of five components: 1. The control environment; 2. Risk assessment; 3. Control activities; 4. Information and communication; 5. Monitoring. Control environment: foundation for all other internal control components; provides discipline and structure. Top management oversight, integrity, and ethical principles that guide the organization. Risk assessment: identify organizational risks, analyze their potential in terms of costs and likelihood of occurrence, and implement only those controls whose projected benefits...
Words: 1409 - Pages: 6
...Homework – COSO Framework, Internal Controls and Security. Internal control systems have five components: (a) control environment, (b) risk assessment, (c) control activities, (d) information and communication, and (e) monitoring. For each of the following items, indicate which component is being applied. Explain your answer! 1) The firm prints and distributes to all employees a copy of the firm's policies and procedures. Information and communication. Provide policy information in detail to allow proper classification and reporting. 2) An internal audit committee is formed. Monitoring. To form a committee is to reflect the firm's operations. 3) Internal auditors perform a bank reconciliation as part of their audit of cash control operations. (Typically a bank reconciliation is performed by a clerk in the treasury department.) Control activities. Auditors are doing internal control via operations. This is detailed control activities. 4) The firm creates a code of ethics. Control environment. Management integrity and ethical values. 5) Internal auditors test whether a computer hacker can break into the firm's computers. Risk assessment. Breaking into computers is high risk, must be prevented. 6) The company determines the consequences if a warehouse is destroyed (e.g., by fire). Risk assessment. A destroyed warehouse is a physical risk. 7) An employee is fired for embezzling funds. This fact is announced in a company...
Words: 1026 - Pages: 5
...transaction processing. Assuming the auditor did indeed perform a PCI DSS security compliance assessment, what is your assessment of the auditor's findings? That he either did not do a full audit, or the company just showed him part of what he needed to see to pass them so they could operate without prying eyes. 3. Can CardSystems Solutions sue the auditor for not performing his or her tasks and deliverables with accuracy? Do you recommend that CardSystems Solutions pursue this avenue? No, they did not, and if they had credibility then yes, they should sue; but if they are at fault then they will be brought to trial in civil court. 4. Who do you think is negligent in this case study and why? The company and the auditor, because neither one did their job to the fullest extent and it cost the company. 5. Do the actions of CardSystems Solutions warrant an "unfair trade practice" designation as stated by the Federal Trade Commission (FTC)? Yes, it does, because they did not comply with the standards that were put before them. 6. What security policies do you recommend to help with monitoring, enforcing, and ensuring PCI DSS compliance? They should have had firewalls in place that had monitoring built into them, their website should have been watched much more closely, and antivirus that would have protected their servers. Also, they should have blocked all FTP ports. 7. What security controls and security countermeasures do you recommend for CardSystems Solutions to be in compliance...
Words: 559 - Pages: 3