
blog.alam.rocks


Tag Archives: CISA

CISA study materials : Business continuity & disaster recovery

20 Monday Dec 2010

Posted by Fakrul Alam in Uncategorized


Tags

BCP, CISA, DR, ISACA

Mirroring of critical elements is a tool that facilitates immediate recovery. Redundant Array of Inexpensive Disks (RAID) level 1 provides disk mirroring.
The primary purpose of table-top testing is to practice proper coordination, since it involves all or some of the crisis team members and is focused more on coordination and communications issues than on technical process details. Functional testing involves mobilization of personnel and resources at various geographic sites. Full-scale testing involves enterprise-wide participation and full involvement of external organizations. Walk-through testing requires the least effort of the options given. Its aim is to promote familiarity with the BCP among critical personnel from all areas.
 
Preparedness tests involve simulation of the entire environment and help the team better understand and prepare for the actual test scenario.
A preparedness test is a localized version of a full test, wherein resources are expended in the simulation of a system crash. This test is performed regularly on different aspects of the plan and can be a cost-effective way to gradually obtain evidence about the plan’s effectiveness.
A walkthrough is a test involving a simulated disaster situation that tests the preparedness and understanding of management and staff rather than the actual resources.
 
Paper Test (structured walk through) > Preparedness Test > Full Operational Test
In cost benefit analysis, the total expected purchase and operational/support cost and qualitative value for all actions are weighted against the total expected benefits in order to choose the best technical, most profitable, least expensive, or acceptable risk option. The annualized loss expectancy (ALE) is the expected monetary loss that is estimated for an asset over a one year period. It is a useful calculation that should be included in determining the necessity of controls, but is not sufficient alone. The cost of the hardware assets should be compared to the total value of the information that the asset protects, including the cost of the systems where the data reside and across which data are transmitted. Potential business impact is only one part of the cost-benefit analysis.
Integrity of transaction process is ensured by database commits and rollbacks.
A warm site has the basic infrastructure facilities implemented, such as power, air conditioning and networking, but normally lacks computing equipment.
BIA will identify the diverse events that could impact the continuity of the operations of an organization.
Recovery managers should be rotated to ensure the experience of the recovery plan is spread among the managers.
Disaster recovery planning (DRP) is the technological aspect of business continuity planning (BCP). Business resumption planning addresses the operational part of BCP.
RTO is an important parameter used when creating prioritization plans during the business continuity management process and is derived as a result of a business impact analysis (BIA). RTO is best utilized to determine recovery prioritization. A system that has a low level of confidentiality of information could have immediate recovery requirements.
 
Last mile circuit protection > Providing telecommunication continuity through redundant combinations of local carrier T1s, microwave and/or local cable to access the local communication loop in the event of a disaster.
Long haul network diversity > Providing diverse long distance network availability utilizing T-1 circuits among major long distance carriers.
Diverse Routing > Routing traffic through split-cable facilities or duplicate-cable facilities is called diverse routing.
Alternate routing > method of routing information via an alternative medium such as copper cable or fiber optics.
Mitigation > Schedule file and system backup
Deterrence > Installation of firewalls for information systems.
Recovery > hot site to restore normal business operations.
BCP Process: BIA > develop recovery strategy > developed, tested and implemented specific plans.
Shadow file processing > exact duplicates of the files are maintained at the same site or at a remote site; the two files are processed concurrently. Electronic vaulting electronically transmits data either to direct access storage, an optical disk or another storage medium; this is a method used by banks. Hard-disk mirroring provides redundancy in case the primary hard disk fails; all transactions and operations occur on two hard disks in the same server. A hot site is an alternate site ready to take over business operations within a few hours of any business interruption and is not a method for backing up data.
The recovery point objective (RPO) is the earliest point in time at which it is acceptable to recover the data. A high RPO means that the process can wait for a longer time. A high recovery time objective (RTO) means that additional time would be available for the recovery strategy, thus making other recovery alternatives. The lower the RTO the lower the disaster tolerance.
Network Data Management Protocol (NDMP) > data service, tape service, translator service
Risk assessment and business impact assessment are tools for understanding the business for business continuity planning. Business continuity self-audit is a tool for evaluating the adequacy of the business continuity plan. Resource recovery analysis is a tool for identifying a business resumption strategy. Gap analysis in business continuity planning is used to identify deficiencies in a plan.
Fidelity insurance > covers the loss arising from dishonest or fraudulent acts by employees.
Business interruption insurance > loss of profit due to the disruption in the operations of an org.
Errors & omissions insurance > legal liability protection in the event that the professional practitioner commits an act that results in financial loss to a client.
Extra expense insurance > designed to cover the extra costs of continuing operations following a disaster/disruption within an organization.
Stakeholder interviews > simplicity of the BCP
Review plan and compare it with standards > adequacy of the BCP
Review result from previous test > Effectiveness of the BCP
 

CISA study materials : Protection of information assets

20 Monday Dec 2010

Posted by Fakrul Alam in Uncategorized


Tags

CISA, ISACA, Protection of Information Assets

Authorizing access to data > application owner
Data owners are responsible for the use of data.
Data owner holds the privilege and responsibility for formally establishing the access rights.
Qualified persons in IS who have knowledge of IS and user requirements > Systems analyst
Sharing password > user accountability may not be established.
Access control > prevent unauthorized access to data
Logical access controls > securing software and data within an information processing facility.
Call back features > hooks into the access control software and logs all authorized and unauthorized access attempts, permitting the follow-up and further review of potential breaches.
Call forwarding > bypassing callback control.
Logical access security > unencrypted password is the greatest concern.
Logical access control review > to determine whether access is granted per the organization’s authorities.
Line grabbing > enable eavesdropping, thus allowing unauthorized data access.
First step of data classification is establish ownership of the data.
Biometric system review steps > 1. Enrollment.
Sensitive > can be performed manually at a tolerable cost for an extended period of time.
Critical > can’t be performed unless they are replaced by identical capabilities and cannot be replaced by manual methods.
Vital > can be performed manually but only for a brief period of time
Non critical > may be interrupted for an extended period of time at little or no cost to the company, require little time or cost to restore.
Defense-in-depth > Firewall as well as logical access control on the hosts to control incoming network traffic.
Diversity-in-defense > Using two firewalls of different vendors to consecutively check the incoming network traffic.
Shoulder surfing > masking password
Piggybacking > unauthorized persons following, either physically or virtually, authorized persons into restricted areas.
Impersonation > someone acting as an employee in an attempt to retrieve desired information.
Dumpster diving > looking through an organization’s trash for valuable information.
Data diddling > changing data before they are entered into the computer.
Neural network based IDS > monitors the general patterns of activity and traffic on the network and creates a database.
Statistical-based IDS > Like Neural IDS but has self-learning.
Signature-based IDS > Intrusive patterns identified are stored in the form of signatures.
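Added example, not from the original notes: a minimal signature-based detector and a statistical-based detector run over the same constructed log lines, to show the difference between matching stored intrusive patterns and flagging deviations from a learned baseline. The log lines (RFC 5737 documentation addresses), the signature regex and the baseline counts are all constructed for illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample log lines; the addresses are documentation ranges, not real hosts.
LOG_LINES = [
    "10:00:01 sshd: Accepted password for alice from 198.51.100.7",
    "10:00:05 sshd: Failed password for invalid user admin from 203.0.113.9",
    "10:00:06 sshd: Failed password for invalid user root from 203.0.113.9",
    "10:00:07 sshd: Failed password for invalid user test from 203.0.113.9",
    "10:00:08 sshd: Failed password for invalid user oracle from 203.0.113.9",
    "10:00:09 sshd: Failed password for invalid user guest from 203.0.113.9",
    "10:01:10 sshd: Failed password for bob from 198.51.100.7",
    "10:01:15 sshd: Failed password for bob from 198.51.100.7",
    "10:01:20 sshd: Accepted password for bob from 198.51.100.7",
]

# Signature-based IDS: intrusive patterns stored as signatures (a constructed regex here).
SIGNATURES = {
    "login_invalid_user": re.compile(r"Failed password for invalid user (\S+)"),
}

FAILED_RE = re.compile(r"Failed password .* from (\S+)$")

def signature_alerts(lines, signatures=SIGNATURES):
    """Return (signature name, line) for every line that matches a stored signature."""
    return [(name, line) for line in lines
            for name, pattern in signatures.items() if pattern.search(line)]

def failed_logins_per_source(lines):
    """Failed logins per source address: the metric the statistical detector watches."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

# Constructed baseline: failed logins per source seen in earlier, normal windows.
BASELINE = [1, 2, 1, 0, 1, 2, 1, 1]

def statistical_alerts(lines, baseline_counts=BASELINE, sigmas=3.0):
    """Statistical-based IDS: flag sources whose failed-login count exceeds
    mean + sigmas * standard deviation of the learned baseline."""
    threshold = mean(baseline_counts) + sigmas * pstdev(baseline_counts)
    return sorted(src for src, n in failed_logins_per_source(lines).items() if n > threshold)
```

The signature detector fires only on the exact pattern it stores (bob's two ordinary failures are not reported), while the statistical detector needs no pattern at all and reports 203.0.113.9 because five failures lie far above the baseline's mean of 1.125; it stays silent for 198.51.100.7, whose two failures fit normal behaviour.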
The need-to-know basis is the best approach to assigning privileges during the authorization process.
Steganography > digital right management (DRM)
Remote booting is a method of preventing viruses, and can be implemented through hardware.
Hashing is irreversible. Encryption is reversible. Hashing creates an output that is smaller than the original message and encryption creates an output of the same length as the original message.
Asymmetric algorithm requires more processing time than symmetric algorithms.
Immunizers defend against viruses by appending sections of themselves to files.
Behavior blockers focus on detecting potentially abnormal behavior, such as writing to the boot sector or the master boot record. Cyclical redundancy checkers (CRC) compute a binary number on a known virus-free program that is then stored in a database file. Active monitors interpret disk operating system (DOS) and read-only memory basic input/output system (ROM BIOS) calls.
Computation speed > elliptic curve encryption has the advantage over RSA encryption. Both encryption methods support digital signatures, are used for public key encryption and distribution, and are of similar strength.
PKI > cryptography provides for encryption, digital signatures and nonrepudiation controls for confidentiality and reliability.
SSL > confidentiality
IDS > detective control
VPN > confidentiality and authentication (reliability)
Passive attack > traffic analysis.
Active attack > brute force, masquerading, packet replay, message modification, unauthorized access through the internet or web-based services, denial-of-service attacks, dial-in penetration attacks, email bombing and spamming, and email spoofing.
Forward error control > transmitting additional redundant information with each character or frame to facilitate detection and correction of errors.
Feedback error control > additional information is transmitted so the receiver can identify that an error has occurred.
CRC > a single set of check digits is generated, based on the contents of the frame for each frame transmitted.
Biometric solution accuracy > False Rejection Rate (FRR); Cross Error Rate (CER): when the false-rejection rate equals the false-acceptance rate; and False Acceptance Rate (FAR): how often valid individuals are rejected.
False Acceptance Rate (FAR) > accepting an unauthorized person as authorized.
False Rejection Rate (FRR) > deny access to an authorized individual.
Equal Error Rate (EER) > point where the FAR equals the FRR
False Identification Rate (FIR) > probability that an authorized person is identified but is assigned a false ID.
Low EER is the measure of the more effective biometric control device.
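Added example, not from the original notes: FAR, FRR and the equal error rate computed from constructed match scores for two hypothetical devices, so the trade-off behind the terms above can be seen numerically and the "lower EER is more effective" rule can be applied. The score lists and device names are constructed assumptions; a higher score means a closer match and a sample is accepted when its score reaches the threshold.

```python
# Constructed match scores: genuine = enrolled users, impostor = unauthorized persons.
DEVICE_A = (
    [0.92, 0.88, 0.81, 0.77, 0.70, 0.66, 0.60, 0.55],   # genuine attempts
    [0.62, 0.58, 0.50, 0.45, 0.40, 0.33, 0.25, 0.18],   # impostor attempts
)
DEVICE_B = (   # constructed device whose genuine and impostor scores overlap more
    [0.90, 0.80, 0.70, 0.60, 0.50, 0.45, 0.40, 0.35],
    [0.65, 0.60, 0.55, 0.50, 0.45, 0.40, 0.30, 0.20],
)
DEVICES = {"device_A": DEVICE_A, "device_B": DEVICE_B}

def far(threshold, impostor=DEVICE_A[1]):
    """False Acceptance Rate: fraction of impostor attempts accepted (score >= threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(threshold, genuine=DEVICE_A[0]):
    """False Rejection Rate: fraction of genuine attempts rejected (score < threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)

def equal_error_rate(genuine=DEVICE_A[0], impostor=DEVICE_A[1]):
    """Sweep every observed score as a candidate threshold and return
    (threshold, eer) at the point where FAR and FRR are closest to equal."""
    best = None
    for t in sorted(set(genuine + impostor)):
        a, r = far(t, impostor), frr(t, genuine)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]

def more_effective(devices=DEVICES):
    """Rank devices by EER; the lowest EER is the more effective control."""
    return min(devices, key=lambda name: equal_error_rate(*devices[name])[1])
```

Raising the threshold lowers FAR and raises FRR, so the curve for device_A crosses at a threshold of 0.60 with FAR = FRR = 12.5 %, while device_B, with more overlap between the two populations, cannot do better than about 44 %; the device with the lower EER is the one to prefer.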
Degaussing is the process for disposal of magnetic tapes.
Message digests in digital signature show if the message has been altered after transmission.
CA (Certificate Authority) maintains a directory of digital certificates for the reference of those receiving them. It manages the certificate life cycle, including certificate directory maintenance and certificate revocation list maintenance and publication.
Registration Authority (RA) > responsible for the administrative tasks associated with registering the end entity that is the subject of the certificate issued by the CA.
Certificate Revocation List (CRL) > instrument for checking the continued validity of certificates.
Certification practice statement > is a detailed set of rules governing the certificate authority’s operations.
Digital signatures are intended to verify to a recipient the integrity of the data and the identity of the sender. The digital signature standard is a public key algorithm.
The calculation of a hash, or digest of the data that are transmitted and its encryption require the public key of the client (receiver) and is called a signature of the message, or digital signature.
Digital signature provide integrity and nonrepudiation. If we add hash it will provide confidentiality.
Digital signature features > Data Integrity, Authentication, Nonrepudiation, Replay Protection.
Nonrepudiation > claimed sender can’t later deny generating and sending the message.
Data Integrity > changes in the plaintext message that would result in the recipient failing to compute the same message hash.
Authentication > ensure that the message has been sent by the claimed sender.
Replay protection > method that a recipient can use to check that the message was not intercepted and replayed.
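Added example, not from the original notes: a hash-then-sign scheme over textbook RSA with small constructed primes, used only to make the four signature features listed above (integrity, authentication, nonrepudiation, replay protection) observable in a few lines. The signer computes the signature with the private key and the recipient checks it with the public key; the primes, exponent and message bodies are constructed assumptions, and the sequence-number receiver is a hypothetical design, not a standard protocol.

```python
import hashlib

# Constructed small primes so the arithmetic is visible; real deployments use
# 2048-bit or larger keys with a padding scheme from a vetted library.
P, Q = 1000003, 1000033
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: the signer's secret

def digest(msg: bytes) -> int:
    """Message digest: SHA-256 of the message, reduced mod N to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(msg: bytes, private_exponent: int = D) -> int:
    """Signer: hash the message, then transform the hash with the private key."""
    return pow(digest(msg), private_exponent, N)

def verify(msg: bytes, signature: int, public_exponent: int = E) -> bool:
    """Recipient: undo the transform with the public key and recompute the digest.
    A changed message (integrity) or a value not produced with the matching
    private key (authentication, nonrepudiation) fails the comparison."""
    return pow(signature, public_exponent, N) == digest(msg)

def package(seq: int, body: bytes) -> bytes:
    """Prefix a sequence number so that it is covered by the signature."""
    return seq.to_bytes(8, "big") + body

def send(seq: int, body: bytes) -> tuple:
    """Sender side: returns (seq, body, signature) as it would go on the wire."""
    return seq, body, sign(package(seq, body))

class Receiver:
    """Replay protection: a validly signed message is accepted only once per sequence number."""
    def __init__(self):
        self.seen = set()

    def accept(self, seq: int, body: bytes, signature: int) -> bool:
        if seq in self.seen:
            return False                       # replayed message
        if not verify(package(seq, body), signature):
            return False                       # altered message or wrong signer
        self.seen.add(seq)
        return True
```

Because the sequence number sits inside the signed bytes, an intercepted message cannot be resent with a fresh number without invalidating the signature, and the same number presented twice is refused; the signature itself gives no confidentiality, since the body travels in the clear.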
Password sniffing > gain access to systems on which proprietary information is stored.
Spoofing > enable one party to act as if they are another party.
Data modification > modify the contents of certain transactions
Repudiation of transactions > cause major problems with billing systems and transaction processing agreements.
Digital Certificates > sender authentication method
Digital Signature > authentication and confidentiality, but the identity of the sender would still be confirmed by the digital certificate.
Message authentication > used for message integrity verification.
Authenticity > prehash code using the sender’s private key.
Integrity > Mathematically deriving the prehash code
Confidentiality > Encrypting the prehash code and message using the secret key
SSL provides > data encryption, server authentication, message integrity and optional client authentication.
SSL use symmetric key for message encryption.
SSL use authentication code for data integrity.
SSL use hash function for generating message digest.
SSL use digital signature certificates for server authentication.
Double-blind testing > users are not aware about the penetration testing.
Targeted testing > IT team is aware of the testing and penetration testers are provided with information related to target and network design.
Internal testing > attacks and control circumvention attempts on the target from within the perimeter.
External testing > generic term that refers to attacks and control circumvention attempts on the target from outside that target system.
Web of trust > feasible for small group
Key distribution center > distribution method suitable for internal communication for a large group within an institution; it distributes symmetric keys for each session.
CA > is a trusted third party that ensures the authenticity of the owner of the certificate.
Kerberos authentication system > performs the function of a key distribution center by generating tickets to define the facilities on networked machines which are accessible to each user.
Replay attack > residual biometric characteristics, such as fingerprints left on a biometric capture device, may be reused to gain access.
Brute force > feeding the biometric capture device numerous different biometric samples.
Cryptographic attack > Targets the algorithm or the encrypted data
Mimic Attack > reproduce characteristics similar to those of the enrolled user such as forging a signature or imitating a voice.
 

CISA study materials : IT service delivery & support

20 Monday Dec 2010

Posted by Fakrul Alam in Uncategorized


Tags

CISA, ISACA, IT Service Delivery and Support

Utilization report > use of computer equipment; can be used by management to predict how, where and when resources are required.
Hardware error report > provides information to aid in detecting hardware failures and initiating corrective action.

System logs > recording of the system activities
Availability report > time periods during which the computer was available for utilization by users or other processes.

Identifying illegal software packages loaded to the network can be checked by checking hard drives.

Database denormalizing > increased redundancy.
Normalization is an optimization process for a relational database that minimizes redundancy.
Referential integrity > ensures that a foreign key in one table will equal null or the value of a primary key in the other table.
Cyclical checking > It is the control technique for the regular checking of accumulated data on a file against authorized source documentation.
Domain integrity > data item has a legitimate value in the correct range or set.
Relational integrity > performed at the record level and is ensured by calculating and verifying specific fields.
Concurrency controls prevent data integrity problems.
Access control restrict updating of the database to authorized users.
Quality controls such as edits ensure the accuracy, completeness and consistency of data maintained in the database.
Database integrity > Table link/reference checks ensure the database integrity.
Audit logs > enable recording of all events that have been identified and help in tracing the events.
Querying/monitoring > access time checks help designers improve database performance.
Rollback and roll forward > ensure recovery from an abnormal disruption.

Configuration management is widely accepted as one of the key components of any network.

Topological mappings provide outlines of the components of the network and its connectivity. Application monitoring is not essential and proxy server troubleshooting is used for troubleshooting purposes.

CRC > check for a block of transmitted data. CRC can detect all single-bit and double-bit errors.
Parity Check (Vertical redundancy check) >
Echo checks > detect line errors
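Added example, not from the original notes: a bitwise CRC-32 next to a single parity bit, both run over a constructed frame, to show why the CRC catches the single- and double-bit errors named above while a whole-block parity check misses the double-bit case. The frame contents and the flipped bit positions are constructed; the CRC is the standard IEEE 802.3 polynomial, cross-checked against zlib.

```python
import zlib

FRAME = b"constructed frame payload"   # constructed sample frame (200 bits)

def crc32(data: bytes) -> int:
    """Bitwise CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320): a single set
    of check digits derived from the whole frame."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def matches_zlib(data: bytes) -> bool:
    """Sanity check: the hand-written CRC agrees with the library implementation."""
    return crc32(data) == zlib.crc32(data)

def parity_bit(data: bytes) -> int:
    """Even parity over the whole block: 1 when the count of set bits is odd."""
    return sum(bin(b).count("1") for b in data) & 1

def flip_bits(data: bytes, *bit_positions: int) -> bytes:
    """Simulate line errors by flipping the given bit positions (constructed corruption)."""
    buf = bytearray(data)
    for pos in bit_positions:
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)

def crc_detects(frame: bytes, received: bytes) -> bool:
    """Receiver recomputes the CRC and compares with the one sent with the frame."""
    return crc32(frame) != crc32(received)

def parity_detects(frame: bytes, received: bytes) -> bool:
    return parity_bit(frame) != parity_bit(received)
```

Flipping one bit changes the parity, so both checks notice; flipping two bits leaves the bit count's parity unchanged and only the CRC, whose check digits depend on bit positions and not just their count, still detects the corruption.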

Screening router / packet filter > works at the protocol, service and port level. It analyzes layers 3 and 4.
Circuit gateway > like proxy or program that acts as an intermediary between external and internal accesses.

Managing risk steps :  identification and classification of critical information > Identification of threats, vulnerabilities > calculation of potential damages.

Screened-subnet firewall > used as a demilitarized zone. Utilizes two packet filtering routers and a bastion host.
Screened-host firewall > utilizes a packet filtering router and a bastion host.

Atomicity > Guarantees that either the entire transaction is processed or none of it is.
Consistency > ensures that the database is in a legal state when the transaction begins and ends.
Isolation > means that, while in an intermediate state, the transaction data are invisible to external operations.
Durability > Guarantees that a successful transaction will persist, and cannot be undone.
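Added example, not from the original notes, serving both the commit/rollback and referential-integrity points earlier in these notes and the ACID properties just listed: an in-memory SQLite database with constructed account and transfer tables shows a transfer kept atomic by rollback, a CHECK constraint keeping balances in a legal state, and a foreign key rejecting a row that points at a non-existent account. Table names, balances and amounts are constructed.

```python
import sqlite3

def new_db() -> sqlite3.Connection:
    """Constructed schema: accounts with a non-negative balance and transfers keyed to them."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")   # SQLite enforces foreign keys only when enabled
    db.execute("CREATE TABLE account ("
               "  id INTEGER PRIMARY KEY,"
               "  balance INTEGER NOT NULL CHECK (balance >= 0))")
    db.execute("CREATE TABLE transfer ("
               "  id INTEGER PRIMARY KEY,"
               "  account_id INTEGER NOT NULL REFERENCES account(id),"
               "  amount INTEGER NOT NULL)")
    db.executemany("INSERT INTO account VALUES (?, ?)", [(1, 100), (2, 50)])
    db.commit()
    return db

def transfer(db, src: int, dst: int, amount: int) -> bool:
    """Credit dst, then debit src, inside one transaction. If the debit breaks the
    CHECK constraint the whole transaction is rolled back, so the already applied
    credit never becomes visible (atomicity) and no balance goes negative (consistency)."""
    try:
        with db:   # the connection context manager commits on success, rolls back on error
            db.execute("UPDATE account SET balance = balance + ? WHERE id = ?", (amount, dst))
            db.execute("UPDATE account SET balance = balance - ? WHERE id = ?", (amount, src))
            db.execute("INSERT INTO transfer (account_id, amount) VALUES (?, ?)", (src, amount))
        return True
    except sqlite3.IntegrityError:
        return False

def record_transfer(db, account_id: int, amount: int) -> bool:
    """Referential integrity: a transfer whose account_id matches no primary key
    in account is rejected by the foreign key."""
    try:
        with db:
            db.execute("INSERT INTO transfer (account_id, amount) VALUES (?, ?)",
                       (account_id, amount))
        return True
    except sqlite3.IntegrityError:
        return False

def balances(db) -> dict:
    return dict(db.execute("SELECT id, balance FROM account ORDER BY id"))

def transfer_count(db) -> int:
    return db.execute("SELECT COUNT(*) FROM transfer").fetchone()[0]
```

The failed transfer is the interesting case: the first UPDATE succeeds and the second raises, and because both ran inside one transaction the rollback also undoes the credit, which is exactly what a partially applied transfer would otherwise leave behind.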

Hardware maintenance program should be validated against vendor specifications. Maintenance schedules normally are not approved by the steering committee. Unplanned maintenance can’t be scheduled.

Library control software should be used to separate test from production libraries in mainframe and / or client server environments. The main objective of library control software is to provide assurance that program changes have been authorized. Library control software is concerned with authorized program changes and would not automatically move modified programs into production and can’t determine whether programs have been thoroughly tested.

Referential integrity is provided by foreign key.
Post-incident review improve internal control procedures.
Capacity management is the planning and monitoring of computer resources to ensure that available IT resources are used efficiently and effectively.

To determine unauthorized changes made to production code, the auditor examines object code to find instances of changes and traces them back to change control records.

Normalization > is the removal of redundant data elements from the database structure. Disabling normalization in relational databases will create redundancy and risk of not maintaining consistency of data, with the consequent loss of data integrity.

CISA study materials : Systems & infrastructure life cycle management

19 Sunday Dec 2010

Posted by Fakrul Alam in Uncategorized


Tags

CISA, ISACA, Systems and infrastructure life cycle management

Provide assurance that the management practices for the development/acquisition, testing, implementation, maintenance and disposal of system and infrastructure will meet the organization’s objective.

Scope creep > A software baseline is the cutoff point in the design and development of a system beyond which additional requirements or modifications to the design do not or can’t occur without undergoing formal strict procedures for approval based on a business cost benefit analysis.

PERT chart > will help determine project duration once all the activities and the work involved with those activities are known.

Function point analysis > is a technique for determining the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries, logical internal files.

Rapid Application Development > is a methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality.

Object-oriented system development > is the process of solution specification and modeling.

Completeness check > is used to determine if a field contains data and not zeros or blanks.

Check digit > is a digit calculated mathematically to ensure original data were not altered.

Existence check > checks entered data for agreement to predetermined criteria.

Reasonableness check > matches input to predetermined reasonable limits or occurrence rates.

Functional acknowledgements are standard electronic data interchange (EDI) transactions that tell trading partners that their electronic documents are received.

Base case system evaluation > uses test data sets developed as part of comprehensive testing programs. It is used to verify correct systems operations before acceptance as well as periodic validation.

Redundancy check > detects transmission errors by appending calculated bits onto the end of each segment of data.

Reasonableness check > compare data to predefined reasonability limits or occurrence rates established for the data.

Parity check > hardware control that detects data errors when data are read from one computer to another.

Check digits > detect transposition and transcription errors.
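Added example, not from the original notes: the Luhn algorithm as a concrete check digit, with constructed transcription and transposition errors applied to a sample number to show both being caught. The sample number is constructed; the helper functions that simulate the errors are hypothetical and exist only for the demonstration.

```python
def luhn_check_digit(payload: str) -> str:
    """Check digit for a digit string (the number without its check digit).
    Every second digit from the right is doubled (9 subtracted when the result
    exceeds 9), the digits are summed, and the check digit brings the total to a
    multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def with_check_digit(payload: str) -> str:
    return payload + luhn_check_digit(payload)

def luhn_valid(number: str) -> bool:
    """Input validation: recompute the check digit from the payload and compare."""
    return (number.isdigit() and len(number) > 1
            and number[-1] == luhn_check_digit(number[:-1]))

def transcription_error(number: str, pos: int, new_digit: str) -> str:
    """Constructed single-digit substitution, i.e. a transcription error."""
    return number[:pos] + new_digit + number[pos + 1:]

def transposition_error(number: str, pos: int) -> str:
    """Constructed swap of two adjacent digits, i.e. a transposition error."""
    return number[:pos] + number[pos + 1] + number[pos] + number[pos + 2:]

SAMPLE = with_check_digit("7992739871")   # constructed payload -> "79927398713"
```

The scheme detects every single-digit substitution and every adjacent transposition except the pair 09/90, which is why it suits account and card numbers keyed in by hand, where those are the dominant error types.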

CMMI level 5 > Continuous improvement

CMMI level 4 > Optimizing, quantitative quality goals

CMMI level 3 > Documented process 

Prototype system > provide significant time and cost savings. Also have several disadvantages like poor internal controls, change control becomes much more complicated and it often leads to functions or extras being added.

Decision support system (DSS) > emphasizes flexibility in the decision making approach of users.

Sanitized live transaction > test data will be representative of live processing.

Timebox management > by its nature, sets specific time and cost boundaries. It is very suitable for prototyping and rapid application development (RAD) and integrates system and user acceptance testing.

Waterfall life cycle model > best suited to the stable conditions where requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate.
Top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early.

Bottom-up approach to testing begins with atomic units, such as programs and modules, and works upward until a complete system test has taken place.
Sociability testing and system tests take place at a later stage in the development process.

CISA study materials : IT Governance

21 Sunday Nov 2010

Posted by Fakrul Alam in Uncategorized


Tags

CISA, ISACA, IT Governance

9 Tasks:
1. Evaluate the effectiveness of IT governance structure
2. Evaluate the IT organizational structure & human resource
3. Evaluate the IT strategy and process
4. Evaluate the organization’s IT policies, standards, procedures and processes
5. Evaluate management practices
6. Evaluate IT resource investment, use and allocation practices
7. Evaluate IT contracting strategies and policies and contract management practices
8. Evaluate risk management practices
9. Evaluate monitoring and assurance practices



15 Knowledge statements:



Fundamentally, IT governance is concerned with two issues: that IT delivers value to the business and that IT risks are managed. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise.
IT governance is the management system used by directors.


IT governance is the responsibility of the board of directors and executive management.
IT resources should be used responsibly, and IT-related risks should be managed appropriately.


This high-value goal can be achieved by aligning IT governance framework with best practices.


The key IT governance practices are IT strategy committee, risk management and IT balanced scorecard.


IT governance is a structure of relationships and processes used to direct and control the enterprise toward achievement of its goals by adding value while balancing risk vs. return over IT and its processes.


How enterprises govern IT is described in four focus areas: strategic alignment, value delivery, resource management, risk management and performance measurement.
IT Governance Focus Area: Strategic alignment, Value delivery, Risk management, Resource management, Performance measurement.


Board of directors & executive management can use the information security governance maturity model to establish rankings for security in their organizations. The ranks are nonexistent, initial, repeatable, defined, managed and optimized. When the responsibilities for IT security in an organization are clearly assigned and enforced, and an IT security risk and impact analysis is consistently performed, it is said to be “managed & measurable”.
Cross-training is a process of training more than one individual to perform a specific job or procedure.


Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties can’t be appropriately segregated. Overlapping controls are two controls addressing the same control objective or exposure. Since primary controls can’t be achieved when duties can’t be or are not appropriately segregated, it is difficult to install overlapping controls. Boundary controls establish the interface between the would-be user of a computer system and the computer system itself and are individual-based, not role-based, controls. Access controls for resources are based on individuals and not on roles.


IT Governance Frameworks:
Control Objectives for Information and related Technology (COBIT): Framework that ensures IT is aligned with the business, IT enables the business and maximizes benefits, IT resources are used responsibly, and IT risks are managed appropriately.
ISO/IEC 27001 (ISO 27001): Guidance to organizations implementing and maintaining information security programs
ITIL: Framework with hands on information regarding how to achieve successful operational service management of IT
IT Baseline Protection catalogs, or IT-Grundschutz Catalogs: Detecting and combating security weak points in the IT environment.
Information Security Management Maturity Model (ITM3): SIM maturity model for security.
AS8015-2005
ISO/IEC 38500:2008 Corporate governance of information technology

The continual monitoring, analysis and evaluation of metrics associated with IT governance initiatives require an independent and balanced view to ensure a qualitative assessment that subsequently facilitates the qualitative improvement of IT processes and associated IT governance initiatives.


Areas of IT governance that need to be assessed:
• Alignment of the IS function with the organization’s mission, vision, values, objectives and strategies.
• Achievement of performance objectives established by the business (e.g., effectiveness and efficiency) by the IS function.
• Legal, environmental, information quality, fiduciary, security, and privacy requirements.
• The control environment of the organization.
• The inherent risks within the IS environment.



The IT balanced scorecard (BSC) is a process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes.
BSC provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures that evaluate customer satisfaction.


Mitigation is the strategy that provides for the definition and implementation of controls to address the risk described. Avoidance is a strategy that provides for not implementing certain activities or processes that would incur risk. Transference is the strategy that provides for sharing risk with partners or taking insurance coverage. Acceptance is a strategy that provides for formal acknowledgement of the existence of a risk and the monitoring of that risk.


To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches.


Vulnerabilities represent characteristics of information resources that may be exploited by a threat. Threats are circumstances or events with the potential to cause harm to information resources. Probabilities represent the likelihood of the occurrence of a threat. Impacts represent the outcome or result of a threat exploiting a vulnerability.


Enterprise architecture (EA) involves documenting the organization’s IT assets and processes in a structured manner to facilitate understanding, management and planning for IT investments. It involves both a current state and a representation of an optimized future state. In attempting to complete an EA, organizations can address the problem either from a technology perspective or a business process perspective.


The goals of IT governance are to improve IT performance, to deliver optimum business value and to ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business.
IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise. Reducing IT costs may not be the best IT governance outcome for an enterprise. Decentralizing IT resources across the organization is not always desired. Centralizing control of IT is not always desired.


IT governance maturity model:
0 Non-existent > Management processes are not applied at all
1 Initial > Processes are ad hoc and disorganized
2 Repeatable > Processes follow a regular pattern
3 Defined > Processes are documented and communicated (lowest level of the maturity model)
4 Managed > Processes are monitored and measured
5 Optimized > Best practices are followed and automated



Corporate governance is a set of management practices to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized. Hence the primary objective of corporate governance is to provide strategic direction. Based on the strategic direction, business operations are directed and controlled.


Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Strategic alignment primarily focuses on ensuring linkage of business and IT plans. Value delivery is about executing the value proposition throughout the delivery cycle. Resource management is about the optimal investment in and proper management of critical IT resources. Transparency is primarily achieved through performance measurement as it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.


Internal control self-assessment (CSA) may highlight noncompliance to the current policy, but may not necessarily be the best source for driving the prioritization of IT projects.
It is critical that an independent security review of an outsourcing vendor be obtained.
A definition of key performance indicators is required before implementing an IT balanced scorecard.


Accountability cannot be transferred to external parties.


The security policy provides the broad framework of security, as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access.


Risks are mitigated by implementing appropriate security and control practices. Insurance is a mechanism for transferring risk. Audit and certification are mechanisms of risk assurance, and contracts and SLAs are mechanisms of risk allocation.


Strategic planning sets corporate or departmental objectives into motion. Comprehensive planning helps ensure an effective and efficient organization. Strategic planning is time- and project-oriented, but also must address and help determine priorities to meet business needs. Long- and short-range plans should be consistent with the organization’s broader plans for attaining their goals.

Assessment methods provide a mechanism whereby IS management can determine if the activities of the organization have deviated from planned or expected levels. These methods include IS budgets, capacity and growth planning, industry standards/benchmarking, financial management practices, and goal accomplishment. Quality management is the means by which the IS department processes are controlled, measured and improved. Management principles focus on areas such as people, change, processes and security. Industry standards/benchmarking provide a means of determining the level of performance provided by similar information processing facility environments.

