Notes 6

# The chair of the steering committee should be a senior person (executive level manager) with the authority to make decisions.
- The chief information officer (CIO) would not normally be the chair, although the CIO or his representative would be a member to provide input on organization wide strategies.

# The project steering committee provides overall direction and is also responsible for monitoring project costs and project schedules .A project steering committee usually consists of a senior representative from each function that will be affected by the new system and would be the most appropriate group to approve the RFP. The project sponsor provides funding for the project.

# Other factors can be meaningless in absence of proper alignment of IT security with business and IT objectives. Even if top management approves the policy which is not in line with business objective, same should be questionable.

# Board of directors in any organization have ultimate responsibility for the development of IS security function. Security committee performs as per the direction of board. The IS department is responsible for the execution of the policy. IS audit department need to ensure proper implementation of IS security policy and in case of any deviation need to report to management.

# Board of directors in any organization have ultimate responsibility for the IT governance. IT strategy committee advises the board and IT steering committee monitors the board approved IT governance policy and facilitates deployment of IT resources for specific projects in support of business plans. The audit committee looks after audit issues and control part.

# Project steering committee is ultimately responsible for total project management for IT related projects. They provide direction and monitors costs and project schedules. Audit committee do not involve in monitoring the projects. User management and system development management are involved in projects to the extent of their role however responsibility lies with project steering committee. User management assumes ownership of the project and resulting system. They should review and approve deliverables as they are defined and accomplished.

# The project steering committee provides overall direction and is also responsible for monitoring project costs and project schedules .A project steering committee usually consists of a senior representative from each function that will be affected by the new system and would be the most appropriate group to approve the RFP. The project sponsor provides funding for the project. IS strategy committee advices board of directors on IT initiatives.

# The project sponsor is the manager in charge of the business function, the owner of the data and the owner of the system under development. Providing functional specifications through functional users is the responsibility of the project sponsor. So, Requirement specifications is ultimately responsibility of Project Sponsor.

Notes 5

# The first step in a risk-based audit approach is to gather information about the business and industry to evaluate the inherent risks. After completing the assessment of the inherent risks, the next step is to complete an assessment of the internal control structure. The controls are then tested and, on the basis of the test results, substantive tests are carried out and assessed.

# The IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence.

# A bottom-up approach begins by defining operational-level requirements and policies, which are derived and implemented as the result of risk assessments.

# Primarily consideration should be documentation of identified risk. In order to manage and control a risk, it first must be recognized as a risk. Only after documentation, other factors to be considered.

# Audit charter should be independent from IS department and IT steering committee.

# Action plan in case of disruption of services is included in BCP policy.

# Audit compendium includes summary of critical of audit observations for higher management.

# The result of risk management process is used for making security policy decisions.

# Attribute sampling method (either control is present or absent) will be useful when testing for compliance.

# Compliance testing involves verification of process
- substantive testing involves verification of transactions or data.

Notes 4

# Three main accuracy measures used for a biometric solution are:
- False-Acceptance Rate (FAR),
- False-Rejection Rate (FRR),
- Cross-Error Rate (CER) or Equal-Error Rate (EER)

- Most important overall quantitative performance indicator for biometric system is CER or EER.
- A low EER is a combination of a low FRR and a low FAR. CER or EER is a rate at which FAR and FRR is equal.
- The most effective biometric control system is the one with lowest CER or EER. Low FRRs or low FARs alone does not measure the overall efficiency of the device.

# Control self-assessment (CSA) is a technique that allows managers and work teams directly involved in business units, functions or processes to participate in assessing the organization's risk management and control processes. Team understand the business process, define the controls and generate an assessment of how well the controls are working. This is best achieved during preliminary survey phase.

# Reference Monitor:
- Mechanism that checks each request by a subject to access and use an object is as per security policy.
- In operating systems architecture a reference monitor concept defines a set of design requirements on a reference validation mechanism, which enforces an access control policy over subjects' (e.g., processes and users) ability to perform operations (e.g., read and write) on objects (e.g., files and sockets) on a system.
- A reference monitor is implemented via a security kernel, which is a hardware/software/firmware mechanism.

# Address Resolution Protocol (ARP)
- A network layer protocol used to convert an IP address into a physical address such as an Ethernet address. A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network. The host on the network that has the IP address in the request then replies with its physical hardware address.

# Access control analyzer
- An access control analyzer is an audit utility for analyzing how well access controls have been implemented and maintained within an access control package.

# Reverse ARP (RARP)
- Used by a host to discover its IP address. In this case, the host broadcasts its physical address and a RARP server replies with the host's IP address.

# A review of system configuration files for control options used would show level of access available for different user.
- Both log files are detective in nature.
- Job descriptions of users will not provide details about access level.

# Network security reviews include reviewing router access control lists, port scanning, internal and external connections to the system, etc.

#  Information security, business continuity and risk management should be considered while developing IT plan, but all this will add value only if IT plan is in line with business plan.

# Unprotected passwords files represent the greatest risk. Such files should be stored in an encrypted manner.

# General operating system access control functions include log user activities, log events, etc.
# network control feature - Logging data communication access activities
# database control function - Verifying user authorization at the field level
# application-level access control functions - Changing data files

# The very first step in reviewing an organization's IT strategic plan is to review/understand the business plan. Without understanding the context in which business operates and its expansion plan, review of strategic plan may not be that effective. To evaluate the IT strategic plan, the IS auditor would first need to familiarize him/herself with the business plan. Alignment of IT processes as per business is an important consideration. However, first one needs to understand the business.

# Authentication: The process of verifying who you are. When you log on to a PC with a user name and password you are authenticating. Authentication is about who somebody is.

# Authorization: The process of verifying that you have access to something. Gaining access to a resource (e.g. directory on a hard disk) because the permissions configured on it allow you access is authorization. Authorization is about what they're allowed to do.

#
- The risk that many users can claim to be a specific user can be better addressed by proper authentication process rather than authorization.
- Without an appropriate authorization process, it will be impossible to establish functional limits and accountability.
- Authorization process will not directly impact sharing user accounts. Other controls are required to prevent sharing of user accounts.
- In absence of proper authorization process principle of least privilege cannot be assured.

# False-Acceptance Rate (FAR):
FAR is a rate of acceptance of unauthorised person i.e. biometric will allow unauthorised person to access the system.
- Most important performance indicator for biometric system is false-acceptance rate (FAR).
- This is a fail-unsafe condition, i.e., an unauthorized individual may be granted access.
- A low FAR is most desirable when it is used to protect highly sensitive data.

Equal Error Rate (EER) or CER is best indicator when overall performance is to be evaluated.

# The risk of false-acceptance cannot be eliminated. Risk of a biometric device may be optimized, but will never be zero because this would imply an unacceptably high risk of false rejection.
# The fingerprint reader does not need to be protected in itself by a password.
# The usage of biometric protection on PCs does not provide assurance that unauthorized access will be impossible.

# Both CPM & PERT is a technique for estimating project duration and timeline. However, PERT is more reliable than CPM for estimating project duration. Advantage of PERT over CPM is that in CPM only single duration is considered while PERT considers three different scenarios i.e optimistic (best), pessimistic (worst) and normal (most likely) and on the basis of three scenarios, a single critical path is arrived.

# Digital Signature:

Step 1: Create Hash (Message digest) of the message.
Step 2: Encrypt the hash (as derived above) with private key of the sender.

Upon receiving the message, recipient will perform following functions:
Step 1: He will independently calculate hash value of the message.
Step 2: Then he will decrypt the digital signature using public key of sender. If recipient is able to decrypt the message successfully with public key of sender, then it proves authentication i.e message is infact sent from the sender. It ensures non-repudiation i.e sender cannot repudiate having sent the message.

Step 3: Now, recipient will compare value derived under step (1) with value derived under step (2). If both tallies, it proves integrity of the message.

# Digital signature is created by encrypting hash of the message. Encrypted hash cannot be altered without knowing public key of sender.

# Digital Signature is created in below two steps:

Step 1: Create Hash (Message digest) of the message.
Step 2: Encrypt the hash (as derived above) with private key of the sender.

If the sender is customer, hash to be encrypted by using customer’s (sender’s) private key.

Notes 3

# Function of IDS - Obtaining evidence on intrusive activity.

# Function of FireWall:
- Control the access on the basis of defined rule
- Blocking access to websites for unauthorised users
- Preventing access to servers for unauthorised users

# Main problem in operating IDSs is the recognition (detection) of events that are not really security incidents—false positives (i.e. false alarm).

# Concerns of biometric implementation:
- instances of false rejection rate.
- instances of false acceptance rate.

# Denial of service is a type of attack and is not a problem in the operation of IDSs.

# BEST method to detect the intrusion is to actively monitor the unsuccessful logins.
- Deactivating the user ID is preventive method and not detective.

# IDS cannot detect attacks which are in form of encrypted traffic. So if organisation has misunderstood that IDS can detect encrypted traffic also and accordingly designed its control strategy, then it is major concern.

# ‘War Driving’ - Used by hacker for unauthorised access to wireless infrastructure. War driving is a technique in which wireless equipped computer is used to locate and gain access to wireless networks. Same is done by driving or walking in and around building. ‘War Driving’ is also used by auditors to test wireless.
- WPA-2 is an encryption standard and not a technique to test the security.
- War dialling is a technique for gaining access to a computer or a network through the dialling of defined blocks of telephone numbers.

# Following are the best practises for wireless (wi-fi) security :
- Enable MAC (Media Access Control) address filtering.
- Enable Encryption to protect data in transit.
- Disable SSID (service set identifier) broadcasting.
- Disable DHCP (Dynamic Host Configuration Protocol).

# A randomly generated PSK is stronger than a MAC-based PSK.
- WEP (Wired equivalent privacy) has been shown to be a very weak encryption technique and can be cracked within minutes.

# The risk management process is about making specific, security-related decisions, such as the level of acceptable risk.

# Out of all types of firewall, Application-Level Firewall provides greatest security environment (as it works on application layer of OSI model).
- Application gateway works on application layer of OSI model and Circuit gateway works on session layer.
- Application gateway has different proxies for each service whereas Circuit gateway has single proxy for all services.
Therefore, application gateway works in a more detailed (granularity) way than the others.

# Out of all types of firewall implementation structures, Screened Subnet Firewall provides greatest security environment (as it implements 2 packet filtering router and 1 bastion host). It acts as proxy and direct connection between internal network and external network is not allowed. A screened-subnet firewall is also used as a demilitarized zone (DMZ).
Difference between screened-subnet firewall and screened host firewall is that, screened-subnet firewall uses two packet filtering router whereas screened-host firewall uses only one packet-filtering firewall. Both works on the concept of bastion host and proxy.

# Application gateway works on application layer of OSI model and effective in preventing applications, such as FTPs and https. A circuit gateway firewall is able to prevent paths or circuits, not applications, from entering the organization's network.

# Application-level gateway
Out of all types of firewall, Application-Level Firewall provides greatest security environment (as it works on application layer of OSI model).An application-level gateway is the best way to protect against hacking because it can define with detail rules that describe the type of user or connection that is or is not permitted. It analyze each package in detail at application level of OSI which means that it reviews the commands of each higher-level protocol such as HTTP, FTP etc.

# Firewall Security can be compromised when all the installation options are kept open.

# Audit Charter outlines the overall authority, scope and responsibilities of the Internal Audit Function. Functions of External Audit are governed by Engagement letters.

# Kerberos is a network authentication protocol for client-server applications that can be used to restrict access to the database to authorized users.
- Vitality detection and multimodal biometrics are controls against spoofing and mimicry attacks.
- Before-image/after-image logging of database transactions is a detective control
- Kerberos is a preventative control.

# Kerberos 
1. Kerberos is a Single Sign-on tool which is used to protect networks and related resources.
2. Kerberos work in Open Network Environment (ONE) which is sometimes also known as Distributed Computing Environment(DCE) and manages authentication in diverse environment.
3.In kerberos both client and server are authenticated.
4.Purpose of kerberos is to avoid spoofed attacks
5.Important components/ parts of kerberos system includes:

Authenticator
Credential
Kerberos Authentication Server(KAS)
Kerberos Database
Session Key
Ticket
Ticket Granting Server (TGS)
Timestamp
User or Client

6. Client identity is stored in kerberos database.
7. Ticket contains user identity,a session key, a timestamp etc.
8. Every ticket will have unique session key.
9. Tickets can be reused.
10. Kerberos server maintains history of previous user requests & sessions.

Notes 2

# Statistical sampling minimizes the detection risk.
- Detection risk is the chance that an auditor will not find material misstatements in an entity's financial statements. Detection risk is the risk that the auditor will conclude that no material errors are present when in fact there are.
- Using statistical sampling, probability of error can be objectively quantified and hence detection risk can be minimized.

#  compliance testing checks for the presence of controls. Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized.

# Bottom-Up Approach: 
Start with testing of individual units such as programs or modules and work upward until a complete system is tested.
Advantages of bottom-up: (i) Test can be started even before all programs are complete (ii) Errors in critical modules can be found early.

#Top-Down Approach: 
Test starts from broader level and then gradually moves towards individual programs and modules.
Advantages of top-down: (i) Interface error can be detected earlier (ii) confidence in the system is achieved earlier.

System testing includes (i) Recovery testing (ii) Security testing (iii) Load testing (iv) Volume testing (v) Stress testing & (vi) Performance testing.


#  A company is planning to install a network-based intrusion detection system (IDS) to protect the web site that it hosts. Where should the device be installed?
A. On the local network B. Outside the firewall C. In the demilitarized zone (DMZ) D. On the server that hosts the web site

The correct answer is: C

Explanation:
The local network doesn't make sense. The public website will be facing the Internet, and the local network should always be behind another layer of firewalls. Traffic for the website will never reach the local network, because the website has to be in a DMZ. As for the server that hosts the website: the IDS is a standalone device, with a very specialized mission that requires lots of pattern matching. So, it's better to have it in a separate, custom-built box. A "soft IDS" that shares hardware with a website could be easily flooded by your typical script-kiddie attacks. So we only have to decide the order of the boxes.

- Internet-IDS-Firewall, or Internet-Firewall-IDS.
Firewalls define DMZs, remember. Internet-IDS-Firewall would be option B and Internet-Firewall-IDS is option C. Firewalls are built to be the first line of defense and face the Internet. The analysis an IDS has to make is usually more complicated (I assume we're talking traditional firewalls, not "next-generation firewalls"), so it's good for the firewall to do the "coarse work" for it. Take a very simple example: if there's only one website on the DMZ, the firewall can filter everything except ports 80 and 443 into the website's address. Then all the IDS has to do is examining the HTTP traffic for web vulnerabilities, CSS, and the like. So option C is clearly the best.

# Actively managing compliance with the contract terms for the outsourced services is the responsibility of IT management.
- Compliance with regulatory requirements is in purview of compliance or legal team.
- Payment is in scope of finance team.
- Penalty for non-compliance is by-product of managing compliance with contract.

# The primary activity of a CA is to issue certificates and to validate the identity and authenticity of the entity owning the certificate and integrity of the certificate issued by that CA.
- CAs are not responsible of secured communication channel. Private keys are not made available in public domain.

# Board of directors in any organisation have ultimate responsibility for the development of IS security function.
- Security committee performs as per the direction of board.
- The IS department is responsible for the execution of the policy.
- IS audit department need to ensure proper implementation of IS security policy and in case of any deviation need to report to management

Reference Links

https://atmanjunath.wordpress.com/
https://www.auditscripts.com/free-resources/cisa-exam-references/cisa-practice-tests/
http://passcisa.blogspot.com/

Notes 1

Shoulder surfing - Attack wherein any person nearby could "look over the shoulder" of the user to obtain the password.
Piggybacking - Unauthorized persons following authorized persons into restricted areas.
Dumpster diving - Attack wherein critical information is obtained trash box.
Impersonation - refers to someone acting as an employee in an attempt to retrieve desired information.

# As high complex criteria can be set in CIS, it is the best technique to identify transactions as per pre-defined criteria. Continuous and Intermittent Simulation (CIS) is a moderately complex set of programs that during a process run of a transaction, simulates the instruction execution of its application. As each transaction is entered, the simulator decides whether the transaction meets certain predetermined criteria and if so, audits the transaction. If not, the simulator waits until it encounters the next transaction that meets the criteria. Audits hooks which are of low complexity focus on specific conditions instead of detailed criteria in identifying transactions for review. ITF is incorrect because its focus is on test versus live data.

# A warm site has the basic infrastructure facilities, such as power, air conditioning and networking and some of computers. However, all computing device are not installed. Hence before resumption of services from warm site, timely availability of hardware is major concern. A cold site is basically availability of space and basic infrastructure. No communication equipments and computers are installed. Cold site is characterized by at least providing for electricity and HVAC (heat, ventilation and air-conditioning). No other computing facilities are available at cold site.

# It is the responsibility of the IT sterring committee to ensure the efficient use of IT resources.
# Strategy committee is responsible for advising board members about new projects.

# Absence of a project steering committee represents a major risk. A steering committee would provide a liaison between the IS department and the user department. It monitors the IT project prioritization as per business requirements.

# The responsibilities of a telecommunications analyst include reviewing network load requirements in terms of current and future transaction volumes (choice B), assessing the impact
of network load or terminal response times and network data transfer rates (choice C), and recommending network balancing procedures and improvements (choice D).
- Monitoring systems performance and tracking problems as a result of program changes (choice A) would put the analyst in a self-monitoring role.

# Social engineering is based on the divulgence of private information through dialogues, interviews, inquiries, etc., in which a user may be indiscreet regarding his/her or other's personal data.
- A sniffer is a computer tool to monitor the traffic in networks.
- Back doors are computer programs left by hackers to exploit vulnerabilities.
- Trojan horses are computer programs that pretend to supplant a real program; thus, the functionality of the program is not authorized and is usually malicious in nature.

#  For unit testing appropriate strategy is white box approach (as both involves testing of internal logic).Unit testing involves testing of individual program or module. In white box testing, program logic is tested. It is applicable for unit testing and interface testing. White box testing examines the internal structure of a module.
In black box, only functionality is tested. Program logics are not tested and hence not relevant for unit testing.