Term
| What are six types of audit assessment activities? |
|
Definition
1. 90-second assessment
2. Control self-assessments
3. Design/architecture reviews
4. Due diligence reviews
5. Spot checks
6. Penetration studies |
|
|
Term
| What are the five parts of a system assessment or review? |
|
Definition
1. Objective
2. Scope
3. Constraint
4. Approach
5. Result |
|
|
Term
| Define "objective" as related to a system assessment. |
|
Definition
A statement of the thing to be proved or disproved in the course of an assessment. It is often stated in terms of assurance. For example,
to provide assurance that Application Internet access cannot be exploited to gain access to internal systems.
Spectrum: Business driven to tech driven |
|
|
Term
| Define "scope" as related to a system assessment. |
|
Definition
Scope is a technical term that refers to the map of the purpose of the review to the thing to be reviewed.
Spectrum: technology to process |
|
|
Term
| Define "constraint" as related to a system assessment. |
|
Definition
The situations within which a reviewer operates, which may or may not hinder his or her ability to assess the entire scope and complete the assessment objective. For example, a prohibition on accessing the application during business hours.
Spectrum: Money to reviewer sphere of influence |
|
|
Term
| Define "approach" as related to a system assessment. |
|
Definition
Alternative sets of activities that covers the scope in a way that meets the objective of the assessment, given the constraints. I.e., how are we going to conduct the assessment.
Spectrum: interviews to technology testing |
|
|
Term
| Define "result" as related to a system assessment. |
|
Definition
An assessment of whether the assessment objective was met.
Spectrum: verbal yes or no answer to formally published reports |
|
|
Term
| What are the five parts of the "The 90-second Security Review"? |
|
Definition
Objective: To answer the question, “are we secure despite this?” with “yes.”
Scope: A verbal description or automated evidence of “this.” Situational awareness.
Contraint: Short timeframe, reliance on assumptions concerning technical detail behind the verbal description or evidence
Approach: Experienced-based detection, classification, containment exercise
Result: “yes” or “no” |
|
|
Term
| What are the five parts of the "The Control Self-Assessment"? |
|
Definition
Objective: To establish that the controls implemented maintain security are sufficient to do so.
Scope: The systems environment housing the data that an organization is charged to secure.
Constraint: Unknowns or lack of expertise in security mechanisms in third party products. Time. Participants are also responsible for system maintenance so may be biased.
Approach: Identify risks, exposures, potential perps, evaluate ability of controls to protect, detect, or recover from exploits.
Result: Control/weaknesses |
|
|
Term
| What are the five parts of the "The Design/Architecture Review"? |
|
Definition
Objective: To establish that a system is capable of securing data, and identify configuration parameters in the systems environment required to effect security.
Scope: Network and operating system placement diagrams, as well as detailed technical design documents on system security mechanisms.
Constraint: Unknowns or lack of expertise in security mechanisms in third party products. Time.
Approach: Compare settable parameters of all systems components to known secure configurations and/or security policy.
Result: List of issues to address, iterative process. |
|
|
Term
| What are the five parts of the "The Due Diligence Review"? |
|
Definition
Objective: To establish that a third party has adequate safeguards in place to secure data on an ongoing basis.
Scope: Service description, data exchange mechanisms, draft contract, security controls at third party site.
Constraint: Unknowns or lack of expertise in security mechanisms, as well as system configuration at third party site.
Approach: Obtain documentation on security controls at third party, evaluate effectiveness, test described controls.
Result: Opinion plus caveats, may be iterative. |
|
|
Term
| What are the five parts of "The Spot Check"? |
|
Definition
Objective: To render and opinion on whether a given security processing working.
Scope: Process description, system security parameters of system directly supporting the process.
Constraint: Reliance on assumptions with respect to systems interfaces and supporting systems (e.g. data feeds, network, OS).
Approach: Review all system security procedures and settings, identify expected user community, evaluate whether expected controls are in place.
Result: “yes” or “no” |
|
|
Term
| What are the five parts of "The Penetration Test"? |
|
Definition
Objective: To see if a system can be broken into from a publicly accessible portal.
Scope: System's publicly accessible portals and supporting layers of technology.
Constraint: No direct access to supporting layers of technology (in black box testing, no knowledge of those layers). Time.
Approach: Perform standard set of techniques (next page more detail) substitute time and materials for unknown activities in the project plan.
Result: List of vulnerabilities. |
|
|
Term
| What are the standard techniques for penetration testing? |
|
Definition
1. Reconnaissance – Map the target environment without getting caught.
2. Espionage – In the context of application security, this is a method of evaluating the security of a computer application by simulating an attack by a malicious user who tries to evade detection.
3. Fuzzing – A software testing technique that provides random or malformed data to inputs of a program to test for security and integrity.
4. Assault– Full frontal attack where non-repudiation is not the primary consideration. May include sabotage on test environments. |
|
|
Term
| What are the risks associated with network penetration testing? |
|
Definition
1. False sense of security
2. Miscommunication of test or result
3. Inadvertent escalation
4. Accidental system outages
5. Accidental data leakage |
|
|
Term
| What is a security review? |
|
Definition
| Work performed in the context of an organizational need to understand something about the level of protection in a given systems environment. |
|
|
Term
|
Definition
| An attestation service based on independently defined professional practices for those who will attest, following standards for identifying, evaluating, testing, and assessing controls in the context of an accountable management structure. |
|
|
Term
| What are four rules of auditor independence? |
|
Definition
1. Must have independent reporint structure to board level.
2. Must not rely on auditee for compensation.
3. Must not have participated in design or operations of system under review.
4. Must be distanct in attitude and appearance. |
|
|
Term
| What are the two parts of audit planning? |
|
Definition
1. risk assessment.
2. Control frameworks. Review organizations structure, policies , and procedures established in support of control objectives. |
|
|
Term
| What is a control objective? |
|
Definition
| Specific, measurable goals that individual controls are designed to achieve. |
|
|
Term
|
Definition
| The actions that an auditor will take to independently gather evidence of activity established by management that contributes to control objectives. |
|
|
Term
| What are compensating controls? |
|
Definition
| It is best to prevent undesired events from happening; howeever, if they cannot be prevented, compensating controls do one of two things: (1) Detect the undesired events in time for a response team to prevent harm, or (2) correct the situation if the undesired event was not detected in time to prevent harm. |
|
|
Term
| What are three rules for evidence evalutation? |
|
Definition
1. Evidence obtained from outside sources is more reliable than evidence provided by the organization being audited.
2. The qualifications of the person providing the evidence should be considered.
3. Objective evidence is more reliable than that which requires evaluation or interpretation. |
|
|
Term
| An audit report include audit points. What are the six parts of an audit point? |
|
Definition
1. Condition
2. Criterion
3. Cause
4. Effect
5. Recommendation
6. Management Response |
|
|
Term
| What is the definition of an audit point "condition"? |
|
Definition
| A factual description of audit evidence |
|
|
Term
| What is the definition of an audit point "criterion"? |
|
Definition
| Some objective standard as to why the audit point is valid |
|
|
Term
| What is the definition of an audit point "cause"? |
|
Definition
| The root cause of the situation that introduced the control weakness |
|
|
Term
| What is the definition of an audit point "effect"? |
|
Definition
| The risk in terms of potential negative impact that the condition presents to the audited organization |
|
|
Term
| What is the definition of an audit point "recommendation"? |
|
Definition
| Auditor’s opinion on what control activity should be established to mitigate the risk of the bad effects due to condition. |
|
|
Term
| What is the definition of an audit point "management response"? |
|
Definition
| IT Manager’s action plan that will change the condition. |
|
|
Term
| How are non-specific threats handled? |
|
Definition
| Risk Review. (See module 6). |
|
|
Term
| How are specific threats handled? |
|
Definition
| Employ the appropriate kind of system review as determined by the review contraints. E.g., time constrained, intelligence-intensive, damageaverting, response-focused: 90-second security review |
|
|
