This content provides a comprehensive overview of the "Protection of Information Assets" domain for the Certified Information Systems Auditor (CISA) certification. It details the principles, controls, risks, and techniques necessary to ensure the confidentiality, integrity, and availability (CIA) of an organization's information assets.
Hello and welcome to the fifth domain of the Certified Information Systems Auditor (CISA) course offered by Simplilearn. This domain will cover protection of information assets. Let us look at the objectives of this domain in the next screen.

By the end of this domain you should be able to: understand and provide assurance that the enterprise's security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets; detail the design, implementation and monitoring of security controls; discuss the risks associated with the use of mobile and wireless devices; understand encryption techniques such as public key infrastructure and risks related to data leakage; detail network detection tools and techniques; and discuss how confidential information can be stored, retrieved, transported and disposed of.

The following screen gives an overview of this domain. An information asset is a component related to the provision of accurate data or information for decision-making purposes by an entity. It is considered to hold value to that particular organization and should therefore be protected by ensuring confidentiality, integrity and availability (CIA).
Examples of information assets are information or data; computer application systems; computers, personal computers (PCs), laptops, PDAs and phones; networks, including local area networks (LANs), wide area networks (WANs) and wireless networks; human resources; facilities, main distribution facilities (MDFs), data centers and server rooms; and other technologies such as database technologies, among others. Let us continue with the overview in the following screen.

The risks to business include financial loss, electronic fraud, legal repercussions, privacy issues, loss of credibility or competitive edge, blackmail, industrial espionage, sabotage and breach of confidentiality. Security failures can be costly to business, as more costs are incurred to secure systems and prevent further failure; furthermore, costs are incurred from the losses caused by the failure itself and when recovering from such losses. Let us now look at threats to information assets in the next slide.

The threats to information assets include hackers, crackers, phreakers, authorized or unauthorized employees (IS personnel and users), former employees, interested or educated outsiders, competitors, organized criminals, part-time and temporary personnel, vendors and consultants, and finally accidental ignorance. Let us begin with the first topic in this domain in the following screen.

In this topic we will learn about the concepts under the first knowledge statement, KS 5.1. We will begin with design, implementation and monitoring of security controls in the next screen.

The key knowledge statement is to understand the techniques for the design, implementation and monitoring of security controls, including security awareness programs. Security needs to be aligned with business objectives to provide a reasonable reduction in risk. Security objectives may include the following: ensure the continued availability of information systems; ensure the integrity of information stored on its computer systems and its security while the information is in transit; preserve the confidentiality of sensitive data while stored and in transit; and ensure compliance with applicable laws, regulations and standards. Let us continue discussing design, implementation and monitoring of security controls in the next screen.

Ensure adherence to trust and obligation requirements for any information assets, in accordance with the applicable privacy policy or privacy laws and regulations. Prudence in the application of controls is important because controls entail a cost, either directly or indirectly by impacting on business operations. The business impact analysis (BIA) is the process used to establish the material adverse events the business should be worried about. The following screen lists the main areas to be covered under this knowledge statement.

The main areas to cover here are: key elements of information security management; critical success factors to information security; inventory and classification of information assets; and network infrastructure security. In the next screen we will learn about information security management.

Effective ISM is the most critical factor in protecting information assets and privacy. The factors that raise the profile of information and privacy risk include electronic trading through service providers and directly with customers, loss of organizational barriers through the use of remote access facilities, and high-profile security exposures: viruses, denial of service (DoS) attacks, intrusions, unauthorized access, disclosures, identity theft over the Internet, etc. Let us continue discussing information security management (ISM) in the next screen.

Security awareness and education is delivered through training and regular updates; written policies and procedures and their updates; non-disclosure statements signed by employees; newsletters, web pages, videos and other media; visible enforcement of security rules; simulated security incidents and simulated drills; rewards for reporting suspicious events; and periodic audits. Monitoring and compliance: this control includes an element of monitoring and usually relates to regulatory and legal compliance. Incident handling and response is the remaining element. In the next few screens we will learn about roles and responsibilities under information security management.

The security objectives to meet business requirements are: to ensure continued availability of information systems; to ensure integrity of information stored in systems and while in transit; to preserve confidentiality of sensitive data; to ensure conformity to applicable laws, regulations and standards; to ensure adherence to trust and obligation requirements; and to ensure protection of sensitive data. Data integrity, as it relates to security objectives, generally refers to the accuracy, completeness, consistency or neutrality, validity and verifiability of the data once loaded on the system. Integrity refers to the reliability of data. Let us continue discussing information security management (ISM) in the next screen.

The key elements of ISM are: senior management commitment and support (risk management begins at the top); policies and procedures (the framework that captures top management's declaration of direction); and organization (clearly defined and allocated roles and responsibilities, supplemented with guidance, usually relating to regulatory and legal compliance). Let us continue discussing information security management (ISM) in the next screen.

Roles and responsibilities must be defined, documented and communicated to personnel and management. The IS security steering committee is represented by individuals from various management levels. It discusses and approves security policies, guidelines and procedures with input from end users, executive management, auditors, security administration, IS personnel and legal counsel. The committee is formally established with appropriate terms of reference. Executive management is responsible for the overall protection of information assets and for issuing and maintaining the policy framework. The security advisory group is responsible for defining the information risk management process and the acceptable level of risk, and for reviewing security plans. It is comprised of people involved in the business and provides comments on security issues to the chief security officer (CSO); it also advises the business on whether the security programs meet business objectives. The chief information security officer (CISO) is a senior-level corporate official responsible for articulating and enforcing policies used to protect information assets. He has a much broader role than the CSO, who is normally only responsible for physical security within the organization. Information asset owners and data owners are entrusted with the responsibility for the owned asset, including performance of a risk assessment, selection of appropriate controls to mitigate the risk, and acceptance of the residual risk.
Process owners ensure that appropriate security measures consistent with organizational policy are maintained. Users comply with procedures set out in the security policy and adhere to privacy and security regulations, often specific to sensitive data (for example health, legal, finance, etc.). The chief privacy officer (CPO) is a senior-level corporate official and is responsible for articulating and enforcing policies used to protect customers' and employees' privacy rights. External parties follow procedures set out in the security policy; they adhere to privacy and security regulations, often specific to sensitive data (for example health, legal, finance, etc.). The information security administrator is a staff-level position; he is responsible for providing adequate physical and logical security for IS programs, data and equipment, normally guided by the information security policies. Security specialists and advisors assist with the design, implementation, management and review of security policies, standards and procedures. IT developers implement information security within their applications. IS auditors provide independent assurance on the appropriateness and effectiveness of information security objectives and the controls related to these objectives. In the next screen we will learn about system access permissions.

System access permission is the ability to do something with a computer resource: read, create, modify or delete a file or data, execute a program, or use an external connection. It is controlled at the physical and/or logical level. Logical controls govern access to information and programs; they are built into the operating system, invoked through access control software, and incorporated in application programs, DBMSs, network control devices and utilities. Let us continue discussing system access permissions in the next screen.

Physical controls restrict the entry and exit of personnel and the movement of equipment and media. They include badges, memory cards, keys and biometrics. Access is granted on a documented need-to-know basis with a legitimate business requirement, based on the least privilege and segregation of duties principles. Access principles relate to four layers of security, namely network, platform (typically the operating system), database and application. In the next screen we will learn about mandatory and discretionary access controls.

Mandatory access controls (MACs) are logical access controls that cannot be modified by normal users or data owners. They act by default and are used to enforce critical security without possible exception. Only administrators can grant a right of access, guided by an established policy of the organization. Discretionary access controls (DACs) may be configured or modified by the users or data owners; access may be activated or modified by a data owner. DACs cannot override MACs, and they act as additional filters to restrict access further. In the next few screens we will learn about privacy management issues and the role of IS auditors.

Privacy issues relate to personally identifiable information, for example a personal identification number (PIN). Regulations generally restrict the use of such data by giving the subject individual rights to access and correct that data. They also govern how such data is obtained, requiring the knowledge and consent of the data subject. The impact of risks, including marketing risks, transborder data flow and variations in regulations, may require privacy experts during risk assessment. The goals of a privacy impact assessment are: identifying the nature of personally identifiable information relating to business processes; documenting the collection, use, disclosure, storage and destruction of personally identifiable information; providing management with an understanding of privacy risk and options to mitigate this risk; ensuring accountability for privacy; and facilitating compliance with relevant regulations.

IS audit considerations relating to privacy include the adequacy of the privacy assessment, for example compliance with the privacy policy, laws and other regulations, and the manner in which it is used for competitive gain. Another consideration is the ongoing assessments conducted when new products, services, systems, operations, processes and third parties are under consideration. Besides, transborder and multinational laws should also be considered. The focus and extent of the privacy impact assessment may depend on changes in technology, processes or people, as shown below. In the next few screens we will learn about information security and external parties, human resources security and third-party security.

Roles and responsibilities of employees, contractors and third-party users should be defined and documented in accordance with the organizational security policy, and information security policies should guide employees, contractors and third-party users. Information security and external parties: the security of information and processing facilities must be maintained when external party services or products are introduced. Controls must be agreed to and defined in a formal agreement, and the organization must have the right to audit the implementation and operations. External party arrangements include service providers (ISPs, network providers, managed security services), customers, outsourcing of facilities and/or operations (IT systems, data collection services), management and business consultants and auditors, developers and suppliers, and cleaning, catering and other outsourced support services; others include temporary personnel, student placements and other casual short-term appointments.

The risks related to external party access arise where information processing facilities are required to be accessed by external parties. The factors to consider include the type of access (physical access, logical access, network connectivity between the organization and the external party), the value and sensitivity of the information involved and its criticality for business operations, and legal and other regulatory requirements. Security in relation to customers involves identifying security requirements for customer access. The customer access security considerations are: asset protection; description of the product or service to be provided; reasons, requirements and benefits for customer access; access control policy; arrangements for reporting, notification and investigation of information inaccuracies; target levels of service and unacceptable levels of service; the right to monitor and revoke any activity related to an organization's assets; and intellectual property rights and copyright assignment. You will now attempt a question to test what you have learned so far.

In this topic we will learn about the concepts in knowledge statement 5.2. Let us discuss monitoring and responding to security incidents in the following screens. The key knowledge point is the processes related to monitoring and responding to security incidents, for example escalation procedures and the emergency incident response team. A formal incident response capability should be established to minimize the impact of security incidents, recover in a timely and controlled manner, and learn from such incidents. History should be kept through proper recording of incidents. While security management may be responsible for monitoring and investigating events, and may have drafted or set a requirement for escalation procedures, other functions must be involved to ensure proper response. These functions must have well-defined and communicated processes in place that are tested periodically. The main areas covered here are security incident handling and response. In the next screen we will discuss incident handling and response.

An incident is an adverse event that threatens some aspect of information security. To minimize damage from security incidents, and to recover and learn from such incidents, a formal incident response capability has to be established. It includes planning and preparation, detection, initiation, recording, evaluation, containment, eradication, escalation, response, recovery, closure and post-incident review. Let us continue discussing incident handling and response. Procedures are defined for reporting different types of incidents. The process involves quick reporting and collection of evidence, a formal disciplinary process and, where applicable, automated intrusion detection systems. Incident handling and response roles involve: the coordinator, who is the liaison to business process owners; the director, who oversees the incident response capability; managers, who manage individual incidents; security specialists, who detect, investigate, contain and recover from incidents; non-security technical specialists, who provide assistance with subject matter expertise; and business unit leader liaisons, which include legal, HR and PR. Logical access controls is another area we are going to learn about in subsequent slides. You will now attempt a question to test what you have learned so far.

In this topic we will learn about the concepts in knowledge statement 5.3. Let us discuss logical access controls in the following screens. The knowledge point to learn here is logical access controls for the identification, authentication and restriction of users to authorized functions and data. Logical access controls are used to manage and protect information assets. Controls enact and substantiate policies and procedures designed by management to protect information assets. Controls exist at both the operating system level and the application level, so it is important to understand logical access controls as they apply to systems that may reside on multiple operating system platforms and involve more than one application system or authentication point. Let us continue the discussion about logical access controls in the next few screens.

Logical security is often determined based on the job function of users. The success of logical access controls is tied to the strength of the authentication method, for example strong passwords. All user access to systems and data should be appropriately authorized and should be commensurate with the role of the individual. Authorization generally takes the form of signatures, physical or electronic, of relevant management. The strength of the authentication is proportional to the quality of the method used; strong authentication may include dual or multifactor authentication using user ID, password, tokens and biometrics. The main areas covered here are logical access.
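As an added worked example (not part of the Simplilearn course material), the following Python snippet models the mandatory and discretionary access controls described under KS 5.1 together with the point just made that access must be authorized and commensurate with the individual's role: a mandatory label check that only an administrator can change, followed by an owner-managed discretionary access list that can further restrict access but never override the mandatory decision. The labels, users, roles and resources are constructed for illustration.

```python
from dataclasses import dataclass, field

# Ordered sensitivity labels used by the mandatory check (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str          # mandatory attribute, set only by an administrator
    role: str               # recorded so access can be reviewed against the role


@dataclass
class Resource:
    name: str
    classification: str     # mandatory label, set only by an administrator
    owner: str
    acl: dict = field(default_factory=dict)   # discretionary: user -> set of rights


class AccessControl:
    def __init__(self, administrators):
        self.administrators = set(administrators)

    def set_classification(self, actor, resource, label):
        """MAC: labels may only be changed by an administrator, never by the owner."""
        if actor not in self.administrators:
            raise PermissionError(f"{actor} is not an administrator")
        if label not in LEVELS:
            raise ValueError(f"unknown label {label}")
        resource.classification = label

    def grant(self, actor, resource, user, right):
        """DAC: only the data owner (or an administrator) may change the ACL."""
        if actor != resource.owner and actor not in self.administrators:
            raise PermissionError(f"{actor} does not own {resource.name}")
        resource.acl.setdefault(user, set()).add(right)

    def mac_allows(self, subject, resource):
        # A subject may only reach resources at or below its clearance.
        return LEVELS[subject.clearance] >= LEVELS[resource.classification]

    def dac_allows(self, subject, resource, right):
        # Owners hold rights on their own data; everyone else needs an ACL entry.
        if subject.name == resource.owner:
            return True
        return right in resource.acl.get(subject.name, set())

    def check(self, subject, resource, right):
        """Mandatory check first; DAC can only narrow, never widen, the result."""
        if not self.mac_allows(subject, resource):
            return False
        return self.dac_allows(subject, resource, right)


def demo():
    ac = AccessControl(administrators={"secadmin"})
    payroll = Resource("payroll.xlsx", "confidential", owner="hr_lead")
    alice = Subject("alice", clearance="internal", role="analyst")
    bob = Subject("bob", clearance="confidential", role="hr")
    results = {}
    # The owner grants alice read via DAC, but MAC (internal < confidential) still denies.
    ac.grant("hr_lead", payroll, "alice", "read")
    results["alice_read_confidential"] = ac.check(alice, payroll, "read")
    # Bob clears MAC but has no DAC entry yet.
    results["bob_read_no_acl"] = ac.check(bob, payroll, "read")
    ac.grant("hr_lead", payroll, "bob", "read")
    results["bob_read_with_acl"] = ac.check(bob, payroll, "read")
    # The owner cannot relabel the resource to let alice in; only secadmin can.
    try:
        ac.set_classification("hr_lead", payroll, "internal")
        results["owner_relabel"] = True
    except PermissionError:
        results["owner_relabel"] = False
    ac.set_classification("secadmin", payroll, "internal")
    results["alice_after_admin_relabel"] = ac.check(alice, payroll, "read")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of the two checks is the whole point: because `check` consults the mandatory label before the ACL, an owner handing out rights can never open a resource to someone whose clearance is too low, which is exactly the "DACs cannot override MACs" rule from the course.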
Logical access controls are the primary means used to manage and protect information assets. Exposures to these assets can result in anything from minor inconveniences to a total shutdown of computer functions. Logical access controls involve managing and controlling access to information resources. They are based on management policies and procedures for information security. Logical access controls must be evaluated vis-à-vis information security objectives. Familiarization with the IT environment helps in determining which areas, from a risk standpoint, warrant IS auditing attention. This includes reviewing the security layers associated with the IS architecture: network, OS, database and application.

Paths of logical access are points of entry to the IS infrastructure: back-end and front-end systems, internally based users, externally based users, and direct access to specific servers. All points of entry must be known. General points of entry relate to the network or telecom infrastructure in controlling access to information resources: a typical client-server environment, primary domain controllers, and network management devices, for example routers and firewalls. The general modes of access are network connectivity and remote access (remotely dialing into a network for services that can be performed remotely, for example email). Traditional points of entry are mainly applicable to mainframe-based systems used for large database systems or legacy applications. Operator consoles are privileged computer terminals that control most computer operations and functions. They provide a high level of system access but do not have strong logical access controls, so the console is located in a suitably controlled facility where physical access can only be gained by authorized personnel. Online workstations in client-server environments: this method typically requires at least a logon ID and password to gain access to the host computer system. It may also require further entry of authentication or identification data for access to application-specific systems.

IS resources are more accessible and available anytime and anywhere: computers store large volumes of data, sharing of resources has increased from one system to another, and accessibility has increased through the internet and intranet. Logical access control software has become critical in protecting IS resources. It prevents unauthorized access to and modification of sensitive data and unauthorized use of critical functions. It is applied across all layers of the IS architecture: network, OS, DBMS and applications. Common attributes of this software are that it has some form of identification and authentication, provides access authorization, checks access to specific information resources, and provides logging and reporting of user activities.

The greatest degree of protection is applied at the network and platform (OS) level, mainly because it is the primary point of entry to systems; besides, it is the foundation, the primary infrastructure on which applications and DBMSs will reside. Also, OS access control software interfaces with databases and/or applications to protect system libraries and data sets. Network devices, for example routers and firewalls, manage external access to networks and thus need the highest degree of protection. General OS and application access control software functions include: creating or changing user profiles; assigning user identification and authentication; applying user logon limitation rules, for example restricting logon IDs to specific workstations at specific times; establishing rules for access to specific resources; creating individual accountability and auditability by logging user activities; and logging events and reporting capabilities. Database or application-level controls create or change data files and database profiles. They also verify user authorization at the application and transaction level within the application, and at the field level for changes within the database. They also verify subsystem authorization for the user at the file level. In addition, they log database and data communications access activities for monitoring access violations. You will now attempt a question to test what you have learned so far.

In this topic we will learn about the concepts in knowledge statement 5.4. Let us discuss security controls related to hardware and system software. In this slide we learn about the security controls related to hardware and system software, for example applications, operating systems and database management systems. Access control software utilizes both identification and authentication (I&A). Once authenticated, the system then restricts access based on the specific role of the user. I&A is the process by which the system obtains the identity of a user and the credentials needed to authenticate that identity, and validates both pieces of information. I&A is a critical building block of computer security, since it is needed for most types of access control and is necessary for establishing user accountability. For most systems, I&A is the first line of defense because it prevents unauthorized access by users or unauthorized processes to a computer system or an information asset. In the next screen we will discuss more about security controls related to hardware and system software.

Logical access can be implemented in various ways. The IS auditor should be aware of the strengths and weaknesses of various architectures such as single sign-on (SSO), where a single authentication will enable access to all authorized applications, identity management, and multifactor authentication. If this risk is considered manageable, it should drive the implementation of multifactor authentication. The main areas covered here are identification and authentication, and single sign-on. In the next screen we will discuss identification and authentication.

Identification and authentication involves proving one's identity, which is authenticated prior to being granted access. It is a critical building block of IS security, in that it is the basis of most access control systems and the first line of defense preventing unauthorized access. I&A also establishes user accountability, linking activities to users. Multifactor authentication is a combination of more than one method, for example token and password or PIN, or token and biometric device. Let us continue discussing identification and authentication in the next slide.
Categories can be something you know (for example a password), something you have (for example a token card), something you are or do (a biometric feature), or where you are. These techniques can be used independently or in combination: single-factor or two-factor authentication. Some of the common vulnerabilities expected are weak authentication methods, the potential for bypassing the authentication mechanism, lack of confidentiality and integrity of stored authentication information, lack of encryption for transmitted authentication information, and lack of user knowledge regarding the risks of sharing authentication elements, for example passwords. In the next few screens we will discuss identification and authentication with logon IDs and passwords.

Logon IDs and passwords are a two-phase user identification and authentication process based on something you know: the logon ID provides individual identification and the password individual authentication. It is used to restrict access to computerized information, transactions, programs and system software. It may involve an internal list of valid logon IDs and a corresponding set of access rules for each logon ID. The access rules can be specified at the OS level, controlling access to files, or within individual applications, controlling access to menu functions and types of data. Features of passwords include: easy for the user to remember but difficult for a perpetrator to guess; when the user logs on for the first time, the system should force a password change to improve confidentiality; a limited number of logon attempts, typically three; user verification for forgotten passwords; internal one-way encryption, and not displayed in any form; changed periodically, for example every 30 days; and unique, because if a password is known by more than one person, responsibility for activity cannot be enforced. Password syntax (format) rules: ideally a minimum of eight characters in length; a combination of at least three of the following: alphabetic, numeric, upper and lower case, and special characters; some prohibit the use of vowels; not particularly identifiable to the user; the system should enforce regular change of passwords, for example after every 30 days; no reuse of previous passwords, for example for at least one year after being changed; deactivate dormant logon IDs; and automatic session inactivity timeouts. Powerful user IDs and accounts, such as supervisor and administrator accounts, should be strictly controlled, as these could have full access to the system. The administrator password should be known only by one person; however, the password should be kept in a sealed envelope for business continuity. Let us proceed to the next slide for more on passwords.

Token devices and one-time passwords are a two-factor authentication technique, for example a microprocessor-controlled smart card which generates unique, time-dependent one-time passwords called session passwords. Each is good for only one logon session. The users enter this password along with the password they have memorized to gain access to the system. The technique is characterized by a unique session characteristic (ID or time) appended to the password, and it involves something you have (a device, which is subject to theft) and something you know (a PIN). In the next screen we will learn about identification and authentication.
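As an added worked example (not from the course), here is a Python sketch of the password controls and the token-based second factor described in the last two screens: a syntax check (at least eight characters and three of four character classes, with the classes taken as lowercase, uppercase, digits and specials, which is this example's reading of the rule), salted one-way hashing so the stored value is never displayed or reversible, lockout after three failed attempts, and a time-dependent one-time password computed as in RFC 6238 (HMAC-SHA1 over a 30-second counter), the standard that the course's time-dependent "session password" token most closely resembles. The logon ID, password, token seed and timestamps are constructed for the example.

```python
import hashlib
import hmac
import os
import string
import struct
import time

MAX_ATTEMPTS = 3         # lockout threshold from the course ("typically three")
MIN_LENGTH = 8           # minimum password length from the course
TIME_STEP = 30           # seconds per one-time password (RFC 6238 default)
PBKDF2_ROUNDS = 200_000


def password_meets_syntax(password: str) -> bool:
    """At least eight characters and at least three of four character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


def hash_password(password: str, salt: bytes = None) -> tuple:
    """One-way, salted hash; the clear-text password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """Time-dependent one-time password (RFC 6238 with HMAC-SHA1)."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class LogonService:
    """Two-factor logon: memorized password plus token-generated session password."""

    def __init__(self):
        self.users = {}      # logon_id -> {salt, digest, secret, failures, locked}

    def enrol(self, logon_id: str, password: str, token_secret: bytes) -> None:
        if not password_meets_syntax(password):
            raise ValueError("password does not meet syntax rules")
        salt, digest = hash_password(password)
        self.users[logon_id] = {"salt": salt, "digest": digest,
                                "secret": token_secret, "failures": 0, "locked": False}

    def logon(self, logon_id: str, password: str, otp: str, now: int = None) -> str:
        """Returns 'ok', 'denied' or 'locked'; the OTP is valid for one time step only."""
        user = self.users.get(logon_id)
        if user is None:
            return "denied"             # same answer as a bad password: no ID enumeration
        if user["locked"]:
            return "locked"
        now = int(time.time()) if now is None else now
        pw_ok = verify_password(password, user["salt"], user["digest"])
        otp_ok = hmac.compare_digest(otp, totp(user["secret"], now))
        if pw_ok and otp_ok:
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        if user["failures"] >= MAX_ATTEMPTS:
            user["locked"] = True       # dormant until an administrator resets it
            return "locked"
        return "denied"


def demo() -> dict:
    svc = LogonService()
    secret = b"constructed-demo-seed-value"          # would come from the token issuer
    svc.enrol("jdoe", "Tr0ub4dor&3x", secret)
    t0 = 1_700_000_000                               # constructed timestamp
    good_code = totp(secret, t0)
    results = {
        "weak_rejected": password_meets_syntax("password"),
        "good_logon": svc.logon("jdoe", "Tr0ub4dor&3x", good_code, now=t0),
        "stale_code": svc.logon("jdoe", "Tr0ub4dor&3x", good_code, now=t0 + 2 * TIME_STEP),
    }
    for _ in range(2):                               # two more failures reach the threshold
        svc.logon("jdoe", "wrong-password", good_code, now=t0)
    results["after_three_failures"] = svc.logon("jdoe", "Tr0ub4dor&3x", good_code, now=t0)
    return results


if __name__ == "__main__":
    print(demo())
```

Note how the stale session password counts as a failed attempt even though the memorized password was right, so a stolen token code from an earlier session does not get a free retry, and how the account, once locked, stays locked until an administrator intervenes, which is the reason the course insists on strict control of administrator accounts.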
Biometric access control: biometric security access control is the best means of authenticating a user's identity based on a unique, measurable attribute or trait for verifying the identity of a human being. It restricts computer access based on a physical (something you are) or behavioral (something you do) feature of the user, for example a fingerprint or eye retina pattern. A reader interprets the individual's biometric features before permitting authorized access. However, it is not a foolproof process; certain biometric features can change, for example scarred fingerprints or a change in voice. The final template is derived through an iterative averaging process of acquiring samples. Let us continue discussing identification and authentication and biometric access control. Physically oriented biometrics are palm, hand geometry, iris, retina, fingerprint and face. Behavior-oriented biometrics can be signature recognition and voice recognition. In the next few screens we will discuss identification and authentication with single sign-on (SSO).

Single sign-on (SSO) is a consolidation of the organization's platform-based administration, authentication and authorization functions. It interfaces with client-server and distributed systems, mainframe systems and network security, including remote access. The primary domain handles the first instance where user credentials are entered, and the secondary domain is any other resource that uses these credentials. Single sign-on (SSO) challenges: overcoming the heterogeneous nature of diverse architectures, networks, platforms, databases and applications requires an understanding of each system's authorization rules, audit logs and ports, allowing host systems to control the set of users allowed access to particular host systems. SSO advantages: multiple passwords are not required; users are motivated to select stronger passwords; efficiency in managing users and their authorizations; reduced administrative overhead for resetting passwords; efficiency of disabling or deactivating user accounts; and reduced logon time. SSO disadvantages: a single point of network failure; few software solutions accommodate all major OSs; substantial interface development is required; and development is costly. In the next screen we will discuss logical access security administration.

Logical access security administration can be centralized or decentralized. Advantages of decentralized administration: administration on site at the distributed location; timely resolution of issues; and more frequent monitoring. Controlling remote and distributed sites involves software access controls; physical access controls (lockable terminals, locked computer rooms); control over dial-in facilities, modems and laptops; controls over access to system documentation; controls over data transmission (access, accuracy, completeness); and controls over replicated files and their updates (accuracy and reduced duplication). Let us continue our discussion about logical access security administration. Risks associated with decentralized administration: local standards, rather than organizational standards, may be implemented; the level of security management may be below that of the central site; and unavailability of management checks and audits by the central site. In the next screen we will discuss remote access security.

The business need for remote access is to provide users with the same functionality that exists within their offices. The components of remote access are the remote environment (employees, branches, laptops), the telecommunication infrastructure (the carrier used), the corporate computing infrastructure, corporate connecting devices and communication software.
Remote access risks include denial of service, malicious third-party access, misconfigured communication software, misconfigured devices, host systems not secured appropriately, and physical security weaknesses at the remote stations.

Let us continue discussing remote access security in the next screen. Remote access methods are analog modems and the public telephone network, dedicated network connections, proprietary circuits, and TCP/IP internet-based remote access. The remote access controls are policy and standards, proper authorization, identification and authentication mechanisms, encryption tools and techniques, and system and network management.

In the next screen we will discuss PDAs and mobile technology. PDAs augment desktops and laptops due to their ease of use and functionality. The inherent risks are that they are easy to steal, easy to lose, and give ready access to the information stored on them. Access issues with mobile technologies include flash disks and their controls. Let us continue discussing PDAs and mobile technology in the next screen. Control issues to address are: compliance with policies and procedures, including approval for PDA use; awareness of responsibilities and due care; compliance with security requirements; authorization and approval of use; standard PDA applications, authorized and licensed; synchronization, backup and updating; encryption; virus detection and control; device registration; camera use; and audit logging and monitoring.

System access: most access control software automatically logs and reports all access attempts, successes and failures. This provides management with an audit trail to monitor activities, and it facilitates accountability. Access rights to system logs should be granted for review purposes only; this is a form of security against modification. Let us continue discussing system access in the next screen. The tools for analysis of audit log information are audit reduction tools, which filter out insignificant data; trend and variance detection tools; and attack signature detection tools. Reviewing audit logs monitors patterns or trends, violations, and/or use of incorrect passwords. Restricting and monitoring access covers features that bypass security and are accessed by software programmers, including bypass label processing (BLP), system exits and special system logon IDs.

You will now attempt a question to test what you have learned so far. In this topic we will learn about the concepts in knowledge statement 5.5. Let us discuss risks and controls associated with virtualized systems. This slide covers the risks and controls associated with virtualization of systems.
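Before moving on to virtualization, here is the audit log review described in the system access screens above (audit reduction, trend and variance detection, review of incorrect password use, and monitoring of special system logon IDs) as an added Python example. It is not code from the course or from any product: the audit records, the user names and the privileged logon ID SYSEXIT are constructed for illustration, and the detection thresholds are assumptions a reviewer would tune to their own environment.

```python
"""Audit log review over a constructed host audit trail (added example):
audit reduction, trend/variance detection, incorrect-password pattern review
and monitoring of special system logon IDs."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample audit trail, one record per line: day user event outcome.
# User names and the privileged ID "SYSEXIT" are hypothetical.
SAMPLE_LOG = """\
1 alice LOGON SUCCESS
1 alice FILE_READ SUCCESS
1 bob LOGON FAILURE
1 bob LOGON SUCCESS
1 carol LOGON SUCCESS
2 alice LOGON SUCCESS
2 bob LOGON SUCCESS
2 carol LOGON SUCCESS
3 alice LOGON SUCCESS
3 bob LOGON FAILURE
3 bob LOGON SUCCESS
3 carol LOGON SUCCESS
4 alice LOGON SUCCESS
4 bob LOGON FAILURE
4 bob LOGON FAILURE
4 bob LOGON FAILURE
4 bob LOGON FAILURE
4 bob LOGON FAILURE
4 bob LOGON FAILURE
4 bob LOGON FAILURE
4 bob LOGON SUCCESS
4 carol LOGON SUCCESS
4 SYSEXIT LOGON SUCCESS
4 alice FILE_READ SUCCESS
"""

# Hypothetical logon IDs that bypass normal security (e.g. system exits) and
# therefore must be reviewed whenever they are used.
SPECIAL_IDS = frozenset({"SYSEXIT"})


@dataclass(frozen=True)
class Record:
    day: int
    user: str
    event: str
    outcome: str


def parse(text):
    """Parse 'day user event outcome' lines into Record objects."""
    records = []
    for line in text.splitlines():
        if line.strip():
            day, user, event, outcome = line.split()
            records.append(Record(int(day), user, event, outcome))
    return records


def reduce_log(records, special_ids=SPECIAL_IDS):
    """Audit reduction: drop routine successes, keep failures and any use of a
    special logon ID, so the reviewer sees only the significant records."""
    return [r for r in records if r.outcome == "FAILURE" or r.user in special_ids]


def failed_logons_per_day(records):
    """Daily count of failed logons (incorrect passwords), zero-filled."""
    counts = {day: 0 for day in sorted({r.day for r in records})}
    for r in records:
        if r.event == "LOGON" and r.outcome == "FAILURE":
            counts[r.day] += 1
    return counts


def variance_alerts(daily_counts, z=2.0, min_delta=2):
    """Trend/variance detection: flag a day whose count exceeds the baseline
    formed by the other days by z standard deviations (and by at least
    min_delta, so a flat baseline with zero deviation does not flag noise)."""
    flagged = []
    for day, count in daily_counts.items():
        baseline = [c for d, c in daily_counts.items() if d != day]
        if not baseline:
            continue
        limit = mean(baseline) + max(z * pstdev(baseline), min_delta)
        if count > limit:
            flagged.append(day)
    return flagged


def repeated_failures(records, limit=5):
    """Pattern review: (day, user, n) for users with >= limit failed logons in a day."""
    per_user_day = defaultdict(int)
    for r in records:
        if r.event == "LOGON" and r.outcome == "FAILURE":
            per_user_day[(r.day, r.user)] += 1
    return sorted((d, u, n) for (d, u), n in per_user_day.items() if n >= limit)


def special_id_use(records, special_ids=SPECIAL_IDS):
    """Every use of a security-bypassing logon ID is reported, success or not."""
    return [r for r in records if r.user in special_ids]


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("significant records:", len(reduce_log(recs)))
    daily = failed_logons_per_day(recs)
    print("failed logons per day:", daily)
    print("variance alerts (days):", variance_alerts(daily))
    print("repeated failures:", repeated_failures(recs))
    print("special ID use:", special_id_use(recs))
```

The variance check compares each day against the other days rather than against an average that includes the day itself, so a single bad day does not inflate its own baseline; the min_delta floor handles the edge case of a perfectly flat history, where the standard deviation is zero and any change at all would otherwise be flagged.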
Virtualization provides an organization with a significant opportunity to increase efficiency and decrease costs in its IT operations. The IS auditor needs to know the different advantages and disadvantages, and needs to consider whether the enterprise has considered the applicable risks in its decision to adopt, implement and maintain this technology. At a high level, virtualization allows multiple operating systems (OSs), or guests, to coexist on the same physical server, or host, in isolation from one another.

Let us continue discussing risks and controls associated with virtualized systems in the next screen. Virtualization creates a layer between the hardware and the guest OSs to manage shared processing and memory resources on the host machine. A management console often provides administrative access to manage the virtualized system. Virtualization introduces additional risks that the enterprise must manage effectively. The key risk is that the host represents a single point of failure within the system: a successful attack on the host could result in a compromise that is very large in impact. The main area covered here is virtualization.

You will now attempt a question to test what you have learned so far. In this topic we will learn about the concepts in knowledge statement 5.6. Let us discuss network security controls in the next screen. Knowledge of the configuration, implementation, operation and maintenance of network security controls is what we will learn in this slide. Enterprises can effectively prevent and detect most attacks on their networks by employing perimeter security controls.
Firewalls and intrusion detection systems (IDS) provide protection and critical alert information at the borders between trusted and untrusted networks. Proper implementation and maintenance of firewalls and IDS is critical to a successful in-depth security program. The IS auditor must understand the level of intruder detection provided by the different possible locations of the IDS, and the importance of policies and procedures to determine the action required by security and technical staff when an intruder is reported. The main areas covered here are internet threats and security.

In the next few screens we will discuss network infrastructure security. The table demonstrates network infrastructure security. Auditing use of the internet involves ensuring a business case for email communication, marketing, customer communication, a sales channel or e-commerce channel for delivery of goods and services (online stores, internet banking), and information gathering (research). Auditing networks: review network diagrams to identify the networking infrastructure and network design; also review the network management policies, procedures, standards and guidance distributed to staff; besides that, identify responsibility for security and operation, and review staff training, duties and responsibilities. You will further review legal issues regarding the use of the internet, service level agreements with third parties, and network administrator procedures. Auditing remote access involves identifying all remote access facilities and ensuring they have been documented, reviewing policies governing the use of remote access, reviewing the architecture, identifying points of entry and assessing their controls, testing dial-up access controls, and reviewing them in relation to business requirements. General network controls are functions performed by technically qualified operators; these functions are separated and rotated regularly. Apply least privilege access rights for operators. The audit trail of operator activities must be periodically reviewed by management. Network operation standards must be documented. A review of workload balance, response times and system efficiency must also be performed. Further, consider terminal authentication and data encryption. Some of the network management control software includes Novell NetWare, Windows NT/2000 and Unix.

You will now attempt a question to test what you have learned so far. In this topic we will learn about the concepts in knowledge statement 5.7. Let us discuss network and internet security devices, protocols and techniques in the next screen. The key knowledge to learn in this topic is network and internet security devices, protocols and techniques. Application and evaluation of technologies to reduce risk and secure data depends on a proper understanding of security devices, their functions, and the protocols used in delivering functionality. An organization implements specific applications of cryptographic systems in order to ensure the confidentiality of important data. There are a number of cryptographic protocols which provide secure communications on the internet.
Additionally, the security landscape is filled with technologies and solutions to address many needs. Solutions include firewalls, intrusion detection and prevention devices, proxy devices, web filters, antivirus and anti-spam filters, data leak protection functionality, identity and access control mechanisms, secured remote access, and wireless security. Understanding a solution's function and its application to the underlying infrastructure requires knowledge of the infrastructure itself and the protocols in use. In the next screen we will see the main areas to be covered under this topic. The main areas covered here are encryption and network infrastructure security.

In the next few screens we will learn about firewalls. A firewall is a security perimeter for corporate networks connecting to the internet, aimed at preventing external intruders and untrusted internal users (internal hackers). It applies rules to control network traffic flowing in and out of a network, allowing users to access the internet and stopping hackers or others on the internet from gaining access to the network. The guiding principle used is least privilege, on a need-to-use basis.
General firewall features: a firewall is a combination of hardware (routers, servers) and software, and it should control the most vulnerable point between a corporate network and the internet. General functions of firewalls include blocking access to particular sites; limiting traffic on public services to the relevant ports; preventing access to certain servers and/or services; monitoring and recording communication between internal and external networks (network penetration, internal subversion); encryption and VPN; and acting as a single choke point, concentrating security on a single system. General techniques used to control traffic are service control (IP address, TCP port), direction control (direction of traffic), user control (based on user rights) and behaviour control (based on how services are being used, for example filtering email for spam).

In the next few screens we will discuss types of firewalls. The types of firewalls are router packet filtering, application firewall systems, and stateful inspection firewalls. A router packet filtering firewall is deployed between the private network and the internet. Screening routers examine packet headers to ascertain the IP addresses (identity) of the sender and receiver and the authorized port numbers allowed to use the information transmitted (the kind of internet service being used). This information is used to prevent certain packets from being sent between the network and the internet. The common attacks against packet filtering are IP spoofing, source routing specification and the miniature fragment attack. This method is simple and stable. The demerit is that it is easily weakened by improperly configured filters; also, it is unable to prevent attacks tunnelled over permitted services. The diagram in the slide describes this type of firewall.

Application firewall systems: this type of firewall allows information flow between internal and external systems but does not allow direct exchange of packets. Host applications must be secured against threats posed by allowed packets. They rest on hardened operating systems, for example Windows NT or Unix. It works at the application layer of the OSI model; the firewall analyzes packets through a series of proxies, one for each service. There are two types, application-level firewalls and circuit-level firewalls. Application-level firewalls analyze packets through a series of proxies, one for each service; circuit-level firewalls validate TCP and UDP sessions through a single general-purpose proxy. The diagram in the slide demonstrates this. Application firewall systems are set up as proxy servers acting on behalf of network users. They employ bastion hosting: a host heavily fortified against attack, handling all incoming requests from the internet to the network. A single host makes security maintenance easier: if it is compromised, only the firewall system is compromised, not the network.

In the next screen we will discuss types of firewalls and firewall issues. Stateful inspection firewalls track the destination IP address of each packet leaving the network and reference responses to the requests that went out: they map the source IP addresses of incoming packets to the destination IP addresses of outgoing requests. This prevents attacks initiated and originated by outsiders. The main advantage is that it is more efficient than application firewall systems; the disadvantage is that it is more complex to administer. Issues related to firewalls: a false sense of security (that no additional internal controls are needed); weak against internal threats, for example a disgruntled employee cooperating with an external attacker; cannot protect against attacks that bypass the firewall, for example modem dial-in; misconfigured firewalls; misunderstanding of what constitutes a firewall; monitoring activities not done regularly.

In the next screen we will discuss implementation of firewalls. Firewalls can be implemented in three ways: screened host firewall, dual-homed firewall, and demilitarized zone (screened subnet) firewall. In the next screen we will discuss the screened host firewall. Screened host firewall: this method utilizes packet filtering and a bastion host (proxy services). The bastion host connects to the internal network, and a packet filtering router is installed between the internet and the bastion host. An intruder has to penetrate two systems before the network is compromised. Internal hosts reside on the same network as the bastion host; security policies determine whether hosts connect directly to the internet or use the proxy services of the bastion host. In the next screen we will discuss the dual-homed firewall. This type of implementation is a more restrictive form of screened host firewall: one interface is established for information servers and a separate interface for private network hosts, so direct traffic to internal hosts is physically prevented, as explained in the diagram. In the next screen we will discuss the demilitarized zone (screened subnet) firewall, or DMZ. This mode utilizes two packet filtering routers and a bastion host. It is the most secure firewall system and supports network- and application-level security. The separate DMZ functions as an isolated network for public servers, proxy servers and modem pools. Key benefits are that the intruder must penetrate three separate devices, the private network addresses are not disclosed to the internet, and internal systems do not have direct access to the internet.

In the next screen we will discuss intrusion detection systems (IDS). Intrusion detection systems (IDS) monitor network usage anomalies.
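Before going further into IDS, here is the screening router (stateless packet filter) and stateful inspection behaviour described in the firewall screens above, as an added Python example that is not part of the course material or any firewall product. The private network 10.0.0.0/24, the mail server address, the permitted services and the packets are all constructed. The example shows why a stateless filter that must admit web replies on the strength of their source port is weaker than a stateful table that admits only replies to requests it saw going out, and it includes the direction check that addresses the IP spoofing attack the text lists against packet filters.

```python
"""Screening router (stateless packet filter) beside a stateful inspection
firewall, run over constructed packets (added example)."""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/24")   # constructed private network
MAIL_SERVER = ipaddress.ip_address("10.0.0.25")  # constructed public mail server
PERMITTED_OUTBOUND_PORTS = {80, 443}              # service control: web only


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = internet -> private network, "out" = the reverse
    src: str
    sport: int
    dst: str
    dport: int


def _spoofed(pkt):
    # Direction control: a packet arriving from the internet must not claim an
    # internal source address (the IP spoofing attack against packet filters).
    return pkt.direction == "in" and ipaddress.ip_address(pkt.src) in INTERNAL


def stateless_filter(pkt):
    """Screening router: decides on headers alone, with no memory of earlier packets."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if _spoofed(pkt):
        return ("deny", "inbound packet with internal source address")
    if pkt.direction == "out":
        if src in INTERNAL and pkt.dport in PERMITTED_OUTBOUND_PORTS:
            return ("allow", "permitted outbound service")
        return ("deny", "outbound service not permitted")
    if dst == MAIL_SERVER and pkt.dport == 25:
        return ("allow", "public mail service")
    # To let web replies back in, a stateless filter has to trust the source
    # port; an outsider can reuse port 80 to reach any internal high port.
    if dst in INTERNAL and pkt.sport in PERMITTED_OUTBOUND_PORTS and pkt.dport >= 1024:
        return ("allow", "looks like a reply (source port only)")
    return ("deny", "no matching rule")


class StatefulFirewall:
    """Tracks outgoing requests and admits only replies that match them."""

    def __init__(self):
        self.table = set()  # (internal ip, internal port, external ip, external port)

    def decide(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if _spoofed(pkt):
            return ("deny", "inbound packet with internal source address")
        if pkt.direction == "out":
            if src in INTERNAL and pkt.dport in PERMITTED_OUTBOUND_PORTS:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return ("allow", "permitted outbound service, request recorded")
            return ("deny", "outbound service not permitted")
        if dst == MAIL_SERVER and pkt.dport == 25:
            return ("allow", "public mail service")
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return ("allow", "reply to a recorded outbound request")
        return ("deny", "unsolicited inbound packet")


# Constructed traffic; the external addresses are documentation ranges, not real hosts.
SAMPLE_PACKETS = [
    Packet("out", "10.0.0.5", 40000, "203.0.113.10", 80),   # user browses the web
    Packet("in", "203.0.113.10", 80, "10.0.0.5", 40000),    # genuine reply
    Packet("in", "198.51.100.7", 80, "10.0.0.5", 40001),    # unsolicited, source port 80
    Packet("in", "198.51.100.7", 55555, "10.0.0.25", 25),   # mail delivery
    Packet("in", "198.51.100.7", 55555, "10.0.0.5", 23),    # telnet to a workstation
    Packet("out", "10.0.0.5", 40002, "203.0.113.10", 23),   # outbound telnet
    Packet("in", "10.0.0.9", 80, "10.0.0.5", 40000),        # spoofed internal source
]


def compare(packets):
    """Return [(stateless decision, stateful decision)] for each packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_filter(p)[0], fw.decide(p)[0]) for p in packets]


if __name__ == "__main__":
    for p, (a, b) in zip(SAMPLE_PACKETS, compare(SAMPLE_PACKETS)):
        print(f"{p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport}  "
              f"stateless={a:5} stateful={b}")
```

Only the third packet separates the two designs: the screening router admits it because its source port looks like a web server, while the stateful firewall rejects it because no internal host asked 198.51.100.7 for anything. Both designs still depend on correct rules; the anti-spoofing check and the egress service control are the kind of rule whose absence the text calls an improperly configured filter.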
It is used together with firewalls and routers. It continuously operates in the background, and the administrator is alerted when intrusions are detected. It protects against external and internal misuse. IDS components: the sensor, which collects data (network packets, log files, system call traces); the analyzer, which receives input from the sensors and determines intrusive activity; and the admin console (user interface). Let us continue discussing intrusion detection systems (IDS) in the next screen. IDS are categorized into network-based IDS (NIDS), which identify attacks within a network, and host-based IDS (HIDS), which are configured for a specific environment and monitor the internal resources of systems. IDS types are signature-based (intrusion patterns stored as signatures, limited by the detection rules), statistical-based (monitors expected behaviour), and neural networks (similar to statistical but adding learning functionality). A signature and statistical combination offers better protection.

In the next screen we will learn about IDS and intrusion prevention systems (IPS). The key features of intrusion detection systems are intrusion detection and alerts, gathering evidence, automated response (for example disconnect), security policy administration and monitoring, interfaces with system tools, and logging facilities. IDS limitations include weaknesses in policy definition, application-level vulnerabilities, back doors to applications, and weaknesses in identification and authentication schemes. Let us continue discussing IDS and intrusion prevention systems (IPS) in the next screen. Intrusion prevention systems (IPS): IPS is closely related to IDS. It is designed to detect and prevent attacks by predicting an attack before it happens, hence limiting damage or disruption to the systems that are attacked. It must be properly configured and tuned to be effective.

In the next screen we will learn about honeypots and honeynets. A honeypot is a software application that pretends to be an unprotected server on the internet and is not set up to actively protect against break-ins; rather, honeypots act as decoy systems that lure hackers and therefore are attractive to hackers. The more a honeypot is targeted by an intruder, the more valuable it becomes. A honeypot is technically related to IDSs and firewalls, but it has no real production value as an active sentinel of networks. The two basic types of honeypots are high interaction (gives hackers a real environment to attack) and low interaction (emulates production environments). A honeynet is multiple honeypots networked together to simulate a larger network installation. A honeynet lets hackers break into the false network while allowing investigators to watch their every move through a combination of surveillance technologies.

You will now attempt a question to test what you have learned so far. In this topic we will learn about the concepts in knowledge statement 5.8. Let us discuss information system attack methods and techniques in the next screen. The candidate needs to grasp the knowledge of information system attack methods and techniques covered under this topic. Risks arise from vulnerabilities, whether technical or human, within an environment. Several attack techniques exploit those vulnerabilities and may originate either within or outside the organization. Computer attacks can result in proprietary or confidential data being stolen or modified, loss of customer confidence and market share, embarrassment to management, and legal actions against an organization. Let us continue discussing information system attack methods and techniques in the next screen. Understanding the methods, techniques and exploits used to compromise an environment provides the IS auditor with a more complete context for understanding the risk an organization faces. The IS auditor should understand enough of these attack types to recognize their risk to the business and how they should be addressed by appropriate controls. The IS auditor should understand the concept of social engineering, since these attacks can circumvent the strongest technical security; the only effective control is regular user education. The main areas covered here are computer crime issues and exposures, and wireless security threats and risk mitigation.

In the next few screens we will discuss computer crime issues and exposures. Computer crimes can be committed from various sources, including: the computer is the object of the crime (the perpetrator uses another computer to launch an attack); the computer is the subject of the crime (the perpetrator uses a computer to commit the crime, and the target is another computer); the computer is the tool of the crime (the perpetrator uses a computer to commit the crime, but the target is not the computer but instead data stored on the computer); the computer symbolizes the crime (the perpetrator lures the user of computers into giving up confidential information, for example by social engineering methods). Common attack methods and techniques include alteration attacks, botnets, brute force attacks, denial of service (DoS) attacks, dial-in penetration attacks, war dialing, eavesdropping, email bombing and spamming, and email spoofing. More common attack methods and techniques include flooding, interrupt attacks, malicious code, man-in-the-middle attacks, masquerading, message
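As an added example that is not from the course, the signature-based and statistical-based IDS approaches from the earlier IDS screens are applied, from the defender's side, to two of the attack methods listed above, flooding and brute force, plus one request carrying a known pattern. The events, the addresses (documentation ranges), the window size and the two signature strings are constructed; the point is the one the text makes, that the combination of the two approaches flags what either one alone misses.

```python
"""Signature-based and statistical-based intrusion detection over constructed
network events (added example), showing why the combination is stronger."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    t: int        # seconds since start of capture
    src: str
    dport: int
    payload: bytes


# Constructed signature rules: known intrusion patterns stored as byte strings.
SIGNATURES = {
    "dir-traversal": b"../../../etc/passwd",
    "smtp-user-probe": b"VRFY ",
}


def signature_alerts(events):
    """Signature-based IDS: flag any event whose payload contains a stored pattern.
    Limited by its rules: traffic matching no signature is never flagged."""
    return [(e.t, e.src, name) for e in events
            for name, sig in SIGNATURES.items() if sig in e.payload]


def per_source_rates(events, window):
    """Map window index -> Counter of events per source address."""
    rates = defaultdict(Counter)
    for e in events:
        rates[e.t // window][e.src] += 1
    return rates


class StatisticalDetector:
    """Statistical-based IDS: learns expected per-source activity from normal
    traffic and flags sources whose rate leaves that expected range."""

    def __init__(self, window=10, z=3.0):
        self.window, self.z = window, z
        self.mean = self.sd = None

    def train(self, normal_events):
        samples = [n for counter in per_source_rates(normal_events, self.window).values()
                   for n in counter.values()]
        self.mean, self.sd = mean(samples), pstdev(samples)

    def alerts(self, events):
        limit = self.mean + max(self.z * self.sd, 1.0)  # floor keeps a flat baseline sane
        return [(w, src, n)
                for w, counter in sorted(per_source_rates(events, self.window).items())
                for src, n in counter.items() if n > limit]


def combined_sources(events, detector):
    """Union of the sources flagged by either approach."""
    sig = {src for _, src, _ in signature_alerts(events)}
    stat = {src for _, src, _ in detector.alerts(events)}
    return sig | stat


def make_normal_traffic():
    """Constructed baseline: three sources with steady, low web activity."""
    events = []
    for w in range(5):
        for src, n in (("192.0.2.1", 3), ("192.0.2.2", 2), ("192.0.2.3", 4)):
            for i in range(n):
                events.append(Event(w * 10 + i, src, 80, b"GET /index.html"))
    return events


def make_test_traffic():
    """Constructed capture of one window: normal use, a flood, one known-pattern
    request, and a rapid series of logon attempts against port 22."""
    base = 100
    events = [Event(base + i, "192.0.2.1", 80, b"GET /index.html") for i in range(3)]
    events += [Event(base + i % 10, "198.51.100.7", 80, b"") for i in range(40)]  # flooding
    events += [Event(base + 2, "198.51.100.8", 80, b"GET /../../../etc/passwd")]  # known pattern
    events += [Event(base + i % 10, "198.51.100.9", 22, b"SSH-2.0-client")
               for i in range(12)]                                               # brute force
    return events


if __name__ == "__main__":
    det = StatisticalDetector()
    det.train(make_normal_traffic())
    test = make_test_traffic()
    print("signature:", signature_alerts(test))
    print("statistical:", det.alerts(test))
    print("combined:", sorted(combined_sources(test, det)))
```

The single traversal request is invisible to the statistical detector, because one connection is well within the learned rate; the flood and the brute force attempts are invisible to the signature detector, because nothing in their payloads matches a rule. Tuning matters in the way the text says for IPS as well: a z threshold too low flags the normal sources, one too high lets the brute force source through.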
documentation, evaluating general cleanliness, doors, windows, walls, curtains, ceilings, raised floors and ventilation.

You will now attempt a question to test what you have learned so far. In this topic we will learn about the concepts in knowledge statement 5.20. Let us discuss environmental protection devices and supporting practices in the next screen. A CISA candidate has to have a knowledge of environmental protection devices and supporting practices. Certain natural and man-made events have the ability to do great damage to an organization's information systems and business processes. Most data centers have mechanisms to prevent, detect or mitigate the impact of these threats; however, it is important that the readiness and sufficiency of these controls be periodically tested by management to ensure that they will function as intended. The IS auditor should understand the nature of these controls and how to ensure that they are functioning properly and are adequate to protect the organization. Let us continue discussing environmental protection devices and supporting practices. Environmental controls generally include fire and smoke detectors, fire suppression systems, water detectors, and temperature and humidity controls. The IS auditor should know the relative merits of different fire suppression systems and in what circumstances one type is more appropriate than another. The main areas of coverage are environmental exposures and controls.

In the next few screens we will discuss environmental exposures and controls. The environmental exposures include natural events like lightning storms, earthquakes, etc. Power failures are of particular concern: total failure (blackouts), severely reduced voltage (brownouts), sags, spikes and surges, and electromagnetic interference (EMI) caused by electrical storms or noisy electrical equipment. Other exposures are static electricity, magnetic fields, water damage and flooding, fire, man-made threats such as terrorism and vandalism, smoke, food, and natural elements (humidity, dust, temperature). Environmental controls: power continuity, with power generators for long-term power interruptions, surge protectors at least on all expensive equipment, UPS devices for sags, spikes and surges, an emergency power-off switch, and redundant power lines, for example leads from two substations. Fire controls: fire extinguishers strategically placed throughout the facility; fire suppression systems, either water-based sprinklers (which damage equipment) or dry pipe sprinklers, Halon systems or CO2-based systems; regular inspection by the fire department; also use of audible fire alarms and smoke detectors, having defined responsibilities, marked locations, and fireproof walls, floors and ceilings. More environmental controls that can be applied are strategically locating the computer room (not in a basement), raised floors and water detectors (water), proper ventilation, humidity and temperature control, wiring placed in fire-resistant panels and conduits, prohibiting eating, drinking and smoking within information processing facilities, and a documented and tested emergency evacuation plan. Auditing environmental controls involves checking that systems work as specified and are inspected and tested at least once a year, placing and assigning responsibility to the concerned persons, maintaining communication and awareness, and having a business continuity plan that will be used in case of a disaster; this plan should be fully documented and tested.

You will now attempt a question to test what you have learned so far. In this topic we will learn about the concepts in knowledge statement 5.21. Let us discuss handling confidential information assets in the next few screens. Knowledge of the processes and procedures used to store, retrieve, transport and dispose of confidential information assets is key for a CISA candidate to learn. Confidential information assets are vulnerable during storage, retrieval and transport, and must be disposed of properly. Management should define and implement procedures to prevent unauthorized access to, or loss of, sensitive information and software from computers, disks and other equipment or media when they are stored, transported or transmitted, and during processing, retrieval and output. The IS auditor should also understand the need for correct disposal of information and media, in order to ensure that no unauthorized person gains access to the information by restoration or recreation. Thus we will mainly discuss storing, retrieving, transporting and disposing of confidential information assets. In the next slide let us discuss handling confidential information. Storing, retrieving, transporting and disposing of confidential information need procedures to prevent access to or loss of sensitive information and software. Further controls are required for backup files and databases (data banks), disposal of media previously used to hold confidential information, management of equipment sent for off-site maintenance, and public agencies and organizations concerned with sensitive, critical or confidential information (e-tokens, electronic keys, storage records). Let us continue discussing handling confidential information in the next screen. Preserve information during shipment or storage by keeping it out of direct sunlight, keeping it free of dust, keeping it free of liquids, minimizing exposure to magnetic fields, radio equipment or any sources of vibration, and not air-transporting it in areas and at times of exposure to a strong magnetic storm.

You will now attempt a question to test what you have learned so far. Protection of information assets:
information assets one a long asymmetric encryption key
one a long asymmetric encryption key public key encryption increases
public key encryption increases encryption overhead cost two creating
encryption overhead cost two creating user accounts that automatically expire
user accounts that automatically expire by predetermined date is an effective
by predetermined date is an effective control for granting temporary access to
control for granting temporary access to vendors and external support Personnel
vendors and external support Personnel three worms are malicious programs that
three worms are malicious programs that can run independently and can propagate
can run independently and can propagate without the aid of a carrier program
without the aid of a carrier program such as email four identifying Network
such as email four identifying Network applications such as mail web of FTP
applications such as mail web of FTP servers to be externally accessed is an
servers to be externally accessed is an initial step in creating a proper
initial step in creating a proper firewall
firewall policy five SSL protocol provides
policy five SSL protocol provides confidentiality through symmetric
confidentiality through symmetric encryption such as data encryption
encryption such as data encryption standard six intrusion detection systems
standard six intrusion detection systems IDs are used to gather evidence of
IDs are used to gather evidence of network attacks seven time stamps are an
network attacks seven time stamps are an effective control for detecting
effective control for detecting duplicate transactions such as payment
duplicate transactions such as payment made or received eight traffic analysis
made or received eight traffic analysis is a passive attack method used by
is a passive attack method used by Intruders to determine potential Network
Intruders to determine potential Network attacks nine file encryption is a good
attacks nine file encryption is a good control for protecting confidential data
control for protecting confidential data that resides on a PC 10 although many
that resides on a PC 10 although many methods of fire suppression exist dry
methods of fire suppression exist dry pipe sprinklers are considered to be the
pipe sprinklers are considered to be the most environmentally friendly 11 logical
most environmentally friendly 11 logical access controls should be reviewed to
access controls should be reviewed to ensure that access is granted on a least
ensure that access is granted on a least privilege basis for the organization's
privilege basis for the organization's data owners 12 a callback system is a
data owners 12 a callback system is a remote access control in which the user
remote access control in which the user initially connects to the network
initially connects to the network systems via dialup access only to have
systems via dialup access only to have the connection terminated by the server
the connection terminated by the server which then subsequently dials back the
which then subsequently dials back the user at a predetermined number stored in
user at a predetermined number stored in the server's configuration database 13
the server's configuration database 13 information system security policies are
information system security policies are used as the framework for developing
used as the framework for developing logical
logical access this concludes the domain on
access this concludes the domain on protection of information assets this is
protection of information assets this is the last domain to be covered in this
the last domain to be covered in this course with this we've come to the end
course with this we've come to the end of this course happy learning