Exam (solutions)

Domain 2 Information Security questions and answer

Pages: 41
Grade: A
Uploaded on: 15-11-2024
Written in: 2024/2025

Sample of the content

Confidentiality -ANSWER>Confidentiality is enabling only authorized persons to access or view
the information.

Integrity -ANSWER>Integrity is assurance that the data has not been improperly altered, is
correct, and is reliable.

Availability -ANSWER>Availability is ensuring that authorized roles and individuals have access
to the information and information systems required to perform their duties without
unreasonable outages.

The internal audit activity may assess information security risks using the following techniques
and tools: -ANSWER>
-ANALYSIS OF REPORTED INCIDENTS: Records can provide valuable information about potential and
actual losses.
-REVIEW OF EXPOSURE STATISTICS: Statistics from insurance carriers, industry associations, and
regulatory agencies can provide guidance about potential risk exposures.
-MAPPING KEY PROCESSES: Developing process maps and identifying potential risk points
provide helpful insights.
-PERIODIC INSPECTIONS: Health and safety inspections can surface compliance lapses and also
uncover opportunities to decrease risks.
-PERIODIC PROCESS AND PRODUCT AUDITS: Such internal audits can incorporate specific
questions to identify potential risks.
-ASSESSMENT OF MANAGEMENT SYSTEM EFFECTIVENESS: Beyond internal audits conducted to
verify conformance to one or more standards or to assess continual improvement, this
technique can identify gaps in management systems that expose the organization to potential
losses.
-SCENARIO ANALYSIS: Tools such as brainstorming and mind mapping are effective to identify
all the consequences that could occur in a worst-case scenario.

Internal Audit's Role in terms of Information Security Management -ANSWER>
-The primary monitoring role over information security (and other areas) is with management
rather than internal audit.
-Internal audit's role is to periodically monitor the effectiveness of information security
management. This includes assessing the organization's information confidentiality, integrity,
and availability practices and recommending, as appropriate, enhancements to, or
implementation of, new controls and safeguards.
-The CAE determines whether information integrity breaches and conditions that might
represent a threat to the organization will promptly be made known to senior management,
the board, and the internal audit activity.
-Internal auditors assess the effectiveness of preventive, detective, and mitigation measures
against past attacks, as appropriate, and future attempts or incidents deemed likely to occur.
They determine whether the board has been appropriately informed of threats, incidents,
vulnerabilities exploited, and corrective measures.

Internal Audit Activity and Security Violation Corrections -ANSWER>It is reasonable to expect
that the internal audit activity will monitor whether and how well information security
violations are corrected when they are discovered (similar to corrective action plans in
response to internal audits). In doing so, the focus of the internal auditor should be to ensure
that the root causes of the security violations are addressed.

Internal Audit Activity and Compliance Related to Security -ANSWER>
-The internal audit activity can report to management and the board on the level of compliance
with security rules, significant violations, and their disposition.
-With regard to information security, high-level compliance can be achieved through the
implementation of codes of practice for information security compliance. An example is
ISO/IEC 27002:2013 (since superseded by ISO/IEC 27002:2022, which regroups the controls into
organizational, people, physical, and technological themes), which:
-Focuses on information security controls and establishes guidelines and general principles for
initiating, implementing, maintaining, and improving information security management in an
organization.
-Contains best practices for control objectives and controls that can be applied by any
organization, regardless of size or industry.

IT General Controls -ANSWER>
-IT general controls (ITGC) are those IT controls that form the basis of the IT control
environment (a framework for ensuring comprehensive information security) and apply to all
systems, components, processes, and data for a given organization or systems environment.
-The other broad category of IT controls is application controls, which relate to a specific
application and so are not general.
-Some ITGCs are business-related, such as segregation of duties, and others are technical and
relate to the underlying IT infrastructure.

Information security needs to be a holistic endeavor so that a strong protection in one area is
not simply bypassed in some other way, such as: -ANSWER>
-An outside person bypassing external access security by accessing the network through
someone's computer with weak protections (or stealing a laptop with sensitive data).
-An unscrupulous programmer adding a backdoor into a computer system during systems
development or a system update.

The effectiveness of ITGCs is measured by... -ANSWER>
-The number of incidents that damage the enterprise's public reputation.
-The number of systems that do not meet security criteria.
-The number of violations in segregation of duties.
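The third metric above, the number of segregation-of-duties violations, is only useful if it can actually be counted from the organization's access data. The following added example (not from the study guide) shows one way to do that: expand each user's roles to effective permissions, test them against a conflict matrix, and report both the violation count and the role pairs that provisioning should refuse to co-assign. All role, permission and user names are constructed sample data.

```python
"""Count segregation-of-duties (SoD) violations over user-role assignments.

Added illustration, not from the study guide. Role, permission and user
names are constructed sample data; a real check would pull them from the
identity provider or ERP role export.
"""
from itertools import combinations

# Constructed role-to-permission mapping (assumed names).
ROLE_PERMISSIONS = {
    "vendor_admin": {"vendor.create", "vendor.update"},
    "ap_clerk": {"invoice.enter"},
    "ap_approver": {"invoice.approve", "payment.release"},
    "developer": {"code.commit"},
    "release_manager": {"code.deploy_prod"},
    "dba": {"db.schema_change", "db.read"},
}

# Conflicting permission pairs: one person holding both defeats the control
# (e.g. creating a vendor and releasing payments to it). Order-independent.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"invoice.enter", "invoice.approve"}),
    frozenset({"code.commit", "code.deploy_prod"}),
}

# Constructed user-role assignments.
USER_ROLES = {
    "alice": {"vendor_admin", "ap_approver"},      # vendor.create + payment.release
    "bob": {"ap_clerk"},
    "carol": {"developer", "release_manager"},     # code.commit + code.deploy_prod
    "dave": {"developer"},
    "erin": {"dba", "ap_clerk", "ap_approver"},    # invoice.enter + invoice.approve
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Expand a user's roles to the union of their permissions."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def sod_violations(user_roles=USER_ROLES, conflicts=SOD_CONFLICTS,
                   role_permissions=ROLE_PERMISSIONS):
    """Return {user: [sorted conflicting pairs]} for every user holding both
    sides of at least one conflict. Users with no violation are omitted."""
    findings = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles, role_permissions)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= perms]
        if hits:
            findings[user] = sorted(hits)
    return findings


def violation_count(user_roles=USER_ROLES, conflicts=SOD_CONFLICTS,
                    role_permissions=ROLE_PERMISSIONS):
    """The ITGC metric: total number of (user, conflict) violations."""
    found = sod_violations(user_roles, conflicts, role_permissions)
    return sum(len(pairs) for pairs in found.values())


def roles_that_conflict(role_permissions=ROLE_PERMISSIONS,
                        conflicts=SOD_CONFLICTS):
    """Preventive view: which pairs of distinct roles must never be
    co-assigned, so the provisioning workflow can block the request before
    a violation exists (a single role containing both sides of a conflict
    is caught by sod_violations instead)."""
    bad = set()
    for r1, r2 in combinations(sorted(role_permissions), 2):
        perms = role_permissions[r1] | role_permissions[r2]
        if any(pair <= perms for pair in conflicts):
            bad.add((r1, r2))
    return sorted(bad)


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        print(f"{user}: {pairs}")
    print("SoD violations:", violation_count())
    print("Role pairs that must not be co-assigned:", roles_that_conflict())
```

The conflict matrix is expressed in permissions rather than roles on purpose: roles get renamed and split over time, while "enter an invoice" and "approve an invoice" stay the same pair of actions, so the rule set survives role redesigns and also catches a role that quietly accumulates both sides.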

ITGCs are classified in the Global Technology Audit Guide (GTAG) 1, "Information Technology
Risk and Controls," 2nd Edition, as follows: -ANSWER>
-Physical security
-Logical access management
-Systems development life cycle controls
-Program change management controls
-System and data backup and recovery controls
-IT operational controls

Physical Security -ANSWER>
-Physical security involves the physical and procedural measures used to protect an
organization's buildings, the occupants, and the building contents.
-The goal in workplace security is to eliminate or reduce the risk of harm to facility occupants
first, followed by risk of loss of organizational assets, tangible and intangible, from human
and natural disasters.

Sources of Physical Security Vulnerabilities -ANSWER>
-Unauthorized access to facilities, systems, etc.
-Natural disasters (e.g., fires, floods, hurricanes, tornadoes, earthquakes)
-Service disruptions (e.g., telecommunications, network, Internet access, electrical power,
equipment, supply chain)
-Human error
-Theft and vandalism
-Terrorism or sabotage

General Physical Security Controls -ANSWER> Additional general measures that can help mitigate
physical security risks (e.g., theft) include:
-Physical security awareness training for personnel
-Pre-employment background and reference checks
-Post-employment security clearances
-Separation of job duties

Examples of how physical security begins with workspace design... -ANSWER>
-Smoke alarms
-Adequate lighting throughout a facility
-Installation of an electronic security system for building entry
-A reception area with staff or a security guard, sign-in sheets, and visitor badges
-Restricted areas, such as the data center (Physical security can also be role-based, with certain
areas more secure than others, even to IT staff)

Physical Access Controls -ANSWER>
-Physical access controls are the real-world (tangible) means of providing and limiting access
to buildings, data centers, record rooms, inventory areas, and key operational areas to only
authorized persons (and denying access to unauthorized persons).
-Note that many of these same types of access controls can be used to provide or deny access
to computer systems or other devices.

Examples of Physical Access Controls -ANSWER>
-Keys or keycards
-Some type of code or password
-A biometric scan
-Security guards
-Checkpoints with metal detectors
-There may be a process to grant access to facilities such as log books and monitoring of all
entry points
-Visitor escorts may be required
-All persons may be required to have visible identification badges with area-specific access
rights
-All areas of a building should be covered by a general security system, including motion
sensors and cameras in key areas as well as devices to detect break-ins
-There may need to be perimeter restrictions such as fences

Physical Access Controls - Increasing Levels of Complexity to Increase Security -ANSWER>
-Preventing access to an asset could use a lock and a physical key, but there would be no audit
trail of who accessed that door (except perhaps for security camera footage).
-Keycard systems identify a particular user badge. A security computer checks the badge against
a list for access, and an access log indicates which badge was used and when. Note that the log
records the badge, not necessarily the person holding it, so a lost or shared badge still needs
corroboration (camera footage, or a PIN required together with the card).
-Biometric devices check a user's identity through fingerprints, palm scans, iris scans, face
recognition, and/or other unique physical identifiers. The scan is compared to a stored
template in a security database, so there is also an audit trail here.
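The keycard step above is where an audit trail first appears, and the value of that trail comes from two design choices: denied attempts are logged too, and the log can be queried per badge. The following added example (not from the study guide) models a badge check against a role-based area list and the two audit queries an internal auditor would ask of it. Badge IDs, area names and the event sequence are constructed sample data.

```python
"""Keycard access check with an audit trail, plus the audit queries it enables.

Added illustration, not from the study guide. Badge IDs, area names and
the sample events are constructed; a real system would read the access
list from the badge server and append to an append-only log.
"""
from collections import Counter

# Constructed access list: which badges may open which areas. Access is
# role-based: the data center list is shorter than the office list, so
# even most staff who reach the office cannot reach the data center.
ACCESS_LIST = {
    "lobby":       {"B001", "B002", "B003", "B004"},
    "office":      {"B001", "B002", "B003"},
    "data_center": {"B002"},
}

# Constructed badge events as (ISO timestamp, badge, area).
SAMPLE_EVENTS = [
    ("2024-11-15T08:02:10", "B001", "lobby"),
    ("2024-11-15T08:02:40", "B001", "office"),
    ("2024-11-15T08:05:00", "B002", "lobby"),
    ("2024-11-15T08:05:30", "B002", "data_center"),
    ("2024-11-15T09:10:00", "B003", "data_center"),  # on office list, not data center
    ("2024-11-15T09:10:20", "B003", "data_center"),  # tries again
    ("2024-11-15T12:30:00", "B999", "lobby"),        # badge unknown to the system
    ("2024-11-15T12:30:15", "B999", "office"),
]


def check_access(badge_id, area, at, access_list=ACCESS_LIST, log=None):
    """Decide whether a badge opens an area and record the decision.

    Unknown badges and unknown areas are denied, but the attempt is still
    logged: a physical key leaves no trace of a failed try, a badge should.
    """
    allowed = badge_id in access_list.get(area, set())
    if log is not None:
        log.append({"ts": at, "badge": badge_id, "area": area, "allowed": allowed})
    return allowed


def badge_history(log, badge_id):
    """'Which badge was used and when': the trail for one badge, in order."""
    return [(e["ts"], e["area"], e["allowed"]) for e in log if e["badge"] == badge_id]


def denied_attempts(log, threshold=2):
    """Badges with at least `threshold` denials: a review item, since repeated
    denials at a restricted door suggest a lost, shared, or cloned badge."""
    counts = Counter(e["badge"] for e in log if not e["allowed"])
    return {badge: n for badge, n in counts.items() if n >= threshold}


def run_sample(events=SAMPLE_EVENTS, access_list=ACCESS_LIST):
    """Replay the constructed events through the check and return the log."""
    log = []
    for ts, badge, area in events:
        check_access(badge, area, ts, access_list, log)
    return log


if __name__ == "__main__":
    log = run_sample()
    for entry in log:
        state = "ALLOW" if entry["allowed"] else "DENY "
        print(f'{entry["ts"]} {state} {entry["badge"]} -> {entry["area"]}')
    print("history of B003:", badge_history(log, "B003"))
    print("repeated denials:", denied_attempts(log))
```

The same shape applies to the biometric step: only the `allowed` decision changes from a list lookup to a template match, while the log entry and the two queries stay identical, which is why the study guide groups both as controls that carry an audit trail.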
