04.Information Security Control Testing and Evaluation (311) Flashcards

1
Q

Control Monitoring

Controls need to be designed so that monitoring can take place

311

A
2
Q

Control Auditing

Reviews and audits are an essential function for security managers to determine whether security safeguards are in place and working properly.

311

A
3
Q

Security Review and Security Audit

A security review is a less formal and less rigorous examination of one or more controls, processes, or systems.

A security audit is a more formal, methodical, and rigorous examination of one or more controls, processes, or systems.

A
4
Q

Security Review and Security Audit

A security review is typically carried out internally, by the control owner.
A security audit is typically carried out by a separate party.

312

A
5
Q

Security Audit

Systematic and repeatable process
Competent and independent professional evaluation
2 parties - auditor and auditee
2 types - internal and external

312

A
6
Q

Audit Techniques

Audits are planned events that require formal planning to successfully achieve their objectives

313

A

Types of planning required:

  1. Purpose
  2. Scope
  3. Risk Analysis
  4. Audit Procedures
  5. Resources
  6. Schedule
7
Q

Audit Purpose

The auditor and auditee must establish the purpose of the audit. For example, validating regulatory compliance

313

A
8
Q

Audit Scope

The auditor and auditee must establish the scope. This could include specific systems or specific time frames (start to finish).

313

A
9
Q

Audit - Risk Analysis

An auditor needs to know the levels of risk associated with the domain being audited to determine where the greatest amount of attention and resources are required

313

A
10
Q

Audit - Audit Procedures

The purpose and scope of an audit will help define the relevant procedures used. Specific rules on sample sizes and techniques may be stipulated if, for example, the audit is a compliance audit

313

A
11
Q

Audit - Resources

Determine what resources are needed and available for an audit.
The auditee may have a limited budget for an external audit.
Specialist tools may be required to run sufficient analysis.
The auditor needs to determine the number of person-hours and the skill set that will be required.

314

A
12
Q

Audit - Schedule

The schedule needs to include enough time for interviews, data collection, analysis, and report generation.

314

A
13
Q

Audit Objectives

Audit objectives are the specific goals for an audit - typically to determine whether controls exist and whether they are effective

314

A
14
Q

Types of Audit

The scope, purpose, and objectives of an audit will help to determine the type of audit to be performed.
Auditors must understand the type of audit required so they know what techniques and procedures to deploy.

314

A
15
Q

Audit Type - Operational Audit

Examination of controls (IT, security, business) to determine control existence and effectiveness

315

A
16
Q

Audit Type - Financial Audit

Examination of the accounting system, including accounting department processes and procedures

315

17
Q

Audit Type - Integrated Audit

Combined operational and financial audit. Offers the auditor a complete understanding of the entire environment's integrity

315

18
Q

Audit Type - IS Audit

Detailed examination of most or all information systems department operations.
Determines whether IT governance is aligned with the organisation's objectives and goals

315

19
Q

Audit Type - Administrative Audit

Examination of operational efficiency within a segment of the organisation

315

20
Q

Audit Type - Compliance Audit

Determines the level and degree of compliance with a law, regulation, standard, internal control, or legal contract.
Some laws and standards require approved and licensed external auditors

315

21
Q

Audit Type - Forensic Audit

Performed by a forensic specialist to support anticipated or active legal proceedings, or a security incident investigation.
Strict procedures must be followed to preserve evidence and avoid evidence being ruled inadmissible due to tampering

315

22
Q

Audit Type - Service Provider Audit

Third-party service organisations undergo external audits to increase customer confidence in the integrity and security of their services

316

23
Q

Audit Type - Pre-Audit

An examination of business processes in anticipation of an upcoming audit, the results of which can be used to implement improvements prior to the audit.

316

24
Q

Audit Methodology

An audit methodology is the set of audit procedures used to accomplish a set of audit objectives.
Typical audit methodology phases:

  1. Audit Subject: determine which process, information system, or domain is being audited
  2. Audit Objective: identify the purpose of the audit
  3. Type of Audit: determine the type of audit, i.e. operational, financial, integrated, etc.
  4. Audit Scope: identify the business process, department, or application that is subject to the audit
  5. Pre-Audit Planning: the auditor needs certain information for the audit, so plans how it will be obtained, the techniques to use, the physical locations to visit, etc.

316

25
# Audit - Observing Personnel

It is **insufficient** for an auditor to just obtain and **understand process documentation**. The **auditor must collect evidence** through **observation** and assess the consistency and application of processes.

Observing personnel will include:

**Real Tasks**
Auditor sees actual tasks being carried out

**Skills and Experience**
Interview individuals about their background to determine experience and maturity level

**Security Awareness**
Observe personnel to determine if security policies and procedures are followed

**Segregation of Duties**
Observe processes and functions to determine if adequate segregation of duties is in place

## Footnote
319
26
# Audit - Sampling

**Sampling** techniques are used when it is **not feasible** to test an entire population of transactions.

Method examples include:

**Statistical Sampling**
Random selection to statistically reflect the entire population

**Judgemental Sampling**
Auditor judgementally and subjectively selects samples

**Attribute Sampling**
Used to study characteristics of a given population, i.e. select disabled AD accounts and review how many were disabled within 24 hours

**Variable Sampling**
Determine the characteristic of a population based on a selected sample; used to determine the total value in the entire population

**Stop-or-go Sampling**
Permits sampling to stop at the earliest possible time

**Discovery Sampling**
Auditor tries to identify exceptions in the population which, if discovered, may lead to a more intensive investigation to determine if other exceptions exist based on the sample discovered

**Stratified Sampling**
Population divided into classes and samples selected from each class to determine any statistical difference in the results

## Footnote
320
27
# Audit Report and results

An **audit report** describes the **entire project**, including objectives, scope, controls evaluated, opinions on effectiveness and integrity, and recommendations.

## Footnote
320

* Cover letter
* Introduction
* Summary
* Description of the audit
* Listing of systems and processes examined
* Listing of interviewees
* Listing of evidence obtained
* Explanation of sampling techniques
* Description of findings and recommendations
28
# Audit Report and results

It is **not the auditor's role** to determine how audit findings should be **remediated**.
**Responsibility** for the **remediation** method lies with **auditee management**.

## Footnote
321
29
# Evaluating Control Effectiveness

The **auditor** should **communicate the effectiveness** of **controls** to the auditee.
Often, findings can be **scored** based on **criticality**, or placed in a matrix.
**Criticality** scoring helps the auditor **illustrate findings** and allows the auditee to **focus** remediation activities, if accepted.

## Footnote
321
30
# Internal Audits

**Internal audits** focus on the organisation's **controls, processes, or systems**.
**Carried out** by **personnel** who are part of the **organisation**.

## Footnote
322
31
# External Audits

Performed by auditors who are **not employees of the organisation**.

**3 principal reasons** for an organisation to undergo an external audit:

1. Legal or regulatory requirement
2. Lack of internal resources
3. Objectivity

## Footnote
323
32
# External Audits

Personnel working with external auditors need to be coached to...

1. Answer only questions that auditors ask
2. Not express their opinions about a subject matter
3. Not volunteer additional information

## Footnote
325
33
# Control Self Assessment (CSA)

**Control Self Assessment** is a methodology used by an organisation to **review** key business **objectives**, **risks** related to **achieving** those **objectives**, and key **controls** designed to **manage the risks**.

## Footnote
325
34
# Control Self Assessment (CSA)

Advantages of CSA:

1. Risk detected earlier
2. Internal controls can be improved in a timely manner
3. Greater ownership of controls
4. Improved employee awareness of controls
5. Improved relationships between departments and auditors

## Footnote
326

Disadvantages of CSA:

1. Mistaken by employees or management as a substitute for internal audit
2. Seen as extra work and dismissed as unnecessary
3. Employees attempt to cover up poor work
4. CSA seen as an attempt by auditors to shake off their own responsibilities
5. Lack of employee involvement would mean no process improvement opportunities
35
# Control Self Assessment Life Cycle

The phases in a Control Self Assessment Life Cycle:

1. Identify and assess risks
2. Identify and assess controls
3. Develop questionnaire or conduct workshops
4. Analyse completed questionnaires or assess workshops
5. Control remediation
6. Awareness training

## Footnote
[CSA Life Cycle](https://drive.google.com/file/d/17420sMF5DorHW-tywSfkmUfiZSMRbV0x/view?usp=drive_link)
326
36
# Control Self Assessment - Self Assessment Objectives

**Control owners** should play a more active role in the **audit of their controls**. A key **objective** is the long-term **reduction** in **exceptions**.
The **Security Manager and Internal Auditor** should ensure the CSA process is not hijacked by corner-cutting efficiency opportunists who do not understand its purpose or significance.

## Footnote
327