04.Information Security Control Testing and Evaluation (311) Flashcards

1
Q

Control Monitoring

Controls need to be designed so that they can be monitored.

311

A
2
Q

Control Auditing

Reviews and audits are an essential function for security managers to determine whether security safeguards are in place and working properly.

311

A
3
Q

Security Review and Security Audit

A security review is a less formal and less rigorous examination of one or more controls, processes, or systems

A security audit is a more formal, methodical, and rigorous examination of one or more controls, processes, or systems.

A
4
Q

Security Review and Security Audit

A security review is typically carried out internally, by the control owner.
A security audit is typically carried out by a separate party.

312

A
5
Q

Security Audit

Systematic and repeatable process
Competent and independent professional evaluation
Two parties: auditor and auditee
Two types: internal and external

312

A
6
Q

Audit Techniques

An audit is a planned event that requires formal planning to achieve its objectives.

313

A

Planning areas required:

  1. Purpose
  2. Scope
  3. Risk Analysis
  4. Audit Procedures
  5. Resources
  6. Schedule
7
Q

Audit Purpose

The auditor and auditee must establish the purpose of the audit, for example validating regulatory compliance.

313

A
8
Q

Audit Scope

The auditor and auditee must establish the scope. This could include specific systems or a specific time frame (start to finish).

313

A
9
Q

Audit - Risk Analysis

An auditor needs to know the levels of risk associated with the domain being audited to determine where the greatest amount of attention and resources are required.

313

A
10
Q

Audit - Audit Procedures

The purpose and scope of an audit help define the relevant procedures. Specific rules on sample sizes and techniques may be stipulated if the audit is, for example, a compliance audit.

313

A
11
Q

Audit - Resources

Determine what resources are needed and available for an audit.
The auditee may have a limited budget for an external audit.
Specialist tools may be required to run sufficient analysis.
The auditor needs to determine the number of person-hours and the skill set that will be required.

314

A
12
Q

Audit - Schedule

The schedule needs to include enough time for interviews, data collection, analysis, and report generation.

314

A
13
Q

Audit Objectives

Audit objectives are the specific goals of an audit, typically to determine whether controls exist and whether they are effective.

314

A
14
Q

Types of Audit

The scope, purpose, and objectives of an audit help determine the type of audit to be performed.
Auditors must understand the type of audit required so they know which techniques and procedures to deploy.

314

A
15
Q

Audit Type - Operational Audit

Examination of controls (IT, security, business) to determine whether they exist and are effective.

315

A
16
Q

Audit Type - Financial Audit

Examination of accounting system, including accounting department processes and procedures

315

A
17
Q

Audit Type - Integrated Audit

Combined operational and financial audit. Offers the auditor a complete understanding of the integrity of the entire environment.

315

A
18
Q

Audit Type - IS Audit

Detailed examination of most or all information systems department operations.
Determines whether IT governance is aligned with the organisation's objectives and goals.

315

A
19
Q

Audit Type - Administrative Audit

Examination of operational efficiency within a segment of the organisation

315

A
20
Q

Audit Type - Compliance Audit

Determines the level and degree of compliance with a law, regulation, standard, internal control, or legal contract.
Some laws or standards require approved and licensed external auditors.

315

A
21
Q

Audit Type - Forensic Audit

Performed by a forensic specialist to support anticipated or active legal proceedings, or a security incident investigation.
Strict procedures must be followed to preserve evidence and avoid it being ruled inadmissible due to tampering.

315

A
22
Q

Audit Type - Service Provider Audit

Third-party service organisations undergo external audits to increase customer confidence in the integrity and security of their services.

316

A
23
Q

Audit Type - Pre-Audit

An examination of business processes in anticipation of an upcoming audit from which the results can be used to implement improvements prior to the audit.

316

A
24
Q

Audit Methodology

An audit methodology is the set of audit procedures used to accomplish a set of audit objectives.
Typical audit methodology phases:

Audit Subject
Determine which process, information system, or domain is being audited
Audit Objective
Identify the purpose of the audit
Type of Audit
Determine the type of audit, e.g. operational, financial, integrated
Audit Scope
Identify the business process, department, or application that is subject to the audit
Pre-Audit Planning
The auditor needs certain information and plans how it will be obtained: techniques, physical locations to visit, etc.

316

A
25
Q

Audit - Observing Personnel

It is insufficient for the auditor to just obtain and understand process documentation.
The auditor must collect evidence through observation and assess the consistency and application of processes.
Observing personnel includes:

Real Tasks
The auditor sees actual tasks being carried out
Skills and Experience
Interview individuals about their background to determine experience and maturity level
Security Awareness
Observe personnel to determine whether security policies and procedures are followed
Segregation of Duties
Observe processes and functions to determine whether adequate segregation of duties is in place

319

A
26
Q

Audit - Sampling

Sampling techniques are used when it is not feasible to test an entire population of transactions.
Method examples include:

Statistical Sampling
Random selection so that the sample statistically reflects the entire population
Judgemental Sampling
The auditor selects samples judgementally and subjectively
Attribute Sampling
Used to study a characteristic of a given population, e.g. select disabled AD accounts and review how many were disabled within 24 hours
Variable Sampling
Estimates a characteristic of the population from a selected sample, e.g. the total value across the entire population
Stop-or-go Sampling
Permits sampling to stop at the earliest possible time
Discovery Sampling
The auditor tries to identify exceptions in the population; if one is discovered, a more intensive investigation may follow to determine whether other exceptions exist
Stratified Sampling
The population is divided into classes and samples are selected from each class to determine any statistical difference in the results

320

A
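The sampling methods on the card above, worked through in code. This is an added example, not from the flashcards or the source textbook: the population of disabled AD leaver accounts, its departments, the 24-hour disable window, the 5% tolerable deviation rate, and the function names are all assumptions chosen to illustrate the techniques. It shows a seeded statistical (random) sample, attribute sampling with a one-sided upper bound on the deviation rate, the discovery-sampling size needed to see at least one exception, stratified sampling by department, and stop-or-go sampling that halts as soon as the bound falls under the tolerable rate.

```python
"""Audit sampling over a constructed population of disabled AD leaver accounts.
Added example, not from the flashcards: the population, the departments and the
24-hour disable window are assumptions chosen to illustrate the techniques."""
import math
import random

# Constructed population: 400 leaver accounts, 100 per department. Engineering
# is built with a slow off-boarding process (61 of its 100 accounts disabled
# more than 24h after leaving); the other departments never exceed the window.
DEPARTMENTS = ["finance", "engineering", "sales", "hr"]
TOLERABLE_HOURS = 24  # assumed control requirement: disable within 24h of leaving

def build_population():
    population = []
    for i in range(400):
        dept, q = DEPARTMENTS[i % 4], i // 4
        hours = 12 + q % 40 if dept == "engineering" else 2 + q % 20
        population.append({"account": f"user{i:04d}", "department": dept,
                           "hours_to_disable": hours})
    return population

POPULATION = build_population()

def make_rng(seed=2024):
    """Seeded generator so a sample can be reproduced in the audit workpapers."""
    return random.Random(seed)

def is_exception(record):
    """Attribute under test: was the account disabled outside the required window?"""
    return record["hours_to_disable"] > TOLERABLE_HOURS

def count_exceptions(records):
    return sum(is_exception(r) for r in records)

def binomial_cdf(k, n, p):
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))

def upper_deviation_bound(exceptions, n, confidence=0.95):
    """One-sided upper bound on the population deviation rate: the smallest rate
    at which observing at most `exceptions` in `n` items becomes unlikely."""
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):  # bisection on the rate
        mid = (lo + hi) / 2
        if binomial_cdf(exceptions, n, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi

def discovery_sample_size(critical_rate, confidence=0.95):
    """Discovery sampling: items needed so that, if the true exception rate is at
    least `critical_rate`, at least one exception is seen with prob >= confidence."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - critical_rate))

def evaluate_attribute_sample(sample, tolerable_rate=0.05, confidence=0.95):
    """Attribute sampling: estimate the deviation rate and decide whether the
    control can be relied on at the chosen tolerable rate."""
    n = len(sample)
    exceptions = count_exceptions(sample)
    bound = upper_deviation_bound(exceptions, n, confidence)
    return {"n": n, "exceptions": exceptions, "observed_rate": exceptions / n,
            "upper_bound": bound, "control_effective": bound <= tolerable_rate}

def stratified_sample(population, n, key, rng):
    """Stratified sampling with proportional allocation (largest-remainder rounding)."""
    strata = {}
    for rec in population:
        strata.setdefault(key(rec), []).append(rec)
    raw = {s: n * len(recs) / len(population) for s, recs in strata.items()}
    alloc = {s: int(r) for s, r in raw.items()}
    leftover = n - sum(alloc.values())
    for s in sorted(raw, key=lambda s: raw[s] - alloc[s], reverse=True)[:leftover]:
        alloc[s] += 1
    return {s: rng.sample(recs, min(alloc[s], len(recs))) for s, recs in strata.items()}

def stop_or_go_sample(population, rng, tolerable_rate=0.05, confidence=0.95,
                      block=25, max_n=200):
    """Stop-or-go sampling: draw in blocks and stop as soon as the evidence
    supports relying on the control; otherwise keep drawing until the budget ends."""
    order = rng.sample(population, min(max_n, len(population)))
    drawn = []
    for start in range(0, len(order), block):
        drawn.extend(order[start:start + block])
        result = evaluate_attribute_sample(drawn, tolerable_rate, confidence)
        if result["control_effective"]:
            result["decision"] = "stop early: control effective"
            return result
    result["decision"] = "budget exhausted: control not shown effective"
    return result

if __name__ == "__main__":
    rng = make_rng()
    print("discovery sample size at 5% critical rate:", discovery_sample_size(0.05))
    print("statistical sample:", evaluate_attribute_sample(rng.sample(POPULATION, 60)))
    strata = stratified_sample(POPULATION, 80, lambda r: r["department"], rng)
    print("engineering exceptions:", count_exceptions(strata["engineering"]))
    print("stop-or-go:", stop_or_go_sample(POPULATION, rng))
```

Two points the flashcard does not show: a clean sample is only evidence at a given confidence, so `evaluate_attribute_sample` reports an upper bound rather than the raw observed rate (zero exceptions in 20 items still leaves a bound around 14%), and stratifying by department exposes the engineering off-boarding problem that a simple random sample of the whole population would dilute. Judgemental sampling is not modelled because it is, by definition, the auditor's subjective choice.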
27
Q

Audit Report and results

An audit report describes the entire project, including objectives, scope, controls evaluated, opinions on effectiveness and integrity, and recommendations

320

A
  • Cover letter
  • Introduction
  • Summary
  • Description of the audit
  • Listing of systems and processes examined
  • Listing of interviewees
  • Listing of evidence obtained
  • Explanation of sampling techniques
  • Description of findings and recommendations
28
Q

Audit Report and results

It is not the auditor's role to determine how audit findings should be remediated.
Choosing the remediation method is the responsibility of auditee management.

321

A
29
Q

Evaluating Control Effectiveness

The auditor should communicate the effectiveness of controls to the auditee.
Often, findings can be scored based on criticality, or placed in a matrix.
Criticality scoring helps the auditor illustrate findings and allows the auditee to focus remediation activities, if the findings are accepted.

321

A
30
Q

Internal Audits

Internal audits focus on the organisation's controls, processes, or systems.
Carried out by personnel who are part of the organisation.

322

A
31
Q

External Audits

Performed by auditors who are not employees of the organisation.
Three principal reasons for an organisation to undergo an external audit:

  1. Legal or regulatory requirement
  2. Lack of internal resources
  3. Objectivity

323

A
32
Q

External Audits

Personnel working with external auditors need to be coached to…

  1. Answer only questions that auditors ask
  2. Not express their opinions about a subject matter
  3. Not volunteer additional information

325

A
33
Q

Control Self Assessment (CSA)

Control Self Assessment is a methodology used by an organisation to review key business objectives, risks related to achieving those objectives, and key controls designed to manage the risks

325

A
34
Q

Control Self Assessment (CSA)

Advantages of CSA:

  1. Risks detected earlier
  2. Internal controls can be improved in a timely manner
  3. Greater ownership of controls
  4. Improved employee awareness of controls
  5. Improved relationships between departments and auditors

326

A

Disadvantages of CSA:

  1. Mistaken by employees or management as a substitute for internal audit
  2. Seen as extra work and dismissed as unnecessary
  3. Employees may attempt to cover up poor work
  4. Seen as an attempt by auditors to shake off their own responsibilities
  5. Lack of employee involvement would mean no process-improvement opportunities
35
Q

Control Self Assessment Life Cycle

The phases in a Control Self Assessment life cycle:

  1. Identify and assess risks
  2. Identify and assess controls
  3. Develop questionnaires or conduct workshops
  4. Analyse completed questionnaires or assess workshops
  5. Control remediation
  6. Awareness training
A
36
Q

Control Self Assessment - Self Assessment Objectives

Control owners should play a more active role in the audit of their controls.
A key objective is the long-term reduction in exceptions.
The security manager and internal auditor should ensure the CSA process is not hijacked by efficiency-driven corner-cutting opportunists who do not understand its purpose or significance.

327

A