Cisa Doshi
Steps in the Risk Management Process
1. Understand the business 2. Identify Assets 3. Identify risks / vulnerabilities / threats 4. Impact Analysis 5. Prioritize Risks 6. Evaluate Controls 7. Risk treatment / Apply controls ✔This process is subjective ✔Is used to make security policy decisions. ✔Needs to consider the ENTIRE IT Environment
Information Security Policy
Defines how the organization will protect its assets and how it will respond to threats and incidents. Security should be separate from IT to stay objective. It includes: ✔Roles and responsibilities ✔Risk Management ✔Security Processes ✔Acceptable use It is VERY General - few specifics
Audit Initiation Meeting
A meeting used to discuss the scope of the audit
Define Risk / Define Business Risk
Risk = Probability * Impact or Risk = Asset Value * Vulnerability * Threat
Audit Work Papers
✔All audit plans, programs, activities, tests, findings, and incidents ✔The bridge between the Audit Objectives and the Final Report
Threat
Whatever we are trying to protect against
Vulnerability
Weakness or gap in our protection efforts. Absence of proper security measures
Types of Risk
✔Inherent Risk - The Business with no controls ✔Residual Risk - Risk that remains after controls ✔Detection Risk - Risk that Auditors fail to detect a misstatement in the log ✔Control Risk - Risk that the controls won't catch the problem ✔Audit Risk = Inherent Risk * Control Risk * Detection Risk
Risk Treatment
Risk Mitigation / Risk Reduction - An umbrella (Add Controls) Risk Avoidance - don't go out Risk Acceptance - just get wet Risk Transfer - insurance or Vendor
Senior Management
Is responsible for managing Risk
Security Policies
Are derived as a result of a risk assessment
Audit Charter
A document that defines the Internal IS audit function's responsibility, authority, roles, scope, objectives, and accountability. ✔Approved and Changed by The Audit Committee ✔Independent from IS and IT ✔It is a Static Document ✔Does NOT include audit calendar, audit planning, yearly resource allocation, travel expenses, and other routine audit activities.
Compliance Testing
✔Verifies processes ✔Checks for controls ✔Attribute Sampling is used (the control is there or it is not) ✔Is done before Substantive Testing ✔Usually checks a Procedure or Policy
Substantive Testing
✔Verifies data or transactions of the data ✔Checks for completeness, accuracy, and validity of the data ✔Variable Sampling is used ✔Is done after Compliance Testing
Compliance Testing vs Substantive Testing
Compliance Testing verifies Processes with Attribute Sampling Substantive Testing verifies Transactions with Variable Sampling
CSA - Control Self-Assessment
✔A self-regulation activity ✔Done during the preliminary survey phase ✔Facilitated by the Internal Auditor ✔Success depends on the involvement of Line Management in control monitoring ✔A technique that allows managers and work teams directly involved in business units, functions or processes to participate in assessing the organization's risk management and control processes
Objectives of CSA (Control Self-Assessment)
✔To leverage the Internal Audit Function by shifting some of the control monitoring responsibilities to the functional areas ✔To concentrate on areas of High Risk ✔To provide early identification of risk ✔To enhance audit responsibilities (not replace)
Benefits of CSA (Control Self-Assessment)
✔Early Detection of Risk ✔More effective and improved controls ✔Assurance provided to stakeholders and customers.
Statistical Sampling
✔It is Objective ✔Non-Judgmental ✔Probability of error can be objectively quantified ✔Each item has an equal chance of selection ✔Minimizes Detection Risk ✔Can be used to draw a conclusion on the entire population
Non-Statistical Sampling
✔It is Subjective ✔Also known as Judgmental Sampling ✔Cannot be objectively quantified ✔Sampling depends on the judgment of the auditor
Attribute Sampling
✔Used in Compliance Testing ✔Some number of items in the sample comply, some do not ✔Expressed in Percentage ✔Answers "How Many?" (Not "How Much?" like Variable Sampling) ✔"This many failed to get approval"
Variable Sampling
✔You are Sampling a specific Variable ✔Used in Substantive Testing ✔Allows us to understand "how much" (not how many like Attribute Sampling) ✔Expressed in units like weight, money, or other values ✔"It cost this much on average"
Stratified Random Sampling
✔Separation of the target population into different groups, called strata, and the selection of samples from each stratum
Stop and Go Sampling
✔Used when very few errors are expected to be found ✔Stopped once an error is found
Discovery Sampling
✔Used to find Fraud ✔If Fraud is found, report it to the authorities
Confidence Co-Efficient
✔A higher number will result from the use of a larger sample size. ✔The use of a larger sample size will result in a high CCE ✔If controls are strong, the CCE / Sample Size may be lowered by the auditor ✔Meaning, if there are lots of controls you trust, you can use a smaller sample size.
Data Analytics
✔To Identify the effectiveness of existing controls ✔To Identify process lapses and areas of improvement ✔To Identify exceptions and deviations ✔To identify areas of fraud ✔To evaluate data quality and identify areas with poor data quality ✔To assess risk and to plan audit activities ✔Can be effective for an IS auditor in both the planning and fieldwork phases of the audit
Process of Data Analytics
1. Determine the objectives and scope of analytics 2. Requirement gathering and obtaining the data 3. Determine the sufficiency and reliability of the data 4. Execute the test by running scripts / performing analytical tests. 5. Results/conclusions of the tests to be documented 6. Review of results/conclusion by a qualified person 7. Retain the results such as scripts, files, macro programs and data files.
CAAT (Computer-Assisted Audit Techniques)
✔Helps the auditor to capture and analyze the data during an audit ✔Good for complex environments or processes ✔Ensures independence of auditors while capturing relevant data ✔Provides reliability of the source of the data and therefore reassurance on audit findings (Very Important) ✔Some are General Audit Software (GAS) ✔Help in effective and efficient detection of exceptions or irregularities
CAATs - What to watch out for
✔Ensure data integrity by safeguarding Confidentiality, Integrity, and Authenticity (Most important) ✔Get approval to install it by the auditee ✔Only use Read-Only rights while accessing data
Continuous Auditing
✔Real Time or Near Real Time auditing. ✔Quick results
Continuous Monitoring
✔Like AV or IDS ✔In general Continuous Auditing happens before Continuous Monitoring ✔Should be independent of Continuous Auditing ✔Usually handed over to process owners
Continuous Assurance
Continuous Auditing + Continuous Monitoring
EDI (Electronic Data Interchange)
✔The transmission of transactions (information) between two organizations ✔Promotes more efficient paperless environment ✔Consists of Transmission, Translation, and Storage of transaction. It is initiated or destined for application processing ✔Auditors should trace the transaction from beginning to end
Components of EDI (Electronic Data Interchange)
1. Communications Handler - Involves the process for transmitting and receiving electronic documents between trading partners via dedicated channels. 2. Interface - This is the interface between the Application System and the Communication Handler. It has two parts: ✔Translation - translates data into trading partners format ✔Application Interface - It moves electronic transactions to or from the application systems. 3. Application System - It processes data sent to or received from the trading partner.
Risk in EDI (Electronic Data Interchange)
✔Transaction Authorizations don't really occur in an automated system ✔No inherent authorization occurs (Greatest Risk) ✔Needs a Trading Partner Agreement to cover specific legal liability (MOST IMPORTANT) ✔Performance issues could affect both parties ✔Unauthorized access, data integrity, confidentiality, loss or duplicate transactions
Controls for EDI (Electronic Data Interchange)
✔Ensure the integrity of message format and content to avoid transmission errors. ✔Ensure control at receiving end ✔Logs to be maintained ✔Ensure messages are properly authorized ✔Direct channels are best to prevent wiretapping ✔Use encryption ✔Use batch totals
EDI Internet Encryption
Ensures CIA - Confidentiality, Integrity, and Authenticity and Non-Repudiation of transactions
EDI and Computerized Checking
To assess transaction reasonableness and validity
EDI Sender Should
✔Use control fields within an EDI message ✔Use VAN sequential control numbers or reports ✔Use acknowledgment transaction to sender ✔Use segregation of duties for high-risk transactions ✔Log it all
EDI Receiver Should
✔Log each transaction on Receipt ✔Build segment count totals into transaction set trailer by the sender ✔Use check digit to detect transposition and transcription error
Integrated Audit
Includes: ✔Operational Audit ✔IS Audit ✔Financial Audit
Process of Integrated Audit
1. Identify risks 2. Identify key controls 3. Understand the design of the key controls 4. Test to see if key controls are supported by the IT system 5. Test to see if controls are effective 6. Issue combined report on risks, controls, and weaknesses
Advantages of Integrated Audits
✔Easy to link controls and audit procedures ✔Helps with allocating and utilization of IT resources ✔Help link good corporate governance and reliable financial statements (MOST IMPORTANT)
Closure Meeting Points to Remember
✔Closure meeting ensures that there have been no misunderstandings or misrepresentation of facts. ✔Closing meeting helps to enhance the understanding between the auditor and the auditee in terms of what was presented, discussed, and agreed upon. ✔For communication of audit results, the IS auditor is ultimately responsible to senior management and the audit committee of the board of directors. If access is not granted for such a discussion, then it would limit the independence of the audit function ✔During the assignment, control weaknesses observed which are not in the scope of the audit should still be reported to management. ✔ISACA's IS Audit and Assurance Standards on reporting require that the IS auditor has sufficient and appropriate evidence to support the reported results ✔Generally accepted audit practice requires reporting of findings even if corrective action has already occurred ✔In some instances, the IS auditor may be requested by audit management to assist in implementing recommendations. The IS auditor should explain that this is a role conflict and would affect independence. ✔Findings are clearly tracked back to evidence (Most IMPORTANT)
Auditee Disagreements
✔Auditor should elaborate on the significance of the finding and the risk of not correcting it. ✔The goal is to enlighten the Auditee
Evidence
The auditor should use professional judgement to ensure that a sufficient amount of this will be collected
Follow-up Audits
✔It is advisable to conduct confirmatory audit after the timelines agreed by management for remediation action. As a generally accepted practice, auditor should not dictate timelines ✔Primary purpose of conducting follow-up audits is to validate remediation action
Outsourcing Types
✔In-sourced/In-house - Activity performed by the organization's staff ✔Outsource - Activity performed by Vendor's staff ✔Hybrid - Activity performed by both the organization's and the vendor's staff ✔Onsite - Staff works onsite in IT department ✔Offsite/Nearshore - Staff works in a remote location in the same geographical location ✔Offshore - Staff works in a different geographical location
Functions should NOT be outsourced if:
✔It is a core function of the organization ✔It is a function that requires specific knowledge, processes, and critical staff that cannot be replicated externally or in another location ✔In case of contract or regulatory restrictions
Functions that CAN be outsourced if:
✔It can be performed with the same or higher quality at the same or lower price ✔Organization has sufficient experience managing 3rd parties.
Advantages of Outsourcing
✔Expert service can be obtained from outside so organization can concentrate on its core business (this is PRIMARY reason) ✔Cost Savings
Steps for Outsourcing
1. Define the Function 2. Define the Service Level Requirements 3. Know the in-house cost 4. Conduct due diligence of service providers 5. Confirm contractual or regulatory requirements 6. Get the contract! MOST important
Reducing Risk in Outsourcing
✔SLA needs to contain measurable performance requirements ✔Escrow arrangement for proprietary software ✔Use multiple suppliers to reduce risk of dependency ✔Periodic Performance Reviews (MOST important) ✔Establish cross-functional contract management team ✔Establish necessary controls for foreseen contingencies ✔Get references from other sources ✔Make sure you have Detailed and Correctly Applied Specifications (BEST)
What can NOT be Outsourced
Accountability. Final accountability lies with the organization.
Provisions in Outsourcing Contracts
✔Service Level Agreement to contain measurable performance requirements (Do this FIRST) ✔Confidentiality agreements protecting both parties ✔"Right to Audit" Clause ✔Business Continuity and Disaster Recovery Provisions ✔Protection of Intellectual Property Rights ✔Requirements for CIA (Confidentiality, Integrity, and Availability) and privacy too. ✔Gain-sharing performance bonuses (Help the MOST to improve service and minimize costs)
Role of IS Auditor - Monitoring Outsourced Activities
✔Regular reviews of contract and service levels ✔Review of Outsourcer's documented procedures and outcome of their quality programs ✔Regular audits to certify that the process and procedures meet the quality standards ✔If Off-shored, Legal Jurisdiction is the most important issue
Strategic Planning
Relates to the long-term direction an enterprise wants to take in leveraging IT for improving its business processes
Globalization of IT Functions
✔Requires setting up IT function at remote or offshore location ✔It may or may not involve outsourcing ✔Many organizations globalize their IT function for the same reasons cited for outsourcing ✔The following issues need to be addressed for smooth functioning of IT function from the offsite location: ✔Legal and Regulatory issues ✔Continuity of Operations ✔Telecommunication issues ✔Cross border and cross cultural issues
IT Strategy Committee
✔Shows Direction for IT ✔Very High Level ✔Advises Board on IT Strategy and Initiative ✔Members include Board Members and Specialized Officer ✔Responsibilities: 🎈Aligns IT with Business Objectives 🎈Exposure to IT Risks 🎈Direction to management related to IT strategy 🎈Contribution of IT to the Business 🎈Articulates the IT Mission and Vision
IS Steering Committee
✔Drives the IT Implementation ✔Ensures IS is in harmony with the organization's mission and objectives ✔Determines the Organization's Risk Appetite ✔Keeps the Board of Directors informed ✔Maintains minutes of its meetings ✔Members include Executives, CIO, and other functions as required ✔Focuses on Implementation and monitoring of IT projects ✔Approves and Monitors funds for IT Strategy ✔Responsibilities Include: 🎈Aligns IT Processes with Business Requirements 🎈Approves Project Plans and Budgets 🎈Setting Projects, Priorities, and Milestones 🎈Acquires and Assigns appropriate Resources 🎈Ensures project meets the Business Requirements and Continuous Monitoring 🎈Ensure efficient use of IT Resources
Alignment with Business Objectives
IT should support business and align as per business objectives ✔Close alignment is evident when there is a clear mapping, linking, or cascading of IT strategy to business strategy ✔Business processes and objectives should always be the driver for IT requirements. ✔When formulating IT Strategy, the prime consideration should be Business Strategy ✔The 1st step in reviewing an organization's IT strategy is to review/understand the business plan ✔IS, to be effective, should be in line with enterprise requirements. Hence Enterprise Requirements should form the basis of Security Requirements ✔To govern IT effectively, IT and Business objectives can best be assured by the involvement of top management. ✔When formulating IT Strategy, the Enterprise must consider: 🎈Business Objectives 🎈Risks and benefits they can bring to the business 🎈Cost of current IT and whether this provides sufficient value to IT
IT Balanced Scorecard (BSC)
Is used to establish, monitor, and evaluate (optimize) IT performance in terms of: ✔Business Contribution (Is IT adding to Business Success) ✔Future Orientation (Is IT prepared?) ✔Operational Excellence (is IT Efficient?) ✔User Orientation (Are users satisfied with IT?) ✔It is the most effective means to aid the IT strategy committee and management in achieving IT governance through proper IT and business alignment ✔It needs the involvement of senior management in IT Strategy Planning
Project Portfolio Database
✔Mandatory for Project Portfolio Management ✔Includes Owner, schedules, objectives, project type, status, and costs. ✔Needs to include reports such as bar chart, profit vs risk matrix, and a progress graph ✔Adds value to strategic IT decision making
Information Security Program
✔Needs senior management's support in order to succeed ✔Supports Business Objectives ✔Driven by the CISO ✔Results in the enforcement of the management of security risk ✔Provides assurance that information assets are given a level of protection commensurate with their value or the risk their compromise poses to the organization. ✔Uses the Information Security Policy Statement as a starting point
Performance indicators of Business Scorecard
Need to be defined BEFORE BSC implementation ✔Customer Satisfaction ✔Internal Processes ✔Ability to Innovate CIA ✔NOT financial performance ?!
Board of Directors
IT Governance (including a Security Policy) is primarily the responsibility of this group
Project Steering Committee
✔The group that provides overall direction and ensures appropriate representation of the major stakeholders in the project's outcome ✔Should be comprised of a senior representative from each relevant business area ✔Monitor costs, schedules, and timetables ✔Ensures the success of the project
User Management (from a project standpoint)
✔Assumes ownership of the project and the resulting system. ✔Review and Approve deliverables
System Development Management
Provides technical support for the hardware and software environments by developing, installing, and operating the requested system
Library Control Software
Provides assurance that program changes have been authorized
Project Sponsor
✔The manager in charge of the business function ✔Owner of the data and the system under development ✔Responsible for providing functional specification through functional users.
IT Security Baseline
An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of the control baseline to meet security requirements.
Software Baseline
✔The cutoff point in the design; also referred to as Design Freeze ✔Prevents Scope Creep
Resource Owners
Are accountable for protection of their resources
Laws, Regulations, and Industry Standards
✔Organizations NEED to have a list of applicable laws and regulations ✔Compliance with these laws is ESSENTIAL
Quality Assurance
✔Is a process to provide adequate confidence that an item or product conforms to established norms ✔QA personnel verify that system changes are authorized, tested, and implemented in a controlled manner ✔Pro-active ✔Prevents defects ✔More focused on the process ✔Interacts between Project Management and User Management
Quality Control
✔Is the process for conducting tests or reviews to verify a product is defect-free and fulfills the requirements of the user. ✔Done before the product goes into production ✔Reactive ✔Finds Defects ✔More focused on Product ✔In order to ensure sufficient test coverage occurs, requirements can be tested in terms of performance and frequency of use.
QA Personnel
✔Should be independent (IMPORTANT) ✔Does Quality Assurance and Quality Control ✔Should not create a Segregation of Duties issue ✔Should never check his or her own work
Generalized Audit Software
✔Data Analytic Tool. ✔Computer programs used by auditors that provide data retrieval, data manipulation, and reporting capabilities specifically oriented to the needs of auditors
Integrated Test Facility - ITF
✔Type of Continuous Auditing ✔Dummy entity/account is set up in LIVE environment ✔Dummy or Test Transactions are entered ✔Process results are compared to expected results ✔Dummy / Test transactions are then removed
System Control Audit Review File/Embedded Audit Module - SCARF/EAM
✔Type of Continuous Auditing ✔An embedded / inbuilt software module is used to continuously monitor transactions as they are processed ✔This method is used to collect data for special audit purposes. ✔Records only those transactions which are of special audit significance such as above a specified limit or related to a standard deviation. ✔A printout / output is produced regularly to be examined ✔Used when regular processing cannot be interrupted
Mapping
Identifies specific program logic that has not been tested, and analyzes which program statements have been executed
Snapshot Technique
✔Type of Continuous Auditing ✔Pictures (Snaps) are taken of the transactions as they move through various stages in the application system ✔Transaction snaps are taken pre- and post-processing. ✔Used when Audit Trail is required ✔Three important considerations: 🎈Location where the snaps are taken 🎈Time of snaps 🎈Reporting of snaps
Continuous and Intermittent Simulation - CIS
✔A type of Continuous Auditing ✔This is a variation of the SCARF method ✔Can be used with DBMS (databases) ✔The database sends criteria based copies of transactions to the CIS, which replicates the processing the transaction gets in the actual application ✔The results from the application are compared to the results from CIS. ✔Best for pre-defined highly complex criteria
Audit Hook
✔Type of Continuous Auditing ✔Audit Software that captures suspicious transactions ✔Criteria for suspicious transactions are designed by the auditors per requirement ✔Useful when Early Detection is needed
Testing Classifications
✔Unit - Single Module ✔Integrated or Interface - Two or more Modules ✔System - Usually in non-production ✔Final Acceptance Testing
Unit Testing
✔Done by Developer on a particular module ✔White Box testing approach
Integrated Testing
✔Testing of two or more modules that pass information to each other
System Testing
✔To evaluate the entire system's functionality. ✔Includes these types of testing: 🎈Recovery - ability to recover after hw / sw failure 🎈Security - System includes access controls and no new security holes 🎈Load - performance with lots of data 🎈Volume - uses increasing loads to find max volume 🎈Stress - uses increasing numbers of users to find max users 🎈Performance - compare to other systems using well-defined benchmarks
IT Performance Measurement Process
Done to optimize performance
Final Acceptance Testing
✔Performed after system staff is satisfied with the system tests ✔QAT - Quality Assurance Testing ✔UAT - User Acceptance Testing
Regression Testing
✔Ensures changes in a program have not introduced new errors ✔Data should be the same used for previous tests
Sociability Testing
✔Make sure the new or modified system can work in the specified environment without adversely impacting existing system
Pilot Testing
✔Testing system in one location before implementing it at other locations
Parallel Testing
✔Compares results of processing on the old and the new system ✔Purpose is to ensure implementation of new system meets the user requirements ✔Ability to roll back is easy
White Box
✔Program Logic is Tested ✔Applicable for Unit Testing ✔Detailed knowledge of the program is needed
Black Box
✔Functionality is tested, not program logic ✔Applicable for UAT (User Acceptance Testing) ✔Does not need detailed knowledge of the program
Alpha Testing vs Beta Testing
Alpha: ✔Done by internal user ✔Done before Beta testing ✔May not involve full functionality testing Beta: ✔Done by External user ✔Done after Alpha testing ✔Generally involves full functionality testing
Bottom-Up Approach Vs Top-Down Approach
Bottom-Up Approach: ✔Begin testing of individual units/programs/modules and work upward until a complete system is tested ✔Advantages: 🎈Tests can be started before all programs are complete 🎈Errors in critical modules can be found early Top-Down Approach: ✔Tests start from a broader level and work down towards individual units/programs/modules ✔More appropriate for Prototype development ✔Advantages: 🎈Interface errors can be detected earlier 🎈Confidence in the system can be achieved earlier
Unit Testing vs Interface/Integrated Testing
Unit Testing - Tests individual program or module Interface/Integrated Testing - Tests connections between two or more components that pass information
Regression vs Sociability vs Integration Testing
Regression Testing - changes have not introduced new errors Sociability Testing - changes still work in the existing system Interface/Integration Testing - to ensure data flows between modules
Interface vs Integration Testing
Seems to be the same thing to me
Check Digit
✔A mathematically calculated value that is added to data to ensure the original data has not been altered ✔Used to ensure accuracy ✔Identifies Transcription and Transposition errors Think - Transpose Digits when Transcribing
Parity Bits
✔An extra bit is added to the data. The bit simply says whether the number of 1 bits is even or odd. ✔It has a 50% chance of detecting an error ✔Used for transmission errors, integrity, and completeness (Parity, Checksum, and CRC)
Checksum
✔Same as Parity but much more complex ✔Used for transmission errors, integrity, and completeness (Parity, Checksum, and CRC)
CRC - Cyclic Redundancy Checksum / Redundancy Checksum
✔More advanced Checksum ✔Used for transmission errors, integrity, and completeness (Parity, Checksum, and CRC)
Parity, Checksum, CRC
✔Check Digit - Transcription or Transposition ✔Transmission Errors, Completeness, or Integrity, the following are true: 🎈Parity - Weak 🎈Checksum - Medium 🎈CRC - Strong
Forward Error Control
CRC with the ability to correct the error
Atomicity
✔A database feature where the entire transaction is committed or not at all. ✔Part of Concurrency Control
Referential Integrity
✔A set of rules that the database uses to ensure that the data between related tables is valid. ✔Uses Foreign Keys in linked tables
Code Signing
To sign an individual executable/interpreted code digitally so that users have confidence the code they run is the actual code from the developer.
Edit Checks
Identify erroneous, unusual or invalid transactions (preventative)
Normalization
✔Converts the data into a readable/understandable format ✔In a database, data will have a primary key, and one value for each attribute ✔If the database is not Normalized, justification needs to be obtained ✔Is a design or optimization process for a relational database that increases redundancy
Structured Query Language (SQL)
Industry standard that facilitates portability
Integrity Constraints
Rules in a Database that help ensure the quality of information
Tuples
Records or Rows in a Relational Database
Trained Development and OWASP (Open Web Application Security Project)
The best way to secure a web server
Critical Path Methodology (CPM)
✔Technique for estimating project duration ✔A sequence of activities where duration is the longest ✔CPM is the shortest time to complete the job ✔Activities on CPM have Zero Slack Time ✔You can also say activities with Zero Slack Time are always on the CPM
Slack Time
The time that an activity can be delayed without delaying the entire project.
PERT (Program Evaluation Review Technique)
✔A type of CPM technique to estimate project duration ✔Better than CPM in that it considers three scenarios instead of one (CPM): 🎈Optimistic / Best 🎈Normal / Most Likely 🎈Pessimistic / Worst
Post-Implementation Project Review
✔To assess and measure the value of newly implemented systems ✔Do a Return on Investment Analysis ✔Ensures that the application operates as designed ✔Carried out weeks or months after the project ✔Go over lessons learned
Gantt Chart
✔Progress for the entire project can be read to determine whether the project is behind, ahead, or on schedule when compared to the base project plan ✔Can be used to track the achievement of a milestone
FPA (Function Point Analysis)
✔Estimates software size (and how long it will take to code) ✔Function Points are a unit of measure for software size, like miles for distance, or pounds for weight. ✔Function Points are derived from the number of inputs, outputs, files, interfaces, and queries. ✔This is more reliable than SLOC
SLOC (Software Lines of Code)
✔A software size estimator. ✔More lines of code take longer
EVA (Earned Value Analysis)
✔What have you completed so far? ✔Determines if spending and resource allocation is in line with the project plan ✔Compares the following metrics at regular intervals 🎈Budget to date 🎈Spending to date 🎈Estimate work hours to complete 🎈Estimate work hours at completion ✔Compares the planned amount of work with what has actually been completed to see if everything is on plan
Information Systems Development Project Cost Estimation
✔Analogous Estimating - By using estimates of prior projects ✔Parametric Estimating - Take Analogous and add statistical data like estimated employee hours, materials costs, etc. ✔Bottom-Up Estimating - Estimates the cost of each activity in greatest detail - Most Accurate, Most Time Consuming ✔Actual Costs ✔Software Size Estimating - By complexity and lines of code
Time-box Management
✔Advantage is that it prevents project cost overruns and delays from the scheduled delivery ✔Is used for prototyping or rapid application development where the project needs to be completed within a timeline ✔It integrates system and user acceptance testing but does not eliminate the need for quality process
Types of Project Tracking
✔Pert / CPM -- Project Duration or Timeline (PERT is Better) ✔Gantt -- Monitors progress and milestones ✔EVA -- What is done so far, What is left? ✔FPA & SLOC --Estimate software size and complexity (FPA is Better)
DSS Decision Support System
✔Is an interactive system that supports semi-structured decision making. ✔It collects data from varied sources and provides useful information to managers ✔Uses prototyping in design and development
DSS Provides:
✔Comparative sales figures, week to week ✔Projected revenue figures based on various assumptions ✔Evaluation of various alternatives on the basis of past experience
Characteristics of DSS:
✔Supports semi-structured or less-structured decisions ✔Uses techniques with traditional data access and retrieval functions ✔Is flexible and adaptable in a changing environment ✔Uses a Decision Tree to lead users through a series of choices until a solution is found
DSS Efficiency vs Effectiveness
✔DSS says to concentrate on Effectiveness over Efficiency ✔DSS Right Task is better than Quick Tasks (reducing costs)
DSS Risk Factors
1. Non-existent or unwilling users 2. Multiple users or implementers 3. Disappearing users, implementers, and maintainers 4. Inability to predict and cushion impact on all parties 5. Lack or loss of support 6. Lack of experience with similar systems 7. Technical problems and cost-effectiveness 8. Inability to specify purpose or usage patterns in advance
Audit Planning Steps
✔Understand Business ✔Do a Risk Assessment ✔Set Audit Scope and Audit Project ✔Set Audit Approach ✔Assign Resources ✔Address logistics
Agile Development
✔Allows the programmer to just start writing a program without spending much time on pre-planning documentation ✔Less focus on paper deliverables ✔The major risk is the lack of documentation ✔More focus on delivering functional code in short iterations ✔At the end of each iteration, the team reviews and documents what worked well and what needs to be improved in future iterations. ✔Programmers like it because they skip tedious planning exercises.
Waterfall
✔Traditional SDLC development with formal sign off after each level ✔Does well when requirements are well defined ✔Does not do well with rapidly changing user requirements
SDLC Phases
1. Planning - Specific deliverables are defined for each phase 2. Analysis 3. Design 4. Development 5. Testing 6. Implementation 7. Maintenance
SDLC Phase 1 - Planning and Feasibility Study
✔An activity that determines the expected benefits of a program or project. ✔Includes the estimated costs and benefits. ✔Used to build the Business Case ✔Seeks to uncover every reasonable issue and risk of the program or project. ✔Addresses the Organizational Impact of the project
SDLC Phase 2 - Analysis. Requirements Definition.
These don't cover HOW the requirements are to be achieved. ✔They should be as measurable as possible ✔Business Functional Requirements ✔Technical Requirements ✔Security and Regulatory Requirements ✔Disaster Recovery / Business Continuity Requirements ✔Privacy Requirements
SDLC Phase 3 - Design or Software Selection and Acquisition
✔Top-down, High level to detailed level. ✔Business owners/customers should review the designs and approve ✔Create Test Plans at this stage ✔Auditors confirm that the future application's integrity can be confirmed through audits ✔Includes Requests for Proposals for software purchases (not in-house development) ✔Ends with a Design Freeze
SDLC Phase 4 - Development or Configuration
✔Coding the Application ✔Create program and system level documents that include program logic, data flow, and interfaces ✔Write user procedures ✔Work with users to confirm the application will meet their needs ✔Debugging / Unit testing ✔Commercial Off The Shelf (COTS) software may require coded customizations, reports, authentication, and integration with other systems.
SDLC Phase 5 - Testing
Test plans are made first, then: ✔Unit Testing, System Testing, Functional Testing, User Acceptance Testing, OR Quality Assurance Testing for COTS
SDLC Phase 6 - Implementation
✔Implementation Planning ✔Training ✔Data Migration ✔Cutover
SDLC Phase 7
✔Post Implementation Review ✔All parts go into a Maintenance mode/process
Prototyping
✔Creating systems through controlled trial and error ✔A prototype is an early sample or model to test a concept or process. ✔The rapid pace may affect change control ✔A prototype is a small scale working system used to test Assumptions ✔Assumptions may be about user requirements, program design, or internal logic ✔Top-Down Testing is MOST effective during the initial phases of Prototyping ✔Prototyping can provide the organization with significant time and cost savings ✔By focusing on what the user wants and sees, developers may miss some of the controls that come from traditional methodologies. ✔The potential risk is fewer controls, extra functions, and complicated change control
RAD includes use of:
✔Small and well-trained development teams ✔Prototypes ✔Tools to support modeling, prototyping, and component reusability ✔Central repository ✔Rigid limits on development time frames
RAD (Rapid Application Development)
✔Enables the organization to develop systems quickly while reducing development cost and maintaining quality. ✔Shortens Development Time Frame ✔Relies on the usage of a prototype that can be updated continually to meet changing user or business requirements
Object Oriented System Development (OOSD)
✔Is a programming technique, not a software development methodology ✔Objects refer to a small piece of program that can be used individually or in combination with other objects ✔Objects are made from a template called a CLASS ✔In Object-oriented language, the application is made up of smaller components (objects) ✔One of the major benefits of object-oriented design and development is the ability to re-use objects. ✔OO uses a technique known as 'encapsulation' where one object interacts with another object. ✔Encapsulation allows an enhanced degree of security over data. ✔Polymorphism allows same message to be interpreted differently by two or more objects ✔Inheritance - classes inherit features from other classes ✔Any particular object can call another object to perform its work.
Component Based Development (CBD)
✔A general approach to systems development that focuses on building small self-contained blocks of code (components) that can be reused across a variety of applications within an organization. ✔Can be regarded as an outgrowth of OO (Object Oriented) development ✔A major advantage is the support of multiple development environments.
Business Process Reengineering (BPR)
✔Usually automating system processes ✔You review an area, redesign and streamline it, and then implement and monitor it with a continuous improvement process
IPSec (Internet Protocol Security)
Secures communications between hosts, subnets, or both. Two modes: ✔Tunnel Mode that encrypts the entire packet, including the header ✔Transport Mode that encrypts only the data portion of the packet 🎈Adding the Encapsulating Security Payload protocol will add Confidentiality
File Header Records
Provide assurance that the correct data files are being used and allow for automatic checking
Software Re-Engineering
✔Is the process of updating an existing system by extracting and re-using design and program components ✔This process is used to support major changes in the way an organization operates
Reverse Engineering
✔Is the process of studying and analyzing an application and the information is used to develop a similar system
CASE Computer Aided Software Engineering
✔The use of automated tools to aid in the software development process ✔Three types of CASE Products 🎈Upper - Used to describe and document requirements. Includes data object definitions and relationships 🎈Middle - Used for detailed designs. Screen and report layouts 🎈Lower - Generate program code and database definitions
Business Process Re-Engineering
✔Redesigning of business processes to improve performance, quality, and productivity. ✔Risk of controls being re-engineered out of a system
Steps in Business Process Re-engineering
1. Define areas to be reviewed 2. Develop a project plan 3. Gain an understanding of the process under review 4. Redesign and streamline the process 5. Implement and monitor the new process 6. Establish a continuous improvements process
Types of Insurance
✔IT Equipment & Facilities ✔Media (software) reconstruction ✔Extra Expense (for backup facilities) ✔Business Interruption ✔Valuable papers and records ✔Errors and Omissions (legal liability) ✔Fidelity Coverage (usually in the form of blanket bonds, covers an employee's fraud or forgeries) ✔Media Transportation - covers media in transit
Indemnity Clause
Security or protection against loss or other financial burden (not insurance)
RTO Recovery Time Objective
✔Acceptable amount of Downtime ✔Low RTO addressed with Hot Site ✔Critical Systems have Low RTO
RPO Recovery Point Objective
✔Acceptable amount of data loss ✔Low RPO is addressed with Mirror imaging or replication ✔Critical Data has Low RPO
Interruption Window
✔The maximum period of time the organization can wait from the point of failure to the critical services/applications restoration. After this time, the progressive losses caused by the interruption are unaffordable. ✔Is part of the Service delivery objective (SDO)
Service delivery objective (SDO)
✔Level of services to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs. ✔The minimum acceptable operational capability
Maximum tolerable outages (MTOs)
Maximum time the organization can support processing in alternate mode. After this point, different problems may arise, especially if the alternate SDO is lower than the usual SDO, and the information pending to be updated can become unmanageable.
Mirrored Site
✔A fully redundant site with real-time data replication from the production site ✔Already has hardware, software, back-ups ✔Needs nothing to restore service ✔Even databases work ✔Most Expensive
Hot Site
✔Has Hardware and Software ✔Needs updated Database (IMPORTANT) ✔Needs an updated restore to restore service
Warm Site
✔Has some Hardware and some Software ✔Needs Some Applications ✔Needs timely availability of hardware (IMPORTANT) ✔Needs data restore
Cold Site
✔Has space and basic infrastructure (power) ✔Needs All Hardware and All Applications ✔Needs data restore ✔For Non-critical applications
Mobile Site
✔Processing facilities in a transportable vehicle ✔Used with Cold or Warm Sites
Reciprocal Agreement
✔When two organizations with similar processing agree to help each other in case of emergency ✔These are the least expensive ✔These are the least reliable - both companies may experience the same incident ✔Hardware and Software incompatibilities may exist
Twisted Pair
✔Copper circuits ✔Can be shielded or unshielded
Shielded Twisted Pair (STP)
✔Pairs are twisted to minimize interference from other pairs ✔Less Attenuation (loss of signal strength) ✔Current flows through pairs in opposite directions ✔Shield reduces cross-talk and electromagnetic sensitivity
Unshielded Twisted Pair (UTP)
✔Pairs are twisted to minimize interference from other pairs ✔Not immune to electromagnetic interference ✔Keep them away from fluorescent lights ✔Parallel runs should be avoided due to cross-talk
Fiber-Optic
✔Glass fibers carry binary signals as flashes of light ✔Low transmission loss ✔Not affected by EMI (Electromagnetic Interference) ✔More secure than other media ✔Preferred media for voice and long distances
Coaxial Cables
✔Easy installation and readily available ✔Expensive ✔Distance limited ✔Difficult to modify ✔Low Attenuation ✔Does not support many LANs
Attenuation
✔Weakening of signal during transmission ✔Occurs with wired and wireless ✔Length of wire affects Attenuation
Electromagnetic Interference (EMI)
✔Disturbance generated by an external source that affects electrical circuits ✔The disturbance can degrade the circuit ✔Can be caused by electrical storms, motors, fluorescent lights, radios, etc
Crosstalk
Is EMI (Electromagnetic Interference) from one un-shielded pair to another, normally running in parallel
Last Mile Circuit Protection
✔Provides redundancy for local communication loop
Long haul Network Diversity
✔Provides redundancy for long distance availability
Alternate Routing
✔Is the method of routing information via an alternative medium such as copper cable or fiber optics ✔The process of allocating substitute routes for a given traffic stream in case of failures. ✔Two different cables from the exchange to your site
Diverse Routing
✔The method of routing traffic through split cable or duplicate cable facilities. ✔This can be accomplished with different and/or duplicate cable sheaths. ✔Two Cables from Two Exchanges
Difference between Alternate Routing and Diverse Routing
✔Alternate Routing - Alternative medium such as copper or fiber optics ✔Diverse Routing - uses split cables or duplicate cables
OSI Model
7. Application - Application Layer Firewall 6. Presentation 5. Session - Circuit Level Firewall 4. Transport - TCP 3. Network - IP - Routers, Packet & Stateful Firewall, VLANs 2. Data Link - MAC - Switch 1. Physical - Wire - Hub / Repeater
Repeater
✔Receives and re-transmits for longer distance ✔Layer 1 / Physical
Hub
✔Connect many devices for the exchange of data ✔Broadcasts to all connected devices ✔Lots of collisions ✔Does not learn MAC addresses ✔Layer 1 /Physical Layer
Switch
✔Smarter than hub ✔Broadcasts to required devices ✔No collisions in full duplex mode ✔Stores MAC addresses ✔Layer 2 / Data Link Layer
Bridge
✔Works like a Layer 2 switch (Data Link Layer) ✔Looks at MAC address and forwards to destination ✔Can store frames and act as a storage and forward device ✔Only has a few ports
Router
✔More intelligent than a Layer 2 switch ✔Layer 3 / Network Layer (IP) ✔Router examines IP address and makes intelligent decisions to forward packet to proper destination ✔Network segments connected via Router remain logically separate and can function as independent network ✔Routers Can: 🎈Block broadcast information 🎈Block traffic to unknown addresses 🎈Filter traffic based on network or host information
Backups
✔Full - Backup Everything - Slowest and lots of tapes ✔Differential - Everything that changed since last Full Backup ✔Incremental - Everything that changed since last backup (either Full or Incremental) - Fastest and fewest tapes
Restoration
✔Full - Fastest ✔Differential - Middle ✔Incremental - Slowest
Metadata
Data that describes data - this is the most important factor for designing Data Warehouses.
Penetration Testing
✔External - Attack on network perimeter ✔Internal - attack on target from within the perimeter ✔Blind - Attacker has Limited or No Knowledge of target's systems ✔Double Blind - Blind, plus the admin and security team don't know about the attack ✔Targeted - Attacker and security team are all aware. ✔Make sure Management knows about the test
Audit Scope
✔Include exact IP addresses to be included ✔Details of Hosts Not to be included ✔Details of testing techniques ✔NDA - Non-Disclosure Agreement ✔Responsibility of penetration tester to provide appropriate warning of tests to avoid false alarms to law enforcement
Threat Intelligence
✔The process of investigating and collecting information about emerging threats and threat sources. ✔Helps organizations understand external threats
Types of Wireless Networks
✔WWANs - Wide Area (radio, satellite) ✔WLANs - Regular ol' WiFi ✔WPANs - Personal Area - Bluetooth ✔Wireless Ad Hoc networks - Dynamic, like cell phones
WiFi Security Good Practices
✔Enable MAC Filtering ✔Enable Encryption (adds confidentiality) 🎈Dynamic keys are better than static keys ✔Disable SSID broadcast ✔Disable DHCP
SSL/TLS - Secure Sockets layer / Transport Layer Security
✔Uses a Symmetric (shared secret) key exchanged via Asymmetric encryption ✔Protects web and email ✔Provides the Best overall control for an internet business looking for Confidentiality, Integrity, and Reliability
War Driving, War Walking
✔Driving and walking around trying to join / hack visible WiFi networks ✔Hackers use War Driving to hack networks
War Chalking
Drawing symbols in public places to show others an open WiFi Network
WPA2
✔The most secure standard for WiFi ✔WEP was first, then WPA, now WPA2
Packet Filtering Router
✔Simplest and earliest firewall ✔Allow or Deny per IP and Port number of source and destination packets ✔Works at Network Layer 3
Stateful Inspection Firewall
✔Keeps track of the destination of each packet that leaves the internal network ✔It ensures that incoming message is in response to the request that went out of the organization, and refuses all other messages. ✔Network Layer 3
Bastion Host
✔The firewall handles all the incoming requests from the Internet to the corporate Network ✔Circuit Level and Application Level Firewalls use this ✔Requires authentication for users to gain access to proxy services ✔It is configured to access specific hosts
Circuit Level Firewall
✔Works on the concept of Bastion Host and Proxy Server ✔One Proxy for all Services ✔Does not allow a direct exchange of packets between the Internet and the internal server ✔System is hardened ✔Works on Session Layer 5
Application Level Firewall
✔Works on the concept of Bastion Host and Proxy Server ✔Does not allow a direct exchange of packets between the Internet and the internal server ✔System is hardened ✔Separate Proxy servers for each application (FTP, Telnet, HTTP) ✔These are the most secure firewalls ✔Runs on Application Layer 7
Firewall Implementation
✔Dual Homed - 2 NICs, 1 router ✔Screened Host - 1 NIC, 1 router ✔Screened Subnet (Demilitarized Zone) - 2 routers (Safest)
Types of Access Control
✔Mandatory (MAC) ✔Discretionary (DAC) ✔Role-Based (great for user access, and often used for computer to computer application access) ✔Rule-Based
Steps to Implement Logical Access Controls
1. Inventory of IS resources 2. Classification of IS resources (the first step of classification is to find the data/application owner) 3. Grouping / Labeling of IS resources 4. Make the List
Mandatory Access Control (MAC)
✔Set by InfoSec ✔Better than DAC
Discretionary Access Control (DAC)
✔Set by data owners or normal users
Role-Based Access Control
✔Access is based on roles individuals have within the organization ✔Users are assigned roles which have been assigned various privileges needed to perform that role ✔There is no way to limit Role-Based Access
Classification of Assets
✔Reduces the Risk of Under-Protecting data ✔Reduces the Cost of Over-Protecting data ✔Must consider: 🎈Legal / Regulatory / Contractual 🎈Confidentiality, Integrity, Availability
Steps in Data Classification
1. Inventory Information Assets 2. Establish ownership for each asset 3. Classification of Assets (public, private, sensitive) 4. Labeling of Information Assets 5. Creation of Access Control List
Hardware Maintenance Program
✔Needs to be validated against vendor specifications. ✔Need to ensure a formal plan has been developed and approved by management. ✔Reports include Availability, Utilization, Asset Management, etc
Data Systems Owner
✔Classifies the Data ✔Accountable for maintenance of proper security controls
Digital Signature vs Digital Certificate
✔A certificate binds a digital signature to an entity, whereas a digital signature is to ensure that data/information remains secure from the point it was issued. ✔Digital certificates are used to verify the trustworthiness of a person (sender), while digital signatures are used to verify the trustworthiness of the data being sent. ✔Digital Signatures do not ensure confidentiality
Digital Certificate
✔Provides sender authenticity, message integrity, and non-repudiation
Web Site Certificate
Provides Authentication of the Web Site to be surfed
Digital Signature
✔A process where digital code is attached to an electronically transmitted document to verify its content and the sender's identity ✔Ensures Integrity, Authentication, and Non-repudiation ✔Does NOT ensure Confidentiality
Steps for Digital Signature
1. Create a Hash Value of the Message 2. Encrypt the Hash of the Message with the Private Key of the sender/signer 3. Receiver creates a Hash of the Message 4. Receiver decrypts the Hash with the Sender's Public Key 5. Receiver compares the two Hashes
Hash
A mathematical algorithm which produces a unique fixed-length string for any given message
Symmetric Encryption
✔A Single Key is used to encrypt and decrypt ✔Faster computation and processing ✔Less expensive than Asymmetric ✔The challenge is safely sharing the key with the other party
Asymmetric Encryption
✔Uses Two Keys; Public and Private ✔A message encrypted with one key can be decrypted with the other ✔Slower computation and processing ✔More expensive than Symmetric
Keys
✔Public keys are public ✔Private keys are private ✔Keys achieve Confidentiality, Integrity, and Availability
Confidentiality and the use of Keys
Ensured by encrypting the message with the receiver's Public Key
Authentication / Non-repudiation and the use of Keys
✔Make a Hash of the message ✔Encrypt Hash with Sender's Private Key
Integrity and the use of Keys
✔Make a Hash of the message ✔Encrypt the Hash with the Sender's Private Key
Confidentiality & Authentication and the use of Keys
✔Sender encrypts message with Receiver's Public Key ✔Sender Hashes the message and encrypts the hash with Sender's Private Key.
Confidentiality & Authentication & Integrity
✔Sender encrypts message with Receiver's Public Key ✔Sender Hashes the message and encrypts the hash with Sender's Private Key.
Asymmetric use with Symmetric
✔Sender encrypts the Symmetric key with the receiver's Public Key. ✔Sender encrypts message with Sender's private key.
Elliptic Curve Cryptography (ECC)
✔An asymmetric encryption algorithm commonly used with smaller wireless devices. ✔It uses smaller key sizes and requires less processing power than many other encryption methods ✔Smaller keys are more suitable to mobile devices.
PKI Public Key Infrastructure
✔A Framework to issue, maintain, and revoke Public Key Certificates by a trusted 3rd party known as a CA (Certifying Authority) ✔Does not provide encryption, only Authentication and Integrity
Public Key Infrastructure (PKI) Process
1. Applicant applies for a Digital Certificate from the Certification Authority (CA) 2. Certification Authority (CA) delegates the verification process to the Registration Authority (RA) 3. Registration Authority (RA) validates the information and tells the Certification Authority (CA) to issue the certificate 4. Certification Authority (CA) issues the Certificate and manages the Certificate 5. Certification Authority (CA) maintains a list of certificates that have been revoked/terminated before their expiration date. This list is known as the Certificate Revocation List (CRL) 6. The Certification Authority (CA) will also have a Certification Practice Statement (CPS) in which standard operating procedures (SOPs) for issuance of certificates and other relevant details are documented.
Certificate Revocation List (CRL)
A list, maintained by the Certification Authority (CA), of certificates that have been compromised or revoked by the owner.
Certification Practice Statement (CPS)
✔Describes how the Certificate Authority issues certificates and details about the certificate. ✔Provides value and trustworthiness of certificates
Certification Authority (CA)
✔A trusted third party that issues digital certificates ✔Issues and manages certificates ✔Is solely responsible for issuance of digital certificates ✔Is responsible for managing the certificate throughout its life-cycle ✔Delegates to the Registration Authority (RA) some of the administrative functions like verification of information needed to issue certificates ✔Validates and authenticates the holder of the certificate after issuance of the certificate ✔Organizations owning their own CA may be considered weaker
Registration Authority (RA)
✔An Optional Entity ✔Verifies the information provided by the applicant and tells the Certificate Authority (CA) to issue the certificate ✔Validates and authenticates information of the applicant before issuance of the certificate ✔Verifies the applicant is in possession of the private key - Proof of Possession (POP) ✔Distributes physical tokens containing private keys ✔Establishes a link between the requestor and its public key ✔Does NOT sign certificates
Pharming
Can be conducted either by changing the hosts file on a victim's computer or by exploiting a vulnerability in DNS server software
Dual Control
Two people carry out an operation
Biometrics
✔Metric related to human characteristics ✔Any means by which a person can be uniquely identified by evaluating one or more biological features
False Acceptance Rate (FAR)
✔A measurement of invalid users that will be falsely accepted by the system. ✔Rate of false acceptances as a percentage of total access attempts ✔Rate of biometric acceptance of unauthorized persons. ✔This is a Type II error ✔This is the MOST important error rate ✔Retina Scan has the lowest / best rate
Biometric Life Cycle
1. Enrollment 2. Transmission and Storage 3. Verification 4. Identification 5. Termination Process
False Rejection Rate (FRR)
✔A measurement of valid users that will be falsely rejected by the system. ✔This is called a Type I error.
Crossover Error Rate (CER) or Equal Error Rate (EER)
✔The rate where FAR and FRR are equal ✔Lower rates are better / more effective / fewer errors ✔This is the best overall performance indicator
Biometric Attacks
✔Replay - Residual fingerprint ✔Brute Force - Uses numerous different samples ✔Cryptographic - targets the algorithm or encrypted data ✔Mimic - imitating a voice - fake the biometric tool
Intrusion Detection (IDS)
✔Monitors a network or host for intrusive activities ✔Not a substitute for a firewall
Network Based IDS
✔High False Positive Rate ✔Better for detecting attacks from outside ✔Check for attacks or irregular behaviors by inspecting contents and header information of all the packets moving across the network
Host Based IDS
✔Low False Positive rate ✔Better for detecting attacks from insider ✔Detect activity on the host computer such as deletion of files and modification of programs
IDS Components
✔Sensors - Collect Data ✔Analyzers - Analyze data and determine intrusive activity ✔Administrative Console - To manage rules ✔User Interface - Enable user to view results and take necessary action
Types of Intrusion Detection Systems
✔Signature Based - Based on known pattern types of attacks. ✔Statistical Based - Determine Normal behavior, and trigger outside of that (Most number of False Positives) ✔Neural Network - Like Statistical, but adds self-learning. It monitors the network and everything goes into the database.
Limitations of IDS
✔Does not detect Application Level vulnerabilities ✔Does not detect back doors to applications ✔Does not detect attacks in encrypted traffic
EUC (End User Computing)
End user created programs. ✔Fast ✔May lack testing and general controls
CGI Scripts (Common Gateway Interface)
✔Scripts that run on web servers ✔May allow a user to get unauthorized access to the servers
Java Servlet
✔Similar to CGI Scripts ✔Once started, these stay in memory which speeds up the processes
Business Impact Analysis (BIA)
✔An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems. ✔Helps define recovery strategies
BCP - Business Continuity Plan
✔The Disaster Recovery Plan is a sub-part of this ✔Manage risk while recovering from an event that adversely affected operations ✔Main goal is to protect human life ✔The activation of the plan is based on the duration of the outage ✔Employee Training is essential
BCP Testing
✔Pretest - set up equipment ✔Test - the actual operational activities are executed ✔Post-test - cleanup. Other tests: ✔Paper Test / Desk Based Evaluation - walk-through ✔Preparedness Test - actual resources do a simulation. Usually preceded by a Paper Test ✔Tabletop Test - involves participation of relevant members of the crisis management/response team to practice proper coordination ✔Functional Test - test of a scenario with limited IT involvement ✔Full Operational Test - one step below actual service disruption
Intrusion Prevention System (IPS)
✔Like an IDS, but adds prevention ✔Improperly set thresholds / limits can block legitimate traffic ✔Can be used by attackers - lots of bad traffic may clog the IPS and cause it to be dysfunctional
Single Sign On (SSO)
User authentication service that permits a user to use one set of credentials to access multiple applications
Advantages of Single Sign On (SSO)
✔Multiple passwords not required ✔Improves administrator's ability to manage user's accounts ✔Reduces administrative overhead cost in resetting passwords ✔Reduces time taken by users to log into multiple applications
Single Sign On (SSO) vs Reduced Sign On (RSO)
✔SSO - User signs in once (Kerberos) ✔RSO - User signs into multiple systems with the same user name and password
Disadvantages of Single Sign ON (SSO)
✔Acts as a single authentication point for multiple applications, which constitutes the risk of a single point of failure (Most Important) ✔Support of all major operating system environments is difficult ✔Complex passwords are the BEST CONTROL
Fire Suppression Systems
✔Wet-Pipe Water-Based Systems (Danger to Equipment) ✔Dry Pipe Systems (Water) ✔Halon Systems ✔FM-200 ✔Argonite ✔Carbon Dioxide-CO2
Halon
✔Removes Oxygen from the room ✔Not Safe for Humans ✔Should have an alarm, then a delay, then it should discharge ✔Banned since it destroys the ozone layer ✔Replaced with FM-200 and Argonite
FM-200
✔Replaces Halon Gas ✔Colorless and odorless ✔Is safe near humans ✔Environmentally Friendly ✔Commonly used as a gas fire suppression agent ✔Often the preferred method of fire suppression
Argonite Gas
✔Mixture of 50% Argon and 50% Nitrogen ✔Also used as a gaseous fire suppression agent ✔Environmentally friendly and non-toxic ✔People have suffocated in Argonite
CO2 (Carbon Dioxide)
✔Pressurized CO2 replaces the Oxygen ✔Not safe for Humans ✔In many countries, it is illegal to release automatically if a human may be in the area ✔Is permitted where no humans are regularly present (such as a data center)
What gas is safe for Human Life
✔Safe - Argonite, FM-200 ✔Not Safe - Halon, CO2 ✔Keep in mind people have suffocated in Argonite
Cloud Computing
✔Uses remote servers hosted on the Internet to store, manage, and process data ✔No worries about system maintenance ✔Automates computing capabilities like network, storage, server, etc., with no human intervention ✔Can be accessed anywhere by anything ✔Rapid and Scalable ✔Relies on sharing of resources to achieve coherence and economies of scale, similar to a public utility ✔Ability to monitor, control, and report usage of the resource
Service Models of Cloud Computing
✔IaaS - Infrastructure as a Service ✔SaaS - Software as a Service ✔PaaS - Platform as a Service
IaaS (Infrastructure as a Service)
✔Cloud-hosted provider of virtualized servers and networks ✔End users or IT Architects will use virtual machines as per their requirements ✔Physical servers are not maintained by the users ✔Amazon Web Services, Google Compute Engine, OpenStack, etc.
Software as a Service (SaaS)
✔Provides ability to the end users to access an application over the Internet ✔Application is hosted and managed by the service provider ✔Users are not required to maintain or control application development platform and related infrastructure ✔Google Docs, Office 365, Salesforce.com
Platform as a Service (PaaS)
✔Provides platform to the users to develop and deploy an application on the development platform provided by the service provider ✔In traditional application development, the application will be developed locally and will be hosted in a central location ✔This changes the application development from local machine to online ✔Google AppEngine, Windows Azure
Cloud Computing Deployment Models
✔Private Cloud ✔Public Cloud ✔Hybrid Cloud ✔Community Cloud
Private Cloud
The cloud is used exclusively for the benefit of a particular organization. It resides within the boundaries of the organization ✔More secure environment and less chance of data leakage ✔Centralized control of cloud by organization itself ✔SLA does not exist or is very weak
Public Cloud
Open for use by the general public. Offered on a pay-per-use basis ✔Highly Available ✔Highly Scalable ✔Affordable Cost ✔Less secure than other models ✔Strict SLAs
Hybrid Cloud
Combination of public and private. Initially, the private cloud is used, then additional resources in the public cloud are used. ✔More complex since more than 1 model is used ✔Less secure than private cloud ✔Highly Scalable ✔Better SLA than private cloud
Community Cloud
Cloud is used by specific community of consumers that have shared interests ✔Collaborative maintenance is required. ✔No single company has control over the cloud ✔Less secure than private cloud / more secure than public cloud ✔Cost effective
Cloud Compliance with Legal Requirements
✔Verify whether the regulations of the locations where the infrastructure resides are aligned with the enterprise's requirements ✔Contract to include terms that restrict the movement of assets to approved locations (MOST Important) ✔To prevent disclosure, encrypt the asset prior to migration to the Cloud Service Provider (CSP) ✔An Indemnity Clause included in the contract with the service provider
Cloud Physical Security
✔Verify the Cloud Service Provider's (CSP's) physical security policy and ensure that it aligns with the enterprise's security policy ✔Obtain a copy of independent security reviews or audit reports (BEST) ✔Bind the CSP through a contract to align with the enterprise's security policy and to implement the necessary controls to ensure it ✔Verify the CSP's disaster recovery plans and ensure that they contain the necessary arrangements to protect assets
Cloud Data Disposal
✔Verify the CSP's technical specifications and controls that ensure data are properly wiped as per requirements ✔Contract should specify that upon contract expiration a mandatory data wipe is carried out in the presence of a representative of the company
Cloud Application Disposal
✔Contract should specify the requirement for proper disposal of applications, including objects, source and backups ✔Contract should also include a non-compete clause
Cloud Identity and Access Management
✔Contract should include a "right to audit" clause ✔Contract should specify implementation of the necessary controls to ensure access only to authorized users ✔Obtain a copy of independent security reviews or audit reports of the CSP
Cloud Collateral Damage
✔Contract should specify the requirement of notification to the enterprise in case of any event ✔Contract should specify availability of the contracted capacity, and the same should not be directed to other tenants (Instances) without approval ✔Use a private cloud deployment (no Multi Tenancy)
Security objectives for Cloud Computing
✔To ensure availability of information systems and data on a continuous basis ✔To ensure the integrity and confidentiality of information and sensitive data while stored and in transit ✔To ensure compliance with relevant laws, regulations and standards
Cloud Computing Auditing
✔Clarity with respect to data ownership, data custody, and security administration related to the cloud environment ✔Consider legal requirements, laws, regulations and the unique risks of the cloud environment (Legal is MOST important) ✔Limitations on the "right to audit" clause, as it may not be possible to audit the physical perimeter of the cloud environment
Right to Audit
✔Always have vendors include this in the contract ✔At a minimum, you need to have access to 3rd-party versions
Virtualization
✔Allows users to run multiple operating systems simultaneously on a single server ✔Main goal is to manage workloads by transforming traditional computing to make it more scalable ✔Uses a physical machine's full capacity by distributing its capabilities among many users or environments ✔Provides an enterprise with a significant opportunity to increase efficiency and decrease costs ✔Creates a layer between the hardware and the guest OSs to manage shared memory and shared processing resources on the host
Elements of Virtualization
✔Server / Hardware ✔Hypervisor - Known as the HOST - software, firmware or hardware that creates and runs the virtual machine environment ✔Guest machines: Virtual elements - servers, firewalls, or anything else that has been virtualized
Virtualization Deployment Methods
✔Bare Metal / Native Virtualization - Hypervisor runs directly on the hardware without a host OS ✔Hosted Virtualization - Hypervisor runs on top of the Host's OS ✔Containerization - Containers run as isolated processes in userspace on the Host OS
Disadvantages of Virtualization
✔Poor configuration of the host may create vulnerabilities for the host as well as the guests ✔Any attack against the host could affect all the guests ✔Inadequate security of the management console creates a risk of unapproved administrative access to the host's guests ✔Performance issues of the host's own OS could impact each of the host's guests ✔Risk of data leakage between guests if there is poor control over memory release and allocation
Virtualization Key Risk Areas
✔Installation of toolkits as a hypervisor below the Operating System, creating a risk of interception of the Guest OS ✔Improper configuration of the hypervisor's partitioning of resources (CPU, Memory, Drive Space, etc.) can allow unauthorized access to resources ✔On hosted virtualization, mechanisms called guest tools can allow an attacker to gain access to particular resources ✔On hosted virtualization, products rarely have hypervisor access controls. Anyone who can launch an application on the host OS can run the hypervisor
Controls for Virtualization
✔Securely configure and harden the hypervisors and guest images ✔Encrypt hypervisor management communications ✔Ensure regular patch updates for the hypervisor ✔Synchronize to a time server ✔Disconnect all unused hardware ✔Disable hypervisor services such as Clipboard and File Sharing between the Guest OS and Host OS ✔Log and monitor security events of each OS ✔File integrity monitoring of the hypervisor
Controls
Policies, Procedures, mechanisms, systems, and other measures designed to reduce risk.
Types of Controls
✔Physical - video surveillance (BEST Physical), fences ✔Technical/Logical - Encryption, computer access controls, logs ✔Administrative/Managerial - policies and procedures
Classes of Controls
✔Preventative - Login screen, Encryption ✔Detective - The VIEWING of Video and logs ✔Deterrent - Dogs, guards, visible video ✔Corrective - the act of improving a process found to be defective ✔Compensating - implemented when a direct control cannot be used ✔Recovery - Virus removal tool
Control Effectiveness Testing
Checked by the auditor conducting the process again (re-performance)
Process Effectiveness Testing
Checked by conducting a walk-through
SCADA (Supervisory Control And Data Acquisition)
Centralized systems that monitor and control entire sites.
CSIRT (Computer Security Incident Response Team)
✔Disseminate security alerts, guidelines, and updates to users and assist them in understanding the risks
Honeypot
✔Vulnerable computer that is set up to entice an intruder to break into it ✔Provides the MOST relevant information for proactively strengthening security settings
Utilization Data
Servers shouldn't be over- or under-utilized.
Tips
✔With Best / Most Concerning / Worst questions, read them as though all the answers have already occurred, and you have to choose at this point ✔Seems whenever they ask about Fraud, Integrity is the Answer ✔Auditor should audit high-risk things first, then work down. Work it from the Risk Assessment ✔When it comes to BCP, testing is usually the most important thing to do ✔DRP - always make sure you have enough resources in the other location ✔Patching needs change management (for testing and risk review) ✔Unencrypted passwords and data are a bigger issue than most other security issues ✔Preventative Controls are better than Detective Controls ✔From a Risk standpoint, loss of data is much worse than loss of function ✔"Gap" is tied to "Existing" ✔"Accountability" is tied to "Log/Audit Trail"