© 2012 Deloitte Development LLC

Chapter 5: Protection of Information Assets

2012 CISA Exam Cram Course

Chapter 5 Learning Objectives

• Outline the information security policies, standards, and procedures for completeness and alignment with generally accepted practices.
• Evaluate the design, implementation, and monitoring of system and logical security controls to verify the confidentiality, integrity, and availability of information.
• Assess the design, implementation, and monitoring of the data classification processes and procedures for alignment with the organization's policies, standards, procedures, and applicable external requirements.
• Assess the design, implementation, and monitoring of physical access and environmental controls to determine whether information assets are adequately safeguarded.
• Describe the processes and procedures used to store, retrieve, transport, and dispose of information assets (for example, backup media, offsite storage, hard copy or print data, and soft copy media) to determine whether information assets are adequately safeguarded.

Course Agenda

• Information Security Management
• Logical Access Controls
• Auditing Logical Access
• Environmental Issues & Exposures
• Physical Access Issues & Exposures
• Mobile Computing

Exam Relevance

Chapter 5, Protection of Information Assets, will represent approximately 30% of the CISA examination (approximately 60 questions).

Information Security Management

5.2 Importance of Information Security Management

Security objectives to meet the organization's business requirements include:

• Ensure continued availability of information systems
• Ensure integrity of the information stored on computer systems
• Preserve confidentiality of sensitive data
• Ensure conformity to applicable laws, regulations, and standards
• Ensure adherence to trust and obligation in relation to any information relating to an identified or identifiable individual
• Preserve confidentiality of sensitive data in store and in transit

5.2.1 Key Elements of Information Security Management

Key elements of information security management are:

• Senior management commitment and support
• Policies and procedures
• Organization
• Security awareness and education
• Monitoring and compliance
• Incident handling and response

5.2.2 Information Security Management Roles and Responsibilities

Responsibilities to consider by position include:

• IS security steering committee
• Executive management
• Security advisory group
• Chief Privacy Officer (CPO)
• Chief Security Officer (CSO)
• Process owners
• Information asset owners and data owners
• Users
• External parties
• Security administrator
• Security specialists or advisors
• IT developers
• IS auditors

5.2.3 Inventory and Classification of Information Assets

The inventory record of each information asset should include:

• Specific identification of the asset
• Relative value to the organization
• Location
• Security or risk classification
• Asset group
• Owner
• Designated custodian

5.2.4 System Access Permission

• Who has access rights, and to what?
• What is the level of access to be granted?
• Who is responsible for determining the access rights and access levels?
• What approvals are needed for access?

5.2.5 Access Controls

The two types of access control are:

• Mandatory Access Control
  o Enforces corporate security policy
  o Compares sensitivity of information resources
  o Controls are prohibitive in nature
• Discretionary Access Control
  o Enforces data owner-defined sharing of information resources

5.2.6 Privacy Management Issues and the Role of IS Auditors

Privacy impact analyses or assessments should:

• Pinpoint the nature of personally identifiable information associated with business processes
• Document the collection, use, disclosure, and destruction of personally identifiable information
• Ensure that accountability for privacy issues exists
• Be the foundation for informed policy, operations, and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk

5.2.6 Privacy Management Issues and the Role of IS Auditors

Compliance with privacy policy and laws:

• Identify and understand legal requirements regarding privacy from laws, regulations, and contract agreements
• Check whether personal data are correctly managed with respect to these requirements
• Verify that the correct security measures are adopted
• Review management's privacy policy to ascertain that it takes into consideration the requirements of applicable privacy laws and regulations

5.2.7 Critical Success Factors to Information Security Management

• Strong commitment and support by senior management on security training
• A professional, risk-based approach must be used systematically to identify sensitive and critical resources

5.2.8 Information Security and External Parties

Exhibit 5.4 – Risks Related to External Party Access

• The information processing facilities an external party is required to access
• The type of access the external party will have to the information and information processing facilities, for example:
  o Physical access, e.g., to offices, computer rooms and filing cabinets
  o Logical access, e.g., to an organization's database and information systems
  o Network connectivity between the organization's and the external party's network(s), e.g., permanent connection and remote access
  o Whether the access is taking place onsite or offsite
• The value and sensitivity of the information
• How the organization or personnel authorized to have access can be identified, the authorization verified, and how often this needs to be reconfirmed
• The different means and controls employed by the external party when storing, processing, communicating, sharing and exchanging information
• The impact of access not being available to the external party when required, and of the external party entering or receiving inaccurate or misleading information
• Practices and procedures to deal with information security incidents and potential damages, and the terms and conditions for the continuation of external party access in the case of an information security incident
• Legal and regulatory requirements and other contractual obligations relevant to the external party that should be taken into account
• How the interests of any other stakeholders may be affected by the arrangements

5.2.8 Information Security and External Parties

Exhibit 5.5 – Customer Access Security Considerations

• Asset protection, including:
  o Procedures to protect the organization's assets, including information and software, and management of known vulnerabilities
  o Procedures to determine whether any compromise of the assets, e.g., loss or modification of data, has occurred
  o Integrity
  o Restrictions on copying and disclosing information
• Description of the product or service to be provided
• The different reasons, requirements and benefits for customer access
• Access control policy, covering:
  o Permitted access methods, and the control and use of unique identifiers such as user IDs and passwords
  o An authorization process for user access and privileges
  o A statement that all access that is not explicitly authorized is forbidden
  o A process for revoking access rights or interrupting the connection between systems
• Arrangements for reporting, notification and investigation of information inaccuracies (e.g., of personal details), information security incidents and security breaches
• The target level of service and unacceptable levels of service
• The right to monitor and revoke any activity related to the organization's assets
• The respective liabilities of the organization and the customer
• Responsibilities with respect to legal matters and ensuring that the legal requirements are met, e.g., data protection legislation, especially taking into account different national legal systems if the agreement involves cooperation with customers in other countries
• Intellectual property rights (IPRs) and copyright assignment, and protection of any collaborative work

5.2.11 Security Incident Handling and Response

A formal incident response capability should be established and should include the following phases:

• Planning and preparation
• Detection
• Initiation
• Recording
• Evaluation
• Containment
• Eradication
• Escalation
• Response
• Recovery
• Closure
• Reporting
• Post-incident review
• Lessons learned

Logical Access Controls

5.3 Logical Access Controls

Logical access controls are the primary means used to manage and protect information assets.

The advantages of using logical access controls are:

• They ensure the integrity of the information stored on the computer system
• They preserve the confidentiality of sensitive data
• They ensure the continued availability of information systems

5.3.1 Logical Access Exposures

Technical exposures include:

• Data leakage
• Wire tapping
• Viruses and worms
• Logic bombs
• Denial-of-Service (DoS) attacks
• Distributed DoS (using Trojan horses)
• Computer shutdown
• War driving
• Piggybacking
• Trap doors
• Asynchronous attacks
• Rounding down
• Salami technique

5.3.2 Familiarization with the Organization's IT Environment

• It is important for IS auditors to gain a technical and organizational understanding of the organization's IT environment.
• This helps them identify the risk areas on which IS auditing should focus when planning current and future work, and finally to assess the logical controls effectively.
• The work includes reviewing:
  o The network
  o Operating system platforms
  o Database and application security layers

5.3.3 Paths of Logical Access

• Access, or points of entry, to an organization's IS infrastructure can be gained through several avenues.
• The general points of entry and/or modes of access into this infrastructure are:
  o Network connectivity
  o Remote access
  o Operator console
  o Online workstations or terminals

5.3.4 Logical Access Control Software

• General operating and/or application systems access control functions include the following:
  o Create or change user profiles
  o Assign user identification and authentication
  o Apply user logon limitation rules
  o Notification concerning proper use and access prior to initial login
  o Create individual accountability and auditability by logging user activities
  o Establish rules for access to specific information resources (for example, system-level application resources and data)
  o Log events
  o Report capabilities

5.3.4 Logical Access Control Software

• Database and/or application-level access control functions include:
  o Create or change data files and database profiles
  o Verify user authorization at the application and transaction levels
  o Verify user authorization within the application
  o Verify user authorization at the field level for changes within a database
  o Verify subsystem authorization for the user at the file level
  o Log database or data communications access activities for monitoring access violations

5.3.5 Identification and Authentication (I&A)

Some of I&A's common vulnerabilities that may be exploited to gain unauthorized system access include:

• Weak authentication methods
• Lack of confidentiality and integrity for the stored authentication information
• Lack of encryption for authentication and protection of information transmitted over a network
• Users' lack of knowledge of the risks associated with sharing passwords, security tokens, etc.

5.3.5 Identification and Authentication (I&A)

• Logon IDs and passwords (something you know)
  o Features of passwords
  o Password syntax (format) rules
• Token devices, one-time passwords (something you have and something you know)
  o Two-factor authentication technique
• Biometrics (something you are or something you do)
  o Management of biometrics
• Single Sign-On (SSO)
  o Advantages and disadvantages

5.3.5 Identification and Authentication (I&A)

Some of the best practices for login IDs are:

• Enforce a strict lock-out policy
• Deactivate IDs that are not used
• Set the system to automatically disconnect when there is no activity

Some rules to follow for passwords are:

• They should be a minimum of 8 characters
• They should be a combination of alphabetic, numeric, upper and lower case, and special characters
• They should be changed periodically (password history or no-reuse policy)

5.3.5 Identification and Authentication (I&A)

• Token devices and one-time passwords
  o Two-factor authentication technique (e.g., token card or USB, something you have; and a PIN, something you know)
• Biometrics
  o Quantitative measures (FRR, FAR, and FER)
  o Physically-oriented biometrics (something you are)
    § Retina scan (highly reliable, lowest FAR)
    § Face, hand or palm (less reliable due to lack of uniqueness)
  o Behavior-oriented biometrics (something you do)
    § Signature and voice recognition

5.3.5 Single Sign-On (SSO) in I&A

• SSO is the process for consolidating all organizational platform-based administration, authentication, and authorization functions into a single centralized administrative function.
• An SSO interfaces with:
  o Client-server and distributed systems
  o Mainframe systems
  o Network security, including remote access mechanisms

5.3.5 Advantages and Disadvantages of SSO in I&A

Advantages of SSO are:

• Multiple passwords are no longer required; therefore, a user may be more inclined and motivated to select a stronger password.
• It improves an administrator's ability to manage users' accounts and authorizations across all associated systems.
• It reduces administrative overhead in resetting forgotten passwords over multiple platforms and applications.
• It reduces the time taken by users to log into multiple applications and platforms.

Disadvantages of SSO are:

• Support for all major operating system environments is difficult.
• The costs associated with SSO development can be significant when considering the nature and extent of interface development and maintenance that may be necessary.
• The centralized nature of SSO presents the possibility of a single point of failure and total compromise of an organization's information assets.

5.3.6 Authorization Issues

Access restrictions at the file level include:

• Read, inquiry, or copy only
• Write, create, update, or delete only
• Execute only
• A combination of the above

Access Control Lists (ACLs) refer to a register of:

• Users who have permission to use a particular system resource
• The types of access permitted

Logical access security administration happens through either of the following:

• Centralized environment
• Decentralized environment

5.3.6 Authorization Issues

The advantages of conducting security administration in a decentralized environment are:

• Security administration is onsite at the distributed location
• Security issues are resolved in a timely manner
• Security controls are monitored frequently

Some of the risks associated with distributed responsibility for security administration are:

• Local standards might be implemented rather than those required
• Levels of security management might be below what can be maintained by central administration
• Unavailability of management checks and audits

5.3.6 Authorization Issues

Remote access security:

• Today's organizations require remote access connectivity to their information resources for different types of users such as employees, vendors, consultants, business partners, and customer representatives.
• TCP/IP Internet-based remote access is a cost-effective and inexpensive approach.

5.3.6 Authorization Issues

Remote access security risks include:

• Denial of service
• Malicious third parties
• Misconfigured communications software
• Misconfigured devices on the corporate computing infrastructure
• Host systems that are not secured appropriately
• Physical security issues over remote users' computers

5.3.6 Authorization Issues

Remote access security controls include:

• Policies and standards
• Proper authorizations
• Identification and authentication mechanisms
• Encryption tools and techniques (for example, the use of a VPN)
• System and network management

5.3.6 Authorization Issues

Remote access using Personal Digital Assistants (PDAs) raises control issues including the following:

• Compliance
• Approval
• Standard PDA applications
• Due care
• Awareness training
• PDA applications
• Synchronization
• Encryption
• Virus detection and control
• Device registration
• Camera use

5.3.6 Authorization Issues

• There can be several access issues with mobile technology. Therefore, these devices should be strictly controlled both by policy and by denial of use.
• Some of the possible actions to deal with the access issues include:
  o Banning all use of transportable drives in the security policy
  o Disabling use of mobile devices with a logon script that removes them from the system directory, where no authorized use of USB ports exists
  o If they are considered necessary for business use, encrypting all data transported or saved by these devices

5.3.6 Authorization Issues

Audit logging in monitoring system access provides management with an audit trail to monitor activities of a suspicious nature, such as a hacker attempting brute-force attacks on a privileged logon ID.

Access rights to system logs:

• Security and administration personnel who maintain logical access functions may have no need for access to audit logs
• Confidentiality of audit trail information needs to be protected
• A periodic review of system-generated logs can detect security issues, including inappropriate access rights
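As an added example (not part of the original course material), the following Go program applies the brute-force check described above to a constructed logon audit trail: it counts failed logons per ID inside a sliding time window and flags IDs that appear on an assumed list of privileged accounts. The log line format, the threshold, the window length and the privileged-ID list are all assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// LogonEvent is one parsed line from the constructed logon audit trail.
type LogonEvent struct {
	When   time.Time
	UserID string
	OK     bool
}

// Alert describes one user ID whose failed-logon count reached the threshold.
type Alert struct {
	UserID     string
	Failures   int
	Privileged bool
}

// sampleLog is a constructed audit trail in an assumed format:
// "<RFC3339 time> <user ID> <OK|FAIL>", one event per line.
var sampleLog = `2012-03-01T09:00:01Z jsmith FAIL
2012-03-01T09:00:03Z jsmith FAIL
2012-03-01T09:00:05Z jsmith OK
2012-03-01T09:10:00Z root FAIL
2012-03-01T09:10:01Z root FAIL
2012-03-01T09:10:02Z root FAIL
2012-03-01T09:10:03Z root FAIL
2012-03-01T09:10:04Z root FAIL
2012-03-01T09:10:05Z root FAIL
2012-03-01T11:00:00Z dbadmin FAIL
2012-03-01T12:00:00Z dbadmin FAIL
2012-03-01T13:00:00Z dbadmin FAIL
2012-03-01T14:00:00Z dbadmin FAIL
2012-03-01T15:00:00Z dbadmin FAIL
2012-03-01T16:00:00Z dbadmin FAIL
`

// privilegedIDs is an assumed list of privileged logon IDs that deserve attention.
var privilegedIDs = map[string]bool{"root": true, "dbadmin": true}

// ParseLog parses the constructed format; malformed lines are skipped rather
// than aborting the review, so a corrupted line cannot hide the rest.
func ParseLog(raw string) []LogonEvent {
	var events []LogonEvent
	for _, line := range strings.Split(raw, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		events = append(events, LogonEvent{When: t, UserID: f[1], OK: f[2] == "OK"})
	}
	return events
}

// DetectBruteForce flags any user ID with at least threshold failed logons
// inside a sliding window of the given length. Events need not arrive sorted.
func DetectBruteForce(events []LogonEvent, threshold int, window time.Duration) []Alert {
	byUser := map[string][]time.Time{}
	for _, e := range events {
		if !e.OK {
			byUser[e.UserID] = append(byUser[e.UserID], e.When)
		}
	}
	var alerts []Alert
	for user, times := range byUser {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		best, start := 0, 0
		for end := range times {
			// Slide the window start forward until every failure fits inside it.
			for times[end].Sub(times[start]) > window {
				start++
			}
			if n := end - start + 1; n > best {
				best = n
			}
		}
		if best >= threshold {
			alerts = append(alerts, Alert{UserID: user, Failures: best, Privileged: privilegedIDs[user]})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].UserID < alerts[j].UserID })
	return alerts
}

func main() {
	for _, a := range DetectBruteForce(ParseLog(sampleLog), 5, 10*time.Minute) {
		fmt.Printf("%s: %d failed logons within window (privileged=%v)\n", a.UserID, a.Failures, a.Privileged)
	}
}
```

With a ten-minute window the hourly failures against dbadmin never reach the threshold; widening the window to a day flags them as well, so the window length is a tuning decision for the periodic log review, not a fixed constant.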

5.3.6 Authorization Issues

Tools for audit trail (log) analysis:

• Audit reduction tools
• Trend or variance-detection tools
• Attack signature-detection tools

5.3.6 Authorization Issues

Attempted security violations can be detected or prevented by implementing the following:

• Intrusion Detection System (IDS)
• Intrusion Prevention System (IPS)

Restricting and monitoring access:

• Bypass Label Processing (BLP)
• System exits
• Special system logon IDs (vendor default IDs)

Naming conventions for logical access controls:

• Reduce the number of access rules required to protect system resources

5.3.7 Handling Confidential Information

Storing, retrieving, transporting and disposing of confidential information in a proper way is crucial for the business. Therefore, it is important to have policies for:

• Backup files of databases
• Data banks
• Disposal of media previously used to hold confidential information (for example, degaussing magnetic tapes)
• Management of equipment sent for offsite maintenance
• Public agencies and organizations concerned with sensitive, critical or confidential information
• E-token electronic keys
• Storage records

5.3.7 Handling Confidential Information

There is a chance of losing information during shipment or storage. Some of the recommendations applicable to all types of media are:

• Keep media out of direct sunlight
• Keep them free of liquids
• Keep them free of dust
• Minimize exposure to magnetic fields, radio equipment, or any source of vibration
• Do not transport in areas and/or at times of exposure to strong magnetic storms

5.3.7 Handling Confidential Information

Media Storage Precautions

Hard drives
• Store hard drives in antistatic bags, and be sure that the person removing them from the bag is static-free.
• If the original box and padding for the hard drive are available, use them for shipping.
• Avoid styrofoam packaging products or other materials that can cause static electricity.
• Quick drops or spikes in temperature are a danger, since such changes can lead to hard drive crashes.
• If the hard drive has been in a cold environment, bring it to room temperature prior to installing and using it.
• Avoid sudden mechanical shocks or vibrations.

Magnetic media
• Store tapes vertically.
• Store tapes in acid-free containers.
• Write-protect tapes immediately.

CDs and DVDs
• Handle by the edges or by the hole in the middle.
• Be careful not to bend the disc.
• Avoid long-term exposure to bright light.
• Store in a hard jewel case, not in soft sleeves.

Network Infrastructure Security

5.4 Network Infrastructure Security

Some of the controls over the communication network are as follows:

• Network control functions should be performed by technically qualified operators.
• Network control functions should be separated and the duties rotated on a regular basis, where possible.
• Network control software must restrict operators from performing certain functions (for example, the ability to amend or delete operator activity logs).
• Network control software should maintain an audit trail of all operator activities.
• Audit trails should be periodically reviewed by operations management to detect any unauthorized network operations activities.

5.4 Network Infrastructure Security

Some of the other controls over the communication network are:

• Network operation standards and protocols should be documented and made available to the operators, and should be reviewed periodically to ensure compliance
• Network access by system engineers should be monitored and reviewed closely to detect unauthorized access to the network
• Analysis should be performed to ensure workload balance, fast response time and system efficiency
• A terminal identification file should be maintained by the communications software to check the authentication of a terminal when it tries to send or receive messages
• Data encryption should be used, where appropriate, to protect messages from disclosure during transmission

5.4.1 LAN Security

The IS auditor should identify and document:

• LAN topology and network design
• LAN administrator or LAN owner
• Functions performed by the LAN administrator or owner
• Distinct groups of LAN users
• Computer applications used on the LAN
• Procedures and standards relating to network design, support, naming conventions, and data security

5.4.2 Client-Server Security

The control techniques that should be in place are:

• Securing access to data or applications
• Use of network monitoring devices
• Data encryption techniques
• Authentication systems
• Use of application-level access control programs

5.4.2 Client-Server Security

The areas of risk and concern in a client-server environment are:

• Access controls may be weak in a client-server environment
• Change control and change management procedures
• The loss of network availability may have a serious impact on the business or service
• Obsolescence of the network components
• The use of modems to connect the network to other networks
• The connection of the network to public switched telephone networks may be weak
• Changes to systems or data
• Access to confidential data and data modification may be unauthorized
• Application code and data may not be located on a single machine enclosed in a secure computer room, as with mainframe computing

5.4.3 Wireless Security Threats and Risk Mitigation

Some of the common threats are:

• Errors and omissions
• Fraud and theft committed by authorized or unauthorized users of the system
• Employee sabotage
• Loss of physical and infrastructure support
• Malicious hackers
• Industrial espionage
• Malicious code
• Foreign government espionage
• Threats to personal privacy

5.4.3 Wireless Security Threats and Risk Mitigation

• To mitigate these risks, an organization must adopt security measures and practices that help bring its risks to a manageable level.
• Some of the security requirements are:
  o Authenticity
  o Nonrepudiation
  o Accountability
  o Network availability

5.4.3 Wireless Security Threats and Risk Mitigation

• Malicious access to WLANs includes:
  o War driving
  o War walking
  o War chalking
• Malicious access to WPANs includes:
  o Man-in-the-middle attack

5.4.4 Internet Threats and Security

Network security attacks can be of two types:

Passive attacks: Examples of passive attacks that gather network information include network analysis, eavesdropping and traffic analysis, as explained in Exhibit 5.8.

Active attacks: Once enough network information has been gathered, the intruder will launch an actual attack against a targeted system to either gain complete control over that system or enough control to cause certain threats to be realized. This may include obtaining unauthorized access to modify data or programs, causing a denial of service, escalating privileges, accessing other systems, and obtaining sensitive information for personal gain. These types of penetrations or intrusions are known as active attacks. They affect the integrity, availability and authentication attributes of network security.

5.4.4 Internet Threats and Security

Passive attacks:

• Network analysis
• Eavesdropping
• Traffic analysis

Active attacks:

• Brute-force attack
• Masquerading
• Packet replay
• Phishing
• Message modification
• Unauthorized access through the Internet or web-based services
• Denial of service
• Dial-in penetration attacks
• E-mail bombing and spamming
• E-mail spoofing

5.4.4 Internet Threats and Security

Causal factors for Internet attacks are:

• Availability of tools and techniques on the Internet
• Lack of security awareness and training
• Exploitation of security vulnerabilities
• Inadequate security over firewalls

Internet security controls

5.4.4 Internet Threats and Security

Firewalls enable organizations to:

• Block access to particular sites on the Internet
• Limit traffic on an organization's public services segment to relevant addresses and ports
• Prevent certain users from accessing certain servers or services
• Monitor communications between an internal and an external network
• Monitor and record all communications between an internal network and the outside world to investigate network penetrations or detect internal subversion
• Encrypt packets that are sent between different physical locations within an organization by creating a VPN over the Internet (IP security [IPSec], VPN tunnels)

5.4.4 Internet Threats and Security

Firewall implementations can take advantage of the functionality available in a variety of firewall designs to provide a robust, layered approach to protecting an organization's information assets. Examples of firewall implementations are:

• Screened-host firewall
• Dual-homed firewall
• Demilitarized Zone (DMZ)

5.4.4 Internet Threats and Security

Some of the common firewall issues are:

• A false sense of security
• Circumvention of the firewall
• Misconfigured firewalls
• What constitutes a firewall
• Monitoring activities may not occur on a regular basis
• Firewall policies

5.4.4 Internet Threats and Security

Firewall platforms:

• Hardware or software
• Appliances versus normal servers

Firewall types:

• Router packet filtering
• Application firewall systems
• Stateful inspection

5.4.4 Internet Threats and Security

Intrusion Detection System (IDS)

• An IDS works in conjunction with routers and firewalls by monitoring network usage anomalies.
• The two types of IDS are:
  o Network-based IDS
  o Host-based IDS

5.4.4 Internet Threats and Security

Components of an IDS are:

• Sensors that are responsible for collecting data
• Analyzers that receive input from sensors and determine intrusive activity
• An administration console
• A user interface

Types of IDS are:

• Signature-based
• Statistical-based
• Neural networks

5.4.4 Internet Threats and Security

Features of an IDS are:

• Intrusion detection
• Gathering evidence on intrusive activity
• Automated response
• Security monitoring
• Interface with system tools
• Security policy management

5.4.4 Internet Threats and Security

• Honeypots act as decoy systems to detect active Internet attacks.
• There are two basic types of honeypots:
  o High interaction: gives attackers a real environment to attack
  o Low interaction: emulates production environments
• A honeynet is multiple honeypots networked together to let attackers break into a false network.

5.4.5 Encryption

• The key elements of encryption systems are:
  o Encryption algorithm
  o Encryption key
  o Key length
• There are two types of cryptographic systems:
  o Symmetric key systems (private key cryptographic systems)
  o Asymmetric key systems (public key cryptographic systems)

5.4.5 Encryption

Types of encryption are:

• Elliptic Curve Cryptosystem (ECC)
• Quantum Cryptography
• Advanced Encryption Standard (AES)
• Digital Signatures

5.4.5 Encryption

Features of a digital signature are:

• Data integrity
• Authentication
• Nonrepudiation
• Replay protection

Key notes:

• Digital signatures and public key encryption are vulnerable to man-in-the-middle attacks
• A digital signature is protected by a password. Compromise of the password is the most significant risk to this electronic signature scheme.

5.4.5 Encryption

A digital envelope:

• It is used to send encrypted information and the relevant key along with it.
• The message to be sent can be encrypted by using either:
  o An asymmetric key
  o A symmetric key
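As an added example, not from the course material, the following Go program builds and opens a digital envelope: the message is encrypted with a freshly generated symmetric key, and that key travels inside the envelope encrypted under the recipient's public key, so only the holder of the matching private key can recover it. The concrete algorithm choices (AES-256-GCM for the message, RSA-OAEP for wrapping the key) and the Envelope structure are assumptions for the illustration; the page names no specific algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope carries the symmetrically encrypted message together with the
// symmetric key, which is itself encrypted under the recipient's public key.
// (Assumed layout for this example.)
type Envelope struct {
	EncryptedKey []byte // AES key wrapped with RSA-OAEP
	Nonce        []byte // AES-GCM nonce, unique per message
	Ciphertext   []byte // AES-GCM output, authentication tag included
}

// Seal builds the envelope: a random AES-256 key encrypts the message (fast,
// symmetric), and the recipient's RSA public key encrypts only that key
// (slow, asymmetric, but needs no shared secret arranged in advance).
func Seal(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{EncryptedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the recipient side: unwrap the symmetric key with the private key,
// then decrypt the message. Any change to the ciphertext fails GCM's tag check.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.EncryptedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RoundTrip seals and opens msg with a freshly generated key pair, then flips
// one ciphertext bit and reports whether the tampered envelope is rejected.
func RoundTrip(msg string) (recovered string, tamperRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	env, err := Seal(&priv.PublicKey, []byte(msg))
	if err != nil {
		return "", false, err
	}
	pt, err := Open(priv, env)
	if err != nil {
		return "", false, err
	}
	env.Ciphertext[0] ^= 0x01 // constructed tampering with the sealed message
	_, tamperErr := Open(priv, env)
	return string(pt), tamperErr != nil, nil
}

func main() {
	pt, rejected, err := RoundTrip("constructed sample message")
	fmt.Printf("recovered=%q tamperRejected=%v err=%v\n", pt, rejected, err)
}
```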

5.4.5 Encryption

Features of a Public Key Infrastructure (PKI) are:

• Digital Certificates
• Certificate Authority (CA)
• Registration Authority (RA)
• Certificate Revocation List (CRL)
• Certification Practice Statement (CPS)

5.4.5 Encryption

Uses of encryption in OSI protocols are:

• Secure Sockets Layer (SSL)
• Secure Hypertext Transfer Protocol (S-HTTP)
• IP Security (IPSec)
• SSH
• Secure Multipurpose Internet Mail Extensions (S/MIME)
• Secure Electronic Transactions (SET)

5.4.6 VirusesViruses attack four parts of the computer. They are:• Executable program files• The file directory system which tracks the location of all the computer’s files• Boot and system areas which are needed to start the computer • Data files


5.4.6 Viruses
Ways to prevent viruses and worms are:
• Virus and worm controls
• Management procedural controls
• Technical controls (example, immunizers, integrity checkers, scanners)
• Anti-virus software implementation strategies
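Added example (not the deck's own material): an integrity checker, one of the technical controls named above. It records a SHA-256 baseline of every file under a directory while the system is known to be clean and later reports anything modified, added or removed, which is how a patched executable, a dropped file or a deleted system file is caught without a signature for the specific malware. Baseline, Snapshot, Compare and Demo, and the sample files the demo creates in a temporary directory, are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline maps a file path, relative to the scanned root, to the hex SHA-256 of its contents.
type Baseline map[string]string

// Snapshot hashes every regular file under root. Executables, system files and
// data files are all covered; the check does not care what a file is for.
func Snapshot(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, path) // path always lies under root here
		sum := sha256.Sum256(data)
		b[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return b, err
}

// Report lists what differs between the trusted baseline and the current state.
type Report struct {
	Modified, Added, Removed []string
}

// Compare is the integrity check proper: a patched executable, a file dropped
// into a system directory or a deleted file all surface here, with no malware
// signature involved.
func Compare(trusted, current Baseline) Report {
	var r Report
	for path, sum := range trusted {
		if now, ok := current[path]; !ok {
			r.Removed = append(r.Removed, path)
		} else if now != sum {
			r.Modified = append(r.Modified, path)
		}
	}
	for path := range current {
		if _, ok := trusted[path]; !ok {
			r.Added = append(r.Added, path)
		}
	}
	sort.Strings(r.Modified)
	sort.Strings(r.Added)
	sort.Strings(r.Removed)
	return r
}

// Demo builds a small directory of constructed files, baselines it, simulates
// an infection and returns the resulting report.
func Demo() (Report, error) {
	dir, err := os.MkdirTemp("", "integrity-demo")
	if err != nil {
		return Report{}, err
	}
	defer os.RemoveAll(dir)
	write := func(name, content string) error {
		return os.WriteFile(filepath.Join(dir, name), []byte(content), 0o644)
	}
	for name, content := range map[string]string{"payroll.exe": "MZ original program", "README.txt": "sample notes"} {
		if err := write(name, content); err != nil {
			return Report{}, err
		}
	}
	trusted, err := Snapshot(dir) // taken while the system is known to be clean
	if err != nil {
		return Report{}, err
	}
	// Simulated infection: the executable is altered, a dropper appears, a file vanishes.
	write("payroll.exe", "MZ original program + injected code")
	write("dropper.dll", "MZ")
	os.Remove(filepath.Join(dir, "README.txt"))
	current, err := Snapshot(dir)
	if err != nil {
		return Report{}, err
	}
	return Compare(trusted, current), nil
}

func main() {
	r, err := Demo()
	fmt.Printf("modified=%v added=%v removed=%v err=%v\n", r.Modified, r.Added, r.Removed, err)
}
```

The baseline is the control's weak point: it must be stored where malware running on the host cannot rewrite it (read-only media or a separate system), and the comparison must be run from a trusted copy of the checker, otherwise an infection that also edits the baseline goes unreported.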


5.4.7 Voice-Over IP
• VoIP security issue:
o The current Internet architecture does not provide the same physical wire security as the phone lines
• The key to securing VoIP:
o Security mechanisms such as those deployed in data networks (example, firewalls, encryption, etcetera) to emulate the security level currently used by PSTN network users
o Session border controllers enhance the security in the access network and in the core (example, protecting the VoIP infrastructure against DoS attacks)
o VoIP infrastructure needs to be segregated using Virtual Local Area Networks (VLANs)

Auditing Logical Access


5.5.2 Auditing Logical Access
When evaluating logical access controls, the IS auditor should:
• Obtain a general understanding of the security risks facing information processing.
• Document and evaluate controls over potential access paths into the system.
• Test controls over access paths to determine whether they are functioning and effective.
• Evaluate the access control environment to determine if the control objectives are achieved.
• Evaluate the security environment to assess its adequacy.


5.5.3 Techniques for Testing Security
• Terminal cards and keys
• Terminal identification
• Login IDs and passwords
• Controls over production resources
• Logging and reporting of access violations
• Follow-up of access violations
• Bypassing security and compensating controls

Auditing Network Infrastructure Security


5.6 Auditing Network Infrastructure Security
When performing an audit of the network infrastructure, the IS auditor should:
• Review network diagrams
• Identify the network design implemented
• Determine that applicable security policies, standards, procedures and guidance on network management and usage exist
• Identify who is responsible for security and operation of Internet connections
• Identify legal issues arising from Internet use
• Review Service Level Agreements (SLAs), if applicable
• Review network administrator procedures


5.6.1 Auditing Remote Access
• Assess remote access points of entry
• Test dial-up access controls
• Test the logical controls
• Evaluate remote access approaches for cost-effectiveness, risk and business requirements


5.6.1 Auditing Remote Access
Auditing Internet points of presence includes reviewing each way the organization uses the Internet:
• E-mail
• Marketing
• Sales channel or electronic commerce
• Channel of delivery for goods or services
• Information gathering


5.6.1 Auditing Remote Access
The audit scope for penetration testing should identify:
• Precise IP addresses or ranges to be tested
• Hosts that are restricted (excluded from testing)
• Acceptable testing techniques
• Acceptance of the proposed methodology by management
• Attack simulation details
Testing must stay within this scope: a scan that strays onto an unauthorized or excluded host is itself an incident, so targets should be checked against the agreed list before any probe is sent.
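Added example, not part of the deck: a Go scope check that enforces the first two items before any packet leaves the tester's machine. Given the authorized ranges and the restricted hosts, it accepts or rejects each candidate target with a reason, refuses host names (which must be resolved and re-checked as addresses), and treats a malformed scope entry as a hard error rather than silently widening the scope. Scope, NewScope, InScope, Filter and the RFC 5737 documentation addresses used as sample data are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Scope is the target set agreed with management before testing starts:
// ranges that may be probed, and individual hosts carved out of them.
type Scope struct {
	allowed  []netip.Prefix
	excluded map[netip.Addr]bool
}

// NewScope parses ranges (CIDR or single addresses) and excluded hosts. Any
// unparsable entry is an error: a typo in the scope file must stop the test,
// not silently widen it.
func NewScope(ranges, exclusions []string) (*Scope, error) {
	s := &Scope{excluded: map[netip.Addr]bool{}}
	for _, r := range ranges {
		r = strings.TrimSpace(r)
		p, err := netip.ParsePrefix(r)
		if err != nil {
			a, err2 := netip.ParseAddr(r) // accept a bare address as a /32 or /128
			if err2 != nil {
				return nil, fmt.Errorf("bad range %q: %w", r, err)
			}
			p = netip.PrefixFrom(a.Unmap(), a.Unmap().BitLen())
		}
		s.allowed = append(s.allowed, p.Masked())
	}
	for _, x := range exclusions {
		a, err := netip.ParseAddr(strings.TrimSpace(x))
		if err != nil {
			return nil, fmt.Errorf("bad exclusion %q: %w", x, err)
		}
		s.excluded[a.Unmap()] = true
	}
	return s, nil
}

// InScope reports whether one target may be tested and, if not, why.
// IPv4-mapped IPv6 forms (::ffff:a.b.c.d) are normalised so they cannot
// slip past an IPv4 exclusion.
func (s *Scope) InScope(target string) (bool, string) {
	a, err := netip.ParseAddr(strings.TrimSpace(target))
	if err != nil {
		return false, "not an IP address: resolve the name first and check the resolved address"
	}
	a = a.Unmap()
	if s.excluded[a] {
		return false, "host restricted: explicitly excluded by management"
	}
	for _, p := range s.allowed {
		if p.Contains(a) {
			return true, ""
		}
	}
	return false, "outside the authorized ranges"
}

// Filter splits a candidate list into testable targets and rejected ones with reasons.
func (s *Scope) Filter(targets []string) (ok []string, rejected map[string]string) {
	rejected = map[string]string{}
	for _, t := range targets {
		if in, why := s.InScope(t); in {
			ok = append(ok, t)
		} else {
			rejected[t] = why
		}
	}
	return ok, rejected
}

func main() {
	// Constructed scope: two authorized ranges (RFC 5737 documentation addresses)
	// and one production host that management excluded from active testing.
	scope, err := NewScope([]string{"203.0.113.0/24", "198.51.100.8/29"}, []string{"203.0.113.10"})
	if err != nil {
		panic(err)
	}
	ok, rejected := scope.Filter([]string{"203.0.113.5", "203.0.113.10", "198.51.100.9", "198.51.100.16", "192.0.2.1", "www.example.test"})
	fmt.Println("testable:", ok)
	for t, why := range rejected {
		fmt.Printf("skipped %s: %s\n", t, why)
	}
}
```

Feeding the testable list, rather than the raw target list, to the scanner turns the written scope into an enforced one; the rejected map is worth keeping as evidence that restricted hosts were never touched.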


5.6.1 Auditing Remote Access
The audit should also include:
• Full network assessment reviews
• Development and authorization of network changes
• Unauthorized changes
• Computer forensics

Environmental Issues and Exposures


5.7.1 Environmental Issues and Exposures
Environmental exposures are primarily due to naturally occurring events such as lightning storms, earthquakes, volcanic eruptions, hurricanes, tornadoes and other types of extreme weather conditions.

Power failures can be grouped into the following categories:
• Total failure (blackout)
• Severely reduced voltage (brownout)
• Sags, spikes and surges (short-duration drops or rises in voltage)
• Electromagnetic interference (EMI)


5.7.2 Controls for Environmental Exposures
Ways to control environmental exposures are:
• Alarm control panels
• Water detectors
• Handheld fire extinguishers
• Manual fire alarms
• Smoke detectors
• Fire suppression systems
o Dry-pipe sprinkler systems (most effective and environmentally friendly: water enters the pipes only when the system is triggered, so a leaking pipe cannot flood equipment)
• Strategically locating the computer room
• Regular inspection by the fire department


5.7.2 Controls for Environmental Exposures
More ways to control environmental exposures are:
• Fireproof walls, floors, and ceilings of the computer room
• Electrical surge protectors
• Uninterruptible power supply (UPS) or generator
• Emergency power-off switch
• Power leads from two substations
• Wiring placed in electrical panels and conduit
• Restricted activities within the IPF
• Fire-resistant office materials
• Documented and tested emergency evacuation plans

Physical Access Issues and Exposures


5.8.1 Physical Access Issues and Exposures
Exposures that result from accidental or intentional violation of physical access paths include:
• Unauthorized entry
• Damage to, vandalism of, or theft of equipment or documents
• Copying or viewing of sensitive or copyrighted information
• Alteration of sensitive equipment and information
• Public disclosure of sensitive information
• Abuse of data processing resources
• Blackmail
• Embezzlement


5.8.1 Physical Access Issues and Exposures
Possible perpetrators include employees who are:
• Disgruntled
• On strike
• Threatened by disciplinary action or dismissal
• Addicted to a substance or gambling
• Experiencing financial or emotional problems
• Notified of their termination


5.8.2 Physical Access Controls
Examples of some of the more common access controls are:
• Bolting door locks
• Combination door locks (cipher locks)
• Electronic door locks
• Biometric door locks
• Manual logging
• Electronic logging


5.8.2 Physical Access Controls
• Identification badges (photo IDs)
• Video cameras
• Security guards
• Controlled visitor access
• Bonded personnel
• Deadman doors (mantraps)


5.8.2 Physical Access Controls
• Not advertising the location of sensitive facilities
• Computer workstation locks
• Controlled single entry point
• Alarm system
• Secured report or document distribution cart
• Windows


5.8.3 Auditing Physical Access
• Touring the Information Processing Facility (IPF) is useful.
• Testing should extend beyond the IPF to include the following related facilities:
o Location of all operator consoles
o Printer rooms and computer storage rooms
o UPS or generator
o Location of all communications equipment identified on the network diagram
o Tape library
o Off-site backup storage facility

Mobile Computing


5.9 Mobile Computing
Controls to reduce the risk of mobile computing include:
• Use of a cable locking system
• Backup of critical and sensitive data on a regular basis
• Encryption of data
• Establishment of procedures for reporting incidents
• Ensuring authentication procedures are in place


Conclusion — Chapter 5

Here are the key takeaways from Chapter 5:
• Key elements of information security management (example, senior management commitment and support, policies and procedures, organization, security awareness and education, monitoring and compliance, and incident handling and response).

• General points of logical entry into a system (including logical protection at the network, platform, database, and application layers).

• Best practices for identification and authentication (default system accounts, normal user accounts, and privileged user accounts).


Conclusion — Chapter 5

Here are the key takeaways from Chapter 5:
• Differences between various types of biometric technologies and advantages or disadvantages of each.
• Various issues and risks associated with technologies used in network infrastructures (example, firewall implementation, the advantages or disadvantages of different types of intrusion detection or prevention systems, and encryption technologies).
• The proper maintenance of operating systems and other software (example, using only known and acknowledged services, removing those that are not needed, patching the vulnerabilities, and closing the ports that are not needed).

© 2011 Deloitte Development LLC

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's approximately 170,000 professionals are committed to becoming the standard of excellence.

This publication is for internal distribution and use only among personnel of Deloitte Touche Tohmatsu Limited, its member firms, and their related entities (collectively, the “Deloitte Network”). None of the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.