Appendix C. Memory Tables Answer Key

Chapter 2

TABLE 2-3 Description of Standards, Procedures, Guidelines, and Baselines

| Title | Description |
| --- | --- |
| Standards | Mandatory actions, explicit rules, or controls that are designed to support and conform to a policy. A standard should make a policy more meaningful and effective by including accepted specifications for hardware, software, or behavior. Standards should always point to the policy to which they relate. |
| Procedures | Written steps to execute policies through specific, prescribed actions; this is the how in relation to a policy. Procedures tend to be more detailed than policies. They identify the method and state, in a series of steps, exactly how to accomplish an intended task, achieve a desired business or functional outcome, and execute a policy. |
| Guidelines | An outline for a statement of conduct. This is an additional (optional) document in support of policies, standards, and procedures and provides general guidance on what to do in particular circumstances. Guidelines are not requirements to be met but are strongly recommended. |
| Baselines | Platform-specific rules that are accepted across the industry as providing the most effective approach to a specific implementation. |

TABLE 2-4 Key Risk Types

| Item | Attributes |
| --- | --- |
| Inherent risk | The risk that naturally occurs because of the nature of the business before controls are applied |
| Control risk | The risk that internal controls will not prevent a material error |
| Detection risk | The risk that misstatements or possibly material errors have occurred and were not detected |

TABLE 2-6 Control Categories

| Class | Function | Example |
| --- | --- | --- |
| Preventive | Prevents problems before they occur | Access control software that uses passwords, tokens, and/or biometrics |
| Detective | Senses and detects problems as they occur | Security logs |
| Corrective | Reduces the impact of threats and minimizes the impact of problems | Backup power supplies |

Chapter 3

TABLE 3-3 Performing a Qualitative Assessment

| Asset | Loss of Confidentiality | Loss of Integrity | Loss of Availability |
| --- | --- | --- | --- |
| Customer credit card and billing information | High | High | Medium |
| Production documentation | Medium | Medium | Low |
| Advertising and marketing literature | Low | Low | Low |
| HR (employee) records | High | High | Medium |

TABLE 3-6 Separation of Duties

| First Job Role | Combined (Yes/No) | Second Job Role |
| --- | --- | --- |
| Systems analyst | No | Security administrator |
| Application programmer | Yes | Systems analyst |
| Help desk | No | Network administrator |
| Data entry | Yes | Quality assurance |
| Computer operator | No | Systems programmer |
| Database administrator | Yes | Systems analyst |
| Systems administrator | No | Database administrator |
| Security administrator | No | Application programmer |
| Systems programmer | No | Security administrator |

TABLE 3-7 Key Employee Controls

| Terms | Control Usage | Attributes |
| --- | --- | --- |
| Background checks | Hiring practice | Helps match the right person to the right job |
| Required vacations | Uncovers misuse | Serves as a detective control to uncover employee malfeasance |
| Rotation of assignment | Prevents excessive control | Rotate employees to new areas |
| Dual control | Limits control | Aids in separation of duties |
| Non-disclosure agreement (NDA) | Aids in confidentiality | Helps prevent disclosure of sensitive information |
| Security training | Improves performance | Improves performance and gives employees information on how to handle certain situations |
| Segregation of duties (SoD) | Reduces the risk of error and fraud | Reduces the risk of human error or fraud by requiring that higher-risk transactions be performed by two or more people |

Chapter 5

TABLE 5-2 Project Organizational Forms

| Form | Description |
| --- | --- |
| Pure project | Formal authority is held by the project manager. The team may have a dedicated project work area. |
| Influence | The project manager has no real authority, and the functional manager remains in charge. |
| Weak matrix | The project manager has little or no authority and is part of the functional organization. |
| Balanced matrix | The project manager has some functional authority, and management duties are shared with functional managers. |
| Strong matrix | In this more expensive model, the project has members assigned for dedicated tasks. The advantage is that this offers a greater level of authority. |

TABLE 5-4 The NIST SDLC Process (NIST SP 800-34)

| Waterfall Phase | Description |
| --- | --- |
| Initiation | Benefits and needs are determined at this phase of the SDLC. |
| Development / Acquisition | At this phase, the purpose of the project must be defined. The systems must be designed, developed, constructed, or purchased. |
| Implementation | The system is installed and end users are trained. At this point, the auditor must verify that all required controls that are in the design function as described. |
| Operation / Maintenance | The system or program performs the work for which it was designed. Patching and maintenance are important at this point. |
| Disposal | At this phase the system or program is retired and data is destroyed or archived in an approved method. |

TABLE 5-5 Testing Types

| Test Type | Description |
| --- | --- |
| Alpha test | The first and earliest version of an application, followed by a beta version. Both are considered prereleases. |
| Pilot test | Used as an evaluation to verify functionality of the application. |
| White-box test | A type of test that verifies inner program logic. This testing is typically cost-prohibitive on a large application or system. |
| Black-box test | Integrity-based testing that looks at inputs and outputs. Black-box testing can be used to ensure the integrity of system interfaces. |
| Function test | A type of test that validates a program against a checklist of requirements. |
| Regression test | A type of test that verifies that changes in one part of the application did not affect any other parts in the same application or interfaces. |
| Parallel test | Parallel tests involve the use of two systems or applications at the same time. The purpose of this testing is to verify a new or changed system or application by feeding data into both and comparing the results. |
| Sociability test | A type of test that verifies that the system can operate in its targeted environment. |

TABLE 5-6 Sample Media Destruction Policy

| Media | Wipe Standard | Description |
| --- | --- | --- |
| Rewritable magnetic media (hard drive, flash drive, and so on) | Drive wiping or degaussing | DOD 5220.22-M seven-pass drive wipe or electric degaussing |
| Optical media (CD-RW, DVD-RW, DVD+RW, CD-R, DVD-R, and so on) | Physical destruction | Physical destruction of the media by shredding or breaking |

TABLE 5-7 Cloud Services

| Service | Description |
| --- | --- |
| Infrastructure as a Service | A form of cloud computing services that provides virtualized computing resources over the Internet. |
| Platform as a Service | A form of cloud computing services in which a platform allows customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure typically associated with it. |
| Software as a Service | A form of cloud computing services in which a third-party provider hosts applications and makes them available to customers over the Internet. |

Chapter 6

TABLE 6-4 Processing Control Techniques

| Processing Control | Description |
| --- | --- |
| Manual recalculations | Some transactions might be recalculated to ensure that processing is operating correctly. |
| Editing | A program instruction controls input or processing of data to verify its validity. |
| Run-to-run totals | Various stages of processing ensure the validity of data. |
| Programming controls | Software-based controls flag problems and initiate corrective action. |
| Reasonableness verification | This control ensures the reasonableness of data. For example, if someone tries to process a negative amount through a payment system, a reasonableness control should flag the result as invalid. |
| Limit checks | This control sets bounds on what are reasonable amounts. For example, someone might attempt to order 55 flat-screen TVs. |
| Reconciliation of file totals | This refers to the act of balancing debits, credits, and totals between two systems. This control should be performed periodically to verify the accuracy and completeness of data. |
| Exception reports | This type of report should be generated when transactions appear to be incorrect. |

TABLE 6-6 Continuous Audit Techniques

| Technique | Description | Issues and Concerns |
| --- | --- | --- |
| Systems control audit review file and embedded audit modules (SCARF/EAM) | The application must contain embedded audit software to act as a monitoring agent. | Cannot be used to interrupt regular processing |
| Integrated test facilities | Live and dummy data is fed into the system. The results of the dummy data are compared with precalculated results. | Should not be used with test data |
| Continuous and intermittent simulation (CIS) | CIS simulates the transaction run. If data meets certain criteria, the simulator logs the transaction; otherwise, processing continues. | Requires examination of transactions that meet specific criteria |
| Snapshots | This technique tags transactions and then takes snapshots as the data is moved from input to output. | Requires an audit trail |
| Audit hooks | This technique uses embedded hooks that act as red flags if certain conditions are met. | Detects items that meet specific criteria |

Chapter 7

TABLE 7-2 Frameworks and Best Practices

| Name | Overview |
| --- | --- |
| ITIL | A leading service management standard |
| FitSM | A lightweight service management standard |
| ISO 20000 | One of the first service management standards |
| eTOM | Designed for the telecommunications market |

TABLE 7-3 Common Port Numbers

| Port | Service | Protocol |
| --- | --- | --- |
| 20/21 | FTP | TCP |
| 22 | SSH | TCP |
| 23 | Telnet | TCP |
| 25 | SMTP | TCP |
| 53 | DNS | TCP/UDP |
| 67/68 | DHCP | UDP |
| 80 | HTTP | TCP |
| 110 | POP3 | TCP |
| 143 | IMAP | TCP |
| 161 | SNMP | UDP |

TABLE 7-6 Network Equipment

| Equipment | OSI Layer | Description |
| --- | --- | --- |
| Gateway | OSI Layer 4 or higher | Gateways operate at the transport layer and above. Gateways translate each source-layer protocol into the appropriate destination-layer protocol. For example, an application-layer gateway is found at Layer 7. |
| Router | OSI Layer 3 | Routers are used to connect distant sites connected by a WAN, improve performance by limiting physical broadcast domains, and ease network management by segmenting devices into smaller subnets rather than one large network. |
| Switch | OSI Layer 2 | Switches are hardware based and provide logical segmentation by observing the source and destination physical address of each data frame. VLANs are one function that many switches can provide. VLANs separate various ports on a switch, therefore segmenting traffic much as a Layer 3 router would. |
| 802.11 wireless access points | OSI Layer 2 | Wireless access points can be found at OSI Layer 2. Devices that have wireless and can route would be found at OSI Layer 3. |
| Hub | OSI Layer 1 | Hubs connect individual devices and provide physical connectivity so that devices can share data. Hubs amplify and regenerate the electrical signals. They are similar to repeaters except that hubs have multiple ports. |

TABLE 7-8 Cabling Options

| Type | Use | Topology | Maximum Length or Distance | Access Standard |
| --- | --- | --- | --- | --- |
| Copper cable | 10BASE-T, 10Mbps; 100BASE-TX, 100Mbps; 1000BASE-TX, 10Gbps | Star | 100 meters; 100 meters; 100 meters | Ethernet CSMA/CD |
| Coaxial cable | 10BASE5, 10Mbps; 10BASE2, 10Mbps | Bus | 500 meters; 185 meters | 802.3 |
| Fiber-optic cable | 10BASE-F, 10Mbps; 100BASE-FX, 100Mbps; 1000BASE-LX, 1000Mbps | Bus, star, or mesh | Long distances. For example, 10BASE-F can range up to 2,000 m. | 802.3 and 802.3ae |
| Wireless LAN | In the 2.4GHz bandwidth | Wireless | Varies, depending on the standard. | 802.11 |

Chapter 8

TABLE 8-5 Attributes of Symmetric and Asymmetric Encryption

| Type of Encryption | Advantages | Disadvantages |
| --- | --- | --- |
| Symmetric | Faster than asymmetric encryption | Key distribution; provides only confidentiality |
| Asymmetric | Easy key exchange; can provide confidentiality and authentication | Slower than symmetric encryption |

TABLE 8-6 Attributes of Symmetric and Asymmetric Encryption and the OSI Reference Model

| TCP/IP | OSI Layer (ISO 7498-1) | Security Control | Security Model (ISO 7498-2) |
| --- | --- | --- | --- |
| Application | Application | SSH, PGP, SET | Authentication |
|  | Presentation | SSL and TLS | Access control |
|  | Session |  | Nonrepudiation |
| Transport | Transport |  | Data integrity |
| Network | Network | IPsec | Confidentiality |
| Physical | Data link | PPTP, L2TP, WPA2 | Assurance |
|  | Physical |  | Notarization |

TABLE 8-8 Data Classification Types

| Commercial Business Classifications | Military Classifications |
| --- | --- |
| Confidential | Top secret |
| Private | Secret |
| Sensitive | Confidential |
| Public | Sensitive |
|  | Unclassified |

Chapter 9

TABLE 9-2 Best Practices Examples

| Item | Recommendation |
| --- | --- |
| Logs | Mandatory log monitoring. |
| Patching | Patching all systems and applications. |
| Vulnerability assessment | Establish a process to identify newly discovered security vulnerabilities. |
| Encryption | Enforce encryption for data at rest and data in transit. |
| User accounts | Remove inactive user accounts at least every 90 days. |
| Passwords | Remove default passwords and require unique passwords for all users. |

TABLE 9-3 Common Security Controls for Virtual Systems

| Security Control | Comments |
| --- | --- |
| Antivirus | Antivirus must be present on the host and all VMs. |
| Authentication | Use strong access control. |
| Encryption | Use encryption for sensitive data in storage or transit. |
| Hardening | All VMs should be hardened so that nonessential services are removed. |
| Physical controls | Controls should be implemented to limit who has access to the data center. |
| Remote access services | Remote access services should be restricted when not needed. When required, use encryption. |
| Resource access | Use administrative accounts only as needed. |

TABLE 9-5 The NIST Four-Stage Pen Test Methodology

| Stage | Description |
| --- | --- |
| Planning | At this stage, a signed letter of authorization is obtained. The rules of engagement are established here. The team must have goals, know the time frame, and know the limits and boundaries. |
| Discovery | This stage is divided into two distinct phases. Passive: This phase is concerned with information gathered in a very covert manner. Examples of passive information gathering include surfing the organization's website to mine valuable information and reviewing job openings to gain a better understanding of the technologies and equipment used by the organization. Active: This phase of the test is split between network scanning and host scanning. As individual networks are enumerated, they are further probed to discover all hosts, determine their open ports, and attempt to pinpoint the OS. Nmap is a popular scanning program. |
| Attack | At this stage, the pen testers attempt to gain access, escalate their privilege, browse the system, and expand their influence. |
| Reporting | In this final stage, documentation is used to compile the final report. This report serves as the basis for corrective action, which can range from nothing more than enforcing existing policies to closing unneeded ports and adding patches and service packs. |
