2H - SES 622 - Module 8 - Audit and Assessment
Engineering
Graduate
05/02/2012

Cards

Term
What are six types of audit assessment activities?
Definition
1. 90-second assessment
2. Control self-assessments
3. Design/architecture reviews
4. Due diligence reviews
5. Spot checks
6. Penetration studies
Term
What are the five parts of a system assessment or review?
Definition
1. Objective
2. Scope
3. Constraint
4. Approach
5. Result
Term
Define "objective" as related to a system assessment.
Definition
A statement of the thing to be proved or disproved in the course of an assessment. It is often stated in terms of assurance. For example, to provide assurance that Application Internet access cannot be exploited to gain access to internal systems.

Spectrum: Business driven to tech driven
Term
Define "scope" as related to a system assessment.
Definition
Scope is a technical term that refers to the mapping of the purpose of the review onto the thing to be reviewed.

Spectrum: technology to process
Term
Define "constraint" as related to a system assessment.
Definition
The situations within which a reviewer operates, which may or may not hinder his or her ability to assess the entire scope and complete the assessment objective. For example, a prohibition on accessing the application during business hours.

Spectrum: Money to reviewer sphere of influence
Term
Define "approach" as related to a system assessment.
Definition
Alternative sets of activities that cover the scope in a way that meets the objective of the assessment, given the constraints. In other words, how we are going to conduct the assessment.

Spectrum: interviews to technology testing
Term
Define "result" as related to a system assessment.
Definition
An assessment of whether the assessment objective was met.

Spectrum: verbal yes or no answer to formally published reports
Term
What are the five parts of the "The 90-second Security Review"?
Definition
Objective: To answer the question, “are we secure despite this?” with “yes.”

Scope: A verbal description or automated evidence of “this.” Situational awareness.

Constraint: Short timeframe, reliance on assumptions concerning technical detail behind the verbal description or evidence

Approach: Experience-based detection, classification, containment exercise

Result: “yes” or “no”
Term
What are the five parts of the "The Control Self-Assessment"?
Definition
Objective: To establish that the controls implemented to maintain security are sufficient to do so.

Scope: The systems environment housing the data that an organization is charged to secure.

Constraint: Unknowns or lack of expertise in security mechanisms in third party products. Time. Participants are also responsible for system maintenance, so they may be biased.

Approach: Identify risks, exposures, and potential perpetrators; evaluate the ability of controls to protect against, detect, or recover from exploits.

Result: Control/weaknesses
Term
What are the five parts of the "The Design/Architecture Review"?
Definition
Objective: To establish that a system is capable of securing data, and identify configuration parameters in the systems environment required to effect security.

Scope: Network and operating system placement diagrams, as well as detailed technical design documents on system security mechanisms.

Constraint: Unknowns or lack of expertise in security mechanisms in third party products. Time.

Approach: Compare settable parameters of all systems components to known secure configurations and/or security policy.

Result: List of issues to address, iterative process.
Term
What are the five parts of the "The Due Diligence Review"?
Definition
Objective: To establish that a third party has adequate safeguards in place to secure data on an ongoing basis.

Scope: Service description, data exchange mechanisms, draft contract, security controls at third party site.

Constraint: Unknowns or lack of expertise in security mechanisms, as well as system configuration at third party site.

Approach: Obtain documentation on security controls at third party, evaluate effectiveness, test described controls.

Result: Opinion plus caveats, may be iterative.
Term
What are the five parts of "The Spot Check"?
Definition
Objective: To render an opinion on whether a given security process is working.

Scope: Process description, system security parameters of system directly supporting the process.

Constraint: Reliance on assumptions with respect to systems interfaces and supporting systems (e.g. data feeds, network, OS).

Approach: Review all system security procedures and settings, identify expected user community, evaluate whether expected controls are in place.

Result: “yes” or “no”
Term
What are the five parts of "The Penetration Test"?
Definition
Objective: To see if a system can be broken into from a publicly accessible portal.

Scope: System's publicly accessible portals and supporting layers of technology.

Constraint: No direct access to supporting layers of technology (in black box testing, no knowledge of those layers). Time.

Approach: Perform a standard set of techniques (more detail on the next card); substitute time and materials for unknown activities in the project plan.

Result: List of vulnerabilities.
Term
What are the standard techniques for penetration testing?
Definition
1. Reconnaissance – Map the target environment without getting caught.
2. Espionage – In the context of application security, this is a method of evaluating the security of a computer application by simulating an attack by a malicious user who tries to evade detection.
3. Fuzzing – A software testing technique that provides random or malformed data to inputs of a program to test for security and integrity.
4. Assault – Full frontal attack where non-repudiation is not the primary consideration. May include sabotage on test environments.
Term
What are the risks associated with network penetration testing?
Definition
1. False sense of security
2. Miscommunication of test or result
3. Inadvertent escalation
4. Accidental system outages
5. Accidental data leakage
Term
What is a security review?
Definition
Work performed in the context of an organizational need to understand something about the level of protection in a given systems environment.
Term
What is an audit?
Definition
An attestation service based on independently defined professional practices for those who will attest, following standards for identifying, evaluating, testing, and assessing controls in the context of an accountable management structure.
Term
What are four rules of auditor independence?
Definition
1. Must have an independent reporting structure to board level.
2. Must not rely on auditee for compensation.
3. Must not have participated in design or operations of system under review.
4. Must be distant in attitude and appearance.
Term
What are the two parts of audit planning?
Definition
1. Risk assessment.
2. Control frameworks. Review the organization's structure, policies, and procedures established in support of control objectives.
Term
What is a control objective?
Definition
Specific, measurable goals that individual controls are designed to achieve.
Term
What are audit steps?
Definition
The actions that an auditor will take to independently gather evidence of activity established by management that contributes to control objectives.
Term
What are compensating controls?
Definition
It is best to prevent undesired events from happening; however, if they cannot be prevented, compensating controls do one of two things: (1) detect the undesired events in time for a response team to prevent harm, or (2) correct the situation if the undesired event was not detected in time to prevent harm.
Term
What are three rules for evidence evaluation?
Definition
1. Evidence obtained from outside sources is more reliable than evidence provided by the organization being audited.

2. The qualifications of the person providing the evidence should be considered.

3. Objective evidence is more reliable than that which requires evaluation or interpretation.
Term
An audit report includes audit points. What are the six parts of an audit point?
Definition
1. Condition
2. Criterion
3. Cause
4. Effect
5. Recommendation
6. Management Response
Term
What is the definition of an audit point "condition"?
Definition
A factual description of audit evidence
Term
What is the definition of an audit point "criterion"?
Definition
Some objective standard as to why the audit point is valid
Term
What is the definition of an audit point "cause"?
Definition
The root cause of the situation that introduced the control weakness
Term
What is the definition of an audit point "effect"?
Definition
The risk in terms of potential negative impact that the condition presents to the audited organization
Term
What is the definition of an audit point "recommendation"?
Definition
Auditor’s opinion on what control activity should be established to mitigate the risk of the bad effects due to the condition.
Term
What is the definition of an audit point "management response"?
Definition
IT Manager’s action plan that will change the condition.
Term
How are non-specific threats handled?
Definition
Risk Review. (See module 6).
Term
How are specific threats handled?
Definition
Employ the appropriate kind of system review as determined by the review constraints. E.g., time-constrained, intelligence-intensive, damage-averting, response-focused: 90-second security review