Premium Essay

Testing and Monitoring Security Controls & Security Audits and Assessments

In: Computers and Technology

Submitted By doodlebug
Words 316
Pages 2
Testing and Monitoring Security Controls & Security Audits and Assessments
Identify at least two types of security events and baseline anomalies that might indicate suspicious activity. * Authentication failures are one type of security event. A baseline anomalie that may indicate suspicious activity are unauthorized access attempts that can be found within log files. The log files contain records of all types of security events such as logon events, changes in system configuration and attempted violations of policy as well as system events like service startups and closures, errors and system warnings. * A second security event could be a sudden increase in overall traffic. It could simply mean that your website has been mentioned by a popular source, or it could mean that someone is trying to cause harm to your site.
Given a list of policy violations and security breaches, select three breaches, and consider the best options for controlling and monitoring each incident. Identify the methods to mitigate risk and minimize exposure to threats or vulnerabilities. * Problem: Removable storage drives introduce malware filtered only when crossing the network.
Solution: Limit user privileges that only include those that are required by the duties that are assigned to that individual. This will hopefully make it clear that no removable storage devices are to be connected to the network, no matter the circumstances unless they are screened first. * Problem: Predictable passwords meet minimum requirements but remain easily guessable.
Solution: Create a recurring change of passwords, say once every few months, for your company. Have the passwords require a combination of numbers and letters, as well as a special character. * Problem: Sensitive laptop data is unencrypted and susceptible to physical theft.
Solution: An obvious solution to this

Similar Documents

Premium Essay

It-255

...IT255 Introduction to Information Systems Security Unit 5 Importance of Testing, Auditing, and Monitoring © ITT Educational Services, Inc. All rights reserved. Learning Objective Explain the importance of security audits, testing, and monitoring to effective security policy. IT255 Introduction to Information Systems Security © ITT Educational Services, Inc. All rights reserved. Page 2 Key Concepts  Role of an audit in effective security baselining and gap analysis  Importance of monitoring systems throughout the IT infrastructure  Penetration testing and ethical hacking to help mitigate gaps  Security logs for normal and abnormal traffic patterns and digital signatures  Security countermeasures through auditing, testing, and monitoring test results IT255 Introduction to Information Systems Security © ITT Educational Services, Inc. All rights reserved. Page 3 EXPLORE: CONCEPTS IT255 Introduction to Information Systems Security © ITT Educational Services, Inc. All rights reserved. Page 4 Purpose of an IT Security Assessment Check effectiveness of security measures. Verify access controls. Validate established mechanisms. IT255 Introduction to Information Systems Security © ITT Educational Services, Inc. All rights reserved. Page 5 IT Security Audit Terminology  Verification  Validation  Testing  Evaluation IT255 Introduction to Information Systems Security © ITT Educational Services, Inc. All rights reserved...

Words: 799 - Pages: 4

Premium Essay

Ggao-09-232g

...United States Government Accountability Office GAO February 2009 GAO-09-232G FEDERAL INFORMATION SYSTEM CONTROLS AUDIT MANUAL (FISCAM) This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office Washington, DC 20548 February 2009 TO AUDIT OFFICIALS, CIOS, AND OTHERS INTERESTED IN FEDERAL AND OTHER GOVERNMENTAL INFORMATION SYSTEM CONTROLS AUDITING AND REPORTING This letter transmits the revised Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM). The FISCAM presents a methodology for performing information system (IS) control 1 audits of federal and other governmental entities in accordance with professional standards, and was originally issued in January 1999. We have updated the FISCAM for significant changes affecting IS audits. This revised FISCAM reflects consideration of public comments received from professional accounting and auditing organizations, independent public accounting firms, state and local audit organizations, and interested individuals on the FISCAM Exposure Draft issued on July 31, 2008 (GAO-08-1029G)...

Words: 174530 - Pages: 699

Premium Essay

Understanding Nist 800‐37  Fisma Requirements 

... NIST Risk Management Framework for FISMA ..................................................................... 4  III. Application Security and FISMA .......................................................................................... 5  IV. NIST SP 800‐37 and FISMA .................................................................................................. 6  V. How Veracode Can Help ...................................................................................................... 7  VI. NIST SP 800‐37 Tasks & Veracode Solutions ....................................................................... 8  VII. Summary and Conclusions ............................................................................................... 10  About Veracode .................................................................................................................... 11                                      © 2008 Veracode, Inc.  2        Overview  The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. §  3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E‐ Government Act of 2002 (Pub.L. 107‐347, 116 Stat. 2899). The Act is meant to  bolster computer and network security within the Federal Government and  affiliated parties (such as government contractors) by mandating information  security controls and periodic audits. I. The Role of NIST in FISMA Compliance  The National Institute of Standards and...

Words: 2451 - Pages: 10

Premium Essay

Information Security

...implementing the information security management standards, plus potential metrics for measuring and reporting the status of information security, both referenced against the ISO/IEC standards. Scope This guidance covers all 39 control objectives listed in sections 5 through 15 of ISO/IEC 27002 plus, for completeness, the preceding section 4 on risk assessment and treatment.  Purpose This document is meant to help others who are implementing or planning to implement the ISO/IEC information security management standards.  Like the ISO/IEC standards, it is generic and needs to be tailored to your specific requirements. Copyright This work is copyright © 2010, ISO27k Forum, some rights reserved.  It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.  You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k Forum at www.ISO27001security.com, and (c) derivative works are shared under the same terms as this. Ref. | Subject | Implementation tips | Potential metrics | 4. Risk assessment and treatment | 4.1 | Assessing security risks | Can use any information security risk management method, with a preference for documented, structured and generally accepted methods such as OCTAVE, MEHARI, ISO TR 13335 or BS 7799 Part 3. See ISO/IEC 27005 for general advice. | Information security risk management...

Words: 4537 - Pages: 19

Premium Essay

Audit of Cash and Other Liquid Assets

...Solutions for Chapter 12 Audit of Cash and Other Liquid Assets Review Questions: 12-1. It is important that cash and liquid asset testing be coordinated because the assets can be quickly moved and thus substituted for each other. For example, an organization could quickly move assets between cash and certificates of deposit. 12-2. General Cash Account. This is the account used to transact most of the organization's cash transactions. It is usually a high volume, but low balance account. Because of its high volume and its liquidity it is susceptible to greater risk than most asset accounts of the same size. Imprest Payroll Account. This is an account that is maintained strictly for the payment of payroll. The organization makes a deposit equal to the monthly or weekly payroll at the time the payroll checks or electronic transfers are issued. The account is used to minimize accounting costs and to isolate payroll risks to one account. 12-3. We disagree with the auditor's assessment of inherent risk of cash transactions as low. Granted, the accounting for cash and marketable securities is not overly complex. However, the liquidity of the accounts, coupled with their susceptibility to fraud or misappropriation, makes the inherent risk of the accounts at least moderate - if not high. Most organizations recognize the high inherent risk associated with the accounts and have implemented detailed control procedures to reduce control risk to a minimal level. 12-4...

Words: 14523 - Pages: 59

Free Essay

Boss

...Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2 April 2016 Document Changes Date October 2008 Version 1.2 Description Pages To introduce PCI DSS v1.2 as “PCI DSS Requirements and Security Assessment Procedures,” eliminating redundancy between documents, and make both general and specific changes from PCI DSS Security Audit Procedures v1.1. For complete information, see PCI Data Security Standard Summary of Changes from PCI DSS Version 1.1 to 1.2. Add sentence that was incorrectly deleted between PCI DSS v1.1 and v1.2. Correct “then” to “than” in testing procedures 6.3.7.a and 6.3.7.b. 1.2.1 32 Remove grayed-out marking for “in place” and “not in place” columns in testing procedure 6.5.b. 33 For Compensating Controls Worksheet – Completed Example, correct wording at top of page to say “Use this worksheet to define compensating controls for any requirement noted as ‘in place’ via compensating controls.” July 2009 5 64 October 2010 2.0 Update and implement changes from v1.2.1. See PCI DSS – Summary of Changes from PCI DSS Version 1.2.1 to 2.0. November 2013 3.0 Update from v2.0. See PCI DSS – Summary of Changes from PCI DSS Version 2.0 to 3.0. April 2015 3.1 Update from PCI DSS v3.0. See PCI DSS – Summary of Changes from PCI DSS Version 3.0 to 3.1 for details of changes. April 2016 3.2 Update from PCI DSS v3.1. See PCI DSS...

Words: 57566 - Pages: 231

Premium Essay

Case Study1

...identify risk. To determine the likelihood of a security problem or vulnerability to the facility and infrastructure of an organization. This process will be used to determine risk after normal management safeguards have been applied. The type of security checklist I will create, will be the tabular format. The focus will be on the infrastructure and the perimeter. The survey will show areas of weakness, deficiencies and vulnerabilities. Such as continuous surveillance, lighting and internal controls. Using the tabular format will allow for the collection of large amounts of security information. This format can be converted into different kinds of report and will be easier to relate policy to standards. Such as security standards and expectations by category. The format will include the following. Audit information page(s) with space for the name of the facility being audited, date and names of audit. A table of contents that lists the security categories. Points to be reviewed. Columns for indicating compliance/ non-compliance. Space for additional categories as may be needed. Such as Emergency Plans and perimeter security (http://nicic.gov?downloads/files). Knowing the security vulnerabilities the organization will enable you to develop a security program that’s best for the organization. The first step to eliminating the problem areas is to perform a risk assessment of the vulnerabilities. I will perform my assessment by focusing on the perimeter, internal and external...

Words: 491 - Pages: 2

Premium Essay

Control Self Assessment

...Control Self-assessment for Information and Related Technology To ensure smooth functioning of an enterprise striving to achieve predetermined objectives, business processes are identified and defined. To ensure the proper completion of process work, procedures are defined, documented and established. Business procedures need to be properly controlled to ensure smooth completion. Out-of-control procedures are expensive; therefore, controls need to be in place. These controls can be preventive, detective and/or corrective in nature. However, the adequacy of controls over procedures depends on various factors, including a balance between costs incurred for implementing controls and the resulting benefits derived. Many controls are essential overheads for the business, and therefore, their effectiveness must be reviewed periodically. Internal audit of controls, an essential overhead, helps avoid relaxation on controls. Ultimately, the control overheads constitute a major expenditure item. Assurance that the controls are in place and effective is essential. This assurance can be given through control self-assessment (CSA), also referred to as control self-assurance. Systems and procedures for many business organizations within various sectors have evolved over time. For example, banking is the oldest service sector and the controls over banking procedures are essential not only for the bank, but also for society in general. Controls in banking procedures have also evolved over...

Words: 5755 - Pages: 24

Premium Essay

Is2007

...WHAT IS INFORMATION SECURITY? 0.2 WHY INFORMATION SECURITY IS NEEDED? 0.3 HOW TO ESTABLISH SECURITY REQUIREMENTS 0.4 ASSESSING SECURITY RISKS 0.5 SELECTING CONTROLS 0.6 INFORMATION SECURITY STARTING POINT Information security is defined as the preservation of confidentiality, integrity and availability of information … Information security is defined as the preservation of confidentiality, integrity and availability of information … 0.7 CRITICAL SUCCESS FACTORS 0.8 DEVELOPING YOUR OWN GUIDELINES 1 SCOPE 2 TERMS AND DEFINITIONS 3 STRUCTURE OF THIS STANDARD 3.1 CLAUSES Security controls directly address risks to the organization, therefore risk analysis is a starting point for designing controls. Security controls directly address risks to the organization, therefore risk analysis is a starting point for designing controls. 3.2 MAIN SECURITY CATEGORIES 4 RISK ASSESSMENT AND TREATMENT 4.1 ASSESSING SECURITY RISKS Information security policies, standards, procedures and guidelines drive risk management, security and control requirements throughout the organization Information security policies, standards, procedures and guidelines drive risk management, security and control requirements throughout the organization 4.2 TREATING SECURITY RISKS 5 SECURITY POLICY 5.1 INFORMATION SECURITY POLICY 5.1.1 Information security policy document 5.1.2 Review of the information security policy 6 ORGANIZATION OF INFORMATION SECURITY Defines the hierarchical...

Words: 1623 - Pages: 7

Premium Essay

Information and Survey Analysis

...substantive testing. C. compliance testing. D. stop-or-go sampling. The correct answer is: C. compliance testing. Explanation: Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values, such as dollar values. Substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed. 2. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks? A. Inherent B. Detection C. Control D. Business The correct answer is: B. Detection Explanation: Detection risks are directly affected by the auditor's selection of audit procedures and techniques. Inherent risks usually are not affected by the IS auditor. Control risks are controlled by the actions of the company's management. Business risks are not affected by the IS auditor. 3. Senior management has requested that an IS auditor assist the departmental management in the implementation of necessary controls. The IS...

Words: 97238 - Pages: 389

Premium Essay

Accounting

...CORRESPONDENCE, (E) ESTABLISHED CRITERIA, (F) COMMUNICATING THE RESULTS, AND (G) INTERESTED USERS. 2. A financial statement audit involves obtaining and evaluating evidence about an entity's financial statements for the purpose of expressing an opinion on whether the statements are presented fairly in conformity with established criteria--usually GAAP. Thus, the nature of the auditor's report is an opinion on the fairness of the financial statement presentation. A compliance audit involves obtaining and evaluating evidence to determine whether certain financial or operating activities of an entity conform to specified conditions, rules, or regulations. A report on a compliance audit takes the form of a summary of findings or assurance regarding degree of compliance. An operational audit involves obtaining and evaluating evidence about the efficiency and effectiveness of an entity's operating activities in relation to specified objectives. Reports on such audits include an assessment of efficiency and effectiveness and recommendations for improvements. 3. Independent auditors are individual practitioners or members of public accounting firms who render professional auditing services to clients. These services may involve financial statement audits, compliance audits, and operational audits. Internal auditors are employees of the companies they audit. They are involved in an independent appraisal activity, called internal auditing, as a service to the organization. Internal...

Words: 4500 - Pages: 18

Premium Essay

Risk Managment

...CEO requested me to prepare a report pointing out potential security vulnerabilities at the AEN company. For that I started with risk assessment exercise which will identify the relations between company assets, threats and vulnerabilities that may lead to the loss of confidentiality, integrity, availability, authenticity, or accountability. The output of the risk assessment will determine the actions for managing security risks and for implementing the appropriate controls needed to protect the company assets. The risk assessment process consists of the following tasks: • “Identify business needs and changes to requirements that may affect overall IT and security direction. • Review adequacy of existing security policies, standards, guidelines and procedures. • Analyze assets, threats and vulnerabilities, including their impacts and likelihood (See sheet # 1) • Assess physical protection applied to computing equipment and other network components. • Conduct technical and procedural review and analysis of the network architecture, protocols and components to ensure that they are implemented according to the security policies. • Review and check the configuration, implementation and usage of remote access systems, servers, firewalls and external network connections, including the client Internet connection. • Review logical access and other authentication mechanisms. • Review current level of security awareness and commitment of staff within the organization. ...

Words: 752 - Pages: 4

Premium Essay

Final Exam

...Introduction to internal control systems Internal controls: the controls established to protect the assets of an organization. Internal control: describes the policies, plans, and procedures implemented by the management of an organization to protect its assets, to ensure accuracy and completeness of its financial information, and to meet its business objectives. Four objectives of internal control system: 1. Safeguard assets, 2. Check the accuracy and reliability of accounting data, 3. Promote operational efficiency, 4. Enforce prescribed managerial policies. Sarbanes Oxley Act of 2002 piece of legislation with respect to internal controls Section 404: reaffirms management is responsible for establishing and maintaining an adequate internal control structure. 1992 Coso report: established common definition of internal control for assessing control system, as well as determined how to improve controls. An internal control system should consist of the five components: 1. The control environment 2. Risk assessment 3. Control activities 4. Information and communication 5. Monitoring Control environment: foundation for all other internal control components and provides discipline and structure. Top management oversight, integrity, and ethical principles that guide the organization Risk assessment: identify organizational risks, analyze their potential in terms of costs and likelihood of occurrence, and implement only those controls whose projected benefits...

Words: 1409 - Pages: 6

Premium Essay

Homework Coso Framework

...Homework – COSO Framework, Internal Controls and Security Internal control systems have five components: (a) control environment, (b) risk assessment, (c) control activities, (d) information and communication, and (e) monitoring. For each of the following items, indicate which component is being applied. Explain your answer! 1) The firm prints and distributes to all employees a copy of the firm’s policies and procedures. Information and communication. Provide policy information in detail to allow proper classification and reporting. 2) An internal audit committee is formed. Monitoring. To form committee is to reflect the firm’s operations. 3) Internal auditors perform a bank reconciliation as part of their audit of cash control operations. (Typically a bank reconciliation is performed by a clerk in the treasury department) Control activities. Auditors are doing internal control via operations. This is detailed control activities. 4) The firm creates a code of ethics. Control environment. Management integrity and ethical values. 5) Internal auditors test whether a computer hacker can break into the firm’s computers. Risk assessment. Braking computers is high risk, must be prevented. 6) The company determines the consequences if a warehouse is destroyed (e.g., by fire). Risk assessment. Destroyed warehouse is physical risk. 7) An employee is fired for embezzling funds. This fact is announced in a company...

Words: 1026 - Pages: 5

Premium Essay

Segregation of Duties

...Segregation of Duties One element of IT audit is to audit the IT function. While there are many important aspects of the IT function that need to be addressed in an audit or risk assessment, the fundamental element of internal control is the segregation of certain key duties, especially as it relates to risk. The basic idea underlying segregation of duties (SOD) is that no single employee should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. Similar to traditional SOD in accounting functions, SOD in IT plays a major role in reducing certain risk, and does so in a similar fashion as well. Duties that should be segregated include: 1. Custody of the assets 2. Authorization 3. Recording transactions If adequate segregation of duties does not exist, the following could occur: 1. Misappropriation of assets 2. Misstated financial statements 3. Inaccurate financial documentation (i.e. errors or irregularities) 4. Improper use of funds or modification of data could go undetected 5. Unauthorized or erroneous changes or modification of data and programs may not be detected As the figure 1 shows, there are some of the key roles and functions that need to be segregated. 1. IT Duties vs. User Departments The most basic segregation is the segregation of the duties of the IT function from user departments. Generally speaking, this means the user department does not perform its own IT duties. While a department provides...

Words: 2548 - Pages: 11