<span style="font-weight: bold;">CISA made Easy - Easy CISA Preparation</span><br />Blog by PassCISA (feed last updated 2024-03-13)<br /><br /><span style="font-weight: bold;">Business Continuity Planning (BCP) – Essential Steps</span><br />Posted by PassCISA on 2009-01-05 (updated 2010-12-12)<br /><br /><div style="text-align: justify;">A disaster can strike even the most robust setup at any time. The best way to provide stability is to establish mechanisms that keep all critical operations running, which is the purpose of a Business Continuity Plan (BCP). Business Continuity Planning is not only important for the CISA examination; it is equally important for any Information Systems or Information Security setup. It is essential to identify every critical process and rank the processes by criticality, to establish a recovery process, and to devise a proper testing regime.<br />The following are the essential steps in designing a successful BCP.<br /></div><br /><span style="font-weight: bold;">1. Business Impact Analysis</span><br /><br />In the first phase we define all the critical resources: critical procedures, critical processes and critical people. Remember that processes connect procedures and people. Their impact is analysed both individually and within the overall system.<br /><br />Business Impact Analysis involves:<br /><span style="font-style: italic;"><br />i. Criticality definition</span><br /><span style="font-style: italic;">ii. Criticality identification</span><br /><span style="font-style: italic;">iii. Individual/overall criticality impact</span><br /><span style="font-style: italic;">iv. Criticality ranking</span><br /><br /><span style="font-weight: bold;">2. Strategies for recovery</span><br /><br />Recovery processes are designed to support the identification and declaration of a disaster and the restoration of the critical resources. 
Recovery strategies need to be devised for:<br /><br /><span style="font-style: italic;">i. Identification of the disaster</span><br /><span style="font-style: italic;">ii. Declaration of the disaster</span><br /><span style="font-style: italic;">iii. Development of the various teams</span><br /><span style="font-style: italic;">iv. Backup planning</span><br /><span style="font-style: italic;">v. Restoration planning</span><br /><span style="font-style: italic;">vi. Resource allocation</span><br /><br /><br /><span style="font-weight: bold;">3. Testing of BCP</span><br /><br />Testing can be of the following types:<br /><br /><span style="font-style: italic;">i. Paper test</span><br /><span style="font-style: italic;">ii. Full test</span><br /><br />The testing mechanism should be chosen according to the architecture of the information system. Ideally a paper test (a walk-through of the plan on paper) is followed by a full test. A full test requires a replica of the main setup, i.e. the disaster recovery site, and should be scheduled so that a failed test cannot itself interrupt production.<br /><br /><span style="font-weight: bold;">4. Documentation</span><br /><br />All of the above steps should be well documented, tested and approved.<br /><br /><span style="font-weight: bold;">5. Involvement of top management</span><br /><br />In my view this is the most crucial step for a successful BCP.<br /><br /><span style="font-weight: bold;">6. Periodic review</span><br /><br />Periodic review is very important. 
The BCP should also be reviewed whenever there is a major change in the information system.<br /><br /><span style="font-weight: bold;">Passing CISA is easy - final tips to pass CISA</span><br />Posted by PassCISA on 2008-12-12<br /><br />All your queries and hits have made me devote more and more time to this blog, and this blog has become a vital part of my life.<br /><br /><span style="font-weight: bold;">Thanks for your support</span>.<br /><br />Now the examination is standing next to you, and my final word to all of my readers is that CISA is easy.<br /><br />My advice to all my readers before the examination:<br /><br />1. Do not read too much at this moment.<br /><br />2. Do only selective revision.<br /><br />3. No new topics now.<br /><br />4. Sleep well.<br /><br />My advice and secret for passing the CISA exam is only one thing:<br /><br />"Read the question and all the choices completely before answering any question"<br /><br />Believe me, if you do this sincerely you will be a winner and the CISA designation will be next to your name.<br /><br />I would advise the following:<br /><br />1. Read the question carefully.<br /><br />2. See what is being asked:<br /><br />the important words to watch for in the question are:<br /><br />MOST<br /><br />LEAST<br /><br />NOT<br /><br />ALL etc.<br /><br />3. Read all the choices.<br /><br />4. Do not jump to the answer before reading all the choices.<br /><br />5. Decide which of the choices is most correct.<br /><br />During this process take care to mark the answer only against the right question. Check the time and the number of remaining questions periodically during the examination.<br /><br />Do not panic if you do not know the answer to one or a few questions. 
You may come back to the unanswered questions after solving the others.<br /><br />Not much advice this time, but systematic question reading is definitely the key.<br /><br /><span style="font-weight: bold;">All the best for the D-Day</span>, and thanks again for your continued support of my blog. It will be a still better place for other readers in future.<br /><br />Do share your success.<br /><br />Your friend<br /><br />PassCISA.<br /><br /><span style="font-weight: bold;">CISA Quick Tips 08-1112</span><br />Posted by PassCISA on 2008-12-11<br /><br /><div style="text-align: justify;">1. <span style="font-weight: bold;">Asymmetric key cryptography</span> is also known as <span style="font-weight: bold;">public key encryption</span>; each party holds a key pair consisting of a private key and a public key.<br /><br /><br />2. A good <span style="font-weight: bold;">backup and recovery system</span> should have the following features:<br /><br /> i. Backup media should be properly <span style="font-weight: bold;">labeled</span>.<br /> ii. The <span style="font-weight: bold;">retention period</span> should be clearly stated.<br /> iii. The <span style="font-weight: bold;">system log</span> and the <span style="font-weight: bold;">application log</span> should be stored separately.<br /> iv. There should be a <span style="font-weight: bold;">periodic audit</span> of the backup and recovery system.<br /> v. A <span style="font-weight: bold;">backup and recovery manual</span> should be available.<br /> <br /> <br />3. <span style="font-weight: bold;">Periodic testing</span> of the recovery procedure, and its documentation, are the most important parts of a backup policy.<br /><br /><br />4. Two important types of <span style="font-weight: bold;">parity</span> are:<br /><br /> i. <span style="font-weight: bold;">vertical parity</span> - one parity bit per character (vertical redundancy check, VRC)<br /> <br /> ii. 
<span style="font-weight: bold;">horizontal parity</span> - one parity character computed across a block of characters (longitudinal redundancy check, LRC)<br /><br />Either parity on its own only detects an odd number of bit errors. Used together they can locate a single-bit error: the failing vertical parity identifies the character and the failing horizontal parity identifies the bit position, so the receiver can correct it by flipping that one bit.<br /><br /><br />5. A <span style="font-weight: bold;">duplicate information processing facility</span><br /><br /> i. is used as a recovery site<br /> ii. can back up critical systems and applications<br /> iii. is often dedicated<br /> iv. helps in quick and efficient recovery in many situations<br /><br /></div><br /><br /><span style="font-weight: bold;">CISA Quick Tips 08-1012</span><br />Posted by PassCISA on 2008-12-10<br /><br /><div style="text-align: justify;">1. The purpose of setting up a disaster recovery site is to avoid a <span style="font-weight: bold;">single point of failure</span> and to maintain <span style="font-weight: bold;">business continuity</span>.<br /><br />2. An audit of logical access and physical access must check that each access was <span style="font-weight: bold;">authorized</span> in accordance with the organization's documented policy.<br /><br />3. A <span style="font-weight: bold;">carbon dioxide based fire suppressor</span> is a good choice for a centre with <span style="font-weight: bold;">no human</span> presence, because CO2 extinguishes by displacing oxygen and is therefore dangerous to people.<br /><br />4. The following are the functions/benefits of the <span style="font-weight: bold;">Authentication Header</span> (AH):<br /><br /> i. Connectionless integrity protection<br /> ii. Datagram authentication<br /> iii. Replay attack protection<br /><br />5. The <span style="font-weight: bold;">Program Evaluation and Review Technique</span> (PERT) uses optimistic, most likely and pessimistic duration estimates for each task and helps in determining the critical path of a project.<br /></div><br /><br /><span style="font-weight: bold;">CISA Quick Tips 08-0912</span><br />Posted by PassCISA on 2008-12-09<br /><br /><div style="text-align: justify;">1. 
When the data volume is large, <span style="font-weight: bold;">symmetric cryptography</span> is the fast and suitable method for encrypting it; asymmetric cryptography is typically used only to exchange the symmetric key.<br /><br />2. <span style="font-weight: bold;">Access Control Lists</span> (<span style="font-weight: bold;">ACLs</span>) are used in firewalls and on the interfaces (routers) that connect two or more networks or network segments together.<br /><br />3. All <span style="font-weight: bold;">sensitive data</span> stored on hard disks should ideally be encrypted.<br /><br />4. The following are some of the <span style="font-weight: bold;">benefits of cryptography</span>; note that plain encryption gives only the first, while the other two need a hash or digital signature on top of it:<br /><br />i. <span style="font-weight: bold;">Confidentiality</span><br /><br />Only the legitimate destination (the party to whom the data has been sent) can read the data. This is what encryption provides.<br /><br />ii. <span style="font-weight: bold;">Integrity</span><br /><br />The data has not been modified in transit. Encryption alone does not guarantee this; a message authentication code or a digital signature does.<br /><br />iii. <span style="font-weight: bold;">Non-repudiation</span><br /><br />The sender cannot later deny having sent the data. This comes from a digital signature made with the sender's private key, not from encryption.<br /><br />5. A password is a common tool for <span style="font-weight: bold;">user authentication</span> (something you know).<br /></div><br /><br /><span style="font-weight: bold;">CISA Quick Tips 08-0512</span><br />Posted by PassCISA on 2008-12-08<br /><br />1. <span style="font-weight: bold;">Dry pipe sprinklers</span> are<br /><br /> i. a very effective fire suppressor<br /> ii. an environment-friendly fire suppressor; the pipes hold pressurised air rather than water until a detector trips, which reduces the risk of accidental water damage to equipment<br /><br /><br />2. The <span style="font-weight: bold;">security administrator</span> should not have full access or write access to the logs of security devices, so that the administrator's own actions remain independently auditable.<br /><br />3. <span style="font-weight: bold;">Unit testing</span> is done at almost all stages of program development and generally precedes acceptance testing.<br /><br />4. 
General characteristics of <span style="font-weight: bold;">4GL</span> (fourth-generation languages) are:<br /><br /> i. closer to human languages<br /> ii. portable<br /> iii. database-oriented<br /> iv. simple, and requiring less effort than 3GL<br /> v. non-procedural<br /><br />5. <span style="font-weight: bold;">Audit hooks</span> are embedded in application source code and flag suspicious transactions as they occur, which helps in detecting errors and irregularities at an early stage.<br /><br /><span style="font-weight: bold;">IPsec & Encryption</span><br />Posted by PassCISA on 2008-12-04<br /><br /><span style="font-size: 130%;">This post is in relation to a question asked by a reader.<br /><br />Question:<br /><br /></span><a href="profile/10094396295717842680" target="_blank">Angus</a> has left a new comment on your post "<a href="http://passcisa.blogspot.com/2008/11/ip-security-authentication-header-ah.html" target="_blank">IP Security & Authentication Header (AH)</a>":<br /><br />May I ask a question about IPsec?<br /><span style="font-weight: bold;">Which of the following VPN methods will transmit data across the local network in plain text</span> <span style="font-weight: bold;">without encryption?</span><br /><br /><span style="font-weight: bold;">A. Secure Sockets Layer (SSL)</span><br /><span style="font-weight: bold;">B. IPsec</span><br /><span style="font-weight: bold;">C. Transport Layer Security (TLS)</span><br /><span style="font-weight: bold;">D. Layer 2 Tunneling Protocol (L2TP)</span><br /><span style="font-weight: bold;">The book answer is B, but why? IPsec does provide the encryption, doesn't it? </span><br /><br /><br /><span style="font-weight: bold;">Answer:</span><br /><br />You are perfectly right that IPsec does provide encryption.<br /><br /><br />Let us see each choice one by one:<br /><br /><span style="font-weight: bold;">A. 
Secure Sockets Layer (SSL)</span><br /><br />SSL is the predecessor of Transport Layer Security (TLS). It sits above the transport layer (OSI Layer 4) and encrypts the application data end to end, from the client application to the server application.<br /><br /><br /><span style="font-weight: bold;">B. IPsec</span><br /><br />IPsec provides<br />i. authentication (AH, or ESP with an integrity algorithm)<br />ii. encryption (ESP)<br /><br />Whether encryption is applied is decided by the Security Association (SA): an AH-only SA authenticates but does not encrypt. Note also that in a gateway-to-gateway IPsec VPN the tunnel terminates at the gateway, so the packets travel across the local network between the gateway and the end host in plain text; this is presumably the reasoning behind the book answer.<br /><br /><br /><br /><span style="font-weight: bold;">C. Transport Layer Security (TLS)</span><br /><br />TLS is the successor of SSL; like SSL it sits above OSI Layer 4 and encrypts the data end to end between the two applications.<br /><br /><br /><br /><span style="font-weight: bold;">D. Layer 2 Tunneling Protocol (L2TP)</span><br /><br />L2TP is essentially a session-layer (Layer 5) protocol carried over UDP. It does not provide encryption by itself; in practice it is combined with IPsec (L2TP/IPsec), which supplies the encryption for the data transfer.<br /><br /><br /><br /><br />So, in my view, the correct answer should be D. Layer 2 Tunneling Protocol (L2TP) and not B. IPsec.<br /><br /><span style="font-weight: bold;">Audit Risk and Relationship</span><br />Posted by PassCISA on 2008-12-02<br /><br /><p class="MsoNormal" style="text-align: justify;"><span style="font-size:130%;">This post is in relation to a question asked by a reader.</span></p> <p class="MsoNormal" style="text-align: justify; font-weight: bold;">Question:</p><br /><a href="http://www.blogger.com/profile/16160314966505984430" target="_blank">Jez4christ</a> has left a new comment on your post "<a href="http://passcisa.blogspot.com/2008/09/audit-risk-assessment-risk-types.html" target="_blank">Audit Risk Assessment – Risk Types & Relationships...</a>":<br /><br />Hi,<br /><br />I 
am reading your blog to prepare for the CISA exam in addition to the CRM.<br /><br />I have a question: <span style="font-weight: bold;">you mentioned "Inherent Risk × Control Risk = Residual Risk".</span><br /><br /><span style="font-weight: bold;">How is the "×" (multiply by) to be explained?</span><br /><br /><span style="font-weight: bold;">I am still stuck on "Residual risk = Total Risk - Responses to Risks".</span><br /><br />Thanks,<br />James Tan<br /><br /><br /><br /><span style="font-weight: bold;">Answer:</span><br /><br /><p style="font-weight: bold; font-style: italic;">I. Your first doubt</p> <p>You mentioned "Inherent Risk × Control Risk = Residual Risk". How is the "×" (multiply by) to be explained?</p> <p>A good observation!</p> <p>Before explaining the relationship between inherent risk, control risk and residual risk, let us once more see what these terms denote.</p> <p><br />(i) Inherent risk</p> <p>is the default risk linked to the area under audit: the likelihood that a material error or irregularity exists in the audit subject before any internal control is considered.</p> <p><br />(ii) Control risk</p> <p>is the likelihood that an error or irregularity in the audit subject will not be prevented, detected or corrected by the existing internal controls.</p> <p><br />Now the question is what the residual risk should be.</p> <p>Is it (i) less (ii)?</p> <p>No. The "×" is a genuine multiplication: each of the two terms is a likelihood (a probability), and the likelihood that an error both exists <span style="font-style: italic;">and</span> slips past the controls is the product of the two. If a "minus" reading helps, think of it as:</p> <p><br />the risk linked to the audit area (i), reduced by the share of errors that the controls catch, = the amount of error likely to remain unnoticed (iii).</p><p>Here (i) is the inherent risk and (iii) is the residual risk, and "reduced by the share the controls catch" is the same thing as "multiplied by the share they miss", which is the control risk (ii).</p> <p>For example, if the inherent risk of a payroll process is assessed at 0.40 and its controls are judged to miss one error in four (control risk 0.25), the residual risk is 0.40 × 0.25 = 0.10; subtracting 0.25 from 0.40 would be meaningless, because the two figures are not on the same scale.</p> <p style="font-weight: bold; font-style: italic;">II. 
Your second doubt</p> <p>I am still stuck on "Residual risk = Total Risk - Responses to Risks".</p> <p>This is the same idea expressed in words: the risk that is left over after the responses to risk (the controls) have done their work is the residual risk. The explanation for I answers this as well: "Responses to Risks" in that formula is the portion of the total (inherent) risk that the controls remove, so what remains is inherent risk × control risk.</p> <blockquote>Remember that an exam like CISA may not ask for the formula, but understanding the concept is very much recommended.</blockquote><br /><br /><span style="font-weight: bold;">Volatile and Non-volatile memory</span><br />Posted by PassCISA on 2008-12-01<br /><br /><p class="MsoNormal" style="text-align: justify;">This post is in relation to a question asked by a reader.</p> <p class="MsoNormal" style="text-align: justify; font-weight: bold;">Question:</p> <span style="font-size:100%;"><a href="http://www.blogger.com/profile/10094396295717842680" target="_blank">Angus</a> has left a new comment on your post "<a href="http://passcisa.blogspot.com/2008/08/application-softwarehardware-which.html" target="_blank">10 things you must remember about Antivirus</a>":<br /><br />Sorry, I can't find a proper subject appropriate for my question, so I post it here.<br />The question:<br /><span style="font-weight: bold;">Which of the following is the best description of nonvolatile data?</span><br /><span style="font-weight: bold;">A. Contents of random access memory</span><br /><span style="font-weight: bold;">B. Data on the hard disk</span><br /><span style="font-weight: bold;">C. 
Data acquired by forensic recovery</span><br /><span style="font-weight: bold;">D. Data from logical disk backups</span><br /><span style="font-weight: bold;">The book answer is B, but I thought the answer C, data acquired by forensic recovery, is the most nonvolatile data.</span><br />Can PassCISA please correct my thoughts? Thanks a lot.<br /><br /><br /></span><span style="font-size:100%;"><span style="font-weight: bold;">Answer:<br /></span>Dear Angus,<br /><br />Thanks again for sharing your doubts.<br /><br />Before solving this question, please remember the basic difference between volatile memory and non-volatile memory.<br /><br /><br /><span style="font-weight: bold;">Volatile memory</span> -<br /><br />Volatile memory is memory which loses its contents when the computer is switched off or power is lost.<br /><br />Example - Random Access Memory (RAM).<br /><br /><br /><span style="font-weight: bold;">Non-volatile memory -</span><br /><br />Non-volatile memory is memory whose contents remain intact even if the computer/hardware is switched off or power is lost.<br />Examples - hard disk, CMOS memory (which is battery-backed), CD, DVD, floppy, tapes etc.<br /><br /><br />Now let us discuss the choices one by one.<br /><br /><br /><br />1. <span style="font-weight: bold;">A. Contents of random access memory - contents of RAM</span> - By the above definition this is volatile memory.<br />2. <span style="font-weight: bold;">B. Data on the hard disk</span> - By the above definition this is non-volatile memory.<br /><br />3. <span style="font-weight: bold;">C. Data acquired by forensic recovery</span> - This could be a combination of volatile and non-volatile data. Much of the most important data recovered for forensic purposes comes from RAM (running processes, open network connections, keys held in memory), and RAM is volatile: it must be captured before power is removed. So "acquired by forensic recovery" describes how the data was obtained, not whether it is non-volatile.<br /><br />4. <span style="font-weight: bold;">D. 
Data from logical disk backups</span> - Backups are stored on non-volatile media such as tape or disk, but they are copies taken from the disk; the most direct description of non-volatile data is the data on the disk itself.<br /><br />So the answer in the book is correct: the correct answer is B and not C.<br /></span><br /><br /><span style="font-weight: bold;">CISA Type Question 08-2811 on Diverse routing and Alternative routing</span><br />Posted by PassCISA on 2008-11-28<br /><br /><span style="font-weight: bold;">An IS auditor, while auditing a network, finds a network routing scheme with the following characteristics:</span><br /><br /><span style="font-weight: bold;">1. Routing involves two exchanges.</span><br /><br /><span style="font-weight: bold;">2. Routing involves split cables.</span><br /><br /><span style="font-weight: bold;">This routing scheme is most likely to be:</span><br /><br /><br />1. diverse routing<br /><br /><br />2. alternative routing<br /><br /><br />3. a combination of both of the above<br /><br /><br />4. none of the above<br /><br /><br /><br /><blockquote><br />Modified and republished; the answer has already been published.</blockquote><br /><br /><span style="font-weight: bold;">CISA Quick Tips 08-2611</span><br />Posted by PassCISA on 2008-11-26<br /><br />1. Programmers should not be allowed to alter or patch the live (production) environment; changes go through change management and are migrated by someone other than the developer.<br /><br />2. Loss or leakage of confidential data may lead to reputation risk for the organization.<br /><br />3. The location of smoke detectors is a very important environmental control.<br /><br />4. A paper or wood fire can be suppressed by a foam fire suppressor; alternatively, a water suppressor can also be used.<br /><br />5. 
The False Rejection Rate (FRR) of a biometric system, the rate at which legitimate users are wrongly rejected, is also known as the Type I error (the False Acceptance Rate, FAR, is the Type II error).<br /><br /><span style="font-weight: bold;">CISA Quick Tips 08-2511</span><br />Posted by PassCISA on 2008-11-25<br /><br />1. CPM, or Critical Path Method, helps in determining the critical tasks of a project and identifies the dependencies between those tasks.<br /><br />2. Social engineering is the technique by which an attacker acquires sensitive information or improper access by building a trust relationship with authorized users.<br /><br />3. The ACID test checks that a Database Management System (DBMS) transaction provides<br /><br />i. Atomicity,<br />ii. Consistency,<br />iii. Isolation, and<br />iv. Durability.<br /><br /><br />4. The Registration Authority (RA) is responsible for<br /><br />i. user enrollment and verification of the applicant's identity<br />ii. forwarding the approved request to the Certificate Authority (CA), which generates and signs the certificate<br /><br /><br />5. The risk assessment process feeds the choice of risk response:<br /><br />i. Risk mitigation / risk reduction<br />ii. Risk transfer<br />iii. Risk assignment<br />iv. 
Risk acceptance<br /><br /><span style="font-weight: bold;">Two factor authentication using digital certificates</span><br />Posted by PassCISA on 2008-11-24<br /><br /><p class="MsoNormal" style="text-align: justify;">This post is in relation to a question asked by a reader.</p> <p class="MsoNormal" style="text-align: justify; font-weight: bold;">Question:</p><div id=":wc" class="ArwC7c ckChnd"><div class="Ih2E3d"><a href="http://www.blogger.com/profile/10094396295717842680" target="_blank">Angus</a> commented on the post "<a href="http://passcisa.blogspot.com/2008/07/certificate-authority-for-cisa-exam-its.html" target="_blank">Certificate Authority for CISA Exam - its all abou...</a>":<br /><br /><span style="font-weight: bold;">May I ask a question about how digital certificates (also known as a soft token) can be used for two-factor authentication? 
Thanks a lot.</span><br /></div><br /></div> <p class="MsoNormal" style="text-align: justify; font-weight: bold;">Answer:</p> <p class="MsoNormal" style="text-align: justify;">Two factor authentication means the use of two of the following factors:</p> <ol start="1" type="1"><li class="MsoNormal" style="text-align: justify;">Something you have</li><li class="MsoNormal" style="text-align: justify;">Something you know</li><li class="MsoNormal" style="text-align: justify;">Something you are</li></ol><br /><p class="MsoNormal" style="text-align: justify;"><span>Let us first see what one-factor authentication could be. One-factor authentication involves something you know: your user name and password. The natural thing is to combine this with something you have: a digital certificate, or more precisely the private key that belongs to it, held on the user's machine or on a smart card. 
The combination of these two makes it two-factor authentication.</span></p><p class="MsoNormal" style="text-align: justify;"><br /></p> <p class="MsoNormal" style="text-align: justify;">The following are the steps of the simplest two-factor authentication using a digital certificate:</p> <ol start="1" type="1"><li class="MsoNormal" style="text-align: justify;">The user account is created.</li><li class="MsoNormal" style="text-align: justify;">The user is linked to a unique digital certificate in the certificate database.</li><li class="MsoNormal" style="text-align: justify;">That unique digital certificate, together with its private key, is installed on the user's system.</li><li class="MsoNormal" style="text-align: justify;">Through PKI the user's digital certificate is verified when the SSL/TLS connection is set up (the server requests a client certificate and checks that it chains to a trusted CA, is unexpired and not revoked, and that the client can sign with the matching private key), and the user is allowed to use the SSL services.</li><li class="MsoNormal" style="text-align: justify;">By then supplying the user name and password created in step 1, the user gains access to the resources.</li></ol><br /><p class="MsoNormal" style="text-align: justify;"> </p> <p class="MsoNormal" style="text-align: justify;">The benefits of using a digital certificate for two-factor authentication are:</p> <ol start="1" type="1"><li class="MsoNormal" style="text-align: justify;">Lower costs than hardware tokens</li><li class="MsoNormal" style="text-align: justify;">Easy to use</li><li class="MsoNormal" style="text-align: justify;"><span>Availability of many 
standards.</span></li></ol><br /><br /><span style="font-weight: bold;">CISA Quick Tips 08-2111</span><br />Posted by PassCISA on 2008-11-21<br /><br />1. <span style="font-weight: bold;">Data mining</span> is the process of analyzing data from different sources and perspectives and summarizing it into useful information by means of association, clustering, sequencing and forecasting.<br /><br />2. The <span style="font-weight: bold;">RSA algorithm</span> authenticates a message by signing a hash of the message with the sender's private key; anyone holding the public key can verify the signature. A message authentication code (MAC) is a different, symmetric-key mechanism and is not part of RSA.<br /><br />3. The <span style="font-weight: bold;">IS policy</span> and the business objectives should be mutually supportive.<br /><br />4. The <span style="font-weight: bold;">IT security</span> policy should be regularly reviewed and kept in tune with technological changes.<br /><br />5. The ideal way to monitor the relationship between source code and object code is <span style="font-weight: bold;">time stamp comparison</span>: the object code's compile time should not predate the last change to its source. Unauthorized changes can also be detected by <span style="font-weight: bold;">time stamp comparison</span>, though a hash or checksum comparison against a known-good baseline is stronger, since time stamps can be altered.<br /><br /><span style="font-weight: bold;">CISA Quick Tips 08-2011</span><br />Posted by PassCISA on 2008-11-20<br /><br /><div style="text-align: justify;">1. Maintaining strong passwords is a <span style="font-weight: bold;">preventive control</span>.<br /><br /><br />2. A <span style="font-weight: bold;">stream cipher</span> is a type of symmetric encryption which operates on a continuous stream of plain text, bit by bit (1s and 0s), by combining it with a keystream. It is often implemented in hardware and is very fast compared to a block cipher; the keystream must never be reused for two messages under the same key.<br /><br /><br /><br />3. A business continuity plan should first be tested by the <span style="font-weight: bold;">paper test</span> method, before any fuller test.<br /><br /><br />4. 
<span style="font-weight: bold;">RAID</span> (redundant array of independent disks) is an arrangement for data storage that uses multiple hard disks to share and/or replicate data among the disks, so that a single disk failure does not lose the data (except in RAID 0, which only stripes for performance).<br /><br /><br />5. Identifying <span style="font-weight: bold;">high-risk areas</span> and their risk weighting is the most crucial and critical step in audit planning.<br /><br /></div><br /><br /><span style="font-weight: bold;">IP Security & Authentication Header (AH)</span><br />Posted by PassCISA on 2008-11-19<br /><br /><div>IP Security (IPsec) is a suite of protocols which, to a large extent, ensures the security of the Internet Protocol (IP). Besides Internet Key Exchange (IKE), which negotiates the Security Associations and keys, the two other important protocols in IPsec are<br /><br />1. Authentication Header (AH)<br />2. Encapsulating Security Payload (ESP)<br /><br /><br /><blockquote>This article briefly discusses the Authentication Header (AH) part of IPsec. IKE and ESP will be discussed separately.</blockquote><br /><br /><span style="font-weight: bold; ">Role and benefits of Authentication Header (AH)</span><br /><br />The following are the functions/benefits of Authentication Header (AH):<br /><br />1. Connectionless integrity protection<br />2. Datagram (data origin) authentication<br />3. 
Replay attack protection (an optional service that the receiver elects to use)<br /><br /><br /><span style="font-weight: bold; ">Architecture of Authentication Header:</span><br /><br />The following diagram shows the format of the AH (Next Header, Payload Length, Reserved, SPI, Sequence Number, Integrity Check Value):<br /><br /></div><div><br /></div><div><br /></div><a href="http://3.bp.blogspot.com/_oUDU5ZUhDSw/SSQzasYutrI/AAAAAAAAAIw/JFkdmez71qY/s1600-h/ah.JPG"><img style="display:block; margin:0px auto 10px; text-align:center; width: 320px; height: 79px;" src="http://3.bp.blogspot.com/_oUDU5ZUhDSw/SSQzasYutrI/AAAAAAAAAIw/JFkdmez71qY/s320/ah.JPG" border="0" alt="Authentication Header format" id="BLOGGER_PHOTO_ID_5270393997614823090" /></a><br /><br />From the diagram it is clear that AH inserts itself into the datagram and, with the help of the Integrity Check Value (ICV), a keyed hash (for example HMAC-SHA1-96 or HMAC-SHA-256-128) computed over the payload and the immutable fields of the IP header, ensures the integrity of the datagram; unlike ESP, it does not encrypt anything. The Security Parameters Index (SPI) selects the Security Association, and therefore the key and algorithm, at the receiver. The sequence number of the AH provides protection against replay with the help of a sliding window at the receiver: a packet whose number is already marked in the window, or that falls below the window's left edge, is discarded, and the window is advanced only after the ICV has verified.<br /><br /><br /><br /><span style="font-weight: bold;">Implementation of Authentication Header (AH)</span><br />Authentication Header (AH) can be implemented in the following ways:<br /><br />1. AH alone (transport mode)<br />2. AH together with Encapsulating Security Payload (ESP)<br />3. In tunnel mode, where AH protects a whole encapsulated IP packet<br /><br /><span style="font-weight: bold;">CISA Quick Tips 08-1811</span><br />Posted by PassCISA on 2008-11-18<br /><br />1. A flammable-liquid fire should ideally be suppressed by agents like dry powder and/or carbon dioxide.<br /><br />2. The Data Link layer (OSI Layer 2) handles bridging.<br /><br />3. The Business Impact Analysis (BIA) phase of BCP must include end users.<br /><br />4. The source code of the live environment should be periodically checked/audited to find any unauthorized changes to the live environment.<br /><br />5. 
The maintenance of the Business Continuity Plan should be periodically reviewed and analysed.<br /><br /><span style="font-weight: bold;">CISA Quick Tips 08-1711</span> (PassCISA, posted 2008-11-17)<br /><br />1. A proper access control policy covering data file access and directory access should be framed when implementing a Database Management System (DBMS).<br /><br />2. Segregation of duties is a key area to be audited while auditing IT operations.<br /><br />3. In the case of outsourced network operations, the logs of network devices should be secured and accessed only by the organization or a third party other than the network vendor.<br /><br />4. CAATs provide reasonable assurance that audit objectives will be achieved.<br /><br />5. IT governance ensures that appropriate and suitable controls are followed by the organization as per standard practices.<br /><br /><span style="font-weight: bold;">How to select a CAAT</span> (PassCISA, posted 2008-11-14)<br /><br />CAAT stands for <span style="font-weight: bold;">Computer Assisted Audit Techniques</span>.<br /><br /><br />A common topic of discussion among IS Auditors is "<span style="font-style: italic;">which is better: CAATs or the manual method of IS Audit?</span>" Sometimes the manual method is not enough to produce effective and efficient IS Audit results. On the other hand, in many instances the use of CAATs gives less efficient results than the corresponding manual IS Audit methods.<br /><br />It is always recommended to use a mix of CAATs and manual methods for optimal results.<br /><br />"<span style="font-style: italic;">What should be the criteria to select CAATs?</span>" 
is another question many IS Auditors ask.<br /><br />The following are some of the important points an organization should consider before selecting CAATs.<br /><br /><span style="font-weight: bold;">1. End user of the CAAT</span><br /><br />The end user of the CAAT (the IS Auditor) should be able to handle almost all operational and related aspects of the CAAT.<br /><br /><span style="font-weight: bold;">2. Cost-benefit analysis</span><br /><br />A cost-benefit analysis against the corresponding manual process should be performed. The cost of a control should never be much more than the loss due to the risk it addresses.<br /><br /><span style="font-weight: bold;">3. System impact analysis</span><br /><br />This is particularly relevant for a CAAT that is integrated into the main system. Use of the CAAT should never degrade system performance beyond an acceptable limit.<br /><br /><span style="font-weight: bold;">4. Compatibility of the CAAT</span><br /><br />The CAAT should ideally be compatible with all hardware, software and available infrastructure.<br /><br /><span style="font-weight: bold;">5. Efficiency, accuracy & speed of results</span><br /><br />This is the most important aspect of CAAT selection. CAATs that produce efficient, accurate and speedy results are generally preferred.<br /><br /><span style="font-weight: bold;">6. Support from the CAAT vendor</span><br /><br />This is an equally important criterion for CAAT selection.<br /><br /><span style="font-weight: bold;">7. Limitations and inherent risks within the CAAT</span><br /><br />These should be confirmed and evaluated at the time of decision making for CAAT selection.<br /><br /><span style="font-weight: bold;">8. Security of data processed by the CAAT</span><br /><br />An important criterion which should be evaluated by the Information Security Administrator.<br /><br /><span style="font-weight: bold;">9. Validity tests</span><br /><br />Results of the CAATs should be validated against the corresponding processes. 
A wide variety of test and live data should be evaluated.<br /><br /><br /><blockquote>Be careful while analyzing test CAAT data in the live environment for validity of CAAT results. Make the necessary arrangements to separate test data in the live environment.</blockquote><br /><br /><span style="font-weight: bold;">10. Regulatory and legal requirements (if any)</span><br /><br />Do consider regulatory and legal requirements wherever applicable.<br /><br /><span style="font-weight: bold;">CISA Type Question 08-1111 on Audit Trail</span> (PassCISA, posted 2008-11-11)<br /><br /><span style="font-weight: bold;">Which source will an IS Auditor look at for audit trails while auditing a software firewall?</span><br /><br />1. Firewall log<br /><br />2. Operating system log<br /><br />3. Both 1 & 2<br /><br />4. None of the above<br /><br /><br /><br /><br /><blockquote>republished/modified & republished - Answer already published</blockquote><br /><br /><span style="font-weight: bold;">CISA Type Question 08-3110 on Audit Charter</span> (PassCISA, posted 2008-10-31)<br /><br /><span style="font-weight: bold;">Which of the following is the LEAST important characteristic of an Audit Charter?</span><br /><br /><br />1. The Audit Charter delegates authority from one person/organization to another person/organization<br /><br />2. The Audit Charter should document the purpose, accountabilities & responsibilities related to the audit function<br /><br />3. The Audit Charter should describe the independence, objectivity and standards of the audit to be conducted<br /><br />4. 
The Audit Charter is related only to the scope of the audit.<br /><br /><br /><br /><blockquote>republished/modified & republished - Answer already published</blockquote><br /><br /><span style="font-weight: bold;">Access Control in UNIX based operating systems</span> (PassCISA, posted 2008-10-27)<br /><br /><div style="text-align: justify;">Many UNIX-based operating systems are available. Although the basic architecture is the same for all of these operating systems, they vary in functionality. The following are some of the important UNIX-based OSs:<br /></div><br />Solaris<br />SCO UNIX<br />Linux – Red Hat, Fedora<br />BSD – OpenBSD, NetBSD, FreeBSD<br />HP-UX<br />AIX<br />Darwin<br />Mac<br /><br />In a UNIX-based information system, the following measures are required to ensure proper access control.<br /><br /><br /><br /><div style="text-align: justify;"><blockquote>The CISA exam may not ask platform-specific questions. Similarly, the directory structure and commands may not be asked. CISA aspirants need to know only the basic concepts behind these. I am providing these details for Information Security Professionals and IS Auditors.</blockquote><br /></div><br /><span style="font-weight: bold;">1) Root access control</span><br /><br />Root access can be controlled by configuring one of the following:<br /><br />a. <span style="font-style: italic;">/etc/default/login</span><br />b. <span style="font-style: italic;">sshd_config</span><br />c. 
<span style="font-style: italic;">ssh_config</span><br /><br /><br /><span style="font-weight: bold;">2) Remote access control</span><br /><br />Remote access can be controlled by configuring one of the following:<br /><br /><span style="font-style: italic;">.rhosts</span><br /><span style="font-style: italic;">.netrc</span><br /><br />The use of the following should be strictly on a need basis, as per a predefined policy:<br /><br />a. <span style="font-style: italic;">rlogin</span> – remote login<br />b. <span style="font-style: italic;">rcp</span> – remote copy<br />c. <span style="font-style: italic;">ftp</span> – file transfer protocol<br />d. <span style="font-style: italic;">telnet</span> – remote connectivity<br /><br /><br /><span style="font-weight: bold;">3) Restrict su capability to a few users</span><br /><br /><span style="font-weight: bold;">4) Role Based Access Control (RBAC)</span><br /><br />RBAC can be configured by the following files:<br /><br />a. <span style="font-style: italic;">/etc/security/auth_attr</span> - attributes related to authorizations<br />b. <span style="font-style: italic;">/etc/security/prof_attr</span> - attributes related to profiles<br />c. <span style="font-style: italic;">/etc/security/exec_attr</span> - attributes related to execution<br />d. 
<span style="font-style: italic;">/etc/user_attr</span> - attributes related to users and roles<br /><br /><span style="font-weight: bold;">5) File System Access Control Lists (FACL)</span><br /><br />The FACL information may be obtained with the following command:<br /><br /><span style="font-style: italic;">getfacl -ad</span><br /><br />This gives the necessary information, such as:<br /><br />filename<br />file owner<br />file group owner<br />ACL or default ACL<br /><br />The command <span style="font-style: italic;">setfacl</span> with parameters may be used to set ACLs.<br /><br /><span style="font-weight: bold;">6) Password aging</span><br /><br />Periodic password aging should be implemented using<br /><br /><span style="font-style: italic;">/etc/default/passwd</span><br /><br /><br /><span style="font-weight: bold;">7) System log management</span><br /><br />This should be done to know:<br /><br />Event logs<br />su attempts<br />Failed login attempts<br />last command – who logged in, when and from where<br /><br />Also, <span style="font-style: italic;">/etc/hosts.allow</span> and <span style="font-style: italic;">/etc/hosts.deny</span> should be reviewed periodically to know the efficacy of SSH.<br /><br />Ideally, logs should be stored on a separate system, and access to that system should be restricted to the security administrator. In no case should logs be accessible to the system administrator.<br /><br /><blockquote>Some of the commands/directories/files mentioned above may be specific to a particular flavour of UNIX.</blockquote><br /><br /><span style="font-weight: bold;">CISA Type Question 08-2210 on Audit Trails</span> (PassCISA, posted 2008-10-22)<br /><br />Which of the following should an IS Auditor check FIRST before analyzing the audit trails of a Local Area Network (LAN)?<br /><br />1. Quantity of audit trails<br />2. Periodicity of audit trails<br />3. 
Synchronization of time between server and clients<br />4. Interaction between different applications<br /><br /><br /><br /><br /><span style="font-weight: bold;">Answer to CISA type question 08-2010 on Audit Charter & Engagement Letter</span><br /><br />Responsibility, authority and accountability should be part of both the Audit Charter and the Engagement Letter. So the correct answer is 3. Both.<br /><br />Then, what is the difference between an Audit Charter and an Engagement Letter?<br /><br />I leave this question for my readers to answer.<br /><br /><span style="font-weight: bold;">CISA type question 08-2010 on Audit Charter & Engagement Letter</span> (PassCISA, posted 2008-10-20)<br /><br /><span style="font-weight: bold;">Responsibility, authority and accountability should be part of</span><br /><br />1. Audit Charter<br />2. Engagement Letter<br />3. Both<br />4. None<br /><br /><br /><span style="font-weight: bold;">Answer to CISA Type Question 08-1010 on Business Continuity & Disaster Recovery</span><br /><br /><div style="text-align: justify;">While auditing an Information System, an IS Auditor finds that the system does not force a backup before and after major events/major updates to the system. The IS Auditor should suggest that the Information System should force a backup before and after major events, that all the major events and backups should be properly documented, and that the existing procedures are complete and sufficient. 
So the correct answer is 4. More than one of the above.<br /></div><br /><span style="font-weight: bold;">Control Self-Assessment (CSA) - How, what & why?</span> (PassCISA, posted 2008-10-13)<br /><br /><div style="text-align: justify;">Control Self-Assessment (CSA) is a technique by which an organization assesses the effectiveness, reliability and adequacy of its existing internal controls, which may help the organization strengthen those controls further.<br /><br /><span style="font-weight: bold;">What can be detected by CSA?</span><br /><br />CSA may help in finding:<br /><br />1. Internal controls<br />2. Business & operational risks<br />3. Effectiveness of controls<br />4. Reliability & adequacy of controls<br /><br /><span style="font-weight: bold;">What are the benefits of CSA?</span><br /><br />1. Optimization of resources<br />2. Help in risk mitigation<br />3. Speedy audit<br /><br /><br /><span style="font-weight: bold;">Procedure for conducting CSA</span><br /><br />The following are the steps needed for a CSA:<br /><br />1. Questionnaires are sent to previously identified users.<br />2. Users complete the questions and send the answers to the internal audit team.<br />3. Questionnaires are evaluated.<br />4. Risk & efficacy of the various internal controls are determined.<br /><br /><br /><span style="font-weight: bold;">How is CSA different from other types of audit?</span><br /><br />CSA can identify areas of higher risk earlier, which may then be thoroughly reviewed.<br /><br /><span style="font-weight: bold;">What can CSA not do?</span><br /><br />CSA cannot replace the traditional or formal audit of the organization.<br /><br /><br /></div>
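The Authentication Header post above says that the ICV ensures datagram integrity and that the sequence number defends against replay with a sliding window. The following Python block is an added example written for this page, not code from the blog or from any IPsec implementation, showing how a receiver combines the two checks. It assumes a simplified AH layout (next header, payload length, reserved, SPI, sequence number, then a 96-bit ICV), HMAC-SHA1-96 as the integrity algorithm, a 64-entry anti-replay window, and a constructed key, SPI and payloads; real AH also covers the immutable IP header fields in the ICV, which this demo omits. The names `build_ah_packet`, `AHReceiver` and `demo` are the example's own.

```python
import hashlib
import hmac
import struct

# Simplified AH header (RFC 4302 section 2): Next Header (1 byte), Payload Len (1),
# Reserved (2), SPI (4), Sequence Number (4), followed by the ICV. The ICV here is
# HMAC-SHA1-96 (RFC 2404): HMAC-SHA1 truncated to 96 bits (12 bytes).
# Assumption for this demo: the ICV covers only the AH header and payload; real AH
# also covers the immutable fields of the surrounding IP header.
AH_FIXED_LEN = 12
ICV_LEN = 12
HEADER_FMT = "!BBHII"


def _icv(key, header, payload):
    """ICV is computed with the ICV field itself set to zero."""
    mac = hmac.new(key, header + bytes(ICV_LEN) + payload, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def build_ah_packet(key, spi, seq, payload, next_header=6):
    """Sender side, for the demo only: AH header + ICV + payload.
    Payload Len is the AH length in 32-bit words minus 2 (RFC 4302 2.2), so 4 for a
    96-bit ICV. next_header=6 means the protected payload is TCP."""
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    header = struct.pack(HEADER_FMT, next_header, payload_len, 0, spi, seq)
    return header + _icv(key, header, payload) + payload


class AHReceiver:
    """Receiver state for one Security Association: key, SPI and the anti-replay
    window of RFC 4302 section 3.4.3 (default size 64).

    last_seq is the right edge of the window (highest sequence number accepted);
    bit i of bitmap is set when sequence number last_seq - i has been accepted."""

    def __init__(self, key, spi, window=64):
        self.key = key
        self.spi = spi
        self.window = window
        self.last_seq = 0
        self.bitmap = 0

    def _window_reject_reason(self, seq):
        """Cheap check done before the ICV, so replays cost no HMAC work."""
        if seq == 0:
            return "sequence number 0"  # never valid once anti-replay is enabled
        if seq > self.last_seq:
            return None  # right of the window: new packet, window will advance
        diff = self.last_seq - seq
        if diff >= self.window:
            return "too old (left of window)"
        if (self.bitmap >> diff) & 1:
            return "replay"
        return None

    def _window_update(self, seq):
        """Only called after the ICV verified, so a forged packet cannot move the window."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            if shift >= self.window:
                self.bitmap = 1  # everything previously seen falls off the left edge
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)

    def receive(self, packet):
        """Returns (accepted, reason)."""
        if len(packet) < AH_FIXED_LEN + ICV_LEN:
            return False, "truncated"
        header = packet[:AH_FIXED_LEN]
        icv = packet[AH_FIXED_LEN:AH_FIXED_LEN + ICV_LEN]
        payload = packet[AH_FIXED_LEN + ICV_LEN:]
        _nh, _plen, _rsv, spi, seq = struct.unpack(HEADER_FMT, header)
        if spi != self.spi:
            return False, "unknown SPI"
        reason = self._window_reject_reason(seq)
        if reason:
            return False, reason
        if not hmac.compare_digest(icv, _icv(self.key, header, payload)):
            return False, "ICV mismatch"
        self._window_update(seq)
        return True, "accepted"


def demo():
    """Constructed traffic: key, SPI and payloads are made up for this example."""
    key = b"constructed-demo-key-not-a-real-key"
    spi = 0x1000
    rx = AHReceiver(key, spi)
    p1 = build_ah_packet(key, spi, 1, b"first")
    p2 = build_ah_packet(key, spi, 2, b"second")
    p3 = build_ah_packet(key, spi, 3, b"third")
    tampered = bytearray(p3)
    tampered[-1] ^= 0x01  # flip one payload bit: ICV no longer matches
    p100 = build_ah_packet(key, spi, 100, b"far ahead")
    p50 = build_ah_packet(key, spi, 50, b"out of order but inside window")
    reasons = []
    for pkt in (p1, p2, p1, bytes(tampered), p3, p100, p3, p50, p50):
        reasons.append(rx.receive(pkt)[1])
    return reasons


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The order of checks matters for a defender: the window check runs first because it is cheap and discards obvious replays before any HMAC work, but the window is only advanced after the ICV verifies, so a packet with a forged sequence number cannot push genuine in-flight packets out of the window. The demo walk-through shows each outcome the post describes: a replayed packet, a tampered packet, a jump that slides the window, a packet that is now too old, and an out-of-order packet that is still inside the window.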