Summary of Exam Objectives

This chapter reviewed the audit and monitoring fundamentals of the ISC2 SSCP exam. This included a base understanding of the CIA security triad. The major control types that provide security services were also discussed, including preventative, detective, corrective, directive, and recovery controls. These controls are part of the control hierarchy, which consists of policies, procedures, and guidelines. This chapter contains information that is useful for passing the ISC2 SSCP exam, but information from ISACA is also useful to complement an understanding of audit and monitoring. ISACA applies the COBIT standards, which include PO, AI, DS, and M.

The process by which information security audits are conducted was examined. A checklist audit provides a useful reference that can be easily repeated. However, this list should not be relied upon in lieu of human intuition and observation. The danger here is that the auditor could get a false sense of security if there is too much reliance on the tools used for the audit and not enough creative thinking and questioning on the part of the auditor. The same is true of the CAATs used to automate and refine the audit process.

The concept of governance was emphasized in this chapter. Governance is an important function that aligns security resources with business needs. The auditing methods used depend on the goals of the audit, the specifics of the environment, and the intended audience to which the report must ultimately be presented. Governance considers the organizational relationships and processes that directly affect the entire enterprise. Before expensive resources are allocated to a task, the landscape is considered, including industry best practices. The top-down approach ensures that industry-specific regulations are considered by senior management in the security policy. Military security uses a hierarchical structure, and corporations have a similar structure (as opposed to academic environments, which tend to be more liberal and democratic). The military security standards can be applied to the private sector with a few modifications. An example of this is the Trusted Security Standard (TSEC) model and the Rainbow Series, which includes the Orange Book. The Orange Book outlines three major control objectives: security policy, accountability, and assurance (SPAA). Exercises to reinforce the points learned included a war dialer exercise, the installation of a sniffer that was able to intercept File Transfer Protocol (FTP) communication channels, including user ID and password, and a Web server vulnerability scan.

The tools used to measure compliance with the security policy include the various audit methods. The threats and risks that require countermeasures include traffic analysis, trend analysis, keyboard monitoring, and radiation monitoring. The audit and monitoring engagement process is as follows:

  • Plan the audit:

    • Understand the business context of the security audit

    • Obtain the required approvals from senior management and legal representatives

    • Obtain historical information on previous audits, if possible

    • Research the applicable regulatory statutes

    • Assess the risk conditions inherent to the environment

  • Determine the existing controls in place and the associated risk profile:

    • Evaluate the current security posture using the risk-based approach

    • Evaluate the effectiveness of the existing security controls

    • Perform detection risk assessment

    • Perform control risk assessment

    • Determine the total resulting risk profile

  • Conduct compliance testing:

    • Determine the effectiveness of policies and procedures

    • Determine the effectiveness of segregation of duties

  • Conduct substantive testing:

    • Verify that the security controls behave as expected

    • Test the controls in practice

  • Determine the materiality of the weaknesses found:

    • If the security exploits found were to be executed, determine what the tangible impact to the business (in dollars) and the intangible impact (loss of reputation) would be

    • Determine if the security exploits found increase the organizational risk profile

  • Present the findings:

    • Prepare the audit report and the audit opinion

    • Create the recommendations

The technical controls and the high-level administrative controls should be understood as working together rather than as mutually exclusive. The five goals of an audit mechanism are as follows:

  • Must allow the review of patterns of access

  • Must allow for the discovery of a user's repeated attempts to bypass security

  • Must allow for the discovery of user privileges that are excessive

  • Must act as a deterrent against a perpetrator's attempts to bypass security mechanisms

  • Must provide additional assurance that the attempts to bypass protection mechanisms are discovered and recorded
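
As an added illustration (not code from the study guide), the following Python script applies the first three goals above to a constructed audit log: it summarizes each user's access pattern, flags users whose denied attempts repeat, and reports allowed actions that exceed what the user's role should be entitled to. The log format, user names, roles, and entitlement table are all made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit records (not from the page):
# timestamp, user, role, action, resource, outcome.
SAMPLE_LOG = """\
2024-03-01T08:00:01 user=alice role=analyst action=read resource=/finance/reports outcome=ALLOW
2024-03-01T08:02:14 user=bob role=clerk action=read resource=/finance/reports outcome=DENY
2024-03-01T08:02:20 user=bob role=clerk action=read resource=/finance/reports outcome=DENY
2024-03-01T08:02:31 user=bob role=clerk action=write resource=/hr/payroll outcome=DENY
2024-03-01T08:05:00 user=carol role=admin action=write resource=/hr/payroll outcome=ALLOW
2024-03-01T08:07:45 user=alice role=analyst action=write resource=/hr/payroll outcome=ALLOW
2024-03-01T08:09:12 user=bob role=clerk action=read resource=/public/notices outcome=ALLOW
"""

# Constructed entitlement table: the (action, resource) pairs each role is expected to need.
ROLE_ENTITLEMENTS = {
    "analyst": {("read", "/finance/reports"), ("read", "/public/notices")},
    "clerk": {("read", "/public/notices")},
    "admin": {("read", "/finance/reports"), ("write", "/hr/payroll"), ("read", "/public/notices")},
}

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) resource=(?P<resource>\S+) outcome=(?P<outcome>\S+)"
)

def parse_log(text):
    """Parse one record per line; lines that do not match the expected format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def access_patterns(events):
    """Goal 1: which resources each user touched, and how often (review of access patterns)."""
    patterns = defaultdict(Counter)
    for e in events:
        patterns[e["user"]][e["resource"]] += 1
    return {user: dict(counts) for user, counts in patterns.items()}

def repeated_bypass_attempts(events, threshold=3):
    """Goal 2: users whose denied attempts reach the threshold (repeated attempts to bypass security)."""
    denies = Counter(e["user"] for e in events if e["outcome"] == "DENY")
    return {user: n for user, n in denies.items() if n >= threshold}

def excessive_privileges(events, entitlements):
    """Goal 3: allowed actions that fall outside the user's role entitlements (excessive privileges)."""
    findings = []
    for e in events:
        if e["outcome"] == "ALLOW" and (e["action"], e["resource"]) not in entitlements.get(e["role"], set()):
            findings.append((e["user"], e["role"], e["action"], e["resource"]))
    return findings
```

Each finding from the last two functions is a candidate for the materiality step of the engagement process; the access-pattern summary gives the auditor the context to judge it.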

Finally, the auditing and monitoring process should be a continuous process of discovering vulnerabilities, applying patches, hardening the operating system by disabling unneeded services and ports, and then retesting functionality after security patches have been applied.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
