What is CISA – Protection of Information Assets & Tutorial? Defined, Explained, & Explored
Last updated on 19th Jul 2020, Blog, Tutorials
- Protection of Information Assets is the last domain in the CISA job practice and the most heavily weighted. When this guide was written, ISACA weighted the domain at 30 percent of the CISA examination, approximately 60 of the 200 questions; ISACA revises the domain weights and the question count with each job practice update, so confirm the current figures in the exam candidate guide. This is a make or break domain for you. This section covers eight areas that you need to fully understand to pass the CISA exam.
1. Importance of Information Security Management
- Information Security Management is important to ensure the continued availability of information systems.
- Information Security Management is important to ensure the integrity of the stored information and the information in motion (in transit).
- Information Security Management is important to ensure the confidentiality of sensitive data.
- There’s the old CIA triad again (Confidentiality, Integrity, Availability)
- Key Elements in Information Security Management
- Senior Management Commitment and support
- Policies and Procedures
- Security Awareness and Training
- Monitoring and compliance, and
- Incident handling and response
- You should have an understanding of each of these key elements
- Information Security Management roles and responsibilities: in this area you need to have the IS Security Steering Committee's responsibilities down cold, to the point of quoting them verbatim from the CISA Review Manual.
- Understand the difference between mandatory access controls (MAC) and discretionary access controls (DAC). Under MAC the system enforces access from security labels (clearance versus classification) and the data owner cannot override the decision; under DAC the owner of the resource decides who gets access, typically through an access control list.
- One of the last sections in Information Security Management deals with computer crime issues and exposures. Exhibit 5.8 in the CISA manual lists some 30 different Common Attack Methods and Techniques. Pick 30 and have a working understanding. That's right, all 30. ISACA has chosen everything from botnets to war chalking for their exam.
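The MAC versus DAC distinction above, as an added example (not from the CISA manual): DAC is modelled as an owner-managed ACL, MAC as Bell-LaPadula label checks that the owner cannot override. The users, labels and objects are constructed for illustration.

```python
"""DAC vs MAC, side by side.

Added example, not from the CISA manual. Subjects, objects, labels and
ACLs below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Ordered sensitivity levels for the MAC lattice (constructed example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class DacObject:
    """Discretionary: the *owner* decides who may read or write."""
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

    def grant(self, actor: str, user: str, perms: set) -> bool:
        # Only the owner can change the ACL; that is what "discretionary" means.
        if actor != self.owner:
            return False
        self.acl.setdefault(user, set()).update(perms)
        return True

    def allowed(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


@dataclass
class MacObject:
    """Mandatory: a system-wide label decides, and the owner cannot override it."""
    label: str


def mac_allowed(clearance: str, obj: MacObject, perm: str) -> bool:
    """Bell-LaPadula confidentiality rules.

    read : no read up    (subject clearance >= object label)
    write: no write down (subject clearance <= object label)
    """
    s, o = LEVELS[clearance], LEVELS[obj.label]
    if perm == "read":
        return s >= o
    if perm == "write":
        return s <= o
    raise ValueError(perm)


def demo() -> dict:
    # DAC: alice owns the file and hands out access at her discretion.
    report = DacObject(owner="alice")
    report.grant("alice", "bob", {"read"})
    bob_tried_to_grant = report.grant("bob", "mallory", {"read"})  # refused, bob is not the owner

    # MAC: alice holds a "secret" clearance, bob "internal"; the labels rule.
    secret_doc = MacObject(label="secret")
    public_note = MacObject(label="public")
    return {
        "dac_bob_reads_report": report.allowed("bob", "read"),                    # True
        "dac_bob_writes_report": report.allowed("bob", "write"),                  # False
        "dac_bob_grant_refused": not bob_tried_to_grant,                          # True
        "mac_bob_reads_secret": mac_allowed("internal", secret_doc, "read"),      # False: no read up
        "mac_alice_reads_secret": mac_allowed("secret", secret_doc, "read"),      # True
        "mac_alice_writes_public": mac_allowed("secret", public_note, "write"),   # False: no write down
        "mac_bob_writes_secret": mac_allowed("internal", secret_doc, "write"),    # True: writing up is allowed
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The exam point to take from the MAC half: even the owner of a "secret" document cannot copy it into a "public" one (no write down), and nobody's discretion changes that.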
2. Logical Access
- This is the primary means used to manage and protect information assets. Note the emphasis on PRIMARY!
- There are really only two points of entry, local and remote. The questions are: how do you identify local users and their rights, and how do you identify and authenticate remote users?
- Authentication is typically categorized as something you know (password), something you have (token) and something you are (biometrics). Combining two different categories is two-factor authentication; two passwords are still one factor. And yes, I know RSA has been breached, but there are other token vendors out there.
- Speaking of biometrics, there's palm, hand geometry, iris, retina, fingerprint, face and voice recognition. Which one costs the most and has the highest user rejection rate? HINT: it has something to do with the eye.
3. Network Infrastructure Security
- You should know some of the advantages and disadvantages of virtualization.
- You need to know some of the security threats and risk mitigation techniques for wireless networking, including WEP, WPA, WPA2, authenticity, nonrepudiation, accountability and network availability.
- You need to know the different firewall types (packet-filtering routers, application-level firewalls/proxies, stateful inspection).
- You will need to know firewall implementations (Screened-host, dual-homed, DMZ or screened-subnet)
- What's the difference between NIDS and HIDS, and are they a substitute for firewalls? Answer: NO. An IDS detects and alerts on traffic or host activity; a firewall enforces policy. You need both.
- You will need to know how a digital signature functions to protect data: the sender hashes the message and encrypts the hash with their private key, and the receiver decrypts it with the sender's public key and compares it to their own hash. That gives integrity, authentication and nonrepudiation, but not confidentiality.
- You need a general understanding of viruses and some of the management procedural controls that should be in place.
4. Auditing Information Security Management Framework
- Review the written policies, procedures and standards
- Pay particular attention to the logical access security policies
- Make sure everyone has received current security awareness training
- Why are you interested in data ownership? Because the data owner is the person who defines who can access and use their data.
- Then you’ll need to audit the logical access to make sure the rules are being followed, pay particular attention to “JOB TRANSFERS” as there is a tendency to add access, but not to remove old access.
- Review access logs and make sure someone is actually reviewing and acting upon unsuccessful login attempts, not just recording them.
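The two audit tests above (entitlements that survived a job transfer, and unsuccessful logins that nobody acted on), as an added example that is not from the CISA manual. The HR history, role-to-entitlement mapping, current entitlements and log lines are constructed sample data; a real audit would pull them from HR, the identity system and the authentication logs.

```python
"""Auditing logical access: stale entitlements after job transfers, and
unsuccessful-login review.

Added example, not from the CISA manual. The HR history, role-to-entitlement
mapping, current entitlements and log lines are all constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR history: (user, role, effective_from). jsmith transferred
# from accounts payable to treasury; mlee never moved.
HR_HISTORY = [
    ("jsmith", "accounts_payable", "2023-01-10"),
    ("jsmith", "treasury", "2024-03-01"),
    ("mlee", "helpdesk", "2022-06-01"),
]

# What each role is *supposed* to have (the rule the auditor tests against).
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp_ap_clerk"},
    "treasury": {"erp_treasury", "bank_portal"},
    "helpdesk": {"ad_helpdesk_reset"},
}

# What the systems actually show today: jsmith's old AP access was never removed.
CURRENT_ENTITLEMENTS = {
    "jsmith": {"erp_ap_clerk", "erp_treasury", "bank_portal"},
    "mlee": {"ad_helpdesk_reset"},
}

# Constructed authentication log (ISO timestamp, user, result, source address).
AUTH_LOG = """\
2024-05-02T08:00:01 auth user=jsmith result=FAIL src=10.1.2.3
2024-05-02T08:00:09 auth user=jsmith result=FAIL src=10.1.2.3
2024-05-02T08:00:15 auth user=jsmith result=FAIL src=10.1.2.3
2024-05-02T08:00:22 auth user=jsmith result=FAIL src=10.1.2.3
2024-05-02T08:00:30 auth user=jsmith result=FAIL src=10.1.2.3
2024-05-02T08:00:41 auth user=jsmith result=OK src=10.1.2.3
2024-05-02T09:15:00 auth user=mlee result=FAIL src=10.1.9.9
2024-05-02T11:15:00 auth user=mlee result=OK src=10.1.9.9
"""
LOG_LINE = re.compile(r"^(\S+) auth user=(\S+) result=(\S+) src=(\S+)$")


def current_role(user: str) -> str:
    """Latest role by effective date (ISO dates sort lexically)."""
    history = sorted((date, role) for u, role, date in HR_HISTORY if u == user)
    return history[-1][1]


def stale_entitlements() -> dict:
    """Entitlements a user holds beyond what the current role justifies.

    This is the 'job transfer' finding: access accumulates because nobody
    removed the old role's rights when the new ones were added.
    """
    findings = {}
    for user, held in CURRENT_ENTITLEMENTS.items():
        justified = ROLE_ENTITLEMENTS[current_role(user)]
        extra = held - justified
        if extra:
            findings[user] = extra
    return findings


def failed_login_bursts(log: str, threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> dict:
    """Users with >= `threshold` failures inside any `window`; returns the peak count.

    A burst followed by a success (jsmith above) is exactly the pattern that
    should have been reviewed and acted on, not just logged.
    """
    failures = defaultdict(list)
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if m and m.group(3) == "FAIL":
            failures[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    alerts = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[user] = max(count, alerts.get(user, 0))
    return alerts


if __name__ == "__main__":
    print("stale entitlements:", stale_entitlements())
    print("failed-login bursts:", failed_login_bursts(AUTH_LOG))
```

The first test is a comparison of "what they have" against "what their current role justifies"; the second is a sliding window over failures per user. Both are cheap to rerun, which is the point: the audit question is whether someone runs them and follows up.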
5. Auditing Network Infrastructure Security
- Who has remote access and has it been approved? Why do vendors have unrestricted access into your network to fix a network device? Has that unrestricted access been approved by management?
- Now here's the fun part, because as auditors you should be able to do penetration testing; just make sure you've got written approval, with the scope agreed, before you start this part of the audit. HINT: PRIOR APPROVAL
- Make sure all network changes are going through change control, even emergency changes.
- Forensics comes into play here as well, so make sure you know the four major considerations in handling evidence (Identify, Preserve, Analyze, Present) and that the chain of custody is documented at every step, or the evidence is worthless.
6. Environmental Exposures and Controls
- Know the differences between total failure (blackout), severely reduced voltage (brownout), and a snowstorm (whiteout)... If you've read this far and you get it, then you've got it.
- Halon production has been banned under the Montreal Protocol, so it is no longer an acceptable choice for new systems. What is an acceptable replacement? FM-200 (HFC-227ea), inert gas systems (argon/Argonite, Inergen) or, where the equipment tolerates it, water.
- Where should hand-held fire extinguishers be located, how often should they be inspected, and is security awareness training required for personnel who might have to use them? All good test questions.
- Surge protectors are used for power spikes. Enough said.
- UPS is used for power cleansing??? Yes... Like you use soap to wash your hands. A UPS turns dirty power into clean power. Think about it: fluctuations, sags, surges and spikes are dirty power. A UPS keeps voltage and frequency consistent, flatlined, stable, and carries the load through a short outage until the generator starts or systems shut down gracefully.
- You need to be aware of the environmental detection equipment, smoke detectors, moisture detectors, etc.
7. Physical Access Exposures and Controls
- Unauthorized entry is the exposure; the controls are least privilege (physical access only if your job requires it) and no visitor shall enter unescorted. That's it. PERIOD.
- Key focus for this area is mantraps, deadman doors, and visitor escorts.
8. Mobile Computing
- Hard drive encryption
- Back-ups on a regular basis
- Theft response team
- Special care needs to be taken to defend against malicious code. HINT: What’s one way of getting around your company’s firewall?
- Hand carry a laptop into the office from a remote location. Now you see the need for good malicious code defenses.
What Are the Main Types of Assets?
- An asset is a resource owned or controlled by an individual, corporation, or government with the expectation that it will generate future cash flows. Common types of assets include: current, non-current, physical, intangible, operating, and non-operating. Correctly identifying and classifying the types of assets is critical to the survival of a company, specifically its solvency and associated risks.
- The International Financial Reporting Standards (IFRS) framework defines an asset as follows:
- “An asset is a resource controlled by the enterprise as a result of past events and from which future economic benefits are expected to flow to the enterprise.”
Examples of assets include:
- Cash and cash equivalents
- PPE (Property, Plant, and Equipment)
- Patents (intangible asset)
How do you protect information assets?
1. Beware of threats from within
- Quite often threats to information assets lie inside of an organization and can manifest through simple errors. It is important that members of your organization understand the risk of actions like clicking on an attachment to an email from an unknown source or accessing a link through a social networking site.
- It is also important to understand threats that can exist through what is called social engineering which involves manipulating human behavior to achieve a specific purpose. For example, a call from your help desk or support provider asking for a password to help solve a problem should be questioned. If you are interested in more information about social engineering, I would recommend Mitnick’s book The Art of Deception. Awareness training is the key to addressing threats of this nature.
2. Keep desktop software up to date
- According to Mitnick, hackers are very much aware that businesses rarely update the software that resides on individual workstations and laptops. Out of date software often contains security flaws which can be exploited. To mitigate these risks, your information protection program should provide reasonable assurance that software updates and patches are applied and application software is kept up to date.
3. Limit outgoing connections to those required for business purposes
- It is very important to take steps to manage the risks associated with inbound traffic to your IT environment. A common example is the use of virus scanning software. In addition to inbound traffic, there are risks associated with outbound connections.
- More specifically, Mitnick suggests that a computer can become infected with malware that connects back to the attacker through an outbound connection. His suggested strategy to address this situation is to restrict the services a user can connect to outside the company to only those required for business purposes. This is done with outbound (egress) firewall rules: a default-deny policy on outbound traffic, with explicit allow rules only for the destinations, protocols and ports the business requires.
4. Consider cloud computing, but do so wisely
- Cyber attacks are evolving daily and it is very challenging to keep up, especially for small organizations. Quite often cloud computing solutions offer better security than that which can be attained in-house because cloud providers have the capacity to keep experts on staff to address evolving threats. As such, cloud solutions can be a viable option.
- However, there are risks associated with this alternative and it is important to ensure that you carefully evaluate such risks or engage with a knowledgeable advisor to assist you. Some considerations you should think about include sensitivity of data you might store in the cloud, and encryption and access to your data should you decide to move on from your cloud provider.
5. Backup your data and test recovery from your backup
- I didn’t draw on the Mitnick article for this suggestion, but it is always wise to reiterate the importance of backups and testing of recovery from backups. Far too often we have observed an absence of an effective backup strategy.
- This issue also ties back to the importance of awareness training. We have also observed situations where backups are taken from a server, but significant valuable data resides on desktops or laptops and as such is not covered by the backup taken from the server. It is important to remind users to store their data in the appropriate location such that it is in fact covered by your backup routine.
Francis Liska, CPA CGA, CMC CISA, CICA is a partner at OTUS Group, a team of advisors to business, government and not-for-profit organizations.
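The egress allow-list described under "Limit outgoing connections to those required for business purposes" above, as an added example that is not from the Liska article or from Mitnick. The rules, hosts and flows are constructed (addresses use the RFC 5737 documentation ranges); the point is to see which flows a default-deny outbound policy stops, including the malware connect-back.

```python
"""Egress filtering: default-deny outbound, allow only what the business needs.

Added example, not from the Liska article or Mitnick. The rules, hosts and
flows are constructed; external addresses use RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressRule:
    src_net: str
    dst_net: str
    proto: str
    dport: int
    reason: str


# Constructed policy. Everything not listed here is denied.
EGRESS_ALLOW = [
    EgressRule("10.0.0.0/8", "10.0.0.5/32", "tcp", 3128, "web browsing via the inspecting proxy"),
    EgressRule("10.0.0.0/8", "10.0.0.53/32", "udp", 53, "DNS via the internal resolver only"),
    EgressRule("10.0.0.0/8", "203.0.113.10/32", "tcp", 443, "payroll SaaS provider"),
    EgressRule("10.0.0.5/32", "0.0.0.0/0", "tcp", 443, "only the proxy itself may reach the internet"),
    EgressRule("10.0.0.5/32", "0.0.0.0/0", "tcp", 80, "only the proxy itself may reach the internet"),
]


def egress_decision(src: str, dst: str, proto: str, dport: int, rules=EGRESS_ALLOW):
    """First matching allow rule wins; no match means the default deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src_net)
                and d in ipaddress.ip_network(r.dst_net)
                and proto == r.proto and dport == r.dport):
            return "ALLOW", r.reason
    return "DENY", "default deny: not required for business"


# Constructed outbound flows seen from a workstation at 10.0.4.7.
FLOWS = [
    ("10.0.4.7", "10.0.0.5", "tcp", 3128),        # normal browsing through the proxy
    ("10.0.4.7", "10.0.0.53", "udp", 53),         # normal DNS
    ("10.0.4.7", "203.0.113.10", "tcp", 443),     # approved SaaS
    ("10.0.4.7", "198.51.100.77", "tcp", 4444),   # malware connect-back to an attacker host
    ("10.0.4.7", "8.8.8.8", "udp", 53),           # bypassing the internal resolver (DNS tunnelling risk)
    ("10.0.4.7", "198.51.100.77", "tcp", 443),    # command-and-control over HTTPS, direct, not via the proxy
]


def review(flows=FLOWS) -> list:
    """Classify each flow; the denied ones are what the audit should be asking about."""
    return [(f, *egress_decision(*f)) for f in flows]


def denied(flows=FLOWS) -> list:
    return [f for f, verdict, _ in review(flows) if verdict == "DENY"]


if __name__ == "__main__":
    for flow, verdict, reason in review():
        print(f"{verdict:5} {flow[0]} -> {flow[1]}:{flow[3]}/{flow[2]}  ({reason})")
```

On a real gateway the same policy is an OUTPUT/FORWARD chain with a drop default and these allow rules; the logic is identical. Note that the third denied flow uses port 443, which is why "allow 443 anywhere" is not an egress policy: the allow has to name the proxy or the specific provider, not just the port.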
4 Enlightening Facts About CISA Training and Certification
- Someone who is qualified as a CISA, or Certified Information Systems Auditor, is someone who will be in high demand throughout the IT world. In information technology, the most valuable company asset is information. Therefore, protecting that information, both for the company itself and for clients, is an overwhelming priority.
- Since the 1970s, the qualification of CISA has stood for excellence, professionalism and a desire to improve cyber security. While the curriculum might have changed over time, it remains a relevant and vital program to IT professionals.
- If you’re getting ready to enroll into a CISA training program, here are four facts to keep in mind about the whole process.
1. CISA Training Concludes With an Exam
- Anyone wishing to become a Certified Information Systems Auditor will have two primary options for study. First, they can complete an online or onsite training program that typically takes five full business days to complete. Second, they can study on their own, which can be challenging if you aren’t familiar with the testing process or what key areas need to be focused on.
- The training and studying are only part of the equation, however. The conclusion is an exam that, when this was written, contained roughly 200 multiple-choice questions and was held three times annually; ISACA has since reduced the exam to 150 questions and moved to computer-based testing windows, so check ISACA's current candidate guide for the format and dates. Passing the exam showcases your ability to understand the subject matter and help companies audit and protect their information systems.
2. CISA Training Covers Six Major Areas of Focus
- The curriculum covered during CISA training was, when this was written, organized into six overarching categories (ISACA has since consolidated the job practice into five domains). The one that receives the most attention is the protection of information assets, which might include new technologies and current threats. Also of significance on the curriculum will be topics like the IT auditing process and business continuity and disaster recovery.
- Finally, students enrolled in CISA training should expect to learn more about IT governance as a whole, IT service delivery and support and what role auditing plays in the grand scheme of systems and infrastructure lifecycle management.
3. Becoming a CISA Offers Major Benefits
- Becoming a Certified Information Systems Auditor brings with it more than just an official title or qualification. This specific training and exam, administered by the Information Systems Audit and Control Association, or ISACA, signals to employers that you can be trusted to audit and protect information systems and to handle sensitive information appropriately.
- Being a CISA will make you eligible for more important and challenging positions, and your earning potential will almost certainly go up as a direct result of these new opportunities.
4. Yearly Training is Required to Maintain the Qualification
- Keep in mind that passing the CISA exam doesn’t mean you can work under the qualification forever. To maintain your credentials, and to ensure your cyber security and auditing methods are staying updated as technology advances, you will need to complete ongoing education credits.
- Typically, you will need to report a minimum of 20 CPE hours annually, and 120 hours over each three-year reporting cycle, along with the annual maintenance fee, to remain a Certified Information Systems Auditor.
- At Ashford Global, there are courses available to help you prepare to become a Certified Information Systems Auditor. Earning this prestigious certification can benefit you financially and professionally in the future.