

CISA All in one 2010 Guide

Published by mahendrasing2179, 2018-02-09 04:28:44

Description: CISA All in one 2010 -guide imp


Chapter 6: Information Asset Protection

that, IS needs to acquire and track several characteristics about every hardware asset, including:

• Identification: This includes make, model, serial number, asset tag number, and any other means for identifying the asset.
• Value: Initially, this may signify the purchased value, but may also include its depreciated value if an IS asset management program is associated with the organization’s financial asset management program.
• Location: The asset’s location needs to be specified so that its existence may be verified in a periodic inventory.
• Security classification: Security management programs almost always include a plan for classifying the sensitivity of information and/or information systems. Example classifications include top secret, secret, restricted, confidential, and public.
• Asset group: IS assets may be classified into a hierarchy of asset groups. For example, any of the servers in a data center that support a large application may be assigned to an asset group known as “Application X Servers.”
• Owner: This is usually the person or group responsible for the operation of the asset.
• Custodian: Occasionally, the ownership and operations of assets will be divided into two bodies, where the owner owns them but a custodian operates or maintains them.

Because hardware assets are installed, moved, and eventually retired, it is important to periodically verify the information in the asset inventory by physically verifying the existence of the physical assets. Depending upon the value and sensitivity of systems and data, this inventory “true-up” may be performed as often as monthly or as seldom as once per year. Discrepancies in actual inventory must be investigated in order to verify that assets have not been moved without authorization or stolen.

Information Assets

Sometimes overlooked because it is intangible, the information that is stored in systems should be treated as an asset. In almost all cases, information such as software and databases has tangible value and should be included in the list of IS assets.

Information Classification Overview

In most organizations, various types and sets of information will have varying degrees of sensitivity. These levels of sensitivity will implicitly dictate that information in different levels should be handled somewhat differently. For instance, the most sensitive information should be encrypted whenever stored or transmitted and should be accessible to only those individuals who have a justified need to use it.

Would it be easier to simply handle all information the same way as the most sensitive information in the organization? While it would be easier to remember how to handle and dispose of all information, it would also be onerous. Encrypting everything and shredding everything would be a wasteful use of resources. That said, it is incumbent on an organization to build a simple information classification program that is easy to understand and follow. Too many levels of classification would be as burdensome as a single level.

Information Classification Details

In most organizations, an information classification program can be defined in detail in less than a dozen pages, and the practical portions of it could almost fit on a single page. For many organizations, a simple four-level classification program is a good place to start. The four levels could be: secret, restricted, confidential, and public. Any information in the organization would be classified into one of these four levels. Handling procedures for each of these levels are found in Table 6-1.

The foregoing classification and handling guidelines are meant as an example to illustrate the differences in various forms of data handling for various classification levels. However, the contents of Table 6-1 can serve as a starting point for an actual data classification and handling procedure.

Access Controls

Access controls are the technology-based methods of controlling access to an information-based resource. Access controls must be actively managed by staff members who are authorized to perform this function and trained to perform it properly. The workings of access controls are discussed later in this chapter in the section “Logical Access Controls.” Access controls also exist in the physical world, and are discussed later in this chapter in the section “Physical Security Controls.”

Access Control Management

The management of access controls requires that processes and business rules be established that govern how access controls are managed. These processes and rules are used to decide which persons will be permitted to access which data and functions in the organization. The processes to manage access controls are:

• Access control request: Any new request for access must be formally made via an established request procedure. The request should be approved by the subject’s manager, as well as by the owner of the resource to which access is being requested.
• Access control review: A periodic review of all users’ access to systems must be performed to verify that everyone who has access is still entitled to that access and to verify that all access for terminated employees has been removed.
• Segregation of duties review: A periodic review of each user’s access rights in all systems must be performed to verify that each employee does not have a combination of access privileges that would constitute a violation of segregation of duties.

Table 6-1 Information Handling Guidelines (columns: Secret, Restricted, Confidential, Public)

Examples
  Secret: Passwords; merger and acquisition plans and terms
  Restricted: Credit card numbers; bank account numbers; Social Security numbers; detailed financial records; network diagrams; vulnerability scan reports
  Confidential: System documentation; end-user documentation; internal memos; detailed system configuration
  Public: Brochures; press releases

Storage on server
  Secret: Must be encrypted; store only on servers labeled sensitive
  Restricted: Must be encrypted
  Confidential: Access controls required
  Public: No restrictions

Storage on mobile device
  Secret: Must never be stored on mobile device
  Restricted: Must be encrypted
  Confidential: Access controls required
  Public: No restrictions

E-mail
  Secret: Must never be e-mailed
  Restricted: Must be encrypted
  Confidential: Authorized recipients only
  Public: No restrictions

Web site
  Secret: Must never be stored on any web server
  Restricted: Must be encrypted
  Confidential: Access controls required
  Public: No restrictions

Fax
  Secret: Encrypted, manned fax only
  Restricted: Manned fax only; no e-mail–based fax
  Confidential: Manned fax only
  Public: No restrictions

Courier
  Secret: Double wrapped; signature and secure storage required
  Restricted: Signature and secure storage required
  Confidential: Signature required
  Public: No restrictions

Hard copy storage
  Secret: Double locked in authorized locations only
  Restricted: Double locked
  Confidential: Locked
  Public: No restrictions

Hard copy distribution
  Secret: Only with owner permission; must be registered
  Restricted: To authorized parties only; only with owner permission
  Confidential: To authorized parties only
  Public: No restrictions

Hard copy destruction
  Secret: Cross-cut shred; make record of destruction
  Restricted: Cross-cut shred
  Confidential: Cross-cut shred or secure waste bin
  Public: No restrictions

Soft copy destruction
  Secret: Erase with DoD 5220.22-M spec tool
  Restricted: Erase with DoD 5220.22-M spec tool
  Confidential: Delete and empty recycle bin
  Public: No restriction

• Employee transfer: When an employee is transferred from one position to another, the access rights associated with the departed position must be removed and any new access rights for the new position established.
• Employee termination: When an employee is no longer employed by the organization, all access rights for that employee must be terminated immediately.

All of these processes must have a robust recordkeeping plan so that all requests, reviews, transfers, and terminations are well documented. These records must themselves be restricted so that only authorized persons may view them. These records also must be protected against tampering. In addition to these processes, there are several audit and monitoring procedures to verify correct operation of these procedures; auditing is discussed later in this chapter.

Access Control Logs

The preceding section discussed business processes and the records that are associated with them. In addition to those records, the information systems that persons are given permission to access must have automatic records of their own. These systems must record all accesses made by persons. And like the records associated with business processes, these records must also be protected from alteration. This topic is discussed in more detail later in this chapter in the section, “Logical Access Controls.”

Privacy

Privacy is the protection of personal information from unauthorized disclosure, use, and distribution. Personal information refers to a variety of elements about a private citizen, some of which are not well known, including their name in combination with one or more of the following:

• Date and place of birth
• Place of residence
• Fixed and mobile telephone numbers
• Social insurance (e.g., Social Security) number
• Driver’s license number
• Passport number
• Financial account (e.g., credit card, bank account, retirement account) numbers

Historically, the concern about privacy stemmed from organizations that collected, aggregated, and then distributed databases containing private citizens’ information, which was then used for targeted marketing and other purposes. More recently, the worry about privacy has concerned the rise in identity theft, which is made possible from the proliferation of private information and the failure to adequately secure that information. Cybercriminals have had an easy time discovering and stealing this information in order to conduct wide-scale identity theft.
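The access control review, segregation of duties review, and employee transfer and termination processes from the Access Control Management section above, run as one periodic review script. This is an added example and not code from the book; the HR roster, the rights each position is entitled to, the conflicting privilege pairs, and the exported entitlements are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample inputs (not from the book): the HR roster, the rights each
# position is entitled to, privilege pairs that violate segregation of duties,
# and the entitlements exported from each system as (employee, system, privilege).
ROSTER = {
    "e100": {"status": "active", "position": "ap_clerk", "previous": None},
    "e200": {"status": "terminated", "position": "dba", "previous": None},
    "e300": {"status": "active", "position": "ap_manager", "previous": "ap_clerk"},
    "e400": {"status": "active", "position": "sysadmin", "previous": None},
}
POSITION_RIGHTS = {
    "ap_clerk": {("erp", "create_vendor"), ("erp", "enter_invoice")},
    "ap_manager": {("erp", "approve_payment"), ("erp", "view_reports")},
    "dba": {("oracle", "sysdba")},
    "sysadmin": {("linux", "root"), ("ad", "domain_admin")},
}
SOD_CONFLICTS = [
    (("erp", "create_vendor"), ("erp", "approve_payment")),
    (("erp", "enter_invoice"), ("erp", "approve_payment")),
]
ENTITLEMENTS = [
    ("e100", "erp", "create_vendor"),
    ("e100", "erp", "enter_invoice"),
    ("e200", "oracle", "sysdba"),        # terminated employee, access never removed
    ("e300", "erp", "create_vendor"),    # right from the position e300 left
    ("e300", "erp", "approve_payment"),
    ("e300", "erp", "view_reports"),
    ("e400", "linux", "root"),
    ("e400", "ad", "domain_admin"),
    ("e400", "erp", "approve_payment"),  # not part of the sysadmin position
    ("e999", "ad", "domain_admin"),      # account with no HR record at all
]


def review_access(roster, position_rights, sod_conflicts, entitlements):
    """Periodic access review: returns (check, employee, detail) findings,
    sorted so the report is stable run to run."""
    held = defaultdict(set)
    for emp, system, priv in entitlements:
        held[emp].add((system, priv))

    findings = []
    for emp, rights in held.items():
        record = roster.get(emp)
        if record is None:
            findings.append(("orphan_account", emp, "no HR record for this user"))
            continue
        # Termination check: a terminated employee must hold no rights at all.
        if record["status"] == "terminated":
            findings.append(("termination", emp, f"{len(rights)} right(s) still active"))
            continue
        # Entitlement check: anything beyond the current position is excess;
        # if it belonged to the previous position, the transfer clean-up failed.
        expected = position_rights.get(record["position"], set())
        previous = position_rights.get(record["previous"], set())
        for right in sorted(rights - expected):
            check = "transfer" if right in previous else "excess_access"
            findings.append((check, emp, f"{right[0]}:{right[1]}"))
        # Segregation of duties check: conflicting pairs held by one person.
        for a, b in sod_conflicts:
            if a in rights and b in rights:
                findings.append(("segregation_of_duties", emp, f"{a[1]} + {b[1]}"))
    return sorted(findings)


if __name__ == "__main__":
    for check, emp, detail in review_access(ROSTER, POSITION_RIGHTS, SOD_CONFLICTS, ENTITLEMENTS):
        print(f"{check:22} {emp:6} {detail}")
```

Note that the leftover right from e300’s old position is what creates the segregation of duties conflict, which is why the book treats transfer clean-up and the SoD review as separate processes.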

Organizations that collect any of the previously mentioned items on behalf of customers or other constituents need to develop policies that define what the organization is permitted to do with this information. Organizations also need to be aware of applicable privacy laws and regulations, and ensure they are fully compliant with them. For each item of potentially sensitive information, an organization should be able to specify:

• Why it collects the information
• How it uses the information
• How long it retains the information
• How the information can be corrected by its owners
• To what other organizations the information is distributed and why
• Who is responsible for protecting the information
• How an owner can opt out (causing the cessation of storage of that information)

Business processes, procedures, and records should exist for all of these associated uses and actions, which can then be monitored and audited by others as needed.

Third-Party Management

Nearly every IS organization relies on one or more third-party organizations in the development, support, or operations of its information systems. There are so many specialties and subspecialties in information technology that even the largest organizations need to utilize third-party organizations to build, support, or manage their IT environment.

Third Parties and Risk

The use of any third-party organization should not be permitted to increase overall security risk to an organization. When considering outsourcing a service to a third party, a risk assessment should be performed to identify and characterize risks associated with this. Some of the types of services that third-party service organizations provide include:

• Internet service providers (ISPs)
• Internet hosting providers
• Application service providers (for e-mail, CRM [customer relationship management], ERP [enterprise resource planning], MRP [materials resource planning], payroll, and expense reporting)
• Managed security services
• Software development and testing
• Call centers
• Collection services
• Management and business consultants

• Auditors and security assessors
• Vendors that support hardware and software solutions
• Janitorial and other cleaning
• Shipping and receiving
• Building and equipment maintenance
• Temporary employee services

The primary risk with a third-party service provider is that the service provider will have access to some of the organization’s sensitive information. Whether the service provider will have access to the organization’s applications and data, or whether the organization will be sending data to the service provider, this overall risk needs to be broken down into each component and analyzed. For each risk identified, one or more compensating controls needs to be identified, ideally so that the risk can be reduced to the same level as though the organization were performing the service on its own.

Types of Third-Party Access

Depending upon the type of service, third-party service providers will have access to the organization’s information in a variety of ways, including:

• Physical access to hard copy business records
• Physical access to information systems
• Physical access to media such as hard drives, backup tapes, and CD/DVD-ROM
• Login to application as end user
• Login to application as administrative user
• Login to database
• Login to operating system
• Login to network device

NOTE A third-party service provider does not necessarily need access to sensitive business records to pose a risk. A service provider that is familiar with the organization’s business practices can cause harm to the organization by interfering with business operations or disclosing business practices to outsiders such as customers or competitors.

Risks Associated with Third-Party Access

Knowing the type of access that a third-party service provider will have to an organization’s information, the types of risks can be identified. Some of these risks are:

• Theft of business records
• Exposure of business records to unauthorized parties
• Alteration of business records

• Damage (both deliberate and accidental) to information systems hardware, software, or information
• Failure to perform services in a timely manner
• Failure to perform services accurately
• Failure to perform services professionally

Third-Party Access Countermeasures

As mentioned earlier in this section, the risks associated with a third-party service provider should be no different than if the organization were performing the service on its own. Even though new risks are introduced when transferring work to a service provider, countermeasures and compensating controls should be introduced that will keep the level of risk acceptably low. Some of the countermeasures that can be used to mitigate risk include:

• Video surveillance with video recording
• Logging all data access and associated accesses to named individuals in the third-party organization
• Access controls that prevent the third party from accessing business records that it does not need to use
• Logical access controls that limit the third party’s access to only those data fields required to perform their services
• Recording of voice or data communications sessions
• Periodic audits of the service provider’s activities

Generally, an organization can require that a third-party service organization that has logical access to the organization’s systems or stores any of the organization’s data protect this data with the same level of controls that the organization itself uses. This should result in the third-party service organization’s not being in a situation where the organization’s records are more vulnerable to theft, exposure, or compromise. For example, if your organization requires encryption of specific information when processed in your organization’s systems, any service provider that processes the same information should also be required to encrypt it.

NOTE In any situation where treatment for a specific risk associated with a third-party service provider results in unavoidable residual risk, senior management will need to be made aware of the residual risk and determine if they are willing to accept it.

When an organization is considering use of a third-party service provider, the organization should require the service provider to answer a detailed questionnaire concerning security and other aspects of its operation. The organization should also ask whether the service provider has had any external audits of its services; if so, the organization should request to see reports from those audits.

Addressing Third-Party Security in Legal Agreements

The services performed by the third-party service provider should be succinctly described in a legal agreement. This will generally include a description of the services that are performed, measures of quantity and quality for services, remedies or penalties for failures in quality or quantity, rates and payments, and roles and responsibilities for both parties. Legal agreements with service providers need to include several security provisions, including:

• A statement that all of the organization’s information and knowledge of its business practices will be kept confidential
• Security and privacy-related liabilities, roles, and responsibilities
• Security controls required to protect the organization’s information
• Acceptable uses for the organization’s information
• Persons who will be authorized to access the organization’s information
• Background checks, nondisclosure agreements, and acceptable-use agreements for each person who is authorized to access the organization’s information
• Required security training for persons authorized to access the organization’s information
• Steps to be taken if a security breach should occur
• Steps to be taken to reduce the likelihood of data loss caused by a natural or manmade disaster
• Who is responsible for security and privacy in the third-party organization
• The right to inspect and audit the third-party organization’s premises and operations on short notice
• Compliance with all applicable laws and regulations
• Agreement to destroy all copies of information on request or upon the termination of the agreement

Many additional security-related terms and conditions may be warranted, depending upon the nature of the services provided and the sensitivity and value of the information accessed and used by the service provider.

Addressing Third-Party Security in Security Policy

Many organizations provide commercial applications on the Web, which are as easy to set up as filling in a registration form, paying with a credit card, and uploading sensitive data right from a person’s workstation. These organizations operate as application service providers (ASPs), Software-as-a-Service (SaaS) or cloud service models. Often, the persons in an organization have little idea about the security controls that are used by service providers. Because of this, organizations can enact a security and business policy that forbids the use of any online service provider (ASP, SaaS, cloud, etc.) unless a risk assessment has first been performed for that service provider. Without such a policy, there is little to stop persons from signing up with various online service providers and potentially putting the organization’s sensitive data at risk.

NOTE An organization should have policies and processes in place to properly assess, measure, and monitor risks related to any third-party service provider.

Human Resources Security

The heart of most organizations’ business operations is not computers, machinery, or buildings, but people. People design and operate business processes; they design, build, and operate IT systems; they support processes and systems and help to improve them over time. And while people are an organization’s greatest asset, they may also be a source of significant risk.

People are entrusted with access to sensitive information, and entrusted to design and create information systems to manage sensitive information properly. But an employee in a position of trust can betray that trust and cause a tremendous amount of damage to the organization’s operations and long-term reputation.

Trust is the key: Organizations provide access to sensitive information, trusting that their employees will honor that trust and treat information properly. The trust is reciprocal: Employees also trust that their employer will treat them with respect and pay them a fair salary.

Organizations need to take several measures to mitigate human resource–related risks. These measures are described in the remainder of this section.

Screening and Background Checks

Prior to hiring each employee, an organization should verify the facts that each candidate presents on her resume or curriculum vitae. The confirmation of these and other important facts is commonly known as a background check, and may consist of:

• Verification of the candidate’s identity
• Confirmation of the candidate’s right to work in the employer’s locale
• Verification of previous employment
• Verification of education
• Verification of professional licenses and certifications
• Investigation into the candidate’s criminal history
• Investigation into the candidate’s financial history
• Drug test

Irregularities in any of these areas may be a signal to the employer that further investigation is required if the employer is still intent on hiring the candidate. The organization discovering irregularities in a candidate’s background may also rescind a pending offer of employment or decide not to make an offer.

In addition to a background check, an employer will usually check references. This means that the employer will contact one or more professional colleagues in order to learn more about the candidate. The employer might also make inquiries through its network of professional acquaintances to gather intelligence about the candidate from people who are not references. For example, if a security manager is hiring a security analyst and receives a resume from an employee at a local organization, the security manager could contact other known colleagues in the organization to see if any of them are familiar with the candidate. This can be a source of valuable information, since sometimes a candidate’s references may be coached to say certain things or avoid certain topics.

NOTE Employers frequently search social networking sites such as MySpace and Facebook in order to gather additional intelligence on prospective employees. These and other social networking sites often reveal more about a person’s character than will be found on a resume, application for employment, or references.

Another emerging trend in organizations is the practice of repeating background checks throughout an employee’s tenure. This can help an employer discover certain facts about recent criminal convictions or significant financial events (such as judgments, collections, or bankruptcy) that may warrant action on the employer’s part.

Job Descriptions

A job description is an employer’s formal statement to an employee that says, “This is what we expect and require of you to perform this job.” Employers should have formal job descriptions for each position in the organization. The main reason for this is to formally document the expectations that the organization has for each employee. These expectations should include:

• Name of the position (e.g., senior security auditor or database administrator)
• Requirements: This will include necessary education, skills, and work experience.
• Duties and responsibilities: This will include the tasks, projects, and other activities that the employee is expected to perform.

The duties and responsibilities section should include a statement that says the employee is required to uphold all of the organization’s policies (including security policy). The job description could list the major policies by name.

Employment Agreements

In locales that permit them, organizations should utilize written employment agreements with each employee. The employment agreement should clearly specify the terms and conditions of employment, including:

• Duties: The employment agreement should describe the employee’s duties in his or her position. This may be similar to what is stated in the employee’s job description.

