Audit/Assurance Program
Information Security Management Audit/Assurance Program
ISACA®
With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a leading global provider
of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and
security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors
international conferences, publishes the ISACA® Journal, and develops international IS auditing and control
standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA ®), Certified
Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in
Risk and Information Systems Control™ (CRISC™) designations.
ISACA offers the Business Model for Information Security™ (BMIS™) and the IT Assurance Framework™
(ITAF™). It also developed and maintains the COBIT®, Val IT™ and Risk IT frameworks, which help IT
professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.
Disclaimer
ISACA has designed and created Information Security Management Audit/Assurance Program (the “Work”)
primarily as an informational resource for audit and assurance professionals. ISACA makes no claim that use of any
of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper
information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed
to obtaining the same results. In determining the propriety of any specific information, procedure or test, audit and
assurance professionals should apply their own professional judgment to the specific circumstances presented by the
particular systems or information technology environment.
Reservation of Rights
© 2010 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified,
distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of
all or portions of this publication are permitted solely for academic, internal and noncommercial use and for
consulting/advisory engagements, and must include full attribution of the material’s source. No other right or
permission is granted with respect to this work.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org
ISBN 978-1-60420-156-7
Information Security Management Audit/Assurance Program
CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout
the world.
Expert Reviewers
Bok Hai Suan, CISM, CGEIT, Singapore
Kerrie Douglas, CISA, CGEIT, Six Sigma Green Belt, DaVita, USA
Gbadamosi Folakemi Toyin, CGEIT, APDM, CGRC-IT, CICA, CIPM, Flooky-Tee Computers, Nigeria
Anuj Goel, Ph.D., CISA, CGEIT, Citigroup, Inc., USA
Michael Lloyd Jones, CISA, CIA, CISSP, FLMI, BMO Financial Group, Canada
Prashant Khopkar, CISA, CA, USA
Raul Millan, CISA, CISM, CCSE, CEH, CISSP, Consultores de Seguridad Informatica, Panama
Philippe Rivest, TransForce, Canada
Vinoth Sivasubramanian, ABRCCIP, CEH, ISO 27001 LA, UAE Exchange Center LLC, UAE
Babu Srinivas, CISA, CISM, SP AusNet, Australia
Vikrant V. Tanksale, CISA, ACWA, CMA, ALBahja Industrial Holdings LLC, Oman
Bart van Lodensteijn, CISA, CGEIT, Ordina Consultancy B.V., The Netherlands
Jeff Warren, CISM, JPW Consult, Australia
Knowledge Board
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Chair
Michael Berardi Jr., CISA, CGEIT, Nestle USA, USA
John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young LLP, Singapore
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico
Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, RSM Bird Cameron, Australia
Jon Singleton, CISA, FCA, Auditor General of Manitoba (retired), Canada
Patrick Stachtchenko, CISA, CGEIT, CA, Stachtchenko & Associates SAS, France
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA
Frank Van Der Zwaag, CISA, CISSP, Westpac, New Zealand
ISACA and ITGI Affiliates and Sponsors
American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association for Corporate Governance Inc.
FIDA Inform
Information Security Forum
Information Systems Security Association
Institut de la Gouvernance des Systèmes d’Information
Institute of Management Accountants Inc.
ISACA chapters
ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
University of Antwerp Management School
Analytix Holdings Pty. Ltd.
BWise B.V.
Hewlett-Packard
IBM
Project Rx Inc.
SOAProjects Inc.
Symantec Corp.
TruArx Inc.
Table of Contents
I. Introduction
II. Using This Document
IV. Assurance and Control Framework
V. Executive Summary of Audit/Assurance Focus
VI. Audit/Assurance Program
1. Planning and Scoping the Audit
2. Information Security Management
3. Information Security Operations
4. Information Security Technology Management
VII. Maturity Assessment
VIII. Assessment Maturity vs. Target Maturity
I. Introduction
Overview
ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good-practice-setting
model. ITAF provides standards that are designed to be mandatory and are the guiding principles
under which the IT audit and assurance profession operates. The guidelines provide information and
direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, tools
and templates to provide direction in the application of IT audit and assurance processes.
Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a
specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use
by IT audit and assurance professionals with the requisite knowledge of the subject matter under review,
as described in ITAF, in section 2200—General Standards. The audit/assurance programs are part of
ITAF, section 4000—IT Assurance Tools and Techniques.
Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT framework—
specifically COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF
sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT
Audit and Assurance Management.
Many organizations have embraced several frameworks at an enterprise level, including the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The
importance of the control framework has been enhanced due to regulatory requirements by the US
Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and
similar legislation in other countries. Enterprises seek to integrate control framework elements used by
the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used,
it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename
these columns to align with the enterprise’s control framework.
Step 1 is part of the fact-gathering and prefieldwork preparation. Because the prefieldwork is essential to
a successful and professional review, the steps have been itemized in this plan. The first level steps, e.g.,
1.1, are shown in bold type and provide the reviewer with a scope or high-level explanation of the
Beginning in step 2, the steps associated with the work program are itemized. To simplify the use of the
program, the audit/assurance objective (the reason for performing the steps in the topic area) is
described first; the specific controls follow. Each review step is listed below the control. These steps
may include assessing the control design by walking through a process, interviewing, observing or
otherwise verifying the process and the controls that address that process. In many cases, once the
control design has been verified, specific tests need to be performed to provide assurance that the
process associated with the control is being followed.
The maturity assessment, which is described in more detail later in this document, makes up the last
section of the program.
The audit/assurance plan wrap-up—those processes associated with the completion and review of work
papers, preparation of issues and recommendations, report writing, and report clearing—has been
excluded from this document since it is standard for the audit/assurance function and should be identified
elsewhere in the enterprise’s standards.
COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the
specific COBIT control objective that supports the audit/assurance step. The COBIT control objective
should be identified for each audit/assurance step in the section. Multiple cross-references are not
uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to
COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a
structure parallel to the development process. COBIT provides in-depth control objectives and suggested
control practices at each level. As professionals review each control, they should refer to COBIT 4.1 or
the IT Assurance Guide: Using COBIT for good-practice control guidance.
COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among
audit/assurance professionals. This ties the assurance work to the enterprise’s control framework. While
the IT audit/assurance function uses COBIT as a framework, operational audit and assurance
professionals use the framework established by the enterprise. Since COSO is the most prevalent internal
control framework, it has been included in this document and is a bridge to align IT audit/assurance with
the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control
components within their report and summarize assurance activities to the audit committee of the board of
directors.
For each control, the audit and assurance professional should indicate the COSO component(s) addressed.
It is possible, but generally not necessary, to extend this analysis to the specific audit step level.
The original COSO internal control framework contained five components. In 2004, COSO was revised
as the Enterprise Risk Management (ERM) Integrated Framework and was extended to eight components.
The primary difference between the two frameworks is the additional focus on ERM and integration into
the business decision model. ERM is in the process of being adopted by large enterprises. The two
frameworks are compared in figure 1.
The original COSO internal control framework addresses the needs of the IT audit and assurance
professional: control environment, risk assessment, control activities, information and communication,
and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/
assurance programs. As more enterprises implement the ERM model, the additional three columns can be
added, if relevant. When completing the COSO component columns, consider the definitions of the
components as described in figure 1.
Reference/Hyperlink
Good practices require the audit and assurance professional to create a workpaper for each line item,
which describes the work performed, issues identified and conclusions. The reference/hyperlink is to be
used to cross-reference the audit/assurance step to the workpaper that supports it. The numbering system
of this document provides a ready numbering scheme for the workpapers. If desired, a link to the work
paper can be pasted into this column.
Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to
further investigate or establish as a potential finding. The potential findings should be documented in a
workpaper that indicates the disposition of the findings (formally reported, reported as a memo or verbal
finding, or waived).
Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used
in place of a workpaper describing the work performed.
The IT Assurance Guide: Using COBIT, Appendix VII—Maturity Model for Internal Control, seen in
figure 2, provides a generic maturity model showing the status of the internal control environment and
the establishment of internal controls in an enterprise. It shows how the management of internal control,
and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an
optimized level. The model provides a high-level guide to help COBIT users appreciate what is required
for effective internal controls in IT and to help position their enterprise on the maturity scale.
Maturity Level | Status of the Internal Control Environment | Establishment of Internal Controls
1 Initial/ad hoc | There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities. | There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.
2 Repeatable but Intuitive | Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities. | Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.
The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and
assurance professional can address the key controls within the scope of the work program and formulate
an objective assessment of the maturity levels of the control practices. The maturity assessment can be a
part of the audit/assurance report and can be used as a metric from year to year to document progression
in the enhancement of controls. However, it must be noted that the perception of the maturity level may
vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the
concerned stakeholder’s concurrence before submitting the final report to management.
At the conclusion of the review, once all findings and recommendations are completed, the professional
assesses the current state of the COBIT control framework and assigns it a maturity level using the six-
level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity
model. As a further reference, COBIT provides a definition of the maturity designations by control
objective. While this approach is not mandatory, the process is provided as a separate section at the end of
the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity
assessment be made at the COBIT control level. To provide further value to the client/customer, the
professional can also obtain maturity targets from the client/customer. Using the assessed and target
maturity levels, the professional can create an effective graphic presentation that describes the
achievement or gaps between the actual and targeted maturity goals. A graphic is provided as the last page
of the document (section VIII), based on sample assessments.
3410—IT Governance
3425—IT Information Strategy
3427—IT Information Management
3450—IT Processes
3630—Auditing IT General Controls
Utilizing COBIT as the control framework from which IT audit/assurance activities are based aligns IT
audit/assurance with good practices as developed by the enterprise.
COBIT IT process DS5 Ensure systems security, from the Deliver and Support (DS) domain, is the
primary control framework and addresses good practices for ensuring security of corporate information.
Secondary COBIT processes are cross-referenced within the audit/assurance program.
unauthorized disclosure.
DS5.9 Malicious software prevention, detection and correction—Preventive, detective and
corrective measures are in place (especially up-to-date security patches and virus control) across the
enterprise to protect information systems and technology from malware (e.g., viruses, worms,
spyware, spam).
DS5.10 Network security—Information security management is included in the selection,
implementation and approval of security techniques and related management procedures (e.g.,
firewalls, security appliances, network segmentation, intrusion detection) to authorize access and
control information flows from and to networks.
DS5.11 Exchange of sensitive data—Information security has approved policies concerning the
exchange of sensitive transaction data through a trusted path or medium with controls to provide
authenticity of content, proof of submission, proof of receipt and nonrepudiation of origin. All
incidents involving the exchange of sensitive data are reported through the incident reporting system
and are directed to the CIRT.
Information security management is an integral part of the entire IT infrastructure. The Information
Security Management Audit/Assurance Program cross-references numerous COBIT domains and
processes. These sections appear in the COBIT cross-reference of the audit/assurance program. For the
purposes of reporting, information security is a component of these areas, but the scope of the assessment
would be too limited to include these sections in the summary of the information security management
assessment.
Refer to the ISACA publication COBIT Control Practices: Guidance to Achieve Control Objectives for
Successful IT Governance, 2nd Edition, 2007, for the related control practice value and risk drivers.
Information security is about minimizing exposures, based upon risk management. Failure to implement
and monitor risk mitigation processes in one area may compromise the entire organization.
This audit/assurance program is not designed to replace or focus on audits that provide assurance of
specific configurations or operational processes.
Audit/Assurance Program Step | COBIT Cross-reference | COSO: Control Environment | Risk Assessment | Control Activities | Information and Communication | Monitoring | Reference Hyperlink | Issue Cross-reference | Comments
management, staff members and all users of the enterprise IT infrastructure and that it
refers to detailed security standards and procedures.
5.1.1.4 Inquire whether and confirm that detailed security policies, standards and procedures
exist. Examples of policies, standards, procedures and best practices concerning these
topics (COBIT, ISO27001/2) include:
- Security compliance policy
- Management risk acceptance (security noncompliance acknowledgement)
- External communications security policy
- Firewall policy
- E-mail security policy
- An agreement to comply with IS policies
- Laptop/desktop computer security policy
- Internet usage policy
5.2 IT Security Plan
Audit/Assurance Objective: Translate business, risk and compliance requirements into an overall IT
security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the
plan is implemented in security policies and procedures, together with appropriate investments in
services, personnel, software and hardware. Communicate security policies and procedures to
stakeholders and users.
6. Security Plan Integration
Control: Information security requirements are integrated into other processes.
COBIT cross-reference: PO1, PO2, PO3, PO4, PO6, PO9, AI1, AI2, DS1, DS2, DS4, DS5.2, DS9, DS12, DS13, ME3, ME4
COSO: x x x
6.1.1.1 Determine whether a process exists to integrate information security requirements and
implementation advice from the IT security plan into the development of service level
agreements (SLAs) and operating level agreements (OLAs) (Refer to COBIT DS1 and
DS2).
6.1.1.2 Review the SLAs and OLAs for an information security focus. Determine whether the
information security function had been involved in the development of these
SLAs/OLAs.
6.1.1.3 Determine whether a process exists to integrate information security requirements and
implementation advice from the IT security plan into automated solution (AI1) and
application (AI2) requirements.
6.1.1.4 Obtain systems development methodology documentation and determine whether
information security involvement and review are required by the policies and
procedures.
6.1.1.5 Select several high-risk and/or high-profile development projects. Obtain requirements
documentation, and determine whether information security requirements were
included in the project requirements documentation.
6.1.1.6 Determine whether information security resources were regularly involved in key
information security decisions at appropriate points in the process.
6.1.1.7 Determine whether a process exists to integrate information security requirements and
implementation advice from the IT security plan into the IT infrastructure components
(AI3).
6.1.1.8 Obtain the IT infrastructure plan.
6.1.1.9 Determine whether the information security function is involved in the development of
the security components of the IT infrastructure.
6.1.1.10 Determine whether the IT infrastructure team and the information security function
routinely interface on common initiatives.
6.1.1.11 Determine whether the IT security plan addresses: IT tactical plans (PO1), data
classification (PO2), technology standards (PO3), HR/user access policies, i.e.,
segregation of duties, key personnel, contractors (PO4), security and control policies
(PO6), risk management (PO9), and external compliance requirements (ME3).
6.1.1.12 Obtain and review the IT security plan.
6.1.1.13 Determine whether enterprise information security baselines for all major platforms
are commensurate with the overall IT security plan, whether the baselines have been
recorded in the configuration baseline (DS9) central repository and whether a process
exists to periodically update the baselines based on changes in the plan.
6.1.1.14 Determine that information security issues are included in the IT continuity plan.
7. Security Plan Maintenance
Control: The security plan is reviewed on a regular basis to determine that it is updated to
reflect changes to the operating environment and new threats.
COBIT cross-reference: AI2, AI3, DS4, DS5.2, DS9, DS12, DS13
COSO: x x
7.1.1.1 Determine the effectiveness of the collection and integration of information security
requirements into an overall IT security plan that is responsive to the changing needs
of the organization.
7.1.1.2 Determine whether the appropriate triggers are built into the interfaces between IT,
business units and the information security organization to ensure that there is timely
notification of a need to update the information security plan.
7.1.1.3 Determine whether a process exists to periodically update the IT security plan and
whether the process requires appropriate levels of management review and approval of
changes.
7.1.1.4 Determine the review process for updating the IT security plan; consider:
- Quality of documentation, including security policies
- Approval process of changes
- Job functions involved in the review process
8. INFORMATION SECURITY OPERATIONS
© 2010 ISACA. All rights reserved. Page 20
12.1.1.3.2 If an assessment has not been performed, consider using the ISACA User
Account Management Audit/Assurance Program to complete a detailed
review.
12.1.1.3.3 If an assessment has been performed, but not within the internal audit
definition of “recent,” consider reperforming key control processes to update
the assessment and provide current findings.
12.2 Security Testing and Monitoring
Audit/Assurance Objective: The IT security implementation is tested and monitored in a proactive
way. IT security is reaccredited in a timely manner to ensure that the approved enterprise information
security baseline is maintained. A logging and monitoring function enables the early prevention
and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need
to be addressed.
13. Testing
Control: Routine testing of information-security-related controls is performed in accordance
with regulatory requirements and risk assessments that have identified high-risk or vulnerable
assets.
COBIT cross-reference: DS5.5, PO9.4, PO9.5, ME4
COSO: x x x
13.1.1.1 Determine whether security baselines exist for all IT resources utilized by the
organization.
13.1.1.2 Determine whether the baselines are based upon best practices (COBIT, ISO27001/2
and/or ITIL). If not, determine the rationale for in-house-developed baselines.
13.1.1.3 Determine whether appropriate testing is performed to validate adherence to
minimum baselines.
13.1.1.4 Determine whether testing of information security assets is in conformance with
compliance requirements.
13.1.1.4.1 Determine whether the regulatory compliance requirements have been
documented.
13.1.1.4.2 Assess the completeness of the regulatory compliance.
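As an added example (not part of the ISACA program), the following Python script shows what the adherence test in step 13.1.1.3 looks like once it is automated: a captured platform configuration is compared against an enterprise security baseline, and every deviation, including a parameter for which no evidence was captured at all, becomes a line item for the workpaper. The baseline rules, parameter names, threshold values and the sample host configuration are constructed assumptions, not values taken from this document or from any ISACA baseline.

```python
"""Baseline adherence test for one platform.

Added example, not part of the ISACA program. LINUX_BASELINE and
SAMPLE_CONFIG are constructed; parameter names and thresholds are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    parameter: str
    check: str          # one of the keys of _CHECKS below
    expected: Any
    rationale: str      # why the baseline requires it; copied into the finding


# Constructed baseline for a Linux server platform (hypothetical values).
LINUX_BASELINE: List[Rule] = [
    Rule("ssh.PermitRootLogin", "equals", "no", "direct root logon is not attributable"),
    Rule("ssh.PasswordAuthentication", "equals", "no", "key-based authentication only"),
    Rule("password.min_length", "at_least", 14, "enterprise password standard"),
    Rule("password.max_age_days", "at_most", 365, "credential rotation"),
    Rule("ssh.Ciphers", "subset_of",
         {"aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com", "aes128-gcm@openssh.com"},
         "only approved ciphers"),
    Rule("services.enabled", "excludes", {"telnet", "rsh", "ftp"}, "cleartext protocols prohibited"),
]

# How each kind of rule is evaluated against the captured value.
_CHECKS: Dict[str, Callable[[Any, Any], bool]] = {
    "equals":    lambda actual, exp: actual == exp,
    "at_least":  lambda actual, exp: actual >= exp,
    "at_most":   lambda actual, exp: actual <= exp,
    "subset_of": lambda actual, exp: set(actual) <= set(exp),
    "excludes":  lambda actual, exp: not (set(actual) & set(exp)),
}


def check_baseline(config: Dict[str, Any], baseline: List[Rule]) -> List[Dict[str, Any]]:
    """Return one finding per rule the configuration fails or does not answer.

    A parameter missing from the capture is itself a finding (NOT_EVIDENCED):
    adherence cannot be concluded from absent evidence. A value of the wrong
    type (a string where a number was expected) is reported as a DEVIATION
    rather than silently passing.
    """
    findings = []
    for rule in baseline:
        if rule.parameter not in config:
            findings.append({"parameter": rule.parameter, "status": "NOT_EVIDENCED",
                             "expected": rule.expected, "actual": None,
                             "rationale": rule.rationale})
            continue
        actual = config[rule.parameter]
        try:
            ok = _CHECKS[rule.check](actual, rule.expected)
        except TypeError:
            ok = False
        if not ok:
            findings.append({"parameter": rule.parameter, "status": "DEVIATION",
                             "expected": rule.expected, "actual": actual,
                             "rationale": rule.rationale})
    return findings


def adherence_rate(config: Dict[str, Any], baseline: List[Rule]) -> float:
    """Share of baseline rules passed, for the summary line of the workpaper."""
    if not baseline:
        return 1.0
    return round(1 - len(check_baseline(config, baseline)) / len(baseline), 3)


# Constructed capture from one host, as exported from a configuration tool.
# Several values deliberately deviate from the baseline.
SAMPLE_CONFIG: Dict[str, Any] = {
    "ssh.PermitRootLogin": "yes",
    "ssh.PasswordAuthentication": "no",
    "password.min_length": 8,
    "password.max_age_days": 90,
    "ssh.Ciphers": ["aes256-gcm@openssh.com", "aes128-cbc"],
    "services.enabled": ["sshd", "telnet", "cron"],
}

if __name__ == "__main__":
    for f in check_baseline(SAMPLE_CONFIG, LINUX_BASELINE):
        print(f"{f['status']:13} {f['parameter']}: expected {f['expected']!r}, "
              f"got {f['actual']!r} ({f['rationale']})")
    print("adherence:", adherence_rate(SAMPLE_CONFIG, LINUX_BASELINE))
```

Running the script against the constructed host reports four deviations out of six rules; the rationale column is what lets the finding be tied back to the baseline's source (step 13.1.1.2) when the workpaper is written up.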
Control: The information security function actively monitors CIRT activities and reports
incidents and the appropriate analyses.
COBIT cross-reference: ME1, ME2
17.1.1.1 Obtain the incident logs for a representative period of time.
17.1.1.2 Trace a representative sample of incidents per the incident/problem reporting system
to the CIRT management documentation to determine that all security-related incidents
have been reported to the CIRT.
17.1.1.3 Review the CIRT incident records for a representative period. Determine that:
- The response was timely
- The incident severity met the conditions for the response
- The remediation process closed the issue
- A risk assessment was performed, and a reasonable remediation process was executed
- An impact assessment was completed
- Escalation procedures, including the notification of affected parties, management and legal authorities, were completed in conformance with the escalation policy
- The summary of activities was reported to the appropriate governance committees
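The tracing in steps 17.1.1.1 to 17.1.1.3 can be carried out programmatically once the incident-reporting extract and the CIRT register have been exported. The following Python example is added here and is not part of the ISACA program; the two data sets, the severity-to-response-time policy and the field names are constructed assumptions. It flags security tickets the CIRT never received, acknowledgements that missed the response time for their severity, incidents that were never closed, and CIRT entries with no ticket behind them (incidents that bypassed the reporting system and so never reached governance reporting).

```python
"""Tracing security incidents from the reporting system to the CIRT register.

Added example, not part of the ISACA program. TICKETS, CIRT_REGISTER and
RESPONSE_HOURS are constructed; field names are assumptions.
"""
import random
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed extract from the incident/problem reporting system for the period.
TICKETS = [
    {"id": "INC-1001", "category": "security", "severity": 1, "opened": "2010-03-02T08:15"},
    {"id": "INC-1002", "category": "hardware", "severity": 3, "opened": "2010-03-02T09:00"},
    {"id": "INC-1003", "category": "security", "severity": 2, "opened": "2010-03-03T14:20"},
    {"id": "INC-1004", "category": "security", "severity": 3, "opened": "2010-03-04T11:05"},
    {"id": "INC-1005", "category": "security", "severity": 1, "opened": "2010-03-05T02:40"},
]

# Constructed CIRT register: which tickets the CIRT acknowledged, when, and whether closed.
CIRT_REGISTER = [
    {"ticket": "INC-1001", "acknowledged": "2010-03-02T08:40", "closed": "2010-03-02T12:00"},
    {"ticket": "INC-1003", "acknowledged": "2010-03-04T09:00", "closed": None},
    {"ticket": "INC-1005", "acknowledged": "2010-03-05T03:10", "closed": "2010-03-05T10:00"},
    {"ticket": "INC-1099", "acknowledged": "2010-03-06T15:00", "closed": "2010-03-06T16:00"},
]

# Hypothetical escalation policy: hours allowed between ticket opening and CIRT
# acknowledgement, by severity.
RESPONSE_HOURS = {1: 1, 2: 4, 3: 24}


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M")


def reconcile(tickets: List[dict], register: List[dict]) -> Dict[str, List[str]]:
    """Trace every in-scope (security) ticket to the CIRT register.

    unreported: security tickets the CIRT never acknowledged (step 17.1.1.2)
    late:       acknowledged outside the response time for the severity
    unclosed:   acknowledged but never closed (remediation did not close the issue)
    untracked:  register entries with no ticket at all (reporting system bypassed)
    """
    by_ticket = {r["ticket"]: r for r in register}
    all_ids = {t["id"] for t in tickets}
    result: Dict[str, List[str]] = {"unreported": [], "late": [], "unclosed": [], "untracked": []}
    for t in tickets:
        if t["category"] != "security":
            continue                       # non-security tickets are out of CIRT scope
        rec = by_ticket.get(t["id"])
        if rec is None:
            result["unreported"].append(t["id"])
            continue
        allowed = timedelta(hours=RESPONSE_HOURS[t["severity"]])
        if _ts(rec["acknowledged"]) - _ts(t["opened"]) > allowed:
            result["late"].append(t["id"])
        if rec["closed"] is None:
            result["unclosed"].append(t["id"])
    result["untracked"] = sorted(set(by_ticket) - all_ids)
    return result


def sample_for_tracing(tickets: List[dict], size: int, seed: int) -> List[str]:
    """Reproducible sample of security tickets for the manual trace in 17.1.1.2.

    The seed is recorded in the workpaper so the selection can be re-performed.
    """
    ids = sorted(t["id"] for t in tickets if t["category"] == "security")
    return sorted(random.Random(seed).sample(ids, min(size, len(ids))))


if __name__ == "__main__":
    for key, ids in reconcile(TICKETS, CIRT_REGISTER).items():
        print(f"{key:11}: {ids}")
    print("traced by hand:", sample_for_tracing(TICKETS, 2, seed=2010))
```

On the constructed data INC-1004 was never reported to the CIRT, INC-1003 was acknowledged almost nineteen hours after a severity-2 ticket was opened and is still open, and INC-1099 exists only in the CIRT register.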
18. Incident Management Assessment
Control: Perform an assurance assessment of the security incident management processes.
COBIT cross-reference: PO8, DS5.6, ME1
COSO: x x
18.1.1.1 Determine whether a previous audit/assurance assessment of the incident
management process has been performed.
18.1.1.1.1 If an assessment has been performed recently, as defined by internal audit
procedures, review the findings of that review and determine whether
additional findings, including failure to complete previous open
recommendations, are appropriate.
18.1.1.1.2 If an assessment has not been performed, consider using the ISACA
Incident Management Audit/Assurance Program to complete a detailed
review.
18.1.1.1.3 If an assessment has been performed, but not within the internal audit definition
of “recent,” consider reperforming key control processes to update the
assessment and provide current findings.
Control: Information security monitors the security technology processes to ensure adherence. (COBIT: ME1, ME2)
21.1.1.1 Inspect the security reports generated by the system tools that prevent network penetration and vulnerability attacks.
21.1.1.2 Verify that information security monitors the information security processes that report access authorizations and approvals.
21.1.1.3 Verify that the information security function monitors the regular management reviews of security features for physical and logical access to files and data.
21.1.1.4 Verify that information security receives summary reports of the activities controlling the granting and approval of access and the logging of unsuccessful attempts, lockouts, authorized access to sensitive files and/or data, and physical access to facilities. Verify that the information security function investigates repeat offenders and high-risk situations.
21.2 Cryptographic Key Management
Audit/Assurance Objective: Policies and procedures are in place to organize the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorized disclosure.
22. Key Management
Control: Key management systems are implemented to protect sensitive information and to implement mutual authentication. (COBIT: DS5.8)
22.1.1.1 Determine whether an encryption key management role has been established to manage the process of reviewing, distributing and disposing of keys.
22.1.1.1.1 Determine whether this role is segregated from other responsibilities and has a trained backup.
22.1.1.2 Assess whether controls over private keys exist to enforce their confidentiality and integrity. Consideration should be given to the following:
- Storage of private signing keys within secure cryptographic devices
- Private keys not exported from a secure cryptographic module
- Private keys backed up, stored and recovered only by authorized personnel using dual control in a physically secured environment
22.1.1.3 Determine whether a defined key life cycle management process exists. The process should include:
- Minimum key sizes required for the generation of strong keys
- Use of required key generation algorithms
- Identification of required standards for the generation of keys
- Purposes for which keys should be used and restricted
- Allowable usage periods or active lifetimes for keys
- Acceptable methods of key distribution
- Key backup, archival and destruction
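As an added example (not part of the ISACA program), the private-key controls of 22.1.1.2 and the life cycle policy points of 22.1.1.3 applied as an automated check over a constructed key inventory export; the policy values (minimum sizes, approved algorithms, active lifetimes), the inventory field names and the audit date are assumptions to be replaced with the organisation's own key management policy.

```python
from datetime import date

# Assumed key management policy values (illustrative, not from the ISACA program):
# minimum sizes per algorithm, approved algorithms and active lifetime per purpose.
POLICY = {
    "min_bits": {"RSA": 2048, "ECDSA": 256, "AES": 128},
    "allowed_algorithms": {"RSA", "ECDSA", "AES"},
    "max_active_days": {"signing": 730, "encryption": 365, "authentication": 365},
}
AS_OF = date(2010, 3, 1)   # constructed audit date

def check_key(key, today=AS_OF, policy=POLICY):
    """Return the policy points this inventory record fails (empty list = compliant)."""
    findings = []
    alg, bits = key["algorithm"], key["bits"]
    if alg not in policy["allowed_algorithms"]:        # required generation algorithms
        findings.append(f"algorithm {alg} not approved")
    elif bits < policy["min_bits"][alg]:               # minimum key size
        findings.append(f"{alg} key size {bits} below minimum {policy['min_bits'][alg]}")
    if len(key["purposes"]) != 1:                      # keys restricted to one purpose
        findings.append("key not restricted to a single purpose")
    for purpose in key["purposes"]:                    # allowable usage period
        limit = policy["max_active_days"].get(purpose)
        if limit is None:
            findings.append(f"purpose {purpose} not defined in policy")
        elif (today - key["created"]).days > limit:
            findings.append(f"active lifetime exceeded for {purpose}")
    if key["private"]:                                 # 22.1.1.2 private key controls
        if not key["in_secure_module"]:
            findings.append("private key not held in a secure cryptographic module")
        if key["exportable"]:
            findings.append("private key is exportable from its module")
        if key["backup"] and not key["backup_dual_control"]:
            findings.append("private key backup lacks dual control")
    return findings

def check_inventory(keys, today=AS_OF):
    """Map key id -> findings for every non-compliant key in the inventory."""
    return {k["id"]: f for k in keys if (f := check_key(k, today))}

# Constructed key inventory export (no real key material or identifiers).
INVENTORY = [
    {"id": "k-sign-01", "algorithm": "RSA", "bits": 3072, "purposes": ["signing"],
     "created": date(2009, 6, 1), "private": True, "in_secure_module": True,
     "exportable": False, "backup": True, "backup_dual_control": True},
    {"id": "k-tls-07", "algorithm": "RSA", "bits": 1024, "purposes": ["encryption", "signing"],
     "created": date(2008, 1, 15), "private": True, "in_secure_module": False,
     "exportable": True, "backup": True, "backup_dual_control": False},
]
```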
22.2 Malicious Software Prevention, Detection and Correction
Audit/Assurance Objective: Preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organization to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).
23. Malicious Software Prevention, Detection and Correction Policy
Control: Policies have been implemented to prevent, detect and remove malicious software. (COBIT: PO6, DS2, DS5.9, ME1, ME2)
23.1.1.1 Inquire whether and confirm that a malicious software prevention policy is established, documented and communicated throughout the organization.
23.1.1.2 Ensure that policies address the implementation of automated controls to provide virus protection and that violations are appropriately communicated.
23.1.1.3 Inquire whether and confirm that policies require that protection software be centrally distributed (version and patch level) using a centralized configuration and change management process.
23.1.1.4 Determine whether the information security patch management implementation adheres to manufacturer and external/outsourced provider requirements/recommendations.
24. Malicious Software Prevention, Detection and Correction Operating Effectiveness
Control: Monitoring processes have been established to report the effectiveness of, and incidents occurring from, malicious software. (COBIT: PO6, DS5.9, ME1, ME2)
24.1.1.1 Inquire whether key staff members are aware of the malicious software prevention policy and their responsibility for ensuring compliance.
24.1.1.2 From a sample of user workstations, observe whether a virus protection tool has been installed and includes virus definition files, and note the last time the definitions were updated.
24.1.1.3 Review the distribution process against a known, up-to-date inventory to determine the operating effectiveness.
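As an added example (not part of the ISACA program), steps 24.1.1.2 and 24.1.1.3 combined into one reconciliation: a constructed asset inventory is compared with a constructed export from the protection tool's console, flagging workstations with no agent, stale definitions, and hosts the console knows but the inventory does not. The maximum definition age, the field names and the audit date are assumptions.

```python
from datetime import date

MAX_DEFINITION_AGE_DAYS = 7   # assumed policy value for how old definitions may be

def reconcile_av(inventory, av_report, as_of, max_age=MAX_DEFINITION_AGE_DAYS):
    """Compare the asset inventory with the protection tool's console export.

    Returns hosts missing an agent, hosts whose definitions are older than
    max_age days, and hosts reported by the console but absent from the
    inventory (a sign the inventory itself is not up to date)."""
    reported = {row["host"]: row for row in av_report}
    known = {asset["host"] for asset in inventory}
    result = {"no_agent": [], "stale_definitions": [], "unknown_to_inventory": []}
    for asset in inventory:
        row = reported.get(asset["host"])
        if row is None or not row["agent_installed"]:
            result["no_agent"].append(asset["host"])
        elif (as_of - row["definitions_updated"]).days > max_age:
            result["stale_definitions"].append(asset["host"])
    result["unknown_to_inventory"] = sorted(set(reported) - known)
    return result

# Constructed inventory and console export (not real hosts).
AS_OF = date(2010, 3, 1)
INVENTORY = [{"host": f"ws-{n:03d}"} for n in range(1, 5)]
AV_REPORT = [
    {"host": "ws-001", "agent_installed": True, "definitions_updated": date(2010, 2, 28)},
    {"host": "ws-002", "agent_installed": True, "definitions_updated": date(2010, 1, 10)},
    {"host": "ws-003", "agent_installed": False, "definitions_updated": None},
    {"host": "ws-099", "agent_installed": True, "definitions_updated": date(2010, 2, 27)},
]
```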
24.1.1.4 Determine the review and evaluation process by information security to monitor the operating effectiveness of the malicious software filtering process.
24.1.1.4.1 Verify whether there are processes in place for the information security function to assess the competency and training of the malware team to ensure that current threats are addressed.
24.1.1.5 Review the filtering process to determine operating effectiveness, or review the automated process established for filtering purposes.
24.1.1.6 Determine whether routine internal/external vulnerability scans are performed.
24.1.1.6.1 Review the evaluation/assessment process of the scan results.
24.1.1.7 Determine whether penetration testing is performed.
24.1.1.7.1 Review the evaluation/assessment process of the penetration testing results.
24.2 Network Security
Audit/Assurance Objective: Information security management is included in the selection, implementation and approval of security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.
25. Network Security
Control: Information security management is actively involved in and approves network security policies. (COBIT: DS1, DS5.10, DS9, ME2, ME3, ME4)
25.1.1.1 Inquire whether and confirm that network security policies (e.g., provided services, allowed traffic, types of connections permitted) have been established with the approval of, and are monitored by, the information security function.
Maturity assessment table columns: Reference | COBIT Control Practice | Assessed Maturity | Target Maturity | Hyperlink | Comments
DS5.1 Management of IT Security
1. Define a charter for IT security, defining for the security management function:
- Scope and objectives for the security management function
- Responsibilities
- Drivers (e.g., compliance, risk, performance)
2. Confirm that the board, executive management and line management direct the policy development process to ensure that the IT security policy reflects the requirements of the business.
3. Set up an adequate organisational structure and reporting line for information security, ensuring that the security management and administration functions have sufficient authority. Define the interaction with enterprise functions, particularly the control functions such as risk management, compliance and audit.
4. Implement an IT security management reporting mechanism, regularly informing the board and business and IT management of the status of IT security so that appropriate management actions can be taken.
DS5.2 IT Security Plan
1. Define and maintain an overall IT security plan that includes:
- A complete set of security policies and standards in line with the established information security policy framework
- Procedures to implement and enforce the policies and standards
- Roles and responsibilities
- Staffing requirements
- Security awareness and training
- Enforcement practices
- Investments in required security resources
2. Collect information security requirements from IT tactical plans (PO1), data classification (PO2), technology standards (PO3), security and control policies (PO6), risk management (PO9), and external compliance requirements (ME3) for integration into the overall IT security plan.
3. Translate the overall IT security plan into enterprise information security baselines for all major platforms and integrate it into the configuration baseline (DS9).
4. Provide information security requirements and implementation advice to other processes, including the development of SLAs and OLAs (DS1 and DS2), automated solution requirements (AI1), application software (AI2), and IT infrastructure components (AI3).
5. Communicate to all stakeholders and users in a timely and regular fashion on updates of the information security strategy, plans, policies and procedures.
DS5.3 Identity Management
1. Establish and communicate policies and procedures to uniquely identify, authenticate and authorise access mechanisms and access rights for all users on a need-to-know/need-to-have basis, based on predetermined and preapproved roles. Clearly state accountability of any user for any action on any of the systems and/or applications involved.
2. Ensure that roles and access authorisation criteria for assigning user access rights take into account:
- Sensitivity of information and applications involved (data classification)
- Policies for information protection and dissemination (legal, regulatory, internal policies and contractual requirements)
- Roles and responsibilities as defined within the enterprise
- The need-to-have access rights associated with the function
- Standard but individual user access profiles for common job roles in the organisation
- Requirements to guarantee appropriate segregation of duties
3. Establish a method for authenticating and authorising users to establish responsibility and enforce access rights in line with sensitivity of information and functional application requirements and infrastructure components, and in compliance with applicable laws, regulations, internal policies and contractual agreements.
4. Define and implement a procedure for identifying new users and recording, approving and maintaining access rights. This needs to be requested by user management, approved by the system owner and implemented by the responsible security person.
5. Ensure that a timely information flow is in place that reports changes in jobs (i.e., people in, people out, people change). Grant, revoke and adapt user access rights in co-ordination with human resources and user departments for users who are new, who have left the organisation, or who have changed roles or jobs.
DS5.4 User Account Management
1. Ensure that access control procedures include but are not limited to:
- Using unique user IDs to enable users to be linked to and held accountable for their actions
- Awareness that the use of group IDs results in the loss of individual accountability and that group IDs are permitted only when justified for business or operational reasons and compensated by mitigating controls. Group IDs must be approved and documented
- Checking that the user has authorisation from the system owner for the use of the