
Information Security Management Audit/Assurance Program

ISACA®
With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a leading global provider
of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and
security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors
international conferences, publishes the ISACA® Journal, and develops international IS auditing and control
standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®), Certified
Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in
Risk and Information Systems Control™ (CRISC™) designations.

ISACA offers the Business Model for Information Security™ (BMIS™) and the IT Assurance Framework™
(ITAF™). It also developed and maintains the COBIT®, Val IT™ and Risk IT frameworks, which help IT
professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.

Disclaimer
ISACA has designed and created Information Security Management Audit/Assurance Program (the “Work”)
primarily as an informational resource for audit and assurance professionals. ISACA makes no claim that use of any
of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper
information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed
to obtaining the same results. In determining the propriety of any specific information, procedure or test, audit and
assurance professionals should apply their own professional judgment to the specific circumstances presented by the
particular systems or information technology environment.

Reservation of Rights
© 2010 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified,
distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of
all or portions of this publication are permitted solely for academic, internal and noncommercial use and for
consulting/advisory engagements, and must include full attribution of the material’s source. No other right or
permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org

ISBN 978-1-60420-156-7

CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout
the world.

© 2010 ISACA. All rights reserved. Page 2


Information Security Management Audit/Assurance Program

ISACA wishes to recognize:


Author
Norm Kelson, CISA, CGEIT, CPA, CPE Interactive Inc., USA

Expert Reviewers
Bok Hai Suan, CISM, CGEIT, Singapore
Kerrie Douglas, CISA, CGEIT, Six Sigma Green Belt, DaVita, USA
Gbadamosi Folakemi Toyin, CGEIT, APDM, CGRC-IT, CICA, CIPM, Flooky-Tee Computers, Nigeria
Anuj Goel, Ph.D., CISA, CGEIT, Citigroup, Inc., USA
Michael Lloyd Jones, CISA, CIA, CISSP, FLMI, BMO Financial Group, Canada
Prashant Khopkar, CISA, CA, USA
Raul Millan, CISA, CISM, CCSE, CEH, CISSP, Consultores de Seguridad Informatica, Panama
Philippe Rivest, TransForce, Canada
Vinoth Sivasubramanian, ABRCCIP, CEH, ISO 27001 LA, UAE Exchange Center LLC, UAE
Babu Srinivas, CISA, CISM, SP AusNet, Australia
Vikrant V. Tanksale, CISA, ACWA, CMA, ALBahja Industrial Holdings LLC, Oman
Bart van Lodensteijn, CISA, CGEIT, Ordina Consultancy B.V., The Netherlands
Jeff Warren, CISM, JPW Consult, Australia

ISACA Board of Directors


Emil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, International President
Hitoshi Ota, CISA, CISM, CGEIT, CIA, Mizuho Corporate Bank Ltd., Japan, Vice President
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico, Vice President
Christos K. Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece, Vice President
Rolf M. von Roessing, CISA, CISM, CGEIT, KPMG Germany, Germany, Vice President
Robert E. Stroud, CGEIT, CA Technologies, USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Ria Lucas, CISA, CGEIT, Telstra Corp. Ltd., Australia, Vice President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Lynn C. Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Director
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Director
Howard Nicholson, CISA, CGEIT, CRISC, City of Salisbury, Australia, Director
Jeff Spivey, CPP, PSP, Security Risk Management, USA, ITGI Trustee

Knowledge Board
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Chair
Michael Berardi Jr., CISA, CGEIT, Nestle USA, USA
John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young LLP, Singapore
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico
Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, RSM Bird Cameron, Australia
Jon Singleton, CISA, FCA, Auditor General of Manitoba (retired), Canada
Patrick Stachtchenko, CISA, CGEIT, CA, Stachtchenko & Associates SAS, France
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA

Guidance and Practices Committee


Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Chair
Kamal Dave, CISA, CISM, CGEIT, Hewlett-Packard, USA
Urs Fischer, CISA, CRISC, CIA, CPA (Swiss), Switzerland
Ramses Gallego, CISM, CGEIT, CISSP, Entel IT Consulting, Spain
Phillip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Ravi Muthukrishnan, CISA, CISM, FCA, ISCA, Capco IT Service India Pvt. Ltd., India
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Salomon Rico, CISA, CISM, CGEIT, Deloitte, Mexico
Frank Van Der Zwaag, CISA, CISSP, Westpac, New Zealand

ISACA and ITGI Affiliates and Sponsors
American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association for Corporate Governance Inc.
FIDA Inform
Information Security Forum
Information Systems Security Association
Institut de la Gouvernance des Systèmes d’Information
Institute of Management Accountants Inc.
ISACA chapters
ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
University of Antwerp Management School
Analytix Holdings Pty. Ltd.
BWise B.V.
Hewlett-Packard
IBM
Project Rx Inc.
SOAProjects Inc.
Symantec Corp.
TruArx Inc.

Table of Contents
I. Introduction ..... 4
II. Using This Document ..... 5
III. Controls Maturity Analysis ..... 8
IV. Assurance and Control Framework ..... 9
V. Executive Summary of Audit/Assurance Focus ..... 11
VI. Audit/Assurance Program ..... 14
   1. Planning and Scoping the Audit ..... 14
   2. Information Security Management ..... 16
   3. Information Security Operations ..... 20
   4. Information Security Technology Management ..... 27
VII. Maturity Assessment ..... 33
VIII. Assessment Maturity vs. Target Maturity ..... 38

I. Introduction

Overview
ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good-practice-setting
model. ITAF provides standards that are designed to be mandatory and are the guiding principles
under which the IT audit and assurance profession operates. The guidelines provide information and
direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, tools
and templates to provide direction in the application of IT audit and assurance processes.

Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a
specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use
by IT audit and assurance professionals with the requisite knowledge of the subject matter under review,
as described in ITAF, in section 2200—General Standards. The audit/assurance programs are part of
ITAF, section 4000—IT Assurance Tools and Techniques.

Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT framework—
specifically COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF
sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT
Audit and Assurance Management.

Many organizations have embraced several frameworks at an enterprise level, including the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The
importance of the control framework has been enhanced due to regulatory requirements by the US
Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and
similar legislation in other countries. Enterprises seek to integrate control framework elements used by
the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used,
it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename
these columns to align with the enterprise’s control framework.

IT Governance, Risk and Control


IT governance, risk and control are critical in the performance of any assurance management process.
Governance of the process under review will be evaluated as part of the policies and management
oversight controls. Risk plays an important role in evaluating what to audit and how management
approaches and manages risk. Both issues are evaluated as steps in the audit/assurance program. Controls
are the primary evaluation point in the process. The audit/assurance program identifies the control
objectives and the steps to determine control design and effectiveness.

Responsibilities of IT Audit and Assurance Professionals


IT audit and assurance professionals are expected to customize this document to the environment in
which they are performing an assurance process. This document is to be used as a review tool and starting
point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or
questionnaire. It is assumed that the IT audit and assurance professional holds the Certified Information
Systems Auditor (CISA) designation, or has the necessary subject matter expertise required to conduct the
work and is supervised by a professional with the CISA designation and/or necessary subject matter
expertise to adequately review the work performed.

II. Using This Document


This audit/assurance program was developed to assist the audit and assurance professional in designing
and executing a review. Details regarding the format and use of the document follow.

Work Program Steps


The first column of the program describes the steps to be performed. The numbering scheme used
provides built-in work paper numbering for ease of cross-reference to the specific workpaper for that
section. The physical document was designed in Microsoft® Word. The IT audit and assurance
professional is encouraged to make modifications to this document to reflect the specific environment
under review.

Step 1 is part of the fact-gathering and prefieldwork preparation. Because the prefieldwork is essential to
a successful and professional review, the steps have been itemized in this plan. The first level steps, e.g.,
1.1, are shown in bold type and provide the reviewer with a scope or high-level explanation of the
purpose for the substeps.

Beginning in step 2, the steps associated with the work program are itemized. To simplify the use of the
program, the audit/assurance objective is described first—the reason for performing the steps in the topic
area; the specific controls follow. Each review step is listed below the
control. These steps may include assessing the control design by walking through a process, interviewing,
observing or otherwise verifying the process and the controls that address that process. In many cases,
once the control design has been verified, specific tests need to be performed to provide assurance that the
process associated with the control is being followed.

The maturity assessment, which is described in more detail later in this document, makes up the last
section of the program.

The audit/assurance plan wrap-up—those processes associated with the completion and review of work
papers, preparation of issues and recommendations, report writing, and report clearing—has been
excluded from this document since it is standard for the audit/assurance function and should be identified
elsewhere in the enterprise’s standards.

COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the
specific COBIT control objective that supports the audit/assurance step. The COBIT control objective
should be identified for each audit/assurance step in the section. Multiple cross-references are not
uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to
COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a
structure parallel to the development process. COBIT provides in-depth control objectives and suggested
control practices at each level. As professionals review each control, they should refer to COBIT 4.1 or
the IT Assurance Guide: Using COBIT for good-practice control guidance.

COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among
audit/assurance professionals. This ties the assurance work to the enterprise’s control framework. While
the IT audit/assurance function uses COBIT as a framework, operational audit and assurance
professionals use the framework established by the enterprise. Since COSO is the most prevalent internal
control framework, it has been included in this document and is a bridge to align IT audit/assurance with
the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control
components within their report and summarize assurance activities to the audit committee of the board of
directors.

For each control, the audit and assurance professional should indicate the COSO component(s) addressed.
It is possible, but generally not necessary, to extend this analysis to the specific audit step level.

The original COSO internal control framework contained five components. In 2004, COSO was revised
as the Enterprise Risk Management (ERM) Integrated Framework and was extended to eight components.
The primary difference between the two frameworks is the additional focus on ERM and integration into
the business decision model. ERM is in the process of being adopted by large enterprises. The two
frameworks are compared in figure 1.

Figure 1—Comparison of COSO Internal Control and ERM Integrated Frameworks

Internal Control Framework: Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management’s operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.
ERM Integrated Framework: Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Internal Control Framework: (no corresponding component)
ERM Integrated Framework: Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.

Internal Control Framework: (no corresponding component)
ERM Integrated Framework: Event Identification: Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.

Internal Control Framework: Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and, thus, risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
ERM Integrated Framework: Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

Internal Control Framework: (no corresponding component)
ERM Integrated Framework: Risk Response: Management selects risk responses—avoiding, accepting, reducing or sharing risk—developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.

Internal Control Framework: Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
ERM Integrated Framework: Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Internal Control Framework: Information and Communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.
ERM Integrated Framework: Information and Communication: Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.

Internal Control Framework: Monitoring: Internal control systems need to be monitored—a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.
ERM Integrated Framework: Monitoring: The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.

Information for figure 1 was obtained from the COSO web site, www.coso.org/aboutus.htm.

The original COSO internal control framework addresses the needs of the IT audit and assurance
professional: control environment, risk assessment, control activities, information and communication,
and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/assurance
programs. As more enterprises implement the ERM model, the additional three columns can be
added, if relevant. When completing the COSO component columns, consider the definitions of the
components as described in figure 1.

Reference/Hyperlink
Good practices require the audit and assurance professional to create a workpaper for each line item,
which describes the work performed, issues identified and conclusions. The reference/hyperlink is to be
used to cross-reference the audit/assurance step to the workpaper that supports it. The numbering system
of this document provides a ready numbering scheme for the workpapers. If desired, a link to the work
paper can be pasted into this column.

Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to
further investigate or establish as a potential finding. The potential findings should be documented in a
workpaper that indicates the disposition of the findings (formally reported, reported as a memo or verbal
finding, or waived).

Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used
in place of a workpaper describing the work performed.

III. Controls Maturity Analysis


One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire
to understand how their performance compares to good practices. Audit and assurance professionals must
provide an objective basis for the review conclusions. Maturity modeling for management and control
over IT processes is based on a method of evaluating the enterprise, so it can be rated from a maturity
level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the
Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software
development.

The IT Assurance Guide: Using COBIT, Appendix VII—Maturity Model for Internal Control, seen in
figure 2, provides a generic maturity model showing the status of the internal control environment and
the establishment of internal controls in an enterprise. It shows how the management of internal control,
and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an
optimized level. The model provides a high-level guide to help COBIT users appreciate what is required
for effective internal controls in IT and to help position their enterprise on the maturity scale.

Figure 2—Maturity Model for Internal Control

0 Non-existent
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organization’s culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

1 Initial/ad hoc
Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

2 Repeatable but Intuitive
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

3 Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

4 Managed and Measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.

5 Optimized
Status of the Internal Control Environment: An enterprise-wide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.

The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and
assurance professional can address the key controls within the scope of the work program and formulate
an objective assessment of the maturity levels of the control practices. The maturity assessment can be a
part of the audit/assurance report and can be used as a metric from year to year to document progression
in the enhancement of controls. However, it must be noted that the perception of the maturity level may
vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the
concerned stakeholder’s concurrence before submitting the final report to management.

At the conclusion of the review, once all findings and recommendations are completed, the professional
assesses the current state of the COBIT control framework and assigns it a maturity level using the six-
level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity
model. As a further reference, COBIT provides a definition of the maturity designations by control
objective. While this approach is not mandatory, the process is provided as a separate section at the end of
the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity
assessment be made at the COBIT control level. To provide further value to the client/customer, the
professional can also obtain maturity targets from the client/customer. Using the assessed and target
maturity levels, the professional can create an effective graphic presentation that describes the
achievement or gaps between the actual and targeted maturity goals. A graphic is provided as the last page
of the document (section VIII), based on sample assessments.

IV. Assurance and Control Framework

ISACA IT Assurance Framework and Standards


ITAF section 3630.7—Information Security Management is of primary relevance to the audit/assurance
of information security management. However, information security management is pervasive throughout
the IT organization and its functional responsibility. Components of information security are also included
in the following ITAF sections:

• 3410—IT Governance
• 3425—IT Information Strategy
• 3427—IT Information Management
• 3450—IT Processes
• 3630—Auditing IT General Controls

ISACA Controls Framework


COBIT is a framework for the governance of IT and supporting tool set that allows managers to bridge
the gap among control requirements, technical issues and business risks. COBIT enables clear policy
development and good practice for IT control throughout enterprises.

Utilizing COBIT as the control framework from which IT audit/assurance activities are based aligns IT
audit/assurance with good practices as developed by the enterprise.

COBIT IT process DS5 Ensure systems security, from the Deliver and Support (DS) domain, is the
primary control framework and addresses good practices for ensuring security of corporate information.
Secondary COBIT processes are cross-referenced within the audit/assurance program.

The COBIT areas for this evaluation include:


 DS5.1 Management of IT security—Manage IT security at the highest appropriate organizational
level, so the management of security actions is in line with business requirements.
 DS5.2 IT security plan—Translate business, risk and compliance requirements into an overall IT
security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the
plan is implemented in security policies and procedures together with appropriate investments in
services, personnel, software and hardware. Communicate security policies and procedures to
stakeholders and users.
 DS5.3 Identity management—The information security function has defined policies and monitors
activities relating to unique user identification; authentication mechanisms; user access rights
according to job definition; and documented, appropriate authorization and approval mechanisms.
 DS5.4 User account management—The information security function has established policies and
monitoring procedures that address: requesting, establishing, issuing, suspending, modifying and
closing user accounts and related user privileges with a set of user account management procedures.
The process includes an approval procedure outlining the data or system owner granting the access
privileges and applies to all users, including administrators (privileged users) and internal and
external users, for normal and emergency cases.
 DS5.5 Security testing, surveillance and monitoring—Test and monitor the IT security
implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure
that the approved enterprise’s information security baseline is maintained. A logging and monitoring
function will enable the early prevention and/or detection and subsequent timely reporting of
unusual and/or abnormal activities that may need to be addressed.
 DS5.6 Security incident definition—The security incident management process is defined and
monitored by the information security function, and an incident response team has been established
and is operationally effective.
 DS5.7 Protection of security technology—Make security-related technology resistant to tampering,
and do not disclose security documentation unnecessarily.
 DS5.8 Cryptographic key management—Policies and procedures are in place to organize the
generation, change, revocation, destruction, distribution, certification, storage, entry, use and
archiving of cryptographic keys to ensure the protection of keys against modification and unauthorized disclosure.
 DS5.9 Malicious software prevention, detection and correction—Preventive, detective and
corrective measures are in place (especially up-to-date security patches and virus control) across the
enterprise to protect information systems and technology from malware (e.g., viruses, worms,
spyware, spam).
 DS5.10 Network security—Information security management is included in the selection,
implementation and approval of security techniques and related management procedures (e.g.,
firewalls, security appliances, network segmentation, intrusion detection) to authorize access and
control information flows from and to networks.
 DS5.11 Exchange of sensitive data—Information security has approved policies concerning the
exchange of sensitive transaction data through a trusted path or medium with controls to provide
authenticity of content, proof of submission, proof of receipt and nonrepudiation of origin. All
incidents involving the exchange of sensitive data are reported through the incident reporting system
and are directed to the CIRT.

Information security management is an integral part of the entire IT infrastructure. The Information
Security Management Audit/Assurance Program cross-references numerous COBIT domains and
processes. These sections appear in the COBIT cross-reference of the audit/assurance program.
Information security is a component of each of these areas, but the scope of this assessment is too
limited to include those sections in the summary of the information security management assessment.

Refer to the ISACA publication COBIT Control Practices: Guidance to Achieve Control Objectives for
Successful IT Governance, 2nd Edition, 2007, for the related control practice value and risk drivers.

V. Executive Summary of Audit/Assurance Focus

Information Security Management


Information security is an essential component of governance and management that affects all aspects of
entity-level controls. Audit and assurance professionals include appropriate information security
evaluations throughout their audit universe. However, the process of assessing the design and operating
effectiveness of information security management does not receive the focus it requires. The information
security management function is responsible for the governance, policy, enforcement, monitoring and
innovation necessary for the modern business to establish cost-effective information security processes,
while providing adequate information security assurance within the risk appetite and budget of the
organization.

The information security management function provides:


 Management direction, including policy creation, involvement in significant information security
strategies, establishment of and adherence to an information security architecture, and alignment of
information security strategies with business strategies
 Management oversight and execution of essential information security operations. The former focuses
on routine operations that affect information security, including access control; user identity
management; and configuration management of other security building blocks, including intrusion
detection and penetration testing systems, antimalware, and other processes. The latter includes
information security incident management and security forensics.
 Management of information security technologies utilized within the organization


Business Impact and Risk


Information security touches all aspects of the business environment. Failure to implement adequate
information security could result in the following operational issues:
 Security breaches, both detected and undetected
 Exposure of information
 Breach of trust with other enterprises
 Violations of legal and regulatory requirements
 Inadequate physical security measures
 Unauthorized external connections to remote sites
 Disclosure of corporate assets and sensitive information accessible to unauthorized parties
 Systems and data that are prone to malware
 Damage to the enterprise’s reputation
 Financial loss

The risks associated with inadequate information security management include:


 Information security strategies not aligned with IT or business requirements
 Information security value (cost-benefit) structure not aligned with business needs or goals
 Undefined or confusing information security accountability
 Noncompliance with internal and external requirements
 Ineffective use of financial resources allocated to information security
 Information security not included in portfolio selection and maintenance and/or architecture design
resulting in ineffective, inefficient or misguided information security solutions
 Information security not monitored and policies not applied uniformly with varying enforcement

Information security is about minimizing exposures, based upon risk management. Failure to implement
and monitor risk mitigation processes in one area may compromise the entire organization.

Objective and Scope


Objective—The information security management audit/assurance review will:
 Provide management with an assessment of the effectiveness of the information security management
function
 Evaluate the scope of the information security management organization and determine whether
essential security functions are being addressed effectively

It is not designed to replace or focus on audits that provide assurance of specific configurations or
operational processes.

Scope—The review will focus on:


 Information Security Management—Processes associated with governance, policy, monitoring,
incident management and management of the information security function
 Information Security Operations Management—Processes associated with the implementation of
security configurations
 Information Security Technology Management—Processes associated with the selection and
maintenance of security technologies

To ensure a comprehensive audit of information security management, it is recommended that the
following audit/assurance reviews be performed prior to the execution of the information security
management review and that appropriate reliance be placed on these assessments:
 Identity management
 Security incident management
 Network perimeter security
 Systems development
 Project management
 IT risk management
 Data management
 Vulnerability management

Minimum Audit Skills


Information security management addresses many IT processes. Since the focus is on the management of
information security, the audit and assurance professional should have the requisite knowledge of the
scope and requirements of information security, governance of IT and the information security
components therein, information security components of IT architecture, risk management, and the direct
information security processes. In addition, this audit/assurance program addresses organizational human
resource reporting, management planning and senior management interfaces. Therefore, it is
recommended that the audit and assurance professional conducting the assessment have the requisite
experience and organizational relationships to effectively execute the assurance processes.

VI. Audit/Assurance Program
Columns of the audit/assurance program table: Audit/Assurance Program Step; COBIT Cross-reference; COSO components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring), marked with an x where the control applies; Hyperlink; Reference Issue Cross-reference; Comments.

1. PLANNING AND SCOPING THE AUDIT


1.1 Define audit/assurance objectives.
The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan
and charter.
1.2 Define boundaries of review.
The review must have a defined scope. The reviewer should understand the information security
organization and function, and prepare a proposed scope, subject to a later risk assessment.
1.2.1 Obtain and review the information security organization chart and/or current job descriptions.
1.2.2 Obtain the information security organization charter (or a purpose, goals and objectives
statement).
1.2.3 Obtain and review any previous audit reports with remediation plans. Identify open issues and
assess updates of documents with respect to these issues.
1.2.4 Identify limitations and/or constraints affecting the audit of information security.
1.3 Identify and document risks.
The risk assessment is necessary to evaluate where audit resources should be focused. In most
enterprises, audit resources are not available for all processes. The risk-based approach assures
utilization of audit resources in the most effective manner.
1.3.1 Identify the business risk associated with information security with business owners and key
stakeholders.
1.3.2 Verify that the business risks are aligned, rated or classified with information security criteria
such as confidentiality, integrity or availability.
1.3.3 Review previous audits of information security management and/or information security
operations.
1.3.4 Determine whether issues identified previously have been remediated.
1.3.5 Evaluate the overall risk factor for performing the review.
1.3.6 Based on the risk assessment, identify changes to the scope.
1.3.7 Discuss the risks with IT management, and adjust the risk assessment.
1.3.8 Based on the risk assessment, revise the scope.


1.4 Define the change process.
The initial audit approach is based on the reviewer’s understanding of the operating environment and
associated risks. As further research and analysis are performed, changes to the scope and approach
may result.
1.4.1 Identify the senior IT assurance resource responsible for the review.
1.4.2 Establish the process for suggesting and implementing changes to the audit/assurance
program, and the authorizations required.
1.5 Define assignment success.
The success factors need to be identified. Communication among the IT audit/assurance team, other
assurance teams and the enterprise is essential.
1.5.1 Identify the drivers for a successful review (this should exist in the assurance function’s
standards and procedures).
1.5.2 Communicate success attributes to the process owner or stakeholder, and obtain agreement.
1.6 Define the audit/assurance resources required.
The resources required are defined in the introduction to this audit/assurance program.
1.6.1 Determine the audit/assurance skills necessary for the review.
1.6.2 Estimate the total audit/assurance resources (hours) and time frame (start and end dates)
required for the review.
1.7 Define deliverables.
The deliverable is not limited to the final report. Communication between the audit/assurance teams
and the process owner is essential to assignment success.
1.7.1 Determine the interim deliverables, including initial findings, status reports, draft reports, due
dates for responses or meetings, and the final report.
1.8 Communications
The audit/assurance process must be clearly communicated to the customer/client.
1.8.1 Conduct an opening conference to:
 Discuss the review objectives with information security management
 Identify documents and information security resources required to effectively perform the review
 Establish timelines and deliverables
2. INFORMATION SECURITY MANAGEMENT
2.1 Management of IT Security


Audit/Assurance Objective: Manage IT security at the highest appropriate organizational level so
that the management of security actions is in line with business requirements.
3. Governance
Control: Processes are in practice to assure applicable management oversight of the information security function. (COBIT cross-reference: PO4, DS5.1, ME4; COSO: x x x)
3.1.1.1 Determine whether a security steering committee exists with representation from key
functional areas, including internal audit, HR, finance, operations, IT security and
legal.
3.1.1.2 Obtain the security steering committee charter.
3.1.1.3 Determine whether the committee membership is aligned with the organization and the
information security stakeholders.
3.1.1.4 Obtain the minutes of selected steering committee meetings.
3.1.1.5 Determine whether the committee members regularly attend committee meetings.
3.1.1.6 Inquire whether and confirm that a security management communication process
exists that informs the board, business and IT management of the status of information
security.
3.1.1.7 Review the security steering committee charter to identify the communication plan and
reporting relationships. Determine whether a common language (i.e., COBIT’s
information criteria) is in the communication plan and that the reporting lines are
clearly established.
3.1.1.8 Select several board meeting dates, obtain the information security presentations, and
determine the board-level discussions relating to information security.
3.1.1.9 Inquire whether and confirm that an adequate organizational structure and reporting
line for information security exist, and assess whether the security management and
administration functions have sufficient authority.
3.1.1.10 Based on the organization chart of the information security organization, determine
whether the structure provides for the information security function to report to and
interface with the upper levels of management.
3.1.1.11 Determine whether the placement of the information security function provides for appropriate independence, objectivity and authority over its constituencies to be effective.
3.1.1.12 Determine whether subordinate organizational hierarchy is adequate to provide
appropriate policy definition and monitoring.
4. Risk Assessment
Control: Risk assessments are regularly conducted to prioritize information security initiatives and ensure alignment with business risks. (COBIT cross-reference: PO9, DS5.2, ME4; COSO: x x x)
4.1.1.1 Determine whether a process exists to prioritize proposed security initiatives and
directives, including required levels of policies, standards and procedures.
4.1.1.2 Obtain recent risk assessment documents.
4.1.1.3 Determine whether the risk assessment has been utilized and addresses reasonable
risks.
4.1.1.4 Determine whether the risk assessment is aligned with the IT risk assessment, if one
exists, and the enterprise risk methodology, if one exists.
4.1.1.5 Test the design of the risk assessment for completeness, relevancy, timeliness and
measurability.
5. Policies
Control: Policies are created according to a defined format and are distributed following a distribution list based on subject matter and relevance, and the scope of the policies is appropriate to ensure that information security is adequate to address the risk tolerance. (COBIT cross-reference: PO4, PO6, PO9, DS5.2, ME3, ME4; COSO: x x x x)
5.1.1.1 Inquire whether and confirm that an information security charter exists.
5.1.1.2 Review and analyze the charter to verify that it refers to the organizational risk appetite
relative to information security and that the charter clearly includes:
1. Scope and objectives of the security management function
2. Responsibilities of the security management function
3. Compliance and risk drivers
5.1.1.3 Inquire whether and confirm that the information security policies cover the responsibility and accountability of the board, executive management, line management, staff members and all users of the enterprise IT infrastructure and that they refer to detailed security standards and procedures.
5.1.1.4 Inquire whether and confirm that detailed security policies, standards and procedures
exist. Examples of policies, standards, procedures and best practices concerning these
topics (COBIT, ISO/IEC 27001/27002) include:
 Security compliance policy
 Management risk acceptance (security noncompliance acknowledgement)
 External communications security policy
 Firewall policy
 E-mail security policy
 An agreement to comply with IS policies
 Laptop/desktop computer security policy
 Internet usage policy
5.2 IT Security Plan
Audit/Assurance Objective: Translate business, risk and compliance requirements into an overall IT
security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the
plan is implemented in security policies and procedures, together with appropriate investments in
services, personnel, software and hardware. Communicate security policies and procedures to
stakeholders and users.
6. Security Plan Integration
Control: Information security requirements are integrated into other processes. (COBIT cross-reference: PO1, PO2, PO3, PO4, PO6, PO9, AI1, AI2, DS1, DS2, DS4, DS5.2, DS9, DS12, DS13, ME3, ME4; COSO: x x x)
6.1.1.1 Determine whether a process exists to integrate information security requirements and
implementation advice from the IT security plan into the development of service level
agreements (SLAs) and operating level agreements (OLAs) (Refer to COBIT DS1 and
DS2).
6.1.1.2 Review the SLAs and OLAs for an information security focus. Determine whether the
information security function was involved in the development of these SLAs/OLAs.
6.1.1.3 Determine whether a process exists to integrate information security requirements and
implementation advice from the IT security plan into automated solution (AI1) and
application (AI2) requirements.
6.1.1.4 Obtain systems development methodology documentation and determine whether
information security involvement and review are required by the policies and
procedures.
6.1.1.5 Select several high-risk and/or high-profile development projects. Obtain requirements
documentation, and determine whether information security requirements were
included in the project requirements documentation.
6.1.1.6 Determine whether information security resources were regularly involved in key
information security decisions at appropriate points in the process.
6.1.1.7 Determine whether a process exists to integrate information security requirements and
implementation advice from the IT security plan into the IT infrastructure components
(AI3).
6.1.1.8 Obtain the IT infrastructure plan.
6.1.1.9 Determine whether the information security function is involved in the development of
the security components of the IT infrastructure.
6.1.1.10 Determine whether the IT infrastructure team and the information security function
routinely interface on common initiatives.

6.1.1.11 Determine whether the IT security plan addresses IT tactical plans (PO1), data classification (PO2), technology standards (PO3), HR/user access policies (i.e., segregation of duties, key personnel, contractors) (PO4), security and control policies (PO6), risk management (PO9), and external compliance requirements (ME3).
6.1.1.12 Obtain and review the IT security plan.
6.1.1.13 Determine whether enterprise information security baselines for all major platforms
are commensurate with the overall IT security plan, whether the baselines have been
recorded in the configuration baseline (DS9) central repository and whether a process
exists to periodically update the baselines based on changes in the plan.
6.1.1.14 Determine whether information security issues are included in the IT continuity plan.
7. Security Plan Maintenance
Control: The security plan is reviewed on a regular basis to determine that it is updated to reflect changes to the operating environment and new threats. (COBIT cross-reference: AI2, AI3, DS4, DS5.2, DS9, DS12, DS13; COSO: x x)
7.1.1.1 Determine the effectiveness of the collection and integration of information security
requirements into an overall IT security plan that is responsive to the changing needs
of the organization.
7.1.1.2 Determine whether the appropriate triggers are built into the interfaces between IT,
business units and the information security organization to ensure that there is timely
notification of a need to update the information security plan.
7.1.1.3 Determine whether a process exists to periodically update the IT security plan and
whether the process requires appropriate levels of management review and approval of
changes.
7.1.1.4 Determine the review process for updating the IT security plan; consider:
 Quality of documentation, including security policies
 Approval process for changes
 Job functions involved in the review process
8. INFORMATION SECURITY OPERATIONS
8.1 Identity Management


Audit/Assurance Objectives: The information security function has defined policies and monitors
activities relating to the following:
 Ensure that all users (internal, external and temporary) and their activity on IT systems (business
application, IT environment, system operations, development and maintenance) are uniquely
identifiable.
 Enable user identities via authentication mechanisms.
 Confirm that user access rights to systems and data are in line with defined and documented
business needs and that job requirements are attached to user roles.
 Ensure that user access rights are requested by user management, approved by system owners
and implemented by the person responsible for security.
 Ensure that information security operations functions maintain user roles and access rights in a
central repository. Deploy cost-effective technical and procedural measures, and keep them
current to establish user identification, implement authentication and enforce access rights.
9. Identity Management
Control: The information security function has established identity management policies and monitoring functions. (COBIT cross-reference: DS5.3, DS11.6, DS12, ME4; COSO: x x)
9.1.1.1 Determine the role of the information security function relating to identity
management. If the information security function establishes policy and monitors
enforcement, the remainder of this section needs to be reviewed from a definition and
monitoring perspective. If the information security function also performs the
information security operations, the assessment must include the tests of the
operational follow-through.
9.1.1.2 Determine whether security policies require users and system processes to be uniquely
identifiable and systems to be configured to enforce authentication before access is
granted.
9.1.1.3 If policies require predetermined and preapproved roles to grant access, determine
whether the policies require the roles to clearly delineate responsibilities based on least
privileges and ensure that the establishment and modification of roles are approved by
process owner management.
9.1.1.4 Determine whether appropriate policies and monitoring have been implemented to control access provisioning and whether authentication control mechanisms are utilized for controlling logical access across all users, system processes and IT resources for in-house and remotely managed users, processes and systems.
10. Identity Management Operations
Control: Identity management policies are enforced, and appropriate review processes are in place to evaluate their operating effectiveness. (COBIT cross-reference: DS5.3, ME1, ME2, ME3; COSO: x x x)
10.1.1.1 Determine whether a previous audit/assurance assessment of the identity management
system has been performed.
10.1.1.2 If an audit/assurance assessment has been performed recently, as defined by internal
audit procedures, review the findings of that review, and determine whether additional
findings, including failure to complete previous open recommendations, are
appropriate.
10.1.1.2.1 If an assessment has not been performed, consider using the ISACA
Identity Management Audit/Assurance Program to complete a detailed
review.
10.1.1.2.2 If an assessment has been performed, but not within the internal audit
definition of “recent,” consider reperforming key control tests to update
the assessment and provide current findings.
10.1.1.3 Determine whether the information security function performs annual assessments of
identity management operations and receives timely reports/scorecards of identity
management operations activities.
10.1.1.4 Determine whether the information security function has routinely monitored and
evaluated the effectiveness of identity management operations.
10.2 Account Management
Audit/Assurance Objective: The information security function has established policies and
monitoring procedures that address: requesting, establishing, issuing, suspending, modifying and
closing user accounts and related user privileges with a set of user account management procedures.
The process includes an approval procedure outlining the data or system owner granting the access
privileges and applies to all users, including administrators (privileged users); internal and external
users; normal and emergency cases; and system, shared and generic accounts.

11. User Account Management Policy
Control: The information security function has established policies and monitoring procedures to ensure the effectiveness of user account management controls. (COBIT cross-reference: PO4, DS5.4, ME3, ME4; COSO: x x x)
11.1.1.1 Obtain the information security policy addressing user account management.
11.1.1.2 Determine whether procedures exist to periodically assess and recertify system and
application access and authorities.
11.1.1.3 Determine whether access control procedures exist to control and manage system and
application rights and privileges according to the organization’s security policies and
compliance and regulatory requirements.
11.1.1.4 Determine whether user provisioning policies, standards and procedures extend to all
system users and processes, including vendors, service providers and business
partners.
11.1.1.5 Determine whether a data classification policy is in place.
11.1.1.5.1 Ensure that the protection controls implemented are adequate for the
classification of data (refer to the classification of data policy).
11.1.1.5.2 Determine whether the data classification affecting information security is
reviewed periodically.
11.1.1.5.3 Determine whether systems, applications and data have been classified by
levels of importance and risk and whether process owners have been
identified and assigned.
12. User Account Management Operations
Control: The information security function monitors the control effectiveness of user account management operations on a timely basis and reports their operating efficiency and effectiveness. (COBIT cross-reference: DS5.4, ME1, ME2; COSO: x x x)
12.1.1.1 Obtain management reports for user account management.
12.1.1.2 Assess the level of information security oversight for the operational aspects of user
account management.
12.1.1.3 Determine whether a previous audit/assurance assessment of the user account
management has been performed.
12.1.1.3.1 If an assessment has been performed recently, as defined by internal audit procedures, review the findings of that review, and determine whether additional findings, including failure to complete previous open recommendations, are appropriate.

12.1.1.3.2 If an assessment has not been performed, consider using the ISACA User
Account Management Audit/Assurance Program to complete a detailed
review.
12.1.1.3.3 If an assessment has been performed, but not within the internal audit
definition of “recent,” consider reperforming key control processes to update
the assessment and provide current findings.
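The recertification and provisioning tests in steps 11.1.1.2, 11.1.1.4 and 12.1.1.1 are usually performed by reconciling an access-rights extract against HR status and the last recertification date. The following Python script is an added example of that reconciliation; it is not part of the ISACA program, and every record, system name and review interval in it is a constructed assumption.

```python
# Added example (not part of the ISACA program): an auditor's reconciliation of an
# access-rights extract against HR status and recertification dates, covering
# steps 11.1.1.2/11.1.1.4 and 12.1.1.1. Every record, system name and review
# interval below is a constructed assumption, not a value from the program.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Assumed recertification policy (not from the page): standard accounts yearly,
# privileged accounts quarterly, in line with DS5.4's "more frequent" review of
# special privileged access.
STANDARD_REVIEW_DAYS = 365
PRIVILEGED_REVIEW_DAYS = 90


@dataclass
class Account:
    user_id: str
    system: str
    privileged: bool
    last_recertified: Optional[date]  # None = never recertified
    shared: bool = False              # group/shared ID (loses individual accountability)
    justification: str = ""           # business justification required for shared IDs


@dataclass
class Findings:
    orphaned: List[str] = field(default_factory=list)            # owner terminated, account still active
    overdue: List[str] = field(default_factory=list)             # recertification past the policy interval
    unjustified_shared: List[str] = field(default_factory=list)  # group ID without documented justification
    unknown_owner: List[str] = field(default_factory=list)       # no HR record for the user ID


def review_accounts(accounts: List[Account], hr_status: Dict[str, str], as_of: date) -> Findings:
    """hr_status maps user_id -> 'active' | 'terminated'. Returns the exception lists."""
    f = Findings()
    for a in accounts:
        key = f"{a.system}:{a.user_id}"
        if a.shared:
            if not a.justification.strip():
                f.unjustified_shared.append(key)
        else:
            status = hr_status.get(a.user_id)
            if status is None:
                f.unknown_owner.append(key)
            elif status == "terminated":
                f.orphaned.append(key)
        limit = PRIVILEGED_REVIEW_DAYS if a.privileged else STANDARD_REVIEW_DAYS
        if a.last_recertified is None or (as_of - a.last_recertified).days > limit:
            f.overdue.append(key)
    return f


# Constructed sample evidence: an HR status extract and an access-rights extract.
AS_OF = date(2010, 6, 30)
HR_STATUS = {"jdoe": "active", "asmith": "terminated", "vendor01": "active"}
ACCOUNTS = [
    Account("jdoe", "erp", privileged=False, last_recertified=date(2010, 1, 15)),
    Account("asmith", "erp", privileged=True, last_recertified=date(2010, 5, 1)),
    Account("vendor01", "vpn", privileged=False, last_recertified=date(2009, 3, 1)),
    Account("dbadmin", "erp", privileged=True, last_recertified=date(2010, 1, 1), shared=True),
    Account("ghost", "crm", privileged=False, last_recertified=None),
]

if __name__ == "__main__":
    for test, items in vars(review_accounts(ACCOUNTS, HR_STATUS, AS_OF)).items():
        print(f"{test}: {items}")
```

Each exception list maps to an audit finding: an orphaned account is a provisioning failure, an overdue entry is a recertification failure, and a shared ID without justification is the group-ID condition DS5.4 requires to be approved and documented. In practice the three extracts would be pulled from the IAM system, HR and the recertification tool for the same "as of" date.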
12.2 Security Testing and Monitoring
Audit/Assurance Objective: The IT security implementation is tested and monitored in a proactive
way. IT security is reaccredited in a timely manner to ensure that the approved enterprise information
security baseline is maintained. A logging and monitoring function enables the early prevention
and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need
to be addressed.
13. Testing
Control: Routine testing of information-security-related controls is performed in accordance with regulatory requirements and risk assessments that have identified high-risk or vulnerable assets.
COBIT: DS5.5, PO9.4, PO9.5, ME4 | COSO: x x x
13.1.1.1 Determine whether security baselines exist for all IT resources utilized by the
organization.
13.1.1.2 Determine whether the baselines are based upon best practices (COBIT, ISO27001/2
and/or ITIL). If not, determine the rationale for in-house-developed baselines.
13.1.1.3 Determine whether appropriate testing is performed to validate adherence to
minimum baselines.
13.1.1.4 Determine whether testing of information security assets is in conformance with
compliance requirements.
13.1.1.4.1 Determine whether the regulatory compliance requirements have been
documented.
13.1.1.4.2 Assess the completeness of the regulatory compliance.
13.1.1.4.3 Evaluate whether additional testing is required to be in compliance with
regulatory requirements.
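Step 13.1.1.3 asks whether testing validates adherence to the minimum baselines. A reperformance of that test compares a host's exported settings with the enterprise baseline and lists each deviation. The script below is an added example of that comparison, not ISACA's code; the baseline rules and the sshd_config-style sample lines are constructed assumptions rather than a published standard.

```python
# Added example (not ISACA's code): checking a host's exported settings against an
# enterprise security baseline, as an auditor would when testing step 13.1.1.3.
# The baseline rules and the sshd_config-style sample lines are constructed
# assumptions; they are not a published standard.
import re
from typing import Callable, Dict, Optional, Tuple

Check = Callable[[str, str], bool]   # check(actual, expected) -> compliant?


def equals(actual: str, expected: str) -> bool:
    return actual.strip().lower() == expected.lower()


def at_most(actual: str, expected: str) -> bool:
    return int(actual) <= int(expected)


# Constructed baseline: setting -> (expected value, comparison rule).
BASELINE: Dict[str, Tuple[str, Check]] = {
    "Protocol": ("2", equals),
    "PermitRootLogin": ("no", equals),
    "PasswordAuthentication": ("no", equals),
    "MaxAuthTries": ("4", at_most),
    "LoginGraceTime": ("60", at_most),
}


def parse_settings(text: str) -> Dict[str, str]:
    """Parse 'Key value' or 'Key=value' lines; comments and blank lines are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.+?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_baseline(settings: Dict[str, str], baseline) -> Dict[str, Tuple[Optional[str], str]]:
    """Return {setting: (actual, expected)} for each deviation.
    A setting absent from the host is reported with actual=None: an unset value
    cannot be shown to satisfy the baseline, so it counts as a deviation."""
    deviations: Dict[str, Tuple[Optional[str], str]] = {}
    for key, (expected, check) in baseline.items():
        actual = settings.get(key)
        try:
            ok = actual is not None and check(actual, expected)
        except ValueError:       # non-numeric value where a number is required
            ok = False
        if not ok:
            deviations[key] = (actual, expected)
    return deviations


# Constructed sshd_config-style extract from a host under test.
SAMPLE_CONFIG = """\
# constructed sample, not a real host
Protocol 2
PermitRootLogin yes          # deviation: root login allowed
PasswordAuthentication no
MaxAuthTries 6               # deviation: above the baseline maximum
"""

if __name__ == "__main__":
    for key, (actual, expected) in check_baseline(parse_settings(SAMPLE_CONFIG), BASELINE).items():
        print(f"{key}: actual={actual!r} expected={expected!r}")
```

The comparison rule is carried with each baseline entry so that numeric limits (at most N attempts) and exact values (root login disabled) are tested differently; missing settings are deliberately reported rather than assumed to default to a compliant value, because the default varies by platform version.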
14. Monitoring
Control: Key information security controls are monitored on a regular and timely basis.
COBIT: PO8, DS5.5, ME1, ME2 | COSO: x x x
14.1.1.1 Determine whether all organization-critical, higher-risk network assets are routinely
monitored for security events.
14.1.1.2 Determine whether the IT security management function has been integrated within
the organization’s project management initiatives to ensure that security is considered
in all IT projects.
14.2 Security Incident Management
Audit/Assurance Objective: The security incident management process is defined and monitored by
the information security function, and an incident response team has been established and is
operationally effective.
15. Incident Management Definition
Control: An incident management policy has been established that defines the classification of information security incidents and the actions to be executed when an information security incident is identified, and the process has been communicated to the units that are first responders.
COBIT: DS5.6, DS8, ME4 | COSO: x x x
15.1.1.1 Determine whether the security incident management process appropriately interfaces
with key organization functions, including the help desk, external service providers
and network management.
15.1.1.2 Evaluate whether the security incident management process includes the following
key elements:
• Event detection and classification
• Correlation of events and evaluation of threat/incident
• Resolution of threat, or creation and escalation of a work order
• Criteria for initiating the organization’s incident response process
• Who has authority to declare an incident
• Escalation procedures
• Verification and required levels of documentation of the resolution
• Postremediation analysis
• Work order/incident closure


16. Incident Management Response Team
Control: A CIRT has been established; manages emergencies; and reports the existence, cause and effect, damage assessment, and closure to the information security function.
COBIT: DS5.6, DS8, ME2, ME3 | COSO: x x x
16.1.1.1 Determine whether a CIRT exists to recognize and effectively manage security
incidents. The following areas should exist as part of an effective CIRT process:
• Incident handling—General and specific procedures and other
requirements to ensure effective handling of incidents and reported vulnerabilities
• Vendor relations—The role and responsibilities of vendors in incident
prevention and follow-up, software flaw correction, and other areas
• Communications—Requirements, implementation and operation of
emergency and routine communications channels among key members of
management
• Legal and criminal investigative issues—Issues driven by legal
considerations and the requirements or constraints resulting from the involvement
of criminal investigative organizations during an incident
• Constituency relations—Response center support services and methods of
interaction with constituents, including training and awareness, configuration
management, and authentication
• Research agenda and interaction—Identification of existing research
activities and requirements and rationale for needed research relating to response
center activities
• Model of the threat—Development of a basic model that characterizes
potential threats and risks to help focus risk reduction activities and progress in
those activities
• External issues—Factors that are outside the direct control of the enterprise
(e.g., legislation, policy, procedural requirements), but that could affect the
operation and effectiveness of enterprise activities
• Postincident evaluation—CIRT assessment of incident response and
recommended changes to the CIRT process
17. Incident Management Response Team Monitoring
Control: The information security function actively monitors CIRT activities and reports incidents and appropriately analyzes direct reports.
COBIT: PO8, DS5.6, ME1, ME2 | COSO: x x x
17.1.1.1 Obtain the incident logs for a representative period of time.
17.1.1.2 Trace a representative sample of incidents per the incident/problem reporting system
to the CIRT management documentation to determine that all security-related incidents
have been reported to the CIRT.
17.1.1.3 Review the CIRTs for a representative period. Determine that:
• The response was timely
• The incident severity met the conditions for the response
• The remediation process closed the issue
• A risk assessment was performed, and a reasonable remediation process
was executed
• An impact assessment was completed
• Escalation procedures, including the notification of affected parties,
management and legal authorities, were completed in conformance with the
escalation policy
• The summary of activities was reported to the appropriate governance
committees
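Steps 17.1.1.2 and 17.1.1.3 trace security-related tickets from the incident/problem reporting system to the CIRT records and then test each handled incident for timeliness, closure and impact assessment. The script below is an added example of that tracing, not ISACA's code; the tickets, CIRT records and per-severity response targets are constructed assumptions standing in for the organization's escalation policy.

```python
# Added example (not ISACA's code): tracing security-tagged help-desk tickets to the
# CIRT log and testing response timeliness against an escalation policy, for steps
# 17.1.1.2 and 17.1.1.3. The tickets, CIRT records and per-severity response
# targets are constructed assumptions, not values from the program.
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed escalation policy: maximum time from ticket opening to CIRT response.
RESPONSE_TARGET = {
    "high": timedelta(hours=1),
    "medium": timedelta(hours=8),
    "low": timedelta(days=3),
}

# Constructed help-desk extract: (ticket_id, category, opened).
HELPDESK: List[Tuple[str, str, datetime]] = [
    ("T-101", "security", datetime(2010, 3, 1, 9, 0)),
    ("T-102", "password-reset", datetime(2010, 3, 1, 9, 30)),
    ("T-103", "security", datetime(2010, 3, 2, 14, 0)),
    ("T-104", "security", datetime(2010, 3, 3, 8, 0)),
]

# Constructed CIRT log, one record per incident the CIRT handled.
CIRT_LOG: List[Dict] = [
    {"ticket": "T-101", "severity": "high",
     "responded": datetime(2010, 3, 1, 9, 40), "closed": datetime(2010, 3, 2, 12, 0),
     "impact_assessed": True},
    {"ticket": "T-104", "severity": "medium",
     "responded": datetime(2010, 3, 4, 9, 0), "closed": None,
     "impact_assessed": False},
]


def reconcile(helpdesk, cirt_log, targets=RESPONSE_TARGET) -> Dict[str, List[str]]:
    """Return audit exceptions keyed by test:
    unreported - security ticket never reached the CIRT (17.1.1.2)
    late       - CIRT response slower than the target for its severity
    open       - remediation has not closed the incident
    no_impact  - no impact assessment recorded"""
    by_ticket = {rec["ticket"]: rec for rec in cirt_log}
    exceptions: Dict[str, List[str]] = {"unreported": [], "late": [], "open": [], "no_impact": []}
    for ticket_id, category, opened in helpdesk:
        if category != "security":
            continue                      # only security-related tickets must reach the CIRT
        rec = by_ticket.get(ticket_id)
        if rec is None:
            exceptions["unreported"].append(ticket_id)
            continue
        if rec["responded"] - opened > targets[rec["severity"]]:
            exceptions["late"].append(ticket_id)
        if rec["closed"] is None:
            exceptions["open"].append(ticket_id)
        if not rec["impact_assessed"]:
            exceptions["no_impact"].append(ticket_id)
    return exceptions


if __name__ == "__main__":
    for test, tickets in reconcile(HELPDESK, CIRT_LOG).items():
        print(f"{test}: {tickets or 'none'}")
```

The direction of the trace matters: the sample starts from the help-desk side so that incidents the CIRT never saw are surfaced, which a trace that starts from the CIRT log cannot do.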
18. Incident Management Assessment
Control: Perform an assurance assessment of the security incident management processes.
COBIT: PO8, DS5.6, ME1 | COSO: x x
18.1.1.1 Determine whether a previous audit/assurance assessment of the incident
management process has been performed.
18.1.1.1.1 If an assessment has been performed recently, as defined by internal audit
procedures, review the findings of that review and determine whether
additional findings, including failure to complete previous open
recommendations are appropriate.
18.1.1.1.2 If an assessment has not been performed, consider using the ISACA
Incident Management Audit/Assurance Program to complete a detailed
review.
18.1.1.1.3 If an assessment has been performed, but not within the internal audit definition
of “recent,” consider reperforming key control processes to update the
assessment and provide current findings.


19. INFORMATION SECURITY TECHNOLOGY MANAGEMENT
19.1 Protection of Security Technology
Audit/Assurance Objective: The information security processes ensure that security-related
technology is resistant to tampering, and that documentation is only accessible to authorized
individuals.
20. Security Technology Policy
Control: The information security function has defined the policies governing specific access control processes.
COBIT: DS5.7, DS9, DS11.2, DS12, ME4 | COSO: x x
20.1.1.1 Inquire whether and confirm that policies and procedures have been established to
address security breach consequences (specifically to address controls to configuration
management, application access, data security and physical security requirements).
20.1.1.2 Obtain the policies concerning security breaches.
20.1.1.3 Determine whether appropriate disciplinary measures have been defined.
20.1.1.4 Inquire whether and confirm that the policies require annual management reviews of
security features for physical and logical access to files and data.
20.1.1.5 Obtain the policies documentation.
20.1.1.6 Determine whether the policies require management reviews of security features.
20.1.1.7 Determine how the management review is documented and reported.
20.1.1.8 Determine how follow-up activities are addressed.
20.1.1.9 Inquire whether and confirm that the policies require security design features that
facilitate password rules (e.g., maximum length, characters, expiration, reuse).
20.1.1.10 Obtain the policies for password rules.
20.1.1.11 Determine whether the policies are appropriate.
20.1.1.12 Determine whether data classification and job function sensitivity are a component
of and affect the security design process.
21. Security Technology Monitoring
Control: Information security monitors the security technology processes to ensure adherence.
COBIT: DS5.7, ME1, ME2 | COSO: x x x
21.1.1.1 Inspect the security reports generated by the system tools that prevent network
penetration and vulnerability attacks.
21.1.1.2 Verify that information security monitors the information security processes that report
access authorizations and approvals.
21.1.1.3 Verify that the information security function monitors the regular management reviews of
security features for physical and logical access to files and data.
21.1.1.4 Verify that information security receives summary reports of the activities controlling
granting and approving access and logging unsuccessful attempts, lockouts, authorized
access to sensitive files and/or data, and physical access to facilities. Verify that the
information security function investigates repeat offenders and high-risk situations.
21.2 Cryptographic Key Management
Audit/Assurance Objective: Policies and procedures are in place to organize the generation, change,
revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic
keys to ensure the protection of keys against modification and unauthorized disclosure.
22. Key Management
Control: Key management systems are implemented to protect sensitive information and to implement mutual authentication.
COBIT: DS5.8 | COSO: x
22.1.1.1 Determine whether an encryption key management role has been established to
manage the process of reviewing, distributing and disposing of keys.
22.1.1.1.1 Determine whether this role is segregated from other responsibilities and
has a trained backup.
22.1.1.2 Assess whether controls over private keys exist to enforce their confidentiality and
integrity. Consideration should be given to the following:
• Storage of private signing keys within secure cryptographic devices
• Private keys not exported from a secure cryptographic module
• Private keys backed up, stored and recovered only by authorized personnel
using dual control in a physically secured environment
22.1.1.3 Determine whether a defined key life cycle management process exists. The process
should include:
• Minimum key sizes required for the generation of strong keys
• Use of required key generation algorithms
• Identification of required standards for the generation of keys
• Purposes for which keys should be used and restricted
• Allowable usage periods or active lifetimes for keys
• Acceptable methods of key distribution
• Key backup, archival and destruction
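Steps 22.1.1.2 and 22.1.1.3 are typically tested by reading the key inventory and checking every record against the documented life cycle policy: approved algorithm, minimum size, single restricted purpose, active lifetime, and the export and backup controls on private key material. The script below is an added example of such a test, not ISACA's code; the policy values and inventory records are constructed assumptions.

```python
# Added example (not ISACA's code): testing a cryptographic key inventory against a
# key life cycle policy of the kind steps 22.1.1.2 and 22.1.1.3 describe (minimum
# sizes, approved algorithms, restricted purposes, active lifetime, export and
# backup controls). The policy values and the inventory records are constructed
# assumptions, not values from the program.
from datetime import date
from typing import Dict, List

# Assumed key management policy (constructed): approved algorithms with minimum
# key size in bits and maximum active lifetime in days.
POLICY: Dict[str, Dict[str, int]] = {
    "RSA":   {"min_bits": 2048, "max_days": 730},
    "ECDSA": {"min_bits": 256,  "max_days": 730},
    "AES":   {"min_bits": 128,  "max_days": 365},
}
APPROVED_PURPOSES = {"signing", "encryption", "key-wrapping"}


def check_key(rec: Dict, as_of: date) -> List[str]:
    """Return the policy violations for one inventory record (empty list = compliant)."""
    issues: List[str] = []
    rule = POLICY.get(rec["algorithm"])
    if rule is None:
        issues.append("algorithm not approved")
    else:
        if rec["bits"] < rule["min_bits"]:
            issues.append("key size below minimum")
        if (as_of - rec["created"]).days > rule["max_days"]:
            issues.append("active lifetime exceeded")
    purposes = set(rec["purposes"])
    if not purposes or not purposes <= APPROVED_PURPOSES:
        issues.append("purpose missing or not approved")
    elif len(purposes) > 1:
        issues.append("key not restricted to a single purpose")
    if rec["secret"]:  # private or symmetric key material
        if rec["exportable"]:
            issues.append("secret key exportable from cryptographic module")
        if not rec["backup_dual_control"]:
            issues.append("backup not under dual control")
    return issues


def audit_inventory(inventory: List[Dict], as_of: date) -> Dict[str, List[str]]:
    """Map key_id -> violations, listing only non-compliant keys."""
    report: Dict[str, List[str]] = {}
    for rec in inventory:
        issues = check_key(rec, as_of)
        if issues:
            report[rec["key_id"]] = issues
    return report


# Constructed key inventory extract.
INVENTORY = [
    {"key_id": "sig-01", "algorithm": "RSA", "bits": 2048, "created": date(2009, 1, 1),
     "purposes": ["signing"], "secret": True, "exportable": False, "backup_dual_control": True},
    {"key_id": "sig-02", "algorithm": "RSA", "bits": 1024, "created": date(2007, 1, 1),
     "purposes": ["signing"], "secret": True, "exportable": False, "backup_dual_control": True},
    {"key_id": "dek-07", "algorithm": "AES", "bits": 256, "created": date(2010, 1, 1),
     "purposes": ["encryption", "signing"], "secret": True, "exportable": False, "backup_dual_control": True},
    {"key_id": "tls-03", "algorithm": "ECDSA", "bits": 256, "created": date(2010, 3, 1),
     "purposes": ["signing"], "secret": True, "exportable": True, "backup_dual_control": False},
    {"key_id": "old-09", "algorithm": "DES", "bits": 56, "created": date(2010, 1, 1),
     "purposes": ["encryption"], "secret": True, "exportable": False, "backup_dual_control": True},
]
AS_OF = date(2010, 6, 30)

if __name__ == "__main__":
    for key_id, issues in audit_inventory(INVENTORY, AS_OF).items():
        print(key_id, "->", "; ".join(issues))
```

Each violation string corresponds to one bullet of the life cycle process above, so the output can be mapped directly onto the audit step that failed; the "single purpose" check reflects the usual practice of not reusing one key for both signing and encryption.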
22.2 Malicious Software Prevention, Detection and Correction
Audit/Assurance Objective: Preventive, detective and corrective measures are in place (especially
up-to-date security patches and virus control) across the organization to protect information systems
and technology from malware (e.g., viruses, worms, spyware, spam).
23. Malicious Software Prevention, Detection and Correction Policy
Control: Policies have been implemented to prevent, detect and remove malicious software.
COBIT: PO6, DS2, DS5.9, ME1, ME2 | COSO: x x x x
23.1.1.1 Inquire whether and confirm that a malicious software prevention policy is
established, documented and communicated throughout the organization.
23.1.1.2 Ensure that policies address the implementation of automated controls to provide
virus protection and that violations are appropriately communicated.
23.1.1.3 Inquire whether and confirm that policies require that protection software be centrally
distributed (version and patch-level) using a centralized configuration and change
management process.
23.1.1.4 Determine whether information security patch management implementation adheres
to manufacturer and external/outsourced provider requirements/recommendations.
24. Malicious Software Prevention, Detection and Correction Operating Effectiveness
Control: Monitoring processes have been established to report the effectiveness of and incidents occurring from malicious software.
COBIT: PO6, DS5.9, ME1, ME2 | COSO: x x x
24.1.1.1 Inquire whether key staff members are aware of the malicious software prevention
policy and their responsibility for ensuring compliance.

24.1.1.2 From a sample of user workstations, observe whether a virus protection tool has been
installed and includes virus definition files and the last time the definitions were
updated.
24.1.1.3 Review the distribution process against a known, up-to-date inventory to determine
the operating effectiveness.
24.1.1.4 Determine the review and evaluation process by information security to monitor the
operating effectiveness of the malicious software filtering process.
24.1.1.4.1 Verify whether there are processes in place for the information security
function to assess the competency and training of the malware team to
ensure that current threats are addressed.
24.1.1.5 Review the filtering process to determine operating effectiveness, or review the
automated process established for filtering purposes.
24.1.1.6 Determine whether routine internal/external vulnerability scans are performed.
24.1.1.6.1 Review the evaluation/assessment process of the scan results.
24.1.1.7 Determine whether penetration testing is performed.
24.1.1.7.1 Review the evaluation/assessment process of the penetration testing results.
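Steps 24.1.1.2 and 24.1.1.3 combine into one reconciliation: the agent report exported from the central anti-malware console is compared with the known asset inventory to find hosts with no agent, hosts whose definitions are stale, and hosts reporting in that the inventory does not know. The script below is an added example of that test, not ISACA's code; host names, dates and the definition-age threshold are constructed assumptions.

```python
# Added example (not ISACA's code): an auditor's test of anti-malware coverage and
# definition currency by reconciling the central console's agent report against the
# known asset inventory, for steps 24.1.1.2 and 24.1.1.3. Host names, dates and the
# definition-age threshold are constructed assumptions.
from datetime import date
from typing import Dict, Iterable, List, Set, Tuple

MAX_DEFINITION_AGE_DAYS = 7   # assumed policy threshold for "up to date" definitions
AS_OF = date(2010, 6, 30)     # date of the audit observation (constructed)

# Constructed asset inventory (the known, authoritative list of hosts).
INVENTORY: Set[str] = {"ws-001", "ws-002", "ws-003", "srv-010"}

# Constructed agent report exported from the central anti-malware console:
# (host, definition date, definition version). A host may appear more than once.
AGENT_REPORT: List[Tuple[str, date, str]] = [
    ("ws-001", date(2010, 6, 29), "5821"),
    ("ws-002", date(2010, 5, 1), "5750"),
    ("ws-002", date(2010, 4, 20), "5731"),   # older duplicate check-in for the same host
    ("srv-010", date(2010, 6, 30), "5822"),
    ("lab-099", date(2010, 6, 30), "5822"),  # reports in but is not in the inventory
]


def latest_per_host(report: Iterable[Tuple[str, date, str]]) -> Dict[str, Tuple[date, str]]:
    """Keep only the most recent check-in per host."""
    latest: Dict[str, Tuple[date, str]] = {}
    for host, defs_date, version in report:
        if host not in latest or defs_date > latest[host][0]:
            latest[host] = (defs_date, version)
    return latest


def assess_coverage(inventory: Set[str], report, as_of: date, max_age: int = MAX_DEFINITION_AGE_DAYS):
    """Return the coverage exceptions and the percentage of inventoried hosts with an agent."""
    latest = latest_per_host(report)
    reported = set(latest)
    stale = sorted(h for h in inventory & reported if (as_of - latest[h][0]).days > max_age)
    return {
        "no_agent": sorted(inventory - reported),            # 24.1.1.2: no protection tool seen
        "stale_definitions": stale,                          # 24.1.1.2: definitions not updated
        "not_in_inventory": sorted(reported - inventory),    # 24.1.1.3: inventory is incomplete
        "coverage_pct": round(100 * len(inventory & reported) / len(inventory), 1),
    }


if __name__ == "__main__":
    for test, value in assess_coverage(INVENTORY, AGENT_REPORT, AS_OF).items():
        print(f"{test}: {value}")
```

A host that reports in but is absent from the inventory is as much a finding as a host with no agent: it shows the inventory used for central distribution is not the known, up-to-date list step 24.1.1.3 requires.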
24.2 Network Security
Audit/Assurance Objective: Information security management is included in the selection,
implementation and approval of security techniques and related management procedures (e.g.,
firewalls, security appliances, network segmentation, intrusion detection) to authorize access and
control information flows from and to networks.
25. Network Security
Control: Information security management is actively involved in and approves network security policies.
COBIT: DS1, DS5.10, DS9, ME2, ME3, ME4 | COSO: x x x
25.1.1.1 Inquire whether and confirm that network security policies (e.g., provided services,
allowed traffic, types of connections permitted) have been established with the
approval of and monitored by the information security function.

25.1.1.2 Determine whether a previous audit/assurance assessment of the network perimeter
process has been performed.
25.1.1.2.1 If an assessment has been performed recently, as defined by internal audit
procedures, review the findings of that review, and determine whether additional
findings, including failure to complete previous open recommendations, are
appropriate.
25.1.1.2.2 If an assessment has not been performed, consider using the ISACA Network
Perimeter Audit/Assurance Program to complete a detailed review.
25.1.1.2.3 If an assessment has been performed, but not within the internal audit
definition of “recent,” consider reperforming key control processes to update
the assessment and provide current findings.
25.1.1.3 Inquire whether and confirm that information security policies have been
implemented such that corporate data is classified according to exposure level and
classification scheme (e.g., confidential, sensitive).
25.1.1.4 Determine that sensitive data incidents have been reported to information security
management.
25.1.1.4.1 Scan the problem log, identifying sensitive data incidents.
25.1.1.4.2 Trace the incident through the CIRT process to management reports.
25.2 Exchange of Sensitive Data
Audit/Assurance Objective: Information security has approved policies concerning exchange of
sensitive transaction data through a trusted path or medium with controls to provide authenticity of
content, proof of submission, proof of receipt and nonrepudiation of origin. All incidents involving
the exchange of sensitive data are reported through the incident reporting system and are directed to
the CIRT team.
26. Exchange of Sensitive Data
Control: Information security management is actively involved in and approves exchange of sensitive data policies.
COBIT: DS5.11 | COSO: x x x
26.1.1.1 Inquire whether and confirm that policies addressing data transmissions outside the
organization require an encrypted format prior to transmission.
26.1.1.2 Inquire whether and confirm that information security policies have been
implemented such that corporate data are classified according to exposure level and
classification scheme (e.g., confidential, sensitive).
26.1.1.3 Determine that sensitive data incidents have been reported to information security
management.
26.1.1.4 Scan the problem log, identifying sensitive data incidents.
26.1.1.5 Trace the incident through the CIRT process to management reports.


VII. Maturity Assessment
The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of audit/assurance review,
and the reviewer’s observations, assign a maturity level to each of the following COBIT control practices.

Table columns: COBIT Control Practice | Assessed Maturity | Target Maturity | Reference Hyperlink | Comments
DS5.1 Management of IT Security
1. Define a charter for IT security, defining for the security management function:
• Scope and objectives for the security management function
• Responsibilities
• Drivers (e.g., compliance, risk, performance)
2. Confirm that the board, executive management and line management direct the policy
development process to ensure that the IT security policy reflects the requirements of the
business
3. Set up an adequate organisational structure and reporting line for information security,
ensuring that the security management and administration functions have sufficient authority.
Define the interaction with enterprise functions, particularly the control functions such as risk
management, compliance and audit.
4. Implement an IT security management reporting mechanism, regularly informing the board
and business and IT management of the status of IT security so that appropriate management
actions can be taken.
DS5.2 IT Security Plan
1. Define and maintain an overall IT security plan that includes:
• A complete set of security policies and standards in line with the established information
security policy framework
• Procedures to implement and enforce the policies and standards
• Roles and responsibilities
• Staffing requirements
• Security awareness and training
• Enforcement practices
• Investments in required security resources
2. Collect information security requirements from IT tactical plans (PO1), data classification
(PO2), technology standards (PO3), security and control policies (PO6), risk management
(PO9), and external compliance requirements (ME3) for integration into the overall IT
security plan.
3. Translate the overall IT security plan into enterprise information security baselines for all
major platforms and integrate it into the configuration baseline (DS9).
4. Provide information security requirements and implementation advice to other processes,
including the development of SLAs and OLAs (DS1 and DS2), automated solution
requirements (AI1), application software (AI2), and IT infrastructure components (AI3).
5. Communicate to all stakeholders and users in a timely and regular fashion on updates of the
information security strategy, plans, policies and procedures.
DS5.3 Identity Management
1. Establish and communicate policies and procedures to uniquely identify, authenticate and
authorise access mechanisms and access rights for all users on a need-to-know/need-to-have
basis, based on predetermined and preapproved roles. Clearly state accountability of any user
for any action on any of the systems and/or applications involved.
2. Ensure that roles and access authorisation criteria for assigning user access rights take into
account:
• Sensitivity of information and applications involved (data classification)
• Policies for information protection and dissemination (legal, regulatory, internal policies
and contractual requirements)
• Roles and responsibilities as defined within the enterprise
• The need-to-have access rights associated with the function
• Standard but individual user access profiles for common job roles in the organisation
• Requirements to guarantee appropriate segregation of duties
3. Establish a method for authenticating and authorising users to establish responsibility and
enforce access rights in line with sensitivity of information and functional application
requirements and infrastructure components, and in compliance with applicable laws,
regulations, internal policies and contractual agreements.
4. Define and implement a procedure for identifying new users and recording, approving and
maintaining access rights. This needs to be requested by user management, approved by the
system owner and implemented by the responsible security person.
5. Ensure that a timely information flow is in place that reports changes in jobs (i.e., people in,
people out, people change). Grant, revoke and adapt user access rights in co-ordination with
human resources and user departments for users who are new, who have left the organisation,
or who have changed roles or jobs.
DS5.4 User Account Management
1. Ensure that access control procedures include but are not limited to:
• Using unique user IDs to enable users to be linked to and held accountable for their
actions
• Awareness that the use of group IDs results in the loss of individual accountability;
group IDs are permitted only when justified for business or operational reasons and
compensated by mitigating controls. Group IDs must be approved and documented
• Checking that the user has authorisation from the system owner for the use of the
information system or service, and the level of access granted is appropriate to the
business purpose and consistent with the organisational security policy
• A procedure to require users to understand and acknowledge their access rights and the
conditions of such access
• Ensuring that internal and external service providers do not provide access until
authorisation procedures have been completed
• Maintaining a formal record, including access levels, of all persons registered to use the
service
• A timely and regular review of user IDs and access rights
2. Ensure that management reviews or reallocates user access rights at regular intervals using a
formal process. User access rights should be reviewed or reallocated after any job changes,
such as transfer, promotion, demotion or termination of employment. Authorisations for
special privileged access rights should be reviewed independently at more frequent intervals.
DS5.5 Security Testing, Surveillance And Monitoring
1. Implement monitoring, testing, reviews and other controls to:
• Promptly prevent/detect errors in the results of processing
• Promptly identify attempted, successful and unsuccessful security breaches and
incidents
• Detect security events and thereby prevent security incidents by using detection and
prevention technologies
• Determine whether the actions taken to resolve a breach of security are effective
2. Conduct effective and efficient security testing procedures at regular intervals to:
• Verify that identity management procedures are effective
• Verify that user account management is effective
• Validate that security-relevant system parameter settings are defined correctly and are in
compliance with the information security baseline
• Validate that network security controls/settings are configured properly and are in
compliance with the information security baseline
• Validate that security monitoring procedures are working properly
• Consider, where necessary, obtaining expert reviews of the security perimeter
DS5.6 Security Incident Definition
1. Describe what a security incident is considered to be. Document within the characteristics a
limited number of impact levels to allow commensurate response. Communicate and
distribute this information, or relevant parts thereof, to identified people who need to be
notified.
2. Ensure that security incidents and appropriate follow-up actions, including root cause
analysis, follow the existing incident and problem management processes.
3. Define measures to protect confidentiality of information related to security incidents.
DS5.7 Protection Of Security Technology
1. Ensure that all hardware, software and facilities related to the security function and controls,
e.g., security tokens and encryptors, are tamperproof.
2. Secure security documentation and specifications to prevent unauthorised access. However,
do not make security of systems reliant solely on secrecy of security specifications.
3. Make the security design of dedicated security technology (e.g., encryption algorithms)
strong enough to resist exposure, even if the security design is made available to unauthorised
individuals.
4. Evaluate the protection mechanisms on a regular basis (at least annually) and perform
updates to the protection of the security technology, if necessary.
DS5.8 Cryptographic Key Management
1. Ensure that there are appropriate procedures and practices in place for the generation, storage
and renewal of the root key, including dual custody and observation by witnesses.
2. Make sure that procedures are in place to determine when a root key renewal is required
(e.g., the root key is compromised or expired).
3. Create and maintain a written certification practice statement that describes the practices that
have been implemented in the certification authority, registration authority and directory
when using a public-key-based encryption system.
4. Create cryptographic keys in a secure manner. When possible, enable only individuals not
involved with the operational use of the keys to create the keys. Verify the credentials of key
requestors (e.g., registration authority).
5. Ensure that cryptographic keys are distributed in a secure manner (e.g., offline mechanisms)
and stored securely, that is:
• In an encrypted form regardless of the storage media used (e.g., write-once disk with
encryption)
• With adequate physical protection (e.g., sealed, dual custody vault) if stored on paper
6. Create a process that identifies and revokes compromised keys. Notify all stakeholders as
soon as possible of the compromised key.
7. Verify the authenticity of the counterparty before establishing a trusted path.
DS5.9 Malicious Software Prevention, Detection And Correction
1. Establish, document, communicate and enforce a malicious software prevention policy in the
organisation. Ensure that people in the organisation are aware of the need for protection
against malicious software, and their responsibilities relative to same.
2. Install and activate malicious software protection tools on all processing facilities, with
malicious software definition files that are updated as required (automatically or semi-
automatically).
3. Distribute all protection software centrally (version and patch-level) using centralised
configuration and change management.
4. Regularly review and evaluate information on new potential threats.
5. Filter incoming traffic, such as e-mail and downloads, to protect against unsolicited
information (e.g., spyware, phishing e-mails).
DS5.10 Network Security
1. Establish, maintain, communicate and enforce a network security policy (e.g., provided
services, allowed traffic, types of connections permitted) that is reviewed and updated on a
regular basis (at least annually).
2. Establish and regularly update the standards and procedures for administering all networking
components (e.g., core routers, DMZ, VPN switches, wireless).
3. Properly secure network devices with special mechanisms and tools (e.g., authentication for
device management, secure communications, strong authentication mechanisms). Implement
active monitoring and pattern recognition to protect devices from attack.
4. Configure operating systems with minimal features enabled (e.g., features that are necessary
for functionality and are hardened for security applications). Remove all unnecessary
services, functionalities and interfaces (e.g., graphical user interface [GUI]). Apply all
relevant security patches and major updates to the system in a timely manner.
5. Plan the network security architecture (e.g., DMZ architectures, internal and external
network, IDS placement and wireless) to address processing and security requirements.
Ensure that documentation contains information on how traffic is exchanged through systems
and how the structure of the organisation’s internal network is hidden from the outside world.
6. Subject devices to reviews by experts who are independent of the implementation or
maintenance of the devices.
DS5.11 Exchange Of Sensitive Data
1. Determine by using the established information classification scheme how the data should be
protected when exchanged.
2. Apply appropriate application controls to protect the data exchange.
3. Apply appropriate infrastructure controls, based on information classification and technology
in use, to protect the data exchange.



VIII. Assessment Maturity vs. Target Maturity
This spider graph is an example of the assessment results and maturity target for a specific company.
