CISA Domain 5 – Protection of Information Assets
The focus of Domain 5 is the evaluation of controls for protecting information assets. The syllabus covers:
- Logical security controls
- Physical and environmental security controls
- Information management
- Evaluating the effectiveness of the overall security system
This is the largest of the CISA domain and represents 25% of the syllabus – about 38 questions.
With the increase in the type and number of cyberthreats and highly visible cyber attacks, security and privacy have risen up the corporate agenda and underlines the importance of protecting data confidentiality, integrity, and availability (referred to as the CIA triad).
Information security is an organization-wide activity that needs leadership and support from senior management, a robust approach to risk management through policies and procedures, the use of appropriate technology tools, and ongoing training and monitoring. Collectively these are referred to as an Information Security Management System (ISMS).
Logical security controls
Logical access is the ability to interact with computing resources, through remote, direct or local network access. Logical access controls are used to prevent unwarranted access and cover all elements of the organization’s information systems. Auditors have a key role in ensuring the correct logical access controls are in place and being applied.
Although candidates don’t need to understand all controls in detail, they should have a good understanding of the main type and source of logical access threats and the controls used to address them.
The modern cyber threat landscape changes frequently, and auditors should also ensure that organizations have an ongoing risk assessment process in place that regularly searches for vulnerabilities and threats and updates controls to mitigate the associated risks.
The most common cyber attacks target individuals using techniques like malware downloads, phishing, and other social engineering techniques. Many organizations overemphasize their reliance on tech solutions – firewalls and the like – but don’t pay enough attention to the insider threat. Auditors, therefore, need to ensure that internal and external threats are given equal attention.
Physical and environmental security controls
Many organizations focus on logical security at the expense of physical security, meaning it can be a soft target for cybercriminals.
Physical access controls restrict the entry and exit of personnel to secure areas such as offices, data centers or information storage facilities. Controls should extend to everyone: permanent and temporary staff, third-party suppliers and occasional visitors.
Most controls are obvious – locked doors, security guards, electronic passes, video entry, laptop locks – but the auditor must evaluate how robust they are in practice. Keys can be copied, expiry dates for electronic passes not applied, and fire alarms can be falsely triggered to allow easier access to off-limit areas.
Auditors asked to conduct an audit of physical security need to visit the organization’s facilities, bearing in mind they might be in different locations, to visibly check security arrangements and review control documents such as access logs.
Data leakage is the unapproved transfer of sensitive information outside the organization and to prevent it there needs to be controls on the storage, retrieval, transport, and disposal of all data assets.
Most organizations use a classification scheme that has between 3 and 5 levels (e.g., public, sensitive, restricted) to apply different degrees of control to their information assets. Doing so reduces the risk of under or overprotecting assets, makes it clear who has access rights and eases the process of applying protection. Auditors should check the classification scheme is being adhered to.
Data leakage prevention tools catalog sensitive information and monitor and control its movement. They consider data at rest, in motion and in use, since the security risks will vary dependent on data state. System logs and reports are used to provide alerts, and properly configured tools can restrict data movement.
Employees cause many data leakages by sending email to the wrong recipient or mobile computing: data can be sent across insecure public wireless networks, devices can be stolen, portable drives might be used without data being encrypted and, If a bring-your-own-device (BYOD) policy is in place, the user might inadvertently share information. Fortunately, all of these threats can be reduced or removed by the use of tech tools and regular awareness training.
At the end of its life, data needs to be securely deleted, and hard disks that are no longer required should be destroyed. Unscrupulous vendors who offer a hardware removal/destroy service could try to re-cycle or sell disks, so the organization should have a standard procedure for witnessed destruction by grinding.
Evaluating overall effectiveness of the ISMS
Bearing in mind all of the points above, the auditor is expected to evaluate the ISMS to determine its effectiveness and alignment with the organization’s strategies and objectives.
In addition to looking at specific controls, they need to check the other elements of an ISMS are in place, for example:
- Written policies, procedures, and standards
- Data custodians & owners
- A nominated security administrator and deputy
- Regular security awareness and training
They should also satisfy themselves that an incident management process for handling any security breaches is in place (see also domain 4, where IM and problem management was covered). Security aware personnel should sit on the IM response teams to ensure security considerations are being addressed.
If a crime is suspected, then auditors might be required to conduct forensic analysis or provide an expert opinion to help with the correct interpretation of information gathered during the incident.
Auditors should consider the use of penetration testing – a controlled attempt to circumvent security features and exploit vulnerabilities – to evaluate the effectiveness of the ISMS.
Finally, data protection is increasingly important, as evidenced by the recently introduced EU GDPR regulation, and auditors can expect to be asked to perform a privacy impact assessment to identify what the organization is holding personally identifiable information (related to staff or customers) and ensure there are adequate processes for consent, collection, disclosure, and deletion.