Frameworks & Regulations
NIST Frameworks
The National Institute of Standards and Technology provides key cybersecurity and privacy guidance.
Cybersecurity Framework (CSF) Core
- Identify: Understand assets, business environment, and risks.
- Protect: Implement safeguards and access control.
- Detect: Monitor for and identify cybersecurity events.
- Respond: Take action upon detecting an incident.
- Recover: Restore systems and return to normal operations.
Implementation Tiers
- Tier 1 (Partial): Ad-hoc, reactive risk management.
- Tier 2 (Risk-Informed): Aware of risks but management is not formalized.
- Tier 3 (Repeatable): Formal, repeatable policies and procedures.
- Tier 4 (Adaptive): Proactive, continuous improvement based on incidents.
Framework Profiles
Profiles are used to align cybersecurity activities with business requirements, risk tolerance, and resources.
- Current Profile: The current state of organizational risk management.
- Target Profile: The desired future state of risk management.
- Gap Analysis: The difference between the current and target profiles, used to create an action plan.
NIST Privacy Framework Functions
A voluntary tool for managing privacy risk, with functions that overlap with and expand upon the CSF.
- Identify-P: Understand privacy risks related to data activities.
- Govern-P: Implement governance policies and procedures for privacy.
- Control-P: Manage privacy risks related to data processing.
- Communicate-P: Drive dialogue around privacy risks.
- Protect-P: Implement safeguards for data privacy.
Key Data Regulations
GDPR (General Data Protection Regulation)
EU law regulating data privacy for all EU citizens. Key principles include:
- Lawfulness, fairness, transparency: Process data in accordance with laws.
- Purpose limitation: Use data only for its intended purpose.
- Data minimization: Store only necessary data.
- Accuracy: Keep data accurate and updated.
- Storage limitation: Store data only for as long as needed.
- Integrity and Confidentiality: Process data securely.
HIPAA & HITECH
Governs the privacy and security of Protected Health Information (PHI) in the US. HITECH increased penalties for violations and added breach notification rules.
Payment Card Industry (PCI DSS)
A framework with 6 goals and 12 requirements for processing payments and protecting cardholder data.
Goal | Example Requirements |
---|---|
Build and Maintain a Secure Network | Install and maintain a firewall; Do not use vendor-supplied defaults. |
Protect Cardholder Data | Protect stored cardholder data; Encrypt data transmission. |
Maintain a Vulnerability Management Program | Use and regularly update anti-virus software. |
Implement Strong Access Control | Restrict access by need-to-know; Assign unique IDs to users. |
Regularly Monitor and Test Networks | Track and monitor all access; Regularly test security systems. |
Maintain an Information Security Policy | Maintain a policy that addresses information security for all personnel. |
Governance & IT Controls
COBIT 2019 Framework
A framework for the governance and management of enterprise Information and Technology.
Governance vs. Management
- Governance: Ensures stakeholder needs and enterprise objectives are met. This is the responsibility of the board of directors and covers the Evaluate, Direct, and Monitor (EDM) domain.
- Management: Plans, builds, runs, and monitors activities to achieve enterprise objectives. This is divided into four domains:
- Align, Plan, and Organize (APO)
- Build, Acquire, and Implement (BAI)
- Deliver, Service, and Support (DSS)
- Monitor, Evaluate, and Assess (MEA)
COBIT Principles
- For a Governance System: Six principles including providing stakeholder value, using a holistic approach, and having an end-to-end governance system.
- For a Governance Framework: Three principles including being based on a conceptual model, being open and flexible, and aligning to major standards.
Design Factors
Factors that influence the design of a company's tailored IT governance system. Key factors include:
- Enterprise Strategy
- Risk Profile and IT Issues
- Threat Landscape
COSO ERM Framework
Guidance for enterprise risk management, governance, and fraud deterrence that integrates with strategy and performance.
Five Core Components
Categorizes methods for addressing an organization's risk into five components and 20 supporting principles.
- Governance and Culture: Sets the organization's tone and reinforces the importance of risk oversight.
- Strategy and Objective-Setting: Aligns risk appetite with strategy during the planning process.
- Performance: Requires that risks are identified, assessed, prioritized, and responded to based on the entity's risk appetite.
- Review and Revision: Involves reviewing the company's performance over time and making revisions to functions as needed.
- Information, Communication, and Reporting: Recommends a continual process for sharing internal and external risk information.
Center for Internet Security (CIS) Controls
A prioritized set of 18 best practices to mitigate common cyber attacks.
Implementation Groups (IGs)
- IG1 (Basic): "Essential Cyber Hygiene" for small businesses with limited expertise.
- IG2 (Foundational): For mid-sized organizations that have sensitive client data.
- IG3 (Organizational): For mature organizations with security experts and highly sensitive data subject to compliance.
Key Foundational Controls
- Inventory and Control of Enterprise Assets
- Inventory and Control of Software Assets
- Data Protection
- Secure Configuration of Assets and Software
- Account Management
- Access Control Management
- Continuous Vulnerability Management
- Data Recovery
- Security Awareness and Skills Training
- Penetration Testing
System and Organization Controls (SOC) Reports
SOC reports provide assurance over the controls at a service organization.
Report | Subject Matter & Focus | Primary Audience |
---|---|---|
SOC 1 | Controls at the service organization relevant to a user entity's Internal Control over Financial Reporting (ICFR). | Management of the user entity and their financial auditors. |
SOC 2 | Controls relevant to the Trust Services Criteria (Security, Availability, etc.). This is a restricted-use report. | Management, regulators, and others with a sufficient understanding. |
SOC 3 | A general-use summary of the SOC 2 report. It reports on the Trust Services Criteria but is less detailed and can be freely distributed. | General public, for marketing and demonstrating compliance. |
Report Types: Type 1 vs. Type 2
- Type 1 Report: Assesses the suitability of the design of controls at a specific point in time.
- Type 2 Report: Assesses both the design and operating effectiveness of controls over a period of time (e.g., 6-12 months).
Trust Services Criteria (Focus of SOC 2 & 3)
A SOC 2 report must always include the Security criterion. The other four are optional.
- Security (Required): The system is protected against unauthorized access, use, or modification.
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with privacy commitments.
Subservice Organizations
For subservice organizations (vendors used by the service organization), the report must use one of two methods:
- Carve-Out Method: The subservice organization's controls are excluded from the scope of the report. The service auditor provides no assurance on their controls.
- Inclusive Method: The subservice organization's controls are included in the description and tested by the service auditor.
Other Key Concepts
- Complementary User Entity Controls (CUECs): Controls that the service organization requires its customers (user entities) to implement for the system to function effectively. These are listed in the SOC report.
- Modified Opinions: An auditor issues a modified opinion (Qualified, Adverse, or Disclaimer) if controls are not suitably designed or operating effectively. An adverse opinion is given for material and pervasive deficiencies.
IT General Controls (ITGCs)
ITGCs are the foundational controls that apply to the overall IT environment, including all systems, applications, and data. They create a reliable operating environment and are essential for application controls to be effective.
1. Change Management Controls
These controls ensure that changes to applications and underlying infrastructure are properly authorized, tested, and approved before being implemented. The goal is to prevent unauthorized or flawed changes.
- Segregation of Duties: Developers should not be able to promote their own code to production. Separate environments (Development, Testing, Production) are used.
- Formal Authorization: A formal process for requesting, documenting, and approving changes, often involving a Change Advisory Board (CAB).
- Testing: Changes must be thoroughly tested in a separate environment to ensure they work as intended without causing other issues.
- Emergency Changes: A specific, documented process for handling urgent changes that must bypass normal procedures, with retroactive review and approval.
2. Logical Access Controls
These controls ensure that only authorized individuals can access systems and data, and that their access is restricted to what is necessary for their job roles (least privilege).
- User Provisioning: Formal process for creating new user accounts based on documented approval.
- Authentication: Verifying a user's identity (e.g., passwords, multi-factor authentication, biometrics).
- Authorization: Granting specific permissions to users based on their job function.
- Periodic Access Reviews: Regularly reviewing and recertifying user access rights to ensure they remain appropriate.
- De-provisioning: Timely removal of access when an employee is terminated or changes roles.
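A periodic access review and a de-provisioning check are the same comparison done on a schedule: the application's access list against the HR roster and the role model. The following added example (not from the original guide) runs that comparison over constructed data and reports three kinds of finding: terminated employees still holding access, entitlements that exceed the user's role (a least-privilege violation), and orphan accounts with no HR record. The user IDs, role names and entitlement names are constructed.

```python
"""
Added example (not from the original guide): a periodic access review run
over constructed data. It cross-checks an application's user access export
against the HR roster and a role-to-entitlement matrix to flag terminated
employees whose access was never de-provisioned, entitlements beyond what a
user's role permits (least privilege), and orphan accounts with no HR record.
All user IDs, roles and entitlement names are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    termination_date: Optional[date]   # None while still employed


# Constructed HR roster, assumed to be the authoritative source of employment status.
HR_ROSTER: Dict[str, Employee] = {
    "alice": Employee("alice", "ap_clerk", None),
    "bob":   Employee("bob", "ap_clerk", date(2024, 3, 31)),    # left the company
    "carol": Employee("carol", "ap_manager", None),
    "dave":  Employee("dave", "developer", None),
}

# Constructed role matrix: the maximum entitlements each job role may hold.
ROLE_MATRIX: Dict[str, Set[str]] = {
    "ap_clerk":   {"AP_ENTER_INVOICE", "AP_VIEW"},
    "ap_manager": {"AP_ENTER_INVOICE", "AP_VIEW", "AP_APPROVE_PAYMENT"},
    "developer":  {"DEV_REPO_WRITE"},
}

# Constructed access export from the application: user -> granted entitlements.
APP_ACCESS: Dict[str, Set[str]] = {
    "alice":   {"AP_ENTER_INVOICE", "AP_VIEW"},
    "bob":     {"AP_ENTER_INVOICE", "AP_VIEW"},                  # still active after termination
    "carol":   {"AP_ENTER_INVOICE", "AP_VIEW", "AP_APPROVE_PAYMENT"},
    "dave":    {"DEV_REPO_WRITE", "AP_APPROVE_PAYMENT"},         # payment approval is outside the developer role
    "svc_old": {"AP_VIEW"},                                      # no matching HR record
}

REVIEW_DATE = date(2024, 6, 30)   # constructed "as of" date for the review

Finding = Tuple[str, str, str]    # (user_id, finding code, detail)


def review_access(app_access: Dict[str, Set[str]], hr_roster: Dict[str, Employee],
                  role_matrix: Dict[str, Set[str]], as_of: date) -> List[Finding]:
    """Return the findings a reviewer would need to act on, in user_id order."""
    findings: List[Finding] = []
    for user_id, granted in sorted(app_access.items()):
        emp = hr_roster.get(user_id)
        if emp is None:
            findings.append((user_id, "ORPHAN_ACCOUNT", "no HR record"))
            continue
        if emp.termination_date is not None and emp.termination_date <= as_of:
            findings.append((user_id, "TERMINATED_STILL_ACTIVE",
                             "terminated " + emp.termination_date.isoformat()))
        # Least privilege: anything granted beyond the role's ceiling is excess,
        # whether or not the account should exist at all.
        excess = granted - role_matrix.get(emp.role, set())
        if excess:
            findings.append((user_id, "EXCESS_ENTITLEMENT", ",".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for user_id, code, detail in review_access(APP_ACCESS, HR_ROSTER, ROLE_MATRIX, REVIEW_DATE):
        print(f"{user_id:8} {code:24} {detail}")
```

The review deliberately keys on the HR roster rather than on the application's own user list: an account that the application considers active but HR cannot explain is exactly the case that a review driven only by the application would never surface.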
3. IT Operations Controls
These controls relate to the day-to-day functioning of the IT department and data center to ensure systems run as intended.
- Backup and Recovery: Regularly backing up critical data and having a tested plan to restore it in case of data loss.
- Job Scheduling: Controls over the processes that run automatically (batch jobs) to ensure they are completed successfully and on time.
- Problem and Incident Management: A formal process for identifying, logging, tracking, and resolving system issues and security incidents.
IT Infrastructure & Operations
Core Network Hardware
The fundamental physical and virtual devices that enable network connectivity and communication.
- Routers: Manage network traffic by connecting different devices to form a network. They act as a link between a modem and the organization's switches.
- Switches: Connect and divide devices within a single computer network, essentially turning one network jack into several.
- Firewalls: Protect a network by filtering incoming and outgoing traffic through security protocols with predefined rules.
- Gateways: Act as an intermediary between different networks by transforming data from one protocol into another.
Network Topologies & OSI Model
Network Topologies
The physical layout or arrangement of equipment (nodes) in a network.
- Star: Data passes through a central hub or switch. If a hub fails, only the nodes connected to it stop working.
- Mesh: Features numerous connections between nodes, promoting network stability if one node is damaged, but can be costly to implement.
- Ring: Nodes are connected in a circular path. This can result in very slow network performance.
- Bus: Nodes are connected to a single line/cable. If the central line is compromised, the entire network goes offline.
OSI 7-Layer Model
A conceptual framework developed by ISO that segregates network functions into seven different layers to explain how devices communicate.
- Layer 7 (Application): Interface between user applications and the network.
- Layer 6 (Presentation): Transforms data into a format that other devices can interpret.
- Layer 5 (Session): Establishes and maintains sessions between devices.
- Layer 4 (Transport): Controls communication connections between devices.
- Layer 3 (Network): Adds routing and addressing headers to data.
- Layer 2 (Data Link): Formats data packets for transmission.
- Layer 1 (Physical): Converts messages into bits for physical transmission.
Cloud Computing
A model that uses shared computing resources (servers, storage, applications) over the internet.
Cloud Service Models
- IaaS (Infrastructure-as-a-Service): A third party provides an entire virtual data center of resources, and organizations can outsource servers, storage, and networking services. The organization is typically responsible for managing the operating systems and applications.
- PaaS (Platform-as-a-Service): A third party provides proprietary tools and solutions for a specific business purpose, such as building an online platform. The provider manages all the back-end infrastructure.
- SaaS (Software-as-a-Service): A third party provides a business application or software that organizations use to perform specific functions, typically through a license.
Cloud Deployment Models
- Public: Owned and managed by a Cloud Service Provider (CSP) and made available to people or organizations who want to purchase them.
- Private: Created for a single organization and can exist on or off the organization's premises.
- Hybrid: Composed of two or more clouds (e.g., one private, one public) that remain unique but have technology enabling data portability between them.
- Community: Shared by multiple organizations to support a common interest or mission.
IT Audit & Testing Techniques
Auditors use specific techniques to test the effectiveness of IT controls and the accuracy of processed data.
Approaches to Auditing Systems
- Auditing Around the Computer: The auditor treats the computer as a "black box," focusing only on the inputs and outputs of the system. This approach is simple but may fail to detect processing errors within the application.
- Auditing Through the Computer: The auditor directly examines the processing operations within the IT system. This is a more complex but also more effective approach.
Computer-Assisted Audit Techniques (CAATs)
These are techniques used when auditing *through* the computer:
- Test Data: The auditor processes a set of dummy transactions (with both valid and invalid data) through the client's live system under auditor control. The results are compared to predetermined outcomes to test application controls.
- Integrated Test Facility (ITF): A "dummy" entity (e.g., a fake department or vendor) is created within the client's live production system. The auditor processes test transactions against this entity throughout the year, allowing for continuous monitoring of controls.
- Parallel Simulation: The auditor uses their own software to re-process a subset of the client's actual data. The results produced by the auditor's system are then compared to the results from the client's system to verify processing accuracy.
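Parallel simulation in miniature, as an added example that is not part of the original guide: the auditor writes an independent implementation of the client's documented pricing rule, runs it over a constructed subset of the client's invoice lines, and compares the result with the totals the client's system produced. The pricing rule (unit price times quantity, a 10% volume discount at 100 or more units, then 8% tax, rounded to cents) and the invoice records are constructed for illustration.

```python
"""
Added example (not from the original guide): a parallel simulation over a
constructed extract of client invoice lines. The auditor's own implementation
of the documented pricing rule is applied to each line and its total is
compared with the total recorded by the client's system; every difference
beyond the tolerance is listed for follow-up. Rule and data are constructed.
"""
from decimal import Decimal, ROUND_HALF_UP
from typing import List, Tuple

# Constructed pricing rule, taken from the (hypothetical) client's documentation.
DISCOUNT_THRESHOLD = 100             # units at which the volume discount applies
DISCOUNT_RATE = Decimal("0.10")
TAX_RATE = Decimal("0.08")
CENT = Decimal("0.01")


def auditor_total(unit_price: str, qty: int) -> Decimal:
    """The auditor's independent re-implementation of the pricing rule."""
    gross = Decimal(unit_price) * qty
    if qty >= DISCOUNT_THRESHOLD:
        gross -= gross * DISCOUNT_RATE
    total = gross * (1 + TAX_RATE)
    return total.quantize(CENT, rounding=ROUND_HALF_UP)


# Constructed subset of the client's data: (invoice, unit price, quantity, client-computed total).
CLIENT_EXTRACT = [
    ("INV-001", "12.50", 10,  "135.00"),
    ("INV-002", "12.50", 100, "1215.00"),
    ("INV-003", "9.99",  120, "1294.70"),   # client applied no volume discount
    ("INV-004", "3.00",  50,  "161.00"),    # client total is one dollar short
]

Exception_ = Tuple[str, Decimal, Decimal, Decimal]   # (invoice, expected, client, difference)


def parallel_simulation(extract, tolerance: Decimal = Decimal("0.00")) -> List[Exception_]:
    """Re-process every line and return those whose client total differs beyond the tolerance."""
    exceptions: List[Exception_] = []
    for invoice, unit_price, qty, client_total in extract:
        expected = auditor_total(unit_price, qty)
        recorded = Decimal(client_total)
        diff = recorded - expected
        if abs(diff) > tolerance:
            exceptions.append((invoice, expected, recorded, diff))
    return exceptions


if __name__ == "__main__":
    for invoice, expected, recorded, diff in parallel_simulation(CLIENT_EXTRACT):
        print(f"{invoice}: auditor {expected}  client {recorded}  difference {diff}")
```

Decimal arithmetic is used rather than floats so that a reported difference is a real processing difference and not a rounding artifact of the auditor's own tool, which matters when the tolerance is zero.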
Security & Risk Management
Common Cyberattacks
Network-Based
- Denial-of-Service (DoS/DDoS): Flooding a network with traffic to make it unavailable.
- Man-in-the-Middle (MITM): Intercepting communications between two parties.
Application & Host-Based
- SQL Injection: Injecting malicious SQL code to gain database access.
- Malware: Malicious software (viruses, ransomware, spyware) intended to damage or disable systems.
- Brute Force Attack: Automated trial-and-error to guess passwords.
Social Engineering
- Phishing: Using deceptive emails or messages to trick users into revealing sensitive information.
- Business Email Compromise (BEC)/Whaling: Phishing that targets high-ranking executives.
Defensive Security Concepts
Zero Trust
A security model that eliminates implicit trust by requiring continuous verification for all users and devices, assuming the network is always at risk. It focuses on users, assets, and resources in real time to determine access.
Least Privilege & Need-to-Know
- Least Privilege: Focuses on the minimum level of access and permissions a user needs to perform their job role.
- Need-to-Know: Focuses on the specific data a user needs to perform their job, which is more granular than least privilege.
System Hardening
A comprehensive security approach that reduces risk by minimizing the number of access points (attack vectors) through which a company can be attacked.
Defense-in-Depth
A multilayered security strategy that combines people, policies, and technology. It uses redundant controls to ensure that a failure in one layer does not compromise the entire system.
Data Encryption & Authentication
Data Encryption Types
- Symmetric Encryption: Uses a single, shared secret key for both encrypting and decrypting data. It is fast but does not facilitate non-repudiation.
- Asymmetric (Public Key) Encryption: Uses two keys—a public key to encrypt the message and a private key to decrypt it. This method is slower but foundational for digital signatures.
- Hashing vs. Encryption: Hashing is a one-way process that converts a message into a fixed-length value to ensure data integrity. Encryption is a two-way process used to ensure confidentiality.
Authentication Methods
- Multifactor Authentication (MFA): A technique that uses two or more factors to validate someone's identity.
- Biometrics: A method that uses unique physical characteristics like fingerprints, eye scans, or facial recognition for identification.
- Smart Cards: Plastic cards containing a microprocessor that can process data or act as a certificate to authenticate a user.
Incident Response Plan (IRP) Lifecycle
A formal plan for responding to security incidents.
- Preparation: Establishing the tools, roles, and training needed.
- Detection & Analysis: Identifying that an incident has occurred.
- Containment: Isolating the affected systems to prevent further damage.
- Eradication: Removing the threat from the environment.
- Recovery: Restoring systems to normal operation.
- Reporting: Communicating incident details to relevant stakeholders.
- Lessons Learned (Post-Incident): Reviewing the response to make improvements.
Business Resiliency & Disaster Recovery
Core Concepts
- Business Resiliency: Ability to continue or quickly return to operations after a disruption.
- Business Continuity (BCP): Focuses on keeping business operational during a disaster.
- Disaster Recovery (DRP): Focuses on restoring IT infrastructure after a disaster.
Recovery Sites
Site Type | Description | Cost |
---|---|---|
Hot Site | Fully equipped and ready to operate immediately. | Most Expensive |
Warm Site | Has hardware but may lack full processing capabilities. | Moderate |
Cold Site | Has space and infrastructure but no equipment. | Cheapest |
Key Metrics
- RTO (Recovery Time Objective): The target time to restore business operations.
- RPO (Recovery Point Objective): The maximum acceptable amount of data loss.
- MTD (Maximum Tolerable Downtime): The longest an outage can last without causing significant damage.
Systems, Data, & Change
Data Life Cycle Management
The sequence data goes through from creation to disposal.
- Definition: Defining data needs and sources.
- Capture/Creation: Obtaining the data.
- Preparation: Cleaning, validating, and formatting data.
- Synthesis: Creating calculated fields from existing data.
- Analytics & Usage: Using data for internal reporting and decisions.
- Publication: Sharing data with external users.
- Archival: Moving data from active to passive systems.
- Purging: Permanently removing data from all systems.
Database Concepts
Data Repositories (Largest to Smallest)
- Data Lake: Stores vast amounts of raw data, both structured and unstructured.
- Data Warehouse: Central repository of structured, organized data for reporting and analysis.
- Data Mart: A subset of a data warehouse focused on a specific business line.
Relational Database Normalization
Ensures data is stored efficiently without redundancy.
- 1NF ("The Key"): Each cell holds a single value, and each record is unique (has a Primary Key).
- 2NF ("The Whole Key"): All non-key attributes depend on the entire composite primary key.
- 3NF ("Nothing But The Key"): All attributes depend only on the primary key, not other non-key attributes.
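The three normal forms are easiest to see through the update anomaly that redundancy causes. The following added example (not from the original guide) builds two in-memory SQLite schemas: a flat order-line table that satisfies only 1NF, where the product name depends on part of the composite key (a 2NF violation) and the customer's city depends on a non-key attribute (a 3NF violation), and the 3NF equivalent. After a partial update, the flat table holds two contradictory cities for one customer, while the normalized schema stores the city once. Table and column names are constructed.

```python
"""
Added example (not from the original guide): demonstrates why normalization
matters by reproducing an update anomaly in a 1NF-only table and showing that
the 3NF schema cannot have it. Uses the sqlite3 module from the standard library.
"""
import sqlite3
from typing import List


def flat_schema_anomaly() -> int:
    """Return how many customers end up with contradictory cities in the flat design."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        -- 1NF holds (atomic values, composite primary key), but:
        --   product_name  depends on product_id alone        -> 2NF violation
        --   customer_city depends on customer_id, a non-key  -> 3NF violation
        CREATE TABLE order_line_flat (
            order_id      INTEGER,
            product_id    INTEGER,
            customer_id   INTEGER,
            customer_city TEXT,
            product_name  TEXT,
            qty           INTEGER,
            PRIMARY KEY (order_id, product_id));
        INSERT INTO order_line_flat VALUES
            (1, 10, 100, 'Austin', 'Widget', 2),
            (1, 11, 100, 'Austin', 'Gadget', 1),
            (2, 10, 100, 'Austin', 'Widget', 5);
        -- Customer 100 moves; an application updates only the lines of order 2.
        UPDATE order_line_flat SET customer_city = 'Denver' WHERE order_id = 2;
    """)
    rows = con.execute("""
        SELECT customer_id
        FROM order_line_flat
        GROUP BY customer_id
        HAVING COUNT(DISTINCT customer_city) > 1""").fetchall()
    return len(rows)


def normalized_schema_cities() -> List[str]:
    """Return the distinct customer cities visible through every order line after the same move."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        -- 3NF: every non-key attribute depends on the key, the whole key, and nothing but the key.
        CREATE TABLE customers   (customer_id INTEGER PRIMARY KEY, city TEXT);
        CREATE TABLE products    (product_id  INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE orders      (order_id    INTEGER PRIMARY KEY,
                                  customer_id INTEGER REFERENCES customers);
        CREATE TABLE order_lines (order_id    INTEGER REFERENCES orders,
                                  product_id  INTEGER REFERENCES products,
                                  qty         INTEGER,
                                  PRIMARY KEY (order_id, product_id));
        INSERT INTO customers   VALUES (100, 'Austin');
        INSERT INTO products    VALUES (10, 'Widget'), (11, 'Gadget');
        INSERT INTO orders      VALUES (1, 100), (2, 100);
        INSERT INTO order_lines VALUES (1, 10, 2), (1, 11, 1), (2, 10, 5);
        -- The city is stored exactly once, so one UPDATE is the only way to change it.
        UPDATE customers SET city = 'Denver' WHERE customer_id = 100;
    """)
    rows = con.execute("""
        SELECT DISTINCT c.city
        FROM order_lines ol
        JOIN orders    o USING (order_id)
        JOIN customers c USING (customer_id)""").fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print("customers with contradictory cities in the flat table:", flat_schema_anomaly())
    print("cities seen through the normalized schema:", normalized_schema_cities())
```

The same redundancy that produces the update anomaly also produces insertion and deletion anomalies (a product cannot exist until it is ordered; deleting the last order line for a customer deletes the customer's city), which is why normalization is an integrity control and not only a storage optimization.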
Change Management
Development Methodologies
- Waterfall: A linear, sequential approach where each phase must be completed before the next begins. Rigid and well-documented.
- Agile: An iterative approach focused on flexibility and collaboration. Work is done in short cycles ("sprints") with continuous feedback.
System Conversion Methods
- Direct: Turn off the old system and turn on the new one immediately. High risk.
- Parallel: Run both the old and new systems simultaneously for a period. Low risk, but high effort.
- Phased (Modular): Implement the new system in modules or stages.
- Pilot: Implement the full new system for a small group of users first.
System Backups
- Full: An exact copy of the entire database. Slow to create, fast to restore.
- Incremental: Copies only data that has changed since the *last backup* (full or incremental). Fast to create, slow to restore.
- Differential: Copies all changes made since the *last full backup*. Moderate create/restore time.
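The restore-time trade-off between incremental and differential backups, and the RPO measure from the Key Metrics section above, can both be made concrete with a small simulation. The following added example (not from the original guide) builds a constructed weekly schedule (a full backup on Sunday, then one incremental or differential backup each day), works out which files must be restored, in order, for a failure on Thursday afternoon, and computes the data-loss window against a chosen RPO. Mixed incremental-and-differential chains are deliberately rejected; the schedule, times and RPO values are constructed.

```python
"""
Added example (not from the original guide): simulates full, incremental and
differential backup schedules to show (a) the restore chain each strategy
requires after a failure and (b) the data-loss window measured against an RPO.
Schedule and timestamps are constructed.
"""
from datetime import datetime, timedelta
from typing import List, Tuple

Backup = Tuple[datetime, str]   # (time taken, kind) with kind in {"full", "incremental", "differential"}


def weekly_schedule(start: datetime, kind: str) -> List[Backup]:
    """Constructed schedule: a full backup at `start`, then one `kind` backup at the same time daily."""
    backups = [(start, "full")]
    for day in range(1, 7):
        backups.append((start + timedelta(days=day), kind))
    return backups


def restore_chain(backups: List[Backup], failure_time: datetime) -> List[Backup]:
    """Return the backups that must be restored, in order, to recover to the last backup before the failure."""
    taken = [b for b in backups if b[0] <= failure_time]
    full_positions = [i for i, (_, kind) in enumerate(taken) if kind == "full"]
    if not full_positions:
        raise ValueError("no full backup exists before the failure")
    base = full_positions[-1]
    partials = taken[base + 1:]
    chain = [taken[base]]
    kinds = {kind for _, kind in partials}
    if kinds == {"incremental"}:
        chain.extend(partials)          # every incremental since the full, oldest first
    elif kinds == {"differential"}:
        chain.append(partials[-1])      # only the most recent differential
    elif partials:
        raise ValueError("mixed incremental/differential chains are not handled here")
    return chain


def rpo_exposure(backups: List[Backup], failure_time: datetime, rpo: timedelta):
    """Return (data-loss window, whether the window is within the RPO)."""
    last_backup = max(ts for ts, _ in backups if ts <= failure_time)
    window = failure_time - last_backup
    return window, window <= rpo


# Constructed scenario: full backup Sunday 02:00, daily backups at 02:00, failure Thursday 14:00.
WEEK_START = datetime(2024, 6, 2, 2, 0)
FAILURE = datetime(2024, 6, 6, 14, 0)
INCREMENTAL = weekly_schedule(WEEK_START, "incremental")
DIFFERENTIAL = weekly_schedule(WEEK_START, "differential")
RPO_24H = timedelta(hours=24)
RPO_4H = timedelta(hours=4)

if __name__ == "__main__":
    for name, sched in (("incremental", INCREMENTAL), ("differential", DIFFERENTIAL)):
        chain = restore_chain(sched, FAILURE)
        print(f"{name}: restore {len(chain)} files:",
              ", ".join(f"{ts:%a} {kind}" for ts, kind in chain))
    window, ok = rpo_exposure(INCREMENTAL, FAILURE, RPO_4H)
    print(f"data-loss window {window}, within 4h RPO: {ok}")
```

The restore chain is where "fast to create, slow to restore" comes from: the incremental schedule needs the full plus every incremental since it, so the chain grows by one file per day and breaks entirely if any one of them is unreadable, whereas the differential schedule always needs exactly two files. The RPO check is independent of the strategy, since it depends only on how recently any backup was taken.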
Accounting Systems & Emerging Tech
AIS & ERP Systems
Enterprise Resource Planning (ERP)
A cross-functional system that supports different business functions and integrates information from across departments (accounting, finance, HR) into a centralized database.
Accounting Information Systems (AIS)
The system that collects, records, stores, and compiles accounting information using accounting rules to report financial and nonfinancial information to decision makers.
AIS Subsystems
- Transaction Processing System (TPS): Converts economic events into financial transactions (e.g., journal entries) and supports daily operations.
- Financial Reporting System (FRS): Aggregates daily financial information from the TPS and other sources to enable timely financial reporting.
- Management Reporting System (MRS): Provides internal financial information to solve daily business problems, such as for budgeting and variance analysis.
Emerging Tech & Blockchain
Technologies for Process Improvement
- Robotic Process Automation (RPA): The use of software programs ("bots") capable of extracting information from a user interface and initiating further processes, designed to automate repetitive, rules-based tasks.
- Blockchain: A control system, often decentralized, that records transactions with minimal human input into immutable (unchangeable) blocks, creating strong record integrity.