CIA3 PPT 2020 SU08
Study Unit 8
Information Security
and Disaster Recovery
Copyright © 2019 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 1
CIA 3 SU 8
Table of Contents
8.1 Information Security and Cybersecurity Related
Policies and Controls
8.2 Authentication, Authorization, and Encryption
8.3 Information Protection
8.4 Contingency Planning and Disaster Recovery
Information Security
and Cybersecurity Related
Policies and Controls
8.1
Computer Based Business
Information System Risks
• Safe computing can be achieved by using carefully crafted
policies and procedures in conjunction with antivirus and
access control software.
• The most comprehensive indicator of an information
system’s compliance with prescribed procedures is the
control the system has over the data. This includes the
capacity and complexity of the system as well as the
accessibility of the data to the end-user.
Information Security
and Cybersecurity
• Information security involves securing data in any form
whereas cybersecurity concentrates on protecting electronic
data.
• Cybersecurity is information security applied to computer
hardware, software, and networks.
• The main objectives of information security and
cybersecurity are safeguarding against unauthorized access
to data and maintaining the integrity and availability of the
data.
Information Security and
Cybersecurity Policies
• The successful planning, design, and implementation of
security procedures are initiated by strong policies and
management support.
• Policies govern how issues are resolved and how the IT
infrastructure may be used to resolve them. To be effective, a policy must
o Comply with laws and regulations
o Be communicated and explained to applicable personnel
o Be accepted by applicable personnel
o Be enforced
Standards
• Standards assist the implementation of policies by detailing
what actions must occur to comply with policy. Standards
are categorized as de facto and de jure.
• De facto standards are informal standards that have been
widely adopted and accepted.
• De jure standards are formal standards that have been
assessed, approved, and sanctioned.
Data Integrity
• The difficulty of maintaining the integrity of the data is the
most significant limitation of computer-based audit tools.
• The most important control is to enact an organization-wide
network security policy. This policy should promote the
following objectives:
o Availability. The intended and authorized users should
be able to access data to meet organizational goals.
o Security, privacy, and confidentiality. The secrecy of
information that could adversely affect the organization
if revealed to the public or competitors should be
ensured.
o Integrity. Unauthorized or accidental modification of
data should be prevented.
Physical Security Controls
and Logical Controls
• Physical access controls limit who can physically access systems.
o Examples of physical access controls are keypad devices, card
readers, and biometric technologies such as fingerprints and retina
patterns.
• Environmental controls are designed to protect the organization’s
physical information assets. The most important are
o Temperature and humidity control.
o Gaseous fire-suppression system (not water).
o Data center not located on an outside wall.
o Building housing data center not located in a flood plain.
• Logical controls are needed because of the use of communication
networks and connections to external systems. User identification and
authentication, restriction of access, and the generation of audit trails
are required in this environment.
o Access controls have been developed to prevent improper use or
manipulation of data files and programs.
Internet Security
• Because connection to the internet presents security issues, the
organization-wide network security policy should at the very least
include
o A user account management system
o Installation of an internet firewall
o Methods such as encryption to ensure that only the intended
user receives the information and that the information is
complete and accurate
• A firewall separates an internal network from an external network
and blocks passage of specific types of traffic. It identifies source
and destination internet protocol addresses, ports, application
protocols, etc., and compares them with programmed access rules; traffic
that no rule explicitly permits should be denied by default.
o Firewalls do not provide adequate protection against
computer viruses, because a virus travels as content inside traffic
the rules allow (e.g., an e-mail attachment or a web download).
Thus, an organization should include one or more antivirus
measures in its network security policy.
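The rule matching described above, as an added example that is not part of the study unit: a minimal stateless packet filter that compares packet headers with programmed access rules, first match wins, default deny. The rule set, addresses and sample packets are constructed for the demonstration. The last sample packet carries the EICAR antivirus test string as its payload over an allowed port, which shows why a header-based firewall is not a virus control.

```python
"""Added example: header-based packet filtering with a default-deny rule set.
Rules and traffic below are made up for the demo and describe no real network."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    dport: Optional[int]     # destination port, None = any
    note: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes = b""     # never looked at by the filter


INTERNAL = "10.0.0.0/8"

# Constructed policy for a small DMZ: anyone may reach the web server on 443,
# only the admin subnet may reach SSH, and everything else is dropped.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "10.1.1.10/32", 443, "public HTTPS to web server"),
    Rule("allow", "tcp", "10.9.0.0/16", INTERNAL, 22, "SSH from admin subnet only"),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None, "default deny"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every header field of the packet satisfies the rule."""
    return (
        rule.proto in ("any", pkt.proto)
        and ip_address(pkt.src) in ip_network(rule.src)
        and ip_address(pkt.dst) in ip_network(rule.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def decide(rules, pkt: Packet):
    """Return (action, matching rule) for the first rule that matches.
    If no rule matches at all, the packet is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule
    return "deny", None


def filter_packets(rules, packets):
    return [decide(rules, p)[0] for p in packets]


# Constructed sample traffic. The EICAR string is the industry-standard,
# harmless antivirus test file; here it rides inside an allowed HTTPS packet.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SAMPLE = [
    Packet("tcp", "203.0.113.5", "10.1.1.10", 443),            # public web: allow
    Packet("tcp", "203.0.113.5", "10.1.1.10", 22),             # outside SSH: deny
    Packet("tcp", "10.9.4.7", "10.1.1.10", 22),                # admin SSH: allow
    Packet("udp", "198.51.100.9", "10.1.1.10", 443),           # wrong protocol: deny
    Packet("tcp", "203.0.113.5", "10.1.1.10", 443, payload=EICAR),  # malware: allowed!
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, filter_packets(RULES, SAMPLE)):
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

The fifth packet is allowed because the filter only ever reads `proto`, `src`, `dst` and `dport`; content inspection (antivirus, an application-layer proxy) is a separate control.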
Multiple-Choice Question
An Internet firewall is designed to provide adequate protection against
which of the following?
A. A computer virus.
B. Unauthenticated logins from outside users.
C. Insider leaking of confidential information.
D. A Trojan horse application.
Multiple-Choice Answer
The correct answer is B, unauthenticated logins from outside users.
A firewall compares the headers of traffic crossing the network boundary
(addresses, ports, application protocols) with programmed access rules and
blocks connection attempts from outside that the rules do not permit. It
does not inspect content, so it is not adequate protection against a
computer virus (A) or a Trojan horse (D), and it does nothing about an
insider who is already inside the perimeter leaking information (C).
Those exposures call for antivirus measures and access controls.
Authentication, Authorization,
and Encryption
8.2
Application Authentication
• Application authentication is a means of taking a user’s
identity from the operating system on which the user is
working and passing it to an authentication server for
verification.
• There are three classes of authentication information:
1. Remembered information (something the user knows, e.g., a
password or PIN)
2. Possessed objects (something the user has, e.g., a smart card or
a one-time-password token)
3. Personal characteristics (something the user is, e.g., a
fingerprint or retina pattern)
• Authentication that requires information from two or more of these
classes is multifactor authentication; a password alone is one factor.
Encryption Overview
• Encryption converts readable data (plaintext) into an unreadable
form (ciphertext).
• Encryption software uses a fixed algorithm (a step-by-step,
usually mathematical, procedure) applied to the plaintext together
with an encryption key. The key introduces the variation, so the
algorithm can be public while only the key must stay secret.
• Encryption technology may be either hardware- or
software-based.
Public-Key (Asymmetric)
Encryption
• Public-key (asymmetric) encryption requires two mathematically
related keys, one public and one private. What one key encrypts only
the other can decrypt, and the private key cannot be derived from the
public key.
• This arrangement solves the key-distribution problem of a single-key
system, in which the parties must agree on and transmit a single secret
key that could be intercepted; the public key can be sent openly.
• A digital signature is a means of authenticating an electronic
document, for example, the validity of a purchase order, acceptance of
a contract, or financial information. The signer hashes the document
and transforms the hash with the private key; anyone holding the
signer's public key can verify that the document is unchanged and came
from the holder of the private key.
• A digital certificate is another means of authentication used in
e-business. It binds a public key to the identity of its owner and is
itself signed by a trusted certificate authority, so a party can trust
a public key it has never seen before.
• The public-key infrastructure (PKI: certificate authorities,
certificates, and the procedures for issuing and revoking them)
permits secure monetary and information exchange over the Internet.
Thus, it facilitates e-business.
Private-Key (Symmetric)
Encryption
• Private-key, or symmetric, encryption uses a single (secret) key for
each pair of parties that want to send each other coded messages.
• Its weakness is not the strength of the cipher but key distribution:
the key must be exchanged over a secure channel and kept secret by
both parties, and the number of keys grows with the number of pairs.
• In practice the two methods are combined: public-key encryption is
used to exchange a symmetric key, and the faster symmetric cipher
encrypts the bulk of the data.
Multiple-Choice Question
A digital signature is used primarily to determine that a message is
A. Unaltered in transmission.
B. Not intercepted en route.
C. Received by the intended recipient.
D. Sent to the correct address.
Multiple-Choice Answer
The correct answer is A, unaltered in transmission.
A digital signature is computed over a hash of the message with the
sender's private key and checked with the sender's public key. If any
part of the message changes after signing, the check fails, so the
signature establishes integrity and origin. It does not show that the
message was not intercepted (B), that it was received by the intended
recipient (C), or that it was sent to the correct address (D).
Information Protection
8.3
Business Objective
• According to a publication of The IIA, the following five
categories are IT Business Assurance Objectives:
o Availability
o Capability
o Functionality
o Protectability
o Accountability
Malicious Software (Malware)
• Malicious software may exploit a known hole or weakness
in an application or operating system program to evade
security measures.
o A Trojan horse is an apparently innocent program (e.g.,
a spreadsheet) that includes a hidden function that may
do damage when activated.
o A worm copies itself not from file to file but from
computer to computer, often very rapidly.
o A logic bomb is much like a Trojan horse except it
activates only upon some occurrence.
• Malware may create a denial of service by overwhelming a
system or website with more traffic than it can handle.
Controls against Malware
• Controls to prevent or detect infection by malware are
particularly significant for file servers in large networks.
• The following are some broad control objectives:
o A policy should require use only of authorized software.
o Antivirus software should continuously monitor the
system for viruses (or worms) and eradicate them.
o Procedures should be established and responsibility
assigned for coping with malware.
o Responsible personnel should be aware of the possibility
of hoaxes, which are false messages intending to create
fear of a malware attack.
Controls against Malware
• The following are some specific controls to prevent or
detect infection by malware:
o All computer media (incoming or outgoing) may be
scanned by sheep dip (dedicated) computers.
o Software may reside in memory to scan for malware
communicated through a network.
o Scanning software on a standalone device should be
upgraded when it is networked.
Types of Attacks
• Password attacks, such as guessing, dictionary, and brute-force
attempts against login interfaces, or offline cracking of stolen
password hashes.
• A man-in-the-middle attack places the attacker between two
communicating parties so that traffic can be read or altered without
either party noticing. It takes advantage of networking, packet
sniffing, and weaknesses in routing and transport protocols;
encryption with authenticated endpoints is the countermeasure.
• A denial-of-service (DoS) attack is an attempt to overload a
system (e.g., a network or Web server) with false messages or
requests so that it cannot serve legitimate users or crashes.
Countermeasures --
Intrusion Detection Systems (IDS)
• If an organization's computer system has external
connections, an IDS is needed to detect security breaches and
respond to them.
• An IDS responds to an attack by alerting the management system
and, where configured, taking action itself. A device that blocks
traffic inline is called an intrusion prevention system (IPS).
• A host IDS runs on the monitored machine and provides maximum
protection only when the software is installed on each computer.
• A network IDS works by using sensors to examine packets
traveling on the network. It cannot see inside encrypted traffic or
what happens on the host.
• The preferable IDS combines host IDS and network IDS
components.
Countermeasures --
Intrusion Detection Systems (IDS)
• Knowledge-based (signature) detection is based on information
about known attacks and the system's weaknesses and searches for
intrusions that take advantage of them. It raises few false alarms
but cannot recognize an attack it has no signature for.
• Behavior-based (anomaly) detection presumes that an attack will
cause an observable deviation from a baseline of normal activity.
It can catch novel attacks but produces more false positives and
must be tuned.
• Responses to detection of an intrusion normally include an
automatic component (alerting, logging, blocking the source)
followed by human investigation.
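Both detection methods run over a log, as an added example that is not part of the study unit; it also covers the password and denial-of-service attacks listed under "Types of Attacks". Knowledge-based detection matches each request against signatures of known attacks (a directory-traversal probe and an SQL-injection probe); behavior-based detection counts requests and failed logins per source and flags what exceeds an assumed baseline (a password-guessing run and a request flood). The access log lines, thresholds and signatures are all constructed for the demonstration.

```python
"""Added example: signature-based versus anomaly-based detection over a
constructed web-server access log. Thresholds are assumed baselines."""
import re
from collections import defaultdict

# Constructed log in a simplified common-log format: 11 hand-written lines
# plus a 300-request burst from one source.
LOG = """\
10.0.0.5 - - [12/Mar/2020:10:00:01] "GET /index.html HTTP/1.1" 200
10.0.0.5 - - [12/Mar/2020:10:00:05] "GET /login HTTP/1.1" 200
10.0.0.5 - - [12/Mar/2020:10:00:09] "POST /login HTTP/1.1" 302
203.0.113.7 - - [12/Mar/2020:10:00:10] "GET /../../etc/passwd HTTP/1.1" 404
203.0.113.7 - - [12/Mar/2020:10:00:11] "GET /search?q=' OR 1=1-- HTTP/1.1" 500
198.51.100.4 - - [12/Mar/2020:10:00:20] "POST /login HTTP/1.1" 401
198.51.100.4 - - [12/Mar/2020:10:00:20] "POST /login HTTP/1.1" 401
198.51.100.4 - - [12/Mar/2020:10:00:21] "POST /login HTTP/1.1" 401
198.51.100.4 - - [12/Mar/2020:10:00:21] "POST /login HTTP/1.1" 401
198.51.100.4 - - [12/Mar/2020:10:00:22] "POST /login HTTP/1.1" 401
198.51.100.4 - - [12/Mar/2020:10:00:22] "POST /login HTTP/1.1" 401
""" + "".join(
    f'192.0.2.9 - - [12/Mar/2020:10:01:{i % 60:02d}] "GET / HTTP/1.1" 200\n'
    for i in range(300)
)

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})$')


def parse(log: str):
    """Parse log lines into events; malformed lines are skipped, not trusted."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            src, ts, request, status = m.groups()
            events.append({"src": src, "ts": ts, "request": request, "status": int(status)})
    return events


# --- knowledge-based: patterns of attacks that are already known -------------
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sql injection probe": re.compile(r"(?i)('|%27)\s*or\s+1=1"),
}


def knowledge_based(events):
    """Return (source, signature name) for every request matching a signature."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["request"]):
                alerts.append((ev["src"], name))
    return alerts


# --- behavior-based: deviation from an assumed baseline -----------------------
MAX_REQUESTS = 100        # assumption: no legitimate client exceeds this in the log span
MAX_FAILED_LOGINS = 5     # assumption: more than a few 401s on /login is guessing


def behaviour_based(events):
    """Flag sources whose volume or failure pattern is out of profile."""
    requests = defaultdict(int)
    failed_logins = defaultdict(int)
    for ev in events:
        requests[ev["src"]] += 1
        if ev["request"].startswith("POST /login") and ev["status"] == 401:
            failed_logins[ev["src"]] += 1
    alerts = []
    for src, n in requests.items():
        if n > MAX_REQUESTS:
            alerts.append((src, f"flood: {n} requests (possible DoS)"))
    for src, n in failed_logins.items():
        if n >= MAX_FAILED_LOGINS:
            alerts.append((src, f"{n} failed logins (password guessing)"))
    return alerts


if __name__ == "__main__":
    events = parse(LOG)
    for src, what in knowledge_based(events):
        print("SIGNATURE", src, what)
    for src, what in behaviour_based(events):
        print("ANOMALY  ", src, what)
```

Note what each method misses: the signature pass says nothing about the flood or the password guessing (no pattern describes them), and the anomaly pass says nothing about the two probes from 203.0.113.7 (two requests is well within baseline). That is the case for combining both.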
Information Integrity
and Reliability
• Internal auditors often assess the organization’s information
integrity and reliability practices.
o Internal auditors determine whether senior management and
the board have a clear understanding that information
reliability and integrity is a management responsibility.
o The chief audit executive (CAE) determines whether the
internal audit activity possesses, or has access to, competent
audit resources to evaluate information reliability and
integrity and associated risk exposures.
o Internal auditors assess the effectiveness of preventive,
detective, and mitigation measures against past attacks, as
appropriate, and future attempts or incidents deemed likely
to occur.
o Internal auditors periodically assess the organization’s
information reliability and integrity practices and
recommend, as appropriate, enhancements to, or
implementation of, new controls and safeguards.
Privacy
• Management is responsible for ensuring that an
organization’s privacy framework is in place.
• Internal auditors’ primary role is to ensure that relevant
privacy laws and other regulations are being properly
communicated to the responsible parties.
Multiple-Choice Question
Which of the following is the best policy for the protection of a company’s vital information
resources from computer viruses?
A. Stringent corporate hiring policies for staff working with computerized functions.
B. Existence of a software program for virus prevention.
C. Prudent management procedures instituted in conjunction with technological safeguards.
D. Physical protection devices in use for hardware, software, and library facilities.
Multiple-Choice Answer
The correct answer is C, prudent management procedures instituted in
conjunction with technological safeguards.
As stated at the start of this unit, safe computing is achieved by
carefully crafted policies and procedures used together with antivirus
and access control software. Antivirus software alone (B) cannot
enforce the use of authorized software or assign responsibility for
handling an infection, and hiring policies (A) and physical protection
devices (D) do not address malware at all.
Contingency Planning
and Disaster Recovery
8.4
Overview
• The information security goal of data availability is primarily
the responsibility of the IT function.
• Contingency planning is the name commonly given to this
activity.
o Disaster recovery is the process of resuming normal
information processing operations after the occurrence
of a major interruption.
o Business continuity is the continuation of business by
other means during the period in which computer
processing is unavailable or less than normal.
• Plans must be made for two major types of contingencies:
those in which the data center is physically available and
those in which it is not.
Backup and Rotation
• Periodic backup and offsite rotation of computer files is the
most basic part of any disaster recovery or business
continuity plan.
• A typical backup routine takes a full copy of all data files and
application programs at a fixed interval (the unit's example is once a
month), usually with more frequent incremental copies in between. The
interval between backups bounds how much data is lost in a disaster,
so it must be no longer than the recovery point objective (RPO) set by
the business impact analysis.
• The offsite location must be temperature- and humidity-
controlled and guarded against physical intrusion.
Risk Assessment Steps
• Identify and prioritize the organization’s critical applications.
• Determine the minimum recovery timeframes and
minimum hardware requirements.
• Develop a recovery plan.
Disaster Recovery Plan (DRP)
• Disaster recovery is the process of regaining access to data (e.g.,
hardware, software, and records), communications, work areas,
and other business processes.
• The following are considerations for choosing DRP strategies:
o The DRP should be based on the business impact analysis.
o The recovery abilities of critical service providers must be
assessed.
o The recovery of IT components often must be combined to
recover a system.
o Service providers (internal and external) must furnish
recovery information.
o Strategies for components may be developed independently.
o Security and compliance standards must be considered.
Contingencies with
Data Center Available
• The purchase of backup electrical generators protects
against power failures.
• Attacks such as viruses and denial-of-service require a
completely different response.
• The system must be brought down gracefully to halt the
spread of the infection.
• The IT staff must be well trained in the nature of the latest
virus threats to know how to isolate the damage and bring
the system back to full operation.
Contingencies with
Data Center Unavailable
• The most extreme contingency is a disaster that makes the
organization’s main facility uninhabitable.
• An alternate processing facility is a physical location maintained
by an outside contractor for the purpose of providing processing
facilities for customers in case of disaster.
• Recovery centers take three basic forms:
o A hot site is a fully operational processing facility that is
immediately available.
o A warm site is a compromise between a cold and hot site,
combining features of both: hardware and communications are in
place but current data and some equipment must be brought in, so
recovery takes days rather than hours.
o A cold site is a shell facility with sufficient electrical power,
environmental controls, and communications lines to permit
the organization to install its own newly acquired equipment.
Fault Tolerance
• A fault-tolerant computer contains redundant components (duplicate
processors and memory, mirrored or RAID disk storage, and a backup
power supply) so that the failure of any single component does not
interrupt processing.
• This technology is used for mission-critical applications that
cannot afford to suffer downtime.
Business Continuity
Management (BCM) Overview
• The objective of BCM is to restore critical processes and to
minimize financial and other effects of a disaster or business
disruption.
• BCM is the third component of an emergency management
program. Its time frame is measured in hours and days if not
weeks.
• The other components are emergency response and crisis
management.
Elements of BCM
• Management Support
o Management must assign adequate resources to preparing,
maintaining, and practicing a business continuity plan.
• Risk Assessment and Mitigation
o The entity must (1) define credible risk events (threats),
(2) assess their effects, and (3) develop risk mitigation strategies.
• Business Impact Analysis
o This analysis identifies business processes necessary to
functioning in a disaster and determines how soon they should
be recovered.
o The organization (1) identifies critical processes, (2) defines the
recovery time objective (RTO) and the recovery point objective
(RPO) for processes and resources, and (3) identifies the other
parties and physical resources.
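The arithmetic behind the backup-and-rotation slide and the RTO/RPO figures above, as an added example that is not part of the study unit. `rotate()` applies a grandfather-father-son retention scheme to the dates of completed full backups (keep the last 7 daily, the last 4 Sunday, and the last 12 first-of-month copies; release the rest for reuse in the offsite rotation). `data_loss_window()` computes how much work is lost if an incident strikes at a given moment, which is what the RPO bounds, and `check_objectives()` compares that and the measured restore time with the RPO and RTO from the business impact analysis. The dates, schedules, RPO/RTO values and restore duration are constructed for the demonstration.

```python
"""Added example: GFS backup rotation and checking a backup regime against
the RPO and RTO. All dates and targets below are made up for the demo."""
from datetime import date, datetime, timedelta


def rotate(backups, daily=7, weekly=4, monthly=12):
    """Return the set of backup dates to keep under grandfather-father-son.
    `backups` holds one date per successful full backup."""
    backups = sorted(set(backups))
    keep = set(backups[-daily:])                                   # sons
    sundays = [d for d in backups if d.weekday() == 6]
    keep.update(sundays[-weekly:])                                 # fathers
    firsts = [d for d in backups if d.day == 1]
    keep.update(firsts[-monthly:])                                 # grandfathers
    return keep


def data_loss_window(backup_times, incident_time):
    """Time between the last backup completed before the incident and the
    incident itself; whatever was created in that window is lost."""
    earlier = [t for t in backup_times if t <= incident_time]
    if not earlier:
        raise ValueError("no backup precedes the incident: everything is lost")
    return incident_time - max(earlier)


def check_objectives(backup_times, incident_time, restore_duration, rpo, rto):
    """Compare what the backup regime actually delivers with the BIA targets."""
    loss = data_loss_window(backup_times, incident_time)
    return {
        "data_loss": loss,
        "rpo_met": loss <= rpo,
        "recovery_time": restore_duration,
        "rto_met": restore_duration <= rto,
    }


def demo():
    """Constructed scenario: daily full backups since 2019-01-01, an incident
    on 2020-03-20 at 14:00, a 6-hour restore, RPO 24 h and RTO 8 h."""
    start, end = date(2019, 1, 1), date(2020, 3, 20)
    backup_dates = [start + timedelta(days=i) for i in range((end - start).days + 1)]
    incident = datetime(2020, 3, 20, 14, 0)
    rpo, rto, restore = timedelta(hours=24), timedelta(hours=8), timedelta(hours=6)

    # Two regimes: the slide's monthly full copy versus a daily one (both at 02:00).
    monthly_runs = [datetime(d.year, d.month, d.day, 2, 0) for d in backup_dates if d.day == 1]
    daily_runs = [datetime(d.year, d.month, d.day, 2, 0) for d in backup_dates]

    return {
        "kept": rotate(backup_dates),
        "monthly": check_objectives(monthly_runs, incident, restore, rpo, rto),
        "daily": check_objectives(daily_runs, incident, restore, rpo, rto),
    }


if __name__ == "__main__":
    result = demo()
    print("backups retained by GFS:", len(result["kept"]), "of 445")
    for regime in ("monthly", "daily"):
        r = result[regime]
        print(f"{regime:8s} data loss {r['data_loss']}  RPO met: {r['rpo_met']}  RTO met: {r['rto_met']}")
```

With the monthly regime the loss window is 19 days and 12 hours, far outside a 24-hour RPO even though the 6-hour restore meets the RTO; the daily regime loses 12 hours and meets both. The point of the BIA is to set those two numbers first, and let them dictate the backup interval and the recovery site, not the other way round.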
Elements of BCM
• Business Recovery and Continuity Strategy
o A crucial element of business recovery is the existence
of a comprehensive and current disaster recovery plan,
which addresses the actual steps, people, and resources
required to recover a critical business process.
• Education, Awareness, and Maintenance
o Education and awareness are vital to BCM and execution
of the business continuity plan.
o The BCM capabilities and documentation must be
maintained to ensure that they remain effective and
aligned with business priorities.
Elements of BCM
• Business Continuity
o According to The IIA, large-scale exercises (or testing) of
the BCM programs and BC plans should be conducted at
least annually.
o The following are different types of exercises:
• Desk check
• Orientation
• Tabletop exercise
• Communication testing
• IT environment walk-through
• End-to-end testing
Multiple-Choice Question
Which of the following configurations of elements represents the most complete disaster recovery
plan?
A. Vendor contract for alternate processing site, backup procedures, names of persons on the
disaster recovery team.
B. Alternate processing site, backup and off-site storage procedures, identification of critical
applications, test of the plan.
C. Off-site storage procedures, identification of critical applications, test of the plan.
D. Vendor contract for alternate processing site, names of persons on the disaster recovery team,
off-site storage procedures.
Multiple-Choice Answer
The correct answer is B: alternate processing site, backup and off-site
storage procedures, identification of critical applications, test of the
plan.
This is the only option that covers every element this unit requires:
identifying and prioritizing critical applications (the first risk
assessment step), backup and off-site storage (the most basic part of
any plan), an alternate site for when the data center is unavailable,
and testing, without which the plan cannot be shown to work. Options A
and D omit identification of critical applications and testing; option
C omits the alternate site and backup procedures.