CISA Domain 5 – Protection of Information Assets

April 2, 2011 by Kenneth Magee

Domain 5, Protection of Information Assets, is the last domain in the CISA certification area and the most important. ISACA has stated that this domain represents 30 percent of the CISA examination, which is approximately 60 questions. This is a make-or-break domain for you. This section has eight areas that you need to fully understand to ensure you pass the CISA exam.

1.     Importance of Information Security Management

  • Information Security Management is important to ensure the continued availability of information systems.
  • Information Security Management is important to ensure the integrity of the stored information and the information in motion (in transit).
  • Information Security Management is important to ensure the confidentiality of sensitive data.
  • There’s the old CIA triad again (Confidentiality, Integrity, Availability)
  • Key Elements in Information Security Management
    • Senior Management Commitment and support
    • Policies and Procedures
    • Organization
    • Security Awareness and Training
    • Monitoring and compliance, and
    • Incident handling and response
  • You should have an understanding of each of these key elements
  • Information Security Management roles and responsibilities: in this area you need to have the IS Security Steering Committee responsibility down cold. I mean to the point of quoting it verbatim from the CISA manual.
  • Understand the difference between mandatory access controls (MACs) and discretionary access controls (DACs).
  • One of the last sections in Information Security Management deals with computer crime issues and exposures. Exhibit 5.8 in the CISA manual lists some 30 different Common Attack Methods and Techniques. Pick 30 and have a working understanding. That’s right, all 30. ISACA has chosen everything from Botnets to War Chalking for their exam.

2.     Logical Access

  • This is the primary means used to manage and protect information assets. Note the emphasis on PRIMARY!
  • There are really only two points of entry: local and remote. How do you identify local users and their rights, and how do you identify and authenticate remote users?
  • Authentication is typically categorized as something you know (password), something you have (token) and something you are (biometrics). And yes, I know RSA has been breached, but there are other token vendors out there.
  • Speaking of biometrics, there’s palm, hand geometry, iris, retina, fingerprint, face and voice recognition. Which one costs the most and has the highest user rejection rate? HINT: it has something to do with the eye.

3.     Network Infrastructure Security

  • You should know some of the advantages and disadvantages of virtualization.
  • You need to know some of the security threats and risk mitigation techniques for wireless networking, including WEP, WPA, WPA2, authenticity, nonrepudiation, accountability and network availability.
  • You need to know the different firewall types (router packet filtering, application firewall systems, stateful inspection).
  • You will need to know firewall implementations (Screened-host, dual-homed, DMZ or screened-subnet)
  • What’s the difference between NIDS and HIDS and are they a substitute for firewalls? Answer: NO.
  • You will need to know how a digital signature functions to protect data.
  • You need a general understanding of viruses and some of the management procedural controls that should be in place.

4.     Auditing Information Security Management Framework

  • Review the written policies, procedures and standards
  • Pay particular attention to the logical access security policies
  • Make sure everyone has received current security awareness training
  • Why are you interested in data ownership? Because the data owner is the person who defines who can access and use their data.
  • Then you’ll need to audit the logical access to make sure the rules are being followed. Pay particular attention to “JOB TRANSFERS”, as there is a tendency to add access but not to remove old access.
  • Review access logs and make sure someone else is reviewing and acting upon unsuccessful login attempts.
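
The job-transfer check above can be run as a reconciliation of three extracts: the access profile the data owner approved for each role, the HR transfer feed, and the current entitlements. The script below is an added example, not part of the original article; every role, right and user name, the dates and the five-day removal window are constructed assumptions.

```python
from datetime import date

# Constructed sample data; all names and dates are hypothetical.
# Access profile the data owner has approved for each job role.
APPROVED = {
    "ap_clerk": {"AP_INVOICE_ENTRY", "VENDOR_VIEW"},
    "payroll_analyst": {"PAYROLL_RUN", "EMPLOYEE_VIEW"},
    "treasury_analyst": {"PAYMENT_RELEASE", "VENDOR_VIEW"},
}
# HR transfer feed: (user, old_role, new_role, effective_date)
TRANSFERS = [
    ("jdoe", "ap_clerk", "treasury_analyst", date(2011, 1, 10)),
    ("asmith", "payroll_analyst", "ap_clerk", date(2011, 3, 21)),
    ("bwong", "ap_clerk", "payroll_analyst", date(2011, 2, 1)),
    ("cnguyen", "treasury_analyst", "ap_clerk", date(2011, 3, 30)),
]
# Current entitlements exported from the access control system.
CURRENT = {
    "jdoe": {"AP_INVOICE_ENTRY", "VENDOR_VIEW", "PAYMENT_RELEASE"},
    "asmith": {"AP_INVOICE_ENTRY", "VENDOR_VIEW"},
    "bwong": {"PAYROLL_RUN", "EMPLOYEE_VIEW", "VENDOR_VIEW"},
    "cnguyen": {"PAYMENT_RELEASE", "AP_INVOICE_ENTRY", "VENDOR_VIEW"},
}

def transfer_exceptions(transfers, current, approved, as_of, grace_days=5):
    """Flag transferred users who still hold rights outside their new role.

    retained:   old-role rights the new role's profile does not include
    unapproved: rights covered by neither the old nor the new profile
    grace_days is an assumed removal window, not a figure from the article.
    """
    findings = []
    for user, old_role, new_role, effective in transfers:
        age = (as_of - effective).days
        if age < grace_days:
            continue  # removal window still open; not yet an exception
        held = current.get(user, set())
        retained = (held & approved[old_role]) - approved[new_role]
        unapproved = held - approved[old_role] - approved[new_role]
        if retained or unapproved:
            findings.append({"user": user, "retained": sorted(retained),
                             "unapproved": sorted(unapproved),
                             "days_since_transfer": age})
    return findings

if __name__ == "__main__":
    for finding in transfer_exceptions(TRANSFERS, CURRENT, APPROVED,
                                       as_of=date(2011, 4, 2)):
        print(finding)
```

In the sample data, jdoe can still enter invoices after moving to a role that releases payments, which is the kind of accumulated access a transfer review is meant to catch.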

5.     Auditing Network Infrastructure Security

  • Who has remote access and has it been approved? Why do vendors have unrestricted access into your network to fix a network device? Has that unrestricted access been approved by management?
  • Now here’s the fun part, because as auditors you should be able to do Pen Testing. Just make sure you’ve got approval before you start this part of the audit. HINT: PRIOR APPROVAL
  • Make sure all network changes are going through change control, even emergency changes.
  • Forensics comes into play here as well, so make sure you know the four major considerations in the chain of events regarding evidence (Identify, Preserve, Analyze, Present).

6.     Environmental Exposures and Controls

  • Know the differences between Total Failure (blackout), severely reduced voltage (brownout), and a snowstorm (whiteout)… If you’ve read this far and you get it, then you’ve got it.
  • Halon is no longer legal. What is an acceptable replacement?
  • Where should hand-held fire extinguishers be located, how often should they be inspected, and is security awareness training required for personnel who might have to use them? All good test questions.
  • Surge protectors are used for power spikes. Enough said.
  • UPS is used for power cleansing??? Yes… Like you use soap to wash your hands. UPSs are used to turn dirty power into clean power. Think about it: power fluctuations, sags and spikes are considered dirty power. A UPS ensures that wattage and voltage are consistent, flatlined, stable, etc.
  • You need to be aware of the environmental detection equipment: smoke detectors, moisture detectors, etc.

7.     Physical Access Exposures and Controls

  • Unauthorized entry, principle of least privilege, only if your job requires it, and no visitor shall enter unescorted. That’s it. PERIOD.
  • Key focus for this area is mantraps, deadman doors, and visitor escorts.

8.     Mobile Computing

  • Hard drive encryption
  • Back-ups on a regular basis
  • Theft response team
  • Special care needs to be taken to defend against malicious code. HINT: What’s one way of getting around your company’s firewall? Hand-carry a laptop into the office from a remote location. Now you see the need for good malicious code defenses.

I hope you’ve enjoyed these articles on the CISA domains and I look forward to seeing you in class.



Kenneth Magee

Ken is President and owner of Data Security Consultation and Training, LLC. He has taught cybersecurity at the JAG school at the University of Virginia, KPMG Advisory University, Microsoft and several major federal financial institutions and government agencies. As CISO for the Virginia Community College System, Ken’s focus was the standardization of security around the ISO 27000 series framework. Writing is one of his passions and he has authored and/or co-authored several courses, including CISSP, CISA, CISM, CGEIT, CRISC, DoD Cloud Computing SRG and a course for training Security Control Assessors using NIST SP 800-53A. Ken has also achieved a number of certifications, including CISSP, SSCP, CCSP, CAP, ISSMP, ISSAP, ISSEP, CISM, CISA, CAC, CEH, ISO9000LA, ISO14001LA, ISO27001PA, Security+, CySA+, CASP, CTT+, CPT, GSEC, GSNA, GWAPT, CIA, CGAP, CFE, MCP, MCSA, MCSE and MCT.