Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the Exam Objectives presented in this chapter and to assist you with the real-life implementation of these concepts.

Q.  Why is separation of duties important?

A.  In any organization, if one person has the ability to make a change that can impact something critical or release sensitive information, that person can be considered a single point of failure. If two people's participation were required for this to happen, it would be much more difficult for one person, either deliberately or through negligence, to cause any damage.

Q.  Why should controls be documented and categorized? If an administrator knows how to secure an information system, and does so effectively, what is the point of wasting so much time on documentation?

A.  Documentation, while often boring, serves a very critical purpose. One of the criteria most commonly found in security audits relates to the existence of documentation. If the administrator who set up all of the security were to leave the company or go rogue (become malicious), someone else will need to take over their job. If the administrator gets sick for a few days and there is an attack on the organization, someone else will need to understand how things work. The shareholders of an organization will also need to be satisfied that things are done properly. Responding to their questions regarding the security of the organization with an answer of "the administrator said it was secure" is not going to satisfy most people. A response showing that documentation exists, and that this documentation has been audited by a third party to ensure compliance with industry security standards, is a much more likely way of satisfying these people's questions.

Q.  If a CAAT can automate a lot of the functions within the audit process, should I as an auditor fear that my job is no longer necessary?

A.  A CAAT (computer-assisted audit technique) will make an auditor's job easier, but auditors are still needed to define criteria, review documentation, interact with people, and do most of the analysis work. The main area where a CAAT saves time is in the gathering of information and its statistical analysis.

Q.  BIAs seem like a waste of time and have nothing to do with the job of a security administrator. Why should I bother reading and participating in them?

A.  BIAs (business impact analyses) are what senior management will use to help decide how budgets will be allocated, and which departments will be changed or influenced as time goes by. Just telling the Chief Information Officer (CIO) that you need a new firewall is not going to make a purchase order appear out of thin air. A BIA will explain to the CIO issues such as: the organization is growing and the current firewall cannot handle the load; the number of people using Internet connectivity, or of partners with connections into the organization's networks, is growing; and separation of duties requires that an additional firewall be implemented.

Q.  How is an audit different from a vulnerability scan?

A.  A vulnerability scan is a type of audit. Remember that an audit is a review of specific criteria for compliance with a defined standard. A vulnerability scan evaluates an information system's security against a list of criteria, and reports which of the criteria (tests) fail and where there are vulnerabilities.

Q.  How are internal auditors different from external auditors?

A.  Internal auditors and external auditors usually perform the same functions. The primary reasons for hiring external auditors are:

  • The skills required for a particular audit do not exist in house.

  • Law, legislation, or company policy requires that a neutral third party perform specific audits, to minimize the possibility of corruption in the internal department.

  • To satisfy outside interests.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
