LAN to WAN domain devices
Switches and routers. The auditor compares each device's running configuration with the configuration plan to confirm it is configured the way the plan says, and checks that the devices are protected with ACLs (Access Control Lists) and hardened (unused services disabled, management access restricted) to minimize vulnerabilities.
DMZ
When auditing, expect to see a DMZ if the company has public-facing services, and confirm it is built the way its documentation says: is the documentation current and updated, are the updates recorded, is it working as designed, are the firewalls and IDS in place? Verify the separation between the internal network and the public-facing services, so that a compromise of a DMZ host does not give direct access to internal systems.
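The device checks above (ACLs applied and hardened) and the DMZ separation check can be scripted. The script below is an added example written for these notes, not code from the original page: it parses a constructed Cisco IOS-style running configuration, compares it with a small "configuration plan" (required hardening lines, which ACL must be applied on which interface), and checks that the DMZ inbound ACL denies traffic to the internal range before any permit to "any". The hostname, addresses, ACL names and plan contents are all constructed for the example.

```python
# Added example for these notes (not code from the original page): a small
# configuration-compliance audit. The config and plan are constructed.

RUNNING_CONFIG = """\
hostname edge-rtr-01
no ip http server
ip ssh version 2
line vty 0 4
 transport input ssh
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip access-group WAN-IN in
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip access-group DMZ-IN in
!
ip access-list extended WAN-IN
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any log
ip access-list extended DMZ-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 443
 deny ip any 10.0.0.0 0.255.255.255 log
 permit ip any any
"""

# The configuration plan the CCB approved (hypothetical).
PLAN = {
    "required_global": ["no ip http server", "ip ssh version 2",
                        "service password-encryption"],
    "acl_on_interface": {"GigabitEthernet0/0": ("WAN-IN", "in"),
                         "GigabitEthernet0/1": ("DMZ-IN", "in")},
    # DMZ inbound ACL must deny traffic to the internal range (network wildcard)
    "segmentation": {"DMZ-IN": "10.0.0.0 0.255.255.255"},
}


def parse_config(text):
    """Split an IOS-style config into global lines and named sub-blocks."""
    cfg = {"global": set(), "interfaces": {}, "acls": {}, "lines": {}}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            block = None            # '!' ends the current sub-block
            continue
        if raw.startswith(" "):     # indented: belongs to the current block
            if block is not None:
                block.append(line)
            continue
        if line.startswith("interface "):
            block = cfg["interfaces"].setdefault(line.split(None, 1)[1], [])
        elif line.startswith("ip access-list "):
            block = cfg["acls"].setdefault(line.split()[-1], [])
        elif line.startswith("line "):
            block = cfg["lines"].setdefault(line.split(None, 1)[1], [])
        else:
            block = None
            cfg["global"].add(line)
    return cfg


def _addr(tokens, i):
    """Consume one ACE address spec: 'any', 'host X' or 'network wildcard'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1] + " 0.0.0.0", i + 2
    return tokens[i] + " " + tokens[i + 1], i + 2


def parse_ace(entry):
    """Parse one access-control entry into action, protocol, source, destination."""
    t = entry.split()
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "rest": t[i:]}


def check_segmentation(acl_entries, internal):
    """True if 'deny ip any <internal>' comes before any permit to destination 'any'.
    ACLs match top-down, first hit wins, so a broad permit above the deny wins."""
    for ace in map(parse_ace, acl_entries):
        if (ace["action"] == "deny" and ace["proto"] == "ip"
                and ace["src"] == "any" and ace["dst"] == internal):
            return True
        if ace["action"] == "permit" and ace["dst"] == "any":
            return False
    return False


def audit(cfg, plan):
    """Compare a parsed config with the plan; return a list of finding strings."""
    findings = []
    for required in plan["required_global"]:
        if required not in cfg["global"]:
            findings.append(f"missing hardening setting: {required}")
    for vty, lines in cfg["lines"].items():
        if "transport input ssh" not in lines:
            findings.append(f"line {vty}: management access not restricted to SSH")
    for iface, (acl, direction) in plan["acl_on_interface"].items():
        if f"ip access-group {acl} {direction}" not in cfg["interfaces"].get(iface, []):
            findings.append(f"{iface}: ACL {acl} not applied {direction}bound")
        elif acl not in cfg["acls"]:
            findings.append(f"{iface}: referenced ACL {acl} is not defined")
    for acl, internal in plan["segmentation"].items():
        if not check_segmentation(cfg["acls"].get(acl, []), internal):
            findings.append(f"{acl}: no 'deny ip any {internal}' ahead of a permit to any")
    return findings


def run_audit():
    return audit(parse_config(RUNNING_CONFIG), PLAN)


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

Run against the constructed config this reports two findings: the password-encryption setting is missing, and the DMZ ACL's first line already permits DMZ hosts to reach "any" on port 443 (which includes the internal range) before the deny, so the documented separation is not what the device actually enforces.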
Configuration control board
The CCB's job is to decide how all systems in the company are to be configured: which settings must be set and which software is allowed. Auditors check that what the board mandated is actually in place and that the CCB maintains documentation of versions and the approved change history for audit review.
How to make changes to the configuration
Ensure the baseline set by the control board is followed and in place, and that every change goes through a formal change-management approval process with documentation, testing, and a rollback plan.
FCAPS
Make sure the organization is covering all five network-management areas:
Fault = detect/respond to faults
Configuration = track settings
Accounting = track user/device usage
Performance = monitor efficiency
Security = protect from threats
Maximizing LAN-to-WAN AIC
AIC is the same triad as CIA. Ensure the organization covers all three: Confidentiality through encryption, Integrity through hashing, digital signatures and authenticated protocols, Availability through redundant devices and links and backup ISPs.
Steps in Pen testing
The first step is to get written legal authorization (scope and rules of engagement) from the organization PRIOR to any testing, then reconnaissance, then breaking into systems: Footprinting → Scanning → Vulnerability Identification → Attack Planning → Attack Execution → Reporting.
IT security framework for WAN service providers
What do you expect the service provider to do? Contracts (SLAs) for availability and speed, and evidence that they are meeting them. Controls are grouped as preventive (encryption, configuration change control), detective (traffic analysis and monitoring), and corrective (patching vulnerabilities, having BCP/DRP plans).
Components in the remote access domain
Employees, their computers, and VPNs (also smartphones, authentication servers, and the ISPs providing the connections).
VPN
A private network carried over a shared network (the ISP's backbone or the public Internet). The provider or the company sets up a tunnel that carries the company's traffic along a defined, trusted path; the original packets are encapsulated inside tunnel packets, so an observer sees the tunnel endpoints rather than the real to and from addresses. Encapsulation by itself is not confidentiality: depending on the VPN type, encryption (e.g. IPsec) is not included by default and must be added for the contents to be protected if packets are intercepted.
VPN plus encryption
End-to-end encryption is not automatic in a VPN; it has to be included. With the links encrypted, data captured on a link is ciphertext. The danger point is the nodes (routers, switches, gateways): traffic is decrypted and re-encrypted inside each node, so it exists in the clear there. Securing endpoints and network devices is therefore just as critical as encrypting the traffic.
Relationship between performance and security
Encryption costs processing time and adds latency (tunnel headers also add some per-packet overhead), and stronger settings cost more: AES-256 runs 14 rounds per block against AES-128's 10, so it needs more CPU per block but gives a larger security margin. There is always a balance between performance and protection.
IIA Code of Ethics
Integrity, Objectivity, Confidentiality, Competency — auditors must maintain independence, protect data, only take assignments within their qualifications, and report truthfully.
Certifying bodies
(ISC)², ISACA, GIAC: organizations that offer certifications (also EC-Council and CompTIA for other cybersecurity and audit-related certifications).
Types of certifications
CISA (gold standard for auditors), CISSP (plus CISM for managers, CCSP for cloud security, CEH for ethical hackers, GSEC for security essentials).
Prerequisites for certifications
Usually on-the-job experience and/or coursework (typically 5 years of relevant work, reduced to 4 years with a college degree or an approved credential, depending on the certification body).
Testing details
CISSP = historically a 6-hour, 250-question linear exam with a passing score of 700 out of 1000 (roughly 70%); the current English exam is computerized adaptive, 100-150 questions in 3 hours, same 700/1000 pass mark. CISA = 4 hours, 150 questions (older forms had 200), pass at a scaled 450 out of 800.
Time in service requirements
Generally 5 years of relevant work experience; a college degree may waive 1 year.
Maintaining certification
Continuing professional education (conferences, webinars, luncheons) and an annual maintenance fee, with CPE credits reported annually; falling short can mean re-examination.
DRP Definition and primary focus
a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster. It is a comprehensive statement of consistent actions to be taken before, during, and after a disaster (focuses specifically on IT systems and services availability after disruptive events like cyber-attacks, natural disasters, or hardware failures).
DRP Steps
10 steps, including top management support, risk assessment, BIA, setting priorities, recovery strategies, data collection, documenting the plan, testing the plan, and approval. Each step builds on the last to create a living document that evolves as risks, business processes, and technology change.
DRP Areas to be reviewed
functional operations, key personnel, information flow, processing systems, services provided, existing documentation (and the dependencies between departments and critical services to prioritize recovery order).
DRP Hot sites, cold sites, warm sites, reciprocal agreements, etc.
Options if you need to move to a new location for redundancy (ConocoPhillips is cited as the gold standard for hot sites):
hot = fully equipped and immediately available, with real-time data replication
warm = site with partial equipment ready; data restored from backups before use
cold = location and basic infrastructure (power, space, connectivity) only
reciprocal = agreement between two organizations to host each other's operations after a disaster
DRP Collecting data
Who are our customers, how to get in touch with our employees, if we need to contact agencies (plus vendors, alternate suppliers, backup site information, insurance policies, and emergency response contacts).
DRP Testing the plan
Dry-run (walk-through) testing, checklist testing, simulation testing, parallel testing, and full-interruption testing, to verify the plan's viability and the team's readiness.
DRP Issues and pitfalls
Lack of buy-in, undefined or incomplete RTOs and RPOs, system myopia (only focusing on one area, such as VPNs), failure to update the plan as the organization changes, and lack of testing leading to unknown gaps.
BCP Definition and primary focus
a structured approach to protect people and property and to be able to resume critical operations (focused on the business as a whole, not just IT, including customer service, supply chains, finance, and regulatory compliance).
BCP Steps
identifying emergency contacts, writing organization policy, business descriptions, office locations, alternative work locations, data backup plans, risk assessments, mission critical systems, communications, banking relations, reporting plans, and regular review.
BCP Stakeholders and how you must communicate with
customers, employees, regulators, banks (methods include secure communications, redundant channels, emergency hotlines, public announcements, social media alerts for mass communications).
BCP Mission critical systems
order entry, order execution (also customer communications, logistics, manufacturing processes, and critical data systems).
BCP Constituents, banks and counter-parties
Constituents are customers, banks are financial institutions, and counter-parties are the other parties to the organization's contracts and transactions (suppliers and trading partners, which can include competitors that act as emergency service providers or share capacity under reciprocal agreements during major disruptions).
BCP Business descriptions and office locations
list all key operational hubs, warehouse locations, data centers, and their risk exposure to threats like floods, earthquakes, etc.
BCP teams
various functional leaders, different functions of the organization have a team member on the BCP team (cross-functional teams ensure that every critical department has a say and can be recovered in priority order).
BCP Issues and pitfalls
failure to test plans, outdated emergency contacts, missing alternate vendors, no redundant ISPs or backup power, and over-reliance on single points of failure.
Guest Speaker Name
John Stoddard
What does he do?
Risk Manager and Compliance Officer (examples: OSU Travel Program modernization and Air Force operational risk management).
What did he say was important?
Communication and teamwork in risk management, proactive stakeholder engagement, annual review and adjustment of plans, building strong relationships with partners and departments, cost-benefit analysis (Bang for Buck) (and that being proactive instead of reactive saves organizations time, money, and reputation).
RPO
Recovery Point Objective (RPO) is the maximum acceptable amount of data loss measured in time. It defines how frequently data backups should occur to minimize loss during a disaster, ensuring any data created or modified within the RPO timeframe is saved.
RTO
Recovery Time Objective (RTO) is the maximum acceptable amount of time that a system can be down after a disaster. It establishes the target time to restore operations and services following a disruption, allowing organizations to plan recovery strategies effectively.
MTPoD
Maximum Tolerable Period of Disruption (MTPoD) is the maximum duration that a business can tolerate being unable to operate effectively due to a disaster. It takes into account the operational, financial, and reputational impacts of downtime, guiding organizations to develop robust business continuity plans. The RTO for a system must be shorter than its MTPoD, since the MTPoD is the point at which the disruption becomes intolerable.
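As an added example for these notes (not code from the original page), the three objectives can be checked against evidence rather than just stated: the worst gap between successful backups must not exceed the RPO, the recovery time measured in a DR test must not exceed the RTO, and the RTO must be shorter than the MTPoD. The systems, objectives, backup-job log and DR test timings below are all constructed for the example.

```python
# Added example for these notes (not from the original page): checking RPO,
# RTO and MTPoD against evidence. Objectives, log and timings are constructed.
from datetime import datetime, timedelta

OBJECTIVES = {
    "orders-db":       {"rpo": timedelta(hours=4), "rto": timedelta(hours=8),
                        "mtpod": timedelta(hours=24)},
    # RTO longer than MTPoD: an inconsistent objective the review should catch
    "order-entry-web": {"rpo": timedelta(hours=1), "rto": timedelta(hours=12),
                        "mtpod": timedelta(hours=8)},
}

# Constructed backup-job log: timestamp, system, job type, result
BACKUP_LOG = """\
2024-03-01T00:05:00 orders-db full ok
2024-03-01T04:05:00 orders-db incremental ok
2024-03-01T08:05:00 orders-db incremental failed
2024-03-01T12:05:00 orders-db incremental ok
2024-03-01T16:05:00 orders-db incremental ok
"""

# Constructed results of the last DR test: time from declaration to service restored
DR_TEST_RESULTS = {
    "orders-db": timedelta(hours=6, minutes=30),
    "order-entry-web": timedelta(hours=10),
}


def parse_backup_log(text):
    runs = []
    for line in text.splitlines():
        ts, system, kind, status = line.split()
        runs.append((datetime.fromisoformat(ts), system, kind, status))
    return runs


def worst_rpo_gap(runs, system):
    """Largest gap between consecutive *successful* backups of a system.
    A failed run leaves the previous good copy as the only restore point,
    so it widens the gap instead of resetting it."""
    good = sorted(ts for ts, s, _, status in runs if s == system and status == "ok")
    if len(good) < 2:
        return None
    return max(later - earlier for earlier, later in zip(good, good[1:]))


def evaluate(system, obj, runs, measured_recovery):
    """Findings for one system: objective consistency, RPO evidence, RTO evidence."""
    findings = []
    if obj["rto"] >= obj["mtpod"]:
        findings.append(f"RTO {obj['rto']} is not shorter than MTPoD {obj['mtpod']}")
    gap = worst_rpo_gap(runs, system)
    if gap is None:
        findings.append("fewer than two successful backups logged; RPO cannot be evidenced")
    elif gap > obj["rpo"]:
        findings.append(f"worst gap between good backups {gap} exceeds RPO {obj['rpo']}")
    if measured_recovery is None:
        findings.append("no DR test result; RTO is unproven")
    elif measured_recovery > obj["rto"]:
        findings.append(f"measured recovery {measured_recovery} exceeds RTO {obj['rto']}")
    return findings


def evaluate_all():
    runs = parse_backup_log(BACKUP_LOG)
    return {s: evaluate(s, obj, runs, DR_TEST_RESULTS.get(s))
            for s, obj in OBJECTIVES.items()}


if __name__ == "__main__":
    for system, findings in evaluate_all().items():
        print(system, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

On the constructed data the orders-db backups run every four hours, which matches the RPO on paper, but one failed run means the real worst-case data loss is eight hours; that is the kind of gap "incomplete RTO and RPOs" in the pitfalls list refers to. The web tier shows the other failure: an RTO that is longer than the business can tolerate at all, plus no backup evidence in the log.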