Tuesday, 24 July 2012

Amendments in ISCA

Hey friends,

Hope you are doing well!

Following are the amendments in ISCA applicable for the Nov 2012 exam:

Chapter 5: Risk Management Process

Risk Management Process (Latest Amendment)
The process of Information Risk Management typically involves the following steps:
Step 1: Identification of Information Assets
Step 2: Valuation of Information Assets
Step 3: Identifying the Potential Threats and Vulnerabilities
Step 4: Information Risk Assessment
Step 5: Developing Strategies for Information Risk Management

The detail of each step is given as follows:

Step 1: Identification of Information Assets
- Identify the information assets supporting critical business operations that need to be protected.
The assets could fall under different groups, which are:
a) Conceptual / Intangible Assets:
1. Data and Information:
- Business and related information held on storage devices such as hard disks, or in transit, may be subject to unauthorized disclosure, copying, theft, corruption or damage.
2. Software:
- Application software (application packages for accounting, payroll, sales etc.) and system software (operating system, utility programs, compilers, communication software, DBMS etc.).
- Such programs may be susceptible to intentional or unintentional unauthorized modification by persons internal or external to the organization, or by faulty technology processes.

b) Physical / Tangible Assets:
- People (e.g. skilled users, analysts, programmers etc.)
- Hardware (e.g. mainframes, minicomputers, microcomputers, storage media, printers)
- Networking devices (e.g. communication lines, concentrators, hubs, switches etc.)
- Facilities: computing and communication equipment such as servers may require a special environment, such as air-conditioned, dust-free, humidity-controlled facilities.
- Documentation (e.g. printed forms, manuals, system and database documentation, IS policies and procedures)

Step 2: Valuation of Information Assets
- The information classification process focuses on business risk and data valuation.
- Information systems resources should be classified or categorized according to their sensitivity. In other words, information should be classified based on the critical value it possesses:
  - Critical info: strategic plans, formulas, trade secrets etc.
  - Less critical info: list of customers, details of employees' salaries, etc.
- With the loss of information relating to trade secrets, formulas or new product information, the organisation's credibility might be questioned.
- Thus, in order to ensure cost-effective controls, it is beneficial to classify the entire organizational information. It also helps in avoiding the cost of over-protecting and under-protecting information.
The assets so identified and grouped may be categorized into different classes, which are:
a) Top secret:
- This is the highest classification: compromise of confidentiality, integrity or availability can endanger the existence of the organization.
- Access to such information may be restricted to a few named individuals in the organization or to a set of identified individuals.

b) Secret:
- Information in this category is strategic to the survival of the organization.
- Unauthorized disclosure could cause severe damage to the organization and its stakeholders.

c) Confidential:
- Information in this category also needs a high level of protection; unauthorized disclosure may cause significant loss or damage.
- Such information is highly sensitive and should be well protected.

d) Sensitive:
- Such information requires a higher classification than unclassified information.
- Disclosure may cause serious impact.

e) Unclassified:
- Information that does not fall in any of the above categories is placed here.
- The nature of the information is such that its unauthorized disclosure would not cause any adverse impact on the organization.
- Such information may also be made freely available to the public.
Another classification, popular in commercial organizations, is:
Public, Sensitive, Private and Confidential.

Step 3: Identifying the Potential Threats and Vulnerabilities:
- A threat can be defined as an event that contributes to the interruption or destruction of any service, product or process.
- Common classes of threats are:
  - Errors
  - Malicious damage / attack
  - Fraud
  - Theft
  - Equipment / software failure
- Threats cause harm because of vulnerabilities associated with the use of information resources.
- A vulnerability is a weakness in the system safeguards that exposes the system to threats.
- It may be a weakness in an:
  - information system,
  - cryptographic system (security system),
  - hardware design, or
  - internal control.
- Examples of vulnerabilities are:
  - Lack of user knowledge
  - Lack of security functionality
  - Poor choice of passwords
  - Untested technology
  - Transmission over an unprotected communication medium

Threats to computer systems could affect the confidentiality, integrity or availability of system information or resources.

a) Confidentiality:
- Protection of the organization's sensitive information from disclosure to unauthorized persons and processes.

b) Integrity:
- Protection against any intentional or accidental unauthorized modification, which may have serious consequences for the business.
- E.g. a computer virus may corrupt data or programs, causing loss of transactions or of the integrity of those transactions.

c) Availability:
- Whether the information systems and processes critical for the conduct of business are available to authorized users as and when required.
- E.g. a denial-of-service attack.

Step 4: Information Risk Assessment:
- Once the assets and the corresponding potential threats have been identified, the systems are reviewed for weaknesses that can be exploited and for the likelihood of those weaknesses being exploited.
This is done by:
a) Vulnerability Assessment:
- A vulnerability is a weakness in the system safeguards that exposes the system to threats.
- A threat viewed in isolation may be misleading unless the vulnerabilities are taken into consideration. In most cases threats exploit vulnerabilities to cause loss or harm to the assets.
- For example, an attacker would look for loopholes in the architecture of the firewall to compromise the controls and gain unauthorized access to the network.

b) Probability or Likelihood Assessment:
- Likelihood is the chance of a threat happening.
- A likelihood assessment considers the presence, tenacity and strength of threats, as well as the effectiveness of safeguards.
- In general, the greater the likelihood of a threat occurring, the greater the risk.
- To some extent, the nature and value of information assets affect the likelihood of a threat occurring. If the asset is of high value, e.g. proprietary software packages, it is a prime target for piracy attempts.
- The likelihood of a threat occurring needs to be reassessed periodically, because the structure, direction and environment of an organization change.

c) Impact Analysis:
- A threat that succeeds in causing harm or loss to an asset results in an impact.
- Impact may be in monetary or non-monetary terms, e.g. loss of profit or loss of goodwill.

Step 5: Developing Strategies for Information Risk Management
- Once risks have been identified and assessed, appropriate corrections shall be made to the system, if required.
- Immediate action may not be taken to correct some identified vulnerabilities, but the process will at least analyse, document and recognize them for risk management decisions.
The strategies to manage risk fall into one or more of these four major categories:
a) Risk Avoidance:
- Not doing an activity that involves risk.
- It means losing out on the potential gain that accepting the risk might have provided.
- E.g. not using the Internet / a public network on a system connected to the organisation's internal network, and instead using a stand-alone PC for Internet usage.

b) Risk Mitigation / Reduction:
- Implementing controls to protect the IT infrastructure and to reduce the severity of a loss or the likelihood of the loss occurring.
- E.g. using anti-virus software against virus attacks.

c) Risk Transfer:
- Causing another party to accept the risk, i.e. sharing the risk with partners or through insurance coverage.

d) Risk Retention / Acceptance (the "do nothing" strategy; residual risk):
- Formally acknowledging that the risk exists and monitoring it. Risks retained in this way are called residual risks.
- Risk management aims to identify, select and implement the controls that are necessary to reduce residual exposures to acceptable levels.
- The goals and mission of an organization should be considered in selecting any of these risk management strategies.
- It may not be practical to address all identified risks, hence prioritization is required.
- In the prioritization process, the risks with the greatest loss and the greatest probability of occurrence are handled first, and risks with lower probability of occurrence and lower loss are handled later. In practice this prioritization can be difficult.

Understanding the Relationships Between IS Risks and Controls
- Risks that threaten the IS cannot be eliminated altogether but, through appropriate decisions and actions, can be mitigated (see residual risk above).
- Any threat to the system or its components could result in a loss to the company as a consequence of the exploitation of vulnerabilities.
- A control is a check or restraint on a system, designed to enhance its security.
- Controls can act to:
  - reduce a threat,
  - reduce the vulnerability to a threat, or
  - detect and recover from the impact of a threat.

- The objectives of IS controls are to:
  - prevent threats from exploiting the vulnerabilities of the assets or of the safeguards, and
  - detect threats in a timely manner and trigger corrective action where they cannot be prevented.
- If a control fails, threats could cause harm to the assets, resulting in an actual impact.
- The IS auditor should be able to evaluate whether the available controls are adequate and appropriate to mitigate the IS risks.
- In the case of a deficiency, the auditor should report such weaknesses to the auditee management along with appropriate recommendations.
- Hence it is important for the IS auditor to understand the relationship between risks and controls.
The following rules apply in determining the use of new controls:
- If a control would reduce risk more than needed, see whether a less expensive alternative exists.
- If a control does not reduce risk sufficiently, look for more controls or a different control.
- If a control would cost more than the risk reduction it provides, find something else.
- If a control provides enough risk reduction and is also cost-effective, use it.
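The five steps above and the four control-selection rules, carried through on numbers, as an added worked example in Python (this is not part of the ISCA study material): a small risk register that values assets (Step 2), records a threat and the vulnerability it exploits (Step 3), computes each risk's expected annual loss as likelihood × impact (Step 4), prioritizes the risks and picks the Step 5 strategy the numbers point to, and then applies the four rules to a set of candidate controls for the top risk. All asset values, likelihoods, impact fractions, control costs and the risk appetite are assumed illustration figures, and the names Asset, Risk, Control, select_control, strategy_for and run_example are the example's own.

```python
"""Added example (not from the ISCA text): a risk register walked through
Steps 2-5 and the four control-selection rules. Every figure below is a
constructed illustration value, not a figure from the study material."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str  # Step 2 class, e.g. "Top secret" ... "Unclassified"
    value: float         # Step 2 valuation in currency units (assumed)


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str             # Step 3: e.g. theft, malicious attack
    vulnerability: str      # Step 3: the weakness the threat exploits
    likelihood: float       # Step 4(b): annual probability, 0..1
    impact_fraction: float  # Step 4(c): share of asset value lost on success

    def exposure(self) -> float:
        """Step 4: expected annual loss = likelihood x impact (in money)."""
        return self.likelihood * self.impact_fraction * self.asset.value


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    likelihood_after: float  # likelihood once the control is in place
    impact_after: float      # impact fraction once the control is in place


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Step 5: greatest loss and greatest probability are handled first."""
    return sorted(risks, key=Risk.exposure, reverse=True)


def residual_exposure(risk: Risk, control: Control) -> float:
    return control.likelihood_after * control.impact_after * risk.asset.value


def select_control(risk: Risk, candidates: List[Control], appetite: float
                   ) -> Tuple[Optional[Control], Dict[str, str]]:
    """Apply the four rules to each candidate control for one risk.

    appetite: the largest residual annual loss management will retain (assumed).
    Returns the control to use (or None) plus a verdict per candidate.
    """
    verdicts: Dict[str, str] = {}
    usable: List[Control] = []
    for c in candidates:
        residual = residual_exposure(risk, c)
        reduction = risk.exposure() - residual
        if residual > appetite:            # rule 2: not enough reduction
            verdicts[c.name] = "insufficient: look for more or a different control"
        elif c.annual_cost > reduction:    # rule 3: costs more than it saves
            verdicts[c.name] = "costs more than the risk reduction: find something else"
        else:
            usable.append(c)
    if not usable:
        return None, verdicts
    usable.sort(key=lambda c: c.annual_cost)
    chosen = usable[0]                     # rule 4: enough and cost-effective
    verdicts[chosen.name] = "use it: enough reduction and cost-effective"
    for c in usable[1:]:                   # rule 1: a cheaper alternative exists
        verdicts[c.name] = "reduces risk more than needed: cheaper alternative exists"
    return chosen, verdicts


def strategy_for(risk: Risk, chosen: Optional[Control], appetite: float) -> str:
    """Step 5: which of the four strategies the numbers point to."""
    if risk.exposure() <= appetite:
        return "retain/accept: within appetite, monitor as residual risk"
    if chosen is not None:
        return "mitigate/reduce: implement " + chosen.name
    return "transfer or avoid: no cost-effective control brings it within appetite"


# Constructed sample register (illustration figures only)
FORMULA_DB = Asset("product formula database", "Top secret", 1_000_000)
CUSTOMER_LIST = Asset("customer list", "Confidential", 200_000)
WEBSITE = Asset("public website content", "Unclassified", 10_000)

RISKS = [
    Risk(WEBSITE, "defacement", "untested CMS version", 0.50, 0.20),
    Risk(FORMULA_DB, "theft by insider", "weak access control on DB", 0.10, 0.80),
    Risk(CUSTOMER_LIST, "malware corruption", "unpatched workstations", 0.30, 0.50),
]

FORMULA_DB_CONTROLS = [
    Control("quarterly access review", 2_000, 0.06, 0.80),
    Control("encryption plus MFA on the DB", 20_000, 0.02, 0.40),
    Control("enterprise DLP suite", 60_000, 0.01, 0.20),
    Control("air-gapped vault for all formula data", 100_000, 0.0, 0.0),
]


def run_example(appetite: float = 10_000) -> Dict[str, object]:
    ordered = prioritize(RISKS)
    top = ordered[0]
    chosen, verdicts = select_control(top, FORMULA_DB_CONTROLS, appetite)
    return {
        "priority_order": [r.asset.name for r in ordered],
        "top_exposure": round(top.exposure(), 2),
        "chosen": chosen.name if chosen else None,
        "verdicts": verdicts,
        "strategy": strategy_for(top, chosen, appetite),
    }


if __name__ == "__main__":
    for key, val in run_example().items():
        print(f"{key}: {val}")
```

With these figures the formula database (expected annual loss 80,000) is handled first; the access review alone leaves 48,000 of residual loss and is insufficient, the vault costs more than the 80,000 it could ever save, and of the two controls that bring the residual within the 10,000 appetite the DLP suite over-protects at three times the cost, so encryption plus MFA is selected and the strategy is mitigation. The website risk, at 1,000, is already within appetite and is simply retained and monitored.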
