Cybercrime Audit/Assurance Program

About ISACA
With more than 100,000 constituents in 180 countries, ISACA® (www.isaca.org) is a leading global provider of
knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security,
enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit,
independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS
auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It
also advances and attests IT skills and knowledge through the globally respected Certified Information Systems
Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT®
(CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.

ISACA continually updates and expands the practical guidance and product family based on the COBIT®
framework. COBIT helps IT professionals and enterprise leaders fulfill their IT governance and management
responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Disclaimer
ISACA has designed and created Cybercrime Audit/Assurance Program (the “Work”) primarily as an educational
resource for governance and assurance professionals. ISACA makes no claim that use of any of the Work will assure
a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests
or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In
determining the propriety of any specific information, procedure or test, governance and assurance professionals
should apply their own professional judgment to the specific circumstances presented by the particular systems or
information technology environment.

Reservation of Rights
© 2012 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified,
distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of
all or portions of this publication are permitted solely for academic, internal and noncommercial use and for
consulting/advisory engagements, and must include full attribution of the material’s source. No other right or
permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: [email protected]
Web site: www.isaca.org

Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center


Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISBN 978-1-60420-196-3

© ISACA 2012 All rights reserved. Page 2


Acknowledgments

ISACA wishes to recognize:


Author
Norm Kelson, CISA, CGEIT, CPA, CPE Interactive, Inc., USA

Expert Reviewers
David Alexander, Los Angeles Department of Water and Power, USA
Jeimy J. Cano M., PhD, CFE, Ecopetrol S.A., Colombia
Francis Kaitano, CISA, CISM, CISSP, ITIL, MCAD.Net, MCSD, Contact Energy, New Zealand
Kamal Khan, CISA, CISSP, CITP, Saudi Aramco, Saudi Arabia
Genemar Lazo, CISA, CGEIT, CRISC, MSBA, California State Polytechnic U, USA
Cheryl Santor, Metropolitan Water District of So. CA, USA
Ability Takuva, CISA, Ernst & Young, LLP, South Africa

ISACA Board of Directors


Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, International President
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Vice President
Juan Luis Carselle, CISA, CGEIT, CRISC, Wal-Mart, Mexico, Vice President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, 6 Sigma, Quest Software, Spain, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management Inc., USA, Vice President
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Past International President
Emil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd. (retired), USA, Past International President
John Ho Chi, CISA, CISM, CRISC, CBCP, CFE, Ernst & Young LLP, Singapore, Director
Krysten McCabe, CISA, The Home Depot, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich, Australia, Director

Knowledge Board
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Chairman
Steven A. Babb, CGEIT, CRISC, UK
Thomas E. Borton, CISA, CISM, CRISC, CISSP, Cost Plus, USA
Philip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Salomon Rico, CISA, CISM, CGEIT, Deloitte, Mexico
Steven E. Sizemore, CISA, CIA, CGAP, Texas Health and Human Services Commission, USA

Guidance and Practices Committee


Philip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA, Chairman
Dan Haley, CISA, CGEIT, CRISC, MCP, Johnson & Johnson, USA
Yves Marcel Le Roux, CISM, CISSP, CA Technologies, France
Aureo Monteiro Tavares Da Silva, CISM, CGEIT, Pelissari, Brazil
Jotham Nyamari, CISA, Deloitte, USA
Connie Lynn Spinelli, CISA, CRISC, CFE, CGMA, CIA, CISSP, CMA, CPA, GRC Solutions LLC, USA
John William Walker, CISM, CRISC, CITP, FBCS, ITPC Secure Bastion Ltd., UK
Siang Jun Julia Yeo, CISA, CPA (Australia), Visa Worldwide Pte. Limited, Singapore
Nikolaos Zacharopoulos, CISA, DeutschePost–DHL, Germany

ISACA and IT Governance Institute® (ITGI®) Affiliates and Sponsors


Information Security Forum
Institute of Management Accountants Inc.
ISACA chapters
ITGI France

ITGI Japan
Norwich University
Socitum Performance Management Group
Solvay Brussels School of Economics and Management
Strategic Technology Management Institute (STMI) of the National University of Singapore
University of Antwerp Management School

ASIS International
Hewlett-Packard
IBM
Symantec Corp.

Table of Contents
I. Introduction.......................................................................................................................................5
II. Using This Document........................................................................................................................6
III. Controls Maturity Analysis................................................................................................................9
IV. Assurance and Control Framework..................................................................................................10
V. Executive Summary of Audit/Assurance Focus...............................................................................11
VI. Audit/Assurance Program................................................................................................................14
1. Planning and Scoping the Audit...................................................................................................14
2. Understanding Supporting Infrastructure.....................................................................................16
3. Governance..................................................................................................................................17
4. Organization................................................................................................................................19
5. Organizational Policies................................................................................................................20
6. Business Role in Cybercrime Prevention.....................................................................................22
7. IT Management............................................................................................................................25
8. Incident Management Policy And Procedures.............................................................................28
9. Incident Management Implementation.........................................................................................38
10. Crisis Management....................................................................................................................46
VII. Maturity Assessment.......................................................................................................................49
VIII. Maturity Assessment vs. Target Assessment...................................................................................52

I. Introduction

Overview
ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good practice-
setting model. ITAF provides standards that are designed to be mandatory, and are the guiding principles
under which the IT audit and assurance profession operates. The guidelines provide information and
direction for the practice of IT audit and assurance. The tools and techniques provide methodologies,
tools and templates to provide direction in the application of IT audit and assurance processes.

Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a
specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use
by IT audit and assurance practitioners with the requisite knowledge of the subject matter under review,
as described in ITAF, section 2200—General Standards. The audit/assurance programs are part of ITAF,
section 4000—IT Assurance Tools and Techniques.

Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT® framework—
specifically COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF,
sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT
Audit and Assurance Management.

Many enterprises have embraced several frameworks at an enterprise level, including the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The
importance of the control framework has been enhanced due to regulatory requirements by the US
Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and
similar legislation in other countries. Enterprises seek to integrate control framework elements used by
the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used,
it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename
these columns to align with the enterprise’s control framework.

Governance, Risk and Control of IT


IT governance, risk and control are critical in the performance of any assurance management process.
Governance of the process under review will be evaluated as part of the policies and management
oversight controls. Risk plays an important role in evaluating what to audit and how management
approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program.
Controls are the primary evaluation point in the process. The audit/assurance program will identify the
control objectives and the steps to determine control design and effectiveness.

Responsibilities of IT Audit and Assurance Professionals


IT audit and assurance professionals are expected to customize this document to the environment in
which they are performing an assurance process. This document is to be used as a review tool and starting
point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or
questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter
expertise required to conduct the work and is supervised by a professional with the CISA designation
and/or necessary subject matter expertise to adequately review the work performed.

II. Using This Document


This audit/assurance program was developed to assist the audit and assurance professional in designing
and executing a review. Details regarding the format and use of the document follow.

Work Program Steps


The first column of the program describes the steps to be performed. The numbering scheme used
provides built-in work paper numbering for ease of cross-reference to the specific work paper for that
section. The physical document was designed in Microsoft® Word. The IT audit and assurance
professional is encouraged to make modifications to this document to reflect the specific environment
under review.

Step 1 is part of the fact gathering and pre-fieldwork preparation. Because the pre-fieldwork is essential to
a successful and professional review, the steps have been itemized in this plan. The first-level steps, e.g.,
1.1, are in bold type and provide the reviewer with a scope or high-level explanation of the purpose for
the substeps.

Beginning in step 2, the steps associated with the work program are itemized. To simplify use, the
program describes the audit/assurance objective—the reason for performing the steps in the topic area and
the specific controls follow. Each review step is listed after the control. These steps may include assessing
the control design by walking through a process, interviewing, observing or otherwise verifying the
process and the controls that address that process. In many cases, once the control design has been
verified, specific tests need to be performed to provide assurance that the process associated with the
control is being followed.

The maturity assessment, which is described in more detail later in this document, makes up the last
section of the program.

The audit/assurance plan wrap-up—those processes associated with the completion and review of work
papers, preparation of issues and recommendations, report writing and report clearing—has been
excluded from this document because it is standard for the audit/assurance function and should be
identified elsewhere in the enterprise’s standards.

COBIT 4.1 Cross-reference


The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the
specific COBIT 4.1 control objective that supports the audit/assurance step. The COBIT control objective
should be identified for each audit/assurance step in the section. Multiple cross-references are not
uncommon. Subprocesses in the work program are too granular to be cross-referenced to COBIT. The
audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to
the development process. COBIT provides in-depth control objectives and suggested control practices at
each level. As professionals review each control, they should refer to COBIT 4.1 or the IT Assurance
Guide: Using COBIT for good-practice control guidance.

COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among
audit and assurance professionals. This ties the assurance work to the enterprise’s control framework.
While the IT audit/assurance function has COBIT as a framework, operational audit and assurance
professionals use the framework established by the enterprise. Since COSO is the most prevalent internal
control framework, it has been included in this document and is a bridge to align IT audit/assurance with
the rest of the audit/assurance function. Many audit/assurance enterprises include the COSO control
components within their report and summarize assurance activities to the audit committee of the board of
directors.

For each control, the audit and assurance professional should indicate the COSO component(s) addressed.
It is possible, but generally not necessary, to extend this analysis to the specific audit step level.

The original COSO internal control framework contained five components. In 2004, COSO issued an
Enterprise Risk Management (ERM) Integrated Framework, which includes eight components. The ERM
Framework has a business decision focus when compared to the 2004 Internal Control—Integrated
Framework. Large enterprises are in the process of adopting ERM. The two frameworks are compared in
figure 1.

Figure 1—Comparison of COSO Internal Control and ERM Integrated Frameworks

The two columns of the original figure are the Internal Control—Integrated Framework ("Internal Control" below) and the ERM Integrated Framework ("ERM" below). Where the Internal Control framework has no corresponding component, only the ERM entry is listed.

Internal Control: Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management’s operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.
ERM: Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Internal Control: (no corresponding component)
ERM: Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.

Internal Control: (no corresponding component)
ERM: Event Identification: Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.

Internal Control: Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
ERM: Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

Internal Control: (no corresponding component)
ERM: Risk Response: Management selects risk responses—avoiding, accepting, reducing, or sharing risk—developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.

Internal Control: Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
ERM: Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Internal Control: Information and Communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.
ERM: Information and Communication: Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.

Internal Control: Monitoring: Internal control systems need to be monitored—a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.
ERM: Monitoring: The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Information for figure 1 was obtained from the COSO web site www.coso.org/aboutus.htm.

The 1992 Internal Control—Integrated Framework addresses the needs of the IT audit and assurance
professional: control environment, risk assessment, control activities, information and communication,
and monitoring. As such, ISACA has elected to utilize the five-component model for its audit/assurance
programs. When completing the COSO component columns, consider the definitions of the components
as described in figure 1.

Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper that describes the work
performed, issues identified, and conclusions for each line item. The reference/hyperlink is to be used to
cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this
document provides a ready numbering scheme for the work papers. If desired, a link to the work paper
can be pasted into this column.

Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to
further investigate or establish as a potential finding. The potential findings should be documented in a
work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal
finding, or waived).

Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used
in place of a work paper describing the work performed.

III. Controls Maturity Analysis


One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire
to understand how their performance compares to good practices. Audit and assurance professionals must
provide an objective basis for the review conclusions. Maturity modeling for management and control
over IT processes is based on a method of evaluating the organization, so it can be rated from a maturity
level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the
Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software
development.

The IT Assurance Guide Using COBIT, Appendix VII—Maturity Model for Internal Control (figure 2)
provides a generic maturity model showing the status of the internal control environment and the
establishment of internal controls in an enterprise. It shows how the management of internal control, and
an awareness of the need to establish better internal controls, typically develops from an ad hoc to an
optimized level. The model provides a high-level guide to help COBIT users appreciate what is required
for effective internal controls in IT and to help position their enterprise on the maturity scale.

Figure 2—Maturity Model for Internal Control

Each maturity level is described under two headings from the original figure: Status of the Internal Control Environment and Establishment of Internal Controls.

Maturity Level 0, Non-existent
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organization’s culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

Maturity Level 1, Initial/ad hoc
Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

Maturity Level 2, Repeatable but Intuitive
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

Maturity Level 3, Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

Maturity Level 4, Managed and Measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases.

Maturity Level 5, Optimized
Status of the Internal Control Environment: An enterprisewide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.

The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and
assurance professional can address the key controls within the scope of the work program and formulate
an objective assessment of the maturity level of the control practices. The maturity assessment can be a
part of the audit/assurance report and can be used as a metric from year to year to document progress in
the enhancement of controls. However, the perception of the maturity level may vary between the
process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned stakeholder’s
concurrence before submitting the final report to the management.

At the conclusion of the review, once all findings and recommendations are completed, the professional
assesses the current state of the COBIT control framework and assigns it a maturity level using the six-
level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity
model. As a further reference, COBIT provides a definition of the maturity designations by control
objective. While this approach is not mandatory, the process is provided as a separate section at the end of
the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity
assessment be made at the COBIT control level. To provide further value to the client/customer, the
professional can also obtain maturity targets from the client/customer. Using the assessed and target
maturity levels, the professional can create an effective graphic presentation that describes the
achievement or gaps between the actual and targeted maturity goals. A graphic is provided as the last
page of the document (section VIII), based on sample assessments.

IV. Assurance and Control Framework

ISACA IT Assurance Framework and Standards


The following sections in ITAF are relevant to cybercrime prevention and incident management:
• 3450—IT Processes
• 3490—IT Support of Regulatory Compliance
• 3630.7—Information Security Management
• 3630.9—Business Continuity Plan and Disaster Recovery Plan
• 3630.11—Network Management and Controls

ISACA Control Framework


Within the COBIT 4.1 Deliver and Support (DS) domain, DS5.5 Security testing, surveillance and
monitoring; DS5.6 Security incident definition; and DS8 Manage service desk and incidents [1] address
security incident management. The COBIT areas for this evaluation include:
• DS5.5 Security testing, surveillance and monitoring—Test and monitor the IT security
implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure
that the approved enterprise’s information security baseline is maintained. A logging and monitoring
function will enable the early prevention and/or detection and subsequent timely reporting of unusual
and/or abnormal activities that may need to be addressed.
• DS5.6 Security incident definition—Clearly define and communicate the characteristics of potential
security incidents so they can be properly classified and treated by the incident and problem
management process.
• DS8.2 Registration of customer queries—Establish a function and system to allow logging and
tracking of calls, incidents, service requests and information needs. It should work closely with such
processes as incident management, problem management, change management, capacity management
and availability management. Incidents should be classified according to a business and service
priority and routed to the appropriate problem management team, where necessary. Customers should
be kept informed of the status of their queries.
• DS8.3 Incident escalation—Establish service desk procedures, so incidents that cannot be resolved
immediately are appropriately escalated according to limits defined in the SLA and, if appropriate,
workarounds are provided. Ensure that incident ownership and life cycle monitoring remain with the
service desk for user-based incidents, regardless of which IT group is working on resolution activities.

[1] DS8 scope will be limited to cybercrime information security incidents.

© ISACA 2012 All rights reserved. Page 10


Cybercrime Audit/Assurance Program

• DS8.4 Incident closure—Establish procedures for the timely monitoring of clearance of customer
queries. When the incident has been resolved, ensure that the service desk records the resolution
steps, and confirm that the action taken has been agreed to by the customer. Also record and report
unresolved incidents (known errors and workarounds) to provide information for proper problem
management.

Refer to the IT Governance Institute’s COBIT Control Practices: Guidance to Achieve Control
Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice
value and risk drivers.

V. Executive Summary of Audit/Assurance Focus


Cybercrime is a criminal offense that involves the use of a computer network, and it is a natural
manifestation of the increasing reliance on automation to process business activities. Although the act of
cybercrime is not a new phenomenon, the frequency and the damage potential have increased as more
reliance is placed on automated processes. To further exacerbate the problem, cybercrime activities may
operate under the radar until they become major fraud or a serious organizational embarrassment. It must
be emphasized that cybercrime is NOT an IT issue, but rather an integrated business issue.

Management needs to address cybercrime with processes covering:


• Awareness
• Prevention
• Detection
• Incident management
• Crisis management
• Cooperation with investigatory organizations

Awareness is the starting point for all enterprises. This process includes an understanding of the
business impact and risk. As with business continuity planning (BCP), a business impact analysis (BIA)
focused on cybercrime events establishes a baseline from which management can consider the effects of
such an event, and a risk assessment evaluates the inherent risk (before controls are implemented) and
the residual risk (after controls are implemented). To be effective, the cybercrime BIA is a joint effort
of all business and support units that could be affected by a cybercrime incident. Awareness also
includes enterprisewide vigilance with appropriate reminders instilled through the security awareness
program.

Prevention involves ensuring that entry points into the enterprise are secured using best practices. This
includes: hardware/software configuration management; physical and logical access to IT and non-IT
assets; control of intellectual property, personally identifiable information, financial assets, etc.; and
alignment with the awareness processes discussed in the previous paragraph. Automated penetration tests
and vulnerability assessments often assist in identifying the IT-related issues. It is up to management to
identify prevention processes directed at employees and contractors.

Detection addresses processes that identify potential “unusual events.” Enterprises may have integrated
exception reporting into their routine automated processes, and employ data mining and data analytics to
highlight unusual events.

Incident management is the process that manages a cybercrime incident once it is identified. The security
incident management process generally addresses the assessment of risk, securing enterprise assets
(including the shutting down of affected or potentially affected resources), escalation procedures,
remediation plan and implementation, and coordination with investigatory organizations.


Crisis management is the communications component of the cybercrime incident and involves
communication within the enterprise and a public relations focus for external parties. Crisis management
preparedness attempts to limit reputational damage.

A cybercrime incident may initiate investigations by law enforcement agencies, insurance adjustors,
regulatory bodies, and other third parties. The enterprise needs to establish liaisons with each
organization, as well as integration processes to minimize redundancy.

Based on this wide scope of activities, the audit of organizational preparedness is critical.

Business Impact and Risk


The impact on the business and the accompanying risk could be significant. Depending on the industry,
businesses may experience cybercrime intrusion attempts for financial gain, to obtain intellectual
property, to create a business disruption, to obtain private data or to compromise national security. The
perpetrators of the intrusion can be external or internal, private or government-sponsored. The resultant
activity may expose the enterprise to risk and issues such as:
• Reputational risk—Public relations issues with customers or the public
• Regulatory risk—The inability to satisfy regulatory processing requirements due to an outage or
violation of a regulation
• Operational risk—The inability to process critical business functions
• Internal human resources issues—Issues relating to payroll and employee privacy
• Financial risk—The loss of physical assets, the cost to remediate identified risk, or the inability to meet
contractual service level agreements (SLAs) with third parties, resulting in legal liability

Objective and Scope


Objective—The objective of the audit/assurance review is to provide management with an independent
assessment relating to the effectiveness of cybercrime prevention, detection and incident management
processes, policies, procedures and governance activities.

Scope—The review will focus on cybercrime management standards, guidelines and procedures as well
as the implementation and governance of these activities. The audit/assurance review will rely on other
operational audits of the incident management process, configuration management and security of
networks and servers, security management and awareness, business continuity management, information
security management, governance and management practices of both IT and the business units, and
relationships with third parties.

Minimum Audit Skills


The IT audit and assurance professional must have an understanding of good-practice information
security processes and cybercrime threats. Professionals who have achieved the CISA certification should
have these skills. Technical skills necessary to perform some audit steps may require specific
understanding of information security, network analysis, operating systems and database tools.

Feedback
Visit www.isaca.org/cybercrime-AP and use the feedback function to provide your comments and
suggestions on this document. Your feedback is a very important element in the development of ISACA
guidance for its constituents and is greatly appreciated.


VI. Audit/Assurance Program


Table columns: Audit/Assurance Program Step; COBIT Cross-reference; COSO components (Control
Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring), with an
X under each component the control addresses; Reference Hyperlink; Issue Cross-reference; Comments.
The X marks are reproduced with each control below, but their column alignment is not preserved in this
text version.

1. Planning and Scoping the Audit


1.1 Define audit/assurance objectives.
The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan
and charter.
1.2 Define boundaries of review.
The review must have a defined scope. The reviewer must understand the operating environment and
prepare a proposed scope, subject to a later risk assessment.
1.2.1 Perform a high-level walkthrough of the processes related to cybercrime management.
1.2.2 Establish initial boundaries of the audit/assurance review.
1.2.2.1 Identify limitations and/or constraints affecting the audit.
1.3 Define assurance.
The review requires two sources of standards. The corporate standards defined in the policy and
procedure documentation establish the corporate expectations. At minimum, corporate standards
should be implemented. The second source, a good-practice reference, establishes industry
standards. Enhancements should be proposed to address gaps between the two.
1.3.1 Determine if COBIT and the appropriate security incident management framework will be
used as a good-practice reference.
1.4 Identify and document risk.
The risk assessment is necessary to evaluate where audit resources should be focused. The risk-based
approach assures utilization of audit resources in the most effective manner.
1.4.1 Identify the inherent business risk associated with cybercrime threats.
1.4.2 Identify the technology risk associated with cybercrime threats.
1.4.3 Evaluate business and technology risk.

1.4.4 Based on risk assessment, identify changes to the scope.


1.4.5 Discuss risk with IT, business and operational audit management, and adjust the risk
assessment.
1.5 Define the change process.
The initial audit approach is based on the reviewer’s understanding of the operating environment and
associated risk. As further research and analysis are performed, changes to the scope and approach
will result.
1.5.1 Identify the senior IT audit/assurance resource responsible for the review.
1.5.2 Establish the process for suggesting and implementing changes to the audit/assurance
program, and the authorizations required.
1.6 Define assignment success.
Success factors need to be identified. Communication among the IT audit/assurance team, other
assurance teams and the enterprise is essential.
1.6.1 Identify the drivers for a successful review. (This should exist in the audit/assurance
function’s standards and procedures.)
1.6.2 Communicate success attributes to the process owner or stakeholder and obtain agreement.
1.7 Define audit/assurance resources required.
The resources required are defined in the introduction to this audit/assurance program.
1.7.1 Determine the audit/assurance skills necessary for the review.
1.7.2 Determine the estimated total resources (hours) and time frame (start and end dates) required
for the review.
1.8 Define deliverables.
The deliverables are not limited to the final report. Communication between the audit/assurance teams
and the process owners is essential to assignment success.
1.8.1 Determine the interim deliverables, including initial findings, status reports, draft reports, due
dates for responses and the final report.


1.9 Communicate.
The audit/assurance process is clearly communicated to the customer/client.
1.9.1 Conduct an opening conference to discuss the review objectives with the executive
responsible for operating systems and infrastructure.
2. Understanding Supporting Infrastructure
2.1 Cybercrime management is supported by entity standards, processes and procedures.
Audit/assurance objective: To properly evaluate the process, the supporting infrastructure and
documentation need to be reviewed and evaluated.
2.1.1 Obtain and review the cybercrime task force [2] current organization chart and include dotted
line responsibility to the IT function and the business units.
2.1.2 Interview the senior security, compliance and legal officers as well as the IT security
manager/administrator and risk officer.
2.1.2.1 Identify who is responsible for cybercrime incident response/handling.
2.1.3 Obtain a copy of the following:
• Enterprise security policy
• Incident response plan
• Segregation of duties requirements
• Cybercrime and routine information security incident response/handling policy
• Cybercrime and routine incident response/handling strategy/process
• Security software change procedures and standards
• Security violation reports and management review procedures
• Relevant legal and regulatory requirements related to computer forensics and incident
response
• Incident reporting and escalation policies—for internal reporting, external referral to
law enforcement and legal representatives, and mandatory disclosure requirements
• Data classification schema and list of critical resources

[2] In the audit program, the cybercrime task force is the primary team responsible for planning, managing and responding to security incidents involving fraud or attacks utilizing
computers, networks, etc. Different enterprises may use different names, but the scope and focus of the team should be equivalent. The computer security incident response
team (CSIRT) may be a part of or comprise the cybercrime task force.

• Intrusion detection systems (IDS) and intrusion prevention systems (IPS) used, vendor,
model and configuration
• Firewall architecture, providers/vendors, configuration, audit trail logging, alarms,
suspicious activity definitions and monitoring activities
• List of tools available within the enterprise for forensic endeavors
• List of people trained to use the forensic tools and the last date tools were
applied/tested/utilized
• Incident response risk analysis reports
• Computer security incident response team (CSIRT) procedures
• Underlying contracts
• Crisis management procedures
• Any other information relevant to the infrastructure of the enterprise
• Evaluation of information security function and its effectiveness within the enterprise
3. Governance
3.1 Executive Management Involvement in Cybercrime Prevention Audit/Assurance
Audit/assurance objective: Cybercrime prevention is monitored on a regular basis by senior
management.
4. Senior Management Reviews Cybercrime Preparedness
COBIT: ME1.5 | COSO: X X X X
Control: Senior management routinely reviews cybercrime policies and assessments.
4.1.1.1 Obtain and review minutes of meetings or other documentation to confirm senior
management monitoring of cybercrime policies and assessments.
4.1.1.2 Determine if the business impact analysis (BIA) summary or similar document is
reviewed and approval is documented at least annually.


4.2 Business and IT Unit Leader Involvement in Cybercrime Management


Audit/assurance objective: Business and IT unit leaders are trained and actively involved in the
oversight and significant decisions relating to cybercrime preparedness and incidents.
5. Business Executive Training in Cybercrime
COBIT: PO4.10, PO6.3, ME2.1 | COSO: X X X
Control: Business executives are trained in cybercrime and information security issues appropriate to
their functional position.
5.1.1.1 Determine if business executives receive training at least annually in cybercrime
deterrence practices and anti-cybercrime issues.
6. Active Involvement in Cybercrime Planning and Management by IT and Business Unit Leaders
COBIT: PO4.10, PO6.3, ME2.1 | COSO: X X X
Control: IT and business unit leaders are responsible for directing cybercrime prevention activities
within their respective units.
6.1.1.1 Select the business units with the greatest risk for cyberattacks.
6.1.1.2 Obtain communications, meeting minutes and other documentation to substantiate
consideration of cybercrime and cyberattacks by business unit management and staff.
7. Active Involvement in Cybercrime Communication by IT and Business Unit Leaders
COBIT: PO6.5 | COSO: X
Control: IT and business unit leaders receive regular communications from the cybercrime task
force appropriate to their position (both functionally and administratively).
7.1.1.1 Determine communications protocol between the cybercrime task force and IT and
business management.
7.1.1.2 Identify issues requiring escalation to and immediate response by management.
7.1.1.3 Determine if appropriate governance and direction was provided by management.


8. Organization
8.1 Cybercrime Task Force
Audit/assurance objective: A cybercrime task force has been established and includes appropriate
functional members.
9. Cybercrime Team Leadership
COBIT: PO4.4, PO4.5, PO4.8, PO7.2 | COSO: X X
Control: The cybercrime team is managed by an information security professional with knowledge
of cybercrime prevention and investigation as well as a thorough understanding of the
enterprise infrastructure.
9.1.1.1 Identify cybercrime team leadership.
9.1.1.2 Evaluate team leader skill set and background.
10. Cybercrime Team Membership
COBIT: PO4.6, PO4.8, PO7.2, PO7.3 | COSO: X
Control: Cybercrime team members include representation from appropriate business, IT and support
units, and a liaison to senior management.
10.1.1.1 Obtain cybercrime team membership.
10.1.1.2 Determine that the following representation and their responsibilities exist within the
team:
• Computer security incident response leader
• IT liaison
• Business unit(s) liaisons
• Legal counsel
• Public relations
• Crisis management
• Business continuity management/disaster recovery
• Support unit liaisons:
– Accounting/finance
– Human resources
– Corporate security (physical)


10.1.1.3 Obtain meeting minutes to determine active participation of team members.


10.2 Cybercrime Authority
Audit/assurance objective: The cybercrime team and leadership have the appropriate authority to
perform duties.
11. Cybercrime Authority
COBIT: PO4.6 | COSO: X
Control: The cybercrime task force and its leadership have the authority to perform the activities
necessary to protect the enterprise from and during cyberattacks.
11.1.1.1 Obtain cybercrime charter, certificate of authority and other documentation.
11.1.1.2 Determine if sufficient authority exists to respond to cyberattacks and cybercrime
incidents.
11.1.1.3 Determine if the authority permits executing appropriate actions within the time frame
required to protect enterprise assets.


12. Organizational Policies


12.1 Policies
Audit/assurance objectives: Enterprise policies include appropriate cybercrime related policies to
protect data, intellectual property and the infrastructure.
13. Human Resources
COBIT: PO6.1, PO6.3 | COSO: X X
Control: Human resources policies support the anti-cybercrime policies and initiatives.
13.1.1.1 Ascertain whether key IT functions have an adequate understanding of the relevant policies
and procedures.
13.1.1.2 Obtain the IT acceptable use policy.
13.1.1.3 Review the policy to determine that cybercrime awareness issues are included in the
policy.
13.1.1.4 Review the policy to determine that users are provided with warning signs of potential
cyberattacks and cybercrime, and the actions to be taken.
13.1.1.5 Obtain human resources policy relating to computer usage, identity management and
policy enforcement.
13.1.1.6 Determine that enforcement and associated penalties are uniformly executed.


14. Change and Configuration Management
COBIT: PO6.3, DS9.2 | COSO: X
Control: Program, configuration and associated change management policies and procedures ensure
that data, networks, servers, mobile devices, etc., are protected from unauthorized access and
are appropriately configured.
14.1.1.1 Obtain a copy of any audits carried out on change management and ensure that
recommendations have been implemented by management.
14.1.1.2 Obtain and review change and configuration policies relating to the various computing
platforms and infrastructure affecting data considered susceptible to cybercrime.
15. Third-party Providers
COBIT: PO6.3, DS2.1, DS2.4 | COSO: X
Control: Third-party providers, including outsourced (cloud) agreements, are included in all
cybercrime/cyberattack prevention and management activities.
15.1.1.1 Obtain third-party agreements.
15.1.1.2 Determine if cybercrime/cyberattack management issues are addressed in the
agreements and policies.
15.1.1.3 Determine if independent third-party reports or certifications (e.g., ISO 2700x, SOC 2,
SOC 3) are available for third-party providers.
15.1.1.3.1 Determine whether third-party reports address the services and
processes utilized by the enterprise.
15.1.1.3.2 Evaluate whether third-party providers comply with the enterprise’s
information security policies.
16. Cyberincident Response Policy
COBIT: PO4.6, DS5.5, DS5.6, DS8, DS10 | COSO: X X
Control: Cyberincident response policies and processes identify the scope, objectives and
requirements that define who should respond to an incident and how, what constitutes an
incident, and the specific processes for monitoring and reporting incident activities.
16.1.1.1 Obtain the cyberincident response policies and plans.
16.1.1.2 Evaluate how the cyberincident response policies differ from the information security
incident response policies.
16.1.1.3 Determine if the cyberincident policies reflect appropriate requirements for cyberattacks.
16.1.1.4 Obtain details of any incidents and verify that they were handled in line with the
policy.
17. Business Role in Cybercrime Prevention
17.1 Risk Management
Audit/assurance objective: Business units identify risk and vulnerabilities within their purview.
18. Business Impact Analysis
COBIT: PO1.2, PO9 | COSO: X
Control: A BIA is routinely performed as a basis for identifying business risk and includes a
cybercrime component.
18.1.1.1 Obtain the BIA.
18.1.1.2 Determine if cybercrime is an evaluation component.
18.1.1.3 If cybercrime is included in the BIA, determine the quality, comprehensiveness and
conclusions generated by the work product.
18.2 Data Classification [3]
Audit/assurance objective: A classification scheme has been defined and implemented that applies
throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top
secret) of enterprise data, specifically addressing data that could be utilized in cybercrime.
19. Data Classification Definition
COBIT: PO2.3 | COSO: X
Control: A classification scheme defines attributes for data classification.
19.1.1.1 Obtain the data classification definition.
19.1.1.2 Determine that the data classification defines the following attributes:
• Data ownership
• Definition of security levels
• Data protection controls
• Data retention and destruction requirements
• Definition of criticality and sensitivity

[3] Data classification may have been covered in other audits. Cybercrime management relies on the results as a tool for evaluating risk.

19.1.1.3 Review the data classification definition for cybercrime-related information:
• Personally identifiable information
• Financial information
• Intellectual property, patent, trademarked and copyrighted material
20. Data Classification Levels
COBIT: PO2.3 | COSO: X
Control: Data classification attributes as identified above are defined for each data classification
level (e.g., for confidentiality: public, internal and confidential).
20.1.1.1 Review the data classification scheme and verify that all significant components are
covered and completed and that the scheme is reasonable in balancing cost vs. risk,
specifically focused on data that could be of use in a cybercrime.
21. Data Ownership
COBIT: PO2.3, PO4.9, DS11.1, DS11.6 | COSO: X
Control: Business owners are identified as data owners and are held accountable for the
maintenance and monitoring of their data.
21.1.1.1 Confirm that data ownership rests with business owners and that appropriate security
measures are defined for each classification level.
21.1.1.2 Select a sample and review data owners to determine that:
• The data owner classifies all information using the defined scheme and levels.
• Classification covers the whole life cycle of information from creation to disposal.
• Where an asset has been assessed as having a certain classification, any component
inherits the same classification.
• Owners understand the consequences of the classification and balance security
needs against cost considerations and other business requirements considering the
value of the assets they own.
• Information and data are labeled, handled, protected, disposed of and otherwise
secured in a manner consistent with the data classification categories.


21.2 Cybercrime Communications With Business Units


Audit/assurance objective: Communications between the business units, IT, the cybercrime task force
and related units are active and timely.
22. Active Communication of Cybercrime Planning and Management by IT and Business Unit
Leaders
COBIT: PO6.5, DS5.1 | COSO: X X
Control: IT and business unit leaders receive regular communications from information security
appropriate to their position (both functionally and administratively).
22.1.1.1 Obtain examples of communications between IT and the business units.
22.1.1.2 Determine if lines of communication are adequate to address cyberattack issues within
the time frames required to protect enterprise data and information.
22.2 Data Mining and Data Analytics
Audit/assurance objective: Data mining and data analytic techniques are utilized to identify
cyberattacks and other fraudulent conditions.
23. Business Unit Development of Potential Fraudulent Conditions
COBIT: PO9, DS11.1, DS11.6 | COSO: X
Control: Business units define potential fraud situations and conditions to be designed into data
analysis processes.
23.1.1.1 Determine if the business units have performed a requirements definition of potential
fraudulent conditions within their applications.
23.1.1.2 Using the auditor's knowledge of the business processes, evaluate the effectiveness,
efficacy, and completeness of data mining and data analytics conditions.


23.1.1.3 Determine if additional processes should be considered in the data mining and data
analytics process.
24. Development and Routine Processing of Data Mining and Analytics
COBIT: AI2.9 | COSO: X
Control: The system development life cycle (SDLC) and all application revisions include a
process for designing and implementing automated analysis of processes with fraud
potential.
24.1.1.1 Obtain the SDLC and determine if data mining and data analytic processes are
included in the design/redesign of applications.
24.1.1.2 Evaluate the process to ensure active participation by appropriate subject matter
experts.
25. Analysis of Data Mining and Analytic Activities
COBIT: ME2 | COSO: X X X
Control: The results of data mining and analytic activities are analyzed by subject matter experts,
summarized and distributed to appropriate management teams.
25.1.1.1 Obtain recent summaries and details of data mining and analytic activities.
25.1.1.2 Determine if the analyses are complete, summarized effectively and reported on a
timely basis.
25.1.1.3 Obtain the distribution list of summary recipients.
25.1.1.4 Interview the recipients to determine actions taken based on the reports and the
effectiveness of reporting.
25.1.1.5 Evaluate remediation actions taken based on the summary reports.


25.1.1.6 Coordinate data mining results with the forensics processes described in 36.2.
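The steps in 22.2 through 25 ask the auditor to judge whether the fraud conditions a business unit defines are actually implemented as routine analytics and whether the results reach management in a usable summary, and the Detection paragraph in the executive summary describes the same exception reporting. The following Python routine is an added example written for this edition; it is not ISACA program code. It implements three constructed business-defined conditions over a constructed set of payment records (split payments just under an approval threshold, duplicate payments to one payee, and off-hours postings) and produces the per-condition summary that step 25 expects to be distributed. The approval threshold, detection windows, business hours, payee names and transactions are all assumed values.

```python
"""Exception reporting over payment records (added example, not ISACA program code).

Implements three 'potential fraudulent conditions' of the kind a business unit
might specify under step 23 and that a routine analytics process would run under
step 24. All thresholds, windows and sample records are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

APPROVAL_THRESHOLD = 10_000.00     # assumed single-approver limit
SPLIT_BAND = 0.10                  # flag amounts within 10% below the threshold
SPLIT_WINDOW = timedelta(days=3)   # assumed window in which split payments occur
DUP_WINDOW = timedelta(days=1)     # assumed window for duplicate-payment detection
BUSINESS_HOURS = (7, 19)           # assumed local working hours, [start, end)

# Constructed sample records: (transaction id, payee, amount, posted, user)
RECORDS = [
    ("T1", "Acme Ltd", 9_800.00, "2012-03-05T10:12:00", "jsmith"),
    ("T2", "Acme Ltd", 9_700.00, "2012-03-06T11:05:00", "jsmith"),
    ("T3", "Globex", 250.00, "2012-03-06T09:30:00", "mlee"),
    ("T4", "Globex", 250.00, "2012-03-06T09:31:00", "mlee"),
    ("T5", "Initech", 4_100.00, "2012-03-07T02:45:00", "rjones"),
    ("T6", "Umbrella", 12_500.00, "2012-03-07T14:00:00", "mlee"),
]


def parse(records):
    """Turn raw tuples into dicts with parsed timestamps, sorted by posting time."""
    rows = [{"id": t, "payee": p, "amount": a,
             "when": datetime.fromisoformat(ts), "user": u}
            for t, p, a, ts, u in records]
    return sorted(rows, key=lambda r: r["when"])


def split_payments(rows):
    """Condition 1: consecutive payments to one payee, each just below the approval
    threshold, posted within SPLIT_WINDOW of each other (threshold evasion)."""
    near = [r for r in rows
            if APPROVAL_THRESHOLD * (1 - SPLIT_BAND) <= r["amount"] < APPROVAL_THRESHOLD]
    by_payee = defaultdict(list)
    for r in near:                      # rows are already time-ordered
        by_payee[r["payee"]].append(r)
    hits = []
    for payee, rs in by_payee.items():
        for a, b in zip(rs, rs[1:]):
            if b["when"] - a["when"] <= SPLIT_WINDOW:
                hits.append(("SPLIT_PAYMENT", payee, (a["id"], b["id"])))
    return hits


def duplicate_payments(rows):
    """Condition 2: same payee and amount posted again within DUP_WINDOW."""
    seen = defaultdict(list)
    hits = []
    for r in rows:
        key = (r["payee"], r["amount"])
        for prev in seen[key]:
            if r["when"] - prev["when"] <= DUP_WINDOW:
                hits.append(("DUPLICATE_PAYMENT", r["payee"], (prev["id"], r["id"])))
        seen[key].append(r)
    return hits


def off_hours_activity(rows):
    """Condition 3: a transaction posted outside BUSINESS_HOURS."""
    start, end = BUSINESS_HOURS
    return [("OFF_HOURS", r["user"], (r["id"],))
            for r in rows if not start <= r["when"].hour < end]


def run_analytics(records):
    """Run every defined condition and return the exceptions as
    (condition, subject, transaction ids) tuples."""
    rows = parse(records)
    hits = []
    for condition in (split_payments, duplicate_payments, off_hours_activity):
        hits.extend(condition(rows))
    return hits


def summarize(hits):
    """Counts per condition: the management summary step 25 expects to be
    distributed and acted on."""
    return dict(Counter(h[0] for h in hits))


if __name__ == "__main__":
    exceptions = run_analytics(RECORDS)
    for condition, subject, ids in exceptions:
        print(f"{condition:18} {subject:10} {', '.join(ids)}")
    print(summarize(exceptions))
```

Each condition is a separate function so that the business unit's requirements definition (step 23) maps one-to-one onto reviewable code, and `run_analytics` returns structured exceptions rather than printing them, so the same output can feed both the management summary and the forensics coordination in step 25.1.1.6.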
26. IT Management
26.1 Secure Infrastructure
Audit/assurance objective: IT management establishes, maintains and monitors a secure
infrastructure.
27. Secure Infrastructure
COBIT: PO4.8, PO8, DS5, DS9 | COSO: X X
Control: The IT infrastructure, including hardware and software configuration management, active
monitoring and information security best practices, is implemented.

27.1.1.1 Determine that the following audits have been performed with acceptable results. If
audits of these areas have not been performed, consider executing an audit of each
applicable area, and cross-reference the results to this audit:
• Web servers
• Backup and recovery
• Business continuity and disaster recovery planning
• Change management
• Cloud management
• Crisis management
• Identity management
• Information security management
• Email servers (spam, malware, etc.)
• File servers
• Mobile computing security
• Database servers and tools
• Network perimeter security
• Outsourced IT environment
• Collaboration servers
• Social media
• Unix/Linux OS security management
© ISACA 2012 All rights reserved. Page 26
Cybercrime Audit/Assurance Program

COSO

CommunicationInformation and
Control Environment
Referenc Issue

Control Activities
Risk Assessment
COBIT

Monitoring
Audit/Assurance Program Step Cross- e Cross- Comments
reference Hyper- referenc
link e

 Web content and web browser management (obscene or offensive content,


malware attacks, etc.)
 Active Directory/LDAP servers
 z/OS
28. Monitor Infrastructure
Control: IT management receives and reviews key reports and analyses of security, vulnerability, intrusions and penetration test results. [COBIT: PO6.5, DS5.5, ME2.2; COSO: X X X]
28.1.1.1 Interview information security, IT management and operations management to determine how they monitor key cybercrime-related areas. Consider:
• Intrusion detection results
• Intrusion prevention activities
• Operations help desk and problem reports
• Penetration testing results
• Security incident reports
• Unusual change management activities that may include configuration management
• Vulnerability assessment results
28.1.1.2 Obtain information security status reports/summaries distributed by information
security and received by key IT management.
28.1.1.3 Evaluate the focus and usefulness of the reports as they relate to cybersecurity.
28.1.1.4 Determine how often the reports are published, how they are used by the recipient and
the decisions made based on the reports.

28.2 Support for Information Security and Cybercrime Task Force
Audit/assurance objective: IT management supports the cybercrime task force and information
security initiatives.
29. IT Organization
Control: IT management includes the information security function as a liaison with the cybercrime task force in its organization. [COBIT: PO4.8, DS5.1; COSO: X]
29.1.1.1 Determine how the information security and the cybercrime task force maintain
preparedness with the IT organization.
29.1.1.2 Determine how IT has delegated responsibility to the cybercrime task force in response to and during a cyberattack or cybercrime investigation.
30. Management During a Cyberincident
Control: IT management has defined procedures for transferring management of key IT processes to the cybercrime task force during a cyberattack/cybercrime investigation. [COBIT: PO4.6; COSO: X]
30.1.1.1 Obtain pertinent documentation to support procedures for IT leadership during a
cybercrime/cyberattack event.
30.1.1.2 Evaluate procedures to ensure that a clear chain of command has been defined to isolate and manage the incident effectively, and that the incident team is permitted to assume responsibility for, and control of, the resources necessary to initiate appropriate actions.

31. Incident Management Policy and Procedures
The establishment of policy and procedures is the starting point for a good-practice security incident
management system. The first phase of the audit/assurance process is to ensure that the policy and
standards on which the process is based are sound and address the essential issues.
31.1 Risk Analysis and Asset Prioritization
Audit/assurance objective: Policies and procedures should be established to ensure that a risk analysis
and asset prioritization is part of the incident evaluation process.
32. Incident Response Risk Analysis
Control: Risk principles are used to determine incident response actions. [COBIT: DS5.6; COSO: X X]
32.1.1.1 Verify that the risk analysis includes types of risk such as lack of segregation of duties;
loss of intellectual property; revenue loss from business interruptions; and loss from
liability of business partners and noncompliance with legal, regulatory and standards
requirements.
32.1.1.2 Determine if the risk analysis includes an up-to-date and detailed list of all information
assets, such as servers and workstations, software and data, services, and protocols
running on the platforms connected to the networks that need protection.
33. Asset Prioritization
Control: Asset value and prioritization are components of the incident response analysis. [COBIT: DS5.6; COSO: X X]
33.1.1.1 Determine if an owner has been identified for each information asset or service, and
verify that a value has been assigned to each asset or service. The value should represent
the priority and cost to the enterprise if the asset is compromised or the service is interrupted.
33.1.1.2 Determine whether the incident response policy and procedures address the priority of assets that can be compromised. Ensure that the prioritization of assets and services was determined based on risk.
33.1.1.3 Based on the prioritization of assets and services, ensure that each asset or service is
assigned an incident response/handling priority such as:
• High—System or service that is mission-critical to the enterprise. Examples are systems/applications that deal with intellectual property, trade secrets, financial data and confidential customer information.4
• Medium—System or service that provides routine, but nonmission-critical, support to the enterprise and contains sensitive information regarding the enterprise and its operations. Examples are systems/applications that deal with internal policies and procedures, transactional data (without specific payment/credit information), employee directories and service manuals.
• Low—Discretionary system or service for the enterprise, with nonoperational support and containing unclassified information with no corporate sensitivity. Examples are systems/applications that deal with unclassified data or publicly disclosed information.
33.1.1.4 Verify that assets and services have appropriate security processes and procedures
according to risk.
33.1.1.5 Determine that the prioritization of assets and services has been reviewed with key business owners, including legal, to ensure that appropriate notifications, legal disclosure requirements and referrals to law enforcement are defined.

4 Cybercrime and cyberattacks are normally assigned a “high” priority.


33.2 Incident Response Policy
Audit/assurance objective: Incident response policies and processes should identify the scope, objectives and requirements defining who should respond to an incident and how, what constitutes an incident, and the specific processes for monitoring and reporting incident activities.
8.2.1 Incident Responsibilities
Control: The incident response policy assigns responsibility, scope and reporting requirements. [COBIT: DS5.6; COSO: X X]
33.2.1.1 Verify that an incident response/handling policy has been developed within the security
policy and documented as part of a security program.
33.2.1.2 Verify that the policy includes a section that assigns responsibility for identifying,
documenting and ensuring compliance with the relevant governmental and industry
regulations, legal requirements and best practices.
33.2.1.3 Verify that the incident response/handling policy sets clear direction. Executive
management should support the policy across the enterprise. The policy should contain:
• An agreed-on definition of “incident” and guidelines to identify a security incident
• A definition of incident response/handling, and its overall objectives and scope
• A statement of management intent, supporting the goals and principles of incident response/handling
• A brief explanation of the incident response/handling policies, principles, standards and compliance requirements that are of particular importance to the enterprise
• A definition of general and specific responsibilities for incident response/handling, including handling of evidence and reporting
• References to documentation that may support the policy, e.g., detailed incident response/handling, incident triage and computer forensic policies and procedures
• User awareness training pertaining to incident identification and reporting
33.2.1.4 Verify that an incident response/handling strategy/process has been developed and
documented and is based on the incident policy. The strategy should specify the types of
responses and techniques, such as:
• Identification of an incident and response (e.g., shutdown, containment, quarantine)
• Acquisition of affected systems and volatile and static data
• Retention and analysis of data
• Remediation
• Referral to law enforcement
• Handling of forensic data
• Escalation of incidents
• Reporting of findings
• Definition of the learning process from incidents to upgrade systems and processes
33.2.1.5 Verify that the strategy/process is supported by documented and detailed incident
response/handling procedures and standards.
33.2.1.6 Verify that the incident escalation triggers are specified and included in the incident
response/handling process. For example, different escalation triggers should be defined
based on asset prioritization, system/service type, or the results of the incident
examination and analysis.
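As an added illustration (not part of the ISACA program and not any enterprise's actual procedure), the following Python models how the asset priority classes of step 33.1.1.3 and the escalation triggers of step 33.2.1.6 can be expressed as one testable rule set, with cybercrime forced to the highest tier as footnote 4 indicates. The priority classes, notification tiers, asset register entries, incident categories and trigger thresholds are all constructed assumptions; an auditor would compare the enterprise's documented triggers against a table like this one.

```python
"""Asset-priority-driven incident escalation (constructed example)."""
from dataclasses import dataclass
from enum import IntEnum


class AssetPriority(IntEnum):
    """Priority classes from step 33.1.1.3; the integer is used only for ordering."""
    LOW = 1      # discretionary, unclassified or publicly disclosed data
    MEDIUM = 2   # routine, nonmission-critical, sensitive internal data
    HIGH = 3     # mission-critical: IP, trade secrets, financial/customer data


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str               # every asset needs an identified owner (step 33.1.1.1)
    priority: AssetPriority


@dataclass(frozen=True)
class Incident:
    asset: Asset
    category: str            # constructed labels, e.g. "malware", "cybercrime"
    confirmed: bool          # validated as a true incident, not a false positive
    data_exfiltrated: bool = False


# Constructed asset register (hypothetical names and owners).
ASSET_REGISTER = {
    "erp-finance-db": Asset("erp-finance-db", "cfo", AssetPriority.HIGH),
    "hr-policy-wiki": Asset("hr-policy-wiki", "hr-director", AssetPriority.MEDIUM),
    "public-website": Asset("public-website", "marketing", AssetPriority.LOW),
}

# Constructed notification tiers: reaching tier N also notifies every lower tier.
TIER_NOTIFY = {
    0: ["help-desk"],
    1: ["csirt-on-call"],
    2: ["csirt-lead", "it-management"],
    3: ["ciso", "legal", "executive-sponsor"],
}

# Categories that footnote 4 of the program says are normally "high" priority.
CYBERCRIME_CATEGORIES = {"cybercrime", "cyberattack"}


def escalation_tier(incident: Incident) -> int:
    """Return the escalation tier (0-3) for an incident.

    Constructed trigger rules illustrating step 33.2.1.6:
      * an unconfirmed alert stays at tier 0 pending validation;
      * the base tier is the asset's priority class (LOW=1 ... HIGH=3);
      * cybercrime or cyberattack always goes to tier 3 regardless of asset;
      * confirmed data exfiltration raises the tier by one (capped at 3).
    """
    if not incident.confirmed:
        return 0
    if incident.category in CYBERCRIME_CATEGORIES:
        return 3
    tier = int(incident.asset.priority)
    if incident.data_exfiltrated:
        tier = min(tier + 1, 3)
    return tier


def notify_list(incident: Incident) -> list:
    """Everyone to notify: the recipients of every tier up to the computed one."""
    recipients = []
    for level in range(escalation_tier(incident) + 1):
        recipients.extend(TIER_NOTIFY[level])
    return recipients


def unowned_assets(register: dict) -> list:
    """Audit check for step 33.1.1.1: asset names with no owner recorded."""
    return sorted(name for name, asset in register.items() if not asset.owner)
```

A confirmed malware incident on `public-website` reaches only the help desk and the on-call CSIRT member, while the same incident categorized as cybercrime reaches legal and the executive sponsor; the audit test for step 33.2.1.6 is whether the enterprise's own triggers produce equally deterministic results.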
34. Coordination with Law Enforcement
Control: Management has established liaison and relationships with appropriate law enforcement agencies. [COBIT: DS5.1; COSO: X X X]
34.1.1.1 Identify the liaison with the appropriate law enforcement agencies.

34.1.1.2 Determine if coordination is established and regularly maintained.
35. Incident Response Team
Control: An incident response team has been organized with appropriate management, staffing and senior management support. [COBIT: DS5.5; COSO: X X]
35.1.1.1 Verify that roles and responsibilities for incident response are assigned to a formal team. Depending on the enterprise, there may or may not be a formal CSIRT5, but the responsibility should be defined and assigned to the appropriate individuals.
35.1.1.2 Determine if the CSIRT has a charter approved by senior management and/or the board
of directors and if the charter identifies the team’s primary and secondary
responsibilities.
35.1.1.3 Verify whether CSIRT members have been selected with the following
background/skill sets:
• Understanding of known threats, attack signatures and vulnerabilities
• Understanding of the enterprise network, security infrastructure and platforms
• Experience in security response and/or troubleshooting techniques
• Experience in forensic techniques and best practices
• Understanding of regulations and laws as they pertain to privacy and disclosure and evidentiary requirements
• Understanding of systems, threats and vulnerabilities, and remediation methods in their area of business responsibility
35.1.1.4 Verify that the CSIRT has an executive sponsor and includes representation from the following key areas:
• Information technology
• Information security
• Corporate communications
• Human resources
• Legal
• Business unit management and technology specialists
• Corporate security (including physical security)

5 CSIRT will be used through the remainder of the document to indicate the computer incident response function, whether it be a formal or informal CSIRT.
35.1.1.5 Determine if the CSIRT has a formal structure of authority that assigns different levels
of decision-making authority and identifies who has the authority to:
• Declare an incident
• Declare that an incident is truly an incident (i.e., not a false positive)
• Take systems offline
• Shut down portions of the network
• Declare the incident and invoke business continuity or recovery
• Contact law enforcement and the media
36. Incident Response Processes
Control: The incident response process has detailed and defined steps that address the appropriate requirements for explaining and documenting the incident, recognition of forensic documentation requirements, and escalation and notification procedures. [COBIT: DS5.5, DS5.6; COSO: X X X]
36.1.1.1 Confirm that the incident response and analysis process includes:
• Technical procedures and recommendations for quickly analyzing systems affected by an incident
• Technical procedures and recommendations for quickly analyzing and collecting data from multiple operating systems
• Procedures that are forensic-aware and documented to the detailed tool use level
• Procedures for a CSIRT postincident analysis report
36.1.1.2 Verify that the incident identification process has been defined and responsibilities have
been assigned. Ensure that incident alerts (intrusion detection, firewall, systems and
other alerts) identified by business requirements are routed to the CSIRT and/or those
responsible for incident response/handling, for evaluation and validation according to a
specific set of criteria.
36.1.1.3 Verify that the incident prioritization process has been defined and responsibilities have
been assigned to prioritize incidents.

36.1.1.4 Verify that there is a clear definition of who needs to be notified when an incident
occurs, based on the incident classification. The notification should include the systems
involved and the business units affected, as specified in the business continuity plan.
36.2 Forensic Policy
Audit/assurance objective: Forensic policies and procedures should ensure that documented
management trails are preserved to permit internal investigations and support any legal or
regulatory investigations (internal and external).
37. Forensic Processes
Control: Technical procedures provide for unique identification, collection of data, prioritization of types of risk, notification of affected parties as soon as possible and preservation of compromised systems. [COBIT: DS5.5; COSO: X X X]
37.1.1.1 Verify that the computer forensics methodology includes procedures for acquisition,
authentication, analysis and reporting.
38. Forensic Analysis of Data
Control: Procedures provide for the capture and analysis of volatile6 and static data in a timely manner. [COBIT: DS5.5; COSO: X]
38.1.1.1 Verify that procedures for forensic acquisition of volatile data exist and include:
• Procedures for the acquisition of volatile data from the operating system
• Tool usage, including macros, graphical user interface (GUI) screen shots and/or command line switches
• Procedures for the acquisition of compromised system(s) that may be necessary as evidence, including documentation of chain of command, quarantine of equipment, and safe-handling and safe-keeping of the evidence until submission to law enforcement or forensics team, as necessary under the circumstances

6 Volatile data are data that are overwritten or changed over time, where a snapshot cannot be obtained without capturing the information interactively or by regularly scheduled data extracts.
38.1.1.2 Verify that appropriate steps to evaluate an incident in progress are in place and
include:
• How to determine the risk associated with allowing incidents to continue for analysis and evidence-gathering purposes
• Procedures to quickly triage systems and determine the extent and scope of the ongoing incident
• Procedures and processes for IP tracing and data traps relevant to the incident priority and type
• Procedures for collecting volatile data on short notice
• Procedures to take custody of compromised systems for safe-keeping of last-state and to ensure chain-of-command integrity and preservation of evidence
38.1.1.3 Verify that procedures for forensic acquisition of static data incorporate best practices such as:
• Creation and analysis of log files—physical access logs, IDS logs, system event logs, router and firewall logs, application logs (nonoperating system logs), and other logs associated with tools or devices (backup and stored procedures for databases, and appliances and local devices)
• Collection of static data, including disk images, Universal Serial Bus (USB) devices and other common attached media on common Microsoft® Windows, UNIX and LINUX or other platform used by the enterprise
• Detailed tool usage information, such as settings and macros, GUI screen shots, and command line switches
• Typical write-blocking techniques and practices
• Verification of forensic data handling and storage procedures. These procedures should document the requirements for forensic data handling and storage, including a forensic “chain-of-custody” form and the archiving of evidence.
• Regular interaction and sharing of information (exceptions noted and remedial actions initiated) among the affected functional teams (e.g., network monitoring, firewall administration and intrusion detection teams)
38.1.1.4 Verify that procedures ensure that appropriate technical analysis of forensic data is performed, including:
• Network and system log file analysis—physical access logs, IDS logs, system event logs, router and firewall logs, and application logs
• Detailed technical descriptions of techniques to analyze file systems, time lines, unknown binaries, image files, email, and the use of macros and filters
• When outside expertise is required, a list of criteria for evaluating and selecting external certified forensics experts
• Procedures and processes for IP tracing and data traps relevant to the incident priority and type
38.1.1.5 Verify that procedures include the review and analysis of physical security logs to
detect violations that correspond with the incidents.
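Steps 38.1.1.3 and 38.1.1.4 list physical access logs alongside system event logs, and step 38.1.1.5 asks for the two to be compared. As an added example (not ISACA's and not any product's logic), the following Python correlates a constructed badge-reader log with a constructed system logon log and reports every interactive console logon for which the user's most recent badge event at that site is not an entry. The CSV layouts, site and host names, user names, timestamps and the logon-type codes are all assumptions of the example.

```python
"""Correlate physical access (badge) logs with console logon events (constructed example)."""
from datetime import datetime

# Constructed badge-reader log: timestamp,site,user,event (IN or OUT).
BADGE_LOG = """\
2012-03-05T07:55:00,HQ,alice,IN
2012-03-05T08:10:00,HQ,bob,IN
2012-03-05T12:02:00,HQ,bob,OUT
2012-03-05T17:30:00,HQ,alice,OUT
"""

# Constructed system event log: timestamp,host,site,user,logon_type
# (2 = interactive logon at the console keyboard, 10 = remote logon).
EVENT_LOG = """\
2012-03-05T08:01:00,fin-ws-01,HQ,alice,2
2012-03-05T13:15:00,fin-ws-02,HQ,bob,2
2012-03-05T21:40:00,fin-ws-01,HQ,carol,2
2012-03-05T22:05:00,fin-srv-01,HQ,alice,10
"""

CONSOLE_LOGON = 2


def parse_timestamp(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def parse_badge_log(text: str) -> list:
    """Return (timestamp, site, user, event) tuples; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            t, site, user, event = line.split(",")
            rows.append((parse_timestamp(t), site, user, event))
    return rows


def parse_event_log(text: str) -> list:
    """Return (timestamp, host, site, user, logon_type) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            t, host, site, user, ltype = line.split(",")
            rows.append((parse_timestamp(t), host, site, user, int(ltype)))
    return rows


def present_on_site(badge_rows: list, user: str, site: str, at: datetime) -> bool:
    """True if the user's most recent badge event at `site` on or before `at` is an IN."""
    latest = None
    for t, s, u, event in badge_rows:
        if u == user and s == site and t <= at and (latest is None or t > latest[0]):
            latest = (t, event)
    return latest is not None and latest[1] == "IN"


def find_violations(badge_text: str, event_text: str) -> list:
    """Console logons with no matching physical presence, as (time, host, user)."""
    badges = parse_badge_log(badge_text)
    violations = []
    for t, host, site, user, ltype in parse_event_log(event_text):
        if ltype != CONSOLE_LOGON:
            continue  # a remote logon does not imply physical presence
        if not present_on_site(badges, user, site, t):
            violations.append((t.isoformat(), host, user))
    return violations
```

On the constructed data the check flags bob's console logon after he badged out and carol's logon with no badge record at all, while alice's remote logon is ignored because it implies nothing about physical presence. Clock skew between the badge system and the hosts is the usual source of false positives in this kind of correlation, so an auditor would confirm both sources are time-synchronized before relying on the result.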
38.1.1.6 Review corrective action and remediation procedures to ensure that these procedures:
• Determine the actions required for compromised systems, which can include patching of the operating system or applications, reconfiguration of settings, and authorizations for reloading selected data from backup media or complete system restores.
• Determine if actions are defined to quarantine devices, for safe-handling and safe-keeping of compromised systems, as a requirement for evidence for law enforcement agencies or for forensics analysis.
• Document system-auditing techniques, including a CSIRT system acceptance form.
• Determine what internal and external referrals of findings and actions the CSIRT or individuals responsible for incident response/handling should initiate.
39. Forensic Reporting
Control: The report generated from the forensic analysis, summarizing findings and recommendations, is provided to management. The documentation and report will satisfy legal requirements if prosecution of the perpetrators of the incident is pursued. [COBIT: DS5.5, DS5.6, DS8.3; COSO: X X]
39.1.1.1 Verify that procedures include the development of an executive report of the
investigation and its findings. The report should be presented to senior management and
should be adequate for presentation in court if required. (Seek legal counsel if necessary.)
39.1.1.2 Review the policy and approval process for communicating information to authorities
and the public, including the disclosure of information based on fraud and transparency
legislation.
39.2 Incident Reporting Analysis and Management Tools
Audit/assurance objective: The process of selecting and implementing incident reports and analysis
and management tools should be performed by trained and technically competent professionals.
40. Software Selection
Control: The selection and implementation of incident management tools utilize the enterprise’s software acquisition processes and are managed by information security professionals with experience in the products. [COBIT: DS5.5; COSO: X]
40.1.1.1 Verify that the appropriate individuals from the CSIRT are directly involved with the
selection of any new technology being acquired by the enterprise. This allows the
CSIRT to evaluate the impact on current infrastructure and how the team may need to
change current incident response procedures if the new technology is implemented.
40.1.1.2 Verify that enterprise software acquisition procedures were followed in the selection of
the incident management tools.
40.1.1.3 Verify that the tools:
• Maintain an exact bit-stream image of an original disk or partition
• Do not alter original drive contents
• Ensure that the integrity of a disk image file is verifiable
• Log input/output (I/O) errors
• Preserve data for future analysis and storage
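To make the tool properties in step 40.1.1.3 concrete, the following Python is an added example (not ISACA's and not any commercial forensic product): it images a source block by block through a read-only handle, records the SHA-256 of the image so that its integrity is verifiable afterwards, and logs every I/O error by byte offset, zero-filling the unreadable block so that later offsets stay aligned with the source. The sample "disk" is a constructed temporary file, and the `UnreadableSectors` wrapper that simulates a bad block is an assumption of the example rather than anything a real device does.

```python
"""Bit-stream imaging with integrity verification and I/O error logging (constructed example)."""
import hashlib
import os
import tempfile

BLOCK = 4096  # bytes copied per read; constructed choice


class UnreadableSectors:
    """Read-only wrapper that simulates unreadable blocks on the source.

    Constructed for the demonstration only: a real tool reads a block device
    and receives EIO from the kernel. `bad_offsets` lists the byte offsets at
    which a read raises OSError.
    """

    def __init__(self, fileobj, bad_offsets):
        self._f = fileobj
        self._bad = set(bad_offsets)

    def tell(self):
        return self._f.tell()

    def seek(self, pos, whence=os.SEEK_SET):
        return self._f.seek(pos, whence)

    def read(self, n):
        if self._f.tell() in self._bad:
            raise OSError(5, "Input/output error")  # errno EIO
        return self._f.read(n)


def image_source(src, dst_path, block=BLOCK):
    """Copy `src` to `dst_path` block by block and return an acquisition record.

    The source handle is only read and seeked, never written. Each OSError is
    logged with its byte offset and the unreadable block is written as zeros so
    the image keeps the source's length; the record makes the substitution
    explicit. The SHA-256 of the bytes written is stored for later verification.
    """
    src.seek(0, os.SEEK_END)
    size = src.tell()
    src.seek(0)
    digest = hashlib.sha256()
    errors = []
    offset = 0
    with open(dst_path, "wb") as dst:
        while offset < size:
            try:
                chunk = src.read(block)
            except OSError as exc:
                width = min(block, size - offset)
                errors.append({"offset": offset, "length": width, "error": str(exc)})
                chunk = b"\x00" * width
                src.seek(offset + width)
            if not chunk:
                break
            digest.update(chunk)
            dst.write(chunk)
            offset += len(chunk)
    return {"image_sha256": digest.hexdigest(), "bytes": offset, "io_errors": errors}


def sha256_file(path, block=BLOCK):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(image_path, record):
    """Integrity check: the stored image must still hash to the recorded value."""
    return sha256_file(image_path) == record["image_sha256"]


def demo():
    """Image a constructed 3-block 'disk' once cleanly and once with block 1 unreadable."""
    with tempfile.TemporaryDirectory() as workdir:
        src_path = os.path.join(workdir, "evidence.bin")
        data = bytes(range(256)) * (3 * BLOCK // 256)  # exactly three blocks
        with open(src_path, "wb") as f:
            f.write(data)

        clean_img = os.path.join(workdir, "clean.dd")
        with open(src_path, "rb") as f:
            clean = image_source(f, clean_img)
        clean["verified"] = verify_image(clean_img, clean)
        clean["matches_source"] = clean["image_sha256"] == sha256_file(src_path)

        damaged_img = os.path.join(workdir, "damaged.dd")
        with open(src_path, "rb") as f:
            damaged = image_source(UnreadableSectors(f, [BLOCK]), damaged_img)
        damaged["verified"] = verify_image(damaged_img, damaged)
        expected = hashlib.sha256(data[:BLOCK] + b"\x00" * BLOCK + data[2 * BLOCK:]).hexdigest()
        damaged["matches_expected"] = damaged["image_sha256"] == expected
        return {"clean": clean, "damaged": damaged}
```

The clean run produces an image whose hash equals the hash of the source, which is what "exact bit-stream image" and "integrity verifiable" mean in practice; the damaged run still verifies against its own recorded hash, but the error log is what tells a reviewer that one block of the image is zero fill rather than evidence. A hardware write blocker, not the read-only open, is what satisfies "do not alter original drive contents" against a live device.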
41. Analysis Practices
Control: Analysis procedures and incident response/handling infrastructure are managed using good practices, with appropriate senior management oversight. [COBIT: DS5.5; COSO: X X]
41.1.1.1 Review the incident response/handling infrastructure, including systems and/or services, to ensure that it:
• Identifies known threats, attack signatures and vulnerabilities
• Includes comprehensive security response and/or troubleshooting capabilities and techniques
• Uses technology and services that follow forensic techniques and best practices
• Requires system or service providers to have an understanding of regulations and laws as they pertain to privacy and disclosure and evidentiary requirements
• Employs only trusted staff members who have undergone background checks
• Has secure computer evidence lab facilities for forensic analysis
• Uses products and services that are easily customizable and automated for specific response tasks
• Uses products and/or services that have been validated by organizations such as the National Institute of Standards and Technology (NIST) of the US government, the CERT Coordination Center at Carnegie Mellon University Software Engineering Institute, the SANS Institute or other standards organizations. Organizations may vary, depending on country and industry.
• Uses products and/or services that meet legal requirements and rules of evidence of the enforcement agencies with jurisdiction for the enterprise and its subsidiaries
• Uses products and services that offer comprehensive client support, technical services, expert testimony and training
41.2 Training and Professional Development
Audit/assurance objective: Training and ongoing professional development of information security
professionals responsible for incident management should be relevant and timely, and provide staff
members with adequate knowledge of current practices, threats, preventive approaches and
remediation action plans.
42. Training of Staff
Control: The training of security incident management staff is actively managed to maintain current knowledge of good practices relating to threats, prevention, detection and remediation. [COBIT: PO7.4, DS5.5, DS7; COSO: X]
42.1.1.1 Review the selection of training courses for:
• Tools for incident response
• Security and threat analysis
• Forensic techniques, best practices and chain of custody
• Internal network topology
• Internal incident response policies and legal guidelines
• Mandatory continuing technical and legal education
• Laws and regulations
42.2 Management Reporting
Audit/assurance objective: Reporting and escalation procedures should provide timely reporting and
escalation to management and relevant authorities, and should maintain a real-time notification
process with affected parties.
43. Reporting and Escalation Procedures
Control: Reports and escalation documents are monitored and provided to appropriate management. [COBIT: DS5.5, DS5.6, DS8.3, DS10; COSO: X X X]
43.1.1.1 Ascertain if the escalation procedures are tested periodically.
43.1.1.2 Verify that management reports describing incident events, escalation efforts and
remediation plans are provided to senior management.
43.1.1.3 Verify that appropriate real-time notifications were initiated during documented
security incidents.

44. Incident Management Implementation
Once the policies, standards and procedures are established, the audit/assurance function seeks to verify
that management adheres to and complies with the policies, standards and procedures.
44.1 Policies and Procedures
Audit/assurance objective: The enterprise should be in compliance with the security incident
management policies, standards and procedures previously established.
45. Technology Group
Control: The IT group utilizes the policies, standards and tools established by the enterprise to perform security incident management. [COBIT: DS5.5, DS5.6, DS8.2, DS8.3, DS8.4, DS10; COSO: X]
45.1.1.1 Determine that the incident response/handling policy and process as defined in the
policy and procedures manual are in use.
45.1.1.2 Verify the composition of the CSIRT and forensic teams and their specific responsibilities.
45.1.1.3 Identify the members of the CSIRT and forensic teams and their specific
responsibilities to senior management.
46. Enterprise
Control: The enterprise adheres to established policies concerning security incident prevention and notification. These processes are actively monitored. [COBIT: DS5.6; COSO: X X]
46.1.1.1 Determine that employee procedures for reporting and preventing security incidents
are appropriate to ensure timely notification and include good practices for their
prevention.
46.1.1.2 Determine if problem/help desk policies for notification of and escalation to the
CSIRT and forensic teams are followed.
46.1.1.3 Determine if CSIRT and forensic teams report security incidents to senior
management according to policy.

47. Risk Analysis
Control: Business risk is considered part of the incident response process. [COBIT: DS5.6; COSO: X X]
47.1.1.1 Determine if risk and liabilities are considered part of the incident evaluation and
response.
47.1.1.2 Select a sample of security incidents; include a representative distribution of incident
types during the period.
47.1.1.3 For each security incident, verify the following:
• Timeliness of the incident reported to CSIRT by the first-line problem/help desk function
• Timeliness of CSIRT establishing case and problem determination
• Use of risk analysis to determine response
• Effectiveness of initial containment of the intrusion
• Timeliness and completeness of reports to management
• Communication with affected entities
• Closure of the incident
• Formal report to management on incident identification, risk, losses if applicable, cost to remediate and action plan to prevent repeat incident
• Review of the postincident action plan and report of evident success of the same
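Steps 47.1.1.2 and 47.1.1.3 describe a sample-based test: draw incidents across the period's incident types, then check each for timeliness and closure. The following Python is an added example (not from the ISACA program) of how the auditor's workpaper logic can be automated over an incident register: a stratified sample by incident type, then elapsed-time checks against thresholds. The incident records, the type labels, the field names and the threshold values are constructed; a real engagement would take the thresholds from the enterprise's own incident response procedures and the records from its ticketing system.

```python
"""Stratified sampling and timeliness testing of incident records (constructed example)."""
from collections import defaultdict
from datetime import datetime
import random

# Constructed thresholds, in minutes, standing in for the enterprise's own SLAs.
THRESHOLDS = {
    "reported_to_csirt": 60,      # detection -> help desk reports to CSIRT
    "case_opened": 120,           # CSIRT report -> case and problem determination
    "contained": 240,             # case opened -> initial containment
    "management_reported": 1440,  # case opened -> report to senior management
}

# Constructed incident records (ISO 8601 timestamps; None = step never recorded).
INCIDENTS = [
    {"id": "INC-001", "type": "malware",
     "detected": "2012-03-05T09:00:00", "reported": "2012-03-05T09:20:00",
     "case_opened": "2012-03-05T10:00:00", "contained": "2012-03-05T12:00:00",
     "mgmt_reported": "2012-03-05T18:00:00", "closed": "2012-03-07T10:00:00"},
    {"id": "INC-002", "type": "phishing",
     "detected": "2012-03-06T14:00:00", "reported": "2012-03-06T16:30:00",
     "case_opened": "2012-03-06T17:00:00", "contained": "2012-03-06T22:30:00",
     "mgmt_reported": "2012-03-07T16:00:00", "closed": "2012-03-08T09:00:00"},
    {"id": "INC-003", "type": "cybercrime",
     "detected": "2012-03-10T02:00:00", "reported": "2012-03-10T02:10:00",
     "case_opened": "2012-03-10T02:30:00", "contained": None,
     "mgmt_reported": "2012-03-10T08:00:00", "closed": None},
    {"id": "INC-004", "type": "malware",
     "detected": "2012-03-12T11:00:00", "reported": "2012-03-12T11:05:00",
     "case_opened": "2012-03-12T11:30:00", "contained": "2012-03-12T13:00:00",
     "mgmt_reported": "2012-03-12T15:00:00", "closed": "2012-03-13T09:00:00"},
]


def minutes_between(start, end):
    """Elapsed minutes, or None if either timestamp was never recorded."""
    if start is None or end is None:
        return None
    fmt = "%Y-%m-%dT%H:%M:%S"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 60


def evaluate(incident):
    """Return the list of exceptions for one incident (an empty list means no findings)."""
    intervals = {
        "reported_to_csirt": minutes_between(incident["detected"], incident["reported"]),
        "case_opened": minutes_between(incident["reported"], incident["case_opened"]),
        "contained": minutes_between(incident["case_opened"], incident["contained"]),
        "management_reported": minutes_between(incident["case_opened"], incident["mgmt_reported"]),
    }
    exceptions = []
    for name, elapsed in intervals.items():
        if elapsed is None:
            exceptions.append(f"{name}: not recorded")
        elif elapsed > THRESHOLDS[name]:
            exceptions.append(f"{name}: {elapsed:.0f} min exceeds {THRESHOLDS[name]} min")
    if incident["closed"] is None:
        exceptions.append("closure: incident not closed")
    return exceptions


def stratified_sample(incidents, fraction, seed=0):
    """Draw roughly `fraction` of each incident type, never fewer than one per type."""
    by_type = defaultdict(list)
    for incident in incidents:
        by_type[incident["type"]].append(incident)
    rng = random.Random(seed)  # fixed seed so the workpaper selection is reproducible
    sample = []
    for incident_type in sorted(by_type):
        group = by_type[incident_type]
        sample.extend(rng.sample(group, max(1, round(len(group) * fraction))))
    return sample


def audit(incidents, fraction=0.5):
    """Map incident id -> exceptions for a stratified sample of the population."""
    return {incident["id"]: evaluate(incident) for incident in stratified_sample(incidents, fraction)}
```

On the constructed register, INC-002 shows late reporting to the CSIRT and late containment, and INC-003 (the cybercrime case) has no containment timestamp and was never closed; the per-type sampling guarantees the single cybercrime incident is always in the sample, which matches the program's emphasis on that category.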
47.2 Training
Audit/assurance objective: Incident response training should be in compliance with the training policy.
48. CSIRT and Forensic Teams
Control: CSIRT and the forensic teams have received the necessary training to perform their duties, and their training is monitored. [COBIT: DS5.5; COSO: X X]
48.1.1.1 Determine that adequate training has been provided to CSIRT and the forensic teams.
Training should include chain of custody, evidence handling, hacking techniques, log
file analysis, volatile data analysis, remediation, and escalation and reporting procedures
to ensure adherence to best practices and laws.

49. Management Team and Organization
Control: The management team and those affected in the enterprise have been trained and are aware of their responsibilities in the event of a security incident. [COBIT: DS5.5, DS5.6; COSO: X]
49.1.1.1 Review training programs and employee reminders focusing on the reporting and
prevention of security incidents.
49.2 Incident Response and Forensic Systems/Tools
Audit/assurance objective: Incident response tools should be installed, scheduled, monitored and
secured to avoid unauthorized access to investigation activities.
50. CSIRT Servers and/or Redundant Array of Independent Disks (RAID)
Control: CSIRT servers and/or RAID arrays are configured for maximum security. [COBIT: DS5.5; COSO: X]
50.1.1.1 Determine that CSIRT servers and/or RAID arrays are installed in physically secure
locations.
50.1.1.2 Determine and validate backup/recovery and change control of CSIRT servers to ensure
that only authorized changes to CSIRT servers have been applied, and restoration of
CSIRT servers is controlled, secured and tested.
50.1.1.3 Verify that firewall and access protection has been installed between CSIRT servers
(and peripheral equipment) and the network.
50.1.1.4 Verify that CSIRT equipment (servers, firewalls and other peripherals) has the latest
patches and maximum (as defined by the enterprise) security settings.
50.1.1.5 Verify that CSIRT equipment (servers, firewalls and other peripherals) has strong
logical access controls (restricted users, access according to functional responsibilities,
complex passwords, access logs).
50.1.1.6 Verify that secure administrative rights of CSIRT equipment are granted only to the
members of CSIRT or the forensic team leader and security executive who require
access.
50.1.1.7 Verify that antivirus software with the latest updates is installed on CSIRT equipment and
that a virus scan has been run in the last three to seven days.
51. CSIRT Team Workstations (COBIT DS5.5; COSO: X)
Control: CSIRT workstations are configured for maximum security.
51.1.1.1 Determine that there are CSIRT and/or forensically dedicated laptops/computers for
CSIRT and forensic team members. Members should have equipment appropriate for
their roles/responsibilities.
51.1.1.2 Determine that CSIRT workstation security configurations are set for maximum
security as defined by the enterprise.
51.1.1.3 Verify that complex passwords are implemented.
51.1.1.4 Verify that all CSIRT and forensic workstations have physically secure storage
locations.
52. Incident Response and Forensics Server Software (COBIT DS5.5; COSO: X)
Control: CSIRT and forensic software is appropriately configured on the servers for maximum
security and appropriate monitoring.
52.1.1.1 Review the installation of the CSIRT and forensic server software. Verify that only
authorized software has been installed by obtaining a list of authorized software and
comparing the list to installed software.
52.1.1.2 Examine the CSIRT and forensic software default configurations to ensure that access
and administrative rights are set to reflect access policies.
52.1.1.3 Verify that complex passwords are set for all users and the administrator.
52.1.1.4 Verify that CSIRT and forensic server software is configured to sense all targeted
network segments.
52.1.1.5 For client/server CSIRT and forensic software, verify that the client software is
deployed to all target nodes on the target network segments (for enterprise installations).
52.1.1.6 Verify that data storage security is enabled through appropriate authentication and
encryption settings.
53. Vulnerability of CSIRT and Forensic Equipment (COSO: X)
Control: CSIRT and forensic equipment is subject to routine vulnerability assessments.
53.1.1.1 Verify that a vulnerability assessment of all CSIRT and forensic workstations and
servers has been performed at a frequency prescribed by management within its policy
pronouncement.
53.1.1.1.1 Obtain vulnerability assessment documentation, and review for
thoroughness and management review.
53.1.1.1.2 Identify any remediation recommendations and determine the status of the
remediation.
53.2 Testing and Automation of Processes
Audit/assurance objective: Appropriate testing should be performed prior to implementation to ensure
that the applications function as intended and that these processes remain available so that all
scheduled activities are recorded.
54. Testing (COBIT DS5.5; COSO: X)
Control: The forensic and incident reporting software is tested prior to final acceptance and
implementation.
54.1.1.1 Examine the acceptance and testing process and documentation to ensure that the
forensic and testing software has been adequately tested before implementation.
55. Automation of Processes and/or Tool Sets (COBIT DS5.5; COSO: X)
Control: Scripts used to automate incident reporting tools are complete and tested.
55.1.1.1 Verify that adequate change management procedures govern the scripts used to
automate complex and/or repetitive CSIRT and forensic functions.
55.1.1.1.1 Test objective: To verify that changes to automated scripts are
authorized and documented.
55.1.1.1.1.1 Select a sample of automated scripts.
55.1.1.1.1.2 Determine that changes have been appropriately documented
and authorized.
55.1.1.2 Verify that appropriate testing has been performed to ensure the reliability of each
script by setting target nodes in specific conditions and validating that the scripts return
the expected conditions.
55.1.1.3 Verify that each script has been tested to confirm that it operates on all target
platforms.
55.2 Initial Implementation Testing and Evaluation
56. Initial Testing of the Incident Management/Forensic Tools (COBIT DS5.5; COSO: X)
Control: Drills are conducted to test the functionality and effectiveness of the incident
management process, and the results are reported to management.
56.1.1.1 Determine if a physical security breach has been tested and validated.
56.1.1.2 Determine if hash values for “baseline installs” of issued equipment are available (to
provide a future means of verifying that software has not been modified).
56.1.1.3 Determine if the IDS alert response has been validated by injecting a known threat into
a test server.
56.1.1.4 Determine if the firewall alert response has been validated by simulating access breach
or security violation.
56.1.1.5 Determine if the mission-critical server alert response has been validated by simulating
access violation.
56.1.1.6 Determine if the forensic examination of network nodes has been validated by injecting
a known threat.
56.1.1.7 Determine if the forensic examination of mission-critical servers has been validated by
simulating unauthorized access to confidential information.
56.1.1.8 Determine if there has been a validation of all IDS and other system alerts being routed
to the CSIRT for evaluation.
56.1.1.9 Determine if the process of incidents being prioritized and assigned to CSIRT members
has been validated.
56.1.1.10 Determine if the IP tracing and data trap process has been validated.

56.1.1.11 Determine if CSIRT and forensic workstations' access to all target nodes (for enterprise
installations) has been validated.
56.1.1.12 Determine that log analysis software is able to access all network transport and
security device logs through validation. Ensure that the following logs can be obtained:
physical security logs, IDS logs, router and firewall logs, system event logs, and
application logs.
56.1.1.13 Verify that CSIRT access to all of the CSIRT policies and procedures has been
validated. Paper copies of these documents may mitigate the chance of electronic
copies not being available, since they may be located on compromised systems.
56.1.1.14 Determine that escalation procedures and notifications, with drills on high, medium
and low priority, have been validated.
56.1.1.15 Determine that referral to law enforcement has been validated by conducting a
cooperative drill with local law enforcement.
56.1.1.16 Determine that internal and external reporting procedures, including mandatory
disclosure, have been validated.
56.2 Ongoing Maintenance
Audit/assurance objective: Maintenance procedures should be in effect to ensure the security of the
incident/forensic tools and the continued effectiveness of the program.
57. Periodic Drills (COBIT DS5.5; COSO: X)
Control: Periodic drills are conducted to ensure that the process operates as intended and staff
members are ready for an incident.
57.1.1.1 Determine that testing of CSIRT and forensic team processes and targets is scheduled
to occur on a periodic basis. Review the documentation and analysis process.
57.1.1.2 Verify that the primary responsibilities of the CSIRT and the forensic team are
evaluated and updated periodically.

58. Information Storage (COBIT DS5.5; COSO: X)
Control: Information storage is controlled to maintain confidentiality of the incident management
analysis, data and reports.
58.1.1.1 Verify appropriate security of and access to the following incident data:
• Contacts
• Actions taken
• Incidents
• Vulnerabilities and patches
• Exploits
• Supporting data; documentation; and other supporting programs, analysis, etc.
58.1.1.2 Verify that CSIRT and forensic information is sanitized and disposed of according to
the information classification policy.
59. Professional Development (COBIT DS5.5; COSO: X X)
Control: Professional development of incident management staff is kept current.
59.1.1.1 Verify that routine training for the CSIRT occurs at industry-accredited (with
continuing professional education [CPE]) organizations.
59.1.1.2 Verify that routine training for forensic teams occurs at industry-accredited (with CPE)
organizations.
59.1.1.3 Verify that CISM [7], CISSP [8], forensic investigator, cybercrime professional or other
related certifications are earned and maintained by the CSIRT and forensic teams.
60. Legal, Regulatory and Best Practice Monitoring (COBIT DS5.5; COSO: X X)
Control: The incident management team and related organizations maintain their knowledge of
threats and remain current on related legislation through training and journals.
60.1.1.1 Verify that the legal organization maintains research or services to monitor updates on
new legislation or regulations affecting incident response and forensics.
60.1.1.2 Verify the methodology for incorporating new legislation and regulations into incident
response/handling policies and processes.
60.1.1.3 Verify that the CSIRT and forensic teams receive periodic training on new regulations
and legislation.
60.1.1.4 Verify that appropriate insurance products protect the enterprise and the
CSIRT/forensic teams.

[7] Certified Information Security Manager, conferred by ISACA
[8] Certified Information Systems Security Professional, conferred by the International Information Systems Security Certification Consortium ((ISC)²)
61. Crisis Management
61.1 Crisis Management Preparedness
62. Crisis Management Governance
Audit/assurance objective: The crisis management function is part of the cybercrime
preparedness process.
63. Crisis Management Governance (COBIT ME4; COSO: X X X X)
Control: The crisis management committee considers cybercrime within the scope of crisis
management.
63.1.1.1.1 Obtain the crisis management committee charter or objectives.
63.1.1.1.2 Determine that cybercrime is within the scope and charter of the crisis
management committee.
64. Crisis Management Governance Oversight (COBIT ME4; COSO: X X X)
Control: The crisis management committee is responsible for and actively reviews cybercrime
activities as part of the crisis management process.
64.1.1.1.1 Review crisis management committee meeting minutes to determine
the level of involvement and oversight directed towards cybercrime
prevention, detection, and monitoring where cybercrime incidents have
been experienced.
65. Crisis Scenarios (COBIT DS4, ME3; COSO: X X)
Control: Crisis scenarios are identified to establish crisis response and management processes.
65.1.1.1.1 Obtain a list of crisis scenarios.
65.1.1.1.2 Determine if cybercrime is included in the scenarios.

66. Plan Communications (COBIT DS10, ME4; COSO: X X X X)
Control: The plan identifies communication roles and messages for cybercrime.
66.1.1.1.1 Review the crisis management communication plan for inclusion of
cybercrime incidents.
67. Crisis Management Plan Tests and Maintenance
Audit/assurance objective: Cybercrime incidents are included in the crisis management test plan.
68. Testing (COBIT DS4, ME4; COSO: X X X)
Control: Cybercrime scenarios are included in the crisis management test plans.
68.1.1.1.1 Determine if the crisis plan includes cybercrime scenarios.
69. Plan Maintenance (COBIT DS4, ME4; COSO: X X X)
Control: The crisis plan is routinely reviewed to ensure alignment with current cybercrime threats.
69.1.1.1.1 Determine if the plan's risk assessment includes an evaluation of cybercrime
threats.
69.1.1.1.2 Determine if the plan is updated to reflect identified cybercrime-related
threats.


VII. Maturity Assessment


The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of the audit/assurance
review and the reviewer's observations, assign a maturity level to each of the following COBIT 4.1 control practices.

COBIT 4.1 Control Practice | Assessed Maturity | Target Maturity | Reference Hyperlink | Comments
DS5.5 Security Testing, Surveillance and Monitoring
1. Implement monitoring, testing, reviews and other controls to:
• Promptly prevent/detect errors in the results of processing
• Promptly identify attempted, successful and unsuccessful security breaches and incidents
• Detect security events and thereby prevent security incidents by using detection and
prevention technologies
• Determine whether the actions taken to resolve a breach of security are effective
2. Conduct effective and efficient security testing procedures at regular intervals to:
• Verify that identity management procedures are effective
• Verify that user account management is effective
• Validate that security-relevant system parameter settings are defined correctly and are in
compliance with the information security baseline
• Validate that network security controls/settings are configured properly and are in
compliance with the information security baseline
• Validate that security monitoring procedures are working properly
• Consider, where necessary, obtaining expert reviews of the security perimeter
DS5.6 Security Incident Definition
1. Describe what a security incident is considered to be. Document within the characteristics a
limited number of impact levels to allow commensurate response. Communicate and
distribute this information, or relevant parts thereof, to identify people who need to be
notified.
2. Ensure that security incidents and appropriate follow-up actions, including root cause
analysis, follow the existing incident and problem management processes.
3. Define measures to protect confidentiality of information related to security incidents.

DS8.2 Registration of Customer Queries
1. Define priority levels through consultation with the business to ensure that events that are not
part of standard operations (incidents) are handled in a timely manner according to the
agreed-upon SLAs. Define priority levels on the business impact and urgency. Establish time
thresholds to determine when escalation should occur, based on the classification of the
request or incident.
2. Record all reported calls, incidents, service requests and information needs in an automated
tool. Capture information including, but not limited to, type (e.g., hardware, software), status
(e.g., new, assigned, escalated, closed) and the incident/problem owner.
3. Implement event detection mechanisms within systems monitoring tools for automated
incident logging and alerting.
4. Record details of closed queries in the organization’s service management system in support
of other processes, such as problem management, service level management, availability and
capacity management.
5. Update the record status with all activities relating to the progress of the event. Enable
involved parties to access relevant information in the service management system.
6. Use the service management system to report appropriate statistics and trends to senior
management.
DS8.3 Incident Escalation
1. Ensure that the service desk maintains ownership, monitoring and escalation of requests and
incidents on behalf of customers.
2. Notify management when high-impact incidents occur, e.g., major business impact or major
deviation from agreed-upon service levels.
3. Define and implement a process to ensure that the incident records are updated to show the
date, time and assignment to IT personnel.
4. Define and implement a process to ensure that IT staff members dealing with customer
queries update the request or incident records with relevant information, such as
classification, diagnosis, root cause and workarounds.

DS8.4 Incident Closure
1. Define a process to manage the resolution and closure of each incident, including use of
predetermined categorisations to identify the likely root cause of the incident.
2. Record all resolved incidents in detail and review the information for possible update in the
knowledge base. Note the workaround and probable root cause for similar incidents arising
in the future.
3. Monitor all request and incident records through the complete life cycle, and review them on
a regular basis to guarantee timely resolution and fulfilment of customer queries.
4. Close requests and incidents only after confirmation of the initiator.


VIII. Maturity Assessment vs. Target Assessment


This spider graph is an example of the assessment results and maturity target for a cybercrime assessment.

[Spider graph: Assessment vs. Target maturity plotted for DS5.5 Security Testing, Surveillance and Monitoring; DS5.6 Security Incident Definition; DS8.2 Registration of Customer Queries; DS8.3 Incident Escalation; DS8.4 Incident Closure]
