Cybercrime-Audit-Assurance-Program Icq Eng 1012
About ISACA
With more than 100,000 constituents in 180 countries, ISACA® (www.isaca.org) is a leading global provider of
knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security,
enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit,
independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS
auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It
also advances and attests IT skills and knowledge through the globally respected Certified Information Systems
Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT®
(CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.
ISACA continually updates and expands the practical guidance and product family based on the COBIT®
framework. COBIT helps IT professionals and enterprise leaders fulfill their IT governance and management
responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.
Disclaimer
ISACA has designed and created Cybercrime Audit/Assurance Program (the “Work”) primarily as an educational
resource for governance and assurance professionals. ISACA makes no claim that use of any of the Work will assure
a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests
or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In
determining the propriety of any specific information, procedure or test, governance and assurance professionals
should apply their own professional judgment to the specific circumstances presented by the particular systems or
information technology environment.
Reservation of Rights
© 2012 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified,
distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of
all or portions of this publication are permitted solely for academic, internal and noncommercial use and for
consulting/advisory engagements, and must include full attribution of the material’s source. No other right or
permission is granted with respect to this work.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: [email protected]
Web site: www.isaca.org
ISBN 978-1-60420-196-3
Cybercrime Audit/Assurance Program
Acknowledgments
Expert Reviewers
David Alexander, Los Angeles Department of Water and Power, USA
Jeimy J. Cano M., PhD, CFE, Ecopetrol S.A., Colombia
Francis Kaitano, CISA, CISM, CISSP, ITIL, MCAD.Net, MCSD, Contact Energy, New Zealand
Kamal Khan, CISA, CISSP, CITP, Saudi Aramco, Saudi Arabia
Genemar Lazo, CISA, CGEIT, CRISC, MSBA, California State Polytechnic U, USA
Cheryl Santor, Metropolitan Water District of So. CA, USA
Ability Takuva, CISA, Ernst & Young, LLP, South Africa
Knowledge Board
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Chairman
Steven A. Babb, CGEIT, CRISC, UK
Thomas E. Borton, CISA, CISM, CRISC, CISSP, Cost Plus, USA
Philip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Salomon Rico, CISA, CISM, CGEIT, Deloitte, Mexico
Steven E. Sizemore, CISA, CIA, CGAP, Texas Health and Human Services Commission, USA
ITGI Japan
Norwich University
Socitum Performance Management Group
Solvay Brussels School of Economics and Management
Strategic Technology Management Institute (STMI) of the National University of Singapore
University of Antwerp Management School
ASIS International
Hewlett-Packard
IBM
Symantec Corp.
Table of Contents
I. Introduction.......................................................................................................................................5
II. Using This Document........................................................................................................................6
III. Controls Maturity Analysis................................................................................................................9
IV. Assurance and Control Framework..................................................................................................10
V. Executive Summary of Audit/Assurance Focus...............................................................................11
VI. Audit/Assurance Program................................................................................................................14
1. Planning and Scoping the Audit...................................................................................................14
2. Understanding Supporting Infrastructure.....................................................................................16
3. Governance..................................................................................................................................17
4. Organization................................................................................................................................19
5. Organizational Policies................................................................................................................20
6. Business Role in Cybercrime Prevention.....................................................................................22
7. IT Management............................................................................................................................25
8. Incident Management Policy And Procedures.............................................................................28
9. Incident Management Implementation.........................................................................................38
10. Crisis Management....................................................................................................................46
VII. Maturity Assessment.......................................................................................................................49
VIII. Maturity Assessment vs. Target Assessment...................................................................................52
I. Introduction
Overview
ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good practice-setting
model. ITAF provides standards that are designed to be mandatory, and are the guiding principles
under which the IT audit and assurance profession operates. The guidelines provide information and
direction for the practice of IT audit and assurance. The tools and techniques provide methodologies,
tools and templates to provide direction in the application of IT audit and assurance processes.
Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a
specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use
by IT audit and assurance practitioners with the requisite knowledge of the subject matter under review,
as described in ITAF, section 2200—General Standards. The audit/assurance programs are part of ITAF,
section 4000—IT Assurance Tools and Techniques.
Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT® framework—
specifically COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF,
sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT
Audit and Assurance Management.
Many enterprises have embraced several frameworks at an enterprise level, including the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The
importance of the control framework has been enhanced due to regulatory requirements by the US
Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and
similar legislation in other countries. Enterprises seek to integrate control framework elements used by
the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used,
it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename
these columns to align with the enterprise’s control framework.
Step 1 is part of the fact gathering and pre-fieldwork preparation. Because the pre-fieldwork is essential to
a successful and professional review, the steps have been itemized in this plan. The first-level steps, e.g.,
1.1, are in bold type and provide the reviewer with a scope or high-level explanation of the purpose for
the substeps.
Beginning in step 2, the steps associated with the work program are itemized. To simplify use, the
program describes the audit/assurance objective—the reason for performing the steps in the topic area and
the specific controls follow. Each review step is listed after the control. These steps may include assessing
the control design by walking through a process, interviewing, observing or otherwise verifying the
process and the controls that address that process. In many cases, once the control design has been
verified, specific tests need to be performed to provide assurance that the process associated with the
control is being followed.
The maturity assessment, which is described in more detail later in this document, makes up the last
section of the program.
The audit/assurance plan wrap-up—those processes associated with the completion and review of work
papers, preparation of issues and recommendations, report writing and report clearing—has been
excluded from this document because it is standard for the audit/assurance function and should be
identified elsewhere in the enterprise’s standards.
COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among
audit and assurance professionals. This ties the assurance work to the enterprise’s control framework.
While the IT audit/assurance function has COBIT as a framework, operational audit and assurance
professionals use the framework established by the enterprise. Since COSO is the most prevalent internal
control framework, it has been included in this document and is a bridge to align IT audit/assurance with
the rest of the audit/assurance function. Many audit/assurance enterprises include the COSO control
components within their report and summarize assurance activities to the audit committee of the board of
directors.
For each control, the audit and assurance professional should indicate the COSO component(s) addressed.
It is possible but generally not necessary, to extend this analysis to the specific audit step level.
The original COSO internal control framework contained five components. In 2004, COSO issued an
Enterprise Risk Management (ERM) Integrated Framework, which includes eight components. The ERM
Framework has a business decision focus when compared to the 1992 Internal Control—Integrated
Framework. Large enterprises are in the process of adopting ERM. The two frameworks are compared in
figure 1.
The 1992 Internal Control—Integrated Framework addresses the needs of the IT audit and assurance
professional: control environment, risk assessment, control activities, information and communication,
and monitoring. As such, ISACA has elected to utilize the five-component model for its audit/assurance
programs. When completing the COSO component columns, consider the definitions of the components
as described in figure 1.
Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper that describes the work
performed, issues identified, and conclusions for each line item. The reference/hyperlink is to be used to
cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this
document provides a ready numbering scheme for the work papers. If desired, a link to the work paper
can be pasted into this column.
Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to
further investigate or establish as a potential finding. The potential findings should be documented in a
work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal
finding, or waived).
Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used
in place of a work paper describing the work performed.
provide an objective basis for the review conclusions. Maturity modeling for management and control
over IT processes is based on a method of evaluating the organization, so it can be rated from a maturity
level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the
Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software
development.
The IT Assurance Guide Using COBIT, Appendix VII—Maturity Model for Internal Control (figure 2)
provides a generic maturity model showing the status of the internal control environment and the
establishment of internal controls in an enterprise. It shows how the management of internal control, and
an awareness of the need to establish better internal controls, typically develops from an ad hoc to an
optimized level. The model provides a high-level guide to help COBIT users appreciate what is required
for effective internal controls in IT and to help position their enterprise on the maturity scale.
The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and
assurance professional can address the key controls within the scope of the work program and formulate
an objective assessment of the maturity level of the control practices. The maturity assessment can be a
part of the audit/assurance report and can be used as a metric from year to year to document progress in
the enhancement of controls. However, the perception of the maturity level may vary between the
process/IT asset owner and the auditor. Therefore, the auditor should obtain the concurrence of the
stakeholders concerned before submitting the final report to management.
At the conclusion of the review, once all findings and recommendations are completed, the professional
assesses the current state of the COBIT control framework and assigns it a maturity level using the six-
level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity
model. As a further reference, COBIT provides a definition of the maturity designations by control
objective. While this approach is not mandatory, the process is provided as a separate section at the end of
the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity
assessment be made at the COBIT control level. To provide further value to the client/customer, the
professional can also obtain maturity targets from the client/customer. Using the assessed and target
maturity levels, the professional can create an effective graphic presentation that describes the
achievement or gaps between the actual and targeted maturity goals. A graphic is provided as the last
page of the document (section VIII), based on sample assessments.
1 DS8 scope will be limited to cybercrime information security incidents.
DS8.4 Incident closure—Establish procedures for the timely monitoring of clearance of customer
queries. When the incident has been resolved, ensure that the service desk records the resolution
steps, and confirm that the action taken has been agreed to by the customer. Also record and report
unresolved incidents (known errors and workarounds) to provide information for proper problem
management.
Refer to the IT Governance Institute’s COBIT Control Practices: Guidance to Achieve Control
Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice
value and risk drivers.
Awareness is the initial starting point for all enterprises. This process includes an understanding of the
business impact and risk. Similar to a business continuity plan (BCP), the business impact analysis (BIA)
focusing on cybercrime events establishes a baseline for management to consider the effects of a
cybercrime event, and a risk assessment, evaluating the inherent risk and the residual risk before and after
controls are implemented respectively. To be effective, the cybercrime BIA is a joint effort of all business
and support units that could be affected by a cybercrime incident. Awareness also includes enterprisewide
vigilance with appropriate reminders instilled through the security awareness program.
Prevention involves ensuring that entry points into the enterprise are secured using best practices. This
includes: hardware/software configuration management; physical and logical access to IT and non-IT
assets; control of intellectual property, personally identifiable information, financial assets, etc.; and
alignment with the awareness processes discussed in the previous paragraph. Automated penetration tests
and vulnerability assessments often assist in identifying the IT-related issues. It is up to management to
identify prevention processes directed at the employee and contractor.
Detection addresses processes that identify potential “unusual events.” Enterprises may have integrated
exception reporting into their routine automated processes, and employ data mining and data analytics to
highlight unusual events.
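The exception reporting and analytics that the Detection paragraph describes can be made concrete. The following is an added illustration, not part of the ISACA program, run over a constructed access log: it flags off-hours activity and per-user volume spikes against each user's own median, and summarizes the findings per user for management reporting. The CSV layout, the business-hours window and the 5x volume threshold are assumptions chosen for the example.

```python
"""Added example (not from the ISACA audit program): a minimal exception
report over a constructed access log, of the kind the Detection process
describes. Field names, thresholds and the business-hours window are assumed."""
import csv
from datetime import datetime
from io import StringIO
from statistics import median

# Constructed sample access log (CSV): timestamp,user,action,records
SAMPLE_LOG = """timestamp,user,action,records
2012-10-01T09:15:00,alice,export,120
2012-10-02T10:02:00,alice,export,100
2012-10-03T11:40:00,alice,export,130
2012-10-04T09:55:00,alice,export,110
2012-10-05T09:20:00,alice,export,2600
2012-10-01T14:10:00,bob,export,50
2012-10-03T02:30:00,bob,export,45
2012-10-02T15:00:00,carol,view,10
"""

BUSINESS_HOURS = range(7, 19)   # assumed policy: 07:00 to 18:59 local time
VOLUME_FACTOR = 5               # assumed threshold: flag > 5x the user's own median
MIN_BASELINE_EVENTS = 3         # need a few events before a median is meaningful


def parse_log(text):
    """Parse the CSV log into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "user": row["user"],
            "action": row["action"],
            "records": int(row["records"]),
        })
    return rows


def exception_report(rows):
    """Return (user, timestamp, reason) tuples for unusual events.

    Two rules: activity outside business hours, and a record volume far above
    the same user's median (a crude per-user baseline, not a global one, so a
    heavy but consistent user is not flagged merely for being heavy)."""
    by_user = {}
    for r in rows:
        by_user.setdefault(r["user"], []).append(r["records"])
    baselines = {u: median(v) for u, v in by_user.items()}

    findings = []
    for r in rows:
        if r["ts"].hour not in BUSINESS_HOURS:
            findings.append((r["user"], r["ts"].isoformat(), "off-hours access"))
        base = baselines[r["user"]]
        if (len(by_user[r["user"]]) >= MIN_BASELINE_EVENTS and base > 0
                and r["records"] > VOLUME_FACTOR * base):
            findings.append((r["user"], r["ts"].isoformat(),
                             f"volume {r['records']} exceeds {VOLUME_FACTOR}x median {base:g}"))
    return findings


def summarize(findings):
    """Count findings per user, the shape a management summary would start from."""
    counts = {}
    for user, _, _ in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    report = exception_report(parse_log(SAMPLE_LOG))
    for user, when, reason in report:
        print(f"{when} {user}: {reason}")
    print(summarize(report))
```

On the constructed log this flags alice's 2,600-record export against her median of 120 and bob's 02:30 session; carol's ordinary daytime view is not reported. The per-user median is deliberately simple; an enterprise implementation would also key baselines by action type and day of week and feed the findings to the subject matter experts who review them.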
Incident management is the process that manages a cybercrime incident once it is identified. The security
incident management process generally addresses the assessment of risk, securing enterprise assets
(including the shutting down of affected or potentially affected resources), escalation procedures,
remediation plan and implementation, and coordination with investigatory organizations.
Crisis management is the communications component of the cybercrime incident and involves
communication within the enterprise and a public relations focus for external parties. Crisis management
preparedness attempts to limit reputational damage.
A cybercrime incident may initiate investigations by law enforcement agencies, insurance adjustors,
regulatory bodies, and other third parties. The enterprise needs to establish liaisons with each
organization, as well as integration processes to minimize redundancy.
Based on this wide scope of activities, the audit of organizational preparedness is critical.
Scope—The review will focus on cybercrime management standards, guidelines and procedures as well
as the implementation and governance of these activities. The audit/assurance review will rely on other
operational audits of the incident management process, configuration management and security of
networks and servers, security management and awareness, business continuity management, information
security management, governance and management practices of both IT and the business units, and
relationships with third parties.
Feedback
Visit www.isaca.org/cybercrime-AP and use the feedback function to provide your comments and
suggestions on this document. Your feedback is a very important element in the development of ISACA
guidance for its constituents and is greatly appreciated.
Audit/Assurance Program Step | COBIT | COSO: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring | Reference/Hyperlink | Issue Cross-reference | Comments
(Column headings of the audit/assurance program table. An X under COSO marks a component addressed by the control.)
1.9 Communicate.
The audit/assurance process is clearly communicated to the customer/client.
1.9.1 Conduct an opening conference to discuss the review objectives with the executive
responsible for operating systems and infrastructure.
2. Understanding Supporting Infrastructure
2.1 Cybercrime management is supported by entity standards, processes and procedures.
Audit/assurance objective: To properly evaluate the process, the supporting infrastructure and
documentation need to be reviewed and evaluated.
2.1.1 Obtain and review the cybercrime task force2 current organization chart and include dotted
line responsibility to the IT function and the business units.
2.1.2 Interview the senior security, compliance and legal officers as well as the IT security
manager/administrator and risk officer.
2.1.2.1 Identify who is responsible for cybercrime incident response/handling.
2.1.3 Obtain a copy of the following:
Enterprise security policy
Incident response plan
Segregation of duties requirements
Cybercrime and routine information security incident response/handling policy
Cybercrime and routine incident response/handling strategy/process
Security software change procedures and standards
Security violation reports and management review procedures
Relevant legal and regulatory requirements related to computer forensics and incident
response
Incident reporting and escalation policies—for internal reporting, external referral to
law enforcement and legal representatives, and mandatory disclosure requirements
Data classification schema and list of critical resources
2 In the audit program, the cybercrime task force is the primary team responsible for planning, managing and responding to security incidents involving fraud or attacks utilizing
computers, networks, etc. Different enterprises may use different names, but the scope and focus of the enterprise should be equivalent. The computer security incident response
team (CSIRT) may be a part of or comprise the cybercrime task force.
© ISACA 2012 All rights reserved. Page 15
Intrusion detection systems (IDS) and intrusion prevention systems (IPS) used, vendor,
model and configuration
Firewall architecture, providers/vendors, configuration, audit trail logging, alarms,
suspicious activity definitions and monitoring activities
List of tools available within the enterprise for forensic endeavors
List of people trained to use the forensic tools and the last date tools were
applied/tested/utilized
Incident response risk analysis reports
Computer security incident response team (CSIRT) procedures
Underlying contracts
Crisis management procedures
Any other information relevant to the infrastructure of the enterprise
Evaluation of information security function and its effectiveness within the enterprise
3. Governance
3.1 Executive Management Involvement in Cybercrime Prevention
Audit/assurance objective: Cybercrime prevention is monitored on a regular basis by senior
management.
4. Senior Management Reviews Cybercrime Preparedness
COBIT: ME1.5 | COSO: X X X X
Control: Senior management routinely reviews cybercrime policies and assessments.
4.1.1.1 Obtain and review minutes of meetings or other documentation to confirm senior
management monitoring of cybercrime policies and assessments.
4.1.1.2 Determine if the business impact analysis (BIA) summary or similar document is
reviewed and approval is documented at least annually.
8. Organization
8.1 Cybercrime Task Force
Audit/assurance objective: A cybercrime task force has been established and includes appropriate
functional members.
9. Cybercrime Team Leadership
COBIT: PO4.4, PO4.5, PO4.8, PO7.2 | COSO: X X
Control: The cybercrime team is managed by an information security professional with knowledge
of cybercrime prevention and investigation as well as a thorough understanding of the
enterprise infrastructure.
9.1.1.1 Identify cybercrime team leadership.
9.1.1.2 Evaluate team leader skill set and background.
10. Cybercrime Team Membership
COBIT: PO4.6, PO4.8, PO7.2, PO7.3 | COSO: X
Control: Cybercrime team members include representation from appropriate business, IT and support
units, and liaison to senior management.
10.1.1.1 Obtain cybercrime team membership.
10.1.1.2 Determine that the following representation and their responsibilities exist within the
team:
Computer security incident response leader
IT liaison
Business unit(s) liaisons
Legal counsel
Public relations
Crisis management
Business continuity management/disaster recovery
Support unit liaisons:
– Accounting/finance
– Human resources
– Corporate Security (physical)
cyberattacks.
16.1.1.4 Obtain details of any incidents and verify that they were handled in line with the
policy.
17. Business Role in Cybercrime Prevention
17.1 Risk Management
Audit/assurance objective: Business units identify risk and vulnerabilities within their purview.
18. Business Impact Analysis
COBIT: PO1.2, PO9 | COSO: X
Control: A BIA is routinely performed as a basis for identifying business risk and includes a
cybercrime component.
18.1.1.1 Obtain the BIA.
18.1.1.2 Determine if cybercrime is an evaluation component.
18.1.1.3 If cybercrime is included in the BIA, determine the quality, comprehensiveness and
conclusions generated by the work product.
18.2 Data Classification 3
Audit/assurance objective: A classification scheme has been defined and implemented that applies
throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top
secret) of enterprise data, specifically addressing data that could be utilized in cybercrime.
19. Data Classification Definition
COBIT: PO2.3 | COSO: X
Control: A classification scheme defines attributes for data classification.
19.1.1.1 Obtain the data classification definition.
19.1.1.2 Determine that the data classification defines the following attributes:
Data ownership
Definition of security levels
Data protection controls
Data retention and destruction requirements
Definition of criticality and sensitivity
3 Data classification may have been covered in other audits. Cybercrime management relies on the results as a tool for evaluating risk.
19.1.1.3 Review the data classification definition for cybercrime related information:
Personally identifiable information
Financial information
Intellectual property, patent, trademarked and copyrighted material
20. Data Classification Levels
COBIT: PO2.3 | COSO: X
Control: Data classification attributes as identified above are defined for each data classification
level (e.g., for confidentiality: public, internal and confidential).
20.1.1.1 Review the data classification scheme and verify that all significant components are
covered and completed and that the scheme is reasonable in balancing cost vs. risk,
specifically focused on data that could be of use in a cybercrime.
21. Data Ownership
COBIT: PO2.3, PO4.9, DS11.1, DS11.6 | COSO: X
Control: Business owners are identified as data owners and are held accountable for the
maintenance and monitoring of their data.
21.1.1.1 This includes data ownership with business owners and definition of appropriate
security measures related to classification levels.
21.1.1.2 Select a sample and review data owners to determine that:
The data owner classifies all information using the defined scheme and levels.
Classification covers the whole life cycle of information from creation to disposal.
Where an asset has been assessed as having a certain classification, any component
inherits the same classification.
Owners understand the consequences of the classification and balance security
needs against cost considerations and other business requirements considering the
value of the assets they own.
Information and data are labeled, handled, protected, disposed and otherwise
secured in a manner consistent with the data classification categories.
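The checks in 21.1.1.2 (every asset has an accountable owner, carries a level from the defined scheme, states retention and destruction requirements, and passes its classification down to its components) can be run mechanically over an asset inventory before the auditor samples owners for interview. The following is an added example, not part of the ISACA program. The inventory records, their field names and the ordering of levels are assumptions; the three levels themselves are the page's own example (public, internal, confidential). It flags a component classified below its parent, because that is the failure that exposes data; a component classified higher than its parent is not reported as a weakness.

```python
"""Added example (not from the ISACA audit program): automated checks for
the data-ownership and classification-inheritance tests above, run over a
constructed asset inventory. Field names and level ordering are assumed."""

# Ordering taken from the page's confidentiality example, lowest to highest.
LEVELS = ["public", "internal", "confidential"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample inventory (not real data). Each asset: owner, level,
# retention/destruction requirement, and the components it is made of.
SAMPLE_INVENTORY = [
    {"name": "customer-db", "owner": "finance-ops", "level": "confidential",
     "retention": "7y", "components": [
         {"name": "customer-db/pii-table", "level": "confidential"},
         {"name": "customer-db/nightly-extract", "level": "internal"},  # under-classified
     ]},
    {"name": "marketing-site", "owner": "marketing", "level": "public",
     "retention": "1y", "components": []},
    {"name": "orphan-share", "owner": None, "level": "secret",   # level not in scheme
     "retention": None, "components": []},
]


def check_asset(asset):
    """Return (item name, finding) tuples for one asset and its components."""
    findings = []
    name = asset["name"]
    level = asset.get("level")

    if not asset.get("owner"):
        findings.append((name, "no data owner assigned"))
    if level not in RANK:
        findings.append((name, f"classification {level!r} not in defined scheme"))
    if not asset.get("retention"):
        findings.append((name, "no retention/destruction requirement"))

    for comp in asset.get("components", []):
        clevel = comp.get("level")
        if clevel not in RANK:
            findings.append((comp["name"], f"classification {clevel!r} not in defined scheme"))
        elif level in RANK and RANK[clevel] < RANK[level]:
            # Inheritance failure: a part of a confidential asset is less protected
            # than the whole, which is where the exposure actually occurs.
            findings.append((comp["name"],
                             f"classified {clevel} but parent {name} is {level}"))
    return findings


def check_inventory(inventory):
    """Run check_asset over every asset and collect the findings."""
    findings = []
    for asset in inventory:
        findings.extend(check_asset(asset))
    return findings


if __name__ == "__main__":
    for item, finding in check_inventory(SAMPLE_INVENTORY):
        print(f"{item}: {finding}")
```

Against the constructed inventory this reports the under-classified nightly extract of the customer database and three findings on the unowned share (no owner, a level outside the scheme, no retention rule), while the marketing site passes. The output is a worklist for the sample review, not a substitute for confirming with each owner that labeling, handling and disposal match the assigned level.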
23.1.1.3 Determine if additional processes should be considered in the data mining and data
analytics process.
24. Development and Routine Processing of Data Mining and Analytics
COBIT: AI2.9 | COSO: X
Control: The system development life cycle (SDLC) and all application revisions include a
process for designing and implementing automated analysis of processes that could produce fraud.
24.1.1.1 Obtain the SDLC and determine if data mining and data analytic processes are
included in the design/redesign of applications.
24.1.1.2 Evaluate the process to ensure active participation by appropriate subject matter
experts.
25. Analysis of Data Mining and Analytic Activities
COBIT: ME2 | COSO: X X X
Control: The results of data mining and analytic activities are analyzed by subject matter experts,
summarized and distributed to appropriate management teams.
25.1.1.1 Obtain recent summaries and details of data mining and analytic activities.
25.1.1.2 Determine if the analyses are complete, summarized effectively and reported on a
timely basis.
25.1.1.3 Obtain the distribution list of summary recipients.
25.1.1.4 Interview the recipients to determine actions taken based on the reports and the
effectiveness of reporting.
25.1.1.5 Evaluate remediation actions taken based on the summary reports.
25.1.1.6 Coordinate data mining results with the forensics processes described in 36.2.
26. IT Management
26.1 Secure Infrastructure
Audit/assurance objective: IT management establishes, maintains and monitors a secure
infrastructure.
27. Secure Infrastructure
Control: The IT infrastructure, which includes hardware and software configuration management, active monitoring, and information security best practices, is implemented. [COBIT: PO4.8, PO8, DS5, DS9; COSO: X X]
27.1.1.1 Determine that the following audits have been performed with acceptable results. If
audits of these areas have not been performed, consider executing an audit of each
applicable area, and cross-reference the results to this audit:
• Web servers
• Backup and recovery
• Business continuity and disaster recovery planning
• Change management
• Cloud management
• Crisis management
• Identity management
• Information security management
• Email servers (spam, malware, etc.)
• File servers
• Mobile computing security
• Database servers and tools
• Network perimeter security
• Outsourced IT environment
• Collaboration servers
• Social media
• Unix/Linux OS security management
© ISACA 2012 All rights reserved. Page 26
Cybercrime Audit/Assurance Program
interrupted.
33.1.1.2 Determine whether the incident response policy and procedures address the priority of
assets that can be compromised. Ensure that prioritization of assets and services were
determined based on risk.
33.1.1.3 Based on the prioritization of assets and services, ensure that each asset or service is
assigned an incident response/handling priority such as:
• High—System or service that is mission-critical to the enterprise. Examples are systems/applications that deal with intellectual property, trade secrets, financial data and confidential customer information. [4]
• Medium—System or service that provides routine, but nonmission-critical, support to the enterprise and contains sensitive information regarding the enterprise and its operations. Examples are systems/applications that deal with internal policies and procedures, transactional data (without specific payment/credit information), employee directories and service manuals.
• Low—Discretionary system or service for the enterprise, with nonoperational support and containing unclassified information with no corporate sensitivity. Examples are systems/applications that deal with unclassified data or publicly disclosed information.
33.1.1.4 Verify that assets and services have appropriate security processes and procedures
according to risk.
33.1.1.5 Determine that the prioritization of assets and services has been reviewed with key
business owners, including legal, to ensure that appropriate notifications, legal disclosure
[4] Cybercrime and cyberattacks are normally assigned a “high” priority.
[5] CSIRT will be used through the remainder of the document to indicate the computer incident response function, whether it be a formal or informal CSIRT.
35.1.1.5 Determine if the CSIRT has a formal structure of authority that assigns different levels
of decision-making authority and identifies who has the authority to:
• Declare an incident
• Declare that an incident is truly an incident (i.e., not a false positive)
• Take systems offline
• Shut down portions of the network
• Declare the incident and invoke business continuity or recovery
• Contact law enforcement and the media
36. Incident Response Processes
Control: The incident response process has detailed and defined steps that address the appropriate requirements for explaining and documenting the incident, recognition of forensic documentation requirements, and escalation and notification procedures. [COBIT: DS5.5, DS5.6; COSO: X X X]
36.1.1.1 Confirm that the incident response and analysis process includes:
• Technical procedures and recommendations for quickly analyzing systems affected by an incident
• Technical procedures and recommendations for quickly analyzing and collecting data from multiple operating systems
• Procedures that are forensic-aware and documented to the detailed tool use level
• Procedures for a CSIRT postincident analysis report
36.1.1.2 Verify that the incident identification process has been defined and responsibilities have
been assigned. Ensure that incident alerts (intrusion detection, firewall, systems and
other alerts) identified by business requirements are routed to the CSIRT and/or those
responsible for incident response/handling, for evaluation and validation according to a
specific set of criteria.
36.1.1.3 Verify that the incident prioritization process has been defined and responsibilities have
been assigned to prioritize incidents.
36.1.1.4 Verify that there is a clear definition of who needs to be notified when an incident
occurs, based on the incident classification. The notification should include the systems
involved and the business units affected, as specified in the business continuity plan.
36.2 Forensic Policy
Audit/assurance objective: Forensic policies and procedures should ensure that documented
management trails are preserved to permit internal investigations and support any legal or
regulatory investigations (internal and external).
37. Forensic Processes
Control: Technical procedures provide for unique identification, collection of data, prioritization of types of risk, notification of affected parties as soon as possible and preservation of compromised systems. [COBIT: DS5.5; COSO: X X X]
37.1.1.1 Verify that the computer forensics methodology includes procedures for acquisition,
authentication, analysis and reporting.
38. Forensic Analysis of Data
Control: Procedures provide for the capture and analysis of volatile [6] and static data in a timely manner. [COBIT: DS5.5; COSO: X]
38.1.1.1 Verify that procedures for forensic acquisition of volatile data exist and include:
• Procedures for the acquisition of volatile data from the operating system
• Tool usage, including macros, graphical user interface (GUI) screen shots and/or command line switches
• Procedures for the acquisition of compromised system(s) that may be necessary as evidence, including documentation of chain of command, quarantine of equipment, and safe-handling and safe-keeping of the evidence until submission to law enforcement or forensics team, as necessary under the circumstances
[6] Volatile data are data that are overwritten or changed over time, where a snapshot cannot be obtained without capturing the information interactively or by regularly scheduled data extracts.
38.1.1.2 Verify that appropriate steps to evaluate an incident in progress are in place and
include:
• How to determine the risk associated with allowing incidents to continue for analysis and evidence-gathering purposes
• Procedures to quickly triage systems and determine the extent and scope of the ongoing incident
• Procedures and processes for IP tracing and data traps relevant to the incident priority and type
• Procedures for collecting volatile data on short notice
• Procedures to take custody of compromised systems for safe-keeping of last-state and to ensure chain-of-command integrity and preservation of evidence
38.1.1.3 Verify that procedures for forensic acquisition of static data incorporate best practices
such as:
• Creation and analysis of log files—physical access logs, IDS logs, system event logs, router and firewall logs, application logs (nonoperating system logs), and other logs associated with tools or devices (backup and stored procedures for databases, and appliances and local devices)
• Collection of static data, including disk images, Universal Serial Bus (USB) devices and other common attached media on common Microsoft® Windows, UNIX and LINUX or other platform used by the enterprise
• Detailed tool usage information, such as settings and macros, GUI screen shots, and command line switches
• Typical write-blocking techniques and practices
• Verification of forensic data handling and storage procedures. These procedures should document the requirements for forensic data handling and storage, including a forensic “chain-of-custody” form and the archiving of evidence.
• Regular interaction and sharing of information (exceptions noted and remedial actions initiated) among the affected functional teams (e.g., network monitoring, firewall administration and intrusion detection teams)
38.1.1.4 Verify that procedures ensure that appropriate technical analysis of forensic data is
performed, including:
• Network and system log file analysis—physical access logs, IDS logs, system event logs, router and firewall logs, and application logs
• Detailed technical descriptions of techniques to analyze file systems, time lines, unknown binaries, image files, email, and the use of macros and filters
• When outside expertise is required, a list of criteria for evaluating and selecting external certified forensics experts
• Procedures and processes for IP tracing and data traps relevant to the incident priority and type
38.1.1.5 Verify that procedures include the review and analysis of physical security logs to
detect violations that correspond with the incidents.
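Steps 38.1.1.4 and 38.1.1.5 ask that system logs and physical security logs be analyzed together so that access violations corresponding to an incident are found. The following is an added example written for this page, not code from the ISACA program or any product: it parses two constructed log formats (IDS alerts and badge-reader events), maps each affected host to the door that protects it, lists badge events within a time window around each alert, and flags any badge that was denied near more than one alert. The log line formats, host names, door identifiers, badge numbers, timestamps and the host-to-door mapping are all invented for the example.

```python
"""Added example: correlate IDS alerts with physical access (badge) logs.
All log lines, hosts, doors and badge numbers below are constructed."""
from datetime import datetime, timedelta

# Constructed sample IDS alert lines (not from any real sensor).
IDS_ALERTS = [
    "2012-09-14T02:13:05 host=db-01 sig=SQL_INJECTION_ATTEMPT src=10.0.5.23",
    "2012-09-14T09:41:30 host=fs-02 sig=UNUSUAL_SMB_ENUM src=10.0.8.9",
]
# Constructed sample badge-reader lines (physical security log).
BADGE_LOG = [
    "2012-09-14T02:05:11 door=DC-EAST badge=4471 result=GRANTED",
    "2012-09-14T02:09:48 door=DC-EAST badge=9902 result=DENIED",
    "2012-09-14T08:00:02 door=LOBBY badge=1203 result=GRANTED",
    "2012-09-14T09:40:55 door=SERVER-ROOM-B badge=9902 result=DENIED",
]
# Assumed mapping of each host to the door that controls access to it.
HOST_DOOR = {"db-01": "DC-EAST", "fs-02": "SERVER-ROOM-B"}


def parse_kv(line: str) -> dict:
    """Parse '<ISO timestamp> key=value key=value ...' into a dict."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def correlate(alerts, badge_lines, window=timedelta(minutes=10)) -> list:
    """For each alert, return badge events at the protecting door that fall
    within +/- window of the alert time, plus the badges that were denied."""
    badges = [parse_kv(line) for line in badge_lines]
    results = []
    for raw in alerts:
        alert = parse_kv(raw)
        door = HOST_DOOR.get(alert["host"])  # None if host has no known door
        hits = [b for b in badges
                if b["door"] == door and abs(b["ts"] - alert["ts"]) <= window]
        results.append({
            "alert": alert["sig"],
            "host": alert["host"],
            "badge_events": [(b["badge"], b["result"]) for b in hits],
            "denied": [b["badge"] for b in hits if b["result"] == "DENIED"],
        })
    return results


def repeated_denials(results) -> set:
    """Badges denied in the window of more than one alert: a pattern the
    analyst should review by hand rather than dismiss as a single misread."""
    counts = {}
    for r in results:
        for badge in set(r["denied"]):
            counts[badge] = counts.get(badge, 0) + 1
    return {badge for badge, n in counts.items() if n > 1}


if __name__ == "__main__":
    for row in correlate(IDS_ALERTS, BADGE_LOG):
        print(row)
    print("repeated denials:", repeated_denials(correlate(IDS_ALERTS, BADGE_LOG)))
```

In practice the window width and the host-to-door mapping come from the asset inventory and the incident priority; the point of the exercise is that a denied badge minutes before an alert on the host behind that door is evidence the procedure in 38.1.1.5 is meant to surface.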
38.1.1.6 Review corrective action and remediation procedures to ensure that these procedures:
• Determine the actions required for compromised systems, which can include patching of the operating system or applications, reconfiguration of settings, and authorizations for reloading selected data from backup media or complete system restores.
• Determine if actions are defined to quarantine devices, for safe-handling and safe-keeping of compromised systems, as a requirement for evidence for law enforcement agencies or for forensics analysis.
• Document system-auditing techniques, including a CSIRT system acceptance form.
• Determine what internal and external referrals of findings and actions the CSIRT or individuals responsible for incident response/handling should initiate.
39. Forensic Reporting
Control: The report generated from the forensic analysis, summarizing findings and recommendations, is provided to management. The documentation and report will satisfy legal requirements if prosecution of the perpetrators of the incident is pursued. [COBIT: DS5.5, DS5.6, DS8.3; COSO: X X]
39.1.1.1 Verify that procedures include the development of an executive report of the
investigation and its findings. The report should be presented to senior management and
should be adequate for presentation in court if required. (Seek legal counsel if necessary.)
39.1.1.2 Review the policy and approval process for communicating information to authorities
and the public, including the disclosure of information based on fraud and transparency
legislation.
39.2 Incident Reporting Analysis and Management Tools
Audit/assurance objective: The process of selecting and implementing incident reports and analysis
and management tools should be performed by trained and technically competent professionals.
40. Software Selection
Control: The selection and implementation of incident management tools utilize the enterprise’s software acquisition processes and are managed by information security professionals with experience in the products. [COBIT: DS5.5; COSO: X]
40.1.1.1 Verify that the appropriate individuals from the CSIRT are directly involved with the
selection of any new technology being acquired by the enterprise. This allows the
CSIRT to evaluate the impact on current infrastructure and how the team may need to
change current incident response procedures if the new technology is implemented.
40.1.1.2 Verify that enterprise software acquisition procedures were followed in the selection of
the incident management tools.
40.1.1.3 Verify that the tools:
• Maintain an exact bit-stream image of an original disk or partition
• Do not alter original drive contents
• Ensure that the integrity of a disk image file is verifiable
• Log input/output (I/O) errors
• Preserve data for future analysis and storage
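The tool properties listed in 40.1.1.3, together with the write-blocking and integrity verification called for in 38.1.1.3, can be exercised end to end in a small acquisition routine. The following is an added example written for this page, not code from the ISACA program or from any forensic product: it copies a constructed in-memory "device" sector by sector through a write-blocked interface, zero-fills and logs every sector that returns an I/O error (the same policy as dd's conv=noerror,sync), records a SHA-256 of the image as it is written, and re-verifies that hash afterwards. The ReadOnlyDevice class, the simulated bad sector, the 512-byte sector size and the tampering performed in run_demo() are all assumptions made for the example.

```python
"""Added example: write-blocked sector acquisition with I/O error logging and
hash-based integrity verification. The device is an in-memory byte string
with one constructed bad sector so the example runs offline."""
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size for the example


class ReadOnlyDevice:
    """Simulates a write-blocked block device: reads by sector, refuses writes,
    and raises OSError for sectors listed as bad (constructed failure)."""

    def __init__(self, data: bytes, bad_sectors=()):
        self._data = data
        self._bad = set(bad_sectors)

    @property
    def size(self) -> int:
        return len(self._data)

    def read_sector(self, index: int) -> bytes:
        if index in self._bad:
            raise OSError(5, "Input/output error")  # errno 5 is EIO
        start = index * SECTOR
        return self._data[start:start + SECTOR]

    def write(self, *_):
        raise PermissionError("device is write-blocked")


def acquire(device: ReadOnlyDevice, image_path: str) -> dict:
    """Copy every sector into image_path. Unreadable sectors are zero-filled
    and recorded in the error log, so the image keeps the source's size and
    every gap is documented rather than silently skipped."""
    sha = hashlib.sha256()
    errors = []
    sectors = (device.size + SECTOR - 1) // SECTOR
    with open(image_path, "wb") as img:
        for i in range(sectors):
            try:
                chunk = device.read_sector(i)
            except OSError as exc:
                errors.append({"sector": i, "offset": i * SECTOR, "error": str(exc)})
                chunk = b"\x00" * SECTOR
            img.write(chunk)
            sha.update(chunk)
    return {"image": image_path, "sectors": sectors,
            "sha256": sha.hexdigest(), "io_errors": errors}


def verify_image(record: dict) -> bool:
    """Re-hash the image file and compare with the hash taken at acquisition;
    any later alteration of the image is detected here."""
    sha = hashlib.sha256()
    with open(record["image"], "rb") as img:
        for chunk in iter(lambda: img.read(1 << 16), b""):
            sha.update(chunk)
    return sha.hexdigest() == record["sha256"]


def run_demo() -> dict:
    """Acquire a constructed 8-sector device with one bad sector, verify the
    image, then show that a later change to the image is detected."""
    device = ReadOnlyDevice(bytes(range(256)) * 16, bad_sectors={3})
    try:
        device.write(b"x")
        write_blocked = False
    except PermissionError:
        write_blocked = True
    fd, image_path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        record = acquire(device, image_path)
        image_size = os.path.getsize(image_path)
        verified = verify_image(record)
        with open(image_path, "ab") as img:  # simulated post-acquisition tampering
            img.write(b"\x00")
        tampered_verified = verify_image(record)
    finally:
        os.remove(image_path)
    return {"sectors": record["sectors"], "image_size": image_size,
            "io_errors": record["io_errors"], "verified": verified,
            "tampered_verified": tampered_verified, "write_blocked": write_blocked}


if __name__ == "__main__":
    print(run_demo())
```

The returned record (image path, sector count, hash and error log) is the kind of artifact an auditor would expect to see attached to the chain-of-custody form: it shows the image is the same size as the source, names exactly which sectors could not be read, and lets anyone re-run verify_image later to confirm the stored copy is unchanged.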
41. Analysis Practices
Control: Analysis procedures and incident response/handling infrastructure are managed using good practices, with appropriate senior management oversight. [COBIT: DS5.5; COSO: X X]
41.1.1.1 Review the incident response/handling infrastructure, including systems and/or
that a virus scan has been run in the last three to seven days.
51. CSIRT Team Workstations
Control: CSIRT workstations are configured for maximum security. [COBIT: DS5.5; COSO: X]
51.1.1.1 Determine that there are CSIRT and/or forensically dedicated laptops/computers for
CSIRT and forensic team members. Members should have equipment appropriate for
their roles/responsibilities.
51.1.1.2 Determine that CSIRT workstation security configurations are set for maximum
security as defined by the enterprise.
51.1.1.3 Verify that complex passwords are implemented.
51.1.1.4 Verify that all CSIRT and forensic workstations have physically secure storage
locations.
52. Incident Response and Forensics Server Software
Control: CSIRT and forensic software is appropriately configured on the servers for maximum security and appropriate monitoring. [COBIT: DS5.5; COSO: X]
52.1.1.1 Review the installation of the CSIRT and forensic server software. Verify that only
authorized software has been installed by obtaining a list of authorized software and
comparing the list to installed software.
52.1.1.2 Examine the CSIRT and forensic software default configurations to ensure that access
and administrative rights are set to reflect access policies.
52.1.1.3 Verify that complex passwords are set for all users and the administrator.
52.1.1.4 Verify that CSIRT and forensic server software is configured to sense all targeted
network segments.
52.1.1.5 For client server CSIRT and forensic server software, verify that client software is
deployed to all target nodes on target network segments (for enterprise installations).
52.1.1.6 Verify that data storage security is enabled through appropriate authentication and
encryption settings.
53. Vulnerability of CSIRT and Forensic Equipment
Control: CSIRT and forensic equipment is subject to routine vulnerability assessments. [COSO: X]
53.1.1.1 Verify that a vulnerability assessment of all CSIRT and forensic workstations and
servers has been performed at a frequency prescribed by management within its policy
pronouncement.
53.1.1.1.1 Obtain vulnerability assessment documentation, and review for
thoroughness and management review.
53.1.1.1.2 Identify any remediation recommendations and determine the status of the
remediation.
53.2 Testing and Automation of Processes
Audit/assurance objective: Appropriate testing should be performed prior to implementation to ensure
that the applications are functioning as intended and that the availability of these processes will
ensure recording of all activities scheduled.
54. Testing
Control: The forensic and incident reporting software is tested prior to final acceptance and implementation. [COBIT: DS5.5; COSO: X]
54.1.1.1 Examine the acceptance and testing process and documentation to ensure that the
forensic and testing software has been adequately tested before implementation.
55. Automation of Processes and/or Tool Sets
Control: Scripts used to automate incident reporting tools are complete and tested. [COBIT: DS5.5; COSO: X]
55.1.1.1 Verify that the change management procedures necessary to ensure scripts used to
automate complex and/or repetitive CSIRT and forensic functions are adequate.
55.1.1.1.1 Test objective: To verify that change management of automated scripts is
authorized and documented
55.1.1.1.1.1 Select a sample of automated scripts.
55.1.1.1.1.2 Determine that changes have been appropriately documented
and authorized.
55.1.1.2 Verify that appropriate testing has been performed to ensure the reliability of each
script by setting target nodes in specific conditions and validating that the scripts return
the expected conditions.
55.1.1.3 Verify that appropriate testing has been performed to ensure that each script is verified
to operate on all target platforms.
55.2 Initial Implementation Testing and Evaluation
56. Initial Testing of the Incident Management/Forensic Tools
Control: Drills are conducted to test the functionality and effectiveness of the incident management process, and the results are reported to management. [COBIT: DS5.5; COSO: X]
56.1.1.1 Determine if a physical security breach has been tested and validated.
56.1.1.2 Determine if hash values for “baseline installs” of issued equipment are available (to
provide a future means of verifying that software has not been modified).
56.1.1.3 Determine if the IDS alert response has been validated by injecting a known threat into
a test server.
56.1.1.4 Determine if the firewall alert response has been validated by simulating access breach
or security violation.
56.1.1.5 Determine if the mission-critical server alert response has been validated by simulating
access violation.
56.1.1.6 Determine if the forensic examination of network nodes has been validated by injecting
a known threat.
56.1.1.7 Determine if the forensic examination of mission-critical servers has been validated by
simulating unauthorized access to confidential information.
56.1.1.8 Determine if there has been a validation of all IDS and other system alerts being routed
to the CSIRT for evaluation.
56.1.1.9 Determine if the process of incidents being prioritized and assigned to CSIRT members
has been validated.
56.1.1.10 Determine if the IP tracing and data trap process has been validated.
56.1.1.11 Determine if CSIRT and forensic workstations access to all target nodes (for enterprise
installations) has been validated.
56.1.1.12 Determine that log analysis software is able to access all network transport and
security device logs through validation. Ensure that the following logs can be obtained:
physical security logs, IDS logs, router and firewall logs, system event logs, and
application logs.
56.1.1.13 Verify that CSIRT access to all of the CSIRT policies and procedures has been
validated. Paper copies of these documents may mitigate the chance of electronic
copies not being available, since they may be located on compromised systems.
56.1.1.14 Determine that escalation procedures and notifications, with drills on high, medium
and low priority, have been validated.
56.1.1.15 Determine that referral to law enforcement has been validated by conducting a
cooperative drill with local law enforcement.
56.1.1.16 Determine that internal and external reporting procedures, including mandatory
disclosure, have been validated.
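Step 56.1.1.2 asks for hash values of "baseline installs" of issued equipment so that later modification of the software can be detected, and 52.1.1.1 compares what is installed against what was authorized. The following added example, not tooling from the ISACA program or from any vendor, builds a SHA-256 manifest over a directory tree and later reports files that were modified, removed or added relative to that manifest. The directory layout, file names and contents, and the tampering performed in run_demo() are constructed for the example.

```python
"""Added example: a baseline-install hash manifest and a later drift check.
The tree is a temporary directory populated in run_demo() so the example
runs offline; all paths and file contents are constructed."""
import hashlib
import json
import os
import tempfile


def file_sha256(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            sha.update(chunk)
    return sha.hexdigest()


def build_baseline(root: str) -> dict:
    """Hash every regular file under root; keys are paths relative to root
    (with '/' separators) so the manifest is portable between identically
    built machines and survives a JSON round trip."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(full)
    return manifest


def check_against_baseline(root: str, baseline: dict) -> dict:
    """Report files whose hash changed, files missing from the tree, and files
    present that the baseline never recorded."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added,
            "clean": not (modified or missing or added)}


def run_demo() -> dict:
    """Build a constructed install tree, take its baseline, tamper with it,
    and return the drift report before and after the tampering."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed contents of an issued workstation's tool set
            "bin/responder": b"#!/bin/sh\necho triage\n",
            "etc/csirt.conf": b"log_level=info\n",
            "lib/helper.py": b"def go():\n    return 1\n",
        }
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        baseline = build_baseline(root)
        # The manifest would be kept off the box (and ideally signed); the JSON
        # round trip here just shows it serialises without loss.
        baseline = json.loads(json.dumps(baseline))
        before = check_against_baseline(root, baseline)
        # Simulated tampering: edit a config, remove a library, drop a new binary.
        with open(os.path.join(root, "etc/csirt.conf"), "ab") as fh:
            fh.write(b"log_level=off\n")
        os.remove(os.path.join(root, "lib/helper.py"))
        with open(os.path.join(root, "bin/extra"), "wb") as fh:
            fh.write(b"unexpected\n")
        after = check_against_baseline(root, baseline)
    return {"before": before, "after": after, "baseline_entries": len(baseline)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Because the manifest is keyed by relative path and stored as plain JSON, the same baseline can be checked against every workstation built from the same image; the "added" list also gives the auditor a direct way to spot software that is installed but not on the authorized list.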
56.2 Ongoing Maintenance
Audit/assurance objective: Maintenance procedures should be in effect to ensure the security of the
incident/forensic tools and the continued effectiveness of the program.
57. Periodic Drills
Control: Periodic drills are conducted to ensure that the process operates as intended and staff members are ready for an incident. [COBIT: DS5.5; COSO: X]
57.1.1.1 Determine that testing of CSIRT and forensic team processes and targets is scheduled
to occur on a periodic basis. Review the documentation and analysis process.
57.1.1.2 Verify that the primary responsibilities of the CSIRT and the forensic team are
evaluated and updated periodically.
[7] Certified Information Security Manager, conferred by ISACA
[8] Certified Information Systems Security Professional, conferred by the International Information Systems Security Certification Consortium, (ISC)²
63.1.1.1.2 Determine that cybercrime is within the scope and charter of the crisis
management committee.
64. Crisis Management Governance Oversight
Control: The crisis management committee is responsible for and actively reviews cybercrime activities as part of the crisis management process. [COBIT: ME4; COSO: X X X]
64.1.1.1.1 Review crisis management committee meeting minutes to determine
the level of involvement and oversight directed towards cybercrime
prevention, detection, and monitoring where cybercrime incidents have
been experienced.
65. Crisis Scenarios
Control: Crisis scenarios are identified to establish crisis response and management processes. [COBIT: DS4, ME3; COSO: X X]
65.1.1.1.1 Obtain a list of crisis scenarios.
65.1.1.1.2 Determine if cybercrime is included in the scenarios.
COBIT 4.1 Control Practice | Assessed Maturity | Target Maturity | Reference Hyperlink | Comments
DS5.5 Security Testing, Surveillance and Monitoring
1. Implement monitoring, testing, reviews and other controls to:
• Promptly prevent/detect errors in the results of processing
• Promptly identify attempted, successful and unsuccessful security breaches and incidents
• Detect security events and thereby prevent security incidents by using detection and
prevention technologies
• Determine whether the actions taken to resolve a breach of security are effective
2. Conduct effective and efficient security testing procedures at regular intervals to:
• Verify that identity management procedures are effective
• Verify that user account management is effective
• Validate that security-relevant system parameter settings are defined correctly and are in
compliance with the information security baseline
• Validate that network security controls/settings are configured properly and are in
compliance with the information security baseline
• Validate that security monitoring procedures are working properly
• Consider, where necessary, obtaining expert reviews of the security perimeter
DS5.6 Security Incident Definition
1. Describe what a security incident is considered to be. Document within the characteristics a
limited number of impact levels to allow commensurate response. Communicate and
distribute this information, or relevant parts thereof, to identify people who need to be
notified.
2. Ensure that security incidents and appropriate follow-up actions, including root cause
analysis, follow the existing incident and problem management processes.
3. Define measures to protect confidentiality of information related to security incidents.
DS8.2 Registration of Customer Queries
1. Define priority levels through consultation with the business to ensure that events that are not
part of standard operations (incidents) are handled in a timely manner according to the
agreed-upon SLAs. Define priority levels on the business impact and urgency. Establish time
thresholds to determine when escalation should occur, based on the classification of the
request or incident.
2. Record all reported calls, incidents, service requests and information needs in an automated
tool. Capture information including, but not limited to, type (e.g., hardware, software), status
(e.g., new, assigned, escalated, closed) and the incident/problem owner.
3. Implement event detection mechanisms within systems monitoring tools for automated
incident logging and alerting.
4. Record details of closed queries in the organization’s service management system in support
of other processes, such as problem management, service level management, availability and
capacity management.
5. Update the record status with all activities relating to the progress of the event. Enable
involved parties to access relevant information in the service management system.
6. Use the service management system to report appropriate statistics and trends to senior
management.
DS8.3 Incident Escalation
1. Ensure that the service desk maintains ownership, monitoring and escalation of requests and
incidents on behalf of customers.
2. Notify management when high-impact incidents occur, e.g., major business impact or major
deviation from agreed-upon service levels.
3. Define and implement a process to ensure that the incident records are updated to show the
date, time and assignment to IT personnel.
4. Define and implement a process to ensure that IT staff members dealing with customer
queries update the request or incident records with relevant information, such as
classification, diagnosis, root cause and workarounds.
DS8.4 Incident Closure
1. Define a process to manage the resolution and closure of each incident, including use of
predetermined categorisations to identify the likely root cause of the incident.
2. Record all resolved incidents in detail and review the information for possible update in the
knowledge base. Note the workaround and probable root cause for similar incidents arising
in the future.
3. Monitor all request and incident records through the complete life cycle, and review them on
a regular basis to guarantee timely resolution and fulfilment of customer queries.
4. Close requests and incidents only after confirmation of the initiator.
[Maturity assessment chart: assessed and target maturity plotted for the control practices, including DS8.4 Incident Closure and DS5.6 Security Incident Definition]