tailieunhanh - The CISA Prep Guide: Mastering the Certified Information Systems Auditor Exam, part 3

Therefore, an audit step must be designed to follow a process or transaction flow over a period of time to ensure that the control is working properly. This is especially the case where many smaller processes or transactions

102 Chapter 2

hand and the relative costs of reducing the risks to acceptable levels sets the stage for adequate information security planning and management of the function. The overall information security plan will be the blueprint for the information security-related activities. This will necessarily be a dynamic plan that is periodically revisited and adjusted as changes occur in the threat/vulnerability landscape. The information technology security plan should have several of the following common elements:

- Periodic risk assessments and evaluations of current security status
- Incident identification, response, and follow-up processes
- Policy, standards, and leading-practice identification, creation, and communication
- Security awareness and training processes
- Communication-related security activities: phone or dial-up, Internet, trading partner connectivity, and so forth
- Data access control activities such as information ownership, data classification, firewall management, content control tool administration, and so forth
- User account administration activities, including adding users, modifying access needs, terminating accounts, periodically revalidating access needs, resetting passwords, and managing account and data access pairings
- Systems security activities such as security plan and configuration documentation, implementation of minimum-security baselines, hardening of systems, maintenance of proper patch levels on systems, and investigation of new technologies
- Monitoring activities such as network- and host-based intrusion detection implementation and management, and gathering log activity and reviewing it for violations of security policy
- Business partner access and risk management through vehicles like trust agreements, third-party security assessments, and so on
- New project security design participation and implementation, including risk assessment and the recommendation of appropriate security technology commensurate with the risk
- Security architecture design and .
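The opening sentence says an audit step should follow a flow over a period of time rather than inspect one point in time, and the plan elements above name two controls an auditor would test that way: user account administration (terminated accounts, periodic revalidation of access needs) and monitoring (reviewing log activity for policy violations). The following is an added example, not code from the book or from any CISA material, showing one such control test over a constructed account register and a constructed multi-week authentication log. The log format, the account fields, the 180-day revalidation period and the five-failures-in-five-minutes rule are all assumptions chosen for the illustration.

```python
"""Hypothetical control test (added example): replay an authentication log
over a period and check controls named in the security plan. All data below
is constructed for the illustration."""
from datetime import date, datetime, timedelta

# Constructed account register (hypothetical): termination date, if any, and
# the date the account's access needs were last revalidated by its owner.
ACCOUNTS = {
    "alice": {"terminated": None,             "last_revalidated": date(2024, 1, 15)},
    "bob":   {"terminated": date(2024, 3, 1), "last_revalidated": date(2023, 11, 2)},
    "carol": {"terminated": None,             "last_revalidated": date(2023, 6, 30)},
}

# Constructed authentication log spanning several weeks (hypothetical format:
# ISO timestamp followed by key=value fields).
AUTH_LOG = """\
2024-02-20T08:01:12Z user=alice result=success src=10.0.0.5
2024-03-03T17:44:09Z user=bob result=success src=10.0.0.9
2024-03-05T02:10:33Z user=carol result=failure src=203.0.113.7
2024-03-05T02:10:40Z user=carol result=failure src=203.0.113.7
2024-03-05T02:10:47Z user=carol result=failure src=203.0.113.7
2024-03-05T02:10:55Z user=carol result=failure src=203.0.113.7
2024-03-05T02:11:02Z user=carol result=failure src=203.0.113.7
2024-03-06T09:15:00Z user=dave result=success src=10.0.0.12
"""

AS_OF = date(2024, 3, 7)                   # date the audit step is performed
REVALIDATION_PERIOD = timedelta(days=180)  # assumed policy: revalidate twice a year
FAILURE_THRESHOLD = 5                      # assumed policy: 5 failures ...
FAILURE_WINDOW = timedelta(minutes=5)      # ... within 5 minutes is a violation


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def terminated_account_logins(accounts, events):
    """Control: terminated accounts cannot log in, and every login maps to a
    registered account. Returns (finding, user, timestamp) tuples in log order."""
    findings = []
    for e in events:
        acct = accounts.get(e["user"])
        if acct is None:
            findings.append(("unknown-account", e["user"], e["ts"]))
        elif (acct["terminated"] is not None and e["result"] == "success"
              and e["ts"].date() >= acct["terminated"]):
            findings.append(("terminated-login", e["user"], e["ts"]))
    return findings


def overdue_revalidations(accounts, as_of):
    """Control: every active account's access needs were revalidated within the period."""
    return sorted(
        user for user, acct in accounts.items()
        if acct["terminated"] is None
        and as_of - acct["last_revalidated"] > REVALIDATION_PERIOD
    )


def brute_force_bursts(events, threshold, window):
    """Policy violation: `threshold` failed logins for one user inside `window`.
    Sliding window over each user's sorted failure timestamps."""
    failures = {}
    for e in events:
        if e["result"] == "failure":
            failures.setdefault(e["user"], []).append(e["ts"])
    bursts = []
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts.append((user, times[i], threshold))
                break  # one finding per user is enough for the working papers
    return bursts


def run_audit():
    """Run all three checks against the constructed data and return the findings."""
    events = parse_log(AUTH_LOG)
    return {
        "terminated_logins": terminated_account_logins(ACCOUNTS, events),
        "overdue_revalidations": overdue_revalidations(ACCOUNTS, AS_OF),
        "brute_force": brute_force_bursts(events, FAILURE_THRESHOLD, FAILURE_WINDOW),
    }


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name, findings)
```

Against the constructed data the test reports a successful login by bob two days after his termination date, a login by dave who is not in the register at all, carol's access revalidation as overdue, and carol's five failed logins within 29 seconds. The point of replaying the whole log rather than sampling one day is that the bob finding only appears because the log spans the termination date; a point-in-time check of the register would show the account as correctly terminated.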