Domain 5 of CISA Exam

Topics: Security, Computer security, Information security Pages: 13 (2217 words) Published: February 28, 2015

Protection of Information Assets
Clarence Murphy
ISSC471 IT Security: Auditing
American Military University
Dr. Eric Yocam
23 Oct 2014

Protection of Information Assets
Domain 5 of the CISA exam covers protection of information assets and includes eight areas of competence. This part of the CISA exam is weighted 30 percent of the overall score, which is the most of any domain. This emphasizes the importance of information asset protection to CISA and to organizations. This research considers each of those eight aspects.

Importance of Information Security Management

Information security management focuses on three key areas: confidentiality, integrity and availability. Confidentiality refers to protecting the data so that private information remains private. Integrity refers to ensuring that the information is accurate and is not corrupted at any point during the data's lifecycle, including while being transferred from one location to another or during processing. Availability refers to having the right data available to the right users at the right time (Singleton, 2007). Information security management relies on six key elements: senior management commitment and support; policies and procedures; organization; security awareness and training; monitoring and compliance; and incident handling and response (Magee, 2011). Without senior management commitment and support, the resources will not be available to support information security management. Policies and procedures, and organization, put the infrastructure in place with the necessary framework to ensure successful deployment of information security management. Security awareness and training provides the necessary education for the organization, while monitoring and compliance provides the mechanism for ensuring that the policies and strategy of the information security management program are followed. Incident handling and response is the day-to-day operation that maintains information security.

Logical Access

Logical access is the key way that data is managed and protected. Two points of entry are commonly used in today's computing environments: on-site and remote. On-site access is used when users access data assets in the same facility where they are physically located. Remote access is accomplished when users are in a different physical location from the data assets. With today's technology, including smartphones, tablets, laptop computers and cloud computing/storage, remote users are increasingly common and pose significant challenges to information security management. However, whether users are local or remote, they must be identified and given appropriate rights (Magee, 2011). Authentication typically uses one or more of three characteristics: something the user knows (password or user name); something the user has (token); or something the user is (biometric data such as a fingerprint or retina scan). Each type has advantages and disadvantages, with biometrics typically having the most cost associated with them, while passwords or tokens can be lost or misplaced (Magee, 2011).
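The following Python script is an added illustration of combining two of the authentication factors named above (something the user knows and something the user has); it is not code from the paper or from any of its sources. It stores the "knows" factor as a salted PBKDF2 password hash and checks the "has" factor as a time-based one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226), which is what hardware tokens and authenticator apps produce. The user record, the shared secret and the timestamps are constructed test values; the helper names (make_user, authenticate, and so on) are assumptions for this example.

```python
"""Two-factor login check: password (something the user knows) plus a
time-based one-time code from a token (something the user has).
Added example; the user record and secrets below are constructed."""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 200_000   # constructed choice for the example
TOTP_STEP = 30            # seconds per TOTP step (RFC 6238 default)


# --- "Something the user knows": salted password hashing ------------------
def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Derive a PBKDF2-HMAC-SHA256 digest; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# --- "Something the user has": HOTP (RFC 4226) and TOTP (RFC 6238) ---------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to
    tolerate clock skew between server and token; constant-time compare."""
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


# --- Combining the factors -------------------------------------------------
def make_user(password: str, totp_secret: bytes) -> dict:
    """Build a constructed user record holding the salted hash and token seed."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest, "totp_secret": totp_secret}


def authenticate(user: dict, password: str, code: str, at: int) -> bool:
    """Both factors are always evaluated, and both must pass."""
    know_ok = verify_password(password, user["salt"], user["pw_hash"])
    have_ok = verify_totp(user["totp_secret"], code, at)
    return know_ok and have_ok


if __name__ == "__main__":
    # Constructed demo: the RFC 4226 test secret, a sample password, and "now".
    seed = b"12345678901234567890"
    user = make_user("correct horse battery staple", seed)
    now = int(time.time())
    print("token shows:", totp(seed, now))
    print("login ok:", authenticate(user, "correct horse battery staple", totp(seed, now), now))
    print("wrong code:", authenticate(user, "correct horse battery staple", "000000", now))
```

Both checks run even when the password is wrong, so a caller cannot tell from response time which factor failed, and the one-step skew window is the usual trade-off between token clock drift and replay exposure.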

Network Infrastructure Security

Network infrastructure security focuses on protecting the network itself. Virtualization is one of the areas that is covered by this section. With virtualization, multiple operating systems and associated applications can reside on a single piece of hardware with resources allocated to users according to required service levels and controlled by the operator. Virtualization reduces power consumption and hardware expenses, but not all applications support virtualization due to licensing or support agreements. Thus infrastructure security is also concerned with determining when virtualization is—and is not—appropriate (Natarajan, 2012). Network infrastructure security is also concerned with wireless security, including determining which wireless...

References

Ensure Networks. (2014). IT Security Auditing. Retrieved October 31, 2014, from Ensure Networks.
ISACA. (2014). Certified Information Systems Auditor (CISA). Retrieved October 31, 2014, from ISACA.
LeGrand, C., & Sarel, D. (2008). Database Security, Compliance and Audit. Retrieved October 31, 2014, from ISACA.
Magee, K. (2011, April 1). CISA Domain 5 – Protection of Information Assets. Retrieved October 31, 2014, from Infosec Institute.
Mathias, C. (2013, September). Mobility Management: Beyond MDM and BYOD. Retrieved October 31, 2014, from Search CIO.
McFarland, S. (2014). The Future of Security. Cloud Security Alliance. Securosis. Retrieved October 31, 2014.
Natarajan, S. (2012). Security Issues in Network Virtualization for the Future Internet. University of Massachusetts-Amherst. Scholar Works. Retrieved October 31, 2014.
Singleton, T. W. (2007). What Every IT Auditor Should Know About Auditing Information Security. Retrieved October 31, 2014, from ISACA.
Trull, J. (2012). Security Through Effective Penetration Testing. Retrieved October 31, 2014, from ISACA.
Wood, M. (2014, October 1). Mobile Malware: Small Numbers, But Growing. Retrieved October 31, 2014, from New York Times.