Virtualization Desktop Infrastructure (VDI)

Download (Registration Required, 416K)
The concept of virtualization has rapidly transformed data centers over the past few years. Beginning with server virtualization, it has consolidated resources, improved resource utilization, enabled better disaster recovery solutions, reduced capital costs and increased sustainability. A new phase of virtualization, virtual desktop infrastructure (VDI), has now emerged. It allows simpler provisioning of new desktops and applications, reduces downtime when desktop hardware fails, increases mobility, gives more unified desktop management, and reduces hardware costs.
Incident Management and Response

Download (Registration Required; 664K)
Incident response is a key component of an enterprise business continuity and resilience program. The increasing number and diversity of information security threats can disrupt enterprise business activities and damage enterprise information assets. A sound risk management program can help reduce the number of incidents, but there are some incidents that can neither be anticipated nor avoided. Therefore, the enterprise needs to have an incident response capability to detect incidents quickly, contain them, mitigate impact, and restore and reconstitute services in a trusted manner. This white paper examines incident response from security, risk, privacy and assurance perspectives; identifies some key issues to be considered in an incident response program; and outlines where the COBIT 4.1 framework can be applied to the development of an effective incident response capability.
Additional incident response resources:
- Endorf, Carl; Eugene Schultz; Jim Mellander; Intrusion Detection and Prevention; McGraw-Hill, USA, 2004
- Grance, T.; K. Kent; B. Kim; Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-61 Rev. 1, USA, 2008
- ISACA, Certified Information Security Manager (CISM) Review Manual 2012, Chapter 4, Information Security Incident Management, USA, 2012
- ISACA, Cybercrime: Incident Response and Digital Forensics (out of print Nov. 2011)
- ISACA, Security Incident Management Audit/Assurance Program, USA, 2009
- Kabay, M.E.; CSIRT Management, USA, 2009, p. 15
- Kent, K.; S. Chevalier; T. Grance; H. Dang; Guide to Integrating Forensic Techniques into Incident Response, NIST SP 800-86, USA, 2006
- Schultz, E.; R. Shumway; Incident Response: A Strategic Guide to Handling System and Network Security Breaches; New Riders, USA, 2002
- Software Engineering Institute, CERT® Coordination Center (CERT/CC), Carnegie Mellon University
- Software Engineering Institute, CERT Coordination Center; Creating a Computer Security Incident Response Team: A Process for Getting Started, Carnegie Mellon University, 2006
- Software Engineering Institute, Defining Incident Management Processes for CSIRTs: A Work in Progress, Carnegie Mellon University, USA, 2007
- Sterneckert, Alan B.; Critical Incident Management, Auerbach, 2004
- Symantec, Managing Security Incidents in the Enterprise, USA, 2003
- United States Computer Emergency Readiness Team (US-CERT)
- Vacca, John; K. Rudolph; System Forensics, Investigation and Response
- West-Brown, Moira J.; Don Stikvoort; Klaus-Peter Kossakowski; Georgia Killcrece; Robin Ruefle; Mark Zajicek; Handbook for Computer Security Incident Response Teams, US-CERT: 2003-04-01, Carnegie Mellon University, USA, 2003
IPv6 Security Audit/Assurance Program

Download (470K; Member Only)
The major objectives of the IPv6 networking audit/assurance review are to:
- Provide management with an independent assessment of the effectiveness of the IPv6 network’s architecture, security and alignment with the enterprise’s networking and IT security policies and architecture.
- Provide management with an independent assessment of the effectiveness of the deployment of IPv6 technology in the enterprise and the conversion process.
- Provide management with an evaluation of the IT function’s preparedness in the event of an intrusion.
- Identify issues that affect the security of the enterprise’s network.
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the Certified Information Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the work performed.
Guiding Principles for Cloud Computing Adoption and Use

Download (Registration Required, 286K)
The drive for value, the need to reduce technology costs and the business demand for increased agility in how technology is used have caused enterprises to adopt cloud computing strategies. These strategies leverage the infrastructure, platforms or software services provided by cloud providers, transferring information technology (IT) from an in-house service to an outsourced capability. While enterprises have experience with the technology that makes cloud possible, and have used IT outsourcing to control costs or to enhance service levels, they have less experience transferring IT decision making away from the chief information officer (CIO) and technology specialists and to business unit leaders. Cloud represents a fundamental shift in how technology is acquired and managed in enterprises. This shift can result in pressure on the enterprise when its structure, culture, policies and practices, and enterprise architecture have not evolved to address the changes inherent in the cloud computing shift. This paper describes the nature of cloud computing and areas of pressure that, when not addressed, can increase risk to the enterprise. It also presents six principles for cloud computing adoption and use that can guide management toward more effective cloud implementation and use, reduction of pressure points, and mitigation of potential risk.
Security, Audit and Control Features Oracle PeopleSoft, 3rd Edition

Download Excerpt (1.1M)
Download the ICQs and Audit Programs (200K; Member Only)
Between the covers of this book, readers will find all the details needed to confidently plan and execute a detailed review of risk and controls in a PeopleSoft® environment. A lot has changed in terms of new product features, new releases and various regulatory compliance requirements for enterprises since the second edition of this guide was published in 2005. This third edition aims to ensure that the audit programs, risk and controls are functional and relevant with current research for Oracle® PeopleSoft HRMS release 9.1. In addition, chapter 12, New Directions for PeopleSoft and ERP Audit, discusses the changing compliance landscape, tools to assist with compliance and Oracle Fusion, and the pathway for PeopleSoft installations.
This publication has been written with the business manager in mind. IT and audit and assurance professionals will also find it highly informative and helpful. Other audiences include security and risk management professionals. Parts of the publication are written for those looking to learn more about how PeopleSoft applications work, as well as the strategic and risk management issues. However, for the most part, the book assumes that the reader has a fundamental working knowledge of PeopleSoft.
Although there are many books that have been written on PeopleSoft, they are more narrowly focused on the implementation, business aspects or how one of the PeopleSoft modules actually works. This publication is unique in that it deals with aspects of risk management, audit, security and control over PeopleSoft. These are important aspects that have not been dealt with previously in a comprehensive manner in one publication. The book is also unique in that it contains audit/assurance programs, audit suggestions and internal control questionnaires (ICQs) for the business cycles addressed within the publication.
This series of technical and risk management reference guides deals with security, audit and control features of ERP systems. The series is intended to be considered collectively; consequently, common business processes and the related risk and control features are not covered in each and every guide.
Voice-over Internet Protocol (VoIP) Audit/Assurance Program

Download (1.3M; Member Only)
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the Certified Information Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the work performed.
A typical VoIP network comprises a complex series of cooperating protocols, networks (wireless and wired), servers, security architectures, special services (such as E-911), backup and recovery systems, and interfaces to the PSTN.
During the audit planning process, the auditor must determine the scope of the audit. Depending on the specific implementation, this may include:
- Evaluation of governance, policies and oversight relating to VoIP
- Data classification policies and management
- The appropriate VoIP business case, actual deployment or upgrade processes, strategy and implementation controls
- Technical architecture(s), including security systems, multiple platforms (different vendors that supply and/or support VoIP), interfaces with data networks, backup and recovery, data retention and destruction policy, and technology
- Assessments of IT infrastructure and personnel to support the VoIP architecture(s)
- Baseline configurations of deployed hardware and software
- Issues related to decentralized VoIP servers
- Issues related to failover clustering, where appropriate
Security considerations for the public switched telephone network (PSTN or dial-up) are outside the scope of this document.