Types of storage
Local Storage Options
1. External Hard Drives
These are hard drives similar to the type installed within a desktop or laptop
computer. The difference is that they can be plugged into the computer, or
removed and kept separate from the main computer.
Advantages:
Very good option for local backups of large amounts of data. The cheapest
storage option in terms of cost per GB. Very reliable when handled with care.
Disadvantages:
2. External Solid State Drives (SSDs)
With the prices of Solid State Drives coming down and their lower power usage,
SSDs are used extensively in laptops and mobile devices. External SSDs are
also a viable option for data backups.
Advantages:
Faster read and write performance. More robust and reliable than traditional
magnetic hard drives. Highly portable and can be easily taken offsite.
Disadvantages:
3. Network Attached Storage (NAS)
A NAS is simply one or more regular IDE or SATA hard drives plugged into an
array storage enclosure and connected to a network router or hub through an
Ethernet port. Some of these NAS enclosures have ventilating fans to protect
the hard drives from overheating.
Advantages:
Very good option for local backups, especially for networks and small
businesses. As several hard drives can be plugged in, a NAS can hold very
large amounts of data. Can be set up with redundancy (RAID), increasing the
reliability and/or read and write performance. Depending on the RAID level
used, the NAS can still function even if one hard drive in the RAID set fails,
or two hard drives can be set up to double the read and write speed of a
single hard drive. The drive is always connected and available to the network,
making the NAS a good option for implementing automated scheduled backups.
Disadvantages:
Significantly more expensive than using single External Hard Drives. Difficult
to bring offsite, making it very much a local backup and hence still
susceptible to events like theft, floods, fire etc.
4. Flash Drives
These are similar to Solid State Drives except that they are much smaller in
size and capacity. They have no moving parts, making them quite robust. They
are extremely portable and can fit on a keychain. They are ideal for backing
up a small amount of data that needs to be brought with you on the go.
Advantages:
The most portable storage option. Can fit on a keychain, making it an offsite
backup when you bring it with you. Much more robust than traditional magnetic
hard drives.
Disadvantages:
5. CDs and DVDs
CDs and DVDs are ideal for storing a list of songs, movies, media or software
for distribution or for giving to a friend, due to the very low cost per disk.
They do not make good storage options for backups due to their shorter
lifespan, small storage space and slower read and write speeds.
Disadvantages:
Relatively shorter life span than other storage options. Not as reliable as
other storage options like external hard disks and SSDs. One damaged disk in a
backup set can make the whole backup unusable.
6. Cloud Storage
Advantages:
A very good offsite backup. Not affected by events and disasters such as
theft, floods, fire etc.
Disadvantages:
Audits need to be planned and follow a defined methodology to cover the total
material risks of an organization. This is important, as the complexity of an
organization and its processes can be quite confusing for those looking to
uncover risks and vulnerabilities.
Audit methodologies
There are two primary methods by which audits are performed: start with the
overall view of the corporate structure and drill down to the minutiae, or
begin with a discovery process that builds up a view of the organization.
An internal audit is usually performed top-down. Implicitly aware of the
pieces and parts of the organization, staff have no need to assemble the
picture. Conversely, outsider audits are commonly performed by first
assembling a detailed list of the components and building up to the overall
structural view. In practice, parts of each methodology are often fused into
an audit process. This is wholly dependent upon access to information known
to the internal staff of the organization. Regardless of which method is used,
the goal is the same: mitigate the risks to the organization.
Three types
a. Testing – Pen tests and other testing methodologies are used to explore
vulnerabilities. In other words, exercising one or more assessment objects
to compare actual and expected behaviors.
Auditing techniques:
• Planning
Agree the scope and objective of the audit. Agree on the level of support that
will be provided. Agree locations, duration and other parameters of the audit.
Agree financial and other considerations. Confidentiality agreements and
contracting are to be completed at this stage. Develop/create a formal
agreement (e.g., statement of work, audit memorandum, or engagement memo) to
state the audit objectives, scope and audit protocol.
• Fieldwork
perform automated and manual tests, and other tasks. Fieldwork activities
may be performed at the client’s worksite(s) or at remote locations,
depending on the nature of the audit.
• Analysis
At the end of this phase, the auditor will hold an Exit Meeting with the
client to discuss findings and recommendations, address client questions,
discuss corrective actions, and resolve any outstanding issues. A first draft
of the findings and recommendations may be presented to the client during the
exit meeting.
• Reporting
Generally, the Information Security Audit Program will provide a draft audit
report after completing fieldwork and analysis. If the client’s response
requires changes to the draft, the auditor may issue a second draft. Once the
client is satisfied that the terms of the audit have been complied with, the
final report will be issued with the auditor’s findings and recommendations.
• Follow-through
Depending on expectations and agreements, the auditor will evaluate the
effectiveness of the corrective action taken by the client and, if necessary,
advise the client on alternatives that may be utilized to achieve the desired
improvements. In larger, more complex audit situations, follow-up
The level of risk and severity of the control weakness or vulnerability dictate
the time allowed between the reporting phase and the follow-up phase. The
follow-up phase may require additional documentation for the audit client.
• The auditor agrees to undertake only those activities in which they are
professionally competent and will strive to improve their competency. Their
effectiveness in auditing depends on how evidence is gathered, analysed,
and reported.
• The auditor promises to disclose accurate results of all work and
significant facts to the appropriate parties.
• The auditor agrees to support ongoing professional education to help
stakeholders enhance their understanding of information systems security
and control.
• The failure of a CISA to comply with this code of professional ethics may
result in an investigation with possible sanctions or disciplinary measures.