Effective Methods for Verifying Operating System Controls | CISA Exam Prep

Ensuring Proper Functioning of Controls in an Operating System


Question

What is the most effective means of determining that controls are functioning properly within an operating system?

Answers

A. Interview with computer operator
B. Review of software control features and/or parameters
C. Review of operating system manual
D. Interview with product vendor

Correct answer: B

Explanations

Various operating system software products provide parameters and options for the tailoring of the system and activation of features such as activity logging.

Parameters are important in determining how a system runs because they allow a standard piece of software to be customized to diverse environments.

Reviewing software control features and/or parameters is the most effective means of determining how controls are functioning within an operating system and of assessing an operating system's integrity.

The operating system manual describes which settings are available, but it will not tell the reviewer how the parameters are actually set on the system under review.

The product vendor and computer operator are not necessarily aware of the detailed setting of all parameters.

The review of software control features and/or parameters would be part of your security audit.

A security audit is typically performed by a party independent of the management of the system.

The audit determines the degree to which the required controls are implemented.

A security review is conducted by the system maintenance or security personnel to discover vulnerabilities within the system.

A vulnerability exists when policies are not followed, misconfigurations are present, or flaws exist in the hardware or software of the system.

System reviews are sometimes referred to as a vulnerability assessment.

Official (ISC)2 Guide to the CISSP CBK, Third Edition, Security Operations, page 1054 (Kindle edition: locations 851-855); and Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 Review Manual, Chapter 3: Technical Infrastructure and Operational Practices, page 102.

The most effective means of determining that controls are functioning properly within an operating system is by reviewing software control features and/or parameters. This option (B) is more effective because it involves analyzing the actual configuration and implementation of the system's controls, rather than relying solely on subjective opinions or sources that may be incomplete or biased.

The review of software control features and/or parameters involves analyzing the settings and parameters that are built into the software, as well as any additional controls that may have been implemented by the organization. This can be done through various methods such as reviewing configuration files, security policies, access control lists, or other system documentation.

By reviewing these parameters, an auditor can determine whether the controls are implemented as intended, and whether they are effective in preventing or detecting unauthorized access, data modification, or other security incidents. Additionally, this approach can reveal any gaps or weaknesses in the control environment, which can then be addressed by the organization.
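One way to put that review into practice, as an added example that is not part of the original page or of any vendor's tooling: the script below reads the effective values of operating system control parameters from a constructed sysctl-style file and compares them with an auditor's baseline, which is the point made both above and in the earlier explanation (the manual, the operator and the vendor cannot tell you how a parameter is actually set; the configuration can). The file names, the sample settings and the baseline values are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the original page: an auditor's check that reads
# the ACTUAL values of operating system control parameters from a configuration
# file and compares them with an expected baseline. The file names, the
# sysctl-style sample and the baseline values are constructed for illustration.

# effective_value FILE KEY
# Print the value of KEY the way the OS parser would see it: leading whitespace,
# comment lines and trailing "# ..." comments are ignored, "key = value" and
# "key value" are both accepted, and the LAST assignment wins (sysctl semantics;
# sshd_config keeps the FIRST match, so swap `tail -n 1` for `head -n 1` there).
effective_value() {
    file=$1
    key_re=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # dots in the key are literal
    sed -nE "s/^[[:space:]]*${key_re}([[:space:]]*=[[:space:]]*|[[:space:]]+)([^#]*).*/\\2/p" "$file" \
        | sed -E 's/[[:space:]]*$//' \
        | tail -n 1
}

# audit_config CONFIG BASELINE
# BASELINE holds one "key expected_value" per line (blank lines and # comments
# allowed). Prints PASS/FAIL per key and returns the number of deviations, so a
# caller can act on the count rather than on someone's opinion of the settings.
audit_config() {
    config=$1
    baseline=$2
    failures=0
    while read -r key expected; do
        case $key in ''|\#*) continue ;; esac
        actual=$(effective_value "$config" "$key")
        if [ "$actual" = "$expected" ]; then
            printf 'PASS %s = %s\n' "$key" "$actual"
        else
            printf 'FAIL %s: expected %s, found "%s"\n' "$key" "$expected" "${actual:-<unset>}"
            failures=$((failures + 1))
        fi
    done < "$baseline"
    return "$failures"
}

# demo_run
# Writes a constructed sysctl-style file and a baseline to a temporary directory,
# audits one against the other and returns the deviation count (2 for this sample).
demo_run() {
    dir=$(mktemp -d)
    cat > "$dir/sysctl.conf" <<'EOF'
# constructed sample of /etc/sysctl.conf; the operator "remembers" hardening it
net.ipv4.ip_forward = 1
kernel.randomize_va_space = 2
# a later line silently overrides the earlier ip_forward setting
net.ipv4.ip_forward = 0
# the hardening line exists but is commented out, so it is not in effect
# net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 1
EOF
    cat > "$dir/baseline.txt" <<'EOF'
# constructed baseline: key and expected value
net.ipv4.ip_forward 0
kernel.randomize_va_space 2
net.ipv4.conf.all.accept_redirects 0
kernel.kptr_restrict 1
EOF
    rc=0
    audit_config "$dir/sysctl.conf" "$dir/baseline.txt" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

if demo_run; then
    echo "all reviewed parameters match the baseline"
else
    echo "deviations found: $?"
fi
```

The sample is built so that each of the three ways a reviewer gets misled shows up in the output: a later assignment overriding an earlier one, a hardening line that is present but commented out, and a required parameter that is simply absent. On a live Linux host the same comparison should also be run against the running kernel (`sysctl -a`), because the file on disk and the value currently in effect can differ, and the auditor wants the value that is actually enforced.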

The other options are less effective for various reasons:

  • Interview with computer operator (Option A): This option relies on the opinion and expertise of a single individual, which may not be comprehensive or accurate. Additionally, an operator may not be aware of all the technical details of the system or the controls that have been implemented.

  • Review of operating system manual (Option C): This option may provide general guidance on how to configure and manage the operating system, but it may not be specific to the organization's implementation. Additionally, the manual may not be up-to-date or comprehensive enough to cover all the controls that have been implemented.

  • Interview with product vendor (Option D): This option may provide useful information on the intended use and features of the software, but it may not reflect the organization's specific implementation or customization of the software. Additionally, the vendor may have a bias towards promoting their product and may not be objective in assessing the effectiveness of the controls.