1. CISA Exam Passing Principles
2. The job profile of the CISA® (Certified Information Systems Auditor) was published in 1977. Since then, countless individuals around the world have passed this demanding examination, which has been consistently updated in line with changing requirements; the examination takes place simultaneously in 80 countries, currently in 12 languages. Successful candidates obtain the coveted CISA® designation once they also meet the professional practice / experience requirement.
2.1. Covers
2.1.1. It covers 5 domains, 38 tasks and 79 knowledge statements (statements covering the required technical knowledge).
2.1.1.1. Because the task statements are consistently cross-referenced to the relevant COBIT® processes, COBIT® has become an integral component of the CISA® curriculum and certification.
2.2. Designation
2.2.1. The CISA® certification / designation reflects a solid achievement record in the area of audit, control and security of information systems.
2.2.2. CISA® is the only globally recognized certification in the area of audit, controls and security of information systems and, because its requirements are stringent and identical worldwide, it is recognized internationally.
2.2.2.1. Internationally operating corporations and locally operating enterprises appreciate these merits alike.
2.3. The CISA® job profile has so far been consistently revised in 4 to 6 year intervals (the last time in 2010).
3. Official Recommended exam study materials
3.1. Glossary
3.1.1. http://www.isaca.org/Knowledge-Center/Documents/Glossary/cisa_glossary.pdf
3.2. Development Guides
3.2.1. ISACA® CISA® Item Development Guide
3.2.1.1. https://www.isaca.org/Certification/Write-an-Exam-Question/Documents/CISA-Item-Development-Guide.pdf
3.2.2. ISACA® CISA® QAE Item Development Guide
3.2.2.1. https://www.isaca.org/Certification/Write-an-Exam-Question/Documents/CISA-QAE-Item-Development-Guide.pdf
3.3. ISACA® CISA® Review Manual 2015
3.3.1. https://www.isaca.org/bookstore/Pages/Product-Detail.aspx?Product_code=CRM15
3.4. ISACA® CISA® Review Questions, Answers & Explanations Manual 2015 Supplement
3.4.1. https://www.isaca.org/bookstore/Pages/Product-Detail.aspx?Product_code=QAE15ES
3.5. ISACA® CISA® Practice Question Database
3.5.1. https://www.isaca.org/bookstore/Pages/Product-Detail.aspx?Product_code=XMXCA15-12M
4. CISA® Official website
4.1. http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Pages/default.aspx
5. Basic audit related definitions (from ISACA® CISA® perspective)
5.1. Audit Risk
5.1.1. Inherent Risk
5.1.2. Control Risk
5.1.3. Overall Audit Risk
5.1.4. Detection Risk
5.2. Auditing
5.2.1. Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.
5.3. Evidence
5.3.1. It is a requirement that the auditor’s conclusions be based on sufficient, competent evidence:
5.3.1.1. Independence of the provider of the evidence
5.3.1.2. Qualification of the individual providing the information or evidence
5.3.1.3. Objectivity of the evidence
5.3.1.4. Timing of the evidence
5.4. Information Systems Auditing
5.4.1. Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.
5.5. Risk
5.5.1. Risk is the likelihood of a threat exploiting a vulnerability and the resulting impact on business mission.
6. Domain 1: The Process of Auditing Information Systems
6.1. Domain 1 - CISA® Exam Relevance
6.1.1. The content area for Domain 1 will represent ...
6.1.1.1. 14% of the CISA® examination
6.1.1.2. 62 questions
6.2. Audit Charter
6.2.1. Audit begins with the acceptance of an Audit Charter
6.2.2. Provides:
6.2.2.1. Authority for audit
6.2.2.2. Responsibility
6.2.2.3. Reporting requirements
6.2.3. Signed by Audit Committee / Senior Management / Steering Committee
6.3. Audit
6.3.1. Objectives
6.3.1.1. An audit compares (measures) actual activity against standards and policy
6.3.2. Specific goals of the audit
6.3.2.1. Confidentiality
6.3.2.2. Integrity
6.3.2.3. Reliability
6.3.2.4. Availability
6.3.2.5. Compliance with legal and regulatory requirements
6.3.3. Types
6.3.3.1. Financial audits
6.3.3.1.1. relates to financial information integrity and reliability.
6.3.3.2. Operational audits
6.3.3.2.1. examples: IS audits of application controls or logical security systems
6.3.3.3. Integrated audits
6.3.3.3.1. combines financial and operational audit steps.
6.3.3.4. Administrative audits
6.3.3.4.1. oriented to assess issues related to the efficiency of operational productivity within an organization.
6.3.3.5. IS audits
6.3.3.6. Specialized audits
6.3.3.6.1. examine areas such as services performed by third parties.
6.3.3.7. Forensic audits
6.3.3.7.1. Audits specifically related to a crime or serious incident
6.3.3.7.2. Obtain and examine evidence
6.3.3.7.3. Report for further action
6.3.3.7.4. auditing specialized in discovering, disclosing and following up on frauds and crimes. The primary purpose of such a review is the development of evidence for review by law enforcement and judicial authorities.
6.3.4. Elements
6.3.4.1. Audit scope
6.3.4.2. Audit objectives
6.3.4.3. Criteria
6.3.4.4. Audit procedures
6.3.4.5. Evidence
6.3.4.6. Conclusions and opinions
6.3.4.7. Reporting
6.4. Audit Planning
6.4.1. Involves short- and long-term planning (on an annual basis)
6.4.2. Based on the scope and objective of the particular assignment
6.4.3. Based on concerns of management or areas of higher risk
6.4.3.1. Process failures
6.4.3.2. Financial operations
6.4.3.3. Compliance requirements
6.4.4. New control issues.
6.4.5. Changes / Upgrades to technologies.
6.4.6. Business process / Need/ Goals.
6.4.7. Auditing / Evaluation Techniques.
6.4.8. IS auditor’s concerns:
6.4.8.1. Security (confidentiality, integrity and availability)
6.4.8.2. Quality (effectiveness, efficiency)
6.4.8.3. Fiduciary (compliance, reliability)
6.4.8.4. Service and capacity
6.4.9. Audit Planning Process
6.4.9.1. Gain an understanding of the business’s mission, objectives, purpose and processes
6.4.9.2. Identify stated contents (policies, standards, guidelines, procedures, and organization structure)
6.4.9.3. Evaluate risk assessment and privacy impact analysis
6.4.9.4. Perform a risk analysis
6.4.9.5. Conduct an internal control review
6.4.9.6. Set the audit scope and audit objectives
6.4.9.7. Develop the audit approach or audit strategy
6.4.9.8. Assign personnel resources to audit and address engagement logistics
6.4.10. Effect of Laws and Regulations on IS Audit Planning
6.4.10.1. Adequate controls
6.4.10.2. Privacy
6.4.10.3. Responsibilities
6.4.10.3.1. Oversight and Governance
6.4.10.4. Protection of assets
6.4.10.5. Financial Management
6.4.10.6. Correlation to financial, operational and IT audit functions
6.5. Performing the Audit
6.5.1. ISACA IT Audit and Assurance Tools and Techniques
6.5.1.1. Procedures developed by the ISACA Standards Board provide examples of possible processes an IS auditor might follow in an audit engagement
6.5.1.2. The IS auditor should apply their own professional judgment to the specific circumstances
6.5.2. ISACA IT Audit and Assurance Standards Framework
6.5.2.1. Standards
6.5.2.1.1. Must be followed by IS auditors
6.5.2.2. Guidelines
6.5.2.2.1. Provide assistance on how to implement the standards
6.5.2.3. Procedures
6.5.2.3.1. Provide examples for implementing the standards
6.5.2.4. S1 Audit Charter
6.5.2.5. S2 Independence
6.5.2.6. S3 Ethics and Standards
6.5.2.7. S4 Competence
6.5.2.8. S5 Planning
6.5.2.9. S6 Performance of audit work
6.5.2.10. S7 Reporting
6.5.2.11. S8 Follow-up activities
6.5.2.12. S9 Irregularities and illegal acts
6.5.2.13. S10 IT Governance
6.5.2.14. S11 Use of risk assessment in audit planning
6.5.2.15. S12 Audit materiality
6.5.2.16. S13 Using the Work of Other Experts
6.5.2.17. S14 Audit Evidence
6.5.2.18. S15 IT Controls
6.5.2.19. S16 E-commerce
6.5.3. Gathering Evidence
6.5.3.1. Techniques
6.5.3.1.1. Review IS organization structures
6.5.3.1.2. Review IS policies and procedures
6.5.3.1.3. Review IS standards
6.5.3.1.4. Review IS documentation
6.5.3.1.5. Interview appropriate personnel
6.5.3.1.6. Observe processes and employee performance
6.5.3.2. Computer-assisted Audit Techniques (CAAT)
6.5.3.2.1. CAATs enable IS auditors to gather information independently
6.5.3.2.2. CAATs include:
6.5.3.2.3. CAATs as a continuous online audit approach:
6.5.4. General approaches to audit sampling
6.5.4.1. Statistical sampling
6.5.4.2. Non-statistical sampling
6.5.5. Using the Services of Other Auditors and Experts
6.5.5.1. Considerations when using services of other auditors and experts:
6.5.5.1.1. Audit charter or contractual stipulations
6.5.5.1.2. Impact on overall and specific IS audit objectives
6.5.5.1.3. Impact on IS audit risk and professional liability
6.5.5.1.4. Independence and objectivity of other auditors and experts
6.5.5.1.5. Professional competence, qualifications and experience
6.5.5.1.6. Scope of work proposed to be outsourced and approach
6.5.5.1.7. Supervisory and audit management controls
6.5.5.1.8. Method of communicating the results of audit work
6.5.5.1.9. Compliance with legal and regulatory stipulations
6.5.5.1.10. Compliance with applicable professional standards
6.6. IS Audit Resource Management
6.6.1. Audit Program Challenges
6.6.1.1. Limited number of IS auditors
6.6.1.2. Maintenance of their technical competence
6.6.1.3. Assignment of audit staff
6.7. Plan for an Audit
6.7.1. 1. Gather Information
6.7.2. 2. Identify System and Components
6.7.3. 3. Assess Risk
6.7.4. 4. Perform Risk Analysis
6.7.5. 5. Conduct Internal Control Review
6.7.6. 6. Set Audit Scope and Objectives
6.7.7. 7. Develop Auditing Strategy
6.7.8. 8. Assign Resources
6.8. Audit Methodology
6.8.1. A set of documented audit procedures designed to achieve planned audit objectives.
6.8.2. Composed of:
6.8.2.1. Statement of scope
6.8.2.2. Statement of audit objectives
6.8.2.3. Statement of audit programs
6.8.3. Set up and approved by the audit management
6.8.4. Communicated to all audit staff
6.9. Phases of an Audit
6.9.1. Audit subject
6.9.2. Audit objective
6.9.3. Audit scope
6.9.4. Pre-audit planning
6.9.5. Audit procedures and steps for data gathering
6.9.6. Procedures for evaluating the test or review results
6.9.7. Procedures for communication with management
6.9.8. Audit report preparation
6.10. Audit Workpapers
6.10.1. Audit plans
6.10.2. Audit programs
6.10.3. Audit activities
6.10.4. Audit tests
6.10.5. Audit findings and incidents
6.11. Audit Procedures
6.11.1. Understanding of the audit area/subject
6.11.2. Risk assessment and general audit plan
6.11.3. Detailed audit planning
6.11.4. Preliminary review of audit area/subject
6.11.5. Evaluating audit area/subject
6.11.6. Verifying and evaluating controls
6.11.7. Compliance testing
6.11.8. Substantive testing
6.11.9. Reporting (communicating results)
6.11.10. Follow-up
6.12. Types of Tests for IS Controls
6.12.1. Use of audit software to survey the contents of data files
6.12.2. Assess the contents of operating system parameter files
6.12.3. Flow-charting techniques for documenting automated applications and business processes
6.12.4. Use of audit reports available in operating systems
6.12.5. Documentation review
6.12.6. Observation
6.13. Fraud Detection
6.13.1. Fraud detection is Management’s responsibility
6.13.2. Benefits of a well-designed internal control system
6.13.2.1. Deterring fraud at the first instance
6.13.2.2. Detecting fraud in a timely manner
6.13.3. Fraud detection and disclosure
6.13.4. Auditor’s role in fraud prevention and detection
6.14. Risk Management (based on ISACA Risk IT)
6.14.1. Risk Assessment
6.14.1.1. Identify and prioritize risk
6.14.1.2. Recommend risk-based controls
6.14.1.3. Assessing security risks
6.14.1.3.1. Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization.
6.14.1.3.2. Performed periodically to address changes in:
6.14.1.4. Treating security risks
6.14.1.4.1. Each risk identified in a risk assessment needs to be treated in a cost-effective manner according to its level of risk
6.14.1.4.2. Controls should be selected to ensure that risks are reduced to an acceptable level
6.14.2. Risk Mitigation
6.14.2.1. Reduce risk
6.14.2.2. Accept risk
6.14.2.3. Transfer risk
6.14.2.4. Avoid risk
6.14.3. Ongoing assessment of risk levels and control effectiveness
6.14.4. Purpose of Risk Analysis
6.14.4.1. Identify threats and vulnerabilities
6.14.4.2. Helps the auditor evaluate countermeasures / controls
6.14.4.3. Helps the auditor decide on auditing objectives
6.14.4.4. Supports risk-based auditing decisions
6.14.4.5. Leads to implementation of internal controls
6.15. Risk-based Auditing
6.15.1. Why use Risk Based Auditing?
6.15.1.1. Enables management to effectively allocate limited audit resources
6.15.1.2. Ensures that relevant information has been obtained from all levels of management
6.15.1.3. Establishes a basis for effectively managing the audit plans
6.15.1.4. Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plan
6.15.2. Performing an Audit Risk Assessment to identify
6.15.2.1. Business risks
6.15.2.2. Technological risks
6.15.2.3. Operational risks
6.15.3. Process
6.15.3.1. 1. Gather Information and Plan for the Audit
6.15.3.1.1. Knowledge of business and industry
6.15.3.1.2. Prior year’s audit results
6.15.3.1.3. Recent financial information
6.15.3.1.4. Regulatory statutes
6.15.3.1.5. Inherent risk assessments
6.15.3.2. 2. Obtain Understanding of Internal Control
6.15.3.2.1. Control environment
6.15.3.2.2. Control procedures
6.15.3.2.3. Detection risk assessment
6.15.3.2.4. Control risk assessment
6.15.3.2.5. Equate total risk
6.15.3.3. 3. Perform Compliance Tests
6.15.3.3.1. Identify key controls to be tested
6.15.3.3.2. Perform tests on reliability, risk prevention, and adherence to organizational policies and procedures
6.15.3.4. 4. Perform Substantive Tests
6.15.3.4.1. Analytical procedures
6.15.3.4.2. Detailed tests of account balances
6.15.3.4.3. Other substantive audit procedures
6.15.3.5. 5. Conclude the Audit
6.15.3.5.1. Create recommendations
6.15.3.5.2. Write audit report
6.16. General Controls
6.16.1. Apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.
6.17. Internal Controls
6.17.1. Policies, procedures, practices and organizational structures implemented to reduce risks
6.17.2. Objectives
6.17.2.1. Safeguarding of IT assets
6.17.2.2. Compliance to corporate policies or legal requirements
6.17.2.3. Input
6.17.2.4. Authorization
6.17.2.5. Accuracy and completeness of processing of data input/transactions
6.17.2.6. Output
6.17.2.7. Reliability of process
6.17.2.8. Backup/recovery
6.17.2.9. Efficiency and economy of operations
6.17.2.10. Change management process for IT and related systems
6.17.3. Classification
6.17.3.1. Preventive controls
6.17.3.2. Detective controls
6.17.3.3. Corrective controls
6.17.4. Areas
6.17.4.1. Internal control system
6.17.4.2. Internal accounting controls
6.17.4.3. Operational controls
6.17.4.4. Administrative controls
6.17.5. IS Controls vs Manual Controls
6.17.5.1. Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment.
6.17.6. IS Controls
6.17.6.1. Strategy and direction
6.17.6.2. General organization and management
6.17.6.3. Access to IT resources, including data and programs
6.17.6.4. Systems development methodologies and change control
6.17.6.5. Operations procedures
6.17.6.6. Systems programming and technical support functions
6.17.6.7. Quality assurance procedures
6.17.6.8. Physical access controls
6.17.6.9. Business continuity/disaster recovery planning
6.17.6.10. Networks and communications
6.17.6.11. Database administration
6.17.6.12. Protection and detective mechanisms against internal and external attacks
6.18. Audit Documentation
6.18.1. Planning and preparation of the audit scope and objectives
6.18.2. Description on the scoped audit area
6.18.3. Audit program
6.18.4. Audit steps performed and evidence gathered
6.18.5. Other experts used
6.18.6. Audit findings, conclusions and recommendations
6.19. Automated Work Papers
6.19.1. Risk analysis
6.19.2. Audit programs
6.19.3. Results
6.19.4. Test evidences
6.19.5. Conclusions
6.19.6. Reports and other complementary information
6.19.7. Minimum controls:
6.19.7.1. Access to work papers
6.19.7.2. Audit trails
6.19.7.3. Automated features to provide and record approvals
6.19.7.4. Security and integrity controls
6.19.7.5. Backup and restoration
6.19.7.6. Encryption techniques
6.20. Evaluation of Audit Strengths and Weaknesses
6.20.1. Assess evidence
6.20.2. Evaluate overall control structure
6.20.3. Evaluate control procedures
6.20.4. Assess control strengths and weaknesses
6.21. Communicating Audit Results
6.21.1. Exit interview
6.21.1.1. Implementation dates for agreed recommendations
6.21.1.2. Correct facts
6.21.1.3. Realistic recommendations
6.21.2. Presentation techniques
6.21.2.1. Executive summary
6.21.2.2. Visual presentation
6.21.3. Audit report structure and contents
6.21.3.1. Introduction to the report
6.21.3.2. Audit findings presented in separate sections
6.21.3.3. The IS auditor’s overall conclusion and opinion
6.21.3.4. The IS auditor’s reservations with respect to the audit – audit limitations
6.21.3.5. Detailed audit findings and recommendations
6.21.4. Audit recommendations may not be accepted
6.21.4.1. Negotiation
6.21.4.2. Conflict resolution
6.21.4.3. Explanation of results, findings and best practices or legal requirements
6.22. Management Implementation of Audit Recommendations
6.22.1. Ensure that accepted recommendations are implemented as per schedule
6.22.2. Auditing is an ongoing process
6.22.3. Timing a follow-up
6.23. Control Self-Assessment (CSA)
6.23.1. Objectives
6.23.1.1. Leverage the internal audit function by shifting some control monitoring responsibilities to functional areas
6.23.1.2. Enhancement of audit responsibilities, not a replacement
6.23.1.3. Educate management about control design and monitoring
6.23.1.4. Empowerment of workers to assess the control environment
6.23.2. Benefits
6.23.2.1. Early detection of risks
6.23.2.2. More effective and improved internal controls
6.23.2.3. Increased employee awareness of organizational objectives
6.23.2.4. Highly motivated employees
6.23.2.5. Improved audit rating process
6.23.2.6. Reduction in control cost
6.23.2.7. Assurance provided to stakeholders and customers
6.23.3. Disadvantages
6.23.3.1. Could be mistaken as an audit function replacement
6.23.3.2. May be regarded as an additional workload
6.23.3.3. Failure to act on improvement suggestions could damage employee morale
6.23.3.4. Lack of motivation may limit effectiveness in the detection of weak controls
6.23.4. A management technique
6.23.5. A methodology
6.23.6. In practice, a series of tools
6.23.7. Can be implemented by various methods
6.23.8. Auditor Role in CSA
6.23.8.1. Internal control professionals
6.23.8.2. Assessment facilitators
6.23.9. Traditional vs. CSA
6.23.9.1. Traditional Approach
6.23.9.1.1. Assigns duties/supervises staff
6.23.9.1.2. Policy/rule driven
6.23.9.1.3. Limited employee participation
6.23.9.1.4. Narrow stakeholder focus
6.23.9.2. CSA Approach
6.23.9.2.1. Empowered/accountable employees
6.23.9.2.2. Continuous improvement/learning curve
6.23.9.2.3. Extensive employee participation and training
6.23.9.2.4. Broad stakeholder focus
6.24. Continuous Auditing vs Continuous Monitoring
6.24.1. Continuous monitoring
6.24.1.1. Provided by IS management tools
6.24.1.2. Based on automated procedures to meet fiduciary responsibilities
6.24.2. Continuous auditing
6.24.2.1. Audit-driven
6.24.2.2. Completed using automated audit procedures
6.24.2.3. Distinctive character
6.24.2.3.1. Short time lapse between the facts to be audited and the collection of evidence and audit reporting
6.24.2.4. Drivers
6.24.2.4.1. Better monitoring of financial issues
6.24.2.4.2. Allows real-time transactions to benefit from real-time monitoring
6.24.2.4.3. Prevents financial fiascoes and audit scandals
6.24.2.4.4. Uses software to determine proper financial controls
6.24.2.5. Application of continuous auditing due to:
6.24.2.5.1. New information technology developments
6.24.2.5.2. Increased processing capabilities
6.24.2.5.3. Standards
6.24.2.5.4. Artificial intelligence tools
6.24.2.6. Advantages
6.24.2.6.1. Instant capture of internal control problems
6.24.2.6.2. Reduction of intrinsic audit inefficiencies
6.24.2.7. Disadvantages
6.24.2.7.1. Difficulty in implementation
6.24.2.7.2. High cost
6.24.2.7.3. Elimination of auditors’ personal judgment and evaluation
6.25. ISACA Code of Professional Ethics
6.25.1. The Association’s Code of Professional Ethics provides guidance for the professional and personal conduct of members of ISACA and/or holders of ISACA designations.
7. Domain 2: Governance and Management of IT
7.1. Domain 2 - CISA® Exam Relevance
7.1.1. The content area for Domain 2 will represent ...
7.1.1.1. 14% of the CISA® examination
7.1.1.2. 62 questions
7.2. Corporate Governance
7.2.1. Ethical corporate behaviour
7.2.2. Governance of IT systems and assets towards the preservation of value for all stakeholders
7.2.3. Resource management
7.2.4. Establishment of rules to manage and report on business risks
7.3. IT Governance (ITG)
7.3.1. Comprises the body of issues addressed in considering how IT is applied within the enterprise.
7.3.2. Effective enterprise governance focuses on:
7.3.2.1. Individual and group expertise
7.3.2.2. Experience in specific areas
7.3.3. Key element: alignment of business and IT
7.3.4. Two issues:
7.3.4.1. IT delivers value to the business
7.3.4.2. IT risks are managed
7.3.5. Best Practices for IT Governance
7.3.5.1. Strategic Alignment
7.3.5.1.1. Focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations
7.3.5.2. Value Delivery
7.3.5.2.1. Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and improving the intrinsic value of IT.
7.3.5.3. Resource Management
7.3.5.3.1. Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
7.3.5.4. Risk Management
7.3.5.4.1. Requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.
7.3.5.5. Performance Measurement
7.3.5.5.1. Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate into action to achieve goals measurable beyond conventional accounting.
7.4. IS Governance (ISG)
7.4.1. Focused activity with specific value drivers
7.4.1.1. Integrity of information
7.4.1.2. Continuity of services
7.4.1.3. Protection of information assets
7.4.2. Integral part of IT Governance (ITG)
7.4.3. Importance of information security governance
7.4.4. Should be supported at the highest levels of the organization
7.4.5. IS Governance (ISG) broadens the scope beyond simply protecting IT systems and data to the integration and overall security of information regardless of how it is handled, processed, transported or stored.
7.4.6. Protects information assets at all times, in all forms (electronic, paper, communicated), and in all locations
7.4.7. Addresses exposure to civil and legal liability and to regulators.
7.4.7.1. Provides assurance of policy compliance.
7.4.8. Enhances business operations continuity by lowering risk and uncertainty.
7.4.9. Provides the foundation for risk management, process improvement and fast incident response procedures.
7.4.10. Optimizes the allocation of limited security resources as well as the procurement process.
7.4.11. Ensures that important decisions are made on accurate data.
7.4.12. Results
7.4.12.1. Strategic link to business / organization objectives
7.4.12.2. Overall risk management
7.4.12.3. Optimized investments
7.4.12.4. Management of resources
7.4.12.5. Reporting on performance / results
7.4.12.6. Process integration
7.5. Information Technology Monitoring and Assurance Practices for Management
7.5.1. IT governance implies a system where all stakeholders provide input into the decision making process:
7.5.1.1. Board
7.5.1.2. Internal customers
7.5.1.3. Finance
7.6. IS Strategy
7.6.1. Strategic Planning.
7.6.2. Steering committee role.
7.6.3. Primary strategic functions
7.6.4. Strategic Enterprise Architecture Plans
7.6.4.1. Involves documenting an organization’s IT assets in a structured manner to facilitate understanding, management and planning for IT investments
7.6.4.2. Often involves both a current state and optimized future state representation
7.6.5. IT Strategy Committee
7.6.5.1. The creation of an IT strategy committee is an industry best practice
7.6.5.2. Committee should broaden its scope to include not only advice on strategy when assisting the board in its IT governance responsibilities, but also to focus on IT value, risks and performance
7.6.6. Techniques
7.6.6.1. Standard IT Balanced Scorecard
7.6.6.1.1. A process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes
7.6.6.1.2. Method goes beyond the traditional financial evaluation
7.6.6.1.3. One of the most effective means to aid the IT strategy committee and management in achieving IT and business alignment
7.7. Enterprise Architecture
7.7.1. The Zachman Framework
7.7.2. Federal Enterprise Architecture (FEA)
7.7.2.1. Performance
7.7.2.2. Business
7.7.2.3. Service component
7.7.2.4. Technical
7.7.2.5. Data
7.8. Maturity and Process Improvement Models
7.8.1. IDEAL model
7.8.2. Capability Maturity Model Integration (CMMI)
7.8.3. Team Software Process (TSP)
7.8.4. Personal Software Process (PSP)
7.9. IT Investment and Allocation Practices
7.9.1. Financial benefits
7.9.1.1. Impact on budget and finances
7.9.2. Nonfinancial benefits
7.9.2.1. Impact on operations or mission performance and results
7.10. Auditing IT Governance Structure and Implementation
7.10.1. Indicators of potential problems include:
7.10.1.1. Unfavorable end-user attitudes
7.10.1.2. Excessive costs
7.10.1.3. Budget overruns
7.10.1.4. Late projects
7.10.1.5. High staff turnover
7.10.1.6. Inexperienced staff
7.10.1.7. Frequent hardware/software errors
7.11. Policies, Procedures, Standards
7.11.1. Reflect management guidance and direction in developing controls over:
7.11.1.1. Information systems
7.11.1.2. Related resources
7.11.1.3. IS department processes
7.11.2. Policies
7.11.2.1. High level documents
7.11.2.2. Must be clear and concise
7.11.2.3. Set tone for organization as a whole (top down)
7.11.2.4. Lower-level policies - defined by individual divisions and departments
7.11.2.5. Information Security Policy
7.11.2.5.1. Defines information security, overall objectives and scope
7.11.2.5.2. Statement of management intent
7.11.2.5.3. Framework for setting control objectives including risk management
7.11.2.5.4. Defines responsibilities for information security management
7.11.3. Procedures
7.11.3.1. Procedures are detailed documents that describe the steps a person must follow when undertaking an activity:
7.11.3.1.1. Define and document implementation policies
7.11.3.1.2. Must be derived from the parent policy
7.11.3.1.3. Must implement the spirit (intent) of the policy statement
7.11.3.1.4. Must be written in a clear and concise manner
7.11.4. Standards
7.11.4.1. Audits measure compliance with standards of:
7.11.4.1.1. Operational procedures
7.11.4.1.2. Best practices
7.11.4.1.3. Consistency of performance
7.12. Risk Management
7.12.1. IT risk management needs to operate at multiple levels including:
7.12.1.1. The strategic level
7.12.1.2. The program level
7.12.1.3. The project level
7.12.1.4. The operational level
7.12.2. Risk Analysis Methods
7.12.2.1. Qualitative
7.12.2.2. Semi quantitative
7.12.2.3. Quantitative
7.12.2.3.1. Probability and expectancy
7.12.2.3.2. Single Loss Expectancy (SLE)
7.12.2.3.3. Annual loss expectancy (ALE)
7.12.3. Risk Mitigation
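As an added example that is not part of the outline or ISACA's own material, the script below ties together the SLE / ALE terms listed under 7.12.2.3, the treatment options under 6.14.2 (reduce, accept, transfer, avoid) and the audit risk components under 5.1. It computes SLE and ALE for a constructed exposure, picks a cost-effective treatment against an acceptance threshold, and solves the audit risk model for the detection risk the auditor can plan for. The formulas (SLE = asset value × exposure factor, ALE = SLE × ARO, AR = IR × CR × DR) are standard; the asset values, control names and cost figures are constructed for illustration.

```python
"""Quantitative risk treatment (SLE / ALE) and the audit risk model.

Added illustration, not text from the CISA Review Manual; every figure and
control below is constructed for the example.
"""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class Exposure:
    """One threat / vulnerability pair against one asset."""
    name: str
    asset_value: float      # monetary value of the asset at risk
    exposure_factor: float  # fraction of asset value lost per occurrence (0..1)
    aro: float              # annualized rate of occurrence (events per year)

    def sle(self) -> float:
        """Single Loss Expectancy: asset value x exposure factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate 'reduce' treatment with its annual running cost."""
    name: str
    annual_cost: float
    ef_reduction: float = 0.0   # fraction by which it lowers the exposure factor
    aro_reduction: float = 0.0  # fraction by which it lowers the ARO

    def residual(self, e: Exposure) -> Exposure:
        """The exposure that remains once this control is in place."""
        return replace(e,
                       exposure_factor=e.exposure_factor * (1.0 - self.ef_reduction),
                       aro=e.aro * (1.0 - self.aro_reduction))


def evaluate_control(e: Exposure, c: Control) -> Dict:
    """ALE avoided by the control, and its net benefit after the control's cost."""
    residual_ale = c.residual(e).ale()
    reduction = e.ale() - residual_ale
    return {"control": c.name,
            "residual_ale": round(residual_ale, 2),
            "ale_reduction": round(reduction, 2),
            "net_benefit": round(reduction - c.annual_cost, 2)}


def select_treatment(e: Exposure, controls: List[Control], acceptable_ale: float) -> Dict:
    """Map the outline's treatment options onto the numbers.

    accept            - the current ALE is already within the acceptance criterion
    reduce            - a control brings ALE within the criterion and saves more than it costs
    transfer or avoid - no cost-effective control gets there, so the risk must be escalated
    """
    if e.ale() <= acceptable_ale:
        return {"option": "accept", "ale": round(e.ale(), 2)}
    candidates = [evaluate_control(e, c) for c in controls]
    viable = [r for r in candidates
              if r["residual_ale"] <= acceptable_ale and r["net_benefit"] >= 0]
    if viable:
        best = max(viable, key=lambda r: r["net_benefit"])
        return {"option": "reduce", **best}
    return {"option": "transfer or avoid", "ale": round(e.ale(), 2)}


def planned_detection_risk(audit_risk: float, inherent_risk: float,
                           control_risk: float) -> float:
    """Audit risk model: AR = IR x CR x DR, so DR = AR / (IR x CR).

    The lower the detection risk the auditor can tolerate, the more substantive
    testing is needed. Each input is a probability in (0, 1]; a quotient above 1
    is capped, meaning the target audit risk is met without substantive work.
    """
    for r in (audit_risk, inherent_risk, control_risk):
        if not 0.0 < r <= 1.0:
            raise ValueError("risks must be probabilities in (0, 1]")
    return min(1.0, audit_risk / (inherent_risk * control_risk))


# Constructed sample data (hypothetical asset, controls and costs).
SAMPLE_EXPOSURE = Exposure("ransomware on the ERP file server", 500_000.0, 0.4, 0.5)
SAMPLE_CONTROLS = [
    Control("offline backups with restore testing", annual_cost=20_000.0, ef_reduction=0.8),
    Control("endpoint hardening and patching", annual_cost=50_000.0,
            ef_reduction=0.5, aro_reduction=0.5),
    Control("awareness training only", annual_cost=5_000.0, aro_reduction=0.3),
]

if __name__ == "__main__":
    print("SLE:", SAMPLE_EXPOSURE.sle(), "ALE:", SAMPLE_EXPOSURE.ale())
    for c in SAMPLE_CONTROLS:
        print(evaluate_control(SAMPLE_EXPOSURE, c))
    print(select_treatment(SAMPLE_EXPOSURE, SAMPLE_CONTROLS, acceptable_ale=30_000.0))
    print("planned DR:", planned_detection_risk(0.05, 0.8, 0.5))
```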
7.13. Resource Management
7.13.1. Organization of the IT Function
7.13.1.1. The auditor must assess whether the IT department is correctly:
7.13.1.1.1. Funded
7.13.1.1.2. Aligned with business needs
7.13.1.1.3. Managed
7.13.1.1.4. Staffed (skills)
7.14. Human Resource Management
7.14.1. Hiring
7.14.2. Employee handbook
7.14.3. Promotion policies
7.14.4. Training
7.14.5. Scheduling and time reporting
7.14.6. Employee performance evaluations
7.14.7. Required vacations
7.14.8. Termination policies
7.14.9. Sourcing Practices
7.14.9.1. Sourcing practices relate to the way an organization obtains the IS function required to support the business
7.14.9.2. Organizations can perform all IS functions in-house or outsource all functions across the globe
7.14.9.3. Sourcing strategy should consider each IS function and determine which approach (insourcing or outsourcing) allows the IS function to meet the organization’s goals
7.15. IS Roles and Responsibilities
7.15.1. Systems development manager
7.15.2. Project management
7.15.3. Service Desk (help desk)
7.15.4. End user
7.15.5. End user support manager
7.15.6. Data management
7.15.7. Quality assurance manager
7.15.8. Information security manager
7.15.9. Vendor and outsourcer management
7.15.10. Infrastructure operations and maintenance
7.15.11. Media management
7.15.12. Data entry
7.15.13. Systems administration
7.15.14. Security administration
7.15.15. Quality assurance
7.15.16. Database administration
7.15.17. Systems analyst
7.15.18. Security architect
7.15.19. Applications development and maintenance
7.15.20. Infrastructure development and maintenance
7.15.21. Network management
7.16. Segregation of Duties within IS
7.16.1. Avoids possibility of errors or misappropriations
7.16.2. Discourages fraudulent acts
7.16.3. Limits access to data
7.16.4. Controls
7.16.4.1. Control measures to enforce segregation of duties include:
7.16.4.1.1. Transaction authorization
7.16.4.1.2. Custody of assets
7.16.4.1.3. Access to data
7.16.4.1.4. Authorization forms
7.16.4.1.5. User authorization tables
7.16.4.2. Compensating controls for lack of segregation of duties include:
7.16.4.2.1. Audit trails
7.16.4.2.2. Reconciliation
7.16.4.2.3. Exception reporting
7.16.4.2.4. Transaction logs
7.16.4.2.5. Supervisory reviews
7.16.4.2.6. Independent reviews
7.17. Organizational Change Management
7.17.1. Managing changes to the organization’s:
7.17.1.1. Projects
7.17.1.2. Systems
7.17.1.3. Technology
7.17.1.4. Configurations
7.17.2. Identify and apply technology improvements at the infrastructure and application level
7.17.3. All changes must be documented, approved and tested
7.17.4. All changes must be performed correctly and monitored for successful execution
7.17.5. Changes must not degrade system security or performance
7.18. Quality Management
7.18.1. Software development, maintenance and implementation
7.18.2. Acquisition of hardware and software
7.18.3. Day-to-day operations
7.18.4. Service management
7.18.5. Security
7.18.6. Human resource management
7.18.7. General administration
7.19. Performance Optimization
7.19.1. Performance measures indicate the quality of the IT program
7.19.1.1. Measures should be set to evaluate services critical to business success
7.19.2. There are generally 5 ways to use performance measures:
7.19.2.1. 1. Measure products/services
7.19.2.2. 2. Manage products/services
7.19.2.3. 3. Ensure accountability
7.19.2.4. 4. Make budget decisions
7.19.2.5. 5. Optimize performance
7.20. Reviewing Documentation
7.20.1. IT strategies, plans and budgets
7.20.2. Security policy documentation
7.20.3. Organization/functional charts
7.20.4. Job descriptions
7.20.5. Steering committee reports
7.20.6. System development and program change procedures
7.20.7. Operations procedures
7.20.8. Human resource manuals
7.20.9. Quality assurance procedures
7.21. Reviewing Contractual Commitments
7.21.1. There are various phases to computer hardware, software and IS service contracts, including:
7.21.1.1. Development of contract requirements and service levels
7.21.1.2. Contract bidding process
7.21.1.3. Contract selection process
7.21.1.4. Contract acceptance
7.21.1.5. Contract maintenance
7.21.1.6. Contract compliance
7.22. Business Continuity Planning (BCP)
7.22.1. Business continuity planning (BCP) is a process designed to reduce the organization’s business risk
7.22.2. A BCP is much more than just a plan for the information systems
7.22.3. IS processing is of strategic importance
7.22.3.1. Critical component of overall BCP
7.22.3.2. Most key business processes depend on the availability of key systems and infrastructure components
7.22.4. Disasters and Other Disruptive Events
7.22.4.1. Disasters are disruptions that cause critical information resources to be inoperative for a period of time
7.22.4.2. Good BCP will take into account impacts on IS processing facilities
7.22.5. Process
7.22.6. Business Continuity Policy
7.22.6.1. Defines the extent and scope of business continuity for both internal and external stakeholders
7.22.6.2. Should be proactive
7.22.7. Business Continuity Planning Incident Management
7.22.7.1. All types of incidents should be categorized
7.22.7.1.1. Negligible
7.22.7.1.2. Minor
7.22.7.1.3. Major
7.22.7.1.4. Crisis
7.22.8. Business Continuity Plan (BCP)
7.22.8.1. Business continuity plan must:
7.22.8.1.1. Be based on the long-range IT plan
7.22.8.1.2. Comply with the overall business continuity strategy
7.22.8.2. Development of BCP (factors)
7.22.8.2.1. The clear identification of the various resources required for recovery and continued operation of the organization
7.22.8.2.2. Evacuation procedures
7.22.8.2.3. Procedures for declaring a disaster (escalation procedures)
7.22.8.2.4. Circumstances under which a disaster should be declared
7.22.8.2.5. The clear identification of the responsibilities in the plan
7.22.8.2.6. The clear identification of the persons responsible for each function in the plan
7.22.8.2.7. The clear identification of contract information
7.22.8.2.8. The step-by-step explanation of the recovery process
7.22.8.2.9. Pre-disaster readiness covering incident response management to address all relevant incidents affecting business processes
7.22.8.3. Components of BCP
7.22.8.3.1. Continuity of operations plan (COOP)
7.22.8.3.2. Disaster recovery plan (DRP)
7.22.8.3.3. Business resumption plan
7.22.8.3.4. Continuity of support plan / IT contingency plan
7.22.8.3.5. Crisis communications plan
7.22.8.3.6. Incident response plan
7.22.8.3.7. Transportation plan
7.22.8.3.8. Occupant emergency plan (OEP)
7.22.8.3.9. Evacuation and emergency relocation plan
7.22.8.3.10. Key decision-making personnel
7.22.8.3.11. Backup of required supplies
7.22.8.3.12. Insurance
7.22.9. Other Issues in Plan Development
7.22.9.1. Management and user involvement is vital to the success of BCP
7.22.9.1.1. Essential to the identification of critical systems, recovery times and resources
7.22.9.1.2. Involvement from support services, business operations and information processing support
7.22.9.2. Entire organization needs to be considered for BCP
7.22.10. Auditing Business Continuity
7.22.10.1. Understand and evaluate business continuity strategy
7.22.10.2. Evaluate plans for accuracy and adequacy
7.22.10.3. Verify plan effectiveness
7.22.10.4. Evaluate offsite storage
7.22.10.5. Evaluate ability of IS and user personnel to respond effectively
7.22.10.6. Ensure plan maintenance is in place
7.22.10.7. Evaluate readability of business continuity manuals and procedures
7.22.11. Reviewing the Business Continuity Plan
7.22.11.1. IS auditors should verify that the plan is up to date including:
7.22.11.1.1. Currency of documents
7.22.11.1.2. Effectiveness of documents
7.22.11.1.3. Interview personnel for appropriateness and completeness of plan
7.23. Business Impact Analysis (BIA)
7.23.1. Critical step in developing the business continuity plan
7.23.2. 3 main questions to consider during BIA phase:
7.23.2.1. 1. What are the different business processes?
7.23.2.2. 2. What are the critical information resources related to an organization’s critical business processes?
7.23.2.3. 3. What is the critical recovery time period for information resources in which business processing must be resumed before significant or unacceptable losses are suffered?
7.23.3. What is the system’s risk ranking?
7.23.3.1. Critical
7.23.3.2. Vital
7.23.3.3. Sensitive
7.23.3.4. Non-sensitive
7.24. Business Continuity Plan
7.24.1. Development of Business Continuity Plans
7.24.1.1. Factors to consider:
7.24.1.1.1. Pre-disaster readiness covering incident response management to address all relevant incidents affecting business processes
7.24.1.1.2. Evacuation procedures
7.24.1.1.3. Procedures for declaring a disaster (escalation procedures)
7.24.1.1.4. Circumstances under which a disaster should be declared
7.24.1.1.5. The clear identification of the responsibilities in the plan
7.24.1.1.6. The clear identification of the persons responsible for each function in the plan
7.24.1.1.7. The clear identification of contract information
7.24.1.1.8. The step-by-step explanation of the recovery process
7.24.1.1.9. The clear identification of the various resources required for recovery and continued operation of the organization
7.24.2. Components of a Business Continuity
7.24.2.1. Continuity of operations plan (COOP)
7.24.2.2. Disaster recovery plan (DRP)
7.24.2.3. Business resumption plan
7.24.2.4. Continuity of support plan / IT contingency plan
7.24.2.5. Crisis communications plan
7.24.2.6. Incident response plan
7.24.2.7. Transportation plan
7.24.2.8. Occupant emergency plan (OEP)
7.24.2.9. Evacuation and emergency relocation plan
7.24.2.10. Key decision-making personnel
7.24.2.11. Backup of required supplies
7.24.2.12. Insurance
7.24.2.12.1. IS equipment and facilities
7.24.2.12.2. Media (software) reconstruction
7.24.2.12.3. Extra expense
7.24.2.12.4. Business interruption
7.24.2.12.5. Valuable papers and records
7.24.2.12.6. Errors and omissions
7.24.2.12.7. Fidelity coverage
7.24.2.12.8. Media transportation
8. Domain 3: Information Systems Acquisition, Development, and Implementation
8.1. Domain 3 - CISA® Exam Relevance
8.1.1. The content area for Domain 3 will represent ...
8.1.1.1. 19% of the CISA® examination
8.1.1.2. 62 questions
8.2. Business case
8.2.1. Provides the information required for an organization to decide whether a project should proceed
8.2.2. Is normally derived from a feasibility study as part of project planning
8.2.3. Should be of sufficient detail to describe the justification for setting up and continuing a project
8.3. Portfolio/Program Management (PPM)
8.3.1. Objectives
8.3.1.1. Optimization of the results of the project portfolio
8.3.1.2. Prioritizing and scheduling projects
8.3.1.3. Resource coordination (internal and external)
8.3.1.4. Knowledge transfer throughout the projects
8.3.2. Program
8.3.2.1. Programs have a limited time frame (start and end date) and organizational boundaries
8.3.2.2. Definition by ISACA:
8.3.2.2.1. “A program is a group of projects and time-bound tasks that are closely linked together through common objectives, a common budget, intertwined schedules and strategies.”
8.3.2.3. Definition by AXELOS:
8.3.3. Portfolio
8.3.3.1. Definition by ISACA:
8.3.3.1.1. “Groupings of ‘objects of interest’ (investment programmes, IT services, IT projects, other IT assets or resources) managed and monitored to optimise business value.”
8.3.3.2. Definition by AXELOS:
8.3.3.2.1. “An organization’s change portfolio is the totality of its investment (or segment thereof) in the changes required to achieve its strategic objectives.”
8.3.4. Portfolio management
8.3.4.1. Definition by ISACA:
8.3.4.1.1. “The goal of portfolio management (in relation to Val IT) is to ensure that an enterprise secures optimal value across its portfolio of IT-enabled investments.”
8.3.4.2. Definition by AXELOS:
8.3.4.2.1. “A coordinated collection of strategic processes and decisions that together enable the most effective balance of organizational change and business as usual (BAU).”
8.4. Benefits Realization Techniques
8.4.1. Describing benefits management or benefits realization
8.4.2. Assigning a measure and target
8.4.3. Establishing a tracking/measuring regime
8.4.4. Documenting the assumption
8.4.5. Establishing key responsibilities for realization
8.4.6. Validating the benefits predicted in the business
8.4.7. Planning the benefit that is to be realized
8.5. General IT Project Aspects
8.5.1. IS projects may be initiated from any part of an organization
8.5.2. A project is always a time-bound effort
8.5.3. Project management should be a business process of a project-oriented organization
8.5.4. The complexity of project management requires a careful and explicit design of the project management process
8.6. Project Context and Environment
8.6.1. A project context can be divided into a time and social context. The following must be taken into account:
8.6.1.1. Importance of the project in the organization
8.6.1.2. Connection between the organization’s strategy and the project
8.6.1.3. Relationship between the project and other projects
8.6.1.4. Connection between the project and the underlying business case
8.7. Project Organizational Forms
8.7.1. 3 major forms of organizational alignment for project management are:
8.7.1.1. Influence project organization
8.7.1.2. Pure project organization
8.7.1.3. Matrix project organization
8.8. Project Communication
8.8.1. Depending on the size and complexity of the project and the affected parties, communication may be achieved by:
8.8.1.1. One-on-one meetings
8.8.1.2. Kick-off meetings
8.8.1.3. Project start workshops
8.8.1.4. A combination of the three
8.9. Project Objectives
8.9.1. A project needs clearly defined results that are specific, measurable, achievable, relevant and time-bound (SMART)
8.9.2. A commonly accepted approach to define project objectives is to begin with an object breakdown structure (OBS)
8.9.3. After the OBS has been compiled, a work breakdown structure (WBS) is designed
8.10. Roles and Responsibilities of Groups and Individuals
8.10.1. Senior management
8.10.2. Senior Responsible Owner (SRO)
8.10.3. User management
8.10.4. Project steering committee
8.10.5. Project sponsor
8.10.6. Systems development management
8.10.7. Project manager
8.10.8. Systems development project team
8.10.9. User project team
8.10.10. Security officer
8.10.11. Quality assurance
8.11. Project Management Practices
8.11.1. Classic project management is bound by the iron triangle:
8.11.1.1. Resources
8.11.1.2. Schedule
8.11.1.3. Scope
8.11.2. PRINCE2®-based project management is bound by the 6 project aspects:
8.11.2.1. Benefits
8.11.2.2. Quality
8.11.2.3. Resources
8.11.2.4. Risk
8.11.2.5. Schedule
8.11.2.6. Scope
8.12. Project Planning
8.12.1. The various tasks that need to be performed to produce the expected business application system
8.12.2. The sequence or the order in which these tasks need to be performed
8.12.3. The duration or the time window for each task
8.12.4. The priority of each task
8.12.5. The IT resources that are available and required to perform these tasks
8.12.6. Budget or costing for each of these tasks
8.12.7. Source and means of funding
8.12.8. Software size estimation
8.12.9. Lines of source code
8.12.10. Function point analysis (FPA)
8.12.10.1. FPA feature points
8.12.10.2. Cost budgets
8.12.10.3. Software cost estimation
8.12.11. Scheduling and establishing the time frame
8.12.12. Critical path methodology/method (CPM)
8.12.12.1. Time box management
8.12.12.2. PERT
8.12.12.3. Gantt Chart
8.13. Project Controlling
8.13.1. Includes management of:
8.13.1.1. Scope
8.13.1.2. Resource usage
8.13.1.3. Risk
8.13.1.3.1. Review & evaluate
8.13.1.3.2. Assess
8.13.1.3.3. Mitigate
8.13.1.3.4. Discover
8.13.1.3.5. Inventory
8.14. Project Risk
8.14.1. The CISA® must review the project for risks that it will not deliver the expected benefits, including:
8.14.1.1. Scope creep
8.14.1.2. Lack of skilled resources
8.14.1.3. Inadequate requirements definition
8.14.1.4. Inadequate testing
8.14.1.5. Push to production without sufficient allotted time
8.15. Closing a Project
8.15.1. When closing a project, there may still be some issues that need to be resolved, ownership of which needs to be assigned
8.15.2. The project sponsor should be satisfied that the system produced is acceptable and ready for delivery
8.15.3. Custody of contracts may need to be assigned, and documentation archived or passed on to those who will need it
8.16. Systems Development Models (SDLC)
8.16.1. Business Application Development
8.16.1.1. The implementation process for business applications, commonly referred to as an SDLC, begins when an individual application is initiated as a result of one or more of the following situations:
8.16.1.1.1. A new opportunity that relates to a new or existing business process
8.16.1.1.2. A problem that relates to an existing business process
8.16.1.1.3. A new opportunity that will enable the organization to take advantage of technology
8.16.1.1.4. A problem with the current technology
8.16.2. Traditional SDLC Approach
8.16.2.1. Also referred to as the waterfall technique, this life cycle approach is the oldest and most widely used for developing business applications
8.16.2.2. Based on a systematic, sequential approach to software development that begins with a feasibility study and progresses through requirements definition, design, development, implementation and post implementation
8.16.2.3. Some of the issues encountered with this approach include:
8.16.2.3.1. Unanticipated events
8.16.2.3.2. Difficulty in obtaining an explicit set of requirements from the user
8.16.2.3.3. Managing requirements and convincing the user about the undue or unwarranted requirements in the system functionality
8.16.2.3.4. The necessity of user patience
8.16.2.3.5. A changing business environment that alters or changes the user’s requirements before they are delivered
8.16.2.4. Classic Waterfall: DoD-STD-2167A
8.16.2.5. Modified Waterfall: MIL-STD-498
8.16.2.6. V-model (may be considered an extension of the waterfall)
8.16.2.7. Boehm’s Spiral Model
8.16.3. Alternative Development Methods
8.16.3.1. Incremental
8.16.3.2. Iterative
8.16.3.3. Adaptive
8.16.3.4. Evolutionary
8.16.3.5. Agile (incremental + iterative + adaptive)
8.16.3.5.1. The Agile Mindset, Values and Principles
8.16.3.5.2. Agile is an umbrella term encompassing different methodologies, tools, techniques, practices and frameworks
8.16.3.5.3. Plan-driven projects vs. change-driven projects
8.16.3.5.4. Agile is best for complex projects
8.17. Types of Specialized Business Applications
8.17.1. Electronic Commerce
8.17.2. Electronic Data Interchange (EDI)
8.17.3. Electronic Mail
8.17.4. Electronic Banking
8.17.5. Electronic Finance
8.17.6. Electronic Funds Transfer (EFT)
8.17.7. Automated Teller Machine (ATM)
8.17.8. Artificial Intelligence and Expert Systems
8.17.9. Business Intelligence (BI)
8.17.10. Decision Support System
8.18. Acquisition
8.18.1. Hardware Acquisition
8.18.1.1. Organization type
8.18.1.2. Requirement for data processing
8.18.1.3. Hardware requirements
8.18.1.4. System software application
8.18.1.5. Support system
8.18.1.6. Adaptability needs
8.18.1.7. Constraint
8.18.1.8. Conversion needs
8.18.2. Software Acquisition
8.18.2.1. Business, technical, functional, collaborative needs
8.18.2.2. Security and reliability
8.18.2.3. Cost and benefits
8.18.2.4. Obsolescence and risk
8.18.2.5. System compatibility
8.18.2.6. Resource allocation
8.18.2.7. Training and personnel requirements
8.18.2.8. Need for scalability
8.18.2.9. Impact on present infrastructure
8.18.3. Auditing Systems Development Acquisition
8.18.3.1. Feasibility study
8.18.3.2. Requirements definition
8.18.3.3. Software acquisition Process
8.18.3.4. Design & Development
8.18.3.5. Testing
8.18.3.6. Implementation and review
8.18.3.7. Post-Implementation
8.19. Application Controls
8.19.1. Input/Origination Controls
8.19.1.1. Input authorization
8.19.1.2. Batch controls and balancing
8.19.1.3. Error reporting and handling
8.19.2. Processing Procedures and Controls
8.19.2.1. Data validation and editing procedures
8.19.2.2. Processing controls
8.19.2.3. Data file control procedures
8.19.3. Output Controls
8.19.3.1. Output controls provide assurance that the data delivered to users will be presented, formatted and delivered in a consistent and secure manner
8.19.4. Auditing Application Controls
8.19.4.1. Data integrity testing
8.19.4.2. Online Transaction Processing System
8.19.4.3. The ACID principle
8.19.4.3.1. Atomicity
8.19.4.3.2. Consistency
8.19.4.3.3. Isolation
8.19.4.3.4. Durability
8.19.4.4. Continuous Online audit
9. Domain 4: Information Systems Operations, Maintenance and Support
9.1. Domain 4 - CISA® Exam Relevance
9.1.1. The content area for Domain 4 will represent ...
9.1.1.1. 23% of the CISA® examination
9.1.1.2. 62 questions
9.2. Auditing System Operations and Maintenance
9.2.1. Information Security Management
9.2.1.1. Perform risk assessments on information assets
9.2.1.2. Perform business impact analyses (BIAs)
9.2.1.3. Develop & enforce information security policy, procedures, & standards
9.2.1.4. Conduct security assessments on a regular basis
9.2.1.5. Implement a formal vulnerability management process
9.2.2. Information Systems Operations
9.2.2.1. IS operations are in charge of the daily support of an organization’s IS hardware and software environment
9.2.2.2. IS operations include:
9.2.2.2.1. Management of IS operations
9.2.2.2.2. Infrastructure support including computer operations
9.2.2.2.3. Technical support / help desk
9.2.2.2.4. Information security management
9.2.3. Management of IS Operations
9.2.3.1. Operations management functions include
9.2.3.1.1. Resource allocation
9.2.3.1.2. Standards and procedures
9.2.3.1.3. IS operation processes monitoring
9.2.4. IT Service Management
9.2.4.1. Service levels are audited through review of:
9.2.4.1.1. Exception reports
9.2.4.1.2. System and application logs
9.2.4.1.3. Operator problem reports
9.2.4.1.4. Operator work schedules
9.2.5. Support / Help Desk
9.2.5.1. Document incidents that arise from users and initiate problem resolution
9.2.5.2. Prioritize the issues and forward them to the appropriate IT personnel, and escalate to IT management, as necessary
9.2.5.3. Follow up on unresolved incidents
9.2.5.4. Close out resolved incidents, noting proper authorization to close out the incident by the user
9.2.6. Change Management Process
9.2.6.1. System, operations and program documentation
9.2.6.2. Job preparation, scheduling and operating instructions
9.2.6.3. System and program test
9.2.6.4. Data file conversion
9.2.6.5. System conversion
9.2.7. Release Management
9.2.7.1. Major releases
9.2.7.2. Minor software releases
9.2.7.3. Emergency software fixes
9.3. System and Communications Hardware
9.3.1. Computer Hardware Components and Architectures
9.3.1.1. Common enterprise back-end devices
9.3.1.2. Print servers
9.3.1.3. File servers
9.3.1.4. Application (program) servers
9.3.1.5. Web servers
9.3.1.6. Proxy servers
9.3.1.7. Database servers
9.3.1.8. Appliances (specialized devices)
9.3.1.9. Universal Serial Bus (USB)
9.3.1.10. Memory cards / flash drives
9.3.1.11. Radio Frequency Identification (RFID)
9.3.2. Security Risks with Portable Media
9.3.2.1. Memory Cards / Flash Drives Risks
9.3.2.1.1. Viruses and other malicious software
9.3.2.1.2. Data theft
9.3.2.1.3. Data and media loss
9.3.2.1.4. Corruption of data
9.3.2.1.5. Loss of confidentiality
9.3.2.2. Security Control
9.3.2.2.1. Encryption
9.3.2.2.2. Inventory of assets
9.3.2.2.3. Educate security personnel
9.3.2.2.4. Enforce “lock desktop” policy
9.3.2.2.5. Use only secure devices
9.3.3. Capacity Management
9.3.3.1. CPU utilization (processing power)
9.3.3.2. Computer storage utilization
9.3.3.3. Telecommunications, LAN & WAN bandwidth utilization
9.3.3.4. I/O channel utilization
9.3.3.5. Number of users
9.3.3.6. New technologies
9.3.3.7. New applications
9.3.3.8. Service level agreements (SLAs)
9.3.3.8.1. Vendor performance
9.3.4. IS Architecture and Software
9.3.4.1. Operating systems
9.3.4.1.1. Software control features or parameters
9.3.4.2. Access control software
9.3.4.3. Data communications software
9.3.4.4. Data management
9.3.4.5. Database management system (DBMS)
9.3.4.6. Tape and disk management system
9.3.4.7. Utility programs
9.3.4.8. Software licensing issues
9.3.5. Software Licensing Issues
9.3.5.1. Documented policies and procedures that guard against unauthorized use or copying of software
9.3.5.2. Listing of all standard, used and licensed application and system software
9.3.5.3. Centralizing control and automated distribution and the installation of software
9.3.5.4. Requiring that all PCs be diskless workstations and access applications from a secured LAN
9.3.5.5. Regularly scanning user PCs
9.3.6. Digital Rights Management (DRM)
9.3.6.1. DRM removes usage control from the person in possession of digital content & puts it in the hands of a computer program
9.3.6.2. Prevents copying or modifying of data by unauthorized users
9.4. Auditing Networks
9.4.1. Telecommunications links for networks can be
9.4.1.1. Analog
9.4.1.2. Digital
9.4.2. Methods for transmitting signals over telecommunication links are
9.4.2.1. Copper
9.4.2.2. Fibre
9.4.2.3. Coaxial
9.4.2.4. Radio Frequency
9.4.3. Types of Networks
9.4.3.1. Personal area networks (PANs)
9.4.3.2. Local area networks (LANs)
9.4.3.3. Wide area networks (WANs)
9.4.3.4. Metropolitan area networks (MANs)
9.4.3.5. Storage area networks (SANs)
9.4.4. Network Services
9.4.4.1. E-mail services
9.4.4.2. Print services
9.4.4.3. Remote access services
9.4.4.4. Directory services
9.4.4.5. Network management
9.4.4.6. Dynamic Host Configuration Protocol (DHCP)
9.4.4.7. DNS
9.4.5. Network Components
9.4.5.1. Repeaters
9.4.5.2. Hubs
9.4.5.3. Bridges
9.4.5.4. Switches
9.4.5.5. Routers
9.4.6. Communications Technologies
9.4.6.1. Asynchronous transfer mode
9.4.6.2. Circuit switching
9.4.6.3. Dial-up services
9.4.6.4. Digital subscriber lines
9.4.6.5. Frame Relay
9.4.6.6. Integrated services digital network (ISDN)
9.4.6.7. Message switching
9.4.6.8. Multiprotocol label switching
9.4.6.9. Packet switching
9.4.6.10. Point to point - leased lines
9.4.6.11. Virtual Private Networks (VPNs)
9.4.6.12. Virtual circuits
9.4.6.12.1. PVC
9.4.6.13. X.25
9.4.7. Wireless Networking
9.4.7.1. Wireless networks
9.4.7.2. Wireless wide area network (WWAN)
9.4.7.2.1. Microwave, Optical
9.4.7.3. Wireless local area network (WLAN)
9.4.7.3.1. 802.11
9.4.7.4. Wireless personal area network (WPAN)
9.4.7.4.1. 802.15 Bluetooth
9.4.7.5. Wireless ad hoc networks
9.4.7.6. Wireless application protocol (WAP)
9.4.7.7. Risks Associated with Wireless Communications
9.4.7.7.1. Interception of sensitive information
9.4.7.7.2. Loss or theft of devices
9.4.7.7.3. Misuse of devices
9.4.7.7.4. Loss of data contained in devices
9.4.7.7.5. Distraction caused by devices
9.4.7.7.6. Wireless user authentication
9.4.7.7.7. File security
9.4.7.7.8. Wireless encryption
9.4.7.7.9. Interoperability
9.4.7.7.10. Use of wireless subnets
9.4.7.7.11. Translation point
9.4.8. Auditing of Network Management
9.4.8.1. Applications in a networked environment
9.4.8.1.1. Client-server technology
9.4.8.1.2. Middleware
9.4.8.1.3. Cloud
9.4.8.1.4. Virtual
9.4.8.1.5. Software as a Service (SaaS)
9.4.8.1.6. Service Oriented Architecture (SOA)
9.5. Business Continuity and Disaster Recovery Audits
9.5.1. Auditing of Business Continuity Plans
9.5.2. Recovery Point Objective (RPO)
9.5.2.1. Based on acceptable data loss
9.5.2.2. Indicates the most current state of data that can be recovered
9.5.3. Recovery Time Objective (RTO)
9.5.3.1. Based on acceptable downtime
9.5.3.2. Indicates the point in time at which the business plans to resume sustainable service levels after a disaster
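Added example, not code from the page or from ISACA: an audit check of whether a backup schedule actually satisfies the stated RPO (the most current recoverable state, and the worst-case data loss between successful backups) and whether restore drills demonstrate the RTO. The targets, backup job log and drill log are constructed for illustration.

```python
"""RPO/RTO assurance check over constructed backup and restore-drill logs.
Not ISACA's own code; targets and log lines are constructed for illustration."""
from datetime import datetime, timedelta

RPO = timedelta(hours=4)  # acceptable data loss (constructed target)
RTO = timedelta(hours=8)  # acceptable downtime (constructed target)

# Backup job log, "finished_at,status" (constructed). A failed job does not
# advance the recoverable point, so it widens the potential data loss.
BACKUP_LOG = """\
2024-03-01T00:00,success
2024-03-01T04:00,success
2024-03-01T08:00,failed
2024-03-01T12:00,success
2024-03-01T16:00,success
"""

# Restore drill log, "started_at,finished_at,status" (constructed)
RESTORE_DRILL_LOG = """\
2024-02-10T09:00,2024-02-10T15:30,success
2024-02-24T09:00,2024-02-24T19:15,success
"""

FMT = "%Y-%m-%dT%H:%M"


def parse_backup_log(text):
    """Return [(finished_at, status)] in chronological order."""
    entries = []
    for line in text.strip().splitlines():
        when, status = line.split(",")
        entries.append((datetime.strptime(when.strip(), FMT), status.strip()))
    return sorted(entries)


def recovery_point(entries, disaster_time):
    """Most current recoverable state: the last successful backup at or
    before the disaster, or None if there is none."""
    successes = [t for t, status in entries
                 if status == "success" and t <= disaster_time]
    return max(successes) if successes else None


def worst_case_data_loss(entries):
    """Largest gap between consecutive successful backups, i.e. the most data
    that could be lost if a disaster struck just before the next backup."""
    successes = [t for t, status in entries if status == "success"]
    if len(successes) < 2:
        return None
    return max(b - a for a, b in zip(successes, successes[1:]))


def rpo_met(entries, rpo=RPO):
    """RPO is met only if the worst-case gap is within the target."""
    loss = worst_case_data_loss(entries)
    return loss is not None and loss <= rpo


def parse_restore_drills(text):
    """Return the duration of each successful restore drill."""
    durations = []
    for line in text.strip().splitlines():
        start, end, status = (f.strip() for f in line.split(","))
        if status == "success":
            durations.append(datetime.strptime(end, FMT) - datetime.strptime(start, FMT))
    return durations


def rto_met(durations, rto=RTO):
    """RTO is demonstrated only if every drill finished within it; a failed
    or untested restore gives no assurance."""
    return bool(durations) and max(durations) <= rto


if __name__ == "__main__":
    backups = parse_backup_log(BACKUP_LOG)
    disaster = datetime(2024, 3, 1, 10, 0)
    rp = recovery_point(backups, disaster)
    print(f"Disaster at {disaster:%H:%M}: recovery point {rp:%H:%M}, data loss {disaster - rp}")
    print(f"Worst-case data loss {worst_case_data_loss(backups)} vs RPO {RPO}: met={rpo_met(backups)}")
    drills = parse_restore_drills(RESTORE_DRILL_LOG)
    print(f"Longest restore drill {max(drills)} vs RTO {RTO}: met={rto_met(drills)}")
```

With the constructed data the failed 08:00 job stretches the gap to 8 hours, so the schedule looks like it meets a 4-hour RPO on paper but does not in practice.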
9.5.4. Business Continuity Strategies
9.5.4.1. Interruption window
9.5.4.2. Service delivery objective (SDO)
9.5.4.3. Maximum tolerable outages
9.5.5. Recovery Strategies
9.5.6. Recovery Alternatives
9.5.6.1. Cold sites
9.5.6.2. Mobile sites
9.5.6.3. Warm sites
9.5.6.4. Reciprocal agreements
9.5.6.5. Hot sites
9.5.6.6. Mirrored sites
9.5.7. Audit of Third Party Recovery Agreements
9.5.7.1. Provisions for use of third-party sites should cover:
9.5.7.1.1. Access
9.5.7.1.2. Audit
9.5.7.1.3. Availability
9.5.7.1.4. Communications
9.5.7.1.5. Configurations
9.5.7.1.6. Disaster declaration
9.5.7.1.7. Insurance
9.5.7.1.8. Preference
9.5.7.1.9. Priority
9.5.7.1.10. Reliability
9.5.7.1.11. Security
9.5.7.1.12. Speed of availability
9.5.7.1.13. Subscribers per site and area
9.5.7.1.14. Testing
9.5.7.1.15. Usage period
9.5.7.1.16. Warranties
9.5.8. Organization and Assignment of Responsibilities
9.5.8.1. Have recovery teams been set up to
9.5.8.1.1. Retrieve critical and vital data from offsite storage
9.5.8.1.2. Install and test systems software and applications at the systems recovery site
9.5.8.1.3. Acquire and install hardware at the system recovery site
9.5.8.1.4. Operate the system recovery site
9.5.8.2. Team Responsibilities
9.5.8.2.1. Rerouting communications traffic
9.5.8.2.2. Re-establish the local area user / system network
9.5.8.2.3. Transport users to the recovery facility
9.5.8.2.4. Restore databases, software and data
9.5.8.2.5. Supply necessary office goods, e.g., special forms, paper
9.5.9. Backup and Restoration
9.5.9.1. Offsite library controls
9.5.9.2. Security and control of offsite facilities
9.5.9.3. Media and documentation backup
9.5.9.4. Periodic backup procedures
9.5.9.5. Frequency of Rotation
9.5.9.6. Types of Media and Documentation Rotated
9.5.9.7. Backup Schemes
9.5.9.8. Method of Rotation
10. Domain 5: Protection of Information Assets
10.1. Domain 5 - CISA® Exam Relevance
10.1.1. The content area for Domain 5 will represent ...
10.1.1.1. 30% of the CISA® examination
10.1.1.2. 62 questions
10.2. Importance of IS Management
10.2.1. Security objectives to meet organization’s business requirements include:
10.2.1.1. Ensure compliance with laws, regulations and standards
10.2.1.2. Ensure the availability, integrity and confidentiality of information and information systems
10.3. Key Elements of IS Management
10.3.1. Senior management commitment and support
10.3.2. Policies and procedures
10.3.3. Organization
10.3.4. Security awareness and education
10.3.5. Monitoring and compliance
10.3.6. Incident handling and response
10.4. CSFs to IS Management
10.4.1. Strong commitment and support by senior management for security training
10.4.2. A professional, risk-based approach must be used systematically to identify sensitive and critical resources
10.5. Inventory and Classification of Information Assets
10.5.1. The inventory record of each information asset should include:
10.5.1.1. Identification of assets
10.5.1.2. Relative value of assets to the organization
10.5.1.3. Location (where the asset is located)
10.5.1.4. Security / risk classification
10.5.1.5. Asset group
10.5.1.6. Owner
10.5.1.7. Designated custodian
10.6. Privacy Management Issues and the Role of IS Auditors
10.6.1. Privacy impact analysis or assessments should:
10.6.1.1. Pinpoint the nature of personally identifiable information (PII) associated with business processes
10.6.1.2. Document the collection, use, disclosure and destruction of personally identifiable information
10.6.1.3. Ensure that accountability for privacy issues exists
10.6.1.4. Set the foundation for informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk
10.6.2. Compliance with privacy policy and laws
10.6.2.1. Identify and understand legal requirements regarding privacy from laws, regulations and contract agreements
10.6.2.2. Check whether personal data are correctly managed in respect to these requirements
10.6.2.3. Verify that the correct security measures are adopted
10.6.2.4. Review management’s privacy policy to ascertain that it takes into consideration the requirements of applicable privacy laws and regulations
10.7. Social Media Risks
10.7.1. Inappropriate sharing of information
10.7.1.1. Organizational activity
10.7.1.2. Staffing issues
10.7.1.3. Privacy-related sensitive data
10.7.2. Installation of vulnerable applications
10.8. Access Controls
10.8.1. System Access Permission
10.8.1.1. Who has access rights and to what?
10.8.1.2. What is the level of access to be granted?
10.8.1.3. Who is responsible for determining the access rights and access levels?
10.8.1.4. What approvals are needed for access?
10.8.2. Mandatory Access Controls (MAC)
10.8.2.1. Enforces corporate security policy
10.8.2.2. Compares sensitivity of information resources
10.8.3. Discretionary Access Controls (DAC)
10.8.3.1. Enforces data owner-defined sharing of information resources
10.8.4. IAAA
10.8.4.1. Identification
10.8.4.1.1. Method to uniquely distinguish each entity that is accessing resources
10.8.4.1.2. Knowledge
10.8.4.1.3. Ownership / possession
10.8.4.1.4. Characteristic
10.8.4.2. Authentication
10.8.4.2.1. Validate, verify or prove the identity
10.8.4.3. Authorization
10.8.4.3.1. Rights, permissions, privileges granted to an authenticated entity
10.8.4.3.2. Access restrictions at the file level include:
10.8.4.4. Accounting (Audit)
10.8.4.4.1. Track all activity
10.9. Challenges with Identity Management
10.9.1. Many changes to systems and users
10.9.2. Many types of users – employees, customers, guests, managers, regulators
10.9.3. Audit concerns
10.9.3.1. Unused IDs
10.9.3.2. Misconfigured IDs
10.9.3.3. Failure to follow procedures
10.9.3.4. Group IDs
10.10. Identification and Authentication
10.10.1. Vulnerabilities:
10.10.1.1. Weak authentication methods
10.10.1.2. Lack of confidentiality and integrity for the stored authentication information
10.10.1.3. Lack of encryption for authentication and protection of information transmitted over a network
10.10.1.4. User’s lack of knowledge on the risks associated with sharing passwords, security tokens, etc.
10.11. Logical Access
10.11.1. Logical Access Exposures
10.11.1.1. Technical exposures include:
10.11.1.1.1. Data leakage
10.11.1.1.2. Wire tapping
10.11.1.1.3. Trojan horses / backdoors
10.11.1.1.4. Viruses
10.11.1.1.5. Worms
10.11.1.1.6. Logic bombs
10.11.1.1.7. Denial-of-service attacks
10.11.1.1.8. Computer shutdown
10.11.1.1.9. War driving
10.11.1.1.10. Piggybacking
10.11.1.1.11. Trap doors
10.11.1.1.12. Asynchronous attacks
10.11.1.1.13. Rounding down
10.11.1.1.14. Salami technique
10.11.2. Paths of Logical Access
10.11.2.1. Network connectivity
10.11.2.2. Remote access
10.11.2.3. Operator console
10.11.2.4. Online workstations or terminals
10.11.3. Logical Access Control Software
10.11.3.1. Prevent unauthorized access and modification to an organization’s sensitive data and use of system critical functions.
10.11.3.2. General operating and/or application systems access control functions include the following:
10.11.3.2.1. Create or change user profiles
10.11.3.2.2. Assign user identification and authentication
10.11.3.2.3. Apply user logon limitation rules
10.11.3.2.4. Notification concerning proper use and access prior to initial login
10.11.3.2.5. Create individual accountability and auditability by logging user activities
10.11.3.2.6. Establish rules for access to specific information resources (e.g., system-level application resources and data)
10.11.3.2.7. Log events
10.11.3.2.8. Report capabilities
10.11.3.3. Database and / or application-level access control functions include:
10.11.3.3.1. Create or change data files and database profiles
10.11.3.3.2. Verify user authorization at the application and transaction levels
10.11.3.3.3. Verify user authorization within the application
10.11.3.3.4. Verify user authorization at the field level for changes within a database
10.11.3.3.5. Verify subsystem authorization for the user at the file level
10.11.3.3.6. Log database / data communications access activities for monitoring access violations
10.11.4. Auditing Logical Access
10.11.4.1. When evaluating logical access controls the IS auditor should:
10.11.4.1.1. Identify sensitive systems and data
10.11.4.1.2. Document and evaluate controls over potential access
10.11.4.1.3. Test controls over access paths to determine whether they are functioning and effective
10.11.4.1.4. Evaluate the access control environment to determine if the control objectives are achieved
10.11.4.1.5. Evaluate the security environment to assess its adequacy
10.11.5. Access Control Lists (ACLs)
10.11.5.1. A register attached to a system resource listing the users (or groups) who have permission to use that resource
10.11.5.2. For each of them, the types of access permitted (e.g., read, write, execute)
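The four IAAA steps of 10.8.4, the stored-credential weaknesses of 10.10.1, the owner-defined sharing of 10.8.3 and the ACL of 10.11.5 fit together in one small program. The following is an added Python example, not code from the mind map or from ISACA; the user IDs, passwords, resource name and PBKDF2 iteration count are constructed assumptions.

```python
"""Identification, Authentication, Authorization and Accounting (IAAA) over
a discretionary ACL. Added example; every user, password, resource and the
PBKDF2 iteration count are constructed assumptions."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ITERATIONS = 100_000       # assumed; raise until one check takes ~100 ms on your hardware
_DUMMY = (bytes(16), bytes(32))   # so an unknown ID costs the same time as a known one

credentials = {}   # user_id -> (salt, derived_key); the password itself is never stored


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def enroll(user_id, password):
    """Identification: assign a unique ID; store only a salted, slow hash of the secret."""
    salt = os.urandom(16)
    credentials[user_id] = (salt, _derive(password, salt))


def authenticate(user_id, password):
    """Authentication: prove the claimed identity with something the user knows."""
    salt, expected = credentials.get(user_id, _DUMMY)
    candidate = _derive(password, salt)
    # compare_digest keeps the comparison constant-time; the dummy record keeps
    # unknown and known IDs indistinguishable by response time
    return user_id in credentials and hmac.compare_digest(candidate, expected)


acl = {}   # resource -> {"owner": user_id, "entries": {user_id: set(permissions)}}


def create_resource(owner, resource):
    acl[resource] = {"owner": owner, "entries": {owner: {"read", "write", "execute"}}}


def grant(granter, resource, user_id, permissions):
    """DAC: only the data owner may extend sharing of the resource."""
    if acl[resource]["owner"] != granter:
        raise PermissionError(f"{granter} is not the owner of {resource}")
    acl[resource]["entries"].setdefault(user_id, set()).update(permissions)


def authorized(user_id, resource, permission):
    """Authorization: look the authenticated ID up in the resource's ACL."""
    entries = acl.get(resource, {}).get("entries", {})
    return permission in entries.get(user_id, set())


audit_log = []   # Accounting: every decision, granted or denied, is recorded


def access(user_id, password, resource, permission):
    ok_auth = authenticate(user_id, password)
    ok_authz = ok_auth and authorized(user_id, resource, permission)
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user_id, "resource": resource, "permission": permission,
        "authenticated": ok_auth, "granted": ok_authz,
    })
    return ok_authz


def demo():
    """Constructed scenario: alice owns a file and shares read access with bob."""
    enroll("alice", "correct horse battery staple")
    enroll("bob", "hunter2")
    create_resource("alice", "/data/payroll.csv")
    grant("alice", "/data/payroll.csv", "bob", {"read"})
    results = [
        access("alice", "correct horse battery staple", "/data/payroll.csv", "write"),
        access("bob", "hunter2", "/data/payroll.csv", "read"),
        access("bob", "hunter2", "/data/payroll.csv", "write"),        # not granted by owner
        access("bob", "wrong password", "/data/payroll.csv", "read"),  # authentication fails
        access("mallory", "anything", "/data/payroll.csv", "read"),    # unknown ID
    ]
    try:
        grant("bob", "/data/payroll.csv", "mallory", {"read"})         # bob is not the owner
        dac_enforced = False
    except PermissionError:
        dac_enforced = True
    return results, dac_enforced


if __name__ == "__main__":
    print(demo())
    for entry in audit_log:
        print(entry)
```

Two details address the 10.10.1 weaknesses directly: the store holds only a salt and a slow-to-compute derived key (a leaked store does not leak passwords), and the comparison is constant-time with a dummy record for unknown IDs so that response timing does not reveal which user IDs exist. Denied attempts are logged as well as granted ones; the audit trail is what later monitoring (10.14) works from.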
10.11.6. Logical Access security administration:
10.11.6.1. Centralized environment
10.11.6.2. Decentralized environment
10.11.6.2.1. Advantages
10.11.6.2.2. Risks
10.11.7. Single Sign-on (SSO)
10.11.7.1. Users authenticate once and are granted access to multiple systems; the access functions for those systems are consolidated into a single centralized administrative function
10.11.7.2. A single sign-on interfaces with:
10.11.7.2.1. Client-server and distributed systems
10.11.7.2.2. Mainframe systems
10.11.7.2.3. Network security including remote access mechanisms
10.11.7.3. Advantages
10.11.7.3.1. Elimination of multiple user IDs and passwords
10.11.7.3.2. It improves an administrator’s ability to centrally manage users’ accounts and authorizations
10.11.7.3.3. Reduces administrative overhead
10.11.7.3.4. It reduces the time taken by users to log into multiple applications and platforms
10.11.7.4. Disadvantages
10.11.7.4.1. May not support legacy applications or all operating environments
10.11.7.4.2. The costs associated with SSO development can be significant
10.11.7.4.3. The centralized nature of SSO presents the possibility of a single point of failure and total compromise of an organization’s information assets
10.12. Familiarization with the Organization’s IT Environment
10.12.1. Every layer of a system has to be reviewed for security controls including:
10.12.1.1. The network
10.12.1.2. Operating system platform
10.12.1.3. Applications software
10.12.1.4. Database
10.12.1.5. Physical and environmental security
10.13. Remote Access
10.13.1. Today's organizations require remote access connectivity to their information resources for different types of users such as employees, vendors, consultants, business partners and customer representatives. Remote access should be:
10.13.1.1. Consolidated (a small, known set of entry points rather than ad hoc connections)
10.13.1.2. Monitored
10.13.1.3. Governed by policies
10.13.1.4. Granted at appropriate access levels (least privilege for each user type)
10.13.1.5. Encrypted
10.13.2. Risks
10.13.2.1. Denial of service
10.13.2.2. Malicious third parties
10.13.2.3. Misconfigured communications software
10.13.2.4. Misconfigured devices on the corporate computing infrastructure
10.13.2.5. Host systems not secured appropriately
10.13.2.6. Physical security issues on remote users’ computers
10.13.3. Auditing Remote Access
10.13.3.1. Assess remote access points of entry
10.13.3.2. Test dial-up access controls
10.13.3.3. Test the logical controls
10.13.3.4. Evaluate remote access approaches for cost-effectiveness, risk and business requirements
10.13.3.5. Audit Internet points of presence:
10.13.3.5.1. E-mail
10.13.3.5.2. Marketing
10.13.3.5.3. Sales channel / electronic commerce
10.13.3.5.4. Channel of delivery for goods / services
10.13.3.5.5. Information gathering
10.14. Audit logging and monitoring system access
10.14.1. Provides management an audit trail to monitor activities of a suspicious nature, such as an attacker attempting brute-force attacks on a privileged logon ID
10.14.2. Record all activity for future investigation
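The brute-force case named above is the classic detection run over an authentication audit trail. The following is an added Python example, not from the mind map or ISACA; the log format, the log lines, the list of privileged IDs and the "5 failures within 5 minutes" threshold are all constructed assumptions.

```python
"""Scan an authentication audit trail for brute-force attempts against
privileged logon IDs. Added example; the log format and the lines below are
constructed for illustration, not taken from a real system."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_IDS = {"root", "admin", "dba_admin"}   # assumed inventory of privileged IDs
THRESHOLD = 5                                     # assumed: 5 failures ...
WINDOW = timedelta(minutes=5)                     # ... within 5 minutes from one source

# Constructed syslog-style format: <ISO timestamp> auth <FAIL|OK> user=<id> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

SAMPLE_LOG = """\
2015-06-01T09:00:01 auth FAIL user=root src=203.0.113.7
2015-06-01T09:00:03 auth FAIL user=root src=203.0.113.7
2015-06-01T09:00:05 auth FAIL user=root src=203.0.113.7
2015-06-01T09:00:07 auth FAIL user=root src=203.0.113.7
2015-06-01T09:00:09 auth FAIL user=root src=203.0.113.7
2015-06-01T09:00:11 auth FAIL user=root src=203.0.113.7
2015-06-01T09:00:15 auth OK user=root src=203.0.113.7
2015-06-01T09:01:00 auth FAIL user=jsmith src=198.51.100.4
2015-06-01T09:01:30 auth FAIL user=jsmith src=198.51.100.4
2015-06-01T09:02:00 auth OK user=jsmith src=198.51.100.4
2015-06-01T09:05:00 kernel: unrelated message that does not parse
2015-06-01T09:10:00 auth FAIL user=admin src=203.0.113.9
2015-06-01T09:18:00 auth FAIL user=admin src=203.0.113.9
2015-06-01T09:26:00 auth FAIL user=admin src=203.0.113.9
2015-06-01T09:34:00 auth FAIL user=admin src=203.0.113.9
2015-06-01T09:42:00 auth FAIL user=admin src=203.0.113.9
""".splitlines()


def parse(lines):
    """Yield (timestamp, result, user, src) for every line that matches the format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def _alert(kind, user, src, fails):
    return {
        "kind": kind, "user": user, "src": src, "failures": len(fails),
        "first": fails[0].isoformat(), "last": fails[-1].isoformat(),
        "privileged": user in PRIVILEGED_IDS,
    }


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failed logons per (source, target ID).

    Raises one alert when the failure count reaches the threshold and a more
    serious one when a success follows such a run (possible compromise).
    """
    recent_failures = defaultdict(list)   # (src, user) -> failure timestamps inside the window
    alerts = []
    for ts, result, user, src in sorted(parse(lines)):
        key = (src, user)
        fails = [t for t in recent_failures[key] if ts - t <= window]
        if result == "FAIL":
            fails.append(ts)
            recent_failures[key] = fails
            if len(fails) == threshold:          # fire once per run, not on every extra failure
                alerts.append(_alert("brute_force", user, src, fails))
        else:
            if len(fails) >= threshold:
                alerts.append(_alert("success_after_failures", user, src, fails))
            recent_failures[key] = []            # a success ends the run
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(a)
```

On the constructed trail the root attempts from 203.0.113.7 produce a brute-force alert at the fifth failure and a second, higher-priority alert when the following logon succeeds; jsmith's two typos do not trigger anything. The admin failures spaced eight minutes apart are deliberately missed: a fixed short window cannot see a slow attack, so a real review pairs this rule with a per-day count of failures against each privileged ID across all sources.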
10.15. Encryption
10.15.1. Symmetric vs. Asymmetric Summary
10.15.2. Summary of Cryptography Algorithms
10.16. Physical and Environmental Controls
10.16.1. Security Objectives & Controls
10.16.1.1. Administrative controls
10.16.1.1.1. Facility location, construction, and management
10.16.1.1.2. Physical security risks, threats, and countermeasures
10.16.1.2. Technical controls
10.16.1.2.1. Authenticating individuals and intrusion detection
10.16.1.2.2. Electrical issues and countermeasures
10.16.1.2.3. Fire prevention, detection, and suppression
10.16.1.3. Physical controls
10.16.1.3.1. Perimeter & Building Grounds
10.16.1.3.2. Building Entry Point
10.16.1.3.3. Box-within-a-box floor plan
10.16.1.3.4. Data Centers or Server Room Security
10.16.2. Physical Access Controls (non-exhaustive list)
10.16.2.1. Locks
10.16.2.1.1. Mechanical locks
10.16.2.1.2. Electronic locks
10.16.2.2. Entrance Protection
10.16.2.2.1. Turnstiles
10.16.2.2.2. Mantraps
10.16.2.2.3. Fail-safe (door unlocks on power or control failure; favors life safety over asset protection)
10.16.2.2.4. Fail-secure (door stays locked on failure; favors asset protection, so a separate emergency exit is required)
10.16.2.3. Closed-circuit television (CCTV)
10.16.2.4. Security guards
10.16.2.5. Lighting
10.16.2.6. Electrical Power Supply
10.16.2.7. Electrostatic Discharge
10.16.2.8. HVAC
10.16.2.9. Fire Suppression Systems
10.16.2.9.1. Halon (ozone-depleting; no longer produced, found only in legacy installations)
10.16.2.9.2. FM-200
10.16.2.9.3. Carbon Dioxide
10.16.2.9.4. Dry Chemicals
10.16.2.9.5. Dry Pipe
10.16.2.9.6. Pre-action
10.16.2.10. Fire / Smoke Detection
10.16.2.10.1. Ionization-type smoke detector
10.16.2.10.2. Optical (photoelectric) smoke detector
10.16.2.10.3. Fixed / rate-of-rise temperature sensor
11. Overview of the CISA® certification
11.1. About the CISA® exam
11.1.1. CISA® exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards.
11.1.2. PBE & CBE (only pencil & eraser are allowed).
11.1.2.1. PBE - Paper based exam.
11.1.2.2. CBE - Closed book exam.
11.1.3. 4 hour exam.
11.1.4. 200 multiple choice questions designed with one best answer.
11.1.5. No negative points.
11.1.6. Pre-requisite for exam:
11.1.6.1. None
11.1.7. Pre-requisite for certification:
11.1.7.1. Read CISA® Application Form
11.1.7.1.1. http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Apply-for-Certification/Documents/Application-form-download.pdf
12. Interactive Glossary
12.1. Interactive CISA® Glossary
13. Recommended additional study
13.1. CISA Essential Exam Notes 2014
13.2. Effective Approach and Practical Tips for CISA Exam
14. This freeware, non-commercial mind map (aligned with the newest version of the CISA® exam) was carefully hand-crafted with passion and love for learning and constant improvement, as well as for promoting the CISA® qualification and as a learning tool for candidates wanting to gain the CISA® qualification. (please share and give feedback - your feedback and comments are my main motivation for further elaboration. THX!)
14.1. Questions / issues / errors? What do you think about my work? Your comments are highly appreciated. Feel free to visit my website: www.miroslawdabrowski.com
14.1.1. http://www.miroslawdabrowski.com
14.1.2. http://www.linkedin.com/in/miroslawdabrowski
14.1.3. https://www.google.com/+MiroslawDabrowski
14.1.4. https://play.spotify.com/user/miroslawdabrowski/
14.1.5. https://twitter.com/mirodabrowski
14.1.6. miroslaw_dabrowski