ISACA® CISA® study guide mind map

시작하기. 무료입니다
또는 회원 가입 e메일 주소
ISACA® CISA® study guide mind map 저자: Mind Map: ISACA® CISA® study guide mind map

1. CISA Exam Passing Principles

2. The job profile of the CISA® (Certified Information Systems Auditor) was published in 1977. Ever since, innumerable individuals around the world have passed this demanding examination which has been consistently updated in line with changing requirements; the examination takes place simultaneously in 80 countries, currently in 12 languages. The successful graduates will, on the provision of meeting the requirement of professional practice / experience, obtain the coveted CISA® designation.

2.1. Covers

2.1.1. It covers 5 domains, 38 tasks and 79 knowledge statements (statements covering the required technical knowledge).

2.1.1.1. Since the task statements are consistently referenced to the pertaining COBIT® processes, COBIT® has thus become an integral component of the CISA® curriculum and certification.

2.2. Designation

2.2.1. The CISA® certification / designation reflects a solid achievement record in the area of audit, control and security of information systems.

2.2.2. CISA® is the only globally recognized certification in the are of audit, controls and security of information systems and is – in view of the stringent and globally identical requirements - internationally recognized.

2.2.2.1. Internationally operating corporations and locally operating enterprises appreciate these merits alike.

2.3. The CISA® job profile has so far been consistently revised in 4 to 6 year intervals (the last time in 2010).

3. Official Recommended exam study materials

3.1. Glossary

3.1.1. http://www.isaca.org/Knowledge-Center/Documents/Glossary/cisa_glossary.pdf

3.2. Development Guides

3.2.1. ISACA® CISA® Item Development Guide

3.2.1.1. https://www.isaca.org/Certification/Write-an-Exam-Question/Documents/CISA-Item-Development-Guide.pdf

3.2.2. ISACA® CISA® QAE Item Development Guide

3.2.2.1. https://www.isaca.org/Certification/Write-an-Exam-Question/Documents/CISA-QAE-Item-Development-Guide.pdf

3.3. ISACA® CISA® Review Manual 2015

3.3.1. https://www.isaca.org/bookstore/Pages/Product-Detail.aspx?Product_code=CRM15

3.4. ISACA® CISA® Review Questions, Answers & Explanations Manual 2015 Supplement

3.4.1. https://www.isaca.org/bookstore/Pages/Product-Detail.aspx?Product_code=QAE15ES

3.5. ISACA® CISA® Practice Question Database

3.5.1. https://www.isaca.org/bookstore/Pages/Product-Detail.aspx?Product_code=XMXCA15-12M

4. CISA® Official website

4.1. http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Pages/default.aspx

5. Basic audit related definitions (from ISACA® CISA® perspective)

5.1. Audit Risk

5.1.1. Inherent Risk

5.1.2. Control Risk

5.1.3. Overall Audit Risk

5.1.4. Detection Risk

5.2. Auditing

5.2.1. Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

5.3. Evidence

5.3.1. It is a requirement that the auditor’s conclusions be based on sufficient, competent evidence:

5.3.1.1. Independence of the provider of the evidence

5.3.1.2. Qualification of the individual providing the information or evidence

5.3.1.3. Objectivity of the evidence

5.3.1.4. Timing of the evidence

5.4. Information Systems Auditing

5.4.1. Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.

5.5. Risk

5.5.1. Risk is the likelihood of a threat exploiting a vulnerability and the resulting impact on business mission.

6. Domain 1: The Process of Auditing Information Systems

6.1. Domain 1 - CISA® Exam Relevance

6.1.1. The content area for Domain 1 will represent ...

6.1.1.1. 14% of the CISA® examination

6.1.1.2. 62 questions

6.2. Audit Charter

6.2.1. Audit begins with the acceptance of an Audit Charter

6.2.2. Provides:

6.2.2.1. Authority for audit

6.2.2.2. Responsibility

6.2.2.3. Reporting requirements

6.2.3. Signed by Audit Committee / Senior Management / Steering Committee

6.3. Audit

6.3.1. Objectives

6.3.1.1. An audit compares (measures) actual activity against standards and policy

6.3.2. Specific goals of the audit

6.3.2.1. Confidentiality

6.3.2.2. Integrity

6.3.2.3. Reliability

6.3.2.4. Availability

6.3.2.5. Compliance with legal and regulatory requirements

6.3.3. Types

6.3.3.1. Financial audits

6.3.3.1.1. relates to financial information integrity and reliability.

6.3.3.2. Operational audits

6.3.3.2.1. examples: IS audits of application controls or logical security systems

6.3.3.3. Integrated audits

6.3.3.3.1. combines financial and operational audit steps.

6.3.3.4. Administrative audits

6.3.3.4.1. oriented to assess issues related to the efficiency of operational productivity within an organization.

6.3.3.5. IS audits

6.3.3.6. Specialized audits

6.3.3.6.1. examine areas such as services performed by third parties.

6.3.3.7. Forensic audits

6.3.3.7.1. Audits specifically related to a crime or serious incident

6.3.3.7.2. Obtain and examine evidence

6.3.3.7.3. Report for further action

6.3.3.7.4. auditing specialized in discovering, disclosing and following up on frauds and crimes. The primary purpose of such a review is the development of evidence for review by law enforcement and judicial authorities.

6.3.4. Elements

6.3.4.1. Audit scope

6.3.4.2. Audit objectives

6.3.4.3. Criteria

6.3.4.4. Audit procedures

6.3.4.5. Evidence

6.3.4.6. Conclusions and opinions

6.3.4.7. Reporting

6.4. Audit Planning

6.4.1. Involves short and long term planning (annual basis)

6.4.2. Based on the scope and objective of the particular assignment

6.4.3. Based on concerns of management or areas of higher risk

6.4.3.1. Process failures

6.4.3.2. Financial operations

6.4.3.3. Compliance requirements

6.4.4. New control issues.

6.4.5. Changes / Upgrades to technologies.

6.4.6. Business process / Need/ Goals.

6.4.7. Auditing / Evaluation Techniques.

6.4.8. IS auditor’s concerns:

6.4.8.1. Security (confidentiality, integrity and availability)

6.4.8.2. Quality (effectiveness, efficiency)

6.4.8.3. Fiduciary (compliance, reliability)

6.4.8.4. Service and capacity

6.4.9. Audit Planning Process

6.4.9.1. Gain an understanding of the business’s mission, objectives, purpose and processes

6.4.9.2. Identify stated contents (policies, standards, guidelines, procedures, and organization structure)

6.4.9.3. Evaluate risk assessment and privacy impact analysis

6.4.9.4. Perform a risk analysis

6.4.9.5. Conduct an internal control review

6.4.9.6. Set the audit scope and audit objectives

6.4.9.7. Develop the audit approach or audit strategy

6.4.9.8. Assign personnel resources to audit and address engagement logistics

6.4.10. Effect of Laws and Regulations on IS Audit Planning

6.4.10.1. Adequate controls

6.4.10.2. Privacy

6.4.10.3. Responsibilities

6.4.10.3.1. Oversight and Governance

6.4.10.4. Protection of assets

6.4.10.5. Financial Management

6.4.10.6. Correlation to financial, operational and IT audit functions

6.5. Performing the Audit

6.5.1. ISACA IT Audit and Assurance Tools and Techniques

6.5.1.1. Procedures developed by the ISACA Standards Board provide examples of possible processes an IS auditor might follow in an audit engagement

6.5.1.2. The IS auditor should apply their own professional judgment to the specific circumstances

6.5.2. ISACA IT Audit and Assurance Standards Framework

6.5.2.1. Standards

6.5.2.1.1. Must be followed by IS auditors

6.5.2.2. Guidelines

6.5.2.2.1. Provide assistance on how to implement the standards

6.5.2.3. Procedures

6.5.2.3.1. Provide examples for implementing the standards

6.5.2.4. S1 Audit Charter

6.5.2.5. S2 Independence

6.5.2.6. S3 Ethics and Standards

6.5.2.7. S4 Competence

6.5.2.8. S5 Planning

6.5.2.9. S6 Performance of audit work

6.5.2.10. S7 Reporting

6.5.2.11. S8 Follow-up activities

6.5.2.12. S9 Irregularities and illegal acts

6.5.2.13. S10 IT Governance

6.5.2.14. S11 Use of risk assessment in audit planning

6.5.2.15. S12 Audit materiality

6.5.2.16. S13 Using the Work of Other Experts

6.5.2.17. S14 Audit Evidence

6.5.2.18. S15 IT Controls

6.5.2.19. S16 E-commerce

6.5.3. Gathering Evidence

6.5.3.1. Techniques

6.5.3.1.1. Review IS organization structures

6.5.3.1.2. Review IS policies and procedures

6.5.3.1.3. Review IS standards

6.5.3.1.4. Review IS documentation

6.5.3.1.5. Interview appropriate personnel

6.5.3.1.6. Observe processes and employee performance

6.5.3.2. Computer-assisted Audit Techniques (CAAT)

6.5.3.2.1. CAATs enable IS auditors to gather information independently

6.5.3.2.2. CAATs include:

6.5.3.2.3. CAATs as a continuous online audit approach:

6.5.4. General approaches to audit sampling

6.5.4.1. Statistical sampling

6.5.4.2. Non-statistical sampling

6.5.5. Using the Services of Other Auditors and Experts

6.5.5.1. Considerations when using services of other auditors and experts:

6.5.5.1.1. Audit charter or contractual stipulations

6.5.5.1.2. Impact on overall and specific IS audit objectives

6.5.5.1.3. Impact on IS audit risk and professional liability

6.5.5.1.4. Independence and objectivity of other auditors and experts

6.5.5.1.5. Professional competence, qualifications and experience

6.5.5.1.6. Scope of work proposed to be outsourced and approach

6.5.5.1.7. Supervisory and audit management controls

6.5.5.1.8. Method of communicating the results of audit work

6.5.5.1.9. Compliance with legal and regulatory stipulations

6.5.5.1.10. Compliance with applicable professional standards

6.6. IS Audit Resource Management

6.6.1. Audit Program Challenges

6.6.1.1. Limited number of IS auditors

6.6.1.2. Maintenance of their technical competence

6.6.1.3. Assignment of audit staff

6.7. Plan for an Audit

6.7.1. 1. Gather Information

6.7.2. 2. Identify System and Components

6.7.3. 3. Assess Risk

6.7.4. 4. Perform Risk Analysis

6.7.5. 5. Conduct Internal Control Review

6.7.6. 6. Set Audit Scope and Objectives

6.7.7. 7. Develop Auditing Strategy

6.7.8. 8. Assign Resources

6.8. Audit Methodology

6.8.1. A set of documented audit procedures designed to achieve planned audit objectives.

6.8.2. Composed of:

6.8.2.1. Statement of scope

6.8.2.2. Statement of audit objectives

6.8.2.3. Statement of audit programs

6.8.3. Set up and approved by the audit management

6.8.4. Communicated to all audit staff

6.9. Phases of an Audit

6.9.1. Audit subject

6.9.2. Audit objective

6.9.3. Audit scope

6.9.4. Pre-audit planning

6.9.5. Audit procedures and steps for data gathering

6.9.6. Procedures for evaluating the test or review

6.9.7. results

6.9.8. Procedures for communication with management

6.9.9. Audit report preparation

6.10. Audit Workpapers

6.10.1. Audit plans

6.10.2. Audit programs

6.10.3. Audit activities

6.10.4. Audit tests

6.10.5. Audit findings and incidents

6.11. Audit Procedures

6.11.1. Understanding of the audit area/subject

6.11.2. Risk assessment and general audit plan

6.11.3. Detailed audit planning

6.11.4. Preliminary review of audit area/subject

6.11.5. Evaluating audit area/subject

6.11.6. Verifying and evaluating controls

6.11.7. Compliance testing

6.11.8. Substantive testing

6.11.9. Reporting (communicating results)

6.11.10. Follow-up

6.12. Types of Tests for IS Controls

6.12.1. Use of audit software to survey the contents of data files

6.12.2. Assess the contents of operating system parameter files

6.12.3. Flow-charting techniques for documenting automated

6.12.4. applications and business process

6.12.5. Use of audit reports available in operation systems

6.12.6. Documentation review

6.12.7. Observation

6.13. Fraud Detection

6.13.1. Fraud detection is Management’s responsibility

6.13.2. Benefits of a well-designed internal control system

6.13.2.1. Deterring fraud at the first instance

6.13.2.2. Detecting fraud in a timely manner

6.13.3. Fraud detection and disclosure

6.13.4. Auditor’s role in fraud prevention and detection

6.14. Risk Management (based on ISACA Risk IT)

6.14.1. Risk Assessment

6.14.1.1. Identify and prioritize risk

6.14.1.2. Recommend risk-based controls

6.14.1.3. Assessing security risks

6.14.1.3.1. Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization.

6.14.1.3.2. Performed periodically to address changes in:

6.14.1.4. Treating security risks

6.14.1.4.1. Each risk identified in a risk assessment needs to be treated in a cost-effective manner according to its level of risk

6.14.1.4.2. Controls should be selected to ensure that risks are reduced to an acceptable level

6.14.2. Risk Mitigation

6.14.2.1. Reduce risk

6.14.2.2. Accept risk

6.14.2.3. Transfer risk

6.14.2.4. Avoid risk

6.14.3. Ongoing assessment of risk levels and control effectiveness

6.14.4. Purpose of Risk Analysis

6.14.4.1. Identity threats and vulnerabilities

6.14.4.2. Helps auditor evaluate countermeasures /

6.14.4.3. controls.

6.14.4.4. Helps auditor decide on auditing objectives.

6.14.4.5. Support Risk- Based auditing decision.

6.14.4.6. Leads to implementation of internal controls.

6.15. Risk-based Auditing

6.15.1. Why use Risk Based Auditing?

6.15.1.1. Enables management to effectively allocate limited audit resources

6.15.1.2. Ensures that relevant information has been obtained from all levels of management

6.15.1.3. Establishes a basis for effectively managing the audit plans

6.15.1.4. Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plan

6.15.2. Performing an Audit Risk Assessment to identify

6.15.2.1. Business risks

6.15.2.2. Technological risks

6.15.2.3. Operational risks

6.15.3. Process

6.15.3.1. 1. Gather Information and Plan for the Audit

6.15.3.1.1. Knowledge of business and industry

6.15.3.1.2. Prior year’s audit results

6.15.3.1.3. Recent financial information

6.15.3.1.4. Regulatory statutes

6.15.3.1.5. Inherent risk assessments

6.15.3.2. 2. Obtain Understanding of Internal Control

6.15.3.2.1. Control environment

6.15.3.2.2. Control procedures

6.15.3.2.3. Detection risk assessment

6.15.3.2.4. Control risk assessment

6.15.3.2.5. Equate total risk

6.15.3.3. 3. Perform Compliance Tests

6.15.3.3.1. Identify key controls to be tested

6.15.3.3.2. Perform tests on reliability, risk prevention, and adherence to organizational policies and procedures

6.15.3.4. 4. Perform Substantive Tests

6.15.3.4.1. Analytical procedures

6.15.3.4.2. Detailed tests of account balances

6.15.3.4.3. Other substantive audit procedures

6.15.3.5. 5. Conclude the Audit

6.15.3.5.1. Create recommendations

6.15.3.5.2. Write audit report

6.16. General Controls

6.16.1. Apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.

6.17. Internal Controls

6.17.1. Policies, procedures, practices and organizational structures implemented to reduce risks

6.17.2. Objectives

6.17.2.1. Safeguarding of IT assets

6.17.2.2. Compliance to corporate policies or legal requirements

6.17.2.3. Input

6.17.2.4. Authorization

6.17.2.5. Accuracy and completeness of processing of data input/transactions

6.17.2.6. Output

6.17.2.7. Reliability of process

6.17.2.8. Backup/recovery

6.17.2.9. Efficiency and economy of operations

6.17.2.10. Change management process for IT and related systems

6.17.3. Classification

6.17.3.1. Preventive controls

6.17.3.2. Detective controls

6.17.3.3. Corrective controls

6.17.4. Areas

6.17.4.1. Internal control system

6.17.4.2. Internal accounting controls

6.17.4.3. Operational controls

6.17.4.4. Administrative controls

6.17.5. IS Controls vs Manual Controls

6.17.5.1. Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment.

6.17.6. IS Controls

6.17.6.1. Strategy and direction

6.17.6.2. General organization and management

6.17.6.3. Access to IT resources, including data and programs

6.17.6.4. Systems development methodologies and change control

6.17.6.5. Operations procedures

6.17.6.6. Systems programming and technical support functions

6.17.6.7. Quality assurance procedures

6.17.6.8. Physical access controls

6.17.6.9. Business continuity/disaster recovery planning

6.17.6.10. Networks and communications

6.17.6.11. Database administration

6.17.6.12. Protection and detective mechanisms against internal and external attacks

6.18. Audit Documentation

6.18.1. Planning and preparation of the audit scope and objectives

6.18.2. Description on the scoped audit area

6.18.3. Audit program

6.18.4. Audit steps performed and evidence gathered

6.18.5. Other experts used

6.18.6. Audit findings, conclusions and recommendations

6.19. Automated Work Papers

6.19.1. Risk analysis

6.19.2. Audit programs

6.19.3. Results

6.19.4. Test evidences

6.19.5. Conclusions

6.19.6. Reports and other complementary information

6.19.7. Minimum controls:

6.19.7.1. Access to work papers

6.19.7.2. Audit trails

6.19.7.3. Automated features to provide and record approvals

6.19.7.4. Security and integrity controls

6.19.7.5. Backup and restoration

6.19.7.6. Encryption techniques

6.20. Evaluation of Audit Strengths and Weaknesses

6.20.1. Assess evidence

6.20.2. Evaluate overall control structure

6.20.3. Evaluate control procedures

6.20.4. Assess control strengths and weaknesses

6.21. Communicating Audit Results

6.21.1. Exit interview

6.21.1.1. Implementation dates for agreed recommendations

6.21.1.2. Correct facts

6.21.1.3. Realistic recommendations

6.21.2. Presentation techniques

6.21.2.1. Executive summary

6.21.2.2. Visual presentation

6.21.3. Audit report structure and contents

6.21.3.1. Introduction to the report

6.21.3.2. Audit findings presented in separate sections

6.21.3.3. The IS auditor’s overall conclusion and opinion

6.21.3.4. The IS auditor’s reservations with respect to the audit – audit limitations

6.21.3.5. Detailed audit findings and recommendations

6.21.4. Audit recommendations may not be accepted

6.21.4.1. Negotiation

6.21.4.2. Conflict resolution

6.21.4.3. Explanation of results, findings and best practices or legal requirements

6.22. Management Implementation of Audit Recommendations

6.22.1. Ensure that accepted recommendations are implemented as per schedule

6.22.2. Auditing is an ongoing process

6.22.3. Timing a follow-up

6.23. Control Self-Assessment (CSA)

6.23.1. Objectives

6.23.1.1. Leverage the internal audit function by shifting some control monitoring responsibilities to functional areas

6.23.1.2. Enhancement of audit responsibilities, not a replacement

6.23.1.3. Educate management about control design and monitoring

6.23.1.4. Empowerment of workers to assess the control environment

6.23.2. Benefits

6.23.2.1. Early detection of risks

6.23.2.2. More effective and improved internal controls

6.23.2.3. Increased employee awareness of organizational objectives

6.23.2.4. Highly motivated employees

6.23.2.5. Improved audit rating process

6.23.2.6. Reduction in control cost

6.23.2.7. Assurance provided to stakeholders and customers

6.23.3. Disadvantages

6.23.3.1. Could be mistaken as an audit function replacement

6.23.3.2. May be regarded as an additional workload

6.23.3.3. Failure to act on improvement suggestions could damage employee morale

6.23.3.4. Lack of motivation may limit effectiveness in the detection of weak controls

6.23.4. A management technique

6.23.5. A methodology

6.23.6. In practice, a series of tools

6.23.7. Can be implemented by various methods

6.23.8. Auditor Role in CSA

6.23.8.1. Internal control professionals

6.23.8.2. Assessment facilitators

6.23.9. Traditional vs. CSA

6.23.9.1. Traditional Approach

6.23.9.1.1. Assigns duties/supervises staff

6.23.9.1.2. Policy/rule driven

6.23.9.1.3. Limited employee participation

6.23.9.1.4. Narrow stakeholder focus

6.23.9.2. CSA Approach

6.23.9.2.1. Empowered/accountable employees

6.23.9.2.2. Continuous improvement/learning curve

6.23.9.2.3. Extensive employee participation and training

6.23.9.2.4. Broad stakeholder focus

6.24. Continuous Auditing vs Continuous Monitoring

6.24.1. Continuous monitoring

6.24.1.1. Provided by IS management tools

6.24.1.2. Based on automated procedures to meet fiduciary responsibilities

6.24.2. Continuous auditing

6.24.2.1. Audit-driven

6.24.2.2. Completed using automated audit procedures

6.24.2.3. Distinctive character

6.24.2.3.1. Short time lapse between the facts to be audited and the collection of evidence and audit reporting

6.24.2.4. Drivers

6.24.2.4.1. Better monitoring of financial issues

6.24.2.4.2. Allows real-time transactions to benefit from real-time monitoring

6.24.2.4.3. Prevents financial fiascoes and audit scandals

6.24.2.4.4. Uses software to determine proper financial controls

6.24.2.5. Application of continuous auditing due to:

6.24.2.5.1. New information technology developments

6.24.2.5.2. Increased processing capabilities

6.24.2.5.3. Standards

6.24.2.5.4. Artificial intelligence tools

6.24.2.6. Advantages

6.24.2.6.1. Instant capture of internal control problems

6.24.2.6.2. Reduction of intrinsic audit inefficiencies

6.24.2.7. Disadvantages

6.24.2.7.1. Difficulty in implementation

6.24.2.7.2. High cost

6.24.2.7.3. Elimination of auditors’ personal judgment and evaluation

6.25. ISACA Code of Professional Ethics

6.25.1. The Association’s Code of Professional Ethics provides guidance for the professional and personal conduct of members of ISACA and/or holders of ISACA designations.

7. Domain 2: Governance and Management of IT

7.1. Domain 2 - CISA® Exam Relevance

7.1.1. The content area for Domain 1 will represent ...

7.1.1.1. 14% of the CISA® examination

7.1.1.2. 62 questions

7.2. Corporate Governance

7.2.1. Ethical corporate behaviour

7.2.2. Governance of IT systems and assets towards the preservation of value for all stakeholders

7.2.3. Resource management

7.2.4. Establishment of rules to manage and report on business risks

7.3. IT Governance (ITG)

7.3.1. Comprises the body of issues addressed in considering how IT is applied within the enterprise.

7.3.2. Effective enterprise governance focuses on:

7.3.2.1. Individual and group expertise

7.3.2.2. Experience in specific areas

7.3.3. Key element: alignment of business and IT

7.3.4. Two issues:

7.3.4.1. IT delivers value to the business

7.3.4.2. IT risks are managed

7.3.5. Best Practices for IT Governance

7.3.5.1. Strategic Alignment

7.3.5.1.1. Focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations

7.3.5.2. Value Delivery

7.3.5.2.1. Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and improving the intrinsic value of IT.

7.3.5.3. Resource Management

7.3.5.3.1. Is about the optimal investment in, and the proper management of, Critical IT resources: applications, information, infrastructure and people, Key issues relate to the optimisation of knowledge and infrastructure.

7.3.5.4. Risk Management

7.3.5.4.1. Requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.

7.3.5.5. Performance Measurement

7.3.5.5.1. Tracks and monitors strategy implementation, projection completion, resource usage, process performance and services delivery, using, for example, balanced scorecards that translate into action to achieve goals measurable beyond conventional accounting.

7.4. IS Governance (ISG)

7.4.1. Focused activity with specific value drivers

7.4.1.1. Integrity of information

7.4.1.2. Continuity of services

7.4.1.3. Protection of information assets

7.4.2. Integral part of IT Governance (ITG)

7.4.3. Importance of information security governance

7.4.4. Should be supported at the highest levels of the organization

7.4.5. IS Governance (ISG) broadens scope beyond simply protection of IT system and data – integration and over all security regardless of handling, processing, transporting, or storing.

7.4.6. Protects information assets at all times, in all forms (electronic, paper, communicated), and in all locations

7.4.7. Exposure to civil and legal liability, regulators.

7.4.7.1. Provide assurance of policy compliance.

7.4.8. Enhance business Ops continuity – lower risk: uncertainty.

7.4.9. Foundation for risk management, process enhanced and fast incident response procedures.

7.4.10. Optimize allocation of the limited security resources as well as procurement process.

7.4.11. Ensuring that important decisions are made on accurate data.

7.4.12. Results

7.4.12.1. Strategic link to business / Organization

7.4.12.2. Objectives.

7.4.12.3. Overall risk management.

7.4.12.4. Optimize investments.

7.4.12.5. Management of resources.

7.4.12.6. Report on performance / results.

7.4.12.7. Process integration

7.5. Information Technology Monitoring and Assurance Practices for Management

7.5.1. IT governance implies a system where all stakeholders provide input into the decision making process:

7.5.1.1. Board

7.5.1.2. Internal customers

7.5.1.3. Finance

7.6. IS Strategy

7.6.1. Strategic Planning.

7.6.2. Steering committee role.

7.6.3. Primary strategic functions

7.6.4. Strategic Enterprise Architecture Plans

7.6.4.1. Involves documenting an organization’s IT assets in a structured manner to facilitate understanding, management and planning for IT investments

7.6.4.2. Often involves both a current state and optimized future state representation

7.6.5. IT Strategy Committee

7.6.5.1. The creation of an IT strategy committee is an industry best practice

7.6.5.2. Committee should broaden its scope to include not only advice on strategy when assisting the board in its IT governance responsibilities, but also to focus on IT value, risks and performance

7.6.6. Techniques

7.6.6.1. Standard IT Balanced Scorecard

7.6.6.1.1. A process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes

7.6.6.1.2. Method goes beyond the traditional financial evaluation

7.6.6.1.3. One of the most effective means to aid the IT strategy committee and management in achieving IT and business alignment

7.7. Enterprise Architecture

7.7.1. The Zachman Framework

7.7.2. Federal Enterprise Architecture (FEA)

7.7.2.1. Performance

7.7.2.2. Business

7.7.2.3. Service component

7.7.2.4. Technical

7.7.2.5. Data

7.8. Maturity and Process Improvement Models

7.8.1. IDEAL model

7.8.2. Capability Maturity Model Integration (CMMI)

7.8.3. Team Software Process (TSP)

7.8.4. Personal Software Process (PSP)

7.9. IT Investment and Allocation Practices

7.9.1. Financial benefits

7.9.1.1. Impact on budget and finances

7.9.2. Nonfinancial benefits

7.9.2.1. Impact on operations or mission performance and results

7.10. Auditing IT Governance Structure and Implementation

7.10.1. Indicators of potential problems include:

7.10.1.1. Unfavorable end-user attitudes

7.10.1.2. Excessive costs

7.10.1.3. Budget overruns

7.10.1.4. Late projects

7.10.1.5. High staff turnover

7.10.1.6. Inexperienced staff

7.10.1.7. Frequent hardware/software errors

7.11. Policies, Procedures, Standards

7.11.1. Reflect management guidance and direction in developing controls over:

7.11.1.1. Information systems

7.11.1.2. Related resources

7.11.1.3. IS department processes

7.11.2. Policies

7.11.2.1. High level documents

7.11.2.2. Must be clear and concise

7.11.2.3. Set tone for organization as a whole (top down)

7.11.2.4. Lower-level policies - defined by individual divisions and departments

7.11.2.5. Information Security Policy

7.11.2.5.1. Defines information security, overall objectives and scope

7.11.2.5.2. Statement of management intent

7.11.2.5.3. Framework for setting control objectives including risk management

7.11.2.5.4. Defines responsibilities for information security management

7.11.3. Procedures

7.11.3.1. Procedures are detailed documents that describe the steps a person must follow when undertaking an activity:

7.11.3.1.1. Define and document implementation policies

7.11.3.1.2. Must be derived from the parent policy

7.11.3.1.3. Must implement the spirit (intent) of the policy statement

7.11.3.1.4. Must be written in a clear and concise

7.11.4. Standards

7.11.4.1. Audits measure compliance with standards of:

7.11.4.1.1. Operational procedures

7.11.4.1.2. Best practices

7.11.4.1.3. Consistency of performance

7.12. Risk Management

7.12.1. IT risk management needs to operate at multiple levels including:

7.12.1.1. The strategic level

7.12.1.2. The program level

7.12.1.3. The project level

7.12.1.4. The operational level

7.12.2. Risk Analysis Methods

7.12.2.1. Qualitative

7.12.2.2. Semi quantitative

7.12.2.3. Quantitative

7.12.2.3.1. Probability and expectancy

7.12.2.3.2. Single Loss Expectancy (SLE)

7.12.2.3.3. Annual loss expectancy (ALE)

7.12.3. Risk Mitigation

7.13. Resource Management

7.13.1. Organization of the IT Function

7.13.1.1. The auditor must assess whether the IT department is correctly:

7.13.1.1.1. Funded

7.13.1.1.2. Aligned with business needs

7.13.1.1.3. Managed

7.13.1.1.4. Staffed (skills)

7.14. Human Resource Management

7.14.1. Hiring

7.14.2. Employee handbook

7.14.3. Promotion policies

7.14.4. Training

7.14.5. Scheduling and time reporting

7.14.6. Employee performance evaluations

7.14.7. Required vacations

7.14.8. Termination policies

7.14.9. Sourcing Practices

7.14.9.1. Sourcing practices relate to the way an organization obtains the IS function required to support the business

7.14.9.2. Organizations can perform all IS functions inhouse or outsource all functions across the globe

7.14.9.3. Sourcing strategy should consider each IS function and determine which approach (insourcing or outsourcing) allows the IS function to meet the organization’s goals

7.15. IS Roles and Responsibilities

7.15.1. Systems development manager

7.15.2. Project management

7.15.3. Service Desk (help desk)

7.15.4. End user

7.15.5. End user support manager

7.15.6. Data management

7.15.7. Quality assurance manager

7.15.8. Information security manager

7.15.9. Vendor and outsourcer management

7.15.10. Infrastructure operations and maintenance

7.15.11. Media management

7.15.12. Data entry

7.15.13. Systems administration

7.15.14. Security administration

7.15.15. Quality assurance

7.15.16. Database administration

7.15.17. Systems analyst

7.15.18. Security architect

7.15.19. Applications development and maintenance

7.15.20. Infrastructure development and maintenance

7.15.21. Network management

7.16. Segregation of Duties within IS

7.16.1. Avoids possibility of errors or misappropriations

7.16.2. Discourages fraudulent acts

7.16.3. Limits access to data

7.16.4. Controls

7.16.4.1. Control measures to enforce segregation of duties include:

7.16.4.1.1. Transaction authorization

7.16.4.1.2. Custody of assets

7.16.4.1.3. Access to data

7.16.4.1.4. Authorization forms

7.16.4.1.5. User authorization tables

7.16.4.2. Compensating controls for lack of segregation of duties include:

7.16.4.2.1. Audit trails

7.16.4.2.2. Reconciliation

7.16.4.2.3. Exception reporting

7.16.4.2.4. Transaction logs

7.16.4.2.5. Supervisory reviews

7.16.4.2.6. Independent reviews

7.17. Organizational Change Management

7.17.1. Managing changes to the organization’s:

7.17.1.1. Projects

7.17.1.2. Systems

7.17.1.3. Technology

7.17.1.4. Configurations

7.17.2. Identify and apply technology improvements at the infrastructure and application level

7.17.3. All changes must be documented, approved and tested

7.17.4. All changes must be performed correctly and monitored for successful execution

7.17.5. Changes must not degrade system security or performance

7.18. Quality Management

7.18.1. Software development, maintenance and implementation

7.18.2. Acquisition of hardware and software

7.18.3. Day-to-day operations

7.18.4. Service management

7.18.5. Security

7.18.6. Human resource management

7.18.7. General administration

7.19. Performance Optimization

7.19.1. Performance measures indicate the quality of the IT program

7.19.1.1. Measures should be set to evaluate services critical to business success

7.19.2. There are generally 5 ways to use performance measures:

7.19.2.1. 1. Measure products/services

7.19.2.2. 2. Manage products/services

7.19.2.3. 3. Ensure accountability

7.19.2.4. 4. Make budget decisions

7.19.2.5. 5. Optimize performance

7.20. Reviewing Documentation

7.20.1. IT strategies, plans and budgets

7.20.2. Security policy documentation

7.20.3. Organization/functional charts

7.20.4. Job descriptions

7.20.5. Steering committee reports

7.20.6. System development and program change procedures

7.20.7. Operations procedures

7.20.8. Human resource manuals

7.20.9. Quality assurance procedures

7.21. Reviewing Contractual Commitments

7.21.1. There are various phases to computer hardware, software and IS service contracts, including:

7.21.1.1. Development of contract requirements and service levels

7.21.1.2. Contract bidding process

7.21.1.3. Contract selection process

7.21.1.4. Contract acceptance

7.21.1.5. Contract maintenance

7.21.1.6. Contract compliance

7.22. Business Continuity Planning (BCP)

7.22.1. Business continuity planning (BCP) is a process designed to reduce the organization’s business risk

7.22.2. A BCP is much more than just a plan for the information systems

7.22.3. IS processing is of strategic importance

7.22.3.1. Critical component of overall BCP

7.22.3.2. Most key business processes depend on the availability of key systems and infrastructure components

7.22.4. Disasters and Other Disruptive Events

7.22.4.1. Disasters are disruptions that cause critical information resources to be inoperative for a period of time

7.22.4.2. Good BCP will take into account impacts on IS processing facilities

7.22.5. Process

7.22.6. Business Continuity Policy

7.22.6.1. Defines the extent and scope of business continuity for both internal and external stakeholders

7.22.6.2. Should be proactive

7.22.7. Business Continuity Planning Incident Management

7.22.7.1. All types of incidents should be categorized

7.22.7.1.1. Negligible

7.22.7.1.2. Minor

7.22.7.1.3. Major

7.22.7.1.4. Crisis

7.22.8. Business Continuity Plan (BCP)

7.22.8.1. Business continuity plan must:

7.22.8.1.1. Be based on the long-range IT plan

7.22.8.1.2. Comply with the overall business continuity strategy

7.22.8.2. Development of BCP (factors)

7.22.8.2.1. The clear identification of the various resources required for recovery and continued operation of the organization

7.22.8.2.2. Evacuation procedures

7.22.8.2.3. Procedures for declaring a disaster (escalation procedures)

7.22.8.2.4. Circumstances under which a disaster should be declared.

7.22.8.2.5. The clear identification of the responsibilities in the plan

7.22.8.2.6. The clear identification of the persons responsible for each function in the plan

7.22.8.2.7. The clear identification of contract information

7.22.8.2.8. The step-by-step explanation of the recovery process

7.22.8.2.9. Pre-disaster readiness covering incident response management to address all relevant incidents affecting business processes

7.22.8.3. Components of BCP

7.22.8.3.1. Continuity of operations plan (COOP)

7.22.8.3.2. Disaster recovery plan (DRP)

7.22.8.3.3. Business resumption plan

7.22.8.3.4. Continuity of support plan / IT contingency plan

7.22.8.3.5. Crisis communications plan

7.22.8.3.6. Incident response plan

7.22.8.3.7. Transportation plan

7.22.8.3.8. Occupant emergency plan (OEP)

7.22.8.3.9. Evacuation and emergency relocation plan

7.22.8.3.10. Key decision-making personnel

7.22.8.3.11. Backup of required supplies

7.22.8.3.12. Insurance

7.22.9. Other Issues in Plan Development

7.22.9.1. Management and user involvement is vital to the success of BCP

7.22.9.1.1. Essential to the identification of critical systems, recovery times and resources

7.22.9.1.2. Involvement from support services, business operations and information processing support

7.22.9.2. Entire organization needs to be considered for BCP

7.22.10. Auditing Business Continuity

7.22.10.1. Understand and evaluate business continuity strategy

7.22.10.2. Evaluate plans for accuracy and adequacy

7.22.10.3. Verify plan effectiveness

7.22.10.4. Evaluate offsite storage

7.22.10.5. Evaluate ability of IS and user personnel to

7.22.10.6. respond effectively

7.22.10.7. Ensure plan maintenance is in place

7.22.10.8. Evaluate readability of business continuity manuals and procedures

7.22.11. Reviewing the Business Continuity Plan

7.22.11.1. IS auditors should verify that the plan is up to date including:

7.22.11.1.1. Currency of documents

7.22.11.1.2. Effectiveness of documents

7.22.11.1.3. Interview personnel for appropriateness and completeness of plan

7.23. Business Impact Analysis (BIA)

7.23.1. Critical step in developing the business continuity plan

7.23.2. 3 main questions to consider during BIA phase:

7.23.2.1. 1. What are the different business processes?

7.23.2.2. 2. What are the critical information resources related to an organization’s critical business processes?

7.23.2.3. 3. What is the critical recovery time period for information resources in which business processing must be resumed before significant or unacceptable losses are suffered?

7.23.3. What is the system’s risk ranking?

7.23.3.1. Critical

7.23.3.2. Vital

7.23.3.3. Sensitive

7.23.3.4. Non-sensitive

7.24. Business Continuity Plan

7.24.1. Development of Business Continuity Plans

7.24.1.1. Factors to consider:

7.24.1.1.1. Pre-disaster readiness covering incident response management to address all relevant incidents affecting business processes

7.24.1.1.2. Evacuation procedures

7.24.1.1.3. Procedures for declaring a disaster (escalation procedures)

7.24.1.1.4. Circumstances under which a disaster should be declared

7.24.1.1.5. The clear identification of the responsibilities in the plan

7.24.1.1.6. The clear identification of the persons responsible for each function in the plan

7.24.1.1.7. The clear identification of contract information

7.24.1.1.8. The step-by-step explanation of the recovery process

7.24.1.1.9. The clear identification of the various resources required for recovery and continued operation of the organization

7.24.2. Components of a Business Continuity

7.24.2.1. Continuity of operations plan (COOP)

7.24.2.2. Disaster recovery plan (DRP)

7.24.2.3. Business resumption plan

7.24.2.4. Continuity of support plan / IT contingency plan

7.24.2.5. Crisis communications plan

7.24.2.6. Incident response plan

7.24.2.7. Transportation plan

7.24.2.8. Occupant emergency plan (OEP)

7.24.2.9. Evacuation and emergency relocation plan

7.24.2.10. Key decision-making personnel

7.24.2.11. Backup of required supplies

7.24.2.12. Insurance

7.24.2.12.1. IS equipment and facilities

7.24.2.12.2. Media (software) reconstruction

7.24.2.12.3. Extra expense

7.24.2.12.4. Business interruption

7.24.2.12.5. Valuable papers and records

7.24.2.12.6. Errors and omissions

7.24.2.12.7. Fidelity coverage

7.24.2.12.8. Media transportation

8. Domain 3: Information Systems Acquisition, Development, and Implementation

8.1. Domain 3 - CISA® Exam Relevance

8.1.1. The content area for Domain 1 will represent ...

8.1.1.1. 19% of the CISA® examination

8.1.1.2. 62 questions

8.2. Business case

8.2.1. Provides the information required for an organization to decide whether a project should proceed

8.2.2. Is normally derived from a feasibility study as part of project planning

8.2.3. Should be of sufficient detail to describe the justification for setting up and continuing a project

8.3. Portfolio/Program Management (PPM)

8.3.1. Objectives

8.3.1.1. Optimization of the results of the project portfolio

8.3.1.2. Prioritizing and scheduling projects

8.3.1.3. Resource coordination (internal and external)

8.3.1.4. Knowledge transfer throughout the projects

8.3.2. Program

8.3.2.1. Programs have a limited time frame (start and end date) and organizational boundaries

8.3.2.2. Definition by ISACA:

8.3.2.2.1. ”A program is a group of projects and time-bound tasks that are closely linked together through common objectives, a common budget, intertwined schedules and strategies.”

8.3.2.3. Definition by AXELOS::

8.3.3. Portfolio

8.3.3.1. Definition by ISACA:

8.3.3.1.1. ”Groupings of ‘objects of interest’ (investment programmes, IT services, IT projects, other IT assets or resources) managed and monitored to optimise business value.”

8.3.3.2. Definition by AXELOS::

8.3.3.2.1. ”An organization’s change portfolio is the totality of its investment (or segment thereof) in the changes required to achieve its strategic objectives.”

8.3.4. Portfolio management

8.3.4.1. Definition by ISACA:

8.3.4.1.1. ”The goal of portfolio management (in relations to VAL IT) is to ensure that an enterprise secures optimal value across its portfolio of IT-enabled investments.”

8.3.4.2. Definition by AXELOS::

8.3.4.2.1. ”A coordinated collection of strategic processes and decisions that together enable the most effective balance of organizational change and business as usual (BAU).”

8.4. Benefits Realization Techniques

8.4.1. Describing benefits management or benefits realization

8.4.2. Assigning a measure and target

8.4.3. Establishing a tracking/measuring regime

8.4.4. Documenting the assumption

8.4.5. Establishing key responsibilities for realization

8.4.6. Validating the benefits predicted in the business

8.4.7. Planning the benefit that is to be realized

8.5. General IT Project Aspects

8.5.1. IS projects may be initiated from any part of an organization

8.5.2. A project is always a time-bound effort

8.5.3. Project management should be a business process of a project-oriented organization

8.5.4. The complexity of project management requires a careful and explicit design of the project management process

8.6. Project Context and Environment

8.6.1. A project context can be divided into a time and social context. The following must be taken into account:

8.6.1.1. Importance of the project in the organization

8.6.1.2. Connection between the organization’s strategy and the project

8.6.1.3. Relationship between the project and other projects

8.6.1.4. Connection between the project to the underlying business case

8.7. Project Organizational Forms

8.7.1. 3 major forms of organizational alignment for project management are:

8.7.1.1. Influence project organization

8.7.1.2. Pure project organization

8.7.1.3. Matrix project organization

8.8. Project Communication

8.8.1. Depending on the size and complexity of the project and the affected parties, communication may be achieved by:

8.8.1.1. One-on-one meetings

8.8.1.2. Kick-off meetings

8.8.1.3. Project start workshops

8.8.1.4. A combination of the three

8.9. Project Objectives

8.9.1. A project needs clearly defined results that are specific, measurable, achievable, relevant and time-bound (SMART)

8.9.2. A commonly accepted approach to define project objectives is to begin with an object breakdown structure (OBS)

8.9.3. After the OBS has been compiled, a work breakdown structure (WBS) is designed

8.10. Roles and Responsibilities of Groups and Individuals

8.10.1. Senior management

8.10.2. Senior Responsible Owner (SRO)

8.10.3. User management

8.10.4. Project steering committee

8.10.5. Project sponsor

8.10.6. Systems development management

8.10.7. Project manager

8.10.8. Systems development project team

8.10.9. User project team

8.10.10. Security officer

8.10.11. Quality assurance

8.11. Project Management Practices

8.11.1. Classic project management is bound by the iron triangle:

8.11.1.1. Resources

8.11.1.2. Schedule

8.11.1.3. Scope

8.11.2. PRINCE2® based project management is bound by the 6 project aspects:

8.11.2.1. Benefits

8.11.2.2. Quality

8.11.2.3. Resources

8.11.2.4. Risk

8.11.2.5. Schedule

8.11.2.6. Scope

8.12. Project Planning

8.12.1. The various tasks that need to be performed to produce the expected business application system

8.12.2. The sequence or the order in which these tasks need to be performed

8.12.3. The duration or the time window for each task

8.12.4. The priority of each task

8.12.5. The IT resources that are available and required to perform these tasks

8.12.6. Budget or costing for each of these tasks

8.12.7. Source and means of funding

8.12.8. Software size estimation

8.12.9. Lines of source code

8.12.10. Function point analysis (FPA)

8.12.10.1. FPA feature points

8.12.10.2. Cost budgets

8.12.10.3. Software cost estimation

8.12.11. Scheduling and establishing the time frame

8.12.12. Critical path methodology/method (CPM)

8.12.12.1. Time box management

8.12.12.2. PERT

8.12.12.3. Gantt Chart

8.13. Project Controlling

8.13.1. Includes management of:

8.13.1.1. Scope

8.13.1.2. Resource usage

8.13.1.3. Risk

8.13.1.3.1. Review & evaluate

8.13.1.3.2. Assess

8.13.1.3.3. Mitigate

8.13.1.3.4. Discover

8.13.1.3.5. Inventory

8.14. Project Risk

8.14.1. The CISA® must review the project for risks that the project will not deliver the expected benefits:

8.14.1.1. Scope creep

8.14.1.2. Lack of skilled resources

8.14.1.3. Inadequate requirements definition

8.14.1.4. Inadequate testing

8.14.1.5. Push to production without sufficient allotted time

8.15. Closing a Project

8.15.1. When closing a project, there may still be some issues that need to be resolved, ownership of which needs to be assigned

8.15.2. The project sponsor should be satisfied that the system produced is acceptable and ready for delivery

8.15.3. Custody of contracts may need to be assigned, and documentation archived or passed on to those who will need it

8.16. Systems Development Models (SDLC)

8.16.1. Business Application Development

8.16.1.1. The implementation process for business applications, commonly referred to as an SDLC, begins when an individual application is initiated as a result of one or more of the following situations:

8.16.1.1.1. A new opportunity that relates to a new or existing business process

8.16.1.1.2. A problem that relates to an existing business process

8.16.1.1.3. A new opportunity that will enable the organization to take advantage of technology

8.16.1.1.4. A problem with the current technology

8.16.2. Traditional SDLC Approach

8.16.2.1. Also referred to as the waterfall technique, this life cycle approach is the oldest and most widely used for developing business applications

8.16.2.2. Based on a systematic, sequential approach to software development that begins with a feasibility study and progresses through requirements definition, design, development, implementation and post implementation

8.16.2.3. Some of the issues encountered with this approach include:

8.16.2.3.1. Unanticipated events

8.16.2.3.2. Difficulty in obtaining an explicit set of requirements from the user

8.16.2.3.3. Managing requirements and convincing the user about the undue or unwarranted requirements in the system functionality

8.16.2.3.4. The necessity of user patience

8.16.2.3.5. A changing business environment that alters or changes the user’s requirements before they are delivered

8.16.2.4. Classic Waterfall: DoD-STD-2167A

8.16.2.5. Modified Waterfall: MIL-STD-498

8.16.2.6. V-model (may be considered an extension of the waterfall)

8.16.2.7. Boehm’s Spiral Model

8.16.3. Alternative Development Methods

8.16.3.1. Incremental

8.16.3.2. Iterative

8.16.3.3. Adaptive

8.16.3.4. Evolutionary

8.16.3.5. Agile (incremental + iterative + adaptive)

8.16.3.5.1. The Agile Mindset, Values and Principles

8.16.3.5.2. Agile is a umbrella term enclosing different methodologies, tools, techniques, practices and frameworks

8.16.3.5.3. Plan-Driven Projects vs. Change-driven Project Projects

8.16.3.5.4. Agile is best for complex projects

8.17. Types of Specialized Business Applications

8.17.1. Electronic Commerce

8.17.2. Electronic Data Interchange (EDI)

8.17.3. Electronic Mail

8.17.4. Electronic Banking

8.17.5. Electronic Finance

8.17.6. Electronic Funds Transfer (EFT)

8.17.7. Automated Teller Machine (ATM)

8.17.8. Artificial Intelligence and Expert Systems

8.17.9. Business Intelligence (BI)

8.17.10. Decision Support System

8.18. Acquisition

8.18.1. Hardware Acquisition

8.18.1.1. Organization type

8.18.1.2. Requirement for data processing

8.18.1.3. Hardware requirements

8.18.1.4. System software application

8.18.1.5. Support system

8.18.1.6. Adaptability needs

8.18.1.7. Constraint

8.18.1.8. Conversion needs

8.18.2. Software Acquisition

8.18.2.1. Business, technical, functional, collaborative needs

8.18.2.2. Security and reliability

8.18.2.3. Cost and benefits

8.18.2.4. Obsolescence and risk

8.18.2.5. System compatibility

8.18.2.6. Resource allocation

8.18.2.7. Training and personnel requirements

8.18.2.8. Need for scalability

8.18.2.9. Impact on present infrastructure

8.18.3. Auditing Systems Development Acquisition

8.18.3.1. Feasibility study

8.18.3.2. Requirements definition

8.18.3.3. Software acquisition Process

8.18.3.4. Design & Development

8.18.3.5. Testing

8.18.3.6. Implementation and review

8.18.3.7. Post-Implementation

8.19. Application Controls

8.19.1. Input/Origination Controls

8.19.1.1. Input authorization

8.19.1.2. Batch controls and balancing

8.19.1.3. Error reporting and handling

8.19.2. Processing Procedures and Controls

8.19.2.1. Data validation and editing procedures

8.19.2.2. Processing controls

8.19.2.3. Data file control procedures

8.19.3. Output Controls

8.19.3.1. Output controls provide assurance that the data delivered to users will be presented, formatted and delivered in a consistent and secure manner

8.19.4. Auditing Application Controls

8.19.4.1. Data integrity testing

8.19.4.2. Online Transaction Processing System

8.19.4.3. The ACID principle

8.19.4.3.1. Atomicity

8.19.4.3.2. Consistency

8.19.4.3.3. Isolation

8.19.4.3.4. Durability

8.19.4.4. Continuous Online audit

9. Domain 4: Information Systems Operations, Maintenance and Support

9.1. Domain 4 - CISA® Exam Relevance

9.1.1. The content area for Domain 1 will represent ...

9.1.1.1. 23% of the CISA® examination

9.1.1.2. 62 questions

9.2. Auditing System Operations and Maintenance

9.2.1. Information Security Management

9.2.1.1. Perform risk assessments on information assets

9.2.1.2. Perform business impact analyses (BIAs)

9.2.1.3. Develop & enforce information security policy, procedures, & standards

9.2.1.4. Conduct security assessments on a regular basis

9.2.1.5. Implement a formal vulnerability management process

9.2.2. Information Systems Operations

9.2.2.1. IS operations are in charge of the daily support of an organization’s IS hardware and software environment

9.2.2.2. IS operations include

9.2.2.2.1. Management of IS operations

9.2.2.2.2. Infrastructure support including computer operations

9.2.2.3. Technical support / help desk

9.2.2.4. Information security management

9.2.3. Management of IS Operations

9.2.3.1. Operations management functions include

9.2.3.1.1. Resource allocation

9.2.3.1.2. Standards and procedures

9.2.3.1.3. IS operation processes monitoring

9.2.4. IT Service Management

9.2.4.1. Service levels are auditing through review of

9.2.4.1.1. Exception reports

9.2.4.1.2. System and application logs

9.2.4.1.3. Operator problem reports

9.2.4.1.4. Operator work schedules

9.2.5. Support / Help Desk

9.2.5.1. Document incidents that arise from users and initiate problem resolution

9.2.5.2. Prioritize the issues and forward them to the appropriate IT personnel, and escalate to IT management, as necessary

9.2.5.3. Follow up on unresolved incidents

9.2.5.4. Close out resolved incidents, noting proper authorization to close out the incident by the user

9.2.6. Change Management Process

9.2.6.1. System, operations and program documentation

9.2.6.2. Job preparation, scheduling and operating instructions

9.2.6.3. System and program test

9.2.6.4. Data file conversion

9.2.6.5. System conversion

9.2.7. Release Management

9.2.7.1. Major releases

9.2.7.2. Minor software releases

9.2.7.3. Emergency software fixes

9.3. System and Communications Hardware

9.3.1. Computer Hardware Components and Architectures

9.3.1.1. Common enterprise back-end devices

9.3.1.2. Print servers

9.3.1.3. File servers

9.3.1.4. Application (program) servers

9.3.1.5. Web servers

9.3.1.6. Proxy servers

9.3.1.7. Database servers

9.3.1.8. Appliances (specialized devices)

9.3.1.9. Universal Serial Bus (USB)

9.3.1.10. Memory cards / flash drives

9.3.1.11. Radio Frequency Identification (RFID)

9.3.2. Security Risks with Portable Media

9.3.2.1. Memory Cards / Flash Drives Risks

9.3.2.1.1. Viruses and other malicious software

9.3.2.1.2. Data theft

9.3.2.1.3. Data and media loss

9.3.2.1.4. Corruption of data

9.3.2.1.5. Loss of confidentiality

9.3.2.2. Security Control

9.3.2.2.1. Encryption

9.3.2.2.2. Inventory of assets

9.3.2.2.3. Educate security personnel

9.3.2.2.4. Enforce “lock desktop” policy

9.3.2.2.5. Use only secure devices

9.3.3. Capacity Management

9.3.3.1. CPU utilization (processing power)

9.3.3.2. Computer storage utilization

9.3.3.3. Telecommunications, LAN & WAN bandwidth utilization

9.3.3.4. I/O channel utilization

9.3.3.5. Number of users

9.3.3.6. New technologies

9.3.3.7. New applications

9.3.3.8. Service level agreements (SLAs)

9.3.3.8.1. Vendor performance

9.3.4. IS Architecture and Software

9.3.4.1. Operating systems

9.3.4.1.1. Software control features or parameters

9.3.4.2. Access control software

9.3.4.3. Data communications software

9.3.4.4. Data management

9.3.4.5. Database management system (DBMS)

9.3.4.6. Tape and disk management system

9.3.4.7. Utility programs

9.3.4.8. Software licensing issues

9.3.5. Software Licensing Issues

9.3.5.1. Documented policies and procedures that guard against unauthorized use or copying of software

9.3.5.2. Listing of all standard, used and licensed application and system software

9.3.5.3. Centralizing control and automated distribution and the installation of software

9.3.5.4. Requiring that all PCs be diskless workstations and access applications from a secured LAN

9.3.5.5. Regularly scanning user PCs

9.3.6. Digital Rights Management (DRM)

9.3.6.1. DRM removes usage control from the person in possession of digital content & puts it in the hands of a computer program

9.3.6.2. Prevents copying or modifying of data by unauthorized users

9.4. Auditing Networks

9.4.1. Telecommunications links for networks can be

9.4.1.1. Analog

9.4.1.2. Digital

9.4.2. Methods for transmitting signals over telecommunication links are

9.4.2.1. Copper

9.4.2.2. Fibre

9.4.2.3. Coaxial

9.4.2.4. Radio Frequency

9.4.3. Types of Networks

9.4.3.1. Personal area networks (PANs)

9.4.3.2. Local area networks (LANs)

9.4.3.3. Wide area networks (WANS)

9.4.3.4. Metropolitan area networks (MANs)

9.4.3.5. Storage area networks (SANs)

9.4.4. Network Services

9.4.4.1. E-mail services

9.4.4.2. Print services

9.4.4.3. Remote access services

9.4.4.4. Directory services

9.4.4.5. Network management

9.4.4.6. Dynamic Host Configuration Protocol (DHCP)

9.4.4.7. DNS

9.4.5. Network Components

9.4.5.1. Repeaters

9.4.5.2. Hubs

9.4.5.3. Bridges

9.4.5.4. Switches

9.4.5.5. Routers

9.4.6. Communications Technologies

9.4.6.1. Asynchronous transfer mode

9.4.6.2. Circuit switching

9.4.6.3. Dial-up services

9.4.6.4. Digital subscriber lines

9.4.6.5. Frame Relay

9.4.6.6. Integrated services digital network (ISDN)

9.4.6.7. Message switching

9.4.6.8. Multiprotocol label switching

9.4.6.9. Packet switching

9.4.6.10. Point to point - leased lines

9.4.6.11. Virtual Private Networks (VPNs)

9.4.6.12. Virtual circuits

9.4.6.12.1. PVC

9.4.6.13. X.25

9.4.7. Wireless Networking

9.4.7.1. Wireless networks

9.4.7.2. Wireless wide area network (WWAN)

9.4.7.2.1. Microwave, Optical

9.4.7.3. Wireless local area network (WLAN)

9.4.7.3.1. 802.11

9.4.7.4. Wireless personal area network (WPAN)

9.4.7.4.1. 802.15 Bluetooth

9.4.7.5. Wireless ad hoc networks

9.4.7.6. Wireless application protocol (WAP)

9.4.7.7. Risks Associated with Wireless Communications

9.4.7.7.1. Interception of sensitive information

9.4.7.7.2. Loss or theft of devices

9.4.7.7.3. Misuse of devices

9.4.7.7.4. Loss of data contained in devices

9.4.7.7.5. Distraction caused by devices

9.4.7.7.6. Wireless user authentication

9.4.7.7.7. File security

9.4.7.7.8. Wireless encryption

9.4.7.7.9. Interoperability

9.4.7.7.10. Use of wireless subnets

9.4.7.7.11. Translation point

9.4.8. Auditing of Network Management

9.4.8.1. Applications in a networked environment

9.4.8.1.1. Client-server technology

9.4.8.1.2. Middleware

9.4.8.1.3. Cloud

9.4.8.1.4. Virtual

9.4.8.1.5. Software as a Service (SaaS)

9.4.8.1.6. Service Oriented Architecture (SOA)

9.5. Business Continuity and Disaster Recovery Audits

9.5.1. Auditing of Business Continuity Plans

9.5.2. Recovery Point Objective (RPO)

9.5.2.1. Based on acceptable data loss

9.5.2.2. Indicates the most current state of data that can be recovered

9.5.3. Recovery Time Objective (RTO)

9.5.3.1. Based on acceptable downtime

9.5.3.2. Indicates the point in time at which the business plans to resume sustainable service levels after a disaster

9.5.4. Business Continuity Strategies

9.5.4.1. Interruption window

9.5.4.2. Service delivery objective (SDO)

9.5.4.3. Maximum tolerable outages

9.5.5. Recovery Strategies

9.5.6. Recovery Alternatives

9.5.6.1. Cold sites

9.5.6.2. Mobile sites

9.5.6.3. Warm sites

9.5.6.4. Reciprocal agreements

9.5.6.5. Hot sites

9.5.6.6. Mirrored sites

9.5.6.7. Reciprocal agreements

9.5.7. Audit of Third Party Recovery Agreements

9.5.7.1. Provisions for use of third-party sites should cover:

9.5.7.1.1. Access

9.5.7.1.2. Audit

9.5.7.1.3. Availability

9.5.7.1.4. Communications

9.5.7.1.5. Configurations

9.5.7.1.6. Disaster declaration

9.5.7.1.7. Insurance

9.5.7.1.8. Preference

9.5.7.1.9. Priority

9.5.7.1.10. Reliability

9.5.7.1.11. Security

9.5.7.1.12. Speed of availability

9.5.7.1.13. Subscribers per site and area

9.5.7.1.14. Testing

9.5.7.1.15. Usage period

9.5.7.1.16. Warranties

9.5.8. Organization and Assignment of Responsibilities

9.5.8.1. Have recovery teams been set up to

9.5.8.1.1. Retrieve critical and vital data from offsite storage

9.5.8.1.2. Install and test systems software and applications at the systems recovery site

9.5.8.1.3. Acquire and install hardware at the system recovery site

9.5.8.1.4. Operate the system recovery site

9.5.8.2. Team Responsibilities

9.5.8.2.1. Rerouting communications traffic

9.5.8.2.2. Re-establish the local area user / system network

9.5.8.2.3. Transport users to the recovery facility

9.5.8.2.4. Restore databases, software and data

9.5.8.2.5. Supply necessary office goods, i.e., special forms, paper

9.5.9. Backup and Restoration

9.5.9.1. Offsite library controls

9.5.9.2. Security and control of offsite facilities

9.5.9.3. Media and documentation backup

9.5.9.4. Periodic backup procedures

9.5.9.5. Frequency of Rotation

9.5.9.6. Types of Media and Documentation Rotated

9.5.9.7. Backup Schemes

9.5.9.8. Method of Rotation

10. Domain 5: Protection of Information Assets

10.1. Domain 5 - CISA® Exam Relevance

10.1.1. The content area for Domain 1 will represent ...

10.1.1.1. 30% of the CISA® examination

10.1.1.2. 62 questions

10.2. Importance of IS Management

10.2.1. Security objectives to meet organization’s business requirements include:

10.2.1.1. Ensure compliance with laws, regulations and standards

10.2.1.2. Ensure the availability, integrity and confidentiality of information and information systems

10.3. Key Elements of IS Management

10.3.1. Senior management commitment and support

10.3.2. Policies and procedures

10.3.3. Organization

10.3.4. Security awareness and education

10.3.5. Monitoring and compliance

10.3.6. Incident handling and response

10.4. CSFs to IS Management

10.4.1. Strong commitment and support by the senior management on security training

10.4.2. Professional risk-based approach must be used systematically to identify sensitive and critical resources

10.5. Inventory and Classification of Information Assets

10.5.1. The inventory record of each information asset should include:

10.5.1.1. Identification of assets

10.5.1.2. Relative value of assets to the organization

10.5.1.3. Location (where the asset is located)

10.5.1.4. Security / risk classification

10.5.1.5. Asset group

10.5.1.6. Owner

10.5.1.7. Designated custodian

10.6. Privacy Management Issues and the Role of IS Auditors

10.6.1. Privacy impact analysis or assessments should:

10.6.1.1. Pinpoint the nature of personally identifiable information (pii) associated with business processes

10.6.1.2. Document the collection, use, disclosure and destruction of personally identifiable information

10.6.1.3. Ensure that accountability for privacy issues exists

10.6.1.4. Set the foundation for informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk

10.6.2. Compliance with privacy policy and laws

10.6.2.1. Identify and understand legal requirements regarding privacy from laws, regulations and contract agreements

10.6.2.2. Check whether personal data are correctly managed in respect to these requirements

10.6.2.3. Verify that the correct security measures are adopted

10.6.2.4. Review management’s privacy policy to ascertain that it takes into consideration the requirement of applicable privacy laws and regulations.

10.7. Social Media Risks

10.7.1. Inappropriate sharing of information

10.7.1.1. Organizational activity

10.7.1.2. Staffing issues

10.7.1.3. Privacy-related sensitive data

10.7.2. Installation of vulnerable applications

10.8. Access Controls

10.8.1. System Access Permission

10.8.1.1. Who has access rights and to what?

10.8.1.2. What is the level of access to be granted?

10.8.1.3. Who is responsible for determining the access rights and access levels?

10.8.1.4. What approvals are needed for access?

10.8.2. Mandatory Access Controls (MAC)

10.8.2.1. Enforces corporate security policy

10.8.2.2. Compares sensitivity of information resources

10.8.3. Discretionary Access Controls (DAC)

10.8.3.1. Enforces data owner-defined sharing of information resources

10.8.4. IAAA

10.8.4.1. Identification

10.8.4.1.1. Method to distinguish each entity in a unique manner that is accessing resources

10.8.4.1.2. Knowledge

10.8.4.1.3. Ownership / possession

10.8.4.1.4. Characteristic

10.8.4.2. Authentication

10.8.4.2.1. Validate, verify or prove the identity

10.8.4.3. Authorization

10.8.4.3.1. Rights, permissions, privileges granted to an authenticated entity

10.8.4.3.2. Access restrictions at the file level include:

10.8.4.4. Accounting (Audit)

10.8.4.4.1. Track all activity

10.9. Challenges with Identity Management

10.9.1. Many changes to systems and users

10.9.2. Many types of users – employees, customers, guests, managers, regulators

10.9.3. Audit concerns

10.9.3.1. Unused IDs

10.9.3.2. Misconfigured IDs

10.9.3.3. Failure to follow procedures

10.9.3.4. Group IDs

10.10. Identification and Authentication

10.10.1. Vulnerabilities:

10.10.1.1. Weak authentication methods

10.10.1.2. Lack of confidentiality and integrity for the stored authentication information

10.10.1.3. Lack of encryption for authentication and protection of information transmitted over a network

10.10.1.4. User’s lack of knowledge on the risks associated with sharing passwords, security tokens, etc.

10.11. Logical Access

10.11.1. Logical Access Exposures

10.11.1.1. Technical exposures include:

10.11.1.1.1. Data leakage

10.11.1.1.2. Wire tapping

10.11.1.1.3. Trojan horses / backdoors

10.11.1.1.4. Viruses

10.11.1.1.5. Worms

10.11.1.1.6. Logic bombs

10.11.1.1.7. Denial-of-service attacks

10.11.1.1.8. Computer shutdown

10.11.1.1.9. War driving

10.11.1.1.10. Piggybacking

10.11.1.1.11. Trap doors

10.11.1.1.12. Asynchronous attacks

10.11.1.1.13. Rounding down

10.11.1.1.14. Salami technique

10.11.2. Paths of Logical Access

10.11.2.1. Network connectivity

10.11.2.2. Remote access

10.11.2.3. Operator console

10.11.2.4. Online workstations or terminals

10.11.3. Logical Access Control Software

10.11.3.1. Prevent unauthorized access and modification to an organization’s sensitive data and use of system critical functions.

10.11.3.2. General operating and/or application systems access control functions include the following:

10.11.3.2.1. Create or change user profiles

10.11.3.2.2. Assign user identification and authentication

10.11.3.2.3. Apply user logon limitation rules

10.11.3.2.4. Notification concerning proper use and access prior to initial login

10.11.3.2.5. Create individual accountability and auditability by logging user activities. Establish rules for access to specific information resources (e.g., system-level application resources and data)

10.11.3.2.6. Log events

10.11.3.2.7. Report capabilities

10.11.3.3. Database and / or application-level access control functions include:

10.11.3.3.1. Create or change data files and database profiles

10.11.3.3.2. Verify user authorization at the application and transaction levels

10.11.3.3.3. Verify user authorization within the application

10.11.3.3.4. Verify user authorization at the field level for changes within a database

10.11.3.3.5. Verify subsystem authorization for the user at the file level

10.11.3.3.6. Log database / data communications access activities for monitoring access violations

10.11.4. Auditing Logical Access

10.11.4.1. When evaluating logical access controls the IS auditor should:

10.11.4.1.1. Identify sensitive systems and data

10.11.4.1.2. Document and evaluate controls over potential access

10.11.4.1.3. Test controls over access paths to determine whether they are functioning and effective

10.11.4.1.4. Evaluate the access control environment to determine if the control objectives are achieved

10.11.4.1.5. Evaluate the security environment to assess its adequacy

10.11.5. Access Control Lists (ACLs)

10.11.5.1. Users who have permission to use a particular system resource

10.11.5.2. The types of access permitted

10.11.6. Logical Access security administration:

10.11.6.1. Centralized environment

10.11.6.2. Decentralized environment

10.11.6.2.1. Advantages

10.11.6.2.2. Risks

10.11.7. Single Sign-on (SSO)

10.11.7.1. Consolidating access functions for multiple systems into a single centralized administrative function

10.11.7.2. A single sign-on interfaces with:

10.11.7.2.1. Client-server and distributed systems

10.11.7.2.2. Mainframe systems

10.11.7.2.3. Network security including remote access mechanisms

10.11.7.3. Advantages

10.11.7.3.1. Elimination of multiple user IDs and passwords

10.11.7.3.2. It improves an administrator’s ability to centrally manage users’ accounts and authorizations

10.11.7.3.3. Reduces administrative overhead

10.11.7.3.4. It reduces the time taken by users to log into multiple applications and platforms

10.11.7.4. Disadvantages

10.11.7.4.1. May not support legacy applications or all operating environments

10.11.7.4.2. The costs associated with SSO development can be significant

10.11.7.4.3. The centralized nature of SSO presents the possibility of a single point of failure and total compromise of an organization’s information assets

10.12. Familiarization with the Organization’s IT Environment

10.12.1. Every layer of a system has to be reviewed for security controls including:

10.12.1.1. The network

10.12.1.2. Operating system platform

10.12.1.3. Applications software

10.12.1.4. Database

10.12.1.5. Physical and environmental security

10.13. Remote Access

10.13.1. Today’s organizations require remote access connectivity to their information resources for different types of users such as employees, vendors, consultants, business partners and customer representatives.

10.13.1.1. Consolidated

10.13.1.2. Monitored

10.13.1.3. Policies

10.13.1.4. Appropriate access levels

10.13.1.5. Encrypted

10.13.2. Risks

10.13.2.1. Denial of service

10.13.2.2. Malicious third parties

10.13.2.3. Misconfigured communications software

10.13.2.4. Misconfigured devices on the corporate computing infrastructure

10.13.2.5. Host systems not secured appropriately

10.13.2.6. Physical security issues on remote users’ computers

10.13.3. Auditing Remote Access

10.13.3.1. Assess remote access points of entry

10.13.3.2. Test dial-up access controls

10.13.3.3. Test the logical controls

10.13.3.4. Evaluate remote access approaches for costeffectiveness, risk and business requirements

10.13.3.5. Audit Internet points of presence:

10.13.3.5.1. E-mail

10.13.3.5.2. Marketing

10.13.3.5.3. Sales channel / electronic commerce

10.13.3.5.4. Channel of deliver for goods / services

10.13.3.5.5. Information gathering

10.14. Audit logging and monitoring system access

10.14.1. Provides management an audit trail to monitor activities of a suspicious nature, such as a hacker attempting brute force attacks on a privileged logon ID

10.14.2. Record all activity for future investigation

10.15. Encryption

10.15.1. Symmetric vs. Asymmetric Summary

10.15.2. Summary of Cryptography Algorithms

10.16. Physical and Environmental Controls

10.16.1. Security Objectives & Controls

10.16.1.1. Administrative controls

10.16.1.1.1. Facility location, construction, and management

10.16.1.1.2. Physical security risks, threats, and countermeasures

10.16.1.2. Technical controls

10.16.1.2.1. Authenticating individuals and intrusion detection

10.16.1.2.2. Electrical issues and countermeasures

10.16.1.2.3. Fire prevention, detection, and suppression

10.16.1.3. Physical controls

10.16.1.3.1. Perimeter & Building Grounds

10.16.1.3.2. Building Entry Point

10.16.1.3.3. Box-within a box Floor Plan

10.16.1.3.4. Data Centers or Server Room Security

10.16.2. Physical Access Controls (non-exhaustive list)

10.16.2.1. Locks

10.16.2.1.1. Mechanical locks

10.16.2.1.2. Electronic locks

10.16.2.2. Entrance Protection

10.16.2.2.1. Turnstiles

10.16.2.2.2. Mantraps

10.16.2.2.3. Fail-safe

10.16.2.2.4. Fail-secure

10.16.2.3. Closed-circuit television (CCTV)

10.16.2.4. Security guards

10.16.2.5. Lighting

10.16.2.6. Electrical Power Supply

10.16.2.7. Electrostatic Discharge

10.16.2.8. HVAC

10.16.2.9. Fire Suppression Systems

10.16.2.9.1. Halon

10.16.2.9.2. FM-200

10.16.2.9.3. Carbon Dioxide

10.16.2.9.4. Dry Chemicals

10.16.2.9.5. Dry Pipe

10.16.2.9.6. Pre-action

10.16.2.10. Fire / Smoke Detection

10.16.2.10.1. Ionization-type smoke detector

10.16.2.10.2. Optical (photoelectric) smoke detector

10.16.2.10.3. Fixed / rate-of-rise temperature sensor

11. Overview of the CISA® certification

11.1. About the CISA® exam

11.1.1. CISA® exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards.

11.1.2. PBE & CBE (only pencil & eraser are allowed).

11.1.2.1. PBE - Paper based exam.

11.1.2.2. CBE - Closed book exam.

11.1.3. 4 hour exam.

11.1.4. 200 multiple choice questions designed with one best answer.

11.1.5. No negative points.

11.1.6. Pre-requisite for exam:

11.1.6.1. none

11.1.7. Pre-requisite for certification:

11.1.7.1. Read CISA® Application Form

11.1.7.1.1. http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Apply-for-Certification/Documents/Application-form-download.pdf

12. Interactive Glossary

12.1. Interactive CISA® Glossary

13. Recommended additional study

13.1. CISA Essential Exam Notes 2014

13.2. Effective Approach and Practical Tips for CISA Exam

14. This freeware, non-commercial mind map (aligned with the newest version of CISA® exam) was carefully hand crafted with passion and love for learning and constant improvement as well for promotion the CISA® qualification and as a learning tool for candidates wanting to gain CISA® qualification. (please share and give feedback - your feedback and comments are my main motivation for further elaboration. THX!)

14.1. Questions / issues / errors? What do you think about my work? Your comments are highly appreciated. Feel free to visit my website: www.miroslawdabrowski.com

14.1.1. http://www.miroslawdabrowski.com

14.1.2. http://www.linkedin.com/in/miroslawdabrowski

14.1.3. https://www.google.com/+MiroslawDabrowski

14.1.4. https://play.spotify.com/user/miroslawdabrowski/

14.1.5. https://twitter.com/mirodabrowski

14.1.6. miroslaw_dabrowski

15. ISO 19011:2011 (Guidelines for auditing management systems)