CISA CISM - Hellenic American

CISA® Prep Course, 28-30/3/2013

CISM® Prep Course, 1-3/4/2013

What you will learn:

• Introduction to the CISA & CISM Exam

• Overview of the content areas as determined by ISACA

• Determine the level of knowledge required for the content areas to meet the examination’s expectations

• Particular topics which are popular exam questions

• Analyze the “philosophy” of the examinations’ questions

• What the testing conditions will be, after having discussed “model” answers to sample questions

• Reference tools

Course Leader: Dr. Derek Oliver, CISA, CISM, CRISC, CFE, FBCS, FIAP


CISA Prep Course 24 hours

Day 1

Introduction to CISA: Approaching the CISA Examination

• Percentage of test questions and survey results

• Definition of content, tasks questions, model answers

Domain 1: The Process of Auditing Information Systems — Provide audit services in accordance with IT audit standards to assist the organization with protecting and controlling information systems.

• Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.

• Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.

• Conduct audits in accordance with IT audit standards to achieve planned audit objectives.

• Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary.

• Conduct follow-ups or prepare status reports to ensure that appropriate actions have been taken by management in a timely manner.

Domain 2: Governance and Management of IT — Provide assurance that the necessary leadership and organizational structures and processes are in place to achieve objectives and to support the organization’s strategy.

• Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization’s strategies and objectives.

• Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization’s strategies and objectives.

• Evaluate the IT strategy, including the IT direction, and the processes for the strategy’s development, approval, implementation and maintenance for alignment with the organization’s strategies and objectives.

• Evaluate the organization’s IT policies, standards, and procedures, and the processes for their development, approval, implementation, maintenance, and monitoring, to determine whether they support the IT strategy and comply with regulatory and legal requirements.

• Evaluate IT management and monitoring of controls (e.g., continuous monitoring, quality assurance [QA]) for compliance with the organization’s policies, standards and procedures.

• Evaluate IT resource investment, use and allocation practices, including prioritization criteria, for alignment with the organization’s strategies and objectives.

• Evaluate IT contracting strategies and policies, and contract management practices to determine whether they support the organization’s strategies and objectives.

• Evaluate risk management practices to determine whether the organization’s IT-related risks are properly managed.

• Evaluate monitoring and assurance practices to determine whether the board and executive management receive sufficient and timely information about IT performance.

• Evaluate the organization’s business continuity plan to determine the organization’s ability to continue essential business operations during the period of an IT disruption.

Day 2

Domain 3: Information Systems Acquisition, Development and Implementation — Provide assurance that the practices for the acquisition, development, testing, and implementation of information systems meet the organization’s strategies and objectives.

• Evaluate the business case for proposed investments in information systems acquisition, development, maintenance and subsequent retirement to determine whether it meets business objectives.

• Evaluate the project management practices and controls to determine whether business requirements are achieved in a cost-effective manner while managing risks to the organization.

• Conduct reviews to determine whether a project is progressing in accordance with project plans, is adequately supported by documentation and status reporting is accurate.

• Evaluate controls for information systems during the requirements, acquisition, development and testing phases for compliance with the organization’s policies, standards, procedures and applicable external requirements.

• Evaluate the readiness of information systems for implementation and migration into production to determine whether project deliverables, controls and the organization’s requirements are met.

• Conduct post-implementation reviews of systems to determine whether project deliverables, controls and the organization’s requirements are met.

Domain 4: Information Systems Operations, Maintenance and Support — Provide assurance that the processes for information systems operations, maintenance and support meet the organization’s strategies and objectives.

• Conduct periodic reviews of information systems to determine whether they continue to meet the organization’s objectives.

• Evaluate service level management practices to determine whether the level of service from internal and external service providers is defined and managed.

• Evaluate third-party management practices to determine whether the levels of controls expected by the organization are being adhered to by the provider.

• Evaluate operations and end-user procedures to determine whether scheduled and non-scheduled processes are managed to completion.

• Evaluate the use of capacity and performance monitoring tools and techniques to determine whether IT services meet the organization’s objectives.

• Evaluate problem and incident management practices to determine whether incidents, problems or errors are recorded, analyzed and resolved in a timely manner.

• Evaluate change, configuration and release management practices to determine whether scheduled and non-scheduled changes made to the organization’s production environment are adequately controlled and documented.

• Evaluate the adequacy of backup and restore provisions to determine the availability of information required to resume processing.

• Evaluate the organization’s disaster recovery plan to determine whether it enables the recovery of IT processing capabilities in the event of a disaster.

Day 3

Domain 5: Protection of Information Assets — Provide assurance that the organization’s security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets.

• Evaluate the information security policies, standards and procedures for completeness and alignment with generally accepted practices.

• Evaluate the design, implementation and monitoring of system and logical security controls to verify the confidentiality, integrity and availability of information.

• Evaluate the design, implementation and monitoring of the data classification processes and procedures for alignment with the organization’s policies, standards, procedures and applicable external requirements.

• Evaluate the design, implementation and monitoring of physical access and environmental controls to determine whether information assets are adequately safeguarded.

• Evaluate the processes and procedures used to store, retrieve, transport and dispose of information assets (e.g., backup media, offsite storage, hard copy/print data and soft copy media) to determine whether information assets are adequately safeguarded.

The Anatomy of a CISA Question

• How CISA questions are written

• The process of writing the examination

• Question writer rules

• The best approach to the CISA exam

Our three-day seminar focuses on the essential areas covered in the new CISA exam, as designed and developed by the ISACA Certification Board. CISA is an exam that tests experience, and experience cannot be taught. However, this course, which is based upon ISACA’s research project as evidenced by the CISA Syllabus, will give you specific guidelines in your study by providing an overview of the core knowledge bases included in the examination’s ‘Common Body of Knowledge’. Following each section, you will work through a series of sample questions to give you a “feel” for the format and the types of questions you will encounter.

Who should attend: Information Security Auditors, IT Administrators, Chief Information Security Officers, Risk Managers and compliance personnel; Executive and Operational Managers seeking an overall understanding of essential IT Audit management, risks and controls.


CISM Prep Course 24 hours

Our three-day preparation seminar covers the core knowledge areas included in the examination’s “Common Body of Knowledge”.

The course will help you discover possible areas of weakness in the subjects covered in the test and also enable you to become familiar with the testing conditions and the questions’ philosophy.

Who should attend: Information Security Managers and Administrators, Chief Information Security Officers, Risk Managers and compliance personnel; Executive and Operational Managers seeking an overall understanding of essential security management, risks and controls.

Day 1

Information Security Governance

• Develop the information security strategy in support of business strategy and direction.

• Obtain senior management commitment and support for information security throughout the enterprise.

• Ensure that definitions of roles and responsibilities throughout the enterprise include information security governance activities.

• Establish reporting and communication channels that support information security governance activities.

• Identify current and potential legal and regulatory issues affecting information security and assess their impact on the enterprise.

• Establish and maintain information security policies that support business goals and objectives.

• Ensure the development of procedures and guidelines that support information security policies.

• Develop business case and enterprise value analysis that support information security program(me) investments.

Risk Management and Compliance

• Develop a systematic, analytical, and continuous risk management process.

• Ensure that risk identification, analysis, and mitigation activities are integrated into life cycle processes.

• Apply risk identification and analysis methods.

• Define strategies and prioritize options to mitigate risk to levels acceptable to the enterprise.

• Report significant changes in risk to appropriate levels of management on both a periodic and event-driven basis.

Day 2

Information Security Program Management

• Create and maintain plans to implement the information security governance framework.

• Develop information security baseline(s).

• Develop procedures and guidelines to ensure business processes address information security risk.

• Develop procedures and guidelines for IT infrastructure activities to ensure compliance with information security policies.

• Integrate information security program requirements into the organization’s life cycle activities.

• Develop methods of meeting information security policy requirements that recognize impact on end-users.

• Promote accountability by business process owners and other stakeholders in managing information security risks.

• Establish metrics to manage the information security governance framework.

• Ensure that internal and external resources for information security are identified, appropriated and managed.

Information Security Management

• Ensure that the rules of use for information systems comply with the enterprise’s information security policies.

• Ensure that the administrative procedures for information systems comply with the enterprise’s information security policies.

• Ensure that services provided by other enterprises, including outsourced providers, are consistent with established information security policies.

• Use metrics to measure, monitor, and report on the effectiveness and efficiency of information security controls and compliance with information security policies.

• Ensure that information security is not compromised throughout the change management process.

• Ensure that vulnerability assessments are performed to evaluate the effectiveness of existing controls.

• Ensure that non-compliance issues and other variances are resolved in a timely manner.

• Ensure the development and delivery of the activities that can influence the culture and behaviour of staff, including information security education and awareness.

Day 3

Information Security Incident Management

• Develop and implement processes for detecting, identifying and analyzing security-related events.

• Develop response and recovery plans, including organizing, training, and equipping the teams.

• Ensure periodic testing of the response and recovery plans where appropriate.

• Ensure the execution of response and recovery plans as required.

• Establish procedures for documenting an event as a basis for subsequent action, including forensics when necessary.

• Manage post-event reviews to identify causes and corrective actions.

The Anatomy of a CISM Question

• How CISM questions are written & evaluated

• The process of compiling the examination

• Question writer style “rules”

• The best approach to the CISM exam


The CISA Examination

The exams consist of tasks that are routinely performed by a CISA and the required knowledge to perform these tasks.

You are given four hours to complete a 200 multiple-choice question exam that covers the following areas:

1. The Process of Auditing Information Systems (14%)

2. Governance and Management of IT (14%)

3. Information Systems Acquisition, Development and Implementation (19%)

4. Information Systems Operations, Maintenance and Support (23%)

5. Protection of Information Assets (30%)

The CISM Examination

The exams consist of tasks that are routinely performed by an Information Security Manager and the required knowledge to perform these tasks. A candidate is given four hours to complete a 200 multiple-choice question exam that covers the following areas:

1. Information Security Governance (24%)

2. Risk Management and Compliance (33%)

3. Information Security Program Development and Management (25%)

4. Information Security Incident Management (18%)

You can register on-line at www.isaca.org, provided you meet the above eligibility requirements for each certificate.

The exams are hosted at the Hellenic American Union’s Conference Center. For more information on ISACA, you may also contact the ISACA Athens Chapter, Mr. Anestis Demopoulos, Tel: 210-2886041 or visit www.isaca.gr.

Course Leader

Dr Derek J. Oliver, CISA, CISM, CRISC, CFE, FBCS, FIAP, an Information Audit & Security specialist with over 25 years’ experience. He is a Chartered Fellow of the British Computer Society, a Fellow of the Institute of IT Service Management and a Fellow of the Institute of Analysts & Programmers. In 1996 he was made a Freeman of the City of London. An MSc in information technology was followed by a PhD in Information Security Management and a DBA in Risk & Security Management. He is internationally regarded as an expert in Information Security and ISO 27001 and has spoken at international conferences and seminars from Oslo to Cape Town by way of Orlando and Canberra on various information security and audit topics. He is past President of the Information Systems Audit & Control Association in London (ISACA), current member of the CISA Test Enhancement committee and a member of the Institute of Internal Auditors and the Information Systems Security Association. Having been a member of the ISACA Credentialing Task Force that created the CISM designation, he was appointed the founding Chair of the CISM Examination Enhancement Committee in 2004 and currently chairs the Working Party developing an international Business Model for Information Security (BMIS); in addition to this and his appointment as co-chair of the CobiT 5 Task Force he is a member of ISACA’s Future Framework Committee. As a member of the CISA Certification Board he was jointly responsible for setting the annual, international CISA examination. Following his early years in the “Travel Trade” with Thos. Cooks and Trans World Airlines, and 15 years’ service with H.M. Customs & Excise, Mr. Oliver became head of the UK internal audit team of First Data Corporation, the world’s largest third-party processor of credit and debit transactions.

Since 1985 he has conducted both high-level and in-depth audit and security reviews across the information processing spectrum, including:

- ISO 17799 “Information Security Guidelines” compliance auditing & consultancy

- All aspects of LAN and WAN security, from strategies through access control to infrastructure

- Physical security & risk analysis

- General Controls Reviews, including information security strategies & policies

- Physical and logical security penetration/invasion testing

- Disaster Recovery and Business Continuity, both auditing and plan development

- Various aspects of PC security, including the use of illegal/pirate software

- PICK systems security, AS/400 security

- IBM Mainframe security, specific application security and access control, including financial, stock control etc.

As a member of the BS 7799 working group in 1995/96, Derek was partly responsible for the development of the BS 7799 “Code of Practice for the Management of Information Security”; he has since given advice on implementing the Standards to banking and government organisations in Hungary, Slovakia and Slovenia. He also worked on the revised version, issued April 1999, and was a member of the c:cure (BS 7799 compliance certification scheme) steering group, which was directed by the Department of Trade and Industry. He has written several articles for various national and international magazines, including auditing software piracy, BS 7799 and the c:cure scheme, and physical security.

CISA & CISM Examinations 2013

Exam Date: 8 June 2013
Early Registration Date: 13 February 2013
Final Registration Date: 3 April 2013

Contact details:

Ms Eleni Tsirigoti, Tel: 210-3680907, Fax: 210-3633174, e-mail: [email protected]

Ms Vasiliki Zafiri, Tel: 210-3680927, www.hau.gr/management