
Cisa Study Guidance


Second, read one Domain, then answer all the questions on the Q&A CD for that Domain until you can answer every one correctly. As you answer the questions, look in the Review Manual for that Domain for the supporting material and put a post-it flag on the page.

CISA – Domain 1 – The Process of Auditing Information Systems

There are 7 areas that you need to understand in Domain 1.

1) Management of the IS Audit Function

1. Need to know about the audit charter and what it contains.

2. Need to know the steps to perform audit planning. In the CISA review manual on page 34, look at Exhibit 1.2 and commit those steps to memory.

3. Take an ink pen and write on your hand “Gain an understanding of the business’s mission, objectives, purpose and processes.” IMPORTANT: this shows up in about 3-4 questions on the exam.

4. Read through the section on “Effect of Laws and Regulations on IS Audit Planning,” paying particular attention to the Basel II Accord on page 35.

2) ISACA IT Audit and Assurance Standards and Guidelines

1. Memorize S1, S2, S4, S9, and S10. Standards S12 thru S16 are recent additions to CISA and you should have a close intimate acquaintance with S12, S13 & S14.

2. Memorize G5, G10, G18, and G19. Guidelines G41 and G42 are recent additions to CISA, and ROSI is receiving a lot of press, so be familiar with the concept of Return on Security Investment and how to calculate it. For example, let’s say you spend $500,000 on anti-virus software for your enterprise and your boss wants justification for why he/she should continue to spend that kind of money when there haven’t been any virus infections in the last year. You respond with, “You’re absolutely right, there haven’t been any virus infections in the last year. However, two years ago when we did have a virus infection it cost the company $15,000 in additional overtime to clean up after the virus infection. Our incident response team says we’re blocking about 500 to 700 viruses a day, so if we say just 1 virus a day gets through and multiply it by the $15,000 cost to recover, that comes out to about $5.4 million in overtime savings alone.” I think your boss will be impressed with your ROSI.

3. Memorize P2, P5, P7, and P10.

4. You should have an understanding of ITAF (Information Technology Assurance Framework), particularly section 3000 on IT Assurance Guidelines.

3) Risk Analysis

1. Know the definition of risk.

2. Know the remediation methods (Accept, Mitigate, Transfer, Avoid).

4) Internal Controls

1. Know the difference between Preventive, Detective, and Corrective controls

2. Understand how CobiT fits into ISACA’s idea of supporting IT governance and management

3. Understand the difference between IT control objectives and Internal control objectives

5) Performing an IS Audit

1. Know the definitions of Auditing and IS Auditing – they’re different.

2. Know the different types of audits; read closely integrated audits and forensic audits.

3. Know the different phases of an audit, in other words memorize Exhibit 1.5 on page 53.

4. Understand the concept of risk based auditing including inherent, control, and detection risks.

5. Be able to give examples of both compliance testing and substantive testing.

6. Sampling is a section in the Review Manual that you just have to memorize, that’s it, memorize page 60 of the CISA manual.

6) Control Self-Assessment

1. Your role is as a facilitator

7) The Evolving IS Audit Process

1. Integrated auditing means you work with the financial auditor on an audit which is based on RISK

2. Understand the difference between continuous monitoring and continuous auditing

The first domain is the basis for understanding the whole Certified Information Systems Auditor area, and without a grasp of the basic fundamentals you cannot be successful in the other domains.

CISA – Domain 2 – Governance and Management of IT

ISACA has revamped the CISA material and this domain now contains the Business Continuity section from the old Domain 6. There are 13 areas that you need to understand in Domain 2.

1) Corporate Governance

Know the definition for corporate governance.

Know what ISO 26000 is (30,000 foot view).

Familiarize yourself with OECD 2004, OECD Principles of Corporate Governance.

2) IT Governance (ITG)

ITG is concerned with two issues: what are they and what drives them?

3) Information Technology Monitoring and Assurance Practices for Board and Senior Management

Who is responsible for ITG?

Name the five focus areas for ITG.

Familiarize yourself with the different IT Governance frameworks (COBIT, ISO27001, ITIL, IBPC, ISM3, AS8015 and ISO38500).

Know audit’s role in ITG.

Know what the responsibilities are for the IT Strategy Committee and the IT Steering Committee (this is another one of those charts that you’ve just got to memorize).

Another memory chart – know the relationships of Security Governance outcomes to Management Responsibilities.

Look at the Zachman Framework and also the hierarchy of five reference models of the Federal Enterprise Architecture (FEA).

4) Information Systems Strategy

Understand the importance of IT strategic planning and the primary function performed by the Steering Committee

5) Maturity and Process Improvement Models

Know the definitions for CMMI, TSP and PSP.

The IDEAL model from SEI is getting a lot of attention from ISACA.

6) IT Investment and Allocation Practices

Go to the ISACA website and download the ValIT document and read it, enough said.

What does IT Portfolio Management allow organizations to do that the Balanced Scorecard doesn’t?

7) Policies and Procedures

The highest policy is the organization’s information security policy.

Other security policies might include 1) data classification, 2) acceptable use, 3) end-user computing, and 4) access control.

Know the different things to look for when you review the information security policy.

Procedures are required and they are “step by step instructions” <– that’s a hint!!!!!

8) Risk Management

What are management’s options? Avoid, Mitigate, Transfer, Accept.

Know the different levels that IT Risk Management needs to operate at: Operational, Project, and Strategic.

Understand the difference between Qualitative Analysis, Semiquantitative analysis and Quantitative analysis.

Know how to calculate Annual Loss Expectancy (ALE).
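The ALE calculation this item asks for, carried through on the anti-virus ROSI argument from Domain 1, as an added example that is not part of the original guide or any ISACA material. It uses the guide’s figures ($500,000 spent on the control, $15,000 clean-up per infection, one infection a day if nothing were blocked) and the standard formulas ALE = SLE x ARO and ROSI = (ALE reduction minus control cost) / control cost; the residual infection rates after the control are assumptions.

```python
"""Worked ALE / ROSI calculation (added example, not from the original guide).

    ALE  = SLE x ARO                 (single loss expectancy x annual rate)
    ROSI = (ALE_before - ALE_after - control_cost) / control_cost
"""
from dataclasses import dataclass


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected yearly loss = cost of one event x expected events per year."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on Security Investment as a ratio (x100 for percent).

    ale_before:   ALE with no control in place
    ale_after:    residual ALE once the control is running
    control_cost: yearly cost of the control
    A result above 0 means the control saves more than it costs.
    """
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    risk_reduction = ale_before - ale_after
    return (risk_reduction - control_cost) / control_cost


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float           # cost of one incident
    aro_before: float    # incidents per year with no control
    aro_after: float     # incidents per year that still get through
    control_cost: float  # yearly spend on the control

    def evaluate(self) -> dict:
        before = annual_loss_expectancy(self.sle, self.aro_before)
        after = annual_loss_expectancy(self.sle, self.aro_after)
        return {"ale_before": before, "ale_after": after,
                "rosi": rosi(before, after, self.control_cost)}


# The guide's argument: one infection a day at $15,000 each, all of them
# blocked by a $500,000 anti-virus programme (residual ARO assumed to be 0).
GUIDE_SCENARIO = Scenario("guide figures", sle=15_000, aro_before=365,
                          aro_after=0, control_cost=500_000)

# Constructed variant (assumption): about one infection a week still gets
# through, so the residual ALE is not zero. Shows how the ROSI moves.
LEAKY_SCENARIO = Scenario("one per week gets through", sle=15_000,
                          aro_before=365, aro_after=52, control_cost=500_000)


def compare(*scenarios: Scenario) -> dict:
    """Evaluate each scenario by name so the figures can be put side by side."""
    return {s.name: s.evaluate() for s in scenarios}


if __name__ == "__main__":
    for name, r in compare(GUIDE_SCENARIO, LEAKY_SCENARIO).items():
        print(f"{name}: ALE before ${r['ale_before']:,.0f}, "
              f"after ${r['ale_after']:,.0f}, ROSI {r['rosi'] * 100:.0f}%")
```

Note that the guide’s “about $5.4 million” is the ALE before the control; the ROSI figure you would give your boss is that saving net of the $500,000 spent, divided by the spend.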

9) IS Management Practices (Five sub areas you will need to understand)

Human Resources Management (before, during and after).

Sourcing Practices (Insourced, Outsourced, Hybrid as well as the concepts and definitions for Onsite, Offsite and Offshore).

Organizational change management – nothing gets changed without management approval.

Financial Management Practices – you need to understand the concept of Chargeback.

Quality Management – you need to be aware of QM and ISO9000, but ISACA does not test specifics on any ISO standard.

10) IS Organizational Structure and Responsibilities

Roles and responsibilities – there’s a chart in the CISA manual entitled Segregation of Duties Control Matrix, this is another one of those things to MEMORIZE

There are also some definitions specific to DBA and the QA personnel that you will need to read about

11) Auditing IT Governance Structure and Implementation

In this area you need to know that the first thing you do is “Gain an Understanding of the Business,” which means reading the Information Security Policy.

After that, go get the organization charts, job descriptions and your Memorized Segregation of Duties Control Matrix and see if you can find discrepancies

12) Business Continuity Planning (this is the new section which was moved from the old Disaster Recovery and Business Continuity Planning Domain 6)

First and foremost you have to have a Business Impact Analysis of all the business functions, then you need some evaluation criteria to determine which ones are critical

There are four (4) classifications for systems (Critical, Vital, Sensitive, Nonsensitive) memorize the definitions of each of the four

Why do you buy insurance? To transfer risk, of course.

Another key element to BCP is testing, and you should know the different types, including preparedness and full operational.

13) Auditing Business Continuity

Review the BCP.

Review the test results; we’re assuming they tested the BCP of course, and they should have documented “Lessons Learned” <– Another hint, ISACA likes this term.

It’s interesting to notice how ISACA is aligning itself with the International Organization of Standards ISO/IEC 27002. The title for Domain 3 is Information Systems Acquisition, Development and Implementation and the title for Section 12 of ISO/IEC 27002 is Information Systems Acquisition, Development and Maintenance.

There are 14 areas that you need to understand for Domain 3.

1) Business realization

Know the difference between portfolio management and program management.

Know the seven steps of benefit realization or benefits management (a question might refer to either).

2) Project Management Structure

Know the three major forms of organizational alignment.

Know three different ways to communicate during project initiation.

Project objectives are aligned with what? Business objectives, of course.

Know the roles and responsibilities for project steering committee, project sponsor, and quality assurance.

3) Project Management Practices

Know the three elements of a project and the effect of increasing or decreasing one of the elements

Of the nine ways of project planning, concentrate on LOSC, FPA, CPM, GANTT, PERT and TBM

4) Business Application Development

What is the major risk of any software development project – final outcome does not meet all requirements.

Understand the eight phases of the traditional SDLC approach.

In which phase does testing start?

In which phase does security start (control specs)?

In which phase does UAT occur?

What should be in an RFP?

What is software baselining and when does it occur?

What is the auditor’s focus in SDLC?

What’s an IDE?

Know the difference between Unit Testing, Interface/Integration Testing, System Testing and Final Acceptance Testing.

When is it the most, or least, expensive time to make changes (which phase for each condition)?

What’s a structured walkthrough test, white box test, black box test, blue team, red team, yellow box testing and regression testing?

When does data conversion occur, and in which phase?

Know the different types of cutover.

5) Business Application Systems

Be able to define authentication and nonrepudiation.

Know the difference between an RA and a CA.

If you are your own CA, who does the CRL and what is the biggest issue?

In EDI, what does the comm handler do? The appl interface?

What is the biggest risk in EDI?

How do we get positive assurance in an EDI transaction world?

What is a digital signature when speaking of eMail?

What’s the objective of EMM and how do you audit eCash?

Don’t forget: Neural networks are —

6) Alternative Forms of Software Project Organization

What is SCRUM?

Know the difference between Incremental and Iterative development.

Know the variants (Evolutionary, Spiral, Agile). Speaking of which, what is AGILE DEV?

What is prototyping?

What is RAD and JAD?

7) Alternative Development Methods

What’s the major advantage of OOSD?

What’s the advantage of component based development?

What’s the difference between reengineering and reverse engineering?

8) Infrastructure Development/Acquisition Practices

What are the phases of Physical architecture analysis and what happens during the functional requirement phase

What are the phases of “Planning the Implementation of Infrastructure” and know the details of each of the four phases.

Understand why change control procedures are critical in the acquisition process.

9) Information Systems Maintenance Practices

Why is change management important? How should emergency changes be handled? How do you audit for unauthorized changes?

10) System Development Tools and Productivity Aids

Care should be taken when using fourth-generation languages since some of them lack the lower level detail commands necessary to perform some of the more intense data operations.

11) Process Improvement Practices

Document the current existing baseline processes.

Major concern of BPR is that key controls may be reengineered out of a process.

What does ISO 9126 define?

Why was CMM by SEI developed? Need SPICE?

12) Application Controls

What are the objectives of Application Controls?

Batch header forms are what type of control? Who uses batch anyway?

There are two charts in this section. The first one is on Data Validation Edits and Controls and the second is on Data File Controls. You need to memorize both.

13) Auditing Application Controls

There’s a chart on testing application systems in the review manual which enumerates several different techniques – memorize this chart

Know the difference between atomicity and consistency.

There are five types of automated evaluation techniques applicable to continuous online auditing. These you’ll need to know, particularly: SCARF, ITF, CIS, snapshots and audit hooks.

14) Auditing Systems Development, Acquisition and Maintenance

What do you do if the development group is fast-tracking IV&V? Let the project steering committee know what the risks are, of course.

For 2011, ISACA has updated the domains reducing them from 6 to 5. Domain 4 now includes Disaster Recovery from the old Domain 6. This section has six areas that you need to understand for the CISA exam.

1) Information Systems Operations

One of the management control functions is to ensure that IS processing can recover in a timely manner from minor or major disruptions of operations.

Know what console logs are and why they are important.

Why is documentation important? See note #1 above.

Why is change management important? See note #1 above.

What is the major objective of library software? You got it. See note #1 above.

2) Information Systems Hardware

Multitasking, multiprocessing, multiusing, multithreading, grid computing, know the difference.

Know the different computer roles and pay particular attention to “Load Balancer” role.

How do you as an auditor know that an organization is doing capacity management?

3) IS Architecture and Software

Why do you review the software control features or parameters? To determine how it is functioning.

Know the difference between the supervisory/administrator state and the general user state.

What does a PC need for communication with bisync data comm on a mainframe?

What is metadata?

How do you audit a tape library?

How do you audit software licensing and why is that important?

4) IS Network Infrastructure

Name five network services. Now name the eight network services listed in the review manual.

Ah!!! The old OSI model. Folks, you have to commit the transport layer, network layer and data link layer to memory.

Why is fiber optic better than copper?

ISACA likes microwave radio systems as a test question. So read about it.

STAR, BUS, RING, MESH. Need I say more?

What do bridges do besides get you from one side to the other, and what OSI layer do they operate at?

What do modems do?

What are VPNs and why are they considered a good thing?

Know the difference between WEP, WPA and WPA2.

Know what CGI scripts do.

Know the difference between applets, servlets, and ringlets.

Define latency.

What is middleware? No, it’s not a belt around your waist.

5) Auditing Infrastructure and Operations

Why do you review documentation? Because it describes the “desired state.”

Name four things you as an auditor should identify when doing a network audit. Now compare your list of four things with ISACA’s list in the section on auditing network infrastructure.

6) Disaster Recovery Planning

RPO (Recovery Point Objective) or what is the acceptable data loss – the question might be, “If you have an RPO of 1 hour what is your backup strategy?” In which case you would look for Mirroring or Real-time replication in the answer set.

RTO (Recovery Time Objective) or what is the acceptable downtime – the question might be, “If your RTO is 1 hour what clustering capability would you recommend?” And for this one, look for “Active-Active” in the answer set.

Know the difference between cold site, warm site, hot site, mobile site, mirrored site and reciprocal agreements.

Also know why reciprocal agreements really aren’t the solution for DRP.

Know the difference between “active-active” and “active-passive” clustering and which one would be used in DRP.

Know the difference between alternative routing and diverse routing when talking about network recovery, and also be able to define last-mile circuit protection.

Know the roles and responsibilities of the 22 different teams which comprise the makeup of the DRP, particularly the incident response team, the damage assessment team and the emergency operations team.

When it comes to backups there are three different concepts you need to memorize: Full, Incremental, Differential. Which are more costly and why? Which one is most efficient and why — and HOW? Which one represents the middle of the road approach?

What is Grandfather, Father, Son rotation and how does it work?
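The three backup concepts above, worked through in code as an added example (not from the original guide): a constructed 1 TB data set with 20 GB of new changes a day, backed up for a week under each strategy. The simulation answers the guide’s questions directly: full is the most costly in storage, incremental is the most efficient in storage but needs the longest chain of sets to restore, and differential sits in the middle. The simplifying assumption, labelled in the code, is that each day’s changes touch new data.

```python
"""Full vs incremental vs differential backups (added example, not from the guide).

Assumption: each day's changes touch new data, so the change since the last
full backup is simply the sum of the daily changes (no overwrites modelled).
"""
from dataclasses import dataclass
from enum import Enum
from typing import List


class Kind(Enum):
    FULL = "full"                  # everything, every time
    INCREMENTAL = "incremental"    # changes since the previous backup of any kind
    DIFFERENTIAL = "differential"  # changes since the previous FULL backup


@dataclass(frozen=True)
class BackupSet:
    day: int
    kind: Kind
    size_gb: float


def plan(strategy: Kind, full_size_gb: float,
         daily_change_gb: List[float]) -> List[BackupSet]:
    """Day 0 is always a full backup; days 1..n follow the chosen strategy."""
    sets = [BackupSet(0, Kind.FULL, full_size_gb)]
    changed_since_full = 0.0
    for day, change in enumerate(daily_change_gb, start=1):
        changed_since_full += change
        if strategy is Kind.FULL:
            size = full_size_gb
        elif strategy is Kind.INCREMENTAL:
            size = change
        else:  # differential grows every day until the next full
            size = changed_since_full
        sets.append(BackupSet(day, strategy, size))
    return sets


def restore_chain(sets: List[BackupSet], target_day: int) -> List[BackupSet]:
    """The backup sets that must be read, in order, to rebuild target_day's data."""
    fulls = [s for s in sets if s.kind is Kind.FULL and s.day <= target_day]
    if not fulls:
        raise ValueError("no full backup on or before the target day")
    base = fulls[-1]
    later = [s for s in sets if base.day < s.day <= target_day]
    if not later:
        return [base]                  # full strategy: one set is enough
    if later[-1].kind is Kind.DIFFERENTIAL:
        return [base, later[-1]]       # latest differential supersedes earlier ones
    return [base] + later              # incremental: every set since the full


def total_storage_gb(sets: List[BackupSet]) -> float:
    """Media consumed by the whole retention window."""
    return sum(s.size_gb for s in sets)


def compare(full_size_gb: float, daily_change_gb: List[float]) -> dict:
    """Storage used and restore-chain length on the last day, per strategy."""
    last_day = len(daily_change_gb)
    result = {}
    for strategy in Kind:
        sets = plan(strategy, full_size_gb, daily_change_gb)
        result[strategy.value] = {
            "storage_gb": total_storage_gb(sets),
            "sets_to_restore": len(restore_chain(sets, last_day)),
        }
    return result


# Constructed sample: 1 TB system, 20 GB of new changes on each of six days.
SAMPLE_FULL_GB = 1000.0
SAMPLE_CHANGES_GB = [20.0] * 6

if __name__ == "__main__":
    for name, r in compare(SAMPLE_FULL_GB, SAMPLE_CHANGES_GB).items():
        print(f"{name:<12} storage {r['storage_gb']:>7,.0f} GB, "
              f"sets to restore day 6: {r['sets_to_restore']}")
```

The restore-chain length is also the exposure: with incrementals, one damaged set anywhere in the chain breaks every restore after it, which is the risk a differential or full strategy buys down with extra media.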

Domain 5, Protection of Information Assets is the last domain in the CISA certification area and the most important. ISACA has stated that this domain represents 30 percent of the CISA examination which is approximately 60 questions. This is a make or break domain for you. This section has eight areas that you need to fully understand to ensure you pass the CISA exam.

1. Importance of Information Security Management

Information Security Management is important to ensure the continued availability of information systems.

Information Security Management is important to ensure the integrity of the stored information and the information in motion (in transit).

Information Security Management is important to ensure the confidentiality of sensitive data.

There’s the old CIA triad again (Confidentiality, Integrity, Availability).

Key Elements in Information Security Management:

o Senior Management Commitment and support
o Policies and Procedures
o Organization
o Security Awareness and Training
o Monitoring and compliance, and
o Incident handling and response

You should have an understanding of each of these key elements.

Information Security Management roles and responsibilities: in this area you need to have the IS Security Steering Committee responsibility down cold. I mean to the point of quoting it verbatim from the CISA manual.

Understand the difference between Mandatory access controls (MACs) and discretionary access controls (DACs)

One of the last sections in Information Security Management deals with computer crime issues and exposures. Exhibit 5.8 in the CISA manual lists some 30 different Common Attack Methods and Techniques. Pick 30 and have a working understanding. That’s right all 30. ISACA has chosen everything from Botnets to War Chalking for their exam.

2. Logical Access

This is the primary means used to manage and protect information assets. Note the emphasis on PRIMARY!

There are really only two points of entry – local and remote, and how do you identify local users and rights; and how do you identify and authenticate remote users?

Authentication is typically categorized as something you know (password), something you have (token) and something you are (biometrics). And yes I know RSA has been breached, but there are other token vendors out there.

Speaking of biometrics, there’s palm, hand geometry, Iris, retina, fingerprint, face and voice recognition. Which one costs the most and has the highest user rejection rate? HINT it has something to do with the eye.

3. Network Infrastructure Security

You should know some of the advantages and disadvantages of virtualization.

You need to know some of the security threats and risk mitigation techniques for wireless networking, including WEP, WPA, WPA2, authenticity, nonrepudiation, accountability and network availability.

You need to know the different firewall types (router packet filtering, application firewall systems, stateful inspection).

You will need to know firewall implementations (Screened-host, dual-homed, DMZ or screened-subnet)

What’s the difference between NIDS and HIDS and are they a substitute for firewalls? Answer: NO.

You will need to know how a digital signature functions to protect data.

You need a general understanding of viruses and some of the management procedural controls that should be in place.

4. Auditing Information Security Management Framework

Review the written policies, procedures and standards.

Pay particular attention to the logical access security policies.

Make sure everyone has received current security awareness training.

Why are you interested in data ownership? Because the data owner is the person who defines who can access and use their data.

Then you’ll need to audit the logical access to make sure the rules are being followed; pay particular attention to “JOB TRANSFERS” as there is a tendency to add access, but not to remove old access.

Review access logs and make sure someone else is reviewing and acting upon unsuccessful login attempts

5. Auditing Network Infrastructure Security

Who has remote access and has it been approved? Why do vendors have unrestricted access into your network to fix a network device? Has that unrestricted access been approved by management?

Now here’s the fun part, because as auditors you should be able to do Pen Testing, just make sure you’ve got approval before you start this part of the audit. HINT: PRIOR APPROVAL

Make sure all network changes are going through change control, even emergency changes.

Forensics comes into play here as well, so make sure you know the four major considerations in the chain of events regarding evidence (Identify, Preserve, Analyze, Present)

6. Environmental Exposures and Controls

Know the differences between Total Failure (blackout), severely reduced voltage (brownout), and a snowstorm (whiteout)… If you’ve read this far and you get it, then you’ve got it.

Halon is no longer legal. What is an acceptable replacement?

Where should hand-held fire extinguishers be located, how often should they be inspected, and is security awareness training required for personnel who might have to use them? All good test questions.

Surge protectors are used for power spikes. Enough said.

UPS is used for power cleansing??? Yes… Like you use soap to wash your hands. UPSs are used to turn dirty power into clean power. Think about it: power fluctuations, sags and spikes are considered dirty power. A UPS ensures that wattage and voltage is consistent, flatlined, stable, etc.

You need to be aware of the environmental detection equipment, smoke detectors, moisture detectors, etc.

7. Physical Access Exposures and Controls

Unauthorized entry, principle of least privilege, only if your job requires it, and no visitor shall enter unescorted. That’s it, PERIOD.

Key focus for this area is mantraps, deadman doors, and visitor escorts.

8. Mobile Computing

Hard drive encryption.

Back-ups on a regular basis.

Theft response team.

Special care needs to be taken to defend against malicious code. HINT: What’s one way of getting around your company’s firewall? Hand carry a laptop into the office from a remote location. Now you see the need for good malicious code defenses.

I hope you’ve enjoyed these articles on the CISA domains and I look forward to seeing you in