Edition:
Authors: Hemang Doshi
Series:
ISBN: 9781838989583
ISBN-10: 1838989587
Publisher:
Language: English
Year of publication:
Pages: 1083
File format: PDF (converted to PDF, EPUB or AZW3 at the user's request)
File size: 5 MB
If you need the book CISA – Certified Information Systems Auditor Study Guide: Aligned with the CISA Review Manual 2019 to help you audit, monitor, and assess information systems converted to PDF, EPUB, AZW3, MOBI or DJVU format, you can notify support to have the file converted.
Note that CISA – Certified Information Systems Auditor Study Guide: Aligned with the CISA Review Manual 2019 to help you audit, monitor, and assess information systems is the original-language edition and is not a Persian translation. The International Library website offers original-language books only and does not provide any book translated into or written in Persian.
Table of contents:
Front matter: Title Page Copyright and Credits CISA – Certified Information Systems Auditor Study Guide Dedication About Packt Why subscribe? Contributors About the author About the reviewer Packt is searching for authors like you Preface Who this book is for What this book covers To get the most out of this book Download the color images Conventions used Get in touch Reviews
Section 1: Information System Auditing Process
Audit Planning: The content of an audit charter Key aspects from CISA exam perspective Self-evaluation questions Audit planning Benefits of audit planning Selection criteria Reviewing audit planning Individual audit assignments Key aspects from CISA exam perspective Self-evaluation questions Business process applications and controls E-commerce Electronic Data Interchange (EDI) Point of Sale (POS) Electronic banking Electronic funds transfer (EFT) Image processing Artificial intelligence and expert systems Key aspects from CISA exam perspective Self-evaluation questions Types of controls Preventive controls Detective controls Corrective controls Deterrent controls The difference between preventive and deterrent controls Compensating controls Control objectives Control measures Key aspects from CISA exam perspective Self-evaluation questions Risk-based audit planning What is risk? Understanding vulnerability and threat Understanding inherent risk and residual risk Advantages of risk-based audit planning Audit risk Risk-based auditing approach Risk assessments Risk response methodology Top-down and bottom-up approaches to policy development The top-down approach The bottom-up approach The best approach Key aspects from CISA exam perspective Self-evaluation questions Types of audit and assessment Self-evaluation questions Summary Assessments Content of the audit charter Audit planning Business process applications and controls Types of controls Risk-based audit planning Types of audit and assessment
Audit Execution: Audit project management Audit objectives Audit phases Fraud, irregularities, and illegal acts Key aspects from CISA exam perspective Self-assessment questions Sampling methodology Sampling types Sampling risk Other sampling terms The confidence coefficient Level of risk Expected error rate Tolerable error rate Sample mean Sample standard deviation Compliance versus substantive testing The difference between compliance testing vis-à-vis substantive testing Examples of compliance testing and substantive testing The relationship between compliance testing and substantive testing Key aspects from the CISA exam perspective Self-assessment questions Audit evidence collection techniques Reliability of evidence Independence of the evidence provider Qualifications of the evidence provider Objectivity of the evidence Timing of the evidence Evidence gathering techniques Key aspects from the CISA exam perspective Self-assessment questions Data analytics Examples of the effective use of data analytics CAATs Examples of the effective use of CAAT tools Precautions while using CAAT Continuous auditing and monitoring Continuous auditing techniques Integrated test facility System control audit review file Snapshot technique Audit hook Continuous and Intermittent Simulation Key aspects from the CISA exam perspective Self-assessment questions Reporting and communication techniques Exit interview Audit reporting Audit report objectives Audit report structure Follow-up activities Key aspects from the CISA exam perspective Self-assessment questions Control self-assessment Objectives of CSA Benefits of CSA Disadvantages of CSA An IS auditor’s role in CSA Key aspects from the CISA exam perspective Self-assessment questions Summary Assessments Audit project management Sampling methodology Audit evidence collection Data analytics Reporting and communication techniques Control self-assessment
Section 2: Governance and Management of IT
IT Governance: IT enterprise governance (EGIT) EGIT processes Difference between governance and management EGIT good practices Effective information security governance EGIT – success factors Key aspects from the CISA exam perspective Self-assessment questions IT-related frameworks IT standards, policies, and procedures Standard Policies Procedures Guidelines Information security policy Content of the information security policy Information security policy users Information security policy audit Information security policy review Key aspects from CISA exam perspective Self-assessment questions Organizational structure Relationship between the IT strategy committee and the IT steering committee Differences between the IT strategy committee and the IT steering committee Key aspects from the CISA exam perspective Self-assessment questions Enterprise architecture Enterprise security architecture Key aspects from CISA exam perspective Self-assessment questions Enterprise risk management Risk management process steps Risk analysis methods Risk treatment Key aspects from the CISA exam perspective Self-assessment questions Maturity model Laws, regulations, and industry standards affecting the organization An IS auditor's role in determining adherence to laws and regulations Key aspects from the CISA exam perspective Self-assessment questions Summary Assessments IT enterprise governance IT standards, policies, and procedures Organizational structure Enterprise architecture Enterprise risk management Laws, regulations, and industry standards affecting the organization
IT Management: IT resource management Human resource management Hiring Training Scheduling and time reporting During employment Termination policies IT management practices Financial management practices Key aspects from CISA exam perspective Self-assessment questions IT service provider acquisition and management Evaluation criteria for outsourcing Steps for outsourcing Outsourcing – risk reduction options Provisions for outsourcing contracts Role of IS auditors in monitoring outsourced activities Globalization of IT functions Outsourcing and third-party audit reports Monitoring and review of third-party services Key aspects from CISA exam perspective Self-evaluation questions IT performance monitoring and reporting Steps for the development of performance metrics Effectiveness of performance metrics Tools and techniques Key aspects from CISA exam perspective Self-evaluation questions Quality assurance and quality management in IT Quality assurance Quality management Key aspects from CISA exam perspective Self-evaluation questions Summary Assessment answers IT resource management IT service provider acquisition and management IT performance monitoring and reporting Quality assurance and quality management in IT
Section 3: Information Systems Acquisition, Development, and Implementation
Information Systems Acquisition and Development: Project management structure Project roles and responsibilities Board of Directors IT strategy committee Project steering committee Project sponsor System development management Project cost estimation methods Software size estimation methods Project evaluation methods Critical path methodology Program Evaluation Review Technique (PERT) Earned Value Analysis Timebox management Project objectives, OBS, and WBS Role of the IS auditor in project management Key aspects from the CISA exam perspective Self-assessment questions Business cases and feasibility analysis Business cases Feasibility analysis The IS auditor's role in business case development Self-assessment questions System development methodologies SDLC models Traditional waterfall V-shaped Iterative SDLC phases Phase 1 – Feasibility study Phase 2 – Requirements Phase 3 – Software selection and acquisition Phase 4 – Development Phase 5 – Testing and implementation Phase 6 – Post-implementation Software development methods Agile development Prototyping Rapid Application Development Object-Oriented System Development Component-based development Software engineering and reverse engineering Key aspects from the CISA exam perspective Self-assessment questions Control identification and design Check digits Parity bits Checksums Forward error control Data integrity principles Limit checks Automated systems balancing Sequence checks Decision support systems Efficiency versus effectiveness Design and development Risk factors Decision trees Key aspects from the CISA exam perspective Self-assessment questions Summary Assessments Project management structure The business case and feasibility analysis System development methodologies Control identification and design
Information Systems Implementation: Testing methodology Unit testing Integrated testing System testing Final acceptance testing Regression testing Sociability test Pilot testing Parallel testing White box testing Black box testing Alpha testing Beta testing Testing approach Testing phases Key aspects from the CISA exam perspective Self-assessment questions System migration Parallel changeover Phased changeover Abrupt changeover Key aspects from the CISA exam perspective Self-assessment questions Post-implementation review Key aspects from the CISA exam perspective Self-assessment questions Summary Assessments Testing methodology System migration Post-implementation review
Section 4: Information System Operations and Business Resilience
Information System Operations: Understanding common technology components The types of server USB USBs – Risks USBs – Security controls RFID RFID – Applications RFID – Risks RFID – Security controls Self-assessment questions IT asset management Self-assessment questions Job scheduling Self-assessment questions End user computing Self-assessment question System performance management Nucleus (kernel) functions Utility programs Parameter setting for the operating system Registry Activity logging Software licensing issues Source code management Capacity management Key aspects from a CISA exam perspective Self-assessment questions Problem and incident management Network management tools Key aspects from a CISA exam perspective Self-assessment questions Change management, configuration management, and patch management Change management process Patch management Configuration management Emergency change management Backout process The effectiveness of a change management process Key aspects from a CISA exam perspective Self-assessment questions IT service level management Key aspects from the CISA exam perspective Self-evaluation questions Evaluating the database management process Advantages of database management Database structures Hierarchical database model Network database model Relational database model Object-oriented database model Database normalization Database checks and controls Segregation of duties Key aspects from a CISA exam perspective Self-assessment questions Summary Assessment Common technology components IT asset management Job scheduling End user computing System performance management Problem and incident management Change management, configuration management, and patch management IT service level management Database management
Business Resilience: Business impact analysis Key aspects from the perspective of the CISA exam Self-assessment questions Data backup and restoration Types of backup strategy Storage capacity for each backup scheme Restoration capability for each backup scheme Advantages and disadvantages of each scheme Key aspects from the perspective of the CISA exam Self-assessment questions System resiliency Application resiliency – clustering Telecommunication network resiliency Alternative routing Diverse routing Self-assessment questions Business continuity plan Steps of the BCP life cycle Content of the BCP Responsibility for declaring the disaster A Single Plan Backup procedure for critical operations The involvement of process owners in the BCP BCP and risk assessment Testing the BCP Key aspects from the perspective of the CISA exam Self-assessment questions Disaster recovery plan The BCP versus the DRP Relationship between the DRP and the BIA Costs associated with disaster recovery Data backup DRP of a third-party service provider Resilient information assets Service delivery objective Key aspects from the CISA exam perspective Self-assessment questions DRP – test methods Checklist review Structured walkthrough Tabletop test Simulation test Parallel test Full interruption test Key aspects from the CISA exam perspective Self-assessment questions Recovery Time Objective (RTO) and Recovery Point Objective (RPO) RTO RPO RTO and RPO for critical systems RTO and RPO and maintenance costs RTO, RPO, and disaster tolerance Key aspects from the CISA exam perspective Self-assessment questions Alternate recovery site Mirrored site Hot site Warm site Cold site Mobile site Reciprocal agreement Self-assessment questions Summary Assessment Business impact analysis Data backup and restoration System resiliency Business continuity plan Disaster recovery plan DRP – test methods Recovery Time Objective (RTO) and Recovery Point Objective (RPO) Alternate recovery site
Section 5: Protection of Information Assets
Information Asset Security and Control: Information asset security frameworks, standards, and guidelines Auditing the information security management framework Key aspects from the CISA exam perspective Self-assessment questions Privacy principles Self-assessment questions Physical access and environmental controls Environmental controls Water and Smoke Detectors Fire suppression system Wet-based sprinkler (WBS) Dry pipe sprinkler Halon system Carbon dioxide systems Physical access control Bolting door locks Combination door locks (cipher locks) Electronic door locks Biometric door locks Deadman doors Identification badge CCTV camera Key aspects from the CISA exam perspective Self-assessment questions Identity and access management Access control categories Steps for implementing logical access Control Effectiveness Default deny policy – allow all policy Degaussing (demagnetizing) Naming convention Factor of authentication Single sign-on Advantages of SSO Disadvantages of SSO Key aspects from the CISA exam perspective Self-assessment questions Biometrics Biometrics – accuracy measure False acceptance rate (FAR) False rejection rate (FRR) Cross error rate (CER) or equal error rate (EER) Control over the biometric process Types of biometric attacks Self-assessment questions Summary Assessments Information asset security frameworks, standards, and guidelines Privacy principles Physical access and environmental controls Identity and access management Biometrics
Network Security and Control: Network and endpoint devices Open system interconnection (OSI) layers Networking devices Repeaters Hubs and switches Bridges Routers Gateway Network devices and the OSI layer Network physical media Fiber optics Twisted pair (copper circuit) Infrared and radio (wireless) Identifying the risks of physical network media Attenuation EMI Cross talks Network diagram Network protocols Dynamic Host Configuration Protocol Transport Layer Security and Secure Socket Layer Transmission Control Protocol and User Data Protocol Secure Shell and Telnet Key aspects from CISA exam perspective Self-assessment questions Firewall types and implementation Types of firewall Packet filtering router Stateful inspection Circuit-level Application-level What is a bastion host? What is a proxy? Types of firewall implementation Dual-homed firewall Screened host firewall Screened subnet firewall (demilitarized zone) Firewall and the corresponding OSI layer Key aspects from the CISA exam perspective Self-assessment questions VPN Types of VPN VPNs – security risks VPNs – technical aspects Key aspects from the perspective of the CISA exam Self-assessment questions Voice over Internet Protocol (VoIP) Key aspects from the CISA exam perspective Self-assessment questions Wireless networks Enabling MAC filtering Enabling encryption Disabling a service set identifier (SSID) Disabling DHCP Common attack methods and techniques for a wireless network War driving War walking War chalking Key aspects from the CISA exam perspective Self-assessment questions Email security Key aspects from the CISA exam perspective Self-assessment questions Summary Assessments Network and endpoint devices Firewall types and implementation Virtual Private Network (VPN) Voice over Internet Protocol (VoIP) Wireless networks Email security
Public Key Cryptography and Other Emerging Technologies: Public key cryptography Symmetric encryption versus asymmetric encryption Encryption keys Confidentiality Authentication Non-Repudiation Integrity The hash of the message Combining symmetric and asymmetric methods Key aspects from the CISA exam perspective Self-assessment questions Elements of PKI PKI terminology Processes involved in PKI Certifying Authority versus Registration Authority Key aspects from the CISA exam perspective Self-assessment questions Cloud computing Cloud computing – deployment models The private cloud The public cloud The community cloud The hybrid cloud Cloud computing – the IS auditor's role Self-assessment questions Virtualization Mobile computing Internet of Things (IoT) Summary Assessments Public key cryptography Elements of public key infrastructure Cloud computing
Security Event Management: Security awareness training and programs Participants Security awareness methods Social engineering attacks Evaluating the effectiveness of security programs Key aspects from the CISA exam perspective Self-assessment questions Information system attack methods and techniques Malicious codes Biometric attacks Key aspects from the CISA exam perspective Assessment Security testing tools and techniques General security controls Terminal controls Logon IDs and passwords Authorization process Automatic logoff Account lockout Controls on bypassing software and utilities Log capturing and monitoring Time synchronization Network penetration tests Aspects to be covered within the scope of the audit Types of penetration tests External testing Internal testing Blind testing Double blind testing Targeted testing Risks associated with penetration testing Threat intelligence Key aspects from the CISA exam perspective Self-assessment questions Security monitoring tools and techniques Intrusion detection system Network-based and host-based IDS Components of the IDS Limitations of the IDS Types of IDS Signature-based Statistical-based Neural network Placement of IDS Intrusion prevention system Honey pots and honey nets Key aspects from the CISA exam perspective Self-assessment questions Incident response management Computer Security Incident Response Team Key aspects from the CISA exam perspective Self-assessment questions Evidence collection and forensics Chain of custody Identify Preserve Analyze Present Key elements of computer forensics Data protection Data acquisition Imaging Extraction Interrogation Ingestion/normalization Reporting Protection of evidence Self-assessment questions Summary Assessments Security awareness training and programs Information system attack methods and techniques Security testing tools and techniques Security monitoring tools and techniques Incident response management Evidence collection and forensics
Back matter: Other Books You May Enjoy Leave a review - let other readers know what you think