CISA – Certified Information Systems Auditor Study Guide, Second Edition
Hemang Doshi
Table of Contents
Preface xiii
Audit Planning 1
The Contents of an Audit Charter 3
Key Aspects from the CISA Exam Perspective 4
Audit Planning 5
Benefits of Audit Planning 5
Selection Criteria 6
Reviewing Audit Planning 6
Individual Audit Assignments 6
Key Aspects from the CISA Exam Perspective 8
Business Process Applications and Controls 8
E-Commerce 8
Electronic Data Interchange (EDI) 9
Point of Sale (POS) 10
Electronic Banking 11
Electronic Funds Transfer (EFT) 12
Image Processing 12
Artificial Intelligence and Expert Systems 13
Key Aspects from the CISA Exam Perspective 14
Types of Controls 15
Preventive Controls 16
Detective Controls 17
Corrective Controls 17
Deterrent Controls 17
The Difference between Preventive and Deterrent Controls 18
Compensating Controls 18
Control Objectives 18
Control Measures 19
Key Aspects from the CISA Exam Perspective 19
Risk-Based Audit Planning 19
What Is Risk? 20
Understanding Vulnerability and Threats 20
Understanding Inherent Risk and Residual Risk 21
Advantages of Risk-Based Audit Planning 22
Audit Risk 22
Risk-Based Auditing Approach 23
Risk Assessments 24
Risk Response Methodology 24
Top-Down and Bottom-Up Approaches to Policy Development 25
Key Aspects from the CISA Exam Perspective 26
Types of Audits and Assessments 27
Summary 29
Chapter Review Questions 30
Audit Execution 35
Audit Project Management 36
Audit Objectives 37
Audit Phases 37
Fraud, Irregularities, and Illegal Acts 40
Key Aspects from the CISA Exam Perspective 40
Sampling Methodology 40
Sampling Types 41
Sampling Risk 42
Other Sampling Terms 42
Compliance versus Substantive Testing 44
Key Aspects from the CISA Exam Perspective 45
Audit Evidence Collection Techniques 47
Reliability of Evidence 47
Evidence-Gathering Techniques 48
Key Aspects from the CISA Exam Perspective 50
Data Analytics 51
Examples of the Effective Use of Data Analytics 51
CAATs 51
Examples of the Effective Use of CAAT Tools 52
Precautions while Using CAAT 52
Continuous Auditing and Monitoring 52
Continuous Auditing Techniques 53
Key Aspects from the CISA Exam Perspective 55
Reporting and Communication Techniques 56
Exit Interview 56
Audit Reporting 56
Audit Report Objectives 57
Audit Report Structure 57
Follow-Up Activities 57
Key Aspects from the CISA Exam Perspective 58
Control Self-Assessment 58
Objectives of CSA 58
Benefits of CSA 58
Precautions while Implementing CSA 59
An IS Auditor’s Role in CSA 59
Key Aspects from the CISA Exam Perspective 59
Summary 60
Chapter Review Questions 61
IT Governance 65
Enterprise Governance of IT (EGIT) 67
EGIT Processes 67
The Differences between Governance and Management 68
EGIT Good Practices 68
Effective Information Security Governance 68
EGIT – Success Factors 69
Key Aspects from the CISA Exam Perspective 70
IT-Related Frameworks 70
IT Standards, Policies, and Procedures 71
Policies 72
Standards 72
Procedures 72
Guidelines 72
Information Security Policy 73
Key Aspects from the CISA Exam Perspective 75
Organizational Structure 75
Relationship between the IT Strategy Committee and the IT Steering Committee 77
Differences between the IT Strategy Committee and the IT Steering Committee 78
Key Aspects from the CISA Exam Perspective 78
Enterprise Architecture 79
Enterprise Security Architecture 79
Key Aspects from the CISA Exam Perspective 80
Risk Management Process Steps 80
Risk Analysis Methods 81
Risk Treatment 83
Key Aspects from the CISA Exam Perspective 83
Maturity Model 84
Laws, Regulations, and Industry Standards Affecting the Organization 84
An IS Auditor’s Role in Determining Adherence to Laws and Regulations 84
Key Aspects from the CISA Exam Perspective 85
Summary 86
Chapter Review Questions 87
IT Management 91
IT Resource Management 91
Human Resource Management 92
IT Management Practices 94
Financial Management Practices 94
Key Aspects from the CISA Exam Perspective 94
IT Service Provider Acquisition and Management 95
Evaluation Criteria for Outsourcing 95
Steps for Outsourcing 96
Outsourcing – Risk Reduction Options 97
Provisions for Outsourcing Contracts 97
Role of IS Auditors in Monitoring Outsourced Activities 97
Globalization of IT Functions 97
Outsourcing and Third-Party Audit Reports 98
Monitoring and Review of Third-Party Services 98
Key Aspects from the CISA Exam Perspective 99
IT Performance Monitoring and Reporting 100
Development of Performance Metrics 100
Effectiveness of Performance Metrics 101
Tools and Techniques 101
Key Aspects from the CISA Exam Perspective 103
Quality Assurance and Quality Management in IT 103
Quality Assurance 104
Quality Management 105
Key Aspects from the CISA Exam Perspective 105
Summary 105
Chapter Review Questions 107
Information Systems Acquisition and Development 111
Project Management Structure 111
Project Roles and Responsibilities 112
Project Objectives, OBS, and WBS 116
Key Aspects from the CISA Exam Perspective 117
Business Case and Feasibility Analysis 117
Business Cases 118
Feasibility Analysis 118
The IS Auditor’s Role in Business Case Development 119
System Development Methodologies 119
SDLC Models 119
SDLC Phases 120
Software Development Methods 121
Software Reengineering and Reverse Engineering 123
Key Aspects from the CISA Exam Perspective 123
Control Identification and Design 124
Check Digits 125
Parity Bits 125
Checksums 126
Forward Error Control 126
Decision Support Systems 127
Decision Trees 128
Key Aspects from the CISA Exam Perspective 128
Summary 130
Chapter Review Questions 131
Information Systems Implementation 135
Testing Methodology 135
Unit Testing 136
Integration Testing 136
System Testing 137
Testing Approach 140
Testing Phases 141
Key Aspects from the CISA Exam Perspective 142
System Migration 143
Parallel Changeover 144
Phased Changeover 144
Abrupt Changeover 144
Key Aspects from the CISA Exam Perspective 145
Post-Implementation Review 145
Key Aspects from the CISA Exam Perspective 146
Summary 146
Chapter Review Questions 148
Information Systems Operations 151
Understanding Common Technology Components 152
The Types of Servers 152
Universal Serial Bus 152
Radio Frequency Identification 153
IT Asset Management 155
Performance Reports 156
Job Scheduling 157
End User Computing 157
System Performance Management 158
Nucleus (Kernel) Functions 158
Utility Programs 158
Parameter Setting for the Operating System 158
Registry 158
Activity Logging 159
Software Licensing Issues 159
Source Code Management 159
Capacity Management 160
Key Aspects from a CISA Exam Perspective 160
Problem and Incident Management 160
Network Management Tools 161
Key Aspects from a CISA Exam Perspective 162
Change Management, Configuration Management, and Patch Management 162
Change Management Process 162
Patch Management 163
Configuration Management 163
Emergency Change Management 163
Backout Process 164
The Effectiveness of a Change Management Process 164
Key Aspects from a CISA Exam Perspective 164
IT Service-Level Management 165
Evaluating the Database Management Process 165
Advantages of Database Management 166
Database Structures 166
Key Aspects from a CISA Exam Perspective 171
Summary 172
Chapter Review Questions 173
Business Resilience 177
Business Impact Analysis 177
Key Aspects from the Perspective of the CISA Exam 179
Data Backup and Restoration 179
Types of Backup Strategy 179
Storage Capacity for Each Backup Scheme 181
Key Aspects from the Perspective of the CISA Exam 182
System Resiliency 182
Application Resiliency – Clustering 182
Telecommunication Network Resiliency 183
Business Continuity Plan 184
Steps of the BCP Life Cycle 184
Contents of the BCP 184
Backup Procedure for Critical Operations 185
The Involvement of Process Owners in the BCP 185
BCP and Risk Assessments 185
Testing the BCP 186
Key Aspects from the Perspective of the CISA Exam 187
Disaster Recovery Plan 188
The BCP versus the DRP 188
Key Aspects from the CISA Exam Perspective 190
DRP – Test Methods 190
Checklist Review 190
Structured Walkthrough 191
Tabletop Test 191
Simulation Test 191
Parallel Test 191
Full Interruption Test 191
Key Aspects from the CISA Exam Perspective 191
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) 192
RPO 192
RTO and RPO for Critical Systems 193
RTO and RPO and Maintenance Costs 194
RTO, RPO, and Disaster Tolerance 194
Key Aspects from the CISA Exam Perspective 194
Alternate Recovery Sites 195
Mirrored Site 195
Hot Site 196
Warm Site 196
Cold Site 196
Mobile Site 197
Reciprocal Agreement 197
Summary 197
Summary 198
Chapter Review Questions 199
Information Asset Security and Control 203
Information Asset Security Frameworks, Standards, and Guidelines 203
Auditing the Information Security Management Framework 204
Key Aspects from the CISA Exam Perspective 204
Privacy Principles 205
Physical Access and Environmental Controls 205
Environmental Controls 205
Alarm Controls 206
Water and Smoke Detectors 206
Fire Suppression Systems 207
Physical Access Control 208
Key Aspects from the CISA Exam Perspective 209
Identity and Access Management 210
Access Control Categories 211
Default Deny Policy – Allow All Policy 212
Degaussing (Demagnetizing) 212
Naming Convention 213
Single Sign-On 213
Key Aspects from the CISA Exam Perspective 214
Biometrics 215
Biometrics Accuracy Measure 215
Control over the Biometric Process 216
Types of Biometric Attacks 216
Summary 217
Chapter Review Questions 218
Network Security and Control 223
Network and Endpoint Devices 223
Open System Interconnection (OSI) Layers 223
Networking Devices 225
Network Devices and the OSI Layer 226
Network Physical Media 227
Identifying the Risks of Physical Network Media 228
Network Protocols 229
Key Aspects from the CISA Exam Perspective 230
Firewall Types and Implementation 231
Types of Firewalls 231
What is a Bastion Host? 232
What is a Proxy? 233
Types of Firewall Implementation 233
The Firewall and the Corresponding OSI Layer 236
Key Aspects from the CISA Exam Perspective 236
VPN 237
Types of VPN 237
VPNs – Security Risks 238
VPNs – Technical Aspects 238
Key Aspects from the Perspective of the CISA Exam 238
Voice over Internet Protocol (VoIP) 238
Key Aspects from the CISA Exam Perspective 240
Wireless Networks 241
Enabling MAC Filtering 241
Enabling Encryption 242
Disabling a Service Set Identifier (SSID) 242
Disabling DHCP 243
Common Attack Methods and Techniques for a Wireless Network 243
Key Aspects from the CISA Exam Perspective 244
Email Security 245
Key Aspects from the CISA Exam Perspective 246
Summary 246
Chapter Review Questions 248
Public Key Cryptography and Other Emerging Technologies 253
Public Key Cryptography 253
Symmetric Encryption versus Asymmetric Encryption 254
Encryption Keys 255
The Hash of the Message 257
Combining Symmetric and Asymmetric Methods 258
Key Aspects from the CISA Exam Perspective 258
Elements of PKI 259
PKI Terminology 259
Processes Involved in PKI 260
Certifying Authority versus Registration Authority 260
Key Aspects from the CISA Exam Perspective 261
Cloud Computing 261
Cloud Computing – Deployment Models 262
Types of Cloud Services 263
Cloud Computing – the IS Auditor’s Role 263
Virtualization 264
Mobile Computing 265
Internet of Things (IoT) 266
Summary 266
Chapter Review Questions 267
Security Event Management 271
Security Awareness Training and Programs 271
Participants 272
Security Awareness Methods 272
Social Engineering Attacks 272
Evaluating the Effectiveness of Security Programs 272
Key Aspects from the CISA Exam Perspective 273
Information System Attack Methods and Techniques 273
Malicious Code 275
Biometric Attacks 277
Key Aspects from the CISA Exam Perspective 278
Security Testing Tools and Techniques 278
General Security Controls 279
Network Penetration Tests 281
Key Aspects from the CISA Exam Perspective 283
Security Monitoring Tools and Techniques 283
IDS 283
IPS 286
Honeypots and Honey Nets 286
Key Aspects from the CISA Exam Perspective 286
Incident Response Management 287
Computer Security Incident Response Team 287
Key Aspects from the CISA Exam Perspective 288
Evidence Collection and Forensics 288
Chain of Custody 288
Key Elements of Computer Forensics 289
Summary 291
Chapter Review Questions 292
Index 295
Other Books You May Enjoy 300