All-in-One CISA® Certified Information Systems Auditor: Exam Guide, Second Edition

Book Description

"All-in-One is All You Need"

The new edition of this trusted resource offers complete, up-to-date coverage of all the material included on the latest release of the Certified Information Systems Auditor exam. Written by an IT security and audit expert, CISA Certified Information Systems Auditor All-in-One Exam Guide, Second Edition covers all five exam domains developed by the Information Systems Audit and Control Association (ISACA). You'll find learning objectives at the beginning of each chapter, exam tips, practice exam questions, and in-depth explanations. Designed to help you pass the CISA exam with ease, this comprehensive guide also serves as an essential on-the-job reference.

Covers all exam topics, including:

• IT governance and management

• IS audit process

• IT life-cycle management

• IT service delivery and infrastructure

• Information asset protection

CD-ROM features:

• 200+ practice exam questions

• PDF copy of the book

The ebook version does not provide access to the companion files.

Table of Contents

  1. Cover Page
  2. CISA® Certified Information Systems Auditor
  3. Copyright Page
  4. CD Page
  5. Contents
  6. Acknowledgments
  7. Introduction
  8. Chapter 1 Becoming a CISA
    1. Benefits of CISA Certification
    2. Becoming a CISA
      1. Experience Requirements
    3. ISACA Code of Professional Ethics
    4. ISACA IS Standards
      1. IT Audit and Assurance Standards
      2. Standards for IS Control Professionals
      3. ITAF: A Professional Practices Framework for IT Assurance
    5. The Certification Exam
    6. Exam Preparation
      1. Before the Exam
      2. Day of the Exam
      3. After the Exam
    7. Applying for CISA Certification
    8. Retaining Your CISA Certification
      1. Continuing Education
      2. CPE Maintenance Fees
    9. Revocation of Certification
    10. CISA Exam Preparation Pointers
    11. Summary
  9. Chapter 2 IT Governance and Management
    1. IT Governance Practices for Executives and Boards of Directors
      1. IT Governance
      2. IT Governance Frameworks
      3. IT Strategy Committee
      4. The Balanced Scorecard
      5. Information Security Governance
      6. Enterprise Architecture
    2. IT Strategic Planning
      1. The IT Steering Committee
    3. Policies, Processes, Procedures, and Standards
      1. Information Security Policy
      2. Privacy Policy
      3. Data Classification Policy
      4. System Classification Policy
      5. Site Classification Policy
      6. Access Control Policy
      7. Processes and Procedures
      8. Standards
      9. Applicable Laws, Regulations, and Standards
    4. Risk Management
      1. The Risk Management Program
      2. The Risk Management Process
      3. Risk Treatment
    5. IT Management Practices
      1. Personnel Management
      2. Sourcing
      3. Change Management
      4. Financial Management
      5. Quality Management
      6. Security Management
      7. Optimizing Performance
    6. Organization Structure and Responsibilities
      1. Roles and Responsibilities
      2. Segregation of Duties
    7. Business Continuity Planning
      1. Disasters
      2. The Business Continuity Planning Process
      3. Developing Continuity Plans
      4. Testing Recovery Plans
      5. Training Personnel
      6. Making Plans Available to Personnel When Needed
      7. Maintaining Recovery and Continuity Plans
      8. Sources for Best Practices
    8. Auditing IT Governance
      1. Auditing Documentation and Records
      2. Auditing Contracts
      3. Auditing Outsourcing
      4. Auditing Business Continuity Planning
    9. Summary
      1. Notes
      2. Questions
      3. Answers
  10. Chapter 3 The Audit Process
    1. Audit Management
      1. The Audit Charter
      2. The Audit Program
      3. Strategic Audit Planning
      4. Audit and Technology
      5. Audit Laws and Regulations
    2. ISACA Auditing Standards
      1. ISACA Code of Professional Ethics
      2. ISACA Audit Standards
      3. ISACA Audit Guidelines
      4. ISACA Audit Procedures
      5. Information Technology Assurance Framework (ITAF)
    3. Risk Analysis
      1. Auditors’ Risk Analysis and the Corporate Risk Management Program
      2. Evaluating Business Processes
      3. Identifying Business Risks
      4. Risk Mitigation
      5. Countermeasures Assessment
      6. Monitoring
    4. Internal Controls
      1. Control Classification
      2. Internal Control Objectives
      3. IS Control Objectives
      4. General Computing Controls
      5. IS Controls
    5. Performing an Audit
      1. Audit Objectives
      2. Types of Audits
      3. Compliance vs. Substantive Testing
      4. Audit Methodology
      5. Audit Evidence
      6. Reliance Upon the Work of Other Auditors
      7. Computer-Assisted Audit and Automated Work Papers
      8. Reporting Audit Results
      9. Other Audit Topics
    6. Control Self-Assessment
      1. Advantages and Disadvantages
      2. The Control Self-Assessment Life Cycle
      3. Self-Assessment Objectives
      4. Auditors and Self-Assessment
    7. Implementation of Audit Recommendations
    8. Summary
      1. Notes
      2. Questions
      3. Answers
  11. Chapter 4 IT Life Cycle Management
    1. Business Realization
      1. Portfolio and Program Management
      2. Business Case Development
      3. Measuring Business Benefits
    2. Project Management
      1. Organizing Projects
      2. Developing Project Objectives
      3. Managing Projects
      4. Project Roles and Responsibilities
      5. Project Planning
      6. Project Management Methodologies
    3. The Software Development Life Cycle (SDLC)
      1. SDLC Phases
      2. Software Development Risks
      3. Alternative Software Development Approaches and Techniques
      4. System Development Tools
      5. Acquiring Cloud-Based Infrastructure and Applications
    4. Infrastructure Development and Implementation
      1. Infrastructure
    5. Maintaining Information Systems
      1. The Change Management Process
      2. Configuration Management
    6. Business Processes
      1. The Business Process Life Cycle (BPLC) and Business Process Reengineering (BPR)
      2. Capability Maturity Models
    7. Application Controls
      1. Input Controls
      2. Processing Controls
      3. Output Controls
    8. Auditing the Software Development Life Cycle
      1. Auditing Project Management
      2. Auditing the Feasibility Study
      3. Auditing Requirements
      4. Auditing Design
      5. Auditing Software Acquisition
      6. Auditing Development
      7. Auditing Testing
      8. Auditing Implementation
      9. Auditing Post-implementation
      10. Auditing Change Management
      11. Auditing Configuration Management
    9. Auditing Business Controls
    10. Auditing Application Controls
      1. Transaction Flow
      2. Observations
      3. Data Integrity Testing
      4. Testing Online Processing Systems
      5. Auditing Applications
      6. Continuous Auditing
    11. Summary
      1. Notes
      2. Questions
      3. Answers
  12. Chapter 5 IT Service Delivery and Infrastructure
    1. Information Systems Operations
      1. Management and Control of Operations
      2. IT Service Management
      3. Infrastructure Operations
      4. Monitoring
      5. Software Program Library Management
      6. Quality Assurance
      7. Security Management
      8. Media Control
    2. Information Systems Hardware
      1. Computer Usage
      2. Computer Hardware Architecture
      3. Hardware Maintenance
      4. Hardware Monitoring
    3. Information Systems Architecture and Software
      1. Computer Operating Systems
      2. Data Communications Software
      3. File Systems
      4. Database Management Systems
      5. Media Management Systems
      6. Utility Software
      7. Software Licensing
      8. Digital Rights Management
    4. Network Infrastructure
      1. Network Architecture
      2. Network-Based Services
      3. Network Models
      4. Network Technologies
      5. Local Area Networks
      6. Wide Area Networks
      7. Wireless Networks
      8. TCP/IP Protocols and Devices
      9. The Global Internet
      10. Network Management
      11. Networked Applications
    5. Disaster Recovery Planning
      1. Disaster Response Teams’ Roles and Responsibilities
      2. Recovery Objectives
      3. Developing Recovery Strategies
      4. Developing Recovery Plans
      5. Data Backup and Recovery
      6. Testing DR Plans
    6. Auditing IS Infrastructure and Operations
      1. Auditing Information Systems Hardware
      2. Auditing Operating Systems
      3. Auditing File Systems
      4. Auditing Database Management Systems
      5. Auditing Network Infrastructure
      6. Auditing Network Operating Controls
      7. Auditing IS Operations
      8. Auditing Lights-Out Operations
      9. Auditing Problem Management Operations
      10. Auditing Monitoring Operations
      11. Auditing Procurement
      12. Auditing Disaster Recovery Planning
    7. Summary
      1. Notes
      2. Questions
      3. Answers
  13. Chapter 6 Information Asset Protection
    1. Information Security Management
      1. Aspects of Information Security Management
      2. Roles and Responsibilities
      3. Asset Inventory and Classification
      4. Access Controls
      5. Privacy
      6. Third-Party Management
      7. Human Resources Security
      8. Computer Crime
      9. Security Incident Management
      10. Forensic Investigations
    2. Logical Access Controls
      1. Access Control Concepts
      2. Access Control Models
      3. Access Control Threats
      4. Access Control Vulnerabilities
      5. Access Points and Methods of Entry
      6. Identification, Authentication, and Authorization
      7. Protecting Stored Information
      8. Managing User Access
      9. Protecting Mobile Computing
    3. Network Security Controls
      1. Network Security
      2. Securing Client-Server Applications
      3. Securing Wireless Networks
      4. Protecting Internet Communications
      5. Encryption
      6. Voice over IP
      7. Private Branch Exchange (PBX)
      8. Malware
      9. Information Leakage
    4. Environmental Controls
      1. Environmental Threats and Vulnerabilities
      2. Environmental Controls and Countermeasures
    5. Physical Security Controls
      1. Physical Access Threats and Vulnerabilities
      2. Physical Access Controls and Countermeasures
    6. Auditing Asset Protection
      1. Auditing Security Management
      2. Auditing Logical Access Controls
      3. Auditing Network Security Controls
      4. Auditing Environmental Controls
      5. Auditing Physical Security Controls
    7. Summary
      1. Notes
      2. Questions
      3. Answers
  14. Appendix A Conducting a Professional Audit
    1. Understanding the Audit Cycle
    2. How the Information Systems Audit Cycle Is Discussed
      1. “Client” and Other Terms in This Appendix
    3. Overview of the IS Audit Cycle
      1. Project Origination
      2. Engagement Letters and Audit Charters
      3. Ethics and Independence
    4. Launching a New Project: Planning an Audit
      1. Understanding the Client’s Needs
      2. Performing a Risk Assessment
      3. Audit Methodology
      4. Developing the Audit Plan
      5. Gathering Information—“PBC” Lists
      6. A Client’s Preparedness for an Audit
      7. Developing Audit Objectives
      8. Developing the Scope of an Audit
    5. Developing a Test Plan
      1. Understanding the Controls Environment
      2. Perform a Pre-audit (or “Readiness Assessment”)
      3. Organize a Testing Plan
      4. Resource Planning for the Audit Team
    6. Performing Control Testing
      1. Project Planning with the Client
      2. Gathering Testing Evidence
      3. Launching the Testing Phase
      4. Performing Tests of Control Existence
      5. Perform Testing of Control Operating Effectiveness
      6. Discovering Testing Exceptions
      7. Discovering Incidents Requiring Immediate Attention
      8. Materiality of Exceptions
      9. Developing Audit Opinions
      10. Developing Audit Recommendations
      11. Managing Supporting Documentation
    7. Delivering Audit Results
      1. Audit Report Contents
      2. Writing the Report
      3. Solicitation of Management’s Response
      4. Report Audiences
      5. Reviewing the Draft Report
      6. Delivery of the Report
      7. Additional Engagement Deliverables
    8. Audit Closing Procedures
      1. Audit Checklists
      2. Closing Meetings
      3. Final Sign-off with the Client
      4. Client Feedback and Evaluations
    9. Audit Follow-up
      1. Follow-up on Management’s Action Plans to Remediate Control Failures
      2. Retesting Issues in Succeeding Periods
    10. Summary
  15. Appendix B Popular Methodologies, Frameworks, and Guidance
    1. Common Terms and Concepts
      1. Governance
      2. Goals, Objectives, and Strategies
      3. Processes
      4. Capability Maturity Models
      5. Controls
      6. The Deming Cycle
      7. Projects
    2. Frameworks, Methodologies, and Guidance
      1. Business Model for Information Security (BMIS)
      2. COSO Internal Control Integrated Framework
      3. COBIT
      4. GTAG
      5. GAIT
      6. ISF Standard of Good Practice
      7. ISO/IEC 27001 and 27002
      8. ITAF
      9. ITIL
      10. PMBOK
      11. PRINCE2
      12. Risk IT
      13. Val IT
      14. Summary of Frameworks
      15. Pointers for Successful Use of Frameworks
    3. Notes
    4. References
  16. Appendix C About the CD-ROM
    1. System Requirements
    2. Installing and Running MasterExam
      1. MasterExam
    3. Electronic Book
    4. Help
    5. Removing Installation(s)
    6. Technical Support
      1. LearnKey Technical Support
  17. Glossary
  18. Index
  19. MediaCenter Page