CISA® Certified Information Systems Auditor All-in-One Exam Guide

Book Description

"All-in-One is All You Need."

Get complete coverage of all the material included on the Certified Information Systems Auditor exam inside this comprehensive resource. Written by an IT security and audit expert, this authoritative guide covers all six exam domains developed by the Information Systems Audit and Control Association (ISACA). You'll find learning objectives at the beginning of each chapter, exam tips, practice exam questions, and in-depth explanations. Designed to help you pass the CISA exam with ease, this definitive volume also serves as an essential on-the-job reference.

Covers all exam topics, including:

• IS audit process

• IT governance

• Network technology and security

• Systems and infrastructure life-cycle management

• IT service delivery and support

• Protection of information assets

• Physical security

• Business continuity and disaster recovery

Peter H. Gregory, DRCE, CISSP, CISA, is a security and risk manager at a financial management company. He is a member of the board of advisors and is the lead instructor for the University of Washington's certificate program in Information Systems Security.

Table of Contents

  1. Cover Page
  2. CISA Certified Information Systems Auditor All-in-One Exam Guide
  3. Copyright Page
  4. CD Page
  5. Contents at a Glance
  6. Contents
  7. Acknowledgments
  8. Introduction
  9. Chapter 1 Becoming a CISA
    1. Benefits of CISA Certification
    2. Becoming a CISA
    3. Experience Requirements
      1. Direct Work Experience
      2. Substitution of Experience
    4. ISACA Code of Professional Ethics
      1. ISACA IS Standards
    5. The Certification Exam
    6. Preparing for the Exam
      1. Before the Exam
      2. Day of the Exam
      3. After the Exam
    7. Applying for Certification
    8. Retaining Certification
      1. Continuing Education
      2. CPE Maintenance Fees
    9. Revocation of Certification
    10. CISA Exam Preparation Pointers
    11. Summary
  10. Chapter 2 IT Governance and Risk Management
    1. Practices for Executives and Board of Directors
      1. IT Governance
      2. IT Strategy Committee
      3. The Balanced Scorecard
      4. Information Security Governance
      5. Enterprise Architecture
    2. IT Strategic Planning
      1. The IT Steering Committee
    3. Policy, Processes, Procedures, and Standards
      1. Information Security Policy
      2. Privacy Policy
      3. Procedures
      4. Standards
    4. Risk Management
      1. The Risk Management Program
      2. The Risk Management Process
      3. Risk Treatment
    5. IT Management Practices
      1. Personnel Management
      2. Sourcing
      3. Change Management
      4. Financial Management
      5. Quality Management
      6. Security Management
      7. Optimizing Performance
    6. Organization Structure and Responsibilities
      1. Roles and Responsibilities
      2. Segregation of Duties
    7. Auditing IT Governance
      1. Reviewing Documentation and Records
      2. Reviewing Contracts
      3. Reviewing Outsourcing
    8. Summary
    9. Notes
      1. Questions
      2. Answers
  11. Chapter 3 The Audit Process
    1. Audit Management
      1. The Audit Charter
      2. The Audit Program
      3. Strategic Audit Planning
      4. Audit and Technology
      5. Audit Laws and Regulations
    2. ISACA Auditing Standards
      1. ISACA Code of Professional Ethics
      2. ISACA Audit Standards
      3. ISACA Audit Guidelines
      4. ISACA Audit Procedures
    3. Risk Analysis
      1. Auditors’ Risk Analysis and the Corporate Risk Management Program
      2. Evaluating Business Processes
      3. Identifying Business Risks
      4. Risk Mitigation
      5. Countermeasures Assessment
      6. Monitoring
    4. Internal Controls
      1. Control Classification
      2. Internal Control Objectives
      3. IS Control Objectives
      4. General Computing Controls
      5. IS Controls
    5. Performing an Audit
      1. Audit Objectives
      2. Types of Audits
      3. Compliance vs. Substantive Testing
      4. Audit Methodology
      5. Audit Evidence
      6. Computer-Assisted Audit
      7. Reporting Audit Results
      8. Other Audit Topics
    6. Using External Auditors
    7. Control Self-Assessment
      1. Advantages and Disadvantages
      2. The Self-Assessment Life Cycle
      3. Self-Assessment Objectives
      4. Auditors and Self-Assessment
    8. Implementation of Audit Recommendations
    9. Notes
    10. Summary
      1. Questions
      2. Answers
  12. Chapter 4 IT Life-Cycle Management
    1. Business Realization
      1. Portfolio and Program Management
      2. Business Case Development
      3. Measuring Business Benefits
    2. Project Management
      1. Organizing Projects
      2. Developing Project Objectives
      3. Managing Projects
      4. Project Roles and Responsibilities
      5. Project Planning
      6. Project Management Methodologies
    3. The Software Development Life Cycle (SDLC)
      1. SDLC Phases
      2. Software Development Risks
      3. Alternative Software Development Approaches and Techniques
      4. System Development Tools
    4. Infrastructure Development and Implementation
      1. Infrastructure
    5. Maintaining Information Systems
      1. The Change Management Process
      2. Configuration Management
    6. Business Processes
      1. The Business Process Life Cycle (BPLC)
      2. Capability Maturity Models
    7. Application Controls
      1. Input Controls
      2. Processing Controls
      3. Output Controls
    8. Auditing the Software Development Life Cycle
      1. Auditing Project Management
      2. Auditing the Feasibility Study
      3. Auditing Requirements
      4. Auditing Design
      5. Auditing Software Acquisition
      6. Auditing Development
      7. Auditing Testing
      8. Auditing Implementation
      9. Auditing Post-Implementation
      10. Auditing Change Management
      11. Auditing Configuration Management
    9. Auditing Business Controls
    10. Auditing Application Controls
      1. Transaction Flow
      2. Observations
      3. Data Integrity Testing
      4. Testing Online Processing Systems
      5. Auditing Applications
      6. Continuous Auditing
    11. Summary
    12. Notes
      1. Questions
      2. Answers
  13. Chapter 5 IT Service Delivery and Infrastructure
    1. Information Systems Operations
      1. Management and Control of Operations
      2. IT Service Management
      3. Infrastructure Operations
      4. Monitoring
      5. Software Program Library Management
      6. Quality Assurance
      7. Security Management
    2. Information Systems Hardware
      1. Computer Usage
      2. Computer Hardware Architecture
      3. Hardware Maintenance
      4. Hardware Monitoring
    3. Information Systems Architecture and Software
      1. Computer Operating Systems
      2. Data Communications Software
      3. File Systems
      4. Database Management Systems
      5. Media Management Systems
      6. Utility Software
    4. Network Infrastructure
      1. Network Architecture
      2. Network-Based Services
      3. Network Models
      4. Network Technologies
      5. Local Area Networks
      6. Wide Area Networks
      7. Wireless Networks
      8. The TCP/IP Suite of Protocols
      9. The Global Internet
      10. Network Management
      11. Networked Applications
    5. Auditing IS Infrastructure and Operations
      1. Auditing IS Hardware
      2. Auditing Operating Systems
      3. Auditing File Systems
      4. Auditing Database Management Systems
      5. Auditing Network Infrastructure
      6. Auditing Network Operating Controls
      7. Auditing IS Operations
      8. Auditing Lights-Out Operations
      9. Auditing Problem Management Operations
      10. Auditing Monitoring Operations
      11. Auditing Procurement
      12. Questions
      13. Answers
  14. Chapter 6 Information Asset Protection
    1. Information Security Management
      1. Aspects of Information Security Management
      2. Roles and Responsibilities
      3. Asset Inventory and Classification
      4. Access Controls
      5. Privacy
      6. Third-Party Management
      7. Human Resources Security
      8. Computer Crime
      9. Security Incident Management
      10. Forensic Investigations
    2. Logical Access Controls
      1. Access Control Concepts
      2. Access Control Models
      3. Threats
      4. Vulnerabilities
      5. Access Points and Methods of Entry
      6. Identification, Authentication, and Authorization
      7. Protecting Stored Information
      8. Managing User Access
      9. Protecting Mobile Devices
    3. Network Security Controls
      1. Network Security
      2. Securing Client-Server Applications
      3. Securing Wireless Networks
      4. Protecting Internet Communications
      5. Encryption
      6. Voice over IP (VoIP)
      7. Private Branch Exchange (PBX)
      8. Malware
      9. Information Leakage
    4. Environmental Controls
      1. Environmental Threats and Vulnerabilities
      2. Environmental Controls and Countermeasures
    5. Physical Security Controls
      1. Physical Access Threats and Vulnerabilities
      2. Physical Access Controls and Countermeasures
    6. Auditing Asset Protection
      1. Auditing Security Management
      2. Auditing Logical Access Controls
      3. Auditing Network Security Controls
      4. Auditing Environmental Controls
      5. Auditing Physical Security Controls
    7. Notes
    8. Summary
      1. Questions
      2. Answers
  15. Chapter 7 Business Continuity and Disaster Recovery
    1. Disasters
      1. Types of Disasters
      2. How Disasters Affect Organizations
    2. The BCP Process
      1. BCP Policy
      2. Business Impact Analysis (BIA)
      3. Criticality Analysis
      4. Establishing Key Targets
      5. Developing Recovery Strategies
      6. Developing Recovery and Continuity Plans
      7. Considerations for Continuity and Recovery Plans
      8. Components of a Business Continuity Plan
    3. Testing Recovery Plans
      1. Testing Recovery and Continuity Plans
      2. Documenting Test Results
      3. Improving Recovery and Continuity Plans
    4. Training Personnel
    5. Making Plans Available to Personnel When Needed
    6. Maintaining Recovery and Continuity Plans
    7. Sources for Best Practices
    8. Auditing Business Continuity and Disaster Recovery
      1. Reviewing Business Continuity and Disaster Recovery Plans
      2. Reviewing Prior Test Results and Action Plans
      3. Evaluating Off-Site Storage
      4. Evaluating Alternative Processing Facilities
      5. Interviewing Key Personnel
      6. Reviewing Service Provider Contracts
      7. Reviewing Insurance Coverage
    9. Summary
    10. Notes
      1. Questions
      2. Answers
  16. Appendix A Conducting a Professional Audit
    1. Introduction
      1. Understanding the Audit Cycle
      2. How the Information Systems Audit Cycle Is Discussed
      3. Use of the Word “Client” in This Appendix
    2. Overview of the IS Audit Cycle
      1. IS Audit Cycle at a High Level
        1. Project Origination
        2. Engagement Letters (“Contracts”) and Audit Charters
        3. Ethics and Independence
      2. Launching a New Project: Planning an Audit
        1. Understanding the Client’s Needs
        2. Performing a Risk Assessment
        3. Audit Methodology
      3. Developing the Audit Plan
      4. Gathering Information—“PBC” Lists
      5. A Client’s Preparedness for an Audit
      6. Developing Audit Objectives
      7. Developing the Scope of an Audit
    3. Developing a Testing Plan
      1. Understand the Controls Environment
      2. Perform a Pre-audit (or “Readiness Assessment”)
      3. Organize a Testing Plan
      4. Resource Planning for the Audit Team
    4. Project Execution
      1. Project Planning with the Client
      2. Gathering Testing Evidence
      3. Launching Testing
      4. Performing Tests of Control Existence
      5. Perform Testing of Control Operating Effectiveness
      6. Discovering Testing Exceptions
      7. Discovering Incidents Requiring Immediate Attention
      8. Materiality of Exceptions
      9. Developing Audit Opinions
      10. Developing Audit Recommendations
      11. Managing Supporting Documentation
    5. Delivering Final Reports
      1. Writing the Report
      2. Solicitation of Management’s Response
    6. Audit Closing Procedures
      1. Audit Checklists
      2. Delivery of the Report
      3. Final Sign-off with the Client
    7. Audit Follow-up
      1. Retesting the Previous Period’s Failed Controls
      2. Follow-up on Management’s Action Plans to Remediate Control Failures
      3. Client Feedback and Evaluations
  17. Appendix B Popular Methodologies, Frameworks, and Guidance
    1. Common Terms and Concepts
      1. Governance
      2. Goals, Objectives, Strategies
      3. Processes
      4. Capability Maturity Models
      5. Controls
      6. The Deming Cycle
      7. Projects
    2. Frameworks, Methodologies, and Guidance
      1. COSO Internal Control Integrated Framework
      2. COBIT
      3. GTAG
      4. GAIT
      5. ISF Standard of Good Practice
      6. ISO/IEC 27001 and 27002
      7. ITIL
      8. PMBOK
      9. PRINCE2
      10. Summary of Frameworks
      11. Pointers for Successful Use of Frameworks
    3. Summary
  18. Appendix C About the CD
    1. System Requirements
    2. Installing and Running MasterExam
      1. MasterExam
    3. Electronic Book
    4. Help
    5. Removing Installation(s)
    6. Technical Support
      1. LearnKey Technical Support
  19. Glossary
  20. Index
  21. Media Center Page