CISA Certified Information Systems Auditor All-in-One Exam Guide, Third Edition, 3rd Edition

Book Description

This up-to-date self-study system offers 100% coverage of every topic on the 2016 version of the CISA exam

The fully revised new edition delivers complete coverage of every topic on the latest release of the Certified Information Systems Auditor (CISA) exam. Written by an IT security and auditing expert, CISA Certified Information Systems Auditor All-in-One Exam Guide, Third Edition, covers all five exam domains developed by the Information Systems Audit and Control Association (ISACA).

This effective self-study system features learning objectives at the beginning of each chapter, in-depth explanations of each topic, and accurate practice questions. Each chapter includes Exam Tips that highlight key exam information, hands-on exercises, a chapter summary that serves as a quick review, and end-of-chapter questions that simulate those on the actual exam. Designed to help you pass the CISA exam with ease, this trusted guide also serves as an ideal on-the-job reference.

• Electronic content includes 400 multiple-choice practice questions and a PDF copy of the book
• Practice questions match the format, content, and tone of the actual exam
• Written by an experienced certification author with 30+ years of IT experience

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Dedication
  5. Contents
  6. Acknowledgments
  7. Introduction
  8. Chapter 1 Becoming a CISA
    1. Benefits of CISA Certification
    2. The CISA Certification Process
      1. Experience Requirements
    3. ISACA Code of Professional Ethics
    4. ISACA IS Standards
    5. The Certification Exam
    6. Exam Preparation
      1. Before the Exam
      2. Day of the Exam
      3. After the Exam
    7. Applying for CISA Certification
    8. Retaining Your CISA Certification
      1. Continuing Education
      2. CPE Maintenance Fees
    9. Revocation of Certification
    10. CISA Exam Preparation Pointers
    11. Summary
  9. Chapter 2 IT Governance and Management
    1. IT Governance Practices for Executives and Boards of Directors
      1. IT Governance
      2. IT Governance Frameworks
      3. IT Strategy Committee
      4. The Balanced Scorecard
      5. Information Security Governance
    2. IT Strategic Planning
      1. The IT Steering Committee
    3. Policies, Processes, Procedures, and Standards
      1. Information Security Policy
      2. Privacy Policy
      3. Data Classification Policy
      4. System Classification Policy
      5. Site Classification Policy
      6. Access Control Policy
      7. Mobile Device Policy
      8. Social Media Policy
      9. Other Policies
      10. Processes and Procedures
      11. Standards
      12. Applicable Laws, Regulations, and Standards
    4. Risk Management
      1. The Risk Management Program
      2. The Risk Management Process
      3. Risk Treatment
    5. IT Management Practices
      1. Personnel Management
      2. Sourcing
      3. Change Management
      4. Financial Management
      5. Quality Management
      6. Portfolio Management
      7. Controls Management
      8. Security Management
      9. Performance and Capacity Management
    6. Organization Structure and Responsibilities
      1. Roles and Responsibilities
      2. Segregation of Duties
    7. Business Continuity Planning
      1. Disasters
      2. The Business Continuity Planning Process
      3. Developing Continuity Plans
      4. Testing Recovery Plans
      5. Training Personnel
      6. Making Plans Available to Personnel When Needed
      7. Maintaining Recovery and Continuity Plans
      8. Sources for Best Practices
    8. Auditing IT Governance
      1. Auditing Documentation and Records
      2. Auditing Contracts
      3. Auditing Outsourcing
      4. Auditing Business Continuity Planning
    9. Summary
      1. Notes
      2. Questions
      3. Answers
  10. Chapter 3 The Audit Process
    1. Audit Management
      1. The Audit Charter
      2. The Audit Program
      3. Strategic Audit Planning
      4. Audit and Technology
      5. Audit Laws and Regulations
    2. ISACA Auditing Standards
      1. ISACA Code of Professional Ethics
      2. ISACA Audit and Assurance Standards
      3. ISACA Audit and Assurance Guidelines
    3. Risk Analysis
      1. Auditors’ Risk Analysis and the Corporate Risk Management Program
      2. Evaluating Business Processes
      3. Identifying Business Risks
      4. Risk Mitigation
      5. Countermeasures Assessment
      6. Monitoring
    4. Controls
      1. Control Classification
      2. Internal Control Objectives
      3. IS Control Objectives
      4. General Computing Controls
      5. IS Controls
    5. Performing an Audit
      1. Audit Objectives
      2. Types of Audits
      3. Compliance vs. Substantive Testing
      4. Audit Methodology
      5. Audit Evidence
      6. Reliance Upon the Work of Other Auditors
      7. Computer-Assisted Audit and Automated Work Papers
      8. Reporting Audit Results
      9. Other Audit Topics
    6. Control Self-Assessment
      1. CSA Advantages and Disadvantages
      2. The Control Self-Assessment Life Cycle
      3. Self-Assessment Objectives
      4. Auditors and Self-Assessment
    7. Implementation of Audit Recommendations
    8. Summary
      1. Notes
      2. Questions
      3. Answers
  11. Chapter 4 IT Life Cycle Management
    1. Benefits Realization
      1. Portfolio and Program Management
      2. Business Case Development
      3. Measuring Business Benefits
    2. Project Management
      1. Organizing Projects
      2. Developing Project Objectives
      3. Managing Projects
      4. Project Roles and Responsibilities
      5. Project Planning
      6. Project Management Methodologies
    3. The System Development Life Cycle (SDLC)
      1. SDLC Phases
      2. Software Development Risks
      3. Alternative Software Development Approaches and Techniques
      4. System Development Tools
      5. Acquiring Cloud-Based Infrastructure and Applications
    4. Infrastructure Development and Implementation
      1. Review of Existing Architecture
      2. Requirements
      3. Design
      4. Procurement
      5. Testing
      6. Implementation
      7. Maintenance
    5. Maintaining Information Systems
      1. Change Management
      2. Configuration Management
    6. Business Processes
      1. The Business Process Life Cycle (BPLC) and Business Process Reengineering (BPR)
      2. Capability Maturity Models
    7. Managing Third Parties
      1. Risk Factors
      2. Onboarding and Due Diligence
      3. Classification
      4. Assessment
      5. Remediation
    8. Enterprise Architecture
      1. The Zachman Framework
      2. Data Flow Diagrams
    9. Application Controls
      1. Input Controls
      2. Processing Controls
      3. Output Controls
    10. Auditing the System Development Life Cycle
      1. Auditing Project Management
      2. Auditing the Feasibility Study
      3. Auditing Requirements
      4. Auditing Design
      5. Auditing Software Acquisition
      6. Auditing Development
      7. Auditing Testing
      8. Auditing Implementation
      9. Auditing Post-Implementation
      10. Auditing Change Management
      11. Auditing Configuration Management
    11. Auditing Business Controls
    12. Auditing Application Controls
      1. Transaction Flow
      2. Observations
      3. Data Integrity Testing
      4. Testing Online Processing Systems
      5. Auditing Applications
      6. Continuous Auditing
    13. Auditing Third-Party Management
    14. Summary
      1. Notes
      2. Questions
      3. Answers
  12. Chapter 5 IT Service Delivery and Infrastructure
    1. Information Systems Operations
      1. Management and Control of Operations
      2. IT Service Management
      3. IT Operations and Exception Handling
      4. End-User Computing
      5. Software Program Library Management
      6. Quality Assurance
      7. Security Management
      8. Media Control
      9. Data Management
    2. Information Systems Hardware
      1. Computer Usage
      2. Computer Hardware Architecture
      3. Hardware Maintenance
      4. Hardware Monitoring
    3. Information Systems Architecture and Software
      1. Computer Operating Systems
      2. Data Communications Software
      3. File Systems
      4. Database Management Systems
      5. Media Management Systems
      6. Utility Software
      7. Software Licensing
      8. Digital Rights Management
    4. Network Infrastructure
      1. Enterprise Architecture
      2. Network Architecture
      3. Network-Based Services
      4. Network Models
      5. Network Technologies
      6. Local Area Networks
      7. Wide Area Networks
      8. Wireless Networks
      9. TCP/IP Protocols and Devices
      10. The Global Internet
      11. Network Management
      12. Networked Applications
    5. Disaster Recovery Planning
      1. Disaster Response Teams’ Roles and Responsibilities
      2. Recovery Objectives
      3. Developing Recovery Strategies
      4. Developing Recovery Plans
      5. Data Backup and Recovery
      6. Testing DR Plans
    6. Auditing IT Infrastructure and Operations
      1. Auditing Information Systems Hardware
      2. Auditing Operating Systems
      3. Auditing File Systems
      4. Auditing Database Management Systems
      5. Auditing Network Infrastructure
      6. Auditing Network Operating Controls
      7. Auditing IT Operations
      8. Auditing Lights-Out Operations
      9. Auditing Problem Management Operations
      10. Auditing Monitoring Operations
      11. Auditing Procurement
      12. Auditing Disaster Recovery Planning
    7. Summary
      1. Notes
      2. Questions
      3. Answers
  13. Chapter 6 Information Asset Protection
    1. Information Security Management
      1. Aspects of Information Security Management
      2. Roles and Responsibilities
      3. Business Alignment
      4. Asset Inventory and Classification
      5. Access Controls
      6. Privacy
      7. Third-Party Management
      8. Human Resources Security
      9. Computer Crime
      10. Security Incident Management
      11. Forensic Investigations
    2. Logical Access Controls
      1. Access Control Concepts
      2. Access Control Models
      3. Access Control Threats
      4. Access Control Vulnerabilities
      5. Access Points and Methods of Entry
      6. Identification, Authentication, and Authorization
      7. Protecting Stored Information
      8. Managing User Access
      9. Protecting Mobile Computing
    3. Network Security Controls
      1. Network Security
      2. Securing Client-Server Applications
      3. Securing Wireless Networks
      4. Protecting Internet Communications
      5. Encryption
      6. Voice over IP
      7. Private Branch Exchange (PBX)
      8. Malware
      9. Information Leakage
    4. Environmental Controls
      1. Environmental Threats and Vulnerabilities
      2. Environmental Controls and Countermeasures
    5. Physical Security Controls
      1. Physical Access Threats and Vulnerabilities
      2. Physical Access Controls and Countermeasures
    6. Auditing Asset Protection
      1. Auditing Security Management
      2. Auditing Logical Access Controls
      3. Auditing Network Security Controls
      4. Auditing Environmental Controls
      5. Auditing Physical Security Controls
    7. Summary
      1. Notes
      2. Questions
      3. Answers
  14. Appendix A Conducting a Professional Audit
    1. Understanding the Audit Cycle
    2. How the Information Systems Audit Cycle Is Discussed
      1. “Client” and Other Terms in This Appendix
    3. Overview of the IS Audit Cycle
      1. Project Origination
      2. Engagement Letters and Audit Charters
      3. Ethics and Independence
      4. Launching a New Project: Planning an Audit
      5. Developing the Audit Plan
      6. Developing a Test Plan
      7. Performing a Pre-Audit (or “Readiness Assessment”)
      8. Organizing a Testing Plan
      9. Resource Planning for the Audit Team
      10. Performing Control Testing
      11. Developing Audit Opinions
      12. Developing Audit Recommendations
      13. Managing Supporting Documentation
      14. Delivering Audit Results
      15. Management Response
      16. Audit Closing Procedures
      17. Audit Follow-up
    4. Summary
  15. Appendix B Popular Methodologies, Frameworks, and Guidance
    1. Common Terms and Concepts
      1. Governance
      2. Goals, Objectives, and Strategies
      3. Processes
      4. Capability Maturity Models
      5. Controls
      6. The Deming Cycle
      7. Projects
    2. Frameworks, Methodologies, and Guidance
      1. Business Model for Information Security (BMIS)
      2. COSO Internal Control – Integrated Framework
      3. COBIT
      4. GTAG
      5. GAIT
      6. ISF Standard of Good Practice for Information Security
      7. ISO/IEC 27001 and 27002
      8. ITAF
      9. ITIL
      10. PMBOK Guide
      11. PRINCE2
      12. Risk IT
      13. Val IT
      14. Summary of Frameworks
      15. Pointers for Successful Use of Frameworks
    3. Notes
    4. References
  16. Appendix C About the Download
    1. System Requirements
    2. Installing and Running Total Tester
    3. Total Tester Premium Practice Exam Software
    4. Technical Support
  17. Glossary
  18. Index