You are previewing CISA Exam Cram™ 2.
O'Reilly logo
CISA Exam Cram™ 2

Book Description

Want an affordable yet innovative approach to studying for the Certified Information Systems Auditor (CISA) 2005 exam? CISA 2005 Exam Cram 2 is your solution. You will have the essential material for passing the CISA 2005 exam right at your fingertips. All exam objectives are covered and you'll find practice exams, exam alerts, notes, tips and cautions to help guide you through your exam preparation. A CD also provides you with a video introduction to the exam and complete explanations of answers to the practice questions from Certified Tech Trainers (CTT). As a special bonus, you will receive $75 in discounts on CTT products and services. For your smartest, most efficient way to get certified, choose CISA 2005 Exam Cram 2.

Table of Contents

  1. Copyright
    1. Dedication
  2. The CISA Cram Sheet
    1. IS Audit Process
    2. Management, Planning, and Organization of IS
    3. Technical Infrastructure and Operational Practices
    4. Protection of Information Assets
    5. Disaster Recovery and Business Continuity
    6. Business Application System Development, Acquisition, Implementation, and Maintenance
    7. Business Process Evaluation and Risk Management
  3. A Note from Series Editor Ed Tittel
  4. Acknowledgements
  5. About the Authors
  6. About the Technical Editor
  7. We Want to Hear from You!
  8. Introduction
    1. About the CISA Exam and Content Areas
    2. How to Prepare for the Exam
    3. Additional Exam-Preparation Resources
    4. What This Book Will Do
      1. Contacting the Authors
    5. What This Book Will Not Do
      1. About the Book
  9. Self-Assessment
    1. Certified Information Systems Auditors in the Real World
      1. The Ideal ISACA Certified Information Systems Auditor Candidate
      2. Put Yourself to the Test
        1. Educational Background
        2. Hands-On Experience
      3. Testing Your Exam Readiness
      4. Onward, Through the Fog!
  10. 1. The Information Systems (IS) Audit Process
    1. Conducting IS Audits in Accordance with Generally Accepted IS Audit Standards and Guidelines
    2. ISACA IS Auditing Standards and Guidelines and Code of Professional Ethics
      1. Auditing Standards Explained
        1. Codification
        2. Use
      2. The ISACA Code of Professional Ethics
    3. Ensuring That the Organization’s Information Technology and Business Systems Are Adequately Controlled, Monitored, and Assessed
      1. ISACA’S COBIT Framework
      2. Control Self-Assessment
    4. Risk-Based IS Audit Strategy and Objectives
    5. Aligning Controls with the Organization’s Business Objectives
      1. Steering Committee
      2. Strategic Planning
      3. Organizational Structure
      4. IT Department Head
      5. Security Department
      6. Quality Assurance
      7. Applications
      8. Data Management
      9. Technical Support
      10. Operations
    6. Segregation of Duties
    7. IS Auditing Practices and Techniques
    8. Audit Planning and Management Techniques
    9. Information Systems Audits
      1. Attestation
      2. Findings and Recommendations
      3. SAS 70
      4. SAS 94
      5. Attribute Sampling
      6. Variable Sampling
      7. Substantive Tests
      8. Compliance Tests
    10. Audit Conclusions
      1. Obtaining Evidence
      2. Organization’s Use of System Platforms, IT Infrastructure, and Applications
      3. Techniques to Gather Information and Preserve Evidence
    11. Control Objectives and Controls Related to IS (Such as Preventative and Detective)
    12. Reviewing the Audit
    13. Communicating Audit Results
    14. Facilitating Risk Management and Control Practices
      1. IS, Business, and Audit Risk (Such as Threats and Impacts)
    15. Risk-Analysis Methods, Principles, and Criteria
    16. Communication Techniques
    17. Personnel-Management Techniques
    18. Practice Questions
  11. 2. Management, Planning, and Organization of IS
    1. Strategy, Policies, Standards, and Procedures
      1. Strategic Planning
      2. IS Steering Committee
    2. The Components of IS Strategies, Policies, Standards, and Procedures
      1. Policy Development
      2. IT Policy
      3. Procedures
    3. Evaluating IS Management Practices to Ensure Compliance with IS Policies, Standards, and Procedures
    4. Evaluating the Process for Strategy Development, Deployment, and Maintenance
    5. Principles of IS Organizational Structure and Design
      1. Evaluating IS Organization and Structure
      2. Evaluating Use of Third-Party Services
    6. Examining IS Management and Practices
      1. IS Project-Management Strategies and Policies
    7. IT Governance, Risk Management, and Control Frameworks
    8. IS Problem- and Change-Management Strategies and Policies
    9. IS Quality-Management Strategies and Policies
    10. IS Information Security Management Strategies and Policies
    11. IS Business Continuity Management Strategies and Policies
    12. Contracting Strategies, Processes, and Contract-Management Practices
      1. Employee Contracts
      2. Confidentiality Agreement
      3. Trade Secret Agreements
      4. Discovery Agreements
      5. Noncompete Agreements
        1. Contract Audit Objectives
    13. Roles and Responsibilities of IS Functions (Including Segregation of Duties)
    14. Practices Related to the Management of Technical and Operational Infrastructure
      1. Problem Management/Resource Management Procedures
      2. Help Desk
      3. Scheduling
      4. Service-Level Agreements
      5. Key Performance Indicators and Performance-Measurement Techniques
    15. Exam Prep Questions
  12. 3. Technical Infrastructure and Operational Practices and Infrastructure
    1. IT Organizational Structure
    2. Evaluating Hardware Acquisition, Installation, and Maintenance
      1. Risks and Controls Relating to Hardware Platforms
      2. Change Control and Configuration Management Principles for Hardware
    3. Evaluating Systems Software Development, Acquisition, Implementation, and Maintenance
      1. Understanding Systems Software and Utilities Functionality
      2. Risks and Controls Related to System Software and Utilities
      3. Change Control and Configuration Management Principles for System Software
    4. Evaluating Network Infrastructure Acquisition, Installation, and Maintenance
      1. Understanding Network Components Functionality
        1. Step 1: Having and Managing a Thought (Data Encapsulation)
        2. Using OSI Layers 7–5 Within the Data PDU
        3. Using OSI Layer 4 Within the Segment PDU
        4. Using OSI Layer 3 Within the Packet PDU
        5. Using OSI Layer 2 Within the Frame PDU
        6. Using OSI Layer 1 Within the Bits PDU
      2. Networking Concepts and Devices
        1. Local Area Networks (LANs)
        2. How Ethernet Deals with Collisions
        3. Network Topologies
          1. Bus Topology
          2. Star Topology
          3. Ring Topology
        4. Wide Area Networks (WANs)
        5. Metropolitan Area Networks (MANs)
    5. The TCP/IP Protocol Suite
      1. Firewalls
      2. Packet-Filtering Firewalls
      3. Stateful Packet-Inspection Firewalls
      4. Proxy Firewalls
    6. Routers
      1. Modems
        1. Hubs and Switches
    7. Internet, Intranet, and Extranet
      1. Risks and Controls Related to Network Infrastructure
    8. Evaluating IS Operational Practices
      1. Risks and Controls Related to IS Operational Practices
    9. Evaluating the Use of System Performance and Monitoring Processes, Tools, and Techniques
    10. Exam Prep Questions
  13. 4. Protection of Information Assets
    1. Understanding and Evaluating Controls Design, Implementation, and Monitoring
    2. Logical Access Controls
      1. Techniques for Identification and Authentication
    3. Network Infrastructure Security
      1. Encryption Techniques
        1. Asymmetric Encryption (Public-Key Cryptography)
        2. Public Key Infrastructure (PKI)
      2. Digital Signature Techniques
      3. Network and Internet Security
      4. Security Software
      5. Voice Communications Security
    4. Environmental Protection Practices and Devices
    5. Physical Access
      1. Physical Security Practices
    6. Intrusion Methods and Techniques
      1. Passive and Active Attacks
      2. Viruses
    7. Security Testing and Assessment Tools
    8. Sources of Information on Information Security
    9. Security Monitoring, Detection, and Escalation Processes and Techniques
    10. The Processes of Design, Implementation, and Monitoring of Security
      1. Review Written Policies, Procedures, and Standards
      2. Logical Access Security Policy
      3. Formal Security Awareness and Training
      4. Data Ownership
      5. Security Administrators
      6. Access Standards
      7. Auditing Logical Access
    11. Exam Prep Questions
  14. 5. Disaster Recovery and Business Continuity
    1. Understanding and Evaluating Process Development
    2. Crisis Management and Business Impact Analysis Techniques
    3. Disaster Recovery and Business Continuity Planning and Processes
      1. Hot Sites
      2. Warm Sites
      3. Cold Site
      4. Duplicate Processing Facilities
      5. Reciprocal Agreements
    4. Backup and Storage Methods and Practices
      1. Backup Definitions
      2. Tape Storage
      3. Storage Area Networks and Electronic Vaulting
    5. Disaster Recovery and Business Continuity Testing Approaches and Methods
      1. Paper Test
      2. Walk-Through Testing
      3. Preparedness Test (Full Test)
      4. Full Operational Test
    6. Understanding and Evaluating Business Continuity Planning, Documentation, Processes, and Maintenance
      1. Evaluating the Organization’s Capability to Ensure Business Continuity in the Event of a Business Disruption
      2. Evaluating Backup and Recovery Provisions in the Event of a Short-Term Disruption
      3. Evaluating the Capability to Continue Information System Processing in the Event That the Primary Information-Processing Facilities Are Not Available
    7. Insurance in Relation to Business Continuity and Disaster Recovery
      1. Property Insurance
      2. Liability Insurance
    8. Human Resource Issues (Evacuation Planning, Response Teams)
    9. Exam Prep Questions
  15. 6. Business Application System Development, Acquisition, Implementation, and Maintenance
    1. Evaluating Application Systems Development and Implementation
    2. System-Development Methodologies and Tools
      1. Prototyping
      2. RAD
      3. The Phases of the SDLC
        1. Phase 1: Feasibility
        2. Phase 2: Requirements Definition
        3. Phase 3: Design
        4. Phase 4: Development
        5. Phase 5: Implementation
    3. Project-Management Principles, Methods, and Practices
    4. Application-Maintenance Principles
      1. Post-Implementation Review Techniques
    5. Evaluating Application Systems Acquisition and Implementation
      1. Application-Implementation Practices
      2. Application System-Acquisition Processes
      3. Application Change Control and Emergency Change-Management Procedures
    6. Evaluating Application Systems
      1. Application Architecture
      2. Software Quality-Assurance Methods
      3. Testing Principles, Methods, and Practices
    7. Exam Prep Questions
  16. 7. Business Process Evaluation and Risk Management
    1. Evaluating IS Efficiency and Effectiveness of Information Systems in Supporting Business Processes
      1. Methods and Approaches for Designing and Improving Business Procedures
        1. Benchmarking
        2. Business Process Re-engineering (BPR)
      2. Business Performance Indicators
    2. Evaluating the Design and Implementation of Programmed and Manual Controls
      1. Business Process Controls
        1. Input/Output Controls
          1. Input Authorization
          2. Batch Controls
          3. Processing, Validation, and Editing
          4. Processing Control Procedures
          5. Output Controls
          6. Data Integrity Controls
          7. Electronic Data Interchange (EDI)
    3. Evaluating Business Process Change Projects
    4. Evaluating the Implementation of Risk Management and Governance
    5. Exam Prep Questions
  17. 8. Practice Exam 1
  18. 9. Answer Key 1
  19. 10. Practice Exam 2
  20. 11. Answer Key 2
  21. A CD Contents and Installation Instructions
    1. Multiple Test Modes
      1. Wrong Answer Feedback
      2. Retake a Previous Exam from Your Exam History
      3. Configure Your Own Custom Exam
      4. Start Your Exam from a Predefined Set of Questions
      5. Custom Exam Mode
    2. Question Types
    3. Random Questions and Order of Answers
    4. Detailed Explanations of Correct and Incorrect Answers
    5. Attention to Exam Objectives
    6. Installing the CD
    7. Technical Support
  22. CISA Glossary