FREE CISA Study Guide from http://ITauditSecurity.wordpress.com

ITauditSecurity’s CISA Study Guide

For a description of this guide, guidance on using it, and some warnings, see http://itauditsecurity.wordpress.com/2012/03/30/free-cisa-study-guide/

Table of Contents on next page

Copyright 2012, ITauditSecurity
Rev 2.0

NOTE: When this guide was created, the main sections of the exam were as follows:
• IS Audit process
• IT Governance
• Systems & Lifecycle Mgmt
• IT Service Delivery & Support
• Protection of Info Assets
• BCP and DRP
ISACA has since reorganized the sections, but that doesn’t affect the information itself.

Quick Review Info

Yellow highlight = ISACA emphasizes this as CISA must-know info
Blue highlight = good-to-know info

List of key items to recite from memory:
• 5 Task Statements – SPCCA
• 10 Knowledge Statements – SPGE – CRP – CCC
• 7 Code of Ethics – IPS PC DE
• 3 types of Standards
• 6 Project Mgmt – IP EMC
• Projects: Triple restraint: QRS & CDT
• 10 Audit Stages
• OSI – PDNTSPA
• TCP/IP – NDITA
• Capability Maturity Model – zeroIRDMO
• 6 SDLC – FRD DIP (don’t forget differences if software purchased)
• 6 Benchmarking – PROAAI

Table of Contents

Quick Review Info ... 1
> IS Audit Process ... 5
  5 Task Statements – SPCCA ... 5
  10 Knowledge Statements – SPGE – CRP – CCC ... 5
  7 Code of Ethics – IPS PC DE ... 5
  Information Tech Assurance Framework (ITAF) ... 6
    3 types of Standards (+ Guidelines & Techniques = ITAF) ... 6
    Policy/Standards ... 6
  Misc Notes ... 6
  Project Mgmt ... 6
    Project Estimation ... 7
  10 Audit Stages ... 7
  Engagement Letter vs. Audit Charter ... 8
    Charter – RAA ... 8
    Sampling ... 8
  Open Systems Interconnect (OSI) Model ... 10
  IP Addresses (32 bits) ... 11
    Packet Switching ... 11
> IT Governance ... 12
    CMM vs. ISO 15504 (SPICE) – PME PO ... 13
    Risk Management ... 13
    Business Process Reengineering (BPR) ... 13
    Risk Management ... 14
  Systems & System Development Life Cycle (SDLC) ... 15
    Alternatives to SDLC Project Organization ... 16
    Alternative Development Methods ... 17
    Physical Architecture Analysis (RADFFP) ... 18
  Change Control Procedures ... 19
    Change Management Auditing ... 19
    Emergency Changes ... 19
  Computer-aided Software Engineering (CASE) ... 19
    Key CASE Audit Issues ... 19
  Programming Languages ... 19
    Fourth-generation Languages ... 19
    4GL Types ... 20
  Application Controls ... 20
  Input Controls ... 20
    Input Control Techniques ... 21
  Processing Controls ... 22
  Output Controls ... 23
  Data Integrity ... 24
    Testing ... 24
    Data Integrity Requirements (ACID) ... 24
    Application Testing Methods ... 24
  Continuous Auditing Techniques ... 24
    E-commerce Risks ... 25
    EDI Controls ... 25
    Auditing EDI ... 26
    Digital Signatures ... 26
    Project Mgmt Organizational Alignment ... 28
> IT Service Delivery & Support ... 28
  IS Operations ... 28
  IS Hardware ... 28
  IS Architecture & Software ... 28
    Database Management System (DBMS) ... 28
    Database Structures ... 29
  Networking ... 29
  Wireless ... 30
  TCP/IP (32-bit) ... 30
    System Control ... 30
> Protection of Information Assets ... 31
    Key elements of Information Security Mgmt ... 31
    Inventory Classification ... 31
    Mandatory access control (MAC) ... 31
    Discretionary access control (DAC) ... 31
    Biometrics ... 31
    Bypassing Security Controls ... 32
  Wireless Security ... 32
  Firewalls ... 33
    Application Firewalls – 2 levels/types ... 33
    Stateful Inspection Firewalls ... 33
    Firewall implementations ... 34
  Intrusion Detection Systems (IDS) ... 34
    IDS Types ... 34
  Encryption ... 34
    Digital signatures ... 35
    Digital Envelope ... 35
    Encryption Risks ... 36
    Viruses ... 37
    VOIP ... 37
    Auditing Infosec Management Framework ... 38
    Computer Forensics (IPAP) ... 38
> BCP/DRP ... 38
Difference between ISACA book and Sybex ... 40

> IS Audit Process

5 Task Statements – SPCCA
• Develop & implement a risk-based IS audit strategy
• Plan specific audits
• Conduct audits
• Communicate issues, risks, results
• Advise on risk mgmt & control practices

10 Knowledge Statements – SPGE – CRP – CCC
• Standards/Code of Ethics
• Auditing practices/techniques
• Techniques to gather/preserve evidence
• Evidence lifecycle (collection, protection, chain of custody)
• Control objectives & controls
• Risk assessment
• Audit planning & mgmt
• Reporting/Communication
• CSA
• Continuous audit techniques

7 Code of Ethics – IPS PC DE
• Support the implementation of appropriate policies, standards, guidelines, and procedures for information systems.
• Perform your duties with objectivity, professional care, and due diligence in accordance with professional standards.
• Support the use of best practices.
• Serve the interests of stakeholders in an honest and lawful manner that reflects a credible image upon your profession.
• Maintain privacy and confidentiality of information obtained during your audit except for required disclosure to legal authorities.
• Undertake only those activities in which you are professionally competent; strive to improve your competency.
• Disclose accurate results of all work and significant facts to the appropriate parties.
• Support ongoing professional education to help stakeholders enhance their understanding of information systems security and control.
Information Tech Assurance Framework (ITAF)
• Provides guidance on design, conduct, and reporting of IT audit & assurance
• Establishes IT audit standards
• Consists of General, Performance, and Reporting standards; Guidelines; Tools & Techniques (TBA)

3 types of Standards (+ Guidelines & Techniques = ITAF)
• General – guiding principles for the IT assurance profession
• Performance – how to conduct IT assurance engagements
• Reporting – addresses types of reports, means of communication, and information to be communicated

Policy/Standards
• Policy, Standard, Procedure – mandatory
• Guideline – discretionary

Misc Notes
Purpose of audit: challenge mgmt assertions and determine whether the evidence supports mgmt claims

Types of audits:
• Internal – audit of your own organization; scope restrictions; cannot be used for licensing
• External – a customer auditing your organization, or you auditing a supplier
• Independent – 3rd-party audit used for licensing, certification, product approval

Compliance audit – verify presence or absence (of a control)
Substantive audit – check the content/substance and integrity of a claim

Risk – the potential that a given threat will exploit vulnerabilities of an asset (or group of assets) and thereby cause harm to the organization

CobiT – Control Objectives for Information and Related Technology. A framework consisting of strategies, processes, and procedures for leading IT organizations.

Project Mgmt
A project is unique, progressive (planning starts high-level and gets more detailed), and has start and end dates.
Triple restraint: QRS
• Quality
• Resources (cost, time)
• Scope

3 project elements: CDT
• Cost/resources
• Deliverables
• Time/duration

5 Process groups/phases of project management – IP EMC
• Initiating (2 components: scope & authorization)
• Planning (detail scope, goals, deliverables)
• Executing
• Monitoring & Controlling
• Closing

Earned value – current value of work already performed in a project

Project Estimation
• Source Lines of Code (SLOC) – traditional method (also Kilo LOC or KLOC) – direct, size-oriented measure
• Thousand Delivered Source Instructions (KDSI) – better with structured programming languages like BASIC, COBOL
• Function Point Analysis (FPA) – indirect measure
  o Based on number and complexity of inputs, outputs, files, interfaces, and user queries
  o Functions are weighted by complexity

Project Diagramming
• Gantt: resource details; schedule & sequence in waterfall style (MS Project); serial view with bars & diamonds
  o Shows concurrent and sequential activities
  o Shows project progress and the impact of completing a task early or late
• PERT (Program Evaluation Review Technique) – illustrates relationships between planned activities
  o Critical path (minimum steps, longest route, shortest time estimate for completion)
    Activities on the critical path have no slack time; activities with no slack time are on the critical path
    The route on which a project can be shortened (accelerated) or lengthened (delayed)
  o Quantitative measure for risk analysis: risk of delays, failure, and likely completion
  o 3 hourly estimates for each task’s effort: Optimistic, Most likely, and Pessimistic
    PERT time estimate for each task: [O + P + 4(M)] / 6

Timebox Management
• Define and deploy software deliverables in a short/fixed period of time
• Prevents cost overruns or delays from scheduled delivery
• Design/development shortened due to newer development tools/techniques

10 Audit Stages
1. Approving audit charter/engagement letter
2. Preplanning audit
3. Risk assessment
4. Determine whether audit is possible
5. Performing the actual audit
6. Gathering evidence
7. Performing audit tests
8. Analyzing results
9. Report results
10. Follow-up activities

Engagement Letter vs. Audit Charter
The difference is auditor independence (external vs. internal audit)

Charter – RAA
• Responsibility – scope with goals/objectives
• Authority – right to access & audit
• Accountability – agreement between auditor/Audit Committee; reporting requirements

2 foundational audit objectives:
• Test control implementation to determine if adequate safeguards are implemented
• Comply with legal requirements

Process technique – Shewhart – PDCA
1. Plan – is there a plan or method?
2. Do – does the work match the plan?
3. Check – is anyone monitoring the process?
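To make the Project Diagramming notes above concrete (the PERT estimate [O + P + 4(M)] / 6 and the rule that critical-path activities have zero slack), here is an added example that is not part of the study guide: it computes PERT estimates for a small constructed task graph and finds the critical path with a forward/backward pass. Task names, dependencies and the O/M/P hours are assumed sample data.

```python
# Added example (not from the study guide): PERT task estimates and
# critical-path analysis. Task names, dependencies and O/M/P hours are
# constructed sample data.
from typing import Dict, List, Tuple

# task -> ((optimistic, most likely, pessimistic) hours, predecessors); constructed
TASKS: Dict[str, Tuple[Tuple[float, float, float], List[str]]] = {
    "A": ((2, 4, 6), []),
    "B": ((1, 2, 9), ["A"]),      # pessimistic-heavy estimate
    "C": ((3, 5, 7), ["A"]),
    "D": ((2, 3, 4), ["B", "C"]),
}


def pert_estimate(o: float, m: float, p: float) -> float:
    """Expected task time using the guide's formula: [O + P + 4(M)] / 6."""
    return (o + p + 4 * m) / 6


def critical_path(tasks):
    """Forward/backward pass over the dependency graph.

    Returns (expected project duration, slack per task, critical tasks).
    The critical path is the longest route through the graph, so it fixes
    the shortest possible completion time; its tasks have zero slack.
    """
    est = {n: pert_estimate(*opm) for n, (opm, _) in tasks.items()}

    # Topological order (Kahn) so every predecessor is scheduled first
    order: List[str] = []
    remaining = dict(tasks)
    while remaining:
        ready = sorted(n for n, (_, preds) in remaining.items()
                       if all(p in order for p in preds))
        if not ready:
            raise ValueError("dependency cycle in task graph")
        order.extend(ready)
        for n in ready:
            del remaining[n]

    # Forward pass: earliest start/finish of each task
    early_start, early_finish = {}, {}
    for n in order:
        early_start[n] = max((early_finish[p] for p in tasks[n][1]), default=0.0)
        early_finish[n] = early_start[n] + est[n]
    duration = max(early_finish.values())

    # Backward pass: latest start that does not delay the project
    successors = {n: [s for s, (_, preds) in tasks.items() if n in preds] for n in tasks}
    late_start = {}
    for n in reversed(order):
        late_finish = min((late_start[s] for s in successors[n]), default=duration)
        late_start[n] = late_finish - est[n]

    slack = {n: round(late_start[n] - early_start[n], 6) for n in tasks}
    critical = [n for n in order if slack[n] == 0]
    return duration, slack, critical


if __name__ == "__main__":
    dur, slack, crit = critical_path(TASKS)
    print(f"expected duration: {dur} h; critical path: {' -> '.join(crit)}")
    for n in slack:
        print(f"  {n}: PERT estimate {pert_estimate(*TASKS[n][0])} h, slack {slack[n]} h")
```

With the sample data, B's pessimistic-heavy triple (1, 2, 9) still gives an estimate of 3 h, and the zero-slack tasks A, C, D form the critical path with a 12 h expected duration.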