1. CISA Exam Passing Principles
2. The job profile of the CISA® (Certified Information Systems Auditor) was published in 1977. Since then, innumerable individuals around the world have passed this demanding examination, which has been consistently updated in line with changing requirements; the examination takes place simultaneously in 80 countries, currently in 12 languages. Successful candidates who also meet the professional practice/experience requirement obtain the coveted CISA® designation.
2.1. Covers
2.1.1. It covers 5 domains, 38 tasks and 79 knowledge statements (statements covering the required technical knowledge).
2.1.1.1. Since the task statements are consistently referenced to the pertaining COBIT® processes, COBIT® has thus become an integral component of the CISA® curriculum and certification.
2.2. Designation
2.2.1. The CISA® certification / designation reflects a solid achievement record in the area of audit, control and security of information systems.
2.2.2. CISA® is the only globally recognized certification in the area of audit, control and security of information systems; because its requirements are stringent and identical worldwide, it is recognized internationally.
2.2.2.1. Internationally operating corporations and locally operating enterprises appreciate these merits alike.
2.3. The CISA® job profile has so far been consistently revised in 4 to 6 year intervals (the last time in 2010).
3. Official Recommended exam study materials
3.1. Glossary
3.1.1. http://www.isaca.org/Knowledge-Center/Documents/Glossary/cisa_glossary.pdf
3.2. Development Guides
3.2.1. ISACA® CISA® Item Development Guide
3.2.1.1. https://www.isaca.org/Certification/Write-an-Exam-Question/Documents/CISA-Item-Development-Guide.pdf
3.2.2. ISACA® CISA® QAE Item Development Guide
3.2.2.1. https://www.isaca.org/Certification/Write-an-Exam-Question/Documents/CISA-QAE-Item-Development-Guide.pdf
3.3. ISACA® CISA® Review Manual 2015
3.3.1. https://www.isaca.org/bookstore/Pages/Product-Detail.aspx?Product_code=CRM15
3.4. ISACA® CISA® Review Questions, Answers & Explanations Manual 2015 Supplement
3.4.1. https://www.isaca.org/bookstore/Pages/Product-Detail.aspx?Product_code=QAE15ES
3.5. ISACA® CISA® Practice Question Database
3.5.1. https://www.isaca.org/bookstore/Pages/Product-Detail.aspx?Product_code=XMXCA15-12M
4. CISA® Official website
4.1. http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Pages/default.aspx
5. Overview of the CISA® certification
5.1. About the CISA® exam
5.1.1. CISA® exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards.
5.1.2. PBE & CBE (only pencil & eraser are allowed).
5.1.2.1. PBE - Paper based exam.
5.1.2.2. CBE - Closed book exam.
5.1.3. 4 hour exam.
5.1.4. 200 multiple choice questions designed with one best answer.
5.1.5. No negative points.
5.1.6. Pre-requisite for exam:
5.1.6.1. none
5.1.7. Pre-requisite for certification:
5.1.7.1. Read CISA® Application Form
5.1.7.1.1. http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Apply-for-Certification/Documents/Application-form-download.pdf
6. Recommended additional study
6.1. CISA Essential Exam Notes 2014
6.2. Effective Approach and Practical Tips for CISA Exam
7. This freeware, non-commercial mind map (aligned with the newest version of the CISA® exam) was carefully hand-crafted with passion and love for learning and constant improvement, as well as to promote the CISA® qualification and to serve as a learning tool for candidates wanting to gain it. (Please share and give feedback; your feedback and comments are my main motivation for further elaboration. THX!)
7.1. Questions / issues / errors? What do you think about my work? Your comments are highly appreciated. Feel free to visit my website: www.miroslawdabrowski.com
7.1.1. http://www.miroslawdabrowski.com
7.1.2. http://www.linkedin.com/in/miroslawdabrowski
7.1.3. https://www.google.com/+MiroslawDabrowski
7.1.4. https://play.spotify.com/user/miroslawdabrowski/
7.1.5. https://twitter.com/mirodabrowski
7.1.6. miroslaw_dabrowski
8. ISO 19011:2011 (Guidelines for auditing management systems)
9. Basic audit related definitions (from ISACA® CISA® perspective)
9.1. Audit Risk
9.1.1. Inherent Risk
9.1.2. Control Risk
9.1.3. Overall Audit Risk
9.1.4. Detection Risk
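The four risk terms above are related by the standard audit risk model, which the outline lists but does not state. The figures below are assumed values used only to show how the model is applied (an added worked equation, not part of the original mind map):

$$AR = IR \times CR \times DR$$

where $AR$ is overall audit risk, $IR$ inherent risk, $CR$ control risk and $DR$ detection risk. The auditor fixes the acceptable $AR$, assesses $IR$ and $CR$ from the environment and control review, and solves for the detection risk the substantive work may leave:

$$DR = \frac{AR}{IR \times CR}$$

With an acceptable $AR = 0.05$, $IR = 0.8$ and $CR = 0.5$:

$$DR = \frac{0.05}{0.8 \times 0.5} = 0.125$$

If the control review instead assesses $CR = 0.9$ (controls weak or untested), the same $AR$ requires $DR = 0.05 / 0.72 \approx 0.069$: a lower permitted detection risk, so more (or more extensive) substantive testing is needed to reach the same overall audit risk.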
9.2. Auditing
9.2.1. Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.
9.3. Evidence
9.3.1. The auditor's conclusions must be based on sufficient, competent evidence; factors in judging the reliability of evidence include:
9.3.1.1. Independence of the provider of the evidence
9.3.1.2. Qualification of the individual providing the information or evidence
9.3.1.3. Objectivity of the evidence
9.3.1.4. Timing of the evidence
9.4. Information Systems Auditing
9.4.1. Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.
9.5. Risk
9.5.1. Risk is the likelihood of a threat exploiting a vulnerability and the resulting impact on business mission.
10. Domain 1: The Process of Auditing Information Systems
10.1. Domain 1 - CISA® Exam Relevance
10.1.1. The content area for Domain 1 will represent ...
10.1.1.1. 14% of the CISA® examination
10.1.1.2. 28 questions (14% of the 200 questions)
10.2. Audit Charter
10.2.1. Audit begins with the acceptance of an Audit Charter
10.2.2. Provides:
10.2.2.1. Authority for audit
10.2.2.2. Responsibility
10.2.2.3. Reporting requirements
10.2.3. Signed by Audit Committee / Senior Management / Steering Committee
10.3. Audit
10.3.1. Objectives
10.3.1.1. An audit compares (measures) actual activity against standards and policy
10.3.2. Specific goals of the audit
10.3.2.1. Confidentiality
10.3.2.2. Integrity
10.3.2.3. Reliability
10.3.2.4. Availability
10.3.2.5. Compliance with legal and regulatory requirements
10.3.3. Types
10.3.3.1. Financial audits
10.3.3.1.1. relates to financial information integrity and reliability.
10.3.3.2. Operational audits
10.3.3.2.1. examples: IS audits of application controls or logical security systems
10.3.3.3. Integrated audits
10.3.3.3.1. combines financial and operational audit steps.
10.3.3.4. Administrative audits
10.3.3.4.1. oriented to assess issues related to the efficiency of operational productivity within an organization.
10.3.3.5. IS audits
10.3.3.6. Specialized audits
10.3.3.6.1. examine areas such as services performed by third parties.
10.3.3.7. Forensic audits
10.3.3.7.1. Audits specifically related to a crime or serious incident
10.3.3.7.2. Obtain and examine evidence
10.3.3.7.3. Report for further action
10.3.3.7.4. auditing specialized in discovering, disclosing and following up on frauds and crimes. The primary purpose of such a review is the development of evidence for review by law enforcement and judicial authorities.
10.3.4. Elements
10.3.4.1. Audit scope
10.3.4.2. Audit objectives
10.3.4.3. Criteria
10.3.4.4. Audit procedures
10.3.4.5. Evidence
10.3.4.6. Conclusions and opinions
10.3.4.7. Reporting
10.4. Audit Planning
10.4.1. Involves short- and long-term planning (on an annual basis)
10.4.2. Based on the scope and objective of the particular assignment
10.4.3. Based on concerns of management or areas of higher risk
10.4.3.1. Process failures
10.4.3.2. Financial operations
10.4.3.3. Compliance requirements
10.4.4. New control issues
10.4.5. Changes/upgrades to technologies
10.4.6. Business processes, needs and goals
10.4.7. Auditing/evaluation techniques
10.4.8. IS auditor’s concerns:
10.4.8.1. Security (confidentiality, integrity and availability)
10.4.8.2. Quality (effectiveness, efficiency)
10.4.8.3. Fiduciary (compliance, reliability)
10.4.8.4. Service and capacity
10.4.9. Audit Planning Process
10.4.9.1. Gain an understanding of the business’s mission, objectives, purpose and processes
10.4.9.2. Identify stated contents (policies, standards, guidelines, procedures, and organization structure)
10.4.9.3. Evaluate risk assessment and privacy impact analysis
10.4.9.4. Perform a risk analysis
10.4.9.5. Conduct an internal control review
10.4.9.6. Set the audit scope and audit objectives
10.4.9.7. Develop the audit approach or audit strategy
10.4.9.8. Assign personnel resources to audit and address engagement logistics
10.4.10. Effect of Laws and Regulations on IS Audit Planning
10.4.10.1. Adequate controls
10.4.10.2. Privacy
10.4.10.3. Responsibilities
10.4.10.3.1. Oversight and Governance
10.4.10.4. Protection of assets
10.4.10.5. Financial Management
10.4.10.6. Correlation to financial, operational and IT audit functions
10.5. Performing the Audit
10.5.1. ISACA IT Audit and Assurance Tools and Techniques
10.5.1.1. Procedures developed by the ISACA Standards Board provide examples of possible processes an IS auditor might follow in an audit engagement
10.5.1.2. The IS auditor should apply their own professional judgment to the specific circumstances
10.5.2. ISACA IT Audit and Assurance Standards Framework
10.5.2.1. Standards
10.5.2.1.1. Must be followed by IS auditors
10.5.2.2. Guidelines
10.5.2.2.1. Provide assistance on how to implement the standards
10.5.2.3. Procedures
10.5.2.3.1. Provide examples for implementing the standards
10.5.2.4. S1 Audit Charter
10.5.2.5. S2 Independence
10.5.2.6. S3 Ethics and Standards
10.5.2.7. S4 Competence
10.5.2.8. S5 Planning
10.5.2.9. S6 Performance of audit work
10.5.2.10. S7 Reporting
10.5.2.11. S8 Follow-up activities
10.5.2.12. S9 Irregularities and illegal acts
10.5.2.13. S10 IT Governance
10.5.2.14. S11 Use of risk assessment in audit planning
10.5.2.15. S12 Audit materiality
10.5.2.16. S13 Using the Work of Other Experts
10.5.2.17. S14 Audit Evidence
10.5.2.18. S15 IT Controls
10.5.2.19. S16 E-commerce
10.5.3. Gathering Evidence
10.5.3.1. Techniques
10.5.3.1.1. Review IS organization structures
10.5.3.1.2. Review IS policies and procedures
10.5.3.1.3. Review IS standards
10.5.3.1.4. Review IS documentation
10.5.3.1.5. Interview appropriate personnel
10.5.3.1.6. Observe processes and employee performance
10.5.3.2. Computer-assisted Audit Techniques (CAAT)
10.5.3.2.1. CAATs enable IS auditors to gather information independently
10.5.3.2.2. CAATs include:
10.5.3.2.3. CAATs as a continuous online audit approach:
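A CAAT in its simplest form is audit software run by the auditor over a copy of the entity's data file, independently of the system owners. The script below is an added example, not code from the original mind map: it reads a constructed journal extract (the column layout, the assumed 08:00 to 18:00 business hours and the three tests applied are all assumptions for the illustration) and reports possible duplicate payments, gaps in the posting sequence and out-of-hours postings, the kind of exception list an auditor would then follow up with the process owner.

```python
"""CAAT-style test of a transactions file (added example, not from the original
mind map). SAMPLE_JOURNAL is constructed sample data; the column layout,
business hours and the rules applied are assumptions for the illustration."""
import csv
import io
from collections import defaultdict
from datetime import datetime

SAMPLE_JOURNAL = """seq,date,time,user,vendor,invoice,amount
1001,2015-03-02,09:14,jsmith,ACME,INV-778,1250.00
1002,2015-03-02,09:40,jsmith,ACME,INV-778,1250.00
1003,2015-03-02,10:05,mlee,GLOBEX,GX-41,980.50
1005,2015-03-02,23:55,mlee,INITECH,IT-9,410.00
1006,2015-03-07,11:00,rkim,ACME,INV-779,75.00
"""

BUSINESS_HOURS = (8, 18)  # assumed: postings expected 08:00-18:00, Monday to Friday


def load_journal(text):
    """Parse the CSV extract and type the fields the tests need."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["seq"] = int(r["seq"])
        r["amount"] = float(r["amount"])
        r["when"] = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M")
    return rows


def find_duplicates(rows):
    """Same vendor + invoice number + amount posted more than once (possible double payment)."""
    seen = defaultdict(list)
    for r in rows:
        seen[(r["vendor"], r["invoice"], r["amount"])].append(r["seq"])
    return [seqs for seqs in seen.values() if len(seqs) > 1]


def find_sequence_gaps(rows):
    """Missing numbers in a sequence that should be unbroken (deleted or suppressed postings)."""
    seqs = sorted(r["seq"] for r in rows)
    present = set(seqs)
    return [s for s in range(seqs[0], seqs[-1] + 1) if s not in present]


def find_out_of_hours(rows):
    """Postings on weekends or outside business hours, for follow-up with the process owner."""
    start, end = BUSINESS_HOURS
    return [r["seq"] for r in rows
            if r["when"].weekday() >= 5 or not (start <= r["when"].hour < end)]


def run_caat(text):
    """Run all three tests and return the exception lists plus the population size tested."""
    rows = load_journal(text)
    return {
        "duplicates": find_duplicates(rows),
        "sequence_gaps": find_sequence_gaps(rows),
        "out_of_hours": find_out_of_hours(rows),
        "records_tested": len(rows),
    }


if __name__ == "__main__":
    for name, hits in run_caat(SAMPLE_JOURNAL).items():
        print(f"{name}: {hits}")
```

Each exception is only a lead, not a finding: the duplicate pair may be a legitimate re-posting and the gap a voided entry, so the work papers should record the population tested, the rule applied and the explanation obtained for every item.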
10.5.4. General approaches to audit sampling
10.5.4.1. Statistical sampling
10.5.4.2. Non-statistical sampling
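Statistical sampling differs from judgmental selection in that the sample size and the conclusion are both derived from a stated confidence level and tolerable deviation rate, and the selection is random and reproducible. The block below is an added example, not part of the original mind map, showing attribute sampling for a compliance test; the scenario (access-change tickets checked for an approver signature), the 5% tolerable rate and 95% confidence are assumptions for the illustration.

```python
"""Attribute sampling for a compliance test (added example; not from the original
mind map). Assumed scenario: the auditor tests whether access-change tickets carry
an approver signature; a ticket without one is a deviation."""
import math
import random


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(tolerable_rate: float, expected_rate: float,
                          confidence: float, max_n: int = 5000) -> int:
    """Smallest n such that, if the true deviation rate equalled the tolerable rate,
    the chance of seeing no more than the expected number of deviations (and so
    wrongly relying on the control) is at most 1 - confidence."""
    risk_of_overreliance = 1 - confidence
    for n in range(1, max_n + 1):
        expected_deviations = math.ceil(expected_rate * n)
        if binom_cdf(expected_deviations, n, tolerable_rate) <= risk_of_overreliance:
            return n
    raise ValueError("no sample size found; lower the expected rate or confidence")


def upper_deviation_limit(n: int, observed: int, confidence: float) -> float:
    """One-sided upper bound on the population deviation rate given `observed`
    deviations in a sample of n, found by bisection on the binomial CDF."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(observed, n, mid) > 1 - confidence:
            lo = mid  # this rate is still plausible, the bound lies higher
        else:
            hi = mid
    return hi


def draw_sample(population: list, n: int, seed: int) -> list:
    """Random selection with a recorded seed so the selection is reproducible
    and can be filed in the work papers as evidence of how items were chosen."""
    return random.Random(seed).sample(population, n)


def compliance_conclusion(n: int, observed: int, tolerable_rate: float,
                          confidence: float) -> str:
    """Rely on the control only if the upper deviation limit stays within tolerance."""
    udl = upper_deviation_limit(n, observed, confidence)
    if udl <= tolerable_rate:
        return "rely on control"
    return "do not rely on control; extend substantive testing"


if __name__ == "__main__":
    n = attribute_sample_size(tolerable_rate=0.05, expected_rate=0.0, confidence=0.95)
    tickets = [f"CHG-{i:04d}" for i in range(1, 1201)]  # constructed population
    sample = draw_sample(tickets, n, seed=20150301)
    print(n, sample[:3], compliance_conclusion(n, 0, 0.05, 0.95))
```

With zero expected deviations, 5% tolerable and 95% confidence the function returns 59, the same value as the published attribute-sampling tables, and allowing for one expected deviation raises it to 93; the point for the exam is that a single deviation found in a sample sized for none pushes the upper limit above tolerance, so the auditor cannot rely on the control and must extend testing.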
10.5.5. Using the Services of Other Auditors and Experts
10.5.5.1. Considerations when using services of other auditors and experts:
10.5.5.1.1. Audit charter or contractual stipulations
10.5.5.1.2. Impact on overall and specific IS audit objectives
10.5.5.1.3. Impact on IS audit risk and professional liability
10.5.5.1.4. Independence and objectivity of other auditors and experts
10.5.5.1.5. Professional competence, qualifications and experience
10.5.5.1.6. Scope of work proposed to be outsourced and approach
10.5.5.1.7. Supervisory and audit management controls
10.5.5.1.8. Method of communicating the results of audit work
10.5.5.1.9. Compliance with legal and regulatory stipulations
10.5.5.1.10. Compliance with applicable professional standards
10.6. IS Audit Resource Management
10.6.1. Audit Program Challenges
10.6.1.1. Limited number of IS auditors
10.6.1.2. Maintenance of their technical competence
10.6.1.3. Assignment of audit staff
10.7. Plan for an Audit
10.7.1. 1. Gather Information
10.7.2. 2. Identify System and Components
10.7.3. 3. Assess Risk
10.7.4. 4. Perform Risk Analysis
10.7.5. 5. Conduct Internal Control Review
10.7.6. 6. Set Audit Scope and Objectives
10.7.7. 7. Develop Auditing Strategy
10.7.8. 8. Assign Resources
10.8. Audit Methodology
10.8.1. A set of documented audit procedures designed to achieve planned audit objectives.
10.8.2. Composed of:
10.8.2.1. Statement of scope
10.8.2.2. Statement of audit objectives
10.8.2.3. Statement of audit programs
10.8.3. Set up and approved by the audit management
10.8.4. Communicated to all audit staff
10.9. Phases of an Audit
10.9.1. Audit subject
10.9.2. Audit objective
10.9.3. Audit scope
10.9.4. Pre-audit planning
10.9.5. Audit procedures and steps for data gathering
10.9.6. Procedures for evaluating the test or review results
10.9.7. Procedures for communication with management
10.9.8. Audit report preparation
10.10. Audit Workpapers
10.10.1. Audit plans
10.10.2. Audit programs
10.10.3. Audit activities
10.10.4. Audit tests
10.10.5. Audit findings and incidents
10.11. Audit Procedures
10.11.1. Understanding of the audit area/subject
10.11.2. Risk assessment and general audit plan
10.11.3. Detailed audit planning
10.11.4. Preliminary review of audit area/subject
10.11.5. Evaluating audit area/subject
10.11.6. Verifying and evaluating controls
10.11.7. Compliance testing
10.11.8. Substantive testing
10.11.9. Reporting (communicating results)
10.11.10. Follow-up
10.12. Types of Tests for IS Controls
10.12.1. Use of audit software to survey the contents of data files
10.12.2. Assess the contents of operating system parameter files
10.12.3. Flow-charting techniques for documenting automated applications and business processes
10.12.4. Use of audit reports available in operating systems
10.12.5. Documentation review
10.12.6. Observation
10.13. Fraud Detection
10.13.1. Fraud detection is Management’s responsibility
10.13.2. Benefits of a well-designed internal control system
10.13.2.1. Deterring fraud at the first instance
10.13.2.2. Detecting fraud in a timely manner
10.13.3. Fraud detection and disclosure
10.13.4. Auditor’s role in fraud prevention and detection
10.14. Risk Management (based on ISACA Risk IT)
10.14.1. Risk Assessment
10.14.1.1. Identify and prioritize risk
10.14.1.2. Recommend risk-based controls
10.14.1.3. Assessing security risks
10.14.1.3.1. Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization.
10.14.1.3.2. Performed periodically to address changes in:
10.14.1.4. Treating security risks
10.14.1.4.1. Each risk identified in a risk assessment needs to be treated in a cost-effective manner according to its level of risk
10.14.1.4.2. Controls should be selected to ensure that risks are reduced to an acceptable level
10.14.2. Risk Mitigation
10.14.2.1. Reduce risk
10.14.2.2. Accept risk
10.14.2.3. Transfer risk
10.14.2.4. Avoid risk
10.14.3. Ongoing assessment of risk levels and control effectiveness
10.14.4. Purpose of Risk Analysis
10.14.4.1. Identify threats and vulnerabilities
10.14.4.2. Helps the auditor evaluate countermeasures/controls
10.14.4.3. Helps the auditor decide on auditing objectives
10.14.4.4. Supports risk-based auditing decisions
10.14.4.5. Leads to implementation of internal controls
10.15. Risk-based Auditing
10.15.1. Why use Risk Based Auditing?
10.15.1.1. Enables management to effectively allocate limited audit resources
10.15.1.2. Ensures that relevant information has been obtained from all levels of management
10.15.1.3. Establishes a basis for effectively managing the audit plans
10.15.1.4. Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plan
10.15.2. Performing an Audit Risk Assessment to identify
10.15.2.1. Business risks
10.15.2.2. Technological risks
10.15.2.3. Operational risks
10.15.3. Process
10.15.3.1. 1. Gather Information and Plan for the Audit
10.15.3.1.1. Knowledge of business and industry
10.15.3.1.2. Prior year’s audit results
10.15.3.1.3. Recent financial information
10.15.3.1.4. Regulatory statutes
10.15.3.1.5. Inherent risk assessments
10.15.3.2. 2. Obtain Understanding of Internal Control
10.15.3.2.1. Control environment
10.15.3.2.2. Control procedures
10.15.3.2.3. Detection risk assessment
10.15.3.2.4. Control risk assessment
10.15.3.2.5. Equate total risk
10.15.3.3. 3. Perform Compliance Tests
10.15.3.3.1. Identify key controls to be tested
10.15.3.3.2. Perform tests on reliability, risk prevention, and adherence to organizational policies and procedures
10.15.3.4. 4. Perform Substantive Tests
10.15.3.4.1. Analytical procedures
10.15.3.4.2. Detailed tests of account balances
10.15.3.4.3. Other substantive audit procedures
10.15.3.5. 5. Conclude the Audit
10.15.3.5.1. Create recommendations
10.15.3.5.2. Write audit report
10.16. General Controls
10.16.1. Apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.
10.17. Internal Controls
10.17.1. Policies, procedures, practices and organizational structures implemented to reduce risks
10.17.2. Objectives
10.17.2.1. Safeguarding of IT assets
10.17.2.2. Compliance to corporate policies or legal requirements
10.17.2.3. Input
10.17.2.4. Authorization
10.17.2.5. Accuracy and completeness of processing of data input/transactions
10.17.2.6. Output
10.17.2.7. Reliability of process
10.17.2.8. Backup/recovery
10.17.2.9. Efficiency and economy of operations
10.17.2.10. Change management process for IT and related systems
10.17.3. Classification
10.17.3.1. Preventive controls
10.17.3.2. Detective controls
10.17.3.3. Corrective controls
10.17.4. Areas
10.17.4.1. Internal control system
10.17.4.2. Internal accounting controls
10.17.4.3. Operational controls
10.17.4.4. Administrative controls
10.17.5. IS Controls vs Manual Controls
10.17.5.1. Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment.
10.17.6. IS Controls
10.17.6.1. Strategy and direction
10.17.6.2. General organization and management
10.17.6.3. Access to IT resources, including data and programs
10.17.6.4. Systems development methodologies and change control
10.17.6.5. Operations procedures
10.17.6.6. Systems programming and technical support functions
10.17.6.7. Quality assurance procedures
10.17.6.8. Physical access controls
10.17.6.9. Business continuity/disaster recovery planning
10.17.6.10. Networks and communications
10.17.6.11. Database administration
10.17.6.12. Protection and detective mechanisms against internal and external attacks
10.18. Audit Documentation
10.18.1. Planning and preparation of the audit scope and objectives
10.18.2. Description on the scoped audit area
10.18.3. Audit program
10.18.4. Audit steps performed and evidence gathered
10.18.5. Other experts used
10.18.6. Audit findings, conclusions and recommendations
10.19. Automated Work Papers
10.19.1. Risk analysis
10.19.2. Audit programs
10.19.3. Results
10.19.4. Test evidences
10.19.5. Conclusions
10.19.6. Reports and other complementary information
10.19.7. Minimum controls:
10.19.7.1. Access to work papers
10.19.7.2. Audit trails
10.19.7.3. Automated features to provide and record approvals
10.19.7.4. Security and integrity controls
10.19.7.5. Backup and restoration
10.19.7.6. Encryption techniques
10.20. Evaluation of Audit Strengths and Weaknesses
10.20.1. Assess evidence
10.20.2. Evaluate overall control structure
10.20.3. Evaluate control procedures
10.20.4. Assess control strengths and weaknesses
10.21. Communicating Audit Results
10.21.1. Exit interview
10.21.1.1. Implementation dates for agreed recommendations
10.21.1.2. Correct facts
10.21.1.3. Realistic recommendations
10.21.2. Presentation techniques
10.21.2.1. Executive summary
10.21.2.2. Visual presentation
10.21.3. Audit report structure and contents
10.21.3.1. Introduction to the report
10.21.3.2. Audit findings presented in separate sections
10.21.3.3. The IS auditor’s overall conclusion and opinion
10.21.3.4. The IS auditor’s reservations with respect to the audit – audit limitations
10.21.3.5. Detailed audit findings and recommendations
10.21.4. Audit recommendations may not be accepted
10.21.4.1. Negotiation
10.21.4.2. Conflict resolution
10.21.4.3. Explanation of results, findings and best practices or legal requirements
10.22. Management Implementation of Audit Recommendations
10.22.1. Ensure that accepted recommendations are implemented as per schedule
10.22.2. Auditing is an ongoing process
10.22.3. Timing a follow-up
10.23. Control Self-Assessment (CSA)
10.23.1. Objectives
10.23.1.1. Leverage the internal audit function by shifting some control monitoring responsibilities to functional areas
10.23.1.2. Enhancement of audit responsibilities, not a replacement
10.23.1.3. Educate management about control design and monitoring
10.23.1.4. Empowerment of workers to assess the control environment
10.23.2. Benefits
10.23.2.1. Early detection of risks
10.23.2.2. More effective and improved internal controls
10.23.2.3. Increased employee awareness of organizational objectives
10.23.2.4. Highly motivated employees
10.23.2.5. Improved audit rating process
10.23.2.6. Reduction in control cost
10.23.2.7. Assurance provided to stakeholders and customers
10.23.3. Disadvantages
10.23.3.1. Could be mistaken as an audit function replacement
10.23.3.2. May be regarded as an additional workload
10.23.3.3. Failure to act on improvement suggestions could damage employee morale
10.23.3.4. Lack of motivation may limit effectiveness in the detection of weak controls
10.23.4. A management technique
10.23.5. A methodology
10.23.6. In practice, a series of tools
10.23.7. Can be implemented by various methods
10.23.8. Auditor Role in CSA
10.23.8.1. Internal control professionals
10.23.8.2. Assessment facilitators
10.23.9. Traditional vs. CSA
10.23.9.1. Traditional Approach
10.23.9.1.1. Assigns duties/supervises staff
10.23.9.1.2. Policy/rule driven
10.23.9.1.3. Limited employee participation
10.23.9.1.4. Narrow stakeholder focus
10.23.9.2. CSA Approach
10.23.9.2.1. Empowered/accountable employees
10.23.9.2.2. Continuous improvement/learning curve
10.23.9.2.3. Extensive employee participation and training
10.23.9.2.4. Broad stakeholder focus
10.24. Continuous Auditing vs Continuous Monitoring
10.24.1. Continuous monitoring
10.24.1.1. Provided by IS management tools
10.24.1.2. Based on automated procedures to meet fiduciary responsibilities
10.24.2. Continuous auditing
10.24.2.1. Audit-driven
10.24.2.2. Completed using automated audit procedures
10.24.2.3. Distinctive character
10.24.2.3.1. Short time lapse between the facts to be audited and the collection of evidence and audit reporting
10.24.2.4. Drivers
10.24.2.4.1. Better monitoring of financial issues
10.24.2.4.2. Allows real-time transactions to benefit from real-time monitoring
10.24.2.4.3. Prevents financial fiascoes and audit scandals
10.24.2.4.4. Uses software to determine proper financial controls
10.24.2.5. Application of continuous auditing due to:
10.24.2.5.1. New information technology developments
10.24.2.5.2. Increased processing capabilities
10.24.2.5.3. Standards
10.24.2.5.4. Artificial intelligence tools
10.24.2.6. Advantages
10.24.2.6.1. Instant capture of internal control problems
10.24.2.6.2. Reduction of intrinsic audit inefficiencies
10.24.2.7. Disadvantages
10.24.2.7.1. Difficulty in implementation
10.24.2.7.2. High cost
10.24.2.7.3. Elimination of auditors’ personal judgment and evaluation
10.25. ISACA Code of Professional Ethics
10.25.1. The Association’s Code of Professional Ethics provides guidance for the professional and personal conduct of members of ISACA and/or holders of ISACA designations.
11. Domain 2: Governance and Management of IT
11.1. Domain 2 - CISA® Exam Relevance
11.1.1. The content area for Domain 2 will represent ...
11.1.1.1. 14% of the CISA® examination
11.1.1.2. 28 questions (14% of the 200 questions)
11.2. Corporate Governance
11.2.1. Ethical corporate behaviour
11.2.2. Governance of IT systems and assets towards the preservation of value for all stakeholders
11.2.3. Resource management
11.2.4. Establishment of rules to manage and report on business risks
11.3. IT Governance (ITG)
11.3.1. Comprises the body of issues addressed in considering how IT is applied within the enterprise.
11.3.2. Effective enterprise governance focuses on:
11.3.2.1. Individual and group expertise
11.3.2.2. Experience in specific areas
11.3.3. Key element: alignment of business and IT
11.3.4. Two issues:
11.3.4.1. IT delivers value to the business
11.3.4.2. IT risks are managed
11.3.5. Best Practices for IT Governance
11.3.5.1. Strategic Alignment
11.3.5.1.1. Focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations
11.3.5.2. Value Delivery
11.3.5.2.1. Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and improving the intrinsic value of IT.
11.3.5.3. Resource Management
11.3.5.3.1. Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
11.3.5.4. Risk Management
11.3.5.4.1. Requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.
11.3.5.5. Performance Measurement
11.3.5.5.1. Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
11.4. IS Governance (ISG)
11.4.1. Focused activity with specific value drivers
11.4.1.1. Integrity of information
11.4.1.2. Continuity of services
11.4.1.3. Protection of information assets
11.4.2. Integral part of IT Governance (ITG)
11.4.3. Importance of information security governance
11.4.4. Should be supported at the highest levels of the organization
11.4.5. IS Governance (ISG) broadens the scope beyond protection of IT systems and data to the integration and overall security of information, regardless of how it is handled, processed, transported or stored.
11.4.6. Protects information assets at all times, in all forms (electronic, paper, communicated) and in all locations
11.4.7. Addresses exposure to civil and legal liability and to regulators
11.4.7.1. Provides assurance of policy compliance
11.4.8. Enhances business operations continuity by lowering risk and uncertainty
11.4.9. Foundation for risk management, process improvement and fast incident response procedures
11.4.10. Optimize allocation of the limited security resources as well as procurement process.
11.4.11. Ensuring that important decisions are made on accurate data.
11.4.12. Results
11.4.12.1. Strategic alignment with business/organization objectives
11.4.12.2. Overall risk management
11.4.12.3. Optimized investments
11.4.12.4. Management of resources
11.4.12.5. Reporting on performance/results
11.4.12.6. Process integration
11.5. Information Technology Monitoring and Assurance Practices for Management
11.5.1. IT governance implies a system where all stakeholders provide input into the decision making process:
11.5.1.1. Board
11.5.1.2. Internal customers
11.5.1.3. Finance
11.6. IS Strategy
11.6.1. Strategic Planning.
11.6.2. Steering committee role.
11.6.3. Primary strategic functions
11.6.4. Strategic Enterprise Architecture Plans
11.6.4.1. Involves documenting an organization’s IT assets in a structured manner to facilitate understanding, management and planning for IT investments
11.6.4.2. Often involves both a current state and optimized future state representation
11.6.5. IT Strategy Committee
11.6.5.1. The creation of an IT strategy committee is an industry best practice
11.6.5.2. Committee should broaden its scope to include not only advice on strategy when assisting the board in its IT governance responsibilities, but also to focus on IT value, risks and performance
11.6.6. Techniques
11.6.6.1. Standard IT Balanced Scorecard
11.6.6.1.1. A process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes
11.6.6.1.2. Method goes beyond the traditional financial evaluation
11.6.6.1.3. One of the most effective means to aid the IT strategy committee and management in achieving IT and business alignment
11.7. Enterprise Architecture
11.7.1. The Zachman Framework
11.7.2. Federal Enterprise Architecture (FEA)
11.7.2.1. Performance
11.7.2.2. Business
11.7.2.3. Service component
11.7.2.4. Technical
11.7.2.5. Data
11.8. Maturity and Process Improvement Models
11.8.1. IDEAL model
11.8.2. Capability Maturity Model Integration (CMMI)
11.8.3. Team Software Process (TSP)
11.8.4. Personal Software Process (PSP)
11.9. IT Investment and Allocation Practices
11.9.1. Financial benefits
11.9.1.1. Impact on budget and finances
11.9.2. Nonfinancial benefits
11.9.2.1. Impact on operations or mission performance and results
11.10. Auditing IT Governance Structure and Implementation
11.10.1. Indicators of potential problems include:
11.10.1.1. Unfavorable end-user attitudes
11.10.1.2. Excessive costs
11.10.1.3. Budget overruns
11.10.1.4. Late projects
11.10.1.5. High staff turnover
11.10.1.6. Inexperienced staff
11.10.1.7. Frequent hardware/software errors
11.11. Policies, Procedures, Standards
11.11.1. Reflect management guidance and direction in developing controls over:
11.11.1.1. Information systems
11.11.1.2. Related resources
11.11.1.3. IS department processes
11.11.2. Policies
11.11.2.1. High level documents
11.11.2.2. Must be clear and concise
11.11.2.3. Set tone for organization as a whole (top down)
11.11.2.4. Lower-level policies - defined by individual divisions and departments
11.11.2.5. Information Security Policy
11.11.2.5.1. Defines information security, overall objectives and scope
11.11.2.5.2. Statement of management intent
11.11.2.5.3. Framework for setting control objectives including risk management
11.11.2.5.4. Defines responsibilities for information security management
11.11.3. Procedures
11.11.3.1. Procedures are detailed documents that describe the steps a person must follow when undertaking an activity:
11.11.3.1.1. Define and document implementation policies
11.11.3.1.2. Must be derived from the parent policy
11.11.3.1.3. Must implement the spirit (intent) of the policy statement
11.11.3.1.4. Must be written in a clear and concise manner
11.11.4. Standards
11.11.4.1. Audits measure compliance with standards of:
11.11.4.1.1. Operational procedures
11.11.4.1.2. Best practices
11.11.4.1.3. Consistency of performance
11.12. Risk Management
11.12.1. IT risk management needs to operate at multiple levels including:
11.12.1.1. The strategic level
11.12.1.2. The program level
11.12.1.3. The project level
11.12.1.4. The operational level
11.12.2. Risk Analysis Methods
11.12.2.1. Qualitative
11.12.2.2. Semi quantitative
11.12.2.3. Quantitative
11.12.2.3.1. Probability and expectancy
11.12.2.3.2. Single Loss Expectancy (SLE)
11.12.2.3.3. Annual loss expectancy (ALE)
11.12.3. Risk Mitigation
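Quantitative analysis expresses each risk as an annual loss expectancy (SLE = asset value × exposure factor; ALE = SLE × annualized rate of occurrence) so that a proposed control can be judged against its cost, which is how the "cost-effective treatment" requirement of the risk-management section above is applied in practice. The block below is an added example, not part of the original mind map; every asset value, exposure factor, occurrence rate, control cost and the risk appetite are assumed figures, and the three-way decision rule (reduce if the control pays for itself, accept if the untreated ALE is within appetite, otherwise transfer or avoid) is the author of this example's simplification, not an ISACA formula.

```python
"""Quantitative risk analysis and treatment decision (added example, not from the
original mind map). All figures in REGISTER and the appetite are assumed."""


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor (fraction of the value lost per event)."""
    return asset_value * exposure_factor


def annual_loss_expectancy(sle, aro):
    """ALE = SLE x annualized rate of occurrence (expected events per year)."""
    return sle * aro


def evaluate_treatment(risk, control, appetite):
    """Compare ALE before and after a proposed control with the control's annual
    cost and return the treatment a cost-effective approach would select."""
    before = annual_loss_expectancy(
        single_loss_expectancy(risk["asset_value"], risk["ef"]), risk["aro"])
    after = annual_loss_expectancy(
        single_loss_expectancy(risk["asset_value"], control["residual_ef"]),
        control["residual_aro"])
    net_benefit = (before - after) - control["annual_cost"]
    if net_benefit > 0:
        decision = "reduce"             # control saves more than it costs
    elif before <= appetite:
        decision = "accept"             # within appetite, control not justified
    else:
        decision = "transfer or avoid"  # above appetite and this control not justified
    return {"ale_before": before, "ale_after": after,
            "net_benefit": net_benefit, "decision": decision}


def rank_register(register, appetite):
    """Order risks by untreated ALE so audit and remediation effort goes to the largest first."""
    results = []
    for name, risk, control in register:
        r = evaluate_treatment(risk, control, appetite)
        results.append((name, r["ale_before"], r["decision"]))
    return sorted(results, key=lambda t: t[1], reverse=True)


# Constructed register: (name, risk parameters, proposed control).
REGISTER = [
    ("ransomware on file server",
     {"asset_value": 500_000, "ef": 0.30, "aro": 0.20},
     {"residual_ef": 0.30, "residual_aro": 0.02, "annual_cost": 12_000}),
    ("laptop theft",
     {"asset_value": 3_000, "ef": 1.00, "aro": 2.0},
     {"residual_ef": 0.10, "residual_aro": 2.0, "annual_cost": 7_000}),
    ("data centre flood",
     {"asset_value": 2_000_000, "ef": 0.50, "aro": 0.012},
     {"residual_ef": 0.50, "residual_aro": 0.0012, "annual_cost": 6_000}),
    ("third-party portal outage",
     {"asset_value": 200_000, "ef": 0.10, "aro": 0.5},
     {"residual_ef": 0.10, "residual_aro": 0.1, "annual_cost": 9_000}),
]

RISK_APPETITE = 8_000  # assumed: largest ALE management will carry untreated

if __name__ == "__main__":
    for name, ale_before, decision in rank_register(REGISTER, RISK_APPETITE):
        print(f"{name:28s} ALE={ale_before:>10,.0f}  -> {decision}")
```

For the first entry the SLE is 150,000, the ALE 30,000 and the control brings the ALE down to 3,000 for 12,000 a year, a net benefit of 15,000, so it is reduced; the portal outage sits above appetite but its control costs more than it saves, which is the case where insurance (transfer) or dropping the dependency (avoid) is considered.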
11.13. Resource Management
11.13.1. Organization of the IT Function
11.13.1.1. The auditor must assess whether the IT department is correctly:
11.13.1.1.1. Funded
11.13.1.1.2. Aligned with business needs
11.13.1.1.3. Managed
11.13.1.1.4. Staffed (skills)
11.14. Human Resource Management
11.14.1. Hiring
11.14.2. Employee handbook
11.14.3. Promotion policies
11.14.4. Training
11.14.5. Scheduling and time reporting
11.14.6. Employee performance evaluations
11.14.7. Required vacations
11.14.8. Termination policies
11.14.9. Sourcing Practices
11.14.9.1. Sourcing practices relate to the way an organization obtains the IS function required to support the business
11.14.9.2. Organizations can perform all IS functions in-house or outsource all functions across the globe
11.14.9.3. Sourcing strategy should consider each IS function and determine which approach (insourcing or outsourcing) allows the IS function to meet the organization’s goals
11.15. IS Roles and Responsibilities
11.15.1. Systems development manager
11.15.2. Project management
11.15.3. Service Desk (help desk)
11.15.4. End user
11.15.5. End user support manager
11.15.6. Data management
11.15.7. Quality assurance manager
11.15.8. Information security manager
11.15.9. Vendor and outsourcer management
11.15.10. Infrastructure operations and maintenance
11.15.11. Media management
11.15.12. Data entry
11.15.13. Systems administration
11.15.14. Security administration
11.15.15. Quality assurance
11.15.16. Database administration
11.15.17. Systems analyst
11.15.18. Security architect
11.15.19. Applications development and maintenance
11.15.20. Infrastructure development and maintenance
11.15.21. Network management
11.16. Segregation of Duties within IS
11.16.1. Avoids possibility of errors or misappropriations
11.16.2. Discourages fraudulent acts
11.16.3. Limits access to data
11.16.4. Controls
11.16.4.1. Control measures to enforce segregation of duties include:
11.16.4.1.1. Transaction authorization
11.16.4.1.2. Custody of assets
11.16.4.1.3. Access to data
11.16.4.1.4. Authorization forms
11.16.4.1.5. User authorization tables
11.16.4.2. Compensating controls for lack of segregation of duties include:
11.16.4.2.1. Audit trails
11.16.4.2.2. Reconciliation
11.16.4.2.3. Exception reporting
11.16.4.2.4. Transaction logs
11.16.4.2.5. Supervisory reviews
11.16.4.2.6. Independent reviews
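Added example (not from the CISA material) showing both halves of the segregation-of-duties topic above: a preventive check of the user authorization table against a conflict matrix, and the compensating detective control (transaction log review producing an exception report) for cases the table does not catch. Users, duties and log entries are constructed sample data.

```python
"""Segregation-of-duties check plus compensating exception report.

Added example, not from the CISA material. A conflict matrix lists pairs of
duties that one person should not hold; an authorization table maps users
to duties. Where a conflict cannot be avoided (small teams), the second
function runs the compensating control: scan the transaction log and
report every transaction that the same user both entered and approved, for
supervisory review. The users, duties and log lines are constructed.
"""
from collections import defaultdict

# Duties that must not be combined in one person (preventive control)
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_transaction", "approve_transaction"}),
    frozenset({"develop_code", "deploy_production"}),
}

# User authorization table (constructed)
AUTHORIZATIONS = {
    "alice": {"create_vendor", "enter_transaction"},
    "bob": {"approve_payment", "approve_transaction"},
    "carol": {"enter_transaction", "approve_transaction"},   # conflict
    "dave": {"develop_code", "deploy_production"},           # conflict
}

# Transaction log: (txn id, action, user) in chronological order (constructed).
# T103 is an approval by alice, who holds no approval duty at all: the
# authorization table looks clean, only the log reveals the bypass.
TRANSACTION_LOG = [
    ("T100", "enter", "alice"), ("T100", "approve", "bob"),
    ("T101", "enter", "carol"), ("T101", "approve", "carol"),
    ("T102", "enter", "carol"), ("T102", "approve", "bob"),
    ("T103", "enter", "alice"), ("T103", "approve", "alice"),
]


def sod_violations(authorizations: dict[str, set[str]]) -> dict[str, list[frozenset]]:
    """Return, per user, the conflicting duty pairs they currently hold."""
    found = {}
    for user, duties in authorizations.items():
        hits = [pair for pair in CONFLICTS if pair <= duties]
        if hits:
            found[user] = hits
    return found


def self_approvals(log) -> list[str]:
    """Detective/compensating control: transactions entered and approved by
    the same user, regardless of what the authorization table says."""
    actors = defaultdict(dict)
    for txn, action, user in log:
        actors[txn][action] = user
    return sorted(
        txn for txn, acts in actors.items()
        if "enter" in acts and "approve" in acts and acts["enter"] == acts["approve"]
    )


if __name__ == "__main__":
    for user, pairs in sod_violations(AUTHORIZATIONS).items():
        for pair in pairs:
            print(f"SoD conflict: {user} holds {' + '.join(sorted(pair))}")
    for txn in self_approvals(TRANSACTION_LOG):
        print(f"Exception: {txn} entered and approved by the same user")
```

The log review finds T103 even though alice's authorizations contain no conflict, which is why audit trails and exception reporting are compensating controls in their own right rather than just confirmation of the authorization table.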
11.17. Organizational Change Management
11.17.1. Managing changes to the organization’s:
11.17.1.1. Projects
11.17.1.2. Systems
11.17.1.3. Technology
11.17.1.4. Configurations
11.17.2. Identify and apply technology improvements at the infrastructure and application level
11.17.3. All changes must be documented, approved and tested
11.17.4. All changes must be performed correctly and monitored for successful execution
11.17.5. Changes must not degrade system security or performance
11.18. Quality Management
11.18.1. Software development, maintenance and implementation
11.18.2. Acquisition of hardware and software
11.18.3. Day-to-day operations
11.18.4. Service management
11.18.5. Security
11.18.6. Human resource management
11.18.7. General administration
11.19. Performance Optimization
11.19.1. Performance measures indicate the quality of the IT program
11.19.1.1. Measures should be set to evaluate services critical to business success
11.19.2. There are generally 5 ways to use performance measures:
11.19.2.1. 1. Measure products/services
11.19.2.2. 2. Manage products/services
11.19.2.3. 3. Ensure accountability
11.19.2.4. 4. Make budget decisions
11.19.2.5. 5. Optimize performance
11.20. Reviewing Documentation
11.20.1. IT strategies, plans and budgets
11.20.2. Security policy documentation
11.20.3. Organization/functional charts
11.20.4. Job descriptions
11.20.5. Steering committee reports
11.20.6. System development and program change procedures
11.20.7. Operations procedures
11.20.8. Human resource manuals
11.20.9. Quality assurance procedures
11.21. Reviewing Contractual Commitments
11.21.1. There are various phases to computer hardware, software and IS service contracts, including:
11.21.1.1. Development of contract requirements and service levels
11.21.1.2. Contract bidding process
11.21.1.3. Contract selection process
11.21.1.4. Contract acceptance
11.21.1.5. Contract maintenance
11.21.1.6. Contract compliance
11.22. Business Continuity Planning (BCP)
11.22.1. Business continuity planning (BCP) is a process designed to reduce the organization’s business risk
11.22.2. A BCP is much more than just a plan for the information systems
11.22.3. IS processing is of strategic importance
11.22.3.1. Critical component of overall BCP
11.22.3.2. Most key business processes depend on the availability of key systems and infrastructure components
11.22.4. Disasters and Other Disruptive Events
11.22.4.1. Disasters are disruptions that cause critical information resources to be inoperative for a period of time
11.22.4.2. Good BCP will take into account impacts on IS processing facilities
11.22.5. Process
11.22.6. Business Continuity Policy
11.22.6.1. Defines the extent and scope of business continuity for both internal and external stakeholders
11.22.6.2. Should be proactive
11.22.7. Business Continuity Planning Incident Management
11.22.7.1. All types of incidents should be categorized
11.22.7.1.1. Negligible
11.22.7.1.2. Minor
11.22.7.1.3. Major
11.22.7.1.4. Crisis
11.22.8. Business Continuity Plan (BCP)
11.22.8.1. Business continuity plan must:
11.22.8.1.1. Be based on the long-range IT plan
11.22.8.1.2. Comply with the overall business continuity strategy
11.22.8.2. Development of BCP (factors)
11.22.8.2.1. The clear identification of the various resources required for recovery and continued operation of the organization
11.22.8.2.2. Evacuation procedures
11.22.8.2.3. Procedures for declaring a disaster (escalation procedures)
11.22.8.2.4. Circumstances under which a disaster should be declared.
11.22.8.2.5. The clear identification of the responsibilities in the plan
11.22.8.2.6. The clear identification of the persons responsible for each function in the plan
11.22.8.2.7. The clear identification of contract information
11.22.8.2.8. The step-by-step explanation of the recovery process
11.22.8.2.9. Pre-disaster readiness covering incident response management to address all relevant incidents affecting business processes
11.22.8.3. Components of BCP
11.22.8.3.1. Continuity of operations plan (COOP)
11.22.8.3.2. Disaster recovery plan (DRP)
11.22.8.3.3. Business resumption plan
11.22.8.3.4. Continuity of support plan / IT contingency plan
11.22.8.3.5. Crisis communications plan
11.22.8.3.6. Incident response plan
11.22.8.3.7. Transportation plan
11.22.8.3.8. Occupant emergency plan (OEP)
11.22.8.3.9. Evacuation and emergency relocation plan
11.22.8.3.10. Key decision-making personnel
11.22.8.3.11. Backup of required supplies
11.22.8.3.12. Insurance
11.22.9. Other Issues in Plan Development
11.22.9.1. Management and user involvement is vital to the success of BCP
11.22.9.1.1. Essential to the identification of critical systems, recovery times and resources
11.22.9.1.2. Involvement from support services, business operations and information processing support
11.22.9.2. Entire organization needs to be considered for BCP
11.22.10. Auditing Business Continuity
11.22.10.1. Understand and evaluate business continuity strategy
11.22.10.2. Evaluate plans for accuracy and adequacy
11.22.10.3. Verify plan effectiveness
11.22.10.4. Evaluate offsite storage
11.22.10.5. Evaluate ability of IS and user personnel to respond effectively
11.22.10.6. Ensure plan maintenance is in place
11.22.10.7. Evaluate readability of business continuity manuals and procedures
11.22.11. Reviewing the Business Continuity Plan
11.22.11.1. IS auditors should verify that the plan is up to date including:
11.22.11.1.1. Currency of documents
11.22.11.1.2. Effectiveness of documents
11.22.11.1.3. Interview personnel for appropriateness and completeness of plan
11.23. Business Impact Analysis (BIA)
11.23.1. Critical step in developing the business continuity plan
11.23.2. 3 main questions to consider during BIA phase:
11.23.2.1. 1. What are the different business processes?
11.23.2.2. 2. What are the critical information resources related to an organization’s critical business processes?
11.23.2.3. 3. What is the critical recovery time period for information resources in which business processing must be resumed before significant or unacceptable losses are suffered?
11.23.3. What is the system’s risk ranking?
11.23.3.1. Critical
11.23.3.2. Vital
11.23.3.3. Sensitive
11.23.3.4. Non-sensitive
11.24. Business Continuity Plan
11.24.1. Development of Business Continuity Plans
11.24.1.1. Factors to consider:
11.24.1.1.1. Pre-disaster readiness covering incident response management to address all relevant incidents affecting business processes
11.24.1.1.2. Evacuation procedures
11.24.1.1.3. Procedures for declaring a disaster (escalation procedures)
11.24.1.1.4. Circumstances under which a disaster should be declared
11.24.1.1.5. The clear identification of the responsibilities in the plan
11.24.1.1.6. The clear identification of the persons responsible for each function in the plan
11.24.1.1.7. The clear identification of contract information
11.24.1.1.8. The step-by-step explanation of the recovery process
11.24.1.1.9. The clear identification of the various resources required for recovery and continued operation of the organization
11.24.2. Components of a Business Continuity
11.24.2.1. Continuity of operations plan (COOP)
11.24.2.2. Disaster recovery plan (DRP)
11.24.2.3. Business resumption plan
11.24.2.4. Continuity of support plan / IT contingency plan
11.24.2.5. Crisis communications plan
11.24.2.6. Incident response plan
11.24.2.7. Transportation plan
11.24.2.8. Occupant emergency plan (OEP)
11.24.2.9. Evacuation and emergency relocation plan
11.24.2.10. Key decision-making personnel
11.24.2.11. Backup of required supplies
11.24.2.12. Insurance
11.24.2.12.1. IS equipment and facilities
11.24.2.12.2. Media (software) reconstruction
11.24.2.12.3. Extra expense
11.24.2.12.4. Business interruption
11.24.2.12.5. Valuable papers and records
11.24.2.12.6. Errors and omissions
11.24.2.12.7. Fidelity coverage
11.24.2.12.8. Media transportation
12. Domain 3: Information Systems Acquisition, Development, and Implementation
12.1. Domain 3 - CISA® Exam Relevance
12.1.1. The content area for Domain 3 will represent ...
12.1.1.1. 19% of the CISA® examination
12.1.1.2. Approximately 38 of the 200 exam questions
12.2. Business case
12.2.1. Provides the information required for an organization to decide whether a project should proceed
12.2.2. Is normally derived from a feasibility study as part of project planning
12.2.3. Should be of sufficient detail to describe the justification for setting up and continuing a project
12.3. Portfolio/Program Management (PPM)
12.3.1. Objectives
12.3.1.1. Optimization of the results of the project portfolio
12.3.1.2. Prioritizing and scheduling projects
12.3.1.3. Resource coordination (internal and external)
12.3.1.4. Knowledge transfer throughout the projects
12.3.2. Program
12.3.2.1. Programs have a limited time frame (start and end date) and organizational boundaries
12.3.2.2. Definition by ISACA:
12.3.2.2.1. “A program is a group of projects and time-bound tasks that are closely linked together through common objectives, a common budget, intertwined schedules and strategies.”
12.3.2.3. Definition by AXELOS:
12.3.3. Portfolio
12.3.3.1. Definition by ISACA:
12.3.3.1.1. “Groupings of ‘objects of interest’ (investment programmes, IT services, IT projects, other IT assets or resources) managed and monitored to optimise business value.”
12.3.3.2. Definition by AXELOS:
12.3.3.2.1. “An organization’s change portfolio is the totality of its investment (or segment thereof) in the changes required to achieve its strategic objectives.”
12.3.4. Portfolio management
12.3.4.1. Definition by ISACA:
12.3.4.1.1. “The goal of portfolio management (in relation to Val IT) is to ensure that an enterprise secures optimal value across its portfolio of IT-enabled investments.”
12.3.4.2. Definition by AXELOS:
12.3.4.2.1. “A coordinated collection of strategic processes and decisions that together enable the most effective balance of organizational change and business as usual (BAU).”
12.4. Benefits Realization Techniques
12.4.1. Describing benefits management or benefits realization
12.4.2. Assigning a measure and target
12.4.3. Establishing a tracking/measuring regime
12.4.4. Documenting the assumption
12.4.5. Establishing key responsibilities for realization
12.4.6. Validating the benefits predicted in the business
12.4.7. Planning the benefit that is to be realized
12.5. General IT Project Aspects
12.5.1. IS projects may be initiated from any part of an organization
12.5.2. A project is always a time-bound effort
12.5.3. Project management should be a business process of a project-oriented organization
12.5.4. The complexity of project management requires a careful and explicit design of the project management process
12.6. Project Context and Environment
12.6.1. A project context can be divided into a time and social context. The following must be taken into account:
12.6.1.1. Importance of the project in the organization
12.6.1.2. Connection between the organization’s strategy and the project
12.6.1.3. Relationship between the project and other projects
12.6.1.4. Connection between the project to the underlying business case
12.7. Project Organizational Forms
12.7.1. 3 major forms of organizational alignment for project management are:
12.7.1.1. Influence project organization
12.7.1.2. Pure project organization
12.7.1.3. Matrix project organization
12.8. Project Communication
12.8.1. Depending on the size and complexity of the project and the affected parties, communication may be achieved by:
12.8.1.1. One-on-one meetings
12.8.1.2. Kick-off meetings
12.8.1.3. Project start workshops
12.8.1.4. A combination of the three
12.9. Project Objectives
12.9.1. A project needs clearly defined results that are specific, measurable, achievable, relevant and time-bound (SMART)
12.9.2. A commonly accepted approach to define project objectives is to begin with an object breakdown structure (OBS)
12.9.3. After the OBS has been compiled, a work breakdown structure (WBS) is designed
12.10. Roles and Responsibilities of Groups and Individuals
12.10.1. Senior management
12.10.2. Senior Responsible Owner (SRO)
12.10.3. User management
12.10.4. Project steering committee
12.10.5. Project sponsor
12.10.6. Systems development management
12.10.7. Project manager
12.10.8. Systems development project team
12.10.9. User project team
12.10.10. Security officer
12.10.11. Quality assurance
12.11. Project Management Practices
12.11.1. Classic project management is bound by the iron triangle:
12.11.1.1. Resources
12.11.1.2. Schedule
12.11.1.3. Scope
12.11.2. PRINCE2® based project management is bound by the 6 project aspects:
12.11.2.1. Benefits
12.11.2.2. Quality
12.11.2.3. Resources
12.11.2.4. Risk
12.11.2.5. Schedule
12.11.2.6. Scope
12.12. Project Planning
12.12.1. The various tasks that need to be performed to produce the expected business application system
12.12.2. The sequence or the order in which these tasks need to be performed
12.12.3. The duration or the time window for each task
12.12.4. The priority of each task
12.12.5. The IT resources that are available and required to perform these tasks
12.12.6. Budget or costing for each of these tasks
12.12.7. Source and means of funding
12.12.8. Software size estimation
12.12.9. Lines of source code
12.12.10. Function point analysis (FPA)
12.12.10.1. FPA feature points
12.12.10.2. Cost budgets
12.12.10.3. Software cost estimation
12.12.11. Scheduling and establishing the time frame
12.12.12. Critical path methodology/method (CPM)
12.12.12.1. Time box management
12.12.12.2. PERT
12.12.12.3. Gantt Chart
12.13. Project Controlling
12.13.1. Includes management of:
12.13.1.1. Scope
12.13.1.2. Resource usage
12.13.1.3. Risk
12.13.1.3.1. Review & evaluate
12.13.1.3.2. Assess
12.13.1.3.3. Mitigate
12.13.1.3.4. Discover
12.13.1.3.5. Inventory
12.14. Project Risk
12.14.1. The CISA® must review the project for risks that the project will not deliver the expected benefits:
12.14.1.1. Scope creep
12.14.1.2. Lack of skilled resources
12.14.1.3. Inadequate requirements definition
12.14.1.4. Inadequate testing
12.14.1.5. Push to production without sufficient allotted time
12.15. Closing a Project
12.15.1. When closing a project, there may still be some issues that need to be resolved, ownership of which needs to be assigned
12.15.2. The project sponsor should be satisfied that the system produced is acceptable and ready for delivery
12.15.3. Custody of contracts may need to be assigned, and documentation archived or passed on to those who will need it
12.16. Systems Development Models (SDLC)
12.16.1. Business Application Development
12.16.1.1. The implementation process for business applications, commonly referred to as an SDLC, begins when an individual application is initiated as a result of one or more of the following situations:
12.16.1.1.1. A new opportunity that relates to a new or existing business process
12.16.1.1.2. A problem that relates to an existing business process
12.16.1.1.3. A new opportunity that will enable the organization to take advantage of technology
12.16.1.1.4. A problem with the current technology
12.16.2. Traditional SDLC Approach
12.16.2.1. Also referred to as the waterfall technique, this life cycle approach is the oldest and most widely used for developing business applications
12.16.2.2. Based on a systematic, sequential approach to software development that begins with a feasibility study and progresses through requirements definition, design, development, implementation and post implementation
12.16.2.3. Some of the issues encountered with this approach include:
12.16.2.3.1. Unanticipated events
12.16.2.3.2. Difficulty in obtaining an explicit set of requirements from the user
12.16.2.3.3. Managing requirements and convincing the user about the undue or unwarranted requirements in the system functionality
12.16.2.3.4. The necessity of user patience
12.16.2.3.5. A changing business environment that alters or changes the user’s requirements before they are delivered
12.16.2.4. Classic Waterfall: DoD-STD-2167A
12.16.2.5. Modified Waterfall: MIL-STD-498
12.16.2.6. V-model (may be considered an extension of the waterfall)
12.16.2.7. Boehm’s Spiral Model
12.16.3. Alternative Development Methods
12.16.3.1. Incremental
12.16.3.2. Iterative
12.16.3.3. Adaptive
12.16.3.4. Evolutionary
12.16.3.5. Agile (incremental + iterative + adaptive)
12.16.3.5.1. The Agile Mindset, Values and Principles
12.16.3.5.2. Agile is an umbrella term covering different methodologies, tools, techniques, practices and frameworks
12.16.3.5.3. Plan-driven projects vs. change-driven projects
12.16.3.5.4. Agile is best for complex projects
12.17. Types of Specialized Business Applications
12.17.1. Electronic Commerce
12.17.2. Electronic Data Interchange (EDI)
12.17.3. Electronic Mail
12.17.4. Electronic Banking
12.17.5. Electronic Finance
12.17.6. Electronic Funds Transfer (EFT)
12.17.7. Automated Teller Machine (ATM)
12.17.8. Artificial Intelligence and Expert Systems
12.17.9. Business Intelligence (BI)
12.17.10. Decision Support System
12.18. Acquisition
12.18.1. Hardware Acquisition
12.18.1.1. Organization type
12.18.1.2. Requirement for data processing
12.18.1.3. Hardware requirements
12.18.1.4. System software application
12.18.1.5. Support system
12.18.1.6. Adaptability needs
12.18.1.7. Constraint
12.18.1.8. Conversion needs
12.18.2. Software Acquisition
12.18.2.1. Business, technical, functional, collaborative needs
12.18.2.2. Security and reliability
12.18.2.3. Cost and benefits
12.18.2.4. Obsolescence and risk
12.18.2.5. System compatibility
12.18.2.6. Resource allocation
12.18.2.7. Training and personnel requirements
12.18.2.8. Need for scalability
12.18.2.9. Impact on present infrastructure
12.18.3. Auditing Systems Development Acquisition
12.18.3.1. Feasibility study
12.18.3.2. Requirements definition
12.18.3.3. Software acquisition Process
12.18.3.4. Design & Development
12.18.3.5. Testing
12.18.3.6. Implementation and review
12.18.3.7. Post-Implementation
12.19. Application Controls
12.19.1. Input/Origination Controls
12.19.1.1. Input authorization
12.19.1.2. Batch controls and balancing
12.19.1.3. Error reporting and handling
12.19.2. Processing Procedures and Controls
12.19.2.1. Data validation and editing procedures
12.19.2.2. Processing controls
12.19.2.3. Data file control procedures
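Added example (not from the CISA material) covering the input control "batch controls and balancing" and the processing control "data validation and editing" listed above: recompute a batch's record count, financial total and hash total against its header, then edit each record with a range check and a mod-10 (Luhn) check digit. The batch header, records and account numbers are constructed sample data.

```python
"""Batch control totals and input validation (added example, not from the
CISA material). A batch header carries the control totals computed when the
batch was prepared: record count, a financial total (sum of amounts) and a
hash total (sum of a non-financial field, here the account number, which is
meaningful only as a control). Processing recomputes all three and rejects
the batch on any mismatch, then edits each record: range check on the amount
and a mod-10 (Luhn) check digit on the account number. Records and header
figures are constructed sample data.
"""
from decimal import Decimal


def luhn_valid(number: str) -> bool:
    """Mod-10 check digit: catches any single-digit error and most transpositions."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def batch_totals(records):
    count = len(records)
    financial = sum(Decimal(r["amount"]) for r in records)
    hash_total = sum(int(r["account"]) for r in records)
    return count, financial, hash_total


def balance_batch(header, records) -> list[str]:
    """Return the list of control-total mismatches (empty means the batch balances)."""
    count, financial, hash_total = batch_totals(records)
    problems = []
    if count != header["record_count"]:
        problems.append(f"record count {count} != header {header['record_count']}")
    if financial != Decimal(header["financial_total"]):
        problems.append(f"financial total {financial} != header {header['financial_total']}")
    if hash_total != header["hash_total"]:
        problems.append(f"hash total {hash_total} != header {header['hash_total']}")
    return problems


def edit_records(records, max_amount=Decimal("50000.00")) -> dict[str, list[str]]:
    """Data validation/editing: return error messages keyed by record id."""
    errors = {}
    for r in records:
        found = []
        if not luhn_valid(r["account"]):
            found.append("account fails check digit")
        amount = Decimal(r["amount"])
        if not Decimal("0.01") <= amount <= max_amount:
            found.append(f"amount {amount} outside range")
        if found:
            errors[r["id"]] = found
    return errors


# Constructed batch. 79927398713 passes the Luhn check; 79927398714 does not.
BATCH_HEADER = {"record_count": 3, "financial_total": "1350.00", "hash_total": 3 * 79927398713}
BATCH_RECORDS = [
    {"id": "r1", "account": "79927398713", "amount": "100.00"},
    {"id": "r2", "account": "79927398713", "amount": "1250.00"},
    {"id": "r3", "account": "79927398713", "amount": "0.00"},   # zero amount: edit failure
]

if __name__ == "__main__":
    print("balancing problems:", balance_batch(BATCH_HEADER, BATCH_RECORDS))
    print("edit errors:", edit_records(BATCH_RECORDS))
```

A single mistyped digit in an account number moves the hash total by that digit's place value and usually also fails the check digit, so the two controls reinforce each other: the hash total catches the error at batch level, the check digit pins it to the record.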
12.19.3. Output Controls
12.19.3.1. Output controls provide assurance that the data delivered to users will be presented, formatted and delivered in a consistent and secure manner
12.19.4. Auditing Application Controls
12.19.4.1. Data integrity testing
12.19.4.2. Online Transaction Processing System
12.19.4.3. The ACID principle
12.19.4.3.1. Atomicity
12.19.4.3.2. Consistency
12.19.4.3.3. Isolation
12.19.4.3.4. Durability
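Added example (not from the CISA material) of the ACID properties in an online transaction processing system, using the Python standard-library sqlite3 module: a two-step funds transfer done as one transaction is rolled back when the second step fails, while the same transfer done as two auto-committed statements leaves the ledger inconsistent. The accounts and amounts are constructed.

```python
"""Atomicity and consistency in an OLTP transfer, demonstrated with the
standard-library sqlite3 module (added example, not from the CISA material;
accounts and amounts are constructed sample data).

A funds transfer is two writes: credit one account, debit another. Done as
one transaction, a failure on the second write (here a CHECK constraint
refusing a negative balance, standing in for any mid-transaction failure)
rolls back the first, so the books still balance. Done as two separately
committed statements, the credit survives and money appears from nowhere.
"""
import sqlite3


def new_ledger() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account (id TEXT PRIMARY KEY, "
        "balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO account VALUES (?, ?)", [("A", 100), ("B", 50)])
    conn.commit()
    return conn


def total(conn) -> int:
    """Consistency invariant: the sum of balances never changes on a transfer."""
    return conn.execute("SELECT SUM(balance) FROM account").fetchone()[0]


def transfer_atomic(conn, src, dst, amount) -> bool:
    """Both updates or neither: one transaction, rolled back on any error."""
    try:
        with conn:  # commits on normal exit, rolls back on exception
            conn.execute("UPDATE account SET balance = balance + ? WHERE id = ?", (amount, dst))
            conn.execute("UPDATE account SET balance = balance - ? WHERE id = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False


def transfer_nonatomic(conn, src, dst, amount) -> bool:
    """Anti-pattern: each statement committed on its own (autocommit mode)."""
    conn.isolation_level = None   # no implicit BEGIN, so every statement commits
    try:
        conn.execute("UPDATE account SET balance = balance + ? WHERE id = ?", (amount, dst))
        conn.execute("UPDATE account SET balance = balance - ? WHERE id = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False
    finally:
        conn.isolation_level = ""  # restore implicit transactions


def demo() -> tuple[int, int]:
    """Ledger totals after a failed transfer: (atomic, non-atomic)."""
    a = new_ledger()
    transfer_atomic(a, "A", "B", 500)      # A holds only 100: debit fails, credit rolled back
    b = new_ledger()
    transfer_nonatomic(b, "A", "B", 500)   # credit already committed when the debit fails
    return total(a), total(b)


if __name__ == "__main__":
    atomic_total, sloppy_total = demo()
    print(f"atomic transfer:     ledger total {atomic_total} (invariant held)")
    print(f"non-atomic transfer: ledger total {sloppy_total} (invariant broken)")
```

The data integrity test an auditor runs against such a system is exactly the invariant in `total()`: reconcile the sum of balances before and after a sample of transactions, including ones that failed part-way.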
12.19.4.4. Continuous Online audit
13. Domain 4: Information Systems Operations, Maintenance and Support
13.1. Domain 4 - CISA® Exam Relevance
13.1.1. The content area for Domain 4 will represent ...
13.1.1.1. 23% of the CISA® examination
13.1.1.2. Approximately 46 of the 200 exam questions
13.2. Auditing System Operations and Maintenance
13.2.1. Information Security Management
13.2.1.1. Perform risk assessments on information assets
13.2.1.2. Perform business impact analyses (BIAs)
13.2.1.3. Develop & enforce information security policy, procedures, & standards
13.2.1.4. Conduct security assessments on a regular basis
13.2.1.5. Implement a formal vulnerability management process
13.2.2. Information Systems Operations
13.2.2.1. IS operations are in charge of the daily support of an organization’s IS hardware and software environment
13.2.2.2. IS operations include
13.2.2.2.1. Management of IS operations
13.2.2.2.2. Infrastructure support including computer operations
13.2.2.3. Technical support / help desk
13.2.2.4. Information security management
13.2.3. Management of IS Operations
13.2.3.1. Operations management functions include
13.2.3.1.1. Resource allocation
13.2.3.1.2. Standards and procedures
13.2.3.1.3. IS operation processes monitoring
13.2.4. IT Service Management
13.2.4.1. Service levels are audited through review of
13.2.4.1.1. Exception reports
13.2.4.1.2. System and application logs
13.2.4.1.3. Operator problem reports
13.2.4.1.4. Operator work schedules
13.2.5. Support / Help Desk
13.2.5.1. Document incidents that arise from users and initiate problem resolution
13.2.5.2. Prioritize the issues and forward them to the appropriate IT personnel, and escalate to IT management, as necessary
13.2.5.3. Follow up on unresolved incidents
13.2.5.4. Close out resolved incidents, noting proper authorization to close out the incident by the user
13.2.6. Change Management Process
13.2.6.1. System, operations and program documentation
13.2.6.2. Job preparation, scheduling and operating instructions
13.2.6.3. System and program test
13.2.6.4. Data file conversion
13.2.6.5. System conversion
13.2.7. Release Management
13.2.7.1. Major releases
13.2.7.2. Minor software releases
13.2.7.3. Emergency software fixes
13.3. System and Communications Hardware
13.3.1. Computer Hardware Components and Architectures
13.3.1.1. Common enterprise back-end devices
13.3.1.2. Print servers
13.3.1.3. File servers
13.3.1.4. Application (program) servers
13.3.1.5. Web servers
13.3.1.6. Proxy servers
13.3.1.7. Database servers
13.3.1.8. Appliances (specialized devices)
13.3.1.9. Universal Serial Bus (USB)
13.3.1.10. Memory cards / flash drives
13.3.1.11. Radio Frequency Identification (RFID)
13.3.2. Security Risks with Portable Media
13.3.2.1. Memory Cards / Flash Drives Risks
13.3.2.1.1. Viruses and other malicious software
13.3.2.1.2. Data theft
13.3.2.1.3. Data and media loss
13.3.2.1.4. Corruption of data
13.3.2.1.5. Loss of confidentiality
13.3.2.2. Security Control
13.3.2.2.1. Encryption
13.3.2.2.2. Inventory of assets
13.3.2.2.3. Educate security personnel
13.3.2.2.4. Enforce “lock desktop” policy
13.3.2.2.5. Use only secure devices
13.3.3. Capacity Management
13.3.3.1. CPU utilization (processing power)
13.3.3.2. Computer storage utilization
13.3.3.3. Telecommunications, LAN & WAN bandwidth utilization
13.3.3.4. I/O channel utilization
13.3.3.5. Number of users
13.3.3.6. New technologies
13.3.3.7. New applications
13.3.3.8. Service level agreements (SLAs)
13.3.3.8.1. Vendor performance
13.3.4. IS Architecture and Software
13.3.4.1. Operating systems
13.3.4.1.1. Software control features or parameters
13.3.4.2. Access control software
13.3.4.3. Data communications software
13.3.4.4. Data management
13.3.4.5. Database management system (DBMS)
13.3.4.6. Tape and disk management system
13.3.4.7. Utility programs
13.3.4.8. Software licensing issues
13.3.5. Software Licensing Issues
13.3.5.1. Documented policies and procedures that guard against unauthorized use or copying of software
13.3.5.2. Listing of all standard, used and licensed application and system software
13.3.5.3. Centralizing control and automated distribution and the installation of software
13.3.5.4. Requiring that all PCs be diskless workstations and access applications from a secured LAN
13.3.5.5. Regularly scanning user PCs
13.3.6. Digital Rights Management (DRM)
13.3.6.1. DRM removes usage control from the person in possession of digital content & puts it in the hands of a computer program
13.3.6.2. Prevents copying or modifying of data by unauthorized users
13.4. Auditing Networks
13.4.1. Telecommunications links for networks can be
13.4.1.1. Analog
13.4.1.2. Digital
13.4.2. Methods for transmitting signals over telecommunication links are
13.4.2.1. Copper
13.4.2.2. Fibre
13.4.2.3. Coaxial
13.4.2.4. Radio Frequency
13.4.3. Types of Networks
13.4.3.1. Personal area networks (PANs)
13.4.3.2. Local area networks (LANs)
13.4.3.3. Wide area networks (WANs)
13.4.3.4. Metropolitan area networks (MANs)
13.4.3.5. Storage area networks (SANs)
13.4.4. Network Services
13.4.4.1. E-mail services
13.4.4.2. Print services
13.4.4.3. Remote access services
13.4.4.4. Directory services
13.4.4.5. Network management
13.4.4.6. Dynamic Host Configuration Protocol (DHCP)
13.4.4.7. DNS
13.4.5. Network Components
13.4.5.1. Repeaters
13.4.5.2. Hubs
13.4.5.3. Bridges
13.4.5.4. Switches
13.4.5.5. Routers
13.4.6. Communications Technologies
13.4.6.1. Asynchronous transfer mode
13.4.6.2. Circuit switching
13.4.6.3. Dial-up services
13.4.6.4. Digital subscriber lines
13.4.6.5. Frame Relay
13.4.6.6. Integrated services digital network (ISDN)
13.4.6.7. Message switching
13.4.6.8. Multiprotocol label switching
13.4.6.9. Packet switching
13.4.6.10. Point to point - leased lines
13.4.6.11. Virtual Private Networks (VPNs)
13.4.6.12. Virtual circuits
13.4.6.12.1. PVC
13.4.6.13. X.25
13.4.7. Wireless Networking
13.4.7.1. Wireless networks
13.4.7.2. Wireless wide area network (WWAN)
13.4.7.2.1. Microwave, Optical
13.4.7.3. Wireless local area network (WLAN)
13.4.7.3.1. 802.11
13.4.7.4. Wireless personal area network (WPAN)
13.4.7.4.1. 802.15 Bluetooth
13.4.7.5. Wireless ad hoc networks
13.4.7.6. Wireless application protocol (WAP)
13.4.7.7. Risks Associated with Wireless Communications
13.4.7.7.1. Interception of sensitive information
13.4.7.7.2. Loss or theft of devices
13.4.7.7.3. Misuse of devices
13.4.7.7.4. Loss of data contained in devices
13.4.7.7.5. Distraction caused by devices
13.4.7.7.6. Wireless user authentication
13.4.7.7.7. File security
13.4.7.7.8. Wireless encryption
13.4.7.7.9. Interoperability
13.4.7.7.10. Use of wireless subnets
13.4.7.7.11. Translation point
13.4.8. Auditing of Network Management
13.4.8.1. Applications in a networked environment
13.4.8.1.1. Client-server technology
13.4.8.1.2. Middleware
13.4.8.1.3. Cloud
13.4.8.1.4. Virtual
13.4.8.1.5. Software as a Service (SaaS)
13.4.8.1.6. Service Oriented Architecture (SOA)
13.5. Business Continuity and Disaster Recovery Audits
13.5.1. Auditing of Business Continuity Plans
13.5.2. Recovery Point Objective (RPO)
13.5.2.1. Based on acceptable data loss
13.5.2.2. Indicates the most current state of data that can be recovered
13.5.3. Recovery Time Objective (RTO)
13.5.3.1. Based on acceptable downtime
13.5.3.2. Indicates the point in time at which the business plans to resume sustainable service levels after a disaster
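Added example (not from the CISA material) that turns the RPO and RTO definitions above into a check an auditor can run against restore-test evidence: the achieved RPO is the age of the newest completed backup at the moment of the disaster, the achieved RTO is the time from disaster to restored service, and each is compared with its target. The backup timeline, disaster time and targets are constructed.

```python
"""Checking a backup schedule and a recovery drill against RPO and RTO
(added example, not from the CISA material; the timeline is constructed).

RPO: maximum acceptable data loss, measured backwards from the disaster to
the last recoverable backup. RTO: maximum acceptable downtime, measured
forwards from the disaster to the point where service is restored. The
achieved values are what an auditor compares against the targets when
verifying plan effectiveness from restore tests, not from the written plan.
"""
from datetime import datetime, timedelta


def achieved_rpo(disaster: datetime, backup_completions: list[datetime]) -> timedelta:
    """Age of the newest backup that completed at or before the disaster.

    A backup still running when the disaster struck is not recoverable,
    so only completion times are considered.
    """
    usable = [t for t in backup_completions if t <= disaster]
    if not usable:
        raise ValueError("no recoverable backup before the disaster")
    return disaster - max(usable)


def achieved_rto(disaster: datetime, service_restored: datetime) -> timedelta:
    if service_restored < disaster:
        raise ValueError("service cannot be restored before the disaster")
    return service_restored - disaster


def evaluate(disaster, backup_completions, service_restored, rpo, rto) -> dict[str, bool]:
    """True for each objective that the achieved value satisfies."""
    return {
        "rpo_met": achieved_rpo(disaster, backup_completions) <= rpo,
        "rto_met": achieved_rto(disaster, service_restored) <= rto,
    }


# Constructed scenario: nightly backup completing at 02:00, disaster at 14:30,
# hot-site restore finished at 17:00. Targets: RPO 4 h, RTO 8 h.
DISASTER = datetime(2015, 6, 10, 14, 30)
BACKUPS = [datetime(2015, 6, 8, 2, 0), datetime(2015, 6, 9, 2, 0), datetime(2015, 6, 10, 2, 0)]
RESTORED = datetime(2015, 6, 10, 17, 0)
RPO = timedelta(hours=4)
RTO = timedelta(hours=8)

if __name__ == "__main__":
    print("achieved RPO:", achieved_rpo(DISASTER, BACKUPS))   # 12:30:00, target 4 h: missed
    print("achieved RTO:", achieved_rto(DISASTER, RESTORED))  # 2:30:00, target 8 h: met
    print(evaluate(DISASTER, BACKUPS, RESTORED, RPO, RTO))
```

The scenario shows the common audit finding: a fast recovery site satisfies the RTO while a nightly backup cycle cannot satisfy a 4-hour RPO at any time of day except the first four hours after the backup. Meeting the RPO requires more frequent backups or replication, not a faster site.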
13.5.4. Business Continuity Strategies
13.5.4.1. Interruption window
13.5.4.2. Service delivery objective (SDO)
13.5.4.3. Maximum tolerable outage (MTO)
13.5.5. Recovery Strategies
13.5.6. Recovery Alternatives
13.5.6.1. Cold sites
13.5.6.2. Mobile sites
13.5.6.3. Warm sites
13.5.6.4. Reciprocal agreements
13.5.6.5. Hot sites
13.5.6.6. Mirrored sites
13.5.7. Audit of Third Party Recovery Agreements
13.5.7.1. Provisions for use of third-party sites should cover:
13.5.7.1.1. Access
13.5.7.1.2. Audit
13.5.7.1.3. Availability
13.5.7.1.4. Communications
13.5.7.1.5. Configurations
13.5.7.1.6. Disaster declaration
13.5.7.1.7. Insurance
13.5.7.1.8. Preference
13.5.7.1.9. Priority
13.5.7.1.10. Reliability
13.5.7.1.11. Security
13.5.7.1.12. Speed of availability
13.5.7.1.13. Subscribers per site and area
13.5.7.1.14. Testing
13.5.7.1.15. Usage period
13.5.7.1.16. Warranties
13.5.8. Organization and Assignment of Responsibilities
13.5.8.1. Have recovery teams been set up to
13.5.8.1.1. Retrieve critical and vital data from offsite storage
13.5.8.1.2. Install and test systems software and applications at the systems recovery site
13.5.8.1.3. Acquire and install hardware at the system recovery site
13.5.8.1.4. Operate the system recovery site
13.5.8.2. Team Responsibilities
13.5.8.2.1. Rerouting communications traffic
13.5.8.2.2. Re-establish the local area user / system network
13.5.8.2.3. Transport users to the recovery facility
13.5.8.2.4. Restore databases, software and data
13.5.8.2.5. Supply necessary office goods, i.e., special forms, paper
13.5.9. Backup and Restoration
13.5.9.1. Offsite library controls
13.5.9.2. Security and control of offsite facilities
13.5.9.3. Media and documentation backup
13.5.9.4. Periodic backup procedures
13.5.9.5. Frequency of Rotation
13.5.9.6. Types of Media and Documentation Rotated
13.5.9.7. Backup Schemes
13.5.9.8. Method of Rotation
14. Domain 5: Protection of Information Assets
14.1. Domain 5 - CISA® Exam Relevance
14.1.1. The content area for Domain 5 will represent ...
14.1.1.1. 30% of the CISA® examination
14.1.1.2. Approximately 60 of the 200 exam questions
14.2. Importance of IS Management
14.2.1. Security objectives to meet organization’s business requirements include:
14.2.1.1. Ensure compliance with laws, regulations and standards
14.2.1.2. Ensure the availability, integrity and confidentiality of information and information systems
14.3. Key Elements of IS Management
14.3.1. Senior management commitment and support
14.3.2. Policies and procedures
14.3.3. Organization
14.3.4. Security awareness and education
14.3.5. Monitoring and compliance
14.3.6. Incident handling and response
14.4. Critical Success Factors (CSFs) for IS Management
14.4.1. Strong commitment and support by senior management, including for security training
14.4.2. Professional risk-based approach must be used systematically to identify sensitive and critical resources
14.5. Inventory and Classification of Information Assets
14.5.1. The inventory record of each information asset should include:
14.5.1.1. Identification of assets
14.5.1.2. Relative value of assets to the organization
14.5.1.3. Location (where the asset is located)
14.5.1.4. Security / risk classification
14.5.1.5. Asset group
14.5.1.6. Owner
14.5.1.7. Designated custodian
14.6. Privacy Management Issues and the Role of IS Auditors
14.6.1. Privacy impact analysis or assessments should:
14.6.1.1. Pinpoint the nature of personally identifiable information (PII) associated with business processes
14.6.1.2. Document the collection, use, disclosure and destruction of personally identifiable information
14.6.1.3. Ensure that accountability for privacy issues exists
14.6.1.4. Set the foundation for informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk
14.6.2. Compliance with privacy policy and laws
14.6.2.1. Identify and understand legal requirements regarding privacy from laws, regulations and contract agreements
14.6.2.2. Check whether personal data are correctly managed in respect to these requirements
14.6.2.3. Verify that the correct security measures are adopted
14.6.2.4. Review management’s privacy policy to ascertain that it takes into consideration the requirements of applicable privacy laws and regulations
14.7. Social Media Risks
14.7.1. Inappropriate sharing of information
14.7.1.1. Organizational activity
14.7.1.2. Staffing issues
14.7.1.3. Privacy-related sensitive data
14.7.2. Installation of vulnerable applications
14.8. Access Controls
14.8.1. System Access Permission
14.8.1.1. Who has access rights and to what?
14.8.1.2. What is the level of access to be granted?
14.8.1.3. Who is responsible for determining the access rights and access levels?
14.8.1.4. What approvals are needed for access?
14.8.2. Mandatory Access Controls (MAC)
14.8.2.1. Enforces corporate security policy; the data owner cannot override it
14.8.2.2. Compares the sensitivity label (classification) of the information resource with the clearance of the subject requesting access
14.8.3. Discretionary Access Controls (DAC)
14.8.3.1. Enforces data owner-defined sharing of information resources
14.8.4. IAAA
14.8.4.1. Identification
14.8.4.1.1. Method to uniquely distinguish each entity that is accessing resources (e.g., a user ID)
14.8.4.2. Authentication
14.8.4.2.1. Validate, verify or prove the claimed identity, using one or more factors:
14.8.4.2.1.1. Knowledge (something you know, e.g., a password or PIN)
14.8.4.2.1.2. Ownership / possession (something you have, e.g., a token or smart card)
14.8.4.2.1.3. Characteristic (something you are, e.g., a biometric)
14.8.4.3. Authorization
14.8.4.3.1. Rights, permissions, privileges granted to an authenticated entity
14.8.4.3.2. Access restrictions at the file level include:
14.8.4.4. Accounting (Audit)
14.8.4.4.1. Track all activity
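The MAC/DAC distinction in 14.8.2 and 14.8.3, as an added Python illustration that is not part of this outline or of the CISA® Review Manual. The sensitivity levels, the subjects, the objects and the ACL entries are constructed sample data; the read/write rules follow the Bell-LaPadula properties (no read up, no write down), which is one common way a mandatory policy is expressed and is assumed here.

```python
"""MAC vs. DAC access decisions (added illustration; constructed sample data)."""
from dataclasses import dataclass, field

# Ordered sensitivity levels of the (assumed) corporate classification scheme.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str                              # used by MAC
    groups: set = field(default_factory=set)    # used by DAC


@dataclass
class Object:
    name: str
    classification: str                         # MAC label, assigned by policy, not by the owner
    owner: str
    acl: dict = field(default_factory=dict)     # DAC: principal -> set of permitted actions


def mac_permits(subject, obj, action):
    """Mandatory control: compare the object's sensitivity label with the subject's
    clearance. Read requires clearance >= label (no read up); write requires
    clearance <= label (no write down), so secrets cannot leak into lower files."""
    s, o = LEVELS[subject.clearance], LEVELS[obj.classification]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    raise ValueError(f"unknown action {action!r}")


def dac_permits(subject, obj, action):
    """Discretionary control: the data owner decides who may share the resource,
    expressed as an ACL of principals (user or group names) and actions."""
    if subject.name == obj.owner:
        return True
    principals = {subject.name} | {f"group:{g}" for g in subject.groups}
    return any(action in obj.acl.get(p, set()) for p in principals)


def permits(subject, obj, action):
    """Typical layering: MAC is evaluated first and cannot be relaxed by the owner;
    DAC can only restrict further."""
    return mac_permits(subject, obj, action) and dac_permits(subject, obj, action)


def demo():
    """Decisions for a constructed payroll file; returns a dict for inspection."""
    alice = Subject("alice", "confidential", {"finance"})
    bob = Subject("bob", "internal", {"finance"})       # in finance, but cleared too low
    carol = Subject("carol", "secret")                  # the data owner
    payroll = Object("payroll.xlsx", "confidential", owner="carol",
                     acl={"group:finance": {"read"}})
    return {
        "alice-read": permits(alice, payroll, "read"),          # True
        "alice-write": permits(alice, payroll, "write"),        # False: owner granted read only
        "bob-read-dac-only": dac_permits(bob, payroll, "read"),  # True: the ACL alone would allow it
        "bob-read": permits(bob, payroll, "read"),              # False: MAC overrides the owner's ACL
        "carol-read": permits(carol, payroll, "read"),          # True: owner, clearance above label
        "carol-write": permits(carol, payroll, "write"),        # False: no write down, even for the owner
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:20} {'ALLOW' if decision else 'DENY'}")
```

The `bob-read` case is the one an auditor looks for: the owner's ACL would grant access, but the mandatory policy denies it because the clearance is below the label, which is exactly what "cannot be overridden by the data owner" means in practice.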
14.9. Challenges with Identity Management
14.9.1. Many changes to systems and users
14.9.2. Many types of users – employees, customers, guests, managers, regulators
14.9.3. Audit concerns
14.9.3.1. Unused IDs
14.9.3.2. Misconfigured IDs
14.9.3.3. Failure to follow procedures
14.9.3.4. Group IDs
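The audit concerns in 14.9.3 turned into a review script, as an added Python example that is not part of this outline or of the CISA® Review Manual. The export format, its field names, the 90-day dormancy threshold and every row of the account export are assumptions constructed for the illustration.

```python
"""Identity management review over a constructed account export (added illustration)."""
import csv
import io
from datetime import date

DORMANT_DAYS = 90  # assumed policy threshold for an "unused" ID

# Constructed sample export of accounts (not real data); assumed column layout.
EXPORT = """\
user_id,account_type,enabled,privileged,last_logon,owner
jsmith,user,yes,no,2015-05-20,
adm_backup,user,yes,yes,2014-11-02,
shared_ops,group,yes,yes,2015-06-01,
tmp_vendor1,user,yes,no,,
mlee,user,no,yes,2015-03-10,mlee
svc_app,service,yes,yes,2015-06-10,
"""


def review_accounts(export_text, as_of):
    """Return (user_id, issue) pairs for each audit concern found in the export."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        uid = row["user_id"]
        enabled = row["enabled"] == "yes"
        privileged = row["privileged"] == "yes"
        last = row["last_logon"]

        # Group / shared IDs: nobody is individually accountable for what the ID does.
        if row["account_type"] == "group":
            findings.append((uid, "group_id"))

        # Unused IDs: enabled but never used, or no logon inside the dormancy window.
        if enabled and not last:
            findings.append((uid, "never_used"))
        elif enabled and (as_of - date.fromisoformat(last)).days > DORMANT_DAYS:
            findings.append((uid, "unused"))

        # Misconfigured IDs: privileged access with no named owner to approve it.
        if privileged and not row["owner"]:
            findings.append((uid, "privileged_without_owner"))

        # Procedures not followed: leaver disabled, but privileges never revoked.
        if not enabled and privileged:
            findings.append((uid, "disabled_but_privileged"))
    return findings


def summarize(findings):
    """Group issues per user ID, the form a working paper would record."""
    summary = {}
    for uid, issue in findings:
        summary.setdefault(uid, []).append(issue)
    return summary


def review_sample():
    """Run the review over the constructed export as of 2015-06-15."""
    return summarize(review_accounts(EXPORT, date(2015, 6, 15)))


if __name__ == "__main__":
    for uid, issues in review_sample().items():
        print(f"{uid:12} {', '.join(issues)}")
```

In a real engagement the export would come from the directory or access control software; the value of the script is that every rule maps to one of the concerns above, so each finding can be traced back to the control it tests.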
14.10. Identification and Authentication
14.10.1. Vulnerabilities:
14.10.1.1. Weak authentication methods
14.10.1.2. Lack of confidentiality and integrity for the stored authentication information
14.10.1.3. Lack of encryption for authentication and protection of information transmitted over a network
14.10.1.4. User’s lack of knowledge on the risks associated with sharing passwords, security tokens, etc.
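The first two vulnerabilities above (weak authentication methods, stored authentication information without confidentiality or integrity) side by side with the hardened form, as an added Python example that is not part of this outline or of the CISA® Review Manual. The user names and passwords are constructed; the PBKDF2 iteration count and the five-attempt lockout are assumed policy values.

```python
"""Weak vs. hardened storage and checking of authentication information (added illustration)."""
import hashlib
import hmac
import os


class WeakStore:
    """The exposures rolled into one: an unsalted fast hash (one cracked table serves
    every user, and two users with the same password are visibly identical), a
    comparison that leaks timing, and no limit on guesses."""

    def __init__(self):
        self.db = {}

    def enroll(self, user, password):
        self.db[user] = hashlib.md5(password.encode()).hexdigest()

    def verify(self, user, password):
        return self.db.get(user) == hashlib.md5(password.encode()).hexdigest()


class HardenedStore:
    """Per-user random salt, a deliberately slow key derivation, constant-time
    comparison, and an attempt counter that locks the ID after repeated failures."""

    ITERATIONS = 100_000   # assumed; tune so one derivation costs ~100 ms on the target
    MAX_FAILURES = 5       # assumed lockout policy

    def __init__(self):
        self.db = {}        # user -> (salt, derived key)
        self.failures = {}  # user -> consecutive failed attempts

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   HardenedStore.ITERATIONS, dklen=32)

    def enroll(self, user, password):
        salt = os.urandom(16)
        self.db[user] = (salt, self._derive(password, salt))

    def is_locked(self, user):
        return self.failures.get(user, 0) >= self.MAX_FAILURES

    def verify(self, user, password):
        if self.is_locked(user):
            return False
        record = self.db.get(user)
        if record is None:
            # Do the same work for an unknown ID so response time does not reveal
            # which user names exist.
            self._derive(password, b"\x00" * 16)
            return False
        salt, stored = record
        ok = hmac.compare_digest(stored, self._derive(password, salt))
        self.failures[user] = 0 if ok else self.failures.get(user, 0) + 1
        return ok


def same_password_visible(store, user_a, user_b):
    """True if the stored records alone reveal that two users chose the same password."""
    return store.db[user_a] == store.db[user_b]


if __name__ == "__main__":
    weak, hard = WeakStore(), HardenedStore()
    for store in (weak, hard):
        store.enroll("alice", "Summer2015!")
        store.enroll("bob", "Summer2015!")
    print("weak store leaks shared password:", same_password_visible(weak, "alice", "bob"))
    print("hardened store leaks shared password:", same_password_visible(hard, "alice", "bob"))
```

The third vulnerability above (no encryption in transit) is not addressed by either store: the credential still has to travel inside an encrypted channel, which is a separate control to test.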
14.11. Logical Access
14.11.1. Logical Access Exposures
14.11.1.1. Technical exposures include:
14.11.1.1.1. Data leakage
14.11.1.1.2. Wiretapping
14.11.1.1.3. Trojan horses / backdoors
14.11.1.1.4. Viruses
14.11.1.1.5. Worms
14.11.1.1.6. Logic bombs
14.11.1.1.7. Denial-of-service attacks
14.11.1.1.8. Computer shutdown
14.11.1.1.9. War driving
14.11.1.1.10. Piggybacking
14.11.1.1.11. Trap doors
14.11.1.1.12. Asynchronous attacks
14.11.1.1.13. Rounding down
14.11.1.1.14. Salami technique
14.11.2. Paths of Logical Access
14.11.2.1. Network connectivity
14.11.2.2. Remote access
14.11.2.3. Operator console
14.11.2.4. Online workstations or terminals
14.11.3. Logical Access Control Software
14.11.3.1. Prevent unauthorized access and modification to an organization’s sensitive data and use of system critical functions.
14.11.3.2. General operating and/or application systems access control functions include the following:
14.11.3.2.1. Create or change user profiles
14.11.3.2.2. Assign user identification and authentication
14.11.3.2.3. Apply user logon limitation rules
14.11.3.2.4. Notification concerning proper use and access prior to initial login
14.11.3.2.5. Create individual accountability and auditability by logging user activities; establish rules for access to specific information resources (e.g., system-level application resources and data)
14.11.3.2.6. Log events
14.11.3.2.7. Report capabilities
14.11.3.3. Database and / or application-level access control functions include:
14.11.3.3.1. Create or change data files and database profiles
14.11.3.3.2. Verify user authorization at the application and transaction levels
14.11.3.3.3. Verify user authorization within the application
14.11.3.3.4. Verify user authorization at the field level for changes within a database
14.11.3.3.5. Verify subsystem authorization for the user at the file level
14.11.3.3.6. Log database / data communications access activities for monitoring access violations
14.11.4. Auditing Logical Access
14.11.4.1. When evaluating logical access controls the IS auditor should:
14.11.4.1.1. Identify sensitive systems and data
14.11.4.1.2. Document and evaluate controls over potential access
14.11.4.1.3. Test controls over access paths to determine whether they are functioning and effective
14.11.4.1.4. Evaluate the access control environment to determine if the control objectives are achieved
14.11.4.1.5. Evaluate the security environment to assess its adequacy
14.11.5. Access Control Lists (ACLs)
14.11.5.1. Users who have permission to use a particular system resource
14.11.5.2. The types of access permitted
14.11.6. Logical Access security administration:
14.11.6.1. Centralized environment
14.11.6.2. Decentralized environment
14.11.6.2.1. Advantages
14.11.6.2.2. Risks
14.11.7. Single Sign-on (SSO)
14.11.7.1. Consolidating access functions for multiple systems into a single centralized administrative function
14.11.7.2. A single sign-on interfaces with:
14.11.7.2.1. Client-server and distributed systems
14.11.7.2.2. Mainframe systems
14.11.7.2.3. Network security including remote access mechanisms
14.11.7.3. Advantages
14.11.7.3.1. Elimination of multiple user IDs and passwords
14.11.7.3.2. It improves an administrator’s ability to centrally manage users’ accounts and authorizations
14.11.7.3.3. Reduces administrative overhead
14.11.7.3.4. It reduces the time taken by users to log into multiple applications and platforms
14.11.7.4. Disadvantages
14.11.7.4.1. May not support legacy applications or all operating environments
14.11.7.4.2. The costs associated with SSO development can be significant
14.11.7.4.3. The centralized nature of SSO presents the possibility of a single point of failure and of total compromise of an organization’s information assets: one compromised SSO credential grants access to every connected system
14.12. Familiarization with the Organization’s IT Environment
14.12.1. Every layer of a system has to be reviewed for security controls including:
14.12.1.1. The network
14.12.1.2. Operating system platform
14.12.1.3. Applications software
14.12.1.4. Database
14.12.1.5. Physical and environmental security
14.13. Remote Access
14.13.1. Today’s organizations require remote access connectivity to their information resources for different types of users such as employees, vendors, consultants, business partners and customer representatives.
14.13.1.1. Consolidated
14.13.1.2. Monitored
14.13.1.3. Policies
14.13.1.4. Appropriate access levels
14.13.1.5. Encrypted
14.13.2. Risks
14.13.2.1. Denial of service
14.13.2.2. Malicious third parties
14.13.2.3. Misconfigured communications software
14.13.2.4. Misconfigured devices on the corporate computing infrastructure
14.13.2.5. Host systems not secured appropriately
14.13.2.6. Physical security issues on remote users’ computers
14.13.3. Auditing Remote Access
14.13.3.1. Assess remote access points of entry
14.13.3.2. Test dial-up access controls
14.13.3.3. Test the logical controls
14.13.3.4. Evaluate remote access approaches for cost-effectiveness, risk and business requirements
14.13.3.5. Audit Internet points of presence:
14.13.3.5.1. E-mail
14.13.3.5.2. Marketing
14.13.3.5.3. Sales channel / electronic commerce
14.13.3.5.4. Channel of delivery for goods / services
14.13.3.5.5. Information gathering
14.14. Audit logging and monitoring system access
14.14.1. Provides management an audit trail to monitor activities of a suspicious nature, such as a hacker attempting brute-force attacks on a privileged logon ID
14.14.2. Record all activity for future investigation
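The brute-force case in 14.14.1 run as detection logic over an authentication log, as an added Python example that is not part of this outline or of the CISA® Review Manual. The log line format, the threshold (five failures within two minutes), the list of privileged IDs and every log line are constructed for the illustration; the addresses are RFC 5737 documentation ranges.

```python
"""Brute-force detection over a constructed authentication log (added illustration)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> <host> sshd: <Accepted|Failed> password for <user> from <src>"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)
THRESHOLD = 5                   # failures that trigger a brute-force alert (assumed)
WINDOW = timedelta(minutes=2)   # sliding window for counting failures (assumed)
PRIVILEGED = {"root", "admin"}  # logon IDs whose abuse is rated high (assumed)

# Constructed sample log (not real data).
LOG = """\
2015-06-15T08:00:01 host1 sshd: Failed password for root from 203.0.113.7
2015-06-15T08:00:03 host1 sshd: Failed password for root from 203.0.113.7
2015-06-15T08:00:05 host1 sshd: Failed password for root from 203.0.113.7
2015-06-15T08:00:07 host1 sshd: Failed password for jsmith from 198.51.100.4
2015-06-15T08:00:09 host1 sshd: Failed password for root from 203.0.113.7
2015-06-15T08:00:11 host1 sshd: Failed password for root from 203.0.113.7
2015-06-15T08:00:13 host1 sshd: Failed password for root from 203.0.113.7
2015-06-15T08:00:20 host1 sshd: Accepted password for root from 203.0.113.7
2015-06-15T08:05:00 host1 sshd: Accepted password for jsmith from 198.51.100.4
2015-06-15T08:30:00 host1 sshd: Failed password for root from 203.0.113.7
"""


def detect(log_text):
    """Return alerts as (kind, severity, user, src, timestamp) tuples, in log order."""
    alerts = []
    recent = defaultdict(deque)   # (user, src) -> timestamps of failures inside WINDOW
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue              # lines in other formats are ignored by this parser
        ts = datetime.fromisoformat(m["ts"])
        user, src = m["user"], m["src"]
        q = recent[(user, src)]
        while q and ts - q[0] > WINDOW:
            q.popleft()           # slide the window forward
        severity = "high" if user in PRIVILEGED else "medium"
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) == THRESHOLD:
                alerts.append(("brute_force", severity, user, src, ts))
        else:
            # A success right after a burst of failures is the event to investigate:
            # the guessing may have worked.
            if len(q) >= 3:
                alerts.append(("success_after_failures", "critical", user, src, ts))
            q.clear()
    return alerts


if __name__ == "__main__":
    for kind, severity, user, src, ts in detect(LOG):
        print(f"{ts.isoformat()} [{severity}] {kind}: {user} from {src}")
```

The single late failure at 08:30 produces nothing because the earlier failures have fallen out of the window; the point for the audit trail is that the log must retain enough history (timestamps, user ID, source) for this kind of correlation to be possible after the fact.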
14.15. Encryption
14.15.1. Symmetric vs. Asymmetric Summary
14.15.2. Summary of Cryptography Algorithms
14.16. Physical and Environmental Controls
14.16.1. Security Objectives & Controls
14.16.1.1. Administrative controls
14.16.1.1.1. Facility location, construction, and management
14.16.1.1.2. Physical security risks, threats, and countermeasures
14.16.1.2. Technical controls
14.16.1.2.1. Authenticating individuals and intrusion detection
14.16.1.2.2. Electrical issues and countermeasures
14.16.1.2.3. Fire prevention, detection, and suppression
14.16.1.3. Physical controls
14.16.1.3.1. Perimeter & Building Grounds
14.16.1.3.2. Building Entry Point
14.16.1.3.3. Box-within-a-box floor plan
14.16.1.3.4. Data Centers or Server Room Security
14.16.2. Physical Access Controls (non-exhaustive list)
14.16.2.1. Locks
14.16.2.1.1. Mechanical locks
14.16.2.1.2. Electronic locks
14.16.2.2. Entrance Protection
14.16.2.2.1. Turnstiles
14.16.2.2.2. Mantraps
14.16.2.2.3. Fail-safe (door unlocks on power loss; favors life safety)
14.16.2.2.4. Fail-secure (door stays locked on power loss; favors asset protection)
14.16.2.3. Closed-circuit television (CCTV)
14.16.2.4. Security guards
14.16.2.5. Lighting
14.16.2.6. Electrical Power Supply
14.16.2.7. Electrostatic Discharge
14.16.2.8. HVAC
14.16.2.9. Fire Suppression Systems
14.16.2.9.1. Halon (ozone-depleting; production banned under the Montreal Protocol, so found only in legacy installations)
14.16.2.9.2. FM-200
14.16.2.9.3. Carbon Dioxide
14.16.2.9.4. Dry Chemicals
14.16.2.9.5. Dry Pipe
14.16.2.9.6. Pre-action
14.16.2.10. Fire / Smoke Detection
14.16.2.10.1. Ionization-type smoke detector
14.16.2.10.2. Optical (photoelectric) smoke detector
14.16.2.10.3. Fixed / rate-of-rise temperature sensor