Certified Information System Auditing (CISA)

This course is designed specifically for experienced information security professionals who are preparing to take the ISACA CISA exam.

IT professionals must have 5 years or more of IS audit, control, assurance and security experience.

• ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional ethics and other applicable standards.
• Risk assessment concepts, tools and techniques in an audit context.
• Control objectives and controls related to information systems.
• Audit planning and audit project management techniques, including follow-up.
• Fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) including relevant IT.
• Applicable laws and regulations which affect the scope, evidence collection and preservation, and frequency of audits.
• Evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis, fraud, investigation) used to gather, protect and preserve audit evidence different sampling methodologies.
• Reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure).
• Audit quality assurance systems and frameworks.

• IT governance, management, security and control frameworks, and related standards, guidelines, and practices
• The purpose of IT strategy, policies, standards and procedures for an organization and the essential elements of each organizational structure, roles and responsibilities related to IT.
• The processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures
• The organization’s technology direction and IT architecture and their implications for setting long-term strategic directions
• Relevant laws, regulations and industry standards affecting the organization
• Quality management systems
• The use of maturity models
• Process optimization techniques
• IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, project management)
• IT supplier selection, contract management, relationship management and performance monitoring
• Processes including third party outsourcing relationships
• Enterprise risk management
• Practices for monitoring and reporting of IT performance (e.g., balanced scorecards, key performance indicators [KPI])
• IT human resources (personnel) management practices used to invoke the business continuity plan

business impact analysis (BIA) related to business continuity planning

• The standards and procedures for the development and maintenance of the business continuity plan and testing methods

• Benefits realization practices, (e.g., feasibility studies, business cases, total cost of ownership [TCO], ROI) project governance mechanisms (e.g., steering committee, project oversight board, project management office)
• Project management control frameworks, practices and tools
• Risk management practices applied to projects
• IT architecture related to data, applications and technology (e.g., distributed applications, web based applications, web services, n-tier applications)
• Acquisition practices (e.g., evaluation of vendors, vendor management, escrow)
• Requirements analysis and management practices (e.g., requirements verification, traceability, gap analysis, vulnerability management, security requirements)
• Project success criteria and risks
• Objectives and techniques that ensure the completeness, accuracy, validity and authorization of transactions and data
• System development methodologies and tools including their strengths and weaknesses (e.g., agile development practices, prototyping, rapid application development [RAD], object-oriented design techniques)
• Testing methodologies and practices related to information systems development
• Configuration and release management relating to the development of information systems
• System migration and infrastructure deployment practices and data conversion tools, techniques and procedures.
• Post-implementation review objectives and practices (e.g., project closure, control implementation, benefits realization, performance measurement)

• Service level management practices and the components within a service level agreement
• Techniques for monitoring third party compliance with the organization’s internal controls
• Operations and end-user procedures for managing scheduled and non-scheduled processes The technology concepts related to hardware and network components, system software and database management systems
• Control techniques that ensure the integrity of system interfaces
• Software licensing and inventory practices
• System resiliency tools and techniques (e.g., fault tolerant hardware, elimination of single point of failure, clustering)
• Database administration practices
• Capacity planning and related monitoring tools and techniques
• Systems performance monitoring processes, tools and techniques (e.g., network analyzers, system utilization reports, load balancing)
• Problem and incident management practices (e.g., help desk, escalation procedures, tracking)
• Processes, for managing scheduled and non-scheduled changes to the production systems and/or infrastructure including change, configuration, release and patch management practices
• Data backup, storage, maintenance, retention and restoration practices
• Regulatory, legal, contractual and insurance issues related to disaster recovery
• Business impact analysis (BIA) related to disaster recovery planning
• The development and maintenance of disaster recovery plans
• Types of alternate processing sites and methods used to monitor the contractual agreements (e.g., hot sites, warm sites, cold sites)
• Processes used to invoke the disaster recovery plans
• Disaster recovery testing methods

• Techniques for the design, implementation, and monitoring of security controls, including security awareness programs
• Processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team)
• Logical access controls for the identification, authentication and restriction of users to authorized functions and data
• The security controls related to hardware, system software (e.g., applications, operating systems), and database management systems.
• Risks and controls associated with virtualization of systems
• The configuration, implementation, operation and maintenance of network security controls
• Network and Internet security devices, protocols, and techniques
• Information system attack methods and techniques
• Detection tools and control techniques (e.g., malware, virus detection, spyware)
• Security testing techniques (e.g., intrusion testing, social engineering testing, vulnerability scanning)
• Risks and controls associated with data leakage
• Encryption-related techniques
• Public key infrastructure (PKI) components and digital signature techniques
• Risks and controls associated with peer-to-peer computing, instant messaging, and web-based technologies (e.g., social networking, message boards, blogs)
• Controls and risks associated with the use of mobile & wireless devices
• Voice communications security (e.g., PBX, VoIP)
• The evidence preservation techniques and processes followed in forensics investigations (e.g., IT, process, chain of custody, fraud evidence collection)
• Data classification standards and supporting procedures
• Physical access controls for the identification, authentication and restriction of users to authorized facilities

environmental protection devices and supporting practices

• The processes and procedures used to store, retrieve, transport and dispose of confidential information assets

• People, data, infrastructure, and other resources that support key business processes
• Dangers and threats to the organization
• Estimated probability of threat occurrence

• DRP plan
• Plan to restore operations to normal following disaster
• Improvement of security operations

• Create BCP policy
• Businesses Impact Analysis (BIA)
• Classify of operations and criticality
• Identify IS processes that support business criticality
• Develop BCP and IS DRP
• Develop resumption procedures
• Training and awareness programs
• Test and implement plan

• Should encompass preventative, detective, and corrective controls
• BCP most critical corrective control
• Incident management control
• Main severity criterion is service downtime
• Media backup control

• Different business processes & criticality
• Critical IS resources supporting critical business processes
• Critical recovery period before significant or unacceptable loses occur

Recovery point objective (RPO) – based on acceptable data loss; earliest time in which it is acceptable to recover; date/time or synchronization point to which systems/data will be restored.

Recovery time objective (RTO) – based on acceptable downtime; earliest time when business operations must resume.

Interruption window – how long a business can wait before operations resume (after this point, losses are unaffordable)

Maximum Tolerable outage (MTO) – maximum time business can operate in alternate processing mode before other problems occur

Service delivery objective (SDO) – acceptable level of services required during alternate processing Recovery Alternatives

• Hot site – fully configured and ready to operate within hours. Not for extended use.
• Warm site – partially configured (network and peripheral devices, but no main computers). Site ready in hours, operations ready in days or weeks.Cold site – has basic utilities, ready in weeks.
• Redundant site – dedicated, self-developed sites.
• Mobile site – data center in a box
• Reciprocal agreements with other businesses

• Level 0 -striped disk array, no fault tolerance; stripes multiple disks into one volume (faster when software based)
• Level 1 – mirroring; 2 drives, half the space (faster when software based)
• Level 2 – Hamming code ECC – interweaving data based on hamming code (EXPENSIVE and rare; HW based, resource intensive)
• Level 3 – parallel transfer with parity; at least 2 striped data drives with 1 for parity (faster in HW)
• Level 5 – block level; independent disks with distributed parity blocks; at least 3 drives, stripes data and parity (faster in HW) _ mirrored sets
• Level 6 – Level 5 with 2 independent distributed parity schemes (faster in HW)
• Level 10 – high reliability & performance; at least 4 drives, stripes level 1 segments; hi I/O
• Level) 0 + 1 – High transfer rate; striped plus mirror; losing 2 drives = major data loss

• IS equipment/facilities
• software media reconstruction
• media damage Extra expense – of continuing operations after disaster; loss due to computer
• Business interruption
• Valuable papers and records
• Errors and omissions
• Fidelity coverage – loss due to dishonest/fraudulent acts
• Media transportation
• Covers loss based on historical performance, not existing
• No compensation for loss of image/goodwill Grandfather (monthly), father (weekly), son (daily) backup rotation scheme