Certified Information Systems Auditor (CISA) Cert Guide

Book Description

This Cert Guide helps you succeed on the latest CISA exam the first time, mastering all the knowledge you need to earn CISA certification. World-renowned enterprise IT security leaders Michael Gregg and Rob Johnson share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills.

This complete study package includes

  • A test-preparation routine proven to help you pass the exam
  • "Do I Know This Already?" quizzes, which allow you to decide how much time you need to spend on each section
  • Chapter-ending exercises, which help you drill on key concepts you must know thoroughly
  • The powerful Pearson Test Prep practice test software, with two full sample exams containing well-reviewed, exam-realistic questions, customization options, and detailed performance reports
  • A final preparation chapter that guides you through tools and resources to help you craft your review and test-taking strategies
  • Study plan suggestions and templates to help you organize and optimize your study time

Well regarded for its level of detail, study plans, assessment features, and challenging review questions and exercises, this study guide helps you master the concepts and techniques that ensure your exam success.

The study guide helps you master topics on the CISA exam, including the following:

  • Essential information systems audit techniques, skills, and standards
  • IT governance, management/control frameworks, and process optimization
  • Maintaining critical services: business continuity and disaster recovery
  • Acquiring information systems: build-or-buy, project management, and development methodologies
  • Auditing and understanding system controls
  • System maintenance and service management, including frameworks and networking infrastructure
  • Asset protection via layered administrative, physical, and technical controls
  • Insider and outsider asset threats: response and management

Table of Contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. Contents at a Glance
  5. Table of Contents
  6. About the Authors
  7. Dedication
  8. Acknowledgments
  9. About the Technical Reviewer
  10. Introduction
  11. Chapter 1 The CISA Certification
    1. Exam Intent
    2. Why the CISA Certification Is So Important
      1. CISA: The Gold Standard
    3. Exam Requirements
    4. CISA Exam Windows
      1. Scheduling to Take the Exam
      2. Deadline to Apply for the CISA Certification
      3. ISACA Agreements
      4. CISA Exam Domains
      5. Question Format and Grading
        1. Exam Grading
        2. Exam Questions
      6. Getting Exam Results and Retests
      7. Maintaining CISA Certification
        1. Reporting CPE Hours Earned
        2. Earning CPE Hours
    5. Top 10 Tips and Tricks
    6. Chapter Summary
    7. Define Key Terms
    8. Suggested Readings and Resources
  12. Chapter 2 The Information Systems Audit
    1. “Do I Know This Already?” Quiz
    2. Foundation Topics
    3. Skills and Knowledge Required to Be an IS Auditor
      1. Work-Related Skills
    4. Knowledge of Ethical Standards
    5. ISACA Standards, Procedures, Guidelines, and Baselines
      1. Knowledge of Regulatory Standards
      2. Guidance Documents
      3. Auditing Compliance with Regulatory Standards
      4. Knowledge of Business Processes
      5. Types of Audits
    6. Risk Assessment Concepts
      1. Risk Management
    7. Auditing and the Use of Internal Controls
    8. The Auditing Life Cycle
      1. Audit Methodology
      2. The Auditing Life Cycle Steps
      3. Chain of Custody and Evidence Handling
      4. Automated Work Papers
      5. CAATs
      6. Audit Closing
      7. Report Writing
    9. The Control Self-Assessment Process
    10. Continuous Monitoring
    11. Quality Assurance
    12. The Challenges of Audits
      1. Communicating Results
      2. Negotiation and the Art of Handling Conflicts
    13. Chapter Summary
    14. Exam Preparation Tasks
    15. Review All the Key Topics
    16. Complete Tables from Memory
    17. Define Key Terms
    18. Exercises
      1. 2.1 Network Inventory
    19. Review Questions
    20. Suggested Readings and Resources
  13. Chapter 3 The Role of IT Governance
    1. “Do I Know This Already?” Quiz
    2. Foundation Topics
    3. The IT Steering Committee
    4. Corporate Structure
    5. IT Governance Frameworks
      1. COBIT
      2. ITIL
      3. COBIT Versus ITIL
    6. Enterprise Risk Management
      1. The Risk Management Team
      2. Asset Identification
      3. Threat Identification
      4. Quantitative Risk Assessment
      5. Qualitative Risk Assessment
      6. The Three Lines of Defense Model
    7. Policy Development
      1. Policy
      2. Policy, Standards, Procedures, and Baselines
      3. Auditing Policies, Standards, Procedures, and Baselines
      4. Data Classification
      5. Security Policy
    8. Management Practices of Employees
      1. Forced Vacations, Rotation of Assignments, and Dual Control
      2. Separation Events
      3. Roles and Responsibilities
      4. Segregation of Duties (SoD)
      5. Compensating Controls
      6. Key Employee Controls
    9. Performance Management
      1. Key Performance Terms
    10. Management and Control Frameworks
      1. Enterprise Architecture
      2. Change Management
      3. Quality Management
    11. Maturity Models
      1. Implementing a Maturity Model
    12. Management’s Role in Compliance
    13. Process Optimization Techniques
      1. Taguchi
      2. PDCA
      3. Taguchi Versus PDCA
    14. Management of IT Suppliers
      1. Third-Party Outsourcing
      2. Third-Party Audits
      3. Contract Management
      4. Performance Monitoring
      5. Relationship Management
    15. Chapter Summary
    16. Exam Preparation Tasks
    17. Review All the Key Topics
    18. Complete Tables from Memory
    19. Key Terms
    20. Exercises
      1. 3.1 Determining the steps for quantitative risk assessment
    21. Review Questions
    22. Suggested Readings and Resources
  14. Chapter 4 Maintaining Critical Services
    1. “Do I Know This Already?” Quiz
    2. Foundation Topics
    3. Threats to Business Operations
    4. The Business Continuity Planning (BCP) Process
      1. Project Management and Initiation
      2. Business Impact Analysis
        1. Criticality Analysis
      3. Development and Recovery Strategy
      4. Final Plan Design and Implementation
      5. Training and Awareness
      6. Implementation and Testing
        1. Paper Tests
        2. Preparedness Tests
        3. Full Operation Tests
      7. Monitoring and Maintenance
      8. Understanding BCP Metrics
    5. Recovery Strategies
      1. Alternate Processing Sites
        1. Alternate Processing Options
      2. Hardware Recovery
        1. Redundant Array of Independent Disks
      3. Software and Data Recovery
      4. Backup and Restoration
      5. Telecommunications Recovery
      6. Verification of Disaster Recovery and Business Continuity Process Tasks
      7. The Disaster Life Cycle
    6. Chapter Summary
    7. Exam Preparation Tasks
    8. Review All the Key Topics
    9. Define Key Terms
    10. Exercises
      1. 4.1 Business Impact and Risk
    11. Review Questions
    12. Suggested Readings and Resources
  15. Chapter 5 Information Systems Acquisition and Development
    1. “Do I Know This Already?” Quiz
    2. Foundation Topics
    3. IT Acquisition and Project Management
      1. IT Acquisition
        1. Software Escrow Agreements
        2. Software Licensing
      2. Project Management
        1. Roles, Responsibility, and Structure of Project Management
        2. Project Culture and Objectives
        3. Making the Business Case for Investment
        4. Return on Investment
      3. Project Management Activities and Practices
        1. Project Initiation
        2. Project Planning
        3. Project Control and Execution
        4. Project Closing
    4. Business Application Development
      1. Systems-Development Methodology
        1. Phase 1: Initiation phase
        2. Phase 2: Development
        3. Phase 3: Implementation
        4. Phase 4: Operation and Maintenance
        5. Phase 5: Disposal
      2. Tools and Methods for Software Development
    5. Information Systems Maintenance
    6. Outsourcing and Alternative System Development
      1. Cloud Computing
        1. Cloud Threats
      2. Application-Development Approaches
      3. N-tier
      4. Virtualization
    7. Chapter Summary
    8. Exam Preparation Tasks
    9. Review All the Key Topics
    10. Complete Tables from Memory
    11. Define Key Terms
    12. Exercises
      1. 5.1 Project Management
      2. 5.2 Project Management
    13. Review Questions
    14. Suggested Readings and Resources
  16. Chapter 6 Auditing and Understanding System Controls
    1. “Do I Know This Already?” Quiz
    2. Foundation Topics
    3. Audit Universe and Application Auditing
    4. Programmed and Manual Application Controls
      1. Business Process Controls
        1. Input Controls
        2. Processing Controls
        3. Data File Controls
        4. Output Controls
    5. Auditing Application Controls
      1. Understanding the Application
      2. Observation and Testing
      3. Data Integrity Controls
      4. Application System Testing
      5. Continuous Online Auditing
    6. Auditing Systems Development, Acquisition, and Maintenance
      1. Project Management
    7. Business Application Systems
      1. E-commerce
      2. Electronic Data Interchange
      3. Email
      4. Business Intelligence
        1. Decision Support Systems
        2. Artificial Intelligence and Expert Systems
        3. Customer Relationship Management
        4. Supply Chain Management
        5. Social Media
    8. Chapter Summary
    9. Exam Preparation Tasks
    10. Review All the Key Topics
    11. Define Key Terms
    12. Exercises
      1. 6-1 Software Application Audit
    13. Review Questions
    14. Suggested Readings and Resources
  17. Chapter 7 Systems Maintenance and Service Management
    1. “Do I Know This Already?” Quiz
    2. Foundation Topics
    3. Service Management Frameworks
      1. COBIT
      2. FitSM
      3. ISO 20000
      4. eTOM
    4. Fundamental Technologies
      1. Operating Systems
      2. Secondary Storage
      3. Utility Software
      4. Database-Management Systems
      5. Database Structure
      6. Software Licensing Issues
      7. Digital Rights Management
    5. Network Infrastructure
      1. Network Types
      2. Network Standards and Protocols
      3. The OSI Reference Model
        1. The Application Layer
        2. The Presentation Layer
        3. The Session Layer
        4. The Transport Layer
        5. The Network Layer
        6. The Data Link Layer
        7. The Physical Layer
      4. Network Services and Applications
      5. Comparing the OSI Model to the TCP/IP Model
        1. The Network Access Layer
        2. The Internet Layer
        3. The Host-to-Host/Transport Layer
        4. The Application Layer
      6. Network Services
      7. Wireless Technologies
        1. Bluetooth
        2. 802.11 Wireless
        3. Smartphones, Tablets, and Hotspots
      8. Network Equipment
      9. Edge Devices
        1. DMZ
        2. Firewalls
        3. Firewall Configuration
        4. IDS/IPS
      10. Wide Area Networks
        1. Packet Switching
        2. Circuit Switching
    6. Capacity Planning and Systems Performance Monitoring
      1. Network Analyzers
      2. System Utilization and Load Balancing
        1. Third Parties and Cloud Providers
      3. Network Design
      4. Network Cabling
    7. Chapter Summary
    8. Exam Preparation Tasks
    9. Review All the Key Topics
    10. Define Key Terms
    11. Exercises
      1. 7.1 Organizing Network Components
    12. Review Questions
    13. Suggested Readings and Resources
  18. Chapter 8 Protection of Assets
    1. “Do I Know This Already?” Quiz
    2. Foundation Topics
    3. Access Control
      1. Identification and Authentication (I&A)
        1. Authentication by Knowledge
        2. Authentication by Ownership
        3. Authentication by Characteristic
      2. Single Sign-on
      3. Federation
      4. Remote Access
        1. RADIUS
        2. Diameter
        3. TACACS
        4. Additional Remote Access Options
        5. SSH
        6. VPNs
      5. Physical and Environmental Access Controls
        1. Fences, Gates, and Bollards
        2. Other Physical and Environmental Controls
        3. Using Guards to Restrict Access
        4. Locks
        5. Lighting
        6. CCTV
        7. Heating, Ventilation, and Air Conditioning (HVAC)
    4. Security Controls for Hardware and Software
      1. Securing Voice Communications
      2. Encryption’s Role as a Security Control
      3. Private Key Encryption
        1. Data Encryption Standard (DES)
        2. Advanced Encryption Standard (AES)
      4. Public Key Encryption
        1. RSA Encryption
        2. Elliptic Curve Cryptography (ECC)
        3. Quantum Cryptography
        4. Hashing and Digital Signatures
        5. Public Key Infrastructure (PKI)
      5. Using Cryptography to Secure Assets
        1. Internet Security Protocols
    5. Protection of Information Assets
      1. Information Life Cycle
      2. Access Restriction
      3. Laws Related to the Protection of Information
      4. Maintaining Compliance
      5. Protection of Privacy
      6. Using Data Classification to Secure Critical Resources
    6. Data Leakage and Attacks
      1. Attacks Against Encryption
      2. Threats from Unsecured Devices
      3. Threats from Improper Destruction
      4. Threats to the Infrastructure
    7. Chapter Summary
    8. Exam Preparation Tasks
    9. Review All the Key Topics
    10. Complete Tables from Memory
    11. Define Key Terms
    12. Review Questions
    13. Suggested Reading and Resources
  19. Chapter 9 Asset Threats, Response, and Management
    1. “Do I Know This Already?” Quiz
    2. Foundation Topics
    3. Security Controls
      1. Technical Controls
        1. Cloud Computing
        2. Operating Systems
        3. Databases
        4. Virtualization
      2. Administrative Controls
    4. Attack Methods and Techniques
      1. Social Engineering and Nontechnical Attacks
      2. Sniffing
      3. Man-in-the-Middle Attacks and Hijacking
      4. Denial of Service
      5. Botnets
      6. Malware
      7. Wireless and Bluetooth
      8. SQL Injection
      9. Buffer Overflow
      10. XSS and XSRF
      11. Logic Bombs, Rounding Down, and Asynchronous Attacks
      12. Integer Overflow
      13. Password Attacks
    5. Prevention and Detection Tools and Techniques
      1. Audit and Log Review
      2. Security Testing Techniques
        1. Vulnerability Scanning
        2. Penetration Testing
    6. Problem and Incident Management Practices
      1. Tracking Change
      2. Fraud Risk Factors
        1. Insiders
        2. Outsiders
      3. Incident Response
        1. Emergency Incident Response Team
        2. Incident Response Process
        3. Incident Response and Results
        4. Forensic Investigation
        5. Forensics Steps
        6. Other Forensic Types
      4. Computer Crime Jurisdiction
    7. Chapter Summary
    8. Exam Preparation Tasks
    9. Review All the Key Topics
    10. Complete Tables from Memory
    11. Define Key Terms
    12. Review Questions
    13. Suggested Reading and Resources
  20. Chapter 10 Final Preparation
    1. Tools for Final Preparation
      1. Pearson Test Prep Practice Test Software and Questions on the Website
        1. Accessing the Pearson Test Prep Software Online
        2. Accessing the Pearson Test Prep Software Offline
      2. Customizing Your Exams
      3. Updating Your Exams
        1. Premium Edition
      4. Memory Tables
      5. Chapter-Ending Review Tools
    2. Suggested Plan for Final Review/Study
    3. Summary
  21. Glossary
  22. Appendix A Answers to the “Do I Know This Already” Quizzes and Review Questions
  23. Index
  24. Appendix B Memory Tables
  25. Appendix C Memory Tables Answer Key