CISA - Certified Information Systems Auditor Study Guide

Book description

This CISA study guide is for those interested in achieving CISA certification and provides complete coverage of ISACA's latest CISA Review Manual (2019) with practical examples and over 850 exam-oriented practice questions.

Key Features

  • Gain tactical skills in auditing, control, and security to pass the CISA examination
  • Get up to speed with auditing business IT systems
  • Increase your value to organizations and be at the forefront of an evolving business landscape by achieving CISA certification

Book Description

Are you looking to prepare for the CISA exam and understand the roles and responsibilities of an information systems (IS) auditor?

The CISA - Certified Information Systems Auditor Study Guide is here to help you get started with CISA exam prep.

This book covers all the five CISA domains in detail to help you pass the exam. You'll start by getting up and running with the practical aspects of an information systems audit. The book then shows you how to govern and manage IT, before getting you up to speed with acquiring information systems. As you progress, you'll gain knowledge of information systems operations and understand how to maintain business resilience, which will help you tackle various real-world business problems. Finally, you'll be able to assist your organization in effectively protecting and controlling information systems with IT audit standards.

By the end of this CISA book, you'll not only have covered the essential concepts and techniques you need to know to pass the CISA certification exam but also have the ability to apply them in the real world.

What you will learn

  • Understand the information systems auditing process
  • Get to grips with IT governance and management
  • Gain knowledge of information systems acquisition
  • Assist your organization in protecting and controlling information systems with IT audit standards
  • Understand information systems operations and how to ensure business resilience
  • Evaluate your organization's security policies, standards, and procedures to meet its objectives

Who this book is for

This CISA exam study guide is designed for those with a non-technical background who are interested in achieving CISA certification and are currently employed or looking to gain employment in IT audit and security management positions.

Table of contents

  1. Title Page
  2. Copyright and Credits
    1. CISA – Certified Information Systems Auditor Study Guide
  3. Dedication
  4. About Packt
    1. Why subscribe?
  5. Contributors
    1. About the author
    2. About the reviewer
    3. Packt is searching for authors like you
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the color images
    5. Conventions used
    6. Get in touch
    7. Reviews
  7. Section 1: Information System Auditing Process
  8. Audit Planning
    1. The content of an audit charter
    2. Key aspects from CISA exam perspective
    3. Self-evaluation questions
    4. Audit planning
    5. Benefits of audit planning
    6. Selection criteria
    7. Reviewing audit planning
    8. Individual audit assignments
    9. Key aspects from CISA exam perspective
    10. Self-evaluation questions
    11. Business process applications and controls
    12. E-commerce
    13. Electronic Data Interchange (EDI)
    14. Point of Sale (POS)
    15. Electronic banking
    16. Electronic funds transfer (EFT)
    17. Image processing
    18. Artificial intelligence and expert systems
    19. Key aspects from CISA exam perspective
    20. Self-evaluation questions
    21. Types of controls
    22. Preventive controls
    23. Detective controls
    24. Corrective controls
    25. Deterrent controls
    26. The difference between preventive and deterrent controls
    27. Compensating controls
    28. Control objectives
    29. Control measures
    30. Key aspects from CISA exam perspective
    31. Self-evaluation questions
    32. Risk-based audit planning
    33. What is risk?
    34. Understanding vulnerability and threat
    35. Understanding inherent risk and residual risk
    36. Advantages of risk-based audit planning
    37. Audit risk
    38. Risk-based auditing approach
    39. Risk assessments
    40. Risk response methodology
    41. Top-down and bottom-up approaches to policy development
    42. The top-down approach
    43. The bottom-up approach
    44. The best approach
    45. Key aspects from CISA exam perspective
    46. Self-evaluation questions
    47. Types of audit and assessment
    48. Self-evaluation questions
    49. Summary
    50. Assessments
    51. Content of the audit charter
    52. Audit planning
    53. Business process applications and controls
    54. Types of controls
    55. Risk-based audit planning
    56. Types of audit and assessment
  9. Audit Execution
    1. Audit project management
    2. Audit objectives
    3. Audit phases
    4. Fraud, irregularities, and illegal acts
    5. Key aspects from CISA exam perspective
    6. Self-assessment questions
    7. Sampling methodology
    8. Sampling types
    9. Sampling risk
    10. Other sampling terms
    11. The confidence coefficient
    12. Level of risk
    13. Expected error rate
    14. Tolerable error rate
    15. Sample mean
    16. Sample standard deviation
    17. Compliance versus substantive testing
    18. The difference between compliance testing vis-à-vis substantive testing
    19. Examples of compliance testing and substantive testing
    20. The relationship between compliance testing and substantive testing
    21. Key aspects from the CISA exam perspective
    22. Self-assessment questions
    23. Audit evidence collection techniques
    24. Reliability of evidence
    25. Independence of the evidence provider
    26. Qualifications of the evidence provider
    27. Objectivity of the evidence
    28. Timing of the evidence
    29. Evidence gathering techniques
    30. Key aspects from the CISA exam perspective
    31. Self-assessment questions
    32. Data analytics
    33. Examples of the effective use of data analytics
    34. CAATs
    35. Examples of the effective use of CAAT tools
    36. Precautions while using CAAT
    37. Continuous auditing and monitoring
    38. Continuous auditing techniques
    39. Integrated test facility
    40. System control audit review file
    41. Snapshot technique
    42. Audit hook
    43. Continuous and Intermittent Simulation
    44. Key aspects from the CISA exam perspective
    45. Self-assessment questions
    46. Reporting and communication techniques
    47. Exit interview
    48. Audit reporting
    49. Audit report objectives
    50. Audit report structure
    51. Follow-up activities
    52. Key aspects from the CISA exam perspective
    53. Self-assessment questions
    54. Control self-assessment
    55. Objectives of CSA
    56. Benefits of CSA
    57. Disadvantages of CSA
    58. An IS auditor’s role in CSA
    59. Key aspects from the CISA exam perspective
    60. Self-assessment questions
    61. Summary
    62. Assessments
    63. Audit project management
    64. Sampling methodology
    65. Audit evidence collection
    66. Data analytics
    67. Reporting and communication techniques
    68. Control self-assessment
  10. Section 2: Governance and Management of IT
  11. IT Governance
    1. IT enterprise governance (EGIT)
    2. EGIT processes
    3. Difference between governance and management
    4. EGIT good practices
    5. Effective information security governance
    6. EGIT – success factors
    7. Key aspects from the CISA exam perspective
    8. Self-assessment questions
    9. IT-related frameworks
    10. IT standards, policies, and procedures
    11. Standard
    12. Policies
    13. Procedures
    14. Guidelines
    15. Information security policy
    16. Content of the information security policy
    17. Information security policy users
    18. Information security policy audit
    19. Information security policy review
    20. Key aspects from CISA exam perspective
    21. Self-assessment questions
    22. Organizational structure
    23. Relationship between the IT strategy committee and the IT steering committee
    24. Differences between the IT strategy committee and the IT steering committee
    25. Key aspects from the CISA exam perspective
    26. Self-assessment questions
    27. Enterprise architecture
    28. Enterprise security architecture
    29. Key aspects from CISA exam perspective
    30. Self-assessment questions
    31. Enterprise risk management
    32. Risk management process steps
    33. Risk analysis methods
    34. Risk treatment
    35. Key aspects from the CISA exam perspective
    36. Self-assessment questions
    37. Maturity model
    38. Laws, regulations, and industry standards affecting the organization
    39. An IS auditor's role in determining adherence to laws and regulations
    40. Key aspects from the CISA exam perspective
    41. Self-assessment questions
    42. Summary
    43. Assessments
    44. IT enterprise governance
    45. IT standards, policies, and procedures
    46. Organizational structure
    47. Enterprise architecture
    48. Enterprise risk management
    49. Laws, regulations, and industry standards affecting the organization
  12. IT Management
    1. IT resource management
    2. Human resource management
    3. Hiring
    4. Training
    5. Scheduling and time reporting
    6. During employment
    7. Termination policies
    8. IT management practices
    9. Financial management practices
    10. Key aspects from CISA exam perspective
    11. Self-assessment questions
    12. IT service provider acquisition and management
    13. Evaluation criteria for outsourcing
    14. Steps for outsourcing
    15. Outsourcing – risk reduction options
    16. Provisions for outsourcing contracts
    17. Role of IS auditors in monitoring outsourced activities
    18. Globalization of IT functions
    19. Outsourcing and third-party audit reports
    20. Monitoring and review of third-party services
    21. Key aspects from CISA exam perspective
    22. Self-evaluation questions
    23. IT performance monitoring and reporting
    24. Steps for the development of performance metrics
    25. Effectiveness of performance metrics
    26. Tools and techniques
    27. Key aspects from CISA exam perspective
    28. Self-evaluation questions
    29. Quality assurance and quality management in IT
    30. Quality assurance
    31. Quality management
    32. Key aspects from CISA exam perspective
    33. Self-evaluation questions
    34. Summary
    35. Assessment answers
    36. IT resource management
    37. IT service provider acquisition and management
    38. IT performance monitoring and reporting
    39. Quality assurance and quality management in IT
  13. Section 3: Information Systems Acquisition, Development, and Implementation
  14. Information Systems Acquisition and Development
    1. Project management structure
    2. Project roles and responsibilities
    3. Board of Directors
    4. IT strategy committee
    5. Project steering committee
    6. Project sponsor
    7. System development management
    8. Project cost estimation methods
    9. Software size estimation methods
    10. Project evaluation methods
    11. Critical path methodology
    12. Program Evaluation Review Technique (PERT)
    13. Earned Value Analysis
    14. Timebox management
    15. Project objectives, OBS, and WBS
    16. Role of the IS auditor in project management
    17. Key aspects from the CISA exam perspective
    18. Self-assessment questions
    19. Business cases and feasibility analysis
    20. Business cases
    21. Feasibility analysis
    22. The IS auditor's role in business case development
    23. Self-assessment questions
    24. System development methodologies
    25. SDLC models
    26. Traditional waterfall
    27. V-shaped
    28. Iterative
    29. SDLC phases
    30. Phase 1 – Feasibility study
    31. Phase 2 – Requirements
    32. Phase 3 – Software selection and acquisition
    33. Phase 4 – Development
    34. Phase 5 – Testing and implementation
    35. Phase 6 – Post-implementation
    36. Software development methods
    37. Agile development
    38. Prototyping
    39. Rapid Application Development
    40. Object-Oriented System Development
    41. Component-based development
    42. Software engineering and reverse engineering
    43. Key aspects from the CISA exam perspective
    44. Self-assessment questions
    45. Control identification and design
    46. Check digits
    47. Parity bits
    48. Checksums
    49. Forward error control
    50. Data integrity principles
    51. Limit checks
    52. Automated systems balancing
    53. Sequence checks
    54. Decision support systems
    55. Efficiency versus effectiveness
    56. Design and development
    57. Risk factors
    58. Decision trees
    59. Key aspects from the CISA exam perspective
    60. Self-assessment questions
    61. Summary
    62. Assessments
    63. Project management structure
    64. The business case and feasibility analysis
    65. System development methodologies
    66. Control identification and design
  15. Information Systems Implementation
    1. Testing methodology
    2. Unit testing
    3. Integrated testing
    4. System testing
    5. Final acceptance testing
    6. Regression testing
    7. Sociability test
    8. Pilot testing
    9. Parallel testing
    10. White box testing
    11. Black box testing
    12. Alpha testing
    13. Beta testing
    14. Testing approach
    15. Testing phases
    16. Key aspects from the CISA exam perspective
    17. Self-assessment questions
    18. System migration
    19. Parallel changeover
    20. Phased changeover
    21. Abrupt changeover
    22. Key aspects from the CISA exam perspective
    23. Self-assessment questions
    24. Post-implementation review
    25. Key aspects from the CISA exam perspective
    26. Self-assessment questions
    27. Summary
    28. Assessments
    29. Testing methodology
    30. System migration
    31. Post-implementation review
  16. Section 4: Information System Operations and Business Resilience
  17. Information System Operations
    1. Understanding common technology components
    2. The types of server
    3. USB
    4. USBs – Risks
    5. USBs – Security controls
    6. RFID
    7. RFID – Applications
    8. RFID – Risks
    9. RFID – Security controls
    10. Self-assessment questions
    11. IT asset management
    12. Self-assessment questions
    13. Job scheduling
    14. Self-assessment questions
    15. End user computing
    16. Self-assessment question
    17. System performance management
    18. Nucleus (kernel) functions
    19. Utility programs
    20. Parameter setting for the operating system
    21. Registry
    22. Activity logging
    23. Software licensing issues
    24. Source code management
    25. Capacity management
    26. Key aspects from a CISA exam perspective
    27. Self-assessment questions
    28. Problem and incident management
    29. Network management tools
    30. Key aspects from a CISA exam perspective
    31. Self-assessment questions
    32. Change management, configuration management, and patch management
    33. Change management process
    34. Patch management
    35. Configuration management
    36. Emergency change management
    37. Backout process
    38. The effectiveness of a change management process
    39. Key aspects from a CISA exam perspective
    40. Self-assessment questions
    41. IT service level management
    42. Key aspects from the CISA exam perspective
    43. Self-evaluation questions
    44. Evaluating the database management process
    45. Advantages of database management
    46. Database structures
    47. Hierarchical database model
    48. Network database model
    49. Relational database model
    50. Object-oriented database model
    51. Database normalization
    52. Database checks and controls
    53. Segregation of duties
    54. Key aspects from a CISA exam perspective
    55. Self-assessment questions
    56. Summary
    57. Assessment
    58. Common technology components
    59. IT asset management
    60. Job scheduling
    61. End user computing
    62. System performance management
    63. Problem and incident management
    64. Change management, configuration management, and patch management
    65. IT service level management
    66. Database management
  18. Business Resilience
    1. Business impact analysis
    2. Key aspects from the perspective of the CISA exam
    3. Self-assessment questions
    4. Data backup and restoration
    5. Types of backup strategy
    6. Storage capacity for each backup scheme
    7. Restoration capability for each backup scheme
    8. Advantages and disadvantages of each scheme
    9. Key aspects from the perspective of the CISA exam
    10. Self-assessment questions
    11. System resiliency
    12. Application resiliency – clustering
    13. Telecommunication network resiliency
    14. Alternative routing
    15. Diverse routing
    16. Self-assessment questions
    17. Business continuity plan
    18. Steps of the BCP life cycle
    19. Content of the BCP
    20. Responsibility for declaring the disaster
    21. A Single Plan
    22. Backup procedure for critical operations
    23. The involvement of process owners in the BCP
    24. BCP and risk assessment
    25. Testing the BCP
    26. Key aspects from the perspective of the CISA exam
    27. Self-assessment questions
    28. Disaster recovery plan
    29. The BCP versus the DRP
    30. Relationship between the DRP and the BIA
    31. Costs associated with disaster recovery
    32. Data backup
    33. DRP of a third-party service provider
    34. Resilient information assets
    35. Service delivery objective
    36. Key aspects from the CISA exam perspective
    37. Self-assessment questions
    38. DRP – test methods
    39. Checklist review
    40. Structured walkthrough
    41. Tabletop test
    42. Simulation test
    43. Parallel test
    44. Full interruption test
    45. Key aspects from the CISA exam perspective
    46. Self-assessment questions
    47. Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
    48. RTO
    49. RPO
    50. RTO and RPO for critical systems
    51. RTO and RPO and maintenance costs
    52. RTO, RPO, and disaster tolerance
    53. Key aspects from the CISA exam perspective
    54. Self-assessment questions
    55. Alternate recovery site
    56. Mirrored site
    57. Hot site
    58. Warm site
    59. Cold site
    60. Mobile site
    61. Reciprocal agreement
    62. Self-assessment questions
    63. Summary
    64. Assessment
    65. Business impact analysis
    66. Data backup and restoration
    67. System resiliency
    68. Business continuity plan
    69. Disaster recovery plan
    70. DRP – test methods
    71. Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
    72. Alternate recovery site
  19. Section 5: Protection of Information Assets
  20. Information Asset Security and Control
    1. Information asset security frameworks, standards, and guidelines
    2. Auditing the information security management framework
    3. Key aspects from the CISA exam perspective
    4. Self-assessment questions
    5. Privacy principles
    6. Self-assessment questions
    7. Physical access and environmental controls
    8. Environmental controls
    9. Water and Smoke Detectors
    10. Fire suppression system
    11. Wet-based sprinkler (WBS)
    12. Dry pipe sprinkler
    13. Halon system
    14. Carbon dioxide systems
    15. Physical access control
    16. Bolting door locks
    17. Combination door locks (cipher locks)
    18. Electronic door locks
    19. Biometric door locks
    20. Deadman doors
    21. Identification badge
    22. CCTV camera
    23. Key aspects from the CISA exam perspective
    24. Self-assessment questions
    25. Identity and access management
    26. Access control categories
    27. Steps for implementing logical access
    28. Control Effectiveness
    29. Default deny policy – allow all policy
    30. Degaussing (demagnetizing)
    31. Naming convention
    32. Factor of authentication
    33. Single sign-on
    34. Advantages of SSO
    35. Disadvantages of SSO
    36. Key aspects from the CISA exam perspective
    37. Self-assessment questions
    38. Biometrics
    39. Biometrics – accuracy measure
    40. False acceptance rate (FAR)
    41. False rejection rate (FRR)
    42. Cross error rate (CER) or equal error rate (EER)
    43. Control over the biometric process
    44. Types of biometric attacks
    45. Self-assessment questions
    46. Summary
    47. Assessments
    48. Information asset security frameworks, standards, and guidelines
    49. Privacy principles
    50. Physical access and environmental controls
    51. Identity and access management
    52. Biometrics
  21. Network Security and Control
    1. Network and endpoint devices
    2. Open system interconnection (OSI) layers
    3. Networking devices
    4. Repeaters
    5. Hubs and switches
    6. Bridges
    7. Routers
    8. Gateway
    9. Network devices and the OSI layer
    10. Network physical media
    11. Fiber optics
    12. Twisted pair (copper circuit)
    13. Infrared and radio (wireless)
    14. Identifying the risks of physical network media
    15. Attenuation
    16. EMI
    17. Cross talks
    18. Network diagram
    19. Network protocols
    20. Dynamic Host Configuration Protocol
    21. Transport Layer Security and Secure Socket Layer
    22. Transmission Control Protocol and User Data Protocol
    23. Secure Shell and Telnet
    24. Key aspects from CISA exam perspective
    25. Self-assessment questions
    26. Firewall types and implementation
    27. Types of firewall
    28. Packet filtering router
    29. Stateful inspection
    30. Circuit-level
    31. Application-level
    32. What is a bastion host?
    33. What is a proxy?
    34. Types of firewall implementation
    35. Dual-homed firewall
    36. Screened host firewall
    37. Screened subnet firewall (demilitarized zone)
    38. Firewall and the corresponding OSI layer
    39. Key aspects from the CISA exam perspective
    40. Self-assessment questions
    41. VPN
    42. Types of VPN
    43. VPNs – security risks
    44. VPNs – technical aspects
    45. Key aspects from the perspective of the CISA exam
    46. Self-assessment questions
    47. Voice over Internet Protocol (VoIP)
    48. Key aspects from the CISA exam perspective
    49. Self-assessment questions
    50. Wireless networks
    51. Enabling MAC filtering
    52. Enabling encryption
    53. Disabling a service set identifier (SSID)
    54. Disabling DHCP
    55. Common attack methods and techniques for a wireless network
    56. War driving
    57. War walking
    58. War chalking
    59. Key aspects from the CISA exam perspective
    60. Self-assessment questions
    61. Email security
    62. Key aspects from the CISA exam perspective
    63. Self-assessment questions
    64. Summary
    65. Assessments
    66. Network and endpoint devices
    67. Firewall types and implementation
    68. Virtual Private Network (VPN)
    69. Voice over Internet Protocol (VoIP)
    70. Wireless networks
    71. Email security
  22. Public Key Cryptography and Other Emerging Technologies
    1. Public key cryptography
    2. Symmetric encryption versus asymmetric encryption
    3. Encryption keys
    4. Confidentiality
    5. Authentication
    6. Non-Repudiation
    7. Integrity
    8. The hash of the message
    9. Combining symmetric and asymmetric methods
    10. Key aspects from the CISA exam perspective
    11. Self-assessment questions
    12. Elements of PKI
    13. PKI terminology
    14. Processes involved in PKI
    15. Certifying Authority versus Registration Authority
    16. Key aspects from the CISA exam perspective
    17. Self-assessment questions
    18. Cloud computing
    19. Cloud computing – deployment models
    20. The private cloud
    21. The public cloud
    22. The community cloud
    23. The hybrid cloud
    24. Cloud computing – the IS auditor's role
    25. Self-assessment questions
    26. Virtualization
    27. Mobile computing
    28. Internet of Things (IoT)
    29. Summary
    30. Assessments
    31. Public key cryptography
    32. Elements of public key infrastructure
    33. Cloud computing
  23. Security Event Management
    1. Security awareness training and programs
    2. Participants
    3. Security awareness methods
    4. Social engineering attacks
    5. Evaluating the effectiveness of security programs
    6. Key aspects from the CISA exam perspective
    7. Self-assessment questions
    8. Information system attack methods and techniques
    9. Malicious codes
    10. Biometric attacks
    11. Key aspects from the CISA exam perspective
    12. Assessment
    13. Security testing tools and techniques
    14. General security controls
    15. Terminal controls
    16. Logon IDs and passwords
    17. Authorization process
    18. Automatic logoff
    19. Account lockout
    20. Controls on bypassing software and utilities
    21. Log capturing and monitoring
    22. Time synchronization
    23. Network penetration tests
    24. Aspects to be covered within the scope of the audit
    25. Types of penetration tests
    26. External testing
    27. Internal testing
    28. Blind testing
    29. Double blind testing
    30. Targeted testing
    31. Risks associated with penetration testing
    32. Threat intelligence
    33. Key aspects from the CISA exam perspective
    34. Self-assessment questions
    35. Security monitoring tools and techniques
    36. Intrusion detection system
    37. Network-based and host-based IDS
    38. Components of the IDS
    39. Limitations of the IDS
    40. Types of IDS
    41. Signature-based
    42. Statistical-based
    43. Neural network
    44. Placement of IDS
    45. Intrusion prevention system
    46. Honey pots and honey nets
    47. Key aspects from the CISA exam perspective
    48. Self-assessment questions
    49. Incident response management
    50. Computer Security Incident Response Team
    51. Key aspects from the CISA exam perspective
    52. Self-assessment questions
    53. Evidence collection and forensics
    54. Chain of custody
    55. Identify
    56. Preserve
    57. Analyze
    58. Present
    59. Key elements of computer forensics
    60. Data protection
    61. Data acquisition
    62. Imaging
    63. Extraction
    64. Interrogation
    65. Ingestion/normalization
    66. Reporting
    67. Protection of evidence
    68. Self-assessment questions
    69. Summary
    70. Assessments
    71. Security awareness training and programs
    72. Information system attack methods and techniques
    73. Security testing tools and techniques
    74. Security monitoring tools and techniques
    75. Incident response management
    76. Evidence collection and forensics
  24. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: CISA - Certified Information Systems Auditor Study Guide
  • Author(s): Hemang Doshi
  • Release date: August 2020
  • Publisher(s): Packt Publishing
  • ISBN: 9781838989583