CISA – Certified Information Systems Auditor Study Guide

Book description

This CISA study guide is for those interested in achieving CISA certification and provides complete coverage of ISACA's latest CISA Review Manual (2019), with practical examples and over 850 exam-oriented practice questions.

    Are you looking to prepare for the CISA exam and understand the roles and responsibilities of an information systems (IS) auditor?

    The CISA - Certified Information Systems Auditor Study Guide is here to help you get started with CISA exam prep.

    This book covers all five CISA domains in detail to help you pass the exam. You’ll start by getting up and running with the practical aspects of an information systems audit. The book then shows you how to govern and manage IT, before getting you up to speed with acquiring information systems. As you progress, you’ll gain knowledge of information systems operations and understand how to maintain business resilience, which will help you tackle various real-world business problems. Finally, you’ll be able to assist your organization in effectively protecting and controlling information systems with IT audit standards.

    By the end of this CISA book, you'll not only have covered the essential concepts and techniques you need to know to pass the CISA certification exam but also have the ability to apply them in the real world.

    What you will learn

    • Understand the information systems auditing process
    • Get to grips with IT governance and management
    • Gain knowledge of information systems acquisition
    • Assist your organization in protecting and controlling information systems with IT audit standards
    • Understand information systems operations and how to ensure business resilience
    • Evaluate your organization’s security policies, standards, and procedures to meet its objectives

    Who this book is for

    This CISA exam study guide is designed for those with a non-technical background who are interested in achieving CISA certification and are currently employed or looking to gain employment in IT audit and security management positions.

Table of contents

  1. Title Page
  2. Copyright and Credits
    1. CISA – Certified Information Systems Auditor Study Guide
  3. Dedication
  4. About Packt
    1. Why subscribe?
  5. Contributors
    1. About the author
    2. About the reviewer
    3. Packt is searching for authors like you
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the color images
      2. Conventions used
    4. Get in touch
      1. Reviews
  7. Section 1: Information System Auditing Process
  8. Audit Planning
    1. The content of an audit charter
      1. Key aspects from CISA exam perspective
      2. Self-evaluation questions
    2. Audit planning
      1. Benefits of audit planning
      2. Selection criteria
      3. Reviewing audit planning
      4. Individual audit assignments
      5. Key aspects from CISA exam perspective
      6. Self-evaluation questions
    3. Business process applications and controls
      1. E-commerce
      2. Electronic Data Interchange (EDI)
      3. Point of Sale (POS)
      4. Electronic banking
      5. Electronic funds transfer (EFT)
      6. Image processing
      7. Artificial intelligence and expert systems
      8. Key aspects from CISA exam perspective
      9. Self-evaluation questions
    4. Types of controls
      1. Preventive controls
      2. Detective controls
      3. Corrective controls
      4. Deterrent controls
      5. The difference between preventive and deterrent controls
      6. Compensating controls
      7. Control objectives
      8. Control measures
      9. Key aspects from CISA exam perspective
      10. Self-evaluation questions
    5. Risk-based audit planning
      1. What is risk?
      2. Understanding vulnerability and threat
      3. Understanding inherent risk and residual risk
      4. Advantages of risk-based audit planning
      5. Audit risk
      6. Risk-based auditing approach
      7. Risk assessments
      8. Risk response methodology
      9. Top-down and bottom-up approaches to policy development
        1. The top-down approach
        2. The bottom-up approach
        3. The best approach
      10. Key aspects from CISA exam perspective
      11. Self-evaluation questions
    6. Types of audit and assessment
      1. Self-evaluation questions
    7. Summary
    8. Assessments
      1. Content of the audit charter
      2. Audit planning
      3. Business process applications and controls
      4. Types of controls
      5. Risk-based audit planning
      6. Types of audit and assessment
  9. Audit Execution
    1. Audit project management
      1. Audit objectives
      2. Audit phases
      3. Fraud, irregularities, and illegal acts
      4. Key aspects from CISA exam perspective
      5. Self-assessment questions
    2. Sampling methodology
      1. Sampling types
      2. Sampling risk
      3. Other sampling terms
        1. The confidence coefficient
        2. Level of risk
        3. Expected error rate
        4. Tolerable error rate
        5. Sample mean
        6. Sample standard deviation
      4. Compliance versus substantive testing
        1. The difference between compliance testing vis-à-vis substantive testing
        2. Examples of compliance testing and substantive testing
        3. The relationship between compliance testing and substantive testing
      5. Key aspects from the CISA exam perspective
      6. Self-assessment questions
    3. Audit evidence collection techniques
      1. Reliability of evidence
        1. Independence of the evidence provider
        2. Qualifications of the evidence provider
        3. Objectivity of the evidence
        4. Timing of the evidence
      2. Evidence gathering techniques
      3. Key aspects from the CISA exam perspective
      4. Self-assessment questions
    4. Data analytics
      1. Examples of the effective use of data analytics
      2. CAATs
      3. Examples of the effective use of CAAT tools
      4. Precautions while using CAAT
      5. Continuous auditing and monitoring
      6. Continuous auditing techniques
        1. Integrated test facility
        2. System control audit review file
        3. Snapshot technique
        4. Audit hook
        5. Continuous and Intermittent Simulation
      7. Key aspects from the CISA exam perspective
      8. Self-assessment questions
    5. Reporting and communication techniques
      1. Exit interview
      2. Audit reporting
      3. Audit report objectives
      4. Audit report structure
      5. Follow-up activities
      6. Key aspects from the CISA exam perspective
      7. Self-assessment questions
    6. Control self-assessment
      1. Objectives of CSA
      2. Benefits of CSA
      3. Disadvantages of CSA
      4. An IS auditor’s role in CSA
      5. Key aspects from the CISA exam perspective
      6. Self-assessment questions
    7. Summary
    8. Assessments
      1. Audit project management
      2. Sampling methodology
      3. Audit evidence collection
      4. Data analytics
      5. Reporting and communication techniques
      6. Control self-assessment
  10. Section 2: Governance and Management of IT
  11. IT Governance
    1. IT enterprise governance (EGIT)
      1. EGIT processes
      2. Difference between governance and management
      3. EGIT good practices
      4. Effective information security governance
      5. EGIT – success factors
      6. Key aspects from the CISA exam perspective
      7. Self-assessment questions
    2. IT-related frameworks
    3. IT standards, policies, and procedures
      1. Standard
      2. Policies
      3. Procedures
      4. Guidelines
      5. Information security policy
        1. Content of the information security policy
        2. Information security policy users
        3. Information security policy audit
        4. Information security policy review
      6. Key aspects from CISA exam perspective
      7. Self-assessment questions
    4. Organizational structure
      1. Relationship between the IT strategy committee and the IT steering committee
      2. Differences between the IT strategy committee and the IT steering committee
      3. Key aspects from the CISA exam perspective
      4. Self-assessment questions
    5. Enterprise architecture
      1. Enterprise security architecture
      2. Key aspects from CISA exam perspective
      3. Self-assessment questions
    6. Enterprise risk management
      1. Risk management process steps
      2. Risk analysis methods
      3. Risk treatment
      4. Key aspects from the CISA exam perspective
      5. Self-assessment questions
    7. Maturity model
    8. Laws, regulations, and industry standards affecting the organization
      1. An IS auditor's role in determining adherence to laws and regulations
      2. Key aspects from the CISA exam perspective
      3. Self-assessment questions
    9. Summary
    10. Assessments
      1. IT enterprise governance
      2. IT standards, policies, and procedures
      3. Organizational structure
      4. Enterprise architecture
      5. Enterprise risk management
      6. Laws, regulations, and industry standards affecting the organization
  12. IT Management
    1. IT resource management
      1. Human resource management
        1. Hiring
        2. Training
        3. Scheduling and time reporting
        4. During employment
        5. Termination policies
      2. IT management practices
      3. Financial management practices
      4. Key aspects from CISA exam perspective
      5. Self-assessment questions
    2. IT service provider acquisition and management
      1. Evaluation criteria for outsourcing
      2. Steps for outsourcing
      3. Outsourcing – risk reduction options
      4. Provisions for outsourcing contracts
      5. Role of IS auditors in monitoring outsourced activities
      6. Globalization of IT functions
      7. Outsourcing and third-party audit reports
      8. Monitoring and review of third-party services
      9. Key aspects from CISA exam perspective
      10. Self-evaluation questions
    3. IT performance monitoring and reporting
      1. Steps for the development of performance metrics
      2. Effectiveness of performance metrics
      3. Tools and techniques
      4. Key aspects from CISA exam perspective
      5. Self-evaluation questions
    4. Quality assurance and quality management in IT
      1. Quality assurance
      2. Quality management
      3. Key aspects from CISA exam perspective
      4. Self-evaluation questions
    5. Summary
    6. Assessment answers
      1. IT resource management
      2. IT service provider acquisition and management
      3. IT performance monitoring and reporting
      4. Quality assurance and quality management in IT
  13. Section 3: Information Systems Acquisition, Development, and Implementation
  14. Information Systems Acquisition and Development
    1. Project management structure
      1. Project roles and responsibilities
        1. Board of Directors
        2. IT strategy committee
        3. Project steering committee
        4. Project sponsor
        5. System development management
        6. Project cost estimation methods
        7. Software size estimation methods
        8. Project evaluation methods
          1. Critical path methodology
          2. Program Evaluation Review Technique (PERT)
          3. Earned Value Analysis
          4. Timebox management
      2. Project objectives, OBS, and WBS
        1. Role of the IS auditor in project management
      3. Key aspects from the CISA exam perspective
      4. Self-assessment questions
    2. Business cases and feasibility analysis
      1. Business cases
      2. Feasibility analysis
      3. The IS auditor's role in business case development
      4. Self-assessment questions
    3. System development methodologies
      1. SDLC models
        1. Traditional waterfall
        2. V-shaped
        3. Iterative
      2. SDLC phases
        1. Phase 1 – Feasibility study
        2. Phase 2 – Requirements
        3. Phase 3 – Software selection and acquisition
        4. Phase 4 – Development
        5. Phase 5 – Testing and implementation
        6. Phase 6 – Post-implementation
      3. Software development methods
        1. Agile development
        2. Prototyping
        3. Rapid Application Development
        4. Object-Oriented System Development
        5. Component-based development
      4. Software engineering and reverse engineering
      5. Key aspects from the CISA exam perspective
      6. Self-assessment questions
    4. Control identification and design
      1. Check digits
      2. Parity bits
      3. Checksums
      4. Forward error control
      5. Data integrity principles
        1. Limit checks
        2. Automated systems balancing
        3. Sequence checks
      6. Decision support systems
        1. Efficiency versus effectiveness
        2. Design and development
        3. Risk factors
      7. Decision trees
      8. Key aspects from the CISA exam perspective
      9. Self-assessment questions
    5. Summary
    6. Assessments
      1. Project management structure
      2. The business case and feasibility analysis
      3. System development methodologies
      4. Control identification and design
  15. Information Systems Implementation
    1. Testing methodology
      1. Unit testing
      2. Integrated testing
      3. System testing
        1. Final acceptance testing
        2. Regression testing
        3. Sociability test
        4. Pilot testing
        5. Parallel testing
        6. White box testing
        7. Black box testing
        8. Alpha testing
        9. Beta testing
      4. Testing approach
      5. Testing phases
      6. Key aspects from the CISA exam perspective
      7. Self-assessment questions
    2. System migration
      1. Parallel changeover
      2. Phased changeover
      3. Abrupt changeover
      4. Key aspects from the CISA exam perspective
      5. Self-assessment questions
    3. Post-implementation review
      1. Key aspects from the CISA exam perspective
      2. Self-assessment questions
    4. Summary
    5. Assessments
      1. Testing methodology
      2. System migration
      3. Post-implementation review
  16. Section 4: Information System Operations and Business Resilience
  17. Information System Operations
    1. Understanding common technology components
      1. The types of server
      2. USB
        1. USBs – Risks
        2. USBs – Security controls
      3. RFID
        1. RFID – Applications
        2. RFID – Risks
        3. RFID – Security controls
      4. Self-assessment questions
    2. IT asset management
      1. Self-assessment questions
    3. Job scheduling
      1. Self-assessment questions
    4. End user computing
      1. Self-assessment question
    5. System performance management
      1. Nucleus (kernel) functions
      2. Utility programs
      3. Parameter setting for the operating system
      4. Registry
      5. Activity logging
      6. Software licensing issues
      7. Source code management
      8. Capacity management
      9. Key aspects from a CISA exam perspective
      10. Self-assessment questions
    6. Problem and incident management
      1. Network management tools
      2. Key aspects from a CISA exam perspective
      3. Self-assessment questions
    7. Change management, configuration management, and patch management
      1. Change management process
      2. Patch management
      3. Configuration management
      4. Emergency change management
      5. Backout process
      6. The effectiveness of a change management process
      7. Key aspects from a CISA exam perspective
      8. Self-assessment questions
    8. IT service level management
      1. Key aspects from the CISA exam perspective
      2. Self-evaluation questions
    9. Evaluating the database management process
      1. Advantages of database management
      2. Database structures
        1. Hierarchical database model
        2. Network database model
        3. Relational database model
        4. Object-oriented database model
        5. Database normalization
        6. Database checks and controls
        7. Segregation of duties
      3. Key aspects from a CISA exam perspective
      4. Self-assessment questions
    10. Summary
    11. Assessment
      1. Common technology components
      2. IT asset management
      3. Job scheduling
      4. End user computing
      5. System performance management
      6. Problem and incident management
      7. Change management, configuration management, and patch management
      8. IT service level management
      9. Database management
  18. Business Resilience
    1. Business impact analysis
      1. Key aspects from the perspective of the CISA exam
      2. Self-assessment questions
    2. Data backup and restoration
      1. Types of backup strategy
        1. Storage capacity for each backup scheme
        2. Restoration capability for each backup scheme
        3. Advantages and disadvantages of each scheme
      2. Key aspects from the perspective of the CISA exam
      3. Self-assessment questions
    3. System resiliency
      1. Application resiliency – clustering
      2. Telecommunication network resiliency
        1. Alternative routing
        2. Diverse routing
      3. Self-assessment questions
    4. Business continuity plan
      1. Steps of the BCP life cycle
      2. Content of the BCP
        1. Responsibility for declaring the disaster
        2. A Single Plan
      3. Backup procedure for critical operations
      4. The involvement of process owners in the BCP
      5. BCP and risk assessment
      6. Testing the BCP
      7. Key aspects from the perspective of the CISA exam
      8. Self-assessment questions
    5. Disaster recovery plan
      1. The BCP versus the DRP
        1. Relationship between the DRP and the BIA
        2. Costs associated with disaster recovery
        3. Data backup
        4. DRP of a third-party service provider
        5. Resilient information assets
        6. Service delivery objective
      2. Key aspects from the CISA exam perspective
      3. Self-assessment questions
    6. DRP – test methods
      1. Checklist review
      2. Structured walkthrough
      3. Tabletop test
      4. Simulation test
      5. Parallel test
      6. Full interruption test
      7. Key aspects from the CISA exam perspective
      8. Self-assessment questions
    7. Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
      1. RTO
      2. RPO
      3. RTO and RPO for critical systems
      4. RTO and RPO and maintenance costs
      5. RTO, RPO, and disaster tolerance
      6. Key aspects from the CISA exam perspective
      7. Self-assessment questions
    8. Alternate recovery site
      1. Mirrored site
      2. Hot site
      3. Warm site
      4. Cold site
      5. Mobile site
      6. Reciprocal agreement
      7. Self-assessment questions
    9. Summary
    10. Assessment
      1. Business impact analysis
      2. Data backup and restoration
      3. System resiliency
      4. Business continuity plan
      5. Disaster recovery plan
      6. DRP – test methods
      7. Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
      8. Alternate recovery site
  19. Section 5: Protection of Information Assets
  20. Information Asset Security and Control
    1. Information asset security frameworks, standards, and guidelines
      1. Auditing the information security management framework
      2. Key aspects from the CISA exam perspective
      3. Self-assessment questions
    2. Privacy principles
      1. Self-assessment questions
    3. Physical access and environmental controls
      1. Environmental controls
      2. Water and Smoke Detectors
      3. Fire suppression system
        1. Wet-based sprinkler (WBS)
        2. Dry pipe sprinkler
        3. Halon system
        4. Carbon dioxide systems
      4. Physical access control
        1. Bolting door locks
        2. Combination door locks (cipher locks)
        3. Electronic door locks
        4. Biometric door locks
        5. Deadman doors
        6. Identification badge
        7. CCTV camera
      5. Key aspects from the CISA exam perspective
      6. Self-assessment questions
    4. Identity and access management
      1. Access control categories
        1. Steps for implementing logical access
        2. Control Effectiveness
      2. Default deny policy – allow all policy
      3. Degaussing (demagnetizing)
      4. Naming convention
        1. Factor of authentication
      5. Single sign-on
        1. Advantages of SSO
        2. Disadvantages of SSO
      6. Key aspects from the CISA exam perspective
      7. Self-assessment questions
    5. Biometrics
      1. Biometrics – accuracy measure
        1. False acceptance rate (FAR)
        2. False rejection rate (FRR)
        3. Crossover error rate (CER) or equal error rate (EER)
      2. Control over the biometric process
      3. Types of biometric attacks
      4. Self-assessment questions
    6. Summary
    7. Assessments
      1. Information asset security frameworks, standards, and guidelines
      2. Privacy principles
      3. Physical access and environmental controls
      4. Identity and access management
      5. Biometrics
  21. Network Security and Control
    1. Network and endpoint devices
      1. Open system interconnection (OSI) layers
      2. Networking devices
        1. Repeaters
        2. Hubs and switches
        3. Bridges
        4. Routers
        5. Gateway
      3. Network devices and the OSI layer
      4. Network physical media
        1. Fiber optics
        2. Twisted pair (copper circuit)
        3. Infrared and radio (wireless)
      5. Identifying the risks of physical network media
        1. Attenuation
        2. EMI
        3. Crosstalk
        4. Network diagram
      6. Network protocols
        1. Dynamic Host Configuration Protocol
        2. Transport Layer Security and Secure Socket Layer
        3. Transmission Control Protocol and User Datagram Protocol
        4. Secure Shell and Telnet
      7. Key aspects from CISA exam perspective
      8. Self-assessment questions
    2. Firewall types and implementation
      1. Types of firewall
        1. Packet filtering router
        2. Stateful inspection
        3. Circuit-level
        4. Application-level
      2. What is a bastion host?
      3. What is a proxy?
      4. Types of firewall implementation
        1. Dual-homed firewall
        2. Screened host firewall
        3. Screened subnet firewall (demilitarized zone)
      5. Firewall and the corresponding OSI layer
      6. Key aspects from the CISA exam perspective
      7. Self-assessment questions
    3. VPN
      1. Types of VPN
      2. VPNs – security risks
      3. VPNs – technical aspects
      4. Key aspects from the perspective of the CISA exam
      5. Self-assessment questions
    4. Voice over Internet Protocol (VoIP)
      1. Key aspects from the CISA exam perspective
      2. Self-assessment questions
    5. Wireless networks
      1. Enabling MAC filtering
      2. Enabling encryption
      3. Disabling a service set identifier (SSID)
      4. Disabling DHCP
      5. Common attack methods and techniques for a wireless network
        1. War driving
        2. War walking
        3. War chalking
      6. Key aspects from the CISA exam perspective
      7. Self-assessment questions
    6. Email security
      1. Key aspects from the CISA exam perspective
      2. Self-assessment questions
    7. Summary
    8. Assessments
      1. Network and endpoint devices
      2. Firewall types and implementation
      3. Virtual Private Network (VPN)
      4. Voice over Internet Protocol (VoIP)
      5. Wireless networks
      6. Email security
  22. Public Key Cryptography and Other Emerging Technologies
    1. Public key cryptography
      1. Symmetric encryption versus asymmetric encryption
      2. Encryption keys
        1. Confidentiality
        2. Authentication
        3. Non-repudiation
        4. Integrity
      3. The hash of the message
      4. Combining symmetric and asymmetric methods
      5. Key aspects from the CISA exam perspective
      6. Self-assessment questions
    2. Elements of PKI
      1. PKI terminology
      2. Processes involved in PKI
      3. Certifying Authority versus Registration Authority
      4. Key aspects from the CISA exam perspective
      5. Self-assessment questions
    3. Cloud computing
      1. Cloud computing – deployment models
        1. The private cloud
        2. The public cloud
        3. The community cloud
        4. The hybrid cloud
      2. Cloud computing – the IS auditor's role
      3. Self-assessment questions
    4. Virtualization
    5. Mobile computing
      1. Internet of Things (IoT)
    6. Summary
    7. Assessments
      1. Public key cryptography
      2. Elements of public key infrastructure
      3. Cloud computing
  23. Security Event Management
    1. Security awareness training and programs
      1. Participants
      2. Security awareness methods
      3. Social engineering attacks
      4. Evaluating the effectiveness of security programs
      5. Key aspects from the CISA exam perspective
      6. Self-assessment questions
    2. Information system attack methods and techniques
      1. Malicious codes
      2. Biometric attacks
      3. Key aspects from the CISA exam perspective
      4. Assessment
    3. Security testing tools and techniques
      1. General security controls
        1. Terminal controls
        2. Logon IDs and passwords
        3. Authorization process
        4. Automatic logoff
        5. Account lockout
        6. Controls on bypassing software and utilities
        7. Log capturing and monitoring
        8. Time synchronization
      2. Network penetration tests
        1. Aspects to be covered within the scope of the audit
        2. Types of penetration tests
          1. External testing
          2. Internal testing
          3. Blind testing
          4. Double blind testing
          5. Targeted testing
        3. Risks associated with penetration testing
        4. Threat intelligence
      3. Key aspects from the CISA exam perspective
      4. Self-assessment questions
    4. Security monitoring tools and techniques
      1. Intrusion detection system
        1. Network-based and host-based IDS
        2. Components of the IDS
        3. Limitations of the IDS
        4. Types of IDS
          1. Signature-based
          2. Statistical-based
          3. Neural network
          4. Placement of IDS
      2. Intrusion prevention system
        1. Honey pots and honey nets
      3. Key aspects from the CISA exam perspective
      4. Self-assessment questions
    5. Incident response management
      1. Computer Security Incident Response Team
      2. Key aspects from the CISA exam perspective
      3. Self-assessment questions
    6. Evidence collection and forensics
      1. Chain of custody
        1. Identify
        2. Preserve
        3. Analyze
        4. Present
      2. Key elements of computer forensics
        1. Data protection
        2. Data acquisition
        3. Imaging
        4. Extraction
        5. Interrogation
        6. Ingestion/normalization
        7. Reporting
        8. Protection of evidence
      3. Self-assessment questions
    7. Summary
    8. Assessments
      1. Security awareness training and programs
      2. Information system attack methods and techniques
      3. Security testing tools and techniques
      4. Security monitoring tools and techniques
      5. Incident response management
      6. Evidence collection and forensics
  24. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: CISA – Certified Information Systems Auditor Study Guide
  • Author(s): Hemang Doshi
  • Release date: August 2020
  • Publisher(s): Packt Publishing
  • ISBN: 9781838989583