
CISA Certified Information Systems Auditor study guide

David L. Cannon (Author)
Print Book, English, 2016
Fourth edition
Sybex, San Francisco, 2016
Study guides
1 volume
ISBN: 9781119056249, 1119056241
1062276340
Contents (ebook version):

Introduction xix
Assessment Test xlii

Chapter 1 Secrets of a Successful Auditor 1
  Understanding the Demand for IS Audits 2
  Executive Misconduct 3
  More Regulation Ahead 5
  Basic Regulatory Objective 7
  Governance is Leadership 8
  Three Types of Data Target Different Uses 9
  Audit Results Indicate the Truth 10
  Understanding Policies, Standards, Guidelines, and Procedures 11
  Understanding Professional Ethics 14
  Following the ISACA Professional Code 14
  Preventing Ethical Conflicts 16
  Understanding the Purpose of an Audit 17
  Classifying General Types of Audits 18
  Determining Differences in Audit Approach 20
  Understanding the Auditor’s Responsibility 21
  Comparing Audits to Assessments 21
  Differentiating between Auditor and Auditee Roles 22
  Applying an Independence Test 23
  Implementing Audit Standards 24
  Where Do Audit Standards Come From? 25
  Understanding the Various Auditing Standards 27
  Specific Regulations Defining Best Practices 31
  Audits to Prove Financial Integrity 34
  Auditor is an Executive Position 35
  Understanding the Importance of Auditor Confidentiality 35
  Working with Lawyers 36
  Working with Executives 37
  Working with IT Professionals 37
  Retaining Audit Documentation 38
  Providing Good Communication and Integration 39
  Understanding Leadership Duties 39
  Planning and Setting Priorities 40
  Providing Standard Terms of Reference 41
  Dealing with Conflicts and Failures 42
  Identifying the Value of Internal and External Auditors 43
  Understanding the Evidence Rule 43
  Stakeholders: Identifying Whom You Need to Interview 44
  Understanding the Corporate Organizational Structure 45
  Identifying Roles in a Corporate Organizational Structure 45
  Identifying Roles in a Consulting Firm Organizational Structure 47
  Summary 49
  Exam Essentials 49
  Review Questions 52

Chapter 2 Governance 57
  Strategy Planning for Organizational Control 61
  Overview of the IT Steering Committee 64
  Using the Balanced Scorecard 69
  IT Subset of the BSC 74
  Decoding the IT Strategy 74
  Specifying a Policy 77
  Project Management 79
  Implementation Planning of the IT Strategy 90
  Using COBIT 94
  Identifying Sourcing Locations 94
  Conducting an Executive Performance Review 99
  Understanding the Auditor’s Interest in the Strategy 100
  Overview of Tactical Management 100
  Planning and Performance 100
  Management Control Methods 101
  Risk Management 105
  Implementing Standards 108
  Human Resources 109
  System Life-Cycle Management 111
  Continuity Planning 111
  Insurance 112
  Overview of Business Process Reengineering 112
  Why Use Business Process Reengineering 113
  BPR Methodology 114
  Genius or Insanity? 114
  Goal of BPR 114
  Guiding Principles for BPR 115
  Knowledge Requirements for BPR 116
  BPR Techniques 116
  BPR Application Steps 117
  Role of IS in BPR 119
  Business Process Documentation 119
  BPR Data Management Techniques 120
  Benchmarking as a BPR Tool 120
  Using a Business Impact Analysis 121
  BPR Project Risk Assessment 123
  Practical Application of BPR 125
  Practical Selection Methods for BPR 127
  Troubleshooting BPR Problems 128
  Understanding the Auditor’s Interest in Tactical Management 129
  Operations Management 129
  Sustaining Operations 130
  Tracking Actual Performance 130
  Controlling Change 131
  Understanding the Auditor’s Interest in Operational Delivery 131
  Summary 132
  Exam Essentials 132
  Review Questions 134

Chapter 3 Audit Process 139
  Understanding the Audit Program 140
  Audit Program Objectives and Scope 141
  Audit Program Extent 143
  Audit Program Responsibilities 144
  Audit Program Resources 144
  Audit Program Procedures 145
  Audit Program Implementation 146
  Audit Program Records 146
  Audit Program Monitoring and Review 147
  Planning Individual Audits 148
  Establishing and Approving an Audit Charter 151
  Role of the Audit Committee 151
  Preplanning Specific Audits 153
  Understanding the Variety of Audits 154
  Identifying Restrictions on Scope 156
  Gathering Detailed Audit Requirements 158
  Using a Systematic Approach to Planning 159
  Comparing Traditional Audits to Assessments and Self-Assessments 161
  Performing an Audit Risk Assessment 162
  Determining Whether an Audit is Possible 163
  Identifying the Risk Management Strategy 165
  Determining Feasibility of Audit 167
  Performing the Audit 167
  Selecting the Audit Team 167
  Determining Competence and Evaluating Auditors 168
  Ensuring Audit Quality Control 170
  Establishing Contact with the Auditee 171
  Making Initial Contact with the Auditee 172
  Using Data Collection Techniques 174
  Conducting Document Review 176
  Understanding the Hierarchy of Internal Controls 177
  Reviewing Existing Controls 179
  Preparing the Audit Plan 182
  Assigning Work to the Audit Team 183
  Preparing Working Documents 184
  Conducting Onsite Audit Activities 185
  Gathering Audit Evidence 186
  Using Evidence to Prove a Point 186
  Understanding Types of Evidence 187
  Selecting Audit Samples 187
  Recognizing Typical Evidence for IS Audits 188
  Using Computer-Assisted Audit Tools 189
  Understanding Electronic Discovery 191
  Grading of Evidence 193
  Timing of Evidence 195
  Following the Evidence Life Cycle 195
  Conducting Audit Evidence Testing 198
  Compliance Testing 198
  Substantive Testing 199
  Tolerable Error Rate 200
  Recording Test Results 200
  Generating Audit Findings 201
  Detecting Irregularities and Illegal Acts 201
  Indicators of Illegal or Irregular Activity 202
  Responding to Irregular or Illegal Activity 202
  Findings Outside of Audit Scope 203
  Report Findings 203
  Approving and Distributing the Audit Report 205
  Identifying Omitted Procedures 205
  Conducting Follow-up (Closing Meeting) 205
  Summary 206
  Exam Essentials 207
  Review Questions 210

Chapter 4 Networking Technology Basics 215
  Understanding the Differences in Computer Architecture 217
  Selecting the Best System 221
  Identifying Various Operating Systems 221
  Determining the Best Computer Class 224
  Comparing Computer Capabilities 227
  Ensuring System Control 228
  Dealing with Data Storage 230
  Using Interfaces and Ports 235
  Introducing the Open Systems Interconnection Model 237
  Layer 1: Physical Layer 240
  Layer 2: Data-Link Layer 240
  Layer 3: Network Layer 242
  Layer 4: Transport Layer 248
  Layer 5: Session Layer 249
  Layer 6: Presentation Layer 250
  Layer 7: Application Layer 250
  Understanding How Computers Communicate 251
  Understanding Physical Network Design 252
  Understanding Network Cable Topologies 253
  Bus Topologies 254
  Star Topologies 254
  Ring Topologies 255
  Meshed Networks 256
  Differentiating Network Cable Types 258
  Coaxial Cable 258
  Unshielded Twisted-Pair (UTP) Cable 259
  Fiber-Optic Cable 260
  Connecting Network Devices 260
  Using Network Services 263
  Domain Name System 263
  Dynamic Host Configuration Protocol 265
  Expanding the Network 266
  Using Telephone Circuits 268
  Network Firewalls 271
  Remote VPN Access 276
  Using Wireless Access Solutions 280
  Firewall Protection for Wireless Networks 284
  Remote Dial-Up Access 284
  WLAN Transmission Security 284
  Achieving 802.11i RSN Wireless Security 287
  Intrusion Detection Systems 288
  Summarizing the Various Area Networks 291
  Using Software as a Service (SaaS) 292
  Advantages 292
  Disadvantages 293
  Cloud Computing 294
  The Basics of Managing the Network 295
  Automated LAN Cable Tester 295
  Protocol Analyzers 295
  Remote Monitoring Protocol Version 2 297
  Summary 298
  Exam Essentials 298
  Review Questions 301

Chapter 5 Information Systems Life Cycle 307
  Governance in Software Development 308
  Management of Software Quality 310
  Capability Maturity Model 310
  International Organization for Standardization 312
  Typical Commercial Records Classification Method 316
  Overview of the Executive Steering Committee 317
  Identifying Critical Success Factors 318
  Using the Scenario Approach 318
  Aligning Software to Business Needs 319
  Change Management 323
  Management of the Software Project 323
  Choosing an Approach 323
  Using Traditional Project Management 324
  Overview of the System Development Life Cycle 327
  Phase 1: Feasibility Study 331
  Phase 2: Requirements Definition 334
  Phase 3: System Design 339
  Phase 4: Development 343
  Phase 5: Implementation 354
  Phase 6: Postimplementation 361
  Phase 7: Disposal 363
  Overview of Data Architecture 364
  Databases 364
  Database Transaction Integrity 368
  Decision Support Systems 369
  Presenting Decision Support Data 370
  Using Artificial Intelligence 370
  Program Architecture 371
  Centralization vs. Decentralization 372
  Electronic Commerce 372
  Summary 374
  Exam Essentials 374
  Review Questions 376

Chapter 6 System Implementation and Operations 381
  Understanding the Nature of IT Services 383
  Performing IT Operations Management 385
  Meeting IT Functional Objectives 385
  Using the IT Infrastructure Library 387
  Supporting IT Goals 389
  Understanding Personnel Roles and Responsibilities 389
  Using Metrics 394
  Evaluating the Help Desk 396
  Performing Service-Level Management 397
  Outsourcing IT Functions 398
  Performing Capacity Management 399
  Using Administrative Protection 400
  Information Security Management 401
  IT Security Governance 401
  Authority Roles over Data 402
  Data Retention Requirements 403
  Document Physical Access Paths 404
  Personnel Management 405
  Physical Asset Management 406
  Compensating Controls 408
  Performing Problem Management 409
  Incident Handling 410
  Digital Forensics 412
  Monitoring the Status of Controls 414
  System Monitoring 415
  Document Logical Access Paths 416
  System Access Controls 417
  Data File Controls 420
  Application Processing Controls 421
  Log Management 423
  Antivirus Software 424
  Active Content and Mobile Software Code 424
  Maintenance Controls 427
  Implementing Physical Protection 430
  Data Processing Locations 432
  Environmental Controls 432
  Safe Media Storage 440
  Summary 442
  Exam Essentials 442
  Review Questions 444

Chapter 7 Protecting Information Assets 449
  Understanding the Threat 450
  Recognizing Types of Threats and Computer Crimes 452
  Identifying the Perpetrators 454
  Understanding Attack Methods 458
  Implementing Administrative Protection 469
  Using Technical Protection 472
  Technical Control Classification 472
  Application Software Controls 474
  Authentication Methods 475
  Network Access Protection 488
  Encryption Methods 489
  Public-Key Infrastructure 496
  Network Security Protocols 502
  Telephone Security 507
  Technical Security Testing 507
  Summary 509
  Exam Essentials 509
  Review Questions 511

Chapter 8 Business Continuity and Disaster Recovery 517
  Debunking the Myths 518
  Myth 1: Facility Matters 519
  Myth 2: IT Systems Matter 519
  From Myth to Reality 519
  Understanding the Five Conflicting Disciplines Called Business Continuity 520
  Defining Disaster Recovery 521
  Surviving Financial Challenges 522
  Valuing Brand Names 522
  Rebuilding after a Disaster 523
  Defining the Purpose of Business Continuity 524
  Uniting Other Plans with Business Continuity 527
  Identifying Business Continuity Practices 527
  Identifying the Management Approach 529
  Following a Program Management Approach 531
  Understanding the Five Phases of a Business Continuity Program 532
  Phase 1: Setting Up the BC Program 532
  Phase 2: The Discovery Process 535
  Phase 4: Plan Implementation 560
  Phase 5: Maintenance and Integration 562
  Understanding the Auditor Interests in BC/DR Plans 563
  Summary 564
  Exam Essentials 564
  Review Questions 566

Appendix Answers to Review Questions 571
Index 591
Previous edition: Indianapolis: Wiley, 2011