CISA summary
Version 1.0
Christian Reina, CISSP

This document may be used only for informational, training and noncommercial purposes. You are free to copy, distribute, publish and alter this document under the conditions that you give credit to the original author.
2010 ‐ Christian Reina, CISSP.
Domain 1 – IT Governance

IT Governance
“Collection of top-down activities intended to control the IT organization from a strategic perspective.”
    - Policy
    - Priorities
    - Standards
    - Vendor Management
    - Program/Project Management

IT Strategy Committee
Advise board of directors on strategies.

Balanced Scorecard
Measure performance and effectiveness.
    - Business contribution: Perception from non-IT executives
    - User: Satisfaction
    - Operational excellence: downtime, defects, support tickets
    - Innovation: increase IT value w/ innovation

Information Security Governance
Roles and responsibilities
    - Board of Directors: risk appetite and risk management
    - Steering Committee: Operational strategy for security and risk management
    - CISO: conducting risk assessment, developing security policy, vulnerability management, incident management, compliance
    - Employees: Comply with policies

Enterprise Architecture (EA)
Map business functions into the IT environment as a model. Activities to ensure business needs are met.

Zachman Model
IT systems and environments are described at a high, functional level, and then in increasing detail.

DFD
Illustrate the flow of information.

Risk Management
Seek, identify, and manage risk.
    - Accept
    - Mitigate
    - Transfer
    - Avoid

Risk Management Program
    - Objectives: reduce costs, incidents
    - Scope
    - Authority: Executive level of commitment
    - Resources: Policies, processes, procedures, and records

Risk Management Process
    1.  Asset Identification: Equipment, information, records, reputation, personnel
            o   Grouping assets
            o   Sources of asset data: Interviews, IT systems, online data
            o   Organizing data: Business process, geography, OU, sensitivity, regulated
    2.  Risk Analysis
            o   Threat analysis: All threats with realistic opportunity of occurrence
            o   Vulnerability identification: Ranked by severity or criticality
            o   Probability analysis: Requires research to develop best guesses
            o   Impact analysis: Study of estimating the impact of specific threats on specific assets
            o   Qualitative: Subjective, using a numeric scale
            o   Quantitative:
                    - Asset Value (AV)
                    - Exposure Factor (EF)
                    - Single Loss Expectancy (SLE): AV x EF
                    - Annualized Rate of Occurrence (ARO)
                    - Annualized Loss Expectancy (ALE): SLE x ARO
    3.  Risk Treatments
            o   Risk Mitigation
            o   Risk Transfer
            o   Risk Avoidance
            o   Risk Acceptance
            o   Residual Risk

IT Management Practices
    1.  Personnel Management
            a. Hiring: Background check, Employee Policy Manual, Job Description
            b. Employee Development: Training, performance evaluation, career path
            c. Mandatory vacations: Audit, cross training, reduced risk
            d. Termination
            e. Transfers and reassignments
    2.  Sourcing
            a. Insource
            b. Outsource: risks, SLA, policy, governance (service level agreements, change management, security, quality, audits), SaaS
    3.  Change Management
            a. Request
            b. Review
            c. Approve
            d. Perform change
            e. Verify change
    4.  Financial Management
            a. Develop
            b. Purchase
            c. Rent
    5.  Quality Management
            a. Software development
            b. Software acquisition
            c. Service desk
            d. IT operations
            e. Security
            f. Standards:
                    i.   ISO 9000: Superseded by ISO 9001:2008 Quality Management System
                    ii.  ISO 20000: IT Service Management for organizations adopting ITIL
                    iii. ITIL
                            1. Service Delivery
                            2. Control Processes
                            3. Release Processes
                            4. Relationship Processes
                            5. Resolution Processes
    6.  Security Management
            a. Security Governance
            b. Risk Assessment
            c. Incident Management
            d. Vulnerability Management
            e. Access and Identity Management
            f. Compliance Management
            g. BCP
    7.  Performance Management
            a. COBIT
            b. SEI CMMI

Roles and Responsibilities
    1.  Executive Management: CIO, CTO, CSO, CISO, CPO
    2.  Software Development: Architect, analyst, developer, programmer, tester
    3.  Data Management: architect, DBA, analyst
    4.  Network Management: architect, engineer, administrator, telecom
    5.  Systems Management: architect, engineer, storage, systems administrator
    6.  Operations: manager, analyst, controls analyst, data entry, media librarian
    7.  Security Operations: architect, engineer, analyst, account management, auditor
    8.  Service Desk: Help desk, technical support

Segregation of Duties Controls
    1.  Transaction authorization
    2.  Split custody
    3.  Workflow: extra approval
    4.  Periodic reviews

Auditing IT Governance
    1.  Reviewing Documentation and Records:
            a. IT charter, strategy
            b. IT org chart
            c. HR/IT performance
            d. HR promotion policy
            e. HR manuals
            f. Life-cycle processes and procedures
            g. IT operations procedures
            h. IT procurement process
            i. Quality management documents
    2.  Reviewing Contracts
            a. Service levels
            b. Quality levels
            c. Right to audit
            d. 3rd party audit
            e. Conformance to policies, laws, regulations
            f. Incident notification
            g. Liabilities
            h. Termination terms
            i. Protection of PII
    3.  Reviewing Outsourcing
            a. Distance
            b. Lack of audit contract terms
            c. Lack of cooperation
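A worked version of the quantitative risk analysis terms from the Risk Management Process above (AV, EF, SLE = AV x EF, ARO, ALE = SLE x ARO). This is an added example, not part of the original summary. It goes one step beyond the outline: it ranks several constructed asset/threat scenarios by ALE, and it costs a mitigation against the residual ALE it leaves behind, which is how the choice between the risk treatments (mitigate vs. accept) is usually supported. All asset names, figures and the `RiskScenario`, `rank_by_ale` and `mitigation_value` names are constructed for illustration.

```python
"""Quantitative risk analysis worked example (constructed figures).
SLE = AV x EF and ALE = SLE x ARO, as in the Risk Analysis outline."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskScenario:
    """One asset/threat pair with its quantitative inputs (hypothetical values)."""
    asset: str
    threat: str
    asset_value: float       # AV: value of the asset, in currency units
    exposure_factor: float   # EF: fraction of AV lost in a single incident (0.0 to 1.0)
    annual_rate: float       # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.annual_rate


def rank_by_ale(scenarios):
    """Order scenarios by ALE, highest first, to prioritise risk treatment."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


def mitigation_value(scenario, residual_ef, residual_aro, annual_control_cost):
    """Net annual benefit of a control: the ALE it removes minus its yearly cost.
    residual_ef / residual_aro describe the residual risk left after the control;
    a negative result means accepting the risk is cheaper than the control."""
    residual = replace(scenario, exposure_factor=residual_ef, annual_rate=residual_aro)
    return scenario.ale() - residual.ale() - annual_control_cost


# Constructed inventory for the demonstration; not real figures.
SCENARIOS = [
    RiskScenario("Customer database", "Ransomware", 500_000, 0.6, 0.2),
    RiskScenario("Web server", "Defacement", 80_000, 0.25, 1.0),
    RiskScenario("Laptop fleet", "Theft", 200_000, 0.05, 4.0),
]

if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.asset:18} {s.threat:12} SLE={s.sle():>10,.0f}  ALE={s.ale():>10,.0f}")
    # Hypothetical control for the top risk: residual EF 0.1, ARO unchanged, cost 20,000/yr.
    print("Net benefit of control:", mitigation_value(SCENARIOS[0], 0.1, 0.2, 20_000))
```

Run as a script it prints the scenarios ordered by ALE (the database ransomware case comes first with ALE 60,000, the laptop fleet second with 40,000 despite its small SLE, because of its high ARO) and a net control benefit of 30,000 per year for the constructed mitigation. The same calculation applied to the web server with a 10,000 per year control gives a negative value, the case where acceptance is the rational treatment.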
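The Change Management steps (request, review, approve, perform change, verify change) and the Segregation of Duties Controls (transaction authorization, split custody, workflow with extra approval, periodic reviews) combine naturally into one control design. The following is an added example, not part of the original summary, showing both the preventive side (the workflow refuses a step that would give one person two separated duties, and demands an independent second approver for high-risk changes) and the detective side (a periodic review over an audit trail). The role names, the `high_risk` flag, the step and duty-pair constants and the constructed audit trail are all assumptions made for illustration.

```python
"""Change-management workflow with segregation-of-duties controls (constructed example).
Steps follow the outline: request, review, approve, perform change, verify change.
Preventive checks: transaction authorization (no self-approval), split custody
(the implementer does not verify), extra approval for high-risk changes.
Detective check: periodic review of the audit trail."""
from collections import defaultdict
from dataclasses import dataclass, field

STEPS = ("request", "review", "approve", "perform", "verify")
# Duty pairs that one person must not hold on the same change.
SEPARATED = (("request", "approve"), ("perform", "verify"))


class SoDViolation(Exception):
    """Raised when a step would give one person two duties that must be separated."""


@dataclass
class ChangeRequest:
    change_id: str
    high_risk: bool = False                      # constructed flag: needs an extra approval
    actors: dict = field(default_factory=dict)   # step -> person who performed it
    log: list = field(default_factory=list)      # (change_id, step, person) audit trail

    def complete(self) -> bool:
        return len(self.actors) == len(STEPS)

    def advance(self, step, person, second_approver=None):
        """Record the next step, enforcing step order and segregation of duties."""
        if self.complete():
            raise ValueError(f"{self.change_id} is already complete")
        expected = STEPS[len(self.actors)]
        if step != expected:
            raise ValueError(f"expected step '{expected}', got '{step}'")
        for earlier, later in SEPARATED:
            if step == later and self.actors.get(earlier) == person:
                raise SoDViolation(f"{person} did '{earlier}' and may not '{later}' {self.change_id}")
        if step == "approve" and self.high_risk:
            # Workflow control: an extra, independent approval for high-risk changes.
            if second_approver in (None, person, self.actors["request"]):
                raise SoDViolation("high-risk change needs an independent second approver")
            self.log.append((self.change_id, "second-approve", second_approver))
        self.actors[step] = person
        self.log.append((self.change_id, step, person))
        return self


def try_advance(change, step, person, second_approver=None) -> bool:
    """True if the step was accepted, False if a segregation-of-duties control blocked it."""
    try:
        change.advance(step, person, second_approver)
        return True
    except SoDViolation:
        return False


def periodic_review(log):
    """Detective control: scan (change_id, step, person) records, e.g. exported from a
    ticketing tool, and return ids of changes where separated duties fell to one person."""
    by_change = defaultdict(dict)
    for change_id, step, person in log:
        by_change[change_id][step] = person
    return sorted(cid for cid, acts in by_change.items()
                  if any(acts.get(a) is not None and acts.get(a) == acts.get(b)
                         for a, b in SEPARATED))


# Constructed audit trail: CHG-2 was self-approved and CHG-3 was verified by its implementer.
CONSTRUCTED_LOG = [
    ("CHG-1", "request", "alice"), ("CHG-1", "review", "bob"), ("CHG-1", "approve", "carol"),
    ("CHG-1", "perform", "dave"), ("CHG-1", "verify", "erin"),
    ("CHG-2", "request", "frank"), ("CHG-2", "review", "gina"), ("CHG-2", "approve", "frank"),
    ("CHG-3", "request", "hal"), ("CHG-3", "perform", "ivy"), ("CHG-3", "verify", "ivy"),
]

if __name__ == "__main__":
    chg = ChangeRequest("CHG-7", high_risk=True)
    chg.advance("request", "alice").advance("review", "bob")
    print("self-approval allowed?", try_advance(chg, "approve", "alice"))          # False
    print("approval without 2nd approver?", try_advance(chg, "approve", "carol"))  # False
    print("independent approvals?", try_advance(chg, "approve", "carol", "dan"))   # True
    print("flagged by periodic review:", periodic_review(CONSTRUCTED_LOG))        # ['CHG-2', 'CHG-3']
```

The preventive and detective controls are deliberately separate: the workflow check stops a violation at the moment it is attempted, while the periodic review catches what the workflow never saw, such as changes recorded through another tool, which is exactly why the outline lists periodic reviews alongside the in-line controls.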
Assess and evaluate the effectiveness of IT                                 Provide Appropriate Tools Required to Intercept and                     3.   Serve in the interest of stakeholders in a
                                                                                                           Obstruct Terrorism Act (PATRIOT) 2001                                        lawful and honest manner, while maintaining
                                                                                                          Sarbanes-Oxley Act 2002                                                      high standards of conduct and character, and
                              AUDIT MANAGEMENT                                                            Federal Information Security Management Act (FISMA)                          not engage in acts discreditable to the
                                                                                                           2002                                                                         profession.
                              The Audit Charter: Define roles and responsibilities. Sufficient            Controlling the Assault of Non-Solicited Pornography                    4.   Maintain the privacy and confidentiality of
                              authority                                                                    and Marketing Act (CAN-SPAM) 2003                                            information obtained in the course of their
                                                                                                          California Privacy Act SB1386 2003                                           duties unless disclosure is required by legal
                              The Audit Program: scope, objectives, resources, procedures                 Identity Theft and Assumption Deterrence Act 2003                            authority. Such information shall not be used
                                                                                                          Basel II 2004                                                                for personal benefit or released to
                              Strategic Audit Planning:                                                                                                                                 inappropriate parties.
                                                                                                          Payment Card Industry Data Security Standard (PCI-
                                       Factors: Business goals and objectives, Initiatives,               DSS) 2004
                                                                                                                                                                                   5.   Maintain competency in their respective fields
                                        market conditions, changes in technology, regulatory                                                                                            and agree to undertake only those activities,
                                                                                                          North American Electric Reliability Corporation (NERC)
                                        requirements.                                                                                                                                   which they can reasonably expect to
                                                                                                           1968/2006
                                       Changes in Audit Activities: New internal audits, new                                                                                           complete with professional competence.
                                                                                                          Massachusetts Security Breach Law 2007                                  6.   Inform appropriate parties of the results of
                                        external audits, increase in audit scope, impact on
                                        business process                                                                                                                                work performed; revealing all significant facts
                                                                                                  Canadian Regulations:
                                       Resource planning: Budget and manpower                                                                                                          known to them.
                                                                                                         Interception of Communications Section 184                               7.   Support the professional education of
                                                                                                         Unauthorized Use of Computer, Section 342.1                                   stakeholders in enhancing their
                              Audit and Technology: Continue learning about new
                              technologies                                                               Privacy Act 1983                                                              understanding of information systems security
                                                                                                         Personal Information Protection and Electronic                                and control.
                              Audit Laws and Regulations:                                                 Documents Act (PIPEDA)
                                      Characteristics: Security, Integrity, Privacy
                                                                                                  European Regulations                                               Audit Standards
                                      Computer Security and Privacy Regulations:
                                           o     Categories: Computer trespass, protection of            Convention for the Protection of Individuals with Regard
                                                 sensitive information, collection and use of             to Automatic Processing of Personal Data 1981                      S1, Audit Charter
                                                 information, law enforcement investigative              Computer Misuse Act (CMA) 1990                                     S2, Independence
                                                 powers                                                  Directive on the Protection of Personal Data 2003                  S3, Professional Ethics and Standards
                                                                                                          European Union                                                     S4, Professional Competence
main 2 – The Audit Process 




                                           o     Consequences: Loss of reputation,
                                                 competitive advantage, sanctions, lawsuits,             Data Protection Act (DPA) 1998                                     S5, Planning
                                                 fines, prosecution                                      Regulation of Investigatory Powers Act 2000                        S6, Performance of Audit Work
                                                                                                         Anti-Terrorism Crime and Security Act 2001                         S7, Reporting
                              “An organization should take a systematic approach to determine            Privacy and Electronic Communications Regulations                  S8, Follow-up Activities
                              the applicability of regulations as well as the steps required to           2003                                                               S9, Irregularities and Illegal Acts
                              attain compliance and remain in this state. “                              Fraud Act 2006                                                     S10, IT Governance
                                                                                                         Police and Justice Act 2006                                        S11, Use of Risk Assessment in Audit Planning
                              US Regulations:                                                                                                                                S12, Audit Materiality
                                     Access Device Fraud 1984                                    Other Regulations                                                          S13, Use the Work of Other Experts
                                     Computer Fraud and Abuse Act 1984                                  Cybercrime Act 2001 Australia                                      S14, Audit Evidence
                                     Electronic Communications Act 1986                                 Information Technology Act 2000 India                              S15, IT Controls
                                     Electronic Communications Privacy Act (ECPA) 1986                                                                                      S16, E-Commerce
                                     Computer Security Act 1987                                  ISACA AUDITING STANDARS
                                     Computer Matching and Privacy Protection Act 1988                                                                              Audit Guidelines
                                     Communications Assistance for Law Enforcement Act           Code of Ethics:
                                      (CALEA) 1994                                                                                                                           G1, Using the Work of Other Auditors
                                     Economic and Protection of Proprietary Information Act               Members and ISACA certification holders shall:
                                                                                                                                                                             G2, Audit Evidence Requirement
                                      1996                                                                                                                                   G3, Use of Computer-Assisted Audit Techniques
                                     Health Insurance Portability and Accountability Act                       1.   Support the implementation of, and
                                                                                                                     encourage compliance with, appropriate                   (CAATs)
                                      (HIPPA) 1996                                                                                                                           G4, Outsourcing of IS Activities to Other Organizations
                                     Children’s Online Privacy Protection Act (COPPA) 1998                          standards, procedures and controls for
                                                                                                                     information systems.                                    G5, Audit Charter
                                     Identity Theft and Assumption Deterrence Act 1998                                                                                      G6, Materiality Concepts for Auditing IS
                                                                                                                2.   Perform their duties with objectivity, due
                                     Gramm-Leach-Bliley Act 1999                                                                                                            G7, Due Professional Care
                                                                                                                     diligence and professional care, in
                                     Federal Energy Regulatory Commission (FERC)                                    accordance with professional standards and              G8, Audit Documentation
                                                                                                                     best practices.
Domain 2 – The Audit Process

      G9, Audit Considerations for Irregularities and Illegal Acts
      G10, Audit Sampling
      G11, Effect of Pervasive IS Controls
      G12, Organizational Relationship and Independence
      G13, Use of Risk Assessment in Audit Planning
      G14, Application Systems Review
      G15, Planning
      G16, Effect of Third Parties on an Organization’s IT Controls
      G17, Effect of Nonaudit Role on the IS Auditor’s Independence
      G18, IT Governance
      G19, Irregularities and Illegal Acts
      G20, Reporting
      G21, Enterprise Resource Planning (ERP) Systems Review
      G22, Business to Consumer (B2C) E-Commerce Review
      G23, SDLC Review
      G24, Internet Banking
      G25, Review of VPN
      G26, Business Process Reengineering (BPR) Review
      G27, Mobile Computing
      G28, Computer Forensics
      G29, Post-implementation Review
      G30, Competence
      G31, Privacy
      G32, BCP
      G33, General Consideration on the Use of the Internet
      G34, Responsibility, Authority, and Accountability
      G35, Follow up Activities
      G36, Biometric Controls
      G37, Configuration Management
      G38, Access Controls
      G39, IT Organization
      G40, Review of Security Management Practices

  Audit Procedures
      P1, Risk Assessment
      P2, Digital Signature and Key Management
      P3, IDS
      P4, Viruses
      P5, Control Risk Self-Assessment
      P6, Firewall
      P7, Irregularities and Illegal Acts
      P8, Security Assessment (Pen test, vulnerability analysis)
      P9, Encryption
      P10, Business Application Change Control
      P11, Electronic Funds Transfer

RISK ANALYSIS
      Evaluating Business Processes
      Identifying Business Risks
      Risk Mitigation
      Countermeasures Assessment
      Monitoring

INTERNAL CONTROLS
      Control Classification
          o  Types: Technical, Administrative, Physical
          o  Classes: Preventative, Detective, Deterrent, Corrective, Compensating, Recovery
          o  Categories: Manual, Automatic
      Internal Control Objectives: Statements of desired outcomes from business operations. Protection of IT assets, Availability of IT systems
          o  IS Control Objectives: Protection of information from unauthorized personnel, Integrity of Operating Systems
      General Computing Controls: GCCs are controls that apply across all applications and services. Passwords are encrypted, Strong passwords
      IS Controls: Each GCC is mapped to a specific IS control on each system type.

PERFORMING AN AUDIT
      Formal Planning:
          o  Purpose
          o  Scope
          o  Risk Analysis
          o  Audit procedures
          o  Resources
          o  Schedule
      Types
          o  Operational
          o  Financial
          o  IS audit
          o  Administrative
          o  Compliance
          o  Forensic
          o  Service provider
          o  Pre-audit
      Compliance vs. Substantive Testing
          o  Compliance: Determine if control procedures have been properly designed and implemented and are operating properly.
          o  Substantive: Determine accuracy and integrity of transactions that flow through processes and information systems
      Audit Methodology
          o  Audit Subject
          o  Audit Objective
          o  Audit type
          o  Audit Scope
          o  Pre-Audit planning
          o  Audit SoW
          o  Audit Procedures
          o  Communication plan
          o  Report preparation
          o  Wrap-up
          o  Post-audit Follow-up
      Audit Evidence
          o  Independence of the evidence provider
          o  Qualifications of the evidence provider
          o  Objectivity
          o  Timing
      Gathering Evidence
          o  Org Chart
          o  Review dept and project charters
          o  Review 3rd party contracts
          o  Review IS policies and procedures
          o  Review IS Standards
          o  Review IS documentation
          o  Personnel Interviews
          o  Passive observation
      Observing Personnel
          o  Real tasks
          o  Skills and experience
          o  Security awareness
          o  Segregation of Duties
      Sampling
          o  Statistical: Reflect the entire population
          o  Judgmental: Subjectively selects samples based on established criteria
          o  Attribute: Samples are examined and a specific attribute is chosen
          o  Variable: Determine the characteristic of a given population to determine total value
          o  Stop-or-go: Sampling can stop at the earliest possible time due to low risk and rate of exceptions
          o  Discovery: Trying to find at least one exception in a population
          o  Stratified: Create different classes and review one attribute common to all classes
      Computer-Assisted Audit: CAATs help examine and evaluate data across complex environments
      Reporting Audit Results
          o  Cover letter
          o  Intro
          o  Summary
          o  Description
          o  Listing of systems and processes examined
          o  Listing of interviewees
          o  Listing of evidence obtained
          o  Explanation of sampling technique
          o  Description of findings and recommendations
      Audit Risk
          o  Control risk: undetected error by an internal control
          o  Detection risk: IS auditor will overlook errors
          o  Inherent risk: Inherent risks exist independent of the audit.
          o  Overall audit risk: summation of all of the residual risks
          o  Sampling risk: sampling technique will not detect
      Materiality: A monetary threshold in financial audits

CONTROL SELF-ASSESSMENT
Methodology used by an organization to review key business objectives, and the key controls designed to manage those risks.
      Advantages
          o  Risks detected earlier
          o  Improvement of internal controls
          o  Ownership of controls
          o  Improved employee awareness
          o  Improved relationship between departments and auditors
      Disadvantages
          o  Mistaken as a substitute for internal audit
          o  May be considered extra work
          o  May be considered an attempt by an auditor to shrug off responsibilities
          o  Lack of employee involvement has no results
      Life Cycle
          o  Identify and assess risks
          o  Identify and assess controls
          o  Develop questionnaire or workshop
          o  Analyze completed questionnaire
          o  Control remediation
          o  Awareness training
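Discovery sampling and sampling risk, worked through as an added Python example (not from the original summary): it uses the standard discovery-sampling relation (1 - p)^n <= 1 - confidence, assuming a large population so that draws are treated as independent, to size a sample that will surface at least one exception with the required confidence, and to quantify the sampling risk that a given sample size misses every exception.

```python
import math


def miss_probability(exception_rate, sample_size):
    """Sampling risk for discovery sampling: probability that a random sample
    of sample_size items contains no exception when the true population
    exception rate is exception_rate. Assumes a large population, so each
    draw is treated as independent (binomial approximation)."""
    if not 0.0 <= exception_rate <= 1.0 or sample_size < 0:
        raise ValueError("exception_rate must be in [0, 1] and sample_size >= 0")
    return (1.0 - exception_rate) ** sample_size


def discovery_sample_size(critical_rate, confidence):
    """Smallest sample size that, with probability >= confidence, surfaces at
    least one exception when the population exception rate is at least
    critical_rate. Solves (1 - p)^n <= 1 - confidence for n."""
    if not 0.0 < critical_rate < 1.0 or not 0.0 < confidence < 1.0:
        raise ValueError("critical_rate and confidence must lie strictly between 0 and 1")
    n = math.log(1.0 - confidence) / math.log(1.0 - critical_rate)
    return math.ceil(n - 1e-12)   # guard against floating-point overshoot of an exact integer


if __name__ == "__main__":
    # Constructed scenario: the auditor wants 95% confidence of finding at
    # least one exception if 5% or more of access-control changes lack approval.
    n = discovery_sample_size(critical_rate=0.05, confidence=0.95)
    print(f"sample size needed: {n}")                        # 59
    print(f"sampling risk at n={n}: {miss_probability(0.05, n):.3f}")
    print(f"sampling risk at n={n - 1}: {miss_probability(0.05, n - 1):.3f}")
```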
Domain 3 – IT Life-Cycle Management

Organization’s methodologies and practices for the development and management of software, infrastructure, and business processes.

PORTFOLIO AND PROGRAM MANAGEMENT:
A program is an organization of many large, complex activities, and can be thought of as a set of projects that work to fulfill one or more key business objectives or goals.
      Starting a Program:
          o  Program charter
          o  Identification of available resources
      Running a Program:
          o  Monitoring project schedules
          o  Managing project budgets
          o  Managing resources
          o  Identifying and managing conflicts
          o  Creating status reports
      Project Portfolio Management
          o  Executive sponsor
          o  Program manager
          o  Project manager
          o  Start and end dates
          o  Names of participants
          o  Objectives or goals that the project supports
          o  Budget
          o  Resources
          o  Dependencies
      Business Case development
          o  Business problem
          o  Feasibility study results
          o  High-level project plan
          o  Budget
          o  Metrics
          o  Risks

PROJECT MANAGEMENT
      Organizing Projects
             -  Direct report: Project team leader
             -  Influencer: Influence members but does not manage them directly
             -  Pure project: Given authority
             -  Matrix: Authority over each project team member
          o  Initiating a project
      Developing Project Objectives
          o  Object Breakdown Structure (OBS): Visual representation of the system, software, or application, in a hierarchical form.
          o  Work Breakdown Structure (WBS): Logical representation of the high-level and detailed tasks that must be performed to complete the project.
      Managing Projects
          o  Managing the project schedule
          o  Recording task completion
          o  Running project meetings
          o  Tracking project expenditures
          o  Communicating project status
      Project Roles and Responsibilities
          o  Senior management: support the approval of the project
          o  IT steering committee: Commission the feasibility study, approve project
          o  Project manager
          o  Project team members
          o  End-user management: Assign staff to the project team. Support development of cases
          o  End users
          o  Project sponsor: define project objectives, provide budget
          o  Systems development management
          o  System developers
          o  Security manager
          o  IT Operations
      Project Planning
             -  Task identification
             -  Task estimation
             -  Task resources
             -  Task dependencies
             -  Milestone tracking
             -  Task tracking
          o  Estimating and sizing software projects
             -  Object Breakdown Structure (OBS)
             -  Work Breakdown Structure (WBS)
             -  Source Lines of Code (SLOC): accurate estimate based on previous analysis for the time to develop a program.
             -  COCOMO: Constructive Cost Model method for estimating software development projects
             -  Function Point Analysis (FPA): time-proven estimation technique for larger software projects. It studies the detailed design specifications for an application program and counts the number of user inputs, user outputs, user queries, files, and external interfaces.
             -  Other costs: development tools, workstations, servers, software licenses, network devices, training, equipment
          o  Scheduling Project Tasks: Critical phase
             -  Gantt Chart
             -  Program Evaluation and Review Technique (PERT)
             -  Critical Path Methodology (CPM): It is important to identify the critical path in a project, because this allows the project manager to understand which tasks are most likely to impact the project schedule and to determine when the project will finally conclude.
             -  Timebox Management: A period in which a project must be completed.
          o  Project Records:
             -  Project plans
             -  Project changes
             -  Meetings agendas and minutes
             -  Resource consumption
             -  Task information
          o  Project Documentation: Helps users, support staff, IT operations, developers, and auditors
          o  Project Change Management: The procedures for making changes to the project should be done in two basic steps:
             -  The project team should identify the specific use, impact, and remedy. Make a formal request
             -  This change request should be presented to management along with its impact. Management should make a decision.
          o  Project closure
             -  Project debrief
             -  Project documentation archival
             -  Management review
             -  Training
             -  Formal turnover to users, operations and support
          o  Methodologies
             -  Project Management Body of Knowledge (PMBOK): Process based
                Processes:
                   o  Inputs
                   o  Techniques
                   o  Outputs
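The critical-path reasoning above, worked through as an added Python example (not from the original summary): a forward pass over a small constructed task network gives each task's earliest start and finish, a backward pass gives the latest start and finish, and the tasks with zero slack are the ones whose delay moves the project end date. The task names and durations are constructed for this example.

```python
from collections import defaultdict, deque

# Constructed task network (an assumption for this example, not from the summary):
# task -> (duration in days, list of predecessor tasks)
TASKS = {
    "charter":  (2, []),
    "design":   (5, ["charter"]),
    "build":    (8, ["design"]),
    "procure":  (6, ["charter"]),
    "test":     (4, ["build", "procure"]),
    "train":    (3, ["design"]),
    "turnover": (1, ["test", "train"]),
}


def topological_order(tasks):
    """Return the tasks ordered so every predecessor precedes its successors,
    plus the successor map. Raises ValueError on an unknown predecessor or a
    dependency cycle (a plan that could never complete)."""
    indegree = {t: len(preds) for t, (_, preds) in tasks.items()}
    successors = defaultdict(list)
    for t, (_, preds) in tasks.items():
        for p in preds:
            if p not in tasks:
                raise ValueError(f"unknown predecessor {p!r} of task {t!r}")
            successors[p].append(t)
    ready = deque(t for t in tasks if indegree[t] == 0)
    order = []
    while ready:
        t = ready.popleft()
        order.append(t)
        for s in successors[t]:
            indegree[s] -= 1
            if indegree[s] == 0:
                ready.append(s)
    if len(order) != len(tasks):
        raise ValueError("dependency cycle: the schedule can never complete")
    return order, successors


def critical_path(tasks):
    """Classic CPM: forward pass for earliest start/finish (ES/EF), backward
    pass for latest start/finish (LS/LF); slack = LS - ES; tasks with zero
    slack are critical, and the project concludes at max(EF)."""
    order, successors = topological_order(tasks)
    es, ef = {}, {}
    for t in order:                        # forward pass
        duration, preds = tasks[t]
        es[t] = max((ef[p] for p in preds), default=0)
        ef[t] = es[t] + duration
    project_end = max(ef.values())         # earliest day the project can conclude
    ls, lf = {}, {}
    for t in reversed(order):              # backward pass
        duration, _ = tasks[t]
        lf[t] = min((ls[s] for s in successors[t]), default=project_end)
        ls[t] = lf[t] - duration
    slack = {t: ls[t] - es[t] for t in order}
    # With a single critical path the zero-slack tasks, in topological order,
    # are exactly that path; with parallel critical paths they are the union.
    path = [t for t in order if slack[t] == 0]
    return {"duration": project_end, "path": path, "slack": slack,
            "es": es, "ef": ef, "ls": ls, "lf": lf}


if __name__ == "__main__":
    result = critical_path(TASKS)
    print(f"project concludes on day {result['duration']}")        # 20
    print("critical path:", " -> ".join(result["path"]))
    for t in result["slack"]:
        print(f"{t:9s} ES={result['es'][t]:2d} EF={result['ef'][t]:2d} "
              f"LS={result['ls'][t]:2d} LF={result['lf'][t]:2d} "
              f"slack={result['slack'][t]}")
```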
             -  Process groups
                -  Initiating
                -  Planning
                -  Executing
                -  Controlling and monitoring
                -  Closing
          o  Projects IN Controlled Environments (PRINCE2): Project management framework
             -  Starting up a project (SU)
             -  Planning (PL)
             -  Initiating a project (IP)
             -  Directing a project (DP)
             -  Controlling a stage (CS)
             -  Managing product delivery (MP)
             -  Managing Stage Boundaries (SB)
             -  Closing a project (CP)
          o  Scrum: Iterative and incremental process most commonly used to project manage an agile software development effort.
             -  Scrum master: this is the project manager
             -  Product owner: This is the customer
             -  Team
             -  Users

             -  Access control
             -  Encryption
             -  Data validation
             -  Audit logging
             -  Security operational requirements
          o  DR/BCP Requirements
          o  Privacy Requirements
          o  RFP Process: Request For Proposal
             -  Requirements
             -  Vendor financial stability
             -  Product roadmap
             -  Experience
             -  Vision
             -  References
             -  Questions for clients:
                -  Satisfaction with installation
                -  Satisfaction with migration
                -  Satisfaction with support
                -  Satisfaction with long-term roadmap
                -  What went well
                -  What did not go well
             -  Contract negotiation
             -  Closing the RFP
     3.   Design: A top down approach

          o  Unit testing: by developers during the coding phase. Should be a part of the development of each module in the application.
          o  System testing: end to end testing. Includes interface testing, migration testing.
          o  Functional testing: Verification of functional requirements
          o  User Acceptance Testing (UAT): In most cases, it is a formal step to find out if the organization accepts the software developed by a 3rd party.
          o  Quality Assurance Testing (QAT):
     6.   Implementation
          o  Planning:
             -  Prepare physical space for production systems
             -  Build production systems
             -  Install application software
             -  Migrate data
          o  Training:
             -  End users
             -  Customers
             -  Support staff
             -  Trainers
          o  Data migration
             -  Record counts
             -  Batch totals
                                                                                                                                                                                                 Checksums
                                                                             Stakeholders                4.   Development:
                                                                                                                                                                                 o    Cutover
                                                                             Managers                                          Coding the application
                                                                                                                                Developing program and system                                   Parallel
                                                                                                                                 level documents                                                 Geographic
                                       SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC)                                                                                                                    Module by module
                                                                                                                                Developing user procedures
                                                                                                                                Working with users                                              Roll-back
                                          1.   Feasibility Study: Determine whether a specific                                                                                   o    Rollback Planning
                                               change or set of changes in business processes and                               Developing in a software
                                                                                                                                 acquisition setting:                   7.   Post Implementation
                                               underlying applications is practical to undertake.                                                                                o    Implementation review
                                                   o     Time required to develop / acquire software                                       Customizations
                                                                                                                                                                                                 System adequacy
                                                   o     A comparison between the cost of developing                                       Interfaces of other
                                                                                                                                                                                                 Security review
                                                         the application vs buying                                                          systems
                                                                                                                                                                                                 Issues
                                                   o     Whether an existing system can meet the                                           Authentication
                                                                                                                                                                                                 ROI
                                                         business need                                                                     Reports                              o    Software maintenance
                                                   o     Whether the application supports strategic                             Debugging
                                                         business objectives                                                               Correct operations              Development Risks
                                                   o     Whether a solution can be developed that is                                       Input validation                     o   Application inadequacy
                                                         compatible with other IT systems                                                  Proper output validation             o   Project risk
                                                   o     The impact of the proposed changes to the                                         Resource usage                       o   Business inefficiency
                                                         business on regulatory compliance                                      Source Code Management (SCM)                    o   Market changes
                                                   o     Whether future requirements can be met by                                         Protection
                                                         the system                                                                        Control                         Development Approaches and Techniques
                                          2.   Requirements: Characteristics of a new application or                                       Version control                      o   Agile Development
                                               changes being made.                                                                         Recordkeeping                        o   Prototyping
                                                   o     Business functional requirements: Must have      5.   Testing
                                                         to support the business
                                                   o     Technical requirements and standards: Use
                                                         the same basic technologies already in use
                                                         as well as formal technical standards.
                                                   o     Security and Regulatory Requirements:
                                                                   Authentication
                                                                   Authorization
        o Rapid Application Development (RAD)
        o Data Oriented System Development (DOSD)
        o Object-Oriented System Development (OO)
        o Component based development: CORBA, DCOM, SOA
        o Web-Based Application Development: HTML, SOAP, XML
        o Reverse Engineering

    System Development Tools
        o Computer-Aided Software Engineering (CASE)
            - Upper CASE: requirements gathering, DFDs, interfaces
            - Lower CASE: Creation of program source code and data schemas
        o Fourth Generation Languages

INFRASTRUCTURAL DEVELOPMENT AND IMPLEMENTATION

    1. Review of existing architecture
    2. Requirements
        a. Business functional requirements
        b. Technical requirements and standards
        c. Security and regulatory requirements
        d. Privacy requirements
    3. Design
        a. Procurement
    4. Testing
    5. Implementation
    6. Maintenance

MAINTAINING INFORMATION SYSTEMS

    Change Management Process
        Change request
        Change review
        Perform change
        Emergency changes

    Configuration Management
        Recovery: stored independent of the systems themselves
        Consistency: It will simplify administration, reduce mistakes, and result in less unscheduled downtime.

BUSINESS PROCESSES

    Business Process Life Cycle (BPLC)
        1. Feasibility study
        2. Requirements definition
        3. Design
        4. Development
        5. Testing
        6. Implementation
        7. Monitoring
        8. Post-implementation

    Benchmarking a Process
        Plan
        Research
        Measure and observe
        Analyze
        Adapt: understand the fundamental reasons why other organizations’ measurements are better than its own.
        Improve

    Capability Maturity Models
        Software Engineering Institute Capability Maturity Model (SEI CMM)
            o Initial
            o Repeatable
            o Defined
            o Managed
            o Optimizing
        Capability Maturity Model Integration (CMMI): An aggregation of these other models into an overall maturity model.
        ISO 15504: Software Process Improvement and Capability dEtermination (SPICE)
            o Level 0 incomplete
            o Level 1 performed
            o Level 2 managed
            o Level 3 established
            o Level 4 predictable
            o Level 5 optimizing

APPLICATION CONTROLS

    Input Controls
        Authorization
            o User access controls
            o Workstation identification
            o Approved transactions and batches
            o Source documents
        Input validation
            o Type checking
            o Range and value checking
            o Existence
            o Consistency
            o Length
            o Check digits
            o Spelling
            o Unwanted characters
            o Batch controls
        Error handling
            o Batch rejection
            o Transaction rejection
            o Request re-input

    Processing Controls
        Editing
        Calculations
            o Run-to-run totals
            o Limit checking
            o Batch totals
            o Manual recalculation
            o Reconciliation
            o Hash values
        Data file controls
            o Data file security
            o Error handling
            o Internal and external labeling
            o Data file version
            o Source files
            o Transaction logs
        Processing errors

    Output Controls
        Controlling special forms
        Report distribution and receipt
        Reconciliation
        Retention
AUDITING THE SOFTWARE DEVELOPMENT LIFE CYCLE

    Auditing Project Management
    Auditing the Feasibility Study
    Auditing Requirements
    Auditing Design
    Auditing Development
    Auditing Implementation
    Auditing Post-Implementation
    Auditing Software Acquisition
    Auditing Change Management
    Auditing Configuration Management

AUDITING BUSINESS CONTROLS

    Identify the key processes in an organization and understand the controls that are in place, or should be in place, that govern the integrity of those processes.

AUDITING APPLICATION CONTROLS

    Transaction Flow
    Observations
    Data Integrity Testing: Used to confirm whether an application properly accepts, processes, and stores information.
    Testing Online Processing Systems
    Auditing Applications
    Continuous Auditing: Several techniques are available to perform online auditing:
Domain 4 – IT Service Delivery & Infrastructure

IT organizations are effective if their operations are effective. IT organizations are service organizations – their existence is to serve the organization and support its business processes.

INFORMATION SYSTEMS OPERATIONS

    Management and control of operations
        o Process and procedures
        o Standards
        o Resource allocation
        o Process management
    IT Service management (ITSM)
        o Service desk
        o Incident mgt
        o Problem mgt
        o Change mgt
        o Configuration mgt
        o Release mgt: ITIL terms used to describe SDLC. Used for changes in a system such as:
            - Incidents and problem resolution
            - Enhancements
            - Subsystem patches and changes
        o Service-level mgt
        o Financial mgt
        o Capacity mgt
            - Periodic measurements
            - Considering planned changes
            - Understanding long-term strategies
            - Changes in technology
        o Service continuity mgt
        o Availability mgt
            - Effective change mgt
            - Effective application testing
            - Resilient architecture
            - Serviceable components
    Infrastructure Operations
        o Running scheduled jobs
        o Restarting failed jobs/processes
        o Facilitating backup jobs
        o Monitoring systems/apps/networks
    Monitoring
    Software Program Library Management: System that is used to store and manage access to an organization’s application source and object code
        o Access and authorization controls
        o Program checkout
        o Program check in
        o Version control
        o Code analysis
    Quality Assurance
    Security Management
        o Policies, procedures, processes, and standards
        o Risk Assessments
        o Impact analysis
        o Vulnerability management

INFORMATION SYSTEMS HARDWARE

    Computer usage
        o Types: supercomputer, mainframe, midrange, server, desktop, laptop, mobile
        o Uses: app server, web server, file server, db server, print server, test server, thin client, thick client, workstation
    Computer architecture
        o CPU: CISC (Complex Instruction Set Computer), RISC (Reduced Instruction Set Computer), Single processor, Multi-processor
        o Bus: PCI, PC Card, MBus, Sbus
        o Main Storage
        o Secondary Storage: Program storage, data storage, temporary files, OS, virtual memory
        o Firmware: Flash, EPROM, PROM, ROM, EEPROM
        o I/O and Networking
        o Multi-computer: Blade computers, grid computing, server clusters, virtual servers
    Hardware maintenance
    Hardware monitoring

INFORMATION SYSTEMS ARCHITECTURE AND SOFTWARE

    Computer Operating Systems
        - Access to peripherals
        - Storage mgt
        - Process mgt
        - Resource allocation
        - Communication
        - Security
        o OS Virtualization
        o Clustering: using special software
        o Grid Computing: a form of distributed computing
        o Cloud Computing: dynamically scalable and usually virtualized
    Data Communication Software
    File Systems: Directories, files, FAT, NTFS, HFS (Hierarchical File System), ISO 9660 (CD-ROM, DVD), UDF (Universal Disk Format)
    Database Management Systems
        o Relational DB Management (rDBMS): Primary key, one or more indexes, referential integrity, Encryption, Audit logging, access controls
        o Object Database (ODBMS): Represented as objects, Data and the programming method are contained in an object
        o Hierarchical Database: Top-down
    Media Management System: Tape management systems (TMS) or Disk Management Systems (DMS)
    Utility software
        o Software and data design
        o Software development
        o Software testing
        o Security testing
        o Data management
        o System health
        o Network

NETWORK INFRASTRUCTURE

    Network Architecture
        o Physical network architecture
        o Logical network architecture
        o Data flow architecture
        o Network standards and services
    Types of networks
        o Personal Area Network (PAN): up to 3 meters and used to connect peripherals for use by an individual
        o LAN
        o Campus Area Network (CAN)
        o Metropolitan Area Network (MAN)
        o WAN
    Network-based Services: email, print, file storage, remote access, directory, terminal emulation, time synch, network authentication, web security, anti-malware, network management
    Network Models
        o OSI: Application, presentation, session, transport, network, data link, physical
        o TCP/IP: Link, internet, transport, application
    Network Technologies
        o LAN
            - Physical topology: Star, Ring, Bus
CISA Summary V1.0

CISA Summary V1.0

  • 1.   CISA summary  Version 1.0  Christian Reina, CISSP    This document may be used only for informational, training and noncommercial purposes. You are free to copy, distribute, publish and alter this document under the conditions that you give credit to the original author.  2010 ‐ Christian Reina, CISSP. 
  • 2. Risk Management IT Management Practices “Collection of top-down activities intended to control the IT Seek, identify, and manage risk. organization from a strategic perspective.”  Accept 1. Personnel Management  Policy  Mitigate a. Hiring: Background check, Employee Policy  Priorities  Transfer Manual, Job Description  Standards  Avoid b. Employee Development: Training,  Vendor Management Performance evaluation, Career path  Program/Project Management Risk Management Program c. Mandatory vacations: Audit, cross training,  Objectives: reduce costs, incidents reduced risk IT Strategy Committee  Scope d. Termination Advise board of directors on strategies.  Authority: Executive level of commitment e. Transfers and reassignments 2. Sourcing  Resources: a. Insource Balanced Scorecard  Policies, processes, procedures, and records Measure performance and effectiveness. b. Outsource: risks, SLA, policy, governance  Business contribution: Perception from Non-IT (service level agreements, change Risk Management Process executives management, security, quality, audits), SaaS  User: Satisfaction 3. Change Management 1. Asset Identification: Equipment, information, records, a. Request  Operational excellence: downtime, defects, support reputation, personnel b. Review tickets o Grouping Assets c. Approve  Innovation: increase IT value w/ innovation o Sources of asset data: Interviews, IT d. Perform change systems, Online data e. Verify change Information Security Governance o Organizing data: Business process, 4. Financial Management Roles and responsibilities Geography, OU, Sensitivity, Regulated a. Develop  Board of Directors: risk appetite and risk management 2. Risk Analysis b. Purchase  Steering Committee: Operational strategy for security o Threat analysis: All threats with realistic c. Rent Domain 1 – IT Governance  and risk management opportunity of occurrence 5. 
Quality Management  CISO: conducting risk assessment, developing security o Vulnerability Identification: Ranked by a. Software development policy, vulnerability management, incident severity or criticality b. Software acquisition management, compliance o Probability analysis: Requires research to c. Service desk  Employees: Comply with policies develop best guesses d. IT operations o Impact analysis: Study of estimating the e. Security Enterprise Architecture (EA) impact of specific threats on specific assets f. Standards: Map business functions into the IT environment as a model. o Qualitative: Subjective using numeric scale i. ISO 9000: Superseded by ISO Activities to ensure business needs are met o Quantitative: 9001:2008 Quality Management  Asset Value (AV) System Zachman Model  Exposure Factor (EF) ii. ISO 20000: IT Service IT Systems and environments are described at a high, functional  Single Loss Expectancy (SLE): AV Management for organization level, and then in increasing detail x EF adopting ITIL  Annualized rate of occurrence iii. ITIL DFD (ARO) 1. Service Delivery Illustrate the flow of information  Annualized loss expectancy (ALE): 2. Control Processes SLE x ARO 3. Release Processes 3. Risk Treatments 4. Relationship Processes o Risk Mitigation 5. Resolution Processes o Risk Transfer 6. Security Management o Risk Avoidance a. Security Governance o Risk Acceptance b. Risk Assessment o Residual Risk c. Incident Management d. Vulnerability Management e. Access and Identity management f. Compliance management
  • 3. g. BCP 3. Reviewing Outsourcing 7. Performance Management a. Distance a. COBIT b. Lack of audit contract terms b. SEI CMMI c. Lack of cooperation Roles and Responsibilities 1. Executive Management: CIO, CTO, CSO, CISO, CPO 2. Software Development: Architect, Analyst, developer, programmer, tester 3. Data Management: architect, DBA, analyst 4. Network Management: architect, engineer, administrator, telecom 5. Systems Management: architect, engineer, storage, systems administrator 6. Operations: manager, analyst, controls analyst, data entry, media librarian 7. Security Operations: architect, engineer, analyst, account management, auditor 8. Service Desk: Help desk, technical support Segregation of Duties Controls 1. Transaction authorization 2. Split custody Domain 1 – IT Governance  3. Workflow: extra approval 4. Periodic reviews Auditing IT Governance 1. Reviewing Documentation and Records: a. IT Charter, strategy b. IT org chart c. HR/IT performance d. HR promotion policy e. HR manuals f. Life-cycle processes and procedures g. IT operations procedures h. IT procurement process i. Quality management documents 2. Reviewing Contracts a. Service levels b. Quality levels c. Right to audit rd d. 3 party audit e. Conformance to policies, laws, regulations f. Incident notification g. Liabilities h. Termination terms i. Protection of PII
  • 4. Assess and evaluate the effectiveness of IT  Provide Appropriate Tools Required to Intercept and 3. Serve in the interest of stakeholders in a Obstruct Terrorism Act (PATRIOT) 2001 lawful and honest manner, while maintaining  Sarbanes-Oxley Act 2002 high standards of conduct and character, and AUDIT MANAGEMENT  Federal Information Security Management Act (FISMA) not engage in acts discreditable to the 2002 profession. The Audit Charter: Define roles and responsibilities. Sufficient  Controlling the Assault of Non-Solicited Pornography 4. Maintain the privacy and confidentiality of authority and Marketing Act (CAN-SPAM) 2003 information obtained in the course of their  California Privacy Act SB1386 2003 duties unless disclosure is required by legal The Audit Program: scope, objectives, resources, procedures  Identity Theft and Assumption Deterrence Act 2003 authority. Such information shall not be used  Basel II 2004 for personal benefit or released to Strategic Audit Planning: inappropriate parties.  Payment Card Industry Data Security Standard (PCI-  Factors: Business goals and objectives, Initiatives, DSS) 2004 5. Maintain competency in their respective fields market conditions, changes in technology, regulatory and agree to undertake only those activities,  North American Electric Reliability Corporation (NERC) requirements. which they can reasonably expect to 1968/2006  Changes in Audit Activities: New internal audits, new complete with professional competence.  Massachusetts Security Breach Law 2007 6. Inform appropriate parties of the results of external audits, increase in audit scope, impact on business process work performed; revealing all significant facts Canadian Regulations:  Resource planning: Budget and manpower known to them.  Interception of Communications Section 184 7. 
Support the professional education of  Unauthorized Use of Computer, Section 342.1 stakeholders in enhancing their Audit and Technology: Continue learning about new technologies  Privacy Act 1983 understanding of information systems security  Personal Information Protection and Electronic and control. Audit Laws and Regulations: Documents Act (PIPEDA)  Characteristics: Security, Integrity, Privacy European Regulations Audit Standards  Computer Security and Privacy Regulations: o Categories: Computer trespass, protection of  Convention for the Protection of Individuals with Regard sensitive information, collection and use of to Automatic Processing of Personal Data 1981  S1, Audit Charter information, law enforcement investigative  Computer Misuse Act (CMA) 1990  S2, Independence powers  Directive on the Protection of Personal Data 2003  S3, Professional Ethics and Standards European Union  S4, Professional Competence main 2 – The Audit Process  o Consequences: Loss of reputation, competitive advantage, sanctions, lawsuits,  Data Protection Act (DPA) 1998  S5, Planning fines, prosecution  Regulation of Investigatory Powers Act 2000  S6, Performance of Audit Work  Anti-Terrorism Crime and Security Act 2001  S7, Reporting “An organization should take a systematic approach to determine  Privacy and Electronic Communications Regulations  S8, Follow-up Activities the applicability of regulations as well as the steps required to 2003  S9, Irregularities and Illegal Acts attain compliance and remain in this state. 
“  Fraud Act 2006  S10, IT Governance  Police and Justice Act 2006  S11, Use of Risk Assessment in Audit Planning US Regulations:  S12, Audit Materiality  Access Device Fraud 1984 Other Regulations  S13, Use the Work of Other Experts  Computer Fraud and Abuse Act 1984  Cybercrime Act 2001 Australia  S14, Audit Evidence  Electronic Communications Act 1986  Information Technology Act 2000 India  S15, IT Controls  Electronic Communications Privacy Act (ECPA) 1986  S16, E-Commerce  Computer Security Act 1987 ISACA AUDITING STANDARS  Computer Matching and Privacy Protection Act 1988 Audit Guidelines  Communications Assistance for Law Enforcement Act Code of Ethics: (CALEA) 1994  G1, Using the Work of Other Auditors  Economic and Protection of Proprietary Information Act Members and ISACA certification holders shall:  G2, Audit Evidence Requirement 1996  G3, Use of Computer-Assisted Audit Techniques  Health Insurance Portability and Accountability Act 1. Support the implementation of, and encourage compliance with, appropriate (CAATs) (HIPPA) 1996  G4, Outsourcing of IS Activities to Other Organizations  Children’s Online Privacy Protection Act (COPPA) 1998 standards, procedures and controls for information systems.  G5, Audit Charter  Identity Theft and Assumption Deterrence Act 1998  G6, Materiality Concepts for Auditing IS 2. Perform their duties with objectivity, due  Gramm-Leach-Bliley Act 1999  G7, Due Professional Care diligence and professional care, in  Federal Energy Regulatory Commission (FERC) accordance with professional standards and  G8, Audit Documentation best practices.
  • 5. G9, Audit Considerations for Irregularities and Illegal  P10, Business Application Change Control PERFORMING AN AUDIT Acts  P11, Electronic Funds Transfer  G10, Audit Sampling  Formal Planning:  G11, Effect of Pervasive IS Controls RISK ANALYSIS o Purpose  G12, Organizational Relationship and Independence o Scope  G13, Use of Risk Assessment in Audit Planning  Evaluating Business Processes o Risk Analysis  G14, Application Systems Review  Identifying Business Risks o Audit procedures  G15, Planning  Risk Mitigation o Resources  G16, Effect of Third Parties on an Organization’s IT  Countermeasures Assessment o Schedule Controls  Monitoring  Types  G17, Efect of Nonaudit Role on the IS Auditor’s o Operational Independence INTERNAL CONTROLS o Financial o IS audit  G18, IT Governance o Administrative  G19, Irregularities and Illegal Acts o Compliance  G20, Reporting o Forensic  G21, Enterprise Resource Planning (ERP) Systems o Service provider Review o Pre-audit  G22, Business to Consumer (B2C) E-Commerce  Compliance vs. Substantive Testing Review o Compliance: Determine if control procedures  G23, SDLC Review have been properly designed and  G24, Internet Banking implemented and operating properly. 
 G25, Review of VPN o Substantive: Determine accuracy and  G26, Business Process Reengineering (BRP) Review integrity of transactions that flow through  G27, Mobile Computing processes and information systems  G28, Computer Forensics  Audit Methodology  G29, Post-implementation Review o Audit Subject Domain 2 – The Audit Process  G30, Competence o Audit Objective  G31, Privacy o Audit type  G32, BCP o Audit Scope  G33, General Consideration on the Use of the Internet o Pre-Audit planning  G34, Responsibility, Authority, and Accountability o Audit SoW  G35, Follow up Activities  Control Classification o Audit Procedures  G36, Biometric Controls o Types: Technical, Administrative, Physical o Communication plan o Classes: Preventative, Detective, Deterrent, o Report preparation  G37, Configuration Management Corrective, Compensating, Recovery o Wrap-up  G38, Access Controls o Categories: Manual, Automatic o Post-audit Follow-up  G39, IT Organization  Internal Control Objectives: Statements of desired  Audit Evidence  G40, Review of Security Management Practices outcomes from business operations. Protection of IT o Independence of the evidence provider  assets, Availability of IT systems o Qualifications of the evidence provider Audit Procedures o IS Control Objectives: Protection of o Objectivity information from unauthorized personnel,  P1, Risk Assessment Integrity of Operating Systems o Timing  P2, Digital Signature and Key management  Gathering Evidence  General Computing Controls: GCCs are controls that Org Chart  P3, IDS apply across all applications and services. Passwords o  P4, Viruses o Review dept and project charters are encrypted, Strong passwords o rd Review 3 party contracts  P5, Control Risk Self-Assessment  IS Controls: Each GCC is mapped to a specific IS o Review IS policies and procedures  P6, Firewall control on each system type. 
o Review IS Standards  P7, Irregularities and Illegal Acts  P8, Security Assessment (Pen test, vulnerability analysis)  P9, Encryption    
  • 6. o Review IS documentation o Ownership of controls o Personnel Interviews o Improved employee awareness o Passive observation o Improved relationship between  Observing Personnel departments and auditors o Real tasks  Disadvantages o Skills and experience o Mistaken as a substitute for internal audit o Security awareness o May be considered extra work o Segregation of Duties o May be considered an attempt by an  Sampling auditor to shrug off responsibilities o Statistical: Reflect the entire population o Lack of employee involvement has no o Judgmental: Subjectively selects samples results based on established criteria  Life Cycle o Attribute: Samples are examined and a o Identify and assess risks specific attribute is chosen o Identify and assess controls o Variable: Determine the characteristic of a o Develop questionnaire or workshop given population to determine total value o Analyze completed questionnaire o Stop-or-go: Sampling can stop at the earliest o Control remediation possible time due to low risk and rate of o Awareness training exceptions o Discovery: Trying to find at least one exception in a population o Stratified: Create different classes and review one attribute common to all classes  Computer-Assisted Audit: CAATs help examine and evaluate data across complex environments Domain 2 – The Audit Process  Reporting Audit Results o Cover letter o Intro o Summary o Description o Listing of systems and processes examined o Listing of interviewees o Listing of evidence obtained o Explanation of sampling technique o Description of findings and recommendations  Audit Risk o Control risk: undetected error by an internal control o Detection risk: IS auditor will overlook errors o Inherent risk: Inherent risks exist independent of the audit. 
o Overall audit risk: summation of all of the residual risks o Sampling risk: sampling technique will not detect  Materiality: A monetary threshold in financial audits CONTROL SELF-ASSESSMENT Methodology used by an organization to review key business objectives, and the key controls designed to manage those risks.  Advantages o Risks detected earlier o Improvement of internal controls
  • 7. Organization’s methodologies and practices for the development  Managing Projects  Other costs: development tools, and management of software, infrastructure, and business o Managing the project schedule workstations, servers, software processes. o Recording task completion licenses, network devices, training, o Running project meetings equipment PORTFOLIO AND PROGRAM MANAGEMENT: o Tracking project expenditures o Scheduling Project Tasks: Critical phase o Communicating project status  Gantt Chart A program is an organization of many large, complex activities,  Project Roles and Responsibilities  Program Evaluation and Review and can be thought of as a set of projects that work to fulfill one or o Senior management: support the approval of Technique (PERT) more key business objectives or goals. the project  Critical path Methodology (CPM): It o IT steering committee: Commission the is important to identify the critical  Starting a Program: feasibility study, approve project path in a project, because this o Program charter o Project manager allows the project manager to o Identification of available resources o Project team members understand which tasks are most  Running a Program: o End-user management: Assign staff to the likely to impact the project schedule o Monitoring project schedules project team. Support development of cases and to determine when the project o Managing project budgets o End users will finally conclude. o Managing resources o Project sponsor: define project objectives,  Timebox Management: A period in o Identifying and managing conflicts provide budget which a project must be completed. 
o Creating status reports o Systems development management o Project Records:  Project Portfolio Management o System developers  Project plans Security manager  Project changes Domain 3 – IT Life­Cycle Management o Executive sponsor o o Program manager o IT Operations  Meetings agendas and minutes o Project manager  Project Planning  Resource consumption o Start and end dates  Task identification  Task information o Names of participants  Task estimation o Project Documentation: Helps users, support o Objectives or goals that the project supports  Task resources staff, IT operations, developers, and auditors o Budget  Task dependencies o Project Change Management: The o Resources  Milestone tracking procedures for making changes to the project o Dependencies  Task tracking should be done in two basic steps:  Business Case development o Estimating and sizing software projects  The project team should identify the o Business problem  Object Breakdown Structure (OBS) specific use, impact, and remedy. o Feasibility study results  Work Breakdown Structure (WBS) Make a formal request o High-level project plan  Source Lines of Code (SLOC):  This change request should be o Budget accurate estimate based on presented to management along o Metrics previous analysis for the time to with its impact. Management o Risks develop a program. should make a decision. 
 COCOMO: Constructive Cost o Project closure PROJECT MANAGEMENT Model method for estimating  Project debrief software development projects  Project documentation archival  Organizing Projects  Management review  Direct report: Project team leader  Training  Influencer: Influence members but  Formal turnover to users, does not manage them directly operations and support  Pure project: Given authority o Methodologies  Matrix: Authority over each project  Project Management Body of team member Knowledge (PMBOK): Process o Initiating a project based  Developing Project Objectives  Processes: o Object Breakdown Structure (OBS): Visual  Function Point Analysis (FPA): o Inputs representation of the system, software, or time-proven estimation technique o Techniques application, in a hierarchical form. for larger software projects. It o Outputs o Work Breakdown Structure (WBS): Logical studies the detailed design representation of the high-level and detailed specifications for an application tasks that must be performed to complete the program and counts the number of project. user inputs, user outputs, user queries, files, and external interfaces.
    - Process groups (PMBOK): Initiating, Planning, Executing, Monitoring and controlling, Closing
  o Projects IN Controlled Environments (PRINCE2): project management framework with these processes:
    - Starting up a project (SU)
    - Planning (PL)
    - Initiating a project (IP)
    - Directing a project (DP)
    - Controlling a stage (CS)
    - Managing product delivery (MP)
    - Managing Stage Boundaries (SB)
    - Closing a project (CP)
  o Scrum: iterative and incremental process most commonly used to manage an agile software development effort
    - Scrum master: Scrum's term for the project manager
    - Product owner: the customer
    - Team
    - Other participants: users, stakeholders, managers

SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC)

1. Feasibility Study: determine whether a specific change or set of changes in business processes and underlying applications is practical to undertake.
  o Time required to develop or acquire the software
  o Comparison between the cost of developing the application and the cost of buying it
  o Whether an existing system can meet the business need
  o Whether the application supports strategic business objectives
  o Whether a solution can be developed that is compatible with other IT systems
  o The impact of the proposed changes to the business on regulatory compliance
  o Whether future requirements can be met by the system
2. Requirements: characteristics of the new application, or of the changes being made.
  o Business functional requirements: what the application must have to support the business
  o Technical requirements and standards: use the same basic technologies already in use, as well as formal technical standards
  o Security and regulatory requirements: authentication, authorization, access control, encryption, data validation, audit logging, security operational requirements
  o DR/BCP requirements
  o Privacy requirements
  o RFP Process (Request For Proposal)
    - Requirements
    - Vendor financial stability
    - Product roadmap
    - Experience
    - Vision
    - References
    - Questions for the vendor's existing clients: satisfaction with production systems; satisfaction with the migration project; satisfaction with support; satisfaction with the long-term roadmap; what went well; what did not go well
    - Contract negotiation
    - Closing the RFP
3. Design: a top-down approach
4. Development
  o Coding the application
  o Developing program-level and system-level documents
  o Developing user procedures
  o Working with users
  o Developing in a software acquisition setting: customizations, interfaces to other systems, authentication, reports
  o Debugging: correct operation, input validation, proper output validation, resource usage
  o Source Code Management (SCM): protection, control, version control, recordkeeping
5. Testing
  o Unit testing: by developers during the coding phase; should be part of the development of each module in the application
  o System testing: end-to-end testing; includes interface testing and migration testing
  o Functional testing: verification of the functional requirements
  o User Acceptance Testing (UAT): in most cases a formal step to find out whether the organization accepts the software developed by a 3rd party
  o Quality Assurance Testing (QAT)
6. Implementation
  o Planning: prepare physical space for installation; build production systems; install application software; migrate data
  o Training: end users, customers, support staff, trainers
  o Data migration controls: record counts, batch totals, checksums
  o Cutover: parallel; geographic; module by module; roll-back
  o Rollback planning
7. Post Implementation
  o Implementation review: system adequacy, security review, issues, ROI
  o Software maintenance

- Development Risks
  o Application inadequacy
  o Project risk
  o Business inefficiency
  o Market changes

- Development Approaches and Techniques
  o Agile Development
  o Prototyping
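The three data migration controls listed under Implementation, record counts, batch totals and checksums, applied to a source extract and its migrated copy. This is an added example, not code from the CISA summary: the rows, the "amount" control field and the checksum scheme (sorted canonical JSON hashed with SHA-256) are constructed for illustration. It goes one step beyond the list by showing why all three controls are needed: a row whose account number was altered in flight passes both the record count and the batch total, and only the checksum catches it.

```python
"""Post-migration reconciliation: record counts, batch totals, checksums.

Added example, not from the CISA summary. Rows and the control field are constructed;
the checksum scheme (sorted canonical JSON, SHA-256) is one reasonable choice, not
something the page prescribes.
"""
import hashlib
import json
from decimal import Decimal


def record_count(rows) -> int:
    return len(rows)


def batch_total(rows, field: str = "amount") -> Decimal:
    # Decimal, not float: control totals must add exactly.
    return sum((Decimal(str(r[field])) for r in rows), Decimal("0"))


def canonical(row: dict) -> str:
    # Stable serialisation so field order in the extract does not change the checksum.
    return json.dumps(row, sort_keys=True, separators=(",", ":"), default=str)


def checksum(rows) -> str:
    # Order-independent: migrations frequently reorder rows, which is not an error.
    h = hashlib.sha256()
    for line in sorted(canonical(r) for r in rows):
        h.update(line.encode("utf-8"))
        h.update(b"\n")
    return h.hexdigest()


def reconcile(source, target, field: str = "amount") -> dict:
    """Run all three controls; any mismatch fails the migration."""
    checks = {
        "record_count": (record_count(source), record_count(target)),
        "batch_total": (batch_total(source, field), batch_total(target, field)),
        "checksum": (checksum(source), checksum(target)),
    }
    failed = [name for name, (s, t) in checks.items() if s != t]
    return {"ok": not failed, "failed": failed, "checks": checks}


def row_differences(source, target) -> dict:
    """When the checksum fails, pinpoint the rows that differ."""
    s = {canonical(r) for r in source}
    t = {canonical(r) for r in target}
    return {"missing_in_target": sorted(s - t), "unexpected_in_target": sorted(t - s)}


# Constructed sample extracts.
SOURCE = [
    {"id": 1, "account": "79927398713", "amount": "250.00"},
    {"id": 2, "account": "49927398716", "amount": "1200.50"},
    {"id": 3, "account": "1234567812345670", "amount": "75.25"},
]
TARGET_OK = [dict(r) for r in reversed(SOURCE)]          # same rows, different order
TARGET_ALTERED = [dict(r) for r in SOURCE]
TARGET_ALTERED[1]["account"] = "49927398717"             # amount untouched, account changed
TARGET_TRUNCATED = [dict(r) for r in SOURCE[:2]]         # last row never arrived

if __name__ == "__main__":
    for name, tgt in (("ok", TARGET_OK), ("altered", TARGET_ALTERED),
                      ("truncated", TARGET_TRUNCATED)):
        result = reconcile(SOURCE, tgt)
        print(name, "PASS" if result["ok"] else f"FAIL {result['failed']}")
        if "checksum" in result["failed"]:
            print("  ", row_differences(SOURCE, tgt))
```

The altered extract is the case an auditor should ask about: counts and control totals are what most migration sign-offs check, and both are satisfied by it. Computing the checksum on both sides independently, from the raw extracts rather than from one side's report, is what makes the third control meaningful.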
- Development Approaches and Techniques (continued)
  o Rapid Application Development (RAD)
  o Data Oriented System Development (DOSD)
  o Object-Oriented System Development (OO)
  o Component-based development: CORBA, DCOM, SOA
  o Web-based application development: HTML, SOAP, XML
  o Reverse engineering

- System Development Tools
  o Computer-Aided Software Engineering (CASE)
    - Upper CASE: requirements gathering, DFDs, interfaces
    - Lower CASE: creation of program source code and data schemas
  o Fourth Generation Languages

INFRASTRUCTURAL DEVELOPMENT AND IMPLEMENTATION

1. Review of existing architecture
2. Requirements
  a. Business functional requirements
  b. Technical requirements and standards
  c. Security and regulatory requirements
  d. Privacy requirements
3. Design
  a. Procurement
4. Testing
5. Implementation
6. Maintenance

MAINTAINING INFORMATION SYSTEMS

- Change Management Process
  o Change request
  o Change review
  o Perform change
  o Emergency changes
- Configuration Management
  o Recovery: configuration data is stored independently of the systems themselves
  o Consistency: simplifies administration, reduces mistakes, and results in less unscheduled downtime

BUSINESS PROCESSES

- Business Process Life Cycle (BPLC)
  1. Feasibility study
  2. Requirements definition
  3. Design
  4. Development
  5. Testing
  6. Implementation
  7. Monitoring
  8. Post-implementation
- Benchmarking a Process
  o Plan
  o Research
  o Measure and observe
  o Analyze
  o Adapt: understand the fundamental reasons why other organizations' measurements are better than the organization's own
  o Improve
- Capability Maturity Models
  o Software Engineering Institute Capability Maturity Model (SEI CMM): Initial, Repeatable, Defined, Managed, Optimizing
  o Capability Maturity Model Integration (CMMI): an aggregation of these other models into an overall maturity model
  o ISO 15504, Software Process Improvement and Capability dEtermination (SPICE): Level 0 incomplete, Level 1 performed, Level 2 managed, Level 3 established, Level 4 predictable, Level 5 optimizing

APPLICATION CONTROLS

- Input Controls
  o Authorization: user access controls; workstation identification; approved transactions and batches; source documents
  o Input validation: type checking; range and value checking; existence; consistency; length; check digits; spelling; unwanted characters
  o Batch controls
  o Error handling: batch rejection; transaction rejection; request re-input
- Processing Controls
  o Editing
  o Calculations
  o Run-to-run totals
  o Limit checking
  o Batch totals
  o Manual recalculation
  o Reconciliation
  o Hash values
  o Data file controls: data file security; error handling; internal and external labeling; data file version; source files; transaction logs; processing errors
- Output Controls
  o Controlling special forms
  o Report distribution and receipt
  o Reconciliation
  o Retention
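The input, batch and processing controls listed above, applied to a constructed batch of financial transactions. This is an added example, not code from the CISA summary. Its assumptions: transactions are dicts with account, amount, type and memo fields; the check digit scheme is Luhn (mod-10), one common choice the page does not name; the hash total is the sum of the account numbers, a non-monetary field summed purely to detect substituted or dropped records; and the run-to-run total is an opening balance carried into the batch and a closing balance carried out of it. Batch-level mismatches reject the whole batch, while a single failed input validation rejects only that transaction.

```python
"""Input, batch and processing controls over a constructed transaction batch.

Added example, not from the CISA summary. Assumptions: dict transactions with
account/amount/type/memo; Luhn (mod-10) as the check digit scheme; hash total =
sum of account numbers; run-to-run total = opening balance carried forward.
"""
import re
from decimal import Decimal, InvalidOperation

ALLOWED_MEMO = re.compile(r"^[A-Za-z0-9 .,'-]*$")   # unwanted-characters control
TRANSACTION_TYPES = {"DEBIT", "CREDIT", "REFUND"}


def luhn_ok(number: str) -> bool:
    """Check digit control (Luhn mod-10, assumed scheme)."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_transaction(tx: dict, known_accounts, limit=Decimal("10000")) -> list:
    """Input validation: returns the list of failed controls (empty means accept)."""
    errors = []
    for field in ("account", "amount", "type", "memo"):   # existence of each field
        if field not in tx:
            errors.append(f"existence:{field}")
    if errors:
        return errors
    try:                                                  # type checking
        amount = Decimal(str(tx["amount"]))
    except InvalidOperation:
        return ["type:amount"]
    if amount <= 0:                                       # range and value checking
        errors.append("range:amount")
    elif amount > limit:                                  # limit checking
        errors.append("limit:amount")
    acct = str(tx["account"])
    if not 8 <= len(acct) <= 19:                          # length
        errors.append("length:account")
    elif not luhn_ok(acct):                               # check digit
        errors.append("checkdigit:account")
    elif acct not in known_accounts:                      # existence of the referenced account
        errors.append("existence:account")
    if tx["type"] not in TRANSACTION_TYPES:               # value checking
        errors.append("value:type")
    elif tx["type"] == "REFUND" and not tx["memo"]:       # consistency between fields
        errors.append("consistency:memo")
    if not ALLOWED_MEMO.match(str(tx["memo"])):           # unwanted characters
        errors.append("chars:memo")
    return errors


def _amount_or_zero(tx):
    try:
        return Decimal(str(tx.get("amount", "0")))
    except InvalidOperation:
        return Decimal("0")


def process_batch(header: dict, transactions: list, known_accounts) -> dict:
    """Batch controls first (whole batch rejected on mismatch), then per-transaction
    validation (only the bad transaction rejected), carrying a run-to-run total."""
    computed = {
        "record_count": len(transactions),
        "amount_total": sum((_amount_or_zero(t) for t in transactions), Decimal("0")),
        "hash_total": sum(int(str(t.get("account", "0")))
                          for t in transactions if str(t.get("account", "")).isdigit()),
    }
    mismatched = [k for k in computed if computed[k] != header[k]]
    if mismatched:
        return {"status": "batch_rejected", "mismatched": mismatched, "computed": computed}

    accepted, rejected = [], []
    running = Decimal(str(header["opening_total"]))      # run-to-run total carried in
    for tx in transactions:
        errors = validate_transaction(tx, known_accounts)
        if errors:
            rejected.append((tx, errors))                 # transaction rejection; re-input requested
        else:
            accepted.append(tx)
            running += Decimal(str(tx["amount"]))
    return {"status": "processed", "accepted": accepted, "rejected": rejected,
            "closing_total": running}                     # carried forward to the next run


# Constructed sample batch: three valid transactions and one with a bad check digit.
KNOWN_ACCOUNTS = {"79927398713", "49927398716", "1234567812345670"}
TRANSACTIONS = [
    {"account": "79927398713", "amount": "250.00", "type": "DEBIT", "memo": "Invoice 1001"},
    {"account": "49927398716", "amount": "1200.50", "type": "CREDIT", "memo": "Payment"},
    {"account": "1234567812345670", "amount": "75.25", "type": "REFUND", "memo": "Returned goods"},
    {"account": "49927398717", "amount": "10.00", "type": "DEBIT", "memo": "Fee"},
]
HEADER = {  # control totals prepared when the batch was created
    "record_count": 4,
    "amount_total": Decimal("1535.75"),
    "hash_total": 79927398713 + 49927398716 + 1234567812345670 + 49927398717,
    "opening_total": Decimal("10000.00"),
}

if __name__ == "__main__":
    result = process_batch(HEADER, TRANSACTIONS, KNOWN_ACCOUNTS)
    print(result["status"], "accepted:", len(result["accepted"]),
          "rejected:", [(t["account"], e) for t, e in result["rejected"]],
          "closing total:", result["closing_total"])
    short = dict(HEADER, record_count=5)                  # header claims a record that never arrived
    print(process_batch(short, TRANSACTIONS, KNOWN_ACCOUNTS)["status"])
```

Note the ordering: the batch totals are computed over every record received, including the one that later fails validation, because they exist to prove the batch arrived intact, not that its contents are valid. Validation then works record by record, and the closing run-to-run total only includes what was actually posted.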
AUDITING THE SOFTWARE DEVELOPMENT LIFE CYCLE

- Auditing Software Acquisition
- Auditing Project Management
- Auditing the Feasibility Study
- Auditing Requirements
- Auditing Design
- Auditing Development
- Auditing Implementation
- Auditing Post-Implementation
- Auditing Change Management
- Auditing Configuration Management

AUDITING BUSINESS CONTROLS

Identify the key processes in an organization and understand the controls that are in place, or that should be in place, to govern the integrity of those processes.

AUDITING APPLICATION CONTROLS

- Transaction Flow
- Observations
- Data Integrity Testing: used to confirm whether an application properly accepts, processes, and stores information
- Testing Online Processing Systems
- Auditing Applications
- Continuous Auditing: several techniques are available to perform online auditing:
Domain 4 – IT Service Delivery & Infrastructure

IT organizations are effective if their operations are effective. IT organizations are service organizations: they exist to serve the organization and support its business processes.

INFORMATION SYSTEMS OPERATIONS

- Management and control of operations
  o Processes and procedures
  o Standards
  o Resource allocation
  o Process management
- IT Service Management (ITSM)
  o Service desk
  o Incident management
  o Problem management
  o Change management
  o Configuration management
  o Release management: ITIL's term for the SDLC as applied to changes in a system, such as incident and problem resolution, enhancements, and subsystem patches and changes
  o Service-level management
  o Financial management
  o Capacity management: periodic measurements; considering planned changes; understanding long-term strategies; changes in technology
  o Service continuity management
  o Availability management: effective change management; effective application testing; resilient architecture; serviceable components
- Infrastructure Operations
  o Running scheduled jobs
  o Restarting failed jobs and processes
  o Facilitating backup jobs
  o Monitoring systems, applications and networks
- Software Program Library Management: a system used to store and manage access to an organization's application source and object code
  o Access and authorization controls
  o Program checkout
  o Program check-in
  o Version control
  o Code analysis
- Quality Assurance
- Security Management
  o Policies, procedures, processes, and standards
  o Risk assessments
  o Impact analysis
  o Vulnerability management

INFORMATION SYSTEMS HARDWARE

- Computer usage
  o Types: supercomputer, mainframe, midrange, server, desktop, laptop, mobile
  o Uses: application server, web server, file server, database server, print server, test server, thin client, thick client, workstation
- Computer architecture
  o CPU: CISC (Complex Instruction Set Computer), RISC (Reduced Instruction Set Computer); single-processor, multi-processor
  o Bus: PCI, PC Card, MBus, SBus
  o Main storage
  o Secondary storage: program storage, data storage, temporary files, OS, virtual memory
  o Firmware: Flash, EPROM, PROM, ROM, EEPROM
  o I/O and networking
  o Multi-computer: blade computers, grid computing, server clusters, virtual servers
- Hardware maintenance
- Hardware monitoring

INFORMATION SYSTEMS ARCHITECTURE AND SOFTWARE

- Computer Operating Systems
  o Access to peripherals
  o Storage management
  o Process management
  o Resource allocation
  o Communication
  o Security
  o OS virtualization
  o Clustering: using special software
  o Grid computing: a form of distributed computing
  o Cloud computing: dynamically scalable and usually virtualized
- Data Communication Software
- File Systems: directories and files; FAT, NTFS, HFS (Hierarchical File System), ISO 9660 (CD-ROM, DVD), UDF (Universal Disk Format)
- Database Management Systems
  o Relational DBMS (rDBMS): primary key, one or more indexes, referential integrity, encryption, audit logging, access controls
  o Object DBMS (ODBMS): data represented as objects; the data and the programming methods are contained in an object
  o Hierarchical database: top-down
- Media Management Systems: tape management systems (TMS) or disk management systems (DMS)
- Utility software
  o Software and data design
  o Software development
  o Software testing
  o Security testing
  o Data management
  o System health
  o Network

NETWORK INFRASTRUCTURE

- Network Architecture
  o Physical network architecture
  o Logical network architecture
  o Data flow architecture
  o Network standards and services
- Types of networks
  o Personal Area Network (PAN): up to about 3 meters; used to connect peripherals for use by an individual
  o Local Area Network (LAN)
  o Campus Area Network (CAN)
  o Metropolitan Area Network (MAN)
  o Wide Area Network (WAN)
- Network-based Services: email, print, file storage, remote access, directory, terminal emulation, time synchronization, network authentication, web security, anti-malware, network management
- Network Models
  o OSI: Application, Presentation, Session, Transport, Network, Data link, Physical
  o TCP/IP: Link, Internet, Transport, Application
- Network Technologies
  o LAN
    - Physical topology: Star, Ring, Bus