CISA EXAM PREP COURSE: SUPPLEMENT

Transcription

1 Table of Contents Study Tips... 1 Key Concept Review Additional Details... 2 Chapter Chapter Chapter Chapter Chapter Audit Work Program ISACA. All Rights Reserved. 0

2 Study Tips 1. The CISA Review Manual is one helpful resource in preparing for your exam. a. Pay attention to the Task and Knowledge Statements as test questions are based on one task and associated with one knowledge statement. b. Section One also provides tables with explanations of the knowledge statements. Read these reference tables, and if the topic is not familiar to you, read the corresponding section in the book. c. The Quick Reference Guide in Section Two also provides a quick overview of the chapter content, which can help you to better focus your study efforts. 2. The ISACA glossary ( is another reference you may find useful for reviewing topics and concepts. The CISA Review Manual also contains a more focused glossary of terms pertinent to the CISA. 3. Work through the practice questions: a. A helpful approach to these questions includes the following: i. Read the entire stem and determine what the question is asking. Look for key words such as "BEST," "MOST," "FIRST," etc., and key terms that may indicate what domain or concept that is being tested. ii. Read all of the options, and then read the stem again to see if you can eliminate any of the options based on your immediate understanding of the question. iii. Re-read the remaining options and bring in any personal experience to determine which is the best answer to the question. 4. Watch the action verbs in the answers like verify, ensure, conduct, asset, implement, approve, initiate. Based on the audience, select the verb that best describes what they subject in the question would do. 5. Be familiar with roles and responsibilities related to IS audit. For example: the auditor provides reasonable assurance of the effectiveness of controls and governance is accountable. 6. Other ISACA sources to assist in your studies: a. COBIT 5 b. ITAF c. Audit and Assurance Programs d. Additional Test Questions i. CISA Review Questions, Answers and Explanations Manual 11 th Edition* ii. CISA Review Questions, Answers and Explanations Database 12 month subscription* *Note: The CISA Review QAE Manual and CISA Review QAE Database contain the same questions. If you are interested in purchasing these products, you will only need to select one. 1

3 Key Concept Review Additional Details Chapter 1 1. Control objective concepts include: a. Effectiveness b. Efficiency c. Confidentiality d. Integrity e. Availability f. Compliance g. Reliability 2. Annual audit risk assessment should start with understanding companies organizational structure, mission and strategic plan a. Organization, including structure b. Mission c. Strategic plan 3. Annual audit risk assessment for planning development a. As the COSO Internal Control Integrated Framework (2013) states, risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. b. IIA Professional Practices Framework (requirement to do the checklist) c. Goals for assessment (only ask open-ended questions and immediately ask follow-up questions of clarification is needed) d. Gather company s missions, goals and strategic and tactical objectives e. Gain understanding of company s risk appetite and tolerance as well as corporate culture toward risk f. Gain a detailed perspective of management concerns and opinions (toward both current processes, technology, regulations and toward meeting G&O) g. Seek understanding of process including up and down stream factors (SIPOC) h. Discuss state of exceptions related audit, incident management, disaster recovery and self-assessment findings i. Look for and document inconsistencies and one-offs between interviewees j. Analyze results and seek clarification where necessary (and validate with interviewee s all conclusions before presenting results) k. Identify vulnerabilities and threats (and loss events/risks) from discussions and loss data/analytics (including risk register, prior findings, service management, selfassessment, incident management and disaster recovery reports) l. Rank and classify risk m. Map the risk to the organizational objectives n. Map the results to proposed audit engagements to determine the risk-based audit plan and determine engagement priorities o. Build/enhance individual audit scope and objectives to address RA results along with regulatory, internal control and/or technology changes. 4. Laws and regulations relating to the organization (Note: The candidate will not be tested on specific laws or regulations): a. Security Act of 1933 b. Security Exchange Act of 1934 c. Trust Indenture Act of

4 d. Investment Company Act of 1940 e. Investment Advisors Act of 1940 f. Williams Act of 1968 g. GLBA Act of 1999 h. Fair and Accurate Credit Transaction Act of 2003 i. Credit Rating Agency Reform Act of 2006 j. Dodd Frank Wall Street Reform and Consumer Protection Act of 2010 k. Volcker Rule 2012 l. Jumpstart our Business Startups Jobs Act of 2012 m. OCIE Cybersecurity Initiative 5. Controls a. Controls should be designed based on documented control objectives and should be placed at control points b. Control classifications/categories i. Preventive invalid password lockout ii. Detective audit trail/logs iii. Corrective attribute masking or required field validation before saving iv. Compensating challenge phrase, avatar v. Deterrent warning banner vi. Directive policy c. Interdependencies: i. A threat creates a threat event that exploits a vulnerability, which results in an impact ii. A compensating control reduces the likelihood iii. A corrective control decrease the impact iv. A deterrent control reduces the likelihood v. A detective control discovers a threat event (and can trigger a preventive control) d. Control methods i. Technical encryption, single sign-on ii. Non-technical policy, standard operation procedure iii. Physical lock e. Control locations i. Network ii. Application iii. Database iv. Operating systems v. Platform vi. Physical f. Control rationalization g. Controls in depth example: Gartner 5 Styles of Advanced Threat Defense Framework h. When thinking about control effectiveness as well as risk, consider the impact of cascading and coincidental events. 6. Audit phases a. Audit subject area to audit b. Audit scope system, function, unit, process(es) included in review c. Pre-audit planning ID skills, info and venues d. Audit procedure and steps for data gathering ID approach, people, process and artifacts e. Procedures for evaluating test/review results f. Procedures for communicating with management 3

5 g. Audit report prep 7. Computer aided audit tools (CAATs) a. Common tools: TopCAATS (add-on to Excel), Excel, Access, ACL, IDEA 8. Risk-based audit approach a. Step 1: Gather and Plan i. Business info 1. Mission 2. Strategy ii. Prior audit info iii. Financial info iv. Regulatory info v. RA inherent results b. Step 2: Internal Controls Review i. IC environment ii. IC processes iii. RA (detection) iv. Control risk assessment v. Total risk calculation c. Step 3: Perform Compliance Testing i. ID key controls ii. Test reliability, prevention, adherence to policy/process d. Step 4: Perform Substantive Testing i. Review analytical procedures ii. Review account balances iii. Procedures testing for compliance e. Step 5: Conduct Audit i. Recommendation ii. Audit report 9. Risk-based auditing a. Helps determine nature and extent of testing b. Drives audit schedule c. Helps develop and improve continuous audit process d. Looks at risk, internal operational controls and nature of business knowledge e. Related cost-benefit analysis to known risk f. Risk model creates weights by risk type, nature of business and risk significance 10. Risk treatment a. In order to make a risk acceptable consider: i. Requirements and constraints laws and regulations ii. Organizational objectives iii. Operational requirements and constraints iv. Cost effectiveness 11. RBA a. Risk rating methods i. Scorings 1. Technical complexity 2. Financial loss 3. Regulatory impact 4. Speed to market 5. Type and effectiveness of control 4

6 ii. Judgmental 1. Business knowledge 2. Executive management directives 3. Historical perspective 4. Business goals 5. Environmental factors 12. Objectives a. Audit objective specific goals that must be accomplished during audit engagement b. Control objective describes how an internal control should function 5

7 Chapter 2 1. Risk Culture a. Behavior toward taking risk i. Conservative risk adverse ii. Aggressive risk taking b. Behavior toward policy compliance i. Compliance ii. Non-compliance c. Behavior toward negative outcomes i. Learning culture ii. Blaming culture 2. Risk factors a. External environment i. Market ii. Rate of change iii. Industry/competition iv. Geopolitical situation v. Regulatory environment vi. Technology status and evolution b. Internal environment i. Strategic importance of IT for the entity ii. Operational importance of IT for the entity iii. Complexity of IT iv. Complexity of organization v. Degree of change vi. Change management capability vii. Risk management philosophy and values viii. Risk appetite of the entity ix. Operating model c. Risk management capability i. Risk governance ii. Risk evaluation iii. Risk response d. IT capability i. Plan and organize ii. Acquire and implement iii. Deliver and support iv. Monitor and evaluate e. IT-related business capabilities i. Value governance ii. Program management iii. Investment management 3. Risk scenarios a. Actors b. Threat type c. Event d. Asset/resource e. Time 4. Quality management 6

8 a. Quality standards assist in making operational environment: i. Predictable ii. Repeatable iii. Certifiable 5. QA vs. QC a. Quality assurance develops and trains on the QA process and own the SDLC document b. Quality control perform reviews to make sure software meets user requirements 6. Insurance a. Policies need to be reviewed whenever an organization changes technology or services delivery offerings to ensure coverage is still correct. The policy should be carefully reviewed at or renew too. b. Additional IT related policies are: i. Data breach ii. Technical errors and omissions iii. Media liability iv. Intellectual property infringement v. Data protection vi. Cyber liability vii. Ocean marine viii. Inland marine 7

9 Chapter 3 1. Business realization of projects a. Portfolio/program management i. Group of projects and time bound tasks closely linked with common objectives, schedule and strategy b. Business case development i. Provides information for go/no go decisions c. Factors to consider include: i. Cost ii. Quality iii. Development and delivery time iv. Reliability v. Dependability d. Consider evaluating these factors for strengths and weakness for each proposed solution 2. Project content and environment a. These are points to consider 3. Project management practices a. Along with project planning are: i. Project control 1. Scope management 2. Resource management 3. Risk management ii. Project closure 4. Traditional SDLC a. Note that phases 3 and 4 have differing steps whether acquiring software of designing it in-house 5. Control objectives 6. These are the control objectives for auditing program changes 8

10 Chapter 4 1. IT service management a. Change/release b. Problem c. Incident d. Configuration e. Also includes: i. Knowledge ii. Asset 2. Common networks a. Also includes personal area networks 3. OSI a. Application layer application interfaces b. Presentation layer encryption/data conversion c. Session layer establish and terminates connections d. Transport layer transfers data e. Network layer creates virtual circuit f. Data link layer provides data transfer on physical link g. Physical layer provide HW to connect (cables, cards) h. Some sources have added three additional layers: i. Individual ii. Organization iii. Government or legal compliance 4. Remote access a. Ask how business partners are managed i. Process to grant access ii. Entitlement process iii. Process to remove access 5. Digital certificates a. Ask about how certificates are managed i. Who owns relationship with certificate provider ii. Where are certs stored iii. How are certs revoked early iv. How are certs updated when they are about to expire v. How are expiration dates managed 9

11 Chapter 5 1. Key elements of information security management Sr. leadership commitment/support important to implementation and continued success for ISM Policies and procedures framework established by top mgmt with gov t body approval. This is followed by standard minimum security baseline, measurement criteria and methods and specific guidelines, practices and procedures. Organization security roles and responsibilities Security awareness and education training and regular updates to foster awareness for employees and third parties through policy and procedure updates; information security training; certification programs; policy acknowledgements by staff; visible enforcement; simulated exercises; standard communications via approved company communication channels Monitoring and compliance audit assessment of information security program effectiveness Incident handling and response event adversely affecting processing/computer usage (virus/intrusion) 2. Data classification of information assets (IA) As a control measure defines o Importance o IA owner o Access granting process o Access approver o Extent and depth of security controls 3. Inventory record for each information asset should contain o Asset identification o Asset value (to organization, not necessary monetary/depreciation based) o Implications if asset out of order or rendered useless o Recovery priority if asset out of order o Asset location o Assets security classification o Assets risk classification o Asset group it is associated too o Asset owner o Asset data and/or physical custodian 4. Security should be built as layers: Tangible layers include: o Layer 1 perimeter devices o Layer 2 config of perimeter devices o Layer 3 security monitoring IDS/IPS solutions o Layer 4 enterprise devices o Layer 5 config of enterprise devices o Layer 6 authentication tools and techniques Intangible layers o Security awareness and training o Management support for security issues Logical security layers o Network o Platform (OS) 10

12 o Databases o Applications 5. Access controls (N/A) Mandatory access controls (MACs) are logical access controls that validate access credentials Discretionary access controls (DACs) are configured and modified by data and system owners. 6. Data classification of information assets a. These are the items to be defined in each entry as a control measure i. Also include the importance of the IA 7. Inventory in IAs a. This is the information that should be captured at a minimal for each IA 8. Privacy issues a. All IT policies dealing with data should contain a clause regarding privacy considerations/requirements. This should also be reiterated in related procedures and standards 9. Likely perpetrators a. Hackivists 10. About SIEM a. Ask for the business case used when SIEM was purchased b. Ask if adding the logs and rules are a part of device hardening and then have them show where recent devices were added with and without rule base (conditional) reporting/alerting c. Ask which of the following functions they use SIEM for: i. Access discovery ii. Vulnerability assessments iii. Network analysis iv. WIDS v. HIDS vi. NIDS vii. File integrity checking viii. Log management d. Ask if SIEM auto detects and if so, does subnet need to be added first 11. Ask about protections against advanced persistent threats: a. What tools and process are implemented or in plans for: i. Network threat analysis ii. Network forensic iii. Payload analysis iv. End point behavior analysis v. End point forensics 11

13 Audit Work Program For more information and detailed program example: Audit-Assurance-Program.aspx Audit-Assurance-Program1.aspx Audit-Assurance-Program.aspx 12