WIXLIB

Certified InformationSystems Auditor (CISA )Cert Guide Michael GreggRob Johnson800 East 96th StreetIndianapolis, Indiana 46240 USA

Certified Information Systems Auditor (CISA ) Cert GuideCopyright 2018 by Pearson Education, Inc.Editor-in-ChiefMark TaubAll rights reserved. No part of this book shall be reproduced, stored ina retrieval system, or transmitted by any means, electronic, mechanical,photocopying, recording, or otherwise, without written permission fromthe publisher. No patent liability is assumed with respect to the use of theinformation contained herein. Although every precaution has been taken inthe preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damagesresulting from the use of the information contained herein.Product Line ManagerBrett BartowISBN-13: 978-0-7897-5844-6ISBN-10: 0-7897-5844-XManaging EditorSandra SchroderLibrary of Congress Control Number: 2017950730Printed in the United States of America117Development EditorEllie C. BruProject EditorMandie FrankCopy EditorKitty WilsonTrademarksAll terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Pearson IT Certificationcannot attest to the accuracy of this information. Use of a term in this bookshould not be regarded as affecting the validity of any trademark or servicemark. Acquisitions EditorMichelle Newcomb IndexerKen JohnsonProofreaderThe Wordsmithery LLC CISA , ISACA , and COBIT are registered trademarks of theInformation Systems Audit and Control Association.Technical EditorChris CraytonWarning and DisclaimerPublishing CoordinatorVanessa EvansEvery effort has been made to make this book as complete and as accurateas possible, but no warranty or fitness is implied. The information providedis on an “as is” basis. The authors and the publisher shall have neitherliability nor responsibility to any person or entity with respect to any lossor damages arising from the information contained in this book.Special SalesFor information about buying this title in bulk quantities, or for specialsales opportunities (which may include electronic versions; custom coverdesigns; and content particular to your business, training goals, marketingfocus, or branding interests), please contact our corporate sales departmentat corpsales@pearsoned.com or (800) 382-3419.For government sales inquiries, please contact governmentsales@pearsoned.com.For questions about sales outside the U.S., please contact intlcs@pearson.com.DesignerChuti PrasertsithCompositorTricia Bronkella

Contents at a GlanceIntroductionxxiiiCHAPTER 1The CISA CertificationCHAPTER 2The Information Systems AuditCHAPTER 3The Role of IT GovernanceCHAPTER 4Maintaining Critical ServicesCHAPTER 5Information Systems Acquisition and DevelopmentCHAPTER 6Auditing and Understanding System ControlsCHAPTER 7Systems Maintenance and Service ManagementCHAPTER 8Protection of AssetsCHAPTER 9Asset Threats, Response, and ManagementCHAPTER 10 Final PreparationGLOSSARYAPPENDIX A32371137181231269333387437445Answers to the “Do I Know This Already” Quizzes and ReviewQuestions 467Index484Online Elements:APPENDIX B Memory TablesAPPENDIX C Memory Tables Answer Key

Table of ContentsIntroductionChapter 1xxiiiThe CISA Certification 3Exam Intent 3Why the CISA Certification Is So Important 4CISA: The Gold Standard 5Exam Requirements 6CISA Exam Windows 6Scheduling to Take the Exam 7Deadline to Apply for the CISA Certification 7ISACA Agreements 9CISA Exam Domains 10Question Format and Grading 13Exam Grading 13Exam Questions 14Getting Exam Results and Retests 15Maintaining CISA Certification 16Reporting CPE Hours Earned 16Earning CPE Hours 17Top 10 Tips and Tricks 18Chapter Summary 19Define Key Terms 20Suggested Readings and Resources 20Chapter 2The Information Systems Audit 23“Do I Know This Already?” Quiz 23Foundation Topics 27Skills and Knowledge Required to Be an IS Auditor 27Work-Related Skills 27Knowledge of Ethical Standards 28

ISACA Standards, Procedures, Guidelines, and Baselines 31Knowledge of Regulatory Standards 35Guidance Documents 36Auditing Compliance with Regulatory Standards 38Knowledge of Business Processes 38Types of Audits 39Risk Assessment Concepts 40Risk Management 43Auditing and the Use of Internal Controls 45The Auditing Life Cycle 47Audit Methodology 47The Auditing Life Cycle Steps 48Chain of Custody and Evidence Handling 49Automated Work Papers 50CAATs51Audit Closing 52Report Writing 53The Control Self-Assessment Process 54Continuous Monitoring 55Quality Assurance 56The Challenges of Audits 57Communicating Results 57Negotiation and the Art of Handling Conflicts 58Chapter Summary 59Exam Preparation Tasks 60Review All the Key Topics 60Complete Tables from Memory 61Define Key Terms 61Exercises 612.1 Network Inventory 61Review Questions 64Suggested Readings and Resources 68

viCertified Information Systems Auditor (CISA) Cert GuideChapter 3The Role of IT Governance 71“Do I Know This Already?” Quiz 71Foundation Topics 75The IT Steering Committee 75Corporate Structure 77IT Governance Frameworks 77COBITITIL7878COBIT Versus ITIL 79Enterprise Risk Management 80The Risk Management Team 81Asset Identification 82Threat Identification 82Quantitative Risk Assessment 84Qualitative Risk Assessment 86The Three Lines of Defense Model 87Policy Development 90Policy 91Policy, Standards, Procedures, and Baselines 92Auditing Policies, Standards, Procedures, and Baselines 93Data Classification 96Security Policy 98Management Practices of Employees 100Forced Vacations, Rotation of Assignments, and Dual Control 102Separation Events 102Roles and Responsibilities 103Segregation of Duties (SoD) 105Compensating Controls 106Key Employee Controls 106Performance Management 107Key Performance Terms 108

ContentsManagement and Control Frameworks 110Enterprise Architecture 111Change Management 113Quality Management 113Maturity Models 116Implementing a Maturity Model 118Management’s Role in Compliance 119Process Optimization Techniques 121TaguchiPDCA122123Taguchi Versus PDCA 124Management of IT Suppliers 125Third-Party Outsourcing 125Third-Party Audits 126Contract Management 127Performance Monitoring 128Relationship Management 129Chapter Summary 130Exam Preparation Tasks 130Review All the Key Topics 130Complete Tables from Memory 131Key Terms 131Exercises 1323.1 Determining the steps for quantitative risk assessment 132Review Questions 133Suggested Readings and Resources 135Chapter 4Maintaining Critical Services 137“Do I Know This Already?” Quiz 137Foundation Topics 140Threats to Business Operations 140The Business Continuity Planning (BCP) Process 142Project Management and Initiation 143Business Impact Analysis 144Criticality Analysis 147Development and Recovery Strategy 149vii

viiiCertified Information Systems Auditor (CISA) Cert GuideFinal Plan Design and Implementation 151Training and Awareness 152Implementation and Testing 153Paper Tests 155Preparedness Tests 155Full Operation Tests 156Monitoring and Maintenance 156Understanding BCP Metrics 157Recovery Strategies 159Alternate Processing Sites 159Alternate Processing Options 160Hardware Recovery 163Redundant Array of Independent Disks 164Software and Data Recovery 165Backup and Restoration 167Telecommunications Recovery 169Verification of Disaster Recovery and Business Continuity ProcessTasks 170The Disaster Life Cycle 172Chapter Summary 174Exam Preparation Tasks 174Review All the Key Topics 175Define Key Terms 175Exercises 1754.1 Business Impact and Risk 175Review Questions 177Suggested Readings and Resources 179Chapter 5Information Systems Acquisition and Development 181“Do I Know This Already?” Quiz 181Foundation Topics 185IT Acquisition and Project Management 185IT Acquisition 185Software Escrow Agreements 185Software Licensing 185

ContentsProject Management 187Roles, Responsibility, and Structure of Project Management 188Project Culture and Objectives 189Making the Business Case for Investment 190Return on Investment 191Project Management Activities and Practices 192Project Initiation 193Project Planning 193Project Control and Execution 199Project Closing 199Business Application Development 200Systems-Development Methodology 200Phase 1: Initiation phase 202Phase 2: Development 204Phase 3: Implementation 208Phase 4: Operation and Maintenance 210Phase 5: Disposal 211Tools and Methods for Software Development 212Information Systems Maintenance 213Outsourcing and Alternative System Development 214Cloud Computing 216Cloud Threats 218Application-Development Approaches 219N-tier220Virtualization 221Chapter Summary 222Exam Preparation Tasks 223Review All the Key Topics 223Complete Tables from Memory 223Define Key Terms 224Exercises 2245.1 Project Management 2245.2 Project Management 225Review Questions 226Suggested Readings and Resources 229ix

xCertified Information Systems Auditor (CISA) Cert GuideChapter 6Auditing and Understanding System Controls 231“Do I Know This Already?” Quiz 231Foundation Topics 235Audit Universe and Application Auditing 235Programmed and Manual Application Controls 236Business Process Controls 237Input Controls 237Processing Controls 239Data File Controls 241Output Controls 242Auditing Application Controls 243Understanding the Application 243Observation and Testing 244Data Integrity Controls 245Application System Testing 246Continuous Online Auditing 247Auditing Systems Development, Acquisition, and Maintenance 249Project Management 250Business Application Systems 252E-commerce 253Electronic Data Interchange 254Email255Business Intelligence 256Decision Support Systems 257Artificial Intelligence and Expert Systems 258Customer Relationship Management 258Supply Chain Management 259Social Media 260Chapter Summary 260Exam Preparation Tasks 261Review All the Key Topics 261Define Key Terms 262

ContentsExercises 2626-1 Software Application Audit 262Review Questions 263Suggested Readings and Resources 266Chapter 7Systems Maintenance and Service Management 269“Do I Know This Already?” Quiz 269Foundation Topics 273Service Management Frameworks 273COBITFitSM273274ISO 20000 274eTOM275Fundamental Technologies 275Operating Systems 275Secondary Storage 277Utility Software 277Database-Management Systems 278Database Structure 279Software Licensing Issues 282Digital Rights Management 283Network Infrastructure 283Network Types 284Network Standards and Protocols 285The OSI Reference Model 286The Application Layer 287The Presentation Layer 287The Session Layer 288The Transport Layer 288The Network Layer 288The Data Link Layer 289The Physical Layer 289Network Services and Applications 290xi

xiiCertified Information Systems Auditor (CISA) Cert GuideComparing the OSI Model to the TCP/IP Model 292The Network Access Layer 292The Internet Layer 293The Host-to-Host/Transport Layer 295The Application Layer 296Network Services 297Wireless Technologies 298Bluetooth298802.11 Wireless 299Smartphones, Tablets, and Hotspots 302Network Equipment 303Edge Devices 306DMZ306Firewalls 306Firewall Configuration 308IDS/IPS310Wide Area Networks 312Packet Switching 312Circuit Switching 313Capacity Planning and Systems Performance Monitoring 314Network Analyzers 316System Utilization and Load Balancing 317Third Parties and Cloud Providers 318Network Design 318Network Cabling 320Chapter Summary 323Exam Preparation Tasks 324Review All the Key Topics 324Define Key Terms 324Exercises 3257.1 Organizing Network Components 325Review Questions 328Suggested Readings and Resources 331