
CISA – Certified Information Systems Auditor Study Guide
Aligned with the CISA Review Manual 2019 to help you audit, monitor, and assess information systems

Hemang Doshi

BIRMINGHAM - MUMBAI

CISA – Certified Information Systems Auditor Study Guide

Copyright 2020 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Acquisition Editor: Karan Gupta
Content Development Editor: Kinnari Chohan
Senior Editor: Rohit Singh
Technical Editor: Pradeep Sahu
Copy Editor: Safis Editing
Project Coordinator: Deeksha Thakkar
Proofreader: Safis Editing
Indexer: Manju Arasan
Production Designer: Aparna Bhagat

First published: August 2020
Production reference: 1210820

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.

ISBN 978-1-83898-958-3

www.packt.com

To my mother, Jyoti Doshi, and to the memory of my father, Hasmukh Doshi, for their sacrifices and for exemplifying the power of determination.

To my wife, Namrata Doshi, for being my loving partner throughout our life journey together, and to my 6-year-old daughter, Jia Doshi, for allowing me to write this book.

To my sister, Pooja Shah, my brother-in-law, Hiren Shah, and my nephew, Phenil Shah, for their love, support, and inspiration.

To my in-laws, Chandrakant Shah, Bharti Shah, and Ravish Shah, for their love and motivation.

To my mentor and guide, Dipak Mazumder, for showing me how talent and creativity evolve.

– Hemang Doshi


Contributors

About the author

Hemang Doshi is a chartered accountant and a Certified Information System Auditor with more than 15 years' experience in the field of IS auditing/risk-based auditing/compliance auditing/vendor risk management/due diligence/system risk and control. He is the founder of www.cisaexamstudy.com and www.criscexamstudy.com, dedicated platforms for CISA and CRISC study, respectively. He has also authored other books on auditing.

I wish to thank those people who have been close to me and supported me, especially my wife, Namrata, and my parents.

About the reviewer

Gokhan Polat works in the consulting department of EY Turkey and, in addition to implementing business development activities for technology services, he has also managed projects on cybersecurity assessments and data privacy consultancy. Previously, he created an internal audit department at Bakirkoy Municipality and headed up this department for 3 years. He also has 14 years' experience in the Turkish Armed Forces as an officer involved in various assignments with multinational teams.

As a risk management professional, he has CISSP, CISA, CRISC, CDPSE, CIA, and CRMA qualifications, which bear testimony to his dedication to the profession. He has authored articles that have been published in the internal auditing magazine of IIA Turkey and the ISACA journal of ISACA Global. Currently, he is a member of the ISACA Istanbul Chapter and sits on the board of CSA Turkey.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Preface

Section 1: Information System Auditing Process

Chapter 1: Audit Planning
  The content of an audit charter
    Key aspects from CISA exam perspective
    Self-evaluation questions
  Audit planning
    Benefits of audit planning
    Selection criteria
    Reviewing audit planning
    Individual audit assignments
    Key aspects from CISA exam perspective
    Self-evaluation questions
  Business process applications and controls
    E-commerce
    Electronic Data Interchange (EDI)
    Point of Sale (POS)
    Electronic banking
    Electronic funds transfer (EFT)
    Image processing
    Artificial intelligence and expert systems
    Key aspects from CISA exam perspective
    Self-evaluation questions
  Types of controls
    Preventive controls
    Detective controls
    Corrective controls
    Deterrent controls
    The difference between preventive and deterrent controls
    Compensating controls
    Control objectives
    Control measures
    Key aspects from CISA exam perspective
    Self-evaluation questions
  Risk-based audit planning
    What is risk?
    Understanding vulnerability and threat
    Understanding inherent risk and residual risk

    Advantages of risk-based audit planning
    Audit risk
    Risk-based auditing approach
    Risk assessments
    Risk response methodology
    Top-down and bottom-up approaches to policy development
    The top-down approach
    The bottom-up approach
    The best approach
    Key aspects from CISA exam perspective
    Self-evaluation questions
  Types of audit and assessment
    Self-evaluation questions
  Summary
  Assessments
    Content of the audit charter
    Audit planning
    Business process applications and controls
    Types of controls
    Risk-based audit planning
    Types of audit and assessment

Chapter 2: Audit Execution
  Audit project management
    Audit objectives
    Audit phases
    Fraud, irregularities, and illegal acts
    Key aspects from CISA exam perspective
    Self-assessment questions
  Sampling methodology
    Sampling types
    Sampling risk
    Other sampling terms
    The confidence coefficient
    Level of risk
    Expected error rate
    Tolerable error rate
    Sample mean
    Sample standard deviation
  Compliance versus substantive testing
    The difference between compliance testing vis-à-vis substantive testing
    Examples of compliance testing and substantive testing
    The relationship between compliance testing and substantive testing
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Audit evidence collection techniques
    Reliability of evidence

    Independence of the evidence provider
    Qualifications of the evidence provider
    Objectivity of the evidence
    Timing of the evidence
    Evidence gathering techniques
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Data analytics
    Examples of the effective use of data analytics
    CAATs
    Examples of the effective use of CAAT tools
    Precautions while using CAAT
    Continuous auditing and monitoring
    Continuous auditing techniques
    Integrated test facility
    System control audit review file
    Snapshot technique
    Audit hook
    Continuous and Intermittent Simulation
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Reporting and communication techniques
    Exit interview
    Audit reporting
    Audit report objectives
    Audit report structure
    Follow-up activities
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Control self-assessment
    Objectives of CSA
    Benefits of CSA
    Disadvantages of CSA
    An IS auditor's role in CSA
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Summary
  Assessments
    Audit project management
    Sampling methodology
    Audit evidence collection
    Data analytics
    Reporting and communication techniques
    Control self-assessment

Section 2: Governance and Management of IT

Chapter 3: IT Governance
  IT enterprise governance (EGIT)
    EGIT processes
    Difference between governance and management
    EGIT good practices
    Effective information security governance
    EGIT – success factors
    Key aspects from the CISA exam perspective
    Self-assessment questions
  IT-related frameworks
  IT standards, policies, and procedures
    Information security policy
    Content of the information security policy
    Information security policy users
    Information security policy audit
    Information security policy review
    Key aspects from CISA exam perspective
    Self-assessment questions
  Organizational structure
    Relationship between the IT strategy committee and the IT steering committee
    Differences between the IT strategy committee and the IT steering committee
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Enterprise architecture
    Enterprise security architecture
    Key aspects from CISA exam perspective
    Self-assessment questions
  Enterprise risk management
    Risk management process steps
    Risk analysis methods
    Risk treatment
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Maturity model
  Laws, regulations, and industry standards affecting the organization
    An IS auditor's role in determining adherence to laws and regulations
    Key aspects from the CISA exam perspective
    Self-assessment questions

  Summary
  Assessments
    IT enterprise governance
    IT standards, policies, and procedures
    Organizational structure
    Enterprise architecture
    Enterprise risk management
    Laws, regulations, and industry standards affecting the organization

Chapter 4: IT Management
  IT resource management
    Human resource management
    Hiring
    Training
    Scheduling and time reporting
    During employment
    Termination policies
    IT management practices
    Financial management practices
    Key aspects from CISA exam perspective
    Self-assessment questions
  IT service provider acquisition and management
    Evaluation criteria for outsourcing
    Steps for outsourcing
    Outsourcing – risk reduction options
    Provisions for outsourcing contracts
    Role of IS auditors in monitoring outsourced activities
    Globalization of IT functions
    Outsourcing and third-party audit reports
    Monitoring and review of third-party services
    Key aspects from CISA exam perspective
    Self-evaluation questions
  IT performance monitoring and reporting
    Steps for the development of performance metrics
    Effectiveness of performance metrics
    Tools and techniques
    Key aspects from CISA exam perspective
    Self-evaluation questions
  Quality assurance and quality management in IT
    Quality assurance
    Quality management
    Key aspects from CISA exam perspective
    Self-evaluation questions
  Summary
  Assessment answers
    IT resource management

    IT service provider acquisition and management
    IT performance monitoring and reporting
    Quality assurance and quality management in IT

Section 3: Information Systems Acquisition, Development, and Implementation

Chapter 5: Information Systems Acquisition and Development
  Project management structure
    Project roles and responsibilities
    Board of Directors
    IT strategy committee
    Project steering committee
    Project sponsor
    System development management
    Project cost estimation methods
    Software size estimation methods
    Project evaluation methods
    Critical path methodology
    Program Evaluation Review Technique (PERT)
    Earned Value Analysis
    Timebox management
    Project objectives, OBS, and WBS
    Role of the IS auditor in project management
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Business cases and feasibility analysis
    Business cases
    Feasibility analysis
    The IS auditor's role in business case development
    Self-assessment questions
  System development methodologies
    SDLC models
    Traditional waterfall
    V-shaped
    Iterative
    SDLC phases
    Phase 1 – Feasibility study
    Phase 2 – Requirements
    Phase 3 – Software selection and acquisition
    Phase 4 – Development
    Phase 5 – Testing and implementation
    Phase 6 – Post-implementation
    Software development methods
    Agile development
    Prototyping
    Rapid Application Development
    Object-Oriented System Development

    Component-based development
    Software engineering and reverse engineering
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Control identification and design
    Check digits
    Parity bits
    Checksums
    Forward error control
    Data integrity principles
    Limit checks
    Automated systems balancing
    Sequence checks
    Decision support systems
    Efficiency versus effectiveness
    Design and development
    Risk factors
    Decision trees
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Summary
  Assessments
    Project management structure
    The business case and feasibility analysis
    System development methodologies
    Control identification and design

Chapter 6: Information Systems Implementation
  Testing methodology
    Unit testing
    Integrated testing
    System testing
    Final acceptance testing
    Regression testing
    Sociability test
    Pilot testing
    Parallel testing
    White box testing
    Black box testing
    Alpha testing
    Beta testing
    Testing approach
    Testing phases
    Key aspects from the CISA exam perspective
    Self-assessment questions
  System migration
    Parallel changeover

    Phased changeover
    Abrupt changeover
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Post-implementation review
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Summary
  Assessments
    Testing methodology
    System migration
    Post-implementation review

Section 4: Information System Operations and Business Resilience

Chapter 7: Information System Operations
  Understanding common technology components
    The types of server
    USB
    USBs – Risks
    USBs – Security controls
    RFID
    RFID – Applications
    RFID – Risks
    RFID – Security controls
    Self-assessment questions
  IT asset management
    Self-assessment questions
  Job scheduling
    Self-assessment questions
  End user computing
    Self-assessment questions
  System performance management
    Nucleus (kernel) functions
    Utility programs
    Parameter setting for the operating system
    Registry
    Activity logging
    Software licensing issues
    Source code management
    Capacity management
    Key aspects from a CISA exam perspective
    Self-assessment questions
  Problem and incident management
    Network management tools

    Key aspects from a CISA exam perspective
    Self-assessment questions
  Change management, configuration management, and patch management
    Change management process
    Patch management
    Configuration management
    Emergency change management
    Backout process
    The effectiveness of a change management process
    Key aspects from a CISA exam perspective
    Self-assessment questions
  IT service level management
    Key aspects from the CISA exam perspective
    Self-evaluation questions
  Evaluating the database management process
    Advantages of database management
    Database structures
    Hierarchical database model
    Network database model
    Relational database model
    Object-oriented database model
    Database normalization
    Database checks and controls
    Segregation of duties
    Key aspects from a CISA exam perspective
    Self-assessment questions
  Summary
  Assessment
    Common technology components
    IT asset management
    Job scheduling
    End user computing
    System performance management
    Problem and incident management
    Change management, configuration management, and patch management
    IT service level management
    Database management

Chapter 8: Business Resilience
  Business impact analysis
    Key aspects from the perspective of the CISA exam
    Self-assessment questions
  Data backup and restoration
    Types of backup strategy
    Storage capacity for each backup scheme

    Restoration capability for each backup scheme
    Advantages and disadvantages of each scheme
    Key aspects from the perspective of the CISA exam
    Self-assessment questions
  System resiliency
    Application resiliency – clustering
    Telecommunication network resiliency
    Alternative routing
    Diverse routing
    Self-assessment questions
  Business continuity plan
    Steps of the BCP life cycle
    Content of the BCP
    Responsibility for declaring the disaster
    A Single Plan
    Backup procedure for critical operations
    The involvement of process owners in the BCP
    BCP and risk assessment
    Testing the BCP
    Key aspects from the perspective of the CISA exam
    Self-assessment questions
  Disaster recovery plan
    The BCP versus the DRP
    Relationship between the DRP and the BIA
    Costs associated with disaster recovery
    Data backup
    DRP of a third-party service provider
    Resilient information assets
    Service delivery objective
    Key aspects from the CISA exam perspective
    Self-assessment questions
  DRP – test methods
    Checklist review
    Structured walkthrough
    Tabletop test
    Simulation test
    Parallel test
    Full interruption test
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
    RTO
    RPO
    RTO and RPO for critical systems
    RTO and RPO and maintenance costs

    RTO, RPO, and disaster tolerance
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Alternate recovery site
    Mirrored site
    Hot site
    Warm site
    Cold site
    Mobile site
    Reciprocal agreement
    Self-assessment questions
  Summary
  Assessment
    Business impact analysis
    Data backup and restoration
    System resiliency
    Business continuity plan
    Disaster recovery plan
    DRP – test methods
    Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
    Alternate recovery site

Section 5: Protection of Information Assets

Chapter 9: Information Asset Security and Control
  Information asset security frameworks, standards, and guidelines
    Auditing the information security management framework
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Privacy principles
    Self-assessment questions
  Physical access and environmental controls
    Environmental controls
    Water and Smoke Detectors
    Fire suppression system
    Wet-based sprinkler (WBS)
    Dry pipe sprinkler
    Halon system
    Carbon dioxide systems
    Physical access control
    Bolting door locks
    Combination door locks (cipher locks)
    Electronic door locks
    Biometric door locks
    Deadman doors
    Identification badge
    CCTV camera

    Key aspects from the CISA exam perspective
    Self-assessment questions
  Identity and access management
    Access control categories
    Steps for implementing logical access
    Control Effectiveness
    Default deny policy – allow all policy
    Degaussing (demagnetizing)
    Naming convention
    Factor of authentication
    Single sign-on
    Advantages of SSO
    Disadvantages of SSO
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Biometrics
    Biometrics – accuracy measure
    False acceptance rate (FAR)
    False rejection rate (FRR)
    Cross error rate (CER) or equal error rate (EER)
    Control over the biometric process
    Types of biometric attacks
    Self-assessment questions
  Summary
  Assessments
    Information asset security frameworks, standards, and guidelines
    Privacy principles
    Physical access and environmental controls
    Identity and access management
    Biometrics

Chapter 10: Network Security and Control
  Network and endpoint devices
    Open system interconnection (OSI) layers
    Networking devices
    Repeaters
    Hubs and switches
    Bridges
    Routers
    Gateway
    Network devices and the OSI layer
    Network physical media
    Fiber optics
    Twisted pair (copper circuit)
    Infrared and radio (wireless)
    Identifying the risks of physical network media
    Attenuation

    EMI
    Cross talks
    Network diagram
    Network protocols
    Dynamic Host Configuration Protocol
    Transport Layer Security and Secure Socket Layer
    Transmission Control Protocol and User Datagram Protocol
    Secure Shell and Telnet
    Key aspects from CISA exam perspective
    Self-assessment questions
  Firewall types and implementation
    Types of firewall
    Packet filtering router
    Stateful inspection
    Circuit-level
    Application-level
    What is a bastion host?
    What is a proxy?
    Types of firewall implementation
    Dual-homed firewall
    Screened host firewall
    Screened subnet firewall (demilitarized zone)
    Firewall and the corresponding OSI layer
    Key aspects from the CISA exam perspective
    Self-assessment questions
  VPN
    Types of VPN
    VPNs – security risks
    VPNs – technical aspects
    Key aspects from the perspective of the CISA exam
    Self-assessment questions
  Voice over Internet Protocol (VoIP)
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Wireless networks
    Enabling MAC filtering
    Enabling encryption
    Disabling a service set identifier (SSID)
    Disabling DHCP
    Common attack methods and techniques for a wireless network
    War driving
    War walking
    War chalking
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Email security
    Key aspects from the CISA exam perspective

    Self-assessment questions
  Summary
  Assessments
    Network and endpoint devices
    Firewall types and implementation
    Virtual Private Network (VPN)
    Voice over Internet Protocol (VoIP)
    Wireless networks
    Email security

Chapter 11: Public Key Cryptography and Other Emerging Technologies
  Public key cryptography
    Symmetric encryption versus asymmetric encryption
    Encryption keys
    Confidentiality
    Authentication
    Non-repudiation
    Integrity
    The hash of the message
    Combining symmetric and asymmetric methods
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Elements of PKI
    PKI terminology
    Processes involved in PKI
    Certifying Authority versus Registration Authority
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Cloud computing
    Cloud computing – deployment models
    The private cloud
    The public cloud
    The community cloud
    The hybrid cloud
    Cloud computing – the IS auditor's role
    Self-assessment questions
  Virtualization
  Mobile computing
  Internet of Things (IoT)
  Summary
  Assessments
    Public key cryptography
    Elements of public key infrastructure
    Cloud computing

Chapter 12: Security Event Management
  Security awareness training and programs
    Participants
    Security awareness methods
    Social engineering attacks
    Evaluating the effectiveness of security programs
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Information system attack methods and techniques
    Malicious codes
    Biometric attacks
    Key aspects from the CISA exam perspective
    Assessment
  Security testing tools and techniques
    General security controls
    Terminal controls
    Logon IDs and passwords
    Authorization process
    Automatic logoff
    Account lockout
    Controls on bypassing software and utilities
    Log capturing and monitoring
    Time synchronization
    Network penetration tests
    Aspects to be covered within the scope of the audit
    Types of penetration tests
    External testing
    Internal testing
    Blind testing
    Double blind testing
    Targeted testing
    Risks associated with penetration testing
    Threat intelligence
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Security monitoring tools and techniques
    Intrusion detection system
    Network-based and host-based IDS
    Components of the IDS
    Limitations of the IDS
    Types of IDS
    Signature-based
    Statistical-based
    Neural network
    Placement of IDS
    Intrusion prevention system
    Honey pots and honey nets
    Key aspects from the CISA exam perspective

    Self-assessment questions
  Incident response management
    Computer Security Incident Response Team
    Key aspects from the CISA exam perspective
    Self-assessment questions
  Evidence collection and forensics
    Chain of custody
    Identify
    Preserve
    Analyze
    Present
    Key elements of computer forensics
    Data protection
    Data /normalization
    Reporting
    Protection of evidence
    Self-assessment questions
  Summary
  Assessments
    Security awareness training and programs
    Information system attack methods and techniques
    Security testing tools and techniques
    Security monitoring tools and techniques
    Incident response management
    Evidence collection and forensics

Other Books You May Enjoy

Index

Preface

Certified Information System Auditor (CISA) is one of the most sought-after courses in the field of auditing, control, and information security. CISA is a globally recognized certification that validates your expertise and gives you the leverage you need in order to advance in your career. CISA certification is key to a successful career in IT.

CISA certification can showcase your expertise and assert your ability to apply a risk-based approach to planning, executing, and reporting on projects and engagements. It helps you gain instant credibility in your interactions with internal stakeholders, regulators, external auditors, and customers.

As per ISACA's official website (www.isaca.org), the average salary of a CISA holder is USD 110,000.

All errata related to this book can be found at https://github.com/PacktPublishing/CISA-Certified-Information-Systems-Auditor-Study-Guide#errata.

Who this book is for

If you are a passionate auditor, risk practitioner, IT professional, or security professional, and are planning to enhance your career by obtaining a CISA certificate, this book is for you.

What this book covers

Chapter 1, Audit Planning, deals with the audit processes, standards, guidelines, practices, and techniques that an IS auditor is expected to use during audit assignments. An IS auditor must have a detailed knowledge of IS processes, business processes, and risk management processes in order to protect an organization's assets.

Chapter 2, Audit Execution, covers project management techniques, sampling methodology, and audit evidence collection techniques. It provides details regarding data analysis techniques, reporting and communication techniques, and quality assurance processes.

Chapter 3, IT Governance, provides an introduction to IT governance and aspects related to IT enterprise governance. Enterprise governance includes the active involvement of management in IT management. Effective IT governance and management involves an organization's structure as well as IT standards, policies, and procedures.

Chapter 4, IT Management, walks you through various aspects of designing and approving IT management policy and effective information security governance. It will also teach you to audit and evaluate IT resource management, along with services provided by third-party service providers, while also covering IT performance monitoring and reporting.

Chapter 5, Information Systems Acquisition and Development, provides information about project governance and management techniques. This chapter discusses how an organization evaluates, develops, implements, maintains, and disposes of its information systems and related components.

Chapter 6, Information Systems Implementation, covers various aspects of information systems implementation. The implementation process comprises a variety of stages, including system migration, infrastructure deployment, data conversion or migration, user training, post-implementation review, and user acceptance testing.

Chapter 7, Information Systems Operations, explains how to identify risk related to technology components and how to audit and evaluate IT service management practices, systems performance management, problem and incident management policies and practices, change, configuration, release and patch management processes, and database management processes.

Chapter 8, Business Resilience, covers all aspects of the business impact analysis, system resiliency, data backup, storage and restoration, the business continuity plan, and disaster recovery plans.

Chapter 9, Information Asset Security and Control, provides information about the information security management framework, privacy principles, physical access and environmental controls, and identity and access management.

Chapter 10, Network Security and Control, provides an introduction to various components of networks, network-rela
