CISA : Certified Information Systems Auditor Study Guide ; [over 500 review questions ; includes real-world scenarios for insight into professional audit systems and controls, and leading-edge exam prep software featuring: custom test engine, hundreds of sample questions, electronic flashcards, entire book in PDF]

Transcription

Certified Information Systems Auditor Study Guide, Third Edition
David Cannon
Wiley Publishing, Inc.

Contents

Introduction
Assessment Test

Chapter 1  Secrets of a Successful Auditor
    Understanding the Demand for IS Audits
    Executive Misconduct
    More Regulation Ahead
    Basic Regulatory Objective
    Governance Is Leadership
    Audit Results Indicate the Truth
    Understanding Policies, Standards, Guidelines, and Procedures
    Understanding Professional Ethics
    Following the ISACA Code
    Preventing Ethical Conflicts
    Understanding the Purpose of an Audit
    Classifying Basic Types of Audits
    Differences in Audit [...]sibility
    Comparing Audits to Assessments
    Differentiating Between Auditor and Auditee Roles
    Applying an Independence Test
    Implementing Audit Standards
    Where Do Audit Standards Come From?
    Understanding the Various Auditing Standards
    Specific Regulations Defining Best Practices
    Audits to Prove Financial Integrity
    Auditor Is an Executive Position
    Understanding the Importance of Auditor Confidentiality
    Working with Lawyers
    Working with Executives
    Working with IT Professionals
    Retaining Audit Documentation
    Providing Good Communication and Integration
    Understanding Leadership Duties
    Planning and Setting Priorities
    Providing Standard Terms of Reference
    Dealing with Conflicts and Failures
    Identifying the Value of Internal and External Auditors
    Understanding the Evidence Rule
    Stakeholders: Identifying Who You Need to Interview

    Understanding the Corporate Organizational Structure
    Identifying Roles in a Corporate Organizational Structure
    Identifying Roles in a Consulting Firm
    Exam Essentials
    Review Questions
    Answers to Review Questions

Chapter 2  Organizational [...]ng IT Governance
    Strategy Planning for Organizational Control
    Overview of the IT Steering Committee
    Using the Balanced Scorecard
    IT Subset of the BSC
    Decoding the IT Strategy
    Specifying a Policy
    Project Management
    Implementation Planning of the IT Strategy
    Using COBIT
    Identifying Sourcing Locations
    Conducting an Executive Performance Review
    Understanding the Auditor's Interest in the Strategy
    Overview of Tactical Management
    Planning and Performance
    Management Control Methods
    Risk Management
    Implementing Standards
    Human Resources
    System Life-Cycle Management
    Continuity Planning
    Insurance
    Performance Management
    Overview of Business Process Reengineering
    Why Use Business Process Insanity?
    Goal of BPR
    Guiding Principles for BPR
    Knowledge Requirements for BPR
    BPR Techniques
    BPR Application Steps
    Role of IS in BPR
    Business Process Documentation
    BPR Data Management Techniques

    Benchmarking as a BPR Tool
    Using a Business Impact Analysis
    Practical Selection Methods for BPR
    Practical Application of BPR
    BPR Project Risk Assessment
    Troubleshooting BPR Problems
    Understanding the Auditor's Interest in Tactical Management
    Operations Management
    Sustaining Operations
    Tracking Performance
    Controlling Change
    Understanding the Auditor's Interest in Operational Delivery
    Summary
    Exam Essentials
    Review Questions
    Answers to Review Questions

Chapter 3  Audit Process
    Understanding the Audit Program
    Audit Program Objectives and Scope
    Audit Program Extent
    Audit Program Responsibilities
    Audit Program Resources
    Audit Program Procedures
    Audit Program Implementation
    Audit Program Records
    Audit Program Monitoring and Review
    Planning Individual Audits
    Establishing and Approving an Audit Charter
    Role of the Audit Committee
    Preplanning Specific Audits
    Understanding the Variety of Audits
    Identifying Restrictions on Scope
    Gathering Detailed Audit Requirements
    Using a Systematic Approach to Planning
    Comparing Traditional Audits to Assessments and Self-Assessments
    Performing an Audit Risk Assessment
    Determining Whether an Audit Is Possible
    Identify the Risk Management Strategy
    Is This Audit Feasible?

    Performing the Audit
    Selecting the Audit Team
    Determining Competence and Evaluating Auditors
    Ensuring Audit Quality Control
    Establishing Contact with the Auditee
    Making Initial Contact with the Auditee
    Using Data Collection Techniques
    Conducting Document Review
    Understanding the Hierarchy of Internal Controls
    Reviewing Existing Controls
    Preparing the Audit Plan
    Assigning Work to the Audit Team
    Preparing Working Documents
    Conducting Onsite Audit Activities
    Gathering Audit Evidence
    Using Evidence to Prove a Point
    Understanding Types of Evidence
    Selecting Audit Samples
    Recognizing Typical Evidence for IS Audits
    Using Computer-Assisted Audit Tools
    Understanding Electronic Discovery
    Grading of Evidence
    Timing of Evidence
    Following the Evidence Life Cycle
    Conducting Audit Evidence Testing
    Compliance Testing
    Substantive Testing
    Tolerable Error Rate
    Record Your Test Results
    Generate Audit Findings
    Report Findings
    Identifying Omitted Procedures
    Approving and Distributing the Audit Report
    Conducting Follow-Up (Closing Meeting)
    Summary
    Exam Essentials
    Review Questions
    Answers to Review Questions

Chapter 4  Networking Technology Basics
    Understanding the Differences in Computer Architecture
    Selecting the Best System
    Identifying Various Operating Systems
    Determining the Best Computer Class

    Comparing Computer Capabilities
    Ensuring System Control
    Dealing with Data Storage
    Using Interfaces and Ports
    Introducing the Open Systems Interconnect Model
    Layer 1: Physical Layer
    Layer 2: Data-Link Layer
    Layer 3: Network Layer
    Layer 4: Transport Layer
    Layer 5: Session Layer
    Layer 6: Presentation Layer
    Layer 7: Application Layer
    Understanding How Computers Communicate
    Understanding Physical Network Design
    Understanding Network Topologies
    Identifying Bus Topologies
    Identifying Star Topologies
    Identifying Ring Topologies
    Identifying Meshed Networks
    Differentiating Network Cable Types
    Coaxial Cable
    Unshielded Twisted-Pair (UTP) Cable
    Fiber-Optic Cable
    Connecting Network Devices
    Using Network Services
    Domain Name System
    Dynamic Host Configuration Protocol
    Expanding the Network
    Using Telephone Circuits
    Using Wireless Access Solutions
    Summarizing the Various Area Networks
    Using Software as a Service (SaaS)
    Advantages
    Disadvantages
    Cloud Computing
    Managing Your Network
    Syslog
    Automated Cable Tester
    Protocol Analyzer
    Simple Network Management Protocol
    Remote Monitoring Protocol Version 2
    Summary
    Exam Essentials
    Review Questions
    Answers to Review Questions

Chapter 5  Information Systems Life Cycle
    Governance in Software Development
    Management of Software Quality
    Capability Maturity Model
    International Organization for Standardization
    Overview of the Executive Steering Committee
    Identifying Critical Success Factors
    Using the Scenario Approach
    Aligning Software to Business Needs
    Change Management
    Management of the Software Project
    Choosing an Approach
    Using Traditional Project Management
    Overview of the System Development Life Cycle
    Phase 1: Feasibility Study
    Phase 2: Requirements Definition
    Phase 3: System Design
    Phase 4: Development
    Phase 5: Implementation
    Phase 6: Postimplementation
    Phase 7: Disposal
    Overview of Data Architecture
    Databases
    Database Transaction Integrity
    Decision Support Systems
    Presenting Decision Support Data
    Using Artificial Intelligence
    Program [...]tion
    Electronic Commerce
    Summary
    Exam Essentials
    Review Questions
    Answers to Review Questions

Chapter 6  System Implementation and Operations
    Understanding the Nature of IT Services
    Performing IT Operations Management
    Meeting IT Functional Objectives
    Using the IT Infrastructure Library
    Supporting IT Goals
    Understanding Personnel Roles and Responsibilities
    Using Metrics

    Evaluating the Help Desk
    Performing Service-Level Management
    Outsourcing IT Functions
    Performing Capacity Management
    Using Administrative Protection
    Information Security Management
    IT Security Governance
    Authority Roles over Data
    Data Retention Requirements
    Document Access Paths
    Personnel Management
    Physical Asset Management
    Compensating Controls
    Performing Problem Management
    Incident Handling
    Digital Forensics
    Monitoring the Status of Controls
    System Monitoring
    Log Management
    System Access Controls
    Data File Controls
    Application Processing Controls
    Antivirus Software
    Active Content and Mobile Software Code
    Maintenance Controls
    Implementing Physical Protection
    Data Processing Locations
    Environmental Controls
    Safe Media Storage
    Summary
    Exam Essentials
    Review Questions
    Answers to Review Questions

Chapter 7  Protecting Information Assets
    Understanding the Threat
    Recognizing Types of Threats and Computer Crimes
    Identifying the Perpetrators
    Understanding Attack Methods
    Implementing Administrative Protection
    Using Technical Protection
    Technical Control Classification
    Application Software Controls
    Authentication Methods

    Network Access Protection
    Firewall Protection for Wireless Networks
    Intrusion Detection
    Encryption Methods
    Public-Key Infrastructure
    Network Security Protocols
    Design for Redundancy
    Telephone Security
    Technical Security Testing
    Summary
    Exam Essentials
    Review Questions

Chapter 8  Business Continuity and Disaster Recovery
    Debunking the Myths
    Myth 1: Facility Matters
    Myth 2: IT Systems Matter
    From Myth to Reality
    Understanding the Five Conflicting Disciplines Called Business Continuity
    Defining Disaster Recovery
    Surviving Financial Challenges
    Valuing Brand Names
    Rebuilding after a Disaster
    Defining the Purpose of Business Continuity
    Uniting Other Plans with Business Continuity
    Identifying Business Continuity [...]
    Following a Program Management [...]
    [...]g the Five Phases of Business Continuity Program
    Phase 1: Setting Up the BC Program
    Phase 2: The Discovery Process
    Phase 3: Plan Development
    Phase 4: Plan Implementation
    Phase 5: Maintenance and Integration
    Understanding the Auditor Interests in BC/DR Plans
    Summary
    Exam Essentials
    Review Questions
    Answers to Review Questions

Appendix A  About the Companion CD
    What You'll Find on the CD
    Sybex Test Engine
    Electronic Flashcards
    PDF of the Book
    Adobe Reader
    System Requirements
    Using the CD
    Troubleshooting
    Customer Care

Glossary

Index

CISA : Certified Information Systems Auditor study guide ; [over 500 review questions ; includes real-world scenarios for insight into professional audit systems and controls, and leading-edge exam prep software featuring: custom test engine, hundreds of sample questions, electronic flashcards, entire book in PDF]