Typology: Study notes
The first domain of the CISA exam is the process of auditing information systems. It accounts for 21% of the questions on the exam and is the second largest domain on the exam. Particular attention should be paid to the process of building an audit program, the functions it supports, and the roles it plays within the organization. For an organization, having a charter, or written purpose statement, is critical for the internal audit function. This function should have independence and top-level support from within the organization. It should also be aligned with the overall goals and objectives of the organization. The ISACA auditing standards framework defines the mandatory audit standards and guidelines that facilitate consistent and comprehensive audits. The Information Technology Assurance Framework (ITAF) contains elements of both COBIT and the ISACA auditing standards and guidelines; this framework is to be used as a comprehensive guide for instituting the assurance framework within an organization.
Risk analysis is a critical part of auditing. It should be done initially in order to help the IS auditor determine what warrants further investigation and to help them better structure an audit plan. ISACA provides the Risk IT Framework to help define the processes of governing, evaluating, and responding to risks within an organization. Controls within an organization come in many forms, such as policies, procedures, systems, and processes that reduce risk and support business goals and objectives. Each control should have a documented objective that states the control’s purpose. Controls can be either automatic or manual. General computing controls are applied across an organization, while most systems will also have additional controls in place that are specific to themselves.
An audit is a planned evaluation of internal controls and their corresponding objectives. The primary purpose of an audit is to gather evidence about the operation of controls within the environment in order to determine their effectiveness. The evidence typically consists of screenshots of a control’s configuration, written notes, correspondence, process and procedure documentation, and business records.
The audit is typically guided by a methodology, which helps ensure audits are both repeatable and consistent from one organization to the next. This ensures the auditor provides the same level of value to each organization with which they work and that their goals and methods are easily identifiable. Audits come in many forms, including: operational, financial, integrated, IS, administrative, compliance, forensic, and service provider audits. Pre-audits are typically done to help facilitate planning and scope development. Key things an auditor should attempt to gather during an audit are: policies and procedures documentation, charters, third-party contracts, organizational charts, incident logs, standards, and systems documentation.

Sampling is used when testing each individual component is untenable because of size or time constraints. The method of sampling used needs to be carefully chosen to ensure a proper representation of the environment is used to support any findings. The main types of sampling are: statistical, judgmental, attribute, stop-or-go, discovery, and stratified sampling. Each type has its own use case and benefits.

A key component of a successful audit is the interviews of key staff and stakeholders. These interviews are critical to helping the auditor understand the dynamics of the workplace, along with specific roles and responsibilities. The interviews also give the auditor the chance for a back-and-forth discussion to ensure a solid understanding of any particular system or process.

Of particular importance to the exam is understanding that in some cases organizations will rely upon third-party audit reports. The most common example of this is the SSAE 16 audit of data center providers or other vendors that will handle some of the organization’s data or have access to that data. SSAE 16 was formerly known as SAS 70.

Sometimes audits are performed using automated solutions to help facilitate speed and repeatability. When these tools are used, an auditor needs to verify the findings of the tools and be sure to tie them back to the specific transactions examined. This ensures the evidence is reliable, which is a key component of an audit. Another use case for these automated tools is the continuous audit. Continuous audits are relatively new to many organizations, but provide tremendous value in that they can look at trends, provide real-time feedback, and are not confined to a specific window of time.
As part of the CISA exam, a critical thing to understand is the different types of risk you will encounter within an environment. These risk types are: control, detection, inherent, audit, and sampling risk. The direct impact of an auditor on risk is confined solely to detection risk, since this is the risk that the auditor will miss an issue during the course of an audit. The combination of these risks is known as the audit risk.
The second domain of the CISA exam is governance and management of IT. 16% of the exam will be based upon this domain. The key takeaways here are understanding the IT process, the structure of the department, and the key management practices that make up IT. Another key component is understanding the process of developing a business continuity plan. The important thing to remember is that the first step in this process is always a business impact analysis, to ensure emphasis is placed on the proper components. Proper IT governance cannot be achieved without a top-down approach. Upper management needs to be driving the governance. Typically, this is done through a steering committee composed of top executives who set the strategic direction and policies for the organization so that they align with the business’ goals and objectives. These policies, and the associated risk appetite, are carried out through the chief information officer (CIO) or chief information risk officer (CIRO). The CIO and CIRO are responsible for many things, including: developing security policies, handling incident management, vulnerability management, and identity and access management.
Risk management is key to the governance and management of IT CISA domain. It refers to identifying key assets and their vulnerabilities. Once risks are identified, steps can be taken to either mitigate, transfer, avoid, or accept the risk. Risk mitigation is either completely resolving or greatly reducing the threat a risk poses to the organization. Risk transfer is the migration of the risk burden from one organization to another, for example when an organization purchases insurance, such as cyber liability insurance, against a particular risk. Risk avoidance is simply when an organization declines to take part in a process or application that poses the risk. Risk acceptance is the determination an organization makes that the risk does not pose a significant threat to the organization or that there is no other way around it. Risk assessments can be qualitative or quantitative. Qualitative risk assessments are probably the most common and categorize risks in the form of high, medium, low, informational, or similar. Quantitative risk assessments focus on linking risks with dollar amounts. Quantitative risk assessments are typically harder to perform accurately.

Key Management Practices

Effective operation of an IT department or organization necessitates certain key management practices such as: personnel management, sourcing, change management, financial management, quality management, portfolio management, controls management, and security management. Personnel management focuses on hiring, development and evaluation of employees, on-boarding and off-boarding, and development and maintenance of an employee handbook and other guiding policies. Sourcing is concerned with who is in charge of the business processes and whether those processes are insourced or outsourced. Change management is focused on controlling the change that occurs within an environment to minimize downtime, variables, and security issues. Financial management is concerned with keeping track of complex IT expenditure to ensure efficiency. Quality management focuses on ensuring processes are measured and managed to drive continued improvement. Portfolio management is the systematic management of IT projects, investments, and activities. Controls management ensures proper implementation and management of controls and their objectives. Security management focuses on vulnerability and risk assessments, incident management, compliance management, identity and access management, business continuity and disaster recovery management, and capacity planning and management. Critical to the proper governance of the IT function is a formal management and reporting structure, along with documented roles, responsibilities, and job descriptions. Segregation of duties should be apparent and enforced to ensure there is no single point of failure in any critical business process.
Business continuity plans should be able to account for man-made and natural disasters, allowing the organization to continue critical business functions in the event of a disaster. The process of developing a business continuity plan begins with a statement of the goals and objectives. A business impact analysis (BIA) is completed and each critical process is tied to a statement of impact. This statement can be qualitative or quantitative. The next step is a criticality analysis, wherein each business process is ranked in terms of criticality. The rankings can be qualitative, quantitative, or subjective. A maximum tolerable downtime is then documented for each process. These metrics are what drive the recovery time objective and recovery point objective for each process. The recovery time objective is the time to restoration of services, while the recovery point objective is the maximum acceptable data loss.

Continuity plans consist of procedures for safety, declaration of disaster, definitions of responsibilities, contact information for key individuals, procedures for recovery, continuity of operations, and restoration of assets. These plans should be tested periodically, and the types of tests typically performed are: document review, walkthrough, simulation, parallel test, and cutover test. Parallel testing allows live workloads to be replicated on DR equipment while the real workloads continue on production equipment. A cutover test runs full production functionality on the DR equipment. This is the riskiest and most complex means of testing a BC/DR plan. It is not a requirement for organizations to perform cutover tests, as they can introduce issues within the environment that are only acceptable during a true disaster. Parallel tests are often sufficient to prove the efficacy of the BC/DR plan. These plans need to be
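The BIA-to-objectives chain described above (impact statement, criticality ranking, maximum tolerable downtime, then RTO/RPO) lends itself to a simple consistency check: a plan whose committed RTO is longer than the MTD the BIA documented cannot meet the tolerance the business set. The following is an added example, not part of the study notes; the process names, impact categories and hour figures are constructed sample data, and the impact-to-rank mapping is an assumption of the example.

```python
"""Added example: check a business impact analysis (BIA) against the
recovery objectives a continuity plan commits to.

Each process carries an impact statement, a maximum tolerable downtime
(MTD), and the plan's recovery time objective (RTO) and recovery point
objective (RPO). The check ranks processes by criticality and flags any
process whose RTO exceeds its MTD. All figures below are constructed."""
from dataclasses import dataclass


@dataclass
class Process:
    name: str
    impact: str          # qualitative impact statement category
    mtd_hours: float     # maximum tolerable downtime from the BIA
    rto_hours: float     # recovery time objective committed to in the plan
    rpo_hours: float     # recovery point objective (maximum data loss, as time)


# Assumed mapping from qualitative impact statement to criticality rank
# (1 = most critical). A real BIA would document its own scale.
IMPACT_RANK = {"severe": 1, "major": 2, "moderate": 3, "minor": 4}


def rank_by_criticality(processes):
    """Criticality analysis: order processes from most to least critical,
    breaking ties in favour of the shorter tolerable downtime."""
    return sorted(processes, key=lambda p: (IMPACT_RANK[p.impact], p.mtd_hours))


def find_gaps(processes):
    """Return (process name, reason) pairs for every process whose plan
    objective is looser than the tolerance the BIA documented."""
    gaps = []
    for p in processes:
        if p.rto_hours > p.mtd_hours:
            gaps.append((p.name, f"RTO {p.rto_hours}h exceeds MTD {p.mtd_hours}h"))
    return gaps


# Constructed sample data for the example.
SAMPLE = [
    Process("Payroll", "major", mtd_hours=72, rto_hours=24, rpo_hours=24),
    Process("Order processing", "severe", mtd_hours=4, rto_hours=8, rpo_hours=1),
    Process("Intranet wiki", "minor", mtd_hours=168, rto_hours=240, rpo_hours=24),
    Process("Email", "moderate", mtd_hours=48, rto_hours=12, rpo_hours=4),
]


def report(processes=SAMPLE):
    """Ranked list of names plus the gaps, in criticality order."""
    ranked = rank_by_criticality(processes)
    return [p.name for p in ranked], find_gaps(ranked)


if __name__ == "__main__":
    names, gaps = report()
    print("Criticality order:", names)
    for name, reason in gaps:
        print(f"GAP: {name}: {reason}")
```

Run as a script it lists the processes in criticality order and prints one line per gap; in the constructed data both the most critical process and the least critical one have an RTO longer than their MTD, which is exactly the kind of finding a plan review should surface before a test, not during a disaster.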
The third domain of the CISA exam is Information Systems acquisition, development, and implementation. It comprises 18% of the exam. This section is concerned with the management of the IT life cycle. As with many other domains on the CISA exam, this section puts emphasis on the written documentation of processes and procedures. The goal of written documentation is to lay out the goals and objectives of the organization and ensure processes are both repeatable and consistent; this domain is no different.

IT Oversight and Program Management

Program management is critical to the IT life cycle and pertains to oversight of IT projects. The leader of this effort is known as a program manager, and they are responsible for ensuring the project managers are on task, budgets are adhered to, resource allocation is appropriate, and that status reports are prepared when needed for presentation to senior management.

Business Process Management Lifecycle

(Figure: business process management lifecycle: Design, Development, Testing, Implementation, Monitoring)

The key to development of a new project within IT is a business case that can be approved by management. The business case should state a business problem and how this project aims to solve it, in as many ways as possible. The business case ensures the project is not being undertaken without being properly supported and without being critical to the business in some aspect.
Business cases typically include: a description of the business problem, feasibility study results, high-level project plan, a budget, metrics, and risks. The business problem can be described in quantitative or qualitative terms. The high-level project plan should include the number of resources required and a basic timeline. The metrics included should be a description of how measurements will be taken to ensure business benefit, along with existing versus expected measurements after implementation. If possible, the estimates should include examples of how similar this project is to other projects that have been undertaken by the organization in the past. The risks section should include potential risks of the new application and how the organization can anticipate mitigating those risks. Projects require formal planning as well as formal change management processes in the event a change needs to be made to scope or implementation. Another critical component to an IT project is the review done after the completion of the project. This ensures that future projects will not meet the same stumbling blocks and that improvements can constantly be made in the process.
Software development and acquisition is typically managed through a process; the most common method is the SDLC, which is a set of activities undertaken to ensure newly implemented applications meet organizational needs. SDLC phases are: feasibility study, requirements definition, design, development, testing, implementation, and post-implementation. Each is formally documented, reviewed, and measured to ensure value to the organization and to track improvement.

The testing phase of the SDLC has different types of testing, each of which should be performed. Unit testing is where each individual component of an application is tested as it is built. This ensures the unit functions correctly and does what it was designed to do. Often, the testing procedures for this phase are explicitly documented by the developers so someone can verify the unit works. System testing occurs when an application and its modules have been implemented within an environment and are tested from beginning to end. That is, each unit is tested outside of its own vacuum and verified. Functional testing ensures the development requirements have been met. These test results should be recorded and used as proof of compliance with project requirements. User acceptance testing is conducted to ensure an application meets the needs of the users. The testing requirements should include clearly documented tests to determine that the functionality of the application meets the needs of the users. Once this phase is completed, the company often agrees to pay for the application and
Any application that accepts data input should ensure the integrity of that data at some level through the process. Controls for applications of this type are: input validation, processing validation, and output validation. These validation schemes check the data at various points in the process of the application. They ensure the data is normalized and of the types expected given the application. During the course of an audit, auditors should expect to receive documentation explaining the applications, charters, and records pertaining to these applications for review. This helps the auditor understand how the programs work, the process involved in obtaining new applications, and the reviews in place to ensure any acquisition is in line with business goals and objectives.
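The three application control points named above (input, processing and output validation) are easiest to see on a concrete batch. The following is an added example and not code from the study notes: a small payment-batch pipeline over constructed records, with a validation step at each of the three points. The account-number format, the amount limits and the record layout are assumptions made for the example.

```python
"""Added example: input, processing and output validation around a small
batch job. The records, the account format and the limits are constructed
for the example and are not from any real system."""
from decimal import Decimal, InvalidOperation
import re

# Assumed account identifier format: two letters followed by eight digits.
ACCOUNT_RE = re.compile(r"^[A-Z]{2}\d{8}$")


def validate_input(raw_records):
    """Input validation: normalise each raw record (trim, upper-case,
    convert the amount) and reject anything of the wrong type or range.
    Returns (accepted, rejected), where rejected carries the reason."""
    accepted, rejected = [], []
    for rec in raw_records:
        account = str(rec.get("account", "")).strip().upper()
        try:
            amount = Decimal(str(rec.get("amount", "")).strip())
        except InvalidOperation:
            rejected.append((rec, "amount is not numeric"))
            continue
        if not ACCOUNT_RE.match(account):
            rejected.append((rec, "account identifier has the wrong format"))
            continue
        # Must be a finite positive amount with at most two decimal places.
        if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
            rejected.append((rec, "amount out of range or too precise"))
            continue
        accepted.append({"account": account, "amount": amount})
    return accepted, rejected


def process(records):
    """Processing step: sum the accepted amounts per account."""
    totals = {}
    for r in records:
        totals[r["account"]] = totals.get(r["account"], Decimal(0)) + r["amount"]
    return totals


def validate_processing(records, totals):
    """Processing validation: a run-to-run control total. The per-account
    totals must add up to exactly the sum of the accepted inputs, so a
    dropped or double-counted record is detected."""
    return sum(totals.values(), Decimal(0)) == sum(r["amount"] for r in records)


def validate_output(totals, expected_accounts):
    """Output validation: every accepted account appears exactly once in the
    report and no total is negative before the report leaves the application."""
    return set(totals) == expected_accounts and all(v > 0 for v in totals.values())


# Constructed sample batch: mixed case, malformed ids, a non-numeric and a
# negative amount, plus valid records.
RAW = [
    {"account": "gb12345678", "amount": "100.50"},
    {"account": "GB12345678", "amount": " 24.50 "},
    {"account": "XX1", "amount": "10"},
    {"account": "DE87654321", "amount": "abc"},
    {"account": "DE87654321", "amount": "-5"},
    {"account": "DE87654321", "amount": "75"},
]


def run(raw=RAW):
    """Run the batch end to end; returns (totals, rejected, all_checks_ok)."""
    accepted, rejected = validate_input(raw)
    totals = process(accepted)
    ok = validate_processing(accepted, totals) and validate_output(
        totals, {r["account"] for r in accepted})
    return totals, rejected, ok


if __name__ == "__main__":
    totals, rejected, ok = run()
    print("totals:", totals, "| rejected:", len(rejected), "| checks ok:", ok)
```

The control-total check in validate_processing is the kind of evidence an auditor can ask for: a batch whose output totals reconcile to its accepted inputs, with a separate record of what was rejected and why, documents that the processing controls operated.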
Any third parties used by an organization should be assessed as part of a comprehensive risk assessment to ensure compliance and alignment with organizational goals and objectives. A particular third-party relationship to pay attention to is the cloud-based infrastructure and application provider. The relationship can be broken up into three main types: software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS). SaaS is when a cloud-based provider simply provides access to software hosted in the cloud. Users will use this service the same way they would if the application were hosted in-house. IaaS is when a cloud provider gives access to infrastructure in the cloud, such as virtual machines or networking equipment. PaaS is when a cloud provider gives access to its tools and platforms for an organization to leverage as part of its development life cycle or to resell as services.
The fourth domain of the CISA exam is Information Systems operations, maintenance, and support. It makes up 20% of the exam and is the third most heavily weighted section of the exam. The important information to understand from this domain is how day-to-day operations are run, how maintenance is scheduled, and how backup retention is structured. It is also important to understand the methods by which business continuity can be deployed to support the goals and objectives of the business. In order to support the overall business goals and objectives, all operations within the IT function should be managed and monitored. This necessitates documented processes, procedures, and projects to ensure they are measurable for continued improvement and alignment with other objectives within the organization.
Popular and proven service management frameworks on which to base IT operations are COBIT and ITIL. These frameworks provide a good benchmark for how operations should be managed and monitored, and they fit most businesses and the IT processes within them.
An important part of this domain is the understanding of common IS hardware and software and how they can be configured and leveraged to support business goals and objectives. The understanding must cover a wide range from virtualization and software-defined networking to RAID levels and common operating system configurations. Auditors should also be familiar with common network monitoring tools to facilitate a more seamless audit and help in understanding utilization and potential capacity planning issues within an organization.
The 7-layer OSI model is made up of: physical, data link, network, transport, session, presentation, and application layers. The physical layer is about the electrical and physical devices and specifications. Typically, this refers to cabling, signaling, and wireless signals. The data link layer is concerned with the way data is transferred across the local network. The data in this layer is referred to as frames, and some error correction and avoidance is built into this layer, for example in switches. The network layer is focused on the actual delivery of data from one side of the network to another or to entirely different networks. This is where routing happens. The transport layer is focused on the reliability of data being transferred. Here is where we discuss connection-oriented versus connectionless protocols such as TCP and UDP. TCP ensures proper delivery from one station to another, while UDP simply sends the traffic without regard for the order of packets or for delivery at all. The session layer is concerned with controlling sessions
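The division of labour between layers 2, 3 and 4 becomes concrete when you decode a frame the way a capture tool does: the frame header identifies stations on the local segment, the IPv4 header carries the addresses a router uses and a checksum that protects only the header, and the UDP or TCP header carries the ports. The following is an added example, not from the study notes; the frame is constructed in the code (a builder fills in a correct IPv4 header checksum), and the MAC addresses, IP addresses and payload are sample values.

```python
"""Added example: walk a constructed Ethernet frame up the stack, layer 2
(frame header), layer 3 (IPv4 header, where routing decisions are made)
and layer 4 (UDP or TCP header). The frame is built in this file; all
addresses and the payload are constructed sample values."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ipv4(b):
    return ".".join(str(x) for x in b)


def ipv4_checksum(header):
    """RFC 791 header checksum: one's complement of the one's complement sum
    of the header's 16-bit words. Over a valid header (checksum field
    included) the result is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Construct a frame for the example: Ethernet II + IPv4 + UDP.
    UDP checksum is left at 0 (permitted for IPv4); the IPv4 header
    checksum is computed properly."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                      64, PROTO_UDP, 0, src_ip, dst_ip)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + hdr + udp


def decode_frame(frame):
    """Return a dict with one entry per decoded layer."""
    # Layer 2: destination MAC, source MAC, EtherType
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"l2": {"dst": mac(dst), "src": mac(src), "ethertype": ethertype}}
    if ethertype != ETHERTYPE_IPV4:
        return out
    # Layer 3: IPv4 header; IHL gives the header length in 32-bit words
    ip = frame[14:]
    ver_ihl, _tos, _total, _ident, _flags, ttl, proto, _csum, s_ip, d_ip = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    out["l3"] = {"version": ver_ihl >> 4, "src": ipv4(s_ip), "dst": ipv4(d_ip),
                 "ttl": ttl, "proto": proto,
                 "checksum_ok": ipv4_checksum(ip[:ihl]) == 0}
    # Layer 4: ports (and for TCP, sequence numbers and flags)
    l4 = ip[ihl:]
    if proto == PROTO_UDP:
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", l4[:8])
        out["l4"] = {"proto": "UDP", "sport": sport, "dport": dport,
                     "payload": l4[8:ulen]}
    elif proto == PROTO_TCP:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        out["l4"] = {"proto": "TCP", "sport": sport, "dport": dport,
                     "seq": seq, "ack": ack, "flags": off_flags & 0x1FF}
    return out


# Constructed sample frame and a copy with one corrupted header byte (TTL).
SAMPLE_FRAME = build_ipv4_udp_frame(
    src_mac=bytes.fromhex("001122334455"), dst_mac=bytes.fromhex("66778899aabb"),
    src_ip=bytes([192, 168, 1, 10]), dst_ip=bytes([10, 0, 0, 53]),
    sport=40000, dport=53, payload=b"constructed-payload")
CORRUPTED_FRAME = SAMPLE_FRAME[:22] + bytes([SAMPLE_FRAME[22] ^ 0x01]) + SAMPLE_FRAME[23:]

if __name__ == "__main__":
    for name, frame in (("sample", SAMPLE_FRAME), ("corrupted", CORRUPTED_FRAME)):
        print(name, decode_frame(frame))
```

Note which layer each check belongs to: the checksum verified here covers only the IPv4 header, so it is a layer-3 integrity check, and the corrupted copy is caught there; the frame's own CRC (layer 2) is normally stripped by the network interface before software ever sees the bytes.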
Auditors should also be familiar with database management systems and their concepts, such as relational databases that store information. The term relational database refers to the concept that disparate but related data may be located in different tables within a single database and can be retrieved together, using a query language, for a single unified report or correlation of information. Security in these databases is centered on three main tenets: access controls, encryption, and audit logging.
Enterprise architecture has two sides: the infrastructure and the on-going activities, both with long-term goals in mind. The main goals commonly associated with enterprise architecture are: scalability, agility, transparency, consistency, repeatability, efficiency, and resilience. Scalability refers to the ability of an infrastructure to scale to meet the demands of an enterprise. The key here is balancing cost with effectiveness. Agility refers to the flexibility of the design to adapt to new objectives of the organization. Transparency is concerned with documentation and ease of understanding. Consistency refers to the type of components and configurations used throughout the architecture. This should speed up troubleshooting and reduce downtime in the event of a failure. Repeatability refers to how simple things are to duplicate based on the configuration. Efficiency is a metric that results directly from the combination of consistency and repeatability. Any issues that arise should be much simpler to resolve because of the consistency and repeatability of the infrastructure. Resilience refers to reducing single points of failure within the architecture.

Network architecture is comprised of multiple components and it means different things to different people. Typically, it refers to one of the following: physical network architecture, logical network architecture, data flow architecture, or network standards and services. The network architecture helps build different types of networks such as: personal area network, local area network, campus area network, metropolitan area network, and wide area network.

Network Type               Distance Measurement       Usage and Technology
Personal Area Network      Feet                       Personal devices, Bluetooth, NFC
Local Area Network         100’s of feet              Small home office, 802.
Campus Area Network        A few miles                Business with multiple buildings in close proximity, wireless mesh, layer 2 connections between locations
Metropolitan Area Network  Dozens of miles            Business with multiple locations within a city or area, MPLS, T1, frame relay
Wide Area Network          100’s or 1000’s of miles   Multiple organizations, large distances, CSU/DSU

The most common network cable types are twisted pairs, and they are: shielded twisted pair, screened unshielded twisted pair, screened shielded twisted pair, and unshielded twisted pair. These cables come in various categories ranging from Category 3 to Category 8. The most common in use today is Category 6, or Category 7 in high-end applications where electromagnetic interference may be a concern.
In order to understand capacity planning and management for networks, an auditor must understand subnetting and classless IP addressing schemes. These will tell the auditor how much available room there is on a particular subnet and help them determine if a recommendation should be made to increase or decrease the subnet scope. Subnetting will also help in ensuring security and routing between various networks within the same organization.
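The question the paragraph above poses, how much room is left on a subnet and whether its scope should change, can be answered from the CIDR prefix and the addresses in use. The following is an added example, not from the study notes, built on Python's standard-library ipaddress module; the address lists are constructed sample data and the 80 % / 20 % grow/shrink thresholds are assumptions chosen for the example.

```python
"""Added example: subnet capacity check for classless (CIDR) addressing.
Reports usable host capacity, current utilisation, addresses that fall
outside the block, and a grow/shrink/keep recommendation. Thresholds and
sample address lists are constructed for the example."""
import ipaddress

GROW_ABOVE = 0.80     # assumed: recommend a larger block above 80 % utilisation
SHRINK_BELOW = 0.20   # assumed: recommend a smaller block below 20 % utilisation


def usable_hosts(network):
    """Usable host count for an IPv4 block: the classic n - 2 rule (network
    and broadcast addresses reserved) for /30 and larger, no reservation
    for /31 and /32 point-to-point or host routes."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2


def smallest_prefix_for(host_count):
    """Smallest IPv4 block (largest prefix length) whose usable host count
    covers host_count, using the n - 2 rule."""
    for prefix in range(30, -1, -1):
        if 2 ** (32 - prefix) - 2 >= host_count:
            return prefix
    raise ValueError("too many hosts for a single IPv4 block")


def assess(network, in_use):
    """Capacity assessment of one subnet given the addresses currently
    assigned in it (addresses outside the block are reported separately,
    since they usually indicate a misconfiguration or a stale inventory)."""
    net = ipaddress.ip_network(network, strict=True)
    hosts = [ipaddress.ip_address(a) for a in in_use]
    outside = [str(h) for h in hosts if h not in net]
    used = len(hosts) - len(outside)
    capacity = usable_hosts(network)
    utilisation = used / capacity
    if utilisation > GROW_ABOVE:
        recommendation = f"grow to /{net.prefixlen - 1}"
    elif utilisation < SHRINK_BELOW and net.prefixlen < 30:
        recommendation = f"shrink to /{net.prefixlen + 1}"
    else:
        recommendation = "keep"
    return {
        "network": str(net), "usable": capacity, "used": used,
        "free": capacity - used, "utilisation": round(utilisation, 3),
        "outside_subnet": outside, "recommendation": recommendation,
    }


# Constructed sample inventories: a nearly full /26 (with one address that
# does not belong to it) and a nearly empty /24.
BUSY_IN_USE = [f"10.20.30.{i}" for i in range(1, 53)] + ["10.20.31.7"]
QUIET_IN_USE = ["192.168.5.10", "192.168.5.11"]

if __name__ == "__main__":
    print(assess("10.20.30.0/26", BUSY_IN_USE))
    print(assess("192.168.5.0/24", QUIET_IN_USE))
    print("prefix for 52 hosts:", smallest_prefix_for(52))
```

The address reported as outside the block is the kind of detail worth following up during an audit: it may be a host on a neighbouring subnet that was misrecorded, or a device that was moved without its inventory entry being updated. Either way it says something about the accuracy of the records the capacity figures rest on.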
Another important aspect to this domain is disaster recovery and planning. Continued operation in the event of a disaster is critical to the survivability of an organization and their overall security posture since disasters come in all shapes, sizes, and scopes. It is important to remember that disaster recovery goes beyond the technical aspects of the recovery methods and operating types of the remote sites. A proper DR plan also includes emergency communication plans and detailed steps for key personnel to perform in the event of a disaster.

Site Type   Typical RTO          Cost
Hot         0 - 24 hours         $$$$
Warm        24 hours – 7 days    $$$
Cold        Over 7 days          $$
Mobile      2 - 7 days           $$$-$$$$

Hot sites are alternate processing centers where backup equipment is already configured and running, ready to take the live production load whenever necessary. This is the most expensive type of recovery site and makes recovery much easier. Warm sites are similar, but the systems often need to be powered on or have data migrated over to ensure proper functionality. Cold sites range in readiness from rented rack space that is waiting for companies to bring physical
Another critical component of backups is the rotation of the backup media. The common methods for doing this are first in, first out; grandfather-father-son; and towers of Hanoi. First in, first out is simple and is typically used when long-term retention is not of particular concern. This means that once the retention limit is hit, the oldest backup is overwritten or deleted. Grandfather-father-son is the most common. This method uses a scheme where full backups are performed once a week, followed by incremental or differential backups daily. They are kept until retention has been reached. The towers of Hanoi method is by far the most complex and refers to the Towers of Hanoi puzzle.

The storage of backup media should be off-site and secured. The destruction of backup media is also important. If the drives or tapes are to be discarded they should be physically destroyed to ensure the data is not recoverable. It is also critical that backups are routinely tested to ensure proper recovery is possible. The integrity of these backups is probably the most critical component. Another important backup concept is the service level agreement. The SLA is what determines how backup rotation and schemes are selected. SLA documentation and requirements should drive the processes and procedures behind the backup implementations.

Auditing this domain centers around understanding the technical complexities of hardware and software configuration and the technical concepts related to the protection of data. Each component should have clear documentation for policies, procedures, and processes that the auditor can review.
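The three rotation schemes named above are easier to compare as schedules than as descriptions. The following is an added example, not from the study notes: a FIFO retirement rule, a grandfather-father-son schedule generator (weekly full, daily incrementals, with the first full of each month promoted to the long-retention grandfather tier), and the towers of Hanoi tape-selection rule, in which tape k is used every 2^(k+1) days so that the oldest tapes are overwritten least often. The weekday of the full backup, the retention lengths and the sample dates are assumptions made for the example.

```python
"""Added example: the three media rotation schemes, as schedules.
Retention periods, the weekly full-backup day and the sample dates are
constructed for the example."""
from datetime import date, timedelta


def fifo_retire(backup_dates, retention):
    """First in, first out: once more than `retention` backups exist, the
    oldest ones are the ones overwritten or deleted. Returns the dates to retire."""
    ordered = sorted(backup_dates)
    return ordered[:max(0, len(ordered) - retention)]


def gfs_schedule(start, days, full_weekday=6, keep_weeks=4, keep_months=12):
    """Grandfather-father-son schedule over `days` days starting at `start`.
    Weekly full on `full_weekday` (0 = Monday .. 6 = Sunday); every other
    day an incremental. Each entry is (date, type, tier, expiry).
    son     = daily incremental, kept one week (assumed)
    father  = weekly full, kept `keep_weeks` weeks
    grandfather = first full backup of a calendar month, kept `keep_months`
                  months (approximated as 30-day months here)."""
    plan = []
    months_seen = set()
    for i in range(days):
        d = start + timedelta(days=i)
        if d.weekday() == full_weekday:
            month = (d.year, d.month)
            if month not in months_seen:
                months_seen.add(month)
                plan.append((d, "full", "grandfather", d + timedelta(days=30 * keep_months)))
            else:
                plan.append((d, "full", "father", d + timedelta(weeks=keep_weeks)))
        else:
            plan.append((d, "incremental", "son", d + timedelta(weeks=1)))
    return plan


def hanoi_tape(day, num_tapes):
    """Towers of Hanoi rotation: which tape (0-based) to use on 1-based `day`.
    Tape 0 is used every 2nd day, tape 1 every 4th, tape 2 every 8th, and so
    on; the last tape absorbs every longer cycle. The tape index is the
    number of trailing zero bits in the day number, capped at the last tape."""
    if day < 1:
        raise ValueError("day numbering starts at 1")
    trailing_zeros = (day & -day).bit_length() - 1
    return min(trailing_zeros, num_tapes - 1)


def hanoi_usage(days, num_tapes):
    """Tape letter used on each of the first `days` days."""
    return ["ABCDEFGH"[hanoi_tape(d, num_tapes)] for d in range(1, days + 1)]


# Constructed sample inputs.
SAMPLE_START = date(2024, 1, 1)            # a Monday
SAMPLE_DATES = [date(2024, 1, d) for d in (3, 1, 2, 5, 4)]

if __name__ == "__main__":
    print("FIFO retires:", fifo_retire(SAMPLE_DATES, 3))
    for entry in gfs_schedule(SAMPLE_START, 14):
        print("GFS:", *entry)
    print("Hanoi, 5 tapes, 16 days:", "".join(hanoi_usage(16, 5)))
```

The expiry column in the GFS output is what an auditor would compare against the retention the SLA demands; the Hanoi output makes visible why that scheme is hard to manage by hand, since which tape to load changes every day in a pattern that is only obvious once written down.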
The fifth, and most heavily weighted, domain on the CISA exam is the protection of information assets. This domain accounts for 25% of the exam. This domain is primarily about the identification and protection of assets deemed critical to the organization. As with each section, top-down support is critical.
The primary processes that support information assets and security policy within the organization are security monitoring, auditing, security awareness training, incident response, information classification, vulnerability management, and corrective and preventive action processes. The roles within security should be clearly developed, defined, and communicated. Each person within the security team should have a clear understanding of their roles and responsibilities for securing the organization and supporting business goals and objectives.
The most important activity in a security management program is access management. This is what controls access to sensitive data of an organization so it is critical to get it right. The overall concept of access management consists of: user access management, network access management, and access log review.
User access management is concerned with managing the many facets of user access to systems. Typically, this is made up of user access provisioning, user access termination, and internal job transfers. User access provisioning is the process where access is granted to users, including the creation of accounts for new users. This process should be explicitly documented to include who is authorized to make the requests, how the requests are handled, and who is allowed to approve the requests, as well as how the requests are recorded and stored. Any request that involves administrative access to the domain should go through a more rigorous process involving multiple layers of approval. The risk in this process is great and should be managed very carefully. User access termination is concerned with how removal of access is handled when an employee is terminated or moves to another company. This access includes any physical and logical access. The criticality of the information being accessed will drive the timeline for this phase, but typically 24 hours is sufficient. When accounts are locked, they should not simply have the password changed; the account should be invalidated, both for the protection of the information assets and for the terminated employee’s reputation. In some cases, additional steps should be taken, such as notifying other employees of the termination and/or reviewing the employee’s actions prior to and after termination. Additionally, a periodic review should be conducted to ensure proper access is enforced and to