Domain 1—The Process of Auditing Information Systems (21%) 10.

10. Evaluate the organization’s business continuity plan (BCP), including alignment
1. Execute a risk-based IS audit strategy in compliance with IS audit standards to of the IT disaster recovery plan (DRP) with the BCP, to determine the
ensure that key risk areas are audited organization’s ability to continue essential business operations during the
2. Plan specific audits to determine whether information systems are protected, period of an IT disruption.
controlled and provide value to the organization.
3. Conduct audits in accordance with IS audit standards to achieve planned audit Domain 3—Information Systems Acquisition, Development and Implementation
objectives. (18%)
4. Communicate audit results and make recommendations to key stakeholders 1 Evaluate the business case for the proposed investments in information
through meetings and audit reports to promote change when necessary. systems acquisition, development, maintenance and subsequent retirement to
5. Conduct audit follow-ups to determine whether appropriate actions have been determine whether the business case meets business objectives.
taken by management in a timely manner. 2 Evaluate IT supplier selection and contract management processes to ensure
that the organization’s service levels and requisite controls are met.
Domain 2—Governance and Management of IT (16%) 3 Evaluate the project management framework and controls to determine
1. Evaluate the IT strategy, including IT direction, and the processes for the whether business requirements are achieved in a cost-effective manner while
strategy’s development, approval, implementation and maintenance for managing risk to the organization.
alignment with the organization’s strategies and objectives. 4 Conduct reviews to determine whether a project is progressing in accordance
2. Evaluate the effectiveness of the IT governance structure to determine with project plans, is adequately supported by documentation, and has timely
whether IT decisions, directions and performance support the organization’s and accurate status reporting.
strategies and objectives. 5 Evaluate controls for information systems during the requirements,
3. Evaluate IT organizational structure and human resources (personnel) acquisition, development and testing phases for compliance with the
management to determine whether they support the organization’s strategies organization's policies, standards, procedures and applicable external
and objectives. requirements.
4. Evaluate the organization’s IT policies, standards and procedures, and the 6 Evaluate the readiness of information systems for implementation and
processes for their development, approval, release/publishing, implementation migration into production to determine whether project deliverables, controls
and maintenance to determine whether they support the IT strategy and and the organization's requirements are met.
comply with regulatory and legal requirements. 7 Conduct post-implementation reviews of systems to determine whether
5. Evaluate IT resource management, including investment, prioritization, project deliverables, controls and the organization's requirements are met.
allocation and use, for alignment with the organization’s strategies and
objectives. Domain 4—Information Systems Operations, Maintenance and Service
6. Evaluate IT portfolio management, including investment, prioritization and Management (20%)
allocation, for alignment with the organization’s strategies and objectives. 1 Evaluate the IT service management framework and practices (internal or third
7. Evaluate risk management practices to determine whether the organization’s party) to determine whether the controls and service levels expected by the
IT-related risk is identified, assessed, monitored, reported and managed. organization are being adhered to and whether strategic objectives are met.
8. Evaluate IT management and monitoring of controls (e.g., continuous 2 Conduct periodic reviews of information systems to determine whether they
monitoring, quality assurance [QA]) for compliance with the organization’s continue to meet the organization’s objectives within the enterprise
policies, standards and procedures. architecture (EA).
9. Evaluate monitoring and reporting of IT key performance indicators (KPIs) to
determine whether management receives sufficient and timely information.
3 Evaluate IT operations (e.g., job scheduling, configuration management, 6 Evaluate the information security program to determine its effectiveness and
capacity and performance management) to determine whether they are alignment with the organization’s strategies and objectives.
controlled effectively and continue to support the organization’s objectives.
4 Evaluate IT maintenance (patches, upgrades) to determine whether they are
controlled effectively and continue to support the organization’s objectives.
5 Evaluate database management practices to determine the integrity and
optimization of databases.
6 Evaluate data quality and life cycle management to determine whether they
continue to meet strategic objectives.
7 Evaluate problem and incident management practices to determine whether
problems and incidents are prevented, detected, analyzed, reported and
resolved in a timely manner to support the organization´s objectives.
8 Evaluate change and release management practices to determine whether
changes made to systems and applications are adequately controlled and
documented.
9 Evaluate end-user computing to determine whether the processes are
effectively controlled and support the organization’s objectives.
10 Evaluate IT continuity and resilience (backups/restores, disaster recovery plan
[DRP]) to determine whether they are controlled effectively and continue to
support the organization’s objectives

Domain 5—Protection of Information Assets (25%)

1 Evaluate the information security and privacy policies, standards and
procedures for completeness, alignment with generally accepted practices and
compliance with applicable external requirements.
2 Evaluate the design, implementation, maintenance, monitoring and reporting
of physical and environmental controls to determine whether information
assets are adequately safeguarded.
3 Evaluate the design, implementation, maintenance, monitoring and reporting
of system and logical security controls to verify the confidentiality, integrity
and availability of information.
4 Evaluate the design, implementation and monitoring of the data classification
processes and procedures for alignment with the organization’s policies,
standards, procedures and applicable external requirements.
5 Evaluate the processes and procedures used to store, retrieve, transport and
dispose of assets to determine whether information assets are adequately
safeguarded.
Domain 1. The Process of Auditing Information Systems
● Data owner specifies controls, is responsible for acceptable use, and
1. 5 Task Statements
appoints the data custodian.
● Develop and implement a risk-based IT audit strategy in compliance with
● Data custodians: protect information and ensure its availability as well as
IT audit standards to ensure that key areas are included.
supporting the data users.
● Plan specific audits to determine whether information systems are
● Data users: comply with acceptable use and report violations.
protected, controlled and provide value to the organization.
● Conduct audits in accordance with IT audit standards to achieve planned
audit objectives.
● Report audit findings and make recommendations to key stakeholders to
4. CobiT – Control Objectives for Information and Related Technology. A
communicate results and effect change. framework consisting of strategies, processes, and procedures for leading IT
● Conduct follow ups or advise on risk management & control practice organizations.

2. Code of Ethics – IPS PC DE 5. Organizations typically have four types of documents in place:

● Support the implementation of appropriate policies, standards, guidelines, ● Policies = goals; policies provide emphasis, set directions, and must be
and procedures for information systems. backed by recognized management. Policies that are not managed in a
centralized manner may suggest a non-uniform measurement standard.
● Perform your duties with objectivity, professional care, and due diligence
● Standards = definition of requirement; mid-level documents containing
in accordance with professional standards. Support the use of best
practices. measurement control points to ensure uniform implementation in support
of a policy. A missing standard indicates negligence by failing to define the
● Serve the interests of stakeholders in an honest and lawful manner that requirement. Compliance is mandatory.
reflects a credible image upon your profession. i. Categories of standards (highest influence on lowest):
● Maintain privacy and confidentiality of information obtained during your ▪ Regulatory
audit except for required disclosure to legal authorities. ▪ Industry
● Undertake only those activities in which you are professionally competent;
▪ Organizational
strive to improve your competency.
● Disclose accurate results of all work and significant facts to the appropriate ▪ Personal
parties. ● Guidelines = general instructions; provides vague direction of to provide
● Support ongoing professional education to help stakeholders enhance their limited advice in absence of applicable standard. Guidelines are
understanding of information systems security and control. discretionary and can be used to create new standards.

3. Working with IT professionals

 ● Procedures = how to instructions; a step by step instructions to perform ● Audit charter:
desired actions. They provide support for standard, and compliance is i. Issued by executive management or the board of directors to grant the
mandatory. Lack of written procedures represents negligence of duty. right to audit and delegate management’s assertions.
ii. State management’s assertions:
6. Types of audit:
▪ Responsibility: goals & objectives
● Internal audits and assessments: self-assessment within an organization
▪ Authority: right to perform an audit and the right to obtain access
and the finding cannot be used for licensing.
relevant to the audit
● External audits: a customer audits their vendor/supplier to ensure the
▪ Accountability: defines mutually agreed-upon actions between the
expected level of performance as mutually agreed upon in their contracts.
audit committee and the auditor
● Independent audits: relied on for licensing, certification, or product
● Audit committee:
approval.
i. Provide advice to the executive accounting officers concerning internal
control strategies, priorities, and assurance.
ii. Issuing the audit charter to grant the authority for internal audits.
● Preplanning
i. Engagement letter: defines the responsibility, authority, and
accountability to an independent auditor for individual assignments.
7. Audit Program ii. Elements: All points outlined in the charter (responsibility, authority,
● An audit is requested by client, who is responsible for setting the scope, and accountability)
granting authority, and providing access to the auditee. iii. Selecting the type of audit:

● Program management vs. Project ▪ Product or service: efficiency, effectiveness, controls, and life-cycle
i. Program: ongoing activities managed by an executive. ▪ Processes: method or result
ii. Project: a short-term activity managed by a project manager operating
outside the normal organizational structure. ▪ System: design or configuration

● Audit program monitoring and review ▪ General controls: preventive, detective, and corrective
i. Key goal indicator (KGI): use goals as performance evaluation.
▪ Organizational plans: present and future objectives
ii. Key performance indicator (KPI): use metric as performance evaluation.
iv. Identify objectives and restriction on scope
● Planning audits:
▪ Undue restrictions on scope would be a major concern.
i. Scope: the boundaries to be reviewed
ii. Criteria: identify a set of policies to be measured against. ▪ Standards are mandatory, and any deviation would require
iii. Team justification
v. Audits vs assessments:
8. Audit process
 ▪ Traditional audit ▪ Technical testing and analysis (excellent)
iii. Fundamental issues concerning internal controls
▪ Assessments: for training and awareness purpose where the goal is
to determine value of current process. ▪ Management is often exempt from controls

▪ Control self-assessments (CSA): executed by the auditee with auditor ▪ How controls are implemented determines the level of assurance
as facilitator. The goal is self improvement of the client or identify iv. Hierarchy of internal controls (highest to lowest)
area with higher risk. Independence is not required.
▪ General control (overall): policies, structures, job description,
vi. Risk management strategies: applied to all organizational activities.
segregation of duties, budgeting, and auditing.
▪ Accept
▪ Pervasive controls (follows technology): they are those general
▪ Mitigate controls that focus on the management and monitoring of the
technology environment.
▪ Transfer
▪ Detailed controls (task): specific steps or tasks to be performed.
▪ Avoid
▪ Application controls (embedded in programs)
● Performing the audit
v. Internal control categories: detective, preventive, and corrective.
i. Determining competence and evaluating auditors vi. Implementation methods:
▪ Skills matrix: area of knowledge, proficiency, and specialized training ▪ Administrative ($): people-based control by using written policies
required to fulfill the audit and procedures
▪ Use the work of other requirements: ▪ Physical ($$): physical barriers or visual deterrents
o Independence and objectivity
o Competence, qualification, and experience ▪ Technical ($$$): using software or hardware process to calculate an
o Agreement on scope approval or denial based on specific attributes (special technology)
o Level of review and supervision required ● Audit planning
ii. Data collection technique
i. Work should be repeatable by another auditor (5Ws), and properly
▪ Observation (good) documented in working papers.
ii. Assign audit team: ensure adequate experience, competency, and
▪ Surveys (poor)
training of the members.
▪ Document review (good) iii. Shewhart’s process technique: plan-do-check-act cycle
● Gather evidence
▪ Interviews (good)
i. Direct evidence more preferable to indirect evidence
▪ Workshops (mixed) ii. Audit samples:
▪ Computer-assisted audit tools (good)
 iv. Evidence life cycle: failure to maintain a proper chain of custody may
▪ Statistic sampling: mathematical quantifiable and presented as a
disqualify the evidence: The ideal is to ensure the evidence is properly
percentage. Examples include: random, cell (predefined interval), collected, under appropriate custody, and unaltered during the process.
and fixed interval. v. Compliance testing: tests for the presence or absence of something.
▪ Non-statistic sampling: based on judgment. Example includes ▪ Attribute sampling: determine the presence of certain attribute
haphazard. Ideal is to focus on materiality rather than
representation of the actual population. ▪ Stop-and-go sampling: when few errors are expected
iii. Computer-Assisted Audit Tools methods
▪ Discovery sampling: 100% sampling to detect fraud or when the
CAAT method Characteristics Complexity
likelihood of evidence existing is low
Online event Read logs & alarms Low ▪ Precision or expected error rate: lower error rate = large sample in
monitor
testing; smaller sample is used when the population is expected to
Embedded program Flags selected transactions Low be error-free
audit hooks vi. Substantive testing: seek to verify the content and integrity of evidence
▪ Variable sampling: used to designate dollar values or weights of an
Continuous & Audits any transaction that Medium
intermittent meets preselected criteria entire subject population by prorating from a smaller sample.
simulation ▪ Unstratified mean estimation: attempt to project an estimated total
for the whole subject population.
Snapshot Assembles a sequence of Medium
data captures into an audit ▪ Stratified mean estimation: calculate an average by group.
trail.
▪ Difference estimation: used to determine the difference between
Embedded audit Processes dummy High audited and unaudited claims of value.
module transactions along with ● Audit findings:
genuine, live transaction
i. Independence is required in the report for external auditor.
System control audit System-level audit program High ii. Indicators of illegal or irregular activity:
review file with used to monitor multiple ▪ Questionable payments
embedded audit EAMs inside the application
modules software. This is a mainframe ▪ Unsatisfactory record control
class of control. ▪ Unsatisfactory explanations
CAATs are able to perform faster than humans and produce more ▪ Other questionable circumstance
accurate data in functional testing. However, costs, training, and
iii. Examples of irregular activities:
security of output are major consideration.
▪ Fraud
 ▪ Theft or embezzlement ● Capability Maturity Model (CMM): provides a framework for developing,
improving and sustaining business performance in your environment.
▪ Suppression: suppressing data or records
i. Level of maturity
▪ Racketeering: the process of repeated fraud or other crime # Level Description Process ISO

▪ Regulatory violations 1 Initial Adhoc Unique and chaotic; Performed

iv. Auditor should never take ownership of any problems found as such act project completion
would violate independence. depends on people
v. Subsequent events:
2 Repeatable Documented Project management Managed
▪ Type 1 event: events occur before the B/S date with basic standards
▪ Type 2 event: events occur after the B/S date and procedures
documented

3 Defined Well Standardization with Established

documented objectives in
and understood qualitative
measurement

4 Managed Management Predictable by Predictable

controls quantitative measures
processes

5 Optimized Continually Least freedom with Optimizing

improvement statistical process
control

● Key Performance Indicator (KPI)

i. Represent a historical average of monitored events
ii. KPI may indicate a failing score too late to implement a change
● The IT BSC is a tool that provides the bridge between IT objectives and
business objectives by supplementing the traditional financial evaluation
with measures to evaluate customer satisfaction, internal processes and
the ability to innovate.
Domain 2. Governance and Management of IT
1. Performance Reporting
 iii. Understand current process first
● Assessment methods provide a mechanism, whereby IS management can
iv. No leftovers
determine if the activities of the organization have deviated from planned
or expected levels. These methods include 3. Project Estimation
i. IS budgets
ii. Capacity and growth planning ●Source Lines of Code (SLOC) – traditional method (also Kilo LOC or KLOC) –
iii. Industry standards/benchmarking direct size-oriented measures
iv. Financial management practices, and
●Thousand Delivered Source Instructions (KDSI) – better with structured
v. Goal accomplishment.
2. Business process Reengineering: concerns with reducing costs of the existing programming languages like BASIC, COBOL
process while increasing performance. ●Function Point Analysis (FPA) – indirect measure based on number and
● Areas of improvement complexity of inputs, outputs, files, interfaces, and user queries • Functions
i. Business efficiency are weighted by complexity
ii. Improved techniques ●Project Diagramming
iii. New requirements i. Gantt: resource details; uses schedule & sequence in waterfall-style (MS
● Guiding Principles Project); serial view w/bars & diamonds
i. Think big: unconstrained top-down approach. ▪ Shows concurrent and sequential activities
ii. Incremental: bottom-up approach that identify improvement for
current processes. BPR teams tend to spend too much time ▪ Show project progress and impact of completing a task early or late
documenting the current processes. ii. PERT (Program Evaluation Review Technique)-illustrates relationships
iii. Hybrid: top-down strategy and planning with bottom-up research. between planned activities
● Application steps:
9. Organizational control
i. Envision: develop an estimate of the ROI from the proposed change
ii. Initiate: setting BPR goal with the sponsor and focus on planning the ● Goal of governance: hold executives at the top responsible for decision and
collection of detailed evidence necessary all the consequences.
iii. Diagnose: document existing processes and identify what is working
● IT steering committee: convey the current business requirements from
and the source of each requirement.
iv. Redesign: develop redesign plans to be review and approve by the business executives to the IT executive.
steering committee. i. Top management mediating between the imperatives of business and
v. Reconstruct: implementation of the new process through deconstruct technology is an IT strategic alignment best practice.
of current process. ii. Individuals that have the authority to act on behalf of their department
vi. Evaluate: ensure the new process is producing the strategic value as iii. Usually managed by executive chairperson (COO)
forecast and establish performance measure. iv. Authorized by a formal charter

● Rules ● Planning decision

i. Fix only broken processes Strategic Long-term Operational
ii. Calculate ROI
Time Frame 3+ year 1-3 years 1 year or less
 iii. Level 2 = repeatable: processes are documented in detail with specific
procedures for each worker that can be repeated with consistency.
Role Objective & Policy Standard Procedure Decisions are made by managers.
iv. Level 3 = defined: standardization and qualitative measurement for
Who? Board, CEO, COO, CEO, COO, CFO, Director,
detailed accounting. Decisions are made by formal review committees
CFO VP, Directors Managers,
while department managers have less authority.
Technical Leads v. Level 4 = managed: Quantitative measurements of ROI into all decision
Primary Business trend to Forecast financial What to buy and a formal project priority system is practiced with a project
question exploit trend management office governing projects.
vi. Level 5 = optimized: with continuous improvement using statistical
Expand or Major business Forecast Resize process control. Specific rules in place that anyone can perform the
contract components organizational tasks, controls reside in executives while department managers and
changes workers have no authority.

Concentration New product Forecast needs Minimum staffing 3. Executive Steering Committee
based on trend ● Goal: align IT functions with current business objective.
What products Tasks to meet Forecast costs vs Initiate new ● Methods: Critical success factors and scenario approach
and services long-term plan expected revenue support training
are planned ● Aligning software to business needs
i. Establish the need (internal vs. external)
Focus General Financial plan Daily support
ii. Identify the work effort
statement iii. Summarize the impact
Domain 3. Information Systems Acquisition, Development and Implementation iv. Conduct initial feasibility analysis
1. Strategic system (fundamental change) vs. tactical system (support) v. Present the benefit
● IT steering committee provides open communication of business objective
2. Capability Maturity Model for IT support. Focus is placed on fulfillment of the business objective.
● Goal: to eliminate decision-making authority from the department
manager and workers and shifts to executive management level.
4. Change Management
● A baseline reference to chart current progress or regression.
● Change control board: the board review all changes requires and
● Levels of CMM: determine whether authorization should be granted. Change control
i. Level 0 = Nonexistent: nothing is getting done and individual managers review must include input from business users.
hold the authority for decisions. ● Approaches:
ii. Level 1 = Initial: Decision authority resides in the individual workers and
i. Evolutionary
is supported by a local manager.
 ▪ Traditional viewpoint where number one source of failures is a result ● Phase 1: Feasibility Study
of error in planning and design. i. Goal: determine the strategic benefits to be accomplished and the
anticipated payback schedule of the project.
▪ System Development Life Cycle:
ii. Constructive Cost Model: a method to estimate the effort, schedule,
a. Waterfall model: The waterfall method helps ensure that errors and cost of developing a new software application.
are detected early in the development process. Waterfall
development is a procedure-focused development cycle with ▪ Source lines of code: forecasts estimate by counting the individual
formal sign-off at the completion of each level. lines of program source code regardless of the embedded design
b. Spiral model: It’s a risk-driven model which means that the quality.
overall success of a project highly depends on the risks analysis
▪ Function point analysis: divide program functions into classes and
phase. Risk analysis requires specific expertise on every iteration.
<Note> The waterfall and spiral are based on gather requirements, rank them by complexity. Based on complexity, the estimated of
forecasting, designing, and building. work is calculated.
c. Agile Prototyping model: It fits when the project is unable to iii. Statement of work: a formal approval by the executive management to
forecast, plan, or don’t have a detailed design. A repeated trial- grant the go-ahead of the project and force cooperation.
and-error process is utilized. iv. Auditor should focus on initial needs analysis and ensure the risk
ii. Revolutionary mitigation strategy is in place.

▪ Business users should be allowed to experiment in an effort to ● Phase 2: Requirements Definition

generate software program for their needs. The end user holds all i. Goal: define inputs, outputs, current environment, and proposed
the power of success or failure. interaction. The specification is defined in this step.
ii. Entity-relationship diagram: defines high-level relationships between
▪ Lack of internal controls and failure to obtain objectives are major the entities as well as data dictionary that standardize term of reference
concerns. for each data in the database.
iii. Change Management Auditing iii. Auditor’s interest: project plan and estimated costs have been
approved and requirements include sufficient security (not using default
▪ Program library access is restricted
configuration) to protect the data classified in the record management
▪ Supervisory reviews occur system.

▪ User approves change ● Phase 3: System Design and Selection

i. Goal: To plan a solution by using the objectives from phase 1 and the
▪ A LAN administrator should not have programming responsibilities specification from phase 2. The client has to determine to build the
but may have end-user responsibilities. system in-house or buy the hardware.
ii. Best time for software developer to work directly with the user.
▪ Emergency Changes: Emergency ID use is logged and monitored with
iii. Cost estimates are compared to the assumptions made.
normal change controls are applied, often retroactively iv. Auditor’s interest: verifying that processing and output controls are
incorporated into the system.

5. SDLC Phases ● Phase 4: Development

 i. Goal: Prototypes are built for functional testing and user acceptance ii. Certification: a technical process of testing against a known reference.
testing occur during this stage. iii. Accreditation: an administrative process based on management’s
ii. Software testing methods: comfort level with demonstrated performance or fitness of use. The
purpose is to hold a management executive responsible to ensure
▪ White-box: or crystal-box testing, assesses the effectiveness of
corporate governance.
software program logic. Specifically, test data are used in iv. User training: system custodians need to be trained for normal
determining procedural accuracy or conditions of a program's logic operations and emergency procedures.
paths. Verifying the program can operate successfully with other v. Go live:
parts of the system is sociability testing.
▪ Parallel operations: lowest risk
▪ Black-box testing: the process is to put data through the system to
see whether the results come out as expected. Testing the program's ▪ Phased changeover: best suited upgrade or conversion; it has
functionality without knowledge of internal structures. modest risk
▪ Sand-box testing: Controlled testing of programs in a semi-debugged ▪ Hard changeover: highest level of risk
environment, either heavily controlled step-by-step or via vi. Program-to-program passwords in static configuration files should be
monitoring in virtual machines. documented and ensure privileged passwords are listed for rotation.
▪ Functional, or validation testing: compares the system against the ● Phase 6: Postimplementation
desired functional requirements to determine if the product has met i. Goal: Compare performance metrics to the original objective, and
our objectives for its intended use. implement requests for new requirements, updates, or disposal.
ii. ROI calculation to compare cost to the actual benefit received.
▪ Regression testing: ensure that a change does not create a new
iii. Periodic reviews and monitoring procedures are necessary to verify that
problem or conflict with other functions in the program. It is part of the system is maintained in a manner that supports the original
the quality control process. objectives and controls.
iii. Auditor objective:
● Phase 7: Disposal
▪ Verify that a quality control process has been used to develop an
i. Goals: Archive old data, and management signs a formal authorization
computer program. for the disposal and accepting liability.
▪ Programs have undergone debugging with formal testing and
supporting document has been created to assure system integrity 6. A generation language may refer to any of the following:
and production use. ● 1GL: low-level languages that are machine language.
▪ The finished software capabilities have been verified for compliance ● 2GL: also low-level assembly languages. They are sometimes used in
to original objective and acquired user acceptance. kernels and hardware drives, but more commonly used for video editing
● Phase 5: Implementation and video games.
i. Goal: Final acceptance testing begins, and users are trained in the new ● 3GL: English-like statement language, such as C, C++, Java, JavaScript, and
system. System testing is undertaken by the developer team to Visual Basic.
determine if the software meets user requirements per specifications.
 iii. ACID model for fata base integrity:
● 4GL: English-like statement language with embedded database. Fourth
generation languages are commonly used in database programming and ▪ Atomicity guarantees that either the entire transaction is processed
scripts examples include Perl, PHP, Python, Ruby, and SQL. or none of it is.
● The fifth-generation languages, or 5GL, are programming languages that ▪ Consistency ensures that the database is in a legal state when the
contain artificial intelligence that are learning system. Examples of fifth transaction begins and ends.
generation languages include Mercury, OPS5, and Prolog.
▪ Isolation means that, while in an intermediate state, the transaction
7. Alternative development techniques: data is invisible to external operations.

● Agile development method ▪ Durability guarantees that a successful transaction will persist and
i. Uses time-box management techniques to force individual iterations of cannot be undone.
a prototype in a short time span by allowing programmers to start ● Decision support system
writing a program using lots of trial and error without spending time on i. Reference by context: value = low; supplies answers based on estimated
preplanning documentation. level of reference.
ii. It is designed for use by small teams of talented programmers. ii. Colleague, or associate, level: provides tedious calculation support but
iii. However, it does not scale very well. leaves the real decisions to the user.
iv. An ongoing team learning process to refine project management. iii. Expert level: written by capturing specialized data from a person who
v. It places greater reliance on the undocumented knowledge contained in has been performing the desired work for 20 or 30 years.
a person’s head.
● Rapid application development method
i. Well defined methodology that works for small, well-trained team
ii. Uses 4GL programming language Domain 4—Information Systems Operations, Maintenance and Service
Management
● Hueristic (prototyping) development 1. Personnel roles and responsibility
i. Combines best of the SDLC with an iterative approach that enables Job Role Authorized Production Development Security Execute
developer and customer to react to risks at each iteration Changes Library Library Access Administration Production
ii. Focuses on prototyping screens and reports Access Configuration Changes

System user Approve Use No No No

8. Data Architecture
(End user)
● Database architecture
System Request Monitor- No Implement When
i. Data-oriented database: Data entries have fixed length and format;
administration Control approved
thus, the information is predictable. It Is used when the structure and
format of the data is well known and predictable. (Custodian)
ii. Object-orient database: Data entries may be unpredictable as there is
Security Approve No No Specify control No
not fixed format. Each programmed object has its own data for administration
reference and its own method of accomplishing a required task.
 Job Role Authorized Production Development Security Execute
Changes Library Library Access Administration Production
● Privileged login accounts security control:
Access Configuration Changes i. Password must be changed every 30 days
(Custodian) ii. Retired passwords are to be backed up and protected in a controlled
environment that is offsite
Programming/ Request No Create No No
iii. Default login account should be disabled
development software
● Required data protection controls:
Change testing Test only No No Test only No
i. Standing data controls: requires additional controls such as storage in
(use isolated (use isolated
encrypted format
test) test)
ii. System control parameters: used to customize the configuration
Change Approve No No No NO settings and software application
control
iii. Logical access controls: direct access through open databased
connectivity should be prohibited and all access to data files should be
● Information security managements: ensures confidentiality, integrity, and
forced through authentication in a user right management program
availability of computing resources. (application processing control)
i. Chief information security office: define and enforce security policies for iv. Transaction processing controls: should be controlled with
organization, and review periodically. authentication and validation checks
ii. Chief privacy officer: protecting confidential information.
● Process control:
iii. Information systems security manager: day-to-day process of ensuring
compliance for system security. i.Batch totals: compare output
iv. Data owner: responsible for data content and authorization. ii.Total number of items: ensure each item was processed
v. Data custodian: responsible for safeguard and availability of data. iii.Transaction logs: record activity
iv. Run-to-run total: verify data values during the different stages of
● Compensating controls: goal is to reduce errors or omission when
processing
preferred control cannot be implemented. v. Limit checks
i. Job rotation vi. Exception reporting
ii. Audit / reconciliation vii. Job cost accounting
iii. Exception report
● Mobile software
iv. Transaction logs
v. Supervisor review Low Risk Moderate Risk High Risk

PDF Applets ActiveX

Adobe Flash PostScript

2. System access controls JavaScript Visual Basic

i. ActiveX places no restrictions on what the programmer can do.

 i. Recovery point objective (RPO) – based on acceptable data loss; earliest
time in which it is acceptable to recover; date/time or synchronization
point to which systems/data will be restored.
3. Business Continuity Plan ii. Recovery time objective (RTO) – based on acceptable downtime;
earliest time when business operations must resume.
● The strategy for which the sum of downtime cost and recovery cost is the
iii. Interruption window – how long a business can wait before operations
lowest is the optimal strategy. resume (after this point, losses are unaffordable)
● Components iv. Maximum Tolerable outage (MTO) – maximum time business can
i. DRP plan: It is critical to initially identify information assets that can be operate in alternate processing mode before other problems occur
made more resilient to disasters. v. Service delivery objective (SDO) – acceptable level of services required
ii. Plan to restore operations to normal following disaster during alternate processing
iii. Improvement of security operations ● Recovery Alternatives
● BCP Lifecycle i. Hot site – fully configured and ready to operate within hours. Not for
i. Create BCP policy extended use.
ii. Business Impact Analysis (BIA) should be conducted with input from a ii. Warm site – partially configured. Site ready in hours, operations ready
wide array of stakeholders, which identifies in days or weeks.
iii. Cold site – has basic utilities, ready in weeks.
▪ Protecting human resources during a disaster-related event should iv. Redundant site – dedicated, self-developed sites.
be addressed first. v. Mobile site – data center in a box
vi. Reciprocal agreements with other businesses
▪ Different business processes & criticality

▪ Critical IS resources supporting critical business processes 4. The IS auditor might need to review specific reports associated with availability
and response. This list identifies log types and characteristics:
▪ Critical recovery period before significant losses occur
● System logs identify the activities performed on a system and can be
▪ A determination of acceptable downtime is made analyzed to determine the existence of unauthorized access to data by a
iii. Classify of operations and criticality user or program.
iv. Identify IS processes that support business criticality ● The review of abnormal job-termination reports should identify application
v. Develop BCP and IS DRP
vi. Develop resumption procedures jobs that terminated before successful completion.
vii. Training and awareness programs ● Operator problem reports are used by operators to log computer
viii. Test and implement plan operations problems and their solutions. Operator work schedules are
ix. Monitoring: Periodic testing of the recovery plan is critical to ensure maintained by IS management to assist in human resource planning.
that whatever has been planned and documented is feasible.
● Capacity-monitoring software to monitor usage patterns and trends
● Terms
enables management to properly allocate resources and ensure
continuous efficiency of operations.
 ● Network-monitoring devices are used to capture and inspect network ● Level 0 + 1 – High transfer rate; striped plus mirror; losing 2 drives = major
traffic data. The logs from these devices can be used to inspect activities data loss
from known or unknown users to find evidence of unauthorized access.
2. Open Systems Interconnection Model: a conceptual model that characterizes
● System downtime provides information regarding the effectiveness and
and standardizes the communication functions of a telecommunication or
adequacy of computer preventive maintenance programs and can be very computing system without regard to its underlying internal structure and
helpful to an IS auditor when determining the efficacy of a systems- technology.
maintenance program. Layer Name Example protocols Function

7 Application HTTP, FTP, DNS, Where user interact directly with

Layer SNMP, Telnet the software application and
calculation.

6 Presentation SSL, TLS Handles data and encryption;

Layer also translates in the format all
computers can understand.
Information Systems Operations, Maintenance and Service Management
1. Redundant Array of Inexpensive/Independent Disks (RAID) 5 Session NetBIOS, PPTP It is where communications
Layer between systems are managed.
● Level 0 Striping: It makes several disks appear as one big disk. It has the
best performance, but data loss is likely. 4 Transport TCP, UDP This layer specifies the method
Layer of delivery.
● Level 1: Disk mirroring, all the data is written to at least two separate
physical disks to prevent data loss. However, it cuts usable space in half. i. Confirmed delivery: TCP
● Level 2 – Hamming code ECC – interweaving data based on hamming code connection; however, slower
to provide error correction.
(EXPENSIVE and rare; hardware based, resource intensive)
ii. Unconfirmed delivery: User
● Level 3 – parallel transfer with parity; at least 2 striped data drives with 1 Datagram Protocol (UDP). It
for parity (faster in HW) is faster with less overhead.
● Level 5 – block level; the most commonly used method. It uses less disk 3 Network IP, ARP, ICMP, This layer handles addressing
space than RAID-1 for the same amount of usable storage. It is cheap yet Layer IPSec and routing the data -- sending it
provides the best overall read and write performance. in the right direction to the right
● Level 6 – It uses independent disks with a very high transfer rate, and it is destination.
very expensive. The disks in the same string appear as one large disk. 2 Data Link PPP, ATM, It focuses on establishing data
● Level 10 – high reliability & performance; at least 4 drives, stripes level 1 Layer Ethernet, Switches communications via hardware
segments; hi I/O device drivers and the
 Layer Name Example protocols Function
3. Firewall
transmit/receive function
● Designs
1 Physical Ethernet, USB, The physical layer is responsible i. Screened host implementation: a single host computer through the
Layer Bluetooth, for sending computer bits from firewall. It is expected that the host computer to be attacked.
IEEE802.11 one device to another along the ii. Dual homed host: A special software application relays appropriate
network. communication between the two interface cards.
iii. Screened subnet (DMZ design): allows for several computers to be
placed in a protected subnet that is accessible from the outside and by
3. Network cables & topologies systems inside the network.
● Topologies iv. Stateful inspection: collects the history and nature of the connectionless
i. Bus: uses coaxial cable but runs the risk of interrupted transmission requests to determine whether the remote request should be
since computers are linked together with one cable. transmitted to the destination computer or discarded as hazardous.
ii. Star: computers are connected to a network hub (or switch) with ● Types of Firewall
additional cables. It offers flexibility but higher cost on more cables. i. Out of all types of firewall, Application-Level Firewall provides greatest
iii. Ring: allows the redundant path to create a fault-tolerant network. security environment (as it works on application layer of OSI model).
iv. Meshed: has alternate connections for major backbone point on the ii. In any given scenario, most robust configuration in firewall rule is ‘deny
network. It also has higher cost of implementation. all traffic and allow specific traffic’ (as against ‘allow all traffic and deny
● Cable types: specific traffic’).
i. Coaxial: for longer distance and in areas prone to electrical interference iii. Stateful Inspection Firewall allows traffic from outside only if it is in
or for outdoor connections. response to traffic from internal hosts.
ii. Unshielded twisted-pair cable: inexpensive and is commonly used in Firewall OSI Layer
star topologies. Application Level Application Layer
iii. Fiber optic cable: has an extremely wide bandwidth but is expensive
and fragile glass strands. Circuit Level Session Layer

2. IDP vs. IDS Stateful Inspection Network Layer

● A host-based intrusion prevention system (IPS) prevents unauthorized Packet Filtering Router Network Layer
changes to the host.
● A network-based intrusion detection system (IDS) relies on attack 4. In any given scenario, following are the best practises for Wireless (Wi-Fi)
signatures based on known exploits and attack patterns. security:
i. Statistical: calculation of network traffic and loadings ● Enable MAC (Media Access Control) address filtering.
ii. Signature: known patterns and techniques
iii. Neural: learning network ● Enable Encryption to protect data in transit.
iv. Honey bits, pot, net: sacrificial files, server, or subnet
● Disable SSID (service set identifier) broadcasting.

● Disable DHCP (Dynamic Host Configuration Protocol).

● Security ranking: randomly generated PSK > MAC-based PSK (MAC address
of a computer is fixed and often accessible) > WEP (very weak encryption
technique and can be cracked within minutes) > SSID.
● In any given scenario, WPA-2 (Wi-Fi Protected Access) is the strongest
encryption standard for the wireless connection.
● In any given scenario, confidentiality of the data transmitted in a wireless
LAN is BEST protected, if the session is encrypted using dynamic keys (as
compared to static keys)
● Electromagnetic emissions from a terminal can be detected by
sophisticated equipment and displayed, thus giving access to data to
unauthorized persons.
● Configuration management is one of the key components of any network
since it establishes how the network will function internally and externally.
Domain 5—Protection of Information Assets
● Task-based access control: bases on task requirement.
1. Security goal and matching control
Security Goal Primary Control Failure Consequence ● Attribute-based access controls: a selective control that is flexible.

▪ Data classification ▪ Unauthorized disclosure

Confidentiality
3. Application software control: Provide security by using a combination of user
▪ Separation of duties ▪ Data breach identity, authentication, authorization, and accountability.
● Database view: read restriction placed on particular columns in the
▪ Least privilege ▪ Organization failure
database.
▪ Controls appropriate in every
● Restricted user interface
step of users’ business
workflow ● Security label bypass: a metadata control in MAC control environments
Integrity Control & trust Loss of control that specifies who may access the file and how the file may be used.
Additional compensating controls are necessary in certain situations to
Availability Authentication of allowed users Unauthorized access with or protect against the bypass of MAC security level.
without detection
● Internal access control lists should be used to implement least privileged .
● An important benefit of a well-defined data classification process would be
4. Biometrics sensors:
to lower the cost of protecting data by ensuring that the appropriate
controls are applied with respect to the sensitivity of the data. ● The purpose of biometrics is to provide authentication of the person after
● The IS auditor must identify the assets, look for vulnerabilities, and then they identify him/herself.
identify the threats and the likelihood of occurrence. ● A biometrics sensor creates a new data template every time the sensor is
used, which is compared to the database by the template matcher.
2. Technical protection
● Drawbacks
● Mandatory access controls: use a set of rules determines which person i. Enrollment failure: sample of user fail to be accepted by the system
(subject) will be allowed to access he data (object). The access privileges ii. False rejection: system rejects a legitimate user
are predetermined based on a list. iii. Equal error vs. crossover error rate: trade off between speed &
i. Changed by admins making decisions derived from policy efficiency
ii. Example: password complexity requirements iv. Throughput rate: the samples system can process and still have
● Discretionary access controls: allows a designated individual to decide a accuracy; higher risk situation should have lower throughput rate.
broad level of user access. The IS auditor needs to investigate how the
5. Kerberos single sign-on
decisions are selected, authorized, managed, and viewed at lest annually.
i. Controls that CAN be changed by normal users/data owners ● User log in once to Kerberos, and the system authenticates the user and
ii. Example: access to departmental shared folder on server grants access to all resources
● Role-based access control: based on job requirement. ● A strong password and strong encryption will improve overall security
 ii. Encryption keys must be individually managed, tracked (in a library),
6. Encryption and unique to each task
iii. Separation of duties:
● Methods
i. Private-key: secrete key that is shared between the authorized person, ▪ Encryption keys need to be generated on a system that is physically
and the key must be protected with the highest due diligence. A shared and logically isolated from other system and transfer via read-only-
key between sender and receiver is referred to as symmetric-key media
cryptography. It is fast but must be protected with highest diligence.
▪ Users should never have direct access to encryption key
▪ Advanced encryption standard (AES) is a secure encryption algorithm iv. The use of specific encryption keys should be limited
that is appropriate for encrypting passwords. v. The use, archiving, and destruction of encryption keys require a formal
ii. Public-key: also known as asymmetric cryptography, uses a public key review
to encrypt and a private key to decrypt. Using two private keys would vi. Nonrepudiation, achieved through the use of digital signatures,
not be possible with asymmetric encryption. Asymmetric cryptography prevents the senders from later denying that they generated and sent
is typically used for the transmission of data. It has 4 components: the message.
▪ Certificate Authority (CA) issues certificates. The primary role of the ● Digital rights management (DRM): uses public-key encryption to enforce
CA is to authenticate the entity owning a certificate and to confirm digital rights.
the integrity of any certificate it issued. i. Steganography is a technique for concealing the existence of messages
or information.
▪ Registration authority: delegated bookkeeping and issuing function
from the CA
▪ Certificate revocation list: maintained by the CA to indicate that 7. Network security protocols
certificates have expired or are revoked ● Pretty Good Privacy: for personal file encryption
▪ Certification practice statement: disclosure document that specifies ● Transport Layer Security (TLS): for secure transmission internally and over
how a CA will issue certificates Internet. TLS replaced SSL which was used by most websites. TLS is the
● Problems when using encryption preferred method to use for all secure sessions.
i. Creating and issuing keys requires discipline or the key can be easily ● Secure Hypertext Transfer Protocol (HTTPS): older version still uses SSL.
compromised The newer sites should all use TLS.
ii. Separate keys should be used for separate classification of data
iii. Encryption key must be rotated ● Internet Protocol Security (IPsec): a secure network protocol suite that
iv. Encryption only protects the output file, not the original source file authenticates and encrypts the packets of data sent over an IPv4 network.
v. The system is still vulnerable to attack VPN’s primary purpose is to protect data in transit using tunnelling.
● Encryption-key management: ● The Secure Electronic Transaction (SET) protocol provides a method for
i. Proper authorization: never allow to encrypt files that management purchasing over the internet without disclosing the credit card information
cannot decrypt without the user to the merchant. The buyer will be liable for transactions that involve
his/her personal SET certificate.
 ● Email anti-spamming techniques: Bayesian > Heuristic > Signature Based >
Pattern Matching

8. Risk assessment
● First step is to identify the assets. (in some cases, critical process)

● Second step is to identify relevant risk. (vulnerability/threat)

● Third step is to do impact analysis. (qualitative or quantitative)

● Fourth step is prioritizing the risk on the basis of impact. (IT risk analysis)

● Fifth step is to evaluate controls.

● Sixth step is to apply appropriate controls.

9. Security Requirements
● Authenticity – verification that message not changed in transit

● Nonrepudiation – verification of origin or receipt of message

● Accountability – actions traceable to an entity

● Network availability