Cisa - Iba (MKS)

CISA Chapter 1

Certified Information Systems Auditor (CISA®)
Course Introduction
Course Objectives
To help you understand:
- The concept of IS audit
- ISACA audit standards and requirements
- Information systems and their life cycle
- The different types of technologies supporting information systems
- Auditing these technologies

Additionally:
- Preparing to sit the CISA exam
History of ISACA
- ISACA was incorporated in 1969 by a small group of individuals who recognized a need for a centralized source of information and guidance in the growing field of auditing controls for computer systems.
- Previously known as the Information Systems Audit and Control Association.
- Now referred to only by its acronym.
History of ISACA
Currently:
- Engaged professionals: more than 520,000
- Members: more than 130,000 in 188 countries
- Members and certification holders: more than 159,000
- Chapters: more than 215
- Certified Information Systems Auditor® (CISA®): more than 130,000 CISAs have been certified since the certification's inception in 1978.
Certified Information Systems Auditor (CISA)
- Designed for personnel who will audit and review information systems.
- Provides assurance that systems are designed, developed, implemented and maintained to support business needs and objectives.
- Requires an understanding of the concepts behind information systems audit, not just the definitions.
CISA Exam Review Course Overview
- The CISA exam is based on the CISA job practice.
- The ISACA CISA Certification Committee oversees the development of the exam and ensures the currency of its content.
- There are five content areas that the CISA candidate is expected to know:
  1. The Process of Auditing Information Systems
  2. Governance and Management of IT
  3. Information Systems Acquisition, Development and Implementation
  4. Information Systems Operations, Maintenance and Support
  5. Protection of Information Assets
Division of Areas
CISA Qualification
- To earn the CISA designation, information security professionals are required to:
  - Successfully pass the CISA exam.
  - Submit an application for CISA certification.
  - Have five (5) or more years of experience in IS audit, control, assurance or security. Waivers are available for a maximum of three (3) years.
  - Adhere to the ISACA Code of Professional Ethics.
  - Adhere to the CISA continuing education policy.
  - Comply with the IS Auditing Standards.
The Examination
- The exam consists of 150 multiple-choice questions that cover the CISA job practice areas.
- Four hours are allotted for completing the exam.
- The 2017 examination content is the same as the 2016 examination.
- Examination fee:
  - Member: US $575
  - Non-member: US $760
Grading the Exam
- Candidate scores are reported as a scaled score, based on the conversion of a candidate's raw score on an exam to a common scale.
- ISACA uses and reports scores on a common scale from 200 to 800. A candidate must receive a score of 450 or higher to pass.
Study Book
- CISA Review Manual, 26th Edition
Maintaining CISA Certification
- The CISA CPE policy requires the attainment of CPE hours over an annual and a three-year certification period. CISAs must comply with the following requirements to retain certification:
  - Attain and report an annual minimum of twenty (20) CPE hours.
  - Submit annual CPE maintenance fees to ISACA international headquarters in full.
    - ISACA members: US $45
    - ISACA non-members: US $85
  - Attain and report a minimum of one hundred and twenty (120) CPE hours for a three-year reporting period.
  - Respond and submit required documentation of CPE activities if selected for the annual audit.
  - Comply with ISACA's Code of Professional Ethics.
  - Abide by ISACA's IT auditing standards.
Chapter 1
The Process of Auditing Information Systems
OBJECTIVES
- The objective of this domain is to ensure that the CISA candidate has the knowledge necessary to provide audit services in accordance with IS audit standards, to assist the organization with protecting and controlling information systems.
- This area represents 21 percent of the CISA exam (approximately 32 questions).
Five Tasks within Domain 1
1. Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.
2. Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
3. Conduct audits in accordance with IS audit standards to achieve planned audit objectives.
4. Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to promote change when necessary.
5. Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely manner.
Information Systems (IS) vs. Information Technology (IT)
- Information systems (IS) are defined as the combination of strategic, managerial and operational activities involved in gathering, processing, storing, distributing and using information and its related technologies.
- IT is defined as the hardware, software, communication and other facilities used to store, process, transmit and output data in whatever form.
[Figure: Information Systems (operational activities and processes) encompass Information Technology (hardware, software, infrastructure).]
Audit
- In simple words, an audit can be defined as: "A systematic evaluation or examination of something by a person or group of people."
- IS audit can be defined as the formal examination, interview and/or testing of information systems to determine whether:
  - Information systems are in compliance with applicable laws, regulations, contracts and/or industry guidelines.
  - IS data and information have appropriate levels of confidentiality, integrity and availability.
  - IS operations are being accomplished efficiently and effectively, and targets are being met.
Audit
Key Documents
- Audit charter: an overarching document that covers the entire scope of audit activities in an entity.
- Engagement letter: more focused on a particular audit exercise that is to be initiated in an organization with a specific objective in mind.
Audit
Internal vs. External
- Internal
  - The internal audit function is established through an audit charter approved by the board of directors and the audit committee.
- External
  - The scope and objectives of the services should be documented in a formal contract or statement of work.
- Both types of audit report to an audit committee or to the highest level of management.
Audit
IS Audit Resource Management
- Competency requirements for the audit team:
  - Should be technically competent.
  - Should have the required skills and knowledge.
  - Must maintain technical competence through appropriate continuing professional education.
- Skills and knowledge should be taken into consideration when planning audits and assigning staff to specific audit assignments.
- A detailed staff training plan should be drawn up for the year, based on the organization's direction in terms of technology and the related risk that needs to be addressed.
Planning an Audit
- Involves short-term and long-term planning (on an annual basis).
- Short term: audit issues to be covered during the year.
- Long term: changes in the strategic direction of the organization and their impact on the organization's IT environment.
Planning an Audit
- Risk-based approach: evaluate the risk with respect to defined and relevant risk factors that influence the frequency and/or business impact of risk scenarios.
- Risk assessment can be done using a:
  - Quantitative approach
  - Qualitative approach
  - Hybrid approach (a mixture of quantitative and qualitative).
- An ideal audit plan can be developed based on all "High"-rated processes.
- Risk analysis should be conducted at least annually, or whenever there is a change in the risk environment (e.g. acquisitions, new regulatory issues, market conditions). The audit plan should be updated accordingly.
Planning an Audit
Steps
- Gain an understanding of the business's mission, objectives, purpose and processes, which include information and processing requirements such as availability, integrity, security and business technology and information confidentiality.
- Understand changes in the business environment of the auditee.
- Review prior work papers.
- Identify stated contents such as policies, standards and required guidelines, procedures and organization structure.
- Perform a risk analysis to help in designing the audit plan.
- Set the audit scope and audit objectives.
- Develop the audit approach or audit strategy.
- Assign personnel resources to the audit.
- Address engagement logistics.
ISACA Code of Professional Ethics
1. Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
4. Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
6. Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
7. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
ISACA IS Audit and Assurance Standards
- Standards contain statements of mandatory requirements for IS audit and assurance. They inform:
  - IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics.
  - Management and other interested parties of the profession's expectations concerning the work of practitioners.
  - Holders of the Certified Information Systems Auditor (CISA) designation of their requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA group and, ultimately, in disciplinary action.
ISACA IS Audit and Assurance Standards
There are three categories of standards and guidelines:
- General: The guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments, and deal with the IS audit and assurance professional's ethics, independence, objectivity and due care, as well as knowledge, competency and skill.
- Performance: Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilization, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgment and due care.
- Reporting: Address the types of reports, means of communication and the information communicated.
ISACA IS Audit and Assurance Standards
General Requirements:
- 1001 Audit Charter: Document the audit function in an audit charter, agreed upon and approved at an appropriate level within the enterprise.
- 1002 Organizational Independence: The IS audit function should be independent of the area or activity being reviewed.
- 1003 Professional Independence: IS audit professionals should be independent and objective in both attitude and appearance in all matters related to audit and assurance engagements.
- 1004 Reasonable Expectation: There should be a reasonable expectation that the engagement can be completed in accordance with the IS Audit and Assurance Standards and, where required, industry standards and regulations, that it will enable a conclusion on the subject matter, and that any restrictions are addressed. Management should understand its obligations and responsibilities with respect to providing the appropriate, relevant and timely information required to perform the engagement.
ISACA IS Audit and Assurance Standards
General Requirements:
- 1005 Due Professional Care: Should exercise due professional care, including observance of applicable professional audit standards, in planning, performing and reporting on the results of engagements.
- 1006 Proficiency: Should have the required skills and proficiency in conducting IS audit and assurance work, and the competency to perform the work required.
- 1007 Assertions: Should review the assertions against which the audit will be performed and determine that these assertions are capable of being audited and are sufficient, valid and relevant.
- 1008 Criteria: Should select the criteria against which the subject matter will be assessed. These criteria should be objective, complete, relevant, measurable, understandable, widely recognized, authoritative and understood by all readers and users of the report. The source of the criteria should also be considered: focus on criteria issued by relevant authoritative bodies before accepting lesser-known criteria.
ISACA IS Audit and Assurance Standards
Performance Requirements:
- 1201 Engagement Planning: Should plan the engagement to address: objective(s), scope, timeline and deliverables, compliance with applicable laws and auditing standards, use of a risk-based approach (where appropriate), engagement-specific issues, and documentation and reporting requirements.
- 1202 Risk Assessment in Planning: Should use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources. Should identify and assess risk relevant to the area under review when planning individual engagements. Should also consider subject matter risk, audit risk and the related exposure to the enterprise.
ISACA IS Audit and Assurance Standards
Performance Requirements:
- 1203 Performance and Supervision: Should conduct the audit in accordance with the approved IS audit plan, to cover identified risk and within the agreed schedule. Audit and assurance professionals should supervise IS audit staff to accomplish audit objectives and meet applicable professional audit standards. Should only accept tasks that are within their knowledge and skills, or for which they have a reasonable expectation of either acquiring the skills during the engagement or achieving the task under supervision. Should obtain sufficient and appropriate evidence to achieve the audit objective. Should document the audit process, describing the audit work and the audit evidence that supports findings and conclusions. Should also identify and conclude on findings.
- 1204 Materiality: Should consider potential weaknesses or absences of controls while planning an engagement, and whether they could result in a significant deficiency or a material weakness in relation to the respective audit risk. Should also determine the cumulative effect of minor control deficiencies or weaknesses and whether it translates into a significant deficiency or material weakness. Should disclose the following in the report:
  - Absence of controls or ineffective controls.
  - Significance of the control deficiency.
  - Probability of these weaknesses resulting in a significant deficiency or material weakness.
ISACA IS Audit and Assurance Standards
Performance Requirements:
- 1205 Evidence: Sufficient and appropriate evidence should be obtained to draw reasonable conclusions on which to base the engagement results. Should evaluate the sufficiency of the evidence obtained to support conclusions and achieve engagement objectives.
- 1206 Using the Work of Other Experts: Should consider using the work of other experts for the engagement where appropriate. Before using the work, the other experts' professional qualifications, competencies, relevant experience, resources, independence and quality-control processes should be assessed. Should determine whether the work of other experts will be relied upon and incorporated directly, or referred to separately in the report. Should apply additional test procedures to gain sufficient and appropriate evidence where the work of other experts does not provide it.
- 1207 Irregularity and Illegal Acts: Should consider the risk of irregularities and illegal acts, and document and communicate it to the appropriate party in a timely manner. Should also maintain professional skepticism during the engagement.
ISACA IS Audit and Assurance Standards
Reporting:
- 1401 Reporting: Should provide a report to communicate the results upon completion, which may include:
  - the intended recipients;
  - any restrictions on content and circulation;
  - scope;
  - engagement objectives;
  - period of coverage;
  - the nature, timing and extent of the work performed;
  - findings;
  - conclusions and recommendations;
  - any qualifications or limitations, signature, date and distribution according to the terms of the audit charter or engagement letter.
  Should also ensure that the findings in the audit report are supported by sufficient and appropriate evidence.
ISACA IS Audit and Assurance Standards
Reporting:
- 1402 Follow-up Activities: Should monitor relevant information to conclude whether management has planned or taken appropriate, timely action to address reported audit findings and recommendations.
Internal Controls
- Preventive
  - Detect problems before they arise.
  - Monitor both operation and inputs.
  - Attempt to predict potential problems before they occur and make adjustments.
  - Prevent an error, omission or malicious act from occurring.
  - Segregate duties (deterrent factor).
  - Control access to physical facilities.
  - Use well-designed documents (prevent errors).
- Detective
  - Use controls that detect and report the occurrence of an error, omission or malicious act.
- Corrective
  - Minimize the impact of a threat.
  - Remedy problems discovered by detective controls.
  - Identify the cause of a problem.
  - Correct errors arising from a problem.
  - Modify the processing system(s) to minimize future occurrences of the problem.

Performing an IS Audit
[Figure: Build the audit plan -> Plan the audit engagement -> Execute the plan -> Monitor project activity.]
Types of Audits
- Compliance audits: Include specific tests of controls to demonstrate adherence to specific regulatory or industry standards.
- Financial audits: Conducted to assess the accuracy of financial reporting. The emphasis is on the integrity and reliability of financial information.
- Operational audits: Evaluate the internal control structure in a given process or area, e.g. IS audits of application controls.
- Integrated audits: Combine financial and operational audit steps. Targeted at assessing overall objectives within an organization.
- Administrative audits: Oriented to assessing issues related to the efficiency of operational productivity within an organization.
- IS audits: Conducted to determine whether the information systems and related resources adequately safeguard and maintain the confidentiality, integrity and availability of assets.
- Specialized audits: Target a specific area or requirement dictated by other auditing standards, e.g. specialized reviews examining services performed by third parties.
- Forensic audits: Specialized audits to discover, disclose and follow up on fraud and criminal activities. The primary purpose is the development of evidence for review by law enforcement and judicial authorities.
Audit Phases
1. Audit subject: Identify the area to be audited.
2. Audit objective: Identify the purpose of the audit.
3. Audit scope: Identify the specific systems, function or unit of the organization to be included in the review.
4. Pre-audit planning: Identify the technical skills and resources needed, the sources of information, and the locations or facilities, and develop a communication plan.
5. Audit procedures and steps for data gathering: Identify and select the audit approach to verify and test the controls. Identify the list of individuals to interview and obtain departmental policies, standards and guidelines for review. Develop audit tools and methodology to test and verify controls.
6. Procedures for evaluating the test or review results: Identify methods (including tools) to perform the evaluation. Identify criteria for evaluating the test, and the means and resources to confirm that the evaluation was accurate.
7. Procedures for communication with management: Determine the frequency of communication and prepare documentation for the final report.
8. Audit report preparation: Disclose procedures for follow-up review, evaluate/test operational efficiency and effectiveness, and test controls. Review and evaluate the soundness of documents, policies and procedures.
Risk-Based Auditing
Effective risk-based auditing is driven by two processes:
1. The risk assessment that drives the audit schedule.
2. The risk assessment that minimizes the audit risk during the execution of an audit.
Audit Risk and Materiality
- Audit risk can be defined as the risk that information may contain a material error that goes undetected during the course of the audit. It is influenced by:
  - Inherent risk: The risk level or exposure of the process/entity to be audited, without taking into account the controls that management has implemented. Inherent risk exists independently of an audit and can arise from the nature of the business.
  - Control risk: The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls.
  - Detection risk: The risk that material errors or misstatements that have occurred will not be detected by the IS auditor.
  - Overall audit risk: The probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred. An objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so that the overall audit risk is at a sufficiently low level at the completion of the examination.
Risk Assessment and Treatment
- Risk assessment: Should identify, quantify and prioritize risk against the criteria for risk acceptance and the objectives relevant to the organization. It should be performed periodically to address changes in the environment, security requirements and risk situation, and whenever significant changes occur.
- Treating risk: Risk is treated through one of the following responses:
  - Risk mitigation: Applying appropriate controls to reduce the risk.
  - Risk acceptance: Knowingly and objectively not taking action, provided that the risk clearly satisfies the organization's policy and criteria for risk acceptance.
  - Risk avoidance: Avoiding the risk by not allowing actions that would cause it to occur.
  - Risk transfer/sharing: Transferring the associated risk to other parties (e.g. insurers or suppliers).
Evidence
- Evidence is any information used by the IS auditor to determine whether the entity or data being audited follows the established criteria or objectives, and that supports the audit conclusions.
- Audit evidence may include:
  - The IS auditor's observations (presented to management).
  - Notes taken from interviews.
  - Results of independent confirmations obtained by the IS auditor from different stakeholders.
  - Material extracted from correspondence and internal documentation or contracts with external partners.
  - The results of audit test procedures.
Evidence
Factors in the reliability of audit evidence include:
- Independence of the provider of the evidence.
- Qualifications of the individual providing the information/evidence.
- Objectivity of the evidence.
- Timing of the evidence.
Evidence
- Techniques for gathering evidence:
  - Reviewing IS organization structures
  - Reviewing IS policies and procedures
  - Reviewing IS standards
  - Reviewing IS documentation
  - Interviewing appropriate personnel
  - Observing processes and employee performance
  - Walk-throughs
Communicating Audit Results
- The exit interview, conducted at the end of the audit, provides the IS auditor with the opportunity to discuss findings and recommendations with management. During the exit interview, the IS auditor should:
  - Ensure that the facts presented in the report are correct.
  - Ensure that the recommendations are realistic and cost-effective and, if not, seek alternatives through negotiation with auditee management.
  - Recommend implementation dates for agreed-on recommendations.
Audit Report Structure and Contents
- There is no specific format for an IS audit report; the exact format may vary depending on the organization. However, every audit report should have the following structure and content:
  - An introduction to the report, a statement of audit objectives, limitations to the audit and scope, the period of audit coverage, and the IS audit methodology and guidelines.
  - Audit findings included in separate sections, often grouped by materiality and/or intended recipient.
  - The IS auditor's overall conclusion and opinion on the adequacy of the controls and procedures examined during the audit, and the actual potential risk identified as a consequence of detected deficiencies.
  - The IS auditor's reservations or qualifications with respect to the audit. This may state that the controls or procedures examined were found to be adequate or inadequate.
  - Detailed audit findings and recommendations.
  - Findings that are minor in nature may be presented to management in an alternate format, such as a memorandum.
Audit Documentation
- Audit documentation should include, at a minimum, a record of the following:
  - Planning and preparation of the audit scope and objectives.
  - Description and/or walk-throughs of the scoped audit area.
  - Audit program.
  - Audit steps performed and audit evidence gathered.
  - Use of the services of other auditors and experts.
  - Audit findings, conclusions and recommendations.
  - Relationships among the audit documents, with document identification and dates.
  - A copy of the report issued as a result of the audit work.
  - Evidence of audit supervisory review.
Chapter 2
Governance and Management of IT
OBJECTIVES
- The objective of this domain is to ensure that the CISA candidate understands and can provide assurance that the necessary leadership and organizational structures and processes are in place to achieve the objectives and to support the enterprise's strategy.
- This domain represents 16 percent of the CISA examination (approximately 24 questions).
Ten Tasks within Domain 2
1. Evaluate the IT strategy, including the IT direction, and the processes for the strategy's development, approval, implementation and maintenance, for alignment with the organization's strategies and objectives.
2. Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization's strategies and objectives.
3. Evaluate the IT organizational structure and human resources (personnel) management to determine whether they support the organization's strategies and objectives.
4. Evaluate the organization's IT policies, standards and procedures, and the processes for their development, approval, release/publishing, implementation and maintenance, to determine whether they support the IT strategy and comply with regulatory and legal requirements.
5. Evaluate IT resource management, including investment, prioritization, allocation and use, for alignment with the organization's strategies and objectives.
6. Evaluate IT portfolio management, including investment, prioritization and allocation, for alignment with the organization's strategies and objectives.
7. Evaluate risk management practices to determine whether the organization's IT-related risks are identified, assessed, monitored, reported and managed.
8. Evaluate IT management and monitoring of controls (e.g. continuous monitoring, quality assurance [QA]) for compliance with the organization's policies, standards and procedures.
9. Evaluate the monitoring and reporting of IT key performance indicators (KPIs) to determine whether management receives sufficient and timely information.
10. Evaluate the organization's business continuity plan (BCP), including the alignment of the IT disaster recovery plan (DRP) with the BCP, to determine the organization's ability to continue essential business operations during the period of an IT disruption.
Corporate Governance
- Defined as the "system by which business corporations are directed and controlled".
- A set of responsibilities and practices used by an organization's management to provide strategic direction, thereby ensuring that goals are achievable, risk is properly addressed and organizational resources are properly utilized.
- Senior management signs off on the adequacy of internal controls and includes an assessment of internal controls in financial reports.
- Involves all the stakeholders in the decision-making process.
Governance of Enterprise IT (GEIT)
- The responsibility of the board of directors and senior management.
- It includes:
  - IT resource management
  - Performance measurement
  - Compliance management
Governance of Enterprise IT (GEIT)
Two goals of GEIT:
- IT delivers value to the business, driven by strategic alignment of IT with the business.
- IT risk is managed by embedding accountability into the business.
Three focus areas of GEIT:
- Resource optimization
- Benefits realization
- Risk optimization
Drivers for GEIT
- Increasing return on IT investment
- Levels of IT expenditure
- Compliance and regulatory requirements
- Management of outsourcing solutions (cloud)
- Adoption of control frameworks
- Optimizing costs through standardized rather than custom solutions
- Need for enterprise assessment
GEIT Frameworks
- COBIT 5
- ISO/IEC 27001 - Information security management systems
- ITIL® - IT service management (ITSM)
- ISO/IEC 38500 - Governance of IT for the organization
- ISO/IEC 20000 - Service management system (SMS) standard
Audit Role in Governance of Enterprise IT
- Organizations adopt generally accepted good practices, ensured by the establishment of controls.
- Audit provides good-practice recommendations, improves the quality of IT governance and monitors compliance.
IT Governance Committees
The roles and structure of the committees are:
- IT strategy committee: advises the board.
- IT steering committee: assists management with the delivery of the IT strategy.
IT Balanced Scorecard
- The IT balanced scorecard (BSC) is a process management evaluation technique that can be applied to the GEIT process in assessing IT functions and processes.
- To apply the BSC to IT, a multi-layered structure (determined by each organization) is used, addressing four perspectives:
  - Mission, for example:
    - Become the preferred supplier of information systems.
    - Deliver economic, effective and efficient IT applications and services.
    - Obtain a reasonable business contribution from IT investment.
    - Develop opportunities to answer future challenges.
60 IT Balanced Scorecard
 Strategies – for example:
 Develop superior applications and operations.
 Develop user partnerships and greater customer services.
 Provide enhanced service levels and pricing structures.
 Control IT expenses.
 Provide business value to IT projects.
 Provide new business capabilities.
 Train and educate IT staff and promote excellence.
 Provide support for research and development.
61 IT Balanced Scorecard
 Measures – for example:
 Provide a balanced set of metrics (i.e., key performance indicators [KPIs]) to guide business-oriented IT decisions.
 Sources – for example:
 End-user personnel (specific by function)
 COO
 Process owners
62 IT Balanced Scorecard
63 Effective Information Security Governance
 It consists of:
 Security strategy
 Security policies
 Set of standards for each policy
 Effective organizational security structure
 Void of conflicts of interest
 Institutionalized monitoring program
 Ensure compliance and feedback
64 Effective Governance
 Requires the involvement of the Board of Directors
 Required Resources
 Commitment
 Assignment of responsibilities
 Set the tone at the top
 Informed of risk
65 Enterprise Architecture
 An enterprise architecture (EA) is a conceptual blueprint that defines the structure and operation of an organization. The intent of an enterprise architecture is to determine how an organization can most effectively achieve its current and future objectives.
 Effective EA is implemented through:
 Documenting IT assets in a structured manner.
 Managing and planning for IT investments.
 A framework for enterprise architecture, such as the Zachman Framework.
66 Information Systems Strategy
Strategic alignment
Return on Investment (ROI)
IT Steering Committee
High level committee to ensure IT is in harmony with the business goals and objectives.
Representatives from senior management, business units, HR, finance, IT.
67 Maturity and Process Improvement
It is an ongoing performance measurement.
Maintain consistent efficiency and effectiveness.
Maturity frameworks such as:
Capability Maturity Model Integration (CMMI)
Initiating, Diagnosing, Establishing, Acting, and Learning Model (IDEAL)
COBIT Process Assessment Model (PAM)
68 Maturity and Process Improvement
Capability Maturity Model Integration (CMMI)
69 Investment and Allocation Practices
Return on Investment (ROI)
Investment made in one area results in lost opportunity in another area.
Consider both financial and non-financial benefits.
Improved customer satisfaction.
Measure value of IT - value optimization
70 Policies
High level documents that represent corporate philosophy.
Must be communicated to all staff and contractors.
Should be reviewed periodically.
May be supported through low level policies at the department level.
Auditors must test policies for compliance.
71 Information Security Policy
Communicates coherent security standards to all staff and management
Balance control with productivity
Approved by senior management
Required by ISO/IEC 27001
Reviewed at least annually
72 Audit of Policies
The auditor should check for:
 Is the policy based on risk
 Appropriate
 Approved
 Implemented and communicated
 Reviewed
 Exceptions
73 Procedures
Documented, defined steps for achieving policy objectives
Implement the intent (spirit) of policy
Formulated by process owners
Reviewed and tested to ensure that the procedures meet control objectives
74 Risk Management Process
Step 1: Asset Identification
Step 2: Evaluation of Threats and Vulnerabilities to Assets
Step 3: Evaluation of the Impact
Step 4: Calculation of Risk
Step 5: Evaluation of and Response to Risk
75 Risk Analysis Methods
Qualitative Analysis Method – Subjective
Quantitative Analysis Method
Semi-Quantitative Analysis Method
76 Information Technology Management Practices
Human Resource Management
 Hiring - Some of the common controls include:
 Background checks (e.g., criminal, financial, professional, references, qualifications)
 Confidentiality agreements or nondisclosure agreements. Specific provision may be made in these agreements to abide by the
security policies of the previous employer and not to exploit the knowledge of internal controls in that organization.
 Employee bonding to protect against losses due to theft, mistakes and neglect. (Note: Employee bonding is not always an
accepted practice all over the world; in some countries, it is not legal.)
 Conflict of interest agreements
 Codes of professional conduct/ethics
 Non-compete agreements
 Nondisclosure agreements
 Employee Handbook
 Training
 Mandatory vacations (fraud prevention/detection)
 Changes in job role and access levels
 Termination Policies
77 Information Security Management
 Information security management provides the lead role to ensure that the
organization's information and the information processing resources under
its control are properly protected.
 This would include leading and facilitating the implementation of an
organization wide information security program that includes the
development of a BIA, a BCP and a DRP related to IT department functions
in support of the organization's critical business processes.
 A major component in establishing such programs is the application of risk
management principles to assess the risk to IT assets, mitigate the risk to an
appropriate level as determined by management and monitor the
remaining residual risk.
78 Performance Optimization
Includes:
Continuous improvement methodologies, such as the PDCA (Plan, Do, Check, Act) cycle.
Comprehensive best practices, such as ITIL.
Frameworks, such as COBIT.
79 IT Roles and Responsibilities
Some of the important roles the CISA candidate must be familiar with:
Executive management
Business / Information owner
Custodian
End User
80 Separation/Segregation of Duties
 Roles that should be separated and which require compensating controls.
 Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness when duties cannot be properly segregated, such as:
 Authorizations
 Audit trails
 Reconciliation
 Privileged users
 Remote logging
81 Auditing IT Governance Structure and Implementation
Significant indicators of potential
problems include:
Unfavorable end-user attitudes/high
turnover
Excessive costs/budget overruns
Extensive exception reports
Slow response to user requests
Lack of training/succession plans
82 Business Continuity Planning (BCP)
 Enable the business to continue offering critical services in the event of a disruption and to
survive a disruption to critical activities.
 Identify business processes of strategic value.
 BCP is primarily the responsibility of senior management.
 Disaster Recovery Planning is used to recover a facility rendered inoperable including
relocating operations to a new location.

 IT Business Continuity Planning – minimize the threat to IT Systems.
 Understand dependencies between IT and business operations
 Understand risk
83 Business Continuity Planning Process
 Project Planning
 Risk Assessment
 Business Impact Assessment
 BC Strategy Development
 BC Plan Development (Strategy Execution)
 BC Awareness Training
 BC Plan Testing
 BC Plan Monitoring, Maintenance and Updating
84 Incident Management
 An incident is an unexpected event, even if it causes no significant damage.
 Incident classification:
 Negligible
 Minor
 Major
 Crisis/Catastrophic
 All incidents should be documented.
85 Business Impact Analysis (BIA)
Evaluate critical processes and IT components supporting them.
Determine time frames, priorities, resources, interdependencies.
Often based on risk assessment.
The auditor must be able to evaluate the BIA.
86 Recovery Strategies
The cost of recovery is often inversely related to the time of recovery – the shorter the recovery time, the greater the cost.
Senior management must approve the selected recovery strategy based on cost and other factors (available solutions, priorities).
87 Development of Business Continuity Plans
 Plans for all types of incidents, that is, from malware to fire or catastrophic earthquake.
 Step-by-step actions to be taken
 Roles and responsibilities
 Identification of required resources
 Contact information for staff and suppliers
 Communications plan
88 Business Continuity Planning (BCP) Testing
 Plan Testing
 Verify completeness of the plan.
 Appraise training of staff.
 Measure ability to meet timelines and service levels.
 Test should be planned – pretest, test, posttest.
 Types of Tests
 Desk-based Evaluation/Paper Test (walkthrough)
 Preparedness Test (simulation)
 Full Operational Test
 Lessons learned from each test are used to improve the plan
89 Business Continuity Planning (BCP) Plan Maintenance
Plans must be maintained as they are quickly out of date due to:
Changes in business
Lessons learned from tests and incidents
Changes in personnel
Changes in technology
Reviewed at least annually
90 Reviewing Insurance Coverage
Insurance coverage must reflect actual cost of recovery.
Coverage of the following must be reviewed for adequacy:
Insurance premium
The coverage of media damage
Business interruption
Equipment replacement
91 Chapter 3: Information Systems Acquisition, Development and Implementation
92 OBJECTIVES
 The objective of this domain is to ensure that the CISA candidate understands and can provide assurance that the practices for the acquisition, development, testing and implementation of information systems meet the organization's strategies and objectives.
 This domain represents 18 percent of the CISA examination (approximately 27 questions).
93 Seven Tasks within Domain 3
1. Evaluate the business case for the proposed investments in information systems acquisition,
development, maintenance and subsequent retirement to determine whether it meets the
business objectives.
2. Evaluate IT supplier selection and contract management processes to ensure that the
organization's service levels and requisite controls are met.
3. Evaluate the project management framework and controls to determine whether business
requirements are achieved in a cost-effective manner while managing risks to the organization.
4. Conduct reviews to determine whether a project is progressing in accordance with project plans,
is adequately supported by documentation and has timely and accurate status reporting.
5. Evaluate controls for information systems during the requirements, acquisition, development and
testing phases for compliance with the organization's policies, standards, procedures and
applicable external requirements.
6. Evaluate the readiness of information systems for implementation and migration into production
to determine whether project deliverables, controls and organization's requirements are met.
7. Conduct post-implementation reviews of systems to determine whether project deliverables,
controls and organization's requirements are met.
94 Portfolio/Program Management
 A program is a group of projects and time-bound tasks that are closely linked together
through common objectives, a common budget, intertwined schedules and strategies.
 Programs have a limited time frame (start and end date) and organizational boundaries.
 The objectives of project portfolio management are:
 Optimization of the results of the project portfolio
 Prioritizing and scheduling projects
 Resource coordination (internal and external)
 Knowledge transfer throughout the projects
95 Business Case Development and Approval
A business case:
Provides the information required for an
organization to decide whether a project should
proceed.
Is normally derived from a feasibility study as part
of project planning.
Should be of sufficient detail to describe the
justification for setting up and continuing a
project.
96 General IT Project Aspects
IS projects may be initiated from any part of an organization.
A project is always a time-bound effort.
Project management should be a business
process of a project-oriented organization.
The complexity of project management
requires a careful and explicit design of the
project management process.
97 Project Context and Environment
 A project context can be divided into a time and social context. The following must be taken into account:
 Importance of the project in the organization.
 Connection between the organization's strategy and the project.
 Relationship between the project and other projects.
 Connection between the project and the underlying business case.
98 Project Organizational Forms
Three major forms of organizational alignment for project management are:
 Influence project organization: the project manager has only a staff function without formal
management authority. The project manager is only allowed to advise peers and team
members as to which activities should be completed.
 Pure project organization: the project manager has formal authority over those taking part in
the project. Often, this is bolstered by providing a special working area for the project team
that is separated from their normal office space.
 Matrix project organization: In a matrix project organization, management authority is shared
between the project manager and the department heads.
99 Project Communication
Depending on the size and complexity of the project and the affected parties, communication may be achieved by:
One-on-one meetings
Kick-off meetings
Project start workshops
A combination of the three
100 Project Objectives
A project needs clearly defined results that are specific, measurable, achievable, relevant and time-bound (SMART).
A commonly accepted approach to define project objectives is to begin with an object breakdown structure (OBS).
After the OBS has been compiled, a work breakdown structure (WBS) is designed.
101 Project Management Practices
Project management is bound by three interrelated factors:
Duration
Budget
Deliverables
Changing any one element will invariably affect the other two.
102 Project Planning
 The project manager needs to determine:
 The various tasks that need to be performed to produce the expected business application system.
 The sequence or the order in which these tasks need to be performed.
 The duration or the time window for each task.
 The priority of each task.
 The IT resources that are available and required to perform these tasks.
 Budget or costing for each of these tasks.
 Source and means of funding.
103 Project Controlling
Includes management of:
Scope
Resource usage
Risk
 Identify
 Assess
 Manage
 Monitor
Evaluate the risk management process.
104 Project Risk
The IS auditor must review the project for risks that the project will not deliver the expected benefits due to:
Scope creep
Lack of skilled resources
Inadequate requirements definition
Inadequate testing
Push to production without sufficient allotted time.
105 Closing a Project
When closing a project, there may still be some issues that need to be resolved, ownership of which needs to be assigned.
The project sponsor should be satisfied that the system produced is acceptable and ready for delivery.
Custody of contracts may need to be assigned, and documentation archived or passed on to those who will need it.
106 Business Application Development
 The implementation process for business applications, commonly
referred to as an SDLC, begins when an individual application is
initiated as a result of one or more of the following situations:
 A new opportunity that relates to a new or existing business process.
 A problem that relates to an existing business process.
 A new opportunity that will enable the organization to take advantage of
technology.
 A problem with the current technology.
 Major Risk in Business Application Development:
 The project may not meet requirements
 Problems with defining the requirements
107 Traditional SDLC Approach
Waterfall technique
 Also referred to as the waterfall technique, this life cycle approach is the oldest and most widely used
for developing business applications.
 Based on a systematic, sequential approach to software development that begins with a feasibility
study and progresses through requirements definition, design, development, implementation and post
implementation.
 Some of the problems encountered with this approach include:
 Unanticipated events.
 Difficulty in obtaining an explicit set of requirements from the user.
 Managing requirements and convincing the user about the undue or unwarranted requirements in the system
functionality.
 The necessity of user patience.
 A changing business environment that alters or changes the user’s requirements before they are delivered.
 It is a very rigid approach that could be useful for smaller projects that have all of the requirements fully understood.
 Very dangerous model for complex projects.
 There are NO ITERATIONS.
108 Traditional SDLC Approach
Feasibility
Requirement
Design or Purchase
Configure or Development
Final Testing & Implementation
Post Implementation
109 Software Testing
 Verification and Validation that software performs the functions it was designed for.
 Detect any errors or malfunctions in the operation of the software.
 Bottom Up Testing – testing individual units of code.
 Top Down Testing – Testing of major functions.
 Better user involvement.
110 Testing
 Type of Testing:
 Unit Testing
 Interface or Integration Testing
 System Testing
 Final Acceptance Testing (User Acceptance Testing)
 Quality assurance
 Documentation
 Coding Standards
 Testing should first be done in a secure area separate from production.
 Integrated Test Facilities (ITF) tests the system under production-like conditions.
 Load Tests
 May use (sanitized) production data
111 Implementation Planning
Train and advise staff of new system.
Schedule at a time (most) convenient for the business.
Data migration/conversion plan.
Fallback/Rollback Scenario.
112 Cutover Planning
Changeover from the Old System to the New System:
Parallel Changeover
Phased Changeover
Abrupt Changeover (Cutover)
113 Post-Implementation
 Verify that the system meets user requirements and expectations.
 Ensure security controls have been built-in.
 Assess cost-benefit.
 Develop recommendations for deficiencies.
 Assess the development project.
114 Electronic Mail
 At the most basic level, the e-mail process can be divided into two principal components:
 Mail servers, which are hosts that deliver, forward and store mail
 Clients, which interface with users and allow users to read, compose, send and store e-mail messages
 Security of Email
 SMTP (simple mail transfer protocol) is inherently insecure
 Phishing
 Spoofing
 Insecure configuration of email servers
 Denial of Service attacks
 Distribution of malware
115 Point of Sale (PoS) Devices
 Payment card processing units used by merchants to process credit and debit card transactions
 One of the most common targets used by criminals today to steal personal data
 Often have default passwords
 Follow PCI-DSS standards
116 Artificial Intelligence and Expert Systems
 Artificial Intelligence is the science of programming electronic computers to
“think” more intelligently, sometimes mimicking the ability of mammal brains.
Expert Systems
 Expert systems consist of two main components:
 The first is a knowledge base that consists of “if/then” statements. These
statements contain rules that the expert system uses to make decisions.
 The second component is an inference engine that follows the tree formed by
the knowledge base, and fires a rule when there is a match.
 Integrity of the knowledge base is critical.
 The entire knowledge base should form a logical tree, beginning with a trunk.
The knowledge base should then branch out.
 The inference engine follows the tree, branching or firing as if/then statements
are answered.
117 Artificial Intelligence and Expert Systems
Role of Audit with AI and Expert Systems
Understand purpose of system
Assess risk and criticality
Review decision logic
Review change procedures for rules
Review security access
Review procedures
118 Development Methods
Agile Software Development Models
 Agile Software Development evolved as a reaction to
rigid software development models such as the Waterfall
Model.
 Agile is an umbrella term that includes methods such as
Scrum and Extreme Programming (XP).
 The Agile models do not use prototypes to represent the
full product, but break the product down into individual
features that are constantly being delivered.
 They are more efficient as compared to rigid models.
 The model focuses on individual (such as customer)
interaction and collaboration instead of processes, tools
and laborious documentation.
 Based on this collaboration, it provides the ability to
respond to change instead of strictly following a plan.
119 Development Methods
Scrum
 It is one of the most widely adopted agile methodologies in use today.
 It lends itself to projects of any size and complexity and is very lean
and customer focused.
 Scrum is a methodology that acknowledges the fact that customer
needs cannot be completely understood and will change over time.
 It focuses on team collaboration, customer involvement, and
continuous delivery.
 It is named after a scrum in the sport of rugby. It consists of small teams of
developers, called the Scrum Team, supported by a Scrum Master, a
senior member of the organization who acts like a coach for the
team. The Product Owner is the voice of the business unit.
 Scrum methodology allows the project to be reset by allowing product
features to be added, changed, or removed at clearly defined points.
Since the customer is intimately involved in the development process,
there should be no surprises, cost overruns, or schedule delays. This
allows a product to be iteratively developed and changed even as it
is being built.
120 Software Development Models
Prototyping
 It creates a sample or model of the code for proof-of-concept purposes.
 It is an iterative approach which breaks projects into smaller tasks, creating
multiple mockups (prototypes) of system design features.
 Lowers risk by allowing the customer to see realistic-looking results long
before the final product is completed.
121 Application Controls
 Application controls are controls over input, processing and output functions. They include
methods for ensuring that:
 Only complete, accurate and valid data are entered and updated in a computer system.
 Processing accomplishes the correct task.
 Processing results meet expectations.
 Data are maintained.
 Input/Origination Controls:
 Input authorization
 Batch controls and balancing
 Error reporting and handling
122 Processing Procedures and Controls
 Data validation and editing procedures
 Sequence, limit, range, validity, reasonableness, existence, check digit, completeness, duplicate, logical relationship checks
 Processing controls
 Data file control procedures
 Before and after images, source doc retention, labels, transaction logs, file
updating, etc.
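An added example (Python, not from the slides or from ISACA) that applies these data validation edits to a constructed batch and then balances it against batch control totals, so it also illustrates the input controls (batch controls and balancing) on the Application Controls slide; the record layout, field names, thresholds and sample data are assumptions.

```python
"""Added example, not from the CISA slides: apply the data validation edits named
on the slide to a constructed batch, then balance the batch against control
totals prepared at source (batch controls and balancing).  Record layout,
field names, thresholds and the sample batch are all assumptions."""
from datetime import date

# Reference data standing in for a master file (constructed).
VALID_ACCOUNTS = {"10001", "10002", "10003"}
VALID_TXN_TYPES = {"DR", "CR"}
REQUIRED = ("seq", "account", "txn_type", "amount", "card", "txn_date", "entry_date")
AMOUNT_LIMIT = 10_000.00         # limit check: hard ceiling per transaction
AMOUNT_RANGE = (0.01, 5_000.00)  # range check: expected band for this batch type
MAX_PER_ACCOUNT = 3              # reasonableness check: items per account per batch

def luhn_valid(digits: str) -> bool:
    """Check digit edit using the mod-10 (Luhn) scheme used on card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def validate_record(rec, expected_seq, seen_keys, per_account):
    """Return the list of edit failures for one record (empty list means accepted)."""
    missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
    if missing:                                        # completeness check
        return [f"completeness: missing {missing}"]
    errors = []
    if rec["seq"] != expected_seq:                     # sequence check
        errors.append(f"sequence: got {rec['seq']}, expected {expected_seq}")
    if rec["txn_type"] not in VALID_TXN_TYPES:         # validity check
        errors.append(f"validity: txn_type {rec['txn_type']!r}")
    if rec["account"] not in VALID_ACCOUNTS:           # existence check
        errors.append(f"existence: unknown account {rec['account']}")
    if rec["amount"] > AMOUNT_LIMIT:                   # limit check
        errors.append(f"limit: {rec['amount']} exceeds {AMOUNT_LIMIT}")
    elif not AMOUNT_RANGE[0] <= rec["amount"] <= AMOUNT_RANGE[1]:   # range check
        errors.append(f"range: {rec['amount']} outside {AMOUNT_RANGE}")
    if not luhn_valid(rec["card"]):                    # check digit
        errors.append("check digit: card number fails mod-10 test")
    key = (rec["account"], rec["amount"], rec["card"], rec["txn_date"])
    if key in seen_keys:                               # duplicate check
        errors.append("duplicate: same account/amount/card/date already seen")
    seen_keys.add(key)
    if rec["txn_date"] > rec["entry_date"]:            # logical relationship check
        errors.append("logical relationship: txn_date after entry_date")
    per_account[rec["account"]] = per_account.get(rec["account"], 0) + 1
    if per_account[rec["account"]] > MAX_PER_ACCOUNT:  # reasonableness check
        errors.append(f"reasonableness: over {MAX_PER_ACCOUNT} items for one account")
    return errors

def process_batch(records, control):
    """Run the edits over a batch, then balance it against the source control totals.
    The balance covers everything received, independently of the edits, so records
    lost, added or mis-keyed between source and entry are caught either way."""
    accepted, rejected, seen, per_account = [], {}, set(), {}
    for position, rec in enumerate(records, start=1):
        errs = validate_record(rec, position, seen, per_account)
        if errs:
            rejected[position] = errs
        else:
            accepted.append(rec)
    balance = {
        "record_count": len(records) == control["record_count"],
        "financial_total": round(sum(r.get("amount", 0) for r in records), 2)
        == control["financial_total"],
        "hash_total": sum(int(r.get("account", 0)) for r in records) == control["hash_total"],
    }
    return accepted, rejected, balance

CARD_OK, CARD_BAD = "79927398713", "79927398710"   # the second fails mod-10

def make_rec(seq, account, txn_type, amount, card=CARD_OK,
             txn=date(2024, 3, 1), entry=date(2024, 3, 2)):
    return {"seq": seq, "account": account, "txn_type": txn_type, "amount": amount,
            "card": card, "txn_date": txn, "entry_date": entry}

BATCH = [                                            # constructed sample input
    make_rec(1, "10001", "DR", 120.50),
    make_rec(2, "10002", "CR", 250.00),
    make_rec(3, "10001", "DR", 120.50),              # duplicate of position 1
    make_rec(4, "99999", "DR", 50.00),               # account not on master file
    make_rec(5, "10003", "DR", 12000.00),            # keyed 12000.00; source said 1200.00
    make_rec(6, "10003", "DR", 75.00, card=CARD_BAD),
    make_rec(9, "10002", "CR", 30.00),               # sequence number out of order
    make_rec(8, "10001", "DR", 40.00, txn=date(2024, 3, 5)),  # dated after entry
]
# Control totals prepared at source over the same eight documents: count and hash
# total agree; the financial total does not, exposing the 12000.00 keying error.
CONTROL = {"record_count": 8, "financial_total": 1886.00, "hash_total": 170012}

def run_example():
    """Process the constructed batch; returns (accepted, rejected, balance)."""
    return process_batch(BATCH, CONTROL)
```

The two control layers corroborate each other: the limit edit rejects the mis-keyed record on its own, and the out-of-balance financial total shows the batch cannot be posted until that record is corrected and resubmitted.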
123 Output Controls
 Output controls provide assurance that the data delivered to users will be
presented, formatted and delivered in a consistent and secure manner.
 Types of Output Controls
 Logging and storage of negotiable, sensitive and critical forms in a secure place.
 Computer generation of negotiable instruments, forms and signatures.
 Report distribution
 Balancing and reconciling
 Output error handling
 Output report retention
 Verification of receipt of reports
124 Observing and Testing Users
Auditor should verify:
Separation of duties
Authorization of input
Balancing
Error control and correction
Distribution of reports
Access authorization review
Activity reports
Violation reports
125 Auditing System Development
The auditor should:
Determine system criticality and functions with
project team
Identify and test controls to mitigate risk
Review documentation
Participate in post-implementation reviews
Review test plans
Test system maintenance
126 Chapter 4: Information Systems Operations, Maintenance and Service Management
127 OBJECTIVES
The objective of this domain is to ensure that the CISA candidate understands and can provide assurance that the processes for information systems operations, maintenance and service management meet the organization's strategies and objectives.
This domain represents 20 percent of the CISA examination (approximately 30 questions).
128 Ten Tasks within Domain 4
1. Evaluate IT service management framework and practices (internal or third party) to determine whether the controls and service levels expected by the organization are being adhered to and whether strategic objectives are met.
2. Conduct periodic reviews of information systems to determine whether they
continue to meet the organization's objectives within the enterprise
architecture (EA).
3. Evaluate IT operations (e.g. job scheduling, configuration management,
capacity and performance management) to determine whether they are
controlled effectively and continue to support the organization's objectives.
4. Evaluate IT maintenance (patches, upgrades) to determine whether they are
controlled effectively and continue to support the organization's objectives.
5. Evaluate database management practices to determine the integrity and
optimization of databases.
129 Ten Tasks within Domain 4
6. Evaluate data quality and life cycle management to determine whether they
continue to meet strategic objectives.
7. Evaluate problem and incident management practices to determine whether
problems and incidents are prevented, detected, analyzed, reported and
resolved in a timely manner to support organization's objectives.
8. Evaluate change and release management practice to determine whether
changes made to systems and applications are adequately controlled and
documented.
9. Evaluate end-user computing to determine whether the processes for end-user
computing are effectively controlled and support the organization's objectives.
10. Evaluate IT continuity and resilience (backups/restores, disaster recovery plan
[DRP]) to determine whether it is controlled effectively and continues to
support the organization’s objectives.
130 Management of IS Operations
The IS operations function is responsible for the ongoing support of an organization's computer and IS environment.
Ensuring that processing requirements are met, end users are satisfied and information is processed securely.
Based on the concepts of:
Governance
Management
131 Management of IS Operations
 Governance: Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed on direction and objectives.
 In most enterprises, overall governance is the responsibility of the board of directors under the leadership of the chairperson.
132 Management of IS Operations
Management: Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
In most enterprises, management is the responsibility of the executive management under the leadership of the chief executive officer (CEO).
133 IT Service Management
 The fundamental premise associated with ITSM is that IT can be managed through a series of discrete processes that provide "service" to the business.
 Although each process area may have separate and distinct characteristics,
each process is also highly interdependent with other processes.
 The processes, once defined, can be better managed through service level
agreements (SLAs) that serve to maintain and improve customer satisfaction
(i.e., with the end business).
 ITSM focuses on the business deliverables and covers infrastructure
management of IT applications that support and deliver these IT services.
 This includes fine-tuning IT services to meet the changing demands of the
enterprises as well as measuring and demonstrating improvements in the quality
of IT services offered with a reduction in the cost of service in the long term.
134 IS Operations
 IS operations are processes and activities that support and manage the entire IS
infrastructure, systems, applications and data, focusing on day-to-day activities.
 Procedures detailing instructions for operational tasks and procedures coupled
with appropriate IS management oversight are necessary parts of the IS control
environment.
 This documentation should include:
 Operations procedures based on operating instructions and job flows for computer and
peripheral equipment.
 Procedures for monitoring systems and applications.
 Procedures for detecting systems and applications errors and problems.
 Procedures for handling IS problems and escalation of unresolved issues.
 Procedures for backup and recovery.
135 Software Licensing
 Software copyright laws must be followed; failure to do so may lead to:
 Penalties
 Reputational risk
 Open source
 Freeware
 Shareware
 Verify number of users against licenses.
136 Software Licensing
Issues to be Considered
 Documented policies and procedures that guard against unauthorized use
or copying of software should be available.
 Listing of all standard, used and licensed application and system software
should be available.
 Centralizing control and automated distribution and the installation of
software.
 Requiring that all PCs be diskless workstations and access applications from
a secured LAN.
 Regularly scanning user PCs.
137 Incident and Problem Management
 Event: It is any occurrence that can be observed, verified, and documented.
 Incident: It is one or more related events that negatively affect the
company and/or impact its security posture.
 Incident Management: It includes proactive and reactive processes.
Proactive measures need to be put into place so that incidents can
actually be detected in a controllable manner, and reactive measures
need to be put into place so those incidents are then dealt with properly.
138 Incident and Problem Management
Problem management aims to resolve issues through the investigation and in-depth analysis of a major incident or several incidents that are similar in nature in order to identify the root cause.
139 Incident and Problem Management
Difference between them
Problem management's objective is to reduce
the number and/or severity of incidents.
While incident management's objective is to
return the affected business process back to its
"normal state" as quickly as possible, minimizing
the impact on the business.
Effective problem management can show a
significant improvement in the quality of service
of an IS organization.
140 Change Management
Change Management is established by IS management to control the movement of application changes (programs, jobs, configurations, parameters, etc.) from the test environment, where development and maintenance occurs, to the quality assurance (QA) environment, where thorough testing occurs, to the production environment and any hardware or network changes.
141 Change Management
 It ensures that:
 All relevant personnel are informed of the change and when it is happening.
 System, operations and program documentation are complete, up to date and in
compliance with the established standards.
 Job preparation, scheduling and operating instructions have been established.
 System and program test results have been reviewed and approved by user and project
management.
 Data file conversion, if necessary, has occurred accurately and completely as evidenced
by review and approval by user management.
 System conversion has occurred accurately and completely as evidenced by review and
approval by user management.
 All aspects of jobs turned over have been tested, reviewed and approved by
control/operations personnel.
 Legal or compliance aspects have been considered.
 The risk of adversely affecting the business operation is reviewed and a rollback plan is
developed to back out the changes, if necessary.
142 Disaster Recovery Planning
Business Continuity Planning (BCP)
 Focuses on sustaining operations and protecting the viability of the business following a
disaster, until normal business conditions can be restored.
 The BCP is an “umbrella” term that includes many other plans including the DRP.
 It is long term focused.
Disaster Recovery Plan (DRP)
 Its goal is to minimize the effects of a disaster and to take the necessary steps to ensure that
the resources, personnel and business processes are able to resume operations in a timely
manner.
 Deals with the immediate aftermath of the disaster, and is often IT focused.
 It is short term focused.
143 Disaster Recovery Planning
Disaster recovery and continuity planning deal with
uncertainty and chance
o Must identify all possible threats and estimate possible damage
o Develop viable alternatives
Threat Types:
o Man-made
- Strikes, riots, fires, terrorism, hackers, vandals
o Natural
- Tornado, flood, earthquake
o Technical
- Power outage, device failure, loss of connectivity
144 Disaster Recovery Planning
 Categories of Disruptions
 Non-disaster: Inconvenience. Hard drive failure
- Disruption of service
- Device malfunction
 Emergency/Crisis
- Urgent, immediate event where there is the potential for loss of life or property
 Disaster
- Entire facility unusable for a day or longer
 Catastrophe
- Destroys facility

 A company should understand and be prepared for each category.

 ANYONE CAN DECLARE AN EMERGENCY, ONLY THE BCP COORDINATOR CAN DECLARE A DISASTER (Anyone
can pull the fire alarm or trigger an emergency alarm. Only the BCP coordinator or someone specified in the
BCP can declare a disaster which will then trigger failover to another facility)
145 Disaster Recovery Planning
Business Impact Analysis (BIA)
 Initiated by BCP Committee
 Identifies and prioritizes all business processes based on criticality
 Addresses the impact on the organization in the event of loss of a specific
service or process
 Quantitative: Loss of revenue, loss of capital, loss due to liabilities, penalties and fines, etc.
 Qualitative: loss of service quality, competitive advantage, market share, reputation, etc.
 Establishes key metrics for use in determining appropriate counter-measures
and recovery strategy
 IMPORTANCE (relevance) vs. CRITICALITY (downtime)
 The Auditing Department is certainly important, though not usually critical.
 THE BIA FOCUSES ON CRITICALITY
146 Disaster Recovery Planning
Business Impact Analysis (BIA)
147 Disaster Recovery Planning
Recovery Alternatives
148 Disaster Recovery Planning
Backup and Restoration
Full backup
Complete backup of all files.
Archive Bit is reset.
Incremental backup
Backs up all files that have been modified
since last backup.
Archive Bit is reset.
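A small simulation of the archive-bit bookkeeping described on this slide, added here as an example (it is not part of the original deck). It models a volume whose files carry an archive bit, runs a Sunday full backup followed by two weekday backups, and goes beyond the slide by also modelling a differential backup, which copies the same changed files as an incremental but leaves the bit set; `restore_chain` then shows why the two strategies differ at restore time. File names and the weekly schedule are constructed sample data, and the class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FileEntry:
    name: str
    archive_bit: bool = True  # the OS sets this bit whenever the file is created or modified


@dataclass
class BackupSet:
    kind: str          # "full", "incremental" or "differential"
    files: List[str]   # names copied into this backup set


class Volume:
    """A file system volume plus the backup sets taken from it (constructed model)."""

    def __init__(self, names: List[str]):
        self.files: Dict[str, FileEntry] = {n: FileEntry(n) for n in names}
        self.history: List[BackupSet] = []  # oldest first

    def modify(self, name: str) -> None:
        self.files[name].archive_bit = True  # a write turns the bit back on

    def _flagged(self) -> List[str]:
        return sorted(n for n, f in self.files.items() if f.archive_bit)

    def full_backup(self) -> List[str]:
        copied = sorted(self.files)
        for f in self.files.values():
            f.archive_bit = False  # full backup: every file copied, every bit reset
        self.history.append(BackupSet("full", copied))
        return copied

    def incremental_backup(self) -> List[str]:
        copied = self._flagged()  # only files changed since the last backup of any kind
        for n in copied:
            self.files[n].archive_bit = False  # incremental: bit reset on what was copied
        self.history.append(BackupSet("incremental", copied))
        return copied

    def differential_backup(self) -> List[str]:
        # Beyond the slide: files changed since the last FULL backup. The bit is left set,
        # so each differential grows until the next full backup resets it.
        copied = self._flagged()
        self.history.append(BackupSet("differential", copied))
        return copied


def restore_chain(history: List[BackupSet]) -> List[BackupSet]:
    """Backup sets needed, in order, to rebuild the volume to its latest backed-up state."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    chain = [history[last_full]]
    later = history[last_full + 1:]
    incrementals = [b for b in later if b.kind == "incremental"]
    differentials = [b for b in later if b.kind == "differential"]
    if incrementals:
        chain.extend(incrementals)        # every incremental since the full is required
    elif differentials:
        chain.append(differentials[-1])   # only the most recent differential is required
    return chain


def run_week(strategy: str) -> Volume:
    """Sunday full backup, then two weekday backups of the chosen kind (constructed schedule)."""
    vol = Volume(["ledger.db", "payroll.xls", "config.ini"])
    weekday = vol.incremental_backup if strategy == "incremental" else vol.differential_backup
    vol.full_backup()             # Sunday
    vol.modify("ledger.db")
    weekday()                     # Monday
    vol.modify("payroll.xls")
    weekday()                     # Tuesday
    return vol


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        vol = run_week(strategy)
        print(strategy, [b.files for b in vol.history],
              "restore needs", len(restore_chain(vol.history)), "sets")
```

The trade-off an auditor looks for is visible in the output: the incremental week produces the smallest backup sets but needs the full backup plus every incremental to restore, so a single missing tape breaks the chain; the differential week copies more each day but restores from just two sets.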
149 Disaster Recovery Planning
Testing
 The test should strive to accomplish the following tasks:
 Verify the completeness and precision of the response and recovery plan.
 Evaluate the performance of the personnel involved in the exercise.
 Appraise the demonstrated level of training and awareness of individuals who are not
part of the recovery/response team.
 Evaluate the coordination among the team members and external vendors and
suppliers.
 Measure the ability and capacity of the backup site to perform prescribed processing.
 Assess the vital records retrieval capability.
 Evaluate the state and quantity of equipment and supplies that have been relocated
to the recovery site.
 Measure the overall performance of operational and information systems processing
activities related to maintaining the business entity.
150 Development Of Disaster Recovery Plans
IT DRP Contents
Procedures for declaring a disaster (escalation procedures).
Criteria for plan activation (i.e. in which
circumstances the disaster is declared, when the IT
DRP is put to action, which scenarios are covered
by the plan [loss of the IT system, loss of the
processing site, loss of the office]).
Its linkage with the overarching plans (for instance,
emergency response plan or crisis management
plan or BCPs for different lines of business).
The person (or people) responsible for each function
151 Development Of Disaster Recovery Plans
IT DRP Contents
 Contact and notification lists (contact information for recovery teams,
recovery managers, stakeholders, etc.).
 The step-by-step explanation of the whole recovery process (where and
when the recovery should take place [the same site or the backup site],
what has to be recovered [IT systems, networks, etc.], the order of
recovery).
 Recovery procedures for each IT system or component.
 Contacts for important vendors and suppliers.
 The clear identification of the various resources required for recovery and
continued operation of the organization.
152 Chapter 5: Protection of Information Assets
153 OBJECTIVES
The objective of this domain is to ensure that the CISA candidate understands and can
provide assurance that the enterprise's
security policies, standards, procedures and
controls ensure the confidentiality, integrity
and availability of information assets.
This area represents 25 percent of the CISA
examination (approximately 38 questions).
154 Six Tasks within Domain 5
1. Evaluate the information security and privacy policies, standards and procedures for
completeness, alignment with generally accepted practices and compliance with
applicable external requirements.
2. Evaluate the design, implementation, maintenance, monitoring and reporting of physical
and environmental controls to determine whether information assets are adequately
safeguarded.
3. Evaluate the design, implementation, maintenance, monitoring and reporting of system
and logical security controls to verify the confidentiality, integrity and availability of
information.
4. Evaluate the design, implementation and monitoring of the data classification processes
and procedures for alignment with the organization's policies, standards, procedures and
applicable external requirements.
5. Evaluate the processes and procedures used to store, retrieve, transport and dispose of
assets to determine whether information assets are adequately safeguarded.
6. Evaluate the information security program to determine its effectiveness and alignment
with the organization's strategies and objectives.
155 Importance of Information Security
Management
Security objectives to meet
organization's business requirements
include:
Ensure the availability, integrity and
confidentiality of information and
information systems.
Ensure compliance with laws,
regulations and standards.
156 Key Elements of Information Security
Management
Key elements of information security
management:
Senior management commitment and support
Policies and procedures
Security awareness and education
Risk Management
Monitoring and compliance
Incident handling and response
157 Critical Success Factors to Information
Security Management
Strong commitment and support by the
senior management on security training.
Professional risk-based approach must
be used systematically to identify
sensitive and critical resources.
Clearly defined roles and responsibilities
for information security.
158 Classification of Information Assets
Sensitivity vs. Criticality
Sensitivity of Information
 is commensurate with the losses to an organization if that information is
revealed to unauthorized individuals.

Criticality of Information
 on the other hand, is an indicator of how the loss of the information would
impact the fundamental business processes of the organization.
159 Classification of Information Assets
 Classification aims to quantify how much loss an organization would likely suffer
if the information was lost.
 Information assets can be classified by sensitivity, criticality, or both.
 Each classification level should have its own handling and destruction
requirements.
 Classification reduces risk
 The inventory record of each information asset should include:
 Importance of the asset
 The information asset owner
 The process for granting access
 The person responsible for approving access rights and access levels
 The extent and depth of security controls
160 Information Security Control Design
 Main categories of controls:
 Managerial (Administrative) controls
 Technical controls
 Physical controls
 Some of the sub-categories of controls:
 Preventive controls
 Detective controls
 Corrective controls
 Monitor control effectiveness
161 Security Awareness Training and
Education
 Important aspect of ensuring compliance.
 All personnel must be trained.
 Methodical approach in developing the program:
 Who is the audience
 What is the message
 What is the intended result
 What communication method will be used
 What is the structure and culture of the organization
 Security awareness programs should consist of the following:
 Training (often administered online)
 Quizzes to gauge retention of training concepts
 Security awareness reminders such as posters, newsletters, or screensavers
 A regular schedule of refresher training
162 Information Security and External
Parties
Agreements on controls
Right to audit clause
Controls in place to protect assets
Legal and regulatory issues
Proper disposal of information held by
third parties
163 Human Resources Security
 Employees, contractors and third party users must understand their
responsibilities for asset protection
 Hiring/Screening
 Terms and Conditions of Employment
 During Engagement
 Termination or Change of Employment
 Removal of access rights
164 Computer Crime Issues and Exposures
 Financial loss
 Legal repercussions
 Loss of credibility or competitive edge
 Blackmail / industrial espionage / organized crime
 Disclosure of confidential, sensitive or embarrassing information
 Sabotage
165 Perpetrators
 Hackers (crackers)
 Script kiddies
 Employees (authorized or unauthorized)
 IT Personnel
 End users
 Former employees
 Nations
 Interested or educated outsiders
166 Common Attacks
 Botnets
 Brute Force Attack
 Denial of Service (DoS) attack / Distributed DoS
 Email Spoofing
 Phishing
 Trojan Horses
 Logic Bomb
 Trap Doors (Back doors)
 Man in the Middle (MITM) attack
 Pharming
 Salami
 Viruses / Worms / Spyware
167 Logical Access Exposures
 These are exposures that exist due to accidental or intentional exploitation of
logical access control weaknesses.
 Technical exposures include:
 Data leakage – Involves siphoning or leaking information out of the computer.
 Wiretapping – Involves eavesdropping on information being transmitted over
telecommunications lines.
 Computer shutdown – Initiated through terminals or personal computers
connected directly (online) or remotely (via the Internet) to the computer.
168 Paths of Logical Access
 General modes of access into this infrastructure occur through the
following:
 Network Connectivity – Access is gained by linking a PC to a segment of an
organization's network infrastructure, either through a physical or a wireless
connection. At a minimum, such access requires user identification and
authentication to a domain-controlling server.
 Remote access – A user connects remotely to an organization’s server,
which generally requires the user to identify and authenticate him/herself to
the server for access to specific functions that can be performed remotely
(e.g., email, File Transfer Protocol [FTP] or some application-specific
function).
169 Identification and Authentication
Controls access to buildings, systems, networks and data.
Sets up user accountability.
Prevents access by unauthorized
personnel, and unauthorized
operations by authorized personnel.
170 IAAA
Identification – Method to distinguish, in a unique manner,
each entity that is accessing resources.
Authentication – Validate, verify or
prove the identity.
Authorization – Rights, permissions,
privileges granted to an
authenticated entity.
171 Authentication

 Once a person has been identified through the user ID or a similar value, he
must be authenticated, which means he must prove he is who he says he is.
 There are three types of authentication factors:
1. Something a person knows (authentication by knowledge) can be a password, PIN,
mother’s maiden name or a combination to a lock. It is the least expensive
mechanism to implement.
2. Something a person has (authentication by ownership) can be a key, swipe card,
access card, or badge. A downside to this method is that the item can be lost or
stolen, which could result in unauthorized access.
3. Something specific to a person (authentication by characteristic) is based on a
physical attribute of a person, referred to as biometrics, such as fingerprint, facial
recognition, voice recognition, iris scan, etc.
 Strong authentication contains two or all of these three methods.
172 Passwords
People often choose weak passwords or share them.
Passwords may be transmitted
or stored in clear text.
Clipping levels should lock out
accounts after repeated
invalid attempts.
Reactivation of a password
should only be done if the user
can be verified.
173 Identification and Authentication
Best Practices
Logon IDs should follow a standard
naming rule.
Default accounts (Guest, Administrator)
should be renamed or disabled.
Unused IDs should be disabled after a
period of time.
Accounts should be locked out after a
period of inactivity.
Password rules should address length,
composition and frequency of changes.
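The clipping level and reactivation rule from the Passwords slide and the account-hygiene practices listed above, worked into a small checker. This is an added example, not code from the deck: the policy numbers (three invalid attempts, 90 days of inactivity, 60-day password age), the `firstname.lastname` naming rule, the default-account names and the sample directory are all constructed assumptions for the example, and the class and function names are its own.

```python
import re
from datetime import date
from typing import List, Tuple

# Policy values below are assumptions chosen for the example, not figures from the deck.
CLIPPING_LEVEL = 3            # invalid attempts tolerated before the account locks
INACTIVITY_DAYS = 90          # logon IDs unused this long should be disabled
MAX_PASSWORD_AGE_DAYS = 60    # passwords older than this must be changed
NAMING_RULE = re.compile(r"[a-z]+\.[a-z]+")          # assumed standard: firstname.lastname
DEFAULT_ACCOUNTS = {"guest", "administrator", "admin", "root"}


class Account:
    def __init__(self, logon_id: str, last_logon: date, password_set: date):
        self.logon_id = logon_id
        self.last_logon = last_logon
        self.password_set = password_set
        self.failed_attempts = 0
        self.locked = False

    def attempt_logon(self, password_correct: bool) -> str:
        """Apply the clipping level: the account locks once invalid attempts reach the limit."""
        if self.locked:
            return "locked"
        if password_correct:
            self.failed_attempts = 0
            return "granted"
        self.failed_attempts += 1
        if self.failed_attempts >= CLIPPING_LEVEL:
            self.locked = True
            return "locked"
        return "denied"

    def reactivate(self, identity_verified: bool) -> bool:
        """Unlock only after the user's identity has been verified through another channel."""
        if not identity_verified:
            return False
        self.locked = False
        self.failed_attempts = 0
        return True


def audit_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Review an account list against the best practices on the slide; returns (id, finding)."""
    findings = []
    for a in accounts:
        if not NAMING_RULE.fullmatch(a.logon_id):
            findings.append((a.logon_id, "logon ID does not follow naming rule"))
        if a.logon_id.lower() in DEFAULT_ACCOUNTS:
            findings.append((a.logon_id, "default account not renamed or disabled"))
        if (today - a.last_logon).days > INACTIVITY_DAYS:
            findings.append((a.logon_id, "unused ID should be disabled"))
        if (today - a.password_set).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((a.logon_id, "password older than permitted age"))
    return findings


def sample_accounts() -> List[Account]:
    """Constructed sample directory for the example."""
    return [
        Account("jane.doe", date(2024, 5, 20), date(2024, 5, 1)),
        Account("Guest", date(2023, 12, 1), date(2023, 6, 1)),
        Account("bob.smith", date(2024, 1, 15), date(2024, 5, 15)),
        Account("tempuser42", date(2024, 5, 25), date(2024, 5, 25)),
    ]


if __name__ == "__main__":
    acct = Account("jane.doe", date(2024, 5, 20), date(2024, 5, 1))
    print([acct.attempt_logon(False) for _ in range(CLIPPING_LEVEL)])  # ends with "locked"
    for logon_id, finding in audit_accounts(sample_accounts(), date(2024, 6, 1)):
        print(f"{logon_id}: {finding}")
```

Run against the sample directory, the audit reports nothing for `jane.doe`, one inactivity finding for `bob.smith`, a naming finding for `tempuser42`, and four findings for `Guest`, which is exactly the kind of account the slide says should have been renamed or disabled.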
174 Biometrics (Something You Are)
 Type I Error: False Rejection Rate (FRR) - A legitimate user is
barred from access. It is caused when a system identifies
too much information. This causes excessive overhead.
 Type II Error: False Acceptance Rate (FAR) - An impostor is
allowed access. This is a security threat and comes when a
system doesn’t evaluate enough information.
 As FRR goes down, FAR goes up and vice versa.
 The level at which the two meet is called CER (Crossover
Error Rate). The lower the number, the more accurate the
system.
 Iris Scans are the most accurate.
 Biometrics can be physically oriented or behavioral
oriented.
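The FRR, FAR and CER relationship on this slide, computed on constructed data as an added example (not from the deck). Each biometric system is represented by two lists of match scores on a 0-100 similarity scale, one from the enrolled user and one from impostors; sweeping the acceptance threshold shows FRR rising as FAR falls, and the crossover point gives the CER. The two systems, their scores and the function names are assumptions made for the example; system B is deliberately constructed with non-overlapping scores so its lower CER marks it as the more accurate one.

```python
from typing import List, Sequence, Tuple

# Constructed match scores on a 0-100 similarity scale (higher = closer to the enrolled template).
# Genuine scores come from the enrolled user; impostor scores from other people.
SYSTEM_A_GENUINE = [55, 60, 62, 65, 70, 72, 75, 80, 85, 90]
SYSTEM_A_IMPOSTOR = [20, 25, 30, 35, 40, 45, 50, 58, 63, 68]
# A second constructed system whose genuine and impostor scores do not overlap.
SYSTEM_B_GENUINE = [70, 75, 80, 85, 90, 95]
SYSTEM_B_IMPOSTOR = [10, 20, 30, 40, 50, 55]


def false_rejection_rate(genuine: Sequence[float], threshold: float) -> float:
    """Type I error: share of legitimate users whose score falls below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def false_acceptance_rate(impostor: Sequence[float], threshold: float) -> float:
    """Type II error: share of impostors whose score reaches the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def error_curve(genuine: Sequence[float], impostor: Sequence[float],
                thresholds=range(0, 101)) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) for every candidate threshold."""
    return [(t, false_rejection_rate(genuine, t), false_acceptance_rate(impostor, t))
            for t in thresholds]


def crossover_error_rate(genuine: Sequence[float], impostor: Sequence[float]) -> Tuple[int, float]:
    """Threshold at which FRR and FAR are closest, and the error rate there (the CER)."""
    best = None
    for t, frr, far in error_curve(genuine, impostor):
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, cer = best
    return threshold, cer


if __name__ == "__main__":
    for t in (50, 60, 70):
        print(t, false_rejection_rate(SYSTEM_A_GENUINE, t),
              false_acceptance_rate(SYSTEM_A_IMPOSTOR, t))
    print("system A CER", crossover_error_rate(SYSTEM_A_GENUINE, SYSTEM_A_IMPOSTOR))
    print("system B CER", crossover_error_rate(SYSTEM_B_GENUINE, SYSTEM_B_IMPOSTOR))
```

Raising the threshold on system A moves it from accepting impostors toward rejecting its own users, which is the trade-off the slide describes; the operating point an organization picks should be driven by whether false acceptance or false rejection costs it more, and the CER is the figure to compare when choosing between products.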
175 Biometrics (Something You Are)
Different Types
 Fingerprint
 Palm Scan
 Hand Geometry
 Retina Scan
 Iris Scan
 Signature Dynamics
 Keystroke Dynamics
 Voice Print
 Facial Scan
 Hand Topography
 Vascular Patterns
176 Causes of Internet Attacks
Freely available tools and techniques.
Lack of security awareness and training.
Exploitation of security vulnerabilities.
Poor configuration of network
equipment.
Lack of encryption.
177 Environmental Exposures and Controls
Controls for Environmental Exposures
 Alarm control panels
 Water detectors
 Handheld fire extinguishers
 Manual fire alarms
 Smoke detectors
 Fire suppression systems
 Strategically locating the datacenter room
 Regular inspection by fire department
 Documented and tested emergency evacuation plans
 Fireproof walls, floors and ceilings of the datacenter room
 Electrical surge protectors
 Uninterruptible power supply / generator
 Emergency power-off switch
 Proper HVAC and humidifiers installed in datacenter room
 Power supply leads from two substations
178 Thank You