ALL IN ONE CISA® Certified Information Systems Auditor EXAM GUIDE

Peter H. Gregory

New York • Chicago • San Francisco • Lisbon • London • Madrid • Mexico City • Milan • New Delhi • San Juan • Seoul • Singapore • Sydney • Toronto
Copyright © 2010 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

ISBN: 978-0-07-164371-9
MHID: 0-07-164371-0

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-148755-9, MHID: 0-07-148755-7.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please e-mail us at [email protected].

Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

McGraw-Hill is an independent entity from ISACA® and is not affiliated with ISACA in any manner. This study/training guide and/or material is not sponsored by, endorsed by, or affiliated with ISACA in any manner. This publication and CD may be used in assisting students to prepare for the CISA exam. Neither ISACA nor McGraw-Hill warrant that use of this publication and CD will ensure passing any exam. ISACA®, CISM®, and CISA® are trademarks or registered trademarks of ISACA in the United States and certain other countries. All other trademarks are trademarks of their respective owners.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

Disclaimer: This eBook does not include the ancillary media that was packaged with the original printed version of the book.
To Rebekah and Shannon
ABOUT THE AUTHOR

Peter Gregory, CISA, CISSP, DRCE, is a 30-year career technologist and the manager of information security and risk management at Concur, a Redmond, WA-based provider of on-demand employee spend management services. He has been deeply involved in the development of IT controls and internal IT audit since 2002, and has been building and testing secure IT infrastructures since 1990. Additionally, he has spent many years as a software engineer and architect, systems engineer, programmer, and systems operator. Throughout his career, he has written many articles, whitepapers, user manuals, processes, and procedures, and he has conducted numerous training classes.

Peter is the author of 20 books in information security and technology including Solaris Security, CISSP Guide to Security Essentials, Securing the Vista Environment, and IT Disaster Recovery Planning For Dummies. He is a columnist for Software Magazine and has spoken at numerous industry conferences including RSA, SecureWorld Expo, West Coast Security Forum, IP3, the Society for Information Management, the Washington Technology Industry Association, and InfraGard.

Peter is an advisory board member at the University of Washington’s certificate program in information assurance, the lead instructor and advisory board member for the University of Washington certificate program in information security, a board member of the Washington state chapter of InfraGard, and a founding member of the Pacific CISO Forum. He is a 2008 graduate of the FBI Citizens’ Academy and a member of the FBI Citizens’ Academy Alumni Association.

Peter and his family reside in the Seattle, Washington area and can be reached at www.peterhgregory.com.

About the Technical Editor

Bobby E. Rogers is a principal information security analyst with Dynetics, Inc., a national technology firm specializing in the certification and accreditation process for the U.S. government. He also serves as a penetration testing team lead for various government and commercial engagements. Bobby recently retired from the U.S. Air Force after almost 21 years, where he served as a computer networking and security specialist and designed and managed networks all over the world. His IT security experience includes several years working as an information assurance manager and a regular consultant to U.S. Air Force military units on various cybersecurity/computer abuse cases. He has held several positions of responsibility for network security in both the Department of Defense and private company networks. His duties have included perimeter security, client-side security, security policy development, security training, and computer crime investigations. As a trainer, he has taught a wide variety of IT-related subjects in both makeshift classrooms in desert tents as well as formal training centers. Bobby is also an accomplished author, having written numerous IT articles in various publications and training materials for the U.S. Air Force. He has also authored numerous security training videos.

He has a Bachelor of Science degree in computer information systems from Excelsior College and two Associates in Applied Science degrees from the Community College of the Air Force. Bobby’s professional IT certifications include A+, Security+, ACP, CCNA, CCAI, CIW, CIWSA, MCP+I, MCSA (Windows 2000 & 2003), MCSE (Windows NT4, 2000, & 2003), MCSE: Security (Windows 2000 & 2003), CISSP, CIFI, CEH, CHFI, and CPTS, and he is also a certified trainer.
CONTENTS AT A GLANCE

Chapter 1 Becoming a CISA 1
Chapter 2 IT Governance and Risk Management 17
Chapter 3 The Audit Process 79
Chapter 4 IT Life-Cycle Management 135
Chapter 5 IT Service Delivery and Infrastructure 221
Chapter 6 Information Asset Protection 309
Chapter 7 Business Continuity and Disaster Recovery 421
Appendix A Conducting a Professional Audit 485
Appendix B Popular Methodologies, Frameworks, and Guidance 547
Appendix C About the CD 571
Glossary 573
Index 619
CONTENTS

Acknowledgments xxi
Introduction xxiii

Chapter 1 Becoming a CISA 1
  Benefits of CISA Certification 2
  Becoming a CISA 3
  Experience Requirements 3 4
  Direct Work Experience 4
  Substitution of Experience 6
  ISACA Code of Professional Ethics 6
  ISACA IS Standards 8
  The Certification Exam 9
  Preparing for the Exam 9
  Before the Exam 11
  Day of the Exam 11
  After the Exam 11
  Applying for Certification 12
  Retaining Certification 12
  Continuing Education 14
  CPE Maintenance Fees 14
  Revocation of Certification 15
  CISA Exam Preparation Pointers 15
  Summary

Chapter 2 IT Governance and Risk Management 17
  Practices for Executives and Board of Directors 18 18
  IT Governance 18
  IT Strategy Committee 19
  The Balanced Scorecard 20
  Information Security Governance 20
  Enterprise Architecture 22
  IT Strategic Planning 23
  The IT Steering Committee 24
  Policy, Processes, Procedures, and Standards 25
  Information Security Policy 25
  Privacy Policy 26
  Procedures 27
  Standards 28
  Risk Management
  The Risk Management Program 28
  The Risk Management Process 30
  Risk Treatment 38
  IT Management Practices 40
  Personnel Management 40
  Sourcing 45
  Change Management 54
  Financial Management 54
  Quality Management 55
  Security Management 57
  Optimizing Performance 58
  Organization Structure and Responsibilities 59
  Roles and Responsibilities 61
  Segregation of Duties 66
  Auditing IT Governance 68
  Reviewing Documentation and Records 68
  Reviewing Contracts 70
  Reviewing Outsourcing 71
  Summary 72
  Notes 73
  Questions 74
  Answers 76

Chapter 3 The Audit Process 79
  Audit Management 79 79
  The Audit Charter 80
  The Audit Program 80
  Strategic Audit Planning 82
  Audit and Technology 83
  Audit Laws and Regulations 87
  ISACA Auditing Standards 87
  ISACA Code of Professional Ethics 88
  ISACA Audit Standards 91
  ISACA Audit Guidelines 98
  ISACA Audit Procedures 101
  Risk Analysis
  Auditors’ Risk Analysis and the Corporate Risk Management Program 101 101 102
  Evaluating Business Processes 104
  Identifying Business Risks 104
  Risk Mitigation 104
  Countermeasures Assessment 105
  Monitoring
  Internal Controls
  Control Classification 105
  Internal Control Objectives 107
  IS Control Objectives 108
  General Computing Controls 109
  IS Controls 109
  Performing an Audit 110
  Audit Objectives 111
  Types of Audits 111
  Compliance vs. Substantive Testing 113
  Audit Methodology 113
  Audit Evidence 116
  Computer-Assisted Audit 122
  Reporting Audit Results 122
  Other Audit Topics 124
  Using External Auditors 126
  Control Self-Assessment 127
  Advantages and Disadvantages 127
  The Self-Assessment Life Cycle 128
  Self-Assessment Objectives 128
  Auditors and Self-Assessment 129
  Implementation of Audit Recommendations 129
  Notes 130
  Summary 131
  Questions 132
  Answers 134

Chapter 4 IT Life-Cycle Management 135
  Business Realization 136 136
  Portfolio and Program Management 138
  Business Case Development 139
  Measuring Business Benefits 140
  Project Management 140
  Organizing Projects 141
  Developing Project Objectives 142
  Managing Projects 144
  Project Roles and Responsibilities 145
  Project Planning 157
  Project Management Methodologies 161
  The Software Development Life Cycle (SDLC) 161
  SDLC Phases 186
  Software Development Risks
  Alternative Software Development Approaches and Techniques 187 190 191
  System Development Tools
  Infrastructure Development and Implementation
  Infrastructure 192
  Maintaining Information Systems 194 195
  The Change Management Process 196
  Configuration Management 196
  Business Processes 197
  The Business Process Life Cycle (BPLC) 199
  Capability Maturity Models 201
  Application Controls 201
  Input Controls 204
  Processing Controls 205
  Output Controls 206
  Auditing the Software Development Life Cycle 207
  Auditing Project Management 207
  Auditing the Feasibility Study 207
  Auditing Requirements 208
  Auditing Design 208
  Auditing Software Acquisition 209
  Auditing Development 209
  Auditing Testing 209
  Auditing Implementation 210
  Auditing Post-Implementation 210
  Auditing Change Management 210
  Auditing Configuration Management 211
  Auditing Business Controls 211
  Auditing Application Controls 211
  Transaction Flow 211
  Observations 212
  Data Integrity Testing 212
  Testing Online Processing Systems 213
  Auditing Applications 213
  Continuous Auditing 214
  Summary 216
  Notes 217
  Questions 219
  Answers

Chapter 5 IT Service Delivery and Infrastructure 221
  Information Systems Operations 221 221
  Management and Control of Operations 222
  IT Service Management 232
  Infrastructure Operations 233
  Monitoring 233
  Software Program Library Management 234
  Quality Assurance
  Security Management 235
  Information Systems Hardware 235 235
  Computer Usage 237
  Computer Hardware Architecture 244
  Hardware Maintenance 245
  Hardware Monitoring 245
  Information Systems Architecture and Software 245
  Computer Operating Systems 247
  Data Communications Software 247
  File Systems 248
  Database Management Systems 252
  Media Management Systems 252
  Utility Software 253
  Network Infrastructure 254
  Network Architecture 256
  Network-Based Services 258
  Network Models 268
  Network Technologies 269
  Local Area Networks 277
  Wide Area Networks 280
  Wireless Networks 283
  The TCP/IP Suite of Protocols 293
  The Global Internet 296
  Network Management 297
  Networked Applications 299
  Auditing IS Infrastructure and Operations 299
  Auditing IS Hardware 299
  Auditing Operating Systems 300
  Auditing File Systems 300
  Auditing Database Management Systems 301
  Auditing Network Infrastructure 302
  Auditing Network Operating Controls 302
  Auditing IS Operations 304
  Auditing Lights-Out Operations 304
  Auditing Problem Management Operations 305
  Auditing Monitoring Operations 305
  Auditing Procurement 306
  Questions 308
  Answers

Chapter 6 Information Asset Protection 309
  Information Security Management 309 309
  Aspects of Information Security Management 313
  Roles and Responsibilities
  Asset Inventory and Classification 314
  Access Controls 316
  Privacy 318
  Third-Party Management 319
  Human Resources Security 323
  Computer Crime 326
  Security Incident Management 331
  Forensic Investigations 334
  Logical Access Controls 336
  Access Control Concepts 336
  Access Control Models 337
  Threats 338
  Vulnerabilities 339
  Access Points and Methods of Entry 340
  Identification, Authentication, and Authorization 343
  Protecting Stored Information 351
  Managing User Access 356
  Protecting Mobile Devices 362
  Network Security Controls 362
  Network Security 362
  Securing Client-Server Applications 365
  Securing Wireless Networks 367
  Protecting Internet Communications 370
  Encryption 373
  Voice over IP (VoIP) 385
  Private Branch Exchange (PBX) 386
  Malware 387
  Information Leakage 392
  Environmental Controls 393
  Environmental Threats and Vulnerabilities 394
  Environmental Controls and Countermeasures 395
  Physical Security Controls 400
  Physical Access Threats and Vulnerabilities 400
  Physical Access Controls and Countermeasures 400
  Auditing Asset Protection 401
  Auditing Security Management 402
  Auditing Logical Access Controls 403
  Auditing Network Security Controls 410
  Auditing Environmental Controls 413
  Auditing Physical Security Controls 414
  Notes 415
  Summary 416
  Questions 417
  Answers 419

Chapter 7 Business Continuity and Disaster Recovery 421
  Disasters 422 422
  Types of Disasters 427
  How Disasters Affect Organizations 428
  The BCP Process 428
  BCP Policy 430
  Business Impact Analysis (BIA) 432
  Criticality Analysis 434
  Establishing Key Targets 437
  Developing Recovery Strategies 447
  Developing Recovery and Continuity Plans 458
  Considerations for Continuity and Recovery Plans 463
  Components of a Business Continuity Plan 464
  Testing Recovery Plans 464
  Testing Recovery and Continuity Plans 468
  Documenting Test Results 469
  Improving Recovery and Continuity Plans 469
  Training Personnel 470
  Making Plans Available to Personnel When Needed 471
  Maintaining Recovery and Continuity Plans 471
  Sources for Best Practices 473
  Auditing Business Continuity and Disaster Recovery
  Reviewing Business Continuity and Disaster Recovery Plans 474 476 477
  Reviewing Prior Test Results and Action Plans 478
  Evaluating Off-Site Storage 478
  Evaluating Alternative Processing Facilities 479
  Interviewing Key Personnel 479
  Reviewing Service Provider Contracts 480
  Reviewing Insurance Coverage 481
  Summary 482
  Notes 484
  Questions
  Answers

Appendix A Conducting a Professional Audit 485
  Introduction 485 485
  Understanding the Audit Cycle 486
  How the Information Systems Audit Cycle Is Discussed 486
  Use of the Word “Client” in This Appendix 487
  Overview of the IS Audit Cycle 487
  IS Audit Cycle at a High Level 488
  Project Origination 495
  Engagement Letters (“Contracts”) and Audit Charters 497
  Ethics and Independence
  Launching a New Project: Planning an Audit 499
  Understanding the Client’s Needs 499
  Performing a Risk Assessment 500
  Audit Methodology 501
  Developing the Audit Plan 503
  Gathering Information—“PBC” Lists 503
  A Client’s Preparedness for an Audit 503
  Developing Audit Objectives 504
  Developing the Scope of an Audit 505 506
  Developing a Testing Plan 507
  Understand the Controls Environment 515
  Perform a Pre-audit (or “Readiness Assessment”) 516
  Organize a Testing Plan 520
  Resource Planning for the Audit Team 521 521
  Project Execution 521
  Project Planning with the Client 523
  Gathering Testing Evidence 524
  Launching Testing 526
  Performing Tests of Control Existence 530
  Perform Testing of Control Operating Effectiveness 531
  Discovering Testing Exceptions 533
  Discovering Incidents Requiring Immediate Attention 535
  Materiality of Exceptions 537
  Developing Audit Opinions
. . . . . . . . . . . . 538 Developing Audit Recommendations . . . . . . . . . . . . . . . . . . . 541 Managing Supporting Documentation . . . . . . . . . . . . . . . . . . 541 542 Delivering Final Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543 Writing the Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544 Solicitation of Management’s Response . . . . . . . . . . . . . . . . . 544 544 Audit Closing Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544 Audit Checklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545 Delivery of the Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Final Sign-off with the Client . . . . . . . . . . . . . . . . . . . . . . . . . 545 545 Audit Follow-up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Retesting the Previous Period’s Failed Controls . . . . . . . . . . . Follow-up on Management’s Action Plans to Remediate Control Failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Client Feedback and Evaluations . . . . . . . . . . . . . . . . . . . . . .Appendix B Popular Methodologies, Frameworks, and Guidance . . . . . . . . . . . 547 Common Terms and Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547 548 Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548 Goals, Objectives, Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . 549 Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550 Capability Maturity Models . . . . . . . . . . . . . . . . . . . . . . . . . . 550 Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Contents xix The Deming Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553 Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553 Frameworks, Methodologies, and Guidance . . . . . . . . . . . . . . . . . . 554 COSO Internal Control Integrated Framework . . . . . . . . . . . 554 COBIT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558 GTAG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560 GAIT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561 ISF Standard of Good Practice . . . . . . . . . . . . . . . . . . . . . . . . 562 ISO/IEC 27001 and 27002 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562 ITIL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564 PMBOK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565 PRINCE2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567 Summary of Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568 Pointers for Successful Use of Frameworks . . . . . . . . . . . . . . 568 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570Appendix C About the CD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571 571 Installing and Running MasterExam . . . . . . . . . . . . . . . . . . . . . . . . 571 MasterExam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572 572 Electronic Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572 Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572 Removing Installation(s) . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . 572 Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LearnKey Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619Figure CreditsFigure 5-2 courtesy of Fir0002/Flagstaffotos with permission granted under the terms of the GNUFree Documentation License, Version 1.2, http://commons.wikimedia.org/wiki/Commons:GNU_Free_Documentation_License,_version_1.2.Figure 5-3 courtesy of Sassospicco with permission granted under the terms of the CreativeCommons Attribution Share-Alike 2.5 License, http://creativecommons.org/licenses/by-sa/2.5/.Figure 5-4, courtesy of Rjt, has been released into the public domain by its author at the PolishWikipedia project.Figure 5-5 courtesy of Robert Kloosterhuis with permission granted under the terms of theCreative Commons Attribution Share-Alike 2.5 License, http://creativecommons.org/licenses/by-sa/2.5/.Figure 5-13 courtesy of Rebecca Steele.
Figure 5-14 courtesy of Poil with permission granted under the terms of the GNU FreeDocumentation License, Version 1.2, http://commons.wikimedia.org/wiki/Commons:GNU_Free_Documentation_License, _version_1.2, and the Creative Commons AttributionShareAlike 3.0 License, http://creativecommons.org/licenses/by-sa/3.0/.Figure 5-15 courtesy of Hhedeshian with permission granted under the terms of the CreativeCommons Attribution 3.0 Unported License, http://creativecommons.org/licenses/by/3.0/.Figure 5-16 courtesy of FDominec with permission granted under the terms of the GNU FreeDocumentation License, Version 1.2, http://commons.wikimedia.org/wiki/Commons:GNU_Free_Documentation_License,_version_1.2.
ACKNOWLEDGMENTS

I am especially grateful to Timothy Green for his leadership and vision to see this project to its successful conclusion. Tim helped to steer us around some big obstacles and reaffirmed McGraw-Hill’s need to invest resources in this book, even during the uncertain economic conditions that haunted business markets throughout this project.

A heartfelt thanks to Meghan Riley for proficiently managing this project, juggling resources, and equipping me with information I needed to produce the manuscript.

Many thanks to Emilia Thiuri, Jan Jue, Jody McKenzie, and Paul Tyler for their great copyediting and eyes for readability. Much appreciation to Lyssa Wald who expertly rendered my sketches into beautifully clear line art, and to Apollo Publishing Services for their page layout.

I would like to thank Bobby Rogers who, in addition to his day job, took on the task of tech reviewing the manuscript. Bobby pointed out my mistakes and made many useful suggestions that have improved the book’s quality.

Many thanks to contributors Tanya Scott and Chris Tarnstrom, who wrote important sections for this book that will help readers better understand the CISA certification process and IS auditors to be more effective in their work. Tanya’s and Chris’ expertise and insight add considerable value to this book, long after readers become CISA certified. My vision for this book includes value for new and practicing IS auditors; these contributions allow this book to fulfill this vision.

Many thanks to my literary agent, Carole Jelen, for help at key moments throughout this project.

Sincere thanks to Rebecca Steele, my business manager and publicist, for her long-term vision, for keeping me on track, and for photos that she obtained for the manuscript.

My wife Rebekah and I knew that writing this book would require considerable sacrifice. Several times I had to dig deeper than I had anticipated at the beginning of this project. We both knew that this was an important book for the IT audit and security profession, and that considerable team effort would be required to produce it. This book could not have been completed without her unfailing support. She deserves the credit.
INTRODUCTION

For the first three decades of computing and networking, computer systems supported a limited set of business activities. Advancements in information technology led to vast increases in IT support of business processes. Rapid application development technologies meant that organizations could build application environments so quickly that requirements, security, and design considerations could be (and often were) set aside. Information systems don’t just support business processes—often they are business processes.

Throughout human history, we have invented tools and put them to work before fully understanding their safety or security implications. It is only after a new product or technology is put into general use that the risks become known. This often results in hasty fixes and protection laws. Readers of this book may be aware that there is a growing array of laws in place that require organizations to enact processes and controls to protect information and information systems. Laws like Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, PIPEDA, and the multitude of U.S. state laws requiring public disclosure of security breaches involving private information have created a backlash. Organizations are either required or incentivized to perform audits that measure compliance in order to avoid penalties, sanctions, and embarrassing news headlines.

These laws have caused a surge in demand for IT security professionals and IS auditors. These professionals, now in high demand, play a crucial role in the development of better compliance programs.

The Certified Information Systems Auditor (CISA) certification, established in 1978, is indisputably the leading certification for IS auditing. Demand for professionals with the CISA certification has been growing so much that the once-per-year certification exam was changed to twice per year in 2005. That same year, the CISA certification was awarded accreditation by the American National Standards Institute (ANSI) under international standard ISO/IEC 17024. In mid-2009, there were over 60,000 professionals holding the certification.

IS auditing is not a “bubble” or a flash in the pan. Rather, IS auditing is a permanent fixture in IS/IT organizations that have to contend with new technologies, new systems, and new data security and privacy laws. The CISA certification is the gold standard certification for professionals who work in this domain.

Purpose of this Book

Let’s get the obvious out of the way: this is a comprehensive study guide for the IT or audit professional who needs a serious reference for individual or group-led study for the Certified Information Systems Auditor certification. Plus Chapter 1 explains the certification process itself.

This book is also an IS auditor’s desk reference. Chapters 2–7 explain key technologies found in today’s information systems, plus the details and principles of IS auditing that auditors must thoroughly understand to be effective.

Appendix A walks the reader through the entire performance of a professional audit. This section discusses IS audits from internal and external perspectives, from audit planning to delivering the final report.

Appendix B discusses control frameworks; this section will help an IS auditor who needs to understand how control frameworks function, or who is providing guidance to an organization that needs to implement a control framework.

Appendix C provides instructions on how to use the accompanying CD, which comes complete with MasterExam and the electronic version of the book.

This book is an excellent guide for someone exploring the IS audit profession. The study chapters explain all of the technologies and audit procedures, and the appendices explain process frameworks and the practical side of professional audits. This is useful for those readers who wonder what the IS audit profession is all about.
CHAPTER 1
Becoming a CISA

This chapter discusses the following major topics:

• What it means to be a CISA-certified professional
• Getting to know ISACA, its code of ethics, and its standards
• The certification process
• Applying for the exam
• Maintaining your certification
• Getting the most from your CISA journey

Congratulations on choosing to become a Certified Information Systems Auditor (CISA). Whether you have worked several years in the field of information systems auditing or have just recently been introduced to the world of controls, assurance, and security, don’t underestimate the hard work and dedication required to obtain and maintain CISA certification. Although ambition and motivation are required, the rewards can far exceed the effort.

You probably never imagined you would find yourself working in the world of auditing or looking to obtain a professional audit certification. Perhaps the increase in legislative or regulatory requirements for information system security led to your introduction to this field. Or possibly you have noticed that CISA-related career options are increasing exponentially, and you have decided to get ahead of the curve. You aren’t alone: 55,000 professionals worldwide reached the same conclusion and have earned the well-respected CISA certification. Welcome to the journey and the amazing opportunities that await you.

I have put together this information to help you further understand the commitment needed, prepare for the exam, and maintain your certification. Not only is it my wish to see you pass the exam with flying colors, but I also provide you with the information and resources to maintain your certification and to proudly represent yourself and the professional world of IS auditing with your new credentials.

The Information Systems Audit and Control Association (ISACA) is a recognized leader in the areas of control, assurance, and IT governance. This nonprofit organization represents more than 86,000 professionals in approximately 160 different countries. ISACA administers several exams and controls certifications including the CISA, the CISM (Certified Information Systems Management), and the CGEIT (Certified Governance of Enterprise Information Technology) certifications. The certification program itself has been accredited by the American National Standards Institute (ANSI) under International Organization for Standardization (ISO) 17024, which means that ISACA’s procedures for accreditation meet international requirements for quality, continuous improvement, and accountability.

If you’re new to ISACA, I recommend that you tour the web site and familiarize yourself with the guides and resources available. In addition, if you’re near one of the 175 local ISACA chapters in 70 countries, consider taking part in the activities and even reaching out to the chapter board for information on local training days or study sessions.

The CISA certification was established in 1978 and primarily focuses on audit, controls, assurance, and security. It certifies the individual’s knowledge around testing and documenting IS controls, and ability to conduct formal IS audits. Organizations seek out qualified personnel for assistance with developing and maintaining strong controls environments. A CISA-certified individual is a great candidate for this.

Benefits of CISA Certification

Obtaining the CISA certification offers several significant benefits:

• Expands knowledge and skills, builds confidence: Developing knowledge and skills around the areas of audit, controls, assurance, and security can prepare you for advancement or to expand your scope of responsibilities. The personal and professional achievement can boost confidence that encourages you to move forward and seek new career opportunities.
• Increases marketability and career options: Because of various legal and regulatory requirements such as HIPAA (Health Insurance Portability and Accountability Act), PCI (Payment Card Industry data security standard), Sarbanes-Oxley, GLBA (Gramm Leach Bliley Act), FDA (Food and Drug Administration), and FERC/NERC (Federal Energy Regulatory Commission/North American Electric Reliability Corporation), and the growing need for information systems and automation, controls, assurance, and audit experience, demand is growing for individuals with experience in testing and documenting controls. Many government agencies and organizations are requiring CISA certifications for positions involving IS audit activities. Having a CISA can open up many doors of opportunity in various industries and countries.

• Builds customer confidence/international credibility: Prospective customers needing control or audit work will have faith that the quality of the audits and controls documented or tested are in line with internationally recognized standards.

Regardless of your current position, demonstrating knowledge and experience in the areas of IS controls, audit, assurance, and security can expand your career options. The certification does not limit you to auditing; it can provide additional value and insight to those in or seeking the following positions:

• Executives such as CEOs, CFOs, and CIOs
• Chief audit executives, audit partners, and audit directors
• Security and IT operations executives (CTOs, CISOs, CSOs), directors, managers, and staff
• Compliance executives and management
• Consultants

Becoming a CISA

The following list outlines the major requirements for becoming certified:

• Experience: A CISA candidate must be able to submit verifiable evidence of five years’ experience, with a minimum of two years’ professional work experience in IS auditing, control, or security. Experience can be in any of the job content areas, but must be verified. For those with less than five years’ experience, experience substitution options are available.

• Ethics: Candidates must commit to adhere to ISACA’s Code of Professional Ethics, which guides the personal and professional conduct of those certified.

• Exam: Candidates must receive a passing score on the CISA exam.

• Education: Those certified must adhere to the CISA Continuing Education Policy, which requires a minimum of 20 continuing professional education (CPE) hours each year, with a total requirement of 120 CPEs over the course of the certification period (three years).

• Standards: Those certified agree to abide by IS auditing standards and minimum guidelines for performing IS audits.

• Application: After successfully passing the exam, meeting the experience requirements, and having read through the Code of Professional Ethics, a candidate is ready to apply for certification.

Experience Requirements

To qualify for CISA certification, you must have completed the equivalent of five years’ total work experience. These five years can take many forms, with several substitutions available. Additional details on the minimum certification requirements, substitution options, and various examples are discussed next.

NOTE Although it is not recommended, a CISA candidate can take the exam before completing any work experience directly related to IS audit. As long as the candidate passes the exam and the work experience requirements are filled within five years of the exam date and within ten years from application for certification, the candidate is eligible for certification.
Direct Work Experience

You are required to have a minimum of two years’ work experience in the fields of IS audit, controls, or security. This is equivalent to 4,000 actual work hours, which must be related to the six CISA job practice areas:

• IS Audit Process: Planning and conducting information systems audits in accordance with IS Standards and best practices, communicating results, and advising on risk management and control practices.

• IT Governance: Ensuring that adequate human resource, performance, value, and risk management are in place to align and support the organization’s strategies and objectives.

• Systems and Infrastructure Life-Cycle Management: Ensuring that systems and infrastructure have appropriate controls in place (acquisition, development, testing, implementation, maintenance, and disposal) to provide reasonable assurance that the organization’s objectives will be met.

• IT Service Delivery and Support: Evaluating or implementing IT service management practices to ensure an organization’s objectives are met.

• Protection of Information Assets: Evaluating, designing, or implementing a security architecture with the intent of ensuring the confidentiality, integrity, and availability of information assets.

• Business Continuity and Disaster Recovery: Evaluating, developing, or managing business continuity and disaster recovery processes that minimize impact to the organization in the event of disruption.

All work experience must be completed within the ten years before completing the certification application, and five years from the date of initially passing the CISA exam. You will need to complete a separate Verification of Work Experience form for each segment of experience. There is only one exception to this minimum two-year direct work experience requirement: if you are a full-time instructor. This option is discussed in the next section.

Substitution of Experience

Up to a maximum of three years’ direct work experience can be substituted with the following to meet the five-year experience requirement:

• One year of information systems or one year of non-IS auditing experience can be substituted for up to one year of direct work experience.

• If you have completed a two- or four-year degree, 60–120 completed university semester credit hours, regardless of when completed, can substitute for one or two years of direct work experience, respectively. Transcripts or a letter confirming degree status must be sent from the university attended to obtain the experience waiver.

• If you have completed a bachelor’s or master’s degree from a university that enforces an ISACA-sponsored curriculum, it can be substituted for one or two years of direct work experience, respectively (for information on ISACA-sponsored curricula and participating universities, see www.isaca.org/modeluniversities). Transcripts or a letter confirming degree status will need to be sent from the university to obtain an experience waiver.

• Association of Chartered Certified Accountants (ACCA) members and Chartered Institute of Management Accountants (CIMA) members with full certification can apply for a two-year experience waiver.

• Those applying with a master’s degree in information systems or IT from a university can apply for a one-year experience waiver.

As noted earlier, there is only one exception to the experience requirements. Should you have experience as a full-time university instructor in a related field (that is, information security, computer science, and accounting), each year of your experience can be substituted for one year of required direct work experience, without limitation.

Here is an example CISA candidate whose experience and education are considered for CISA certification:

Jane Doe graduated in 1995 with a bachelor’s degree in accounting. She spent five years working for an accounting firm conducting non-IS audits, and in January 2000, she began conducting IS audits full time. In January 2002, she took some time off work for personal reasons and rejoined the workforce in December 2007, working for a public company in their internal audit department documenting and testing financial controls. Jane passed the CISA exam in June 2008 and applied for CISA certification in January 2009. Does Jane have all of the experience required? What evidence will she need to submit?

• Two-year substitution: Jane obtained a bachelor’s degree in accounting, which equates to two years’ experience substitution.

• Jane can count all work experience after January 1999:

  • Two years’ direct experience: She can count her two full years of IS audit experience in 2000 and 2001.

  • One-year substitution: She can also take into account one year of non-IS audit experience completed between January 1999 and January 2000.

  • One-year substitution: Should she want to utilize her new internal audit financial controls experience, Jane has the option to use this for experience substitution rather than her earlier non-IS audit experience. The choice is hers.

Jane would need to send the following with her application to prove experience requirements are met:

• Verification of Work Experience forms filled out and signed by her supervisors (or any superior) at the accounting firm, verifying both the IS and non-IS audit work conducted.

• Transcripts or letter confirming degree status sent from the university.
ISACA Code of Professional Ethics

Becoming a CISA means that you agree to adhere to the ISACA Code of Professional Ethics. The code of ethics is a formal document outlining those things you will do to ensure the utmost integrity and that best support and represent the organization and certification. The following summarizes the code of ethics:

• Support the implementation of standards, procedures, and controls for IS.
• Encourage compliance with standards, procedures, and controls for IS.
• Conduct audits and related tasks with objectivity, due diligence, and professional care.
• Conduct audits in accordance with standards and best practices.
• Serve in the interest of stakeholders, lawfully and with integrity.
• Avoid engaging in acts that may be disreputable to the profession.
• Maintain privacy and confidentiality of information unless legally required to disclose it.
• Never disclose information for personal benefit or to inappropriate parties.
• Maintain competencies and agree to undertake only those activities that you can reasonably complete with professional competence.
• Inform appropriate parties of audit results, stating all significant facts known.
• Educate stakeholders and enhance their understanding of IS security and controls.

Failure to follow the code can result in investigation of the member’s conduct and potential disciplinary measures that range from warning to revocation of certification and/or membership. For more information on the complaint-handling process and for information on the Investigations Committee, see the Code of Professional Ethics section on the ISACA web site.

ISACA IS Standards

An auditor can gather information from several credible resources to conduct an audit with integrity and confidence. ISACA has developed its own set of standards of mandatory requirements for IS auditing and reporting. As a CISA, you agree to abide by and promote the IS Standards where applicable, encouraging compliance and supporting their implementation. As you prepare for certification and beyond, you will need to read through and become familiar with these standards.

The following standards were created to define the minimum level of acceptable performance required to meet the professional requirements set by ISACA and to help set expectations. They have been established, vetted, and approved by ISACA:

• S1: Audit Charter: This standard describes the importance of having a documented audit charter or engagement letter to clearly state the purpose, responsibilities, authority, and accountability of the information systems audit function or audits.

• S2: Independence: This standard describes the importance of the IS auditor’s independence with regard to the audit work and the auditee, in activity and perception.

• S3: Professional Ethics and Standards: The IS auditor should exercise due professional care, adhere to the code of ethics, and abide by professional auditing standards.

• S4: Professional Competence: Each IS auditor should obtain and maintain professional competence and only conduct assignments in which he or she has the skills and knowledge.

• S5: Planning: This standard describes planning best practices including those concerning scope and audit objectives, developing and documenting a risk-based audit approach, the creation of an audit plan, and development of an audit program and procedures.

• S6: Performance of Audit Work: When conducting an audit, it is critical to provide reasonable assurance that audit objectives have been met; sufficient, reliable, and relevant evidence is collected; and all audit work is appropriately documented to support conclusions and findings.

• S7: Reporting: This standard provides guidance on audit reporting, including guidance on stating scope, objectives, audit work performed, and on stating findings, conclusions, and recommendations.

• S8: Follow-up Activities: IS auditors are responsible for particular follow-up activities once the findings and recommendations have been reported.

• S9: Irregularities and Illegal Acts: This standard thoroughly describes those considerations of irregularities and illegal acts the IS auditor should have throughout the audit process.

• S10: IT Governance: This standard provides guidance to the IS auditor as to what governance areas should be considered during the audit process, including whether the IS function is strategically aligned with the organization, performance management, compliance, risk management, resource management, and the control environment.

• S11: Use of Risk Analysis in Audit Planning: An appropriate risk assessment methodology should be utilized when developing the IS audit plan, prioritizing activities, and planning individual audits.

• S12: Audit Materiality: This standard provides guidance on audit materiality, how it relates to audit risk, and how to rate the significance of control deficiencies and whether they lead to significant deficiencies or material weakness.