CONTENTS
Acknowledgments
Introduction
Chapter 1 Becoming a CISA
Benefits of CISA Certification
The CISA Certification Process
Experience Requirements
ISACA Code of Professional Ethics
ISACA IS Standards
The Certification Exam
Exam Preparation
Before the Exam
Day of the Exam
After the Exam
Applying for CISA Certification
Retaining Your CISA Certification
Continuing Education
CPE Maintenance Fees
Revocation of Certification
CISA Exam Preparation Pointers
Summary
Chapter 2 IT Governance and Management
IT Governance Practices for Executives and Boards of Directors
IT Governance
IT Governance Frameworks
IT Strategy Committee
The Balanced Scorecard
Information Security Governance
IT Strategic Planning
The IT Steering Committee
Policies, Processes, Procedures, and Standards
Information Security Policy
Privacy Policy
Data Classification Policy
System Classification Policy
Site Classification Policy
Access Control Policy
Mobile Device Policy
Social Media Policy
Other Policies
Processes and Procedures
Standards
Enterprise Architecture
Applicable Laws, Regulations, and Standards
Risk Management
The Risk Management Program
The Risk Management Process
Risk Treatment
IT Management Practices
Personnel Management
Sourcing
Change Management
Financial Management
Quality Management
Portfolio Management
Controls Management
Security Management
Performance and Capacity Management
Organization Structure and Responsibilities
Roles and Responsibilities
Segregation of Duties
Auditing IT Governance
Auditing Documentation and Records
Auditing Contracts
Auditing Outsourcing
Chapter Review
Quick Review
Questions
Answers
Chapter 3 The Audit Process
Audit Management
The Audit Charter
The Audit Program
Strategic Audit Planning
Audit and Technology
Audit Laws and Regulations
ISACA Auditing Standards
ISACA Code of Professional Ethics
ISACA Audit and Assurance Standards
ISACA Audit and Assurance Guidelines
Risk Analysis
Auditors’ Risk Analysis and the Corporate Risk Management Program
Evaluating Business Processes
Identifying Business Risks
Risk Mitigation
Countermeasures Assessment
Monitoring
Controls
Control Classification
Internal Control Objectives
IS Control Objectives
General Computing Controls
IS Controls
Performing an Audit
Audit Objectives
Types of Audits
Compliance vs. Substantive Testing
Audit Methodology and Project Management
Audit Evidence
Reliance on the Work of Other Auditors
Audit Data Analytics
Reporting Audit Results
Other Audit Topics
Control Self-Assessment
CSA Advantages and Disadvantages
The CSA Life Cycle
Self-Assessment Objectives
Auditors and Self-Assessment
Implementation of Audit Recommendations
Chapter Review
Quick Review
Questions
Answers
Chapter 4 IT Life Cycle Management
Benefits Realization
Portfolio and Program Management
Business Case Development
Measuring Business Benefits
Project Management
Organizing Projects
Developing Project Objectives
Managing Projects
Project Roles and Responsibilities
Project Planning
Project Management Methodologies
The Systems Development Life Cycle (SDLC)
SDLC Phases
Software Development Risks
Alternative Software Development Approaches and Techniques
System Development Tools
Acquiring Cloud-Based Infrastructure and Applications
Infrastructure Development and Implementation
Review of Existing Architecture
Requirements
Design
Procurement
Testing
Implementation
Maintenance
Maintaining Information Systems
Change Management
Configuration Management
Business Processes
The Business Process Life Cycle and Business Process Reengineering
Capability Maturity Models
Managing Third Parties
Risk Factors
Onboarding and Due Diligence
Classification
Assessment
Remediation
Risk Reporting
Application Controls
Input Controls
Processing Controls
Output Controls
Auditing the Systems Development Life Cycle
Auditing Program and Project Management
Auditing the Feasibility Study
Auditing Requirements
Auditing Design
Auditing Software Acquisition
Auditing Development
Auditing Testing
Auditing Implementation
Auditing Post-Implementation
Auditing Change Management
Auditing Configuration Management
Auditing Business Controls
Auditing Application Controls
Transaction Flow
Observations
Data Integrity Testing
Testing Online Processing Systems
Auditing Applications
Continuous Auditing
Auditing Third-Party Risk Management
Chapter Review
Quick Review
Questions
Answers
Chapter 5 IT Service Management and Continuity
Information Systems Operations
Management and Control of Operations
IT Service Management
IT Operations and Exception Handling
End-User Computing
Software Program Library Management
Quality Assurance
Security Management
Media Control
Data Management
Information Systems Hardware
Computer Usage
Computer Hardware Architecture
Hardware Maintenance
Hardware Monitoring
Information Systems Architecture and Software
Computer Operating Systems
Data Communications Software
File Systems
Database Management Systems
Media Management Systems
Utility Software
Software Licensing
Digital Rights Management
Network Infrastructure
Enterprise Architecture
Network Architecture
Network-Based Services
Network Models
Network Technologies
Business Resilience
Business Continuity Planning
Disaster Recovery Planning
Auditing IT Infrastructure and Operations
Auditing Information Systems Hardware
Auditing Operating Systems
Auditing File Systems
Auditing Database Management Systems
Auditing Network Infrastructure
Auditing Network Operating Controls
Auditing IT Operations
Auditing Lights-Out Operations
Auditing Problem Management Operations
Auditing Monitoring Operations
Auditing Procurement
Auditing Business Continuity Planning
Auditing Disaster Recovery Planning
Chapter Review
Quick Review
Questions
Answers
Chapter 6 Information Asset Protection
Information Security Management
Aspects of Information Security Management
Roles and Responsibilities
Business Alignment
Asset Inventory and Classification
Access Controls
Privacy
Third-Party Management
Human Resources Security
Computer Crime
Security Incident Management
Forensic Investigations
Logical Access Controls
Access Control Concepts
Access Control Models
Access Control Threats
Access Control Vulnerabilities
Access Points and Methods of Entry
Identification, Authentication, and Authorization
Protecting Stored Information
Managing User Access
Protecting Mobile Computing
Network Security Controls
Network Security
IoT Security
Securing Client-Server Applications
Securing Wireless Networks
Protecting Internet Communications
Encryption
Voice over IP
Private Branch Exchange
Malware
Information Leakage
Environmental Controls
Environmental Threats and Vulnerabilities
Environmental Controls and Countermeasures
Physical Security Controls
Physical Access Threats and Vulnerabilities
Physical Access Controls and Countermeasures
Auditing Asset Protection
Auditing Security Management
Auditing Logical Access Controls
Auditing Network Security Controls
Auditing Environmental Controls
Auditing Physical Security Controls
Chapter Review
Quick Review
Questions
Answers
Appendix A Conducting a Professional Audit
Understanding the Audit Cycle
How the IS Audit Cycle Is Discussed
“Client” and Other Terms in This Appendix
Overview of the IS Audit Cycle
Project Origination
Engagement Letters and Audit Charters
Ethics and Independence
Launching a New Project: Planning an Audit
Developing the Audit Plan
Developing a Test Plan
Performing a Pre-Audit (or Readiness Assessment)
Organizing a Testing Plan
Resource Planning for the Audit Team
Performing Control Testing
Developing Audit Opinions
Developing Audit Recommendations
Managing Supporting Documentation
Delivering Audit Results
Management Response
Audit Closing Procedures
Audit Follow-up
Summary
Appendix B Popular Methodologies, Frameworks, and Guidance
Common Terms and Concepts
Governance
Goals, Objectives, and Strategies
Processes
Capability Maturity Models
Controls
The Deming Cycle
Projects
Frameworks, Methodologies, and Guidance
Business Model for Information Security (BMIS)
COSO Internal Control – Integrated Framework
COBIT
GTAG
GAIT
ISF Standard of Good Practice for Information Security
ISO/IEC 27001 and 27002
NIST SP 800-53 and NIST SP 800-53A
NIST Cybersecurity Framework
Payment Card Industry Data Security Standard
CIS Controls
IT Assurance Framework
ITIL
PMBOK Guide
PRINCE2
Risk IT
Val IT
Summary of Frameworks
Pointers for Successful Use of Frameworks
Notes
References
Appendix C About the Online Content
System Requirements
Your Total Seminars Training Hub Account
Privacy Notice
Single User License Terms and Conditions
TotalTester Online
Technical Support
Glossary
Index