CONTENTS   

Acknowledgments

Introduction

Chapter 1     Becoming a CISA

Benefits of CISA Certification

The CISA Certification Process

Experience Requirements

ISACA Code of Professional Ethics

ISACA IS Standards

The Certification Exam

Exam Preparation

Before the Exam

Day of the Exam

After the Exam

Applying for CISA Certification

Retaining Your CISA Certification

Continuing Education

CPE Maintenance Fees

Revocation of Certification

CISA Exam Preparation Pointers

Summary

Chapter 2     IT Governance and Management

IT Governance Practices for Executives and Boards of Directors

IT Governance

IT Governance Frameworks

IT Strategy Committee

The Balanced Scorecard

Information Security Governance

IT Strategic Planning

The IT Steering Committee

Policies, Processes, Procedures, and Standards

Information Security Policy

Privacy Policy

Data Classification Policy

System Classification Policy

Site Classification Policy

Access Control Policy

Mobile Device Policy

Social Media Policy

Other Policies

Processes and Procedures

Standards

Applicable Laws, Regulations, and Standards

Risk Management

The Risk Management Program

The Risk Management Process

Risk Treatment

IT Management Practices

Personnel Management

Sourcing

Change Management

Financial Management

Quality Management

Portfolio Management

Controls Management

Security Management

Performance and Capacity Management

Organization Structure and Responsibilities

Roles and Responsibilities

Segregation of Duties

Business Continuity Planning

Disasters

The Business Continuity Planning Process

Developing Continuity Plans

Testing Recovery Plans

Training Personnel

Making Plans Available to Personnel When Needed

Maintaining Recovery and Continuity Plans

Sources for Best Practices

Auditing IT Governance

Auditing Documentation and Records

Auditing Contracts

Auditing Outsourcing

Auditing Business Continuity Planning

Summary

Notes

Questions

Answers

Chapter 3     The Audit Process

Audit Management

The Audit Charter

The Audit Program

Strategic Audit Planning

Audit and Technology

Audit Laws and Regulations

ISACA Auditing Standards

ISACA Code of Professional Ethics

ISACA Audit and Assurance Standards

ISACA Audit and Assurance Guidelines

Risk Analysis

Auditors’ Risk Analysis and the Corporate Risk Management Program

Evaluating Business Processes

Identifying Business Risks

Risk Mitigation

Countermeasures Assessment

Monitoring

Controls

Control Classification

Internal Control Objectives

IS Control Objectives

General Computing Controls

IS Controls

Performing an Audit

Audit Objectives

Types of Audits

Compliance vs. Substantive Testing

Audit Methodology

Audit Evidence

Reliance Upon the Work of Other Auditors

Computer-Assisted Audit and Automated Work Papers

Reporting Audit Results

Other Audit Topics

Control Self-Assessment

CSA Advantages and Disadvantages

The Control Self-Assessment Life Cycle

Self-Assessment Objectives

Auditors and Self-Assessment

Implementation of Audit Recommendations

Summary

Notes

Questions

Answers

Chapter 4     IT Life Cycle Management

Benefits Realization

Portfolio and Program Management

Business Case Development

Measuring Business Benefits

Project Management

Organizing Projects

Developing Project Objectives

Managing Projects

Project Roles and Responsibilities

Project Planning

Project Management Methodologies

The System Development Life Cycle (SDLC)

SDLC Phases

Software Development Risks

Alternative Software Development Approaches and Techniques

System Development Tools

Acquiring Cloud-Based Infrastructure and Applications

Infrastructure Development and Implementation

Review of Existing Architecture

Requirements

Design

Procurement

Testing

Implementation

Maintenance

Maintaining Information Systems

Change Management

Configuration Management

Business Processes

The Business Process Life Cycle (BPLC) and Business Process Reengineering (BPR)

Capability Maturity Models

Managing Third Parties

Risk Factors

Onboarding and Due Diligence

Classification

Assessment

Remediation

Enterprise Architecture

The Zachman Framework

Data Flow Diagrams

Application Controls

Input Controls

Processing Controls

Output Controls

Auditing the System Development Life Cycle

Auditing Project Management

Auditing the Feasibility Study

Auditing Requirements

Auditing Design

Auditing Software Acquisition

Auditing Development

Auditing Testing

Auditing Implementation

Auditing Post-Implementation

Auditing Change Management

Auditing Configuration Management

Auditing Business Controls

Auditing Application Controls

Transaction Flow

Observations

Data Integrity Testing

Testing Online Processing Systems

Auditing Applications

Continuous Auditing

Auditing Third-Party Management

Summary

Notes

Questions

Answers

Chapter 5     IT Service Delivery and Infrastructure

Information Systems Operations

Management and Control of Operations

IT Service Management

IT Operations and Exception Handling

End-User Computing

Software Program Library Management

Quality Assurance

Security Management

Media Control

Data Management

Information Systems Hardware

Computer Usage

Computer Hardware Architecture

Hardware Maintenance

Hardware Monitoring

Information Systems Architecture and Software

Computer Operating Systems

Data Communications Software

File Systems

Database Management Systems

Media Management Systems

Utility Software

Software Licensing

Digital Rights Management

Network Infrastructure

Enterprise Architecture

Network Architecture

Network-Based Services

Network Models

Network Technologies

Local Area Networks

Wide Area Networks

Wireless Networks

TCP/IP Protocols and Devices

The Global Internet

Network Management

Networked Applications

Disaster Recovery Planning

Disaster Response Teams’ Roles and Responsibilities

Recovery Objectives

Developing Recovery Strategies

Developing Recovery Plans

Data Backup and Recovery

Testing DR Plans

Auditing IT Infrastructure and Operations

Auditing Information Systems Hardware

Auditing Operating Systems

Auditing File Systems

Auditing Database Management Systems

Auditing Network Infrastructure

Auditing Network Operating Controls

Auditing IT Operations

Auditing Lights-Out Operations

Auditing Problem Management Operations

Auditing Monitoring Operations

Auditing Procurement

Auditing Disaster Recovery Planning

Summary

Notes

Questions

Answers

Chapter 6     Information Asset Protection

Information Security Management

Aspects of Information Security Management

Roles and Responsibilities

Business Alignment

Asset Inventory and Classification

Access Controls

Privacy

Third-Party Management

Human Resources Security

Computer Crime

Security Incident Management

Forensic Investigations

Logical Access Controls

Access Control Concepts

Access Control Models

Access Control Threats

Access Control Vulnerabilities

Access Points and Methods of Entry

Identification, Authentication, and Authorization

Protecting Stored Information

Managing User Access

Protecting Mobile Computing

Network Security Controls

Network Security

Securing Client-Server Applications

Securing Wireless Networks

Protecting Internet Communications

Encryption

Voice over IP

Private Branch Exchange (PBX)

Malware

Information Leakage

Environmental Controls

Environmental Threats and Vulnerabilities

Environmental Controls and Countermeasures

Physical Security Controls

Physical Access Threats and Vulnerabilities

Physical Access Controls and Countermeasures

Auditing Asset Protection

Auditing Security Management

Auditing Logical Access Controls

Auditing Network Security Controls

Auditing Environmental Controls

Auditing Physical Security Controls

Summary

Notes

Questions

Answers

Appendix A  Conducting a Professional Audit

Understanding the Audit Cycle

How the Information Systems Audit Cycle Is Discussed

“Client” and Other Terms in This Appendix

Overview of the IS Audit Cycle

Project Origination

Engagement Letters and Audit Charters

Ethics and Independence

Launching a New Project: Planning an Audit

Developing the Audit Plan

Developing a Test Plan

Performing a Pre-Audit (or “Readiness Assessment”)

Organizing a Testing Plan

Resource Planning for the Audit Team

Performing Control Testing

Developing Audit Opinions

Developing Audit Recommendations

Managing Supporting Documentation

Delivering Audit Results

Management Response

Audit Closing Procedures

Audit Follow-up

Summary

Appendix B  Popular Methodologies, Frameworks, and Guidance

Common Terms and Concepts

Governance

Goals, Objectives, and Strategies

Processes

Capability Maturity Models

Controls

The Deming Cycle

Projects

Frameworks, Methodologies, and Guidance

Business Model for Information Security (BMIS)

COSO Internal Control – Integrated Framework

COBIT

GTAG

GAIT

ISF Standard of Good Practice for Information Security

ISO/IEC 27001 and 27002

ITAF

ITIL

PMBOK Guide

PRINCE2

Risk IT

Val IT

Summary of Frameworks

Pointers for Successful Use of Frameworks

Notes

References

Appendix C  About the Download

System Requirements

Installing and Running Total Tester

Total Tester Premium Practice Exam Software

Technical Support

Glossary

Index

Figure Credits

Figure 4-6 courtesy of Digital Aardvark, Inc.

Figure 4-7 courtesy of AXELOS Limited. Copyright © AXELOS Limited 2016. PRINCE2® is a registered trade mark of AXELOS Limited. Used under permission of AXELOS Limited. All rights reserved.

Figure 4-9 courtesy of Oxford University Press, Inc. From Alexander et al., The Oregon Experiment, 1975, p. 44. Used by Permission of Oxford University Press, Inc.

Figure 5-2 courtesy of Fir0002/Flagstaffotos with permission granted under the terms of the GNU Free Documentation License, Version 1.2, http://commons.wikimedia.org/wiki/Commons:GNU_Free_Documentation_License,_version_1.2.

Figure 5-3 courtesy of Sassospicco with permission granted under the terms of the Creative Commons Attribution Share-Alike 2.5 License, http://creativecommons.org/licenses/by-sa/2.5/.

Figure 5-4, courtesy of Robert Jacek Tomczak, has been released into the public domain by its author at the Polish Wikipedia project.

Figure 5-5 courtesy of Robert Kloosterhuis with permission granted under the terms of the Creative Commons Attribution Share-Alike 2.5 License, http://creativecommons.org/licenses/by-sa/2.5/.

Figure 5-15 courtesy of Rebecca Steele.

Figure 5-16 courtesy of Harout S. Hhedeshian with permission granted under the terms of the Creative Commons Attribution 3.0 Unported License, http://creativecommons.org/licenses/by/3.0/.

Figure 5-17 courtesy of Stephanie Tsacas with permission granted under the terms of the Creative Commons Attribution Share-Alike 2.5 License, http://creativecommons.org/licenses/by-sa/2.5/.

Figure 5-18 courtesy of Fdominec with permission granted under the terms of the GNU Free Documentation License, Version 1.2, http://commons.wikimedia.org/wiki/Commons:GNU_Free_Documentation_License,_version_1.2.

Figure 6-3 courtesy Ingersoll Rand Security Technologies.
