Introduction xix
Assessment Test xlii
Chapter 1 Secrets of a Successful Auditor 1
Understanding the Demand for IS Audits 2
Executive Misconduct 3
More Regulation Ahead 5
Basic Regulatory Objective 7
Governance Is Leadership 8
Three Types of Data Target Different Uses 9
Audit Results Indicate the Truth 10
Understanding Policies, Standards, Guidelines, and Procedures 11
Understanding Professional Ethics 14
Following the ISACA Professional Code 14
Preventing Ethical Conflicts 16
Understanding the Purpose of an Audit 17
Classifying General Types of Audits 18
Determining Differences in Audit Approach 20
Understanding the Auditor's Responsibility 21
Comparing Audits to Assessments 21
Differentiating between Auditor and Auditee Roles 22
Applying an Independence Test 23
Implementing Audit Standards 24
Where Do Audit Standards Come From? 25
Understanding the Various Auditing Standards 27
Specific Regulations Defining Best Practices 31
Audits to Prove Financial Integrity 34
Auditor Is an Executive Position 35
Understanding the Importance of Auditor Confidentiality 35
Working with Lawyers 36
Working with Executives 37
Working with IT Professionals 37
Retaining Audit Documentation 38
Providing Good Communication and Integration 39
Understanding Leadership Duties 39
Planning and Setting Priorities 40
Providing Standard Terms of Reference 41
Dealing with Conflicts and Failures 42
Identifying the Value of Internal and External Auditors 43
Understanding the Evidence Rule 43
Stakeholders: Identifying Whom You Need to Interview 44
Understanding the Corporate Organizational Structure 45
Identifying Roles in a Corporate Organizational Structure 45
Identifying Roles in a Consulting Firm Organizational Structure 47
Summary 49
Exam Essentials 49
Review Questions 52
Chapter 2 Governance 57
Strategy Planning for Organizational Control 61
Overview of the IT Steering Committee 64
Using the Balanced Scorecard 69
IT Subset of the BSC 74
Decoding the IT Strategy 74
Specifying a Policy 77
Project Management 79
Implementation Planning of the IT Strategy 90
Using COBIT 94
Identifying Sourcing Locations 94
Conducting an Executive Performance Review 99
Understanding the Auditor's Interest in the Strategy 100
Overview of Tactical Management 100
Planning and Performance 100
Management Control Methods 101
Risk Management 105
Implementing Standards 108
Human Resources 109
System Life-Cycle Management 111
Continuity Planning 111
Insurance 112
Overview of Business Process Reengineering 112
Why Use Business Process Reengineering 113
BPR Methodology 114
Genius or Insanity? 114
Goal of BPR 114
Guiding Principles for BPR 115
Knowledge Requirements for BPR 116
BPR Techniques 116
BPR Application Steps 117
Role of IS in BPR 119
Business Process Documentation 119
BPR Data Management Techniques 120
Benchmarking as a BPR Tool 120
Using a Business Impact Analysis 121
BPR Project Risk Assessment 123
Practical Application of BPR 125
Practical Selection Methods for BPR 127
Troubleshooting BPR Problems 128
Understanding the Auditor's Interest in Tactical Management 129
Operations Management 129
Sustaining Operations 130
Tracking Actual Performance 130
Controlling Change 131
Understanding the Auditor's Interest in Operational Delivery 131
Summary 132
Exam Essentials 132
Review Questions 134
Chapter 3 Audit Process 139
Understanding the Audit Program 140
Audit Program Objectives and Scope 141
Audit Program Extent 143
Audit Program Responsibilities 144
Audit Program Resources 144
Audit Program Procedures 145
Audit Program Implementation 146
Audit Program Records 146
Audit Program Monitoring and Review 147
Planning Individual Audits 148
Establishing and Approving an Audit Charter 151
Role of the Audit Committee 151
Preplanning Specific Audits 153
Understanding the Variety of Audits 154
Identifying Restrictions on Scope 156
Gathering Detailed Audit Requirements 158
Using a Systematic Approach to Planning 159
Comparing Traditional Audits to Assessments and Self-Assessments 161
Performing an Audit Risk Assessment 162
Determining Whether an Audit Is Possible 163
Identifying the Risk Management Strategy 165
Determining Feasibility of Audit 167
Performing the Audit 167
Selecting the Audit Team 167
Determining Competence and Evaluating Auditors 168
Ensuring Audit Quality Control 170
Establishing Contact with the Auditee 171
Making Initial Contact with the Auditee 172
Using Data Collection Techniques 174
Conducting Document Review 176
Understanding the Hierarchy of Internal Controls 177
Reviewing Existing Controls 179
Preparing the Audit Plan 182
Assigning Work to the Audit Team 183
Preparing Working Documents 184
Conducting Onsite Audit Activities 185
Gathering Audit Evidence 186
Using Evidence to Prove a Point 186
Understanding Types of Evidence 187
Selecting Audit Samples 187
Recognizing Typical Evidence for IS Audits 188
Using Computer-Assisted Audit Tools 189
Understanding Electronic Discovery 191
Grading of Evidence 193
Timing of Evidence 195
Following the Evidence Life Cycle 195
Conducting Audit Evidence Testing 198
Compliance Testing 198
Substantive Testing 199
Tolerable Error Rate 200
Recording Test Results 200
Generating Audit Findings 201
Detecting Irregularities and Illegal Acts 201
Indicators of Illegal or Irregular Activity 202
Responding to Irregular or Illegal Activity 202
Findings Outside of Audit Scope 203
Report Findings 203
Approving and Distributing the Audit Report 205
Identifying Omitted Procedures 205
Conducting Follow-up (Closing Meeting) 205
Summary 206
Exam Essentials 207
Review Questions 210
Chapter 4 Networking Technology Basics 215
Understanding the Differences in Computer Architecture 217
Selecting the Best System 221
Identifying Various Operating Systems 221
Determining the Best Computer Class 224
Comparing Computer Capabilities 227
Ensuring System Control 228
Dealing with Data Storage 230
Using Interfaces and Ports 235
Introducing the Open Systems Interconnection Model 237
Layer 1: Physical Layer 240
Layer 2: Data-Link Layer 240
Layer 3: Network Layer 242
Layer 4: Transport Layer 248
Layer 5: Session Layer 249
Layer 6: Presentation Layer 250
Layer 7: Application Layer 250
Understanding How Computers Communicate 251
Understanding Physical Network Design 252
Understanding Network Cable Topologies 253
Bus Topologies 254
Star Topologies 254
Ring Topologies 255
Meshed Networks 256
Differentiating Network Cable Types 258
Coaxial Cable 258
Unshielded Twisted-Pair (UTP) Cable 259
Fiber-Optic Cable 260
Connecting Network Devices 260
Using Network Services 263
Domain Name System 263
Dynamic Host Configuration Protocol 265
Expanding the Network 266
Using Telephone Circuits 268
Network Firewalls 271
Remote VPN Access 276
Using Wireless Access Solutions 280
Firewall Protection for Wireless Networks 284
Remote Dial-Up Access 284
WLAN Transmission Security 284
Achieving 802.11i RSN Wireless Security 287
Intrusion Detection Systems 288
Summarizing the Various Area Networks 291
Using Software as a Service (SaaS) 292
Advantages 292
Disadvantages 293
Cloud Computing 294
The Basics of Managing the Network 295
Automated LAN Cable Tester 295
Protocol Analyzers 295
Remote Monitoring Protocol Version 2 297
Summary 298
Exam Essentials 298
Review Questions 301
Chapter 5 Information Systems Life Cycle 307
Governance in Software Development 308
Management of Software Quality 310
Capability Maturity Model 310
International Organization for Standardization 312
Typical Commercial Records Classification Method 316
Overview of the Executive Steering Committee 317
Identifying Critical Success Factors 318
Using the Scenario Approach 318
Aligning Software to Business Needs 319
Change Management 323
Management of the Software Project 323
Choosing an Approach 323
Using Traditional Project Management 324
Overview of the System Development Life Cycle 327
Phase 1: Feasibility Study 331
Phase 2: Requirements Definition 334
Phase 3: System Design 339
Phase 4: Development 343
Phase 5: Implementation 354
Phase 6: Postimplementation 361
Phase 7: Disposal 363
Overview of Data Architecture 364
Databases 364
Database Transaction Integrity 368
Decision Support Systems 369
Presenting Decision Support Data 370
Using Artificial Intelligence 370
Program Architecture 371
Centralization vs. Decentralization 372
Electronic Commerce 372
Summary 374
Exam Essentials 374
Review Questions 376
Chapter 6 System Implementation and Operations 381
Understanding the Nature of IT Services 383
Performing IT Operations Management 385
Meeting IT Functional Objectives 385
Using the IT Infrastructure Library 387
Supporting IT Goals 389
Understanding Personnel Roles and Responsibilities 389
Using Metrics 394
Evaluating the Help Desk 396
Performing Service-Level Management 397
Outsourcing IT Functions 398
Performing Capacity Management 399
Using Administrative Protection 400
Information Security Management 401
IT Security Governance 401
Authority Roles over Data 402
Data Retention Requirements 403
Document Physical Access Paths 404
Personnel Management 405
Physical Asset Management 406
Compensating Controls 408
Performing Problem Management 409
Incident Handling 410
Digital Forensics 412
Monitoring the Status of Controls 414
System Monitoring 415
Document Logical Access Paths 416
System Access Controls 417
Data File Controls 420
Application Processing Controls 421
Log Management 423
Antivirus Software 424
Active Content and Mobile Software Code 424
Maintenance Controls 427
Implementing Physical Protection 430
Data Processing Locations 432
Environmental Controls 432
Safe Media Storage 440
Summary 442
Exam Essentials 442
Review Questions 444
Chapter 7 Protecting Information Assets 449
Understanding the Threat 450
Recognizing Types of Threats and Computer Crimes 452
Identifying the Perpetrators 454
Understanding Attack Methods 458
Implementing Administrative Protection 469
Using Technical Protection 472
Technical Control Classification 472
Application Software Controls 474
Authentication Methods 475
Network Access Protection 488
Encryption Methods 489
Public-Key Infrastructure 496
Network Security Protocols 502
Telephone Security 507
Technical Security Testing 507
Summary 509
Exam Essentials 509
Review Questions 511
Chapter 8 Business Continuity and Disaster Recovery 517
Debunking the Myths 518
Myth 1: Facility Matters 519
Myth 2: IT Systems Matter 519
From Myth to Reality 519
Understanding the Five Conflicting Disciplines Called Business Continuity 520
Defining Disaster Recovery 521
Surviving Financial Challenges 522
Valuing Brand Names 522
Rebuilding after a Disaster 523
Defining the Purpose of Business Continuity 524
Uniting Other Plans with Business Continuity 527
Identifying Business Continuity Practices 527
Identifying the Management Approach 529
Following a Program Management Approach 531
Understanding the Five Phases of a Business Continuity Program 532
Phase 1: Setting Up the BC Program 532
Phase 2: The Discovery Process 535
Phase 4: Plan Implementation 560
Phase 5: Maintenance and Integration 562
Understanding the Auditor's Interests in BC/DR Plans 563
Summary 564
Exam Essentials 564
Review Questions 566
Appendix Answers to Review Questions 571
Index 591