Certified Information Systems Auditor (CISA) Cert Guide - Michael Gregg, Robert Johnson

Media combination
576 pages
2017
Pearson IT Certification
978-0-7897-5844-6 (ISBN)
59,95 incl. VAT

Learn, prepare, and practice for CISA exam success with this Cert Guide from Pearson IT Certification, a leader in IT certification learning.

Master CISA exam topics
Assess your knowledge with chapter-ending quizzes
Review key concepts with exam preparation tasks
Practice with realistic exam questions

Certified Information Systems Auditor (CISA) Cert Guide is a best-of-breed exam study guide. World-renowned enterprise IT security leaders Michael Gregg and Rob Johnson share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

The book presents you with an organized test preparation routine through the use of proven series elements and techniques. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly. Review questions help you assess your knowledge, and a final preparation chapter guides you through tools and resources to help you craft your final study plan.

The companion website contains the powerful Pearson Test Prep practice test software, complete with hundreds of exam-realistic questions. The assessment software offers you a wealth of customization options and reporting features, laying out a complete assessment of your knowledge to help you focus your study where it is needed most.

Well regarded for its level of detail, assessment features, and challenging review questions and exercises, this study guide helps you master the concepts and techniques that will allow you to succeed on the exam the first time.

The study guide helps you master all the topics on the CISA exam, including:

Essential information systems audit techniques, skills, and standards
IT governance, management/control frameworks, and process optimization
Maintaining critical services: business continuity and disaster recovery
Acquiring information systems: build-or-buy, project management, and development methodologies
Auditing and understanding system controls
System maintenance and service management, including frameworks and networking infrastructure
Asset protection via layered administrative, physical, and technical controls
Insider and outsider asset threats: response and management

Companion Website
The website contains two free, complete practice exams.
Includes Exclusive Offer for up to 70% Off video training and Premium Edition eBook and Practice Test

Pearson Test Prep online system requirements:
Browsers: Chrome version 40 and above; Firefox version 35 and above; Safari version 7; Internet Explorer 10, 11; Microsoft Edge; Opera.
Devices: Desktop and laptop computers, tablets running on Android and iOS, smartphones with a minimum screen size of 4.7".
Internet access required.

Pearson Test Prep offline system requirements:
Windows 10, Windows 8.1, or Windows 7; Microsoft .NET Framework 4.5 Client; Pentium-class 1 GHz processor (or equivalent); 512 MB RAM; 650 MB disk space plus 50 MB for each downloaded practice exam; access to the Internet to register and download exam databases

Michael Gregg (CISSP, SSCP, CISA, MCSE, MCT, CTT+, A+, N+, Security+, CCNA, CASP, CISA, CISM, CEH, CHFI, and GSEC) works for a Houston, Texas–based IT security consulting firm. Michael is responsible for working with organizations to develop cost-effective and innovative technology solutions to security issues and for evaluating the security of emerging technologies. He has more than 20 years of experience in the IT field and holds two associate’s degrees, a bachelor’s degree, and a master’s degree. In addition to co-authoring the first, second, and third editions of Security Administrator Street Smarts, Michael has written or co-authored 15 other books, including The Network Security Test Lab: A Step-by-Step Guide (Wiley, 2015); CompTIA Security+ Rapid Review (Microsoft, 2013); Certified Ethical Hacker Cert Guide (Pearson, 2017); and CISSP Exam Cram (Que, 2016). Michael has been quoted in newspapers such as the New York Times and featured on various television and radio shows, including NPR, ABC, CBS, Fox News, CNN, and others, discussing cybersecurity and ethical hacking. He has created more than a dozen IT security training classes, and he has created and performed video instruction on many security topics, such as cybersecurity, CISSP, CASP, Security+, and others. When not consulting, teaching, or writing, Michael enjoys 1960s muscle cars and has a slot in his garage for a new project car.

Rob Johnson (CISSP, CISA, CISM, CGEIT, and CRISC) is experienced in information risk, IT audit, privacy, and security management. He has a diverse background that includes hands-on operational experience as well as providing strategic risk assessment and support to leadership and board-level audiences. Rob currently serves as a senior vice president and technology executive with global teams and responsibilities at Bank of America. He has held various technology and executive positions throughout his career, including chief information security officer for a global insurance company, head of IT audit for a major domestic bank, chief information security officer for a large midwestern bank, chief cybersecurity architect and product owner for a major software house where he led deployments across 15 countries, and senior partner at a consulting firm. Rob is well known across a number of industry groups. He is a published author and frequent speaker at conferences. Rob has served on a number of ISACA global committees, including as chair of the ISACA Education Committee and as a member of the ISACA Assurance Committee. In addition, Rob was one of the 12 members of the prestigious ISACA COBIT 5 Task Force, which led to the creation of the COBIT 5 global standard. Rob holds a Bachelor of Science degree in Interdisciplinary Studies from the University of Houston. He lives a quiet life, where he enjoys his children, watches his amazing son Donald win chess tournaments, and spends time with his wonderful wife, Lin.

Introduction xxiii
Chapter 1 The CISA Certification 3
Exam Intent 3
Why the CISA Certification Is So Important 4
CISA: The Gold Standard 5
Exam Requirements 6
CISA Exam Windows 6
Scheduling to Take the Exam 7
Deadline to Apply for the CISA Certification 7
ISACA Agreements 9
CISA Exam Domains 10
Question Format and Grading 13
Exam Grading 13
Exam Questions 14
Getting Exam Results and Retests 15
Maintaining CISA Certification 16
Reporting CPE Hours Earned 16
Earning CPE Hours 17
Top 10 Tips and Tricks 18
Chapter Summary 19
Define Key Terms 20
Suggested Readings and Resources 20
Chapter 2 The Information Systems Audit 23
“Do I Know This Already?” Quiz 23
Foundation Topics 27
Skills and Knowledge Required to Be an IS Auditor 27
Work-Related Skills 27
Knowledge of Ethical Standards 28
ISACA Standards, Procedures, Guidelines, and Baselines 31
Knowledge of Regulatory Standards 35
Guidance Documents 36
Auditing Compliance with Regulatory Standards 38
Knowledge of Business Processes 38
Types of Audits 39
Risk Assessment Concepts 40
Risk Management 43
Auditing and the Use of Internal Controls 45
The Auditing Life Cycle 47
Audit Methodology 47
The Auditing Life Cycle Steps 48
Chain of Custody and Evidence Handling 49
Automated Work Papers 50
CAATs 51
Audit Closing 52
Report Writing 53
The Control Self-Assessment Process 54
Continuous Monitoring 55
Quality Assurance 56
The Challenges of Audits 57
Communicating Results 57
Negotiation and the Art of Handling Conflicts 58
Chapter Summary 59
Exam Preparation Tasks 60
Review All the Key Topics 60
Complete Tables from Memory 61
Define Key Terms 61
Exercises 61
2.1 Network Inventory 61
Review Questions 64
Suggested Readings and Resources 68
Chapter 3 The Role of IT Governance 71
“Do I Know This Already?” Quiz 71
Foundation Topics 75
The IT Steering Committee 75
Corporate Structure 77
IT Governance Frameworks 77
COBIT 78
ITIL 78
COBIT Versus ITIL 79
Enterprise Risk Management 80
The Risk Management Team 81
Asset Identification 82
Threat Identification 82
Quantitative Risk Assessment 84
Qualitative Risk Assessment 86
The Three Lines of Defense Model 87
Policy Development 90
Policy 91
Policy, Standards, Procedures, and Baselines 92
Auditing Policies, Standards, Procedures, and Baselines 93
Data Classification 96
Security Policy 98
Management Practices of Employees 100
Forced Vacations, Rotation of Assignments, and Dual Control 102
Separation Events 102
Roles and Responsibilities 103
Segregation of Duties (SoD) 105
Compensating Controls 106
Key Employee Controls 106
Performance Management 107
Key Performance Terms 108
Management and Control Frameworks 110
Enterprise Architecture 111
Change Management 113
Quality Management 113
Maturity Models 116
Implementing a Maturity Model 118
Management’s Role in Compliance 119
Process Optimization Techniques 121
Taguchi 122
PDCA 123
Taguchi Versus PDCA 124
Management of IT Suppliers 125
Third-Party Outsourcing 125
Third-Party Audits 126
Contract Management 127
Performance Monitoring 128
Relationship Management 129
Chapter Summary 130
Exam Preparation Tasks 130
Review All the Key Topics 130
Complete Tables from Memory 131
Key Terms 131
Exercises 132
3.1 Determining the steps for quantitative risk assessment 132
Review Questions 133
Suggested Readings and Resources 135
Chapter 4 Maintaining Critical Services 137
“Do I Know This Already?” Quiz 137
Foundation Topics 140
Threats to Business Operations 140
The Business Continuity Planning (BCP) Process 142
Project Management and Initiation 143
Business Impact Analysis 144
Criticality Analysis 147
Development and Recovery Strategy 149
Final Plan Design and Implementation 151
Training and Awareness 152
Implementation and Testing 153
Paper Tests 155
Preparedness Tests 155
Full Operation Tests 156
Monitoring and Maintenance 156
Understanding BCP Metrics 157
Recovery Strategies 159
Alternate Processing Sites 159
Alternate Processing Options 160
Hardware Recovery 163
Redundant Array of Independent Disks 164
Software and Data Recovery 165
Backup and Restoration 167
Telecommunications Recovery 169
Verification of Disaster Recovery and Business Continuity Process Tasks 170
The Disaster Life Cycle 172
Chapter Summary 174
Exam Preparation Tasks 174
Review All the Key Topics 175
Define Key Terms 175
Exercises 175
4.1 Business Impact and Risk 175
Review Questions 177
Suggested Readings and Resources 179
Chapter 5 Information Systems Acquisition and Development 181
“Do I Know This Already?” Quiz 181
Foundation Topics 185
IT Acquisition and Project Management 185
IT Acquisition 185
Software Escrow Agreements 185
Software Licensing 185
Project Management 187
Roles, Responsibility, and Structure of Project Management 188
Project Culture and Objectives 189
Making the Business Case for Investment 190
Return on Investment 191
Project Management Activities and Practices 192
Project Initiation 193
Project Planning 193
Project Control and Execution 199
Project Closing 199
Business Application Development 200
Systems-Development Methodology 200
Phase 1: Initiation phase 202
Phase 2: Development 204
Phase 3: Implementation 208
Phase 4: Operation and Maintenance 210
Phase 5: Disposal 211
Tools and Methods for Software Development 212
Information Systems Maintenance 213
Outsourcing and Alternative System Development 214
Cloud Computing 216
Cloud Threats 218
Application-Development Approaches 219
N-tier 220
Virtualization 221
Chapter Summary 222
Exam Preparation Tasks 223
Review All the Key Topics 223
Complete Tables from Memory 223
Define Key Terms 224
Exercises 224
5.1 Project Management 224
5.2 Project Management 225
Review Questions 226
Suggested Readings and Resources 229
Chapter 6 Auditing and Understanding System Controls 231
“Do I Know This Already?” Quiz 231
Foundation Topics 235
Audit Universe and Application Auditing 235
Programmed and Manual Application Controls 236
Business Process Controls 237
Input Controls 237
Processing Controls 239
Data File Controls 241
Output Controls 242
Auditing Application Controls 243
Understanding the Application 243
Observation and Testing 244
Data Integrity Controls 245
Application System Testing 246
Continuous Online Auditing 247
Auditing Systems Development, Acquisition, and Maintenance 249
Project Management 250
Business Application Systems 252
E-commerce 253
Electronic Data Interchange 254
Email 255
Business Intelligence 256
Decision Support Systems 257
Artificial Intelligence and Expert Systems 258
Customer Relationship Management 258
Supply Chain Management 259
Social Media 260
Chapter Summary 260
Exam Preparation Tasks 261
Review All the Key Topics 261
Define Key Terms 262
Exercises 262
6-1 Software Application Audit 262
Review Questions 263
Suggested Readings and Resources 266
Chapter 7 Systems Maintenance and Service Management 269
“Do I Know This Already?” Quiz 269
Foundation Topics 273
Service Management Frameworks 273
COBIT 273
FitSM 274
ISO 20000 274
eTOM 275
Fundamental Technologies 275
Operating Systems 275
Secondary Storage 277
Utility Software 277
Database-Management Systems 278
Database Structure 279
Software Licensing Issues 282
Digital Rights Management 283
Network Infrastructure 283
Network Types 284
Network Standards and Protocols 285
The OSI Reference Model 286
The Application Layer 287
The Presentation Layer 287
The Session Layer 288
The Transport Layer 288
The Network Layer 288
The Data Link Layer 289
The Physical Layer 289
Network Services and Applications 290
Comparing the OSI Model to the TCP/IP Model 292
The Network Access Layer 292
The Internet Layer 293
The Host-to-Host/Transport Layer 295
The Application Layer 296
Network Services 297
Wireless Technologies 298
Bluetooth 298
802.11 Wireless 299
Smartphones, Tablets, and Hotspots 302
Network Equipment 303
Edge Devices 306
DMZ 306
Firewalls 306
Firewall Configuration 308
IDS/IPS 310
Wide Area Networks 312
Packet Switching 312
Circuit Switching 313
Capacity Planning and Systems Performance Monitoring 314
Network Analyzers 316
System Utilization and Load Balancing 317
Third Parties and Cloud Providers 318
Network Design 318
Network Cabling 320
Chapter Summary 323
Exam Preparation Tasks 324
Review All the Key Topics 324
Define Key Terms 324
Exercises 325
7.1 Organizing Network Components 325
Review Questions 328
Suggested Readings and Resources 331
Chapter 8 Protection of Assets 333
“Do I Know This Already?” Quiz 333
Foundation Topics 336
Access Control 336
Identification and Authentication (I&A) 336
Authentication by Knowledge 336
Authentication by Ownership 338
Authentication by Characteristic 338
Single Sign-on 340
Federation 343
Remote Access 345
RADIUS 345
Diameter 346
TACACS 346
Additional Remote Access Options 346
SSH 347
VPNs 348
Physical and Environmental Access Controls 349
Fences, Gates, and Bollards 349
Other Physical and Environmental Controls 351
Using Guards to Restrict Access 352
Locks 353
Lighting 354
CCTV 355
Heating, Ventilation, and Air Conditioning (HVAC) 356
Security Controls for Hardware and Software 356
Securing Voice Communications 356
Encryption’s Role as a Security Control 357
Private Key Encryption 359
Data Encryption Standard (DES) 361
Advanced Encryption Standard (AES) 362
Public Key Encryption 362
RSA Encryption 363
Elliptic Curve Cryptography (ECC) 363
Quantum Cryptography 364
Hashing and Digital Signatures 364
Public Key Infrastructure (PKI) 365
Using Cryptography to Secure Assets 367
Internet Security Protocols 368
Protection of Information Assets 369
Information Life Cycle 369
Access Restriction 370
Laws Related to the Protection of Information 370
Maintaining Compliance 371
Protection of Privacy 372
Using Data Classification to Secure Critical Resources 373
Data Leakage and Attacks 374
Attacks Against Encryption 374
Threats from Unsecured Devices 375
Threats from Improper Destruction 378
Threats to the Infrastructure 378
Chapter Summary 380
Exam Preparation Tasks 381
Review All the Key Topics 381
Complete Tables from Memory 382
Define Key Terms 382
Review Questions 382
Suggested Reading and Resources 384
Chapter 9 Asset Threats, Response, and Management 387
“Do I Know This Already?” Quiz 387
Foundation Topics 391
Security Controls 391
Technical Controls 391
Cloud Computing 391
Operating Systems 391
Databases 393
Virtualization 395
Administrative Controls 396
Attack Methods and Techniques 399
Social Engineering and Nontechnical Attacks 399
Sniffing 400
Man-in-the-Middle Attacks and Hijacking 401
Denial of Service 402
Botnets 403
Malware 404
Wireless and Bluetooth 405
SQL Injection 408
Buffer Overflow 409
XSS and XSRF 411
Logic Bombs, Rounding Down, and Asynchronous Attacks 411
Integer Overflow 412
Password Attacks 412
Prevention and Detection Tools and Techniques 414
Audit and Log Review 414
Security Testing Techniques 415
Vulnerability Scanning 416
Penetration Testing 416
Problem and Incident Management Practices 418
Tracking Change 418
Fraud Risk Factors 419
Insiders 419
Outsiders 419
Incident Response 420
Emergency Incident Response Team 422
Incident Response Process 422
Incident Response and Results 424
Forensic Investigation 425
Forensics Steps 426
Other Forensic Types 427
Computer Crime Jurisdiction 429
Chapter Summary 430
Exam Preparation Tasks 430
Review All the Key Topics 430
Complete Tables from Memory 431
Define Key Terms 431
Review Questions 431
Suggested Reading and Resources 433
Chapter 10 Final Preparation 437
Tools for Final Preparation 437
Pearson Test Prep Practice Test Software and Questions on the Website 437
Accessing the Pearson Test Prep Software Online 438
Accessing the Pearson Test Prep Software Offline 438
Customizing Your Exams 439
Updating Your Exams 440
Premium Edition 440
Memory Tables 441
Chapter-Ending Review Tools 441
Suggested Plan for Final Review/Study 441
Summary 442
Glossary 445
Appendix A Answers to the “Do I Know This Already?” Quizzes and Review Questions 467

Online Elements:
Appendix B Memory Tables
Appendix C Memory Tables Answer Key
9780789758446, TOC, 10/4/2017

Publication date (per publisher) 30.11.2017
Series Certification Guide
Place of publication Upper Saddle River
Language English
Dimensions 195 x 240 mm
Weight 1163 g
Subject area Computer science / Other topics / Certification
ISBN-10 0-7897-5844-X / 078975844X
ISBN-13 978-0-7897-5844-6 / 9780789758446
Condition New