
Welcome to the 2003 CISA Exam Revision Course

Introductions & Ice-Breaker


Your facilitators for this course are Philip Culleton and Austin Dunn.

CISA Review Course

UNIT 1 Course Overview

Course Objectives
To:
- Briefly recap some of the key information needed
- Help you to draw on your underlying experience
- Practice your exam technique
- Be highly interactive and hopefully just a bit FUN !!!!

Format For Each Chapter


- Start with an overview diagram of each chapter
- Followed by a recap of key points/sections within that chapter
- Finishing each chapter with CISA questions to reinforce the points recapped
- There will be a few activities
- Questions are welcome at any time.

Course Structure - Day 1


- Unit 1 - Course overview
- Unit 2 - CISA overview
- Unit 3 - Chapter 1 recap
- Unit 4 - CISA chapter 1 questions
- Unit 5 - Chapter 2 recap
- Unit 6 - CISA chapter 2 questions
- Unit 7 - CISA team crossword...
- Unit 8 - Chapter 3 recap (part 1)
- Unit 9 - Chapter 3 recap (part 2)
- Unit 10 - Technology Pictionary...
- Unit 11 - Chapter 3 recap (part 3)
- Unit 12 - CISA chapter 3 questions
- Unit 13 - End of day mini CISA test

Course Structure - Day 2


- Unit 14 - Chapter 4 recap
- Unit 15 - CISA Chapter 4 questions
- Unit 16 - Chapter 5 recap
- Unit 17 - CISA Chapter 5 questions
- Unit 18 - Chapter 6 recap
- Unit 19 - Chapter 6 questions
- Unit 20 - Group Quiz - Jeopardy
- Unit 21 - Chapter 7 recap
- Unit 22 - CISA Chapter 7 questions
- Unit 23 - End of day mini CISA test

Course Structure - Day 3


- Unit 24 - Timed mock exam
- Unit 25 - Marking and review
- Unit 26 - Team Quiz
- Unit 27 - General Q & A...
- Unit 28 - Exam arrangements for Saturday

Course Structure - Day 4 & 5


Self Study
Self study days to be used as deemed fit. But it is suggested that you:
- Concentrate on your weaker areas
- Practice some more exam questions/technique.

CISA Review Course

UNIT 2 CISA Overview

The CISA Qualification


To obtain the CISA qualification you need to:
- Adhere to the ISACA code of ethics
- Submit evidence of 5 years of professional work experience (a degree can be substituted for two years, or a year's non-audit IS experience for one year)
- Pass the CISA exam.

Please follow the review manual during the course.

Page 461

CISA Exam Format


The exam format is:
- 4 hours in length (can leave early)
- 200 questions
- All multiple choice
- Single stem, 4 options
- Can be based on scenario, description, flowcharts, other diagrams or tables.

Page 462

Marking/Passing The Exam.


After completing the exam:
- It will be computer marked
- The raw score out of 200 will be algebraically converted to a score between 25 and 100
- An individual scoring 75 (scaled score) or above will have passed.

This process takes 10 weeks (including notification by post), and remarking can be requested.

Page 464

Key Knowledge Needed


Key information which you must know is:
- The technical content of the 7 chapters
- The glossary of CISA terms
- The standard CISA acronyms.

All of the above are contained within your CISA review manual, which should be thought of as a set of checklists.

Page 462

The Seven CISA Chapters

Chapter 1 - The IS Audit Process (10%, 20 questions)
- professional standards
- code of professional ethics
- other laws and regulations
- performing an IS audit

Chapter 2 - Management Planning and Organization of IS (11%, 22 questions)
- strategies to achieve business objectives
- policies and procedures
- IS management practices
- organisational structures

Chapter 3 - Technical Infrastructure and Operational Practices (13%, 26 questions)
- hardware platforms
- software platforms
- telecommunications
- operations

Chapter 4 - Protection of Information Assets (25%, 50 questions)
- logical access controls
- physical access controls
- environment controls

Chapter 5 - Disaster Recovery and Business Continuity (10%, 20 questions)
- backup and recovery
- disaster recovery
- business continuity

Chapter 6 - Business Application System Development, Acquisition, Implementation and Maintenance (16%, 32 questions)
- SDLC
- alternative methodologies
- IS maintenance practices
- project management

Chapter 7 - Business Process Evaluation and Risk Management (15%, 30 questions)
- IT governance
- application controls
- business applications

CISA Review Course

UNIT 3 Chapter 1 Recap


Chapter 1 Overview - The IS Audit Process

Performing An IS Audit:
- Risk Analysis
- Controls
- Audit Program Development
- Audit Resource Scheduling
- Evidence Gathering Techniques
- Evaluation of Evidence
- Audit Reports
- Management Actions
- Continuous Audit
- Control Self Assessment

ISACA General Standards For Auditing:
- ISACA Professional Standards
- ISACA Statements
- ISACA Code Of Professional Ethics

Other Laws And Regulations (general understanding only):
- Regulatory requirements
- Government requirements
- Management's process

COBIT Control Objectives (overview only):
- Framework
- Control Objectives

ISACA
- Standards for Information Systems Auditing
- Information Systems Auditing Guidelines
- Code of Professional Ethics
- Standards for Information Systems Control Professionals
- Statements on Information Systems Auditing Standards (now replaced by the IS Auditing Guidelines)

Standards for Information Systems Auditing

- 010 Audit Charter - responsibilities, authority and accountability
- 020 Independence - professional and organisational
- 030 Professional Ethics and Standards - code of professional ethics, due professional care
- 040 Competence - skills and knowledge, continuing professional education
- 050 Audit Planning
- 060 Performance of Audit Work - supervision and evidence
- 070 Reporting
- 080 Follow-up Activities

IS Auditing Guidelines
- Audit charter
- Audit documentation
- Audit considerations for irregularities
- Audit evidence requirements
- Audit sampling
- Corporate governance of information systems
- Due professional care
- Effect of involvement in the development, acquisition, implementation or maintenance process on the IS auditor's independence
- Effect of pervasive IS controls
- Materiality concepts for auditing information systems
- Organisational relationship and independence
- Outsourcing of IS activities to other organisations
- Planning the IS audit
- Report content and form
- Use of CAATs
- Use of risk assessment in audit planning
- Using the work of other auditors and experts.

ISACA Code Of Professional Ethics


- Support establishment of/compliance with standards and procedures
- Comply with ISACA auditing standards
- Serve all major stakeholders in a loyal and honest manner
- Maintain confidentiality
- Be independent and objective
- Maintain competency
- Use due care
- Inform appropriate parties of the results of the work
- Support the education of management, clients and the general public
- Maintain high standards of conduct and character.

Audit program phases


- Set the audit subject and objective
- Set the audit scope
- Pre-audit planning
- Audit procedures and steps for data gathering
- Decide how the results will be evaluated
- Prepare to communicate to management
- Prepare the audit report.

Risk-based audit approach


- Gather information and plan
- Understand the internal controls
- Perform compliance tests
- Perform substantive tests
- Conclude the audit.

So what is audit risk?


Inherent risk
The risk of a material misstatement in the absence of related controls

Control risk
The risk of a material error which will not be prevented or detected by controls

Detection risk
The risk that an IS auditor uses inadequate procedures and concludes that no material errors exist when in fact they do

Overall audit risk
The combination of the above for each control objective.

Watch out for these...


- Distinguish between compliance and substantive testing
- Type of audit - financial, operational or comprehensive
- Rules of evidence: independence and qualifications of the provider of evidence; objectivity of the evidence (also quality and quantity)

Audit Resource Management


- Understand the capabilities and qualifications of individuals
- Deal with common resource constraints
- Use project management techniques to manage resources: develop a detailed resource schedule/plan; track actual against plan; take corrective action as appropriate
- Consider training and on-going education

Evidence Gathering Techniques


- Review of organisational structure
- Review of systems and IS procedures documentation
- Interviewing
- Observation
- Sampling, specifically: statistical vs. non-statistical (judgemental); attribute vs. variable; key terminology - confidence coefficient, precision, expected error rate, sample mean, sample standard deviation and population standard deviation
- Use of CAATs, including: test data generators, expert systems, system utilities, integrated test facilities, specialised audit software (ACL), SCARF
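The sampling terminology above (statistical vs. judgemental selection, attribute vs. variable sampling, confidence coefficient, precision, expected error rate, sample and population standard deviation) is easier to hold on to with numbers in front of you. The Python below is an added example written for this recap; it is not part of the course or of the ISACA review manual. The Z values for the confidence coefficients, the normal-approximation sample size formula, the mean-per-unit projection and the invoice population are all assumptions chosen for illustration.

```python
from __future__ import annotations

import math
import random
from statistics import mean, pstdev, stdev

# Z values for the usual confidence coefficients (two-sided normal approximation).
# These are the standard table values; the choice of coefficients is an assumption.
Z_FOR_CONFIDENCE = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def statistical_selection(population: list, sample_size: int, seed: int = 0) -> list:
    """Statistical sampling: every item has a known chance of selection.
    A fixed seed makes the selection reproducible for the working papers."""
    return random.Random(seed).sample(population, sample_size)


def judgemental_selection(population: list, is_interesting) -> list:
    """Non-statistical (judgemental) sampling: the auditor picks items by a
    criterion, e.g. all high-value invoices. The result cannot be projected
    statistically onto the population."""
    return [item for item in population if is_interesting(item)]


def attribute_sample_size(confidence: float, precision: float, expected_error_rate: float) -> int:
    """Sample size for an attribute (compliance) sample using the normal
    approximation n = Z^2 * p(1-p) / precision^2 (assumes a large population)."""
    z = Z_FOR_CONFIDENCE[confidence]
    p = expected_error_rate
    return math.ceil(z * z * p * (1 - p) / (precision * precision))


def attribute_evaluate(sample_size: int, errors_found: int, confidence: float,
                       tolerable_error_rate: float) -> dict:
    """Evaluate an attribute sample: the sample error rate plus its upper limit at
    the chosen confidence level. The control is relied upon only if that upper
    limit stays within the tolerable error rate."""
    rate = errors_found / sample_size
    z = Z_FOR_CONFIDENCE[confidence]
    upper = rate + z * math.sqrt(rate * (1 - rate) / sample_size)
    return {"error_rate": rate, "upper_error_limit": upper,
            "control_relied_upon": upper <= tolerable_error_rate}


def variable_estimate(sample_values: list[float], population_size: int) -> dict:
    """Variable (substantive) sampling with mean-per-unit estimation. Shows the
    terminology: sample mean, sample standard deviation (n-1 divisor) and
    population standard deviation (n divisor)."""
    m = mean(sample_values)
    return {"sample_mean": m,
            "sample_std": stdev(sample_values),
            "population_std": pstdev(sample_values),
            "projected_total": m * population_size}


if __name__ == "__main__":
    # Constructed invoice population for illustration only.
    invoices = [{"id": i, "value": 100 * (i % 7 + 1)} for i in range(1, 51)]
    print(statistical_selection(invoices, 5))
    print(judgemental_selection(invoices, lambda inv: inv["value"] >= 600))
    print(attribute_sample_size(0.95, 0.05, 0.02))
    print(attribute_evaluate(100, 2, 0.95, 0.05))
    print(variable_estimate([100, 200, 300, 400], 1000))
```

For the same data the sample standard deviation (n - 1 divisor) is always larger than the population standard deviation (n divisor), which is why the exam keeps the two terms apart; and a judgemental selection, however sensible, cannot be projected onto the population the way the variable estimate is.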

Evaluation Of Evidence
Factors to consider:
- compensating and overlapping controls
- interrelationship (i.e. dependency) of controls
- sufficient, reliable and relevant
- impact of any weaknesses (including materiality)

Continuous Audit Approaches


- Defined as monitoring of controls on an on-going basis
- Significant use of technology to achieve this
- Five key types of continuous techniques: Embedded Audit Modules (EAM) and Systems Control Audit Review File (SCARF); Snapshots; Audit hooks; Integrated Test Facilities (ITF); Continuous and Intermittent Simulation (CIS).
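To make the continuous audit techniques concrete, the Python below sketches four of the five inside a small posting routine: an embedded audit module writing to a SCARF file, snapshots of tagged transactions, an audit hook, and an integrated test facility entity (CIS is not shown). It is an added example for this recap, not code from the course or from any real application; the SCARF selection criteria, the ITF account name and the transaction batch are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Txn:
    txn_id: str
    account: str
    amount: float
    posted_at: datetime
    snapshot: bool = False   # tagged by the auditor for the snapshot technique


@dataclass
class AuditFacilities:
    """State the embedded audit module writes to (names are assumptions for this example)."""
    scarf: list = field(default_factory=list)        # SCARF file: txns meeting selection criteria
    snapshots: list = field(default_factory=list)    # before/after images of tagged txns
    hook_alerts: list = field(default_factory=list)  # alerts raised by audit hooks
    itf_entity: str = "ITF-AUDIT-0001"               # fictitious entity for the integrated test facility


SCARF_AMOUNT_LIMIT = 10_000.0   # selection threshold chosen for this example


def scarf_criteria(t: Txn) -> list[str]:
    """Reasons a transaction is selected for the SCARF file."""
    reasons = []
    if t.amount > SCARF_AMOUNT_LIMIT:
        reasons.append("amount over limit")
    if not 8 <= t.posted_at.hour < 18:
        reasons.append("posted outside business hours")
    return reasons


def post_transactions(txns: list[Txn], balances: dict[str, float], audit: AuditFacilities) -> float:
    """Application posting routine with the embedded audit module (EAM) inlined.
    Returns the production total, i.e. excluding the ITF entity."""
    production_total = 0.0
    postings_per_account: dict[str, int] = {}
    for t in txns:
        before = balances.get(t.account, 0.0)
        after = before + t.amount            # the application's own logic
        balances[t.account] = after

        # ITF: the fictitious entity goes through the live code but stays out of production totals
        if t.account != audit.itf_entity:
            production_total += t.amount

        # EAM / SCARF: copy selected transactions to the audit file for later review
        reasons = scarf_criteria(t)
        if reasons:
            audit.scarf.append((t.txn_id, reasons))

        # Snapshot: capture before and after images of transactions the auditor tagged
        if t.snapshot:
            audit.snapshots.append((t.txn_id, before, after))

        # Audit hook: flag an account that is posted to three times in one run
        postings_per_account[t.account] = postings_per_account.get(t.account, 0) + 1
        if postings_per_account[t.account] == 3:
            audit.hook_alerts.append(f"{t.account}: three postings in a single run")
    return production_total


def demo() -> tuple[float, dict[str, float], AuditFacilities]:
    """Constructed batch of transactions (sample data, not from any real system)."""
    audit = AuditFacilities()
    batch = [
        Txn("T1", "ACC-A", 500.0, datetime(2003, 6, 14, 10, 0)),
        Txn("T2", "ACC-B", 15_000.0, datetime(2003, 6, 14, 10, 30)),
        Txn("T3", "ACC-A", 200.0, datetime(2003, 6, 14, 22, 15), snapshot=True),
        Txn("T4", audit.itf_entity, 999.0, datetime(2003, 6, 14, 11, 0)),
        Txn("T5", "ACC-A", 50.0, datetime(2003, 6, 14, 12, 0)),
        Txn("T6", "ACC-A", 25.0, datetime(2003, 6, 14, 12, 30)),
    ]
    balances: dict[str, float] = {}
    total = post_transactions(batch, balances, audit)
    return total, balances, audit


if __name__ == "__main__":
    total, balances, audit = demo()
    print("production total:", total)
    print("SCARF:", audit.scarf)
    print("snapshots:", audit.snapshots)
    print("hook alerts:", audit.hook_alerts)
```

The point to notice for the exam is where each technique lives: the EAM/SCARF, snapshot and hook code sits inside the application's own processing loop, whereas the ITF is a data-level device (a dummy entity) that the unchanged application simply processes.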

CISA Review Course

UNIT 4 CISA Chapter 1 Questions

CISA Review Course

UNIT 5 Chapter 2 Recap


Chapter 2 Overview - Management Planning and Organization of IS

Information Systems Strategies:
- Strategic Planning
- IS Planning/Steering Committees
- User Pay Schemes

Organisational Structures:
- Management Structures
- Line Management
- Project Management
- Job Descriptions/Charts
- Segregation of Duties
- Compensating Controls
- IPF Duties
- Sources of Evidence

Policies and Procedures / IS Management Practices:
- Training/Cross Training
- Scheduling and Time Reporting
- Employee Handbook
- Assessing Effectiveness of IS
- Quality Standards
- BPR
- Hiring
- Promotion
- Termination
- Job Rotation
- Vacations
- Outsourcing

Strategic IS Planning
Four key activities are:
- Long term organisational planning
- Long term IS planning
- Short term IS planning
- On-going review of IS plans.

Key point is to tie IS objectives to business objectives.

Steering Committees
Key functions include:
- Review of short and long range IS plans
- Review and approval of major hardware and software acquisitions
- Approval and monitoring of major projects
- Review of IS budgets and expenditure
- Review of adequacy of resources
- Decide on centralisation and decentralisation

Written Policies And Procedures


Should:
- Be reviewed and updated regularly
- Cover all the important areas including:
  - Hiring of staff (e.g. background checks)
  - Promotion (e.g. ensure fairness/objectivity)
  - Termination (e.g. immediate vs voluntary)
  - Job rotation (e.g. as a means of fraud prevention)
  - Required vacation (e.g. also as a means of reducing fraud)
  - Employee handbook (e.g. includes emergency procedures, security compliance)
  - Employee performance and evaluations (e.g. agreed goals/objectives)

Outsourcing
There are three key areas to consider:

Advantages
- greater IS expertise
- potential cost savings
- faster implementation of systems

Disadvantages
- increased cost
- loss of control
- vendor failure

Audit/security concerns
- audit rights
- integrity, confidentiality and availability
- loss of control to vendor
- performance management

Management Principles
- People management
- Management of change
- Focus on good processes
- Security
- Handling 3rd parties

Measuring Efficiency/Effectiveness
IS effectiveness and efficiency can be measured by using:
- IS budgets
- User satisfaction surveys
- Industry standards/benchmarking
- Goal accomplishment
- Comparison with ISO 9000 quality standards
- Capability maturity model (p. 76)

Quality Management Standards


There are several areas to understand:

Range of standards
- ISO 9000 - choosing a standard
- ISO 9001 - service companies
- ISO 9002 - production companies
- ISO 9003 - inspection companies
- ISO 9004 - general quality guidelines
- ISO 9126 - quality of end product

Key quality elements
- Management sponsorship/responsibility
- Use of a quality system
- Internal quality audits
- Corrective and preventative action (feedback).

Software Quality Management


ISO 9126 provides six guidelines for evaluating the quality of software:
- Functionality
- Reliability
- Usability
- Efficiency
- Maintainability
- Portability.

Organisational Structure Points 1


Typical CISA data processing management consists of:
- IS director
- Systems Development Manager
- End-User Support Manager
- Data management
- Database administrator
- Technical Support Manager
- Security Administrator
- Quality Assurance Manager
- Operations Manager
- Network Manager/Administrator

Should segregate/separate key classes of duties:
- Transaction authorisation
- Reconciliation/review
- Custody of assets.

Organisational Structure Points 2


Key CISA functional areas found in IS environments:
- Data entry
- Data librarian
- The control group
- Operations
- Security administration
- Quality assurance
- Database administration
- Systems analysis
- Application programming
- Systems programming
- LAN administration (and WAN where appropriate)
- Help desk.

Segregation of duties between IPF and the Business


Segregation of duties can be enforced through:
- Transaction authorisation
- Reconciliation
- Custody of assets
- Access to data
- Separation of duties within the IPF itself.

Be familiar with the table on page 85!

Compensating Controls
To address poor segregation of duties, consider:
- Audit trails (trace the actions taken)
- Transaction logs (trace the transaction)
- Reconciliations
- Independent review.
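Both the segregation of duties slide and the compensating controls slide above can be exercised with a short script: it finds users whose combined roles give them two of the conflicting duties (authorisation, custody, reconciliation), checks whether the compensating controls the recap lists (audit trail plus independent review) are documented for them, and reads an audit trail to trace who actually did what on each transaction. This is an added example for the recap, not material from the course or the review manual; the role-to-duty mapping, the action names and the sample assignments and log are constructed.

```python
from __future__ import annotations

# Duties that should not be combined in one person (from the recap above).
CONFLICTING_DUTIES = {"authorisation", "custody", "reconciliation"}

# Constructed role-to-duty mapping for this example; in practice it comes from job descriptions.
ROLE_DUTIES = {
    "payments_clerk": {"authorisation"},
    "cashier": {"custody"},
    "accounts_reviewer": {"reconciliation"},
    "report_user": {"access_to_data"},
}

# How actions recorded in the (constructed) audit trail map onto duties.
ACTION_DUTY = {"authorise": "authorisation", "disburse": "custody", "reconcile": "reconciliation"}

# Compensating controls the recap lists; both must be in place to accept a conflict.
REQUIRED_COMPENSATING = {"audit_trail", "independent_review"}


def duties_of(roles: set[str]) -> set[str]:
    duties: set[str] = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def sod_conflicts(assignments: dict[str, set[str]]) -> dict[str, set[str]]:
    """Users whose combined roles give them two or more conflicting duties."""
    conflicts = {}
    for user, roles in assignments.items():
        held = duties_of(roles) & CONFLICTING_DUTIES
        if len(held) >= 2:
            conflicts[user] = held
    return conflicts


def assess(assignments: dict[str, set[str]], compensating: dict[str, set[str]]) -> list[dict]:
    """For each conflict, report whether audit trail plus independent review are documented."""
    findings = []
    for user, held in sorted(sod_conflicts(assignments).items()):
        have = compensating.get(user, set())
        findings.append({
            "user": user,
            "conflicting_duties": sorted(held),
            "compensating_controls": sorted(have),
            "adequately_compensated": REQUIRED_COMPENSATING <= have,
        })
    return findings


def review_audit_trail(log: list[tuple[str, str, str]]) -> dict[str, dict[str, set[str]]]:
    """Use the audit trail to trace actions taken: transactions on which one user
    performed two or more conflicting actions. Rows are (txn_id, user, action)."""
    seen: dict[str, dict[str, set[str]]] = {}
    for txn_id, user, action in log:
        duty = ACTION_DUTY.get(action)
        if duty:
            seen.setdefault(txn_id, {}).setdefault(user, set()).add(duty)
    return {txn: {u: d for u, d in users.items() if len(d) >= 2}
            for txn, users in seen.items()
            if any(len(d) >= 2 for d in users.values())}


# Constructed sample data.
ASSIGNMENTS = {
    "bob": {"payments_clerk", "cashier"},
    "carol": {"accounts_reviewer"},
    "dave": {"payments_clerk", "accounts_reviewer"},
}
COMPENSATING = {
    "bob": {"audit_trail", "independent_review"},
    "dave": {"audit_trail"},
}
AUDIT_TRAIL = [
    ("T1", "bob", "authorise"), ("T1", "bob", "disburse"),
    ("T2", "erin", "authorise"), ("T2", "carol", "reconcile"),
    ("T3", "erin", "authorise"), ("T3", "erin", "login"),
]

if __name__ == "__main__":
    for finding in assess(ASSIGNMENTS, COMPENSATING):
        print(finding)
    print(review_audit_trail(AUDIT_TRAIL))
```

The role table answers the question "who could?"; the audit trail answers "who did?". A conflict found in the first is tolerable only while the second is actually being reviewed by someone independent, which is exactly the pairing the compensating controls slide makes.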

Sources Of Organisational Evidence


- Information technology strategies
- Plans and budgets
- Security policies
- Organisational/functional charts
- Steering committee reports/minutes
- Personnel job descriptions
- System development and program change procedures
- Operations procedures
- Personnel policy manuals
- Authorising forms and documents.

CISA Review Course

UNIT 6 CISA Chapter 2 Questions

CISA Review Course

UNIT 7 CISA Team Crossword

Instructions And Rationale


- Split into teams of 3
- Work together to complete the crossword based on key CISA terms

(The exercise is designed to raise awareness of key CISA exam terminology.)

Review Of Terms
Are there any terms which are not really clear? Most terms are technology related, and knowing these is a key requirement for passing this exam.

CISA Review Course

UNIT 8 Chapter 3 Recap (part 1)


Chapter 3 Overview - Technical Infrastructure and Operational Practices

Information Systems Hardware Platforms:
- Technology Architecture
- Capacity Management
- System Monitoring
- Preventative Maintenance
- Hardware Acquisition Plan

Information Systems Software Platform

Information Systems Network & Telecoms:
- Terminology
- Architectures
- Standards and Protocols
- Transmission Media
- WANs and LANs
- Client/Server
- Performance Monitoring
- Communication Controls
- Data Encryption
- Internet
- Viruses

Information Systems Operational Practices:
- Management of Operations
- Operations Practices
- Controlling Input/Output
- Lights Out Operations
- Scheduling
- Monitoring Use of Resources
- Problem Management
- Program Change Control
- Librarian Function
- Quality Assurance
- Service Levels
- Technical Support
- Physical Security

Auditing Infrastructure and Operations:
- Technology Architecture
- Software Selection Process
- Implementation and Change Control Procedures
- Configuration Parameters

Page 101

Hardware Architectures
Three main classes:
- Large (e.g. mainframe)
- Medium (e.g. mini-computer)
- Small (e.g. microcomputer/PC, notebook/laptop, PDA)

Main distinguishing features are:
- Addressable memory capacity
- Amount of on-line storage
- Number of users supported simultaneously

(although boundaries are now blurring.)

Page 105

Hardware Acquisition Plans


Requirement documents (or ITTs) should cover:
- Description of intended use (e.g. centralised/decentralised)
- Data processing requirements (including projected workloads)
- Specific hardware requirements (e.g. peripherals to support)
- System software requirements (e.g. operating systems)
- Support requirements (including training and backup)
- Adaptability requirements (including upgrade paths)
- Constraints (e.g. due dates and cost)
- Conversion requirements (e.g. migrating existing apps.)

The need to consider all these areas depends partly on the type of hardware being purchased.

Page 106

Key Acquisition Steps


- Review of brochures and visits to other user sites
- Provision for competitive bidding
- Analysis of bids against product selection criteria
- Comparison of bids against each other
- Analysis of vendor financial condition (often overlooked)
- Analysis of on-going maintenance and support
- Review of delivery schedules against requirements
- Hardware/software upgrade/compatibility check
- Analysis of security and control issues (inc. physical)
- Review of all contract terms by a lawyer (right to audit)
- Production of formal recommendation detailing decision.

Page 107

Capacity Management
Factors to consider when planning hardware support for future expansion:
- Existing CPU utilisation
- Computer storage utilisation
- Telecommunications and wide area network traffic
- Terminal and I/O channel utilisation
- Number of users
- New technologies due to be implemented
- New applications due to be implemented
- Existing and future service level agreements.

Page 109

CISA Review Course

UNIT 9 Chapter 3 Recap (part 2)



System Software Components


- Operating systems
- Access control software
- Data communications software
- Database management systems (DBMS)
- Program library management systems
- Tape and disk management systems
- Online programming facilities (integrated development environment)
- Network management software
- Job scheduling software
- Utility programs

Page 110

Operating Systems
Key features are:
- Brings together the users, application software and the systems
- Manages computer resources and processing
- Often includes facilities to assist in operating the computer and development of applications.

Page 110

Access Control Software (not in manual)


Key functions of such software are:
- Recording logon ids and passwords, and authenticating users
- Restricting access to specific terminals
- Restricting access to specific predetermined times
- Enforcing other rules for access such as terminal time-outs
- Ensuring individual accountability and auditability
- Logging events and user activities
- Generating exception reports

Doing all of the above at the operating system, database, and application program levels.
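The functions listed for access control software can be demonstrated with a small Python class: salted password authentication, terminal and time-of-day restrictions, a session time-out, an event log for accountability and an exception report of denied events. This is an added example for the recap, not code from the course or from any real product; the 15-minute time-out and the user, terminals and times in the scenario are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from datetime import datetime, time, timedelta

SESSION_TIMEOUT = timedelta(minutes=15)   # terminal time-out chosen for this example


def _hash_password(password: str, salt: bytes) -> str:
    # Salted hash for the demo; a production system would use a slow password hash.
    return hashlib.sha256(salt + password.encode()).hexdigest()


class AccessControl:
    """Minimal access control software implementing the functions in the recap."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}
        self.sessions: dict[str, datetime] = {}   # user -> time of last activity
        self.log: list[dict] = []                  # event log for accountability/auditability

    def add_user(self, uid: str, password: str, terminals: list[str], start: time, end: time) -> None:
        salt = os.urandom(16)
        self.users[uid] = {"salt": salt, "hash": _hash_password(password, salt),
                           "terminals": set(terminals), "window": (start, end)}

    def _record(self, now: datetime, uid: str, terminal: str, event: str, outcome: str) -> None:
        self.log.append({"time": now.isoformat(), "user": uid, "terminal": terminal,
                         "event": event, "outcome": outcome})

    def logon(self, uid: str, password: str, terminal: str, now: datetime) -> bool:
        user = self.users.get(uid)
        if user is None or not hmac.compare_digest(user["hash"], _hash_password(password, user["salt"])):
            self._record(now, uid, terminal, "logon", "denied: bad credentials")
            return False
        if terminal not in user["terminals"]:
            self._record(now, uid, terminal, "logon", "denied: terminal not permitted")
            return False
        start, end = user["window"]
        if not start <= now.time() < end:
            self._record(now, uid, terminal, "logon", "denied: outside permitted hours")
            return False
        self.sessions[uid] = now
        self._record(now, uid, terminal, "logon", "granted")
        return True

    def access(self, uid: str, resource: str, now: datetime) -> bool:
        last = self.sessions.get(uid)
        if last is None:
            self._record(now, uid, "-", f"access {resource}", "denied: no session")
            return False
        if now - last > SESSION_TIMEOUT:
            del self.sessions[uid]
            self._record(now, uid, "-", f"access {resource}", "denied: session timed out")
            return False
        self.sessions[uid] = now
        self._record(now, uid, "-", f"access {resource}", "granted")
        return True

    def exception_report(self) -> list[dict]:
        """Exception report: every denied event, for review by security administration."""
        return [e for e in self.log if e["outcome"].startswith("denied")]


def demo() -> dict:
    """Constructed scenario: one user, one permitted terminal, an 08:00-18:00 window."""
    ac = AccessControl()
    ac.add_user("alice", "correct horse", ["TERM01"], time(8, 0), time(18, 0))

    def at(hour: int, minute: int) -> datetime:
        return datetime(2003, 6, 14, hour, minute)

    return {
        "bad_password": ac.logon("alice", "wrong", "TERM01", at(9, 0)),
        "wrong_terminal": ac.logon("alice", "correct horse", "TERM02", at(9, 0)),
        "out_of_hours": ac.logon("alice", "correct horse", "TERM01", at(23, 0)),
        "good_logon": ac.logon("alice", "correct horse", "TERM01", at(9, 0)),
        "access_in_time": ac.access("alice", "payroll", at(9, 10)),
        "access_after_timeout": ac.access("alice", "payroll", at(9, 40)),
        "exceptions": len(ac.exception_report()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Every decision, granted or denied, lands in the same log, and the exception report is simply a filtered view of it; that is what gives the auditor individual accountability rather than a list of who is allowed in.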

Data Communications Software


Common transmission codes:
- 5 bit CCITT (p. 123)
- ASCII
- IBM EBCDIC (8 bit)

Data communication systems have three components:
- Transmitter (source)
- Transmission path (channel or line)
- Receiver (sink)

Common applications:
- EFT
- Office information systems
- Customer/supplier links such as EDI
- Electronic messaging (including the Internet).

Page 113

DBMS
Systems software that organises, controls and uses data. Uses data dictionaries. Structured in one of three ways:
- Hierarchical
- Network
- Relational

Each structure has a number of advantages and disadvantages, with relational generally being the structure of choice for most applications.

Page 114

Program library management systems


Some PLMS capabilities are:
- Integrity - source programs are assigned modification and version numbers
- Update - creating automated backups and maintaining an audit trail
- Reporting - listing additions, deletions and modifications for management and auditor reviews
- Interface - with the operating system, job scheduling, access control and online program management systems

Page 118

Tape and disk management systems


- Specialised software to track tape and disk inventories
- Contains dataset names, location, creation date, retention period, expiry date etc.
- A number of systems work with robotic units

Page 119

Online programming facilities (not in manual)


Facilities to assist programmers to code and compile programs. The trend towards PC-based programming facilities increases risks, e.g. version control, unauthorised access, over-writing of valid programs.

Network management software


- Has functions to control and maintain the network
- Watches line status, active terminals, length of message queues, error rates and overall traffic
- Alerts the operator of problems before they affect network reliability

Job scheduling software


From daily work schedules, this software determines which jobs are to be processed.

Various advantages:
- Job setup is only performed once
- Job dependencies are defined
- Records all job successes and failures
- Reduces reliance on operators.
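The job scheduling points above (dependencies defined once, every success and failure recorded, less reliance on operators) come down to a small dependency-ordered runner. The Python below is an added example for this recap, not code from the course or from any scheduling product; the job names and the deliberately failing validation step are constructed.

```python
from __future__ import annotations

from collections import deque
from typing import Callable


def schedule(jobs: dict[str, list[str]]) -> list[str]:
    """Order jobs so each runs after the jobs it depends on (Kahn's algorithm).
    Ties are broken alphabetically so the schedule is reproducible; cycles and
    unknown dependencies are rejected rather than silently dropped."""
    indegree = {name: 0 for name in jobs}
    for name, deps in jobs.items():
        for dep in deps:
            if dep not in jobs:
                raise ValueError(f"{name} depends on unknown job {dep}")
            indegree[name] += 1
    ready = deque(sorted(name for name, n in indegree.items() if n == 0))
    order: list[str] = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for name, deps in sorted(jobs.items()):
            if current in deps:
                indegree[name] -= 1
                if indegree[name] == 0:
                    ready.append(name)
    if len(order) != len(jobs):
        raise ValueError("dependency cycle detected")
    return order


def run_schedule(jobs: dict[str, list[str]], runners: dict[str, Callable[[], None]]) -> dict[str, str]:
    """Run jobs in dependency order and record every outcome. A job whose
    dependency did not succeed is SKIPPED, so a failed step is never followed
    by the steps that rely on its output."""
    status: dict[str, str] = {}
    for name in schedule(jobs):
        if any(status.get(dep) != "SUCCESS" for dep in jobs[name]):
            status[name] = "SKIPPED"
            continue
        try:
            runners[name]()
            status[name] = "SUCCESS"
        except Exception as exc:   # record the failure instead of aborting the whole run
            status[name] = f"FAILED: {exc}"
    return status


# Constructed nightly batch for illustration.
JOBS = {
    "extract": [],
    "validate": ["extract"],
    "load": ["validate"],
    "report": ["load"],
    "housekeeping": [],
}


def _fail_validation() -> None:
    raise RuntimeError("42 records rejected")


RUNNERS = {
    "extract": lambda: None,
    "validate": _fail_validation,
    "load": lambda: None,
    "report": lambda: None,
    "housekeeping": lambda: None,
}


def demo() -> dict[str, str]:
    return run_schedule(JOBS, RUNNERS)


if __name__ == "__main__":
    print(schedule(JOBS))
    for job, outcome in demo().items():
        print(f"{job:12} {outcome}")
```

The status table is the control record an auditor would ask for: it shows not only that validation failed but that load and report were held back because of it, which is the behaviour a manual operator under time pressure is most likely to get wrong.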

Page 119

Utility programs
Systems software which performs maintenance or specialised functions frequently required during operations. Can be related to:
- Understanding application systems (e.g. flow charter)
- Assessing data quality (e.g. dump)
- Testing programs (e.g. online debugging facilitators)
- Assisting in program development (e.g. code generator)
- Improving operational efficiency (e.g. monitors).
Page 119

System Software-related Acquisition


Considerations include:
- Business, functional and technical needs and specification
- Cost/benefit
- Obsolescence
- Compatibility with existing systems
- Security
- Demands on existing staff
- Training and hiring requirements
- Future growth needs
- Impact on system performance and the network
Page 120

Other system software considerations


- Change control and implementation of patches
- Software licensing

Page 120


Telecoms Terminology/Devices
- Terminals (teletype, RJE etc.)
- Modems
- Multiplexors/concentrators
- Switching types: line/circuit, message, packet
- Front end communication processors
- Cluster controllers
- Protocol converters
- Spools and buffers

Page 122, 140

Network components
- Repeaters
- Hubs
- Bridges
- Switches
- Routers
- Brouters
- Gateways
- Multiplexors

Page 130

Transmission Media
- Twisted pair
- Coaxial
- Fiber optic
- Radio
- Microwave
- Satellite
- Wireless
- Bluetooth

Page 132

Networking.
Architectures:
- Bus (linked to one cable)
- Ring (formed in a circle)
- Star (all linked to a main hub)
- Completely connected/mesh (direct link between all)

The 7 layer OSI model was used to create interoperability between manufacturers' products. The layers are:
- Application layer (validation and transaction security)
- Presentation layer (format, encryption and transformation)
- Session layer (start, manage and stop sessions)
- Transport layer (flow control and end-to-end error recovery)
- Network layer (packet management, routing and switching)
- Data link layer (node to node control and error handling)
- Physical layer (transmission of bits)

Page 124, 136

LAN Selection Criteria


Some relevant considerations are:
- What are the applications?
- What is the bandwidth requirement?
- What is the budget?
- What are the remote management needs?

The Internet
Consists of a worldwide network exchanging information using common protocols such as TCP and IP. Provides a range of services including:
- World Wide Web (supported by HTML and HTTP)
- FTP (anonymous or otherwise)
- RealAudio (currently there is no firm standard for video)

Key Internet control issues are:
- Transaction security (such as SSL)
- Entry security (such as firewalls)
- Viruses (macro, Java or browser based).

Page 126

Other Internet Non-Web-based Services and Terminology


- ISP
- Network access point (NAP)
- Internet link
- Remote Terminal Control Protocol (TELNET)
- Domain name service (DNS)
- Direct connection
- Internet appliance
- Online services
- File Transfer Protocol (FTP)
- Simple mail transport protocol (SMTP)
- Simple network management protocol (SNMP)

Page 128

Client/Server Points
- Allows data and business logic to be distributed to where it best suits the application
- Typically this means data on the server(s) and application logic on the client (it is important to understand 2 and 3-tier architectures)

Considerations when implementing include:
- Memory/CPU (fat v thin)
- Scalability (easier in 3-tier)
- Application servers

Page 145

Middleware
Commonly used for:
- Transaction processing (TP) monitors
- Remote procedure calls (RPC)
- Object request broker (ORB) technology
- Messaging servers

Page 146

Middleware
- Middleware is the client/server glue that holds these types of application together
- It is located physically on both the client and the server and it facilitates network connection and communication

Key risks are:
- Provides another avenue of access to control
- Multiple versions of software may get out of sync

Key controls are:
- Network security controls (such as passwords & encryption)
- Change control procedure (such as versioning & tracking).

Telecommunications Monitoring Procedures


- Latency - the delay a message/packet experiences on its way between two points
- Throughput - the quantity of work per unit of time

ISO has defined 5 network management tasks:
- Fault management
- Configuration management
- Accounting management (of resources)
- Performance management
- Security management

Page 147

CISA Review Course

UNIT 10 Technology Pictionary

Instructions
- Come to the front and each take one of the 12 technology lists
- Each person then gets 90 seconds to draw as many of the technology items on the list as possible whilst the others call them out
- The items can be tackled in any order, although no written words are allowed, and no talking !!!
- Points for getting them right, plus points for guessing correctly

CISA Review Course

UNIT 11 Chapter 3 Recap (part 3)

The Seven CISA Chapters

Chapter 1 - The IS Audit Process (10%, 20 questions)
- professional standards
- code of professional ethics
- other laws and regulations
- performing an IS audit

Chapter 2 - Management, Planning and Organization of IS (11%, 22 questions)
- strategies to achieve business objs.
- policies and procedures
- IS management practices
- organisational structures

Chapter 3 - Technical Infrastructure and Operational Practices (13%, 26 questions)
- hardware platforms
- software platforms
- telecommunications
- operations

Chapter 4 - Protection of Information Assets (25%, 50 questions)
- logical access controls
- physical access controls
- environment controls

Chapter 5 - Disaster Recovery and Business Continuity (10%, 20 questions)
- backup and recovery
- disaster recovery
- business continuity

Chapter 6 - Business Application System Development, Acquisition, Implementation & Maintenance (16%, 32 questions)
- SDLC
- alternative methodologies
- IS maintenance practices
- project management

Chapter 7 - Business Process Evaluation and Risk Management (15%, 30 questions)
- IT governance
- application controls
- business applications

Chapter 3 Overview

Technical Infrastructure and Operational Practices

Information Systems Hardware Platforms
- Technology Architecture
- Capacity Management
- System Monitoring
- Preventative Maintenance
- Hardware Acquisition Plan

Information Systems Software Platform
- Technology Architecture
- Software Selection Process
- Implementation and Change Control Procedures
- Configuration Parameters

Information Systems Network & Telecoms
- Terminology
- Architectures
- Standards and Protocols
- Transmission Media
- WANs and LANs
- Client/Server
- Performance Monitoring
- Communication Controls
- Data Encryption
- Internet
- Viruses

Information Systems Operational Practices
- Management of Operations
- Operations Practices
- Controlling Input/Output
- Lights Out Operations
- Scheduling
- Monitoring Use of Resources
- Problem Management
- Program Change Control
- Librarian Function
- Quality Assurance
- Service Levels
- Technical Support
- Physical Security

Auditing Infrastructure and Operations

Page 101

IS operations
- Management of IS operations
- Computer operations
- Technical support/helpdesk
- Scheduling
- Controlling input/output of data
- Quality assurance
- Program change control
- Librarian function
- Problem management procedures
- Procedures for monitoring efficient and effective use of resources
- Management of physical and environmental security.

Page 149

Computer operations
Key operator tasks include:
- Running and monitoring jobs
- Restarting applications after abnormal termination
- Facilitating backing up of data
- Observing the IPF for unauthorised entry
- Mounting tapes
- Monitoring adherence to job schedules
- Participating in disaster recovery tests.

(Note more and more of these tasks are becoming automated over time).

Page 149

Lights Out Operations


Typical tasks that would be automated are:
- Job scheduling
- Console operation
- Report balancing and distribution
- Re-run/re-start activities
- Tape mounting and management
- Environment monitoring

Key advantages are:
- Cost reduction (less expensive staff)
- Continuous operations (24-7)
- Reduced error rate (no humans involved !!!)

Page 149

Controls Over Input & Output


Input controls:
- Batch header forms
- Authorisation of input
- Batch balancing
- Data validation (electronically or manually)

Output controls:
- Report distribution procedures
- Access control over print spools and output.

Page 150

Management of IS operations
Key functions are resource allocation, and standards and procedures. Also planning, authorising, monitoring, reviewing the operations functions as a whole to ensure consistency with overall business strategies and policies.

Page 151

Service Levels
Normally defined using an SLA
Typical tools used to monitor compliance with an SLA are:
- Abnormal job termination reports
- Operator problem reports
- Output distribution reports
- Console logs
- Operator work schedules
- Help desk tracking databases.

Page 151

Scheduling
This is:
- Defining jobs that can be run and the sequence of execution
- Maintenance functions should be performed at off-peak times
- Jobs may be scheduled to run ad hoc when system capacity is spare
- A key function in ensuring IS resources are optimally utilised.

Page 153

Problem Management
Key steps are:
- Detection (knowing something has happened)
- Documentation (capturing all relevant details)
- Control (continuing with other tasks)
- Resolution (fixing the problem)
- Reporting (reporting the fix)

(using and reviewing error logs is a key detection control)

There should be some form of multi-level escalation procedure.

Page 153

Librarian Function
Split between on-line and off-line
Typically off-line storage includes:
- Tape vaults
- Company safes
(in-house or 3rd party)

Typical controls over off-line storage include:
- Securing physical access
- Ensuring that the library will withstand fire/heat for a minimum of 2 hrs
- Ensuring that the library is separately located from the computer room
- Restricting logical access to key personnel only
- Maintaining a perpetual inventory (including transfer records)
- Having a written transfer/re-use policy.

Quality assurance
- Ensure everyone participates in the use of standards, guidelines and procedures
- Maintain the systems development methodology
- Make improvement recommendations on projects
- Establish a change control environment
- Define the testing methodology
- Report issues to management.

Page 155

Help Desk and Technical Support


Help desk is the first level of support - key functions are:
- Initiate/document problems that arise from users
- Escalate the issue if appropriate
- Follow up unresolved problems
- Close out problems once resolved

Technical support tends to be the second level - key functions are:
- Obtaining detailed knowledge of the OS and in-house apps
- Answering specific technical enquiries
- Managing the installation of vendor/system changes
- Monitoring and maintaining system software
- Maintaining the company's telecommunications network.

Page 155


Auditing Infrastructure and Operations

Pages 156 - 165, be familiar with these!
- Hardware reviews
- Operating system reviews
- Database reviews (new)
- LAN reviews
- NOC reviews
- IS operations reviews
- Data entry control
- Lights out operations
- Problem management reporting
- Hardware availability & utilisation
- Scheduling

Physical/Environmental Security
Consider the full range of issues:
- Authorisation of entry to the facility
- Authorisation of temporary staff (such as engineers)
- Protection against disaster (for example fire)
- The need to keep equipment cool (air conditioning)
- Securing of external support facilities (for example power)
- The need for regular testing
- The use of emergency shutdown procedures
- The impact of a client/server based environment.

CISA Review Course

UNIT 12 CISA Chapter 3 Questions

CISA Review Course

UNIT 13 Mini CISA Test (number 1)

Instructions
Take a question handout and answer sheet from the front, keeping the questions face down
You will have 15 minutes to answer the questions, after which we'll hand out answer sheets

On Your Marks, Get Set, GO !!!!

Mini CISA Test - Number 1

STOP !!!!
Take an answer sheet and start marking Are there any questions you want to go over ?

CISA Review Course

And that's it for day one !!!!

CISA Review Course

Good morning !!!

CISA Review Course

Any questions about what we covered yesterday ???


CISA Review Course

UNIT 14 Chapter 4 Recap


Chapter 4 Overview

Protection of Information Assets

Importance of IS Management
- Security Policies

Logical Access
- Logical access paths
- Issues and exposures
- Authorisation issues
- Viruses

Network Infrastructure Security
- LAN Security
- Client Server Security
- Internet Threats and Security
- Encryption
- Firewall Security Systems
- Intrusion Detection Systems

Auditing Network Infrastructure Security

Auditing IS Management and Logical Access

Environmental Exposures and Controls
- Issues, exposures and controls for Environmental Exposures
- Auditing Environmental Controls

Physical Access Exposures and Controls

Page 185

Key elements of IS Management


Policies and procedures
Organisation

Document responsibilities for:
- Executive management
- Security committee
- Data owners
- Process owners
- IT developers
- Security specialists/advisors
- Users
- IS auditors

Page 189

Security Policies
Key components include:
- management support and commitment
- access philosophy (i.e. the ground rules)
- access authorisation (should be written)
- regular reviews of access
- security awareness (through training)
- compliance with legislation

Should be enforced by a security administrator and overseen by a security committee

(The former either full time or with other non-conflicting duties).

Page 189

Computer Crime Issues and Exposures


- Financial loss
- Legal repercussions (e.g. privacy, DPA etc.)
- Loss of credibility
- Loss of competitive edge
- Blackmail/industrial espionage
- Disclosure of sensitive/embarrassing information
- Sabotage.

Page 194

Technical Exposures
- Data diddling (change data before data entry)
- Trojan horse
- Rounding down
- Salami technique (similar to rounding down)
- Viruses
- Worms
- Logic bomb (e.g. year 2000)
- Trap doors
- Asynchronous attack (attack data waiting to be transmitted)
- Data leakage
- Wire-tapping
- Piggybacking (technical or otherwise)
- Denial of service
- Shut down of the computer (directly or indirectly)

Page 196

Logical Access Paths


Several key ways logical access can be gained:
- Operator console
- On-line terminals
- Batch job processing
- Dial-up ports
- Telecommunications network

Typical perpetrators of violations include:
- Hackers
- Employees
- IS personnel
- Temporary staff (vendors and consultants)
- Accidental/ignorant
- Interested parties (the competition, crackers, phrackers etc.)

Page 198, 195

Logical security techniques


- Log-on IDs and passwords - identification, accountability and authorisation
- Challenge-response techniques and one-time passwords
- Biometrics
- Logging computer access
- Terminal security
- Dial-back
- Remote access security
- Controls over BLP, system exits, and privileged user IDs
- Naming conventions.

Page 201

Controls Over Viruses


Technical means include:
- use workstations without floppy disks
- use remote booting
- use hardware-based passwords
- use write-protect tabs on floppy disks
- use boot virus protection

Software tools include:
- Scanners (signature and heuristic)
- Active monitors
- Integrity/CRC checkers
- Behaviour blockers
- Immunisers

Other non-direct controls include:
- written policies and procedures
- system builds done from clean installation disks
- backups taken on a regular basis

Page 214

Audit techniques for logical access


Be familiar with pages 217 - 223.

Internet Threats and Security


Passive attacks:
- Network analysis
- Eavesdropping
- Traffic analysis

Page 228

Internet Threats and Security


Active attacks:
- Brute-force attacks
- Masquerading
- Packet replay
- Message modification
- Unauthorised access through the Internet
- Denial of service
- Dial-in penetration attacks
- E-mail bombing and spamming
- E-mail spoofing

Page 228

Data Encryption Points


Two main types of cryptosystem:
- Public/asymmetric (encryption key is widely known, but the different decryption key is kept secret)
- Private/symmetric (single encryption/decryption key kept secret, less processing power)

Effectiveness depends on the number of bits in the key(s)
Common cryptosystems are:
- RSA (public)
- DES (private) - no longer considered strong.

Page 231

Firewall security
Must enable organisations to:
- block access to particular sites
- prevent users from accessing certain servers or services
- monitor communications between internal/external networks
- eavesdrop and record all communications
- encrypt packets between physical locations

Page 239

Intrusion Detection (IDS)


Identification of and response to inappropriate activities
Detects attack patterns and issues alerts
Two types:
- network based (identify all attack attempts)
- host based (monitor internal resources)

Page 243

Environmental Controls
Again consider the full range:
- Raised floors and water detectors
- Hand-held fire extinguishers
- Manual fire alarms
- Smoke detectors
- Fire suppression systems (dry-pipe, water and Halon, FM-200)
- Fireproofing walls and ceiling
- Electrical surge protectors
- UPSs/generators
- Emergency power-off switches
- Power leads from two substations
- Regular inspection by Fire Department
- Strategically locating the computer room
- Rules on the consumption of food/fluids
- Fire resistant office materials
- Documented and tested emergency evacuation plans

Page 248

Physical Controls
Remember the full range, not just the obvious:
- Door locks (bolting, electronic, cipher or biometric)
- Logging of entry (manual or electronic)
- Photo IDs
- Video cameras
- Security guards
- Escorted visitor access
- Bonded maintenance personnel
- Deadman doors
- Not advertising the location of sensitive facilities
- Computer terminal locks
- Single entry points
- Alarm systems
- Secured report/document distribution carts

Page 254

CISA Review Course

UNIT 15 CISA Chapter 4 Questions

CISA Review Course

UNIT 16 Chapter 5 Recap


Chapter 5 Overview

Disaster Recovery and Business Continuity

Backup and Recovery
- Procedures
- Rotation of media

Business Continuity Planning
- Overall Planning Process/Stages
- Risk Evaluation
- Testing of Plans

IS Disaster Recovery
- Recovery alternatives
- Off-site facilities
Elements Of An Effective BCP Plan


- Senior management support
- User management involvement
- User and data processing procedures, including those for:
  - Emergency action
  - Notification
  - Disaster declaration
  - Systems recovery
  - Network recovery
  - User recovery
  - Salvage operations
  - Relocation.

Business Resumption Teams


- Emergency action team
- Damage assessment team
- Emergency management team
- Off-site storage team
- Software team
- Applications team
- Security team
- Emergency operations team
- Network recovery team
- Communications team
- Transportation/relocation team
- User hardware team
- Data preparation and records team
- Administrative support team
- Supplies team
- Salvage team

Types of Insurance
- IS equipment and facilities
- Media (i.e. software) reconstruction
- Extra expense
- Business interruption
- Valuable papers and records
- Errors and omissions
- Fidelity coverage
- Media transportation (loss in transit).

Disaster Event Scenarios


Systems should be risk ranked:
- Critical
- Vital
- Sensitive
- Non-critical

Should also take account of:
- Critical recovery time periods
- User and data processing interrelationships (i.e. weakest link).

Hot/Cold Site Contract Terms


- Configurations
- Disaster definition
- Speed of availability
- Subscribers per site/area
- Reference/priority
- Insurance
- Usage period
- Communications
- Warranties
- Testing rights
- Reliability/penalties.
(especially employee)

Telecommunications Continuity
Common forms of continuity include:
- Redundancy of company equipment
- Alternative routing (usually 2)
- Diverse routing (usually 2 or more)
- Long haul network diversity
- Last mile circuit protection
- Voice recovery.

Business Resumption Plan Testing


Should have the following test phases:
- Pre-test
- Test
- Post-test

The range of test types includes:
- Paper tests (walkthrough with key players)
- Preparedness tests (localised/partial version of full test)
- Full operational test (the full monty)

Results should be analysed appropriately with common measurements being:
- Time taken
- Number of records
- Amount of work performed
- Accuracy of work.

Considerations for Backups

- Frequency and retention per file
- Master files (synchronisation)
- Transaction files (to recreate master files)
- Real-time files (time stamping, duplicate logging)
- DBMS (integral feature)
- File descriptions
- Licenses
- Object and source code

CISA Review Course

UNIT 17 CISA Chapter 5 Questions

CISA Review Course

UNIT 18 Chapter 6 Recap


Chapter 6 Overview

Business Application Systems Development

Business Application Development
- Requirements Definition
- Feasibility Studies
- Software Acquisition
- Detailed Design
- Programming
- Testing
- Implementation
- Post Implementation Review
- Tools and Productivity Aids

Project Management Practices
- SDLC
- Project Failure Risks
- Overall SDLC Project Controls

Maintenance Practices
- Authorisation Procedures
- System Documentation
- Test Procedures
- Change Approvals
- Program Migration
- Emergency Changes
- Source Code Integrity
- Coding Standards
- Source Code Comparison
- Library Control Software

Page 307

Key Players In Software Projects


- Senior management
- User management
- Project steering committee
- Project sponsor
- Systems development management
- Project manager
- Systems development project team
- User project team
- Security officer
- Quality assurance
- Systems auditor.

Page 312

SDLC Phases and Risks


Project should be divided up into phases such as:
- Feasibility study
- Requirements definition
- Software acquisition
- Integrated resource management systems (ERPs)
- Detailed design
- Programming
- Testing
- Implementation
- Post implementation review

(see page 315 for a typical approach)

Risks associated with poor management:
- Does not meet business needs
- Overruns in time and money
- Not delivered at all.

Page 314

RFP contents
- Product functionality vs. actual requirements
- Customer references
- Vendor viability/financial stability
- Availability of complete and reliable documentation
- Vendor on-going support
- Source code availability
- Number of years product has been in existence
- List of recent or planned enhancements (with dates)
- Number of current client sites/client list
- Ability to allow acceptance testing at nominal cost.

Page 317

Testing
- Unit testing
- Interface testing
- System testing
- Alpha and beta testing
- Pilot testing
- Whitebox/blackbox testing
- Function/validation testing
- Regression testing
- Parallel testing
- Sociability testing

Page 324

Development methodologies
- Data oriented system development
- Object oriented system development
- Component-based development
- Web-based application development
- Prototyping
- Rapid application development
- Agile development
- Reengineering
- Reverse engineering
- Structured analysis.

Page 328

Prototyping (heuristic development)


Defined as creating systems through controlled trial and error
Main aim is reduced development time
Main emphasis is on screens and reports and hence it is best suited to applications with little processing
Two basic approaches:
- Throw-away
- Evolutionary

Quality is often an issue (especially with the latter).

Page 331

RAD
Technique aimed at producing applications in faster timescales
Uses a number of key techniques to achieve this:
- Small, well-trained development teams
- Evolutionary prototyping
- Integrated power development tools (nearly all GUI)
- A central repository
- Workshops
- Rigid development time frames

Aim is to leverage automation and more powerful hardware to reduce the human effort required.

Page 332

Change control
A key control is the formal authorisation of changes to the live system
(Both prior to being developed and also prior to migration)

However, there should also be some record of the changes, either manually or electronically
(This is especially important where there is poor segregation of duties)

The above applies equally to both operating system and application changes.

Page 335

Controls
- Authorisation procedures - new projects, change control
- User approval before systems go live
- Continuous update of system documentation
- Program migration process
- Emergency changes
- Configuration management
- Library control software
- Source and executable control integrity
- Source code comparison

Page 336

Library Control Software


Common functions are:
- Prohibit the updating of production code
- Prohibit the updating of production batch jobs
- Require only an authorised individual to check out/release source code
- Require only an authorised individual to migrate code into production
- Allow read-only access to source code
- Require that code being checked in meets coding standards
- Provide a full audit trail of all the changes
- Require programmers to enter details about the changes upon checking source code back in.

Page 337

Other Planning Points...


Project management methodologies:
- Critical path methodology
- Program evaluation review technique (PERT)
- Plan before a project and control during it
- As resources become free, allocate them to the most critical tasks
- The PERT network diagram is a sequence of project activities
- Optimistic, pessimistic and expected activity timescales are used with standard deviation techniques to facilitate planning.

Estimation of timescales using:
- Function points
- Lines of code models.

Timebox management

Page 342, 340
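The PERT points above, worked through in code as an added example (not from the course material): three-point estimates per activity, a forward pass to find the critical path, and the standard-deviation technique used to put a probability on meeting a deadline. The activity network is constructed for illustration.

```python
"""PERT three-point estimates and critical path for a small project network.

Added example (not from the course material): the activity network below is
constructed for illustration; the formulas are the standard PERT ones:
expected = (O + 4M + P) / 6 and standard deviation = (P - O) / 6.
"""
from math import erf, sqrt

# activity -> (optimistic, most likely, pessimistic, predecessors); constructed sample
ACTIVITIES = {
    "A": (2, 4, 6, []),           # feasibility study
    "B": (3, 5, 13, ["A"]),       # requirements definition
    "C": (4, 5, 9, ["A"]),        # software acquisition (runs alongside B)
    "D": (5, 8, 11, ["B", "C"]),  # detailed design and programming
    "E": (2, 3, 4, ["D"]),        # testing
    "F": (1, 1, 1, ["E"]),        # implementation
}


def pert_expected(o, m, p):
    """Weighted mean of the three estimates."""
    return (o + 4 * m + p) / 6


def pert_sd(o, p):
    """Standard deviation of one activity's duration."""
    return (p - o) / 6


def critical_path(activities):
    """Forward pass through the network in dependency order.

    Returns (activities on the longest path, its expected length, its standard
    deviation). Variances add along the path, so the path's standard deviation
    is the square root of the summed variances.
    """
    earliest_finish = {}
    path_to = {}
    remaining = dict(activities)
    while remaining:
        progressed = False
        for name, (o, m, p, preds) in list(remaining.items()):
            if all(pr in earliest_finish for pr in preds):
                duration = pert_expected(o, m, p)
                if preds:
                    # the latest-finishing predecessor determines the start
                    last = max(preds, key=lambda pr: earliest_finish[pr])
                    earliest_finish[name] = earliest_finish[last] + duration
                    path_to[name] = path_to[last] + [name]
                else:
                    earliest_finish[name] = duration
                    path_to[name] = [name]
                del remaining[name]
                progressed = True
        if not progressed:
            raise ValueError("network has a cycle or an unknown predecessor")
    end = max(earliest_finish, key=earliest_finish.get)
    path = path_to[end]
    variance = sum(pert_sd(activities[a][0], activities[a][2]) ** 2 for a in path)
    return path, earliest_finish[end], sqrt(variance)


def completion_probability(activities, deadline):
    """Probability of finishing by the deadline, treating the path length as normal."""
    _, mean, sd = critical_path(activities)
    if sd == 0:
        return 1.0 if deadline >= mean else 0.0
    z = (deadline - mean) / sd
    return 0.5 * (1 + erf(z / sqrt(2)))


if __name__ == "__main__":
    path, length, sd = critical_path(ACTIVITIES)
    print("critical path:", " -> ".join(path))
    print(f"expected length {length:.1f} days, sd {sd:.2f}")
    print(f"P(finish within 24 days) = {completion_probability(ACTIVITIES, 24):.2f}")
```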

System development tools and productivity aids


- Code generators (generate their own code!)
- CASE
- 4GLs
- Test generators
- Interactive debugging aids and code logic analysers.

Page 344

CASE
Defined as the use of automated tools to aid the software development process
Generally divided up into 3 categories:
- Upper (business and application requirements)
- Middle (detail designs)
- Lower (generation of program code and db definitions)

Can be used across a range of platforms and are usually repository based
Can be an element of overlap with 4GLs (especially lower).

Page 344

4GLs
Typical characteristics:
- Non-procedural language
- Environmental independence (portability)
- Powerful software facilities
- Programmer workbench/toolsets concept
- Simple language subsets
(often event driven)

Often classified as follows:
- Query and report generators
- Embedded/related database 4GLs
- Application generators.

Page 345

CISA Review Course

UNIT 19 CISA Chapter 6 Questions

CISA Review Course

UNIT 20 Group Quiz - Jeopardy

CISA Review Course

UNIT 21 Chapter 7 Recap


Chapter 7 Overview

Business Process Evaluation & Risk Management

Business Application Systems
- eCommerce
- EDI
- POS
- AI
- Data warehouse

Business Process Re-engineering

Application Controls
- Input/Output
- Data validation
- Integrity

IT Governance

Business Process Re-engineering


Successful BPR results in:
- New business priorities
- Improved product, service, profitability
- New approach to organising and motivating people
- New approach to the use of information
- Refined roles for 3Ps (outsourcing, development, support)
- Redefined roles for clients and customers

IT Governance

- Encompasses IS, technology and communication, and business and legal matters across all stakeholders
- Governed by generally accepted good/best practice to ensure resources are used effectively and risks are managed appropriately
- Strategic alignment between IT and enterprise objectives

Input Authorisation Types


On-line/transaction controls:
- Signatures on forms
- On-line access controls (such as unique passwords)
- Terminal identification
- Pre-printed source documents

Batch controls:
- Totals (e.g. dollars, items, documents and hash)
- Batch balancing (batch registers, control accounts and computer agreement)

(note - balancing really means comparing in some way.)

Controls Over Data Input


Programmed validation includes:
- Sequence check
- Limit check (one sided)
- Range check (two sided)
- Validity check (does data meet known values)
- Reasonableness check
- Table look-ups (small set of fixed items)
- Existence check
- Key verification (rekeying of data)
- Check digit
- Completeness check
- Duplication check
- Logical relationship check (if a then b)
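The programmed validation checks on this slide and the batch totals/balancing from the Input Authorisation Types slide, worked through in code as an added example (not from the course material). The record layout, department table, limits, check-digit scheme (mod-10) and the sample batch are all constructed for illustration.

```python
"""Programmed validation checks and batch balancing for a data-entry batch.

Added example (not from the course material): the record layout, the
department table, the limits and the sample batch below are constructed
for illustration, and the check digit uses the mod-10 (Luhn) scheme.
"""
from dataclasses import dataclass

VALID_DEPTS = {"SALES", "OPS", "HR"}   # validity check: small set of fixed values
AMOUNT_LIMIT = 10_000.00               # limit check: one-sided upper bound
QTY_RANGE = (1, 500)                   # range check: two-sided bounds
APPROVAL_THRESHOLD = 5_000.00          # logical relationship: if amount > this then approver needed


@dataclass
class Record:
    seq: int          # sequence number within the batch
    acct: str         # account number whose last digit is a mod-10 check digit
    dept: str
    qty: int
    amount: float
    approved_by: str  # empty string when nobody signed the form


@dataclass
class BatchHeader:
    """Totals written on the batch header form by the submitting department."""
    documents: int
    items: int
    dollar_total: float
    hash_total: int   # sum of the account numbers: meaningless, but comparable


def check_digit_ok(number: str) -> bool:
    """Mod-10 (Luhn): doubled alternate digits plus the rest must sum to a multiple of 10."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_record(rec: Record, expected_seq: int) -> list:
    """Return the programmed-validation failures for one record (empty list if clean)."""
    errs = []
    if rec.seq != expected_seq:                      # sequence check
        errs.append(f"seq {rec.seq}: expected sequence {expected_seq}")
    if not rec.acct or not rec.dept:                 # completeness check
        errs.append(f"seq {rec.seq}: mandatory field missing")
    if not check_digit_ok(rec.acct):                 # check digit
        errs.append(f"seq {rec.seq}: account {rec.acct} fails check digit")
    if rec.dept not in VALID_DEPTS:                  # validity check / table look-up
        errs.append(f"seq {rec.seq}: unknown dept {rec.dept}")
    if not QTY_RANGE[0] <= rec.qty <= QTY_RANGE[1]:  # range check
        errs.append(f"seq {rec.seq}: qty {rec.qty} outside {QTY_RANGE}")
    if rec.amount > AMOUNT_LIMIT:                    # limit check
        errs.append(f"seq {rec.seq}: amount {rec.amount} over limit")
    if rec.amount > APPROVAL_THRESHOLD and not rec.approved_by:  # if a then b
        errs.append(f"seq {rec.seq}: amount over {APPROVAL_THRESHOLD} needs an approver")
    return errs


def validate_batch(header: BatchHeader, records: list) -> list:
    """Per-record checks, a duplication check, then balance the batch against its header."""
    errs = []
    seen = set()
    for expected_seq, rec in enumerate(records, start=1):
        errs.extend(validate_record(rec, expected_seq))
        key = (rec.acct, rec.amount)                 # duplication check
        if key in seen:
            errs.append(f"seq {rec.seq}: duplicate of an earlier record")
        seen.add(key)
    # batch balancing: the computed totals must agree with the batch header
    if len(records) != header.documents:
        errs.append("document count does not balance")
    if sum(r.qty for r in records) != header.items:
        errs.append("item total does not balance")
    if round(sum(r.amount for r in records), 2) != round(header.dollar_total, 2):
        errs.append("dollar total does not balance")
    if sum(int(r.acct) for r in records if r.acct.isdigit()) != header.hash_total:
        errs.append("hash total does not balance")
    return errs


# Constructed sample batch: three clean records and one with several defects.
SAMPLE_RECORDS = [
    Record(1, "12345674", "SALES", 10, 250.00, ""),
    Record(2, "20000014", "OPS", 3, 7_200.00, "jdoe"),
    Record(3, "12345674", "HR", 1, 99.50, ""),
    Record(5, "12345675", "MKTG", 900, 12_000.00, ""),  # sequence gap, bad check digit, ...
]
SAMPLE_HEADER = BatchHeader(documents=4, items=914, dollar_total=19_549.50, hash_total=57_037_037)

if __name__ == "__main__":
    for line in validate_batch(SAMPLE_HEADER, SAMPLE_RECORDS):
        print(line)
```

The sample header balances, so every exception reported comes from the defective fourth record; changing any header total by one shows the balancing checks firing as well.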

Controls Over Processing


- Manual recalculations
- Run to run totals
- Reasonableness checks
- Limit checks
- Exception reports
- Control totals (such as file sizes)

Controls Over Data Files


- Before and after tracing of transactions
- Retention of source documentation
- Versioning (i.e. data stamping)
- Internal labelling (i.e. electronic)
- External labelling (i.e. physical)
- Security controls (to ensure integrity)
- One for one checking (against other sources)
- Pre-recorded input (both manual & electronic)
- Parity checking (specifically for transfers).

Application Risk Factors


- The quality of the internal control environment
- Economic conditions
- Time elapsed since last audit
- Complexity of operations
- Changes in the underlying environment
- Recent staff changes in key positions
- Time in existence
- Competitive environment
- Assets at risk
- Prior audit results
- Transaction volume and value
- Regulatory impact
- Impact of application failure/sensitivity of transactions.

Types of Audit Software Testing


- Test of file calculations (e.g. footing)
- Comparison of data
- Sequencing or summarising data
- Reporting data exceptions
- Use of custom programs to monitor specific transactions
- Use of system utilities to analyse underlying data
- Use of ITFs to process test data
- Test data generation
- Use of SCARF or EAM
- Parallel simulation
- Expert systems analysis.

Procedures Based On CAATs


- Generation of test data
- Analytical review
- Statistical sampling
- Range tests
- Exception processing.
(mostly to test theories)

Business Application Systems


- eCommerce
- EDI (primarily for ordering)
- POSs
- Integrated manufacturing systems (including ERP)
- Batched data entry systems
- EFT systems
- Office automation systems
- ATMs
- Co-operative processing systems
- Voice response systems
- Accounting systems.

e-Commerce
B2B
B2C
Architectures:
- 2-tier (server provides content, client handles display)
- 3-tier (database server, web server, web browser)

Risk
- Confidentiality, Integrity & Availability
- Authentication and Non-Repudiation
- Power shift to customer

EDI
In use for about 20 years, and gained popularity over the last 5 years
Now being potentially overshadowed by the Internet
Three main components are generally required:
- Communications handler (transmits & receives documents)
- EDI interface (translates between EDI and app)
- Application system (the in-house programs)

Hybrid nature means that EDI presents issues both in terms of security and application development
Should use a mixture of inbound, outbound and general controls.

E-Mail and Digital Signatures

More recently an issue, as users can now attach binary executables and documents containing macro viruses. Firewalls can be used to help guard against this threat. Digital signatures can also be used: these work by adding a string of extra digits to the document being sent, and then verifying these at the other end (these use crypto technologies such as DES).
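As an added illustration (not from the course material) of the "string of extra digits" idea, the block below signs an e-mail body and checks it at the receiving end. It uses a toy textbook RSA signature over a SHA-256 digest rather than DES, with a fixed key pair built from two Mersenne primes so that it runs offline; the message text, marker line and key values are all constructed for the example, and a real system would add padding (e.g. PKCS#1) and random keys.

```python
"""Added example: a digital signature appended to a message and verified by the receiver."""
import hashlib

# Constructed key pair: p and q are the Mersenne primes 2^521-1 and 2^607-1.
# Real keys use random primes; these are fixed only to keep the example self-contained.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)
MARKER = b"\n-----SIGNATURE-----\n"         # constructed separator between body and digits

def digest(message: bytes) -> int:
    """Hash the message and treat the digest as an integer (it is far below N)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> str:
    """Sender: the 'extra digits' are the digest raised to the private exponent."""
    return str(pow(digest(message), D, N))

def verify(message: bytes, signature: str) -> bool:
    """Receiver: undo the signing with the public exponent and compare digests."""
    return pow(int(signature), E, N) == digest(message)

def send(message: bytes) -> bytes:
    """Append the signature digits to the message body."""
    return message + MARKER + sign(message).encode()

def receive(envelope: bytes):
    """Split body from signature; report False if it is missing or does not match."""
    body, marker, sig = envelope.rpartition(MARKER)
    if not marker or not sig.isdigit():
        return envelope, False              # unsigned or malformed: treat as unverified
    return body, verify(body, sig.decode())

if __name__ == "__main__":
    env = send(b"Please pay invoice 1002 to ACME Ltd.")
    print(receive(env)[1])                          # True: body untouched
    print(receive(env.replace(b"1002", b"1004"))[1])  # False: body altered in transit
```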

Specialised systems
- AI and expert systems
- Data warehouses
- DSSs.

AI Technologies
Audit issue: errors generated from an AI system may impact a business more than errors from a traditional system.

Expert systems are the most common type and consist of two key components:
- Knowledge base, expressed as decision trees, rules or semantic nets
- Inference engine.

Audit techniques: review decision logic, procedures for updating knowledge, etc.

AI Technologies
AI technologies include:
- Expert systems (audit issue, see above)
- Natural language processors
- Neural networks
- Intelligent text managers (e.g. rule based DIP)
- Voice recognition
- Foreign language translators.

Data Warehousing
Defined as a subject oriented information store designed specifically for decision support.
Key characteristics:
- Subject-orientated
- Integrated
- Time-variant
- Non-volatile

Topology can be either:
- A single central warehouse
- A series of data marts
- Or a mixture of both

Key issues are:
- The quality of data and the accuracy of the extraction process
- Data ownership.

DSSs
Characteristics include:
- Aimed at less structured problems
- Emphasis on flexibility and adaptability
- Effectiveness over efficiency
- Decision focus
- Can be framework based.

Often built via prototyping to ensure accurate capture of requirements.
Trends include:
- Better supported by advances in database and graphics technologies
- Greater numbers of experienced designers skilled in this area
- Greater need to understand data to stay competitive.

CISA Review Course

UNIT 22 CISA Chapter 7 Questions

CISA Review Course

UNIT 23 Mini CISA Test (number 2)

Instructions
- Take a question handout and answer sheet from the front, keeping the questions face down
- You will have 15 minutes to answer the questions, after which we'll hand out answer sheets

On Your Marks, Get Set, GO !!!!

Exam Technique
Key points to remember:
- Not time pressured, however... 4 hrs x 60 mins / 200 qs = 1.2 mins per question... so don't ignore timing completely !!!!
- Much more important is your reading technique, as:
  - it is hard to maintain concentration across the full 200 questions
  - they are partially designed to trip you up

Also, you need to think with a CISA perspective - not the real world !!!

Mock Exam
The exam will:
- be 2 hours in length
- have 100 questions spread over the 7 chapters in the correct proportions
- feature a range of question difficulties: (s) = straightforward, (a) = ambiguous, (u) = unusual

It should be taken seriously as the next two hours are the best indication of how well prepared you will be for the real thing on Saturday morning.

CISA Review Course

And that's it for day two !!!!

CISA Review Course

UNIT 24 Mock Exam

CISA Review Course

On your marks. Get set. GO !!!!

CISA Review Course

STOP !!!!

Course Structure - Day 3

Unit 24 - Timed mock exam
Unit 25 - Marking and review
Unit 26 - Team Quiz
Unit 27 - General Q & A...
Unit 28 - Exam arrangements for Saturday

CISA Review Course

Any questions about what we covered yesterday ???

CISA Review Course

UNIT 25 Exam Review

Exam Review
Instructions:
- Swap papers for marking
- Total up the scores
- Indicate with a dot the incorrect answers on the 10x10 grid at the front
- Indicate with a dot the total score on the score sheet at the front
- Hand back the answer sheets
- Take time to review your mistakes against the explanations listed.

Any questions ???

CISA Review Course

UNIT 26 Team Quiz

Instructions
Split into 2 teams. This final quiz is in two rounds:
- Round 1 - Categories Of Your Choice (where each team takes it in turns to pick a category and answer 10 questions on this category)
- Round 2 - Quickfire Round

At the end, the team with the most points wins.

Round 1 - Categories Round

The four categories are:
- Hardware and software
- Application development and maintenance
- IS operations, organisation & management
- General IS auditing.

A question not answerable by one team is open to the other team for a bonus mark. Note: no looking in your books !!!

Round 2 - Quickfire Round

- 15 questions in total
- There is a point for each correct answer, however each team gets only one attempt at each question
- On your marks, get set, go !!!!

CISA Review Course

UNIT 27 General Q & A.

General Q & A...


Having finished all the lectures, do you have any questions on...
- Specific technical areas ?
- Specific CISA terms ?
- Specific CISA chapters ?
- Specific modules in the course ?

CISA Review Course

UNIT 28 Exam Arrangements

Exam Arrangements
The details of the exam are:
- Takes place Saturday 14th June
- Not admitted if you do not arrive by 8.30 a.m. (even though the exam does not start until 9.00 a.m.)
- Must bring some form of identification with a photo (for example a passport)
- Only allowed HB pencils and an eraser (no calculators, scratch paper or books of any kind).

GOOD LUCK !!!


(P.S. if you could please complete the evaluation forms and hand them back in...)
