
Certified Information Systems Auditor (CISA®)

Introduction to CISA

Certified Information Systems Auditor is a registered trademark of ISACA


ISACA® is a registered trade mark of Information Systems Audit and Control Association.

© Simplilearn. All rights reserved.


Learning Objectives

By the end of this introductory domain, you will be able to:

• Describe CISA
• Demonstrate your understanding of the ISACA organization
• Discuss the history of CISA
• Understand the current CISA syllabus
• Describe the value of CISA
• List the requirements for certification and how to maintain the certification
• Outline the structure of CISA exams


Introduction to CISA

Introduced by ISACA in 1978, CISA has grown in stature, professional offering, and global influence. It is a widely recognized certification because of the following features:

• CISA is the preferred certification for information systems control, assurance, and security professionals.
• CISA is designed to attract information systems auditors, people concerned with technology security, educators, and even CIOs.
ISACA

ISACA formerly stood for Information Systems Audit and Control Association. The organization is now known by the acronym ISACA alone, to reflect the broad range of IT governance professionals it serves. ISACA was founded in 1969 as a nonprofit organization and at the time of writing (2019) had over 159,000 members in 188 countries.

ISACA provides the following certifications:

• Certified Information Systems Auditor® (CISA®)
• Certified Information Security Manager® (CISM®)
• Certified in the Governance of Enterprise IT® (CGEIT®)
• Certified in Risk and Information Systems Control® (CRISC®)

Note: ISACA has also developed COBIT 5, Risk IT, and Val IT, which it continually updates.
History of CISA

• Introduced in 1978
• First exam administered in 1981
• Approved by the United States Department of Defense as part of its information assurance framework
• In 2011, the curriculum changed from six domains to five domains
Current CISA Syllabus

The CISA syllabus (2019) is divided into five domains. The exam has 150 multiple-choice questions and lasts four hours. Beginning June 2019, ISACA offers continuous testing, with a 365-day exam eligibility period in which to take the exam. The domains and their exam weightings are:

Domain    Topic                                                               Exam Weightage
Domain 1  Information Systems Auditing Process                                21%
Domain 2  Governance and Management of IT                                     17%
Domain 3  Information Systems Acquisition, Development, and Implementation    12%
Domain 4  Information Systems Operations and Business Resilience              23%
Domain 5  Protection of Information Assets                                    27%
Total                                                                         100%
Value of CISA

There are numerous benefits of holding the CISA designation:

• Globally accepted and recognized certification
• Increased confidence
• Increased value at the workplace
• Trust and recognition for expertise
• Achievement of a high professional standard
• Higher earnings and greater career growth
CISA Certification

The steps to obtain a CISA certification are:

• Pass the CISA exam with a scaled score of at least 450
• Apply for certification:
  o A minimum of five years of professional experience in the IS audit domain areas is required
  o Waivers for part of this experience are possible; see the ISACA website for details
  o Note: the certification application must be submitted within five years of passing the exam
• Agree to the Code of Professional Ethics
• Comply with the Continuing Professional Education (CPE) program
• Comply with the IS auditing standards


CISA Examination

CISA exams are designed to gauge and test practical skills in information systems control and audit.

Exam title         Certified Information Systems Auditor (CISA®)
Exam duration      Four hours to answer 150 multiple-choice questions covering five practice areas
Exam type          Computer-based
Question type      Multiple-choice questions
Pass requirements  A candidate must receive a scaled score of 450 or higher to pass the exam

Scaled score: a scaled score is a conversion of a candidate’s raw score on an exam to a common scale. A candidate’s scores are reported as a scaled score.

Note: ISACA uses and reports scores on a common scale from 200 to 800.

Certified Information Systems Auditor (CISA®)
Information System Auditing Process



Learning Objectives

By the end of this domain, you’ll be able to:

• Plan an audit to determine whether information systems are protected, controlled, and provide value to the organization
• Conduct an audit in accordance with IS audit standards and a risk-based IS audit strategy
• Communicate audit progress, findings, results, and recommendations to stakeholders
• Conduct an audit follow-up to evaluate whether risks have been sufficiently addressed
• Evaluate IT management and monitoring of controls
• Utilize data analytics tools to streamline an audit process
• Provide consulting services and guidance to the organization in order to improve the quality and control of information systems
• Identify opportunities for process improvement in the organization's IT policies and practices
Part A: Planning

The following topics are covered in Part A:

• IS Audit standards, guidelines, and codes of ethics

• Business processes

• Types of controls

• Risk-based audit planning

• Types of audits and assessments


IS Audit Standards, Guidelines, and Codes of Ethics (Part A: Planning 1.1)
Introduction

The credibility of an audit is based, in part, on the use of commonly accepted standards.

ISACA is the global pioneer of IS audit and assurance standards, guidelines, tools and techniques, and a code of professional ethics.

ISACA standards provide a benchmark for IS audit.


Main Areas of Coverage

The main areas covered under this knowledge statement are:

• ISACA IS Audit and Assurance Standards Framework
• ISACA IS Audit and Assurance Guidelines
• ISACA IS Audit and Assurance Tools and Techniques
• ISACA Code of Professional Ethics
• Relationship between Guidelines, Tools and Techniques, and Standards

The CISA exam will test your understanding of the application of standards and guidelines.
Categories of Standards and Guidelines

General
This category applies to all assignments and contains guiding principles for IS assurance. It covers:
o Ethics
o Independence
o Objectivity
o Due care
o Knowledge
o Competence
o Skill

Performance
This category deals with the conduct of IS audit and assurance assignments. It covers:
o Planning
o Scoping
o Risk
o Materiality
o Supervision
o Exercise of professional judgement
o Due care

Reporting
This category covers:
o Reports
o Information
o Means of communication
ISACA IS Audit and Assurance Standards

General
o 1001 Audit Charter
o 1002 Organizational Independence
o 1003 Professional Independence
o 1004 Reasonable Expectation
o 1005 Due Professional Care
o 1006 Proficiency
o 1007 Assertion
o 1008 Criteria

Performance
o 1201 Engagement Planning
o 1202 Risk Assessment in Planning
o 1203 Performance and Supervision
o 1204 Materiality
o 1205 Evidence
o 1206 Using the Work of Other Experts
o 1207 Irregularity and Illegal Acts

Reporting
o 1401 Reporting
o 1402 Follow-up Activities
ISACA IS Audit and Assurance Guidelines

General
o 2001 Audit Charter
o 2002 Organizational Independence
o 2003 Professional Independence
o 2004 Reasonable Expectation
o 2005 Due Professional Care
o 2006 Proficiency
o 2007 Assertion
o 2008 Criteria

Performance
o 2201 Engagement Planning
o 2202 Risk Assessment in Planning
o 2203 Performance and Supervision
o 2204 Materiality
o 2205 Evidence
o 2206 Using the Work of Other Experts
o 2207 Irregularity and Illegal Acts
o 2208 Sampling

Reporting
o 2401 Reporting
o 2402 Follow-up Activities
ISACA Code of Professional Ethics

ISACA has set forth a code governing the professional conduct and ethics of all certified IS auditors and members of the association. Members and certification holders shall:

• Support the implementation of, and encourage compliance with, appropriate standards, procedures, and controls for information systems.
• Perform their duties with due diligence and professional care, in accordance with professional standards and best practices.
• Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
• Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by a legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
• Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with professional competence.
• Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
• Support the professional education of stakeholders to enhance their understanding of information systems security and control.

Failure to comply with the code of professional ethics can result in an investigation into a member’s and/or certification holder's conduct and, ultimately, in disciplinary measures.
ISACA IS Audit and Assurance Standards Framework Objective

The objectives of the IS audit and assurance standards are to inform:

• IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
• Management and other interested parties of the profession’s expectations concerning the work of audit practitioners
• CISA certification holders that failure to meet these standards may result in a review of their conduct by the ISACA Board of Directors or an appropriate committee, which may ultimately result in disciplinary action
ISACA IS Audit and Assurance Guidelines

• The ISACA IS Audit and Assurance Guidelines provide additional information on how to comply with the ISACA IS Audit and Assurance Standards.
• The IS auditor should use professional judgment in applying them and be able to justify any departure from them.
• Earlier editions of the guidelines were identified by the prefix G followed by a number (for example, “G10”). There were 42 such guidelines; they have since been consolidated into the 2000-series guidelines listed above.
ISACA IS Audit Guidelines (G series)

• Audit Sampling
• Irregularities and Illegal Acts
• Computer Forensics
• Configuration Management
• Using the Work of Other Auditors
• Effect of Pervasive IS Controls
• Audit Evidence Requirement
• Reporting
• Post-implementation Review
• Access Controls
• Use of Computer-Assisted Audit Techniques (CAATs)
• Organizational Relationship and Independence
• Enterprise Resource Planning (ERP) Systems Review
• Competence
• IT Organization
• Outsourcing of IS Activities to Other Organizations
• Use of Risk Assessment in Audit Planning
• Business-to-Consumer (B2C) E-commerce Review
• Review of Security Management Practices
• Privacy
• System Development Life Cycle (SDLC) Review
• Business Continuity Plan (BCP) Review from IT Perspective
• Return on Security Investment (ROSI)
• Audit Charter
• Application Systems Review
• Materiality Concepts for Auditing Information Systems
• Planning
• Internet Banking
• General Considerations on the Use of the Internet
• Continuous Assurance
• Effect of Third Parties on an Organization’s IT Controls
• Review of Virtual Private Networks
• Responsibility, Authority, and Accountability
• Due Professional Care
• Effect of Non-audit Role on the IS Auditor’s Independence
• Business Process Reengineering (BPR) Project Reviews
• Audit Documentation
• Follow-up Activities
• Audit Considerations for Irregularities and Illegal Acts
• IT Governance
• Mobile Computing
• Biometric Controls
ISACA IS Audit and Assurance Tools and Techniques

IS audit and assurance tools and techniques provide additional guidance to IS audit and assurance professionals. They are listed at www.isaca.org/itaf and include:

• White papers
• IS audit and assurance programs
• IS audit and assurance tools and techniques
• The COBIT 5 family of products
• Reference books
ISACA IS Audit and Assurance Tools and Techniques

ISACA organizes its audit-related standards and guidelines in the IT Assurance Framework (ITAF™). The ITAF 2nd edition used the following section numbering (the later edition renumbered the standards into the 1000 series and the guidelines into the 2000 series shown above):

Section 2200 General Standards
Section 2400 Performance Standards
Section 2600 Reporting Standards
Section 3000 IT Assurance Guidelines
Section 3200 Enterprise Topics
Section 3400 IT Management Processes
Section 3600 IT Audit and Assurance Processes
Section 3800 IT Audit and Assurance Management


Business Processes

Explanation

A business process is an inter-related set of cross-functional activities or events that result in the delivery of a specific product or service to a customer.

An IS auditor must understand and evaluate the business processes they are auditing.

An internal audit function must be independent and report to the audit committee or to the board of directors.
Audit Charter

Audit charters are high-level documents that define the purpose, authority, and responsibility of the internal audit activity. The charter:

• Grants and assigns authorization, responsibility, and accountability to the auditor
• Defines the scope of the audit function’s activities
• Guides the auditor in obtaining approval from the board of directors or the audit committee (or senior management in their absence)
Fundamental Business Processes

Explanation

• Understand the underlying business process that is being audited
• Understand the role that IS plays in these processes
• IS auditing involves assessment of IS-related controls and understanding of the control objectives
• Identify the key controls that help achieve a well-controlled environment, according to standards
Audit Planning

Audit planning is the first step of the audit process. The auditor’s responsibilities during the planning phase include:

• Gaining an understanding of the client and its business
• Establishing priorities
• Determining an audit strategy
• Determining the type of evidence to collect, based on the risk levels
• Assigning personnel resources for the audit
• Scheduling with the client to coordinate activities

The result of a well-researched and completed audit plan is an audit program.
Fundamental Business Processes: Transaction Examples

A bank may have various transactions:
• Mobile banking
• ATM transactions
• Over-the-counter transactions (for example, deposits and withdrawals)

A chain store may have PoS (Point of Sale) transactions with credit card information or cash, and extranet transactions with suppliers (Electronic Data Interchange).
Using the Services of Other Auditors and Experts

IS audit and assurance professionals should:

• Consider using the work of other experts when there are constraints that would impair their own work, or when there are potential gains in the quality of the engagement.
• Assess and approve the adequacy of the other experts’ professional qualifications, competencies, relevant experience, resources, independence, and quality-control processes prior to the engagement.
• Assess, review, and evaluate the work of other experts as part of the engagement, and document the conclusion on the extent of use of and reliance on their work.
Relationship between Standards, Guidelines, Tools and Techniques

• Standards are mandatory.
• Guidelines provide assistance on how the Information Systems Auditor (ISA) can implement the standards in audits.
• Tools and Techniques provide examples of steps that the auditor may follow in audits.

The ISA must use professional judgment while applying the guidelines, tools, and techniques. Legal and regulatory requirements may sometimes be more stringent than the standards; the ISA should ensure compliance with the more stringent legal or regulatory requirements.
Types of Controls

Control Principles

Explanation

• Understand how the controls function
• Explain how those control principles relate to IS
Internal Controls

Internal Controls are an enterprise’s internal processes implemented to achieve specific objectives while
minimizing risk.

They are the policies, procedures, practices, and structures incorporated by an organization to reduce risk.

They provide reasonable assurance to management that business objectives will be achieved and undesirable
events will be prevented, detected, and corrected.

They can be manual or automated.


Internal Controls

Internal controls have two broad objectives:

• Increase the likelihood of an objective or a desirable event. Examples of objectives:
  o Ensure that business requirements are clearly documented and understood
  o Ensure software delivery without time and cost overruns
  o Ensure testing before release
• Decrease the likelihood of an undesirable event occurring. Examples of undesirable events:
  o Virus outbreak
  o Unfulfilled project objectives
Internal Controls

Internal controls consider two things: what can be achieved, and what can be avoided.

Internal control procedures fall into two categories:

• General control procedures
• Information system control procedures
Classification of Internal Controls

Internal controls are classified as preventive, detective, or corrective.

Preventive Controls
• Predict and prevent problems before they occur
• Monitor inputs and events as a preventive measure
• Examples:
  o Segregation of duties
  o Maker-checker/four-eyes principle
  o Input and access controls (physical and logical)
  o Encryption of data at rest and in transit

Detective Controls
• Detect and report intentional and unintentional errors after they occur
• Report the incidence of errors, attacks, and omissions as they occur
• Examples:
  o Logs
  o Error messages
  o Hash totals
  o Rechecking of calculations
  o Scrutiny of reports
  o Code review
  o Internal audit function
  o Logical and physical access logging, such as application audit trails, database security logging, server room access control, and door logging that records who entered and when

Corrective Controls
• Minimize the impact of a threat and rectify the cause of a problem
• Correct detected errors
• Root cause analysis, followed by changes to minimize future occurrences
• Examples:
  o Disaster recovery and business continuity planning
  o Incident response
  o Backups, to ensure recovery by restoring data
  o Reruns of failed processes
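Hash totals and record counts from the detective-control list above are easy to show concretely. The following Python is an added example written for this page (it is not part of the Simplilearn material or of any ISACA publication); the payment batch, account numbers and tampering cases are constructed for illustration. It computes three batch control totals on the sending side and reconciles them on the receiving side, showing which total catches which kind of alteration.

```python
"""Batch control totals as a detective control.

Added example (not from the original training material). Before a batch of
payment records is posted, the originator computes three control totals: a
record count, a financial total (sum of amounts) and a hash total (an
arithmetic sum of a non-financial field, here account numbers, whose value has
no business meaning but changes if a record is altered, dropped or
substituted). The receiver recomputes the totals and reports any mismatch.
The batch and the totals below are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Payment:
    account: str      # digits only, e.g. "2048913377"
    amount: Decimal   # monetary value, kept exact with Decimal


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    financial_total: Decimal
    hash_total: int


def compute_totals(batch):
    """Recompute the three control totals over a batch of payments."""
    return ControlTotals(
        record_count=len(batch),
        financial_total=sum((p.amount for p in batch), Decimal("0")),
        hash_total=sum(int(p.account) for p in batch),
    )


def validate_batch(batch, expected):
    """Compare recomputed totals with the header totals sent by the originator.

    Returns a list of discrepancy descriptions; an empty list means the batch
    arrived complete and unaltered as far as these totals can tell.
    """
    actual = compute_totals(batch)
    findings = []
    if actual.record_count != expected.record_count:
        findings.append(
            f"record count {actual.record_count} != expected {expected.record_count}")
    if actual.financial_total != expected.financial_total:
        findings.append(
            f"financial total {actual.financial_total} != expected {expected.financial_total}")
    if actual.hash_total != expected.hash_total:
        findings.append(
            f"hash total {actual.hash_total} != expected {expected.hash_total}")
    return findings


# Constructed sample batch, as it left the originating system.
ORIGINAL_BATCH = [
    Payment("2048913377", Decimal("1250.00")),
    Payment("1193004521", Decimal("89.99")),
    Payment("7710038462", Decimal("4300.50")),
]
HEADER_TOTALS = compute_totals(ORIGINAL_BATCH)


def demo():
    """Run the check against the clean batch and three tampered copies."""
    results = {"clean": validate_batch(ORIGINAL_BATCH, HEADER_TOTALS)}

    # Amount changed on one record: caught by the financial total only.
    amount_changed = list(ORIGINAL_BATCH)
    amount_changed[0] = Payment("2048913377", Decimal("1205.00"))
    results["amount_changed"] = validate_batch(amount_changed, HEADER_TOTALS)

    # Account number with two digits transposed: caught by the hash total only
    # (count and amounts are unchanged).
    account_transposed = list(ORIGINAL_BATCH)
    account_transposed[1] = Payment("1193004512", Decimal("89.99"))
    results["account_transposed"] = validate_batch(account_transposed, HEADER_TOTALS)

    # A record dropped in transit: caught by all three totals.
    record_dropped = ORIGINAL_BATCH[:2]
    results["record_dropped"] = validate_batch(record_dropped, HEADER_TOTALS)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

The three totals are deliberately independent: the record count catches missing or duplicated records, the financial total catches changed amounts, and the hash total catches substitution of a record or a field that carries no monetary value. None of them prevents the alteration; they only surface it after the fact, which is what makes them detective rather than preventive controls.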
General Controls

General controls are the policies and procedures that apply across all areas of an organization, including the IT infrastructure and support services. They support the IT function in achieving corporate goals and include:

• Controls over data centers and networks
• Access control
• Segregation of duties
• SDLC and change management
• Physical security
General Controls

• Internal accounting controls: safeguarding of assets and reliability of financial records
• Operational controls: day-to-day functions and activities to accomplish business objectives
• Administrative controls: support operational controls, ensuring operational efficiency and adherence to management policies
• Organizational policies and procedures: safeguarding of assets and ensuring proper utilization of resources
• Physical and logical security policies: facilities, data centers, servers, IT infrastructure, and access control
IS Control Objectives

An IS control objective is a statement of the desired result or purpose to be achieved by applying controls around information system processes.

• IS control objectives are high-level objectives that management may use for effective control of IT processes.
• They are made up of procedures, policies, organizational structures, and practices.
• They are intended to provide reasonable assurance that enterprise objectives will be achieved while undesired events are prevented, detected, or corrected.
IS Control Objectives

The overarching principles of IS controls are:

• Confidentiality
• Integrity
• Availability
• Reliability
• Compliance
• Efficiency: getting it done with optimal use of resources
• Effectiveness: getting the job done with a high degree of certainty

The first three (confidentiality, integrity, and availability) are the basic principles of information systems security.
IS Control Objectives

Management plays an important role in regulating IS control objectives by:

• Selecting the control objectives that can be readily implemented and are most appropriate to the organization’s policies
• Deciding the manner of implementation
• Being cognizant of the risk involved in not implementing some of the applicable control objectives
IS Control Objectives: Examples

• Ensure the integrity of sensitive and critical application systems through input authorization, input validation, accuracy and completeness of data processing, database integrity, and accuracy, completeness, and security of output controls
• Ensure the integrity of the system, such as operating system integrity
• Ensure the safeguarding of information assets by implementing physical and logical access controls
• Protect computer systems from improper access
• Ensure a proper authentication process for users
• Ensure that inputs are validated
• Ensure database confidentiality, integrity, and availability
• Ensure the availability of IT services and assets by developing effective and efficient Disaster Recovery and Business Continuity plans
• Ensure the effectiveness and efficiency of operations
• Ensure outsourced IT processes and services have clearly defined SLAs, organizational assets are protected, and business objectives are met
• Ensure SDLC processes are established, maintained, and followed for repeatable and reliable development of software applications that meet business objectives
• Ensure the integrity and reliability of systems by implementing change management controls
IS Controls

IS control procedures include the following:

• Strategy and direction of the IT function
• General organization and management of the IT function
• Access to information technology programs, data, and resources
• System development procedures
• Operation procedures
• System programming and system support departments
• Quality Assurance (QA) processes
• Physical access controls
• Business Continuity (BCP)
• Communications and networks
• Database administration
• Detective and protection mechanisms
Enterprise Architecture

An Enterprise Architecture (EA) is a conceptual blueprint that defines the structure and operations of an organization. It determines how an organization can most effectively achieve its current and future objectives, and whether IT is aligned with enterprise objectives and delivers value to the business, taking into account the complexity of the organization.

Source: http://searchcio.techtarget.com/definition/enterprise-architecture
Zachman Framework™ for Enterprise Architecture

• The Zachman Framework is a method of defining an enterprise: a schema formed by the intersection of two historical classifications.
• The first classification is the fundamentals of communication found in the primitive interrogatives: What, How, When, Who, Where, and Why.
• The second classification is derived from reification, the transformation of an abstract idea into an instantiation, initially postulated by ancient Greek philosophers: Identification, Definition, Representation, Specification, Configuration, and Instantiation.

(Source: https://www.zachman.com/about-the-zachman-framework)

The Zachman Framework is not a methodology; it is a structure. It is a two-dimensional framework that combines the six basic interrogatives (What, How, Where, Who, When, and Why) with different perspectives: Executives, Business Managers, System Architects, Engineers, and Technicians. It enables a holistic understanding of the enterprise by looking at the organization from various viewpoints.
Sherwood Applied Business Security Architecture (SABSA)

• A security architecture with a layered framework, similar to Zachman
• Each layer expands in detail to move from policy to the implementation of technology
• The primary characteristic of the SABSA model is that everything must be derived from an analysis of the business requirements for security
• Provides a chain of traceability through the various layers: contextual, conceptual, logical, physical, component, and operational
• Includes ongoing “manage and measure” phases of the lifecycle
• Produces risk-driven enterprise information security architectures
SOMF

• The Service-Oriented Modeling Framework (SOMF) was devised by Michael Bell
• It is used for modeling business and software systems to specify service orientation
• It is used with a number of architectural approaches
• It can be used to design any application, business, or technological environment, either local or distributed
Risk-Based Audit Planning

Explanation

Identification of key enterprise risks requires an understanding of the organization, its environment, and its control objectives, including:

• The type and nature of transactions the entity engages in
• The flow of these transactions and how they are captured in information systems
Risk Assessment Terms

• Asset: a valuable resource you are trying to protect
• Risk: the potential that a chosen action or activity will lead to a loss
• Threat: a negative action that may harm a system
• Vulnerability: a weakness that allows a threat to cause harm
• Impact: the severity of the damage, sometimes expressed in dollars
Inherent, Control, Detection, and Overall Audit Risk

Different types of risk:

• Inherent risk: the probability that a material error exists, assuming compensating controls do not exist. It exists irrespective of an audit and is contributed by the nature of the business.
• Control risk: the probability that a material error exists which will not be prevented or detected on a timely basis by the system of internal controls.
• Detection risk: the probability that the Information Systems Auditor (ISA) uses inadequate checks and concludes that material errors are absent when, in fact, they are present.
• Overall audit risk: the combination of the above risk components for each control objective.
Gap Analysis

Gap analysis addresses two kinds of gap:

• Usage gap
• Product gap
Assurance Definitions

• Target of evaluation (TOE): the information security deliverable, the object for which assurances are made.
• Assurance activities: these depend on the method of assessment. Various methods of assessment are discussed later.
• Security target (ST): the set of security specifications and requirements used to evaluate the target of evaluation.
• Security protection profile (SPP): similar to a security target, but much broader in scope. Unlike an ST, an SPP does not apply to any one particular deliverable but represents the security needs of a given individual or group of individuals. (In the Common Criteria this document is simply called a Protection Profile, PP.)

Risk-based Audit Definitions

Key terms used in risk-based auditing: control, IT governance, IT control objective, evidence, and risk.
Risk Assessment and Risk Analysis

Explanation

• The overall audit plan should focus on the business risks related to the use of IT.
• The area under audit represents the audit scope.
• The auditor uses risk-analysis techniques to establish the critical areas to focus on within the audit scope (the focus should be on high-risk areas).
• Limited audit resources require this kind of focus in drawing up the audit plan.
• A proper audit report is critical.
• Follow-up on issues found in the audit is also critical.

Main Areas of Coverage

The main areas of coverage are:

• Audit risk
• Risk analysis
• Risk-based audit methodology and auditing
• Materiality
• Risk assessment and treatment
• Risk assessment techniques
• Reporting and follow-up techniques
Risk Analysis

1. Risk analysis assists an auditor in recognizing vulnerabilities and risks, and in defining the controls to be put in place to ensure such risks are mitigated.
2. Risk is defined as the combination of the probability of an event and its consequence (ISO/IEC Guide 73).
3. IT risk is specifically the enterprise risk associated with the ownership, use, operation, influence, involvement, and adoption of information technology within a business (ISACA’s Risk IT Framework).
Definitions of Risk

• The probable frequency and probable magnitude of future loss (source: An Introduction to Factor Analysis of Information Risk (FAIR), Risk Management Insight, LLC)
• The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization (source: ISO 27005)
Factor Analysis of Information Risk (FAIR)

FAIR is a probabilistic approach. It focuses on what is probable, rather than what is possible, and can be used to complement other methodologies. Its model breaks risk down as follows:

Loss (forms of loss)
• Productivity
• Response (resources utilized for adverse events)
• Replacement of damaged and defective assets
• Legal and regulatory costs
• Loss of competitive advantage
• Reputational loss

Value (asset value and liability characteristics)
• Criticality (impact on smooth functioning)
• Cost
• Sensitivity

Threat agents (actions)
• Access
• Misuse
• Disclosure
• Unauthorized modification
Risk Analysis

From the information systems audit’s point of view, risk analysis aids in the following:

• It helps the auditor identify threats and risks within the IS environment.
• It assists in planning the audit by supporting the evaluation of the controls in place.
• It puts the auditor in a position to know the audit objective.
• Decision making is easier because a risk-based methodology is used.

The risk analysis cycle:

1. Identify business objectives (BO)
2. Identify the information assets supporting the BOs
3. Perform a risk assessment (RA) [threat, vulnerability, impact]
4. Perform risk management (RM) [map risks to the controls in place]
5. Perform risk treatment (RT) [treat significant risks not mitigated by existing controls]
6. Perform periodic reevaluation (BO/RA/RM/RT)
Calculating Risk

• Exposure Factor (EF): the percentage of an asset’s value lost due to an incident
• Single Loss Expectancy (SLE): the cost of a single loss. SLE is the Asset Value (AV) times the Exposure Factor (EF)
• Annual Rate of Occurrence (ARO): the number of losses you suffer per year
• Annualized Loss Expectancy (ALE): your yearly cost due to a risk. It is calculated by multiplying the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO)

Risk Formulas

SLE = Asset Value (AV) × Exposure Factor (EF)
Risk = Probability of the Risk × Cost of the Eventuality
ALE = Single Loss Expectancy (SLE) × Annual Rate of Occurrence (ARO)
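The four quantities above are straightforward to carry through in code. The following Python is an added example, not from the original training material; the risk register (asset values, exposure factors, occurrence rates) and the backup-control figures are assumptions chosen for illustration. It goes one step beyond the slide by ranking scenarios by ALE, which is how an auditor would pick high-risk areas to focus on, and by applying the common cost-benefit test for a proposed control (ALE before, minus ALE after, minus the annual cost of the control).

```python
"""Quantitative risk calculation: EF, SLE, ARO, ALE.

Added example, not from the original training material. It carries the four
definitions on the page through a small constructed risk register and, going
one step beyond the page, applies the usual cost-benefit test for a proposed
control: the control pays for itself when the reduction in ALE exceeds its
annual cost. All asset values, factors and frequencies are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float        # AV, in currency units
    exposure_factor: float    # EF, fraction of AV lost per incident (0..1)
    aro: float                # ARO, expected incidents per year (may be < 1)


def single_loss_expectancy(av, ef):
    """SLE = AV x EF: the cost of one occurrence."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return av * ef


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: the expected yearly cost of the risk."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def scenario_ale(s):
    """Convenience wrapper: ALE for one register entry."""
    return annualized_loss_expectancy(
        single_loss_expectancy(s.asset_value, s.exposure_factor), s.aro)


def control_value(before, after, annual_control_cost):
    """Annual value of a safeguard: (ALE before) - (ALE after) - (its annual cost).

    A positive result means the control is cost-justified on these figures.
    """
    return scenario_ale(before) - scenario_ale(after) - annual_control_cost


# Constructed register: every figure is an assumption for illustration only.
REGISTER = [
    Scenario("Customer database breach", 2_000_000, 0.35, 0.2),  # once in 5 years
    Scenario("Ransomware on file server", 500_000, 0.60, 0.5),   # once in 2 years
    Scenario("Laptop theft (encrypted)", 3_000, 1.00, 4.0),      # four a year
]


def rank_by_ale(register):
    """Return (name, SLE, ALE) tuples, highest ALE first, to focus audit effort."""
    rows = [(s.name,
             single_loss_expectancy(s.asset_value, s.exposure_factor),
             scenario_ale(s)) for s in register]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def evaluate_backup_control():
    """Immutable offline backups for the file server: assumed to cut the
    exposure factor from 60 % to 10 % at an annual cost of 40,000."""
    before = REGISTER[1]
    after = Scenario(before.name, before.asset_value, 0.10, before.aro)
    return control_value(before, after, 40_000)


if __name__ == "__main__":
    for name, sle, ale in rank_by_ale(REGISTER):
        print(f"{name:32} SLE={sle:>12,.0f}  ALE={ale:>12,.0f}")
    print("Backup control annual value:", f"{evaluate_backup_control():,.0f}")
```

Two points worth noticing when running this: the scenario with the largest single loss (the database breach, SLE 700,000) is not the one with the largest annual exposure once frequency is taken into account, and the backup control is worth roughly 85,000 a year on these assumptions even though it does not reduce how often ransomware occurs, only how much of the asset is lost each time.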
Risk-based Audit Approach

The risk-based audit approach is based on the concept that the determination of the areas to be audited is based on the perceived level of risk.

Audit risk is the risk that a report or information might contain an error that is material and might remain undetected through the audit period.

Residual risk is the risk that remains after controls have been implemented. Normally, controls are implemented to mitigate risk to levels acceptable to management, so the residual risk should sit within management’s risk appetite.
Risk-based Auditing

Risk Assessment

• Risk assessment drives the audit process.
• The identification of risk, prioritization of audit areas, and allocation of audit resources should be based on risk assessment.
• Evaluation of the risk management process must be conducted at every stage to ensure that risk is being managed within the risk appetite of the organization.
Risk Assessment and Treatment
Risk Assessment

● Risk assessments involve identifying, prioritizing, and quantifying risks against criteria for risk tolerance and objectives relevant to the organization.
● Risk assessments should be carried out regularly to ensure they address changes in security, the risk situation, and the environment, especially when key changes take place.

Risk Treatment

● Risk mitigation – Applying adequate controls to lower the risks
● Risk acceptance – Objectively and knowingly not taking action
● Risk avoidance – Evading risks by ensuring actions that cause the risk are prevented
● Risk transfer/sharing – Sharing the risk with third parties such as suppliers or insurance companies
Risk Assessment Methods

• Different methods are employed to perform risk assessments. Examples: Scoring System Method and Judgmental Method
• A combination of methods may be used
• Methods may develop and change over time
• All methods depend on subjective judgment
• The auditor should evaluate the appropriateness of any chosen risk methodology
Types of Audits and Assessments
Types of Audits
Knowledge Statement 1.11

Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities.
Types of Audits
Explanation

Following are the various types of audits:

• Internal vs. External
• Specific domain (i.e. financial)
• Reliance on other auditors

Internal vs. External Audits

Internal:
● Pre-audits
● Compliance audits
● Post incident
● Often targeted

External:
● Compliance
● Regulatory
● General
Specific Domain Audits

• Financial
• Regulatory
• PCI DSS
• IT: Network Systems, Database Systems, Web or E-commerce Systems

Reliance on Other Auditors

• Past audit results
• Incorporating other audits
• Comparison
Audit Factors

• Audit Subject – The area to be audited
• Audit Objective – The purpose of the audit
• Audit Scope – Constrains the audit to a specific system, function, unit, or period of time


Part B: Execution

The following topics are covered in Part B:

• Audit Project Management

• Sampling Methodology

• Audit Evidence Collection Techniques

• Data Analytics

• Reporting and Communication Techniques

• Quality Assurance and Improvement of the Audit Process


Audit Project Management

Plan the audit engagement → Build the audit plan → Execute the plan → Monitor project activity
Audit Objectives

Audit objectives are the specific goals that the audit process must accomplish.

The audit objectives assure the following:


• Compliance with legal and regulatory requirements
• Protection of the confidentiality, integrity, and availability of information and IT resources
Audit Phases

The whole auditing process can generally be divided into the following three different phases: Planning; Fieldwork and documentation; Reporting and follow-up.

Planning Phase

Determine audit subject → Determine audit objective → Set audit scope → Perform preaudit planning → Determine audit procedures

Fieldwork and Documentation Phase

Acquire data → Test controls → Discover and validate issues → Document results

Reporting Phase

Gather report requirements → Draft report → Issue report → Follow-up
Audit Program

• An Audit Work Program represents the audit plan and strategy. It has audit procedures, scope and
objectives.
• The Audit Work Program:
• Is a guide for documenting various audit steps performed and the types and extent of evidential matters
reviewed;
• Provides a trail of the process used; and
• Provides accountability for performance.
• IS Audit Process Steps:
• Plan – assess risks, develop audit program: objectives, procedures (Guidance 5)
• Obtain and evaluate evidence – strengths and weaknesses of controls
• Prepare and present report – draft and final report
• Follow-up – corrective actions taken by management (Guidance 35)
Audit Methodology

Audit Methodology refers to standard audit procedures to be used to achieve the planned audit objectives. It is a documented approach for performing the audit in a continuous and recurring manner to achieve the planned audit objectives.

Audit Methodology Components: Scope; Audit objectives; Work programs; Audit Working Papers.

Applicable Laws and Regulations for IS Audit
Part B: Execution 1.6

Knowledge of the applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audit.
Fraud, Irregularities and Illegal Acts
Explanation

Fraud investigations or legal proceedings require the integrity of the evidence be maintained throughout its
life cycle (called chain of custody in forensic evidence).

Legal requirements include law, regulation and/or contractual agreements placed on Audit (or IS Audit) or the
Auditee. Management and audit personnel in an organization should be aware of external requirements for
computer system practices and controls, and how data is processed, transmitted and stored. There is a need to
comply with different laws raising legal requirements that impact on audit objectives and audit scope.
Main Areas of Coverage

The main areas covered under this knowledge statement include:

• Evidence
• Audit Documentation
• Continuous Auditing
• Legal Requirements

HIPAA and HITECH

• PHI (Personal Health Information)
• The Health Insurance Portability & Accountability Act of 1996 (HIPAA)
• Redefining what a breach is
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• Creating stricter notification standards

Sarbanes-Oxley and PCI

• Sarbanes-Oxley: Public companies must keep electronic records for 5 years
• PCI-DSS (Payment Card Industry-Data Security Standards)
Cryptography Standards

ISO/IEC 7064 | Data processing – Check character systems | Published 2003
ISO/IEC 9796 | Digital signature schemes giving message recovery | 3 parts published 2002–2006, under revision
ISO/IEC 9797 | Message authentication codes (MACs) | 2 parts published 1999–2002, under revision, 3rd part is upcoming
ISO/IEC 9798 | Entity authentication | 6 parts published 1997–2005
ISO/IEC 10116 | Modes of operation for an n-bit block cipher algorithm | Published 2006
ISO/IEC 10118 | Hash-functions | 4 parts published 1998–2004 (2006), under revision
ISO/IEC 11770 | Key management | 4 parts published 1996–2006, under revision
Balanced Score Card

• A type of structured report used as a performance management tool
• Used to track execution of activities
• Actually measures performance against an expected value
• Should define measurements from four perspectives: Financial; Customer; Internal Process; Innovation/Learning
Sampling Methodology
Knowledge Statement 1.8

Knowledge of different sampling methodologies and other substantive/data analytical procedures.

Sampling Methodologies

Compliance testing involves gathering evidence to test the enterprise’s compliance with control procedures.

Substantive testing is evidence gathered to evaluate the integrity of individual transactions, data, or other information.

Presence of adequate internal controls (established through compliance testing) minimizes the number of substantive tests that have to be done.

Conversely, weaknesses in internal controls will increase the need for, or number of, substantive tests.

Sampling is done when, considering the time and cost needed, it is not practical to test or verify all transactions (i.e. the population, which consists of all items in the area being examined).
Sampling Methodologies

Main Areas of Coverage: Compliance vs. Substantive testing; Sampling

Sampling

A sample is a subset of population members used to infer characteristics about a population based on the results of examining the characteristics of a sample of the population.

• A population consists of the entire group of items that need to be examined.
• The sample must represent as closely as possible the characteristics of the whole population.
• Sampling is done when verifying all transactions or events (population) in the audit scope is not feasible.
• The sample drawn must be a correct representation of the population, since all the conclusions are drawn from the sample.

A basic understanding of sampling is necessary for the ISA.
General Approaches to Sampling
Sampling can either be statistical or non-statistical.

Statistical Sampling
● Uses objective judgment to determine:
  o Sample size
  o Selection criteria
  o Sample precision
  o Reliability or confidence level
● This can be used to infer population characteristics from the sample and is the preferred method.
● Uses statistical principles of probability and confidence level to draw a sample representative of the population
● The ISA decides the sample precision (how closely the sample should represent the population) and the confidence level (the number of times in 100 that the sample will represent the population)

Non-statistical Sampling
● Uses subjective judgment to determine:
  o Method of sampling
  o Sample size
  o Sample selection
● This cannot be used to infer population characteristics from the sample and is not a preferred method of sampling.
● Uses the judgment of the ISA to determine the sample selection and sample size
● Increased possibility of sampling risk: the risk that the analysis / conclusions will be wrong because the sample is not representative of the population
● This technique may be used when drawing an inference about the population is not necessary; say, when a handful of large-value credit limits are picked up for scrutiny from a population of extremely low-value credit limits
Attribute and Variable Sampling
Sampling methods are of two types, attribute sampling and variable sampling.

Attribute sampling
● Also known as proportional sampling
● Deals with the presence or absence of an attribute
● Generally applied for compliance testing, to detect the presence or absence of an attribute and draw conclusions from the rate of incidence.
● Conclusions expressed in rates of incidence
Types:
● Attribute sampling or fixed sample size attribute sampling or frequency estimation
● Stop-or-go sampling
● Discovery sampling

Variable sampling
● Used to estimate the value of some variable, example verification of transactions, review of processing in programs used in the preparation of financial statements.
● Also known as dollar estimation or Mean value estimation sampling or Quantitative sampling
● Applied in substantive testing and deals with characteristics that vary, monetary values, measures and in drawing conclusions regarding deviations from the norm.
● Provides conclusions related to deviations from the norm.
Types:
● Stratified mean per unit
● Un-stratified mean per unit
● Difference estimation
Attribute Sampling

Fixed Sample-Size Attribute / Frequency-Estimate Sampling
• Aim is to determine the rate of occurrence: How many, how often?
• Example: Approval signature on user account creation forms

Stop-or-go Sampling
• Adopted when the auditor expects a small number of errors
• Sample size is small and can be kept to a minimum

Discovery Sampling
• Adopted when errors are expected to be a rare occurrence
• Aim is to discover:
  o fraud
  o bypassing rules by manipulation (by splitting a large order value into several smaller ones to avoid having to obtain approval of a higher authority)
Variable Sampling

Stratified Mean Per Unit
• Population is divided into strata, and samples are drawn from various strata
• Stratification, if properly applied, reduces the sample size relative to unstratified mean per unit

Unstratified Mean Per Unit
• Mean is calculated for the entire sample, without stratification, and extrapolated to the entire population
• It increases the sample size

Difference Estimation
• Technique used to estimate the difference between the audited values and the book values, on the basis of differences observed in the sample

Stratified sampling produces a higher confidence level for the same sample size, or may result in a lower sample size for the same confidence level, while other attributes are kept equal.
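An added example (not part of the course) implementing the three variable-sampling estimators on a constructed invoice population, with the standard error of the stratified and unstratified estimates to show the confidence gain the sentence above claims; every figure is made up:

```python
"""Variable-sampling estimators on a constructed invoice population:
unstratified mean per unit, stratified mean per unit and difference
estimation, with the standard error that shows why stratification lowers
sampling risk. Added example, not from the course; all figures are made up."""
from math import sqrt
from statistics import mean, stdev

# Constructed population: N = 20 invoices, book total 21,000, of which
# 4 are high-value (book >= 1,000) and 16 are low-value.
POPULATION_SIZE = 20
BOOK_TOTAL = 21_000.0
STRATA = {                     # stratum -> (N_h, audited values of its sample)
    "high": (4, [4000.0, 5000.0]),
    "low": (16, [100.0, 200.0, 300.0]),
}
# Unstratified sample of the same total size (n = 5), drawn from the whole
# population: one high-value and four low-value invoices.
UNSTRATIFIED_SAMPLE = [5000.0, 100.0, 200.0, 300.0, 150.0]
# (book value, audited value) pairs for difference estimation.
DIFFERENCE_SAMPLE = [(4000.0, 4000.0), (5000.0, 4800.0), (100.0, 100.0),
                     (200.0, 250.0), (300.0, 300.0)]


def _check(sample):
    if len(sample) < 2:
        raise ValueError("need at least two items to estimate a mean and its error")


def mean_per_unit(population_size, audited):
    """Unstratified mean per unit: N x mean of the audited sample values."""
    _check(audited)
    return population_size * mean(audited)


def mean_per_unit_se(population_size, audited):
    """Standard error of the unstratified estimate, N x s / sqrt(n)
    (finite population correction omitted for clarity)."""
    _check(audited)
    return population_size * stdev(audited) / sqrt(len(audited))


def stratified_mean_per_unit(strata):
    """Stratified mean per unit: a mean-per-unit estimate per stratum
    (N_h x sample mean of that stratum), summed over the strata."""
    total = 0.0
    for size_h, audited_h in strata.values():
        _check(audited_h)
        total += size_h * mean(audited_h)
    return total


def stratified_se(strata):
    """Standard error of the stratified estimate: per-stratum errors add in
    quadrature, so a homogeneous low-value stratum adds little even when
    its sample is small."""
    return sqrt(sum((size_h * stdev(audited_h) / sqrt(len(audited_h))) ** 2
                    for size_h, audited_h in strata.values()))


def difference_estimate(population_size, book_total, pairs):
    """Difference estimation: project the mean (audited - book) difference
    of the sample onto the population and correct the book total with it."""
    diffs = [audited - book for book, audited in pairs]
    _check(diffs)
    return book_total + population_size * mean(diffs)


def stratification_gain(strata, unstratified_sample, population_size):
    """Ratio of standard errors (unstratified / stratified) for samples of
    equal size; > 1 means the stratified design is the more precise one."""
    return mean_per_unit_se(population_size, unstratified_sample) / stratified_se(strata)


if __name__ == "__main__":
    print("unstratified MPU :", mean_per_unit(POPULATION_SIZE, UNSTRATIFIED_SAMPLE),
          "+/-", round(mean_per_unit_se(POPULATION_SIZE, UNSTRATIFIED_SAMPLE)))
    print("stratified MPU   :", stratified_mean_per_unit(STRATA),
          "+/-", round(stratified_se(STRATA)))
    print("difference est.  :",
          difference_estimate(POPULATION_SIZE, BOOK_TOTAL, DIFFERENCE_SAMPLE))
    print("precision gain from stratification: x%.1f"
          % stratification_gain(STRATA, UNSTRATIFIED_SAMPLE, POPULATION_SIZE))
```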
Sampling Terms
(Applicable to both attribute and variable sampling)

Confidence Coefficient / Level / Reliability Factor
• The probability that the sample is representative of the population, in relation to the characteristic observed, expressed as a percentage
• 95% confidence coefficient implies 95% chance that the sample is representative of the population
• Depending on assessment of the effectiveness of internal controls, the ISA will vary the sample size
• The greater the confidence level the ISA desires, the larger will be the sample size

Level of Risk
• The opposite of the confidence coefficient, the risk that the sample is not representative of the population
• If the confidence coefficient is 95%, the level of risk is 5%

Precision
• The range of difference between the sample and population acceptable to the ISA
• This is expressed in percentage for attribute sampling and as a numerical value for variable sampling
• The higher the precision level, the lower the sample size and vice versa

Sample / Population Standard Deviation
• A measure of the variance or spread of values around the mean

Expected Error Rate
• The expected error in percentage
• Applied only to attribute sampling, not variable sampling
• If the expected error rate is high, the sample size will have to be increased

Tolerable Error Rate
• Expressed as a percentage, it represents the maximum degree of error that can exist, without the result being materially misstated
• Define maximum precision using tolerable error rate, within permissible limits
Audit Evidence Collection Techniques
Evidence Collection Techniques
Knowledge Statement 1.7

Knowledge of the evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis, forensic investigation techniques, computer-assisted audit techniques [CAATs]) used to gather, protect and preserve audit evidence.
Evidence Collection Techniques
Explanation

Audit findings must be supported by objective evidence

Know techniques to gather and preserve evidence

Information gathered through inquiry, observation, interview, analysis using CAATs (Computer Assisted
Auditing Techniques) such as ACL, IDEA, among others

Electronic media may be used to retain audit evidence to support audit findings

Retention policies should meet requirements for such evidence to support audit findings
Main Areas of Coverage

1. Computer Assisted Audit Techniques (CAATs)
2. Evidence
3. Interviewing and Observing Personnel in Performance of their Duties
4. Continuous Auditing
5. Audit Documentation

Evidence

• Is the information the Information Systems Auditor (ISA) gathers while performing an IS audit to meet the audit objectives by supporting the audit findings
• Must directly relate to the objectives of review
• Is key to the audit process
• Is mandatory under standard “S6 Performance of Audit Work”
• Should be appropriately organized and documented to support the findings and conclusion(s)
Reliability of Evidence
Determinants for the reliability of evidence include:

• Independence of the provider of the evidence
• Qualification of the individual providing the information/evidence
• Objectivity of the evidence
• Timing of the evidence

Given an audit scenario in the exam, a candidate should be able to determine which type of evidence gathering technique would be best.
Evidence Characteristics and Types

• The confidence level of evidence is based on its value; audit evidence is considered
• Sufficient if it is complete, adequate, convincing, and would lead another ISA to form the same
conclusions
• Useful if it assists ISAs in meeting their audit objectives
• Reliable if in the auditor’s opinion, it is valid, factual, objective and supportable
• Relevant if it pertains to the audit objectives and has a logical relationship to the findings and
conclusions it is used to support
Techniques for Gathering Evidence

Techniques for gathering evidence include the following:

• Reviewing IS organizational structures
• Reviewing IS documentation
• Reviewing IS standards and procedures
• Reviewing IS policies
• Interviewing appropriate personnel
• Observing processes and employee performance
• Re-performance
• Walkthroughs

Audit Documentation

Audit documentation should include a record of:

• Planning and preparation of audit scope and objectives
• Description and/or walkthroughs on the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Use of services of other auditors or experts
• Audit findings, conclusions, and recommendations
• Audit documentation related to document identification and dates
Data Analytics
Computer Assisted Audit Techniques (CAATs)
• Automated tools and techniques used for gathering and analyzing data from computer systems to meet a predetermined audit objective.

CAATs
● The CAATs process involves:
  o Understanding the client
  o Obtaining effective evidence
  o Data analysis
  o Reporting
● CAATs are necessitated by differences in HW and SW environments, data structures, record formats, and processing functions

Examples of CAATs
● Generalized audit software e.g. IDEA, ACL
● Utility software e.g. DBMS report writers
● Debugging and scanning software
● Test Data
● Expert systems
● SQL commands
● Third party access control software
● Application software tracing and mapping
● Options and reports built in a system

Computer-Assisted Auditing Techniques (CAATs)

Types of CAATs:
• GAS (Generalized Audit Software)
• Utility software
• Industry-specific audit software
• Fourth-generation languages like SQL
• Expert systems
• Neural networks
• Application software tracing
• Mapping

CAATs collate and analyze diverse data: information systems employ diverse hardware, software, databases, data structures, and formats for audit evidence. They provide a means of analyzing data to achieve audit objectives, and enable the ISA to work independently, eliminating continuous assistance from the IT function.
Types of CAATs

Generalized Audit Software (GAS)
• Standard, off-the-shelf software which can read data from diverse database platforms, flat files, and ASCII formats
• ISA can utilize the in-built functions of the software
• Functions of GAS include:
  o File access and reorganization
  o Sampling
  o Filtration
  o Statistical analysis
  o Stratification and frequency analysis
  o Report generation
  o Duplicate checking
  o Recomputation
• Limitations of GAS include:
  o Not suitable for concurrent auditing
  o Can only conduct post-event audit
  o Limited capabilities to verify processing logic

Utility Software
• Is a part of a suite of programs like: copy, sort programs, report generators, disk search utility, and fourth-generation languages, like SQL (structured query language).

Industry-specific Audit Software
• While GAS is generic in nature, audit software specific to some industries like financial services, insurance, and health care is also available.
• They include built-in queries to perform audit functions in specific industries, say check kiting in banking.
• Constructing similar queries in GAS would need more effort and skills.

Expert System
• This is a type of artificial intelligence and incorporates a knowledge base that contains the knowledge of human experts in the concerned domain.
• The inference engine in the expert system compares the data presented against the knowledge base to draw conclusions.
• Expert systems can be used for:
  o Risk analysis
  o Evaluation of internal controls and assessing if provisions on doubtful debts are adequate

Neural Networks
• These are designed to mimic the neurons of the human brain.
• They can be “trained” to recognize patterns that indicate certain occurrences, like a fraud.

Continuous Online Audit
• CAATs can be used to implement ongoing monitoring.
• They can be configured to continuously analyze data either in real or near real time intervals, in furtherance of preset audit objectives.
Computer Assisted Audit Techniques (CAATs)

Functional capabilities of Generalized Audit Software (GAS) are as follows:

• File access: reading different file structures and record formats
• File reorganization: indexing, sorting, merging, linking
• Data selection: filtration conditions, selection criteria
• Statistical functions: sampling, stratifications, frequency analysis
• Arithmetic functions: arithmetic operators and functions
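An added example, not code from ACL, IDEA or the course, of the GAS functions named above (duplicate checking, stratification and frequency analysis, recomputation, filtration) run over constructed invoice records; the filtration rule looks for the split-order pattern that the Discovery Sampling slide describes, and the record layout and field names are assumptions:

```python
"""GAS-style analytics over constructed invoice records: duplicate checking,
stratification with frequency analysis, recomputation, and a filtration rule
for the split-order pattern that discovery sampling tries to uncover.
Added example, not code from ACL, IDEA or the course; the records and field
names (vendor, requester, lines, ...) are assumptions."""
from bisect import bisect_right
from collections import defaultdict

# Constructed invoice population; 'lines' holds (quantity, unit_price) pairs.
INVOICES = [
    {"id": "INV-001", "vendor": "Acme", "requester": "alice", "date": "2024-03-01",
     "amount": 450.0, "lines": [(3, 150.0)]},
    {"id": "INV-002", "vendor": "Acme", "requester": "alice", "date": "2024-03-01",
     "amount": 450.0, "lines": [(3, 150.0)]},          # same as INV-001: duplicate
    {"id": "INV-003", "vendor": "Beta", "requester": "carol", "date": "2024-03-02",
     "amount": 4800.0, "lines": [(4, 1200.0)]},
    {"id": "INV-004", "vendor": "Beta", "requester": "carol", "date": "2024-03-02",
     "amount": 4900.0, "lines": [(2, 2450.0)]},        # with INV-003 exceeds 5,000
    {"id": "INV-005", "vendor": "Gamma", "requester": "erin", "date": "2024-03-03",
     "amount": 1000.0, "lines": [(2, 450.0)]},         # lines add up to 900, not 1,000
    {"id": "INV-006", "vendor": "Gamma", "requester": "erin", "date": "2024-03-04",
     "amount": 12000.0, "lines": [(10, 1200.0)]},
    {"id": "INV-007", "vendor": "Delta", "requester": "frank", "date": "2024-03-04",
     "amount": 75.0, "lines": [(1, 75.0)]},
    {"id": "INV-008", "vendor": "Delta", "requester": "frank", "date": "2024-03-05",
     "amount": 250.0, "lines": [(5, 50.0)]},
]


def duplicate_groups(records, keys=("vendor", "date", "amount")):
    """Duplicate checking: groups of ids sharing the same values for `keys`."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[k] for k in keys)].append(rec["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def stratify(records, boundaries):
    """Stratification and frequency analysis: count and total per amount
    band. `boundaries` are ascending band limits, e.g. [100, 1000, 5000]."""
    labels = ([f"<{boundaries[0]}"]
              + [f"{lo}-{hi}" for lo, hi in zip(boundaries, boundaries[1:])]
              + [f">={boundaries[-1]}"])
    bands = {label: {"count": 0, "total": 0.0} for label in labels}
    for rec in records:
        band = bands[labels[bisect_right(boundaries, rec["amount"])]]
        band["count"] += 1
        band["total"] += rec["amount"]
    return bands


def recomputation_exceptions(records, tolerance=0.005):
    """Recomputation: re-add the line items and report invoices whose
    stored amount differs from the recomputed one."""
    exceptions = []
    for rec in records:
        computed = sum(qty * price for qty, price in rec["lines"])
        if abs(computed - rec["amount"]) > tolerance:
            exceptions.append((rec["id"], rec["amount"], computed))
    return exceptions


def split_order_groups(records, approval_threshold):
    """Filtration rule for the pattern discovery sampling targets: several
    orders by one requester to one vendor on one day, each below the
    approval threshold but above it in total. Returns the groups to examine."""
    by_key = defaultdict(list)
    for rec in records:
        if rec["amount"] < approval_threshold:
            by_key[(rec["requester"], rec["vendor"], rec["date"])].append(rec)
    flagged = []
    for key, recs in by_key.items():
        total = sum(r["amount"] for r in recs)
        if len(recs) > 1 and total >= approval_threshold:
            flagged.append((key, sorted(r["id"] for r in recs), total))
    return flagged


if __name__ == "__main__":
    print("duplicates      :", duplicate_groups(INVOICES))
    print("strata          :", stratify(INVOICES, [100, 1000, 5000]))
    print("recompute errors:", recomputation_exceptions(INVOICES))
    print("split orders    :", split_order_groups(INVOICES, 5000))
```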
Reporting and Communication Techniques
Knowledge Statement 1.9

Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure, issue writing, management summary, result verification).
Reporting and Communication Techniques
Explanation

Communication needs to be effective and clear to improve the quality of the audit and maximize results.

When an argument ensues between the auditor and the auditee during the final IS audit findings report
presentation over the accuracy of the findings in the report, it makes the audit process counterproductive and
quickly dilutes the audit process and its value.

Audit findings reported to stakeholders need to have appropriate buy-in from the auditees for the audit
process to be successful and value adding.

Communication and negotiation skills are required throughout the audit activity.

Communication skills determine the effectiveness of the audit reporting process.


Audit Report Objectives

The objectives of audit reporting are:


• Formally presenting the audit report to the auditee or client
• Providing statements of assurance of controls
• Identifying areas that require corrective actions
• Providing recommendations
• Formally seeking closure of the audit engagement
Main Areas of Coverage

The main areas of coverage:

• Communicating Audit Results
• Information Technology Assurance Framework (ITAF) (Section 2600 – Reporting Standards)
Communication of Audit Results
During exit interviews, the IS auditor should:

• Ensure recommendations are realistic and cost-effective
• Ensure facts presented in the report are accurate
• Recommend implementation dates for agreed-on recommendations

Presentation techniques include:

● Executive summary: Easy to read, concise report that presents the summary of the entire report
● Visual presentation: May include slides or computer graphics

Before communicating the results of an audit to senior management, the IS auditor should discuss the findings with management staff of the audited entity. This is to ensure an agreement is reached on both the findings and the corrective action to be taken.

The CISA candidate should become familiar with the ISACA S7 Reporting and S8 Follow-up Activities standards.
Communication Skills

• Facilitation
• Negotiation
• Conflict resolution
• Issue writing
The Report

Identify and Include:


• Organization, recipients, restriction on circulation
• Scope, objectives, period of coverage, nature, timing, and extent
• Findings, conclusions, recommendations/follow up, and reservations
or qualifications
o Grouped by materiality or intended recipient
o Mention faults and constructive corrections
• Evidence to support results (may be separate)
• Overall findings, conclusion, and opinion
• Signed and dated
Audit Report Basics
An audit report includes the following features:

• Organization, recipients and restriction on circulation
• Scope, objectives, period of coverage, nature, timing, and extent
• Findings, conclusions, recommendations/follow-ups, and reservations/qualifications
  o Grouped by materiality or intended recipient
  o Mention faults and constructive corrections
• Evidence to support results
• Overall findings, conclusion, and opinion
• Signature and date
Follow-Up Activities

• An IS auditor should conduct a follow-up program to determine whether the management has
implemented the agreed-on corrective actions.

• The results of the follow-up should be communicated appropriately.


Quality Assurance and Improvement of the Audit Process
Audit Assurance Systems and Frameworks
Knowledge Statement 1.10

Knowledge of audit quality assurance (QA) systems and frameworks.
Quality Assurance and Improvement of the Audit Process
Explanation

Auditing standards are the minimum parameters to be taken into account when performing an audit.

An IS auditor has to understand the impact of the IS environment on traditional auditing practices and
techniques to ensure the audit objective is achieved.

Control Self Assessment (CSA) is a process in which an IS auditor can act in the role of a facilitator to business
process owners to help them define and assess appropriate controls (taking into consideration the risk
appetite of the organization).

Process owners are best placed to define appropriate controls due to their process knowledge.

IS auditors help process owners understand the need for controls based on business risk.
Main Areas of Coverage

The main areas covered under this knowledge statement are as follows:

• Audit objectives
• Audit methodology
• Audit programs
• Evaluation of audit strengths and weaknesses
• Control Self Assessment (CSA)
• Objectives, advantages, and disadvantages of CSA
• Auditor's role in CSA
• Using services of other Auditors and Experts
• Traditional vs. CSA Approach
Control Self Assessment (CSA)

• CSA is a management technique that assures stakeholders, customers, and other parties that the internal control system of the organization is reliable.
• CSA is a methodology used to review key business objectives, risks involved in achieving the business objectives, and internal controls designed to manage these business risks in a formal, documented collaborative process.
• CSA involves a series of tools on a continuum of sophistication, ranging from simple questionnaires to facilitated workshops.
• It ensures employees are aware of business risk and that they conduct periodic, proactive reviews of controls.

Objectives of a CSA

Following are the objectives of a CSA:

• Leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas
• Ensure line managers are in charge of monitoring controls
• Educate management on control design and monitoring

Control Objectives for Information and Related Technology (COBIT) provides guidance on the development of a CSA.
COBIT

Some important facts about COBIT are:

• Control Objectives for Information and related Technology


• ISACA first released COBIT in 1996
• Revised in 2005 to become ISO 17799:2005
• ISACA published the current version, COBIT 5, in 2012
• Contains 134 detailed information security controls based on 11 areas
Benefits of a CSA

Benefits of a CSA include the following:


• Early detection of risk
• More effective and improved internal controls
• Create cohesive teams – employee involvement
• Develops sense of ownership of controls in employees and process owners
• Improved audit rating process
• Reduction in control cost
• Increased communication between operations and top management
• Highly motivated employees
• Assurance provided to stakeholders and customers
CSA Disadvantages and Role of Auditor

Disadvantages of a CSA
● Might be mistaken as an audit function replacement
● May be taken as additional workload (e.g. writing reports to management)
● Failure to act on improvement suggestions could damage employee morale
● Inadequate motivation limits effectiveness in the discovery of weak controls

Auditor’s role in CSA
● Internal control professional and assessment facilitator (management staff participates in the CSA process, not the auditor)
Traditional Vs. CSA Approach

The following table compares the traditional audit approach with CSA:

Traditional Audit Approach CSA

Assigns tasks Empowered and accountable employees

Policy-driven Continuous improvement learning curve

Limited employee participation Extensive employee participation and training

Limited stakeholder focus Broad stakeholder focus

Auditors and other specialists Staff at all levels and in all functions are the
primary control analysts
Domain One Exam Quick Pointers

1. The auditor is a facilitator in a Control Self Assessment.


2. Examples of substantive tests include testing samples of an inventory of backup tapes.
3. Control self Assessment (CSA) enhances audit responsibility as one of its key objectives.
4. Accountability cannot be enforced without authentication and identification in an access control.
5. IS Auditors are likely to perform compliance tests of internal controls if, after their initial evaluation of
the controls, they conclude that control risks are within acceptable limits.
6. Identification of high-risk areas is the most important step in an audit plan.
7. The auditor should be aware of data flows within an enterprise when assessing corrective, preventive,
or detective controls.
8. Responsibility and accountability can be established by the use of audit trails.
Knowledge Check
QUIZ 1
An audit charter should _____.

a. summarize the responsibilities, authority and scope of an internal audit department
b. define audit processes
c. outline audit goals and how to achieve them
d. keep track with the change in information technology

The correct answer is a.

An audit charter should summarize the responsibility, authority, and scope of an audit department.
QUIZ 2
An audit report prepared by the information systems auditor should be corroborated by _____.

a. supporting statements from IS management
b. work-papers of senior auditors
c. control self-assessment from the organization
d. appropriate, relevant, and sufficient audit evidence

The correct answer is a.

An IS auditor should have statements from IS Management to ensure that they are in agreement with the findings as well as the corrective action to be taken.
QUIZ 3
An IS auditor reviews the previous audit plan implemented for a client and finds that it was designed to review the company network and e-mail systems, but not the e-commerce Web server. The IT manager indicates that the preferred focus for audit is the newly implemented ERP application. How should the auditor respond?

a. Determine the highest-risk systems and plan the audit based on the results
b. Audit the new ERP application as requested by the IT manager
c. Audit both the e-commerce server and the ERP application
d. Audit the e-commerce server since it was not audited last year

The correct answer is c.

The best course of action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. The IS auditor should not rely on the prior-year audit plan since it may not have been designed to reflect a risk-based approach.
QUIZ 4
When testing program change requests, an IS auditor found that the population of changes was too small to provide a reasonable level of assurance. What is the most appropriate action for the IS auditor to take?

a. Report the finding to management as a deficiency.
b. Create additional sample changes to programs.
c. Develop an alternate testing procedure.
d. Perform a walk-through of the change management process.

The correct answer is a.

If a sample size objective cannot be met with the given data, the IS auditor would not be able to provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit management approval) an alternate testing procedure.
QUIZ 5
The main advantage derived from an enterprise employing a control self-assessment (CSA) process is that it:

a. enables management to delegate responsibility.
b. can replace the traditional audit methods.
c. allows the auditor to independently assess risks.
d. identifies high-risk areas that require a detailed review later.

The correct answer is d.

Control Self-Assessment is based on the review of high-risk areas that will need either a more thorough review at a later date or immediate attention.
Case Study 1

The IS auditor has been asked to perform a pre-audit review to assess the company’s readiness for a regulatory compliance audit. The regulatory requirements include management taking an active role in IT management, including managerial review and testing of IT controls.

The areas to assess in the upcoming regulatory compliance audit include physical controls, logical controls, end-user computing, and change management. The IS auditor has only two weeks to complete the pre-audit review. Previous audits found no issues with physical controls or end-user computing but did find issues with logical controls and change management.

Previous issues found include inadequate password management and not all changes were reviewed by a change approval board.
QUIZ 1
Which of the following would be the most important item for the IS auditor to check first?

a. Password management
b. Change approval
c. Patch management
d. Physical security

The correct answer is a.

Password management and change approval were both identified as issues in previous audits. However, password management is a more critical issue, and it is less time consuming to check. It may not be possible to review change management within the time allotted.
QUIZ 2
If time permits, should the IS auditor review physical controls and end-user computing, even though there were no problems noted in previous audits?

a. Yes, check both if time permits
b. No, as there were no previous issues
c. If possible, check physical controls but not end-user computing
d. If possible, check end-user computing then physical controls

The correct answer is a.

Simply because there have not been issues in the past does not mean an area should not be reviewed during an audit. If time permits, every area that will be addressed in the regulatory compliance audit should be reviewed.
Case Study 2

An IS auditor has been tasked to audit a financial application used by a bank to process loan applications. The application can be accessed via a Web interface from anywhere in the world. The company maintains the Web server internally (that is, it is not outsourced) as well as the back-end database. The auditor has limited time and may not be able to do a complete audit.
QUIZ 1
Which of the following tools would be most helpful in this audit?

a. General audit software application tool
b. Statistical analysis tool
c. Web vulnerability testing tool
d. General vulnerability assessment tool

The correct answer is c.

Since the application is accessed via the Web, the most critical item to audit is the Web interface. This is where most security issues would be found, which is why a Web vulnerability testing tool is the most helpful in this audit.
QUIZ 2
In this scenario, what is the order of importance of items checked?

a. Firewall, VPN, Web server, Database server
b. VPN, Firewall, Database server, Web server
c. Database server, VPN, Web server, Firewall
d. Web server, Firewall, Database server, VPN

The correct answer is d.

The Web server is the most important as it is the publicly facing interface most vulnerable to attack. The database is protected by the firewall, so the next item to check is the firewall. VPN connections need not be checked, as there is no VPN used in this scenario.
Key Takeaways

You are now able to:

• Plan an audit to determine whether information systems are protected, controlled, and provide value to the organization
• Conduct an audit in accordance with IS audit standards and a risk-based IS audit strategy
• Communicate audit progress, findings, results, and recommendations to stakeholders
• Conduct an audit follow-up to evaluate whether risks have been sufficiently addressed
• Evaluate IT management and monitoring of controls
• Utilize data analytics tools to streamline an audit process
• Provide consulting services and guidance to the organization in order to improve the quality and control of information systems
• Identify opportunities for process improvement in the organization's IT policies and practices
This concludes “Process of Auditing
Information Systems.”

The next domain is “Governance and Management of IT."


Certified Information Systems Auditor (CISA®)
Governance and Management of IT


Learning Objectives

By the end of this domain, you’ll be able to:

• Evaluate the IT strategy for alignment with the organization’s strategies and objectives
• Evaluate the effectiveness of IT governance structure and IT organizational structure
• Evaluate the organization’s IT policies and practices for compliance with regulatory and legal requirements
• Evaluate IT resource and portfolio management for alignment with the organization’s strategies and objectives
• Evaluate the policies of organization's risk management and data governance
• Evaluate IT management and monitoring of controls
• Evaluate the monitoring and reporting of IT key performance indicators (KPIs)
• Evaluate whether IT supplier selection, service, and contract management processes align with business requirements
• Conduct periodic review of information systems and enterprise architecture
• Evaluate the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives
• Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices
Part A: IT Governance

The following topics are covered in Part A:

• IT governance and IT strategy
• IT-related frameworks
• IT standards, policies, and procedures
• Organizational structure
• Enterprise architecture
• Enterprise risk management
• Maturity models
• Laws, regulations, and industry standards affecting the organization
IT Governance and IT Strategy

Explanation

To assure the stakeholders that IT deployment is aligned with the business vision, mission, and objectives, the top management may implement an IT governance framework.

Essential elements of IT governance include Strategic Alignment, Value Delivery, Risk Management, Resource Management, and Performance Measurement.
Main Areas of Coverage

The main areas covered in this knowledge statement are:

• Governance of enterprise IT
• Best practices for governance of an enterprise IT
• Information systems strategy
• IT governance standards, policies, and guidelines
Corporate Governance

At a high level, corporate governance has been defined as “the system by which business corporations are directed and controlled.”

Corporate governance can also be defined as “a set of relationships between a company’s management, its board, shareholders, and other stakeholders.”

• It is a set of responsibilities and practices used by an organization’s management to provide strategic direction, in order to ensure that goals are achievable, risk is properly addressed, and organizational resources are properly utilized.
• It also provides the structure through which the objectives of the company are set, the means of attaining those objectives, and monitoring performance.
• Good corporate governance should provide proper incentives for the board and management to pursue objectives that are in the interests of the company and its shareholders, and should facilitate effective monitoring.
• Corporate governance frameworks are increasingly being used by governments to curb inaccurate financial reporting and foster greater transparency and accountability.
• Many government regulations require senior management to sign off on the adequacy of internal controls and include an assessment of the organization’s internal controls.
Corporate Governance

“Governance is the combination of processes and structures implemented by the board in order to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.” – Institute of Internal Auditors

• It is the system by which companies are directed and controlled.
• Boards of directors are responsible for the governance of the companies.
• Shareholders appoint the directors and auditors and ensure that the governance structure is in place.
• It also presupposes fair treatment of all stakeholders, monitors their performance and takes adequate measures to ensure compliance with laws, regulations, policy and contractual obligations.
• Responsibilities of the board include setting the company’s strategic aims, providing leadership to put them into effect, supervising management of the business and reporting to shareholders on their stewardship. – Cadbury Committee Report on Corporate Governance
• The board’s actions are subject to laws, regulations and the shareholders in general meeting.
Objectives of Corporate Governance

Corporate governance also presupposes the fair treatment of all stakeholders, monitoring of performance, and taking adequate measures for compliance with laws, regulations, policy, and contractual obligations.

• Provide strategic direction
• Attainment of corporate objectives
• Effective risk management to control risk, within acceptable levels
• Efficient and effective utilization of corporate resources
Role of Audit

Audit plays an important role in corporate governance.

“Internal audit is an independent, objective assurance and consulting activity, designed to add value and to improve an organization's operations. It helps an organization accomplish its objectives, by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” - Institute of Internal Auditors

Internal Audit

• Assurance Services: Provide an independent and objective assessment, based on evidence, of the governance, risk management and control processes in the organization. Assure testing before release. Information systems audit falls under this category.
• Consulting Services: These are advisory in nature and intended to add value and improve the governance, risk management, and control processes of an organization, without internal audit assuming management responsibility. Here, an internal auditor is engaged in providing advice on controls in a new project or function. Examples: training, advice.

External Audit

It is an examination of the accuracy of financial statements by an independent external auditor.
IT Governance

IT governance is a subset of corporate governance.

• An organization must have a long-term strategy for IT to guide decisions, instead of taking decisions on an ad hoc basis.
• IS is used to aid business objectives and improve business processes.
• IT governance is effective only when done within a formal framework.
• Performance management can extend to efficacy of policies and proper functioning of equipment, software and network, apart from the personnel.
• Following industry standards is better than developing one from scratch. Industry standards have been through several iterations and have been refined and improved over the years by experts.
• An auditor must begin with the IT strategy and then follow policies, procedures, framework, and practices, which must be reviewed periodically whenever the environment, business, or regulatory requirement changes.
IT Governance

• Adequate investments must be provided for in-house and outsourced IT resources to meet current and future business needs.
• Current and new technologies must be opted for only after considering the benefits, risks, and costs and envisioning the future trends.
• Internal Audit must analyze IT from a strategic perspective, before moving on to the granular level of individual processes and applications.
• The compliance and regulatory requirements must be met and the risk of these not being met must be measured. All the risks should be known and discussed openly along with the efficacy of controls.
• Executive management must be aware of the risks in the organization and closely monitor the processes and personnel to manage them. They should check if the residual risk is within the risk appetite of the organization.
• Finally, the value added by IT to the organization must be measured and the costs incurred on it must be optimized.
Objectives of IT Governance

• Ensuring that IT strategies and policies are in alignment with business strategies and objectives and support corporate strategy
• Managing IT risk and ensuring that it remains within the acceptable risk level of the organization
• Dovetailing IT policies and objectives with corporate policies and objectives
• Ensuring that the investments in IT yield expected returns to business
• Optimizing resources spent on IT and ensuring that they deliver value to business
• Ensuring that IT is in compliance with regulatory obligations
Best Practices for Governance of an Enterprise IT

Governance of an enterprise IT integrates and institutionalizes good practices to ascertain that the enterprise IT supports the business objectives.

Factors leading to the importance of enterprise IT governance:

• Business managers and boards demanding a better return on investment
• Concern over high expenditure on IT
• The need to meet regulatory requirements for IT (SOX, Basel II, and HIPAA)
• The selection of service providers, and management of service outsourcing and acquisition
• Increasingly complex IT-related risks such as network security
Best Practices for Governance of an Enterprise IT

Other factors leading to the importance of enterprise IT governance are:

• IT governance initiatives include adoption of control frameworks and good practices to monitor and improve critical IT activities. These increase business value and reduce business risks.
• The need to optimize IT costs by following standardized rather than specially developed approaches
• The growing maturity and the consequent acceptance of well-regarded frameworks
• The need for enterprises to assess how they are performing against generally accepted standards and their peers (benchmarking)
Information Security Governance

IT governance is a subset of corporate governance, whereas information security governance is a subset of IT governance.

“Information security governance can be defined as the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with the applicable laws and regulations through adherence to policies and internal controls and provide assignment of responsibility, all in an effort to manage risk.” - NIST, Information Security Handbook: A Guide for Managers.
Information Security Governance

• The board of directors and executive management are responsible for information security governance.
• The role of IT extends beyond corporate boundaries to monitor if information systems are networked and critical elements of IT are outsourced.
• Core concerns of information security governance: risk management, strategic alignment of information security with business objectives, compliance, and value delivery.
• Information security governance has been rendered important due to the rapidly changing IT threat scenario.
Information Security Governance

Five basic objectives of Information Security Governance:

• Strategic alignment of information security with business strategy to support organizational objectives
• Risk management by executing appropriate measures to manage and mitigate risks, and reduce potential impacts on information resources to an acceptable level
• Resource management by utilizing information security knowledge and infrastructure efficiently and effectively
• Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure achievement of organizational objectives
• Value delivery by optimizing information security investments in support of organizational objectives

(Source: Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, IT Governance Institute)
Information Security Governance

Information security governance requires strategic direction and impetus. It requires commitment, resources, and assigning responsibility for information security management. It also requires means for the board to determine whether its intent has been met.

Role of BODs/Senior Management:

Effective information security governance is achieved only by involvement of the Board of Directors and/or senior management in:

• Approving policy
• Appropriate monitoring and metrics
• Reporting and trend analysis
• Members of the board need to be aware of the organization’s information assets and their criticality to the ongoing business operations. This can be accomplished by periodically providing the board with high-level results of comprehensive risk assessments and Business Impact Analysis (BIA), and business dependency assessments of information resources.
GEIT (Governance of Enterprise IT)

• It is the responsibility of the board and Executive Management.
• The primary goals of GEIT are to ensure that IT goals and strategy are aligned with organization goals and objectives, and that the promised benefits are realized.
• Executive management is responsible for implementing the necessary framework and controls.
• The board should oversee the process to ensure that it is effective.
Information Systems Strategy

An IS strategy articulates the enterprise’s long-term intention to use Information Systems to improve
its business processes based on business requirements.

When formulating the IS strategy, an enterprise must consider:


• Business objectives and the competitive environment.
• Current and future technologies, costs, risks, and benefits involved.
• The capability of an IT organization and technology to deliver current and future levels of
service, and the extent of change and investment this might imply for the enterprise.
• Cost of the current IT, and the value it provides to the business.
• Lessons learned from past failures and successes.
IT Governance Focus Areas

The focus areas of IT governance are as follows:

• Strategic Alignment: This focuses on ensuring the linkage of business and IT plans by defining, maintaining, and validating the IT value proposition; and aligning IT operations with enterprise operations.
• Value Delivery: This involves executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs, and proving the intrinsic value of IT.
• Risk Management: It requires risk awareness by senior corporate officers, understanding the enterprise's appetite for risk and compliance requirements, transparency of significant risks to the enterprise, and embedding responsibilities into the organization.
IT-Related Frameworks

IT Governance, Management, Security, and Control Frameworks

Knowledge Statement 2.2

Knowledge of IT governance, management, security and control frameworks, and related standards, guidelines, and practices
IT-Related Frameworks

Explanation

• IT governance can be effective with a formal framework.
• Effective management and monitoring of IT.
• Management controls the decisions, direction, and performance of IT.
COBIT 5 Framework

The COBIT 5 framework clearly distinguishes between governance and management.

• The governance function should establish balanced and high-level objectives, considering the interests of all stakeholders, with a provision to monitor performance and compliance with the objectives set by the board.
• Management is responsible for planning and carrying out activities in accordance with the directive of the board.

(Figure: COBIT 5 framework functions)
Principles, Policies, and Frameworks

Principles, policies, and frameworks refer to the communication mechanisms that convey the direction and instructions of governing bodies and management, which include:

• Principles, policies, and framework model
• Information security principles
• Information security policies
• Policy life cycle
• Adapting policies to the enterprise environment
ISO Standards

• ISO 27000 (vocabulary and definitions).
• ISO 27001 (ISMS requirements and implementation): defines the main standard applicable for certification of ISMSs.
• ISO 27002 (code of security practices): a code of best practices in ISMS; includes more than 5000 detailed controls.
• ISO 27003 (implementation guidance): guidelines to implement ISO 27000 series standards.
• ISO 27004 (security management metrics and measurement): information security management measurement and metrics.
• ISO 27005 (information security risk management): guidelines relating to the risk management aspects of ISO 27001.
ISO 38500

It is a high-level framework for effective IT governance. It includes:

• Responsibility
• Strategy
• Acquisition
• Performance
• Conformance
• Human behavior
PCI Frameworks

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update the anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by a business need-to-know
8. Assign a unique ID to persons with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor access to network resources and cardholder data
11. Routinely test security systems and processes

Maintain an Information Security Policy
12. Establish high-level security principles and procedures
IT Standards, Policies, and Procedures

Explanation

IT strategies, policies, standards, and procedures should be consistent with business requirements.
Policies

Policies are high-level management directives.

All policies should contain these basic components:
• Purpose
• Scope
• Responsibility
• Compliance

COBIT 5 for Information Security describes these attributes of each policy:
• Scope
• Validity
• Goals

• Policies are high-level documents that specify the thinking and philosophy of an organization. They are the guiding principles that set the tone for the organization as a whole.
• In addition to high-level corporate policies, individual units and departments may have their own policies, which should be consistent with the high-level ones.
• Policies should be clear and concise, which would clearly define the expectations for the employees. In short, they are what the organization expects.
Procedures, Standards, and Guidelines

• A Standard describes the specific use of technology, often applied to hardware and software.
• A Procedure is a step-by-step guide to accomplish a task.
• Guidelines are recommendations (which are discretionary).

Procedures

Procedures are step-by-step instructions of how something should be done in order to accomplish the objectives set out in the policies. Procedures are expected to change more often than policies, in order to keep pace with the changes in the environment and regulatory requirements.

Guidelines

Guidelines are recommendatory in nature. Professional judgment should be used while applying guidelines in the organization. The auditor should be prepared to justify any departure from them.
Organizational Structure

Roles and Responsibilities

Knowledge Statement 2.3

Knowledge of the organizational structure, roles, and responsibilities related to IT, including segregation of duties (SoD)

Explanation

Organizations must define organizational structures. Responsibilities of major functions should be outlined and documented to ensure proper segregation of duties.

Main Areas of Coverage

The main areas covered are:

• Auditing IT governance structure
• Segregation of Duties control and implementation
• Sourcing practices
• Reviewing documentation
• Segregation of Duties within IS
• Reviewing contractual commitments

In the CISA exam, the IS auditor must be aware of these globally recognized concepts. However, knowledge of specific legislation and regulations will not be tested.
Roles and Responsibilities: BODs

Board members should approve the assessment of key assets to be protected.

• The tone of top management must be conducive to effective security governance.
• Executive management should endorse security requirements.
• It is unreasonable to expect lower-level personnel to abide by security measures if the senior management do not follow them.
• Penalties for non-compliance must be defined, communicated, and enforced.
Roles and Responsibilities: Senior Management

The roles and responsibilities of senior management are as follows:

• Executive Management: Implements effective security management governance, and defines the strategic security objectives of an organization.
• Steering Committee: Focuses on all security aspects of an organization. Should represent the respective groups or functions impacted by the information security.
• Chief Information Security Officer (CISO): Ensures that good information security practices are carried out within the organization.
Reviewing Documentation

The following documents should be reviewed:

• IT strategies, plans, and budgets
• Security policy documentation
• Organizational/Functional charts
• Job descriptions
• Steering Committee reports
• System development and program change procedures
• Operations procedures
• Human Resource manuals
• Quality Assurance manuals
Segregation of Duties (SoD) Matrix

The table (not reproduced here) illustrates an example of an SoD matrix. The rows and columns capture various IS duties.

Note: X indicates incompatible duties.
Enterprise Architecture

Explanation

The complexity of IT and global connectivity requires understanding of the IT architecture. Architecture and strategy are intertwined and germane to your audit.

IT Architecture Models

• Information architecture of COBIT Control Objective PO2
• Zachman Framework
• AF-EAF
• CAFEA
• NAF
• Sherwood Applied Business Security Architecture
• AFIoT
• UADF
IoT (Internet of Things)

The IoT is the internetworking of physical devices like vehicles and buildings, referred to as “smart” or “connected” devices, that are embedded with electronics, software, sensors, and networking capability, enabling these devices to collect and exchange data.

IoT has applications in a variety of devices, such as heart-monitoring implants, automobiles with built-in sensors, and devices to monitor the environment, food, and pathogens.

Growth of IoT in various verticals:
• Wearable devices
• Smart street lighting
• Security (cameras, lighting)
• Connected homes
• Cars (infotainment, navigation)
IoT (Internet of Things)

The network of IoT devices is expected to reach between 5 billion and 1 trillion in number.

IoT poses security challenges in the following areas:

• Authentication (IoT devices do not incorporate strong authentication mechanisms)
• Encryption (implementing encryption requires substantial processing and memory resources, which IoT devices are low on)
• Updates (pushing updates to such large numbers of devices is difficult)
AF-EAF

Air Force Enterprise Architecture Framework: consists of various approaches, models, and definitions to communicate and facilitate the presentation of key architecture components.

See also https://www.mitre.org/sites/default/files/pdf/10_1541.pdf


AFIoT

IEEE P2413 – Architecture Framework for the Internet of Things

• Definition of basic architectural building blocks, and their ability to be integrated into multi-tiered systems
• Defines relationships among various IoT verticals
• It also provides a blueprint for data abstraction
CAFEA

Following are the levels of scope of the Common Approach to Federal Enterprise Architecture:

• International
• National
• Federal
• Sector
• Agency
• Segment
• System
• Application
UADF

Universal Architecture Description Framework or UADF

• A collection of models forms an architecture description framework
• If this collection is comprehensive, it is called a universal framework
NAF
Following is the NATO C3 Systems Architecture Framework:

• Capability-oriented
• Operation-oriented
• Service-oriented
• System-oriented
• Technical-oriented
• Program-oriented
Enterprise Risk Management

Explanation

Enterprise Risk Management is the cornerstone of IT auditing.

Main Areas of Coverage
The main areas covered are:

1 ERM definitions

2 ERM domains

3 ERM standards
ERM Definition

“Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied
in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage
risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: http://www.coso.org/documents/coso_erm_executivesummary.pdf
ERM Objectives
Following are the objectives of ERM:

• Strategic
• Operations
• Reporting
• Compliance
ERM Perspectives
Following are the perspectives of ERM:

• Enterprise
• Division
• Unit
• Process
COSO's ERM Integrated Framework
Following are the components of COSO’s Enterprise Risk Management: Integrated Framework:

• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information and Communication
• Monitoring
ISO 31000

• Established in November 2009
• Sometimes called ISO 31000:2009
• Standards relating to risk management:
o ISO 31000:2009 Principles and Guidelines on Implementation
o ISO/IEC 31010:2009 Risk Management: Risk Assessment Techniques
o ISO Guide 73:2009 Risk Management: Vocabulary
ISO 31000
Following are the different ways to deal with risk:

• Avoiding the risk
• Removing the risk source
• Changing the likelihood of risk
• Changing the consequences of risk
• Sharing the risk with another party
• Accepting/retaining the risk by informed decision
• Accepting or increasing the risk to pursue an opportunity


Maturity Models
Maturity Models
Explanation

Maturity and process improvement models help enterprises evaluate the current state of internal controls in
comparison to the desired state.
CMM
Following are the various levels of Capability Maturity Model (CMM):

Level 5 Continuously Improving

Level 4 Quantitatively Controlled

Level 3 Well-defined

Level 2 Planned and Tracked

Level 1 Performed Informally


ISACA CMM

0 Lack of management: Processes and their management is completely chaotic
1 Initial: Processes are implemented ad hoc
2 Repeated: Certain discipline necessary to perform basic repetitive processes is compiled
3 Defined: Processes of the organization are documented
4 Managed: The processes are managed and carried out to measure their performance through KPI
5 Optimized: Processes are continually improved; there is an innovation cycle for processes and management
IDEAL Model

The IDEAL model is an organizational improvement model developed by the Software Engineering Institute (SEI) at the Carnegie
Mellon University that serves as a roadmap for initiating, planning, and implementing improvement actions.

It is useful in planning and implementing effective process improvement programs for CMMI and similar initiatives.

The IDEAL model is named for the five phases it describes:

• Initiating
• Diagnosing
• Establishing
• Acting
• Learning
Laws, Regulations, and Industry Standards Affecting the Organization
Laws, Regulations, and Industry Standards Affecting the Organization

Explanation

External requirements affecting the organization.


Main Areas of Coverage

The main areas covered are:

Legal Requirements Regulations Industry Standards


Laws and Standards

The various laws and standards are as follows:

• Electronic Fund Transfer Act, Regulation E (EFTA)
• Children's Online Privacy Protection Act (COPPA)
• Federal Information Security Management Act (FISMA)
• Personal Information Protection and Electronic Documents Act (PIPEDA)

Electronic Fund Transfer Act, Regulation E (EFTA)

• Passed in 1978
• Implemented by the Fed Reserve Board Regulation E
• Limits to customer liability on loss or theft of card
• EFT errors
Laws and Standards

Children's Online Privacy Protection Act (COPPA)

• Effective since 2000
• It applies to the online collection of personal information from children below 13 years of age under the US jurisdiction
• The Federal Trade Commission (FTC) has the authority to issue regulations and enforce COPPA
Laws and Standards

Federal Information Security Management Act (FISMA)

• Effective since 2002
• NIST is responsible for developing standards, guidelines, and associated methods and techniques
• NIST develops standards, metrics, tests, and validation programs to promote, measure, and validate security in information systems and services
• FIPS 200 “Minimum Security Requirements for Federal Information and Information Systems”
Laws and Standards

Personal Information Protection and Electronic Documents Act (PIPEDA)

• Canadian law
• It governs how private sector organizations collect, use, and disclose personal information
• The law gives different rights to individuals
Laws and Standards

The various laws and standards are as follows:

• European Union Data Protection Directive
• Sarbanes-Oxley Act
• DMCA – Digital Millennium Copyright Act
• PCI DSS

European Union Data Protection Directive

• Directive 95/46/EC
• Regulates the processing of personal data within the European Union
• Governs the use of personal data
• Requires organizations to be transparent
Laws and Standards

Sarbanes-Oxley Act

• Enacted on July 30, 2002 (nine months after the discovery of Enron problems)
• Applicable to “Issuers” as defined in the SEC Act of 1934 (approximately 15,000 public companies)
o Companies required to file periodic reports with the SEC
o Companies with more than 1 million dollars in total assets and at least 500 shareholders
o Companies who have registered securities with the SEC
• Creates the Public Company Accounting Oversight Board, or PCAOB, funded by accounting firms and registrants
Laws and Standards

DMCA – Digital Millennium Copyright Act

• Signed into law on October 28, 1998
• Focused primarily on methods to bypass access control
• Made it illegal to circumvent copy protection technologies
Laws and Standards

PCI DSS

• The Payment Card Industry Data Security Standard (PCI DSS) was jointly created in 2004 by four major credit-card companies: Visa, MasterCard, Discover, and American Express
• PCI data security requirements apply to all merchants and service providers who store, process, or transmit any cardholder data
PCI: Card Holder Data

Cardholder data is any Personally Identifiable Information (PII) of the cardholder.

Card Holder Data:
• Primary Account Number (PAN)
• Expiration date
• Card holder name

Sensitive Authentication Data:
• CVV or CVC (Card Verification Values)
• Track 1 & Track 2 data (magnetic stripe)
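A control an auditor often finds missing is that the PAN leaks into application logs, which then fall inside the scope of the PCI requirements above. The following is an added example, not course material or a PCI Council tool: it scans constructed log lines for candidate PANs, confirms them with the Luhn check that every PAN satisfies (so that order ids and session ids are not masked by mistake), and masks the middle digits, keeping the first six and last four as the common display rule. The function names, the regular expression and the sample lines are this example's own; the card numbers used are the well-known test numbers, not real accounts.

```python
"""Find and mask primary account numbers (PANs) in application log lines.

Added example (not from the course material). PCI DSS restricts where the PAN
may be stored and how it may be displayed; showing at most the first six and
last four digits is the usual masking rule. The log lines below are
constructed, and the card numbers in them are public test numbers.
"""
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod-10) check. Every PAN passes it, so it filters out most other
    long digit strings (timestamps, order ids) that match the regex."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, mask the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> tuple:
    """Return (scrubbed_line, number_of_pans_found) for one log line."""
    found = 0

    def _replace(match):
        nonlocal found
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)     # regex hit, but not a card number
        found += 1
        return mask_pan(digits)

    return PAN_PATTERN.sub(_replace, line), found


def scrub_log(lines: list) -> tuple:
    """Scrub a list of log lines; return (scrubbed_lines, total_pans_found)."""
    scrubbed, total = [], 0
    for line in lines:
        new_line, n = scrub_line(line)
        scrubbed.append(new_line)
        total += n
    return scrubbed, total


# Constructed log lines. 4111111111111111 and 5500000000000004 are documented
# test card numbers; 4111111111111112 fails the Luhn check and must stay as-is.
SAMPLE_LOG = [
    "2024-03-01T10:00:00Z checkout ok card=4111 1111 1111 1111 amount=19.99",
    "2024-03-01T10:00:01Z checkout ok card=5500-0000-0000-0004 amount=5.00",
    "2024-03-01T10:00:02Z order_id=4111111111111112 status=shipped",
    "2024-03-01T10:00:03Z login user=alice session=20240301100003001",
]

if __name__ == "__main__":
    clean, n = scrub_log(SAMPLE_LOG)
    print("\n".join(clean))
    print(f"{n} PAN(s) masked")
```

The Luhn filter is what makes the scrubber usable on real logs: without it, the 17-digit session id on the last line would be masked too, and operators would stop trusting the output. Note that masking is a display control only; the stronger finding is that the PAN should not have been written to the log at all.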
Knowledge Statement 2.6
Development, Implementation, and Maintenance of IT Strategy

Knowledge Statement 2.6

Knowledge of processes for development, implementation and maintenance of IT strategy, policies, standards, and procedures
Development, Implementation, and Maintenance of IT Strategy
Explanation for Knowledge Statement

IT development, implementation, and maintenance follow formal processes.

This is intertwined with strategy, policies, standards, and procedures.


Main Areas of Coverage

The main areas covered are:

• Strategies
• Steering Committee
• Development Policies
• Outsourcing

COBIT Control Objective PO1 - Define a Strategic IT Plan


COBIT Control Objective PO1.4 - IT Strategic Plan

ACTIONS MEASUREMENTS

1. Engaging with business and senior 1. Percent of IT objectives in the IT


management strategic plan that support the
strategic business plan
2. Understanding current IT capabilities 2. Percent of IT projects in the IT project
portfolio that can be directly traced to
the IT tactical plans
3. Providing a prioritization scheme 3. Delay between updates of IT strategic
plans and updates of IT tactical plans
Steering Committee

COBIT Control Objective PO4.3: IT Steering Committee is present within the process Define the IT Processes, Organization, and Relationships.

The steering committee should:

• Determine prioritization of IT-enabled investment programs
• Monitor status of projects
• Monitor service levels and service improvements
Development Policies

COBIT Control Objective PO8.3: Development and Acquisition Standards

• How is software developed? Tools and models
• How is software acquired? COBIT Control Objective AI2 - Acquire and Maintain Application Software
Outsourcing

Following are the various COBIT Control Objectives:

• COBIT Control Objective AI5: Procure IT Resources
• COBIT Control Objective AI5.3: Supplier Selection
• COBIT Control Objective AI5.4: IT Resources Acquisition

Value and Risk Drivers

Control Practices
Part B: IT Management
Part B: IT Management

The following topics are covered in Part B:

• IT Resource Management

• IT Service Provider Acquisition and Management

• IT Performance Monitoring and Reporting

• IT Quality Assurance and Quality Management


IT Resource Management
Resource Allocation

Knowledge Statement 2.9

Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, personnel management)
IT Resource Management
Explanation

Proper resource allocation

Prioritization
Main Areas of Coverage

The main areas covered are:

IT Investment and Allocation Practices

Financial Management Practices


Resource Management
COBIT Control Objective ME4.4: Resource Management

S Strategic Alliances

B Business Priorities

A Allocate Investments

M Monitor
Value Drivers

• Goals achieved
• Efficient and effective prioritization (Priorities)
• Efficient IT resources utilization (Resources)
• IT planning support and optimization (Planning)
• IT costs optimization (Costs)
Risk Drivers
Following are the common Risk Drivers:

• Incorrect priorities (Priorities)
• Insufficient capabilities and skills (Skills)
• Insufficient resources (Resources)
• Fragmented and/or inefficient infrastructure (Infrastructure)
• Insufficient resources to achieve desired goals (Goals achieved)
VAL IT Framework

The VAL IT framework is an initiative of the IT Governance Institute (ITGI) to help enterprises optimize the business value derived from investments in IT. The VAL IT framework complements COBIT.

• Goal: Business value from IT
• Version: Currently in version 2.0
• Domains: Value governance, Portfolio management, Investment management
VAL IT

7 principles of VAL IT

IT-enabled investments will:
• Be managed as a portfolio of investments
• Include complete scope of activities necessary to achieve business values
• Be managed through their full economic life cycle

Value delivery practices will:
• Recognize different categories of investments to be evaluated and managed differently
• Define and monitor key metrics and respond quickly to any changes or deviations
• Engage all stakeholders and assign appropriate accountability for delivery of capabilities and realization of business benefits
• Be continually monitored, evaluated, and improved

Source: ISACA VAL IT Brochure
Risk IT Framework
Following are the features of Risk IT framework:

• Always connects to the business objectives
• Aligns the management of IT-related business risks with the enterprise risk management
• Balances the costs and benefits of managing IT risks
• Enforces accountability
Risk IT
• Risk IT is an initiative of ISACA dedicated to helping enterprises manage IT-related risk.
• Risk IT also complements COBIT.
• It is based on the principles of ERM (Enterprise Risk Management).
• IT Risk is a part of business risk and is the outcome of the use, ownership, and adoption of IT in an organization.

Principles of Risk IT

• IT risk always aligns with business objectives
• IT risk should be aligned with enterprise risk management
• IT risks should be openly and fairly communicated
• IT risk management must be a continuous process and be a part of daily activities
• IT risk management should be driven by cost-benefit analysis
• Accountability must be enforced and defined to set the right tone and conform to well-defined tolerance levels
IT Investment and Allocation Practices

Enterprises have limited resources in the form of people and money, which can be allocated to IT investments. These
investments provide financial benefits such as cost reduction, and non-financial benefits such as improved customer
satisfaction.

Information Technology value is determined by the relationship between what the organization pays and what it receives.

The key governance practices to increase the value of IT are:

• Evaluate value optimization
• Direct value optimization
• Monitor value optimization


Implementing IT Portfolio Management

The methods to implement IT Portfolio Management are:

• Risk-profile analysis
• Diversification of projects
• Continuous alignment with business goals
• Continuous improvement
• Infrastructure and technologies
Financial Management Practices

Financial management is a critical element of all business functions, in which the user-pays scheme (a form of chargeback) can improve application monitoring of IS expenses and available resources.

IS Budget:
• Facilitates adequate allocation of funds, especially in the IS environment where expenses can be cost-intensive
• Allows forecasting, monitoring, and analyzing financial information
• Should be linked to short-range and long-range IT plans
Financial Management Practices

Key points in software development are as follows:

• IS auditor should know how an enterprise tracks costs in software development
• This includes understanding the requirements of treating costs related to software development for internal use or for sale
IT Service Provider Acquisition and Management
IT Resource Investment and Allocation Practices
Knowledge Statement 2.10

Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes, including third-party outsourcing relationships
IT Service Provider Acquisition and Management
Explanation

How to select suppliers

Managing contracts

Managing relationships

Monitoring processes

COBIT Control Objective AI5.2 - Supplier Contract Management


Vendor/Supplier Selection
Following is the process of vendor/supplier selection. The IS auditor should be familiar with vendor/supplier selection:

1 Capabilities

2 Business stability

3 Growth potential

4 Prior relationships
Reviewing Contractual Commitments
The IS auditor should be familiar with the Request for Proposal (RFP) process and know what needs to be reviewed.

Issues that should be addressed will cover:

• Service levels
• Right to audit, or third-party audit reporting
• Software escrow
• Penalties for non-compliance
• Contract termination and any associated penalties
• Contract change processes
• Protection of customer information
• Adherence to security policies and procedures
Software Contracts

Software contracts reviewed by an IS auditor include:

• Contract bidding process
• Development of contract requirements and service levels
• Contract acceptance
• Contract maintenance
• Contract compliance
Value Drivers

• Defined supplier relationship, objectives, and goals
• Efficiently managed procurement of resources
• High-quality contribution to businesses and IT processes
Control Policies

Establish supplier contract management responsibilities:

• Intellectual property rights
• Technology upgrade clauses
• SLAs
• Penalties or incentives for SLA
• Right to audit
• Monitoring and reporting against SLAs
• QA practices
• Notification and escalation procedures
• Security standards, records management, and control requirements
Contract Policies
Following are the various Contract Policies:

• All contracts and contract changes should be reviewed by legal advisors
• Internal review of supplier/vendor
• Software escrow agreements
• Alternative vendors/suppliers
IT Performance Monitoring and Reporting
Process Optimization
Explanation for Knowledge Statement

Process optimization approaches

Specific techniques

Tools
Performance Optimization

• Performance optimization is the process of improving the productivity of information systems to the highest possible level without additional investment in the IT infrastructure.
• Performance optimization is driven by key performance indicators (KPIs) based on the business operations/processes, strategic IT solutions, and corporate strategic objectives.

The broad phases of performance measurement include:

• Establishing and updating performance measures
• Establishing accountability for performance measures
• Gathering and analyzing performance measures
• Reporting and using performance information
Optimization

Following are the different categories of Optimization:

Equipment optimization Control optimization

Operating procedures
Optimization Approaches

Following are the various Optimization approaches:

Lean Management TQM Kaizen Six Sigma


DMAIC and DMADV
DMAIC and DMADV are fundamental elements of Six Sigma.

DMAIC is used to improve an existing process: Define, Measure, Analyze, Improve, Control

DMADV is used to develop a new process, without any yardstick for improvement: Define, Measure, Analyze, Design, Verify
DRIVE
Expansion of DRIVE

D efine

R eview

I dentify

V erify

E xecute
Methods
Following are the various methods for Process Improvement:

CEDAC

Brainstorming

Pareto
Analysis

Methods
CEDAC

CEDAC (Cause and Effect Diagram) method, also known as Fishbone or Ishikawa.

In this method, the problem is written at the end of a horizontal line drawn on a sheet of paper, which resembles the spine of a fish.

On either side of the spine, lines are drawn and labelled with the major factors involved, like task, people, and location. The causes and the effects of the problem are written along the fish bones.
Pareto Analysis

Pareto Analysis is derived from the Pareto principle, also known as the 80/20 principle.

The Pareto principle is widely used in quality control and can be applied to the following scenarios:

• 20% of defects cause 80% of the problem
• 80% of complaints stem from 20% of your products
• 20% of your workforce produces 80% of the results
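Pareto analysis applied to audit findings, as an added example that is not part of the course material: it ranks finding categories by frequency, accumulates their share, and returns the "vital few" categories that together account for a chosen percentage of all findings. The finding categories and counts are constructed so that the cut falls at 80%; pareto_table, vital_few and count_findings are hypothetical helper names.

```python
"""Pareto analysis of audit findings by cause category.

Added example (not from the course material). The findings below are
constructed; in practice they would come from the audit issue tracker.
"""
from collections import Counter


def count_findings(findings: list) -> dict:
    """Count findings per category: {category: count}."""
    return dict(Counter(findings))


def pareto_table(counts: dict) -> list:
    """Sort categories by frequency (ties by name) and compute cumulative
    percentages. Returns (category, count, percent, cumulative_percent) rows."""
    total = sum(counts.values())
    rows, cumulative = [], 0.0
    for category, count in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        pct = 100.0 * count / total
        cumulative += pct
        rows.append((category, count, round(pct, 1), round(cumulative, 1)))
    return rows


def vital_few(counts: dict, threshold: float = 80.0) -> list:
    """Return the smallest set of top categories that together account for at
    least `threshold` percent of all findings (the Pareto 'vital few')."""
    selected = []
    for category, _count, _pct, cum in pareto_table(counts):
        selected.append(category)
        if cum >= threshold:
            break
    return selected


# Constructed sample: cause category of each of 100 audit findings. Two of the
# ten categories (20%) account for 82% of the findings.
SAMPLE_FINDINGS = (
    ["Excessive access rights"] * 52
    + ["Missing change approval"] * 30
    + ["Unpatched system"] * 5
    + ["No backup evidence"] * 4
    + ["Weak password policy"] * 3
    + ["Undocumented procedure"] * 2
    + ["Missing SoD review"] * 1
    + ["Incomplete asset inventory"] * 1
    + ["Expired vendor contract"] * 1
    + ["Unreviewed firewall rule"] * 1
)

if __name__ == "__main__":
    counts = count_findings(SAMPLE_FINDINGS)
    print(f"{'Category':<28}{'n':>4}{'%':>7}{'cum%':>7}")
    for category, n, pct, cum in pareto_table(counts):
        print(f"{category:<28}{n:>4}{pct:>7}{cum:>7}")
    print("Vital few:", vital_few(counts))
```

The table is the data behind a Pareto chart; the vital few are where corrective action (here, access review and change management) should be directed first.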
Monitoring and Reporting IT Performance

Knowledge Statement 2.14

Knowledge of practices for monitoring and reporting IT performance (for example, balanced scorecard [BSC] and key performance indicators [KPIs])
IT Performance Monitoring and Reporting
Explanation

IT governance progress must be measured and monitored with effective tools such as balanced scorecards
(BSCs) and key performance indicators (KPIs)

The results provide a clear indication of the capabilities of organization to meet its objectives

It also shapes IT Strategy for the long-term


Main Areas of Coverage

The main areas covered are:

IT Balanced Scorecard KPI


IT Balanced Scorecard

The IT balanced scorecard (BSC) is a process management evaluation technique that can be applied to the IT governance process to assess IT functions and processes. A balanced scorecard measures:

• Financial performance
• Customer/user satisfaction
• Internal/operational processes
• The ability to learn and innovate
IT Balanced Scorecard

The scorecard measures:

• Business Contribution
• User Satisfaction
• Operational Excellence
• Innovation
IT Balanced Scorecard

The scorecard illustrates the relationship between financial, internal business processes, the customer, and learning and
growth in determining a balanced score.
KPI

The key stages in identifying KPIs are:

• A pre-defined business process (BP)
• Requirements for the business process
• Quantitative measurement of the results
• Investigating variances
• Result Indicators (RIs)/Key Result Indicators (KRIs)
• Performance Indicators (PIs)/Key Performance Indicators (KPIs)
• Combined teamwork
IT Quality Assurance and Quality Management
Quality Management and Quality Assurance
Explanation

IS audits examine IS quality

Quality Assurance is not the same as Quality Management


Main Areas of Coverage

The main areas covered are:

Quality Assurance

Quality Management
Quality Assurance

Following are the different ways to perform Quality Assurance:

1 Failure Testing

2 Statistical Controls

3 TQM

A few standards involved in Quality Assurance are the following:

ISO 17025 +
ISO 9000 +
Standards

A few standards involved in Quality Assurance are the following:

ISO 17025 -
• General requirements for the competence of testing and calibration
laboratories
• Scope
• Normative references
• Terms and definitions
• Management requirements
• Technical requirements

ISO 9000 +
Standards

A few standards involved in Quality Assurance are the following:

ISO 17025 +
ISO 9000 -
• Customer focus
• Leadership
• Involvement of people
• System approach to management
• Continual improvement
• Factual approach to decision-making
• Mutually beneficial supplier relationships
Quality Management
Quality Management includes:

• Quality planning
• Quality control
• Quality assurance
• Quality improvement
Quality Management Standards

• ISO 9004:2008 – guidelines for performance improvement
• Six Sigma
• Kaizen
• Taguchi methods
• ISO 15504-4:2005 – information technology – process assessment
• TQM
• Business Process Reengineering
Quality Management Systems
Knowledge Statement 2.7

Knowledge of the use of capability and maturity models
ISACA KPI

Following are the different Key Performance Indicator (KPI) perspectives and indicators:

Perspectives:
• IT services perspective
• Customer perspective
• Process perspective
• Learning and growth

Indicators (a system of interrelated indicators):
• Supply indicators
• Financial indicators
• Process performance indicators
• Quality indicators
• Economic indicators
SMART

Expansion of SMART

S Specific

M Measurable

A Achievable/Acceptable

R Realistic/Relevant

T Time-specific/Trackable
Quality Management

COBIT Control Objective PO8 - Manage Quality

Quality Management is the process by which IS department-based processes are controlled, measured, and improved. Areas of control for quality management include the following:

• Software development, maintenance, and implementation
• Acquisition of hardware and software
• Day-to-day operations
• Service management
• Security
• HR management
• General administration

A good example of quality management is ISO 9001:2008.
ISO Quality Management Systems (QMS)
ISO QMS incorporates the following 8 principles:

• Customer focus
• Leadership
• Involvement of People
• Process approach
• System approach to management
• Continual improvement
• Factual approach to decision-making
• Mutually beneficial supplier relationship
Knowledge Statement 2.8
Process Optimization

Knowledge of process optimization techniques

Knowledge Statement 2.12 and 2.13
Quality Management and Quality Assurance

Knowledge Statement 2.12

Knowledge of the practices for monitoring and reporting controls performance (e.g., continuous monitoring, quality assurance [QA])

Knowledge Statement 2.13

Knowledge of Quality Management and quality assurance (QA) systems

Knowledge Statement 2.15
Business Impact Analysis Related to Business Continuity Planning

Knowledge of business impact analysis (BIA)
Business Impact Analysis Related to Business Continuity Planning
Explanation for Knowledge Statement

The IS auditor should determine whether BIA and BCP are suitably aligned

BCP should be based on a well-documented BIA to be efficient and effective

BIA drives the focus of BCP/disaster recovery plan (DRP) efforts of the organization and helps balance the costs
to be incurred with corresponding benefits to the organization
Main Areas of Coverage

Business Impact Analysis

Business Impact Analysis is a component of Business Continuity Planning (BCP), which identifies events that could impact the continuity of operations and assesses the impact of these events.

BIA helps an organization to:

• Understand the priorities and time requirements for recovery of business functions
• Gather information regarding the organization’s current recovery capabilities
Business Impact Analysis: Activities, Approval, and Approaches

Activities involved in BIA:
• Understanding the organization
• Key business processes
• IT personnel
• End-users
• Roles involved

Approvals required in BIA: Senior management

Approaches of BIA are: Questionnaires, interviews, and brainstorming sessions
Business Impact Analysis: Points to Consider

It is important to analyze the following questions before the business impact analysis.
• What are the organization’s business processes?
• What are the critical information resources related to the critical business processes?
• What is the critical recovery time for information resources to resume business processing before
significant or unacceptable losses?
Business Impact Analysis: RTO and RPO

Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are discussed here.

Recovery Time Objective (RTO): This is the acceptable downtime in case of a disruption to operations (determines processes and technology used for backup and recovery, for example, data tapes or disk).

Recovery Point Objective (RPO): This is the acceptable data loss in case of a disruption to operations (determines the frequency of backup).
Disruption Cost vs. Recovery Costs

The diagram shows the relationship between Disruption costs and Recovery costs. The two should be balanced to attain an optimum protection level of key information assets, that is, to obtain an optimal RPO and RTO.

If the business continuity strategy aims at a longer recovery time, it will be less expensive than a more stringent requirement, but more susceptible to downtime costs spiraling out of control.

Downtime cost of the disaster in the short run (for example, hours, days, and weeks) grows quickly with time, where the disruption impact increases if it lasts longer. At a certain moment, it stops growing, reflecting the moment or point when the business can no longer function.
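The balance described above, worked through with numbers as an added example that is not part of the course material: each candidate recovery strategy carries an RTO and an annual recovery cost, the expected disruption cost is computed from a downtime cost curve that grows with outage length and flattens at the point where the business can no longer function, and the strategy with the lowest combined cost is the optimum. The cost curve (accelerating growth up to a cap), the four strategies, and every figure are constructed assumptions; in practice they come from the BIA. Function names such as downtime_cost and choose_strategy are this example's own.

```python
"""Balancing disruption (downtime) cost against recovery cost to pick an RTO.

Added example, not part of the course material. The downtime cost curve, the
candidate recovery strategies and every figure below are constructed to
illustrate the trade-off in the text; in practice they come from the BIA.
"""

# Constructed parameters (assumptions, not figures from the course).
COST_PER_HOUR = 5000.0       # direct loss per hour of outage, early in the outage
CAP_HOURS = 240.0            # after 10 days the business can no longer function
INCIDENTS_PER_YEAR = 0.5     # expected number of major disruptions per year

# Constructed candidate strategies: (name, RTO in hours, annual recovery cost).
# A shorter RTO needs more standby infrastructure and therefore costs more.
STRATEGIES = [
    ("Hot site", 1, 400_000.0),
    ("Warm site", 8, 150_000.0),
    ("Cold site", 72, 40_000.0),
    ("Tape restore offsite", 168, 10_000.0),
]


def downtime_cost(hours, cost_per_hour=COST_PER_HOUR, cap_hours=CAP_HOURS):
    """Disruption cost of one outage lasting `hours`.

    Modelled (assumption) as accelerating growth, since the impact of an outage
    increases the longer it lasts, and flat once `cap_hours` is reached: that
    is the point at which the business can no longer function, so a longer
    outage cannot cost more than the loss already incurred.
    """
    h = min(hours, cap_hours)
    return cost_per_hour * h * (1.0 + h / cap_hours)


def expected_annual_disruption_cost(rto_hours, incidents_per_year=INCIDENTS_PER_YEAR,
                                    cost_per_hour=COST_PER_HOUR, cap_hours=CAP_HOURS):
    """Expected disruption cost per year if every outage lasts the full RTO."""
    return incidents_per_year * downtime_cost(rto_hours, cost_per_hour, cap_hours)


def choose_strategy(strategies=STRATEGIES, incidents_per_year=INCIDENTS_PER_YEAR,
                    cost_per_hour=COST_PER_HOUR, cap_hours=CAP_HOURS):
    """Return (best_strategy_name, table).

    table rows: (name, rto_hours, annual_recovery_cost, expected_disruption,
    total), money columns rounded to whole units. The best strategy is the one
    with the lowest total: the balance point between recovery cost and
    disruption cost described in the text.
    """
    table = []
    for name, rto_hours, recovery_cost in strategies:
        disruption = expected_annual_disruption_cost(
            rto_hours, incidents_per_year, cost_per_hour, cap_hours)
        table.append((name, rto_hours, round(recovery_cost),
                      round(disruption), round(recovery_cost + disruption)))
    best = min(table, key=lambda row: row[4])
    return best[0], table


if __name__ == "__main__":
    best, table = choose_strategy()
    print(f"{'Strategy':<22}{'RTO(h)':>7}{'Recovery':>10}{'Disruption':>12}{'Total':>10}")
    for name, rto, rec, dis, tot in table:
        print(f"{name:<22}{rto:>7}{rec:>10}{dis:>12}{tot:>10}")
    print("Lowest total cost:", best)
```

With the constructed figures the hot site overpays for recovery, the tape strategy lets downtime cost dominate, and the warm site (8-hour RTO) is the balance point. The same structure applies to RPO, with data-loss cost in place of downtime cost and backup frequency in place of the standby site.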
Knowledge Statement 2.16
Business Continuity Plan (BCP)

Knowledge Statement 2.16

Knowledge of the standards and procedures for development, maintenance, and testing of the business continuity plan (BCP)
Business Continuity Plan (BCP)
Explanation for Knowledge Statement

The IS Auditor needs to understand the life cycle of BCP/DRP plan development and maintenance and the types of
BCP tests, factors to consider when choosing the appropriate test scope, methods for observing recovery tests and
analyzing test results.
Main Areas of Coverage

The main areas covered in this domain are:

• IS Business Continuity Planning
• Business Continuity Planning Process
• Business Continuity Policy
• Business Continuity Planning Incident Management
• Development of Business Continuity Plans
• Other Issues in Plan Development
• Components of a Business Continuity Plan
• Plan Testing
Components of an Effective BCP

The components of a Business Continuity Plan depend on the organization size and requirements. It may include:

• Crisis communication plan
• Continuity of support plan
• Incident response plan
• Continuity of operations plan
• Disaster recovery plan
• Business resumption plan
• Occupant emergency plan
Components to be Agreed

The components to be agreed are:

• Governing policies
• Goals/requirements/products
• Alternative facilities
• Critical IS resources to deploy
• Data and systems
• Staff required/responsible for recovery tasks
• Key decision-making personnel
• Resources to support deployment
• Backup of required supplies, other personnel
• Schedule of prioritized activities
Business Continuity Plan Testing

BCP testing involves:

1 Testing the developed plans to determine if they work and identify areas that need improvement

2 Specifications such as objective and scope of the test, test execution, and pretest

3 Testing of plan by post-test, paper test, preparedness test, and full operational test

4 Documentation of test results, which include document observations, problems, and resolutions to facilitate recovery in a real disaster

5 Analysis of the results obtained against specifications set in time, amount, count, and accuracy
Business Continuity Plan Test Execution

BCP tests can be executed by conducting pre-test, actual test, and post-test.

Pre-test: The set of actions necessary to set the stage for the actual test. This ranges from placing tables in the proper operations recovery area to transporting and installing backup telephone equipment.

Actual test: This is the stage for real action of the business continuity test.

• Actual operational activities are executed to test specific objectives of the BCP.
• This is the actual test of preparedness to respond to an emergency.
Business Continuity Plan: Test
There are five levels of testing.

Level 5 Cutover

Level 4 Parallel

Level 3 Simulation

Level 2 Walkthrough

Level 1 Document Review


Knowledge Statement 2.17
Business Continuity Plan (BCP)
Knowledge Statement 2.17

Knowledge of the procedures used to invoke and execute the business continuity plan (BCP) and return to normal operations
Business Continuity Plan (BCP)
Explanation for Knowledge Statement

What is involved in invoking a BCP and DRP

How do you return to normal operations


Invoking the BCP/DRP

What factors trigger the BCP?

Who is authorized to invoke the BCP?


What steps must be taken to resume normal
operations?
Domain Two Exam Quick Pointers

Data and systems owners are accountable for maintaining appropriate security measures over information assets.

Business unit management is responsible for implementing cost-effective controls in an automated system.

Proper segregation of duties prohibits a system analyst from performing quality assurance functions (it is difficult for us to poke holes in our own work).

The board of directors is ultimately accountable for developing an IS security policy.

Know BIA, RTO, and RPO


Knowledge Check

QUIZ 1
To support organizational goals, the IS department should have ___________.

a. a leading-edge technology

b. plans to acquire new hardware and software

c. a low-cost philosophy

d. long- and short-range plans

The correct answer is d

The IS department should have long- and short-range plans that are consistent with the organization's
plans to attain its goals.
QUIZ 2
An organization needs to better understand whether one of its key business
processes is effective. What action should the organization consider?

a. Audit the process

b. Benchmark the process

c.

d. Offshore the process

The correct answer is a

Auditing is the best way to understand a process.

QUIZ 3
An IS auditor is reviewing a contract management process to determine the financial viability
of a software vendor for a critical business application. Which of the following is correct
regarding the vendor's suitability?

a. can deliver on the immediate contract

b. has similar financial standing as the organization

c. has significant financial obligations that can impose liability on the organization

d. support the organization in the long term

The correct answer is d

The long-term viability of a vendor is essential to derive maximum value for the organization. It is more
likely that a financially sound vendor would be in business for a long period of time.
QUIZ 4
An organization having a number of offices across a wide geographical area has
developed a disaster recovery plan. Using actual resources, which of the
following is the MOST cost-effective test of the disaster recovery plan?

a. Cutover test

b. Walk through

c.

d. Regression test

The correct answer is a

A cutover test literally causes the primary systems to go offline, to ensure that backup systems and
processes function.
QUIZ 5
Which of the following is the MOST important action in recovering from a
cyber-attack?

a. Creating an incident-response team

b. Using cyber-forensic investigators

c. Executing a business continuity plan

d. Filing an insurance claim

The correct answer is c

The most important step in recovering from cyber-attacks is the execution of a business continuity plan
to quickly and cost-effectively recover critical systems, processes, and data.
Case Study
Case Study 1

An IS auditor has been asked to audit a financial services company. The primary goal is to evaluate the alignment of
business strategic objectives with the IT objectives. While collecting data, the IS auditor finds the documentation for the
business strategic objectives is a brief list in a PowerPoint presentation. And there are items in the IT strategic plan
specifically designed to support specific business goals that are not in the budget. Some IT projects do not correlate to
any business objective. Finally, he discovers the communication between the IT management and the executive staff is
not effective.
QUIZ 1
Which of the following is a big concern for the auditor?

a. Items not correlated to business objectives

b. Items that are correlated but not budgeted

c. The abbreviated documentation for strategic objectives

d. Poor communication between IT and executives

The correct answer is b.

These are clearly defined items that have been determined to be necessary to support strategic goals, but
are not budgeted for. Answer option A would be the next most serious issue, as it wastes financial
resources on unnecessary projects. Options C and D are both concerns, but not as critical as B.
QUIZ 2
Which is the most important reason that the abbreviated business strategic
goals would be a concern?

a. They would not, that is sufficient

b. The lack of detail makes it difficult to align IT with strategic goals

c. It may indicate poor communication from executives to IT

d. It may indicate executives' lack of strategic vision

The correct answer is b.

While options C and D are both possible, those are primarily outside the scope of an IS audit. Option B is
measurable and definable, and should be noted in the audit.
Case Study 2

An IS auditor is tasked with the review of a hotel chain’s outsourcing agreements. The company
outsources management of its Website, Web servers, and reservation application (including the
backend database) to a third-party. This business relationship has existed for 3 years, and is working
well. So far, there have been no significant outages and no security breaches.
QUIZ 1
Which of the following is the least important in an IS audit review?

a. The Web servers' vulnerability to attack

b. The SLA

c. Incident reports in the past 3 years

d. The process for updating and patching Web servers

The correct answer is c.

There are no outages or breaches in the past three years. Hence, there should be few minor incidents.
QUIZ 2
Why should you closely review the SLA, even though the company reports show
satisfaction with the service?

a. Because there are no incidents to test the SLA

b. You need not review the SLA

c. You should briefly review the SLA

d. Because it is a common item to review in an audit

The correct answer is a.

Simply because the company has been satisfied so far does not mean the SLA is adequate or complete. It
is likely that there will eventually be a breach or outage, and it is important to confirm that the SLA is
adequate.
Key Takeaways

You are now able to:

Evaluate the IT strategy for alignment with the organization’s strategies and objectives

Evaluate the effectiveness of IT governance structure and IT organizational structure

Evaluate the organization’s IT policies and practices for compliance with regulatory and legal requirements

Evaluate IT resource and portfolio management for alignment with the organization’s strategies and objectives

Evaluate the policies of organization's risk management and data governance

Evaluate IT management and monitoring of controls

Evaluate the monitoring and reporting of IT key performance indicators (KPIs)

Evaluate whether IT supplier selection, service, and contract management processes align with business requirements

Conduct periodic review of information systems and enterprise architecture

Evaluate the information security program to determine its effectiveness and alignment with the organization's strategies and objectives

Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices
This concludes ‘Governance and Management of IT.’
The next domain is ‘IS Acquisition, Development, and Implementation.’
Certified Information Systems Auditor (CISA®)
Information Systems Acquisition, Development, and Implementation

Learning Objectives

By the end of this domain, you’ll be able to:

Evaluate whether the business case for the proposed changes in information systems meets the business objectives

Explain the organization's project management policies and practices

Evaluate the controls at the stages of the information systems development life cycle

Illustrate the readiness of information systems for implementation and migration into production

Conduct post-implementation review of systems to determine whether project deliverables, controls, and requirements are met

Evaluate change, configuration, release, and patch management policies and practices
Part A: Information Systems Acquisition and Development

The following topics are covered in Part A:


• Project governance and management

• Business case and feasibility analysis

• System development methodologies

• Control identification and design


Overview

Organizations need proper processes and methodologies to create and change application systems and infrastructure
components. This is called information systems lifecycle management. Information systems lifecycle management encompasses
the following information system lifecycle:

Acquisition plan → Acquisition → Use and maintenance → Retire information system
Project Governance and Management
Project Organizational Forms

Following are the project organizational forms:

• Influence
• Pure project
• Matrix
Project Organizational Forms

Influence Project Organization Form

• Project managers have no formal or managerial authority
• Their role is advisory in nature
• They are at a peer level with other members


Project Organizational Forms

Pure Project Organization

• Team members are involved completely in the project
• Project managers have complete responsibility for the project
• They have entire management authority over all team members


Project Organizational Forms

Matrix Project Organization

• It is a hybrid form that combines characteristics of the influence and pure project forms
• Responsibility for the project is shared between the Project Manager and functional managers
• Members of the project report to both the Project Manager and their functional managers
Project Organizational Forms

The IS auditors must be familiar with all project organizational forms and choose the most appropriate one for the
project. They must review the implications for management of the project.

They can be included as advisors for their expertise in controlling aspects. However, this makes them ineligible to
audit the project or application while it is operational.

Last, but not the least, the IT Steering Committee must prioritize the IT projects.
Project Objectives

Main Objectives

Sub Objectives

Project Breakdown
Project Communication

On initiating a project management process, communication may be achieved in a number of ways depending on its size and
complexity. Project communication types are as follows:

(Diagram: communication paths among managers and team members.)
Project Culture

Project culture represents the norms and rules of engagement of the project. It is the common understanding or the
orientation expected of the team. Project culture development/influencing methods include:

• Establishment of a project mission statement
• Project-specific social events
• Project name and logo
• Project team meeting rules and communication protocols
• Project office or meeting place
• Project intranet

Project Management Practices and Project Initiation

Project management processes include:

• Initiating
• Planning
• Executing
• Controlling
• Closing
Elements of Project

Projects have three key intertwining elements called Deliverables, Duration, and Budget (these should have positive
correlation).



Software Size Estimation

Software Size Estimation methods are used to determine the relative physical size of the application software to be
developed. These methods are:
Software Size Estimation

One of the methods of software size estimation is Function Point Analysis (FPA):

FPA is an indirect measure of the size of an information system (software size) based on the number and complexity of inputs,
outputs, files, external interfaces, and queries.

Complexity adjustments (rating factors) are used based on analysis of reliability, criticality, complexity, reusability, changeability and
portability.
Software Cost Estimation

Software Cost estimation is a consequence of software size estimation and involves estimation of programs at each phase. Some of
the components to consider when using these techniques include:
Budgets and Schedules

Tasks involved in budgeting and scheduling are:


Critical Path Methodology (CPM)

In the Critical Path Methodology (CPM), a project is represented as a network in which activities are shown as branches
connected at nodes to the immediately preceding and immediately following activities.
Program Evaluation Review Technique (PERT)

Program evaluation review technique (PERT) is used for planning and control, estimation of time and resources required, and
detailed scheduling (timing and sequence).
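The two techniques above, as an added example that is not part of the course material: PERT three-point estimates give each activity an expected duration, and a CPM forward and backward pass over the activity network computes early/late dates, total float, and the critical path. The activity names, estimates, and dependencies are constructed for illustration.

```python
"""Added example (not from the course): PERT expected durations feeding a
CPM forward/backward pass.  All activities and estimates are constructed."""
from collections import defaultdict


def pert_expected(optimistic, most_likely, pessimistic):
    """PERT expected duration: (O + 4M + P) / 6."""
    return (optimistic + 4 * most_likely + pessimistic) / 6


def critical_path(activities):
    """activities: {name: (duration, [predecessor names])}.

    Returns (project_duration, schedule, critical) where
    schedule[name] = (ES, EF, LS, LF, total_float) and critical lists the
    zero-float activities in network order.
    """
    successors = defaultdict(list)
    indegree = {}
    for name, (_, preds) in activities.items():
        indegree[name] = len(preds)
        for p in preds:
            successors[p].append(name)

    # Kahn's algorithm: an order in which every predecessor comes first
    order, ready = [], [n for n, d in indegree.items() if d == 0]
    while ready:
        name = ready.pop(0)
        order.append(name)
        for s in successors[name]:
            indegree[s] -= 1
            if indegree[s] == 0:
                ready.append(s)
    if len(order) != len(activities):
        raise ValueError("activity network contains a cycle")

    # Forward pass: earliest start/finish of each activity
    es, ef = {}, {}
    for name in order:
        duration, preds = activities[name]
        es[name] = max((ef[p] for p in preds), default=0.0)
        ef[name] = es[name] + duration
    project_duration = max(ef.values())

    # Backward pass: latest start/finish that does not delay the project
    ls, lf = {}, {}
    for name in reversed(order):
        duration = activities[name][0]
        lf[name] = min((ls[s] for s in successors[name]), default=project_duration)
        ls[name] = lf[name] - duration

    schedule = {n: (es[n], ef[n], ls[n], lf[n], ls[n] - es[n]) for n in order}
    critical = [n for n in order if abs(ls[n] - es[n]) < 1e-9]
    return project_duration, schedule, critical


def sample_project():
    """Constructed implementation project: (O, M, P) estimates in days.
    A requirements, B design, C procure hardware, D development,
    E install hardware, F testing, G go-live."""
    estimates = {
        "A": ((2, 4, 6), []),
        "B": ((3, 5, 13), ["A"]),
        "C": ((2, 3, 10), ["A"]),
        "D": ((6, 8, 16), ["B"]),
        "E": ((1, 2, 3), ["C"]),
        "F": ((2, 3, 4), ["D", "E"]),
        "G": ((1, 1, 1), ["F"]),
    }
    return {n: (pert_expected(*omp), preds) for n, (omp, preds) in estimates.items()}


if __name__ == "__main__":
    total, sched, crit = critical_path(sample_project())
    for n, (s, f, l_s, l_f, fl) in sched.items():
        print(f"{n} ES={s:4.1f} EF={f:4.1f} LS={l_s:4.1f} LF={l_f:4.1f} float={fl:4.1f}")
    print("project duration:", total, "critical path:", " -> ".join(crit))
```

Activities C and E carry nine days of float; any slip on A, B, D, F, or G moves the go-live date directly.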
Gantt Charts

Gantt charts are a graphical representation of scheduled tasks.


Timebox Management
Project Controlling Activities

The controlling activities of a project include management of scope, resource usage, and risk. New requirements should be
documented and, if approved, allocated the appropriate resources.

To manage scope, the deliverables breakdown is accompanied by proper documentation in a component management database
(CMDB).

Changes to scope will always lead to changes in activities impacting deadline and budget. Therefore, these need to be handled
formally in a Change Management Process.
Project Controlling

The steps in the Change Management Process are as follows:


Resource Usage Management

Resource usage is the process by which the project budget is being spent.

It checks if actual spending is in line with planned spending. Resource usage must be
measured and reported.

Every budget and project plan presupposes a certain "productivity" of resources and
delivers the expected quality of the outcome/deliverable.

The Earned Value Analysis (EVA) technique can be used to check this. It involves continuously comparing
the following:
Closing a Project

A project should be finite and at some point be closed, with the new or modified system handed over to the users and/or system
support staff.

• Survey the project team, development team, users, and other stakeholders to identify any lessons learned that can be applied to future projects.
• The project sponsor should be satisfied that the system produced is acceptable and ready for delivery.
• Custody of contracts may need to be assigned, and documentation archived or passed on to those who will need it.
Closing a Project: Post Project Review

A post project review is important to improve a project.


Project Governance Framework

The project manager’s skill set should be commensurate with the project at hand.

To manage all the relevant parameters of a large project, project management practices, tools and control
frameworks are required.

Projects need to be managed on hard (Example: Budget and technical requirements), soft (Example: Personal
relationships, and departmental politics), and environmental factors.

COBIT Control PO10.3 - Project Management Approach.


Value Drivers

• Optimized use of resources for project management tasks
• Clear roles and responsibilities
• Clear accountability and commitment for key decisions
• Enhanced alignment of project objectives with business objectives
• Timely ability to react to and deal with project issues
Risk Drivers

• Confusion caused by different project management approaches within the organization
• Negative impact on project completion
• Failure to respond to project issues with optimal and approved decisions
Controls

Project risks can be mitigated via controls which include:

Establishing a project management governance structure


• Project’s size
• Complexity
• Risks including legal, regulatory, and reputational risks

Defining the responsibility and accountability of roles


• The project manager
• The steering committee

Regular reporting and reviewing


Project Governance Mechanisms

Strong project governance is essential for successful project implementation.

Effective and efficient deployment of project resources is enhanced by having adequate project governance
mechanisms.

The more complex the project, the more elaborate the governance structures and mechanisms.

Use of vendors can speed up a project and potentially reduce total costs.

However, use of vendors adds risks, especially if the vendor is a single or sole source provider.

Proper vendor management can reduce or prevent problems caused by picking a vendor that is unable to achieve
the required solution or timescale, and by ensuring that contracts address business needs and do not expose
the business to unnecessary risk.
Main Areas of Coverage

The main areas covered under this knowledge statement include:

• Hardware acquisition
• Infrastructure development
• System software acquisition
Hardware Acquisition

Selection of a computer hardware and software environment frequently requires the preparation of specifications for
distribution to hardware/software (HW/SW) vendors and criteria for evaluating vendor proposals.

The specifications are sometimes presented to vendors in the form of an invitation to tender (ITT), also known as a request for
proposal (RFP).
Hardware Acquisition

When acquiring a system, the specifications should include the following:

• Information processing requirements
• Hardware requirements
• System software applications
• Support requirements
• Adaptability requirements
• Constraints
• Conversion requirements
• Organizational descriptions indicating whether the computer facilities are centralized or decentralized, distributed, outsourced, and manned or lights-out
Hardware Acquisition

When purchasing or acquiring hardware and software from a vendor, consider the following:

Testimonials or visits with other users

Provisions for competitive bidding

Analysis of bids against requirements

Comparison of bids against each other using predefined evaluation criteria

Analysis of the vendor's financial condition

Analysis of the vendor's capability to provide maintenance and support (including training)

Review of delivery schedules against requirements


Hardware Acquisition

Other considerations include:

Analysis of hardware and software upgrade capability

Analysis of security and control facilities

Evaluation of performance against requirements

Review and negotiation of price

Review of contract terms (including right to audit clauses)

Preparation of a formal written report summarizing the analysis for each of the alternatives
and justifying the selection based on benefits and cost
System Software Acquisition

When selecting new system software, the business and technical issues considered include:

Business, functional, and technical needs and specifications

Cost and benefits

Compatibility with existing systems

Security

Demands of existing staff

Training and hiring requirements


System Software Acquisition

When selecting new system software, the business and technical issues considered include:

Future growth needs

Impact on system and network performance

Open source code vs. proprietary code


Infrastructure Development/Acquisition Practices

Challenges to infrastructure development and acquisition include the following:

• Alignment with corporate standards
• Security
• Integration with existing systems
• IT industry trends
• Scalability and flexibility
• Maintainability (cost effective)
• Standardized hardware and software
• ROI, cost, and operational efficiency


Infrastructure Development Acquisition Practices

Phases in ICT Infrastructure Development and Acquisition are as follows:

• Review of existing architecture
• Analysis and design
• Functional requirements
• Proof of concept
• Procurement
• Implementation planning
• Delivery
• Installation


Request for Proposal Process

The requirements for a Request for proposal (RFP) are given in the following table:
Project Success

What makes a project a success?

How to integrate risk into that definition?


Define Success

• User satisfaction
• Productivity
• Legal/regulatory compliance
• Financial: ROI, cost-benefit
Risk Management

Risk management and project management go hand-in-hand

Risk management processes are applied to project management


Risks Associated with Software Development

Risks associated with software development are as follows:


Levels of Software Project Risk

Software project risks exist at the following levels:


Risk Management

Risks are the possible negative events or conditions that would disrupt relevant aspects of the project.

There are two main categories of project risk:

• Those that impact the project itself. The project manager is responsible for mitigating this risk (risks within the project).
• Those that impact the business benefits and therefore endanger the project's very existence. The project sponsor is responsible for mitigating this risk (business risk of the project).
Risk Management Process Steps

Identify risks → Assess and evaluate risks → Manage risks → Monitor risks → Review and evaluate the risk management process
Business Case and Feasibility Analysis
Benefits Realization Practices

The objective of IT projects is to realize tangible benefits.

Managing these benefits is essential to the success of projects.

A cost-benefit analysis should be prepared prior to beginning a project.

It should estimate all costs and benefits throughout the life of a new system.
Main Areas of Coverage

The main areas covered under this knowledge statement include:

• Business Realization
• Business Case Development and Approval
• Benefits Realization Techniques
Benefits Realization

Benefits realization is the process by which an organization evaluates technology solutions to business problems.

Factors in benefits realization include:

• Cost
• Quality
• Development/timely delivery
• Reliability
• Dependability
Benefits Realization Technique

Benefits Realization Technique is also called Benefits Management. It must be part of project governance and management.
Business Case Development and Realization

Feasibility study; business case

Business Case Requirements

A business case should:

• answer the question, "Why should this project be undertaken?"
• be reviewed to ensure that it is still valid.
System Development Methodologies
System Development Models

System and software development is a critical part of any enterprise.

Part of an IS audit is understanding how the audit target develops software and systems.
Traditional SDLC Phases: Waterfall Model

Feasibility

Requirements

Design

Development

Implement

Maintain
Disadvantages of Traditional SDLC

• Changing requirements
• Unclear specifications
• Fast pace
Agile Software Development Life Cycle

Plan → Design → Development → Evaluate → Start next iteration
Rapid Application Development (RAD)

Team Process Timeline

Object-Oriented Systems Development

Object-Oriented Systems Development contrasts with traditional approaches that treat data and procedures separately. Data and
procedures are grouped into an entity called an "object":

Objects are organized into an aggregation hierarchy, with descriptions which show how services are used. Object classes
may inherit attributes and services from other object (parent) classes. Major advantages of this method are as follows:

• Permits analysts, programmers, and developers to consider larger logical chunks of a system
• Ability to manage an unrestricted variety of data types
• Allows modeling of complex relationships
Data-Oriented System Development

Data-Oriented System Development involves representing software requirements by focusing on data structure rather than data flow.

It considers data independently from the processes that transform data.

Data-oriented development complements traditional development strategies.
Requirements Analysis in System Development Life Cycle (SDLC)

Requirements Analysis involves identifying and specifying requirements of the system chosen.
Decisions on Requirement Analysis are made on:

• System processes and interaction
• User requirements
• Information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability)
• System operating environment (that is, operating system)
Requirements Analysis in SDLC

Requirements analysis in SDLC involves:

Key Outputs of Requirements Analysis

Key outputs include:

Design Schedule Resources


Control Identification and Design
Application Controls
• Primary objective of application controls is to ensure that only valid and accurate data is entered into an application.
• They may be automated or manual.
• Controls make the application more reliable in terms of accurate processing and expected results.
Data Validation and Edit Controls

Value range: limits, ranges
Value type: data type, reasonableness
Format: completeness, format
Input and Origination Controls
• Input controls ensure that all data entered into an application is valid, authorized, and processed accurately.
• Examples: edit checks, reconciliation and exception reports.

o Signatures on source documents
o Logical access controls
o Workstation identification—restricting input to specific terminals or staff
o Authentication of source documents

o Total number of records
o Total amount
o Total number of documents: each document should hold a unique number that enables tracking
o Hash totals: the total of a non-numeric field such as account numbers, customer IDs, phone numbers, and dates. This ensures the integrity of the data and that non-numeric fields have not been changed

o Error correction procedures
o Logs
o Reconciliation
o Source document controls and procedures
Processing Procedures and Controls

Manual checks: calculations, process, totals, algorithms
Process exceptions: review, handling, reporting
Processing Controls
• Processing controls ensure that the application is processing data accurately.

Data validation, edits, and controls:
o Edit check
o Programmed controls
o Limit check
o Sequence check
o Range check
o Validity check
o Reasonableness check
o Check digit
o Completeness check
o Duplicate check

Processing controls:
o Manual recalculation
o Reconciliation of file totals
o Exception reports
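The programmed edit checks listed above (completeness, duplicate, sequence, check digit, limit, reasonableness, range, and validity), as an added example that is not part of the course material. The record layout, thresholds, accounting period, and the Luhn check-digit scheme are assumptions chosen for illustration; the input batch is constructed.

```python
"""Added example (not from the course): programmed edit checks over
constructed payment records.  Field names, thresholds, the accounting period
and the Luhn check-digit scheme are assumptions for illustration."""
from datetime import date

AMOUNT_LIMIT = 10_000.00                        # limit check (assumed policy)
TYPICAL_AMOUNT = 500.00                         # reasonableness reference
PERIOD = (date(2024, 3, 1), date(2024, 3, 31))  # range check for post_date
VALID_CURRENCIES = {"USD", "EUR", "GBP"}        # validity check table
REQUIRED = ("id", "seq", "account", "amount", "currency", "post_date")


def luhn_valid(number):
    """Check digit: Luhn mod-10 over a string of digits (assumed scheme)."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_record(rec, seen_ids, expected_seq):
    """Apply the edit checks to one record; return the list of failures."""
    errors = []
    # completeness check: every required field present and non-empty
    for f in REQUIRED:
        if rec.get(f) in (None, ""):
            errors.append(f"completeness:{f}")
    if errors:
        return errors                  # later checks need the missing fields
    # duplicate check on the record identifier
    if rec["id"] in seen_ids:
        errors.append("duplicate:id")
    seen_ids.add(rec["id"])
    # sequence check: records must arrive in consecutive order
    if rec["seq"] != expected_seq:
        errors.append(f"sequence:expected {expected_seq} got {rec['seq']}")
    # check digit on the account number
    if not luhn_valid(rec["account"]):
        errors.append("check_digit:account")
    # limit check, then reasonableness for amounts under the limit
    if rec["amount"] > AMOUNT_LIMIT:
        errors.append("limit:amount")
    elif rec["amount"] > 10 * TYPICAL_AMOUNT:
        errors.append("reasonableness:amount")
    # range check on the posting date
    if not PERIOD[0] <= rec["post_date"] <= PERIOD[1]:
        errors.append("range:post_date")
    # validity check against the currency table
    if rec["currency"] not in VALID_CURRENCIES:
        errors.append("validity:currency")
    return errors


def run_edit_checks(records):
    """Return {position: [failures]} for the records that fail any check."""
    seen, failures = set(), {}
    for pos, rec in enumerate(records, start=1):
        errs = validate_record(rec, seen, expected_seq=pos)
        if errs:
            failures[pos] = errs
    return failures


# Constructed input batch: record 1 is clean, the rest exercise the checks.
SAMPLE_BATCH = [
    {"id": 1001, "seq": 1, "account": "79927398713", "amount": 250.00,
     "currency": "USD", "post_date": date(2024, 3, 5)},
    {"id": 1002, "seq": 2, "account": "79927398710", "amount": 15000.00,
     "currency": "XYZ", "post_date": date(2024, 3, 6)},
    {"id": 1002, "seq": 4, "account": "79927398713", "amount": 7500.00,
     "currency": "EUR", "post_date": date(2024, 5, 1)},
    {"id": 1004, "seq": 4, "account": "79927398713", "amount": None,
     "currency": "GBP", "post_date": date(2024, 3, 7)},
]

if __name__ == "__main__":
    for pos, errs in run_edit_checks(SAMPLE_BATCH).items():
        print(f"record {pos}: {', '.join(errs)}")
```

Failures are reported per check so the exception report tells the reviewer which control fired rather than just that the record was rejected.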
Output Controls
• Output controls ensure that output is well formatted and delivered in a consistent and secure manner.
• Some of the examples of output controls are:

Final values:
• Manually re-check
• Reconciliation with control totals
• Controls over computer-generated forms, signatures, and negotiable instruments

Reports:
• Verification of receipts
• Formatting
• Retention
• Distribution in a secure manner
• Accuracy, completeness, and timely delivery

Output:
• Methods
• Constraints
• Error handling
• Logging and secure storage of sensitive forms
Risk Management Practices

Proper risk management is required in order to minimize the consequences and the likelihood that the project
fails to achieve its goals.

Major issues include: scope/deliverables, quality, budget and time.

Risk management is a continuous process, not a one-time activity, since risk profiles will change over time.
Part B: Information Systems Implementation

The following topics are covered in Part B:


• Testing methodologies

• Configuration and release management

• System migration, infrastructure deployment, and data conversion

• Post-implementation review
Testing Methodologies
Testing Methodologies and Practices Related to ISs

Organizations employ a methodology to reduce development time and improve maintainability of the
resulting code base.

Controls appropriate to one form of development may not apply to other forms.
SDLC: Testing
SDLC: Testing

• System testing: collective constitution of the programs/modules as one system:

o Recovery testing is the ability to recover from failure;


o Security testing refers to access controls and impact on other systems;
o Load testing refers to testing performance during peak hours (processing with large volumes of data);
o Volume testing means applying incremental records to determine maximum volume of data the application can process;
o Stress testing refers to concurrent users and/or services that can be supported at a time (by increasing transactions
progressively); and
o Performance testing is comparing against other equivalent systems and/or benchmarks.

• Final acceptance testing is done during implementation, and considers:

o Quality assurance (technical aspects): focuses on documented specifications and technology employed.
o User acceptance (functional aspects): assesses if the system is production ready and satisfies all requirements.
SDLC: Testing Terminology

Alpha Testing Beta Testing Pilot Testing


SDLC: Testing Terminology

• Function/validation testing: testing functionality against detailed requirements
• Regression testing: rerunning tests to ensure changes or corrections have not introduced errors; data used should be the same as data used in the original system
• Parallel testing: feeding test data into two systems and comparing results
• Sociability testing: evaluating impact on existing systems or environment

o Test data generators are used to systematically generate random test data
o Interactive debugging aids and code logic analyzers are available to assist in testing activities
SDLC: Implementation

Certification | Accreditation | Implementation

Implementation readiness checklist: testing complete, documentation complete, users trained.
Configuration and Release Management
Release Management

Configuration and release management provide systematic, consistent, and unambiguous control over the
attributes of the IT components that make up the system.

Changes to IT systems must be carefully assessed, planned, tested, approved, documented, and
communicated to minimize any undesirable consequences for the business processes.
Main Areas of Coverage

• IS maintenance
• Configuration management
• Change management

Change Management Process Overview

• Authorize → Implement → Confirm and Document
• Emergency changes: still authorized, documented, and reviewed, but through an expedited path with approval recorded after the fact
• Change control: documented requests, review
System Migration, Infrastructure Deployment, and Data Conversion
System Migration and Infrastructure Deployment

Deployment and migration are essential processes

Audits must consider these processes


Data Migration

Meaning and objectives of data migration

• It involves porting data from one platform or database to another and is an essential part of migrating from an existing legacy application to a new one.
• The objective of data conversion is to ensure that the entire existing data set is converted and ported onto the other platform without affecting the integrity of the data.
• It should be scheduled at a time when no or minimal disruption occurs.
• It must be meticulously planned to ensure that the migration is done well within the defined budget and stipulated time.
• Tools or processes used to verify the migration:
o Record counts
o Totals
o Hash totals
o Logs
o Tools
o Manual processes
o Specialized applications
Data Migration

Objectives of data migration

• The consistency of data should be maintained throughout the process of data being ported from the legacy system to the target system.
• The security of the data being converted should be maintained.
• Any loss of confidentiality and integrity must be prevented.
• A record should be maintained of the data exported from the legacy system into the new one, which enables verification of the completeness and accuracy of the data.
• A rollback plan must be defined, in case the conversion fails despite all the care taken.
Data Migration Steps

1. Identify the data to be converted and the method to do that
2. Check if accuracy is to be maintained at 100% or some margin of difference is permissible
3. Identify who is responsible for verifying the conversion and signing off
4. Define audit trails
5. Identify the method by which the conversion will be tested
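The verification tools listed above (record counts, control totals, hash totals, an audit log of what was checked, and a decision about whether 100% accuracy or a tolerance applies) can be combined into one reconciliation step. The following Python is an added example written for this page, not course material or any vendor's tool; the account table, its three columns, and the one deliberately damaged record are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed sample data (not from any real system): a legacy "accounts" table
# and the same table after conversion, loaded in a different physical order.
# Record 1002 carries a deliberate defect: its balance lost precision.
LEGACY_ACCOUNTS = [
    {"id": 1001, "name": "Alice Ng", "balance": "120.50"},
    {"id": 1002, "name": "Bruno Silva", "balance": "9999.99"},
    {"id": 1003, "name": "Chen Wei", "balance": "0.00"},
    {"id": 1004, "name": "Dana Kovac", "balance": "-45.10"},
]
TARGET_ACCOUNTS = [
    {"id": 1004, "name": "Dana Kovac", "balance": "-45.10"},
    {"id": 1003, "name": "Chen Wei", "balance": "0.00"},
    {"id": 1002, "name": "Bruno Silva", "balance": "9999.00"},
    {"id": 1001, "name": "Alice Ng", "balance": "120.50"},
]

FIELDS = ("id", "name", "balance")   # assumed schema of the table being migrated


def canonical(row):
    """Stable serialisation so the same record hashes identically on both sides."""
    return "|".join(f"{k}={row[k]}" for k in FIELDS)


def record_hash(row):
    return hashlib.sha256(canonical(row).encode("utf-8")).hexdigest()


def hash_total(rows):
    """Order-independent hash total: per-record hashes are sorted before chaining,
    so a target loaded in a different physical order still reconciles."""
    h = hashlib.sha256()
    for digest in sorted(record_hash(r) for r in rows):
        h.update(bytes.fromhex(digest))
    return h.hexdigest()


def control_total(rows, column="balance"):
    """Control total over a numeric column; Decimal avoids float rounding noise."""
    return sum((Decimal(r[column]) for r in rows), Decimal("0"))


@dataclass
class Reconciliation:
    records_src: int
    records_dst: int
    control_src: Decimal
    control_dst: Decimal
    hash_totals_match: bool
    missing_in_target: list
    unexpected_in_target: list
    mismatched_ids: list
    audit_log: list = field(default_factory=list)

    def passes(self, tolerance="0"):
        """tolerance 0 demands 100% accuracy (every field of every record identical);
        a positive tolerance lets the control totals differ by at most that amount,
        while record counts and key sets must still match exactly."""
        tolerance = Decimal(str(tolerance))
        if self.records_src != self.records_dst:
            return False
        if self.missing_in_target or self.unexpected_in_target:
            return False
        if tolerance == 0:
            return self.hash_totals_match
        return abs(self.control_src - self.control_dst) <= tolerance


def reconcile(src, dst, key="id"):
    src_by_key = {r[key]: r for r in src}
    dst_by_key = {r[key]: r for r in dst}
    missing = sorted(set(src_by_key) - set(dst_by_key))
    unexpected = sorted(set(dst_by_key) - set(src_by_key))
    mismatched = sorted(
        k for k in set(src_by_key) & set(dst_by_key)
        if record_hash(src_by_key[k]) != record_hash(dst_by_key[k])
    )
    result = Reconciliation(
        records_src=len(src), records_dst=len(dst),
        control_src=control_total(src), control_dst=control_total(dst),
        hash_totals_match=hash_total(src) == hash_total(dst),
        missing_in_target=missing, unexpected_in_target=unexpected,
        mismatched_ids=mismatched,
    )
    # Audit trail: one line per check, suitable for the sign-off record.
    result.audit_log.append(f"record count: source={result.records_src} target={result.records_dst}")
    result.audit_log.append(f"control total: source={result.control_src} target={result.control_dst}")
    result.audit_log.append(f"hash totals match: {result.hash_totals_match}")
    for k in missing:
        result.audit_log.append(f"MISSING in target: {key}={k}")
    for k in unexpected:
        result.audit_log.append(f"UNEXPECTED in target: {key}={k}")
    for k in mismatched:
        result.audit_log.append(f"MISMATCH {key}={k}: {canonical(src_by_key[k])} -> {canonical(dst_by_key[k])}")
    return result


if __name__ == "__main__":
    r = reconcile(LEGACY_ACCOUNTS, TARGET_ACCOUNTS)
    print("\n".join(r.audit_log))
    print("passes at 100%:", r.passes(), "| passes within 1.00:", r.passes("1.00"))
```

Note what each check catches: the record count and key comparison find dropped or duplicated rows, the control total finds a numeric drift (here 0.99 across the table), and only the hash total catches a changed non-numeric field or a numeric error that happens to net to zero. The constructed defect passes a 1.00 tolerance but fails the 100% accuracy requirement, which is exactly why step 2 above (deciding the permitted margin) has to be made before the conversion is tested.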
Migration Issues

• Migration: data format, data size
• Mapping: source, destination
• Finalize: test, document
Change Management
The Change Management process is as follows:

Change Request → Formal RFC → Change Approval Board (CAB) → Implementation → Review → Possible Rollback
Cutover or Changeover Methods
• Once a new system has been tested and is ready to go live (also called cutover or changeover), users and activities need to be shifted from the legacy application to the new one.
• This can be done in several ways: parallel changeover, phased changeover, or abrupt cutover.

Parallel Changeover
• The old and new systems are run in parallel for some time, until stakeholders and users gain confidence in the new system.
• This gives users access to both systems for a while, which ensures that operations are not disrupted, even if unexpected problems occur.
• This is the safest method of changeover, since it provides sufficient time to identify and correct any flaws or errors in the new system.
• The drawback of this method is that users are required to run both systems during the overlap period, which leads to a temporary increase in their workload.

Phased Changeover
• Switchover from the old system to the new one is done in phases or stages.
• Some of the modules of the new application are implemented initially and then gradually extended until the old system is entirely shut down.
• A unique challenge in this approach is that users will have to perform different tasks on two different systems in the initial phase, and will thus have to be conversant with both.

Abrupt Cutover
• The old system is shut down on the pre-planned date and time, and the new system is activated.
• The new system must be thoroughly tested and a fallback plan designed before the cutover is attempted.
• Of all the methods, this one is most likely to cause disruption if the new system does not perform, since the comfort of some or all modules of the old system running in parallel is absent.
Enterprise Architecture

You must understand the architecture and architectural models in order to understand the organization.

Value Drivers

Requirements analysis in the SDLC addresses the following value drivers:
• User satisfaction
• Compliance
• Functionality
• Cost effectiveness
• Security

Risk Drivers

Each value driver has a corresponding risk driver when it is not met:
• Bad information vs. functionality
• Expensive vs. cost effective
• Not user friendly vs. user satisfaction
• Compliance is difficult vs. compliance is easier

Controls

• Develop the information architecture model consistent with the organization's strategy and the strategic and tactical IT plans.
• Establish and maintain the information architecture model in the context of the entire organization, documented in a manner that can be understood by business and IT management.
• Check the information architecture model regularly for adequacy regarding flexibility, functionality, cost-effectiveness, security, failure resiliency, compliance, and user satisfaction, and update the model accordingly.
Post-Implementation Review
Post-Implementation Review Objectives and Practices

Post-implementation review is typically carried out several weeks or months after project completion, when
the major benefits and shortcomings of the implemented solution will have become apparent.

Projects should be formally closed to: provide accurate information on project results, improve future projects,
and allow an orderly release of project resources.

The closure process should: determine whether project objectives were met or excused, and identify lessons
learned to avoid mistakes and encourage repetition of good practices.
Main Area of Coverage

• Post-implementation review

Post-Implementation Review

Post-implementation review verifies whether the system was designed and developed properly and proper controls
were built into the system.

The objectives of post-implementation review are:

• Assessing system adequacy
o Were user requirements and management objectives met?
o Were access controls adequately defined and implemented?
• Reviewing program cost/benefit and return on investment (ROI) requirements
• Providing recommendations for system inadequacies/deficiencies
• Providing implementation plans for the recommendations
• Reviewing the development process
o Were the chosen methodologies followed?
o Was appropriate program management used?
• The focus is to assess and critique the program process
• It is best performed by parties not involved in the program
• It can also be done internally by the program development team and selected end-users, at the cost of some independence
Knowledge
Check
QUIZ 1
The phases and deliverables of a system development life cycle (SDLC) project should be determined:

a. During the initial planning phases of the project
b. After early planning has been completed, but before work has begun
c. Throughout the work stages, based on risks and exposures
d. Only after risks and exposures have been identified and the IS auditor has recommended appropriate controls

The correct answer is a

Explanation: It is extremely important that the project be planned properly and that the specific phases
and deliverables be identified during the early stages of the project.
QUIZ 2
By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that:

a. Reliable products are guaranteed
b. Programmers' efficiency is improved
c. Security requirements are designed
d. Predictable software processes are followed

The correct answer is d


Explanation: By evaluating the organization's development projects against the CMM, an IS auditor determines whether the
development organization follows a stable, predictable software process. Although the likelihood of success should increase
as the software processes mature toward the optimizing level, mature processes do not guarantee a reliable product. CMM
does not evaluate technical processes such as programming nor does it evaluate security requirements or other application
controls.
QUIZ 3
An IS auditor reviewing a proposed application software acquisition should ensure that the:

a. Operating system (OS) being used is compatible with the existing hardware platform.
b. Planned OS updates have been scheduled to minimize negative impacts on company needs.
c. OS has the latest versions and updates.
d. Products are compatible with the current or planned OS.

The correct answer is d

Explanation: In reviewing the proposed application the auditor should ensure that the products are
compatible with the current or planned OS.
QUIZ 4
Which of the following is an advantage of prototyping?

a. The finished system normally has strong internal controls.
b. Prototype systems can provide significant time and cost savings.
c. Change control is often less complicated with prototype systems.
d. It ensures that functions or extras are not added to the intended system.

The correct answer is b

Explanation: Prototype systems can provide significant time and cost savings; however, they also have
several disadvantages. They often have poor internal controls, change control becomes much more
complicated, and it often leads to functions or extras being added to the system that were not originally
intended.
Case Study 1

QUIZ 1
Which of the following should be the auditor's greatest concern?

a. The VPN
b. The database
c. The wireless connection
d. The firewall

The correct answer is c

Explanation: The scenario does not indicate how the wireless is secured, and wireless is always vulnerable
to attack attempts. The other items should also be audited, but the wireless connection must be the most
critical concern.
QUIZ 2
Why would the database be an issue?

a. It would not; it is encrypted, updated, and protected by the firewall
b. It would only be an issue if the encryption is weak
c. It is not an issue if the encryption is strong and the firewall is adequate
d. The collocation with other databases is an issue

The correct answer is d

Explanation: PCI DSS requires cardholder data to be segregated from other systems; collocating credit card data with other databases pulls those databases into scope and exposes the card data to every point of entry they have, any of which could be used to reach the credit card related data.
Case Study 2

QUIZ 1
The tech company supporting the firm has suggested a complete overhaul of security including high end firewalls, intrusion detection systems, anti-virus, quarterly penetration tests, and a variety of other security measures. What should be the auditor's opinion of this recommendation?

a. This is an excellent plan that will protect the data
b. This plan exceeds budget and provides limited ROI
c. The plan is good, provided the tech firm does not profit from it
d. The plan is inadequate and additional measures such as hard drive encryption for all workstations should be considered

The correct answer is b

Explanation: It is easy to wish for every security innovation available. But budget constraints and return on
investment are always considerations. For this small network, less expensive measures like password
management could deliver significant security gains.
QUIZ 2
Apart from the items listed, what would be the most important item for the company to consider?

a. Ensuring all machines including servers are updated and patched
b. Adding a DMZ
c. Implementing an IDS
d. Implementing stronger passwords (longer than 20 characters)

The correct answer is a

Explanation: Updates and patches are free, and provide a significant security benefit. Failure to update
and patch can also lead to serious vulnerabilities. While the other measures might be useful, they are not
as critical as updates, and options B and C may be cost prohibitive for a small company.
Key Takeaways

You are now able to:

Evaluate whether the business case for the proposed changes in information systems
meet the business objectives

Explain the organization's project management policies and practices

Evaluate the controls at stages of information systems development life cycle

Illustrate the readiness of information systems for implementation and migration into production

Conduct post-implementation review of systems to determine whether project deliverables,
controls, and requirements are met

Evaluate change, configuration, release, and patch management policies and practices
This concludes ‘IS Acquisition, Development, and
Implementation.’
The next domain is ‘Information Systems Operations and Business
Resilience.’
Certified Information Systems Auditor (CISA®)
Information Systems Operations and Business Resilience



Learning Objectives

By the end of this domain, you’ll be able to:

Evaluate the organization’s ability to continue business operations

Evaluate whether IT service management practices align with business requirements

Conduct periodic review of information systems and enterprise architecture


Evaluate IT operations and maintenance to determine whether they are controlled
effectively and continue to support the organization’s objectives
Evaluate database management practices and data governance policies and practices

Evaluate problem and incident management policies and practices

Evaluate change, configuration, release, and patch management policies and practices
Evaluate end-user computing to determine whether the processes are effectively controlled

Evaluate policies and practices related to asset lifecycle management


Part A: Information Systems Operations

The following topics are covered in Part A:

• Common technology components
• IT asset management
• Job scheduling and production process automation
• System interfaces
• End-user computing
• Data governance
• Systems performance management
• Problem and incident management
• Change, configuration, release, and patch management
• IT service level management
• Database management
Overview

The following gives an overview of Domain 4:

• Information systems operations, maintenance, and support practices are important to provide assurance
to users and management that the expected level of service will be delivered.
• Service level expectations are derived from the organization’s business objectives. IT service delivery
includes IS operations, IT services and management and the groups responsible for supporting them.
Common Technology Components
Technology Concepts

The IS auditor must be familiar with the functionality of information system hardware and network
components.

This includes understanding the importance of the physical part of IS/IT solutions that support the
organizational objectives and goals, and the key controls and risks involving system software.

Although the CISA exam does not test technical knowledge of the working of individual components, an
understanding of the risks associated with and possible control functions of each component is expected.
Main Areas of Coverage

• Network infrastructure
• Applications
• Hardware reviews
• Types of networks
• Operating systems
• Access control
• Enterprise network architectures
• Network backbones, segments, and protocols
Hardware Risks

• Data loss: data exposed, hardware lost
• Malicious code: virus, spyware
• Physical theft: computers, storage media
• Data corruption: drive corruption, drive damage

Hardware Controls

• Encryption
• Physical security
• Media sanitization
• Maintenance


Radio Frequency Identification: Risks

Business process risk: interference with RFID results in interference with the business processes that depend on it.

Business intelligence risk: competitors can gain information from RFID and use it to harm the business.

Privacy risk: RFID can compromise personally identifiable information, wherein tagged items can be traced to an individual.

Externality risk: the RFID system becomes a path into other systems. Example: an adversary gaining unauthorized access to computers on an enterprise network through IP-enabled RFID readers, if the readers are not designed and configured properly.

Radio Frequency Identification: Controls

Following are the categories of controls in Radio Frequency Identification:

• Management
• Operational
• Technical
Hardware Monitoring Practices

Hardware monitoring practices include the following:

• Availability reports: check for downtime caused by:
o Inadequate facilities
o Excessive maintenance
o Lack of preventive maintenance
o Inadequate physical plant
o Inadequate operator training

• Utilization reports (automated): document utilization of the machine and peripherals. Utilization around 85% indicates that capacity is being reached; sustained utilization above 95% calls for a review of resources, capacity, and schedules.

• Error reports: detect failures and trigger corrective action.

• Asset management reports: inventory of network-connected equipment such as PCs, servers, routers, and other devices.

Hardware Auditing

Auditing of hardware covers:

• Capacity management procedures
o Ensuring continuous performance
• Performance evaluation procedures
o Whether performance management is objective
• Change management controls
o Approval
o Planning, scheduling, communication
o Minimizing impact on the business
o Operator documentation
• Availability and utilization reviews
o Hardware availability and utilization reporting
Operating System Integrity

Operating system integrity involves:

• Protecting the OS from interference and compromise
• Protecting applications from other applications
• Protecting the OS itself from deliberate and inadvertent modification
• Ensuring privileged programs are not interfered with by user programs

Process isolation ensures:

• Multiple processes are protected from each other (for example, from writing into each other's memory)
• Enforcement of least privilege

Access Control Software

Access control software developed for the computer must be compatible with its operating system.

01 Access control software is designed to detect and prevent unauthorized computer access, and in particular to prevent unauthorized:
• Access to data
• Use of system functions/programs
• Updates/changes to data

02 Data communication software is used to transmit data from one point to another. It is also used for code conversion between character sets such as ASCII, EBCDIC, and Unicode.

03 Communication software components include:
• Sender and receiver
• Message
• The medium or channel

Network Topology and Its Types
• Network topology defines the structure and arrangement of computers and other devices on a network.
• Network topology may be physical or logical.
• It includes the physical placement of devices, as well as the logical topology, that is, the flow of data.

• Bus topology: linear, with all devices attached to a single cable; the tree variant has a main cable with branches.
• Ring topology: each device is connected to its two neighbours, forming a closed loop around which data travels.
• Star topology: every device connects to a central hub or switch.
• Mesh topology: devices are interconnected with multiple redundant paths between them.

Types of Networks

• PAN (personal area network)
• LAN (local area network)
• CAN (campus area network)
• MAN (metropolitan area network)
• WAN (wide area network)
• Distributed networks
WLAN

A WLAN incorporates an access point (AP).

• It offers a wireless extension of the range of the LAN to end-user devices like desktops, tablets, and mobile phones.
• The AP is a device that connects to a wired hub, switch, or router and broadcasts a Wi-Fi signal over a designated area. It serves as a bridge between the wired and wireless segments of the LAN.
• End-user devices must possess a wireless NIC (Network Interface Card) to communicate with an AP.
• The AP and the wireless devices within a WLAN form a group and share a Service Set Identifier (SSID).
• It bears attendant risks, since the wireless signals are susceptible to eavesdropping.
Wireless Network Security

The three important protocols of Wireless Network Security are as follows: WEP, WPA, and WPA2.

Wired Equivalent Privacy (WEP)
• It was the security mechanism defined in the original IEEE 802.11 WLAN standard.
• It uses the RC4 stream cipher, seeded with a 24-bit initialization vector (IV) concatenated with the shared key.
• In this protocol, wireless devices authenticate themselves to the AP.

Two methods of AP authentication:

Open System Authentication (OSA)
• It requires endpoint devices to provide only the SSID.
• All transmissions between the AP and endpoint devices are in cleartext and can be intercepted.
• No encryption or decryption is involved here.

Shared Key Authentication (SKA)
• It requires both devices to share a symmetric key, which is used to encrypt and decrypt the data transmitted between them.
• It was intended to provide better security than OSA, but its challenge-response exchange exposes a plaintext/ciphertext pair from which an eavesdropper can derive RC4 keystream; in practice it is no stronger than OSA.

Wi-Fi Protected Access (WPA & WPA2)

Limitations of WEP
• The symmetric key used in many implementations may not be changed.
• In most cases, the same key is used by all devices in the network.
• The 24-bit initialization vector is too short and is frequently reused, so the same RC4 keystream is applied to different frames.
• Packet integrity is not adequately assured: the CRC-32 integrity check is linear and can be forged along with the ciphertext.

WPA
• IEEE 802.11i was developed to overcome the weaknesses of the WEP protocol; WPA was released as an interim measure based on a draft of 802.11i.
• It utilizes the Temporal Key Integrity Protocol (TKIP), which derives a different RC4 key for each frame.

WPA2
• It implements the full IEEE 802.11i standard and employs the AES algorithm (in CCMP mode) for encryption and integrity, which provides a higher level of security.
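The IV-reuse limitation above is the one most worth seeing concretely, because it needs no key recovery at all. The Python below is an added example for this page, not course material or any vendor's code: it reimplements RC4 and WEP-style frame encryption (IV prepended in the clear, RC4 seeded with IV || key) and shows that two frames encrypted under the same key and IV leak each other's plaintext. The 104-bit key, the IV, and the two frame payloads are constructed for the demonstration; the LLC/SNAP header is the fixed prefix that real IP-over-802.11 frames carry, which is what makes a known-plaintext prefix realistic.

```python
# Added example: RC4 + WEP-style framing, used only to show keystream reuse.
SNAP_HEADER = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header preceding IP in 802.11 data frames


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 encryption/decryption (the same operation) of data under key."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with IV || shared key and sends the 3-byte IV in the clear."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return iv + rc4(iv + shared_key, plaintext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Eavesdropper step 1: a known plaintext prefix (e.g. the SNAP header) of a
    captured frame yields that many bytes of keystream for the frame's IV."""
    return xor_bytes(frame[3:], known_plaintext)


def decrypt_with_reused_iv(frame_known: bytes, known_plaintext: bytes, frame_other: bytes) -> bytes:
    """Eavesdropper step 2: under the same key and IV both frames use the same
    keystream, so c1 XOR c2 == p1 XOR p2; knowing p1 reveals p2 with no key."""
    assert frame_known[:3] == frame_other[:3], "demonstration requires a reused IV"
    keystream = recover_keystream(frame_known, known_plaintext)
    return xor_bytes(frame_other[3:], keystream)


def demo() -> bytes:
    key = bytes.fromhex("0123456789abcdef01234567")   # constructed 104-bit WEP key
    iv = bytes.fromhex("c0ffee")                       # constructed IV, reused for both frames
    p1 = SNAP_HEADER + b"GET /index.html HTTP/1.0\r\n\r\n"   # predictable request the attacker knows
    p2 = SNAP_HEADER + b"POST /login pw=hunter2"              # the frame the attacker wants
    c1 = wep_encrypt(key, iv, p1)
    c2 = wep_encrypt(key, iv, p2)
    return decrypt_with_reused_iv(c1, p1, c2)        # recovered without ever learning `key`


if __name__ == "__main__":
    print(demo())
```

With a 24-bit IV space a busy AP reuses IVs within hours even if it picks them at random, and many WEP implementations simply counted up from zero, so the collision in `demo()` is the normal case rather than a contrived one. TKIP's per-frame key derivation and the 48-bit packet number in CCMP are the two answers to this specific failure.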
Virtual Private Networks

A VPN extends the corporate network securely via encrypted packets sent out via virtual connections
over the public Internet to distant offices, homeworkers, salespeople, and business partners. VPN
allows the following:

• Network managers to cost-efficiently increase the span of the corporate network


• Remote network users to securely and easily access their corporate enterprise
• Corporations to securely communicate with business partners
• Supply chain management to be efficient and effective
• Service providers to grow their businesses by providing substantial incremental bandwidth with
value-added services
Virtual Private Networks: Types

• Intranet VPN: used to connect branch offices within an enterprise WAN
• Remote-access VPN: used to connect telecommuters and mobile users to the enterprise WAN in a secure manner
• Extranet VPN: used to give business partners limited access to each other's corporate network
IT Asset Management
Asset Management and Software Licensing

Software licensing should be subject to controls to ensure that the number of copies in circulation within an
organization does not exceed the number purchased.
Main Area of Coverage

• Monitoring use of resources in software licensing

Software Licensing Issues

The possibility of copyright infringement leads to penalties and/or public embarrassment.

Policies and procedures to safeguard against license infringement:
• Relevant personnel policies on copyrights
• A list of software used and licensed
• Comparison of that list with the software actually installed on servers and PCs

Options to prevent software license violations:
• Centralized control and automatic distribution
• Disabling users' ability to install software
• Diskless workstations with access to server software
• Access through metered software
• Scanning PCs for unauthorized software
• Site licensing agreements with vendors

License Types

Following are the three types of license:
• Individual
• Site
• Organizational
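The "compare the licensed list with what is installed" procedure above is mechanical enough to script, and the three license types determine what "too many copies" means for each product. The Python below is an added example for this page, not a real asset-management product: the host inventory, the entitlement list, and the product names are constructed, and the mapping of individual licenses to a seat count, site licenses to a named site, and organizational licenses to unlimited use is an assumption made for the demonstration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    product: str
    license_type: str              # "individual", "site" or "organizational" (assumed model)
    seats: Optional[int]           # purchased copies for individual licenses; None = unlimited
    scope: Optional[str] = None    # site name for site licenses; None otherwise


# Constructed inventory (not from any real scan): host -> (site, installed products).
INSTALLED = {
    "ws-01": ("HQ", ["OfficeSuite", "CADTool"]),
    "ws-02": ("HQ", ["OfficeSuite", "CADTool", "PhotoEditor"]),
    "ws-03": ("HQ", ["OfficeSuite"]),
    "ws-04": ("Branch", ["OfficeSuite", "CADTool", "KeygenPatcher"]),
    "srv-01": ("HQ", ["DbEngine"]),
    "srv-02": ("Branch", ["DbEngine"]),
}

# Constructed entitlement register: what the organization actually purchased.
ENTITLEMENTS = [
    Entitlement("OfficeSuite", "organizational", None),
    Entitlement("CADTool", "individual", 2),
    Entitlement("PhotoEditor", "individual", 1),
    Entitlement("DbEngine", "site", None, scope="HQ"),
    Entitlement("BackupAgent", "individual", 5),
]


def reconcile_licenses(installed, entitlements):
    """Compare installed copies against entitlements and return audit findings:
    unlicensed products, over-deployed individual licenses, site licenses used
    outside their site, compliant products, and purchased-but-unused products."""
    by_product = {e.product: e for e in entitlements}
    copies = Counter()
    hosts_of = defaultdict(list)
    for host, (site, products) in installed.items():
        for p in products:
            copies[p] += 1
            hosts_of[p].append((host, site))

    findings = {"unlicensed": [], "over_deployed": {}, "out_of_scope": {}, "compliant": [], "unused": []}
    for product, n in sorted(copies.items()):
        ent = by_product.get(product)
        if ent is None:
            findings["unlicensed"].append(product)                     # no entitlement at all
        elif ent.license_type == "individual" and ent.seats is not None and n > ent.seats:
            findings["over_deployed"][product] = (n, ent.seats)        # (installed, purchased)
        elif ent.license_type == "site":
            outside = sorted(h for h, site in hosts_of[product] if site != ent.scope)
            if outside:
                findings["out_of_scope"][product] = outside            # site license used elsewhere
            else:
                findings["compliant"].append(product)
        else:
            findings["compliant"].append(product)
    findings["unused"] = sorted(p for p in by_product if p not in copies)   # shelfware
    return findings


if __name__ == "__main__":
    for kind, detail in reconcile_licenses(INSTALLED, ENTITLEMENTS).items():
        print(f"{kind:14s} {detail}")
```

Two of the findings matter more to an auditor than the raw count: an unlicensed product on a workstation (here a constructed "KeygenPatcher") is both a copyright and a malware question, and a site license installed outside its site is a violation that a simple copy count would never show.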
Digital Rights Management

Digital Rights Management (DRM) refers to access control technologies that can be used by hardware manufacturers,
publishers, and copyright holders to impose limitations on the usage of digital content and devices.

• The digital revolution that has empowered consumers to use digital content in new and innovative ways has also made it nearly impossible for copyright holders to control the distribution of their property.
• DRM removes usage control from the person in possession of digital content and puts it in the hands of a computer program.
• DRM can also refer to restrictions associated with specific instances of digital works or devices.
• Some companies that make use of DRM are Sony, Apple Inc., Microsoft, and the BBC, among others.
Job Scheduling and Production Process Automation
Job Scheduling

• Job scheduling software
• COBIT control DS13.2 - Job Scheduling

Job Scheduling Value Drivers

• Optimized use of resources
• Equalizing workloads
• Minimizing the effects of change

Job Scheduling Controls

Following are some of the controls used in job scheduling:

Job scheduling software:
• Is systems software used by installations that process a large number of batch routines
• Sets up daily work schedules
• Automatically determines which jobs are to be submitted for processing

Advantages:
• Job information is set up only once, reducing the chance of error
• Reliance on operators is reduced
• Job dependencies are defined so that if a job fails, subsequent jobs relying on its output will not be processed
• Records of all job successes and failures are maintained
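The two controls an auditor looks for in a scheduler, dependency enforcement (a failed job must block everything that consumes its output) and a complete run log, are shown in the Python below. It is an added example written for this page, not the course's material or any commercial scheduler; the nightly extract/transform/load schedule and its failure are constructed for the demonstration.

```python
from collections import defaultdict, deque


class BatchScheduler:
    """Dependency-aware batch scheduler (added example, not a real product).

    Jobs are defined once with their prerequisites; the scheduler derives the run
    order itself, refuses to run a job whose prerequisite did not succeed, and
    keeps a run log of every success, failure and skip."""

    def __init__(self):
        self.jobs = {}          # name -> callable performing the job
        self.deps = {}          # name -> set of prerequisite job names
        self.run_log = []       # (job, status, detail) tuples, in execution order

    def add_job(self, name, action, depends_on=()):
        if name in self.jobs:
            raise ValueError(f"job {name!r} already defined")
        self.jobs[name] = action
        self.deps[name] = set(depends_on)

    def run_order(self):
        """Kahn's algorithm: a topological order of the jobs, alphabetical on ties.
        Raises if a dependency is undefined or the graph contains a cycle."""
        for name, prereqs in self.deps.items():
            unknown = prereqs - set(self.jobs)
            if unknown:
                raise KeyError(f"job {name!r} depends on undefined job(s) {sorted(unknown)}")
        remaining = {n: len(p) for n, p in self.deps.items()}
        dependents = defaultdict(list)
        for n, prereqs in self.deps.items():
            for p in prereqs:
                dependents[p].append(n)
        ready = deque(sorted(n for n, k in remaining.items() if k == 0))
        order = []
        while ready:
            n = ready.popleft()
            order.append(n)
            for m in sorted(dependents[n]):
                remaining[m] -= 1
                if remaining[m] == 0:
                    ready.append(m)
        if len(order) != len(self.jobs):
            stuck = sorted(n for n, k in remaining.items() if k > 0)
            raise ValueError(f"dependency cycle detected among {stuck}")
        return order

    def run(self):
        """Execute the schedule; returns {job: 'SUCCESS' | 'FAILED' | 'SKIPPED'}."""
        status = {}
        for name in self.run_order():
            blocked = sorted(d for d in self.deps[name] if status.get(d) != "SUCCESS")
            if blocked:
                status[name] = "SKIPPED"          # never consume output of a failed/skipped job
                self.run_log.append((name, "SKIPPED", f"prerequisite(s) not successful: {blocked}"))
                continue
            try:
                self.jobs[name]()
            except Exception as exc:              # one failure must not abort the whole schedule
                status[name] = "FAILED"
                self.run_log.append((name, "FAILED", repr(exc)))
            else:
                status[name] = "SUCCESS"
                self.run_log.append((name, "SUCCESS", ""))
        return status


def nightly_batch(transform_fails=False):
    """Constructed schedule: extract -> transform -> load -> report, plus an
    independent log-rotation job. Returns the scheduler, ready to run()."""
    def transform():
        if transform_fails:
            raise RuntimeError("bad record in input file")

    s = BatchScheduler()
    s.add_job("extract", lambda: None)
    s.add_job("transform", transform, depends_on=["extract"])
    s.add_job("load", lambda: None, depends_on=["transform"])
    s.add_job("report", lambda: None, depends_on=["load", "extract"])
    s.add_job("rotate_logs", lambda: None)
    return s


if __name__ == "__main__":
    sched = nightly_batch(transform_fails=True)
    print(sched.run())
    for job, state, detail in sched.run_log:
        print(f"{job:12s} {state:8s} {detail}")
```

When the constructed transform job fails, load and report are recorded as SKIPPED with the blocking prerequisite named, while the unrelated log rotation still runs; that skip record, not just the failure record, is what lets an operator or auditor prove that no downstream job processed incomplete data.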
System Interfaces
Control Techniques for Interface Integrity

System interfaces including middleware, application program interfaces (APIs), and other similar software
present special risks because they may not be subject to the same security and control rigor that is found in
large-scale application systems.

Management should ensure that systems are properly tested and approved, modifications are adequately
authorized and implemented, and appropriate version control procedures are followed.
System Interfaces

System Interfaces enable disparate systems to communicate and transfer data to each other by using
standard interfaces, data formats, and communication protocols.

Well-designed and well-developed system interfaces enable reliable physical and logical connection of
different systems.

An incorrectly functioning interface could affect the confidentiality, integrity, or availability of data which
can potentially affect business objectives or invoke legal compliance liability.

An IS auditor must understand and evaluate the controls used to protect system interfaces and data
transfers, which could include encryption for confidentiality, hashing or data reconciliation for integrity, and audit
trails for non-repudiation.
End-User Computing
End User Computing

End-user activities are still one of the biggest vulnerabilities in security; therefore, they must be examined as
part of any IS audit.

End User Issues

• Password control
• Bypassing security for convenience
• Failure to follow policies
• Introducing rogue devices and software
• Password re-use
• Leaving systems unsecured

Risks and Controls for End User Computing

Operational risks and controls that relate to end-user computing cover:

• Behavior
• Policies
• Operations
• Security software
Data Governance
Data Quality

• Data quality factors
• Data quality areas (technical, operational, and governance)
• COBIT control DS11.1 - Business Requirements for Data Management

Data Quality Factors
Following are the factors to be considered for better data quality:

• Data basics: accuracy, integrity
• Data validity: consistent, complete
• Data usability: accessible, timely
Data Quality Areas: Technical

The technical issues for quality data are as follows:

Database Structure

Application

Processes
Data Quality Areas: Operational

Following are the operational issues for quality data:

Business Processes

Business Rules

Validation
Data Quality Areas: Governance

Data Roles

Data Responsibilities

Monitoring
System Performance Management
Capacity Planning and Related Monitoring Tools and Techniques

Capacity planning ensures that the current and future capacity and performance aspects of business
requirements are anticipated in advance, assessed and, where necessary, provided in a cost-effective manner.

Capacity of information systems must be monitored on a continuous basis to meet business needs and should
be planned using projections of expected demands. Capacity includes the size and speed of the processor;
internal system memory; and storage and communications media.
Main Areas of Coverage
Capacity Management

This involves planning and monitoring computing and network resources to ensure efficiency and
effectiveness. It requires expansion/reduction in line with business growth/reduction and takes
into account present business and future expansions.

• Annually, management should review and update:
  o utilization of CPU, storage, SAN, terminal, IO channel, telecomm, and LAN & WAN bandwidth
  o number of users
  o new technologies
  o new applications
  o SLAs
• Network devices such as routers and switches, which comprise physically and logically separated
  networks (VLAN – Virtual LANs)
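The projection step described above (planning capacity from expected demand) as an added example, not part of the course material: it fits a least-squares trend line to constructed monthly CPU utilization samples and reports when an assumed 80% planning threshold would be crossed. The sample values, the threshold, and the 30-day month used for the headroom figure are assumptions chosen for the demonstration.

```python
"""Capacity projection from monthly utilization samples (added example).

Fits a least-squares trend to constructed monthly CPU utilization figures and
projects when an assumed planning threshold will be crossed. The sample
values and the 80% trigger are assumptions, not figures from the course.
"""
from datetime import timedelta, date

# Constructed monthly average CPU utilization (%) for one server.
SAMPLES = [
    (date(2023, 1, 1), 42.0),
    (date(2023, 2, 1), 44.5),
    (date(2023, 3, 1), 46.0),
    (date(2023, 4, 1), 49.0),
    (date(2023, 5, 1), 50.5),
    (date(2023, 6, 1), 53.0),
]

# Assumed planning trigger: procurement should start before sustained load exceeds this.
THRESHOLD_PCT = 80.0


def linear_trend(samples):
    """Least-squares fit: returns (slope in % per day, intercept at the first sample date)."""
    t0 = samples[0][0]
    xs = [(d - t0).days for d, _ in samples]
    ys = [v for _, v in samples]
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = mean_y - slope * mean_x
    return slope, intercept


def projected_crossing(samples, threshold):
    """Date on which the fitted line reaches `threshold`.

    Returns None when usage is flat or falling (no crossing on the current trend);
    returns the first sample date if the fitted line already exceeds the threshold.
    """
    slope, intercept = linear_trend(samples)
    if slope <= 0:
        return None
    days = (threshold - intercept) / slope
    if days < 0:
        return samples[0][0]
    return samples[0][0] + timedelta(days=days)


def months_of_headroom(samples, threshold, as_of):
    """Whole 30-day months between `as_of` and the projected crossing (0 if already past)."""
    crossing = projected_crossing(samples, threshold)
    if crossing is None:
        return None
    return max(0, (crossing - as_of).days // 30)


if __name__ == "__main__":
    slope, _ = linear_trend(SAMPLES)
    print(f"trend: {slope * 30:.2f} % per 30 days")
    print("projected crossing of", THRESHOLD_PCT, "%:", projected_crossing(SAMPLES, THRESHOLD_PCT))
    print("months of headroom from last sample:",
          months_of_headroom(SAMPLES, THRESHOLD_PCT, SAMPLES[-1][0]))
```

A linear fit is only a starting point: seasonal peaks and step changes (a new application, more users) from the review list above should be layered on top before the projection is used for procurement decisions.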
Problem and Incident Management
Problem and Incident Management Practices

An incident is any event that causes temporary disruption to the business. A problem may develop when such
incidents are unresolved.
Problem and Incident Management Practices

Problem and incident management practices:
• Initial Response
• Root Cause Analysis
• Follow-up

Problem Management:
• History of Incidents
• Source of Incidents
• Address the root cause
Change, Configuration, Release, and Patch Management
Change Management

Software changes are critical to IT controls.


Change Management Process:
• Change Management
• Exceptions/Emergencies
• Follow-up

Configuration Management:
• Planning
• Executing
• Follow-up


Configuration Management
“Configuration management is a process of identifying and documenting hardware components, software and the
associated settings. A well-documented environment provides a foundation for sound operations management by
ensuring that IT resources are properly deployed and managed.”
-- Official ISC2 Guide to the CISSP CBK

Steps for sound configuration management:

1. Hardware inventory: includes make, model, MAC address, serial number, location, and
   organizational fixed asset code.
2. Software inventory: includes name, type, vendor, license number, type, validity, and librarian.
3. Recovery strategy: includes alternate sites; no arrangement is made if the function has low
   priority.
4. Change management: used to control and record all changes.
Software Release Management

• Test release
• Gradual Rollout
• Follow-up


IT Service Level Management
Service Level Management Frameworks

Service level management ensures that IT services meet customer’s expectations and that service level
agreements (SLAs) are continuously maintained and improved as needed.

SLAs are generally separate documents from the contracts with external vendors. SLAs may also be created
internally to assure the key process owners of the level of service that the IT organization has agreed to
provide.
Service Level Management Practices

• Response: Time, Level
• Availability: Days/Times, Total Uptime
• Responses: Initial, Escalation
IT Service Management

IT Service Management (ITSM) comprises processes and procedures for efficient and effective delivery of IT services relative to
business expectations. ITSM comprises IT support services and IT delivery services.

IT Support Services:
• Service desk (also called technical support/help desk)
• Incident management
• Problem management
• Configuration management
• Change management (system and infrastructure changes)
• Release management

IT Delivery Services:
• Service level management
• IT financial management
• Capacity management
• IT service continuity management
• Availability management
SLA and OLA

Service Level Agreement (SLA) and Operational Level Agreement (OLA)

In a nutshell, the service assured in the SLA must be supported and backed up by the OLA.
Service Management Practices

It is essential to know the latest approaches in contracting strategies, processes and contract management
practices.

Outsourcing IT can help reduce costs and/or complement an enterprise’s own expertise but may introduce
additional risks.
IT Service Management
Three important factors you need to be concerned with include the following:

• Availability
• Financial performance
• Efficiency and effectiveness
Tools to Measure IS Efficiency and Effectiveness

There are two ways to measure efficiency and effectiveness:

• Exception Reports
• System Logs

Tools to Measure IS Efficiency and Effectiveness

• Operator problem reports: These manual reports are used by operators to log computer operations
  problems and their resolution. IS management should review operator actions to determine if they
  were appropriate and/or whether additional operator training is required.
• Operator work schedules: These reports are maintained manually by IS management to assist in
  human resource planning. Proper staffing of operation support personnel will assure that the service
  requirements of end users will be met.
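Exception reports built from system logs, as an added example that is not part of the course material: a small Python script turns constructed service-desk log lines into an SLA exception report, flagging tickets whose first response exceeded an assumed per-priority target, including tickets still unanswered at report time. The log format, ticket ids, timestamps, and response targets are all constructed for the demonstration.

```python
"""SLA exception report from service-desk log lines (added example).

Parses constructed ticket events and lists tickets whose first response
exceeded an assumed per-priority target. Unanswered tickets are measured up
to the report time so a breach is visible before the ticket is closed.
"""
from datetime import datetime

# Assumed first-response targets in minutes by priority (illustrative values).
RESPONSE_TARGET_MIN = {"P1": 15, "P2": 60, "P3": 240}

# Constructed log: <ISO timestamp> <ticket id> <priority> <event>
SAMPLE_LOG = """\
2024-03-01T08:00:00 INC1001 P1 opened
2024-03-01T08:20:00 INC1001 P1 responded
2024-03-01T09:00:00 INC1002 P2 opened
2024-03-01T09:30:00 INC1002 P2 responded
2024-03-01T10:00:00 INC1003 P3 opened
2024-03-01T16:00:00 INC1004 P1 opened
"""

REPORT_TIME = datetime(2024, 3, 1, 17, 0, 0)  # assumed time at which the report is run


def parse_log(text):
    """Group events per ticket: {ticket: {"priority": str, "opened": dt, "responded": dt}}."""
    tickets = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, ticket, priority, event = line.split()
        entry = tickets.setdefault(ticket, {"priority": priority})
        entry[event] = datetime.fromisoformat(stamp)
    return tickets


def exception_report(tickets, targets, now):
    """Return [(ticket, priority, elapsed_min, target_min, still_open)] for every
    ticket whose first response was, or already is, later than its target."""
    exceptions = []
    for ticket, info in sorted(tickets.items()):
        target = targets[info["priority"]]
        responded = info.get("responded")
        # An unanswered ticket is measured against `now`, so the breach surfaces early.
        elapsed = ((responded or now) - info["opened"]).total_seconds() / 60
        if elapsed > target:
            exceptions.append((ticket, info["priority"], int(elapsed), target, responded is None))
    return exceptions


def compliance_pct(tickets, targets, now):
    """Share of tickets (in %) that met their response target at report time."""
    if not tickets:
        return 100.0
    breached = {row[0] for row in exception_report(tickets, targets, now)}
    return 100.0 * (len(tickets) - len(breached)) / len(tickets)


if __name__ == "__main__":
    tickets = parse_log(SAMPLE_LOG)
    for ticket, prio, elapsed, target, open_ in exception_report(tickets, RESPONSE_TARGET_MIN, REPORT_TIME):
        state = "still open" if open_ else "responded"
        print(f"{ticket} {prio}: {elapsed} min vs target {target} min ({state})")
    print(f"response-time compliance: {compliance_pct(tickets, RESPONSE_TARGET_MIN, REPORT_TIME):.0f}%")
```

The report is only as trustworthy as the log it reads: an auditor reviewing such an exception report should also confirm that ticket timestamps come from the system clock rather than from fields the service desk can edit.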
Systems Performance Monitoring Processes, Tools, and Techniques

IT performance monitoring of critical processes and assets should be conducted on a continuous basis to
ensure reliable IT services that meet SLAs and achieve defined business objectives.

Performance monitoring processes must be established with supporting tools and techniques and, although
the CISA exam does not test knowledge of specific tools, the IS auditor should be aware of the importance of
monitoring and of basic techniques which may be employed.

Monitoring, evaluation, and assessment (MEA)


Main Area of Coverage

Monitoring Use of Resources


Critical Success Factors for Monitoring of Enterprise IT

• Planning and communicating the in-scope processes (What)
• Identifying and engaging with key stakeholders (Who)
• Employing a risk-based assessment approach with proper prioritization (How)
• Determining assessment frequency and time to execute (When)
• Continually tracking, reviewing and reporting performance to management

The Process

The monitoring process covers: Monitor Processes, Monitor Performance, Risk-Based Performance,
Track Performance, Review and Report, and Validate Goals.
Database Management
Database Management

COBIT Control DS11.1 - Business Requirements for Data Management

Value and Risk Drivers


Data Management and Database Management System (DBMS)

Data management capabilities are enabled by system software components that enact and support the definition, storage,
sharing, and processing of user data and deal with file management capabilities.

• File organization: User and system data are usually partitioned into manageable units called
  data files. Examples of data file organizations include:
  o Sequential: one record is processed after another.
  o Direct Random Access: records are addressed individually based on a key, not related to the
    data (e.g. a record).
• Database Management Systems: provide a facility to create and maintain a well organized
  database (DB).
Data Management and Database Management System (DBMS)

A DBMS enables:
• Reduced data redundancy
• Decreased access time
• Security over data (record, field, transaction)

The advantages are as follows:
• Data independence
• Ease of support and flexibility
• Transaction processing efficiency
• Reduction of data redundancy
• Maximize data consistency
• Minimize maintenance cost through sharing
• Enforce data/programming standards
• Enforce data security
• Stored data integrity checks
• Use of SQL/application generators
DBMS: Architecture

Metadata is the set of data elements required to define a database (data about data).

DBMS architecture includes:
• Conceptual schema (logical DB design)
• External schema (user view)
• Internal schema (physical implementation)
Database Controls and Database Reviews

Database Controls are necessary to ensure integrity and availability. Database controls include:
• Definition standards and compliance
• Backup and recovery
• Access control over data items and tables
• Concurrency controls
• Controls to ensure accuracy, completeness, and consistency of data and relationships
• Use of checkpoints
• Database reorganization
• Database restructuring procedures
• Database performance monitoring tools/procedures
• Minimize non-system access
Database Controls and Database Reviews

Database reviews are as follows:


• Design:
o Integrity of data ensured through primary and foreign keys (e.g. preventing null values for key fields)
o Reduced duplication of data
• Access:
o User access to the database
o Speed of data access through the use of indexes
• Administration of the database:
o DBA/ODBC access
o Managing concurrent user access
o Backup and recovery/restore and contingency procedures
o Interfaces with other systems
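The design and administration review items above (key integrity, null values in key fields, indexes for access speed, orphan records) as an added example, not part of the course material. It uses Python's built-in sqlite3 module; the schema, table names, and checks are constructed for the demonstration. The PRAGMA matters: SQLite enforces foreign keys only when it is switched on for the connection, which is exactly the kind of setting a database review should verify rather than assume.

```python
"""Database integrity review checks with SQLite (added example).

Builds a small in-memory schema with primary and foreign keys and runs the
checks a database review would expect the controls to pass. Schema and data
are constructed for the demonstration.
"""
import sqlite3


def open_db(enforce_fk=True):
    conn = sqlite3.connect(":memory:")
    # SQLite enforces foreign keys only while this pragma is ON for the connection.
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.executescript("""
        CREATE TABLE customer (
            customer_id INTEGER PRIMARY KEY,
            name        TEXT NOT NULL
        );
        CREATE TABLE invoice (
            invoice_id  INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customer(customer_id),
            amount      REAL NOT NULL CHECK (amount >= 0)
        );
        -- index on the foreign key: the "speed of data access" review item
        CREATE INDEX idx_invoice_customer ON invoice(customer_id);
    """)
    conn.execute("INSERT INTO customer VALUES (1, 'Example Customer')")
    conn.commit()
    return conn


def attempt(conn, sql, params=()):
    """Run one statement; return None on success or the integrity error text."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(sql, params)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)


def count_orphans(conn):
    """Invoices whose customer_id has no matching customer row (a referential integrity finding)."""
    row = conn.execute("""
        SELECT COUNT(*) FROM invoice i
        LEFT JOIN customer c ON c.customer_id = i.customer_id
        WHERE c.customer_id IS NULL
    """).fetchone()
    return row[0]


def integrity_review(conn):
    """Each entry is True when the corresponding control holds."""
    ins = "INSERT INTO invoice (invoice_id, customer_id, amount) VALUES (?, ?, ?)"
    results = {
        "fk_enforced": conn.execute("PRAGMA foreign_keys").fetchone()[0] == 1,
        "orphan_insert_rejected": attempt(conn, ins, (10, 999, 5.0)) is not None,
        "null_key_rejected": attempt(conn, ins, (11, None, 5.0)) is not None,
        "negative_amount_rejected": attempt(conn, ins, (12, 1, -1.0)) is not None,
        "valid_insert_accepted": attempt(conn, ins, (13, 1, 5.0)) is None,
    }
    # A parent row that still has children must not be deletable.
    results["parent_delete_rejected"] = attempt(
        conn, "DELETE FROM customer WHERE customer_id = 1") is not None
    results["no_orphans"] = count_orphans(conn) == 0
    return results


if __name__ == "__main__":
    for name, ok in integrity_review(open_db()).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    # With enforcement off the same orphan insert silently succeeds: an audit finding.
    weak = open_db(enforce_fk=False)
    attempt(weak, "INSERT INTO invoice VALUES (20, 999, 1.0)")
    print("orphans with FK enforcement off:", count_orphans(weak))
```

The orphan query is the reusable part: declared constraints tell the reviewer what the database should reject, while a LEFT JOIN over the live data shows whether bad rows got in anyway, for instance through a bulk load that ran with enforcement disabled.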
Value Drivers

Following are the various Value Drivers:
• Data Handling
• Transactions Support
• Business Requirements

Risk Drivers

Following are the various Risk Drivers:
• Breaches
• Legal Requirements
• Regulatory Requirements
Controls

Following are the steps in database controls:

• Define the business requirements for the management of data by IT.
• Segregation of duties within operations for the entry, processing and authorization of data transactions.
• Ensure data completeness.
• Handling of data errors.
• Verify logs.
• Safeguard stored data.
Part B: Business Resilience
Part B: Business Resilience

The following topics are covered in Part B:


• Business Impact Analysis (BIA)

• System resiliency

• Data backup, storage, and restoration

• Business Continuity Plan (BCP)

• Disaster Recovery Plan (DRP)


Business Impact Analysis (BIA)
Business Impact Analysis (BIA)

A Business Impact Analysis (BIA) drives the focus of the BCP efforts of an organization and helps balance costs
to be incurred with the corresponding benefits to the organization. A good understanding of the BIA concept is
essential for the IS auditor to audit the effectiveness and efficiency of a BCP.
BIA

Following are the three items in Business Impact Analysis:
• Identify Likelihood
• Identify Impact
• Identify Vulnerabilities

Identify Criticalities

Following are the three items to identify criticalities:
• Critical Processes
• Critical Data
• Critical Systems

BIA: Concepts

The Business Impact Analysis concepts are as follows:
• RPO and RTO
• MTTD and MTTR
• MTO and SDO


BIA, RTO, and RPO

The BIA is a key input in determining the RTO and RPO of the systems that support mission critical
business functions.

RTO and RPO are critical factors in determining the DR solutions that an organization chooses for its
applications.

BIA (Business Impact Analysis) is a process that identifies mission critical functions. It also identifies the
impact that disruption of these functions will have on business continuity.

The smaller the RTO and RPO windows, the more robust and resilient the systems must be to restore a
minimum acceptable level of service.

The choice of different recovery solutions like mirroring, hot site, warm site, etc., depends on the RTO
and RPO objectives.

Defining and installing resilient systems for a smaller RTO and RPO involves greater expenditure.
RTO and RPO

RTO
• RTO stands for Recovery Time Objective.
• It is the maximum period within which a business function or process must be restored to an
  acceptable level (in case full restoration is not possible) to preclude unacceptable consequences
  for the business.
• It means that any delay beyond the RTO in restoring an agreed and acceptable level of service will
  have grave repercussions for the continuity of the business.

RPO
• RPO stands for Recovery Point Objective.
• It is the maximum amount of data that an organization can afford to lose in the event of a disaster.
• Any loss of data beyond the RPO may threaten the continuity of a business.
Business Impact Analysis Related to Business Continuity Planning

The IS auditor should determine whether BIA and BCP are suitably aligned

BCP should be based on a well-documented BIA to be efficient and effective

BIA drives the focus of BCP/disaster recovery plan (DRP) efforts of the organization and helps balance the costs
to be incurred with corresponding benefits to the organization
Main Areas of Coverage

Business Impact Analysis

Business Impact Analysis is a component of Business Continuity Planning (BCP), which identifies events
that could impact the continuity of operations and assesses the impact of these events.

BIA helps an organization to:
• Understand the priorities and time requirements for recovery of business functions
• Gather information regarding the organization’s current recovery capabilities
Business Impact Analysis: Activities, Approval, and Approaches

• Understanding the organization: key business processes, roles involved
• Activities involved in BIA: IT personnel, end-users
• Approvals required in BIA: senior management
• Approaches of BIA: questionnaires, interviews, and brainstorming sessions
Business Impact Analysis: Points to Consider

It is important to analyze the following questions before the business impact analysis.
• What are the organization’s business processes?
• What are the critical information resources related to the critical business processes?
• What is the critical recovery time for information resources to resume business processing before
significant or unacceptable losses?
Business Impact Analysis: RTO and RPO

Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are discussed here.

• Recovery Time Objective (RTO): This is the acceptable downtime in case of a disruption to operations
  (determines the processes and technology used for backup and recovery, for example, data tapes or disk).
• Recovery Point Objective (RPO): This is the acceptable data loss in case of a disruption to operations
  (determines the frequency of backup).
Disruption Cost vs. Recovery Costs

The diagram shows the relationship between Disruption costs and Recovery costs.
The two should be balanced to attain an optimum protection level of key information assets, that is, to obtain an optimal RPO
and RTO.
Disruption Cost vs. Recovery Costs

If the business continuity strategy aims at a longer recovery time, it will be less expensive than a more stringent requirement,
and more susceptible to downtime costs spiraling out of control.

• The downtime cost of the disaster in the short run (for example, hours, days, and weeks) grows quickly
  with time, since the disruption impact increases the longer it lasts.
• At a certain moment, it stops growing, reflecting the moment or point when the business can no longer
  function.
System Resiliency
System Resiliency

System resiliency tools and techniques are important to ensure uninterrupted service.
Main Area of Coverage

System resiliency tools and techniques

Resiliency

Resiliency measures include:
• RAID
• Sites
• Backup
• Spares
Redundant Array of Inexpensive or Independent Disks (RAID)
• It protects data against disk failure.
• It provides redundancy, fault tolerance, and performance improvement by combining several physical disks
  into a logical disk.
• Main features of RAID are:

Striping
• It implies dividing data into blocks and writing these blocks to different disks.
• It improves performance, since both read and write operations are carried out in parallel on two or
  more disks.

Redundancy
• It implies that the same data is stored on more than one disk so that no disk turns out to be a single
  point of failure.
• In case one disk fails, data can still be accessed from the other disk.

Parity
• This feature is used to provide fault tolerance, enabling data to be reconstructed from its parallel disk
  or parity, in case of failure.
• Checksums are used to detect any loss or mutilation in transit, since data can be lost or unintentionally
  modified while in transit.
RAID Levels
The primary levels of RAID are:

• RAID 0: Disk Striping
• RAID 1: Disk Mirroring
• RAID 3: Disk Striping with dedicated parity
• RAID 4: Disk Striping with dedicated parity
• RAID 5: Disk Striping with distributed parity
• RAID 6: Disk Striping with dual parity
RAID Levels: 0, 1, and 3

RAID 0
• Two or more physical disks are combined into a single logical disk.
• Data is striped across multiple drives.
• It neither offers redundancy nor parity.
• It offers performance improvement.

RAID 1
• Data is written onto two disks.
• This level offers redundancy: if one disk fails, the data is available on another disk.
• It does not incorporate striping or parity.
• It does not offer fault tolerance or improved performance.
• Since the same data is written to two disks, effective storage space is reduced by 50%.

RAID 3
• It requires a minimum of 3 disks.
• Data is striped on two or more disks, while parity is on one disk.
• If any disk fails, it can be reconstructed with parity.
• However, it offers no protection if both a data disk and the parity disk fail at the same time.
RAID Levels: 5, 6, and 10

RAID 5
• In this level, data and parity are striped across three or more disks.
• If one disk fails, the lost data can be reconstructed again, using the data and parity on the other disks.
• Some implementations allow hot swapping, the ability to replace a faulty drive without shutting down
  the server.
• Thus, the system remains operational, even if one disk fails.
• This offers both improved performance (striping) and redundancy (parity is distributed on all disks).
• This is the most common RAID level.

RAID 6
• It is similar to RAID 5, except that a second set of parity is written onto all disks.
• There is an increased level of redundancy.
• Here, the system remains operational, even if two disks fail.

RAID 10
• This level is also referred to as RAID 1+0, as it essentially combines the two.
• It requires at least 4 drives to function.
• Blocks are mirrored (redundancy) and striped (performance), which gives it the name, “stripe of
  mirrors”.
• It is most suitable for highly utilized databases, where many read and write operations have to be
  performed.
• It is expensive, since it requires twice as many disks as other RAID levels.
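How single parity lets RAID 3, 4 and 5 survive one disk failure but not two, as an added example that is not part of the course material. It simulates a RAID 5 layout in Python: each stripe spreads data chunks over N-1 disks, stores the XOR of those chunks as parity on the remaining disk, rotates the parity position from stripe to stripe (distributed parity), and rebuilds any single failed disk from the survivors. The four-disk array, 4-byte chunk size, and payload are constructed for the demonstration.

```python
"""RAID 5 style striping with rotating XOR parity and single-disk rebuild (added example).

Stripes a byte string across N simulated disks, stores one XOR parity chunk
per stripe, rotates the parity position across disks, and rebuilds any one
failed disk from the others. Disk count and chunk size are assumptions.
"""
from functools import reduce

CHUNK = 4  # bytes per chunk; real arrays use kilobyte-sized stripe units


def xor_bytes(blocks):
    """Bytewise XOR of equally sized byte strings: the parity operation."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def raid5_write(data, n_disks, chunk=CHUNK):
    """Return n_disks simulated disks, each a list holding one chunk per stripe."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    n_data = n_disks - 1
    stripe_len = n_data * chunk
    padded = data + b"\x00" * (-len(data) % stripe_len)  # pad to whole stripes
    disks = [[] for _ in range(n_disks)]
    for stripe_no, offset in enumerate(range(0, len(padded), stripe_len)):
        data_chunks = [padded[offset + i * chunk: offset + (i + 1) * chunk] for i in range(n_data)]
        parity = xor_bytes(data_chunks)
        parity_disk = stripe_no % n_disks  # distributed parity: rotate per stripe
        remaining = iter(data_chunks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(remaining))
    return disks


def raid5_read(disks, length):
    """Reassemble the original bytes, skipping each stripe's parity chunk."""
    n_disks = len(disks)
    out = bytearray()
    for stripe_no in range(len(disks[0])):
        parity_disk = stripe_no % n_disks
        for d in range(n_disks):
            if d != parity_disk:
                out += disks[d][stripe_no]
    return bytes(out[:length])


def rebuild(disks, failed):
    """Reconstruct the disks in the set `failed` from the survivors.

    Within every stripe the XOR of all chunks (data and parity) is zero, so a
    single missing chunk equals the XOR of the surviving ones, whether it held
    data or parity. With one parity chunk per stripe, two losses are unrecoverable.
    """
    if len(failed) != 1:
        return None
    survivors = [chunks for i, chunks in enumerate(disks) if i not in failed]
    rebuilt = [xor_bytes(stripe) for stripe in zip(*survivors)]
    restored = list(disks)
    restored[next(iter(failed))] = rebuilt
    return restored


if __name__ == "__main__":
    payload = b"Domain 4: resilience through parity"
    array = raid5_write(payload, 4)
    for lost in range(4):
        assert raid5_read(rebuild(array, {lost}), len(payload)) == payload
    print("any single disk rebuilt from parity")
    print("two-disk loss recoverable:", rebuild(array, {0, 1}) is not None)
```

The rebuild window is where the risk sits: until the replacement disk is fully reconstructed, a second failure loses the array, which is why RAID 6 adds an independent second parity and why hot-swap plus monitoring of rebuild progress belongs in the operations review.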
Sites and Spares

Following are the types of sites and spares:

• Hot site – Fully configured sites ready to operate


• Cold Site – Alternate location earmarked
• Warm site – Business site that can be converted
• Reciprocal Agreement – Also called “Mutual Aid” when two companies agree to help each other out
in the case of an emergency
• Hot spare – Fully configured hardware
• Cold spare – Duplicate hardware that can be configured
Disaster Recovery Site Types

Mirror Site
● It is completely redundant and consists of all the necessary equipment, software, data and staff, on
  par with the primary site.
● Data from the primary site is replicated to the mirror site in real time.
● It is the most expensive disaster recovery site type, but offers the highest assurance for critical
  functions.
● A disruption in service is hardly discernible to end users when this type is adopted.
● It is mandatory for some types of organizations, like banks, to adopt this site type.

Hot Site
● This site is entirely prepared and configured for activation, in case any disaster strikes the primary
  site.
● Data can be replicated to a hot site in near real time, or backups can be moved on a regular basis.
● The hardware and software (system and application) of a hot site must be identical to that of the
  primary site.
● It must be compatible for restoration of backup data and commencement of operations on its own.
● In case a disaster strikes, the last available backup is loaded, and the hot site is made operational
  within a few hours, so as to restore the operations.
● It usually employs minimal staff to run operations; however, more staff is added if needed.
Disaster Recovery Site Types

Warm Site
● It is a site that includes complete infrastructure (HVAC, network devices, tape drives, etc.).
● It is essential that the IT equipment is adequate to sustain an acceptable level of performance for
  mission-critical applications.
● Prior to a warm site becoming operational, the latest versions of applications and data backups need
  to be loaded.
● Operational staff also needs to be moved.
● A warm site is less expensive as compared to a hot site and hence is widely adopted.

Cold Site
● It comprises a basic infrastructure, in terms of space and HVAC, without any IT or communications
  equipment (hardware, software, data, network devices).
● Prior to a cold site becoming operational, necessary hardware, software, and office equipment are
  acquired.
● It is an empty data center.
● It may take weeks altogether to fully equip a cold site and render it operational.
Disaster Recovery Site Types

Mobile Site
● It includes all equipment required for recovery, like computers, electric power, network connections,
  and office equipment, but mounted on trailers which can be delivered to any location for recovery.
● Prior to a mobile site becoming operational, it requires power, data connections, water, and waste
  disposal.
Data Backup, Storage, and Restoration
Data backup

An IS auditor should understand the relationship between backup/recovery plans and business process
requirements; it’s essential that critical data be available in the event of data loss or contamination.

Data must be backed up, available at a location that is not likely to be impacted by a disaster at the primary
site, and protected (i.e. physically secure and encrypted if necessary).

An organization should have documented policies, processes, procedures, and standards that clearly explain
data backup and recovery.
Data Backup, Storage, Maintenance, Retention, and Restoration

The terms involved in Data Backup:
• Recovery Time Objective
• Recovery Point Objective

Backup
There are three types of backup:

• Full: A complete backup is obtained.
• Differential: A backup of the changes since the last full backup is obtained.
• Incremental: A backup of the changes since the previous backup is obtained.
Types of Backup

Full Backup
• In this type, the data is fully backed up, and the archive bit is set to zero.
• The advantage of this type of backup is that the restoration is quick.
• However, since the entire data is backed up, the process of backing up is slow.

Differential Backup
• This type of backup makes a copy of all the files that have changed since the last full backup.
• It does not change the archive bit value.
• It consumes less time as compared to the full backup.
• However, restoration takes more time, since the full as well as the differential backup is required.

Incremental Backup
• This type backs up all the files changed subsequent to the last full or incremental backup.
• It sets the archive bit to zero.
• It is the fastest method of creating a backup, among others.
• However, restoration is the slowest, as several backups are required.
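The archive-bit behaviour and restore chains described above as an added example, not part of the course material: a toy file set in Python with full, differential, and incremental backups implemented exactly per the three descriptions, plus a function that works out the minimal restore chain each strategy needs. The unprotected() list is the data that would be lost if a disaster struck right now, i.e. what the RPO has to tolerate. File names and contents are constructed.

```python
"""Full, differential and incremental backups modelled with an archive bit (added example).

A toy file set whose archive bit marks files changed since they were last
captured; the three backup types handle the bit as described above, and
restore_chain() returns the backups needed to recover the latest state.
File names and contents are constructed.
"""


class FileSet:
    """Files plus an archive bit per file (True = changed since last captured)."""

    def __init__(self, files):
        self.files = dict(files)
        self.archive_bit = {name: True for name in files}  # new files need backing up

    def write(self, name, content):
        self.files[name] = content
        self.archive_bit[name] = True

    def unprotected(self):
        """Files whose latest version is in no backup yet: the exposure the RPO must tolerate."""
        return sorted(name for name, bit in self.archive_bit.items() if bit)


def full_backup(fs):
    snapshot = dict(fs.files)
    for name in fs.archive_bit:  # a full backup clears every archive bit
        fs.archive_bit[name] = False
    return ("full", snapshot)


def differential_backup(fs):
    # Copies everything flagged since the last full backup; the bits are left set,
    # so each differential grows until the next full backup.
    return ("differential", {n: fs.files[n] for n, bit in fs.archive_bit.items() if bit})


def incremental_backup(fs):
    changed = {n: fs.files[n] for n, bit in fs.archive_bit.items() if bit}
    for name in changed:  # an incremental clears the bits it captured
        fs.archive_bit[name] = False
    return ("incremental", changed)


def restore_chain(backups):
    """Minimal ordered list of backups needed to restore the latest state."""
    last_full = max(i for i, (kind, _) in enumerate(backups) if kind == "full")
    later = backups[last_full + 1:]
    if later and all(kind == "differential" for kind, _ in later):
        return [backups[last_full], later[-1]]  # full + latest differential only
    return [backups[last_full]] + later         # full + every later incremental


def restore(chain):
    """Replay the chain in order; later copies overwrite earlier ones."""
    state = {}
    for _, files in chain:
        state.update(files)
    return state


def simulate(strategy):
    """Full backup, change one file, back up, change another, back up; return (fs, backups)."""
    fs = FileSet({"ledger.db": "v1", "policy.txt": "v1"})
    backups = [full_backup(fs)]
    fs.write("ledger.db", "v2")
    backups.append(strategy(fs))
    fs.write("policy.txt", "v2")
    backups.append(strategy(fs))
    return fs, backups


if __name__ == "__main__":
    for strategy in (differential_backup, incremental_backup):
        fs, backups = simulate(strategy)
        chain = restore_chain(backups)
        print(strategy.__name__, "restore needs", len(chain), "backups;",
              "recovered state matches:", restore(chain) == fs.files,
              "| unprotected now:", fs.unprotected())
```

A restore test against the chain is the control an auditor should look for: the mixed strategy of mixing incrementals and differentials, or losing one incremental in the middle of the chain, silently restores stale data, which this replay makes visible.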
Backups
Other Backups

• Electronic Vaulting
• WORM
• Offsite
• Read Only


Business Continuity Plan (BCP)
Business Continuity Plan (BCP)

Business Continuity Plan (BCP)

Invoking the BCP/DRP


Main Areas of Coverage

The main areas covered in this domain are:

• IS Business Continuity Planning
• Business Continuity Planning Process
• Business Continuity Policy
• Business Continuity Planning Incident Management
• Development of Business Continuity Plans
• Other Issues in Plan Development
• Components of a Business Continuity Plan
• Plan Testing
Components of an Effective BCP

The components of a Business Continuity Plan depend on the organization size and requirements. It may include:
• Crisis communication plan
• Continuity of support plan
• Incident response plan
• Continuity of operations plan
• Disaster recovery plan
• Business resumption plan
• Occupant emergency plan
Components to be Agreed

The components to be agreed are:
• Governing policies
• Goals/requirements/products
• Alternative facilities
• Critical IS resources to deploy
• Staff required/responsible for recovery tasks
• Data and systems
• Key decision-making personnel
• Resources to support deployment
• Backup of required supplies, other personnel
• Schedule of prioritized activities
Business Continuity Plan Testing

BCP testing involves:
• Testing the developed plans to determine if they work and identify areas that need improvement
• Specifications such as objective and scope of the test, test execution, and pretest
• Testing of the plan by post-test, paper test, preparedness test, and full operational test
• Documentation of test results, which include document observations, problems, and resolutions to
  facilitate recovery in a real disaster
• Analysis of the results obtained against specifications set in time, amount, count, and accuracy
Business Continuity Plan Test Execution

BCP tests can be executed by conducting a pre-test, actual test, and post-test.
• Pre-test: The set of actions necessary to set the stage for the actual test. This ranges from placing tables
  in the proper operations recovery area to transporting and installing backup telephone equipment.
• Actual test: This is the stage for real action of the business continuity test.
  o Actual operational activities are executed to test the specific objectives of the BCP.
  o This is the actual test of preparedness to respond to an emergency.
Business Continuity Plan: Test

Level 5 Cutover

Level 4 Parallel

Level 3 Simulation

Level 2 Walkthrough

Level 1 Document Review


Disaster Recovery Plan (DRP)
Disaster Recovery

Understand different types of alternate sites

Explain the benefits and drawbacks of each


Disaster Recovery Planning: Alternatives

There are three basic sites in disaster recovery planning:

Hot Site Warm Site Cold Site


Disaster Recovery

An IS auditor should understand the concepts behind the decision to declare a disaster and invoke a BCP/DRP
and should understand the impact of the decision on an organization, remembering that invocation of the
BCP/DRP can, in itself, be a disruption.
Implementing DRP/BCP

Before initiating DRP/BCP implementation, ask the following questions:

Who When How


Disaster Recovery

The IS Auditor needs to understand the various testing methods for DRP/BCP.
Business Continuity Plan: Test

Five levels of testing:
• Document Review
• Walkthrough
• Simulation
• Parallel
• Cutover
DRP BCP Standards

• ISO 27001: Requirements for Information Security Management Systems
• ISO 27002: Code of Practice for Business Continuity Management; Section 14 addresses business
  continuity management
Plan-Do-Check-Act Cycle

Plan → Do → Check → Act → Repeat

NOTE: PDCA is NOT in ISO 27001:2014


Process

• Pre-project activities
• Perform a Business Impact Assessment (BIA)
• Develop business continuity and recovery plans
• Test resumption and recovery plans
Regulatory issues and DRP

Laws, regulations, and contracts all impact disaster recovery planning (DRP). Insurance policies also impact
DRP.
Regulatory, Legal, Contractual, and Insurance Issues

The main areas covered include:

Business Continuity Planning may also be mandatory depending on various regulatory or legal requirements.
Additionally, insurance is an important component of the risk mitigation strategy in terms of transfer of risk,
and the IS auditor must be aware of the need to maintain an insurance valuation commensurate with the
enterprise technology infrastructure.

Regulatory issues for DRP

DRP is shaped by:
• Insurance
• Laws
• Regulations
• Contracts
Knowledge Check
QUIZ 1
An IS auditor examining the configuration of an operating system to verify the controls should review the:

a. Transaction logs
b. Authorization tables
c. Parameter settings
d. Routing tables

The correct answer is c

Explanation: Parameters allow a standard piece of software to be customized for diverse environments
and are important in determining how a system runs. The parameter settings should be appropriate to an
organization's workload and control environment.
QUIZ 2
The database administrator (DBA) suggests that database (DB) efficiency can be improved by denormalizing
some tables. This would result in:

a. Loss of confidentiality
b. Increased redundancy
c. Unauthorized accesses
d. Application malfunctions

The correct answer is b

Explanation: Normalization is a design or optimization process for a relational DB that minimizes
redundancy; therefore, denormalization would increase redundancy. Denormalization is sometimes
advisable for functional reasons. It should not cause loss of confidentiality, unauthorized accesses or
application malfunctions.
QUIZ 3
Which of the following controls would be the most effective to ensure and maintain continuous system
availability?

a. Appropriate authorization of system changes
b. Access to users on a need-to-know basis
c. Appropriately documented changes
d. Near real-time monitoring

The correct answer is a

Explanation: Authorizing all changes effectively prevents a potential change that may affect system
availability. Authorization is generally based on successful testing and is put into production after
acceptance by a business user.
QUIZ 4
An organization having a number of offices across a wide geographical area has developed a disaster
recovery plan. Using actual resources, which of the following is the MOST cost-effective test of the disaster
recovery plan?

a. Full operational test
b. Preparedness test
c. Paper test
d. Regression test

The correct answer is b

A preparedness test is performed by each local office to test the adequacy of the preparedness for disaster
recovery.
QUIZ 5
Which of the following is the MOST important action in recovering from a cyber-attack?

a. Creating an incident response team
b. Using cyber-forensic investigators
c. Executing a business continuity plan
d. Filing an insurance claim

The correct answer is c

The most important key step in recovering from cyber attacks is the execution of a business continuity plan
to quickly and cost-effectively recover critical systems, processes and data.
IS Operations, Maintenance, and Service Management
Case Study
Case Study 1


QUIZ 1
Which of the following would be the most important external item to audit?

a. The company’s website
b. The company’s wireless network
c. The company’s VPN
d. The company’s physical security

The correct answer is c

Since employees work from home, this is a potential point of entry for malware, attacks, and other dangers. The
wireless network should be checked, but given the office location the only people who could attempt to breach their
wireless would be those companies on the floors immediately below this company. The website contains no
sensitive data, so even if it is breached, it would have minimal impact. Physical security is not something that is
checked externally.
QUIZ 2
Is physical security of the servers an important item to audit?

a. No, they are in a locked room in the office
b. No, that is outside the scope of an IS audit
c. Yes, access control must be assessed
d. Yes, but primarily just to confirm the lock works

The correct answer is c

It is not sufficient that there is a lock. It needs to be determined who has access to that room and how such
access is monitored and controlled.
Case Study 2


QUIZ
When auditing which of the following is the most critical element of the SLA to
1 examine?

a. Exception reports

b. Response time

c. Penalties for failure to meet response time

d. Staff training

The correct answer is a

Exception reports detail any exception to the SLA. This is the best way to determine if the SLA is being met.
Prior to evaluating if the current SLA is adequate, it is important to note if it is even being adhered to.
QUIZ 2
What is the importance of a right-to-audit clause?

a. Very little; it does not significantly impact the SLA
b. It allows the company to audit the vendor
c. It is important only if it is a no-notice right to audit
d. It is used to force the vendor to conform to security standards

The correct answer is b.

Option a is clearly wrong. Right-to-audit clauses are very rarely no-notice, and a right to audit does not force conformity to standards; it simply allows the company to confirm adherence to, or deviation from, security standards.
Key Takeaways

You are now able to:

• Evaluate the organization's ability to continue business operations
• Evaluate whether IT service management practices align with business requirements
• Conduct periodic review of information systems and enterprise architecture
• Evaluate IT operations and maintenance to determine whether they are controlled effectively and continue to support the organization's objectives
• Evaluate database management practices and data governance policies and practices
• Evaluate problem and incident management policies and practices
• Evaluate change, configuration, release, and patch management policies and practices
• Evaluate end-user computing to determine whether the processes are effectively controlled
• Evaluate policies and practices related to asset lifecycle management

This concludes ‘IS Operations, Maintenance, and
Service Management’.
The next domain is ‘Protection of Information Assets’.
Certified Information Systems Auditor (CISA®)
Protection of Information Assets



Learning Objectives
By the end of this domain, you'll be able to:

• Conduct audits in accordance with IS audit standards and a risk-based IS audit strategy
• Evaluate problem and incident management policies and practices
• Evaluate the organization's information security and privacy policies and practices
• Evaluate physical and environmental controls to determine whether information assets are adequately safeguarded
• Evaluate logical security controls to verify the confidentiality, integrity, and availability of information
• Evaluate data classification practices for alignment with the organization's policies and applicable external requirements
• Evaluate policies and practices related to asset lifecycle management
• Evaluate the information security program to determine its effectiveness and alignment with the organization's strategies and objectives
• Perform technical security testing to identify potential threats and vulnerabilities
• Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices
Part A: Information Asset Security and Control

The following topics are covered in Part A:

• Information asset security frameworks, standards, and guidelines
• Privacy principles
• Physical access and environmental controls
• Identity and access management
• Network and end-point security
• Data classification
• Data encryption and encryption-related techniques
• Public Key Infrastructure (PKI)
• Web-based communication techniques
• Virtualized environments
• Mobile, wireless, and Internet-of-Things (IoT) devices


Overview

An information asset is a component related to provision of accurate data or information for decision-making purposes by an
entity. It is considered to hold value to that particular organization and should, therefore, be protected by ensuring Confidentiality,
Integrity, and Availability (CIA).

Examples of information assets: information, applications, computers, networks, human resources, and facilities.


Information Asset Security Frameworks, Standards, and Guidelines
External Requirements

Many external factors affect an audit. The most important are the laws and regulations that govern cyber security; contractual requirements are also important.

COBIT Control ME3.1 – Identification of External Legal, Regulatory, and Contractual Compliance Requirements.

Information Security and External Parties: external requirements come from three sources, legal, regulatory, and contractual.

Laws and Regulations

• Cybersecurity Act of 2015
• Electronic Fund Transfer Act
• Federal Information Security Management Act (FISMA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• Payment Card Industry Data Security Standard (PCI DSS). Note that PCI DSS is a contractual standard imposed by the card brands rather than a law, although it is often listed alongside them.

Contractual

Contractual requirements typically cover security, encryption, authentication, data storage, and personnel policies, and are grouped as general, data, access, and operational requirements.


Privacy Principles

Maintaining the privacy of confidential data is critical to IS. Therefore, any audit must verify that privacy principles are applied and maintained.

Privacy Management Issues and Role of IS Auditors

Privacy management issues fall into three areas:

• Collection: how, why, and by whom personal data is collected
• Access: who can access the data and how that access is controlled
• Disclosure and destruction: exceptions, disclosure to third parties, and destruction at the end of the retention period

As an IS auditor, you should ask questions about adequacy (are the privacy controls sufficient for the data held?), international requirements (which jurisdictions' privacy laws apply to the data and its transfers?), and ongoing assessment (is compliance reviewed periodically rather than once?).

The focus and extent of a privacy impact assessment may depend on changes in technology, processes, or people.
Physical Access and Environmental Controls
Physical Controls

Physical security weaknesses can result in financial loss, legal repercussions, loss of credibility, or loss of competitive edge.

Thus, information assets must be protected against physical attacks, such as vandalism and theft, through controls that restrict access to sensitive areas containing computer equipment or confidential data files.

Such controls usually employ door locks that require a password, key, token, or biometric authentication of the person attempting entry.

Physical controls fall into three groups:

• Restrict entry: locks and barriers, guards
• Identify: badges, key cards
• Monitor: cameras, sign-in logs

Physical Access Exposures

Auditing physical access includes:

• Touring the information processing facility
• Visibly observing physical access controls
• Reviewing physical security documentation

Evaluation includes:

• General cleanliness
• Doors, windows, walls, curtains
• Ceilings, raised floors
• Ventilation

Additional Physical Security Measures

• Bollards: short concrete pillars, sometimes containing lights or flowers, that stop vehicles from reaching a building
• Fences:
  • 3 ft – 4 ft high deters casual trespassers
  • 6 ft – 8 ft high is too hard to climb easily
  • 8 ft high with 3 strands of barbed wire deters determined intruders
• Motion detectors
• Lighting

Man Traps

A mantrap is a short hallway between two secured doors, each with its own entry control (in the illustrated example, one door uses a PIN and the other a swipe card). Only one door can be open at a time, so a person is held between the doors until the second check succeeds; this prevents tailgating into the facility.
Identity and Access Management
Logical Access Control

Logical access controls are used to manage and protect information assets.

Controls enact and substantiate policies and procedures designed by management to protect information assets.

Controls exist at both the operating system level and the application level, so it is important to understand logical access controls as they apply to systems that may reside on multiple operating system platforms and involve more than one application system or authentication point.

Access

Access is the flow of data between subjects and objects.

• A subject is an active component such as a user, a program, or a process.
• An object is a passive component such as a file, program, data, or other resource.
Identification, Authentication, Authorization and Accountability (IAAA)

Logical access control may be divided into the following four stages:

1. Identification
• The subject claims a particular identity, typically by providing a user account name or number.
• It forms the first part of the credentials.

2. Authentication
• The subject provides the second part of the credentials, such as a password, biometric reading, PIN, or cryptographic key.
• If both parts of the credential set match the values stored by the system (those provided when the user account was set up), the subject is considered authenticated.
• However, the subject's rights or privileges (what they can accomplish on the system) depend on the next stage, authorization.

3. Authorization
• When the subject wants to perform an action or access a resource, the system consults an access matrix to determine whether the subject has the privilege to access that resource or perform that action.
• Depending on the subject's role, it may or may not be permitted to access the resource.
• For example, not all subjects may have access to sensitive data or to a resource such as a printer.

4. Accountability
• Although users have been identified, authenticated, and authorized to use a resource, they must still be accountable for their actions.
• This is accomplished by recording the actions of subjects, typically by logging their actions on the system.
• To establish accountability, each subject must be uniquely identified by a unique user account; shared accounts break the link between an action and a person.
• It is also necessary to log critical (though not necessarily all) actions of subjects on the system.
Authentication

There are three types of authentication factors:

1. Type I: Something you know (password, PIN)
2. Type II: Something you have (token, smart card)
3. Type III: Something you are (biometric)

Identification and Authentication

• Proving one's identity, which is authenticated prior to being granted access.
• A critical building block of IS security: it is the basis of most access control systems and the first line of defense in preventing unauthorized access, and it establishes user accountability by linking activities to users.

Multifactor authentication combines more than one type of factor, e.g. a token and a password or PIN, or a token and a biometric. Two factors of the same type (such as a password and a security question) are not multifactor.

Identification and Authentication: Login IDs and Passwords

• Login IDs and passwords are used to restrict access to computerized information, transactions, programs, and system software.
• They form a two-phase identification/authentication process based on something you know: the login ID provides individual identification and the password provides individual authentication.
• Access rules can be specified at OS level (controlling access to files) or within individual applications (controlling access to menu functions and types of data).
• This may involve an internal list of valid login IDs and a corresponding set of access rules for each login ID.
Access Control Matrix

An access control matrix lists subjects as rows and objects as columns; each cell holds the rights a subject has over an object. It is used to identify:

• Capability lists: a row of the matrix, i.e. everything one subject can do
• Access control lists (ACLs): a column of the matrix, i.e. every subject that can access one object, and how
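The four IAAA stages and the access control matrix above, worked through in code. This is an added example, not part of the course: the users, passwords, objects, and rights are constructed for the demo, and the matrix is a plain dictionary rather than any product's policy store. Passwords are stored as salted PBKDF2 hashes and compared in constant time, the matrix is default-deny, and every decision is written to an audit log so that the accountability stage has something to show.

```python
"""IAAA walk-through: identification, authentication, authorization, accountability.

Added example (not from the course). All users, objects and passwords are
constructed for the demo.
"""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed user directory: login ID (identification) -> verifier (authentication)
USERS = {
    "alice": _make_user("correct horse battery"),
    "bob": _make_user("hunter2"),
}

# Constructed access control matrix: subject (row) -> object (column) -> rights
ACM = {
    "alice": {"payroll.db": {"read", "write"}, "printer": {"use"}},
    "bob": {"payroll.db": {"read"}},
}

AUDIT_LOG: list = []  # accountability: every decision is recorded here


def authenticate(login_id: str, password: str) -> bool:
    """Stages 1 and 2: the login ID identifies, the password authenticates."""
    rec = USERS.get(login_id)
    if rec is None:
        AUDIT_LOG.append(("AUTH_FAIL", login_id, "unknown id"))
        return False
    ok = hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])
    AUDIT_LOG.append(("AUTH_OK" if ok else "AUTH_FAIL", login_id, ""))
    return ok


def authorize(subject: str, obj: str, right: str) -> bool:
    """Stage 3: consult the matrix (default deny); stage 4: log the decision."""
    allowed = right in ACM.get(subject, {}).get(obj, set())
    AUDIT_LOG.append(("ALLOW" if allowed else "DENY", subject, f"{right} {obj}"))
    return allowed


def capability_list(subject: str) -> dict:
    """A row of the matrix: everything one subject can do."""
    return ACM.get(subject, {})


def acl(obj: str) -> dict:
    """A column of the matrix: every subject that can touch one object."""
    return {s: rights[obj] for s, rights in ACM.items() if obj in rights}


if __name__ == "__main__":
    print("alice logs in:", authenticate("alice", "correct horse battery"))
    print("alice may write payroll:", authorize("alice", "payroll.db", "write"))
    print("bob may write payroll:", authorize("bob", "payroll.db", "write"))
    print("ACL for payroll.db:", acl("payroll.db"))
    for entry in AUDIT_LOG:
        print("audit:", entry)
```

Note that the audit log records the login ID, not a shared role name; that is what lets an auditor tie a denied write on payroll.db back to one person.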
Biometrics

Common biometric methods are fingerprint, handprint, retina, and iris scans. Their accuracy is described by three measures:

• False acceptance rate (FAR, Type II error): the proportion of impostors the system wrongly accepts; the most serious error from a security standpoint
• False rejection rate (FRR, Type I error): the proportion of legitimate users the system wrongly rejects
• Crossover error rate (CER), also called equal error rate: the point at which FAR and FRR are equal; the lower the CER, the more accurate the system. Tightening the matching threshold lowers FAR but raises FRR, and vice versa, so a vendor quoting only one of the two rates is not describing accuracy.
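How FAR, FRR, and the crossover error rate are obtained from a matching threshold, as an added example that is not part of the course. The match scores are constructed (a higher score means the presented sample looks more like the enrolled template); a real system would collect thousands of genuine and impostor attempts, but the sweep is the same.

```python
"""FAR, FRR and crossover error rate from a biometric score sweep.

Added example, not course material. The match scores are constructed.
"""

# Constructed match scores on a 0-100 scale.
# Genuine = the enrolled user presenting; impostor = someone else presenting.
GENUINE = [92, 88, 85, 81, 78, 74, 70, 66, 60, 55]
IMPOSTOR = [12, 20, 25, 31, 38, 44, 50, 57, 63, 71]


def far(threshold, impostor=IMPOSTOR):
    """Share of impostors accepted (score >= threshold): Type II error."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """Share of genuine users rejected (score < threshold): Type I error."""
    return sum(s < threshold for s in genuine) / len(genuine)


def error_curve(genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FAR, FRR) for every threshold from 0 to 100."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in range(0, 101)]


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FAR and FRR are closest, and the CER at that point."""
    t, a, r = min(error_curve(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


if __name__ == "__main__":
    for t in (40, 55, 60, 65, 75):
        print(f"threshold {t:3d}: FAR={far(t):.2f} FRR={frr(t):.2f}")
    print("crossover (threshold, CER):", crossover())
```

Sliding the threshold up drives FAR towards zero and FRR towards one; a deployment that cares about FAR (a data centre door) picks a threshold above the crossover, one that cares about FRR (a consumer phone) picks one below it.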
Data Leakage

Data leakage is the risk that sensitive information may be inadvertently made public.

It occurs in different ways, from job postings that list the specific software and network devices with which applicants should have experience, to system administrators posting questions on technical web sites that include the specific firewall or database versions they are running and the IP addresses they are trying to connect to. Each such fragment helps an attacker fingerprint the environment before touching it.

Risks and Controls Associated with Data Leakage

Sources of leakage include:

• Any information regarding the internal network
• Any information regarding key personnel schedules
• Social media posts
• Posting organization charts and strategic plans to externally accessible websites

Data classification policies, security awareness training, and periodic audits for data leakage are elements that the IS auditor will want to ensure are in place.
Maintenance and Monitoring of Security Controls

Security needs to be aligned with business objectives to provide a reasonable reduction in risk.

Information Security Management (ISM)

Factors that raise the profile of information and privacy risk:

• Electronic trading through service providers and directly with customers
• Loss of organizational barriers through the use of remote access facilities
• High-profile security exposures: viruses, denial of service (DoS) attacks, intrusions, unauthorized access, disclosures, identity theft over the Internet, and so on

Effective ISM is the most critical factor in protecting information assets and privacy.

The three issues in Information Security Management are:

• Confidentiality: cryptographic protection of data at rest and data in transit
• Availability: resiliency, backups, redundancy
• Integrity: hashes, HMAC, validation

The key elements in ISM are senior management commitment, policies and procedures, and the security organization.

Network and Endpoint Security
Network Security Controls

An IS auditor must know how network security controls function. This includes firewalls, IDS, and honeypots.

COBIT Control DS5.10 - Network Security

Types of Firewalls

• A firewall is a device used as a barrier between a trusted network (typically the intranet) and an untrusted network (like the internet).
• It works by enforcing rules to control incoming and outgoing traffic.
• It may also be used to prevent one network segment from accessing another; for example, access to critical segments of the network may be restricted.
• The three types of firewalls are packet-filtering, stateful inspection, and proxy (application) firewalls.

Packet-filtering Firewall
• This is basically a packet-filtering router and is a first-generation firewall.
• The device decides whether or not to allow a packet based on the rules configured in the ACL (Access Control List).
• The rules may be based on source and destination IP addresses, port numbers, and protocol types.
• A packet-filtering firewall has two limitations: (a) it is stateless, that is, it does not track the state of a connection, so it cannot tell a legitimate reply to an outbound request from an unsolicited inbound packet; (b) it examines only the packet header and does not conduct deep-packet inspection.
• These limitations mean that this kind of firewall cannot protect against some types of attacks.

Stateful Inspection Firewall
• This firewall overcomes a limitation of the packet-filtering firewall by keeping track of the movement of packets in and out of the network until the connection has been closed.
• This is done by maintaining a state table, which keeps track of all connections.
• It can also track connectionless protocols like UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol) by creating a pseudo-connection entry that expires after a timeout.

Proxy Firewall
• A proxy firewall is typically deployed on a "dual-homed host", a machine with two network interfaces, one with an internal IP address and another with an external IP address.
• It acts as a middleman, intercepting both incoming and outgoing traffic and forwarding it from its own IP address, so no packet passes directly between the two networks.
• Thus, it masks the internal network from the internet.

There are two types of proxy firewalls:

Circuit-level gateway
• It creates a circuit, or connection, between the two communicating systems.
• It works at the session layer and is application independent.
• However, it does not do deep-packet inspection.

Application-level gateway
• It provides granular controls.
• It not only distinguishes between protocols but also controls the commands within a protocol.
• Thus, it is possible to allow some commands in a protocol but disallow others.
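The difference between a stateless packet filter and stateful inspection, shown on the same constructed traffic. This is an added example and not course material: the ACL, the addresses, and the packets are invented, and the firewall logic is a few dozen lines rather than any product's. The stateless filter blocks the server's legitimate reply to an allowed outbound HTTPS request because nothing in the reply's header matches a rule, while the stateful firewall admits it because the outbound SYN was recorded in the state table; an inbound packet that merely looks like a reply, from a host the client never contacted, is still denied.

```python
"""Stateless packet filter vs stateful inspection on the same traffic.

Added example, not course material. Packets are constructed dicts; the
trusted side is 10.0.0.0/8 (an assumption) and the untrusted side is everything else.
"""
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")  # assumed trusted intranet


def _is_inside(ip):
    return ipaddress.ip_address(ip) in INSIDE


# ACL rules: (direction, proto, dst_port, action). First match wins, then implicit deny.
ACL = [
    ("out", "tcp", 443, "allow"),  # users may browse HTTPS
    ("out", "udp", 53, "allow"),   # and resolve DNS
    ("in", "tcp", 22, "deny"),     # nobody reaches SSH from outside
]


def stateless_filter(pkt):
    """First-generation packet filter: looks only at the header of this packet."""
    direction = "out" if _is_inside(pkt["src"]) else "in"
    for d, proto, port, action in ACL:
        if d == direction and proto == pkt["proto"] and port == pkt["dport"]:
            return action
    return "deny"  # implicit deny at the end of the ACL


class StatefulFirewall:
    """Keeps a state table so replies to permitted outbound flows get back in."""

    def __init__(self):
        self.table = set()  # (src, sport, dst, dport, proto) of allowed flows

    def filter(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
        if reverse in self.table:  # reply to a flow we already allowed
            if pkt["proto"] == "tcp" and pkt.get("flags") == "FIN":
                self.table.discard(reverse)  # connection closing: forget it
            return "allow"
        if stateless_filter(pkt) == "allow":  # new flow permitted by policy
            self.table.add(key)  # UDP/ICMP would get a pseudo-state with a timeout
            return "allow"
        return "deny"


# Constructed traffic: one HTTPS session, an SSH probe, and a forged "reply".
TRAFFIC = [
    {"src": "10.1.1.5", "sport": 51000, "dst": "93.184.216.34", "dport": 443, "proto": "tcp", "flags": "SYN"},
    {"src": "93.184.216.34", "sport": 443, "dst": "10.1.1.5", "dport": 51000, "proto": "tcp", "flags": "SYN-ACK"},
    {"src": "93.184.216.34", "sport": 443, "dst": "10.1.1.5", "dport": 51000, "proto": "tcp", "flags": "FIN"},
    {"src": "93.184.216.34", "sport": 443, "dst": "10.1.1.5", "dport": 51000, "proto": "tcp", "flags": "ACK"},
    {"src": "198.51.100.7", "sport": 40000, "dst": "10.1.1.5", "dport": 22, "proto": "tcp", "flags": "SYN"},
    {"src": "198.51.100.7", "sport": 443, "dst": "10.1.1.5", "dport": 51000, "proto": "tcp", "flags": "SYN-ACK"},
]


def run(filter_fn, traffic=TRAFFIC):
    """Apply one filter to every packet in order and return the decisions."""
    return [filter_fn(p) for p in traffic]


if __name__ == "__main__":
    print("stateless:", run(stateless_filter))
    print("stateful: ", run(StatefulFirewall().filter))
```

The packet after the FIN is dropped by the stateful firewall because the flow has been forgotten; a real firewall keeps a short TIME_WAIT entry for exactly that reason. The usual way to make the stateless filter "work" is an extra rule allowing all inbound TCP with high destination ports, which is the hole that makes stateless filters weak.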
Intrusion Detection Systems (IDS)

Intrusion detection systems:
• Monitor network usage for anomalies
• Are used together with firewalls and routers
• Operate continuously in the background
• Alert the administrator when intrusions are detected
• Protect against external and internal misuse

IDS components:
• Sensor – collects data (network packets, log files, system call traces)
• Analyzer – receives input from sensors and determines intrusive activity
• Admin console
• User interface

Intrusion Detection System

• While firewalls allow or deny certain types of packets based on rules, an IDS or Intrusion Detection System is designed to detect suspicious traffic and raise an alert.
• IDS may be of the following types:

Network-based IDS (NIDS)
• Has Network Interface Cards (NICs) configured in promiscuous mode, which means that they copy all the traffic on the network segment and pass it on to an analyzer.
• Can work only with the traffic on the network, meaning it cannot see what is happening inside a computer.

Host-based IDS (HIDS)
• Usually installed on critical servers to watch for suspicious activity on that host.

Both NIDS and HIDS are of the following types: signature-based, anomaly-based, and hybrid or combined.

Signature-based
• Every known attack has a signature that is fed into the IDS and used to detect the attack.
• The limitation of a signature-based IDS is that only known attacks can be detected.
• Unknown or new attacks, whose signatures have not been fed into the system, are not detected.

Anomaly-based
• This is behavioral-based and works on the basis of statistical anomalies rather than known signatures.
• The IDS is initially put in "learning mode," during which it samples the environment and formulates a profile of normal activity.
• All traffic is then compared with the profile built up by the IDS, and any anomaly triggers an alert. This is likely to generate false positives.
• The longer the system is kept in learning mode, the more accurate the profile is likely to be, provided the traffic it learns from is itself clean; an attack that is under way during learning becomes part of "normal".

Hybrid or combined
• This combines both signature-based and anomaly- or behavioral-based IDS.
• It is flexible and can detect attacks based on known signatures as well as unknown attacks.
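Signature-based and anomaly-based detection side by side, as an added example that is not part of the course. The web-server log lines, the three signatures, and the z-score threshold are all constructed for the demo. The signature detector catches the SQL injection attempt because a pattern for it exists, but is blind to the fast enumeration scan; the anomaly detector, after a learning pass over clean baseline traffic, flags the scan because its request rate is far outside the learned profile, and knows nothing about SQL.

```python
"""Signature-based and anomaly-based detection over constructed web-server logs.

Added example, not course material. Log lines, signatures and thresholds are invented.
"""
import re
import statistics
from collections import Counter

# Signature-based: known attack patterns (deliberately simple).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-union": re.compile(r"union\s+select", re.I),
    "xss-script": re.compile(r"<script", re.I),
}

# Constructed log format: <client ip> [HH:MM] "<request line>"
LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<minute>\d\d:\d\d)\] "(?P<req>[^"]*)"')


def signature_alerts(lines):
    """Flag every request matching a known signature (misses novel attacks)."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(m["req"]):
                alerts.append((m["ip"], name))
    return alerts


def _rates(lines):
    """Requests per (client, minute)."""
    return Counter((m["ip"], m["minute"]) for m in map(LOG_RE.match, lines) if m)


class AnomalyDetector:
    """Learns requests-per-minute per client, then flags statistical outliers."""

    def __init__(self, z_limit=3.0):
        self.z_limit = z_limit
        self.mean = self.stdev = None

    def learn(self, lines):
        """Learning mode: build a profile of normal request rates."""
        counts = list(_rates(lines).values())
        self.mean = statistics.mean(counts)
        self.stdev = statistics.pstdev(counts) or 1.0

    def detect(self, lines):
        """Detection mode: anything far above the learned profile is an alert."""
        return [(ip, minute, count) for (ip, minute), count in _rates(lines).items()
                if (count - self.mean) / self.stdev > self.z_limit]


# Constructed baseline: ordinary browsing, 1-3 requests per client per minute.
BASELINE = [f'10.0.0.{h} [09:{m:02d}] "GET /page{n} HTTP/1.1"'
            for h in range(1, 6) for m in range(0, 10) for n in range((h + m) % 3 + 1)]

# Constructed live traffic: one client enumerating fast, one SQL injection attempt.
LIVE = [f'203.0.113.9 [10:01] "GET /item?id={i} HTTP/1.1"' for i in range(40)] + [
    '10.0.0.2 [10:01] "GET /page1 HTTP/1.1"',
    '198.51.100.4 [10:02] "GET /search?q=1 UNION SELECT password FROM users HTTP/1.1"',
]


def run(baseline=BASELINE, live=LIVE):
    """Return (signature alerts, anomaly alerts) for the live traffic."""
    ids = AnomalyDetector()
    ids.learn(baseline)
    return signature_alerts(live), ids.detect(live)


if __name__ == "__main__":
    sig, anom = run()
    print("signature alerts:", sig)
    print("anomaly alerts:", anom)
```

A hybrid IDS is simply the union of the two alert lists; the false-positive cost of the anomaly half is visible here too, since a legitimate crawler or a busy proxy would trip the same rate rule.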
Honey Pots and Honey Nets

• A fake system, deliberately exposed
• Distracts the attacker from production systems
• Allows the attacker's activity to be monitored and traced

SIEM

• Security Information and Event Management. These are products that combine Security Information Management with Security Event Management, usually offering:
o Log management: aggregating and monitoring logs
o Alerting
o Dashboards: management consoles
o Compliance: monitoring and reporting

Data about events concerning an organization's security is produced by logs at multiple locations, like firewalls, IDS, IPS, various servers, proxies, etc.

Looking at each of the logs individually does not produce a holistic picture of suspicious events and threats. Nor is it feasible to scrutinize these logs manually. Moreover, log formats differ widely between systems.

The objective of SIEM is to pool the logs from various sources, normalize them into a common format, and use automated tools to correlate and analyze them.

In addition to storing logs from various sources centrally, SIEM analyzes them in near real time so that suitable countermeasures can be taken.

It deploys agents at multiple locations to gather security-related data and relay it back to the central console, where the data are analyzed and anomalies are flagged for remedial action. This serves as an early warning system.
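The two things a SIEM does that a single log cannot, normalization and cross-source correlation, in a small added example that is not part of the course. Both log formats (a firewall deny line and an sshd failure line), every line, and the correlation rule (a source the firewall denied that then fails SSH authentication three times within sixty seconds) are constructed for the demo and are not any product's rule language.

```python
"""SIEM-style normalisation and correlation of logs from two sources.

Added example, not course material. Both log formats and all lines are constructed;
the correlation rule is illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime

# Two constructed formats: a firewall syslog line and an sshd auth line.
FW_RE = re.compile(r'^(?P<ts>\S+) fw01 DENY src=(?P<src>\S+) dst=(?P<dst>\S+):(?P<dport>\d+)')
SSH_RE = re.compile(r'^(?P<ts>\S+) srv02 sshd\[\d+\]: Failed password for (?P<user>.+?) from (?P<src>\S+)')


def normalize(line):
    """Map a raw line to a common event schema; None if the format is unknown."""
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                "source": "firewall", "type": "deny", "detail": f"{m['dst']}:{m['dport']}"}
    m = SSH_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                "source": "sshd", "type": "auth_fail", "detail": m["user"]}
    return None


def correlate(events, window_s=60, min_failures=3):
    """Alert when a source the firewall denied also fails SSH auth
    at least min_failures times within window_s seconds after that deny."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        for deny in (e for e in evs if e["type"] == "deny"):
            fails = [e for e in evs if e["type"] == "auth_fail"
                     and 0 <= (e["ts"] - deny["ts"]).total_seconds() <= window_s]
            if len(fails) >= min_failures:
                alerts.append({"src": src, "deny_at": deny["ts"], "failures": len(fails)})
                break  # one alert per source is enough
    return alerts


RAW_LOGS = [  # constructed
    "2024-05-01T10:00:00+00:00 fw01 DENY src=198.51.100.7 dst=10.0.0.5:3389",
    "2024-05-01T10:00:05+00:00 srv02 sshd[812]: Failed password for root from 198.51.100.7 port 5222",
    "2024-05-01T10:00:09+00:00 srv02 sshd[812]: Failed password for admin from 198.51.100.7 port 5223",
    "2024-05-01T10:00:14+00:00 srv02 sshd[812]: Failed password for invalid user test from 198.51.100.7 port 5224",
    "2024-05-01T10:00:30+00:00 srv02 sshd[815]: Failed password for alice from 10.0.0.9 port 40022",
    "2024-05-01T10:05:00+00:00 fw01 DENY src=203.0.113.2 dst=10.0.0.5:445",
    "2024-05-01T10:00:40+00:00 app03 something unrelated",
]


def run(lines=RAW_LOGS):
    """Normalize, drop unknown lines, correlate; return the alerts."""
    events = [e for e in map(normalize, lines) if e]
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print("ALERT:", alert)
```

Neither source alone produces the alert: the firewall sees one denied RDP probe, and sshd sees three failed logins, which on a busy host is noise. Only the joined, time-ordered view identifies one external host moving from port scanning to credential guessing. Note also that the correlation depends on both hosts' timestamps being comparable, which is why SIEM deployments insist on synchronized clocks.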
Security Devices, Protocols, and Techniques

An organization implements specific applications of cryptographic systems to ensure the confidentiality of important data.

Security Devices

• Firewall: packet filter, stateful packet inspection (SPI), application, proxy
• IDS: active (responds to the intrusion, i.e. an intrusion prevention system) or passive (alerts only)
• Honeypot

Protocols

• Network protection: IPSec, SSL/TLS, VPN
• Authentication: CHAP, Kerberos, SESAME

SSL/TLS Process

Step 1: Client Hello (cipher settings, SSL/TLS version, etc.)
Step 2: Server Hello (cipher settings, SSL/TLS version, X.509 certificate, etc.)
Step 3: Client validates the server's certificate against the CAs it trusts
Step 4: Client sends the pre-master secret, encrypted with the server's public key (RSA key exchange; TLS 1.3 replaces this with an ephemeral Diffie-Hellman exchange so that session keys cannot be recovered later from the server's long-term key)
Step 5: Client derives the session key and finishes the handshake
Step 6: Server derives the session key and finishes the handshake

All versions of SSL and TLS 1.0/1.1 are deprecated; an auditor should expect TLS 1.2 or 1.3 on any current system.
Kerberos Process

The Key Distribution Center (KDC) consists of the Authentication Service (AS) and the Ticket Granting Service (TGS).

Step 1: The user is authenticated by the AS (the AS reply is encrypted with a key derived from the user's password, so only the real user can read it).
Step 2: The AS issues a ticket-granting ticket (TGT).
Step 3: The TGT is sent back to the user, encrypted with a symmetric key known only to the KDC, so the user can present it but cannot read or alter it.
Step 4: The user requests a service ticket, sending the TGT (with a freshly encrypted authenticator) to the TGS.
Step 5: The KDC sends the service ticket to the user, encrypted with a symmetric key known only to the KDC and the service.
Step 6: The user presents the service ticket to the service (the server the user wants to access), which decrypts it with its own key and never needs to contact the KDC.

Timing: the authenticator presented with a ticket is accepted only within a small clock-skew window, typically 5 minutes, which is why Kerberos depends on synchronized clocks; the tickets themselves carry a longer lifetime (hours) set by the KDC.
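The six-step exchange above as running code, as an added example that is not part of the course. It assumes the `cryptography` package is installed and uses its Fernet construction as the symmetric cipher; principal names, keys, and lifetimes are constructed. Real Kerberos uses ASN.1 messages, nonces, and many more fields, but the key hierarchy is the same as shown here: the TGT is sealed under a key only the KDC holds, the service ticket under the service's own key, and each ticket carries a fresh session key that the other party receives separately under a key it already has.

```python
"""Kerberos ticket flow (AS exchange, TGS exchange, service access) in miniature.

Added example, not course material. Assumes `cryptography` is installed and uses
Fernet (AES-CBC + HMAC with a built-in timestamp) as the symmetric cipher.
"""
import json
import time
from cryptography.fernet import Fernet, InvalidToken


def _seal(key, obj):
    return Fernet(key).encrypt(json.dumps(obj).encode())


def _open(key, token, ttl=None):
    # ttl makes Fernet reject tokens older than ttl seconds: our clock-skew window
    return json.loads(Fernet(key).decrypt(token, ttl=ttl))


class KDC:
    """Authentication Service (AS) + Ticket Granting Service (TGS)."""

    def __init__(self):
        self.tgs_key = Fernet.generate_key()  # known only to the KDC
        self.principals = {}                  # name -> long-term key

    def register(self, name):
        self.principals[name] = Fernet.generate_key()
        return self.principals[name]

    def as_exchange(self, user, ticket_life_s=8 * 3600):
        """Steps 1-3: AS issues a TGT; the reply is under the user's own key."""
        session = Fernet.generate_key()
        tgt = _seal(self.tgs_key, {"user": user, "session": session.decode(),
                                   "expires": time.time() + ticket_life_s})
        return _seal(self.principals[user], {"session": session.decode()}), tgt

    def tgs_exchange(self, tgt, authenticator, service):
        """Steps 4-5: TGS checks TGT and authenticator, issues a service ticket."""
        t = _open(self.tgs_key, tgt)
        if t["expires"] < time.time():
            raise PermissionError("TGT expired")
        auth = _open(t["session"].encode(), authenticator, ttl=300)  # 5-minute window
        if auth["user"] != t["user"]:
            raise PermissionError("authenticator does not match TGT")
        svc_session = Fernet.generate_key()
        ticket = _seal(self.principals[service],
                       {"user": t["user"], "session": svc_session.decode()})
        return _seal(t["session"].encode(), {"session": svc_session.decode()}), ticket


def client_login(kdc, user, user_key, service):
    """Client side: get a TGT, then a service ticket, then build the authenticator."""
    reply, tgt = kdc.as_exchange(user)
    session = _open(user_key, reply)["session"].encode()
    authenticator = _seal(session, {"user": user})  # Fernet stamps the time for us
    reply2, ticket = kdc.tgs_exchange(tgt, authenticator, service)
    svc_session = _open(session, reply2)["session"].encode()
    return ticket, _seal(svc_session, {"user": user})


def service_accept(service_key, ticket, authenticator):
    """Step 6: the service opens the ticket with its own key, never asking the KDC."""
    t = _open(service_key, ticket)
    try:
        auth = _open(t["session"].encode(), authenticator, ttl=300)
    except InvalidToken:
        return None
    return t["user"] if auth["user"] == t["user"] else None


def forged_authenticator(user="alice"):
    """An authenticator built without the ticket's session key (for the rejection case)."""
    return _seal(Fernet.generate_key(), {"user": user})


def demo():
    kdc = KDC()
    alice_key = kdc.register("alice")
    fileserver_key = kdc.register("fileserver")
    ticket, auth = client_login(kdc, "alice", alice_key, "fileserver")
    return service_accept(fileserver_key, ticket, auth)


if __name__ == "__main__":
    print("fileserver accepted:", demo())
```

Two properties of the real protocol fall out of the code: a stolen ticket is useless without the session key needed to build a fresh authenticator, and the service validates everything offline, which is why a KDC outage breaks new logins but not sessions already established.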
Main Areas of Coverage

Application of the OSI Model in Network Architectures

Open Systems Interconnection Model

A common standard for open system interconnection using a layered set of protocols. It defines a 7-layer hierarchical architecture that logically partitions the functions required to support system-to-system communication.

Its objective is to provide:
• A set of open system standards for equipment manufacturers
• A benchmark to compare different communication systems

OSI Model: Summary Functions
Summary functions of the OSI model are as follows:

OSI Model: Mnemonics

Some mnemonics to remember the OSI layers, top down: All People Seem To Need Data Processing
• A – Application
• P – Presentation
• S – Session
• T – Transport
• N – Network
• D – Data Link
• P – Physical

Reversing the layers, bottom up: Please Do Not Throw Sausage Pizza Away
• P – Physical
• D – Data Link
• N – Network
• T – Transport
• S – Session
• P – Presentation
• A – Application
OSI Layers

Application
• This is the layer closest to the user.
• It comprises protocols that support the applications.
• Examples of protocols at this layer: HTTP, SMTP, FTP.

Presentation
• This layer sits below the Application layer (or above it, depending on whether you read the stack top down or bottom up).
• It is responsible for formatting the data to make it readable to the applications.
• Functionalities of this layer include compression, decompression, encryption, and decryption.

Session
• This layer establishes, maintains, and terminates the connections between two applications.
• It keeps track of all applications that are communicating over the network.
• Some of the protocols that operate at this layer are RPC (Remote Procedure Call) and SQL (Structured Query Language).

Transport
• This layer establishes end-to-end connections between two computers.
• Examples: TCP, UDP (User Datagram Protocol), and SSL/TLS (usually placed between the Transport and Application layers).

Network
• This layer uses IP addresses, which are routable.
• It inserts data into packet headers for routing.
• Logical addressing enables packets to be routed across different network technologies such as Ethernet and Token Ring.
• It maintains routing tables.
• Routers operate at the Network layer.
• Common protocols for this layer: IP, ICMP, OSPF (Open Shortest Path First).

Data Link
• This layer converts data into the appropriate frame formats for LAN and WAN.
• Bridges and switches operate at the Data Link layer.
• Network technologies have different signaling and encoding patterns and interpret electrical voltages differently.
• MAC addresses are physical addresses and are not routable; they cannot go beyond the physical segment of the network.

Physical
• This layer is responsible for converting bits into voltages (or light pulses) for transmission over the network.
• Specifications include voltage levels, voltage changes, and physical connectors for electrical and optical data transmission.
• Repeaters and hubs operate at the Physical layer.
Data Classification
Data Classification Standards

Information assets have varying degrees of sensitivity and criticality in meeting business objectives. Data is classified and protected according to the set degree.

An important first step to data classification is discovery, inventory, and risk assessment. Once this is accomplished, data classification can be put into use.

Data Classification Standards and Supporting Procedures

A typical classification scheme uses levels such as confidential, sensitive, and public.

Inventory and Classification of Information Assets

The inventory should record:
o Who has access to what
o Who determines access rights and levels

Classification of Information Assets

Assets are also ranked by criticality: critical, significant, moderate, or low.

Classifying Data

Military: Top Secret, Secret, Confidential
Civilian: Confidential, Private, Sensitive

Store, Retrieve, Transport, and Dispose of Confidential Information

Confidential information assets are vulnerable during storage, retrieval and transport and must be disposed of properly.

Handling Confidential Information

Procedures are needed to prevent access to, or loss of, sensitive information and software; controls are required for:

• Backup files and databases
• Data banks
• Disposal of media previously used to hold confidential information
• Management of equipment sent for offsite maintenance
• Public agencies and organizations concerned with sensitive, critical or confidential information
• E-token electronic keys
• Storage records

Destruction of Confidential Data

• DoD data destruction (overwriting media to a recognized standard)
• Physical destruction
• Document destruction
Data Encryption and Encryption-Related Techniques
Encryption

One of the best ways to protect the confidentiality of information is through the use of encryption. Encryption comes in two forms, symmetric and asymmetric.

Effective encryption systems depend on:

• Algorithm strength, key secrecy, and the difficulty of compromising a key. The algorithm itself should be public and well reviewed; only the key needs to be secret (Kerckhoffs's principle), and a vendor that relies on a secret algorithm is a finding, not a strength.
• The nonexistence of back doors by which an encrypted file can be decrypted without knowing the key.

Symmetric vs. Asymmetric Keys Compared

Symmetric keys:
• The number of keys required for a group of n people is large: n(n-1)/2, one key per pair.
• Symmetric keys are faster and stronger than asymmetric keys of comparable length.
• The same key is used for encryption and decryption.
• It provides confidentiality (and, with a MAC, integrity) but not non-repudiation, because both parties hold the same key and either could have produced a message.
• The keys have to be shared confidentially; common means of communication, like email, cannot be employed.
• It requires no other infrastructure to support it.

Asymmetric keys:
• The number of keys required is smaller: 2n, one key pair per person.
• Asymmetric keys are slower and weaker than symmetric keys of comparable length.
• A pair of keys (private key and public key) is used; messages encrypted with either of them can be decrypted only with the other key.
• It provides confidentiality and non-repudiation.
• Since two different keys are used and the public key is known to all, the question of sharing the key confidentially does not arise.
• It requires PKI (public key infrastructure) to support it.
Symmetric Ciphers

• DES: 56-bit key; outdated
• AES: 128-, 192-, or 256-bit key; very secure
• Blowfish: variable key length of 32 to 448 bits; very secure

Asymmetric Ciphers

• RSA: widely used; older but still secure with an adequate key length
• DH (Diffie-Hellman): the first public-key algorithm; used only for key exchange
• ECC (Elliptic Curve Cryptography): newer; very secure with much shorter keys
Digital Envelope

• Digital envelopes adopt a hybrid approach by using both symmetric and asymmetric encryption.
• This approach is preferred because symmetric keys are quicker and less resource intensive than asymmetric keys of similar length.
• However, secure exchange of a symmetric key between two parties can pose a challenge.

Let's say Alex wishes to send a message to Bob. It would be quicker and more efficient to use symmetric encryption rather than asymmetric encryption, if only Alex could convey the symmetric key to Bob without the risk of compromise.

Instead, Alex encrypts the message with a symmetric key and then encrypts the symmetric key with Bob's public key (asymmetric encryption), and sends both the encrypted message and the encrypted symmetric key to Bob. Together these constitute a digital envelope.

On receiving the digital envelope, Bob obtains the symmetric key by decrypting the encrypted key with his private key (which only he has). Once he has the symmetric key, he decrypts the message. An attacker cannot obtain the symmetric key without Bob's private key.
Network Infrastructure Security: Encryption

Following are the differences between symmetric and public key systems:

Symmetric key
● Both parties share the same key
● Much faster
● As secure with a smaller key
● Examples: DES, IDEA, RC5, AES, Serpent, GOST, Blowfish

Public key
● Two separate keys: a public and a private key
● Typically slower
● Examples: RSA, ElGamal encryption, ECC
Hardware, System Software, and DBMS

• Operating system issues
• Hardware issues
• Issues with closed systems vs. open systems

Logical Access Controls

Various logical access controls are:
• User profiles
• Logging
• Login management
• User authentication
• Access control
• Data protection

Operating System Issues

• Configuration
• Patch management
• Inherent OS security
• Hardening

Hardware

• Access
• Circumventing security
• Hardware installation security
• Rogue devices

Database Activity Monitoring

Database activity monitoring (DAM) is the monitoring and analysis of database activity that operates independently of the database management system (DBMS) and does not rely on any form of native (DBMS-resident) auditing or native logs such as trace or transaction logs. DAM is typically performed continuously and in real time.

Database activity monitoring and prevention (DAMP) is an extension to DAM that goes beyond monitoring and alerting to also block unauthorized activities.
Public Key Infrastructure (PKI)
PKI and Digital Signatures

Encryption is the process of converting a plaintext message into a secure coded form of text called cipher
text, which cannot be understood without converting it back via decryption (the reverse process) to
plaintext. PKI involves the distribution of asymmetric keys.
Digital Signatures

Digital signatures ensure:

• Data integrity: a one-way cryptographic hashing algorithm produces a digest of the message, and the digital signature algorithm signs that digest
• Sender identity (authentication): public key cryptography, since only the holder of the private key could have produced the signature
• Non-repudiation
• Replay protection: timestamps and sequence numbers are built into the messages and covered by the signature

Digital signatures are:

• Electronic identification of a person or entity
• Intended for the recipient to verify the integrity of the data and the identity of the sender

Alongside the signature, the sender may also transmit encrypted information together with the relevant key. The message to be sent can be encrypted by using either:
o An asymmetric key
o A symmetric key
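An added example, not from the course material, of the three properties above working together: the sender hashes the message fields and signs the digest with a private key, and the recipient verifies the signature with the public key, then rejects replays by sequence number and stale messages by timestamp. Ed25519 from the Go standard library is used as the signature algorithm; the message contents, the fixed clock value and the 300-second skew allowance are assumptions for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedMessage carries the payload, the two anti-replay fields (sequence
// number and timestamp) and the signature over all three.
type SignedMessage struct {
	Seq       uint64
	Timestamp int64 // Unix seconds
	Payload   []byte
	Sig       []byte
}

// digest is the one-way hash step: it binds seq, timestamp and payload into a
// single value so that no field can be swapped without breaking the signature.
func digest(seq uint64, ts int64, payload []byte) []byte {
	h := sha256.New()
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], seq)
	h.Write(buf[:])
	binary.BigEndian.PutUint64(buf[:], uint64(ts))
	h.Write(buf[:])
	h.Write(payload)
	return h.Sum(nil)
}

// NewSender generates the sender's Ed25519 key pair; in a PKI the public half
// is what the recipient would obtain from the sender's certificate.
func NewSender() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is the sender side: hash the fields, sign the hash with the private key.
func Sign(priv ed25519.PrivateKey, seq uint64, ts int64, payload []byte) SignedMessage {
	return SignedMessage{Seq: seq, Timestamp: ts, Payload: payload,
		Sig: ed25519.Sign(priv, digest(seq, ts, payload))}
}

// Receiver remembers the highest sequence number it has accepted from a sender.
type Receiver struct {
	Pub        ed25519.PublicKey
	LastSeq    uint64
	MaxSkewSec int64 // how far the timestamp may be from the receiver's clock
}

// Accept verifies integrity and origin (the signature) first, then freshness
// (sequence number and timestamp). Sequence numbers start at 1.
func (r *Receiver) Accept(m SignedMessage, nowUnix int64) error {
	if !ed25519.Verify(r.Pub, digest(m.Seq, m.Timestamp, m.Payload), m.Sig) {
		return errors.New("signature check failed: message altered or not from the claimed sender")
	}
	if m.Seq <= r.LastSeq {
		return fmt.Errorf("replay: sequence %d already accepted (last %d)", m.Seq, r.LastSeq)
	}
	skew := nowUnix - m.Timestamp
	if skew > r.MaxSkewSec || skew < -r.MaxSkewSec {
		return fmt.Errorf("stale or future-dated message (%d s off)", skew)
	}
	r.LastSeq = m.Seq
	return nil
}

func main() {
	pub, priv := NewSender()
	r := &Receiver{Pub: pub, MaxSkewSec: 300}
	now := int64(1700000000) // fixed clock so the run is reproducible
	m := Sign(priv, 1, now, []byte("PAY 100.00 to ACME"))
	fmt.Println("first delivery:", r.Accept(m, now))
	fmt.Println("replayed copy: ", r.Accept(m, now))
	m2 := Sign(priv, 2, now, []byte("PAY 100.00 to ACME"))
	m2.Payload = []byte("PAY 900.00 to ACME") // attacker edits the amount in transit
	fmt.Println("tampered:      ", r.Accept(m2, now))
}
```

Note the order of the checks: the signature is verified before the sequence number is consulted, so an attacker cannot advance the receiver's counter with unsigned garbage, and a rejected message never updates LastSeq.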
Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) is a framework a trusted party uses to issue, maintain, and revoke public key certificates.

• Many applications need key distribution.
• In PKI, a Certification Authority (CA) validates keys by binding each one to an identity in a certificate that the CA signs.
• Distribution in PKI is done via a hierarchy of CAs.
Public Key Infrastructure (PKI)

• PKI (Public Key Infrastructure) uses asymmetric key pairs and combines software, encryption, and services to provide a means of protecting the security of business communication and transactions.

• PKCS (Public Key Cryptography Standards) was put in place by RSA to ensure uniform certificate management throughout the Internet.

• A certificate is a digital representation of information that identifies you as a relevant entity, vouched for by a trusted third party (TTP).

• A CA (Certification Authority) is an entity trusted by one or more users to manage certificates.

• An RA (Registration Authority) is used to take the burden off a CA by handling verification prior to certificates being issued. The RA acts as a proxy between the user and the CA: it receives the request, authenticates it, and forwards it to the CA.

• A CRL (Certificate Revocation List) is a list of certificates issued by a CA that are no longer valid. CRLs are distributed in two main ways:
  o Push model: the CA automatically sends the CRL out at regular intervals.
  o Pull model: the CRL is downloaded from the CA by those who want to verify a certificate. The end user is responsible for fetching it, so a relying party that skips the check keeps trusting a revoked certificate.
X.509 Certificates

An X.509 certificate contains:

• Version
• Serial number
• Signature algorithm identifier
• Unique name of certificate issuer
• Certificate's validity period
• Certificate holder's distinguished name
• Certificate holder's public key
• Digital signature of issuer
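The following added example (not part of the course, and not any vendor's PKI code) walks both sides of the CA and CRL material above using only the Go standard library: a self-signed root issues a leaf certificate carrying the X.509 fields just listed, publishes a CRL, and a relying party validates the chain, checks that the CRL is genuinely the CA's and still current, and then looks for the leaf's serial number on it. The CA name, hostname and validity periods are assumptions; a real relying party would fetch the CRL from the distribution point named in the certificate (the pull model) rather than receive it as a byte slice. ParseRevocationList and CheckSignatureFrom require Go 1.19 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKIDemo is the CA side: self-signed root, one issued leaf, latest CRL.
type PKIDemo struct {
	CA, Leaf *x509.Certificate
	CAKey    *ecdsa.PrivateKey
	CRLDER   []byte
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the parent's key and parses the DER back into a certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI self-signs a root, issues a leaf for an illustrative hostname, and publishes an empty CRL.
func BuildPKI() (*PKIDemo, error) {
	now := time.Now()
	caKey, leafKey := mustKey(), mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // parent == template: self-signed
	if err != nil {
		return nil, err
	}
	leaf, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "billing.example.internal"},
		DNSNames: []string{"billing.example.internal"}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	d := &PKIDemo{CA: ca, CAKey: caKey, Leaf: leaf}
	d.CRLDER, err = d.PublishCRL()
	return d, err
}

// PublishCRL signs a CRL listing the given certificates as revoked.
func (d *PKIDemo) PublishCRL(revoked ...*x509.Certificate) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(int64(len(revoked)) + 1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, d.CA, d.CAKey)
}

// Validate is the relying-party side: chain to the trusted root, then confirm the CRL is the
// CA's own and current, and that the leaf's serial is not listed on it.
func Validate(leaf, root *x509.Certificate, crlDER []byte, hostname string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname}); err != nil {
		return fmt.Errorf("chain validation: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("CRL not signed by the CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL expired at %v; refuse to rely on it", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %d is revoked", leaf.SerialNumber)
		}
	}
	return nil
}
```

Two points worth checking in an audit follow directly from the code: the relying party verifies the CRL's own signature before believing it (an unsigned or attacker-supplied list is worthless), and it refuses a CRL whose NextUpdate has passed rather than treating silence as "nothing revoked".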


Web-Based Communication Techniques
Peer-to-peer, IM, and Web

All of these communication technologies can be a definite improvement for corporate communications, but they also carry risks.

Peer-to-peer Computing

In peer-to-peer computing, no specific server is required to connect; the connection is made directly between two peers, which also means there is no central point at which the organization can filter or log the traffic. The risks involved are:

• Copyright issues
• Malware
• Data leakage
Social Networking Sites

Various security risks in using social networking sites:

• Information leakage
• Phishing
• Stalking
Cloud Computing

Cloud computing services are usually delivered on virtual machines. This enables the service provider to optimize the hardware resources by running multiple operating systems and applications on each server.

It offers advantages over in-house computing resources in terms of hardware acquisition; installation of software, power, and environmental controls; considerable expenditure; etc. However, it also comes with associated risks, which have to be considered.
Cloud Computing

The following are the popular models of cloud computing services:

Software as a Service (SaaS)
• Application software is delivered on the cloud.
• The service provider is responsible for the infrastructure, hosting, and management of the application.
• Users subscribe to the service on payment.
• Example: Salesforce.com

Platform as a Service (PaaS)
• The service provider is responsible for the server hardware and network.
• Users can concentrate on developing and implementing their application software.

Infrastructure as a Service (IaaS)
• This is the lowest level of cloud computing and envisages provision of pre-configured hardware and networking via a virtualized interface like a hypervisor.
• The operating system and applications are the responsibility of the subscriber.
Cloud Computing

• Cloud computing is the provision of internet-based, remote computing services.
• It makes use of virtual machines and can be outsourced to a third-party service provider.
• Three different models of cloud computing are:

Software as a Service (SaaS)
• The service provider offers the use of a specific application and database in its own environment.

Platform as a Service (PaaS)
• The service provider offers a platform, including server, operating system, and database, and is responsible for securing the platform.
• Clients do not get administrative access, but they can develop and run their applications on the platform.

Infrastructure as a Service (IaaS)
• A self-service model, where the user gets full remote access to, and responsibility for, managing, monitoring, and securing the computing resources.
• Users can migrate from a capex model (users invest in the resources) to an opex model (users pay for the services).
Virtualized Environments
Virtualized Systems

Virtualization provides an organization with a significant opportunity to increase efficiency and decrease the costs of its IT operations.

Virtualization
• Virtualization is a means by which a single hardware device or server can host multiple operating system environments, which in turn provide a platform for multiple applications. This facilitates an efficient use of hardware resources.
• A virtual machine or guest is a virtual instance of an operating system that operates in an environment provided by the host.
• Computer resources such as RAM, processor time, and storage are emulated through the host environment.
• Guest systems do not interact directly with these resources but through a layer called the hypervisor in the host environment.

Two methods to implement virtualization:

Bare metal or native virtualization
In this model, the hypervisor directly interacts with the hardware since there is no operating system between the hypervisor and the hardware.

Hosted virtualization
In this model, there is an operating system between the hypervisor and the hardware. However, the host operating system (which comes between the hypervisor and the hardware) can be a single point of failure, as the guests will not be able to operate if the host operating system fails.
Virtualization

• It affords a means of consolidating the workloads of several under-utilized servers into one or a few servers.
• It serves the need to run legacy applications, which, even though they do not require much computing resources, may not be compatible with newer systems.
• A legacy application can run on an older operating system version in a VM, while other VMs in the same host environment support other/later operating systems.
• Virtual machines provide secure and isolated sandboxes on which untrusted applications can be tested or executed. This assures fault and error containment.
• Virtual machines can be used to run multiple operating systems simultaneously (on the same hardware platform).
Virtualization Risks

Apart from the risks for conventional resources, virtualization attracts other risks.

Misconfiguration of the host
• Misconfiguration of the host occurs when any vulnerability or flaw in the host extends to the guest virtual machines that it supports.

Rootkits
• Rootkits may install themselves as hypervisors below the guest operating systems.
• They may escape anti-virus detection, since they operate below the operating system.

Guest operating system access
• In hosted virtualization implementations, guest tools enable guest operating systems to access resources of another guest or of the host operating system.
• This feature could be exploited for an attack.
Virtualization Controls

• Securing the configuration of the hypervisor
• Patching the hypervisor
• Implementing mechanisms to monitor the integrity of hypervisor files and detect change
• Disabling hypervisor services such as file-sharing between the guest operating system and the host operating system
Types of Virtual Systems

• Virtual machine
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
• Cloud
Virtual Machines

A. Virtualization
• It enables a single hardware device, like a server, to support multiple operating systems, each of which can, in turn, support a different application.
• By enabling multiple operating systems to function from a single server, virtualization enhances server optimization.

B. Virtual Machine (VM)
• It is an operating system that is implemented in a virtual environment.
• It is also referred to as a guest, operating in the environment of the host.

C. Hypervisor
• To implement a virtual environment, a hypervisor is installed on top of the hardware.
• It provides a layer of abstraction between the host environment and the guest operating systems.
• The host environment emulates computer resources (like memory, processor, storage, etc.) to each VM.
• The hypervisor interacts with the underlying hardware to create multiple instances of virtual machines, each of which can support an operating system and application.
Types of Virtualization

Virtual machines can be implemented in two ways:

Bare-metal (native) virtualization
• There is no operating system between the hypervisor and the hardware, hence the name.
• The hypervisor is the first thing to be installed on the server since it is the operating system.
• The hypervisor communicates directly with the hardware.
• Hardware support may be limited, as it has limited device drivers.
• Examples: VMware ESX, Microsoft Hyper-V.

Hosted virtualization
• A host operating system is first installed on the server, and the hypervisor is installed on top of the operating system.
• Guest virtual machines run on top of the hypervisor.
• The hypervisor provides better hardware support and compatibility since it invokes the drivers of the host operating system.
• The operating system of the host can become a single point of failure. If it fails, all VMs above it also fail.
Components of Virtual Systems

Hypervisor
The hypervisor mechanism is the process that provides the virtual servers with access to resources.

Virtual storage
The virtual servers are hosted on one or more actual/physical servers. The hard drive space and RAM of those physical servers are partitioned for the various virtual servers' usage.
Voice Communications Security

The increasing complexity and convergence of voice and data communications introduces additional risks that must be taken into account by the IS auditor.

Voice-over IP

IP telephony (Internet telephony) is the technology that makes it possible to have a voice conversation over the Internet. Protocols used to carry the signal over the IP network are referred to as VoIP.

• VoIP is a technology where voice traffic is carried on top of existing data infrastructure.
• In VoIP, sounds are digitized into IP packets and transferred through the network layer before being decoded back into the original voice.
• VoIP has reduced long-distance call costs in a number of organizations.
Voice-over IP

VoIP advantages over traditional telephony
• VoIP innovation progresses at market rates rather than at the rates of the International Telecommunication Union (ITU)
• Lower costs per call, or even free calls, for long-distance calls
• Lower infrastructure costs

Risks of VoIP
• Need to protect two assets: the data and the voice
• Inherent poor security
• The current Internet architecture does not provide the same physical wire security as the phone lines

Controls for securing VoIP are security mechanisms such as those deployed in data networks (e.g., firewalls, encryption of signalling and media) to emulate the security level currently enjoyed by PSTN network users.
Private Branch Exchange (PBX)

A PBX is a sophisticated computer-based phone system that dates from the early 1920s. Originally analog, it is now digital. Its principal purpose was to save the cost of providing each person with an outside line. Attributes include:

• Multiple telephone lines within the PBX
• Switching calls
• Non-blocking configuration that allows simultaneous calls
• Digital phones for both voice and data
• Operator console or switchboard
Private Branch Exchange (PBX)

The issues in Private Branch Exchange are as follows:

1 Theft of Service

2 Denial of Service

3 Information Disclosure
Mobile, Wireless, and Internet of Things (IoT) Devices
Mobile, Wireless, and IoT devices

Portable and wireless devices present a new threat to an organization's information assets and must be properly controlled.

Internet of Things (IoT) devices are nonstandard computing devices that connect wirelessly to a network and have the ability to transmit data.

Controls and Risks Associated with the Use of Mobile and Wireless Devices

• Device theft
• Information compromise
• Malware
Laptop Security

The risks involved in laptop security are:

• It is difficult to implement logical and physical security in a mobile environment

Laptop security controls:

• Engraving the serial number and company name
• Cable locks, monitor detectors
• Regular backup of sensitive data
• Encryption of data (full-disk encryption, so that a stolen device yields no readable data)
• Allocating passwords to individual files
• Theft response procedures
Bring Your Own Device

Perform the following to reduce the threat to the organization:

1 Limit access

2 Minimum requirements

3 Sheep dip (an isolated machine on which personal devices and removable media are scanned for malware before they are allowed onto the network)
Risks Associated with IoT Devices

• Business risk
• Operational risk
• Technical risk
Part B: Security Event Management

The following topics are covered in Part B:


• Security awareness training and programs

• Information system attack methods and techniques

• Security testing tools and techniques

• Security monitoring tools and techniques

• Incident response management

• Evidence collection and forensics


Security Awareness Training and Programs
Security Awareness Program

Security depends on the participation of all members of an organization. Therefore, ensuring that the entire staff is aware of security issues is important. This is something that should be checked in an IS audit.

Awareness and Education

Security awareness and education: training and regular updates
• Written policies and procedures and updates
• Non-disclosure statements signed by employees
• Newsletters, web pages, videos, and other media
• Visible enforcement of security rules
• Simulated security incidents and simulated drills
• Rewards for reporting suspicious events
• Periodic audits

Monitoring and compliance
• Control includes an element of monitoring
• Usually relates to regulatory/legal compliance
• Incident handling and response
Security Awareness

• Login banner
• Email/Intranet
• Lunch and Learn
Information System Attack Methods and Techniques
Fraud

Fraud is a significant threat to any organization. There are always new scams being used by criminals. IS audits should review the IS controls regarding fraud.

Email Fraud

1. Gain control of an upper-level executive's email account.
2. Use that to con a lower-level employee into sending wire transfers or authorizing payments.
3. The FBI estimates that losses to businesses as a result of this fraud were more than $1.2 billion worldwide.

Remediation:

• Multiparty approval process
• Be suspicious of email/phone requests
• Require a purchase order number to send money to vendors
Email Fraud

The pattern of the scam:

1. Send a fake email from a person who can authorize payment
2. Encourage rapid processing (an emergency situation)
3. Make sure the real authorizing authority is unavailable
4. Send the money to an account in this country
Attack Methods

Various attacks pose different issues for remediation.

Malware
• Virus/Worm
• Trojan horse
• Logic bomb
• Spyware

Malware

Virus
• This is malware that requires a host to be able to deliver its payload.
• A virus infects a file by inserting or attaching itself to the file.
• There are various kinds of viruses.

Worm
• A worm is a self-contained program that can reproduce without a host program.

Trojan
• A Trojan is malware that disguises itself as legitimate software but has hidden malicious functionality.
• It can install backdoors and key loggers and implement rootkits.

Logic bomb
• A logic bomb is malware that is triggered when a certain condition occurs, such as a particular date or time.
• It can be used to install malware, change system settings, log keystrokes, etc.

Spyware
• This is malware that covertly collects sensitive information about victims, such as their browsing habits.

Adware
• It generates advertisements based on the user's browsing habits.
• It is not malicious in nature but has implications relating to privacy and security.
General Attacks

• Denial of service
• Wireless attacks
• Data theft

Web Attacks

• SQL injection
• Website defacement
• Cross-site scripting

Web Attacks

SQL injection
• In this attack, an SQL (Structured Query Language) query is 'injected' into data input fields.
• If the system executes the SQL query, it can lead to sensitive data being revealed, modified, or deleted.
• The standard control is to pass user input only as bound parameters of a prepared statement, never by concatenating it into the query text.

Buffer overflow
• A buffer is an allocated segment of memory.
• A buffer overflow occurs when more data is written to a buffer than it can hold, causing some of it to be written to adjacent memory.
• The overflow data written to adjacent memory may contain executable code of a malicious nature.
Security Testing Tools and Techniques
Security Testing

Tools are available to assess the effectiveness of network infrastructure security.

These tools permit identification of real-time risks to an information processing environment, so that corrective actions can be taken to mitigate these risks.

Security Testing Techniques

• Vulnerability scanners
• Patch management
• Automated pen test
Pen Testing

• Benefits
• Dangers
• Advice
Pen Testing Phases

The phases are Planning, Discovery / Reconnaissance, Attack, and Reporting.

Planning
• Seek management approval
• Sign NDA
• Define scope of work
• Agree on deliverables
• Agree on rules of engagement
• Agree on timelines/deadlines
• Identify milestones

Discovery / Reconnaissance
• Internet footprinting
• OS detection
• Network mapping
• WHOIS lookups
• Domain name searches
• Social engineering
• Dumpster diving

Attack
• Injection attacks
• OS exploits
• Network exploits
• Privilege escalation
• Internet service exploits

Reporting
• Provides a report to management with summary and detailed findings
• Identifies risks of vulnerabilities and their impact on the business
• Gives recommendations and solutions
Security Monitoring Tools and Techniques
Prevention and Detection

The ability to detect a security breach is critical for IS. Therefore, detection tools and techniques are an important part of any IS audit.

Virus Detection Tools and Control Techniques

• Malware
• Intrusion detection
• Logs
• Events review
• Traffic
• Performance behavior

Value and Risk Drivers
Value and Risk Drivers
File Change Detection and IDS

The three elements of file change detection are:

• File hash: a cryptographic digest of each protected file is recorded in a baseline and recomputed on every check; any difference means the file changed, regardless of what its timestamp says
• IDS: the intrusion detection system receives the change alerts alongside network and host events
• Tripwire: the best-known host-based file integrity checker, which keeps a signed baseline database so that an attacker who changes a file cannot quietly update the baseline to match
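An added example, not taken from the course or from Tripwire, of the hash-baseline technique behind file change detection. It also serves the earlier virtualization control "monitor the integrity of hypervisor files": Demo builds a constructed, throw-away directory tree standing in for a hypervisor host's protected files, records a SHA-256 baseline, simulates an intruder editing a config file, dropping a loader and deleting a file, and reports the three kinds of change. The file names and contents are invented for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline walks dir and records the SHA-256 of every regular file, keyed by
// its slash-separated path relative to dir. (ReadFile is fine for config-sized
// files; stream with io.Copy if the tree holds large binaries.)
func Baseline(dir string) (map[string]string, error) {
	sums := map[string]string{}
	err := filepath.WalkDir(dir, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		rel, _ := filepath.Rel(dir, p) // p always lies under dir here
		sums[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return sums, err
}

// Report lists what changed between a stored baseline and a fresh scan.
type Report struct {
	Added, Removed, Modified []string
}

// Compare diffs the two hash maps; the hashes, not timestamps, decide.
func Compare(base, cur map[string]string) Report {
	var r Report
	for p, h := range cur {
		switch old, ok := base[p]; {
		case !ok:
			r.Added = append(r.Added, p)
		case old != h:
			r.Modified = append(r.Modified, p)
		}
	}
	for p := range base {
		if _, ok := cur[p]; !ok {
			r.Removed = append(r.Removed, p)
		}
	}
	sort.Strings(r.Added)
	sort.Strings(r.Removed)
	sort.Strings(r.Modified)
	return r
}

// Demo creates a constructed, throw-away tree standing in for a hypervisor
// host's protected files, baselines it, then simulates an intruder editing a
// config, dropping a loader and deleting a file before the next scan.
func Demo() (Report, error) {
	dir, err := os.MkdirTemp("", "fim-demo")
	if err != nil {
		return Report{}, err
	}
	defer os.RemoveAll(dir)
	write := func(name, body string) error {
		p := filepath.Join(dir, name)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		return os.WriteFile(p, []byte(body), 0o644)
	}
	for n, b := range map[string]string{
		"etc/vmware/config":   "vmx.allowNested = FALSE\n",
		"etc/ssh/sshd_config": "PermitRootLogin no\n",
		"bin/hostd":           "\x7fELF placeholder\n",
	} {
		if err := write(n, b); err != nil {
			return Report{}, err
		}
	}
	base, err := Baseline(dir)
	if err != nil {
		return Report{}, err
	}
	if err := write("etc/ssh/sshd_config", "PermitRootLogin yes\n"); err != nil { // edited
		return Report{}, err
	}
	if err := write("bin/.loader", "#!/bin/sh\n"); err != nil { // dropped
		return Report{}, err
	}
	if err := os.Remove(filepath.Join(dir, "etc/vmware/config")); err != nil { // deleted
		return Report{}, err
	}
	cur, err := Baseline(dir)
	if err != nil {
		return Report{}, err
	}
	return Compare(base, cur), nil
}
```

The weak point of any such tool is the baseline itself: if it lives unsigned on the monitored host, an intruder with root edits the file and the baseline together. Store it off-host or sign it, as Tripwire does, and remember that a rootkit sitting below the operating system can lie to the file reads, which is why hypervisor files are better checked from outside the guest or from a measured-boot record.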
Log Review

Various logs to be reviewed are as follows:

• Server log
• Firewall log
• Router log
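The following is an added example (not from the course) of what reviewing a firewall log mechanically looks like: parse each line into fields, count denied connection attempts per source, and flag any source whose denies spread across many distinct destination ports, the signature of a port scan. The log line layout and every address in SampleLog are constructed for the example; real devices use their own formats, so the regular expression is the part to adapt. Lines the parser does not understand are returned separately rather than dropped silently, which is the check a reviewer most often forgets.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
)

// Entry is one parsed firewall event. The line layout below is constructed
// for this example; real vendors differ, so the regexp is the part to adapt.
type Entry struct {
	Time, Device, Action, Proto, Src, Dst string
	SrcPort, DstPort                      int
}

var lineRe = regexp.MustCompile(
	`^(\S+) (\S+) (ALLOW|DENY) (TCP|UDP) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$`)

// Parse returns false for lines that do not match, so a reviewer can see what
// the parser is silently missing instead of assuming the log is complete.
func Parse(line string) (Entry, bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return Entry{}, false
	}
	sp, _ := strconv.Atoi(m[6])
	dp, _ := strconv.Atoi(m[8])
	return Entry{Time: m[1], Device: m[2], Action: m[3], Proto: m[4],
		Src: m[5], SrcPort: sp, Dst: m[7], DstPort: dp}, true
}

// Alert is one finding from the review.
type Alert struct {
	Src    string
	Denies int // denied connection attempts from Src
	Ports  int // distinct destination ports those attempts touched
}

// Review flags sources whose denied attempts spread across at least
// scanThreshold distinct destination ports (a port-scan signature) and returns
// the lines it could not parse.
func Review(lines []string, scanThreshold int) (alerts []Alert, unparsed []string) {
	ports := map[string]map[int]bool{}
	denies := map[string]int{}
	for _, l := range lines {
		e, ok := Parse(l)
		if !ok {
			unparsed = append(unparsed, l)
			continue
		}
		if e.Action != "DENY" {
			continue
		}
		denies[e.Src]++
		if ports[e.Src] == nil {
			ports[e.Src] = map[int]bool{}
		}
		ports[e.Src][e.DstPort] = true
	}
	for src, ps := range ports {
		if len(ps) >= scanThreshold {
			alerts = append(alerts, Alert{Src: src, Denies: denies[src], Ports: len(ps)})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src < alerts[j].Src })
	return alerts, unparsed
}

// SampleLog is constructed, not captured from a real device.
var SampleLog = []string{
	"2024-03-02T10:15:01Z fw01 DENY TCP 203.0.113.7:51522 -> 10.0.0.5:21",
	"2024-03-02T10:15:01Z fw01 DENY TCP 203.0.113.7:51523 -> 10.0.0.5:22",
	"2024-03-02T10:15:02Z fw01 DENY TCP 203.0.113.7:51524 -> 10.0.0.5:23",
	"2024-03-02T10:15:02Z fw01 DENY TCP 203.0.113.7:51525 -> 10.0.0.5:25",
	"2024-03-02T10:15:03Z fw01 DENY TCP 203.0.113.7:51526 -> 10.0.0.5:443",
	"2024-03-02T10:15:03Z fw01 DENY TCP 203.0.113.7:51527 -> 10.0.0.5:3389",
	"2024-03-02T10:16:10Z fw01 DENY TCP 198.51.100.9:40001 -> 10.0.0.5:3389",
	"2024-03-02T10:16:11Z fw01 DENY TCP 198.51.100.9:40002 -> 10.0.0.5:3389",
	"2024-03-02T10:17:00Z fw01 ALLOW TCP 10.0.2.15:52000 -> 10.0.0.5:443",
	"2024-03-02T10:17:05Z fw01 %ASA-6-302013: Built outbound TCP connection", // unfamiliar format
}

func main() {
	alerts, unparsed := Review(SampleLog, 5)
	for _, a := range alerts {
		fmt.Printf("possible port scan from %s: %d denies across %d ports\n", a.Src, a.Denies, a.Ports)
	}
	fmt.Printf("%d line(s) not parsed\n", len(unparsed))
}
```

On the sample, 203.0.113.7 is reported (six denies across six ports) while 198.51.100.9, which only retried the same port twice, is not; the one unfamiliar line is surfaced so the reviewer knows the parser, not the firewall, is the gap.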
Incident Response Management

Incident response management enables organizations to detect incidents promptly and respond appropriately. This allows them to mitigate the damage and reduce the delays and costs that come with disruptions.

An automated IDS is placed to detect and notify potential incidents in real time.

The IS auditor should validate the incident response plan and ensure that the CSIRT is capable of handling and preventing security incidents.

Incident Response Management Phases

1. Planning and preparation
2. Detection
3. Initiation
4. Recording
5. Evaluation
6. Containment
7. Eradication
8. Escalation
9. Response
10. Recovery
11. Closure
12. Reporting
13. Post-incident review
14. Lessons learned
Evidence Collection and Forensics
Forensics

Incident response can lead to at least a basic forensic examination. It is also the case that the first responders to computer crimes are often IT personnel. For this reason, forensic procedures are important to IS and to IS audits.

Forensics Process

1. Preparation
2. Collection
3. Analysis
4. Reporting

Evidence Preservation Techniques

• Audit documentation
• Investigation
• Continuous audit

Evidence Preservation Techniques

The general guidelines in evidence preservation techniques are as follows:

• Make few changes: work from a verified copy (image) of the evidence, never the original
• Document: record every action taken, by whom and when, to maintain the chain of custody
• Established techniques: use accepted, repeatable tools and procedures

Knowledge Check
QUIZ
Accountability for the maintenance of appropriate security measures over information assets
1 resides with the _____.

a. Security administrator

b. Systems operations group

c. Management

d. Data and systems owners

The correct answer is d


Explanation: Management should ensure that all information assets (data and systems) have an appointed owner
who makes decisions about classification and access rights. System owners typically delegate day-to-day
custodianship to the systems delivery/operations group and security responsibilities to a security administrator.
Owners, however, remain accountable for the maintenance of appropriate security.
QUIZ
Which of the following best provides access control to payroll data being processed on a
2 local server?

a. Logging access to personal information

b. Using separate passwords for sensitive transactions

c. Using software that restricts access rules to authorized staff

d. Restricting system access to business hours

The correct answer is c

Explanation: The server and system security should be defined to allow only authorized staff members
access to information about the staff whose records they handle on a day-to-day basis.
QUIZ
An organization is proposing the installation of a single sign-on facility, giving access to all
3 systems. The organization should be aware that _____.

a. Maximum unauthorized access would be possible if a password is disclosed

b. User access rights would be restricted by the additional security parameters

c. The security administrator’s workload would increase

d. User access rights would be increased

The correct answer is a

Explanation: If a password is disclosed when single sign-on is enabled, there is a risk that unauthorized access to all systems will be possible. User access rights should remain unchanged by single sign-on, since it does not necessarily implement additional security parameters.
QUIZ
When installing an intrusion detection system (IDS), which of the following is MOST
4 important?

a. Identifying messages that need to be quarantined

b. Properly locating the IDS in the network architecture

c. Minimizing the rejection errors

d. Preventing denial-of-service (DoS) attacks

The correct answer is b

Explanation: Proper location of an IDS in the network is the most important decision during installation. A
poorly located IDS could leave key areas of the network unprotected.
Protection of Information Assets
Case Study

An IS auditor is auditing a medical billing company. The company services over 100 clinics consisting of over 1200 doctors
and 100,000 patients. The company stores medical billing data in a server cluster. That cluster is located in a secure
building that includes physical security measures such as camera surveillance, biometric entry to the building and the
server room, and round-the-clock security guards. The databases are patched and updated regularly. The network access
to the data servers is protected by a firewall/DMZ combination and an IDS is run. Users who access the databases need a
password and digital signature.
QUIZ
The auditor wants to confirm the security of the cryptography used with the
1 digital signatures. Which of the following is the most important to check?

a. Key length used

b. Password policies are in place

c. Key storage policies and procedures

d. Details of the cryptography algorithms used

The correct answer is c

Explanation: Most auditors are not cryptographers and cannot evaluate the details of an algorithm. Passwords are important, but a separate issue from the cryptography. Key length is important, but all vendors of digital certificates enforce minimum key lengths that should be adequate. The security concern is the storage of keys.
QUIZ
When considering the data on servers, which law or regulation would be the
2 most important to review?

a. PCI

b. Sarbanes-Oxley

c. FISMA

d. HIPAA

The correct answer is d

Explanation: HIPAA specifically addresses the privacy and security of health care records. PCI DSS applies to payment card data, Sarbanes-Oxley to the financial reporting records of publicly traded companies, and FISMA to security standards for US federal agencies.
Key Takeaways

You are now able to:

• Conduct audits in accordance with IS audit standards and a risk-based IS audit strategy
• Evaluate problem and incident management policies and practices
• Evaluate the organization's information security and privacy policies and practices
• Evaluate physical and environmental controls to determine whether information assets are adequately safeguarded
• Evaluate logical security controls to verify the confidentiality, integrity, and availability of information
• Evaluate data classification practices for alignment with the organization's policies and applicable external requirements
• Evaluate policies and practices related to asset lifecycle management
• Evaluate the information security program to determine its effectiveness and alignment with the organization's strategies and objectives
• Perform technical security testing to identify potential threats and vulnerabilities
• Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices
THANK YOU
