Introduction.
Self-Assessment.
1. The Information Systems (IS) Audit Process.
Conducting IS Audits in Accordance with Generally Accepted IS Audit Standards and Guidelines.
ISACA IS Auditing Standards and Guidelines and Code of Professional Ethics.
Auditing Standards Explained.
The ISACA Code of Professional Ethics.
Ensuring That the Organization's Information Technology and Business Systems are Adequately Controlled, Monitored, and Assessed.
ISACA's CobiT Framework.
Control Self-Assessment.
Risk-Based IS Audit Strategy and Objectives.
Aligning Controls with the Organization's Business Objectives.
Steering Committee.
Strategic Planning.
Organizational Structure.
IT Department Head.
Security Department.
Quality Assurance.
Applications.
Data Management.
Technical Support.
Operations.
Segregation of Duties.
IS Auditing Practices and Techniques.
Audit Planning and Management Techniques.
Information Systems Audits.
Attestation.
Findings and Recommendations.
SAS 70.
SAS 94.
Attribute Sampling.
Variable Sampling.
Substantive Tests.
Compliance Tests.
Audit Conclusions.
Obtaining Evidence.
Organization's Use of System Platforms, IT Infrastructure, and Applications.
Techniques to Gather Information and Preserve Evidence.
Control Objectives and Controls Related to IS (Such as Preventative and Detective).
Reviewing the Audit.
Communicating Audit Results.
Facilitating Risk Management and Control Practices.
IS, Business, and Audit Risk (Such as Threats and Impacts).
Risk-Analysis Methods, Principles, and Criteria.
Communication Techniques.
Personnel-Management Techniques.
Practice Questions.
2. Management, Planning, and Organization of IS.
Strategy, Policies, Standards, and Procedures.
Strategic Planning.
IS Steering Committee.
The Components of IS Strategies, Policies, Standards, and Procedures.
Policy Development.
IT Policy.
Procedures.
Evaluating IS Management Practices to Ensure Compliance with IS Policies, Standards, and Procedures.
Evaluating the Process for Strategy Development, Deployment, and Maintenance.
Principles of IS Organizational Structure and Design.
Evaluating IS Organization and Structure.
Evaluating Use of Third-Party Services.
Examining IS Management and Practices.
IS Project-Management Strategies and Policies.
IT Governance, Risk Management, and Control Frameworks.
IS Problem- and Change-Management Strategies and Policies.
IS Quality-Management Strategies and Policies.
IS Information Security Management Strategies and Policies.
IS Business Continuity Management Strategies and Policies.
Contracting Strategies, Processes, and Contract-Management Practices.
Employee Contracts.
Confidentiality Agreement.
Trade Secret Agreements.
Discovery Agreements.
Noncompete Agreements.
Roles and Responsibilities of IS Functions (Including Segregation of Duties).
Practices Related to the Management of Technical and Operational Infrastructure.
Problem Management/Resource Management Procedures.
Help Desk.
Scheduling.
Service-Level Agreements.
Key Performance Indicators and Performance-Measurement Techniques.
Exam Prep Questions.
3. Technical Infrastructure and Operational Practices and Infrastructure.
IT Organizational Structure.
Evaluating Hardware Acquisition, Installation, and Maintenance.
Risks and Controls Relating to Hardware Platforms.
Change Control and Configuration Management Principles for Hardware.
Evaluating Systems Software Development, Acquisition, Implementation, and Maintenance.
Understanding Systems Software and Utilities Functionality.
Risks and Controls Related to System Software and Utilities.
Change Control and Configuration Management Principles for System Software.
Evaluating Network Infrastructure Acquisition, Installation, and Maintenance.
Understanding Network Components Functionality.
Networking Concepts and Devices.
The TCP/IP Protocol Suite.
Firewalls.
Packet-Filtering Firewalls.
Stateful Packet-Inspection Firewalls.
Proxy Firewalls.
Routers.
Modems.
Internet, Intranet, and Extranet.
Risks and Controls Related to Network Infrastructure.
Evaluating IS Operational Practices.
Risks and Controls Related to IS Operational Practices.
Evaluating the Use of System Performance and Monitoring Processes, Tools, and Techniques.
Exam Prep Questions.
4. Protection of Information Assets.
Understanding and Evaluating Controls Design, Implementation, and Monitoring.
Logical Access Controls.
Techniques for Identification and Authentication.
Network Infrastructure Security.
Encryption Techniques.
Digital Signature Techniques.
Network and Internet Security.
Security Software.
Voice Communications Security.
Environmental Protection Practices and Devices.
Physical Access.
Physical Security Practices.
Intrusion Methods and Techniques.
Passive and Active Attacks.
Viruses.
Security Testing and Assessment Tools.
Sources of Information on Information Security.
Security Monitoring, Detection, and Escalation Processes and Techniques.
The Processes of Design, Implementation, and Monitoring of Security.
Review Written Policies, Procedures, and Standards.
Logical Access Security Policy.
Formal Security Awareness and Training.
Data Ownership.
Security Administrators.
Access Standards.
Auditing Logical Access.
Exam Prep Questions.
5. Disaster Recovery and Business Continuity.
Understanding and Evaluating Process Development.
Crisis Management and Business Impact Analysis Techniques.
Disaster Recovery and Business Continuity Planning and Processes.
Hot Sites.
Warm Sites.
Cold Site.
Duplicate Processing Facilities.
Reciprocal Agreements.
Backup and Storage Methods and Practices.
Backup Definitions.
Tape Storage.
Storage Area Networks and Electronic Vaulting.
Disaster Recovery and Business Continuity Testing Approaches and Methods.
Paper Test.
Walk-Through Testing.
Preparedness Test (Full Test).
Full Operational Test.
Understanding and Evaluating Business Continuity Planning, Documentation, Processes, and Maintenance
Evaluating the Organization's Capability to Ensure Business Continuity in the Event of a Business Disruption.
Evaluating Backup and Recovery Provisions in the Event of a Short-Term Disruption.
Evaluating the Capability to Continue Information System Processing in the Event That the Primary Information-Processing Facilities Are Not Available.
Insurance in Relation to Business Continuity and Disaster Recovery.
Property Insurance.
Liability Insurance.
Human Resource Issues (Evacuation Planning, Response Teams).
Exam Prep Questions
6. Business Application System Development, Acquisition, Implementation, and Maintenance.
Evaluating Application Systems Development and Implementation.
System-Development Methodologies and Tools.
Prototyping.
RAD.
The Phases of the SDLC.
Project-Management Principles, Methods, and Practices.
Application-Maintenance Principles.
Post-Implementation Review Techniques.
Evaluating Application Systems Acquisition and Implementation.
Application-Implementation Practices.
Application System-Acquisition Processes.
Application Change Control and Emergency Change-Management Procedures.
Evaluating Application Systems.
Application Architecture.
Software Quality-Assurance Methods.
Testing Principles, Methods, and Practices.
Exam Prep Questions.
7. Business Process Evaluation and Risk Management.
Evaluating IS Efficiency and Effectiveness of Information Systems in Supporting Business Processes.
Methods and Approaches for Designing and Improving Business Procedures.
Business Performance Indicators.
Evaluating the Design and Implementation of Programmed and Manual Controls.
Business Process Controls.
Evaluating Business Process Change Projects.
Evaluating the Implementation of Risk Management and Governance.
Exam Prep Questions.
8. Practice Exam 1.
9. Answer Key 1.
10. Practice Exam 2.
11. Answer Key 2.
Appendix A: CD Contents and Installation Instructions.
Multiple Test Modes.
Wrong Answer Feedback.
Retake a Previous Exam from Your Exam History.
Configure Your Own Custom Exam.
Start Your Exam from a Predefined Set of Questions.
Custom Exam Mode.
Question Types.
Random Questions and Order of Answers.
Detailed Explanations of Correct and Incorrect Answers.
Attention to Exam Objectives.
Installing the CD.
Technical Support.
CISA Glossary.
Index
