
Exam Cram 2 ISACA CISA PDF

590 Pages·3.076 MB·English

Preview Exam Cram 2 ISACA CISA

CISA Exam Prep Objective Matrix

CISA Job Practice Area 1: IS Audit Process (Approximately 10% of Exam)

Tasks (page):
- Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices. (32)
- Plan specific audits to ensure that IT and business systems are protected and controlled. (24)
- Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives. (27)
- Communicate emerging issues, potential risks, and audit results to key stakeholders. (50)
- Advise on the implementation of risk management and control practices within the organization, while maintaining independence. (39)

Knowledge Statements (page):
- Knowledge of ISACA IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics (27)
- Knowledge of IS auditing practices and techniques (27)
- Knowledge of techniques to gather information and preserve evidence (e.g., observation, inquiry, interview, CAATs, electronic media) (39)
- Knowledge of the evidence life cycle (e.g., the collection, protection, chain of custody) (39)
- Knowledge of control objectives and controls related to IS (e.g., CobiT) (36)
- Knowledge of risk assessment in an audit context (35)
- Knowledge of audit planning and management techniques (24)
- Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution) (39)
- Knowledge of control self-assessment (CSA) (50)
- Knowledge of continuous audit techniques (50)

CISA Job Practice Area 2: IT Governance (Approximately 15% of Exam)

Tasks (page):
- Evaluate the effectiveness of IT governance structure to ensure adequate board control over the decisions, directions, and performance of IT so that it supports the organization's strategies and objectives. (67)
- Evaluate IT organizational structure and human resources (personnel) management to ensure that they support the organization's strategies and objectives. (88)
- Evaluate the IT strategy and the process for its development, approval, implementation, and maintenance to ensure that it supports the organization's strategies and objectives. (67)
- Evaluate the organization's IT policies, standards, and procedures; and the processes for their development, approval, implementation, and maintenance to ensure that they support the IT strategy and comply with regulatory and legal requirements. (74)
- Evaluate management practices to ensure compliance with the organization's IT strategy, policies, standards, and procedures. (74)
- Evaluate IT resource investment, use, and allocation practices to ensure alignment with the organization's strategies and objectives. (72)
- Evaluate IT contracting strategies and policies, and contract management practices to ensure that they support the organization's strategies and objectives. (93)
- Evaluate risk management practices to ensure that the organization's IT related risks are properly managed. (79)
- Evaluate monitoring and assurance practices to ensure that the board and executive management receive sufficient and timely information about IT performance. (67)

Knowledge Statements (page):
- Knowledge of the purpose of IT strategies, policies, standards and procedures for an organization and the essential elements of each (74)
- Knowledge of IT governance frameworks (67)
- Knowledge of the processes for the development, implementation and maintenance of IT strategies, policies, standards and procedures (for example, protection of information assets, business continuity and disaster recovery, systems and infrastructure lifecycle management, IT service delivery and support) (74)
- Knowledge of quality management strategies and policies (95)
- Knowledge of organizational structure, roles and responsibilities related to the use and management of IT (99)
- Knowledge of generally accepted international IT standards and guidelines (74)
- Knowledge of enterprise IT architecture and its implications for setting long-term strategic directions (72)
- Knowledge of risk management methodologies and tools (79)
- Knowledge of the use of control frameworks (e.g., CobiT, COSO, ISO 17799) (95)
- Knowledge of the use of maturity and process improvement models (e.g., CMM, CobiT) (95)
- Knowledge of contracting strategies, processes and contract management practices (93)
- Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards, key performance indicators [KPI]) (71)
- Knowledge of relevant legislative and regulatory issues (e.g., privacy, intellectual property, corporate governance requirements) (67)
- Knowledge of IT human resources (personnel) management (88)
- Knowledge of IT resource investment and allocation practices (e.g., portfolio management, return on investment (ROI)) (71)

CISA Job Practice Area 3: Systems and Infrastructure Lifecycle Management (Approximately 16% of Exam)

Tasks (page):
- Evaluate the business case for the proposed system development/acquisition to ensure that it meets the organization's business goals. (130)
- Evaluate the project management framework and project governance practices to ensure that business objectives are achieved in a cost-effective manner while managing risks to the organization. (120)
- Perform reviews to ensure that a project is progressing in accordance with project plans, is adequately supported by documentation and status reporting is accurate. (120)
- Evaluate proposed control mechanisms for systems and/or infrastructure during specification, development/acquisition, and testing to ensure that they will provide safeguards and comply with the organization's policies and other requirements. (130)
- Evaluate the processes by which systems and/or infrastructure are developed/acquired and tested to ensure that the deliverables meet the organization's objectives. (168)
- Evaluate the readiness of the system and/or infrastructure for implementation and migration into production. (130)
- Perform post-implementation review of systems and/or infrastructure to ensure that they meet the organization's objectives and are subject to effective internal control. (176)
- Perform periodic reviews of systems and/or infrastructure to ensure that they continue to meet the organization's objectives and are subject to effective internal control. (168)
- Evaluate the process by which systems and/or infrastructure are maintained to ensure the continued support of the organization's objectives and are subject to effective internal control. (146)
- Evaluate the process by which systems and/or infrastructure are disposed of to ensure that they comply with the organization's policies and procedures. (130)

Knowledge Statements (page):
- Knowledge of benefits management practices (e.g., feasibility studies, business cases) (130)
- Knowledge of project governance mechanisms (e.g., steering committee, project oversight board) (117)
- Knowledge of project management practices, tools, and control frameworks (117)
- Knowledge of risk management practices applied to projects (176)
- Knowledge of project success criteria and risks (121)
- Knowledge of configuration, change and release management in relation to development and maintenance of systems and/or infrastructure (146)
- Knowledge of control objectives and techniques that ensure the completeness, accuracy, validity, and authorization of transactions and data within IT systems applications (158)
- Knowledge of enterprise architecture related to data, applications, and technology (e.g., distributed applications, web-based applications, web services, n-tier applications) (178)
- Knowledge of requirements analysis and management practices (e.g., requirements verification, traceability, gap analysis) (130)
- Knowledge of acquisition and contract management processes (e.g., evaluation of vendors, preparation of contracts, vendor management, escrow) (130)
- Knowledge of system development methodologies and tools and an understanding of their strengths and weaknesses (e.g., agile development practices, prototyping, rapid application development [RAD], object-oriented design techniques) (142)
- Knowledge of quality assurance methods (130)
- Knowledge of the management of testing processes (e.g., test strategies, test plans, test environments, entry and exit criteria) (130)
- Knowledge of data conversion tools, techniques, and procedures (130)
- Knowledge of system and/or infrastructure disposal procedures (130)
- Knowledge of software and hardware certification and accreditation practices (130)
- Knowledge of post-implementation review objectives and methods (e.g., project closure, benefits realization, performance measurement) (130)
- Knowledge of system migration and infrastructure deployment practices (130)

CISA Job Practice Area 4: IT Service Delivery and Support (Approximately 14% of Exam)

Tasks (page):
- Evaluate service level management practices to ensure that the level of service from internal and external service providers is defined and managed. (198)
- Evaluate operations management to ensure that IT support functions effectively meet business needs. (198)
- Evaluate data administration practices to ensure the integrity and optimization of databases. (221)
- Evaluate the use of capacity and performance monitoring tools and techniques to ensure that IT services meet the organization's objectives. (244)
- Evaluate change, configuration, and release management practices to ensure that changes made to the organization's production environment are adequately controlled and documented. (198)
- Evaluate problem and incident management practices to ensure that incidents, problems, or errors are recorded, analyzed, and resolved in a timely manner. (274)
- Evaluate the functionality of the IT infrastructure (e.g., network components, hardware, system software) to ensure that it supports the organization's objectives. (209)

Knowledge Statements (page):
- Knowledge of service level management practices (198)
- Knowledge of operations management best practices (e.g., workload scheduling, network services management, preventive maintenance) (198)
- Knowledge of systems performance monitoring processes, tools, and techniques (e.g., network analyzers, system utilization reports, load balancing) (274)
- Knowledge of the functionality of hardware and network components (e.g., routers, switches, firewalls, peripherals) (242)
- Knowledge of database administration practices (221)
- Knowledge of the functionality of system software including operating systems, utilities, and database management systems (221)
- Knowledge of capacity planning and monitoring techniques (198)
- Knowledge of processes for managing scheduled and emergency changes to the production systems and/or infrastructure including change, configuration, release, and patch management practices (198)
- Knowledge of incident/problem management practices (e.g., help desk, escalation procedures, tracking) (198)
- Knowledge of software licensing and inventory practices (221)
- Knowledge of system resiliency tools and techniques (e.g., fault tolerant hardware, elimination of single point of failure, clustering) (209)

CISA Job Practice Area 5: Protection of Information Assets (Approximately 31% of Exam)

Tasks (page):
- Evaluate the design, implementation, and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorized use of information assets. (337)
- Evaluate network infrastructure security to ensure confidentiality, integrity, availability and authorized use of the network and the information transmitted. (293)
- Evaluate the design, implementation, and monitoring of environmental controls to prevent or minimize loss. (364)
- Evaluate the design, implementation, and monitoring of physical access controls to ensure that information assets are adequately safeguarded. (364)
- Evaluate the processes and procedures used to store, retrieve, transport, and dispose of confidential information assets. (312)

Knowledge Statements (page):
- Knowledge of the techniques for the design, implementation and monitoring of security (e.g., threat and risk assessment, sensitivity analysis, privacy impact assessment) (294)
- Knowledge of logical access controls for the identification, authentication, and restriction of users to authorized functions and data (e.g., dynamic passwords, challenge/response, menus, profiles) (303)
- Knowledge of logical access security architectures (e.g., single sign-on, user identification strategies, identity management) (303)
- Knowledge of attack methods and techniques (e.g., hacking, spoofing, Trojan horses, denial of service, spamming) (313)
- Knowledge of processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team) (330)
- Knowledge of network and Internet security devices, protocols, and techniques (e.g., SSL, SET, VPN, NAT) (340)
- Knowledge of intrusion detection systems and firewall configuration, implementation, operation, and maintenance (319)
- Knowledge of encryption algorithm techniques (e.g., AES, RSA) (340)
- Knowledge of public key infrastructure (PKI) components (e.g., certification authorities, registration authorities) and digital signature techniques (340)
- Knowledge of virus detection tools and control techniques (329)
- Knowledge of security testing and assessment tools (e.g., penetration testing, vulnerability scanning) (337)
- Knowledge of environmental protection practices and devices (e.g., fire suppression, cooling systems, water sensors) (381)
- Knowledge of physical security systems and practices (e.g., biometrics, access cards, cipher locks, tokens) (303)
- Knowledge of data classification schemes (e.g., public, confidential, private, and sensitive data) (389)
- Knowledge of voice communications security (e.g., voice over IP) (328)
- Knowledge of the processes and procedures used to store, retrieve, transport, and dispose of confidential information assets (312)
- Knowledge of controls and risks associated with the use of portable and wireless devices (e.g., PDAs, USB devices, Bluetooth devices) (319)

CISA Job Practice Area 6: Business Continuity and Disaster Recovery (Approximately 14% of Exam)

Tasks (page):
- Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing. (432)
- Evaluate the organization's disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster. (436)
- Evaluate the organization's business continuity plan to ensure its ability to continue essential business operations during the period of an IT disruption. (436)

Knowledge Statements (page):
- Knowledge of data backup, storage, maintenance, retention and restoration processes, and practices (431)
- Knowledge of regulatory, legal, contractual, and insurance issues related to business continuity and disaster recovery (406)
- Knowledge of business impact analysis (BIA) (411)
- Knowledge of the development and maintenance of the business continuity and disaster recovery plans (419)
- Knowledge of business continuity and disaster recovery testing approaches and methods (421)
- Knowledge of human resources management practices as related to business continuity and disaster recovery (e.g., evacuation planning, response teams) (421)
- Knowledge of processes used to invoke the business continuity and disaster recovery plans (421)
- Knowledge of types of alternate processing sites and methods used to monitor the contractual agreements (e.g., hot sites, warm sites, cold sites) (425)

CISA Exam Prep
Michael Gregg

Copyright © 2007 by Que Publishing

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-10: 0-7897-3573-3
ISBN-13: 978-0-7897-3573-7

Library of Congress Cataloging-in-Publication Data
Gregg, Michael (Michael C.)
CISA exam prep / Michael Gregg.
p. cm.
Includes index.
ISBN 978-0-7897-3573-7 (pbk.)
1. Information Systems Audit and Control Association—Examinations—Study guides. 2. Electronic data processing personnel—Certification—Study guides. 3. Electronic data processing departments—Auditing—Examinations—Study guides. 4. Management information systems—Auditing—Examinations—Study guides. I. Title. II. Title: Certified Information Systems Auditor exam prep.
QA76.3.G75268 2007
658.4'03—dc22
2007012694

Printed in the United States of America
First Printing: April 2007
10 09 08 07 4 3 2 1

Associate Publisher: Dave Dusthimer
Acquisitions Editor: Betsy Brown
Senior Development Editor: Christopher Cleveland
Managing Editor: Patrick Kanouse
Project Editor: Seth Kerney
Copy Editor: Krista Hansing
Indexer: Tim Wright
Proofreader: Debbie Williams
Technical Editors: Donald Glass, Shawn Merdinger
Publishing Coordinator: Vanessa Evans
Multimedia Developer: Dan Scherf
Book Designer: Gary Adair
Page Layout: Bronkella Publishing LLC

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Que Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. CISA® and ISACA® are registered trademarks of the Information Systems Audit and Control Association.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an "as is" basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book.

Bulk Sales
Que Publishing offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact U.S. Corporate and Government Sales, 1-800-382-3419, [email protected]. For sales outside the U.S., please contact International Sales, [email protected].

Contents at a Glance

Exam Objectives Reference
Introduction 1
Study and Exam Preparation Tips 11

Part I: IT Governance and the Audit Process
CHAPTER 1 The Audit Process 21
CHAPTER 2 IT Governance 63

Part II: System and Infrastructure Lifecycle Management
CHAPTER 3 Lifecycle Management 113
CHAPTER 4 System Infrastructure Control 155

Part III: IT Service Delivery and Support
CHAPTER 5 Information Systems Hardware and Architecture 195
CHAPTER 6 Information Systems Used for IT Delivery and Support 239

Part IV: Protection of Information Assets
CHAPTER 7 Protection of Logical Assets 289
CHAPTER 8 Physical Security 361

Part V: Business Continuity and Disaster Recovery
CHAPTER 9 Business Continuity and Disaster Recovery 403

Part VI: Final Preparation
Fast Facts 447
Practice Exam 475
Answers to Practice Exam Questions 509
Glossary 527
Index 565

Table of Contents

Introduction 1
  How This Book Helps You 1
  About the CISA Exam 2
  CISA Exam Objectives 2
  How to Prepare for the Exam 3
  Additional Exam-Preparation Resources 4
    Practice Tests 5
  What This Book Does 5
  What This Book Does Not Do 6
  Contacting the Author 6
  About the Book 6
    Instructional Features 7
    Extensive Practice Test Options 8
    Final Preparation 9
  Final Words of Wisdom 9

Study and Exam Prep Tips 11
  Learning Styles 12
  Study Tips 12
    Study Strategies 12
    Pretesting Yourself 14
  Exam Prep Tips 14
    Exam Format 15
    Question Types 16
    More Exam Preparation Tips 16
  Final Considerations 18
