the cisa course presentation 2003 v2

Upload: susana-cachafeiro-b

Post on 06-Apr-2018


TRANSCRIPT

  • 8/3/2019 The CISA Course Presentation 2003 v2

    1/207

    Welcome to the 2003 CISA Exam

    Revision Course


    Introductions & Ice-Breaker

    Your facilitators for this course are:-

    Philip Culleton

    Austin Dunn


    CISA Review Course

    UNIT 1

    Course Overview


    Course Objectives

    To:-

    Briefly recap some of the key information needed

    Help you to draw on your underlying experience

    Practice your exam technique

    Be highly interactive and hopefully just a bit FUN !!!!


    Format For Each Chapter

    Start with an overview diagram of each chapter

    Followed by a recap of key points/sections within that chapter

    Finish each chapter with CISA questions to reinforce the points recapped

    There will be a few activities

    Questions are welcome at anytime.


    Course Structure - Day 1

    Unit 1 - Course overview

    Unit 2 - CISA overview

    Unit 3 - Chapter 1 recap

    Unit 4 - CISA chapter 1 questions

    Unit 5 - Chapter 2 recap

    Unit 6 - CISA chapter 2 questions

    Unit 7 - CISA team crossword...

    Unit 8 - Chapter 3 recap (part 1)

    Unit 9 - Chapter 3 recap (part 2)

    Unit 10 - Technology Pictionary...

    Unit 11 - Chapter 3 recap (part 3)

    Unit 12 - CISA chapter 3 questions

    Unit 13 - End of day mini CISA test


    Course Structure - Day 2

    Unit 14 - Chapter 4 recap

    Unit 15 - CISA Chapter 4 questions

    Unit 16 - Chapter 5 recap

    Unit 17 - CISA Chapter 5 questions

    Unit 18 - Chapter 6 recap

    Unit 19 - Chapter 6 questions

    Unit 20 - Group Quiz - Jeopardy

    Unit 21 - Chapter 7 recap

    Unit 22 - CISA Chapter 7 questions

    Unit 23 - End of day mini CISA test


    Course Structure - Day 3

    Unit 24 - Timed mock exam

    Unit 25 - Marking and review

    Unit 26 - Team Quiz

    Unit 27 - General Q & A...

    Unit 28 - Exam arrangements for Saturday


    Course Structure - Day 4 & 5

    Self Study

    Self study days to be used as deemed fit.

    But suggested that you:-

    Concentrate on your weaker areas

    Practice some more exam questions/technique.


    CISA Review Course

    UNIT 2

    CISA Overview


    The CISA Qualification

    To obtain CISA qualification you need to:-

    Adhere to the ISACA code of ethics.

    Submit evidence of 5 years of professional IS auditing, control or security work experience

    (a degree can be substituted for up to two years, and a year's non-audit IS experience for one year)

    Pass the CISA exam.

    Page 461

    Please follow the review manual during the course.


    CISA Exam Format

    The exam format is:-

    4 hours in length (can leave early)

    200 questions

    All multiple choice

    Single stem, 4 options

    Can be based on a scenario, description, flowcharts, other diagrams or tables.

    Page 462


    Marking/Passing The Exam.

    After completing the exam:-

    It is computer marked

    The raw score out of 200 is converted to a scaled score between 25 and 100

    A scaled score of 75 or above is a pass

    The process takes about 10 weeks (including notification by post), and a re-mark can be requested

    Page 464


    Key Knowledge Needed

    Key information which you must know is:-

    The technical content of the 7 chapters

    The glossary of CISA terms

    The standard CISA acronyms.

    All of the above are contained within your CISA review manual, which should be thought of as a set of checklists.

    Page 462


    The Seven CISA Chapters

    Exam weighting per chapter (share of the 200 questions) as given on the slide:

    Chapter 1 - The IS Audit Process (10%, 20 questions)

    - professional standards

    - code of professional ethics

    - other laws and regulations

    - performing an IS audit

    Chapter 2 - Management, Planning and Organization of IS (11%, 22 questions)

    - strategies to achieve business objectives

    - policies and procedures

    - IS management practices

    - organisational structures

    Chapter 3 - Technical Infrastructure and Operational Practices (13%, 26 questions)

    - hardware platforms

    - software platforms

    - telecommunications

    - operations

    Chapter 4 - Protection of Information Assets (25%, 50 questions)

    - logical access controls

    - physical access controls

    - environmental controls

    Chapter 5 - Disaster Recovery and Business Continuity (10%, 20 questions)

    - backup and recovery

    - disaster recovery

    - business continuity

    Chapter 6 - Business Application System Development, Acquisition, Implementation and Maintenance (16%, 32 questions)

    - SDLC

    - alternative development methodologies

    - IS maintenance practices

    - project management

    Chapter 7 - Business Process Evaluation and Risk Management (15%, 30 questions)

    - IT governance

    - application controls

    - business applications


    CISA Review Course

    UNIT 3

    Chapter 1 Recap



    Chapter 1 Overview - The IS Audit Process

    Key areas:

    ISACA General Standards For Auditing

    - ISACA Professional Standards

    - ISACA Statements

    - ISACA Code Of Professional Ethics

    Performing An IS Audit

    - Risk Analysis

    - Controls

    - Audit Program Development

    - Audit Resource Scheduling

    - Evidence Gathering Techniques

    - Evaluation of Evidence

    - Audit Reports

    - Management Actions

    - Continuous Audit

    - Control Self Assessment

    COBIT Control Objectives (overview only)

    - Framework

    - Control Objectives

    Other Laws And Regulations (general understanding only)

    - Regulatory requirements

    - Government requirements

    - Management's process


    ISACA

    Standards for Information Systems auditing

    Information Systems auditing guidelines

    Code of Professional ethics

    Standards for Information Systems control professionals

    Statements on Information Systems Auditing Standards (now replaced by the IS auditing guidelines).


    Standards for Information Systems Auditing

    010 Audit Charter - responsibilities, authority and accountability

    020 Independence - professional and organisational

    030 Professional ethics and standards - code of professional ethics, due professional care

    040 Competence - skills and knowledge, continuing professional education

    050 Audit Planning

    060 Performance of audit work - supervision and evidence

    070 Reporting

    080 Follow-up activities.


    IS Auditing Guidelines

    Audit charter

    Audit documentation

    Audit considerations for irregularities

    Audit evidence requirements

    Audit sampling

    Corporate governance of information systems

    Due professional care

    Effect of involvement in the development, acquisition, implementation or maintenance process on the IS auditor's independence.


    IS Auditing Guidelines

    Effect of pervasive IS controls

    Materiality concepts for auditing information systems

    Organisational relationship and independence

    Outsourcing of IS activities to other organisations

    Planning the IS audit

    Report content and form

    Use of CAATs

    Use of risk assessment in audit planning

    Using the work of other auditors and experts.


    ISACA Code Of Professional Ethics

    Support establishment of/compliance with, standards and procedures

    Comply with ISACA auditing standards

    Serve all major stakeholders in a loyal and honest manner

    Maintain confidentiality

    Be independent and objective

    Maintain competency

    Use due care

    Inform appropriate parties of the results of the work

    Support the education of management, clients and the general public

    Maintain high standards of conduct and character.


    Audit program phases

    Set the audit subject and objective

    Set the audit scope

    Pre-audit planning

    Audit procedures and steps for data gathering

    Decide how the results will be evaluated

    Prepare to communicate to management

    Prepare the audit report.


    Risk-based audit approach

    Gather information and plan.

    Understand the internal controls

    Perform compliance tests

    Perform substantive tests

    Conclude the audit.


    So what is audit risk?

    Inherent risk

    The risk of a material error or misstatement arising in the absence of related controls

    Control risk

    The risk that a material error will not be prevented or detected on a timely basis by the internal controls

    Detection risk

    The risk that the IS auditor's procedures are inadequate and lead to the conclusion that no material errors exist when in fact they do

    Overall audit risk

    The combination of the above for each control objective (in the standard model, the product of the three).


    Audit Resource Management

    Understand the capabilities and qualifications of individuals

    Deal with common resource constraints

    Use project management techniques to manage resources:-

    - develop a detailed resource schedule/plan

    - track actual against plan

    - take corrective action as appropriate

    Consider training and on-going education


    Evidence Gathering Techniques

    Review of organisational structure

    Review of systems and IS procedures documentation

    Interviewing

    Observation

    Sampling, specifically:-

    - statistical vs. non-statistical (judgemental)

    - attribute vs. variable

    - key terminology - confidence coefficient, precision, expected error rate, sample mean, sample standard deviation and population standard deviation

    Use of CAATs, including:-

    - test data generators

    - integrated test facilities

    - expert systems

    - specialised audit software (e.g. ACL)

    - system utilities

    - SCARF
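    The following is a worked example of the audit risk definitions on the slide above ("So what is audit risk?") and of the sampling terminology on this slide: confidence coefficient, precision, expected error rate, sample mean, sample standard deviation and population standard deviation. It is an added illustration and not part of the course presentation or the review manual. It assumes the standard multiplicative audit risk model (AR = IR x CR x DR), the normal approximation for sample-size arithmetic, and the small two-sided z-table hard-coded in the block; every input value is constructed.

```python
"""Audit risk model and audit sampling arithmetic, as used when planning
the compliance and substantive tests from the Chapter 1 recap.

Added worked example, not part of the course material.  Assumptions: the
standard multiplicative audit risk model (AR = IR x CR x DR), the normal
approximation for sample sizes, and the small two-sided z-table below."""
import math
import statistics

# Two-sided z values for the confidence coefficients used in the example.
Z_TABLE = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def planned_detection_risk(overall_audit_risk, inherent_risk, control_risk):
    """Solve AR = IR x CR x DR for the detection risk the auditor can accept.
    High inherent or control risk leaves little room for detection risk, so
    more substantive testing is needed; the result is capped at 1.0."""
    for value in (overall_audit_risk, inherent_risk, control_risk):
        if not 0 < value <= 1:
            raise ValueError("risk factors must lie in (0, 1]")
    return min(overall_audit_risk / (inherent_risk * control_risk), 1.0)


def z_for_confidence(confidence):
    """z value for the first tabulated level at or above the requested
    confidence coefficient (rounds the confidence up, never down)."""
    for level in sorted(Z_TABLE):
        if level >= confidence - 1e-9:
            return Z_TABLE[level]
    raise ValueError("confidence above the tabulated range")


def attribute_sample_size(confidence, precision, expected_error_rate):
    """Attribute (compliance) sampling: items needed to estimate a deviation
    rate to within +/- precision at the given confidence coefficient."""
    z = z_for_confidence(confidence)
    p = expected_error_rate
    return math.ceil(z * z * p * (1.0 - p) / precision ** 2)


def variable_sample_size(confidence, precision, population_std_dev):
    """Variable (substantive) sampling: items needed to estimate a mean
    value to within +/- precision (same units as the population values)."""
    z = z_for_confidence(confidence)
    return math.ceil((z * population_std_dev / precision) ** 2)


def evaluate_variable_sample(values, population_size):
    """Sample mean, sample standard deviation (n - 1 denominator, unlike
    the population standard deviation) and the projected population total."""
    mean = statistics.mean(values)
    sample_sd = statistics.stdev(values)
    return {
        "sample_mean": mean,
        "sample_std_dev": sample_sd,
        "projected_total": mean * population_size,
    }


if __name__ == "__main__":
    # Planning: accept 5% overall audit risk; inherent risk assessed high
    # (0.8), control risk moderate (0.5) after the compliance tests.
    dr = planned_detection_risk(0.05, 0.8, 0.5)           # 0.125
    confidence = 1.0 - dr                                 # 0.875, table rounds up to 0.90
    print(f"planned detection risk {dr:.3f}, confidence coefficient {confidence:.3f}")
    # Compliance test of a change-approval control: 2% expected deviation
    # rate, +/- 5% precision wanted.
    print("attribute sample size:", attribute_sample_size(confidence, 0.05, 0.02))
    # Substantive test of invoice values: population std dev 50, precision +/- 10.
    print("variable sample size:", variable_sample_size(confidence, 10.0, 50.0))
    # Constructed sample of five invoice values drawn from a population of 1000.
    print(evaluate_variable_sample([100.0, 110.0, 90.0, 105.0, 95.0], 1000))
```

    The point to take from the arithmetic is the direction of the dependencies: a higher assessed inherent or control risk lowers the detection risk the auditor may accept, which raises the confidence coefficient and therefore the sample size, and a tighter precision raises it quadratically. `statistics.stdev` computes the sample standard deviation (n - 1 denominator), which is why the population standard deviation is passed in separately when sizing a variable sample.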


    Evaluation Of Evidence

    Factors to consider:-

    compensating and overlapping controls

    interrelationship (i.e. dependency) of controls

    sufficient, reliable and relevant

    impact of any weaknesses (including materiality)


    Continuous Audit Approaches

    Defined as monitoring of controls on an on-going basis

    Significant use of technology to achieve this

    Five key types of continuous technique:-

    Embedded Audit Modules (EAM) and Systems Control Audit Review File (SCARF)

    Snapshots

    Audit hooks

    Integrated Test Facilities (ITF)

    Continuous and Intermittent Simulation (CIS).
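    The following shows four of the five techniques on this slide working together in one posting routine: an audit hook calling an embedded audit module, the module writing selected transactions to a SCARF file, a snapshot of the account image before and after each selected posting, and an ITF dummy entity that is reversed out after the run. It is an added illustration, not code from the course or the review manual; the ledger, the transaction feed, the selection criteria (amount threshold, self-approval, business hours) and the "ITF-" account prefix are all constructed assumptions.

```python
"""Embedded audit module (EAM) writing to a SCARF file, with snapshots and
an ITF dummy entity, over a constructed transaction feed.

Added illustration of the continuous audit techniques on the slide; not
course material.  The ledger, transactions, selection criteria and the
"ITF-" account prefix are all constructed assumptions."""
import datetime as dt

# Constructed opening balances; ITF-9999 is the auditor's dummy (test) entity.
OPENING_BALANCES = {"1001": 5000.00, "1002": 12000.00, "ITF-9999": 0.00}

# Constructed transaction feed (who posted it, who approved it, ISO timestamp).
TRANSACTIONS = [
    {"id": "T1", "acct": "1001", "amount": -250.00, "user": "alice", "approver": "bob", "ts": "2003-05-12T10:15"},
    {"id": "T2", "acct": "1002", "amount": -9500.00, "user": "carol", "approver": "carol", "ts": "2003-05-12T23:40"},
    {"id": "T3", "acct": "1001", "amount": 40.00, "user": "alice", "approver": "bob", "ts": "2003-05-13T09:02"},
    {"id": "T4", "acct": "ITF-9999", "amount": 100.00, "user": "auditor", "approver": "auditor", "ts": "2003-05-13T09:05"},
]

LARGE_AMOUNT = 5000.00          # auditor's selection threshold (assumption)
BUSINESS_HOURS = range(7, 19)   # 07:00 to 18:59 (assumption)


def selection_reasons(txn):
    """The EAM's selection criteria: which of the auditor's conditions a
    transaction meets.  An empty list means 'not of audit interest'."""
    reasons = []
    if abs(txn["amount"]) >= LARGE_AMOUNT:
        reasons.append("large_amount")
    if txn["user"] == txn["approver"]:
        reasons.append("self_approved")
    if dt.datetime.fromisoformat(txn["ts"]).hour not in BUSINESS_HOURS:
        reasons.append("outside_hours")
    if txn["acct"].startswith("ITF-"):
        reasons.append("itf_test_entity")
    return reasons


def run_batch(transactions=TRANSACTIONS, opening=OPENING_BALANCES):
    """Production posting run with the audit hook embedded in the posting
    routine.  Returns the closing ledger, the SCARF records and the
    before/after snapshots of every selected transaction."""
    ledger = dict(opening)
    scarf, snapshots = [], []

    def audit_hook(txn, before, after):
        # Embedded audit module: runs inside the application for every
        # transaction, copies the ones of interest into SCARF and takes a
        # snapshot of the account image before and after posting.
        reasons = selection_reasons(txn)
        if reasons:
            scarf.append({"id": txn["id"], "acct": txn["acct"],
                          "amount": txn["amount"], "reasons": reasons})
            snapshots.append({"id": txn["id"], "before": before, "after": after})

    def post(txn):
        before = ledger[txn["acct"]]
        after = round(before + txn["amount"], 2)
        ledger[txn["acct"]] = after
        audit_hook(txn, before, after)      # the audit hook, called on every posting

    for txn in transactions:
        post(txn)
    return ledger, scarf, snapshots


def remove_itf_postings(ledger, transactions):
    """ITF housekeeping: reverse the test-entity postings so that the dummy
    entity never leaks into production totals."""
    cleaned = dict(ledger)
    for txn in transactions:
        if txn["acct"].startswith("ITF-"):
            cleaned[txn["acct"]] = round(cleaned[txn["acct"]] - txn["amount"], 2)
    return cleaned


if __name__ == "__main__":
    ledger, scarf, snapshots = run_batch()
    for rec in scarf:
        print("SCARF", rec)
    for snap in snapshots:
        print("SNAPSHOT", snap)
    print("ledger after ITF clean-up:", remove_itf_postings(ledger, TRANSACTIONS))
```

    Two design points matter for the exam as much as for practice: the hook sits inside the production posting routine, so the auditor sees every transaction rather than a later extract, and the ITF postings must be reversed (or routed to the dummy entity only) so the test data never distorts production balances.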


    CISA Review Course

    UNIT 4

    CISA Chapter 1 Questions


    CISA Review Course

    UNIT 5

    Chapter 2 Recap



    Chapter 2 Overview - Management, Planning and Organization of IS

    Key areas:

    Information Systems Strategies

    - Strategic Planning

    - IS Planning/Steering Committees

    - User Pay Schemes

    Organisational Structures

    - Management Structures

    - Line Management

    - Project Management

    - Job Descriptions/Charts

    - Segregation of Duties

    - Compensating Controls

    - IPF Duties

    - Sources of Evidence

    Policies and Procedures

    - Hiring

    - Promotion

    - Termination

    - Job Rotation

    - Vacations

    - Outsourcing

    IS Management Practices

    - Training/Cross Training

    - Scheduling and Time Reporting

    - Employee Handbook

    - Assessing Effectiveness of IS

    - Quality Standards

    - BPR


    Strategic IS Planning

    Four key activities are:-

    Long term organisational planning

    Long term IS planning

    Short term IS planning

    On-going review of IS plans.

    Key point is to tie IS objectives to business objectives


    Steering Committees

    Key functions include:

    Review of short and long range IS plans

    Review and approval of major hardware and software acquisitions

    Approval and monitoring of major projects

    Review of IS budgets and expenditure

    Review of adequacy of resources

    Decide on centralisation and decentralisation


    Written Policies And Procedures

    Should:-

    Be reviewed and updated regularly

    Cover all the important areas including:-

    Hiring of staff (e.g. background checks)

    Promotion (e.g. ensure fairness/objectivity)

    Termination (e.g. immediate vs voluntary)

    Job rotation (e.g. as a means of fraud prevention)

    Required vacation (e.g. also as a means of reducing fraud)

    Employee handbook (e.g. includes emergency procedures,

    security compliance)

    Employee performance

    and evaluations (e. g. agreed goals/objectives)


    Outsourcing

    There are three key areas to consider:-

    Advantages

    - greater IS expertise

    - potential cost savings

    - faster implementation of systems

    Disadvantages

    - increased cost

    - loss of control

    - vendor failure

    Audit/security concerns

    - audit rights

    - integrity, confidentiality and availability

    - loss of control to vendor

    - performance management


    Management Principles

    People Management

    Management of change

    Focus on good processes

    Security

    Handling 3rd parties


    Measuring Efficiency/Effectiveness

    IS effectiveness and efficiency can be measured by using:-

    IS Budgets

    User satisfaction surveys

    Industry standards/benchmarking

    Goal accomplishment

    Comparison with ISO 9000 quality standards

    Capability maturity model (p. 76)


    Quality Management Standards

    There are several areas to understand:-

    Range of standards:

    - ISO 9000 - guidance on choosing the appropriate standard

    - ISO 9001 - design, development, production, installation and servicing

    - ISO 9002 - production, installation and servicing (no design)

    - ISO 9003 - final inspection and test

    - ISO 9004 - general quality management guidelines

    - ISO 9126 - quality of the software end product

    Key quality elements:

    - Management sponsorship/responsibility

    - Use of a quality system

    - Internal quality audits

    - Corrective and preventive action (feedback).


    Software Quality Management

    ISO 9126 defines six characteristics for evaluating the quality of software:-

    Functionality

    Reliability

    Usability

    Efficiency

    Maintainability

    Portability.


    Organisational Structure Points 1

    Typical IS department management (as described in the CISA manual) consists of:-

    IS Director

    Systems Development Manager

    End-User Support Manager

    Data Management

    Database Administrator

    Technical Support Manager

    Security Administrator

    Quality Assurance Manager

    Operations Manager

    Network Manager/Administrator

    Should segregate/separate key classes of duties:-

    Transaction authorisation

    Reconciliation/review

    Custody of assets.


    Organisational Structure Points 2

    Key CISA functional areas found in IS environments:-

    Data entry

    Data librarian

    The control group

    Operations

    Security administration

    Quality assurance

    Database administration

    Systems analysis

    Application programming

    Systems programming

    LAN administration (and WAN where appropriate)

    Help desk.


    Segregation of duties between IPF and the Business

    Segregation of duties can be enforced through:-

    Transaction authorisation

    Reconciliation

    Custody of assets

    Access to data

    Separation of duties within the IPF itself.

    Be familiar with the table on page 85!


    Compensating Controls

    To address poor segregation of duties, consider:-

    Audit trails (traces the actions taken)

    Transaction logs (traces the transaction)

    Reconciliations

    Independent review.
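    The following is the check an auditor (or the access administrator) would run over a user/role extract to find the segregation-of-duties conflicts described on the previous slide, and to see whether one of the compensating controls listed on this slide is registered where a conflict cannot be removed. It is an added example and not material from the course or the review manual. The duty classes are the slide's (transaction authorisation, reconciliation/review, custody of assets, access to data); the conflict matrix, the role catalogue, the users, the compensating-control register and the rule that only an independent review counts as mitigation are all constructed assumptions.

```python
"""Segregation-of-duties check for a user/role assignment, with a look-up
of the compensating controls that exist where duties cannot be separated.

Added example, not course material.  The duty classes are the slide's
(transaction authorisation, reconciliation/review, custody of assets, access
to data); the roles, users, conflict matrix and control register are
constructed for illustration."""

# Duty pairs that should not rest with one individual (assumption: the
# classic authorise / record-and-review / custody split, plus custody
# combined with direct data access).
CONFLICTING_DUTIES = {
    frozenset({"transaction_authorisation", "custody_of_assets"}),
    frozenset({"transaction_authorisation", "reconciliation"}),
    frozenset({"custody_of_assets", "reconciliation"}),
    frozenset({"custody_of_assets", "data_access"}),
}

# Constructed role catalogue: role -> duty classes it carries.
ROLES = {
    "ap_clerk": {"data_access"},
    "ap_supervisor": {"transaction_authorisation"},
    "treasury": {"custody_of_assets"},
    "gl_reviewer": {"reconciliation"},
    "dba": {"data_access"},
}

# Constructed user -> role assignments (the kind of extract pulled from the
# access control software during an audit).
USERS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_supervisor", "treasury"},     # authorises payments and holds custody
    "carol": {"gl_reviewer", "treasury"},     # reconciles and holds custody
    "dave": {"dba", "gl_reviewer"},
}

# Constructed compensating-control register: user -> controls in place
# (the slide's audit trail, transaction log, reconciliation, independent review).
COMPENSATING_CONTROLS = {
    "carol": {"independent_review", "transaction_log"},
}

# Assumption: only an independent review is accepted as compensating for a
# duty conflict; logs and trails are detective and need someone to read them.
MITIGATING_CONTROL = "independent_review"


def duties_of(user):
    """All duty classes a user accumulates across every assigned role."""
    return set().union(*(ROLES[role] for role in USERS[user]))


def sod_conflicts(user):
    """Conflicting duty pairs present in one user's accumulated duties."""
    duties = duties_of(user)
    return sorted((pair for pair in CONFLICTING_DUTIES if pair <= duties), key=sorted)


def sod_report():
    """One finding per (user, conflict), marked mitigated if the register
    shows an accepted compensating control for that user."""
    findings = []
    for user in sorted(USERS):
        for pair in sod_conflicts(user):
            findings.append({
                "user": user,
                "conflict": tuple(sorted(pair)),
                "mitigated": MITIGATING_CONTROL in COMPENSATING_CONTROLS.get(user, set()),
            })
    return findings


if __name__ == "__main__":
    for finding in sod_report():
        status = "compensated" if finding["mitigated"] else "UNMITIGATED"
        print(f"{finding['user']}: {finding['conflict'][0]} + {finding['conflict'][1]} ({status})")
```

    The check works on accumulated duties rather than on roles, because the usual finding in a small IS department is not a badly designed role but one person holding two individually acceptable roles. Unmitigated findings are the ones to report; mitigated ones still belong in the working papers, since the compensating control itself then needs to be tested.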


    Sources Of Organisational Evidence

    Information technology strategies

    Plans and budgets

    Security policies

    Organisational/functional charts

    Steering committee reports/minutes

    Personnel job descriptions

    System development and program change procedures

    Operations procedures

    Personnel policy manuals

    Authorising forms and documents.


    CISA Review Course

    UNIT 6

    CISA Chapter 2 Questions


    CISA Review Course

    UNIT 7

    CISA Team Crossword


    Instructions And Rationale

    Split into teams of 3

    Work together to complete the

    crossword based on key CISA terms

    (exercise is designed to raise awareness

    of key CISA exam terminology)


    Review Of Terms

    Are there any terms which are not really clear ???

    Most terms are technology related and knowing these is a key

    requirement for passing this exam.


    CISA Review Course

    UNIT 8

    Chapter 3 Recap

    (part 1)



    Chapter 3 Overview - Technical Infrastructure and Operational Practices (Auditing Infrastructure and Operations)

    Key areas:

    Information Systems Hardware Platforms

    - Technology Architecture

    - Capacity Management

    - System Monitoring

    - Preventative Maintenance

    - Hardware Acquisition Plan

    Information Systems Software Platform

    - Technology Architecture

    - Software Selection Process

    - Implementation and Change Control Procedures

    - Configuration Parameters

    Information Systems Network & Telecoms

    - Terminology

    - Architectures

    - Standards and Protocols

    - Transmission Media

    - WANs and LANs

    - Client/Server

    - Performance Monitoring

    - Communication Controls

    - Data Encryption

    - Internet

    - Viruses

    Information Systems Operational Practices

    - Management of Operations

    - Operations Practices

    - Controlling Input/Output

    - Lights Out Operations

    - Scheduling

    - Monitoring Use of Resources

    - Problem Management

    - Program Change Control

    - Librarian Function

    - Quality Assurance

    - Service Levels

    - Technical Support

    - Physical Security

    Page 101


    Hardware Architectures

    Three main classes:-

    Large (e.g. mainframe)

    Medium (e.g. mini-computer)

    Small (e.g. microcomputer/PC, notebook/laptop, PDA)

    Main distinguishing features are:-

    Addressable memory capacity

    Amount of on-line storage

    Number of users supported simultaneously

    (although boundaries are now blurring.)

    Page 105


    Hardware Acquisition Plans

    Requirement documents (or ITTs) should cover:-

    Description of intended use (e.g. centralised/decentralised)

    Data processing requirements (including projected workloads)

    Specific hardware requirements (e.g. peripherals to support)

    System software requirements (e.g. operating systems)

    Support requirements (including training and backup)

    Adaptability requirements (including upgrade paths)

    Constraints (e.g. due dates and cost)

    Conversion requirements (e.g. migrating existing apps.)

    The need to consider all these areas depends partly on the

    type of hardware being purchased.

    Page 106


    Key Acquisition Steps

    Review of brochures and visits to other user sites

    Provision for competitive bidding

    Analysis of bids against product selection criteria

    Comparison of bids against each other

    Analysis of vendor financial condition (often overlooked)

    Analysis of on-going maintenance and support

    Review of delivery schedules against requirements

    Hardware/software upgrade/compatibility check

    Analysis of security and control issues (inc. physical)

    Review of all contract terms by a lawyer (right to audit)

    Production of formal recommendation detailing decision.

    Page 107


    Capacity Management

    Factors to consider when planning hardware support for future

    expansion:-

    Existing CPU utilisation

    Computer storage utilisation

    Telecommunications and wide area network traffic

    Terminal and I/O channel utilisation

    Number of users

    New technologies due to be implemented

    New applications due to be implemented

    Existing and future service level agreements.

    Page 109


    CISA Review Course

    UNIT 9

    Chapter 3 Recap

    (part 2)



    System Software Components

    Operating systems

    Access controls software

    Data communications software

    Database management systems (DBMS)

    Program library management systems

    Tape and disk management systems

    Online programming facilities (integrated development environment)

    Network management software

    Job scheduling software

    Utility programs

    Page 110


    Operating Systems

    Key features are:

    It brings together the users, the application software and the system hardware

    Manages computer resources and processing

    Often includes facilities to assist in operating the computer and in developing applications.

    Page 110


    Access Control Software (not in manual)

    Key functions of such software are:-

    Recording logon ids and passwords, and authenticating users

    Restricting access to specific terminals

    Restricting access to specific predetermined times

    Enforcing other rules for access such as terminal time-outs

    Ensuring individual accountability and auditability

    Logging events and user activities

    Generating exception reports

    Doing all of the above at the operating system, database, and application program levels.
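    The functions listed above, worked through in code as an added example that is not part of the course deck or of any access control product: a small policy engine that authenticates against a salted hash, restricts logon to named terminals and a time window, enforces an idle time-out, logs every decision and produces an exception report. The rule schema, the user "ops1" and the timestamps are constructed.

```python
"""Access-control decision logic for the functions listed on the slide.

Added example, not from the course deck or any vendor product: the rule schema,
the user record and the log format below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta


def hash_password(password: str, salt: bytes) -> bytes:
    """Store a salted hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class UserRule:
    """Constructed (hypothetical) access rule for one logon id."""
    salt: bytes
    password_hash: bytes
    allowed_terminals: frozenset[str]  # restrict access to specific terminals
    window_start: time                 # restrict access to a predetermined time window
    window_end: time
    idle_timeout: timedelta            # terminal time-out rule


@dataclass
class AccessControl:
    rules: dict[str, UserRule]
    events: list[str] = field(default_factory=list)  # every decision is logged
    sessions: dict[tuple[str, str], datetime] = field(default_factory=dict)

    def _decide(self, user: str, terminal: str, when: datetime,
                allow: bool, reason: str) -> bool:
        """Log the event (individual accountability/auditability) and return the decision."""
        outcome = "ALLOW" if allow else "DENY"
        self.events.append(f"{when:%Y-%m-%d %H:%M} user={user} terminal={terminal} {outcome} {reason}")
        return allow

    def logon(self, user: str, password: str, terminal: str, when: datetime) -> bool:
        rule = self.rules.get(user)
        if rule is None:
            return self._decide(user, terminal, when, False, "unknown-logon-id")
        if not hmac.compare_digest(hash_password(password, rule.salt), rule.password_hash):
            return self._decide(user, terminal, when, False, "bad-password")
        if terminal not in rule.allowed_terminals:
            return self._decide(user, terminal, when, False, "terminal-not-permitted")
        if not rule.window_start <= when.time() <= rule.window_end:
            return self._decide(user, terminal, when, False, "outside-permitted-hours")
        self.sessions[(user, terminal)] = when
        return self._decide(user, terminal, when, True, "logon")

    def activity(self, user: str, terminal: str, when: datetime) -> bool:
        """Enforce the terminal time-out: a session idle past the limit is ended."""
        last = self.sessions.get((user, terminal))
        if last is None:
            return self._decide(user, terminal, when, False, "no-active-session")
        if when - last > self.rules[user].idle_timeout:
            del self.sessions[(user, terminal)]
            return self._decide(user, terminal, when, False, "session-timed-out")
        self.sessions[(user, terminal)] = when
        return self._decide(user, terminal, when, True, "activity")

    def exception_report(self) -> list[str]:
        """Exception report for management/auditor review: the denied events only."""
        return [e for e in self.events if " DENY " in e]


def build_demo() -> AccessControl:
    """One constructed user 'ops1': terminal T01 only, 08:00-18:00, 15-minute time-out."""
    salt = os.urandom(16)
    rule = UserRule(salt, hash_password("correct horse battery", salt),
                    frozenset({"T01"}), time(8, 0), time(18, 0), timedelta(minutes=15))
    return AccessControl({"ops1": rule})


def demo_sequence() -> tuple[list[bool], list[str]]:
    """Constructed walk-through of each rule; returns the decisions and the exception report."""
    ac = build_demo()
    d = datetime(2003, 6, 2, 9, 0)  # constructed timestamp inside the permitted window
    decisions = [
        ac.logon("ops1", "correct horse battery", "T01", d),                  # allowed
        ac.logon("ops1", "wrong password", "T01", d),                         # bad password
        ac.logon("ops1", "correct horse battery", "T02", d),                  # wrong terminal
        ac.logon("ops1", "correct horse battery", "T01", d.replace(hour=20)), # outside hours
        ac.logon("nobody", "x", "T01", d),                                    # unknown id
        ac.activity("ops1", "T01", d + timedelta(minutes=10)),                # within time-out
        ac.activity("ops1", "T01", d + timedelta(minutes=40)),                # 30 min idle: ended
    ]
    return decisions, ac.exception_report()


if __name__ == "__main__":
    print("\n".join(demo_sequence()[1]))
```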


    Data Communications Software

    Common transmission codes:-

    5 bit CCITT (p 123)

    ASCII

    IBM EBCDIC

    8 bit EBCDIC

    Data communication systems have three components:

    Transmitter (source)

    Transmission path (channel or line)

    Receiver (sink)

    Common applications:-

    EFT

    Office information systems

    Customer/supplier links such as EDI

    Electronic messaging (including the Internet).

    Page 113


    DBMS

    Systems software that organises, controls and uses data.

    Use data dictionaries

    Structured in one of three ways:- Hierarchical

    Network

    Relational

    Each structure has a number of advantages and disadvantages, with relational generally being the structure of choice for most applications.

    Page 114


    Program library management systems

    Some PLMS capabilities are:

    Integrity - Source programs are assigned modification and version numbers

    Update - creating automated backups and maintaining an audit trail

    Reporting - listing additions, deletions, modifications for management and auditor reviews

    Interface - with the operating system, job scheduling, access control and online program management systems

    Page 118


    Tape and disk management systems

    Specialised software to track tape and disk inventories.

    Contain dataset names, location, creation date, retention period, expiry date etc

    A number of systems work with robotic units

    Page 119


    Online programming facilities (not in manual)

    Facilities to assist programmers to code and compile programs.

    The trend towards PC-based programming facilities increases risks, e.g. version control, unauthorised access, over-writing of valid programs.


    Network management software

    Has functions to control and maintain the network.

    Watches line status, active terminals, length of message queues, error rates and overall traffic

    Alerts operator of problems before they affect network reliability


    Job scheduling software

    From daily work schedules, this software determines which jobs are to be processed.

    Various advantages:

    Job setup only performed once

    Job dependencies defined

    Records all job successes and failures

    Reduces reliance on operators.

    Page 119


    Utility programs

    Systems software which performs maintenance or specialised functions frequently required during operations.

    Can be related to:

    Understanding applications systems e.g. flow charter

    Assessing data quality e.g. dump

    Testing programs e.g. online debugging facilitators

    Assisting in program development e.g. code generator

    Improving operational efficiency e.g. monitors.

    Page 119


    System Software-related Acquisition

    Business, functional and technical needs and specification

    Cost/ benefit

    Obsolescence

    Compatibility with existing systems

    Security

    Demands on existing staff

    Training and hiring requirements

    Future growth needs

    Impact on system performance and the network

    Page 120


    Other system software considerations

    Change control and implementation of patches

    Software licensing

    Page 120



    Telecoms Terminology/Devices

    Terminals (teletype, RJE etc.)

    Modems

    Multiplexors/concentrators

    Switching types:- Line/circuit

    Message

    Packet

    Front end communication processors

    Cluster controllers

    Protocol converters

    Spools and buffers.

    Page 122, 140


    Network components

    Repeaters

    Hubs

    Bridges

    Switches

    Routers

    Brouters

    Gateways

    Multiplexors

    Page 130


    Transmission Media

    Twisted pair

    Coaxial

    Fiber optic

    Radio

    Microwave

    Satellite

    Wireless

    Bluetooth

    Page 132


    Networking

    Architectures:-

    Bus (linked to one cable)

    Ring (formed in a circle)

    Star (all linked to a main hub)

    Completely connected (mesh) (direct link between all)

    The 7 layer OSI model was used to create interoperability between manufacturers' products - the layers are:-

    Application layer (validation and transaction security)

    Presentation layer (format, encryption and transformation)

    Session layer (start, manage and stop sessions)

    Transport layer (flow control and end to end error recovery)

    Network layer (packet management, routing and switching)

    Data link layer (node to node control and error handling)

    Physical layer (transmission of bits)

    Page 124, 136


    LAN Selection Criteria

    Some relevant considerations are:

    What are the applications?

    What is the bandwidth requirement?

    What is the budget?

    What are the remote management needs?


    The Internet

    Consists of a worldwide network exchanging information using common protocols such as TCP and IP

    Provides a range of services including:-

    World Wide Web (supported by HTML and HTTP)

    FTP (anonymous or otherwise)

    RealAudio

    (currently there is no firm standard for video)

    Key Internet control issues are:-

    Transaction security (such as SSL)

    Entry security (such as firewalls)

    Viruses (macro, Java or browser based).

    Page 126


    Other Internet Non-Web-based Services and Terminology

    ISP

    Network access point (NAP)

    Internet link

    Remote Terminal Control Protocol (TELNET)

    Domain name service (DNS)

    Direct connection

    Internet appliance

    Online services

    File Transfer Protocol (FTP)

    Simple mail transport protocol (SMTP)

    Simple network management protocol (SNMP)

    Page 128


    Client/Server Points

    Allows data and business logic to be distributed to where it best suits the application

    Typically this means data on the server(s) and application logic on the client (it is important to understand 2 and 3-tier architectures)

    Considerations when implementing include:

    Memory/CPU (fat v thin)

    Scalability (easier in 3-tier)

    Application servers

    Page 145


    Middleware

    Commonly used for:

    Transaction processing (TP) monitors

    Remote procedure calls (RPC)

    Object request broker (ORB) technology

    Messaging servers

    Page 146


    Middleware

    Middleware is the client/server glue that holds this type of application together

    It is located physically on both the client and the server and it facilitates network connection and communication

    Key risks are:-

    Provides another avenue of access to control

    Multiple versions of software may get out of sync

    Key controls are:-

    Network security controls (such as passwords & encryption)

    Change control procedure (such as versioning & tracking).


    Telecommunications Monitoring Procedures

    Latency - the delay a message/packet incurs on its way between two destinations

    Throughput - the quantity of work per unit of time

    ISO has defined 5 network management tasks:

    Fault Management

    Configuration management

    Accounting resources

    Performance management

    Security management

    Page 147


    CISA Review Course

    UNIT 10

    Technology Pictionary


    Instructions

    Come to the front and each take one of the 12 technology lists

    Each person then gets 90 seconds to draw as many of the technology items on the list as possible whilst the others call them out

    The items can be tackled in any order although no written words are allowed, and no talking !!!

    Points for getting them right, plus points for guessing correctly


    CISA Review Course

    UNIT 11

    Chapter 3 Recap

    (part 3)


    The Seven CISA Chapters

    Chapter 1 - The IS Audit Process

    - professional standards

    - code of professional ethics

    - other laws and regulations

    - performing an IS audit

    Chapter 2 - Management Planning and Organization of IS

    - strategies to achieve business objs.

    - policies and procedures

    - IS management practices

    - organisational structures

    Chapter 3 - Technical Infrastructure and Operational Practices

    - hardware platforms

    - software platforms

    - telecommunications

    - operations

    Chapter 4 - Protection of Information Assets

    - logical access controls

    - physical access controls

    - environment controls

    Chapter 5 - Disaster Recovery and Business Continuity

    - backup and recovery

    - disaster recovery

    - business continuity

    Chapter 6 - Business Application System Development, Acquisition, Implementation & Maintenance

    - SDLC

    - Alternative methodologies

    - IS maintenance practices

    - Project management

    Chapter 7 - Business Process Evaluation and Risk Management

    - IT Governance

    - Application controls

    - Business Applications

    Exam weightings shown on the diagram (the chapter each applies to is not recoverable from the extracted layout): 15% (30 questions), 16% (32 questions), 10% (20 questions), 11% (22 questions), 13% (26 questions), 25% (50 questions), 10% (20 questions).



    IS operations

    Management of IS operations

    Computer operations

    Technical support/helpdesk

    Scheduling

    Controlling input/output of data

    Quality assurance

    Program change control

    Librarian function

    Problem management procedures

    Procedures for monitoring efficient and effective use of resources

    Management of physical and environmental security.

    Page 149


    Computer operations

    Key operator tasks include:-

    Running and monitoring jobs

    Restarting applications after abnormal termination

    Facilitating backing up data

    Observing IPF for unauthorised entry

    Mounting tapes

    Monitoring adherence to job schedules

    Participating in disaster recovery tests.

    (Note more and more of these tasks are becoming automated over time).

    Page 149


    Lights Out Operations

    Typical tasks that would be automated are:-

    Job scheduling

    Console operation

    Report balancing and distribution

    Re-run/re-start activities

    Tape mounting and management

    Environment monitoring

    Key advantages are:-

    Cost reduction (less expensive staff)

    Continuous operations (24-7)

    Reduced error rate (no humans involved !!!)

    Page 149


    Controls Over Input & Output

    Input controls:-

    Batch header forms

    Authorisation of input (electronically or manually)

    Batch balancing

    Data validation

    Output controls:-

    Report distribution procedures

    Access control over print spools and output.

    Page 150
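    The input controls above (batch header forms, authorisation of input, batch balancing and data validation) as an added example that is not part of the course deck: a batch header carrying a record count, an amount control total and a hash total of account numbers is rebalanced against the detail records, and every discrepancy becomes an exception. The header layout, the record fields and the sample batch are constructed.

```python
"""Batch header balancing and data validation for the input controls on the slide.

Added example, not from the course deck: the header layout, the record fields
and the sample batch are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class BatchHeader:
    """Constructed batch header form: the control values keyed in with the batch."""
    batch_id: str
    authorised_by: str   # authorisation of input is recorded on the header
    record_count: int    # control count
    amount_total: int    # control total in pence (integers avoid rounding issues)
    hash_total: int      # sum of account numbers: meaningless, but catches swapped digits


def validate_record(rec: dict) -> list[str]:
    """Field-level data validation; an empty list means the record is clean."""
    errors = []
    acct = str(rec.get("account", ""))
    if not (acct.isdigit() and len(acct) == 8):
        errors.append(f"account {acct!r} is not 8 digits")
    amount = rec.get("amount_pence")
    if not isinstance(amount, int) or amount <= 0:
        errors.append(f"amount {amount!r} is not a positive whole number of pence")
    if rec.get("type") not in ("DR", "CR"):
        errors.append(f"type {rec.get('type')!r} is not DR or CR")
    return errors


def balance_batch(header: BatchHeader, records: list[dict], authorisers: set[str]) -> list[str]:
    """Return the batch's exceptions; only a batch with none should be released for posting."""
    exceptions = []
    tag = f"batch {header.batch_id}"
    if header.authorised_by not in authorisers:
        exceptions.append(f"{tag}: authoriser {header.authorised_by!r} not approved")
    for n, rec in enumerate(records, 1):
        exceptions.extend(f"{tag} record {n}: {err}" for err in validate_record(rec))
    # Batch balancing: recompute the control totals from the detail records
    # (fields that failed validation are left out rather than crashing the run).
    count = len(records)
    amount = sum(r["amount_pence"] for r in records if isinstance(r.get("amount_pence"), int))
    hashed = sum(int(r["account"]) for r in records if str(r.get("account", "")).isdigit())
    if count != header.record_count:
        exceptions.append(f"{tag}: record count {count} != header {header.record_count}")
    if amount != header.amount_total:
        exceptions.append(f"{tag}: amount total {amount} != header {header.amount_total}")
    if hashed != header.hash_total:
        exceptions.append(f"{tag}: hash total {hashed} != header {header.hash_total}")
    return exceptions


def sample_batch() -> tuple[BatchHeader, list[dict]]:
    """A constructed three-record batch whose header agrees with its detail records."""
    records = [
        {"account": "12345678", "amount_pence": 5000, "type": "DR"},
        {"account": "23456789", "amount_pence": 7500, "type": "CR"},
        {"account": "34567890", "amount_pence": 2500, "type": "DR"},
    ]
    # 5000 + 7500 + 2500 = 15000; 12345678 + 23456789 + 34567890 = 70370357
    header = BatchHeader("B0001", "j.smith", 3, 15_000, 70_370_357)
    return header, records


if __name__ == "__main__":
    header, records = sample_batch()
    tampered = [dict(r) for r in records]
    tampered[0]["account"] = "12345687"  # two digits transposed at data entry
    for line in balance_batch(header, tampered, {"j.smith"}):
        print(line)
```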


    Management of IS operations

    Key functions are resource allocation, and standards and procedures.

    Also planning, authorising, monitoring, reviewing the operations functions as a whole to ensure consistency with overall business strategies and policies.

    Page 151


    Service Levels

    Normally defined using a SLA

    Typical tools used to monitor compliance with an SLA are:-

    Abnormal job termination reports

    Operator problem reports

    Output distribution reports

    Console logs

    Operator work schedules

    Help desk tracking databases.

    Page 151


    Scheduling

    This is:

    Defining jobs that can be run and the sequence of execution

    Maintenance functions should be performed at off peak time

    Jobs may be scheduled to run ad-hoc when system capacity is spare

    A key function in ensuring IS resources are optimally utilised.

    Page 153
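    The job scheduling software slide (job dependencies defined, all successes and failures recorded, reduced reliance on operators) and this scheduling slide describe the same mechanism; the added example below, which is not code from the course deck or from any scheduler product, orders a constructed batch job table by its dependencies, runs it, and records an outcome per job, skipping any job whose prerequisite did not succeed.

```python
"""Dependency-driven job scheduling with a run log, as on the scheduling slides.

Added example, not from the deck or any scheduler product: the job table, the
dependency graph and the job bodies are constructed for illustration.
"""
from __future__ import annotations

from collections import deque
from typing import Callable


def schedule_order(jobs: dict[str, list[str]]) -> list[str]:
    """Topological order of the dependency graph (Kahn's algorithm).

    jobs maps a job name to the jobs it depends on. Ties are broken by name so
    the run order is reproducible; a cycle or an undefined dependency raises.
    """
    indegree = {job: 0 for job in jobs}
    dependents: dict[str, list[str]] = {job: [] for job in jobs}
    for job, deps in jobs.items():
        for dep in deps:
            if dep not in jobs:
                raise ValueError(f"{job} depends on undefined job {dep}")
            indegree[job] += 1
            dependents[dep].append(job)
    ready = deque(sorted(job for job, n in indegree.items() if n == 0))
    order: list[str] = []
    while ready:
        job = ready.popleft()
        order.append(job)
        for nxt in sorted(dependents[job]):
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(jobs):
        raise ValueError("dependency cycle in job schedule")
    return order


def has_cycle(jobs: dict[str, list[str]]) -> bool:
    try:
        schedule_order(jobs)
        return False
    except ValueError:
        return True


def run_schedule(jobs: dict[str, list[str]],
                 bodies: dict[str, Callable[[], None]]) -> dict[str, str]:
    """Run jobs in dependency order and record SUCCESS / FAILED / SKIPPED for each.

    A job whose prerequisite did not succeed is skipped, not run, so a failed
    validation step cannot be followed by posting and reporting on bad data.
    """
    log: dict[str, str] = {}
    for job in schedule_order(jobs):
        if any(log.get(dep) != "SUCCESS" for dep in jobs[job]):
            log[job] = "SKIPPED"
            continue
        try:
            bodies[job]()
            log[job] = "SUCCESS"
        except Exception as exc:  # a failure must be recorded, not lost
            log[job] = f"FAILED: {exc}"
    return log


def sample_schedule() -> tuple[dict[str, list[str]], dict[str, Callable[[], None]]]:
    """Constructed nightly batch: the validate step is rigged to fail."""
    jobs = {
        "extract": [],
        "validate": ["extract"],
        "post_ledger": ["validate"],
        "print_reports": ["post_ledger"],
        "backup": ["extract"],
    }

    def fail_validate() -> None:
        raise RuntimeError("control totals do not agree")

    bodies = {name: (fail_validate if name == "validate" else (lambda: None)) for name in jobs}
    return jobs, bodies


if __name__ == "__main__":
    jobs, bodies = sample_schedule()
    for name, outcome in run_schedule(jobs, bodies).items():
        print(f"{name:14s} {outcome}")
```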


    Problem Management

    Key steps are:-

    Detection (knowing something has happened)

    Documentation (capturing all relevant details)

    Control (continuing with other tasks)

    Resolution (fixing the problem)

    Reporting (reporting the fix)

    (using and reviewing error logs is a key detection control)

    Should be some form of multi-level escalation procedures.

    Page 153


    Librarian Function

    Split between on-line and off-line storage

    Typically off line storage includes:-

    Tape vaults (in-house or 3rd party)

    Company safes

    Typical controls over off-line storage include:-

    Securing physical access

    Ensuring that library will withstand fire/heat for a minimum of 2 hrs

    Ensuring that library is separately located from the computer room

    Restricting logical access to key personnel only

    Maintaining a perpetual inventory (including transfer records)

    Having a written transfer/re-use policy.


    Quality assurance

    Ensure everyone participates in the use of standards, guidelines and procedures

    Maintain systems development methodology

    Make improvement recommendations in projects

    Establish a change control environment

    Define testing methodology

    Report issues to management.

    Page 155


    Help Desk and Technical Support

    Help desk is first level of support - key functions are:-

    Initiate/document problems that arise from users

    Escalate the issue if appropriate

    Follow up unresolved problems

    Close out problems once resolved

    Technical support tends to be second level - key functions are:-

    Obtaining detailed knowledge of the OS and in-house apps

    Answering specific technical enquiries

    Managing the installation of vendor/system changes

    Monitoring and maintaining system software

    Maintaining the company's telecommunications network.

    Page 155



    Auditing Infrastructure and Operations

    Pages 156 - 165, be familiar with these!

    Hardware reviews

    Operating system reviews

    Database reviews (new)

    LAN reviews

    NOC reviews

    IS operations reviews

    Data entry control

    Lights out operations

    Problem management reporting

    Hardware availability & utilisation

    Scheduling


    CISA Review Course

    UNIT 12

    CISA Chapter 3 Questions


    CISA Review Course

    UNIT 13

    Mini CISA Test

    (number 1)


    Instructions

    Take a question handout and answer sheet from the front, keeping the questions face down

    You will have 15 minutes to answer the questions, after which we'll hand out answer sheets

    On Your Marks, Get Set, GO !!!!


    Mini CISA Test - Number 1

    STOP !!!!

    Take an answer sheet and start marking

    Are there any questions you want to go over ?


    CISA Review Course

    And that's it for day one !!!!


    CISA Review Course

    Good morning !!!


    CISA Review Course

    Any questions

    about what we covered

    yesterday ???


    Course Structure - Day 2

    Unit 14 - Chapter 4 recap

    Unit 15 - CISA Chapter 4 questions

    Unit 16 - Chapter 5 recap

    Unit 17 - CISA Chapter 5 questions

    Unit 18 - Chapter 6 recap

    Unit 19 - Chapter 6 questions

    Unit 20 - Group Quiz - Jeopardy

    Unit 21 - Chapter 7 recap

    Unit 22 - CISA Chapter 7 questions

    Unit 23 - End of day mini CISA test


    CISA Review Course

    UNIT 14

    Chapter 4 Recap



    Key elements of IS Management

    Policies and procedures

    Organisation

    Document responsibilities for:

    Executive management

    Security committee

    Data owners

    Process Owners

    IT Developers

    Security specialists/ advisors

    Users

    IS Auditors

    Page 189


    Security Policies

    Key components include:-

    management support and commitment

    access philosophy (i.e. the ground rules)

    access authorisation (should be written)

    regular reviews of access

    security awareness (through training)

    compliance with legislation

    Should be enforced by a security administrator and overseen by a security committee (the former either full time or with other non-conflicting duties).

    Page 189


    Computer Crime Issues and Exposures

    Financial loss

    Legal repercussions (e.g. privacy, DPA etc.)

    Loss of credibility

    Loss of competitive edge

    Blackmail/industrial espionage

    Disclosure of sensitive/embarrassing information

    Sabotage.

    Page 194


    Technical Exposures

    Data diddling (change data before data entry)

    Trojan horse

    Rounding down

    Salami technique (similar to rounding down)

    Viruses

    Worms

    Logic bomb (e.g. year 2000)

    Trap doors

    Asynchronous attack (attack data waiting to be transmitted)

    Data leakage

    Wire-tapping

    Piggybacking (technical or otherwise)

    Denial of service

    Shut down of the computer (directly or indirectly)

    Page 196


    Logical Access Paths

    Several key ways logical access can be gained:-

    Operator console

    On-line terminals

    Batch job processing

    Dial-up ports

    Telecommunications network

    Typical perpetrators of violations include:-

    Hackers

    Employees (accidental or ignorant)

    IS Personnel

    Temporary staff

    Vendors and consultants

    Interested parties (the competition, crackers, phrackers etc.)

    Page 198, 195


    Logical security techniques

    Log-on ID and passwords - identification, accountability and

    authorisation

    Challenge-response techniques and one-time passwords

    Biometrics

    Logging computer access

    Terminal security

    Dial-back

    Remote access security

    Controls over BLP, systems exits, and privileged user ids

    Naming conventions.

    Page 201


    Controls Over Viruses

    Technical means include:-

    use workstations without floppy disks

    use remote booting

    use hardware-based passwords

    use write-protected tabs on floppy disks

    use boot virus protection

    Software tools include:-

    Scanners (signature and heuristic)

    Active monitors

    Integrity CRC checkers

    Behaviour blockers

    Immunisers

    Other non-direct controls include:-

    written policies and procedures

    system builds done from clean installation disks

    backups taken on a regular basis

    Page 214


    Audit techniques for logical access

    Be familiar with pages 217 - 223.


    Internet Threats and Security

    Passive Attacks

    Network analysis

    Eavesdropping

    Traffic analysis

    Page 228


    Internet Threats and Security

    Active Attacks

    Brute-force attacks

    Masquerading

    Packet replay

    Message modification

    Unauthorised access through the Internet

    Denial of service

    Dial-in penetration attacks

    E-mail bombing and spamming

    E-mail spoofing

    Page 228


    Data Encryption Points

    Two main types of cryptosystems:-

    Public/asymmetric (encryption key is widely known, but the different decryption key is kept secret)

    Private/symmetric (single encryption/decryption key kept

    secret, less processing power)

    Effectiveness depends on the number of bits in the key(s)

    Common cryptosystems are:-

    RSA (public)

    DES (private) - no longer considered strong.

    Page 231


    Firewall security

    Must enable organisations to:

    block access to particular sites

    prevent users from accessing certain servers or

    services

    monitor communications between internal/external

    networks

    eavesdrop and record all communications

    encrypt packets between physical locations

    Page 239


    Intrusion Detection (IDS)

    Identification of and response to inappropriate

    activities

    Detects attack patterns and issues alerts

    Two types:-

    - network based (identify all attack attempts)

    - host based (monitor internal resources)

    Page 243


    Environmental Controls

    Again consider the full range:-

    Raised floors and water detectors

    Hand-held fire extinguishers

    Manual fire alarms

    Smoke detectors

    Fire suppression systems (dry-pipe, water and Halon, FM-200)

    Fireproofing walls and ceiling

    Electrical surge protectors

    UPSs/generators

    Emergency power-off switches

    Power leads from two substations

    Regular inspection by Fire Department

    Strategically locating computer room

    Rules on the consumption of food/fluids

    Fire resistant office materials

    Documented and Tested Emergency Evacuation Plans

    Page 248


    Physical Controls

    Remember the full range, not just the obvious:-

    Door locks (bolting, electronic, cipher or biometric)

    Logging of entry (manual or electronic)

    Photo ids

    Video cameras

    Security guards

    Escorted visitor access

    Bonded maintenance personnel

    Deadman doors

    Not advertising location of sensitive facilities

    Computer terminal locks

    Single entry points

    Alarm systems

    Secured report/ document distribution carts

    Page 254


    CISA Review Course

    UNIT 15

    CISA Chapter 4 Questions


    CISA Review Course

    UNIT 16

    Chapter 5 Recap



Chapter 5 Overview

Disaster Recovery and Business Continuity

Business Continuity Planning

- Overall Planning Process/Stages

- Risk Evaluation

- Testing of Plans

IS Disaster Recovery

- Recovery alternatives

- Off-site facilities

Backup and Recovery

- Procedures

- Rotation of media


    Elements Of An Effective BCP Plan

    Senior management support

    User management involvement

User and data processing procedures, including those for:-

Emergency action

    Notification

    Disaster declaration

    Systems recovery

    Network recovery

    User recovery

    Salvage operations

    Relocation.


    Business Resumption Teams

    Emergency action team

    Damage assessment team

    Emergency management team

    Off-site storage team

    Software team

    Applications team

    Security team

    Emergency operations team

    Network recovery team

    Communications team

    Transportation/relocation team

    User hardware team

    Data preparation and records team

    Administrative support team

    Supplies team

    Salvage team


    Types of Insurance

    IS equipment and facilities

    Media (i.e. software) reconstruction

    Extra expense

    Business interruption

    Valuable papers and records

    Errors and omissions

    Fidelity coverage

    Media transportation (loss in transit).


    Hot/Cold Site Contract Terms

    Configurations

    Disaster definition

    Speed of availability

    Subscribers per site/area

    Reference/priority

    Insurance (especially employee)

    Usage period

    Communications

    Warranties

    Testing rights

    Reliability/penalties.


    Telecommunications Continuity

    Common forms of continuity include:-

    Redundancy of company equipment

    Alternative routing (usually 2)

    Diverse routing (usually 2 or more)

    Long haul network diversity

    Last mile circuit protection

    Voice recovery.


    Business Resumption Plan Testing

Should have the following test phases:-

Pre-test

Test

Post-test

The range of test types include:-

Paper tests (walkthrough with key players)

Preparedness tests (localised/partial version of full test)

Full operational test (the full monty)

Results should be analysed appropriately, with common measurements being:-

Time taken - amount of work performed

Number of records - accuracy of work.


    Considerations for Backups

    Frequency and retention per file

    Master files (synchronisation)

    Transaction files (to recreate master files)

    Real-time files (time stamping, duplicate logging)

    DBMS (integral feature)

    File descriptions

    Licenses

    Object and source code


    CISA Review Course

    UNIT 17

    CISA Chapter 5 Questions


Chapter 6 Overview

Business Application Systems Development

Project Management Practices

- SDLC

- Project Failure Risks

- Overall SDLC Project Controls

Business Application Development

- Requirements Definition

- Feasibility Studies

- Software Acquisition

- Detailed Design

- Programming

- Testing

- Implementation

- Post Implementation Review

- Tools and Productivity Aids

Maintenance Practices

- Authorisation Procedures

- System Documentation

- Test Procedures

- Change Approvals

- Program Migration

- Emergency Changes

- Source Code Integrity

- Coding Standards

- Source Code Comparison

- Library Control Software

Page 307

Key Players In Software Projects

Senior management

    User management

    Project steering committee

    Project sponsor

    Systems development management

    Project manager

    Systems development project team

    User project team

    Security officer

    Quality assurance

Systems auditor.

Page 312


    SDLC Phases and Risks

    Project should be divided up into phases such as:-

Feasibility study, requirements definition, software acquisition, integrated resource management systems (ERPs), detailed design, programming, testing, implementation, post implementation review

(see page 315 for a typical approach)

    Risks associated with poor management:-

    Does not meet business needs

    Overruns in time and money

    Not delivered at all.

    Page 314


    RFP contents

    Product functionality vs. actual requirements

    Customer references

    Vendor viability/financial stability

    Availability of complete and reliable documentation

    Vendor on-going support

    Source code availability

    Number of years product has been in existence

    List of recent or planned enhancements (with dates)

    Number of current client sites/client list

    Ability to allow acceptance testing at nominal cost.

    Page 317


    Testing

    Unit testing

    Interface testing

    System testing

    Alpha and beta testing

    Pilot testing

    Whitebox/ Blackbox

    Function/Validation testing

    Regression testing

    Parallel testing

    Sociability testing

    Page 324


    Development methodologies

    Data orientated system development

    Object oriented system development

    Component-based development

    Web-based Application Development

    Prototyping

    Rapid application development

    Agile Development

    Reengineering

    Reverse engineering

    Structured analysis.

    Page 328


    Prototyping (heuristic development)

Defined as creating systems through controlled trial and error

Main aim is reduced development time

Main emphasis is on screens and reports and hence is best suited for applications with little processing

    Two basic approaches:-

    Throw-away

    Evolutionary

    Quality is often an issue (especially with the latter).

    Page 331


    RAD

Technique aimed at producing applications in faster timescales

Uses a number of key techniques to achieve this:-

Small, well-trained development teams

Evolutionary prototyping

Integrated power development tools (nearly all GUI)

A central repository

Workshops

Rigid development time frames

Aim is to leverage automation and more powerful hardware to reduce human effort required.

    Page 332


    Change control

A key control is the formal authorisation of changes to the live system

(Both prior to being developed and also prior to migration)

However, there should also be some record of the changes, either manually or electronically

(This is especially important where there is poor segregation of duties)

The above applies equally to both operating system and application changes.

    Page 335

Controls

    Authorisation procedures - new projects, change control

    User approval before systems go live

    Continuous update of system documentation

    Program migration process

    Emergency changes

Configuration Management

    Library control software

    Source and executable control integrity

    Source code comparison

    Page 336

Library Control Software

    Common functions are:-

    Prohibit the updating of production code

    Prohibit the updating of production batch jobs

Require only an authorised individual to check out/release source code

Require only an authorised individual to migrate code into production

Allow read-only access to source code

Require that code being checked in meets coding standards

Provide a full audit trail of all the changes

Require programmers to enter details about the changes upon checking back in source code.

    Page 337
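As an added illustration (not code from the CISA manual or any real library control product), the functions listed above modelled in a few dozen lines of Python, together with the source code comparison control from the previous slide: production code can only change by migration, and a hash recorded at migration time lets a later comparison detect changes made outside the library. Roles, module names and the coding-standard stub are hypothetical.

```python
# Added example, not code from the CISA manual or any library control product:
# a minimal model of the functions listed above, with a source code comparison
# check that detects production changes made outside the library. All names
# (roles, modules, the coding-standard stub) are hypothetical.
import hashlib

LIBRARIAN, MIGRATOR, PROGRAMMER = "librarian", "migrator", "programmer"


def sha256(code):
    return hashlib.sha256(code.encode()).hexdigest()


def meets_coding_standard(code):
    # Stand-in for a real standards checker: header comment required, no tabs.
    return code.startswith("#") and "\t" not in code


class Library:
    def __init__(self, roles):
        self.roles = roles            # user -> role (constructed)
        self.source = {}              # development library: module -> code
        self.production = {}          # production library: module -> code
        self.baseline = {}            # module -> hash of the last migrated code
        self.checked_out = {}         # module -> programmer holding it
        self.audit = []               # full audit trail of every action

    def _log(self, user, action, module, detail=""):
        self.audit.append((user, action, module, detail))

    def read(self, user, module):
        # Read-only access to source for anyone; nothing is mutated here.
        self._log(user, "read", module)
        return self.source[module]

    def check_out(self, user, module, programmer):
        if self.roles.get(user) != LIBRARIAN:
            raise PermissionError("only the librarian may check out source")
        if module in self.checked_out:
            raise RuntimeError(f"{module} is already checked out")
        self.checked_out[module] = programmer
        self._log(user, "check_out", module, f"to {programmer}")

    def check_in(self, programmer, module, new_code, change_note):
        if self.checked_out.get(module) != programmer:
            raise PermissionError("no checkout held by this programmer")
        if not change_note.strip():
            raise ValueError("change details are mandatory on check-in")
        if not meets_coding_standard(new_code):
            raise ValueError("code fails the coding standard")
        self.source[module] = new_code
        del self.checked_out[module]
        self._log(programmer, "check_in", module, change_note)

    def migrate(self, user, module):
        # Production code is never edited in place; it only changes by migration.
        if self.roles.get(user) != MIGRATOR:
            raise PermissionError("only the migrator may release to production")
        if module in self.checked_out:
            raise RuntimeError(f"{module} is checked out; cannot migrate")
        self.production[module] = self.source[module]
        self.baseline[module] = sha256(self.source[module])
        self._log(user, "migrate", module, self.baseline[module])

    def compare_source(self):
        """Source code comparison: modules whose production code no longer
        matches the hash recorded when it was last migrated."""
        return sorted(m for m, code in self.production.items()
                      if sha256(code) != self.baseline.get(m))
```

The audit trail is what an auditor would reconcile against change requests; `compare_source()` is the detective control for anything that bypassed the trail.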


    Other Planning Points...

Project management methodologies

Critical path methodology

Program evaluation review technique

Plan before a project and control during it

As resources become free, allocate to most critical tasks

The PERT network diagram is a sequence of project activities

Optimistic, pessimistic and expected activity timescales are used with standard deviation techniques to facilitate planning.

    Estimation of timescales using:-

    Function points

    Lines of code models.

    Timebox Management

    Page 342, 340
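The PERT and critical path points above worked through in Python, as an added example that is not part of the original slides: each activity gets an expected time and standard deviation from its three estimates, a forward pass gives earliest start and finish, and the critical path is the chain of activities with no float. The five-activity network, its durations (days) and its dependencies are constructed for the example.

```python
# Added example, not from the CISA manual: PERT three-point estimates and the
# critical path through a small constructed network. Activity names, durations
# (in days) and dependencies are made up; the expected-time and standard
# deviation formulas are the standard PERT ones.

# name: (optimistic, most likely, pessimistic, predecessors)
ACTIVITIES = {
    "design":  (4, 6, 14, []),
    "build":   (8, 10, 18, ["design"]),
    "docs":    (2, 3, 10, ["design"]),
    "test":    (3, 5, 13, ["build"]),
    "release": (1, 2, 3, ["test", "docs"]),
}


def pert(optimistic, likely, pessimistic):
    """Expected time and standard deviation of one activity."""
    expected = (optimistic + 4 * likely + pessimistic) / 6
    return expected, (pessimistic - optimistic) / 6


def forward_pass(activities):
    """Earliest start and earliest finish of every activity, using expected times."""
    est, eft, pending = {}, {}, dict(activities)
    while pending:                      # the constructed network is acyclic
        for name, (o, m, p, preds) in list(pending.items()):
            if all(pr in eft for pr in preds):   # all predecessors scheduled
                est[name] = max((eft[pr] for pr in preds), default=0.0)
                eft[name] = est[name] + pert(o, m, p)[0]
                del pending[name]
    return est, eft


def critical_path(activities):
    """Activities with zero float, the expected project duration, and the
    standard deviation of that duration (root of the summed variances)."""
    est, eft = forward_pass(activities)
    end = max(eft, key=eft.get)
    path = [end]
    while True:
        preds = activities[path[-1]][3]
        # A predecessor is critical if it finishes exactly when its successor
        # must start; any other predecessor has float and can wait.
        tight = [pr for pr in preds if abs(eft[pr] - est[path[-1]]) < 1e-9]
        if not tight:
            break
        path.append(tight[0])
    path.reverse()
    variance = sum(pert(*activities[a][:3])[1] ** 2 for a in path)
    return path, eft[end], variance ** 0.5
```

The activities returned in the path are the "most critical tasks" of the slide: any slip in them moves the end date, whereas "docs" here has float and can absorb a delay.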


    System development tools and productivity aids

Code generators (generate their own code!)

    CASE

    4GLs

    Test generators

    Interactive debugging aids and code logic analysers.

    Page 344


CASE

Defined as the use of automated tools to aid the software development process

Generally divided up into 3 categories:-

Upper (business and application requirements)

Middle (detail designs)

Lower (generation of program code and db definitions)

Can be used across a range of platforms and are usually repository based

Can be an element of overlap with 4GLs (especially lower).

    Page 344


    4GLs

    Typical characteristics:-

    Non-procedural language (often event driven)

    Environmental independence (portability)

    Powerful software facilities

    Programmer workbench/toolsets concept

    Simple language subsets

    Often classified as follows:-

    Query and report generators

    Embedded/related database 4GLs

    Application generators.

    Page 345

    CISA Review Course


    UNIT 19

    CISA Chapter 6 Questions


    Chapter 7 Overview


Business Process Evaluation & Risk Management

Application Controls (Input/Output)

- data validation

- Integrity

Business Application Systems

- eCommerce

- EDI

- POS

- AI

- Data warehouse

IT Governance

Business Process Re-engineering

    Business Process Re-engineering


    Successful BPR results in:

    New business priorities

    Improved product, service, profitability

    New approach to organising and motivating people

    New approach to use of information

Refined roles for third parties (outsourcing, development, support)

    Redefined roles for clients and customers

    IT Governance


Encompasses IS, technology and communication, business, legal across all stakeholders

Governed by generally accepted good/best practice to ensure resources are used effectively and the risks are managed appropriately

Strategic alignment between IT and enterprise objectives


    Controls Over Processing


    Manual recalculations

    Run to run totals

    Reasonableness checks

    Limit checks

Exception reports

Control totals (such as file sizes)
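The processing controls on this slide applied to one batch step, as an added example that is not from the CISA manual: the batch is reconciled to its trailer (control totals), each record is passed through a limit check and a reasonableness check, failures go to an exception report, and the accepted records roll into run-to-run totals for the next run. The payment records, the limit and the trailer values are constructed.

```python
# Added example, not code from the CISA manual: one batch step applying the
# processing controls listed above (control totals, run-to-run totals, limit and
# reasonableness checks, exception reporting) to a constructed payment batch.
# Field names, thresholds and the sample records are all made up.
from collections import namedtuple

Txn = namedtuple("Txn", "ref account amount")

LIMIT = 50_000.00  # single-payment limit; anything above goes to the exception report

# Constructed input. CARRIED_FORWARD is the closing total of the previous run
# (run-to-run totals); TRAILER is the control record the sending system attached.
CARRIED_FORWARD = {"count": 1200, "value": 45_000.00}
BATCH = [
    Txn("T1", "ACC-01", 250.00),
    Txn("T2", "ACC-02", 99_999.00),   # breaches LIMIT
    Txn("T3", "ACC-03", -40.00),      # negative payment: fails reasonableness
    Txn("T4", "ACC-01", 1_200.00),
]
TRAILER = {"count": 4, "value": 101_409.00}


def control_totals(txns):
    """Record count and value total, as written to a batch trailer."""
    return {"count": len(txns), "value": round(sum(t.amount for t in txns), 2)}


def batch_balances(txns, trailer):
    """Control total check: what was received must equal what was sent."""
    return control_totals(txns) == trailer


def limit_check(t):
    return t.amount <= LIMIT


def reasonableness_check(t):
    # A payment run should never contain zero or negative amounts.
    return t.amount > 0


def process_batch(txns, trailer, carried_forward):
    """Returns (run-to-run totals after this run, exception report).

    The run-to-run totals are carried into the next run's header, so a batch
    lost or duplicated between runs shows up as a mismatch there."""
    exceptions = []
    if not batch_balances(txns, trailer):
        exceptions.append(("BATCH", "control totals differ from trailer",
                           control_totals(txns)))
    accepted = []
    for t in txns:
        if not limit_check(t):
            exceptions.append((t.ref, "exceeds limit", t.amount))
        elif not reasonableness_check(t):
            exceptions.append((t.ref, "unreasonable amount", t.amount))
        else:
            accepted.append(t)
    posted = control_totals(accepted)
    run_to_run = {"count": carried_forward["count"] + posted["count"],
                  "value": round(carried_forward["value"] + posted["value"], 2)}
    return run_to_run, exceptions
```

Note that the batch balances to its trailer even though two records are rejected: control totals prove completeness of transfer, not validity of content, which is why the per-record checks are still needed.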

    Controls Over Data Files


Before and after tracing of transactions

Retention of source documentation

    Versioning (i.e. data stamping)

    Internal labelling (i.e. electronic)

    External labelling (i.e. physical)

    Security controls (to ensure integrity)

    One for one checking (against other sources)

    Pre-recorded input (both manual & electronic)

    Parity checking (specifically for transfers).

    Application Risk Factors


    The quality of internal control environment

    Economic conditions

    Time elapsed since last audit

    Complexity of operations

    Changes in the underlying environment

    Recent staff changes in key positions

    Time in existence

    Competitive environment

    Assets at risk

    Prior audit results

    Transaction volume and value

    Regulatory impact

    Impact of application failure/sensitivity of transactions.

    Types of Audit Software Testing


    Test of file calculations (e.g. footing)

    Comparison of data

    Sequencing or summarising data

    Reporting data exceptions

    Use of custom programs to monitor specific transactions

    Use of system utilities to analyse underlying data

    Use of ITFs to process test data

    Test data generation

    Use of SCARF or EAM

    Parallel simulation

    Expert systems analysis.

    Procedures Based On CAATs


    Generation of test data

    Analytical review (mostly to test theories)

    Statistical sampling

    Range tests

    Exception processing.

    Business Application Systems


    eCommerce

    EDI

    POSs

    Integrated manufacturing systems (including ERP)

Batched data entry systems

EFT systems

    Office automation systems

    ATMs

    Co-operative processing systems

    Voice response systems (primarily for ordering)

    Accounting systems.

    e-Commerce


    B2B

    B2C

    Architectures

2-tier (server provides content, client handles display)

3-tier (database server, web server, web browser)

    Risk

    Confidentiality, Integrity & Availability

    Authentication and Non-Repudiation

    Power shift to customer

    EDI


In use for about 20 years, and gained popularity over the last 5 years

Now being potentially overshadowed by the Internet

Three main components are generally required:-

Communications handler (transmits & receives documents)

EDI interface (translates between EDI and app)

Application system (the in-house programs)

Hybrid nature means that EDI presents issues both in terms of security and application development

Should use a mixture of inbound, outbound and general controls.

    E-Mail and Digital Signatures


More recently an issue as users can now attach binary executables, and documents containing macro viruses

    Firewalls can be used to help guard against this threat

    Digital signatures can also be used

These work by adding a string of extra digits to the document being sent, and t