The CISA Course Presentation 2003 v2
TRANSCRIPT
-
8/3/2019 The CISA Course Presentation 2003 v2
1/207
Welcome to the 2003 CISA Exam
Revision Course
-
Introductions & Ice-Breaker
Your facilitators for this course are:-
Philip Culleton
Austin Dunn
-
CISA Review Course
UNIT 1
Course Overview
-
Course Objectives
To:-
Briefly recap some of the key information needed
Help you to draw on your underlying experience
Practice your exam technique
Be highly interactive and hopefully just a bit FUN !!!!
-
Format For Each Chapter
Start with an overview diagram of each chapter
Followed by a recap of key points/sections within that chapter
Finishing each chapter with CISA questions to reinforce the points recapped
There will be a few activities
Questions are welcome at anytime.
-
Course Structure - Day 1
Unit 1 - Course overview
Unit 2 - CISA overview
Unit 3 - Chapter 1 recap
Unit 4 - CISA chapter 1 questions
Unit 5 - Chapter 2 recap
Unit 6 - CISA chapter 2 questions
Unit 7 - CISA team crossword...
Unit 8 - Chapter 3 recap (part 1)
Unit 9 - Chapter 3 recap (part 2)
Unit 10 - Technology Pictionary...
Unit 11 - Chapter 3 recap (part 3)
Unit 12 - CISA chapter 3 questions
Unit 13 - End of day mini CISA test
-
Course Structure - Day 2
Unit 14 - Chapter 4 recap
Unit 15 - CISA Chapter 4 questions
Unit 16 - Chapter 5 recap
Unit 17 - CISA Chapter 5 questions
Unit 18 - Chapter 6 recap
Unit 19 - Chapter 6 questions
Unit 20 - Group Quiz - Jeopardy
Unit 21 - Chapter 7 recap
Unit 22 - CISA Chapter 7 questions
Unit 23 - End of day mini CISA test
-
Course Structure - Day 3
Unit 24 - Timed mock exam
Unit 25 - Marking and review
Unit 26 - Team Quiz
Unit 27 - General Q & A...
Unit 28 - Exam arrangements for Saturday
-
Course Structure - Day 4 & 5
Self Study
Self study days to be used as deemed fit.
But suggested that you:-
Concentrate on your weaker areas
Practice some more exam questions/technique.
-
CISA Review Course
UNIT 2
CISA Overview
-
The CISA Qualification
To obtain CISA qualification you need to:-
Adhere to the ISACA code of ethics.
Submit evidence of 5 years of professional work experience
(can substitute a degree for two years, or a year's non-audit IS experience for one year)
Pass the CISA exam.
Page 461
Please can you follow the review manual during the course.
-
CISA Exam Format
The exam format is:-
4 hours in length (can leave early)
200 questions
All multiple choice
Single stem, 4 options
Can be based on scenario, description, flowcharts, other diagrams or
tables.
Page 462
-
Marking/Passing The Exam.
After completing the exam:-
It will be computer marked
The raw score out of 200 will be algebraically converted to a score
between 25 and 100
An individual scoring 75 (scaled score) or above will have passed.
This process takes 10 weeks (including notification by post),
and remarking can be requested
Page 464
-
Key Knowledge Needed
Key information which you must know is:-
The technical content of the 7 chapters
The glossary of CISA terms
The standard CISA acronyms.
All of the above are contained within your CISA review
manual, which should be thought of as a set of checklists.
Page 462
-
The Seven CISA Chapters
Chapter 1 - The IS Audit Process (10%, 20 questions)
- professional standards
- code of professional ethics
- other laws and regulations
- performing an IS audit
Chapter 2 - Management Planning and Organization of IS (11%, 22 questions)
- strategies to achieve business objs.
- policies and procedures
- IS management practices
- organisational structures
Chapter 3 - Technical Infrastructure and Operational Practices (13%, 26 questions)
- hardware platforms
- software platforms
- telecommunications
- operations
Chapter 4 - Protection of Information Assets (25%, 50 questions)
- logical access controls
- physical access controls
- environment controls
Chapter 5 - Disaster Recovery and Business Continuity (10%, 20 questions)
- backup and recovery
- disaster recovery
- business continuity
Chapter 6 - Business Application System Development, Acquisition, Implementation & Maintenance (16%, 32 questions)
- SDLC
- Alternative methodologies
- IS maintenance practices
- Project management
Chapter 7 - Business Process Evaluation and Risk Management (15%, 30 questions)
- IT Governance
- Application controls
- Business Applications
-
CISA Review Course
UNIT 3
Chapter 1 Recap
-
Chapter 1 Overview - The IS Audit Process
ISACA General Standards For Auditing
- ISACA Professional Standards
- ISACA Statements
- ISACA Code Of Professional Ethics
Performing An IS Audit
- Risk Analysis
- Controls
- Audit Program Development
- Audit Resource Scheduling
- Evidence Gathering Techniques
- Evaluation of Evidence
- Audit Reports
- Management Actions
- Continuous Audit
- Control Self Assessment
COBIT Control Objectives
- Overview only
- Framework
- Control Objectives
Other Laws And Regulations
- General understanding only
- Regulatory requirements
- Government requirements
- Management's process
-
ISACA
Standards for Information Systems auditing
Information Systems auditing guidelines
Code of Professional ethics
Standards for Information Systems control professionals
Statements on Information Systems Auditing Standards
now replaced by the IS auditing guidelines.
-
Standards for Information Systems Auditing
010 Audit Charter
Responsibilities, authority and accountability
020 Independence
Professional and organisational
030 Professional ethics and standards
Code of professional ethics, due professional care
040 Competence
Skills and knowledge, continuing professional education
050 Audit Planning
060 Performance of audit work
Supervision and evidence
070 Reporting
080 Follow-up activities.
-
IS Auditing Guidelines
Audit charter
Audit documentation
Audit considerations for irregularities
Audit evidence requirements
Audit sampling
Corporate governance of information systems
Due professional care
Effect of involvement in the development, acquisition, implementation or
maintenance process on the IS auditor's independence.
-
IS Auditing Guidelines
Effect of pervasive IS controls
Materiality concepts for auditing information systems
Organisational relationship and independence
Outsourcing of IS activities to other organisations
Planning the IS audit
Report content and form
Use of CAATs
Use of risk assessment in audit planning
Using the work of other auditors and experts.
-
ISACA Code Of Professional Ethics
Support establishment of/compliance with, standards and procedures
Comply with ISACA auditing standards
Serve all major stakeholders in a loyal and honest manner
Maintain confidentiality
Be independent and objective
Maintain competency
Use due care
Inform appropriate parties of the results of the work
Support the education of management, clients and the general public
Maintain high standards of conduct and character.
-
Audit program phases
Set the audit subject and objective
Set the audit scope
Pre-audit planning
Audit procedures and steps for data gathering
Decide how the results will be evaluated
Prepare to communicate to management
Prepare the audit report.
-
Risk-based audit approach
Gather information and plan.
Understand the internal controls
Perform compliance tests
Perform substantive tests
Conclude the audit.
-
So what is audit risk?
Inherent risk
The risk of a material misstatement in the absence of related controls
Control risk
The risk of a material error which will not be prevented or detected by
controls
Detection risk
The risk that an IS auditor uses inadequate procedures and concludes
that no material errors exist when they do
Overall audit risk
The combination of the above for each control objective.
-
Audit Resource Management
Understand the capabilities and qualifications of individuals
Deal with common resource constraints
Use project management techniques to manage resources:-
develop a detailed resource schedule/plan
track actual against plan
take corrective action as appropriate
Consider training and on-going education
-
Evidence Gathering Techniques
Review of organisational structure
Review of systems and IS procedures documentation
Interviewing
Observation
Sampling, specifically:-
statistical vs. non-statistical (judgemental)
attribute vs. variable
key terminology - confidence coefficient, precision, expected error rate, sample mean, sample standard deviation and population standard deviation
Use of CAATs, including:-
test data generators
integrated test facilities
expert systems
specialised audit software (ACL)
system utilities
SCARF
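As an added example, not from the slides or the review manual, the sampling terms above worked through in Python: sizing an attribute sample from the confidence coefficient, precision and expected error rate, evaluating a compliance test, and projecting a variable sample from its mean and standard deviation. The normal-approximation formulas, the change records and the invoice values are assumptions constructed for the example.

```python
"""Attribute and variable sampling helpers for an IS audit test of controls.

Added example, not from the course slides or the CISA review manual.
The slides list the terms (confidence coefficient, precision, expected
error rate, sample mean, sample standard deviation, population standard
deviation); the normal-approximation formulas and the sample data below
are assumptions made for this example.
"""
import math
from statistics import mean, stdev

# z values for common confidence coefficients (standard normal table).
Z_TWO_SIDED = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}
Z_ONE_SIDED = {0.90: 1.282, 0.95: 1.645, 0.99: 2.326}


def attribute_sample_size(confidence, precision, expected_error_rate):
    """Sample size for an attribute (compliance) test.

    n = z^2 * p * (1 - p) / E^2, rounded up, where p is the expected
    error (deviation) rate and E the required precision, both as
    proportions. A higher expected error rate or a tighter precision
    means more items must be examined.
    """
    z = Z_TWO_SIDED[confidence]
    p = expected_error_rate
    return math.ceil(z * z * p * (1 - p) / (precision * precision))


def evaluate_attribute_sample(results, confidence, tolerable_rate):
    """Evaluate a compliance test over the sampled items.

    Each result is True when the control operated for that item (here:
    the program change carried a documented approval) and False when it
    did not. Returns (observed_rate, upper_error_limit, can_rely): the
    auditor may rely on the control only if the upper error limit (the
    observed rate plus a one-sided z times its standard error) does not
    exceed the tolerable deviation rate.
    """
    n = len(results)
    deviations = sum(1 for operated in results if not operated)
    rate = deviations / n
    std_err = math.sqrt(rate * (1 - rate) / n)
    upper_limit = rate + Z_ONE_SIDED[confidence] * std_err
    return rate, upper_limit, upper_limit <= tolerable_rate


def variable_sample_estimate(values, population_size, confidence):
    """Mean-per-unit estimate for a variable (substantive) test.

    The sample mean is projected over the population; the sample
    standard deviation stands in for the unknown population standard
    deviation to give the achieved precision of that projection.
    Returns (sample_mean, sample_std_dev, projected_total, precision).
    """
    n = len(values)
    m, s = mean(values), stdev(values)
    projected_total = m * population_size
    precision = Z_TWO_SIDED[confidence] * s / math.sqrt(n) * population_size
    return m, s, projected_total, precision


# Constructed sample data (not real audit evidence): 40 program change
# records, two of which (CHG-020 and CHG-040) lack an approval.
CHANGE_RECORDS = [
    {"change_id": f"CHG-{i:03d}", "approved": i % 20 != 0} for i in range(1, 41)
]
# Constructed sample of eight invoice values drawn from a population of 1000.
INVOICE_SAMPLE = [120.0, 135.0, 128.0, 142.0, 131.0, 126.0, 139.0, 133.0]


def run_example():
    """Size, evaluate and project using the constructed data."""
    planned_n = attribute_sample_size(0.95, 0.05, 0.05)
    rate, upper, can_rely = evaluate_attribute_sample(
        [r["approved"] for r in CHANGE_RECORDS], 0.95, tolerable_rate=0.10
    )
    m, s, total, prec = variable_sample_estimate(INVOICE_SAMPLE, 1000, 0.95)
    return {
        "planned_sample_size": planned_n,
        "observed_rate": rate,
        "upper_error_limit": upper,
        "can_rely_on_control": can_rely,
        "sample_mean": m,
        "sample_std_dev": s,
        "projected_total": total,
        "achieved_precision": prec,
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

With two unapproved changes in 40 the observed deviation rate is 5%, but the 95% upper error limit is about 10.7%, above the 10% tolerable rate, so this sample does not support reliance on the approval control.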
-
Evaluation Of Evidence
Factors to consider:-
compensating and overlapping controls
interrelationship (i.e. dependency) of controls
sufficient, reliable and relevant
impact of any weaknesses (including materiality)
-
Continuous Audit Approaches
Defined as monitoring of controls on an on-going basis
Significant use of technology to achieve this
Five key types of continuous techniques:-
Embedded Audit Modules (EAM) and Systems Control Audit Review File (SCARF)
Snapshots
Audit hooks
Integrated Test Facilities (ITF)
Continuous and Intermittent Simulation (CIS).
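An added example, not from the slides, modelling three of the techniques just listed in Python: an embedded audit module that writes selected transactions to a SCARF file, an audit hook that alerts the auditor as the transaction is processed, and snapshots of the data before and after posting. The selection criteria, the ledger and the transaction stream are assumptions constructed for the example.

```python
"""Embedded audit module with a SCARF file, an audit hook and snapshots.

Added example, not from the course slides: a small in-process model of
three continuous audit techniques (EAM writing to a Systems Control
Audit Review File, audit hooks and snapshots). The selection criteria,
the ledger and the transaction data are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Transaction:
    txn_id: str
    user: str
    amount: float
    approved_by: Optional[str]  # None when no approval was recorded


@dataclass
class Scarf:
    """SCARF: transactions selected by the EAM, kept for later auditor review."""
    records: List[dict] = field(default_factory=list)

    def write(self, txn: Transaction, reason: str) -> None:
        self.records.append({"txn_id": txn.txn_id, "user": txn.user,
                             "amount": txn.amount, "reason": reason})


class EmbeddedAuditModule:
    """Audit code embedded in the application's own transaction path.

    Every transaction is inspected as it is processed; those meeting the
    selection criteria are written to the SCARF file, and the optional
    audit hook raises an immediate alert for the auditor.
    """

    def __init__(self, scarf: Scarf, amount_threshold: float,
                 audit_hook: Optional[Callable[[Transaction, List[str]], None]] = None):
        self.scarf = scarf
        self.amount_threshold = amount_threshold
        self.audit_hook = audit_hook

    def inspect(self, txn: Transaction) -> List[str]:
        reasons = []
        if txn.amount > self.amount_threshold:
            reasons.append("amount above threshold")
        if txn.approved_by is None:
            reasons.append("no approval recorded")
        elif txn.approved_by == txn.user:
            reasons.append("self-approved")
        for reason in reasons:
            self.scarf.write(txn, reason)
        if reasons and self.audit_hook is not None:
            self.audit_hook(txn, reasons)
        return reasons


class Ledger:
    """Minimal application: posts transactions and takes snapshots."""

    def __init__(self, eam: EmbeddedAuditModule):
        self.balance = 0.0
        self.eam = eam
        self.snapshots: List[dict] = []  # before/after image per transaction

    def post(self, txn: Transaction) -> None:
        before = self.balance
        self.eam.inspect(txn)  # the EAM runs inside the processing path
        self.balance += txn.amount
        # Snapshot: capture the data at a defined point in the transaction flow
        self.snapshots.append({"txn_id": txn.txn_id, "before": before,
                               "after": self.balance})


# Constructed transaction stream (not real data).
TRANSACTIONS = [
    Transaction("T1", "alice", 500.0, "bob"),
    Transaction("T2", "alice", 25000.0, "bob"),
    Transaction("T3", "carol", 800.0, None),
    Transaction("T4", "dave", 12000.0, "dave"),
]


def run_example(threshold: float = 10000.0):
    """Process the stream; return the SCARF records, hook alerts and snapshots."""
    alerts: List[str] = []
    scarf = Scarf()
    eam = EmbeddedAuditModule(scarf, threshold,
                              audit_hook=lambda t, r: alerts.append(t.txn_id))
    ledger = Ledger(eam)
    for txn in TRANSACTIONS:
        ledger.post(txn)
    return scarf.records, alerts, ledger.snapshots


if __name__ == "__main__":
    records, alerts, snaps = run_example()
    for rec in records:
        print(rec)
    print("hook alerts:", alerts)
```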
-
CISA Review Course
UNIT 4
CISA Chapter 1 Questions
-
CISA Review Course
UNIT 5
Chapter 2 Recap
-
Chapter 2 Overview - Management Planning and Organization of IS
Information Systems Strategies
- Strategic Planning
- IS Planning/Steering Committees
- User Pay Schemes
Organisational Structures
- Management Structures
- Line Management
- Project Management
- Job Descriptions/Charts
- Segregation of Duties
- Compensating Controls
- IPF Duties
- Sources of Evidence
Policies and Procedures
- Hiring
- Promotion
- Termination
- Job Rotation
- Vacations
- Outsourcing
IS Management Practices
- Training/Cross Training
- Scheduling and Time Reporting
- Employee Handbook
- Assessing Effectiveness of IS
- Quality Standards
- BPR
-
Strategic IS Planning
Four key activities are:-
Long term organisational planning
Long term IS planning
Short term IS planning
On-going review of IS plans.
Key point is to tie IS objectives to business objectives
-
Steering Committees
Key functions include:
Review of short and long range IS plans
Review and approval of major hardware and software acquisitions
Approval and monitoring of major projects
Review of IS budgets and expenditure
Review of adequacy of resources
Decide on centralisation and decentralisation
-
Written Policies And Procedures
Should:-
Be reviewed and updated regularly
Cover all the important areas including:-
Hiring of staff (e.g. background checks)
Promotion (e.g. ensure fairness/objectivity)
Termination (e.g. immediate vs voluntary)
Job rotation (e.g. as a means of fraud prevention)
Required vacation (e.g. also as a means of reducing fraud)
Employee handbook (e.g. includes emergency procedures,
security compliance)
Employee performance and evaluations (e.g. agreed goals/objectives)
-
Outsourcing
There are three key areas to consider:-
Advantages:-
- greater IS expertise
- potential cost savings
- faster implementation of systems
Disadvantages:-
- increased cost
- loss of control
- vendor failure
Audit/security concerns:-
- audit rights
- integrity, confidentiality and availability
- loss of control to vendor
- performance management
-
Management Principles
People management
Management of change
Focus on good processes
Security
Handling 3rd parties
-
Measuring Efficiency/Effectiveness
IS effectiveness and efficiency can be measured by using:-
IS Budgets
User satisfaction surveys
Industry standards/benchmarking
Goal accomplishment
Comparison with ISO 9000 quality standards
Capability maturity model (p. 76)
-
Quality Management Standards
There are several areas to understand:-
Range of standards:-
- ISO 9000 - choosing a standard
- ISO 9001 - service companies
- ISO 9002 - production companies
- ISO 9003 - inspection companies
- ISO 9004 - general quality guidelines
- ISO 9126 - quality of end product
Key quality elements:-
- Management sponsorship/responsibility
- Use of a quality system
- Internal quality audits
- Corrective preventative action (feedback).
-
Software Quality Management
ISO 9126 provides six guidelines for evaluating the
quality of software:-
Functionality
Reliability
Usability
Efficiency
Maintainability
Portability.
-
Organisational Structure Points 1
Typical CISA data processing management consists of:-
IS director
Systems Development Manager
End-User Support Manager
Data management
Database administrator
Technical Support Manager
Security Administrator
Quality Assurance Manager
Operations Manager
Network Manager/Administrator
Should segregate/separate key classes of duties:-
Transaction authorisation
Reconciliation/review
Custody of assets.
-
Organisational Structure Points 2
Key CISA functional areas found in IS environments:-
Data entry
Data librarian
The control group
Operations
Security administration
Quality assurance
Database administration
Systems analysis
Application programming
Systems programming
LAN administration (and WAN where appropriate)
Help desk.
-
Segregation of duties between IPF and the Business
Segregation of duties can be enforced through:-
Transaction authorisation
Reconciliation
Custody of assets
Access to data
Separation of duties within the IPF itself.
Be familiar with the table on page 85!
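An added example, not from the slides or the review manual, showing how the duty classes above can be checked against users' role assignments in Python, and how a compensating control of the kind the next slide lists is credited only when someone other than the conflicted user performs it. The conflict pairs, roles, users and controls are constructed for the example and are not the table on page 85.

```python
"""Segregation-of-duties check with compensating controls.

Added example, not from the course slides. The duty classes and the
compensating control types are those named on the slides; the conflict
pairs, roles, users and controls below are constructed for the example
and are not the table on page 85 of the review manual.
"""
from itertools import combinations

AUTHORISE = "transaction authorisation"
CUSTODY = "custody of assets"
RECONCILE = "reconciliation/review"
ACCESS = "access to data"

# Constructed conflict matrix: duty pairs one person should not hold.
CONFLICTING_PAIRS = {
    frozenset({AUTHORISE, CUSTODY}),
    frozenset({AUTHORISE, RECONCILE}),
    frozenset({CUSTODY, RECONCILE}),
    frozenset({ACCESS, CUSTODY}),
}

# Constructed role-to-duty mapping.
ROLE_DUTIES = {
    "approver": {AUTHORISE},
    "cashier": {CUSTODY},
    "reconciler": {RECONCILE},
    "dba": {ACCESS},
}

# Compensating controls the slides list for poor segregation of duties.
COMPENSATING_TYPES = {"audit trail", "transaction log", "reconciliation",
                      "independent review"}


def duties_for(roles):
    """Union of the duties granted by a user's roles."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES[role]
    return duties


def find_conflicts(roles):
    """Return the conflicting duty pairs a user holds through their roles."""
    held = duties_for(roles)
    return [pair for pair in map(frozenset, combinations(sorted(held), 2))
            if pair in CONFLICTING_PAIRS]


def is_effective(control, user):
    """A compensating control counts only if it is a recognised type and
    is performed by someone other than the user it compensates for."""
    return (control["type"] in COMPENSATING_TYPES
            and control["performed_by"] != user)


def sod_report(assignments, compensating):
    """Assess each user's role set and return one finding per conflict.

    assignments: {user: [roles]}; compensating: {user: [controls]} where
    each control is {"type": ..., "performed_by": ...}.
    """
    findings = []
    for user, roles in assignments.items():
        controls = [c for c in compensating.get(user, []) if is_effective(c, user)]
        for pair in find_conflicts(roles):
            findings.append({
                "user": user,
                "conflict": " + ".join(sorted(pair)),
                "compensated_by": [c["type"] for c in controls],
                "status": "mitigated" if controls else "unmitigated",
            })
    return findings


# Constructed assignments and compensating controls (not real data).
# dave's reconciliation is performed by dave himself, so it is no control.
ASSIGNMENTS = {
    "alice": ["approver", "cashier"],
    "bob": ["reconciler"],
    "carol": ["dba", "cashier"],
    "dave": ["approver", "reconciler"],
}
COMPENSATING = {
    "alice": [{"type": "independent review", "performed_by": "bob"}],
    "dave": [{"type": "reconciliation", "performed_by": "dave"}],
}


if __name__ == "__main__":
    for finding in sod_report(ASSIGNMENTS, COMPENSATING):
        print(finding)
```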
-
Compensating Controls
To address poor segregation of duties, consider:-
Audit trails (traces the actions taken)
Transaction logs (traces the transaction)
Reconciliations
Independent review.
-
Sources Of Organisational Evidence
Information technology strategies
Plans and budgets
Security policies
Organisational/functional charts
Steering committee reports/minutes
Personnel job descriptions
System development and program change procedures
Operations procedures
Personnel policy manuals
Authorising forms and documents.
-
CISA Review Course
UNIT 6
CISA Chapter 2 Questions
-
CISA Review Course
UNIT 7
CISA Team Crossword
-
Instructions And Rationale
Split into teams of 3
Work together to complete the
crossword based on key CISA terms
(exercise is designed to raise awareness
of key CISA exam terminology)
-
Review Of Terms
Are there any terms which are not really clear ???
Most terms are technology related and knowing these is a key
requirement for passing this exam.
-
CISA Review Course
UNIT 8
Chapter 3 Recap
(part 1)
-
Chapter 3 Overview - Technical Infrastructure and Operational Practices
Information Systems Hardware Platforms
- Technology Architecture
- Capacity Management
- System Monitoring
- Preventative Maintenance
- Hardware Acquisition Plan
Information Systems Software Platform
- Technology Architecture
- Software Selection Process
- Implementation and Change Control Procedures
- Configuration Parameters
Information Systems Network & Telecoms
- Terminology
- Architectures
- Standards and Protocols
- Transmission Media
- WANs and LANs
- Client/Server
- Performance Monitoring
- Communication Controls
- Data Encryption
- Internet
- Viruses
Information Systems Operational Practices
- Management of Operations
- Operations Practices
- Controlling Input/Output
- Lights Out Operations
- Scheduling
- Monitoring Use of Resources
- Problem Management
- Program Change Control
- Librarian Function
- Quality Assurance
- Service Levels
- Technical Support
- Physical Security
Auditing Infrastructure and Operations
Page 101
-
Hardware Architectures
Three main classes:-
Large (e.g. mainframe)
Medium (e.g. mini-computer)
Small (e.g. microcomputer/PC)
(e.g. Notebook/ laptop)
(e.g. PDA)
Main distinguishing features are:-
Addressable memory capacity
Amount of on-line storage
Number of users supported simultaneously.
(although boundaries are now blurring.)
Page 105
-
Hardware Acquisition Plans
Requirement documents (or ITTs) should cover:-
Description of intended use (e.g. centralised/decentralised)
Data processing requirements (including projected workloads)
Specific hardware requirements (e.g. peripherals to support)
System software requirements (e.g. operating systems)
Support requirements (including training and backup)
Adaptability requirements (including upgrade paths)
Constraints (e.g. due dates and cost)
Conversion requirements (e.g. migrating existing apps.)
The need to consider all these areas depends partly on the
type of hardware being purchased.
Page 106
-
Key Acquisition Steps
Review of brochures and visits to other user sites
Provision for competitive bidding
Analysis of bids against product selection criteria
Comparison of bids against each other
Analysis of vendor financial condition (often overlooked)
Analysis of on-going maintenance and support
Review of delivery schedules against requirements
Hardware/software upgrade/compatibility check
Analysis of security and control issues (inc. physical)
Review of all contract terms by a lawyer (right to audit)
Production of formal recommendation detailing decision.
Page 107
-
Capacity Management
Factors to consider when planning hardware support for future
expansion:-
Existing CPU utilisation
Computer storage utilisation
Telecommunications and wide area network traffic
Terminal and I/O channel utilisation
Number of users
New technologies due to be implemented
New applications due to be implemented
Existing and future service level agreements.
Page 109
-
CISA Review Course
UNIT 9
Chapter 3 Recap
(part 2)
-
System Software Components
Operating systems
Access controls software
Data communications software
Database management systems (DBMS)
Program library management systems
Tape and disk management systems
Online programming facilities (integrated development environment)
Network management software
Job scheduling software
Utility programs
Page 110
-
Operating Systems
Key features are:
It brings together the users, applications software and the
systems
Manages computer resources and processing
Often includes facilities to assist in operating the computer
and development of applications.
Page 110
-
Access Control Software (not in manual)
Key functions of such software are:-
Recording logon ids and passwords, and authenticating users
Restricting access to specific terminals
Restricting access to specific predetermined times
Enforcing other rules for access such as terminal time-outs
Ensuring individual accountability and auditability
Logging events and user activities
Generating exception reports
Doing all of the above at the operating system, database, and
application program levels.
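An added example, not from the slides, of four of the functions just listed in Python: restricting logons to specific terminals and predetermined times, enforcing an idle time-out, logging every event for accountability and producing an exception report from that log. The user rules, the date and the event sequence are assumptions constructed for the example.

```python
"""Logon rule evaluation, idle time-out and exception reporting.

Added example, not from the course slides: a model of four access
control software functions (terminal restriction, time-of-day
restriction, idle time-out, event logging with an exception report).
The rules, users and event stream are constructed for the example.
"""
from datetime import datetime, time, timedelta
from typing import Dict, List, Tuple

# Constructed per-user rules: permitted terminals and permitted hours.
RULES = {
    "alice": {"terminals": {"T01", "T02"}, "window": (time(8, 0), time(18, 0))},
    "bob": {"terminals": {"T10"}, "window": (time(0, 0), time(23, 59))},
}
IDLE_TIMEOUT = timedelta(minutes=15)


class AccessControl:
    def __init__(self, rules, idle_timeout):
        self.rules = rules
        self.idle_timeout = idle_timeout
        self.log: List[dict] = []  # every event, for individual accountability
        self.sessions: Dict[str, Tuple[str, datetime]] = {}  # user -> (terminal, last activity)

    def _record(self, event, user, terminal, at, outcome, reason=""):
        self.log.append({"event": event, "user": user, "terminal": terminal,
                         "time": at.isoformat(), "outcome": outcome, "reason": reason})

    def logon(self, user, terminal, at):
        """Apply the terminal and time-of-day rules; log the decision."""
        rule = self.rules.get(user)
        if rule is None:
            reason = "unknown logon id"
        elif terminal not in rule["terminals"]:
            reason = "terminal not permitted"
        elif not (rule["window"][0] <= at.time() <= rule["window"][1]):
            reason = "outside permitted hours"
        else:
            reason = ""
        self._record("logon", user, terminal, at, "denied" if reason else "allowed", reason)
        if not reason:
            self.sessions[user] = (terminal, at)
        return not reason, reason

    def activity(self, user, at):
        """Record user activity and refresh the session's last-activity time."""
        if user in self.sessions:
            terminal, _ = self.sessions[user]
            self.sessions[user] = (terminal, at)
            self._record("activity", user, terminal, at, "allowed")

    def enforce_idle_timeout(self, now):
        """Terminate sessions idle for longer than the time-out; return them."""
        expired = [u for u, (_, last) in self.sessions.items()
                   if now - last > self.idle_timeout]
        for user in expired:
            terminal, _ = self.sessions.pop(user)
            self._record("timeout", user, terminal, now, "terminated", "idle time-out")
        return expired

    def exception_report(self):
        """Everything in the log that was not a normal allowed event."""
        return [e for e in self.log if e["outcome"] != "allowed"]


def run_example():
    """Replay a constructed day of events; return the system and expired sessions."""
    ac = AccessControl(RULES, IDLE_TIMEOUT)
    day = datetime(2003, 6, 14)  # constructed date
    ac.logon("alice", "T01", day.replace(hour=9, minute=0))   # allowed
    ac.activity("alice", day.replace(hour=9, minute=2))
    ac.logon("alice", "T05", day.replace(hour=9, minute=5))   # wrong terminal
    ac.logon("guest", "T01", day.replace(hour=9, minute=10))  # unknown id
    ac.logon("bob", "T10", day.replace(hour=9, minute=20))    # allowed
    expired = ac.enforce_idle_timeout(day.replace(hour=9, minute=30))
    ac.logon("alice", "T02", day.replace(hour=21, minute=0))  # outside hours
    return ac, expired


if __name__ == "__main__":
    system, timed_out = run_example()
    for entry in system.exception_report():
        print(entry)
    print("timed out:", timed_out)
```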
-
Data Communications Software
Common transmission codes:-
5 bit CCITT (p 123)
ASCII
IBM EBCDIC (8 bit)
Data communication systems have three components:
Transmitter (source)
Transmission path (channel or line)
Receiver (sink)
Common applications:-
EFT
Office information systems
Customer/supplier links such as EDI
Electronic messaging (including the Internet).
Page 113
-
DBMS
Systems software that organises, controls and uses data.
Use data dictionaries
Structured in one of three ways:-
Hierarchical
Network
Relational
Each structure has a number of advantages and disadvantages, with relational generally being the structure
of choice for most applications.
Page 114
-
Program library management systems
Some PLMS capabilities are:
Integrity - Source programs are assigned modification
and version numbers
Update - creating automated backups and maintaining
an audit trail
Reporting - listing additions, deletions, modifications for
management and auditor reviews
Interface - with the operating system, job
scheduling, access control and online
program management systems
Page 118
-
Tape and disk management systems
Specialised software to track tape and disk inventories.
Contain dataset names, location, creation date, retention
period, expiry date etc
A number of systems work with robotic units
Page 119
-
Online programming facilities (not in manual)
Facilities to assist programmers to code and compile
programs.
The trend towards programming facilities based on PCs increases risks, e.g. version control,
unauthorised access and over-writing of valid programs.
-
Network management software
Has functions to control and maintain the network.
Watches line status, active terminals, length of message
queues, error rates and overall traffic
Alerts operator of problems before they affect network
reliability
-
Job scheduling software
From daily work schedules, this software determines which
jobs are to be processed.
Various advantages:
Job setup only performed once
Job dependencies defined
Records all job successes and failures
Reduces reliance on operators.
Page 119
-
Utility programs
Systems software which performs maintenance or
specialised functions frequently required during operations.
Can be related to:
Understanding application systems e.g. flow charter
Assessing data quality e.g. dump
Testing programs e.g. online debugging facilitators
Assisting in program development e.g. code generator
Improving operational efficiency e.g. monitors.
Page 119
-
System Software-related Acquisition
Business, functional and technical needs and specification
Cost/ benefit
Obsolescence
Compatibility with existing systems
Security
Demands on existing staff
Training and hiring requirements
Future growth needs
Impact on system performance and the network
Page 120
-
Other system software considerations
Change control and implementation of patches
Software licensing
Page 120
-
-
Telecoms Terminology/Devices
Terminals (teletype, RJE etc.)
Modems
Multiplexors/concentrators
Switching types:- Line/circuit
Message
Packet
Front end communication processors
Cluster controllers
Protocol converters
Spools and buffers.
Page 122, 140
-
78/207
Network components
Repeaters
Hubs
Bridges
Switches
Routers
Brouters
Gateways
Multiplexors
Page 130
-
79/207
Transmission Media
Twisted pair
Coaxial
Fiber optic
Radio
Microwave
Satellite
Wireless
Bluetooth
Page 132
-
80/207
Networking
Architectures:-
Bus (all nodes attached to one cable)
Ring (nodes formed in a circle)
Star (all nodes linked to a central hub)
Completely connected (mesh) (direct link between every pair of nodes)
The 7 layer OSI model was created to give interoperability between manufacturers' products - the layers are:-
Application layer (validation and transaction security)
Presentation layer (format, encryption and transformation)
Session layer (start, manage and stop sessions)
Transport layer (flow control and end to end error recovery)
Network layer (packet management, routing and switching)
Data link layer (node to node control and error handling)
Physical layer (transmission of bits)
Page 124, 136
-
81/207
LAN Selection Criteria
Some relevant considerations are:
What are the applications?
What is the bandwidth requirement?
What is the budget?
What are the remote management needs?
-
82/207
The Internet
Consists of a worldwide network exchanging information using common protocols such as TCP and IP
Provides a range of services including:-
World Wide Web (supported by HTML and HTTP)
FTP (anonymous or otherwise)
RealAudio (currently there is no firm standard for video)
Key Internet control issues are:-
Transaction security (such as SSL)
Entry security (such as firewalls)
Viruses (macro, Java or browser based).
Page 126
-
83/207
Other Internet Non-Web-based Services and Terminology
ISP
Network access point (NAP)
Internet link
Remote Terminal Control Protocol (TELNET)
Domain name service (DNS)
Direct connection
Internet appliance
Online services
File Transfer Protocol (FTP)
Simple Mail Transfer Protocol (SMTP)
Simple network management protocol (SNMP)
Page 128
-
84/207
Client/Server Points
Allows data and business logic to be distributed to where it best suits the application
Typically this means data on the server(s) and application logic on the client
(it is important to understand 2 and 3-tier architectures)
Considerations when implementing include:
Memory/CPU (fat v thin clients)
Scalability (easier in 3-tier)
Application servers
Page 145
-
85/207
Middleware
Commonly used for:
Transaction processing (TP) monitors
Remote procedure calls (RPC)
Object request broker (ORB) technology
Messaging servers
Page 146
-
86/207
Middleware
Middleware is the client/server glue that holds this type of application together
It is located physically on both the client and the server and it facilitates network connection and communication
Key risks are:-
Provides another avenue of access to control
Multiple versions of software may get out of sync
Key controls are:-
Network security controls (such as passwords & encryption)
Change control procedures (such as versioning & tracking).
-
87/207
Telecommunications Monitoring Procedures
Latency - the delay a message/packet experiences between two destinations
Throughput - the quantity of work per unit of time
ISO has defined 5 network management tasks (FCAPS):
Fault management
Configuration management
Accounting management
Performance management
Security management
Page 147
-
88/207
CISA Review Course
UNIT 10
Technology Pictionary
-
89/207
Instructions
Come to the front and each take one of the 12 technology lists
Each person then gets 90 seconds to draw as
many of the technology items on the list as
possible whilst the others call them out
The items can be tackled in any order although
no written words are allowed, and no talking !!!
Points for getting them right, plus points for guessing correctly
-
90/207
CISA Review Course
UNIT 11
Chapter 3 Recap
(part 3)
-
91/207
The Seven CISA Chapters
Chapter 1 - The IS Audit Process (10%, 20 questions)
- professional standards
- code of professional ethics
- other laws and regulations
- performing an IS audit
Chapter 2 - Management, Planning and Organization of IS (11%, 22 questions)
- strategies to achieve business objectives
- policies and procedures
- IS management practices
- organisational structures
Chapter 3 - Technical Infrastructure and Operational Practices (13%, 26 questions)
- hardware platforms
- software platforms
- telecommunications
- operations
Chapter 4 - Protection of Information Assets (25%, 50 questions)
- logical access controls
- physical access controls
- environment controls
Chapter 5 - Disaster Recovery and Business Continuity (10%, 20 questions)
- backup and recovery
- disaster recovery
- business continuity
Chapter 6 - Business Application System Development, Acquisition, Implementation & Maintenance (16%, 32 questions)
- SDLC
- alternative methodologies
- IS maintenance practices
- project management
Chapter 7 - Business Process Evaluation and Risk Management (15%, 30 questions)
- IT governance
- application controls
- business applications
(percentages are the exam weighting; question counts are out of 200)
-
92/207
Chapter 3 Overview
Page 101
-
93/207
IS operations
Management of IS operations
Computer operations
Technical support/helpdesk
Scheduling
Controlling input/output of data
Quality assurance
Program change control
Librarian function
Problem management procedures
Procedures for monitoring efficient and effective use of resources
Management of physical and environmental security.
Page 149
-
94/207
Computer operations
Key operator tasks include:-
Running and monitoring jobs
Restarting applications after abnormal termination
Facilitating backing up of data
Observing the IPF (information processing facility) for unauthorised entry
Mounting tapes
Monitoring adherence to job schedules
Participating in disaster recovery tests.
(Note more and more of these tasks are becoming automated over time).
Page 149
-
95/207
Lights Out Operations
Typical tasks that would be automated are:-
Job scheduling
Console operation
Report balancing and distribution
Re-run/re-start activities
Tape mounting and management
Environment monitoring
Key advantages are:-
Cost reduction (less expensive staff)
Continuous operations (24-7)
Reduced error rate (no humans involved !!!)
Page 149
-
96/207
Controls Over Input & Output
Input controls:-
Batch header forms
Authorisation of input (electronically or manually)
Batch balancing
Data validation
Output controls:-
Report distribution procedures
Access control over print spools and output.
Page 150
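Batch balancing in code, as an added example that is not part of the course slides: the batch header carries a record count, a financial total and a hash total of the account numbers, and the check reconciles the detail records actually received against all three before the batch is accepted. The header layout, the six-digit account format and the sample records are constructed for this illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List


@dataclass(frozen=True)
class BatchHeader:
    """Control totals written on the batch header form by the preparing department."""
    batch_id: str
    record_count: int          # how many detail records the preparer counted
    financial_total: Decimal   # sum of the amount field
    hash_total: int            # sum of the account numbers: meaningless as a number,
                               # but it changes if a record is dropped, added or mis-keyed


@dataclass(frozen=True)
class Record:
    account: int
    amount: Decimal


def balance_batch(header: BatchHeader, records: List[Record]) -> List[str]:
    """Return the list of exceptions; an empty list means the batch balances."""
    exceptions = []
    if len(records) != header.record_count:
        exceptions.append(f"record count {len(records)} != header {header.record_count}")
    financial = sum((r.amount for r in records), Decimal("0"))
    if financial != header.financial_total:
        exceptions.append(f"financial total {financial} != header {header.financial_total}")
    hash_total = sum(r.account for r in records)
    if hash_total != header.hash_total:
        exceptions.append(f"hash total {hash_total} != header {header.hash_total}")
    # Field-level data validation on each record (assumed six-digit account format).
    for i, r in enumerate(records, start=1):
        if r.amount <= 0:
            exceptions.append(f"record {i}: non-positive amount {r.amount}")
        if not 100000 <= r.account <= 999999:
            exceptions.append(f"record {i}: account {r.account} fails format check")
    return exceptions


# Constructed sample batch: three payments totalling 600.00.
HEADER = BatchHeader("B-0417", 3, Decimal("600.00"), 100012 + 200034 + 300056)
RECORDS = [
    Record(100012, Decimal("150.00")),
    Record(200034, Decimal("250.00")),
    Record(300056, Decimal("200.00")),
]
# Same batch with the second account number transposed on entry (200034 -> 200043):
# record count and financial total still agree, only the hash total catches it.
TRANSPOSED = [RECORDS[0], Record(200043, Decimal("250.00")), RECORDS[2]]
# Same batch with the last record dropped.
DROPPED = RECORDS[:2]

if __name__ == "__main__":
    for name, recs in (("good", RECORDS), ("transposed", TRANSPOSED), ("dropped", DROPPED)):
        print(name, balance_batch(HEADER, recs) or "balances")
```

A transposed account number leaves the record count and the financial total intact, which is exactly why the otherwise meaningless hash total is on the header form.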
-
97/207
Management of IS operations
Key functions are resource allocation, and standards and
procedures.
Also planning, authorising, monitoring and reviewing the operations functions as a whole to ensure consistency with overall business strategies and policies.
Page 151
-
98/207
Service Levels
Normally defined using an SLA
Typical tools used to monitor compliance with an SLA are:-
Abnormal job termination reports
Operator problem reports
Output distribution reports
Console logs
Operator work schedules
Help desk tracking databases.
Page 151
-
99/207
Scheduling
This is:
Defining jobs that can be run and the sequence of
execution
Maintenance functions should be performed at off peak
time
Jobs may be scheduled to run ad-hoc when system
capacity is spare
A key function in ensuring IS resources are optimally
utilised.
Page 153
-
100/207
Problem Management
Key steps are:-
Detection (knowing something has happened)
Documentation (capturing all relevant details)
Control (continuing with other tasks)
Resolution (fixing the problem)
Reporting (reporting the fix)
(using and reviewing error logs is a key detection control)
Should be some form of multi-level escalation procedures.
Page 153
-
101/207
Librarian Function
Split between on and off line
Typically off line storage includes:-
Tape vaults (in-house or 3rd party)
Company safes
Typical controls over off-line storage include:-
Securing physical access
Ensuring that library will withstand fire/heat for a minimum of 2 hrs
Ensuring that library is separately located from the computer room
Restricting logical access to key personnel only
Maintaining a perpetual inventory (including transfer records)
Having a written transfer/re-use policy.
-
102/207
Quality assurance
Ensure everyone follows the standards, guidelines and procedures
Maintain systems development methodology
Make improvement recommendations in projects
Establish a change control environment
Define testing methodology
Report issues to management.
Page 155
-
103/207
Help Desk and Technical Support
Help desk is first level of support - key functions are:-
Initiate/document problems that arise from users
Escalate the issue if appropriate
Follow up unresolved problems
Close out problems once resolved
Technical support tends to be second level - key functions
are:-
Obtaining detailed knowledge of the OS and in-house apps
Answering specific technical enquiries
Managing the installation of vendor/system changes
Monitoring and maintaining system software
Maintaining the company's telecommunications network.
Page 155
-
104/207
Chapter 3 Overview
Page 101
-
105/207
Auditing Infrastructure and Operations
Pages 156 - 165, be familiar with these!
Hardware reviews
Operating system reviews
Database reviews (new)
LAN reviews
NOC reviews
IS operations reviews
Data entry control
Lights out operations
Problem management reporting
Hardware availability & utilisation
Scheduling
-
107/207
CISA Review Course
UNIT 12
CISA Chapter 3 Questions
-
108/207
CISA Review Course
UNIT 13
Mini CISA Test
(number 1)
-
109/207
Instructions
Take a question handout and answer sheet from the front,
keeping the questions face down
You will have 15 minutes to answer the questions, after which we'll hand out answer sheets
On Your Marks, Get Set, GO !!!!
-
110/207
Mini CISA Test - Number 1
STOP !!!!
Take an answer sheet and start marking
Are there any questions you want to go over ?
-
111/207
CISA Review Course
And that's it for day one !!!!
-
112/207
CISA Review Course
Good morning !!!
-
113/207
CISA Review Course
Any questions
about what we covered
yesterday ???
-
114/207
Course Structure - Day 2
Unit 14 - Chapter 4 recap
Unit 15 - CISA Chapter 4 questions
Unit 16 - Chapter 5 recap
Unit 17 - CISA Chapter 5 questions
Unit 18 - Chapter 6 recap
Unit 19 - Chapter 6 questions
Unit 20 - Group Quiz - Jeopardy
Unit 21 - Chapter 7 recap
Unit 22 - CISA Chapter 7 questions
Unit 23 - End of day mini CISA test
-
115/207
CISA Review Course
UNIT 14
Chapter 4 Recap
-
116/207
The Seven CISA Chapters.
-
118/207
Key elements of IS Management
Policies and procedures
Organisation
Document responsibilities for:
Executive management
Security committee
Data owners
Process Owners
IT Developers
Security specialists/ advisors
Users
IS Auditors
Page 189
-
119/207
Security Policies
Key components include:-
management support and commitment
access philosophy (i.e. the ground rules)
access authorisation (should be written)
regular reviews of access
security awareness (through training)
compliance with legislation
Should be enforced by a security administrator and overseen by a security committee
(The former either full time or with other non-conflicting duties).
Page 189
-
120/207
Computer Crime Issues and Exposures
Financial loss
Legal repercussions (e.g. privacy, DPA etc.)
Loss of credibility
Loss of competitive edge
Blackmail/industrial espionage
Disclosure of sensitive/embarrassing information
Sabotage.
Page 194
-
121/207
Technical Exposures
Data diddling (changing data before or during data entry)
Trojan horse
Rounding down
Salami technique (similar to rounding down)
Viruses
Worms
Logic bomb (e.g. triggered on a date such as year 2000)
Trap doors
Asynchronous attack (attacking data while it is queued, waiting to be processed or transmitted)
Data leakage
Wire-tapping
Piggybacking (technical or otherwise)
Denial of service
Shut down of the computer (directly or indirectly)
Page 196
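Rounding down and the salami technique, shown as an added example rather than as course material: the fraud truncates each interest posting instead of rounding it and sweeps the shaved fractions of a cent into an account the perpetrator controls. The audit control recomputes every posting independently from the source balances. The balances, the rate and the sweep account name are constructed.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN
from typing import Dict, List

CENT = Decimal("0.01")
RATE = Decimal("0.06")  # 6% per annum, credited monthly

# Constructed deposit balances for the month-end interest run.
BALANCES = {
    "ACC-1": Decimal("1234.56"),
    "ACC-2": Decimal("2345.67"),
    "ACC-3": Decimal("3456.78"),
    "ACC-4": Decimal("4567.89"),
}


def expected_interest(balance: Decimal, annual_rate: Decimal) -> Decimal:
    """Policy: one month's interest, rounded half-even to the cent."""
    return (balance * annual_rate / 12).quantize(CENT, rounding=ROUND_HALF_EVEN)


def salami_run(balances: Dict[str, Decimal], annual_rate: Decimal) -> Dict[str, Decimal]:
    """The fraud: truncate each posting instead of rounding and sweep the shaved
    fractions of a cent into an account the perpetrator controls (assumed name)."""
    postings, shaved = {}, Decimal("0")
    for acct, bal in balances.items():
        exact = bal * annual_rate / 12
        postings[acct] = exact.quantize(CENT, rounding=ROUND_DOWN)
        shaved += exact - postings[acct]
    postings["SWEEP-9999"] = shaved.quantize(CENT, rounding=ROUND_DOWN)
    return postings


def reconcile(balances: Dict[str, Decimal], annual_rate: Decimal,
              postings: Dict[str, Decimal]) -> List[str]:
    """Audit control: recompute every posting independently, then check the batch total.
    The per-account recomputation is what catches salami slicing; the batch total alone
    can balance to the cent because the shaved fractions come back in via the sweep."""
    findings, expected_total = [], Decimal("0")
    for acct, bal in balances.items():
        exp = expected_interest(bal, annual_rate)
        expected_total += exp
        if postings.get(acct) != exp:
            findings.append(f"{acct}: posted {postings.get(acct)} expected {exp}")
    for acct in sorted(set(postings) - set(balances)):
        findings.append(f"{acct}: {postings[acct]} posted to an account with no balance record")
    posted_total = sum(postings.values(), Decimal("0"))
    if posted_total != expected_total:
        findings.append(f"batch total {posted_total} != expected {expected_total}")
    return findings


if __name__ == "__main__":
    for f in reconcile(BALANCES, RATE, salami_run(BALANCES, RATE)):
        print(f)
```

In this constructed run the batch total balances to the cent, because the shaved fractions re-enter through the sweep account; only the independent per-account recomputation and the check for postings to accounts with no balance record expose the scheme.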
-
122/207
Logical Access Paths
Several key ways logical access can be gained:-
Operator console
On-line terminals
Batch job processing
Dial-up ports
Telecommunications network
Typical perpetrators of violations include:-
Hackers
Employees (accidental or ignorant)
IS personnel
Temporary staff
Vendors and consultants
Interested parties (the competition, crackers, phreakers etc.)
Page 198, 195
-
123/207
Logical security techniques
Log-on ID and passwords - identification, accountability and authorisation
Challenge-response techniques and one-time passwords
Biometrics
Logging computer access
Terminal security
Dial-back
Remote access security
Controls over BLP (bypass label processing), system exits, and privileged user ids
Naming conventions.
Page 201
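One-time passwords and challenge-response, as an added example that is not from the review manual: `hotp` implements RFC 4226 (HMAC-SHA-1 over an event counter, dynamically truncated), `HotpVerifier` is the server side that never accepts a counter value twice, and `respond`/`check_response` are a generic HMAC challenge-response exchange. The test secret is the one published in RFC 4226's appendix; the verifier's look-ahead window and the challenge-response protocol are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server side of a one-time-password log-on. The accepted counter only moves
    forward, so a password captured on the wire cannot be replayed; a small
    look-ahead window tolerates a token that was pressed without logging on."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1      # move past the counter just used
                return True
        return False


def make_challenge() -> bytes:
    """Server picks a fresh unpredictable nonce for each log-on attempt."""
    return secrets.token_bytes(16)


def respond(secret: bytes, challenge: bytes) -> bytes:
    """Client proves it holds the shared secret without ever transmitting it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def check_response(secret: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(respond(secret, challenge), response)


if __name__ == "__main__":
    token_secret = b"12345678901234567890"      # RFC 4226 appendix test secret
    v = HotpVerifier(token_secret)
    first = hotp(token_secret, 0)
    print(first, v.verify(first), v.verify(first))  # second attempt is a replay
    ch = make_challenge()
    print(check_response(token_secret, ch, respond(token_secret, ch)))
```

The constant-time comparison and the forward-only counter are the two details that turn "a password that changes" into a control against replay; a verifier that accepts any counter, or compares with `==`, loses one or the other.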
-
124/207
Controls Over Viruses
Technical means include:-
use workstations without floppy disks
use remote booting
use hardware-based passwords
use write-protect tabs on floppy disks
use boot virus protection
Software tools include:-
Scanners (signature and heuristic)
Active monitors
Integrity/CRC checkers
Behaviour blockers
Immunisers
Other non-direct controls include:-
written policies and procedures
system builds done from clean installation disks
backups taken on a regular basis
Page 214
-
125/207
Audit techniques for logical access
Be familiar with pages 217 - 223.
-
126/207
Internet Threats and Security
Passive Attacks
Network analysis
Eavesdropping
Traffic analysis
Page 228
-
127/207
Internet Threats and Security
Active Attacks
Brute-force attacks
Masquerading
Packet replay
Message modification
Unauthorised access through the Internet
Denial of service
Dial-in penetration attacks
E-mail bombing and spamming
E-mail spoofing
Page 228
-
128/207
Data Encryption Points
Two main types of cryptosystems:-
Public/asymmetric (encryption key is widely known, but the different decryption key is kept secret)
Private/symmetric (single encryption/decryption key kept secret; needs less processing power)
Effectiveness depends on the number of bits in the key(s), and also on the algorithm and on key management: a long key does not rescue a weak algorithm or a leaked key
Common cryptosystems are:-
RSA (public)
DES (private) - 56-bit key, no longer considered strong.
Page 231
-
129/207
Firewall security
Must enable organisations to:
block access to particular sites
prevent users from accessing certain servers or
services
monitor communications between internal/external
networks
eavesdrop and record all communications
encrypt packets between physical locations
Page 239
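A minimal first-match packet filter, added as an example (not from the manual) to make the slide's policy points concrete: one rule blocks a site, one blocks a service, the rest allow named services, and anything unmatched falls through to a logged default deny. Addresses, ports and the rule set are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR the packet must come from
    dst: str               # CIDR the packet must go to
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None matches any port
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, log: List[str]) -> str:
    """Walk the rules top-down; the first match decides. Anything unmatched is
    denied and, like every decision, written to the log for monitoring."""
    flow = f"{pkt.src}->{pkt.dst}:{pkt.dport}/{pkt.proto}"
    for i, r in enumerate(rules):
        if matches(r, pkt):
            log.append(f"rule {i} {r.action} {flow} ({r.comment})")
            return r.action
    log.append(f"default deny {flow}")
    return "deny"


# Constructed policy for an internal network 10.0.0.0/8. Order matters: the
# site block sits above the general web allow, otherwise it would never fire.
RULES = [
    Rule("deny", "10.0.0.0/8", "203.0.113.0/24", "any", None, "blocked site"),
    Rule("deny", "10.0.0.0/8", "0.0.0.0/0", "tcp", 23, "no telnet out, cleartext"),
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443, "https out"),
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", 80, "http out"),
    Rule("allow", "0.0.0.0/0", "10.0.5.10/32", "tcp", 25, "inbound mail to the relay only"),
]

if __name__ == "__main__":
    log: List[str] = []
    for p in (Packet("10.1.2.3", "203.0.113.9", "tcp", 443),
              Packet("10.1.2.3", "198.51.100.5", "tcp", 23),
              Packet("10.1.2.3", "198.51.100.5", "tcp", 443),
              Packet("198.51.100.5", "10.0.5.10", "tcp", 25),
              Packet("198.51.100.5", "10.0.5.10", "tcp", 22)):
        evaluate(RULES, p, log)
    print("\n".join(log))
```

The first packet is denied although an https-out allow exists further down: rule order is policy, and reviewing it is part of the audit of a firewall.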
-
130/207
Intrusion Detection (IDS)
Identification of and response to inappropriate
activities
Detects attack patterns and issues alerts
Two types:-
- network based (monitors traffic on a segment for attack patterns; sees only what passes that segment)
- host based (monitors a system's own resources and logs)
Page 243
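Host-based detection of the brute-force attack listed under active attacks, as an added example that is not part of the course: a sliding window over authentication log lines raises one alert per source that exceeds a failure threshold, and a separate alert if that source later logs on successfully. The log format, the thresholds and the sample lines are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed log format: "<timestamp> auth <FAIL|OK> user=<name> src=<address>"
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """(timestamp, result, user, src), or None for a line in another format."""
    m = LINE.match(line)
    if not m:
        return None
    return (datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            m.group("result"), m.group("user"), m.group("src"))


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> List[Tuple]:
    """One 'bruteforce' alert per source that accumulates `threshold` failures
    inside `window`; a later successful log-on from an alerted source is raised
    separately, because that is the event worth waking someone for."""
    failures: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted = set()
    alerts: List[Tuple] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                      # unparseable line: skipped here, count them in production
        ts, result, user, src = ev
        if result == "FAIL":
            q = failures[src]
            q.append((ts, user))
            while q and ts - q[0][0] > window:
                q.popleft()               # drop failures that fell out of the window
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append(("bruteforce", src, len(q), sorted({u for _, u in q})))
        elif src in alerted:
            alerts.append(("success-after-bruteforce", src, user, ts.isoformat()))
    return alerts


# Constructed sample: one source guessing several accounts, one legitimate user.
SAMPLE_LOG = """\
2003-06-14 09:00:01 auth FAIL user=alice src=10.0.0.7
2003-06-14 09:00:03 auth FAIL user=alice src=10.0.0.7
2003-06-14 09:00:04 auth OK user=carol src=192.168.1.5
2003-06-14 09:00:05 auth FAIL user=bob src=10.0.0.7
2003-06-14 09:00:06 auth FAIL user=root src=10.0.0.7
2003-06-14 09:00:08 auth FAIL user=admin src=10.0.0.7
2003-06-14 09:00:09 auth FAIL user=dave src=192.168.1.5
2003-06-14 09:00:11 auth OK user=bob src=10.0.0.7
this line is in another format and is ignored
2003-06-14 09:10:00 auth FAIL user=dave src=192.168.1.5
""".splitlines()

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(a)
```

The second alert type is the one that matters operationally: five failures followed by a success from the same source is the signature of a guessed password, not of a forgotten one.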
-
131/207
Environmental Controls
Again consider the full range:-
Raised floors and water detectors
Hand-held fire extinguishers
Manual fire alarms
Smoke detectors
Fire suppression systems (dry-pipe, water and Halon, FM-200)
Fireproofing walls and ceiling
Electrical surge protectors
UPSs/generators
Emergency power-off switches
Power leads from two substations
Regular inspection by Fire Department
Strategically locating computer room
Rules on the consumption of food/fluids
Fire resistant office materials
Documented and Tested Emergency Evacuation Plans
Page 248
-
132/207
Physical Controls
Remember the full range, not just the obvious:-
Door locks (bolting, electronic, cipher or biometric)
Logging of entry (manual or electronic)
Photo ids
Video cameras
Security guards
Escorted visitor access
Bonded maintenance personnel
Deadman doors
Not advertising location of sensitive facilities
Computer terminal locks
Single entry points
Alarm systems
Secured report/ document distribution carts
Page 254
-
133/207
CISA Review Course
UNIT 15
CISA Chapter 4 Questions
-
134/207
CISA Review Course
UNIT 16
Chapter 5 Recap
The Seven CISA Chapters
-
135/207
The Seven CISA Chapters.
-
136/207
Chapter 5 Overview
Disaster Recovery and Business Continuity
Business Continuity Planning
- Overall Planning Process/Stages
- Risk Evaluation
- Testing of Plans
IS Disaster Recovery
- Recovery alternatives
- Off-site facilities
Backup and Recovery
- Procedures
- Rotation of media
-
137/207
Elements Of An Effective BCP Plan
Senior management support
User management involvement
User and data processing procedures, including those for:-
Emergency action
Notification
Disaster declaration
Systems recovery
Network recovery
User recovery
Salvage operations
Relocation.
-
138/207
Business Resumption Teams
Emergency action team
Damage assessment team
Emergency management team
Off-site storage team
Software team
Applications team
Security team
Emergency operations team
Network recovery team
Communications team
Transportation/relocation team
User hardware team
Data preparation and records team
Administrative support team
Supplies team
Salvage team
-
139/207
Types of Insurance
IS equipment and facilities
Media (i.e. software) reconstruction
Extra expense
Business interruption
Valuable papers and records
Errors and omissions
Fidelity coverage
Media transportation (loss in transit).
-
141/207
Hot/Cold Site Contract Terms
Configurations
Disaster definition
Speed of availability
Subscribers per site/area
Reference/priority
Insurance (especially employee)
Usage period
Communications
Warranties
Testing rights
Reliability/penalties.
-
142/207
Telecommunications Continuity
Common forms of continuity include:-
Redundancy of company equipment
Alternative routing (usually 2)
Diverse routing (usually 2 or more)
Long haul network diversity
Last mile circuit protection
Voice recovery.
-
143/207
Business Resumption Plan Testing
Should have the following test phases:-
Pre-test
Test
Post-test
The range of test types include:-
Paper tests (walkthrough with key players)
Preparedness tests (localised/partial version of full test)
Full operational test (the full monty)
Results should be analysed appropriately with common measurements being:-
Time taken
Amount of work performed
Number of records processed
Accuracy of work.
-
144/207
Considerations for Backups
Frequency and retention per file
Master files (synchronisation)
Transaction files (to recreate master files)
Real-time files (time stamping, duplicate logging)
DBMS (integral feature)
File descriptions
Licenses
Object and source code
-
145/207
CISA Review Course
UNIT 17
CISA Chapter 5 Questions
-
146/207
The Seven CISA Chapters.
-
148/207
Chapter 6 Overview
Business Application Systems Development, Acquisition, Implementation and Maintenance
Business Application Development
- Requirements Definition
- Feasibility Studies
- Software Acquisition
- Detailed Design
- Programming
- Testing
- Implementation
- Post Implementation Review
- Tools and Productivity Aids
Maintenance Practices
- Authorisation Procedures
- System Documentation
- Test Procedures
- Change Approvals
- Program Migration
- Emergency Changes
- Source Code Integrity
- Coding Standards
- Source Code Comparison
- Library Control Software
Project Management Practices
- SDLC
- Project Failure Risks
- Overall SDLC Project Controls
Page 307
-
149/207
Key Players In Software Projects
Senior management
User management
Project steering committee
Project sponsor
Systems development management
Project manager
Systems development project team
User project team
Security officer
Quality assurance
Systems auditor.
Page 312
-
150/207
SDLC Phases and Risks
Project should be divided up into phases such as:-
Feasibility study, requirements definition, software acquisition (including integrated resource management systems/ERPs), detailed design, programming, testing, implementation, post implementation review
(see page 315 for a typical approach)
Risks associated with poor management:-
Does not meet business needs
Overruns in time and money
Not delivered at all.
Page 314
-
151/207
RFP contents
Product functionality vs. actual requirements
Customer references
Vendor viability/financial stability
Availability of complete and reliable documentation
Vendor on-going support
Source code availability
Number of years product has been in existence
List of recent or planned enhancements (with dates)
Number of current client sites/client list
Ability to allow acceptance testing at nominal cost.
Page 317
-
152/207
Testing
Unit testing
Interface testing
System testing
Alpha and beta testing
Pilot testing
Whitebox/ Blackbox
Function/Validation testing
Regression testing
Parallel testing
Sociability testing
Page 324
-
153/207
Development methodologies
Data oriented system development
Object oriented system development
Component-based development
Web-based Application Development
Prototyping
Rapid application development
Agile Development
Reengineering
Reverse engineering
Structured analysis.
Page 328
-
154/207
Prototyping (heuristic development)
Defined as creating systems through controlled trial and error
Main aim is reduced development time
Main emphasis is on screens and reports and hence is
best suited for applications with little processing
Two basic approaches:-
Throw-away
Evolutionary
Quality is often an issue (especially with the latter).
Page 331
-
155/207
RAD
Technique aimed at producing applications in faster timescales
Uses a number of key techniques to achieve this:-
Small, well-trained development teams
Evolutionary prototyping
Integrated power development tools (nearly all GUI)
A central repository
Workshops
Rigid development time frames
Aim is to leverage automation and more powerful
hardware to reduce human effort required.
Page 332
-
156/207
Change control
A key control is the formal authorisation of changes to the
live system
(Both prior to being developed and also prior to migration)
However, there should also be some record of the
changes, either manually or electronically
(This is especially important where there is poor segregation of duties)
The above applies equally to both operating system and
application changes.
Page 335
-
157/207
Controls
Authorisation procedures - new projects, change control
User approval before systems go live
Continuous update of system documentation
Program migration process
Emergency changes
Configuration management
Library control software
Source and executable control integrity
Source code comparison
Page 336
-
158/207
Library Control Software
Common functions are:-
Prohibit the updating of production code
Prohibit the updating of production batch jobs
Require only an authorised individual to check out/release source
code
Require only an authorised individual to migrate code into production
Allow read-only access to source code
Require that code being checked in meets coding standards
Provide a full audit trail of all the changes
Require programmers to enter details about the changes upon
checking back in source code.
Page 337
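Source code comparison as a change-control audit test, added as an example that is not course material: the approved source is diffed against the copy in the production library, and any production version that neither matches the approved source nor carries a fingerprint recorded on an approved change record is reported. Module names, source text and change records are constructed.

```python
import difflib
import hashlib
from typing import Dict, List, Set


def fingerprint(source: str) -> str:
    """SHA-256 of the source text; the value recorded on an approved change record."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def compare_sources(approved: str, production: str) -> List[str]:
    """Unified diff of approved versus production source (empty when identical)."""
    return list(difflib.unified_diff(approved.splitlines(), production.splitlines(),
                                     fromfile="approved", tofile="production", lineterm=""))


def audit_library(approved_lib: Dict[str, str], production_lib: Dict[str, str],
                  change_records: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """For every module, accept production only if it equals the approved source or
    its fingerprint appears on an approved change record; otherwise report the
    difference, a module missing from production, or one present without approval."""
    findings: Dict[str, List[str]] = {}
    for module in sorted(set(approved_lib) | set(production_lib)):
        prod = production_lib.get(module)
        if prod is None:
            findings[module] = ["missing from production"]
        elif module not in approved_lib:
            findings[module] = ["in production with no approved source"]
        elif prod != approved_lib[module] and fingerprint(prod) not in change_records.get(module, set()):
            findings[module] = compare_sources(approved_lib[module], prod)
    return findings


# Constructed libraries: the approved (development/QA) copies and what is live.
APPROVED = {
    "payroll": "def gross(hours, rate):\n    return hours * rate\n",
    "ledger": "def post(entry):\n    return entry\n",
}
PRODUCTION = {
    # Unauthorised change: a hard-coded employee id gets ten times the rate.
    "payroll": ("def gross(hours, rate, emp_id=None):\n"
                "    if emp_id == 'E999':\n"
                "        rate = rate * 10\n"
                "    return hours * rate\n"),
    # Emergency fix that was approved after the fact and recorded.
    "ledger": "def post(entry):\n    # HOTFIX-17\n    return entry\n",
    # Nobody approved this module at all.
    "rogue_util": "import os\n",
}
CHANGE_RECORDS = {"ledger": {fingerprint(PRODUCTION["ledger"])}}

if __name__ == "__main__":
    for module, lines in audit_library(APPROVED, PRODUCTION, CHANGE_RECORDS).items():
        print(module)
        print("\n".join(lines))
```

The emergency change to `ledger` passes because its fingerprint was recorded afterwards, which is how emergency changes should be closed out; the payroll change and the unapproved module are the findings.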
-
159/207
Other Planning Points...
Project management methodologies
Critical path methodology
Program evaluation review technique (PERT)
Plan before a project and control during it
As resources become free, allocate them to the most critical tasks
The PERT network diagram is a sequence of project activities
Optimistic, pessimistic and expected activity timescales are used with standard deviation techniques to facilitate planning.
Estimation of timescales using:-
Function points
Lines of code models.
Timebox Management
Page 342, 340
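An added worked example, not from the course material: PERT three-point estimates with their standard deviations, combined with a critical path pass (forward and backward) over a small constructed network of activities. Activity names, durations and dependencies are constructed, the code assumes a single critical path, and the finishing-date probability uses PERT's usual normal approximation.

```python
"""Added example (not from the course slides): PERT three-point estimates combined with
a critical path pass over a small constructed activity network. Activity names,
durations and dependencies are constructed; this assumes a single critical path."""
import math
from dataclasses import dataclass


@dataclass
class Activity:
    name: str
    optimistic: float
    most_likely: float
    pessimistic: float
    predecessors: tuple = ()

    @property
    def expected(self):
        """PERT expected duration: (O + 4M + P) / 6."""
        return (self.optimistic + 4 * self.most_likely + self.pessimistic) / 6

    @property
    def std_dev(self):
        """PERT standard deviation of the activity: (P - O) / 6."""
        return (self.pessimistic - self.optimistic) / 6


# Constructed network (durations in days).
PROJECT = [
    Activity("A", 2, 4, 6),
    Activity("B", 3, 5, 13, ("A",)),
    Activity("C", 1, 2, 3, ("A",)),
    Activity("D", 2, 3, 10, ("B", "C")),
    Activity("E", 1, 1, 1, ("D",)),
]


def topological_order(acts):
    """Order activities so every predecessor comes before its successors."""
    order, done = [], set()

    def visit(activity):
        if activity.name in done:
            return
        for pred in activity.predecessors:
            visit(acts[pred])
        done.add(activity.name)
        order.append(activity)

    for activity in acts.values():
        visit(activity)
    return order


def critical_path(activities):
    """Forward/backward pass on expected durations; returns (critical activities,
    expected project duration, standard deviation of the critical path)."""
    acts = {a.name: a for a in activities}
    order = topological_order(acts)
    successors = {name: [] for name in acts}
    for a in activities:
        for pred in a.predecessors:
            successors[pred].append(a.name)
    earliest_start, earliest_finish = {}, {}
    for a in order:                               # forward pass
        earliest_start[a.name] = max((earliest_finish[p] for p in a.predecessors), default=0.0)
        earliest_finish[a.name] = earliest_start[a.name] + a.expected
    duration = max(earliest_finish.values())
    latest_start, latest_finish = {}, {}
    for a in reversed(order):                     # backward pass
        latest_finish[a.name] = min((latest_start[s] for s in successors[a.name]), default=duration)
        latest_start[a.name] = latest_finish[a.name] - a.expected
    # Zero slack = critical; resources freed elsewhere go to these tasks first.
    critical = [a.name for a in order if abs(latest_start[a.name] - earliest_start[a.name]) < 1e-9]
    variance = sum(acts[name].std_dev ** 2 for name in critical)
    return critical, duration, math.sqrt(variance)


def probability_of_finishing_by(target, duration, std_dev):
    """PERT treats the project duration as normal with these parameters."""
    if std_dev == 0:
        return 1.0 if target >= duration else 0.0
    z = (target - duration) / std_dev
    return 0.5 * (1 + math.erf(z / math.sqrt(2)))


if __name__ == "__main__":
    path, days, sd = critical_path(PROJECT)
    print("critical path:", " -> ".join(path), f"({days:.1f} days, sd {sd:.2f})")
    print("P(finish within 17 days) =", round(probability_of_finishing_by(17, days, sd), 3))
```

For the constructed network the critical path is A, B, D, E with an expected 15 days; the standard deviation of the path comes from adding the variances of the critical activities, not their standard deviations, which is the part people most often get wrong.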
-
160/207
System development tools and productivity aids
Code generators (generate their own code!)
CASE
4GLs
Test generators
Interactive debugging aids and code logic analysers.
Page 344
-
161/207
CASE
Defined as the use of automated tools to aid the software development process
Generally divided up into 3 categories:-
Upper (business and application requirements)
Middle (detail designs)
Lower (generation of program code and db
definitions)
Can be used across a range of platforms and are usually
repository based
There can be an element of overlap with 4GLs (especially at the lower level).
Page 344
-
162/207
4GLs
Typical characteristics:-
Non-procedural language (often event driven)
Environmental independence (portability)
Powerful software facilities
Programmer workbench/toolsets concept
Simple language subsets
Often classified as follows:-
Query and report generators
Embedded/related database 4GLs
Application generators.
Page 345
-
163/207
CISA Review Course
UNIT 19
CISA Chapter 6 Questions
-
164/207
-
165/207
-
166/207
The Seven CISA Chapters
Chapter 1 - The IS Audit Process
- professional standards
- code of professional ethics
- other laws and regulations
- performing an IS audit
Chapter 2 - Management Planning and Organization of IS
- strategies to achieve business objectives
- policies and procedures
- IS management practices
- organisational structures
Chapter 3 - Technical Infrastructure and Operational Practices
- hardware platforms
- software platforms
- telecommunications
- operations
Chapter 4 - Protection of Information Assets
- logical access controls
- physical access controls
- environment controls
Chapter 5 - Disaster Recovery and Business Continuity
- backup and recovery
- disaster recovery
- business continuity
Chapter 6 - Business Application System Development, Acquisition, Implementation & Maintenance
- SDLC
- alternative methodologies
- IS maintenance practices
- project management
Chapter 7 - Business Process Evaluation and Risk Management
- IT Governance
- application controls
- business applications
Exam weightings and question counts shown on the diagram: (15%) 30 questions, (16%) 32 questions, (10%) 20 questions, (11%) 22 questions, (13%) 26 questions, (25%) 50 questions, (10%) 20 questions
-
167/207
Chapter 7 Overview
Business Process Evaluation & Risk Management
Application Controls
- input/output
- data validation
- integrity
Business Application Systems
- eCommerce
- EDI
- POS
- AI
- data warehouse
IT Governance
Business Process Re-engineering
-
168/207
Business Process Re-engineering
Successful BPR results in:
New business priorities
Improved product, service, profitability
New approach to organising and motivating people
New approach to use of information
Redefined roles for third parties (outsourcing, development, support)
Redefined roles for clients and customers
-
169/207
IT Governance
Encompasses IS, technology and communication, business and legal aspects across all stakeholders
Governed by generally accepted good/best practice to ensure resources are used effectively and risks are managed appropriately
Strategic alignment between IT and enterprise objectives
-
170/207
-
171/207
-
172/207
Controls Over Processing
Manual recalculations
Run to run totals
Reasonableness checks
Limit checks
Exception reports
Control totals (such as file sizes)
-
173/207
Controls Over Data Files
Before and after tracing of transactions
Retention of source documentation
Versioning (i.e. data stamping)
Internal labelling (i.e. electronic)
External labelling (i.e. physical)
Security controls (to ensure integrity)
One for one checking (against other sources)
Pre-recorded input (both manual & electronic)
Parity checking (specifically for transfers).
-
174/207
Application Risk Factors
The quality of the internal control environment
Economic conditions
Time elapsed since last audit
Complexity of operations
Changes in the underlying environment
Recent staff changes in key positions
Time in existence
Competitive environment
Assets at risk
Prior audit results
Transaction volume and value
Regulatory impact
Impact of application failure/sensitivity of transactions.
-
175/207
Types of Audit Software Testing
Test of file calculations (e.g. footing)
Comparison of data
Sequencing or summarising data
Reporting data exceptions
Use of custom programs to monitor specific transactions
Use of system utilities to analyse underlying data
Use of ITFs to process test data
Test data generation
Use of SCARF or EAM
Parallel simulation
Expert systems analysis.
-
176/207
Procedures Based On CAATs
Generation of test data
Analytical review (mostly to test theories)
Statistical sampling
Range tests
Exception processing.
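Added example, not from the course material, covering the three slides above (controls over processing, types of audit software testing and procedures based on CAATs) with one script: footing, a run-to-run total, a sequence check for gaps and duplicates, recalculation, limit, range and reasonableness checks feeding an exception report, and a seeded random sample for substantive testing. It runs over a constructed batch of sales transactions; the field names, authorisation limit, quantity range, historical customer averages and the transactions themselves are all constructed.

```python
"""Added example (not from the course slides): the processing controls, audit
software tests and CAAT procedures named on the last three slides, run over a
constructed batch of sales transactions. Field names, limits, historical
averages and the transactions themselves are all constructed."""
import random

# Constructed batch as it left the processing run. Defects planted for the checks
# to find: 1004 is missing, 1005 appears twice, and 1006 has a wrong total.
BATCH = [
    {"txn": 1001, "customer": "C01", "qty": 10,  "unit_price": 5.00,  "total": 50.00},
    {"txn": 1002, "customer": "C02", "qty": 3,   "unit_price": 20.00, "total": 60.00},
    {"txn": 1003, "customer": "C01", "qty": 1,   "unit_price": 9.50,  "total": 9.50},
    {"txn": 1005, "customer": "C03", "qty": 200, "unit_price": 5.00,  "total": 1000.00},
    {"txn": 1005, "customer": "C03", "qty": 2,   "unit_price": 5.00,  "total": 10.00},
    {"txn": 1006, "customer": "C04", "qty": 4,   "unit_price": 5.00,  "total": 21.00},
]
HISTORICAL_AVG_TOTAL = {"C01": 40.00, "C02": 5.00, "C03": 50.00, "C04": 25.00}  # constructed
AUTHORISATION_LIMIT = 500.00   # assumed: larger transactions need separate approval
QTY_RANGE = (1, 100)           # assumed valid quantity range for this product line


def foot(records, field):
    """Footing: re-add a column so the result can be agreed to the control total."""
    return round(sum(r[field] for r in records), 2)


def run_to_run_check(opening_balance, batch_total, reported_closing):
    """Run-to-run total: the closing figure of this run must equal opening + batch."""
    expected = round(opening_balance + batch_total, 2)
    return round(reported_closing, 2) == expected, expected


def sequence_check(records, field="txn"):
    """Sequencing test: gaps (possibly lost items) and duplicates (double processing)."""
    ids = [r[field] for r in records]
    gaps = sorted(set(range(min(ids), max(ids) + 1)) - set(ids))
    duplicates = sorted({i for i in ids if ids.count(i) > 1})
    return gaps, duplicates


def exception_report(records):
    """Per-record checks; every failure becomes a line on the exception report."""
    exceptions = []
    for r in records:
        # Recalculation: qty x unit price must equal the stored total
        if round(r["qty"] * r["unit_price"], 2) != round(r["total"], 2):
            exceptions.append((r["txn"], "recalculation",
                               f"{r['qty']} x {r['unit_price']} != {r['total']}"))
        # Limit check: fixed ceiling
        if r["total"] > AUTHORISATION_LIMIT:
            exceptions.append((r["txn"], "limit", f"{r['total']} exceeds {AUTHORISATION_LIMIT}"))
        # Range test: value must lie within a permitted interval
        if not QTY_RANGE[0] <= r["qty"] <= QTY_RANGE[1]:
            exceptions.append((r["txn"], "range", f"qty {r['qty']} outside {QTY_RANGE}"))
        # Reasonableness check: compare with what is normal for this customer
        average = HISTORICAL_AVG_TOTAL[r["customer"]]
        if r["total"] > 5 * average:
            exceptions.append((r["txn"], "reasonableness",
                               f"{r['total']} vs customer average {average}"))
    return exceptions


def statistical_sample(records, size, seed=0):
    """Simple random sample for substantive testing; seeded so the selection can be re-performed."""
    return random.Random(seed).sample(records, size)


if __name__ == "__main__":
    batch_total = foot(BATCH, "total")
    print("footed batch total:", batch_total)
    print("run-to-run:", run_to_run_check(500.00, batch_total, 1651.50))
    print("sequence gaps/duplicates:", sequence_check(BATCH))
    for line in exception_report(BATCH):
        print("EXCEPTION", *line)
    print("sample:", [r["txn"] for r in statistical_sample(BATCH, 2)])
```

Note that the footed total agrees with the batch's own control total (1150.50) even though three records are wrong: a control total proves completeness of what was processed, not correctness of each item, which is why the item-level checks and the exception report are needed alongside it.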
-
177/207
Business Application Systems
eCommerce
EDI
POSs
Integrated manufacturing systems (including ERP)
Batched data entry systems
EFT systems
Office automation systems
ATMs
Co-operative processing systems
Voice response systems (primarily for ordering)
Accounting systems.
-
178/207
e-Commerce
B2B
B2C
Architectures
2-tier (server provides content, client handles display)
3-tier (database server, web server, web browser)
Risk
Confidentiality, Integrity & Availability
Authentication and Non-Repudiation
Power shift to customer
-
179/207
EDI
In use for about 20 years, and gained popularity over the last 5 years
Now being potentially overshadowed by the Internet
Three main components are generally required:-
Communications handler (transmits & receives documents)
EDI interface (translates between EDI and the application)
Application system (the in-house programs)
Its hybrid nature means that EDI presents issues both in terms of security and application development
Should use a mixture of inbound, outbound and general controls.
-
180/207
E-Mail and Digital Signatures
More recently an issue as users can now attach binary
executables, and documents containing macro viruses
Firewalls can be used to help guard against this threat
Digital signatures can also be used
These work by adding a string of extra digits to the document
being sent, and t