CISA: The Last Mile [Leanpub PDF/iPad/Kindle]

Preface

Legend
The CISA Mindset
Think the “ISACA Way“

Domain 1A: IS Auditing Process - Planning

1A1. IS Audit Standards, Guidelines, and Codes of Ethics
ISACA IS Audit and Assurance Standards
ISACA IS Audit and Assurance Guidelines
ISACA Code of Professional Ethics
ITAF (IT Audit Framework)
IS Internal Audit Function
1A2. Types of Audits, Assessments, and Reviews
Control Self-Assessment (CSA)
Integrated Auditing
1A3. Risk-Based Audit Planning
Individual Audit Assignments
Effect of Laws and Regulations on IS Audit Planning
Audit Risk and Materiality
Risk Assessment
IS Audit Risk Assessment Techniques
Risk Analysis
1A4. Types of Controls and Considerations
Internal Controls
Control Objectives and Control Measures
Control Classifications
Control Relationship to Risk
Prescriptive Controls and Frameworks
Evaluation of the Control Environment

Domain 1B: IS Auditing Process - Execution

1B1. Audit Project Management
Audit Objectives
Audit Phases
Audit Programs
Audit Work Papers
Fraud, Irregularities, and Illegal Acts
Agile Auditing
1B2. Audit Testing and Sampling Methodology
Compliance Versus Substantive Testing
Sampling
1B3. Audit Evidence Collection Techniques
Interviewing and Observing Personnel in Performance of Their Duties
1B4. Audit Data Analytics
Computer-Assisted Audit Techniques
Continuous Auditing and Monitoring
Continuous Auditing Techniques
Artificial Intelligence in IS Audit
1B5. Reporting and Communication Techniques
Communicating Audit Results
Audit Report Objectives
Audit Report Structure and Contents
Audit Documentation
Follow-Up Activities
Types of IS Audit Reports
1B6. Quality Assurance and Improvement of Audit Process
Audit Committee Oversight
Audit Quality Assurance
Audit Team Training and Development
Monitoring

Domain 2A: IT Governance

2A1. Laws, Regulations, and Industry Standards
Impact of Laws, Regulations, and Industry Standards on IS Audit
Governance, Risk, and Compliance (GRC)
2A2. Organizational Structure, IT Governance, and IT Strategy
Enterprise Governance of Information and Technology (EGIT)
Good Practices for EGIT
Audit’s Role in EGIT
Information Security Governance
Information Systems Strategy
Strategic Planning
Business Intelligence
Organizational Structure
Auditing IT Governance Structure and Implementation
2A3. IT Policies, Standards, Procedures, and Guidelines
Policies
Standards
Procedures
Guidelines
2A4. Enterprise Architecture and Considerations
IT Sourcing Practices
2A5. Enterprise Risk Management (ERM)
Developing a Risk Management Program
Risk Management Life Cycle
Risk Analysis Methods
2A6. Data Privacy Program and Principles
Privacy Documentation
Audit Process
2A7. Data Governance and Classification
Data Classification
Legal Purpose, Consent, and Legitimate Interest
Data Subject Rights and Transborder Data Flow

Domain 2B: IT Management

2B1. IT Resource Management
Value of IT
IT Portfolio Management
IT Management Practices
Human Resource Management
Enterprise Change Management
Financial Management Practices
Information Security Management
2B2. IT Vendor Management
Sourcing Practices
Outsourcing Practices and Strategies
Cloud Governance
Governance in Outsourcing
Capacity and Growth Planning
Third-Party Service Delivery Management
2B3. IT Performance Monitoring and Reporting
Key Performance Indicators (KPIs)
Key Risk Indicators (KRIs)
Key Control Indicators (KCIs)
Performance Optimization
Approaches and Techniques
2B4. Quality Assurance and Quality Management of IT
Quality Assurance
Quality Management
Operational Excellence

Domain 3A: Information Systems Acquisition and Development

3A1. Project Governance and Management
Project Management Practices
Project Management Organizational Structures
Project Management Roles and Responsibilities
Project Management Techniques
Portfolio and Program Management
Project Management Office (PMO)
Project Benefits Realization
Project Initiation
Project Objectives
Project Planning
Project Execution
Project Monitoring and Controlling
Project Closing
IS Auditor’s Role in Project Management
3A2. Business Case and Feasibility Analysis
Components of Feasibility Analysis
IS Auditor’s Role in Business Case Development
3A3. System Development Methodologies
Business Application Development
SDLC Models
SDLC Phases
IS Auditor’s Role in SDLC Project Management
Software Development Methods
System Development Tools and Productivity Aids
Infrastructure Development and Acquisition
Hardware and Software Acquisition
System Software Acquisition
3A4. Control Identification and Design
Application Controls
Output Controls

Domain 3B: Information Systems Implementation

3B1. System Readiness and Implementation Testing
Testing Classifications
Software Testing
Data Integrity Testing
Application System Testing
System Implementation
3B2. Implementation Configuration and Release Management
Configuration Management Systems
3B3. System Migration, Infrastructure Deployment, and Data Conversion
Data Migration
Changeover (Go-Live or Cutover) Techniques
System Change Procedures and the Program Maintenance Phase
System Software Implementation
Certification and Accreditation
3B4. Post-Implementation Review
IS Auditor’s Role in Post-Implementation Review

Domain 4A: Information Systems Operations

4A1. IT Components
Networking
Computer Hardware Components and Architectures
Common Enterprise Back-End Devices
USB Mass Storage Devices
Wireless Communication Technologies
Hardware Maintenance Program
Hardware Failures
4A2. IT Asset Management
4A3. Job Scheduling and Production Process Automation
Job Scheduling Software
Scheduling Reviews
4A4. System Interfaces
Risks Associated With System Interfaces
Controls Associated With System Interfaces
4A5. End-User Computing and Shadow IT
End-User Computing
Shadow IT
4A6. Systems Availability and Capacity Management
IS Architecture and Software
Operating System Features and Integrity
Access Control Software
Data Communications Software
Utility Programs
Software Licensing
Source Code Management
Capacity Management
Resilience Metrics: RTO and RPO
4A7. Problem and Incident Management
Problem Management
Incident Management
Detection, Documentation and Resolution of Abnormal Conditions
Help Desk
Network Management Tools
Problem Management Reporting Reviews
4A8. IT Change, Configuration and Patch Management
Configuration Management
Change Management Process
Patch and Release Management
4A9. Operational Log Management
Types of Logs
Log Management
4A10. IT Service Level Management
Service Level Agreements
Monitoring of Service Levels
Service Levels and Enterprise Architecture
4A11. Database Management
DBMS Architecture
Database Structure Models
Database Controls
Database Reviews

Domain 4B: Business Resilience

4B1. Business Impact Analysis (BIA)
Classification of Operations and Criticality Analysis
4B2. System and Operational Resilience
Application Resiliency and Disaster Recovery Methods
Telecommunication Network Resiliency and Disaster Recovery Methods
4B3. Data Backup, Storage and Restoration
Data Storage Resiliency and Disaster Recovery Methods
Backup and Restoration
Backup Schemes
4B4. Business Continuity Plan (BCP)
IT Business Continuity Planning
Disasters and Disruptive Events
Business Continuity Planning Process
Business Continuity Policy
Incident Management
Development of Business Continuity Plans
Plan Development Issues
Components of a Business Continuity Plan
Plan Testing
Business Continuity Maintenance
Auditing Business Continuity
4B5. Disaster Recovery Plans (DRP)
Recovery Objectives and Metrics
Recovery Strategies
Recovery Site Alternatives
DRP Development
DRP Testing

Domain 5A: Protection of Information Assets

5A1. Information Asset Security Policies, Frameworks, Standards and Guidelines
Information Asset Security Policies, Procedures and Guidelines
Information Security Frameworks and Standards
Information Security Baselines
5A2. Physical and Environmental Controls
Environmental Exposures and Controls
IS Auditor Focus
Physical Access Exposures and Controls
Industrial Control Systems Security
5A3. Identity and Access Management
Identity and Access Management
Authentication, Authorization and Accountability
Zero-Trust Architecture
Privileged Access Management
Directory Services
Identity Governance and Administration
Identity as a Service
System Access Permission
Types of Access Controls
Information Security and External Parties
Digital Rights Management
Logical Access
Access Control Software
Logon IDs and Passwords
Remote Access Security
Biometrics
Naming Conventions for Logical Access Controls
Federated Identity Management
Auditing Logical Access
5A4. Network and Endpoint Security
IS Network Infrastructure
Enterprise Network Architectures
Types of Networks
Common Network Types
Network Services
Network Standards and Protocols
Virtual Private Networks
Network Attached Storage
Content Delivery Networks
Network Time Protocol
Applications in a Networked Environment
Network Infrastructure Security
Firewalls
Unified Threat Management
Network Segmentation
Endpoint Security
5A5. Data Loss Prevention
Types of DLP
Data Loss Risk
DLP Solutions and Data States
DLP Controls
DLP Content Analysis Methods
DLP Deployment Best Practices
DLP Risk, Limitations and Considerations
5A6. Data Encryption
Elements of Encryption Systems
Link Encryption and End-to-End Encryption
Symmetric Key Cryptographic Systems
Public (Asymmetric) Key Cryptographic Systems
Hash Functions
Elliptic Curve Cryptography
Quantum Cryptography
Homomorphic Encryption
Digital Signatures
Digital Envelope
Applications of Cryptographic Systems
Kerberos
Secure Shell
Domain Name System Security Extensions
Email Security
Encryption Audit Procedures
5A7. Public Key Infrastructure
Digital Certificates
Key Management
Certificate Revocation
Certificate Revocation List
PKI Infrastructure Risk
Audit Procedures for PKI
5A8. Cloud and Virtualized Environments
Virtualization
Virtual Circuits
Virtual Local Area Network
Virtual Storage Area Networks (VSANs)
Software-Defined Networking
Containerization
Secure Cloud Migration
The Shared Responsibility Model
Key Risk in Cloud Environments
DevSecOps
5A9. Mobile, Wireless, and Internet of Things Devices
Mobile Computing
Mobile Device Threats
Mobile Device Controls
Mobile Device Management
Bring Your Own Device
Internet Access on Mobile Devices
Audit Procedures for Mobile Devices
Mobile Payment Systems
Wireless Networks
Internet of Things (IoT)

Domain 5B: Security Event Management

5B1. Security Awareness Training and Programs
The Information Security Learning Continuum
Benefits of a Security Awareness, Training and Education Program
Approach to Security Awareness, Training and Education
Conditions for a Successful Security Awareness Training and Education Program
Conducting a Needs Assessment
Implementing an Awareness and Training Program
5B2. Information System Attack Methods and Techniques
Fraud Risk Factors
Computer Crime Issues and Exposures
Internet Threats and Security
Malware
Ransomware
5B3. Security Testing Tools and Techniques
Security Testing Objectives
Security Assessments vs Security Audits
Vulnerability Assessments
Penetration Testing
Threat Readiness (Information Security Teams)
Security Testing Techniques
Security Operations Center (SOC)
Full Network Assessment Reviews
Security Testing Audit Procedures
5B4. Security Monitoring Tools and Techniques
Information Security Monitoring
Intrusion Detection Systems
Intrusion Prevention Systems
Audit Logging in Monitoring System Access
Protecting Log Data
Security Information and Event Management (SIEM)
5B5. Security Incident Response Management
Incident Response Process
Computer Security Incident Response Team
Incident Response Plan
Security Orchestration, Automation and Response
Types of Investigations
Types of Computer Forensics
Phases of Computer Forensics
Audit Considerations
Computer Forensic Techniques
Computer Forensics Tools
Chain of Custody
Best Practices to Secure Digital Evidence

CISA: The Last Mile

You pay

Author earns

...Or Buy With Credits!

About

Share this book

Categories

Feedback

Author

Contents

Preface

Domain 1A: IS Auditing Process - Planning

Domain 1B: IS Auditing Process - Execution

Domain 2A: IT Governance

Domain 2B: IT Management

Domain 3A: Information Systems Acquisition and Development

Domain 3B: Information Systems Implementation

Domain 4A: Information Systems Operations

Domain 4B: Business Resilience

Domain 5A: Protection of Information Assets

Domain 5B: Security Event Management

The Leanpub 60 Day 100% Happiness Guarantee

Earn $8 on a $10 Purchase, and $16 on a $20 Purchase

Free Updates. DRM Free.

Write and Publish on Leanpub