About the Book

Sybex's CISA: Certified Information Systems Auditor Study Guide, Fourth Edition is the newest edition of industry-leading study guide for the Certified Information System Auditor exam, fully updated to align with the latest ISACA standards and changes in IS auditing. This new edition provides complete guidance toward all content areas, tasks, and knowledge areas of the exam and is illustrated with real-world examples. All CISA terminology has been revised to reflect the most recent interpretations, including 73 definition and nomenclature changes. Each chapter summary highlights the most important topics on which you'll be tested and review questions help you gauge your understanding of the material. ·Secrets of a Successful Auditor ·Governance ·Audit Process ·Networking Technology Basics ·Information Systems Life Cycle ·System Implementation and Operations ·Protecting Information Assets ·Business Continuity and Disaster Recovery

About the Author

David L. Cannon, CISA, CCSP, is President and Founder of CertTest Training Center, a leading CISA training provider. David has more than 20 years' IT training and consulting experience in such industries as IT operations, security, system administration, and management. David teaches CISA preparation courses across the country and is a frequent speaker and lecturer at the leading security and auditing conferences and is well respected within the I.S. Auditing field. Brian T. O'Hara CISA, CISM, CRISC, CISSP is a Senior Security Consultant with Rook Security. He is the President of the Indiana InfraGard Members Alliance partnership between the FBI and the private sector and President of the Central Indiana Chapter ISACA. Allen Keele CISA, CISM, CISSP, ISO 31000 CICRA, ISO 27001 CICA, ISO 27001 Lead Auditor, ISO 22301 Certified Business Continuity Manager and Certified Fraud Examiner is the founder of Certified Information Security.

Table of Contents:
Introduction Assessment Test Chapter 1 Secrets of a Successful Auditor ·Understanding the Demand for IS Audits ·Executive Misconduct ·More Regulation Ahead ·Basic Regulatory Objective ·Governance Is Leadership ·Three Types of Data Target Different Uses ·Audit Results Indicate the Truth ·Understanding Policies, Standards, Guidelines and Procedures ·Understanding Professional Ethics ·Following the ISACA Professional Code ·Preventing Ethical Conflicts ·Understanding the Purpose of an Audit ·Classifying General Types of Audits ·Determining Differences in Audit Approach ·Understanding the Auditor's Responsibility ·Comparing Audits to Assessments ·Differentiating between Auditor and Auditee Roles ·Applying an Independence Test ·Implementing Audit Standards ·Where Do Audit Standards Come From? ·Understanding the Various Auditing Standards ·Specific Regulations Defining Best Practices ·Audits to Prove Financial Integrity ·Auditor Is an Executive Position ·Understanding the Importance of Auditor Confidentiality ·Working with Lawyers ·Working with Executives ·Working with IT Professionals ·Retaining Audit Documentation ·Providing Good Communication and Integration ·Understanding Leadership Duties ·Planning and Setting Priorities ·Providing Standard Terms of Reference ·Dealing with Conflicts and Failures ·Identifying the Value of Internal and External Auditors ·Understanding the Evidence Rule ·Stakeholders: Identifying Whom You Need to Interview ·Understanding the Corporate Organizational Structure ·Identifying Roles in a Corporate Organizational Structure ·Identifying Roles in a Consulting Firm Organizational Structure Chapter 2 Governance ·Strategy Planning for Organizational Control ·Overview of the IT Steering Committee ·Using the Balanced Scorecard ·IT Subset of the BSC ·Decoding the IT Strategy ·Specifying a Policy ·Project Management ·Implementation Planning of the IT Strategy ·Using COBIT ·Identifying Sourcing Locations ·Conducting an Executive Performance Review ·Understanding the Auditor's Interest in the Strategy ·Overview of Tactical Management ·Planning and Performance ·Management Control Methods ·Risk Management ·Implementing Standards ·Human Resources ·System Life Cycle Management ·Continuity Planning ·Insurance ·Overview of Business Process Reengineering ·Why Use Business Process Reengineering ·BPR Methodology ·Genius or Insanity? ·Goal of BPR ·Guiding Principles for BPR ·Knowledge Requirements for BPR ·BPR Techniques ·BPR Application Steps ·Role of IS in BPR ·Business Process Documentation ·BPR Data Management Techniques ·Benchmarking as a BPR Tool ·Using a Business Impact Analysis ·BPR Project Risk Assessment ·Practical Application of BPR ·Practical Selection Methods for BPR ·Troubleshooting BPR Problems ·Understanding the Auditor's Interest in Tactical Management ·Operations Management ·Sustaining Operations ·Tracking Actual Performance ·Controlling Change ·Understanding the Auditor's Interest in Operational Delivery Chapter 3 Audit Process ·Understanding the Audit Program ·Audit Program Objectives and Scope ·Audit Program Extent ·Audit Program Responsibilities ·Audit Program Resources ·Audit Program Procedures ·Audit Program Implementation ·Audit Program Records ·Audit Program Monitoring and Review ·Planning Individual Audits ·Establishing and Approving an Audit Charter ·Role of the Audit Committee ·Preplanning Specific Audits ·Understanding the Variety of Audits ·Identifying Restrictions on Scope ·Gathering Detailed Audit Requirements ·Using a Systematic Approach to Planning ·Comparing Traditional Audits to Assessments and Self-Assessments ·Performing an Audit Risk Assessment ·Determining Whether an Audit Is Possible ·Identifying the Risk Management Strategy ·Determining Feasibility of Audit ·Performing the Audit ·Selecting the Audit Team ·Determining Competence and Evaluating Auditors ·Ensuring Audit Quality Control ·Establishing Contact with the Auditee ·Making Initial Contact with the Auditee ·Using Data Collection Techniques ·Conducting Document Review ·Understanding the Hierarchy of Internal Controls ·Reviewing Existing Controls ·Preparing the Audit Plan ·Assigning Work to the Audit Team ·Preparing Working Documents ·Conducting Onsite Audit Activities ·Gathering Audit Evidence ·Using Evidence to Prove a Point ·Understanding Types of Evidence ·Selecting Audit Samples ·Recognizing Typical Evidence for IS Audits ·Using Computer Assisted Audit Tools ·Understanding Electronic Discovery ·Grading of Evidence ·Timing of Evidence ·Following the Evidence Life Cycle ·Conducting Audit Evidence Testing ·Compliance Testing ·Substantive Testing ·Tolerable Error Rate ·Recording Test Results ·Generating Audit Findings ·Detecting Irregularities and Illegal Acts ·Indicators of Illegal or Irregular Activity ·Responding to Irregular or Illegal Activity ·Findings Outside of Audit Scope ·Report Findings ·Approving and Distributing the Audit Report ·Identifying Omitted Procedures ·Conducting Follow up (Closing Meeting) Chapter 4 Networking Technology Basics ·Understanding the Differences in Computer Architecture ·Selecting the Best System ·Identifying Various Operating Systems ·Determining the Best Computer Class ·Comparing Computer Capabilities ·Ensuring System Control ·Dealing with Data Storage ·Using Interfaces and Ports ·Introducing the Open Systems Interconnection Model ·Layer 1: Physical Layer ·Layer 2: Data Link Layer ·Layer 3: Network Layer ·Layer 4: Transport Layer ·Layer 5: Session Layer ·Layer 6: Presentation Layer ·Layer 7: Application Layer ·Understanding How Computers Communicate ·Understanding Physical Network Design ·Understanding Network Cable Topologies ·Bus Topologies ·Star Topologies ·Ring Topologies ·Meshed Networks ·Differentiating Network Cable Types ·Coaxial Cable ·Unshielded Twisted Pair (UTP) Cable ·Fiber Optic Cable ·Connecting Network Devices ·Using Network Services ·Domain Name System ·Dynamic Host Configuration Protocol ·Expanding the Network ·Using Telephone Circuits ·Network Firewalls ·Remote VPN Access ·Using Wireless Access Solutions ·Firewall Protection for Wireless Networks ·Remote Dial Up Access ·WLAN Transmission Security ·Achieving 802.11i RSN Wireless Security ·Intrusion Detection Systems ·Summarizing the Various Area Networks ·Using Software as a Service (SaaS) ·Advantages ·Disadvantages ·Cloud Computing ·The Basics of Managing the Network ·Automated LAN Cable Tester ·Protocol Analyzers ·Remote Monitoring Protocol Version 2 Chapter 5 Information Systems Life Cycle ·Governance in Software Development ·Management of Software Quality ·Capability Maturity Model ·International Organization for Standardization ·Typical Commercial Records Classification Method ·Overview of the Executive Steering Committee ·Identifying Critical Success Factors ·Using the Scenario Approach ·Aligning Software to Business Needs ·Change Management ·Management of the Software Project ·Choosing an Approach ·Using Traditional Project Management ·Overview of the System Development Life Cycle ·Phase 1: Feasibility Study ·Phase 2: Requirements Definition ·Phase 3: System Design ·Phase 4: Development ·Phase 5: Implementation ·Phase 6: Post implementation ·Phase 7: Disposal ·Overview of Data Architecture ·Databases ·Database Transaction Integrity ·Decision Support Systems ·Presenting Decision Support Data ·Using Artificial Intelligence ·Program Architecture ·Centralization vs. Decentralization ·Electronic Commerce Chapter 6 System Implementation and Operations ·Understanding the Nature of IT Services ·Performing IT Operations Management ·Meeting IT Functional Objectives ·Using the IT Infrastructure Library ·Supporting IT Goals ·Understanding Personnel Roles and Responsibilities ·Using Metrics ·Evaluating the Help Desk ·Performing Service Level Management ·Outsourcing IT Functions ·Performing Capacity Management ·Using Administrative Protection ·Information Security Management ·IT Security Governance ·Authority Roles over Data ·Data Retention Requirements ·Document Physical Access Paths ·Personnel Management ·Physical Asset Management ·Compensating Controls ·Performing Problem Management ·Incident Handling ·Digital Forensics ·Monitoring the Status of Controls ·System Monitoring ·Document Logical Access Paths ·System Access Controls ·Data File Controls ·Application Processing Controls ·Log Management ·Antivirus Software ·Active Content and Mobile Software Code ·Maintenance Controls ·Implementing Physical Protection ·Data Processing Locations ·Environmental Controls ·Safe Media Storage Chapter 7 Protecting Information Assets ·Understanding the Threat ·Recognizing Types of Threats and Computer Crimes ·Identifying the Perpetrators ·Understanding Attack Methods ·Implementing Administrative Protection ·Using Technical Protection ·Technical Control Classification ·Application Software Controls ·Authentication Methods ·Network Access Protection ·Encryption Methods ·Public Key Infrastructure ·Network Security Protocols ·Telephone Security ·Technical Security Testing Chapter 8 Business Continuity and Disaster Recovery ·Debunking the Myths ·Myth 1: Facility Matters ·Myth 2: IT Systems Matter ·From Myth to Reality ·Understanding the Five Conflicting Disciplines Called Business Continuity ·Defining Disaster Recovery ·Surviving Financial Challenges ·Valuing Brand Names ·Rebuilding after a Disaster ·Defining the Purpose of Business Continuity ·Uniting Other Plans with Business Continuity ·Identifying Business Continuity Practices ·Identifying the Management Approach ·Following a Program Management Approach ·Understanding the Five Phases of a Business Continuity Program ·Phase 1: Setting Up the BC Program ·Phase 2: The Discovery Process ·Phase 4: Plan Implementation ·Phase 5: Maintenance and Integration ·Understanding the Auditor Interests in BC / DR Plans Summary Exam Essentials Review Questions Appendix Answers to Review Questions Index