FREE CISA Study Guide from http://ITauditSecurity.wordpress.com
ITauditSecurity’s CISA Study Guide
Copyright 2012, ITauditSecurity. Rev 2.0
For a description of this guide, guidance on using it, and some warnings, see http://itauditsecurity.wordpress.com/2012/03/30/free-cisa-study-guide/
Table of Contents on next page
NOTE: When this guide was created, the main sections of the exam were as follows:
• IS Audit process
• IT Governance
• Systems & Lifecycle Mgmt
• IT Service Delivery & Support
• Protection of Info Assets
• BCP and DRP
ISACA has since reorganized the sections, but that doesn’t affect the information itself.
Quick Review Info
Yellow highlight notes where ISACA emphasizes CISA must-know this
Blue highlight = good-to-know info
List of key items to recite from memory:
5 Task Statements – SPCCA
10 Knowledge Statements – SPGE – CRP – CCC
7 Code of Ethics – IPS PC DE
3 types of Standards
6 Project Mgmt – IP EMC
Projects: Triple restraint: QRS & CDT
10 Audit Stages
OSI – PDNTSPA
TCP/IP – NDITA
Capability Maturity Model – zeroIRDMO
6 SDLC – FRD DIP (don’t forget differences if software purchased)
6 Benchmarking – PROAAI
Table of Contents
  Quick Review Info ..... 1
> IS Audit Process ..... 5
  7 Code of Ethics – IPS PC DE ..... 5
  Information Tech Assurance Framework (ITAF) ..... 6
  Engagement Letter vs. Audit Charter ..... 8
    Charter – RAA ..... 8
> IT Governance ..... 12
    CMM vs. ISO 15504 (SPICE) – PME PO ..... 13
    Business Process Reengineering (BPR) ..... 13
  Systems & System Development Life Cycle (SDLC) ..... 15
    Alternatives to SDLC Project Organization ..... 16
    Alternative Development Methods ..... 17
  Change Control Procedures ..... 19
    Key CASE Audit Issues ..... 19
  Programming Languages ..... 19
    Fourth-generation Languages ..... 19
    Input Control Techniques ..... 21
  Data Integrity ..... 24
    EDI Controls ..... 25
    Auditing EDI ..... 26
    Digital Signatures ..... 26
> IT Service Delivery & Support ..... 28
  IS Operations ..... 28
  IS Hardware ..... 28
  IS Architecture & Software ..... 28
    Database Management System (DBMS) ..... 28
    System Control ..... 30
> Protection of Information Assets ..... 31
    Key elements of Information Security Mgmt ..... 31
    Digital signatures ..... 35
    Digital Envelope ..... 35
    VOIP ..... 37
Precision/expected error rate – acceptable margin of error between samples and subject population. Low error rate requires large sample.
Substantive Testing – content/integrity
Variable sampling – designating $ value or effectiveness (weight) of entire subject by prorating from a smaller sample (ex: weigh $50 bill and calculate value of stack of bills by total weight).
Unstratified mean estimation – projects an estimated total for entire population
Stratified mean estimation – calculate average by grouping items (all males, all females, all over 30)
Difference estimation – determine difference between audited and unaudited claims of value.
Audit coefficient – level of confidence re: audit results. 95% & higher = high degree of confidence
Attestation – providing assurance via your signature that document contents are authentic & genuine.
Type 1 events occur before balance sheet date; Type 2 after (not auditor’s responsibility to detect subsequent events)
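As an added illustration, not from the guide, the Go code below projects a population total from one constructed sample using the three variable-sampling methods listed above (unstratified mean, stratified mean, difference estimation). The population sizes, book total and invoice values are constructed for this example; the point it shows is how far the unstratified projection drifts when one stratum is over-sampled.

```go
package main

// Item is one sampled population unit: the value recorded by the auditee (Book),
// the value the auditor verified (Audited), and the stratum it belongs to.
type Item struct {
	Stratum string
	Book    float64
	Audited float64
}

// meanPerUnit is unstratified mean estimation: the sample's average audited value
// is projected across all n units of the population.
func meanPerUnit(sample []Item, n int) float64 {
	var total float64
	for _, it := range sample {
		total += it.Audited
	}
	return total / float64(len(sample)) * float64(n)
}

// stratifiedMean projects each stratum separately (its own sample mean times its own
// population size) and sums the strata. strataSize holds the population count per stratum.
func stratifiedMean(sample []Item, strataSize map[string]int) float64 {
	sum := map[string]float64{}
	count := map[string]int{}
	for _, it := range sample {
		sum[it.Stratum] += it.Audited
		count[it.Stratum]++
	}
	var est float64
	for s, size := range strataSize {
		if count[s] > 0 {
			est += sum[s] / float64(count[s]) * float64(size)
		}
	}
	return est
}

// differenceEstimate projects the average (audited - book) difference over the n
// population units and adds it to the known population book total.
func differenceEstimate(sample []Item, n int, bookTotal float64) float64 {
	var diff float64
	for _, it := range sample {
		diff += it.Audited - it.Book
	}
	return bookTotal + diff/float64(len(sample))*float64(n)
}

// sampleData is a constructed sample of 8 invoices (not real data) drawn from a
// population of 1,000 units: 200 "large" and 800 "small", book total 300,000.
// Half the sample is large items although they are only a fifth of the population.
func sampleData() []Item {
	return []Item{
		{"large", 1250, 1200}, {"large", 1000, 1000}, {"large", 1150, 1100}, {"large", 900, 900},
		{"small", 100, 100}, {"small", 130, 120}, {"small", 80, 80}, {"small", 90, 100},
	}
}
```

With this sample the unstratified estimate is 575,000 while the stratified one is 290,000 and the difference estimate 287,500; the over-sampled large stratum drives the first figure, which is why stratification matters when values vary widely.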
Open Systems Interconnect (OSI) Model
• Provides standard interface at each layer; ensures each layer does not have to be concerned about the details of how other layers operate
• Each layer is self-contained and can be updated without affecting other layers
• Each layer communicates with the layer above and below it, as well as virtually with the same layer on the remote system

| Memory Phrase | 7 OSI Layers | 4 TCP/IP Layers | Memory Phrase | Headers & Data | Communication Types | Layer Controls/Provides | Protocol |
|---|---|---|---|---|---|---|---|
| Away | 7 – Application | 4 – Application | Anchovies | | To Application; Gateway | Standard interface to the network; problem solving; encryption | DNS |
| Pizza | 6 – Presentation | (4 – Application) | | Format & data structure | | Translate & display; screen formatting | |
| Sausage | 5 – Session | (4 – Application) | | | App to App | Communication sessions between applications | RPC; SQL database session; NFS |
| Throw | 4 – Transport | 3 – Transport | Throw | Message | Host to Host | Login screen | TCP (confirmed delivery); UDP (unconfirmed) |
| Not | 3 – Network | 2 – Internet/Network | I | Packet | Router | Routing, address to address | IP |
| Do | 2 – Data Link | 1 – Link (LAN/WAN interface) | Do | Frame; MAC address | Switch/Bridge | Transmit & receive; flow control; error notification; order sequence | NetBIOS; DHCP; PPP |
| Please ↑ | 1 – Physical | (1 – Link) | Nor | Signal | Cable/Wireless; Hub/Repeater; Wifi transmitter | Cable & voltage requirements; control electrical link between systems | |

(Read both memory phrases from the bottom up, as the ↑ indicates.)
MAC Address = 48-bit
Cables
• Coax – 185 meters, 2 pairs of wires
• UTP < 200 ft, 4 twisted pairs
• Fiber – dense wave multiplexing
Point-to-Point Protocol (PPP)
• Data link layer protocol for accessing remote network using IP over serial lines (replaced SLIP)
IP Addresses (32 bits)
Four IPs in each subnet are lost/reserved
• Numeric name (e.g., 192.0.0.0) for routing table/network path
• Starting IP
• Ending IP (IPs in between start & end = IP address space)
• Broadcast IP
ARP = MAC address to IP address
VLANs (requires router to access other subnets)
• Port-based: specific port configured to a specific VLAN. Small networks
• MAC-based: ties MAC address into VLAN, reconfigures network port on switch
• Policy or rule-based: Rule based on IP address or protocol in header. Switch ports reconfigure automatically
DNS – Bootp using RARP!
Dedicated Phone Circuits
• POTS – 56Kbs (half of ISDN circuit)
• Integrated Services Digital Network (ISDN) – 128Kbs, 23 channels of data, voice, video (conference); runs on POTS
• Primary trunk line (T1) – 28 POTS circuits, 1.544 Mbps. Charged by the mile.
• Digital Subscriber Line (DSL) – over POTS. 368 Kbps-1.544 Mbps.
Packet Switching
• Eliminated need for dedicated lines (Internet is PS’d)
• Not limited by distance
• Source & destination known, path is not
• Charged according to packets transmitted, not distance
Examples
• X.25 – foundation of modern switched networks (not popular today)
Encrypt with public key, decrypt only with private key – confidentiality (read only by receiver)
Encrypt with private key, decrypt with public key – authentication and non-repudiation
Encrypt with private key, then public key – confidentiality, authentication, and non-repudiation
Elliptic Curve Cryptography (ECC)
• Public key variant based on the discrete logarithm problem over an elliptic curve (2 points on curve)
• Works with networked computers, smart cards, wireless phones, mobile devices
• Less computational power, more security per bit (160-bit ECC = 1024-bit RSA)
Quantum Cryptography
• Uses interaction of light pulses, polarization metrics
Digital signatures
• Uses public key algorithm to ensure identity of sender and integrity of the data
• Hash algorithm creates message digest, smaller version of the original message
• Changes variable length messages into a fixed, 128-bit length digest
• Hashes are one-way functions, can't reverse
o MD5, SHA-1, SHA-256
• Digital signature encrypted by sender's private key, receiver decrypts with public key, then recomputes a digital signature and compares it to the original signature
• Ensure data integrity, authentication, and non-repudiation (but not confidentiality)
• Vulnerable to man-in-the-middle attack
Digital Envelope
• Contains data encrypted with symmetric key and the session key (which is the symmetric key, encrypted with the receiver's public/asymmetric key)
• Receiver's private key used to decrypt session key (symmetric key); symmetric key used to decrypt data.
• Uses asymmetric keys to protect the data integrity, authentication, and non-repudiation gained by symmetric key
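The digital signature and digital envelope notes above, worked through together as an added example that is not from the guide, in Go using only the standard library: the sender signs the SHA-256 digest with its private key and wraps a one-time AES session key under the receiver's RSA public key; the receiver unwraps the key, decrypts, recomputes the digest and verifies the signature. The function names, the AES-256-GCM choice and RSA-OAEP key wrapping are this example's assumptions.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope: the digital envelope (data + wrapped session key) plus the sender's signature.
type Envelope struct {
	WrappedKey []byte // one-time symmetric session key, encrypted with the receiver's public key
	Nonce      []byte // AES-GCM nonce used for the data encryption
	Ciphertext []byte // the data, encrypted with the session key
	Signature  []byte // sender's private-key signature over SHA-256(plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealEnvelope: encrypt data with a fresh session key, wrap that key for the receiver, sign the digest.
func sealEnvelope(plaintext []byte, receiverPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // 256-bit session key followed by a 96-bit nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	session, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(session)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, session, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(plaintext)
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil), sig}, nil
}

// openEnvelope: unwrap the session key with the receiver's private key, decrypt (GCM rejects
// tampering), then recompute the digest and verify the signature with the sender's public key.
func openEnvelope(env *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	session, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(session)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(plaintext)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], env.Signature); err != nil {
		return nil, err
	}
	return plaintext, nil
}
```

The envelope supplies confidentiality; the signature supplies integrity, authentication and non-repudiation, and any change to the ciphertext or to the plaintext digest makes openEnvelope fail.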
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
• Session or connection-layered protocol
• Provides end point authentication and confidentiality
• Typically, only the server is authenticated (including the client requires PKI deployment)
• Phases
o Algorithm negotiation
o Exchange of Public key and certificate-based authentication
o Symmetric cipher-based traffic encryption
• Runs on layers beneath application protocols HTTP, SMTP, NNTP and above the TCP protocol
• Uses hybrid of hashed, private, and public key cryptography to provide confidentiality, integrity, authentication (between client & server), and non-repudiation
IPSec
• Runs at the network layer
• Used for communicating between two or more hosts, subnets, or hosts and subnets (establishes VPNs)
• Transport mode – only the data portion of the packet (Encapsulating Security Payload (ESP)) is encrypted – confidentiality
• Tunnel mode – ESP payload (data) and header are encrypted. Additional Authentication Header (AH) provides non-repudiation
• Uses security associations (SAs) to define the security parameters to use (algorithms, keys, initialization vectors, etc.)
• Using asymmetric encryption via Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley) increases IPsec security by using key management, public keys, negotiation, use of SAs, etc.
SSH
• Runs at application layer
• Client/server program for encrypting command-line shell traffic used for remote logon and management.
• Used to secure telnet and ftp
Secure Multipurpose Internet Mail Extensions (S/MIME)
• Email protocol authenticating sender and receiver
• Verifies message integrity and confidentiality, including attachments
Secure Electronic Transactions (SET)
• Visa/MasterCard protocol used to secure credit card transactions
• Application protocol using PKI of trusted 3rd party
Encryption Risks
• Secrecy of keys is paramount
• Randomness of key generation determines how easily a key can be compromised
• Tying passwords to key generation weakens the key’s randomness, so it is important to use strong passwords
Viruses
• Attached to programs
• Self-propagating to other programs
• Attack EXEs, file directory system, boot & system areas, data files
Worms
• Does not attach to programs
• Propagates via OS security weaknesses
Virus/Worm controls – policies (preventative) and antivirus software (detective)
• Backups = vital control
VOIP
• Replaces circuit switching (and associated waste of bandwidth) with packet switching
• Secure VOIP similar to data networks (firewalls, encryption)
• Network issues take down phones also, so backup availability a big issue
• VLANS should be used to segregate VOIP infrastructure/traffic
• Session Border Controllers (SBCs) provide VOIP security similar to firewalls by monitoring VOIP protocols, monitoring for DoS, and providing network address and protocol translation features
Private Branch Exchange (PBX)
• In-house phone company for organization, allows 4-digit dialing, saves cost of individual phone lines to phone company’s central office
• PBX security different from normal OS security
o External access/control by 3rd party for updates/maintenance
o Richness of features available for attacks
PBX Controls
• Physically secure PBX and telephone closets
• Configure and secure separate and dedicated admin ports
• Control direct inward dial (DID) lines to avoid external parties getting dial tone for free long-distance calls
• Block certain long-distance numbers
• Control numbers destined for faxes and modems
• Use call-tracking logs
• Maintenance out of Service (MOS) – signaling communication is terminated on PBX, but line may be left open for eavesdropping
• Embedded passwords can be restored when system rebooted during crash recovery
Auditing Infosec Management Framework
• Policies/Procedures, including Logical Access Security Polices
• Security Awareness and training
• Data ownership: owners, custodians, security administrator
• New IT users (sign document regarding security policies/procedures)
• New Data Users
• Documented user authorization
• Terminated users
• Security baseline
• Inventory (devices, applications, data)
• Antivirus
• Passwords
• Patching
• Minimizing services (turn off unneeded)
• Addressing vulnerabilities
• Backups
Computer Forensics (IPAP)
• Identify – information
• Preserve – retrieving data, documenting chain of custody
o Who had access to the data
o How evidence gathered
o Proving that analysis based on copies of original, unaltered evidence
• Analyze
• Present
> BCP/DRP
Starts with risk assessment
• People, data, infrastructure, and other resources that support key business processes
• Dangers and threats to the organization
• Estimated probability of threat occurrence
BCP includes
• DRP plan
• Plan to restore operations to normal following disaster
• Improvement of security operations
BCP Lifecycle
• Create BCP policy
• Business Impact Analysis (BIA)
• Classification of operations and criticality
• Identify IS processes that support business criticality
• Develop BCP and IS DRP
• Develop resumption procedures
• Training and awareness programs
• Test and implement plan
• Monitoring
BCP Policy
• Should encompass preventative, detective, and corrective controls
• BCP most critical corrective control
• Incident management control
• Main severity criterion is service downtime
• Media backup control
BIA identifies:
• Different business processes & criticality
• Critical IS resources supporting critical business processes
• Critical recovery period before significant or unacceptable losses occur
Recovery point objective (RPO) – based on acceptable data loss; earliest time in which it is acceptable to recover; date/time or synchronization point to which systems/data will be restored.
Recovery time objective (RTO) – based on acceptable downtime; earliest time when business operations must resume.
Interruption window – how long a business can wait before operations resume (after this point, losses are unaffordable)
Maximum Tolerable Outage (MTO) – maximum time business can operate in alternate processing mode before other problems occur
Service delivery objective (SDO) – acceptable level of services required during alternate processing
Recovery Alternatives
• Hot site – fully configured and ready to operate within hours. Not for extended use.
• Warm site – partially configured (network and peripheral devices, but no main computers). Site ready in hours,
operations ready in days or weeks.
• Cold site – has basic utilities, ready in weeks.
• Redundant site – dedicated, self-developed sites.
• Mobile site – data center in a box
• Reciprocal agreements with other businesses
Redundant Array of Inexpensive/Independent Disks (RAID)
• Level 0 – striped disk array, no fault tolerance; stripes multiple disks into one volume (faster when software based)
• Level 1 – mirroring; 2 drives, half the space (faster when software based)
• Level 2 – Hamming code ECC – interweaving data based on Hamming code (EXPENSIVE and rare; HW based, resource intensive)
• Level 3 – parallel transfer with parity; at least 2 striped data drives with 1 for parity (faster in HW)
• Level 5 – block level; independent disks with distributed parity blocks; at least 3 drives, stripes data and parity (faster in HW); mirrored sets
• Level 6 – Level 5 with 2 independent distributed parity schemes (faster in HW)
• Level 10 – high reliability & performance; at least 4 drives, stripes level 1 segments; high I/O
• Level 0+1 – high transfer rate; striped plus mirrored; losing 2 drives = major data loss
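The parity mechanism behind Level 5, and the reason one drive loss is survivable while two are not, worked through as an added Go example that is not from the guide. The 4-byte block size, the parity rotation rule and the function names are this example's choices; real arrays use kilobyte blocks and vendor-specific layouts.

```go
package main

import "errors"

const blockSize = 4 // bytes per block; tiny so the stripes are easy to inspect

// parityDisk says which disk holds the parity block of a given stripe. Rotating it
// per stripe is the "distributed parity" of RAID 5 (RAID 3/4 keep it on one disk).
func parityDisk(stripe, n int) int { return n - 1 - stripe%n }

// raid5Write stripes data across n >= 3 disks, one block per disk per stripe, and writes
// P = XOR(all data blocks of the stripe) to that stripe's parity disk. Zero-pads the tail.
func raid5Write(data []byte, n int) [][]byte {
	perStripe := (n - 1) * blockSize
	stripes := (len(data) + perStripe - 1) / perStripe
	disks := make([][]byte, n)
	for d := range disks {
		disks[d] = make([]byte, stripes*blockSize)
	}
	for s := 0; s < stripes; s++ {
		p, k := parityDisk(s, n), 0 // k counts data blocks placed in this stripe
		for d := 0; d < n; d++ {
			if d == p {
				continue
			}
			block := disks[d][s*blockSize : (s+1)*blockSize]
			if off := s*perStripe + k*blockSize; off < len(data) {
				copy(block, data[off:])
			}
			for i := range block {
				disks[p][s*blockSize+i] ^= block[i]
			}
			k++
		}
	}
	return disks
}

// raid5Read reassembles the user data, skipping each stripe's parity block.
func raid5Read(disks [][]byte, length int) []byte {
	n, out := len(disks), []byte{}
	for s := 0; s*blockSize < len(disks[0]); s++ {
		for d := 0; d < n; d++ {
			if d != parityDisk(s, n) {
				out = append(out, disks[d][s*blockSize:(s+1)*blockSize]...)
			}
		}
	}
	return out[:length]
}

// rebuild recreates one failed disk in place: since P ^ D0 ^ D1 ^ ... == 0 in every stripe,
// the missing member equals the XOR of all the others. Two missing members leave two
// unknowns in one equation, so RAID 5 survives a single loss only (RAID 6 adds a second parity).
func rebuild(disks [][]byte, failed []int) error {
	if len(failed) != 1 {
		return errors.New("RAID 5 can rebuild at most one failed disk")
	}
	f := failed[0]
	disks[f] = make([]byte, len(disks[(f+1)%len(disks)]))
	for d, disk := range disks {
		if d == f {
			continue
		}
		for i := range disk {
			disks[f][i] ^= disk[i]
		}
	}
	return nil
}
```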
Insurance Coverage
• IS equipment/facilities
• software media reconstruction
• Extra expense – of continuing operations after disaster; loss due to computer media damage
• Business interruption
• Valuable papers and records
• Errors and omissions
• Fidelity coverage – loss due to dishonest/fraudulent acts
• Media transportation
• Covers loss based on historical performance, not existing
• No compensation for loss of image/goodwill
Grandfather (monthly), father (weekly), son (daily) backup rotation scheme
Difference between ISACA book and Sybex
Sybex is easier to read and digest:
• Layout is better and more reader-friendly
• More bullet points, charts, and tables that summarize the information and show relationships or differences in the subject matter
• Less subject matter on a page, so eyes don’t get so tired as you read.
Both identify critical things a CISA must know, but ISACA is more specific in their must-know notes.
I would never read just one book. Read one book and take notes. Then read the other book and supplement your notes. This process will help you understand the difference between the two sources. Each perspective is