The CISA Cram Sheet

This Cram Sheet contains distilled information in key areas of knowledge pertinent to the CISA exam. Review this information as the last thing you do before you enter the testing center, paying special attention to those areas in which you feel that you need the most review.

IS Audit Process

  1. The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a facilitator.

  2. Using a statistical sample to inventory the tape library is an example of a substantive test.

  3. Audit responsibility enhancement is an objective of a control self-assessment (CSA) program.

  4. If proper identification and authentication are not performed during access control, no accountability can exist for any action performed.

  5. IS auditors are most likely to perform compliance tests of internal controls if, after their initial evaluation of the controls, they conclude that control risks are within the acceptable limits. Think of it this way: If any reliance is placed on internal controls, that reliance must be validated through compliance testing. High control risk results in little reliance on internal controls, which results in additional substantive testing.

  6. In planning an audit, the most critical step is identifying the areas of high risk.

  7. Prior audit reports are considered of lesser value to an IS auditor attempting to gain an understanding of an organization’s IT process than evidence directly collected.

  8. When evaluating the collective effect of preventative, detective, or corrective controls within a process, an IS auditor should be aware of the point at which controls are exercised as data flows through the system.

  9. The primary purpose of audit trails is to establish accountability and responsibility for processed transactions.

  10. When implementing continuous monitoring systems, an IS auditor’s first step is to identify high-risk areas within the organization.

  11. A benefit of a risk-based approach to audit planning is that auditing resources are allocated to the areas of highest concern.

  12. Inherent risk is associated with authorized program exits (trap doors).

  13. After an IS auditor has identified threats and potential impacts, the auditor should identify and evaluate the existing controls.

  14. Generalized audit software can be used to search for address field duplications.

  15. The use of statistical sampling procedures helps minimize detection risk.

  16. Lack of reporting of a successful attack on the network is a great concern to an IS auditor.

  17. Detection risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when errors actually exist.

  18. An integrated test facility is considered a useful audit tool because it compares processing output with independently calculated data.

Management, Planning, and Organization of IS

  1. A bottom-up approach to the development of organizational policies is often driven by risk assessment.

  2. An IS auditor’s primary responsibility is to advise senior management of the risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function.

  3. Data and systems owners are accountable for maintaining appropriate security measures over information assets.

  4. Business unit management is responsible for implementing cost-effective controls in an automated system.

  5. Proper segregation of duties prohibits a system analyst from performing quality-assurance functions.

  6. The primary reason an IS auditor reviews an organization chart is to better understand the responsibilities and authority of individuals.

  7. If an IS auditor observes that project-approval procedures do not exist, the IS auditor should recommend to management that formal approval procedures be adopted and documented.

  8. Ensuring that security and control policies support business and IT objectives is a primary objective of an IT security policies audit.

  9. The board of directors is ultimately accountable for developing an IS security policy.

  10. When auditing third-party service providers, an auditor should be concerned with ownership of programs and files, a statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster.

  11. Proper segregation of duties normally prohibits a LAN administrator from also having programming responsibilities.

  12. When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and long-term (three- to five-year) IS strategies, interview appropriate corporate management personnel, and ensure that the external environment has been considered. The auditor should not focus on procedures in an audit of IS strategy.

  13. Above all else, an IS strategy must support the business objectives of the organization.

  14. IS assessment methods enable IS management to determine whether the activities of the organization differ from the planned or expected levels.

  15. Batch control reconciliation is a compensating control for mitigating the risk of inadequate segregation of duties.

  16. An audit client’s business plan should be reviewed before an organization’s IT strategic plan is reviewed.

  17. Key verification is one of the best controls for ensuring that data is entered correctly.

  18. Allowing application programmers to directly patch or change code in production programs increases risk of fraud.

Technical Infrastructure and Operational Practices

  1. A mesh network topology provides a point-to-point link between every network host. If each host is configured to route and forward communication, this topology provides the greatest redundancy of routes and the greatest network fault tolerance.

  2. Layering perimeter network protection by configuring the firewall as a screened host in a screened subnet behind the bastion host provides a higher level of protection from external attack than a firewall alone.

  3. An IS auditor usually places more reliance on evidence directly collected, such as through personal observation.

  4. The directory system of a database-management system describes the location of data and the access method.

  5. The transport layer of the TCP/IP protocol suite provides for connection-oriented protocols, to ensure reliable communication.

  6. Improper file access becomes a greater risk when implementing a database system.

  7. Electronic data interchange (EDI) supports intervendor communication while decreasing the time necessary for review because it is usually configured to readily identify errors requiring follow-up.

  8. To properly protect against unauthorized disclosure of sensitive data, hard disks should be demagnetized prior to disposal or release.

  9. An IS auditor can expect to find system errors to be detailed in the console log.

  10. When reviewing print systems spooling, an IS auditor is most concerned with the potential for unauthorized printing of report copies.

  11. Atomicity enforces data integrity by ensuring that a transaction is either completed in its entirety or not at all. Atomicity is one of the ACID properties of transaction processing.

  12. Functioning as a protocol-conversion gateway for wireless WTLS to Internet SSL, the WAP gateway is a component that warrants critical concern and review for the IS auditor when auditing and testing controls that enforce message confidentiality. During protocol conversion, WTLS is decrypted and then re-encrypted with SSL. Therefore, the traffic is in plain text for a brief moment at the WAP gateway.

  13. When trying to determine the existence of unauthorized access to data by a user or program, the IS auditor often reviews the system logs.

  14. Proper segregation of duties prevents a computer operator (user) from performing security administration duties.

  15. A graphical map of the network topology is essential for the IS auditor to obtain a clear understanding of network management.

  16. Modems (modulation/demodulation) convert analog transmissions to digital, and digital transmissions to analog, and are required for analog transmissions to enter a digital network.

  17. If users have direct access to a database at the system level, risk of unauthorized and untraceable changes to the database increases.

  18. Neural networks are effective in detecting fraud because they have the capability to consider a large number of variables when trying to resolve a problem.

Protection of Information Assets

  1. A long asymmetric encryption key (public-key encryption) increases encryption overhead and cost.

  2. Creating user accounts that automatically expire by a predetermined date is an effective control for granting temporary access to vendors and external support personnel.

  3. Worms are malicious programs that can run independently and can propagate without the aid of a carrier program such as email.

  4. Outbound traffic filtering can help prevent an organization’s systems from participating in a distributed denial-of-service (DDoS) attack.

  5. Identifying network applications such as mail, web, or FTP servers to be externally accessed is an initial step in creating a proper firewall policy.

  6. Improperly configured routers and router access lists are a common vulnerability for denial-of-service attacks.

  7. With public-key encryption, or asymmetric encryption, data is encrypted by the sender using the recipient’s public key, and the data is then decrypted using the recipient’s private key.

  8. Trojan horse programs are a common form of Internet attack.

  9. The SSL protocol provides confidentiality through symmetric encryption such as Data Encryption Standard, or DES.

  10. Network performance-monitoring tools are used to measure and ensure proper network capacity management and availability of services.

  11. Information systems security policies are used as the framework for developing logical access controls.

  12. Intrusion-detection systems (IDS) are used to gather evidence of network attacks.

  13. Time stamps are an effective control for detecting duplicate transactions such as payments made or received.

  14. Traffic analysis is a passive attack method used by intruders to determine potential network vulnerabilities.

  15. File encryption is a good control for protecting confidential data that resides on a PC.

  16. Although many methods of fire suppression exist, dry-pipe sprinklers are considered to be the most environmentally friendly.

  17. Logical access controls should be reviewed to ensure that access is granted on a least-privilege basis per the organization’s data owners.

  18. A callback system is a remote access control in which the user initially connects to the network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently dials back the user at a predetermined number stored in the server’s configuration database.

Disaster Recovery and Business Continuity

  1. End-user involvement is critical during the business impact assessment phase of business continuity planning.

  2. Redundancy provides both integrity and availability. Organizations should use offsite storage facilities to maintain redundancy of current and critical information within backup files.

  3. Of the three major types of BCP tests (paper, walk-through, and preparedness), only the preparedness test uses actual resources to simulate a system crash and validate the plan’s effectiveness.

  4. The primary purpose of business continuity planning and disaster-recovery planning is to mitigate, or reduce, the risk and impact of a business interruption or disaster. Total elimination of risk is impossible.

  5. Disaster recovery for systems typically focuses on making alternative processes and resources available for transaction processing.

  6. If a database is restored from information backed up before the last system image, the system should be restarted before the last transaction because the final transaction must be reprocessed.

  7. Of the three major types of BCP tests (paper, walk-through, and preparedness), a walk-through test requires only that representatives from each operational area meet to review the plan.

  8. An offsite processing facility should not be easily identifiable externally because easy identification would create an additional vulnerability for sabotage.

  9. Criticality of assets is often influenced by the business criticality of the data to be protected and by the scope of the impact upon the organization as a whole. For example, the loss of a network backbone creates a much greater impact on the organization as a whole than the loss of data on a typical user’s workstation.

  10. Although the primary business objective of BCP and DRP is to mitigate the risk and impact of a business interruption, the dominating objective remains the protection of human life.

  11. Of the three major types of offsite processing facilities (hot, warm, and cold), a cold site is characterized by at least providing for electricity and HVAC. A warm site improves upon this by providing for redundant equipment and software that can be made operational within a short time.

  12. Single points of failure and vulnerability to a common disaster are mitigated by geographically dispersing resources.

  13. With the objective of mitigating the risk and impact of a major business interruption, a disaster-recovery plan should endeavor to reduce the length of recovery time necessary and the costs associated with recovery.

    Although DRP results in an increase of pre- and post-incident operational costs, the extra costs are more than offset by reduced recovery and business impact costs.

  14. Mitigating the risk and impact of a disaster or business interruption usually takes priority over transferring risk to a third party such as an insurer.

  15. A cold site is often an acceptable solution for preparing for recovery of noncritical systems and data.

  16. Offsite data storage should be kept synchronized when preparing for recovery of time-sensitive data such as that resulting from transaction processing.

  17. Any changes in systems assets, such as replacement of hardware, should be immediately recorded within the assets inventory of a business continuity plan.

  18. Shadow file processing can be implemented as a recovery mechanism for extremely time-sensitive transaction processing.

Business Application System Development, Acquisition, Implementation, and Maintenance

  1. Obtaining user approval of program changes is very effective for controlling application changes and maintenance.

  2. A clause for requiring source code escrow in an application vendor agreement is important to ensure that the source code remains available even if the application vendor goes out of business.

  3. Library control software restricts source code to read-only access.

  4. Decision trees use questionnaires to lead the user through a series of choices to reach a conclusion.

  5. Regression testing is used in program development and change management to determine whether new changes have introduced any errors in the remaining unchanged code.

  6. Source code escrow protects an application purchaser’s ability to fix or change an application in case the application vendor goes out of business.

  7. Determining time and resource requirements for an application-development project is often the most difficult part of initial efforts in application development.

  8. The project sponsor is ultimately responsible for providing requirement specifications to the software-development team.

  9. A primary high-level goal for an auditor who is reviewing a system-development project is to ensure that business objectives are achieved. This objective guides all other systems-development objectives.

  10. Regression testing should use data from previous tests to obtain accurate conclusions regarding the effects of changes or corrections to a program, and ensure that those changes and corrections have not introduced new errors.

  11. Whenever an application is modified, the entire program, including any interface systems with other applications or systems, should be tested to determine the full impact of the change.

  12. An IS auditor should carefully review the functional requirements in a systems-development project to ensure that the project is designed to meet business objectives.

  13. The quality of the metadata produced from a data warehouse is the most important consideration in the warehouse’s design.

  14. Procedures to prevent scope creep are baselined in the Design Phase of the Systems-Development Life Cycle (SDLC) model.

  15. Function point analysis (FPA) provides an estimate of the size of an information system based on the number and complexity of a system’s inputs, outputs, and files.

  16. Application controls should be considered as early as possible in the systems-development process, even in the development of the project’s functional specifications.

  17. User management assumes ownership of a systems-development project and the resulting system.

  18. Rapid Application Development (RAD) is used to develop strategically important systems faster, reduce development costs, and still maintain high quality.

Business Process Evaluation and Risk Management

  1. Run-to-run totals can verify data through various stages of application processing.

  2. Input/output controls should be implemented for both the sending and the receiving application in an integrated systems environment.

  3. The board of directors and executive officers are ultimately accountable for the functionality, reliability, and security within IT governance.

  4. Authentication techniques for sending and receiving data between EDI systems are crucial to prevent unauthorized transactions.

  5. Data-mining techniques can be used to help identify and investigate unauthorized transactions.

  6. After identifying potential security vulnerabilities, the IS auditor should perform a business impact analysis of the threats that would exploit the vulnerabilities.

  7. Network environments often add to the complexity of program-to-program communication, making application systems implementation and maintenance more difficult.
