CISA Notes


  • This document contains unedited notes and has not been formally proofread.
  • The information provided in this document is intended to provide a basic understanding of certain technologies.
  • Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
  • Some websites and software may be flagged as malware by antivirus programs.
  • The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
  • The document is not a substitute for professional advice or expert analysis and should not be used as such.
  • The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
  • The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
  • The author disclaims any liability for any damages or losses that may result from the use of this document or the information contained therein.
  • The author reserves the right to update or change the information contained in this document at any time without prior notice.

  • Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
  • It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
  • Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
  • It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
  • It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
  • It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.


  • https://www.linkedin.com/learning
    • CISA Cert Prep: 1 Auditing Information Systems for IS Auditors
    • CISA Cert Prep: 2 Information Technology Governance and Management for IS Auditors
    • CISA Cert Prep: 3 Information Technology Life Cycle for IS Auditors
    • CISA Cert Prep: 4 IT Operations, Maintenance, and Service Delivery for IS Auditors
    • CISA Cert Prep: 5 Information Asset Protection for IS Auditors
  • CISA Review Manual

Certified Information Systems Auditor (CISA)

Modules under CISA

  • 1. Information Systems Auditing Process.
  • 2. Governance and Management of IT.
  • 3. Information Systems Acquisition, Development, and Implementation.
  • 4. Protection of Information Assets.

1. Information Systems Auditing Process

The Topics covered are
  • Planning
  • Execution


Auditing Information Systems 

Information Systems Audits and Assessments

  • Inputs come from: vulnerability assessments, penetration testing, compliance assessments [GDPR, HIPAA, credit cards]
  • HIPAA - Health Insurance Portability and Accountability Act
  • SOC 2 is a report based on the standards of the Auditing Standards Board of the American Institute of Certified Public Accountants
  • General Data Protection Regulation (GDPR) compliance
  • Internal audit of security policy, standards and procedures
  • Software development assessment
  • Incident response
  • BCP - Business Continuity Planning

Types of Audits 

Internal Audits and External Audits
The scope of the audit, roles, functions, and management responsibility are defined in the Audit Charter.

Audit Planning 

Short-Term Planning
Long-Term Planning

Business processes are categorized based on risk factor - High, Medium and Low

IS Internal controls

Risk Analysis

  • Vulnerability - weakness in the system
  • Threat - exploits vulnerabilities 
  • Control or Countermeasure 

Internal objectives and controls 

  • CIA - Confidentiality, Integrity, Availability
  • Three types of controls:
    • Administrative or soft controls
    • Technical or logical controls
    • Physical controls

3 Types of Characteristics of controls 


Frameworks - documented best practices

  • ITIL - IT Infrastructure Library
  • ISO 27000 series
  • COBIT 5 - Control Objectives for Information and Related Technologies 

Performing IS Audit 

  • Two-person rule - one person performs the audit and another verifies it
  • Independent auditors  

Communicating Audit results 

  • Audit Reporting 
  • Closing Findings
  • Control Self-assessment [CSA] 
  • Continuous Auditing 



Information Systems Auditing Process

Part A. Planning: 

  • IS Audit Standards, Guidelines and Codes of Ethics

  • Business Processes
  • Types of Controls
  • Risk-based Audit Planning
  • Types of Audits and Assessments

Part B. Execution:

  • Audit Project Management
  • Sampling Methodology
  • Audit Evidence Collection Techniques
  • Data Analytics
  • Reporting and Communication Techniques
  • Quality Assurance and Improvement of the Audit Process

1. Audit Standards, Guidelines and code of ethics

IT Audit Standards & Guidelines
The ISACA IT audit framework is divided into three categories:
  • General:
    • Fundamental principles are provided 
  • Performance
    • Address the execution of the task
  • Reporting:
    • Cover the various report formats, methods of communication

2. Business Process


  • Audit Charter
    • The audit charter encompasses management's responsibilities, the objectives and the entire scope of the IS audit.


  • Audit Resource Management
    • Auditors need to improve their abilities to conduct audits on emerging technologies.


  • Short-term and long-term planning and analysis, performed annually
  • Risk is classified as High, Medium and Low
  • Audit plan for all risks rated as High


    • Impact of Laws and Regulations on IS Audit Planning

      • Evaluate the necessary legal certifications mandated by internal and external entities for IT systems.
      • Analyze the pertinent laws and regulations that are relevant to the audit.
      • Implement procedures to ensure adherence and compliance with the regulations.

    E: Business Process Applications and Control

    • ECommerce
    • Electronic Data Interchange
    • Email
    • Point-of-sale Systems
    • Electronic Banking
    • Electronic Funds Transfer
    • Automated Teller Machine
    • Electronic Finance
    • Integrated Manufacturing Systems
    • Interactive Voice Response
    • Purchase Accounting System
    • Image Processing
    • Industrial Control Systems
    • Artificial Intelligence and Expert Systems
    • Supply Chain Management

    • Customer Relationship Management

    F: Using the Services of Other Auditors and Experts

    3. Types of Controls

    • Control Objectives and Control Measures
      • IS Control Objectives
    • Evaluation of the Control Environment
    • General Controls
    • IS-specific Controls

    4. Risk based Audit Planning

    • Audit Risk and Materiality
    • Risk Assessment
    • IS Audit Risk Assessment Techniques
    • Risk Analysis

    5. Types of Audits and Assessments

    Part B: Execution

    6. Audit Project Management

    • Audit Objectives
    • Audit Phases
    • Audit Programs
      • Minimum Skills to Develop an Audit Program
      • Audit Work Papers
    • Fraud, Irregularities and Illegal Acts

    7. Sampling Methodology
    • Compliance Versus Substantive Testing
    • Sampling
      • Sampling Risk
    8. Audit Evidence Collection Techniques
    • Interviewing and Observing Personnel in Performance of Their Duties
    9. Data Analytics

    • Computer-assisted Audit Techniques
      • CAATs as a Continuous Online Audit Approach
    • Continuous Auditing and Monitoring
    • Continuous Auditing Techniques

    10. Reporting and Communication Techniques

    • Communicating Audit Results
    • Audit Report Objectives
    • Audit Report Structure and Contents
    • Audit Documentation
    • Follow-up Activities
    • Types of IS Audit Reports

    11. Quality Assurance and Improvement of the Audit Process

    • Control Self-assessment
      • Objectives of CSA
      • Benefits of CSA
      • Disadvantages of CSA
      • The IS Auditor’s Role in CSA
    • Integrated Auditing


    Governance and Management of IT

    The Topics covered are

    • IT Governance
      • IT governance is about setting clear directions and providing instructions to the management team who then carry out the tasks accordingly.

    • IT Management

      • 1. IT Governance and IT Strategy
      • 2. IT-related Frameworks
      • 3. IT Standards, Policies, and Procedures
      • 4. Organizational Structure
      • 5. Enterprise Architecture
      • 6. Enterprise Risk Management
      • 7. Maturity Models
      • 8. Laws, Regulations and Industry Standards Affecting the Organization

    Part A: IT Governance

    Key Practice 

      • Adhere to a governance framework that outlines the rules and guidelines for IT management.
      • COBIT 5 - ISACA framework for IT management
      • ISO 27001
      • ITIL - framework for IT service delivery
      • ISO 38500 - framework of IT governance

        • 1. Create an IT strategy and establish steering committees to guide decision-making.

          • A. Strategy is on governance side

            • Board members who are responsible for overseeing IT matters.
            • Ensuring that IT aligns with the overall business goals.
            • Defining and monitoring strategic objectives.
            • Providing resources for IT initiatives.
            • Optimizing IT spending to achieve maximum value.
            • Managing investments in IT projects.
            • Managing and mitigating IT-related risks.
            • Offering guidance and direction to the management team.

          • B. Steering committee is on the management side

            • Managing and overseeing spending related to IT initiatives.
            • Ensuring proper architecture and engineering of IT systems.
            • Allocating resources for IT projects and initiatives.
            • Managing project timelines and deliverables.
            • Forming and leading project teams.
            • Providing feedback to the board about IT strategy and initiatives.

        • 2. Utilize an IT balanced scorecard to measure and track performance.

          • A. The scorecard can be viewed from these perspectives

            • Financial Perspective: Evaluating the financial impact and outcomes of IT initiatives.
            • Customer Perspective: Assessing how IT services and solutions meet customer needs and expectations.
            • Internal Processes Perspective: Focusing on improving internal IT processes and operations.
            • Learning & Growth Perspective: Emphasizing the development of IT skills and capabilities for future success.

          • B. Metrics are reported with dashboards

        • 3. Incorporate information governance to ensure the effective management and control of information assets.

          • Security Governance roles

            • Directors
            • Security Steering Committee
            • CISO - Chief Information Security Officer
            • Managers and staff

          • Security Governance Provides

            • Security and Risk Management: Ensuring protection against potential threats and managing security risks.
            • Asset Security: Safeguarding valuable assets and information.
            • Communications and Network Security: Securing communication channels and networks.
            • Identity and Access Management: Controlling and managing user access to systems and data.
            • Security Assessment and Testing: Conducting evaluations and tests to identify vulnerabilities.
            • Software Development Security: Implementing security measures in software development processes.

        • 4. Enterprise architecture 

          • Translate business drivers to architectural decisions
          • Assist decision makers
          • Practice of diagramming and documenting the architecture of the enterprise
          • There are different aspects of enterprise architecture:

            • Business Architecture: This focuses on the organization's business strategy, goals, and objectives.
            • Information Architecture: This deals with the structure, processes, and storage architecture, also known as data architecture.
            • Application Architecture: This involves the design of applications and services, supported by technical architecture, which is also known as information systems architecture.
            • Technical Architecture: This covers the IT infrastructure, including hardware, software, and networks.

            • Frameworks to check:
              • Zachman Framework
              • TOGAF - The Open Group Architecture Framework
              • SABSA - Sherwood Applied Business Security Architecture

          • 5. Policies, Processes, and Standards

            • Policies: These are rules that state what needs to be done to meet certain requirements.
            • Standards: These specify the specific data or information needed to fulfill those requirements.
            • Processes: These are the steps or procedures that must be followed to meet the requirements.
            • Guidelines: These are suggestions or recommendations on how to meet a requirement effectively.
            • Baselines: Minimum level of security
            • Master Security Program policy

              • The Master Security Program policy outlines all the policies that need to be followed.
              • It also establishes the process for creating, modifying, maintaining, and sharing these policies.

            • Access Control Policies

              • Access Control Policies: These policies define the rules for allowing, removing, changing, and verifying access to systems, applications, and data.
              • Authorization and Identification Policy: This policy outlines how user accounts and group memberships are managed to ensure proper access control.
              • Password Policy: This policy sets guidelines for creating and managing passwords to enhance security.
              • Granting User Rights and Privileges: This policy governs how user rights and privileges are assigned to maintain the appropriate level of access.
              • Monitoring Policy: This policy establishes guidelines for monitoring access and activities to detect any unauthorized or suspicious behavior.

            • Data Classification and Control policies

              • Data life cycle policy
              • Data classification policy
              • Data ownership policy
              • Information labelling and handling policy

            • Communication Security policies

              • Data & wireless communication and encryption policies

            • Security testing policies

              • Vulnerability
              • App security testing

            • Configuration and Change management policies

            • Malicious code policy

            • Incident Management Policies

            • Backup and recovery policies

            • Third-party Control policies

          • 6. Auditing Governance and documentation

            • Framework used
              • COBIT
              • ITIL
              • ISO 27001 or 38500

            • Planning
              • Plans, processes, frequencies

            • Audit Documentation
              • Existing policies
              • Are up to date
              • Auditing a balanced scorecard
              • KPIs

          • 7. Risk Management Process

            • Risk Analysis

              • Vulnerabilities
              • Threat
              • Countermeasures 

            • Risk Matrix
              • Probability of occurrence vs. business impact

            • Plan - Collect Information - Define risk control
              • Risk mitigation
              • Risk transference
              • Risk acceptance
              • Risk Avoidance 

            • Risk Planning Phase

              • Risk assessment team
              • Define team / scope / method / tools / acceptable risk level

            • Collection Phase

              • Identify assets - tangible & intangible

              • Assign value to assets

              • Identify vulnerabilities and threats
              • Calculate risk index - low to high

              • Cost - benefit analysis

              • Residual risks 

              • Uncertainty Analysis

            • Risk Dealing Process
              • Risk Mitigation
              • Risk transference
              • Risk acceptance
              • Risk avoidance

            • Auditing Risk management

          • 8. IT Management, Structure, and Responsibility

            • IT organization structure

              • Resource
                • Internal
                  • Employee
                • External
                  • Third-party

    Part B: IT Management

    • 1. IT Resource Management
    • 2. IT Service Provider Acquisition and Management
    • 3. IT Performance Monitoring and Reporting
    • 4. Quality Assurance and Quality Management of IT
    • 5.

