CISA Flashcards
Preventive control
Detects problems before they arise and prevents an error, omission or malicious act from occurring.
Detective control
Detects and reports the occurrence of an error, omission or malicious act after it has happened.
Corrective control
Minimizes the impact of a threat and corrects errors arising from a problem.
Inherent Risk
The risk level that exists before any controls are taken into account.
Control risk
The risk that a material error exists that would not be prevented or detected on a timely basis by the existing controls.
Detection risk
The risk that material errors or misstatements are not identified by the IS audit procedures.
Overall audit risk
The combination of inherent, control and detection risk: the probability that information or financial reports contain material errors or misstatements that the audit does not detect.
Risk Mitigation
Reducing risk by implementing controls.
Risk Acceptance
Acknowledging the risk and taking no further action to reduce it, because the remaining risk is within the organization's appetite.
Risk Avoidance
Avoiding the risk by not allowing the activity that would cause it.
Nonstatistical sampling
Judgmental method of determining the sample size and selecting the sample.
Risk Sharing (Transfer)
Transferring part of the risk to other parties, e.g. through insurance or outsourcing.
Statistical Sampling
Objective (mathematical) method of determining the sample size and selecting the sample.
Attribute sampling
Answers the question "how many?" (a rate of occurrence) and is therefore used in compliance testing. For example: how many user access requests out of the total were approved?
Stop-or-go sampling
Helps prevent excessive sampling by allowing the auditor to stop testing at the earliest possible moment; appropriate when relatively few errors are expected in the population.
Inquiry
Interview of the respective personnel.
Observation
Watching the process or control being performed and the related audit evidence.
Walkthroughs
Technique used to confirm the auditor's understanding of the controls by following a transaction through the process.
Reperformance
The auditor independently re-executes the control or calculation; generally provides better audit evidence than the other methods.
SCARF
System Control Audit Review File. Embedding of audit software into the host application for continuous auditing. Useful when regular processing cannot be interrupted.
Snapshots
This technique involves taking "pictures" of a transaction at the start and at the end of the process flow. Transactions are tagged by identifiers. Useful when an audit trail is required.
Audit Hooks
Embedding of hooks in the application's functions to act as alerts for detection and prevention. Useful when only selected transactions need to be examined.
ITF
Integrated test facility. Test transactions are processed at the same time as live transactions in the same environment. Useful when it is not beneficial to use test data.
CIS (Continuous and intermittent simulation)
Useful when transactions meeting certain criteria need to be examined.
CSA
Control self-assessment. Assessment of controls made by staff and management. Does not replace the external audit function; the IS auditor acts as facilitator. Helps with early detection of risk and enhances the external audit.
ISO 27000 series
Series of best-practice standards that provide guidance to organizations implementing and maintaining information security management systems.
COBIT
Developed by ISACA to support EGIT (enterprise governance of IT) by providing a framework that ensures that IT is aligned with the business, that IT enables the business, and that benefits are maximized.
ITIL
Framework used to achieve operational IT service management.
High level information security policy
Should include statements on confidentiality, integrity and availability.
Data classification policy
Should describe the classification levels, the level of control for each, and the responsibilities of all potential users, including ownership.
Acceptable use policy
Covers all information resources and describes the organizational permissions for the usage of IT and information-related resources.
End-user computing policy
Describes the parameters and usage of desktop, mobile computing and other tools by users.
Access control policies
Describe the method for defining and granting access to users to various IT resources.
IT Steering committee
Reviews long- and short-range plans of the IT department. Ensures that IT plans align with corporate objectives. Reports on IS activities to the board of directors.
Risk Management program
1. Asset identification 2. Evaluation of threats and vulnerabilities to assets 3. Evaluation of impact 4. Calculation of risk 5. Evaluation of the response to risk
Planning phase
1. Audit subject 2. Audit objective 3. Audit scope 4. Pre-audit planning 5. Determine procedures
Risk based audit approach
1. Gather information and plan 2. Obtain understanding of internal controls 3. Perform compliance tests 4. Perform substantive tests 5. Conclude the audit
Fieldwork and documentation phase
1. Acquire data 2. Test controls 3. Issue discovery and validation 4. Document results
Reporting phase
1. Gather report requirements 2. Draft report 3. Issue report 4. Follow up
CMMI
Capability maturity model integration. Used to evaluate the management of a computer center, the development function and the change management process against defined maturity levels.
SOC 2
Report on the service organization's system controls relevant to security, availability, processing integrity, confidentiality or privacy.
SOC 1
Report on the service organization's system controls likely to be relevant to user entities' internal control over financial reporting.
SOC 3
Similar to SOC 2 but does not include the detailed description of the design of controls and the tests performed by the service auditor; intended for general distribution.
IT Balanced Scorecard
Drives the organization towards optimal use of IT, aligned with the organization's strategic goals, by measuring IT performance on more than financial results.
QA
Quality assurance. Verifies that system changes are authorized, tested and implemented in a controlled manner before being introduced into production.
Project portfolio
All projects being carried out in the organization at a given point in time.
FPA
Function point analysis. Technique for estimating the size (complexity) of a large business application from the number and complexity of its inputs, outputs, files, interfaces and inquiries.
SLOC
Source lines of code. A count of source code lines; can be used to estimate the size of small, non-complex applications.
GANTT Charts
Aid in scheduling and monitoring of project activities.
Critical path
The sequence of activities that produces the longest path through a project; activities on it have zero slack, so any delay on them delays the whole project. Used to estimate the overall time required to complete the project.
Timebox management
Project management technique for defining and deploying a software deliverable within a short, fixed time frame. Combines the QA and UAT functions.
PERT
Program evaluation and review technique. Uses three time estimates per activity (optimistic, most likely, pessimistic) to estimate the length of the project.
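The critical path and PERT cards above, as an added worked example that is not part of the original flashcards: the tasks, dependencies and three-point estimates below are constructed for illustration, and the code computes PERT expected durations, a forward/backward pass, slack and the critical path.

```python
"""Critical path and PERT expected durations for a small project schedule.
Added example, not part of the original flashcards; the tasks, dependencies
and three-point estimates below are constructed for illustration."""
from collections import defaultdict

# PERT three-point estimates in days: (optimistic, most likely, pessimistic),
# plus the tasks that must finish before this one can start.
TASKS = {
    "requirements": ((3, 5, 10),   []),
    "design":       ((4, 6, 14),   ["requirements"]),
    "develop":      ((10, 15, 26), ["design"]),
    "test_env":     ((2, 3, 4),    ["requirements"]),
    "test":         ((3, 5, 13),   ["develop", "test_env"]),
    "deploy":       ((1, 1, 1),    ["test"]),
}

def pert_expected(o: float, m: float, p: float) -> float:
    """PERT weighted mean duration: (O + 4M + P) / 6."""
    return (o + 4 * m + p) / 6

def schedule(tasks: dict):
    """Forward and backward pass over the task DAG.
    Returns (critical_path, project_duration, slack_per_task)."""
    dur = {t: pert_expected(*est) for t, (est, _) in tasks.items()}
    deps = {t: d for t, (_, d) in tasks.items()}

    # Topological order via depth-first search (tasks must form a DAG).
    order, seen = [], set()
    def visit(t):
        if t in seen:
            return
        seen.add(t)
        for d in deps[t]:
            visit(d)
        order.append(t)
    for t in tasks:
        visit(t)

    # Forward pass: earliest start/finish.
    es, ef = {}, {}
    for t in order:
        es[t] = max((ef[d] for d in deps[t]), default=0.0)
        ef[t] = es[t] + dur[t]
    project_end = max(ef.values())

    # Backward pass: latest start/finish.
    successors = defaultdict(list)
    for t in tasks:
        for d in deps[t]:
            successors[d].append(t)
    ls, lf = {}, {}
    for t in reversed(order):
        lf[t] = min((ls[s] for s in successors[t]), default=project_end)
        ls[t] = lf[t] - dur[t]

    # Slack = latest start - earliest start; zero slack means the task is critical.
    slack = {t: ls[t] - es[t] for t in tasks}
    critical = [t for t in order if slack[t] == 0]
    return critical, project_end, slack

if __name__ == "__main__":
    crit, end, slack = schedule(TASKS)
    print("critical path:", " -> ".join(crit), f"({end} days)")
    print("slack per task:", slack)
```

With these numbers the test-environment build has 20 days of slack, so it can slip without moving the end date; everything on the requirements, design, develop, test, deploy chain cannot.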
SDLC
Software development life cycle. 1. Feasibility study 2. Requirements definition 3A. Software selection and acquisition 3B. Design 4B. Development 5. Final testing and implementation 6. Post-implementation
Prototyping
Software development methodology. The finished product usually lacks controls. Changes in design and requirements happen quickly, which makes change management complicated.
RAD
Rapid application development. Develops strategically important applications quickly while reducing development costs and maintaining quality. RAD uses prototyping.
OOSD
Object oriented system development. Data and procedures can be grouped into an entity known as an object. Advantages: capacity to meet the demands of a changing environment; manages an unrestricted variety of data types.
Component based development
Assembles applications from pre-built, already tested components; reduces development time.
Sequence check
Out-of-sequence or duplicated control numbers are rejected or noted for follow-up.
Limit check
Data should not exceed a predetermined amount.
Data Atomicity
A transaction is either completed in its entirety or not at all.
Range check
Data should fall within a predetermined range (both a lower and an upper bound).
Data Consistency
All integrity conditions in the database are maintained with each transaction.
Table lookups
Input data must match an entry in a predetermined, computerized table of valid values.
Validity check
Programmed checking of data validity in accordance with predetermined criteria (e.g. a real calendar date).
Check digit
A numeric value calculated mathematically from the data and appended to it, so that transposition and transcription errors can be detected. It catches accidental errors, not deliberate alteration.
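The input-validation cards above (sequence, limit, range, table lookup, validity and check digit) as one added worked example, not taken from the original flashcards: the batch of transactions, field names, limits, cost-centre table and the use of the Luhn mod-10 scheme as the check digit are all constructed assumptions.

```python
"""Programmed input-validation controls run over a constructed batch of
transactions. Added example, not from the original flashcards; the field names,
limits, cost-centre table and the Luhn (mod-10) check-digit scheme are
assumptions made for illustration."""
import datetime

VALID_COST_CENTRES = {"CC100", "CC200", "CC300"}   # reference table for the table lookup
AMOUNT_LIMIT = 10_000.00                            # limit check: upper bound only
QTY_RANGE = (1, 500)                                # range check: lower and upper bound

def luhn_valid(number: str) -> bool:
    """Check digit (Luhn mod-10). The rightmost digit is derived from the others,
    so a mistyped or transposed digit makes the weighted sum fail to divide by 10."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def validate_batch(txns: list) -> dict:
    """Return {seq: [failed checks]}; clean records do not appear.
    The sequence check runs across the batch, the other checks per record."""
    findings = {}

    def flag(seq, msg):
        findings.setdefault(seq, []).append(msg)

    expected, seen = None, set()
    for t in txns:
        seq = t["seq"]
        # Sequence check: duplicated or skipped control numbers are noted for follow-up.
        if seq in seen:
            flag(seq, "sequence: duplicate control number")
        elif expected is not None and seq != expected:
            flag(seq, f"sequence: gap, expected {expected}")
        seen.add(seq)
        expected = seq + 1
        # Limit check: amount must not exceed the predetermined maximum.
        if t["amount"] > AMOUNT_LIMIT:
            flag(seq, f"limit: amount {t['amount']} exceeds {AMOUNT_LIMIT}")
        # Range check: quantity must lie within the predetermined range.
        lo, hi = QTY_RANGE
        if not lo <= t["qty"] <= hi:
            flag(seq, f"range: qty {t['qty']} outside {lo}..{hi}")
        # Table lookup: cost centre must exist in the reference table.
        if t["cost_centre"] not in VALID_COST_CENTRES:
            flag(seq, f"table lookup: unknown cost centre {t['cost_centre']}")
        # Validity check: the date must be a real calendar date.
        try:
            datetime.date.fromisoformat(t["date"])
        except ValueError:
            flag(seq, f"validity: {t['date']} is not a valid date")
        # Check digit: the account number must carry a correct Luhn digit.
        if not luhn_valid(t["account"]):
            flag(seq, f"check digit: account {t['account']} fails mod-10")
    return findings

# Constructed batch: record 1 is clean; record 2 exceeds the limit and is then
# duplicated; the numbering jumps to 5, which fails every per-record check except the limit.
BATCH = [
    {"seq": 1, "amount": 250.00,   "qty": 10, "cost_centre": "CC100", "date": "2024-02-29", "account": "79927398713"},
    {"seq": 2, "amount": 12500.00, "qty": 3,  "cost_centre": "CC200", "date": "2024-03-01", "account": "79927398713"},
    {"seq": 2, "amount": 300.00,   "qty": 3,  "cost_centre": "CC200", "date": "2024-03-01", "account": "79927398713"},
    {"seq": 5, "amount": 40.00,    "qty": 0,  "cost_centre": "CC999", "date": "2024-02-30", "account": "79927398710"},
]

if __name__ == "__main__":
    for seq, problems in validate_batch(BATCH).items():
        print(seq, problems)
```

Note that the failing records are flagged for follow-up rather than silently dropped: an auditor wants the exception report, and a control that discards bad input without a trace is itself a finding.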
Regression testing
Rerunning the same tests after changes have been made to the program, to confirm that the changes did not break existing functionality.
White box testing (software)
Assesses the effectiveness of the program's internal logic, with knowledge of the code.
Sociability testing
Test to confirm that the new or modified system can operate in the target environment alongside the other systems already running there.
Black box testing (software)
Functional/operational effectiveness testing without knowledge of the internal code.
Parallel testing
Feeding the same test data to the existing system and the system under development and comparing the results.
Top down software testing
Advantages: tests of major functions and processing are conducted early; interface errors can be detected sooner.
Bottom up software testing
Begins testing with atomic units, such as programs and modules. Advantages: errors in critical modules are found early; testing can start before all programs are complete.
Data Isolation
Each transaction is isolated from other transactions; its intermediate, uncommitted results are not visible to them.
Data Durability
Once a transaction is reported as complete, its changes survive subsequent hardware or software failures.
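The four ACID cards (atomicity, consistency, isolation, durability) as one added worked example using SQLite from the Python standard library; this is not code from the original flashcards, and the account table, balances and transfer scenario are constructed assumptions.

```python
"""ACID properties demonstrated with SQLite (Python standard library).
Added example, not from the original flashcards; the `account` table and the
transfer scenario are constructed for illustration."""
import os
import sqlite3
import tempfile

SCHEMA = """
CREATE TABLE account (
    id      TEXT PRIMARY KEY,
    balance INTEGER NOT NULL CHECK (balance >= 0)  -- integrity condition (consistency)
);
"""

def new_db() -> str:
    """Create a ledger file with two accounts and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "ledger.db")
    con = sqlite3.connect(path, isolation_level=None)  # we issue BEGIN/COMMIT ourselves
    con.executescript(SCHEMA)
    con.execute("INSERT INTO account (id, balance) VALUES ('A', 100), ('B', 50)")
    con.close()
    return path

def transfer(path: str, src: str, dst: str, amount: int) -> bool:
    """Move `amount` from src to dst as ONE transaction.
    Atomicity: if the debit violates the CHECK constraint, the credit that
    already ran inside the same transaction is undone by ROLLBACK."""
    con = sqlite3.connect(path, isolation_level=None)
    try:
        con.execute("BEGIN")
        con.execute("UPDATE account SET balance = balance + ? WHERE id = ?", (amount, dst))
        con.execute("UPDATE account SET balance = balance - ? WHERE id = ?", (amount, src))
        con.execute("COMMIT")        # durability: the change is now on disk
        return True
    except sqlite3.IntegrityError:   # consistency: CHECK (balance >= 0) failed
        con.execute("ROLLBACK")
        return False
    finally:
        con.close()

def balances(path: str) -> dict:
    """Read committed state through a fresh connection (what a restart would see)."""
    con = sqlite3.connect(path)
    rows = dict(con.execute("SELECT id, balance FROM account ORDER BY id"))
    con.close()
    return rows

def isolation_demo(path: str) -> int:
    """Isolation: a writer with an open, uncommitted UPDATE does not expose its
    intermediate value to a concurrent reader. Returns the balance the reader saw."""
    writer = sqlite3.connect(path, isolation_level=None)
    writer.execute("BEGIN")
    writer.execute("UPDATE account SET balance = balance + 1000 WHERE id = 'A'")
    reader = sqlite3.connect(path)
    seen = reader.execute("SELECT balance FROM account WHERE id = 'A'").fetchone()[0]
    reader.close()
    writer.execute("ROLLBACK")
    writer.close()
    return seen

if __name__ == "__main__":
    db = new_db()
    print("overdraft rolled back:", not transfer(db, "A", "B", 150), balances(db))
    print("valid transfer committed:", transfer(db, "A", "B", 30), balances(db))
    print("reader during open write saw A =", isolation_demo(db))
```

The first transfer credits B before the debit on A fails the CHECK constraint; without the explicit transaction the credit would have stuck, which is exactly the partial update atomicity rules out.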
Snapshot (program)
Records the flow of designated transactions through logic paths within a program. Verifies program logic.
Mapping
Identifies specific program logic that has not been tested, and analyzes programs during execution to indicate whether program statements have been executed. Identifies potential exposures and inefficiencies.
Tracing and tagging
Tracing shows the trail of instructions executed during an application run. Tagging involves placing an indicator on selected transactions at input and using tracing to track them. Provides an exact picture of the sequence of events.
Test data / deck
Simulates transactions by running prepared test data through the real programs.
Parallel operation
Processes actual production data through both the current system and the system in development. Verifies the new system before the old one is discontinued.
Parallel simulation
Processes production data using computer programs that simulate the application program logic. Eliminates the need to prepare test data.
ITF
Integrated test facility. Creates a fictitious entity (a dummy file or department) in the database; test transactions are processed simultaneously with live data. Periodic testing does not require a separate test process.
Parallel changeover
Running the old and new system in parallel for a period and comparing the results.
Phased changeover
The old system is phased out in pieces.
Abrupt changeover
The old system is replaced by a cutoff at a certain date and time.
BIA
Business Impact Analysis is used to evaluate the critical processes and to determine the time frames, priorities, resources and interdependencies for their recovery. To perform a BIA you need an understanding of the organization and its key business processes. Often this information can be obtained from the risk assessment results.
Alternative routing
Method of routing information via an alternate medium. This method uses different networks, circuits and end points.
DBMS
Database management system. Aids in organizing, controlling and using the data needed by the application programs.
Diverse routing
The method of routing traffic through split cable facilities or duplicate cables.
Long-haul network diversity
Routing of the network through multiple vendors/carriers in case one of the carriers goes out of service.
Full backup
Copies all files and folders to the backup media.
DRP
Disaster recovery plan. The technical (IT recovery) aspect of the BCP.
Incremental backup
Copies the files and folders that have changed since the last incremental or full backup. A restore needs the last full backup plus every incremental backup taken since.
Differential backup
Copies all files and folders that have changed or been added since the last full backup. A restore needs only the last full backup plus the latest differential.
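The full, incremental and differential backup cards as one added worked example, not from the original flashcards: the file timeline (paths, versions and days) is constructed, and the code shows what each strategy copies per day, how many copies it costs, and which backups a restore must apply.

```python
"""What full, incremental and differential backups copy, and what a restore
needs. Added example, not from the original flashcards; the file timeline
(paths, versions, days) is constructed for illustration."""

# Filesystem at the time of the day-0 full backup: {path: version}.
INITIAL = {"/etc/passwd": 1, "/var/app/config.yml": 1, "/etc/hosts": 1}
# Files written on each following day (new version numbers).
CHANGES = {
    1: {"/etc/passwd": 2},
    2: {"/var/app/config.yml": 2, "/home/u/report.doc": 1},
    3: {"/etc/passwd": 3},
}

def state_on(day: int) -> dict:
    """Filesystem contents at the end of `day`."""
    fs = dict(INITIAL)
    for d in range(1, day + 1):
        fs.update(CHANGES.get(d, {}))
    return fs

def backup_sets(strategy: str, last_day: int) -> dict:
    """Return {day: {path: version}} captured by each backup.
    Day 0 is always a full backup. For later days:
      incremental  -> files changed since the previous backup of any type
      differential -> files changed since the last FULL backup (day 0)"""
    sets = {0: state_on(0)}
    reference = 0                       # day the next backup compares against
    for day in range(1, last_day + 1):
        since = 0 if strategy == "differential" else reference
        changed = {}
        for d in range(since + 1, day + 1):
            changed.update(CHANGES.get(d, {}))
        current = state_on(day)
        sets[day] = {p: current[p] for p in changed}   # latest version of each changed file
        if strategy == "incremental":
            reference = day
    return sets

def restore_chain(strategy: str, sets: dict, day: int):
    """Backups to apply, in order, to restore to the end of `day`, and the result.
    A lost or corrupt incremental anywhere in the chain loses every file it held;
    a differential restore needs only the full backup plus the latest differential."""
    if strategy == "differential":
        chain = [0] if day == 0 else [0, day]
    else:
        chain = list(range(0, day + 1))
    fs = {}
    for d in chain:
        fs.update(sets[d])               # later backups overwrite older versions
    return chain, fs

def copies_after_full(sets: dict) -> int:
    """Total file copies made by the backups after day 0 (media and time cost)."""
    return sum(len(s) for d, s in sets.items() if d > 0)

if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        sets = backup_sets(strategy, 3)
        chain, fs = restore_chain(strategy, sets, 3)
        print(strategy, "copies:", copies_after_full(sets), "restore chain:", chain, "ok:", fs == state_on(3))
```

Both strategies restore the same final state; the trade-off is that incremental backups copy less each day while differential backups need fewer pieces (and fewer single points of failure) at restore time.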
BCP (steps)
Business continuity plan. Enables the business to continue offering critical services in the event of a disruption and to survive a disastrous interruption to activities.
1. Project planning 2. Risk assessment and analysis 3. BIA 4. BC strategy development 5. BC plan development 6. BC awareness training 7. BC plan testing 8. BC plan monitoring and maintenance
COOP
Continuity of operations plan. Procedures and guidance to sustain the organization's MEFs (mission-essential functions) at an alternate site for up to 30 days.
Preparedness test
Localized version of a full test, where actual resources are expended in the simulation of a system crash.
Paper test
Paper walkthrough of the plan, involving the major players, who reason through different scenarios.
Full operational test
One step away from an actual service disruption.
Cold Site
Facility with space and basic infrastructure, but lacking any IT or communication equipment, programs, data or office support.
Mobile Site
For example, a van packed with equipment to run small business operations.
Warm site
Complete infrastructure, but only partially configured in terms of IT. Typically the programs and data would need to be loaded at a warm site before it can be used.
Hot Site
Facility with space, basic infrastructure and all IT and communication equipment required to support critical applications. Usually has up-to-date programs and data equivalent to the primary site.
Mirrored site
Fully redundant site with real-time data replication from the production site. Fully equipped and staffed.
Reciprocal agreement
Agreement between separate but similar companies to use each other's premises in case of a disaster.
Symmetric encryption
A single shared key is used both to encrypt and to decrypt the messages.
Asymmetric encryption
Two mathematically related keys are used; one encrypts and the other decrypts. Encrypting with the recipient's public key gives confidentiality; signing with the sender's private key gives authentication, integrity and non-repudiation.
Confidentiality
Confidentiality in this context means that the data is only available to authorized parties.
Authentication
In authentication, the user or computer has to prove its identity to the server or client.
Non-repudiation
Non-repudiation ensures that no party can deny having sent or received a message, or having approved some information; achieved via digital signatures.
Integrity
Integrity means that data or information in your system is maintained so that it is not modified or deleted by unauthorized parties.
Availability
Availability guarantees that systems, applications and data are available to users when they need them.
Hash value
A fixed-length digest computed from a message, used to verify its integrity: any change to the message changes the hash. On its own a hash does not prove who produced the message; a keyed MAC or a digital signature is needed for that.
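The hash-value card above, as an added worked example that is not part of the original flashcards: it contrasts an unkeyed SHA-256 digest (integrity only) with an HMAC (integrity plus origin) on a constructed message, forged message and shared key. Digital signatures, the asymmetric counterpart, are not shown.

```python
"""Integrity with a plain hash versus authenticity with a keyed MAC.
Added example, not from the original flashcards; the message, forged message
and shared key are constructed. Digital signatures (asymmetric) are not shown."""
import hashlib
import hmac

def digest(msg: bytes) -> str:
    """Unkeyed SHA-256: anyone can compute it, so it only detects change when
    the expected value itself comes from a trusted source."""
    return hashlib.sha256(msg).hexdigest()

def integrity_ok(msg: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(digest(msg), expected_hex)   # constant-time compare

def mac(key: bytes, msg: bytes) -> str:
    """HMAC-SHA256: requires the shared key, so it proves origin as well as integrity."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def mac_ok(key: bytes, msg: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(mac(key, msg), tag_hex)

def bits_changed(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two digests (avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def substitution_attack() -> dict:
    """Constructed scenario: the sender publishes msg + hash and msg + MAC;
    an attacker replaces the message and recomputes whatever they can."""
    key = b"constructed-shared-key"            # known to sender and verifier only
    msg = b"PAY 100 TO ACCT 1234"
    h, t = digest(msg), mac(key, msg)
    forged = b"PAY 9000 TO ACCT 6666"
    return {
        # Case 1: message altered, published hash left alone -> detected.
        "hash_detects_tamper": not integrity_ok(forged, h),
        # Case 2: attacker also replaces the published hash -> NOT detected.
        "hash_detects_substitution": not integrity_ok(forged, digest(forged)),
        # Case 3: attacker cannot produce a valid MAC without the key -> detected.
        "mac_detects_substitution": not mac_ok(key, forged, mac(b"attacker-guess", forged)),
        # Original MAC still verifies for the genuine message.
        "mac_accepts_genuine": mac_ok(key, msg, t),
        # Changing one byte of the message flips roughly half of the 256 digest bits.
        "bits_changed_by_one_byte": bits_changed(digest(msg), digest(msg[:-1] + b"5")),
    }

if __name__ == "__main__":
    for k, v in substitution_attack().items():
        print(f"{k}: {v}")
```

Case 2 is the practical point behind the card: a checksum published next to a download on the same server gives no protection against whoever controls that server, which is why release files are signed rather than merely hashed.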
CA
Certificate Authority. Responsible for the issuance and management of digital certificates.
RA
Registration Authority. Delegated the function of verifying the correctness of the information provided by certificate applicants.
IDS
Intrusion detection system. Can be placed either between the firewall and the external network or between the firewall and the internal network. Used to detect and alert on intrusions; it does not block them.
IPS
Intrusion prevention system. Detects and prevents intrusion attacks by blocking the offending traffic inline.
Black-box pen test
Assumes no prior knowledge of the infrastructure. Management must know about and authorize the test before it starts.