
    CISACertifiedInformationSystemsAuditorStudyGuide(3rd 2011).pdf

    Resource ID: 1076512    Size: 17.97 MB    Pages: 696
    Format: PDF    Download cost: 30 points


    CISA
    Certified Information Systems Auditor Study Guide
    Third Edition
    David Cannon

    Acquisitions Editor: Jeff Kellum
    Development Editor: Sara Barry
    Technical Editors: Brady Pamplin and Tim Heagarty
    Production Editor: Christine O'Connor
    Copy Editor: Sharon Wilkey
    Editorial Manager: Pete Gaughan
    Production Manager: Tim Tate
    Vice President and Executive Group Publisher: Richard Swadley
    Vice President and Publisher: Neil Edde
    Book Designers: Judy Fung and Bill Gibson
    Compositor: Craig Woods, Happenstance Type-O-Rama
    Proofreader: Publication Services, Inc.
    Indexer: Robert Swanson
    Project Coordinator, Cover: Katherine Crocker
    Cover Designer: Ryan Sneed
    Illustrators: Kayla McGee, Aaron Tate
    Reviewers: Eric Phifer, Stace McRae, Joseph Shook, Chuck Write, Everette Hubbard, Khan Hamid, and Connie Kerr

    Copyright © 2011 by Wiley Publishing, Inc., Indianapolis, Indiana
    ISBN: 978-0-470-61010-7
    Published simultaneously in Canada

    No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http:/.

    Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

    For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

    Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

    Library of Congress Cataloging-in-Publication Data
    Cannon, David L., 1962-
    CISA: certified information systems auditor study guide / David L. Cannon. 3rd ed.
    p. cm.
    ISBN 978-0-470-61010-7 (pbk.) 978-1-118-03365-4 (ebk.) 978-1-118-03368-5 (ebk.) 978-1-118-03367-8 (ebk.)
    1. Computer security--Examinations--Study guides. 2. Information storage and retrieval systems--Security measures--Examinations--Study guides. 3. Computer networks--Security measures--Examinations--Study guides. 4. Management information systems--Auditing--Examinations--Study guides. I. Title.
    QA76.3.C3445 2011
    005.8--dc22
    2010051405

    TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CISA and Certified Information Systems Auditor are registered trademarks of ISACA. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

    10 9 8 7 6 5 4 3 2 1

    Dear Reader,

    Thank you for choosing CISA: Certified Information Systems Auditor Study Guide, Third Edition. This book is part of a family of premium-quality Sybex books, all of which are written by outstanding authors who combine practical experience with a gift for teaching.

    Sybex was founded in 1976. More than 30 years later, we're still committed to producing consistently exceptional books. With each of our titles, we're working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available.

    I hope you see all that reflected in these pages. I'd be very interested to hear your comments and get your feedback on how we're doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at . If you think you've found a technical error in this book, please visit http:/. Customer feedback is critical to our efforts at Sybex.

    Best regards,
    Neil Edde
    Vice President and Publisher
    Sybex, an Imprint of Wiley

    This third edition is an ongoing tribute to the students who attended our seminars. Their infinite questions were instrumental in the creation of this Study Guide. I wish to express my appreciation to my past employers and clients for the opportunities that led me down this path. I have been blessed to work with the best staff on this planet: Joe DeVoss, Kayla McGee, Aaron Tate, Angela Adair, and Jessica Autry. I would like to express a special appreciation to the following people for their years of encouragement: Carl Adkins, Thomas Carson Jr., Jeff Kellum, Sean Burke, Tarik Nasir, Kris Lonborg, David Bassham, Brady Pamplin, Mark and Kris Herber, Alicia Haskin, Chuck Wright, Eric Phifer, Alicia Haskin, Frank Carter, Chris and Tammy Stevens, Daryl Luthas, Matt and Angelia Gair, Frank Carter, and Gary and Michelle Ames. I hope reading this little book will help you accomplish your dreams.

    Semper Fidelis

    Acknowledgments

    We would like to thank Acquisitions Editor Jeff Kellum and Development Editor Sara Barry for their vision and guidance. Technical Editor Brady Pamplin was very helpful in providing his expert assistance during the writing of this book. We wish to thank Production Editor Christine O'Connor for keeping the book on track, and for her tireless effort in ensuring that we put out the best book possible. We would also like to thank Bonny Andresen, Copy Editor Sharon Wilkey, Compositor Craig Woods at Happenstance Type-O-Rama, Illustrators Kayla McGee, Aaron Tate, TK, Proofreader Publication Services, and Indexer Robert Swanson for their polished efforts to make certain this third edition became a reality.

    About the Author

    David L. Cannon, CISA, is President and founder of CertTest Training Center, a leading CISA training provider. David has over three decades of practical experience in management and consulting in business development, compliance, IT operations, security and training in such industries as retail, distribution, healthcare, manufacturing, technology and finance. He regularly teaches CISA, BSC, PMP, CISSP and other management seminars across North America with a holistic approach. He's a long-time pilot surviving major engine failures without even scratching the paint. David is committed to helping provide readers the implementation skills necessary for you to be successful. With his latest edition, CISA candidates can rest assured they have the most current self-study content available to advance their career.

    Contents at a Glance

    Introduction xxiii
    Assessment Test xlvii
    Chapter 1 Secrets of a Successful Auditor 1
    Chapter 2 Managing IT Governance 53
    Chapter 3 Audit Process 131
    Chapter 4 Networking Technology Basics 205
    Chapter 5 Information Systems Life Cycle 279
    Chapter 6 System Implementation and Operations 349
    Chapter 7 Protecting Information Assets 417
    Chapter 8 Business Continuity and Disaster Recovery 501
    Appendix A About the Companion CD 555
    Glossary 559
    Index 605

    Contents

    Introduction xxiii
    Assessment Test xlvii

    Chapter 1 Secrets of a Successful Auditor 1
        Understanding the Demand for IS Audits 3
        Executive Misconduct 3
        More Regulation Ahead 5
        Basic Regulatory Objective 6
        Governance is Leadership 8
        Audit Results Indicate the Truth 9
        Understanding Policies, Standards, Guidelines, and Procedures 9
        Understanding Professional Ethics 11
        Following the ISACA Code 11
        Preventing Ethical Conflicts 13
        Understanding the Purpose of an Audit 14
        Classifying Basic Types of Audits 15
        Determining Differences in Audit Approach 15
        Understanding the Auditor's Responsibility 16
        Comparing Audits to Assessments 16
        Differentiating Between Auditor and Auditee Roles 17
        Applying an Independence Test 18
        Implementing Audit Standards 19
        Where Do Audit Standards Come From? 20
        Understanding the Various Auditing Standards 22
        Specific Regulations Defining Best Practices 25
        Audits to Prove Financial Integrity 28
        Auditor Is an Executive Position 29
        Understanding the Importance of Auditor Confidentiality 30
        Working with Lawyers 30
        Working with Executives 31
        Working with IT Professionals 31
        Retaining Audit Documentation 32
        Providing Good Communication and Integration 33
        Understanding Leadership Duties 33
        Planning and Setting Priorities 34
        Providing Standard Terms of Reference 35
        Dealing with Conflicts and Failures 36
        Identifying the Value of Internal and External Auditors 36
        Understanding the Evidence Rule 37
        Stakeholders: Identifying Who You Need to Interview 38
        Understanding the Corporate Organizational Structure 39
        Identifying Roles in a Corporate Organizational Structure 39
        Identifying Roles in a Consulting Firm Organizational Structure 42
        Summary 43
        Exam Essentials 43
        Review Questions 45
        Answers to Review Questions 50

    Chapter 2 Managing IT Governance 53
        Strategy Planning for Organizational Control 55
        Overview of the IT Steering Committee 58
        Using the Balanced Scorecard 63
        IT Subset of the BSC 67
        Decoding the IT Strategy 68
        Specifying a Policy 70
        Project Management 72
        Implementation Planning of the IT Strategy 80
        Using COBIT 82
        Identifying Sourcing Locations 83
        Conducting an Executive Performance Review 88
        Understanding the Auditor's Interest in the Strategy 88
        Overview of Tactical Management 88
        Planning and Performance 89
        Management Control Methods 89
        Risk Management 93
        Implementing Standards 96
        Human Resources 97
        System Life-Cycle Management 98
        Continuity Planning 99
        Insurance 99
        Performance Management 99
        Overview of Business Process Reengineering 101
        Why Use Business Process Reengineering 101
        BPR Methodology 102
        Genius or Insanity? 102
        Goal of BPR 103
        Guiding Principles for BPR 103
        Knowledge Requirements for BPR 104
        BPR Techniques 105
        BPR Application Steps 105
        Role of IS in BPR 108
        Business Process Documentation 109
        BPR Data Management Techniques 109
        Benchmarking as a BPR Tool 110
        Using a Business Impact Analysis 111
        BPR Project Risk Assessment 112
        Practical Application of BPR 115
        Practical Selection Methods for BPR 117
        Troubleshooting BPR Problems 118
        Understanding the Auditor's Interest in Tactical Management 119
        Operations Management 119
        Sustaining Operations 120
        Tracking Performance 120
        Controlling Change 120
        Understanding the Auditor's Interest in Operational Delivery 121
        Summary 121
        Exam Essentials 122
        Review Questions 123
        Answers to Review Questions 128

    Chapter 3 Audit Process 131
        Understanding the Audit Program 132
        Audit Program Objectives and Scope 133
        Audit Program Extent 134
        Audit Program Responsibilities 135
        Audit Program Resources 136
        Audit Program Procedures 137
        Audit Program Implementation 137
        Audit Program Records 138
        Audit Program Monitoring and Review 139
        Planning Individual Audits 140
        Establishing and Approving an Audit Charter 141
        Role of the Audit Committee 143
        Preplanning Specific Audits 144
        Understanding the Variety of Audits 145
        Identifying Restrictions on Scope 147
        Gathering Detailed Audit Requirements 148
        Using a Systematic Approach to Planning 150
        Comparing Traditional Audits to Assessments and Self-Assessments 151
        Performing an Audit Risk Assessment 153
        Determining Whether an Audit Is Possible 154
        Identify the Risk Management Strategy 155
        Is This Audit Feasible? 156
        Performing the Audit 158
        Selecting the Audit Team 158
        Determining Competence and Evaluating Auditors 158
        Ensuring Audit Quality Control 161
        Establishing Contact with the Auditee 161
        Making Initial Contact with the Auditee 162
        Using Data Collection Techniques 164
        Conducting Document Review 165
        Understanding the Hierarchy of Internal Controls 167
        Reviewing Existing Controls 169
        Preparing the Audit Plan 171
        Assigning Work to the Audit Team 172
        Preparing Working Documents 173
        Conducting Onsite Audit Activities 174
        Gathering Audit Evidence 175
        Using Evidence to Prove a Point 175
        Understanding Types of Evidence 176
        Selecting Audit Samples 176
        Recognizing Typical Evidence for IS Audits 178
        Using Computer-Assisted Audit Tools 178
        Understanding Electronic Discovery 181
        Grading of Evidence 182
        Timing of Evidence 184
        Following the Evidence Life Cycle 184
        Conducting Audit Evidence Testing 187
        Compliance Testing 187
        Substantive Testing 188
        Tolerable Error Rate 189
        Record Your Test Results 189
        Generate Audit Findings 190
        Report Findings 192
        Approving and Distributing the Audit Report 194
        Identifying Omitted Procedures 194
        Conducting Follow-Up (Closing Meeting) 194
        Summary 195
        Exam Essentials 196
        Review Questions 198
        Answers to Review Questions 203

    Chapter 4 Networking Technology Basics 205
        Understanding the Differences in Computer Architecture 206
        Selecting the Best System 211
        Identifying Various Operating Systems 211
        Determining the Best Computer Class 214
        Comparing Computer Capabilities 216
        Ensuring System Control 217
        Dealing with Data Storage 218
        Using Interfaces and Ports 222
        Introducing the Open Systems Interconnect Model 225
        Layer 1: Physical Layer 228
        Layer 2: Data-Link Layer 228
        Layer 3: Network Layer 230
        Layer 4: Transport Layer 236
        Layer 5: Session Layer 237
        Layer 6: Presentation Layer 237
        Layer 7: Application Layer 238
        Understanding How Computers Communicate 239
        Understanding Physical Network Design 240
        Understanding Network Topologies 241
        Identifying Bus Topologies 241
        Identifying Star Topologies 242
        Identifying Ring Topologies 242
        Identifying Meshed Networks 244
        Differentiating Network Cable Types 245
        Coaxial Cable 246
        Unshielded Twisted-Pair (UTP) Cable 246
        Fiber-Optic Cable 247
        Connecting Network Devices 248
        Using Network Services 250
        Domain Name System 251

