CISA Study Guide and 195 Practice Questions

According to ISACA, the CISA program is its cornerstone certification. Since 1978, the CISA exam has measured excellence in the area of IS auditing, control and security. CISA has grown to be globally recognized and adopted worldwide as a symbol of achievement. There are currently more than 30,000 CISAs worldwide.

To earn the Certified Information Systems Auditor (CISA) designation, you need to pass a multiple choices exam which covers the following content areas:

1. Management, Planning, and Organization of IS
2. Technical Infrastructure and Operational Practices
3. Protection of Information Assets
4. Disaster Recovery and Business Continuity
5. Business Application System Development, Acquisition, Implementation, and Maintenance
6. Business Process Evaluation and Risk Management
7. The IS Audit Process

Success factors in the CISA exam = 40% TECHNOLOGY + 60% BUSINESS PRACTICE. We are not talking about the percentage of questions here. We are talking about the success factor - the technology questions are easy to answer because they are mostly based on factual information. The business practice questions are different - different answers work best in different scenarios under different conditions.

Table of contents

EXAM FORMAT
ABOUT THIS BOOK
EXAM TOPICS
EXAM REGISTRATION CONTACTS
STUDY PSYCHOLOGY & EXAM TACTICS

KEY EXAM STRATEGIES
STRATEGY ONE: KEYWORD OR KEY PHRASE MATCHING.
STRATEGY TWO: CHOICES GROUPING.
STRATEGY THREE: THINK TRICKY.

SECURITY THEORIES
THE COMPUTER SYSTEM ITSELF AS LARGELY AN UNTRUSTED SYSTEM
DEFENSE IN DEPTH
VULNERABILITIES
SECURITY MEASURES
STANDARDS AND GUIDELINES

IS ORGANIZATION AND INFORMATION ASSETS PROTECTION
THE STAKEHOLDERS
THE BOARD
THE AUDIT MANAGER
AUDIT PERSONNEL

IS CONTROLS
CLASSIFICATION OF CONTROLS
GENERAL CONTROLS VS APPLICATION CONTROLS

ACCESS CONTROL AND THE AUDITING PROCESS
ACCESS CONTROL MODELS
ACLS VERSUS CAPABILITIES
WHAT IS ORANGE BOOK, BY THE WAY?
TYPES OF ACCESS CONTROL
THE AAA CONCEPT
ESTABLISHING ACCOUNTABILITY THROUGH EVENT LOGGING
THE AUDIT PROCESS
THE SARBANES–OXLEY ACT AND THE COSO FRAMEWORK
WHAT IS AUDITING, BY THE WAY?
THE ROLE OF AN AUDITOR
THE AUDIT PROCESS FLOW
AUDIT PLANNING
RECOMMENDED TYPES OF AUDIT
AUDIT FIELDWORKS
AUDIT PROGRAM
AUDIT REPORT
AUDIT FOLLOW-UP

IT STRATEGIC PLANNING
IT STRATEGIC PLANNING DEFINED
THE ROLE OF IS AUDITING IN THE PLANNING PROCESS
IN-HOUSE OR OUTSOURCE?
AVOIDING CONFLICTS OF INTEREST

PROTECTION OF INFORMATION ASSETS THROUGH SECURITY POLICY
INFORMATION ASSETS DEFINED
DATA CLASSIFICATIONS AND LAYER OF RESPONSIBILITIES
SECURITY POLICY
SECURITY MODELS AND MODES OF OPERATIONS
ORGANIZATION SPECIFIC CLASSIFICATION SCHEME
EXAMPLE POLICY
CONSEQUENCES OF VIOLATIONS
EVALUATION
CHANGE CONTROL

BUSINESS CONTINUITY PLANNING, CRISIS COMMUNICATIONS & BIA
DEFINITION
BCP VS BPCP VS DRP
BCP PHASES
STAKEHOLDERS AND CRISIS COMMUNICATIONS
THE RISK ASSESSMENT FLOW
RISK VS THREAT AND VULNERABILITY
IDENTIFYING RISKS
LOSS CALCULATIONS
BUSINESS IMPACT ANALYSIS DEFINED
BIA GOALS AND STEPS
BIA CHECKLIST
PREPARING FOR EMERGENCY
MANAGING RECOVERY
TESTING THE PLAN
USER ACCEPTANCE
PLAN MAINTENANCE
INCIDENT HANDLING

RISK MANAGEMENT
RISK MANAGEMENT DEFINED
THE RISK MANAGEMENT STEPS
IS AUDITING AND RISK MANAGEMENT
RISK-BASED AUDITING

PROJECT MANAGEMENT
PROJECT MANAGEMENT DEFINED
PROJECT MANAGEMENT AND AUDIT

CHANGE MANAGEMENT
CHANGE MANAGEMENT DEFINED
CHANGE MANAGEMENT STRATEGIES
CHANGE MANAGEMENT VS CHANGE CONTROL VS CONFIGURATION MANAGEMENT
CHANGE CONTROL REVISITED

APPLICATION PROGRAM DEVELOPMENT
GENERAL GUIDELINES
SYSTEM CHANGE CONTROL
SOFTWARE DEVELOPMENT PROCESSES AND MODELS
BUY VS MAKE: ACQUISITION MANAGEMENT METHODS

TECHNICAL READINGS

SECTION 1: TOPICS ON SECURITY THEORY
SECTION 2: TOPICS ON HACKING, ATTACKING, DEFENDING AND AUDITING
SECTION 3: TOPICS ON ENCRYPTION AND VPN
SECTION 4: TOPICS ON RESPONDING TO ATTACKS
SECTION 5: TOPICS ON VIRUSES

VALUABLE THIRD PARTY RESOURCES

SPECIAL TOPIC COVERAGE
Information Security Program Development and Management, with coverage on:

EISP
ISSP
SysSP
Combination SysSP
ISPME

IT Operations Management
Information Security Program and Policy Development
Policy and Program Management
Vulnerability & Patch Management
Data Storage Strategy
Environmental Controls
Imaging Technologies
ERP Security
Incident Response, with coverage on the different kinds of IRT
Concealing hard disk data

Baseline policy and guidelines
Planning and scoping of the assessment of risk
Methodologies for proper assessment of risk
Special notes on penetration testing
Internet Security
Firewall security
Virus security
Web server security
Name resolution security
Mail server security
RAS server security
Proxy server security
Authentication server security

Physical Site Management
Equipment and Media Management
Emergency Response
ERT Formation
ER Planning and Preparation
Coverage, goal and scope
Emergency priorities
Emergency Reporting Procedure
Emergency Escalation Procedure
Incident Monitoring

Forensic Processing
Software Testing

AUDIT OBJECTIVES AND AUDIT RISKS
OUTSOURCING IT AUDIT
SECURITY CONCERNS ON M&A

SAMPLE I.S. AUDIT QUESTIONNAIRE

140 Technical Drill Practice Questions

55 Program and Policy Drill Questions

Basic Networking Technotes

Appendix updated 8 Dec 08 covering:
CMM AND CMMI
ESCROWED ENCRYPTION STANDARD (EES)
OBJECT ORIENTED DESIGN
COMPUTER FORENSICS
INCIDENT RESPONSE (IR)
HIPAA
PLATFORM FOR PRIVACY PREFERENCES PROJECT (P3P)
OECD GUIDELINES
CEI’S COMMANDMENTS OF ETHICS
THE INFOSEC ASSESSMENT METHODOLOGY (IAM)
COVERT CHANNEL ANALYSIS
COMMON CRITERIA (CC)
PHYSICAL AND ENVIRONMENTAL SECURITY
INFORMATION RETENTION & DISPOSAL PROCEDURES
BALANCED SCORECARD
BUSINESS PROCESS REENGINEERING
INTERNAL PREVENTIVE CONTROLS VERSUS COMPENSATING CONTROLS
SOFTWARE DEVELOPMENT APPROACHES: THE PROS & CONS
EMERGING PROCESSOR TECHNOLOGIES
EMERGING WIRELESS SECURITY STANDARDS
IM SECURITY
VOIP
HR AND SECURITY

Now comes with Practice Questions to drill you in computer security, controls, IS audit and policy concepts!!!

The Technical Drill Practice Test Module is designed for reinforcing learning objectives and validating knowledge so you know you're prepared to answer even the toughest questions on the CISA certification exam. You will find this module to be a challenging and effective tool that will help you learn how to recognize IS security threats and recommend proper security control and audit solutions.

ExamREVIEW is an independent content developer not associated/affiliated with the certification vendor mentioned on this web page and throughout this web site. The certification exam described is the trademark of the corresponding certification vendor.

We at ExamREVIEW develop study material entirely on our own. Our material is fully copyrighted. Braindump is strictly prohibited. We provide essential knowledge contents, NOT any generalized "study system" kind of "pick-the-right-answer-every time" techniques or "visit this link" referrals.

You may choose products based on their purposes and/or nature:

Ready-to-go: the product will get you sufficiently prepared for the exam assuming you have reasonable background in the corresponding field.	Filling-the-gaps: the product is written to secure exam clearance through filling up exam-specific gaps found in the mainstream study material.	Essential Reference: the product provides coverage on selected essential topic(s) given BOK of a massive scale.	Focused revision: highly focused study notes covering key exam topics.
	Our printed books are distributed primarily through CREATESPACE AMAZON. Page size is 8" x 10", grayscale printing, with font sizing ranging from 10 to 14 (Garamond).		Our electronic study products are in PDF format. Full color printing, with font sizing ranging from 10 to 14 (Garamond).
Shipment is through		To view this web site properly, your browser needs to support Javascript. Click HERE to find out.

Exam Index Quick Support Subscribe Terms of Use Contact Us