Certified Information Systems Security Auditor (CISSA) – Outline

Detailed Course Outline

  • The Process of Auditing Information Systems
    • Exam Relevance
    • Agenda
    • Chapter 1 Learning Objectives
    • Learning Objectives (continued)
    • Audit Charter
    • Definition of Auditing
    • Definition of Information Systems
    • Auditing Audit Objectives
    • Audit Planning
    • Audit Planning cont.
    • IS Audit Resource Management
    • Types of Audits
    • Elements of an Audit
    • Creating the Plan for an Audit
    • Planning the Audit
    • Audit Methodology
    • Phases of an Audit
    • Audit Work Papers
    • Audit Procedures
    • Types of Tests for IS Controls
    • Forensic Audits
    • Fraud Detection
  • Risk Based Auditing
    • Risk-Based Auditing
    • Definition of Risk
    • Purpose of Risk Management
    • Risk Management
    • Purpose of Risk Analysis
    • Why Use Risk Based Auditing
    • Risk Assessment and Treatment
    • Risk Assessment and Treatment cont.
    • General Controls
    • Internal Controls
    • Areas of Internal Control
    • IS Controls Versus Manual Controls
    • IS Controls
    • IS Controls cont.
    • Internal Control Objectives
    • Assessing and Implementing Countermeasures
    • Performing an Audit Risk Assessment
    • A Risk Based Audit Approach
    • Risk-based Auditing
  • Audit Planning and Performance
    • Audit Planning
    • Effect of Laws and Regulations on IS Audit
    • Planning
    • Performing the Audit
    • ISACA IT Audit and Assurance Tools and Techniques
    • ISACA IT Audit and Assurance Standards Framework
    • Relationship Among Standards, Guidelines and Tools and Techniques
    • ISACA IT Audit and Assurance Standards Framework cont.
    • Evidence
    • Gathering Evidence
    • Sampling
    • Compliance vs. Substantive Testing
    • Testing Controls
    • Integrated Auditing
    • Using the Services of Auditors and Experts
    • Audit Risk
    • Computer-assisted Audit Techniques
  • Reporting on Audit
    • Audit Analysis and Reporting
    • Audit Documentation
    • Automated Work Papers
    • Automated Work Papers cont.
    • Evaluation of Audit Strengths and Weaknesses
    • Communicating Audit Results
    • Management Implementation of Audit Recommendations
  • IT Governance and Management of IT
    • Exam Relevance
    • Agenda
    • Task Statements
    • Governance and Management of IT
    • Corporate Governance
    • IT Governance
    • Information Technology Monitoring and Assurance
    • Practices for Management
    • Best Practices for IT Governance
    • Information Security Governance
    • Result of Security Governance
  • Strategic Planning and Models
    • IS Strategy
    • Strategic Enterprise Architecture Plans
    • IT Strategy Committee
    • Standard IT Balanced Scorecard
    • Enterprise Architecture
    • Maturity and Process Improvement Models
    • IT Investment and Allocation Practices
    • Auditing IT Governance Structure and Implementation
    • Policies, Standards and Procedures
    • Policies and Procedures
    • Policies
    • Procedures
    • Standards
    • Risk Management
    • Risk Management Process
    • Risk Analysis Methods
    • Risk Mitigation
  • Resource Management
    • Organization of the IT Function
    • IS Roles and Responsibilities
    • Segregation of Duties Within IS
    • Segregation of Duties Controls
    • Human Resource Management
    • Sourcing Practices
    • Management of IT Functional Operations
    • Organizational Change Management
    • Change Management cont.
    • Quality Management
    • Performance Optimization
    • Reviewing Documentation
    • Reviewing Contractual Commitments
  • Business Continuity Planning
    • Business Continuity Planning
    • IS Business Continuity Planning
    • Disasters and Other Disruptive Events
    • Business Continuity Planning Process
    • Business Continuity Policy
    • Business Continuity Planning Incident Management
    • Business Impact Analysis cont.
    • Development of Business Continuity Plans
    • Other Issues in Plan Development
    • Components of a Business Continuity Plan
    • Components of a Business Continuity Plan cont.
    • Insurance
    • Plan Testing
    • Summary of Business Continuity
    • Auditing Business Continuity
    • Reviewing the Business Continuity Plan
    • Evaluation of Prior Test Results
    • Evaluation of Offsite Storage
    • Interviewing Key Personnel
    • Evaluation of Security at Offsite Facility
    • Reviewing Alternative Processing Contract
    • Reviewing Insurance Coverage
    • End of Domain
  • Information Systems Acquisition, Development and Implementation
    • Exam Relevance
    • Agenda
    • Learning Objectives
    • Learning Objectives cont.
    • Program and Project Management
    • Portfolio/Program Management
    • Portfolio/Program Management cont.
    • Business Case Development and Approval
    • Benefits Realization Techniques
    • General IT Project Aspects
    • Project Context and Environment
    • Project Organizational Forms
    • Project Communication
    • Project Objectives
    • Roles and Responsibilities of Groups and Individuals
    • Project Management Practices
    • Project Planning
    • Project Planning cont.
    • General Project Management
    • Project Controlling
    • Project Risk
    • Closing a Project
  • Systems Development Models
    • Business Application Development
    • Traditional SDLC Approach
    • Traditional SDLC Approach cont.
    • Traditional SDLC Approach cont.
    • Requirements Definition
    • Business Process Reengineering and Process Change Projects
    • Business Process Reengineering and Process Change Projects cont.
    • Risk Associated with Software Development
    • Use of Structured Analysis, Design and Development Techniques
    • Alternative Development Methods
    • Agile Development
    • Prototyping
    • Rapid Application Development
    • Other Alternative Development Methods
    • Computer-aided Software Engineering
    • Fourth-generation Languages
  • Types of Specialized Business Applications
    • Electronic Commerce
    • Electronic Data Interchange
    • Electronic Mail
    • Electronic Banking
    • Electronic Finance
    • Electronic Funds Transfer
    • Automated Teller Machine
    • Artificial Intelligence and Expert Systems
    • Business Intelligence
    • Decision Support Systems
    • Decision Support Systems cont.
    • Acquisition
    • Infrastructure Development / Acquisition Practices
    • Project Phases of Physical Architecture Analysis
    • Hardware Acquisition
    • System Software Acquisition
    • Auditing Systems Development, Acquisition and Maintenance
    • Auditing Systems Development Acquisition
    • System Software Change Control Procedures
  • Application Controls
    • Application Controls
    • Input/Origination Controls
    • Processing Procedures and Controls
    • Output Controls
    • Types of Output Controls
    • Business Process Control Assurance
    • Auditing Application Controls
    • Application Testing
    • Precautions Regarding Testing
    • System Change Procedures and the Program Migration Process
    • System Change Procedures and the Program Migration Process cont.
    • End of Chapter Three
  • Information Systems Operations, Maintenance and Support
    • Exam Relevance
    • Agenda
    • Learning Objectives
    • Learning Objectives cont.
    • Information Security Management
    • Information Systems Operations
    • IT Service Management
    • Infrastructure Operations
    • Monitoring Use of Resources
    • Support/Help Desk
    • Change Management Process
    • Release Management
  • System and Communications Hardware
    • Computer Hardware Components and Architectures
    • Computer Hardware Components and Architectures cont.
    • Security Risks with Portable Media
    • Security Controls for Portable Media
    • Hardware Maintenance Program
    • Hardware Monitoring Procedures
    • Capacity Management
    • IS Architecture and Software
    • Operating Systems
    • Access Control Software
    • Data Communications Software
    • Data Management
    • Database Management System cont.
    • Tape and Disk Management Systems
    • Utility Programs
    • Software Licensing Issues
    • Digital Rights Management
  • Auditing Networks
    • Network Infrastructure
    • Enterprise Network Architectures
    • Types of Networks
    • Network Services
    • Network Standards and Protocols
    • OSI Architecture
    • OSI Architecture (continued)
    • Application of the OSI Model in Network Architectures cont.
    • Network Architectures
    • Network Components
    • Communications Technologies
    • Communications Technology cont.
    • Wireless Networking
    • Risks Associated with Wireless Communications
    • Internet Technologies
    • Auditing of Network Management
    • Auditing of Applications Management
    • Hardware Reviews
    • Operating Systems Reviews
    • Database Reviews
    • Network Infrastructure and Implementation Reviews
    • Physical Security Audits
    • Access Controls Review
    • Access Controls Review cont.
    • Scheduling Reviews
    • Scheduling Reviews; Questions to Consider
    • Auditing Job Scheduling
    • Job Scheduling Reviews
    • Personnel Reviews
  • Business Continuity and Disaster Recovery Audits
    • Auditing of Business Continuity Plans
    • Recovery Point Objective and Recovery Time Objective
    • Business Continuity Strategies
    • Recovery Strategies
    • Recovery Alternatives
    • Audit of Third Party Recovery Agreements
    • Organization and Assignment of Responsibilities
    • Team Responsibilities
    • Backup and Restoration
    • End of Domain Four
  • Protection of Information Assets
    • Exam Relevance
    • Course Agenda
    • Chapter 5 Task Statements
    • Knowledge Areas
    • Information Security Management
    • Importance of Information Security Management
    • Key Elements of Information Security Management
    • Critical Success Factors to Information Security Management
    • Inventory and Classification of Information Assets
    • Privacy Management Issues and the Role of IS Auditors
    • Social Media Risks
  • Access Controls
    • System Access Permission
    • Mandatory and Discretionary Access Controls
    • IAAA
    • Authentication
    • Authorization
    • Challenges with Identity Management
    • Identification and Authentication
    • Logical Access Exposures
    • Paths of Logical Access
    • Logical Access Control Software
    • Auditing Logical Access
    • Access Control Lists
    • Centralized versus Decentralized Access
    • Decentralized Access Risks
    • Single Sign-on (SSO)
    • Single Sign-on Advantages
    • Single Sign-on Disadvantages
    • Familiarization with the Organization’s IT Environment
    • Remote Access
    • Remote Access Security
    • Auditing Remote Access
    • Auditing Remote Access (cont.)
    • Logging All System Access
  • Equipment and Network Security
    • Security of Portable Media
    • Mobile Device Security
    • Storing, Retrieving, Transporting and Disposing of Confidential Information
    • Concerns Associated with Storage Media
    • Network Infrastructure Security
    • Network Infrastructure Security cont.
    • LAN Security Issues
    • Client-server Security
    • Wireless Security Threats
    • Wireless Security Threats cont.
    • Audit Log Analysis Tools
    • Internet Threats and Security
    • Causes of Internet Attacks
    • Firewalls
    • Firewall Issues
    • Network Security Architectures
    • Honeypots and Honeynets
    • Intrusion Detection and Prevention Systems
    • IDS / IPS Components
    • IDS / IPS Features
    • Voice-Over IP (VoIP)
    • Techniques for Testing Security
    • Auditing Network Infrastructure Security
  • Encryption
    • Encryption Definition
    • Encryption
    • Symmetric Encryption
    • Asymmetric Algorithms
    • Hashing Algorithms
    • Digital Signatures
    • Digital Envelope
    • Public Key Infrastructure (PKI)
    • Uses of Encryption in Communications
    • Auditing Encryption Implementations
  • Malware
    • Viruses
    • Virus Protection
    • Other Forms of Malware
  • Incident Handling and Evidence
    • Security Incident Handling and Response
    • Evidence Handling
  • Physical and Environmental Controls
    • Physical Access Issues and Exposures
    • Physical Access Issues and Exposures cont.
    • Physical Access Controls
    • Controls for Environmental Exposures
    • Controls for Environmental Exposures cont.
    • Controls for Environmental Exposures cont.
    • Electrical Problems
    • Auditing Physical Access
    • End of Domain Five