CISA DOMAIN 1 – THE PROCESS ON AUDITING INFORMATION SYSTEMS
This article covers –
• Overall understanding of the domain
• Important concepts to focus on from exam point of view
The article is split into 4 parts as below:
• Part 1 – Overall understanding of Domain 1, Important concepts from exam point of view – Audit charter,
Audit planning, Risk analysis
• Part 2 – Internal controls, COBIT – 5, Risk-based auditing, Risk treatment
• Part 3 – Compliance testing Vs. Substantive testing, Audit evidence, Audit Sampling and Control self-assessment
Overall understanding of the domain:
• Weightage - This domain constitutes 21 percent of the CISA exam (approximately 32 questions)
• Covers 11 Knowledge statements covering the process of auditing information systems
1. ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, Code of
Professional Ethics and other applicable standards
2. Risk assessment concepts and tools and techniques in planning, examination, reporting and
follow-up
3. Fundamental business processes and the role of IS in these processes
4. Control principles related to controls in information systems
5. Risk-based audit planning and audit project management techniques
6. Applicable laws and regulations which affect the scope, evidence collection and preservation and
frequency of audits
7. Evidence collection techniques used to gather, protect and preserve audit evidence
8. Different sampling methodologies and other substantive/data analytical procedures
9. Reporting and communication techniques
10. Audit quality assurance (QA) systems and frameworks
11. Various types of audits and methods for assessing and placing reliance on the work of other
auditors or control entities
PART 1
©Aswini Srinath
Important concepts from exam point of view:
1. Audit Charter:
➢ Audit Charter outlines the overall authority, scope and responsibilities of audit function
➢ Audit charter should be approved by Audit committee or senior management
➢ Internal audit function is always independent of management committee
2. Audit planning:
➢ Step 1 – Understanding of business mission, vision, objectives, process which includes
information requirements under the CIA triad (Confidentiality, Integrity and Availability of data)
➢ Step 2 – Understanding of business environment
➢ Step 3 - Review prior work papers
➢ Step 4 - Perform Risk analysis
➢ Step 5 - Set audit scope and objectives
➢ Step 6 - Develop audit plan/strategy
➢ Step 7 - Assign audit personnel/resources
➢ Audit planning includes –
1. Short term planning – considers audit issues that will be covered during the year
2. Long term planning - audit plans that will take into account risk-related issues regarding
changes in the organization’s IT strategic direction that will affect the organization’s IT
environment.
Points to remember:
• When a CISA question is on the approval of the audit charter, the answer should be the
most senior management, based on the options available.
• The IS auditor’s role is more about reporting audit observations and giving an
“independent audit opinion”
Point to remember: The first step in audit planning is always understanding the
business mission, objectives and business environment, then analyzing the risk involved
based on the audit scope.
3. Risk analysis:
➢ Risk is a combination of the probability of an event and its consequence (International
Organization for Standardization [ISO] 31000:2009)
➢ Risk analysis is part of audit planning, and helps identify risks and vulnerabilities so the IS auditor
can determine the controls needed to mitigate those risks
➢ Risk analysis covers Risk Management Framework – ISO 27005, ISO 31000
➢ Risk Assessment Process – The process starts with identifying the sources and events, then
identifying the vulnerabilities associated with the sources, and then analyzing the probability of
the occurrence and the impact.
➢ Risk Management Process - It begins with identifying the business objectives and the information
assets that are associated with the business, followed by assessment of risk, deciding how to treat the risk
(either avoid, transfer, or mitigate/reduce the risk) and implementing controls to mitigate the risk
Point to remember:
• A CISA candidate should be aware of the difference between risk assessment and
risk management. Risk assessment is the process of finding where the risk exists.
Risk management is the second step, after performing risk assessment.
• Risk can be mitigated/reduced through implementation of controls/ third-party
insurance, etc.
Point to remember: A CISA candidate should be able to differentiate between a threat and a
vulnerability. A threat is anything that can exploit a vulnerability, intentionally or accidentally,
and obtain, damage, or destroy an asset. A vulnerability is a weakness or gap in a security
program that can be exploited by threats to gain unauthorized access to an asset
4. Internal Controls:
➢ Internal controls are normally composed of policies, procedures, practices and organizational
structures which are implemented to reduce risks to the organizations
➢ The board of directors is responsible for establishing an effective internal control system
➢ Classification of internal controls:
a. Preventive controls
b. Detective controls
c. Corrective controls
➢ Preventive controls: are those internal controls which are deployed to prevent an event that
might affect achievement of organizational objectives from happening. Some examples of preventive
control activities are:
• Employee background checks
• Employee training and required certifications
• Password protected access to asset storage areas
• Physical locks on inventory warehouses
• Security camera systems
• Segregation of duties (i.e. recording, authorization, and custody all handled by separate
individuals)
➢ Detective controls: Detective controls seek to identify when preventive controls were not
effective in preventing errors and irregularities, particularly in relation to the safeguarding of
assets. Some examples of detective control activities are:
• Bank reconciliations
• Control totals
• Physical inventory counts
• Reconciliation of the general ledgers to the detailed subsidiary ledgers
• Internal audit functions
Point to remember: When a CISA question is on the responsibility for internal controls, the
answer should be the most senior management (BoD, CEO, CIO, CISO, etc.), based on the
options available.
Point to remember: CISA questions will be scenario based, where the candidate should
have a thorough understanding of all three controls and be able to differentiate between
preventive, detective and corrective controls
PART 2
➢ Corrective controls: When detective control activities identify an error or irregularity, corrective
control activities should then see what could or should be done to fix it, and hopefully put a new
system in place to prevent it the next time around. Some examples of corrective control
activities are:
• data backups can be used to restore lost data in case of a fire or other disaster
• data validity tests can require users to confirm data inputs if amounts are outside a
reasonable range
• insurance can be utilized to help replace damaged or stolen assets
• management variance reports can highlight variances from budget to actual for
management corrective action
• training and operations manuals can be revised to prevent future errors and
irregularities
5. COBIT 5:
➢ Developed by ISACA
➢ A comprehensive framework that assists enterprises in achieving their objectives for the governance and
management of enterprise IT (GEIT)
➢ COBIT 5 is based on 5 principles and 7 enablers
5 Principles:
1. Meeting Shareholders needs
2. End-to-End coverage
3. Holistic Approach
4. Integrated Framework
5. Separate governance from management
7 Enablers:
1. Principles, Policies and Frameworks
2. Processes
3. Organizational Structures
4. Culture, Ethics and Behaviour
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies
(Note: A CISA candidate will not be asked to specifically identify the COBIT process, the COBIT domains or the
set of IT processes defined in each. However, candidates should know what frameworks are, what they do
and why they are used by enterprises)
6. Risk based auditing
➢ Audit Risk - the risk that information may contain a material error that may go undetected during the
course of the audit.
➢ The audit approach should be as follows:
• Step 1 – Gather available information and plan through review of prior year’s audit results, recent
financial information, inherent risk assessments
• Step 2 – Understanding of existing internal controls by analyzing control procedures, detection
risk assessment
• Step 3 – Perform compliance testing by identifying key controls to be tested
• Step 4 – Perform substantive testing by test of account balances, analytical procedures
• Step 5 – Conclude the audit - Audit report with independent audit opinion
➢ Factors which influence audit risk
a. Inherent risk – Risk that an activity would pose if no controls/ other mitigating factors were in place.
b. Control risk - Risk that a material error exists that would not be prevented or detected on a timely
basis by the system of internal controls
c. Detection risk - The risk that material errors or misstatements that have occurred will not be
detected by the IS auditor
d. Residual risk – Risk that remains after controls are taken into account
7. Risk Treatment
➢ Risk identified in the risk assessment needs to be treated.
➢ Possible risk response options include:
• Risk mitigation—Applying appropriate controls to reduce the risk
• Risk acceptance—Knowingly and objectively not taking action, providing the risk clearly
satisfies the organization’s policy and criteria for risk acceptance
• Risk avoidance—Avoiding risk by not allowing actions that would cause the risk to occur
• Risk transfer/sharing—Transferring the associated risk to other parties (e.g., insurers or
suppliers)
Point to remember: A CISA candidate should know the differences between preventive, detective
and corrective controls. An example of a question in the exam would be: Which of the following
controls would BEST detect
8. Compliance testing Vs. substantive testing
➢ Compliance testing - determines whether controls are in compliance with management policies and
procedures
Examples:
• User access rights
• Program change control procedures
• Review of logs
• Software license audit
➢ Substantive testing - gathers evidence to evaluate the integrity of individual transactions, data or other
information
Examples:
• performance of a complex calculation on sample basis
• testing of account balances
9. Audit Evidence
➢ any information used by the IS auditor to determine whether the entity or data being audited follows the
established criteria or objectives and supports audit conclusions
➢ Techniques for gathering evidence:
• Review IS organization structures
• Review IS policies and procedures
• Review IS standards
• Review IS documentation
• Interview appropriate personnel
• Observe processes and employee performance
• Walkthrough
Point to remember:
• CISA questions will be scenario based and the candidate should be able to differentiate between
substantive testing and compliance testing.
• Statistical sampling is to be used when the probability of error must be objectively
quantified (i.e. no subjectivity is involved). Statistical sampling is an objective method of
sampling in which each item has an equal chance of selection
PART 3
10. Audit Sampling
➢ The subset of population members used to perform testing
➢ Two approaches of sampling:
a. Statistical sampling - using mathematical laws of probability to create the sample size
b. Non-Statistical sampling - Uses auditor judgment to determine the method of sampling
➢ Methods of sampling
a. Attribute sampling - Applied in compliance testing situations, deals with the presence or absence
of the attribute and provides conclusions that are expressed in rates of incidence. Involves three
types:
• Attribute sampling - selecting a small number of transactions and making assumptions
about how their characteristics represent the full population of which the selected items
are a part
• Stop-or-go sampling - This model helps prevent excessive sampling of an attribute by
allowing an audit test to be stopped at the earliest possible moment. It is mostly used
when the auditor believes that relatively few errors will be found in the population
• Discovery sampling – It is mostly used when the objective of the audit is to discover fraud
b. Variable sampling - Applied in substantive testing situations, deals with population
characteristics that vary, such as monetary values and weights or any other measurement and
provides conclusions related to deviations from the norm. Involves three types:
• Stratified mean per unit – A statistical model in which the population is divided into groups
and samples are drawn from the various groups
• Un-stratified mean per unit – A statistical model in which the sample mean (average) is
calculated and projected as an estimated total.
• Difference estimation – A statistical model used to estimate the total difference between
audited values and unaudited values based on differences obtained from sample
observations.
Point to remember: A CISA candidate, given an audit scenario, should be able to determine which
type of evidence gathering technique would be best
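The three variable-sampling estimators above, worked through in Python as an added example (not part of the original study notes): the invoice population, its "small"/"large" strata and every value are constructed, and the sample deliberately over-represents the small stratum so the estimators visibly disagree.

```python
"""Variable-sampling estimators for substantive testing.

Added example, not part of the original study notes. The population of
invoices, the strata and all values are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    item_id: str
    stratum: str                   # hypothetical size band used for stratification
    book_value: float              # unaudited (recorded) value, known for every item
    audited: float | None = None   # audited value, known only for sampled items


# Constructed population of 12 invoices. Five were selected and audited;
# three of the five come from the "small" stratum, two from "large".
POPULATION = [
    Item("INV-01", "small", 100.0, audited=100.0),
    Item("INV-02", "small", 120.0, audited=110.0),
    Item("INV-03", "small", 90.0, audited=90.0),
    Item("INV-04", "small", 110.0),
    Item("INV-05", "small", 95.0),
    Item("INV-06", "small", 105.0),
    Item("INV-07", "large", 1000.0, audited=980.0),
    Item("INV-08", "large", 1200.0, audited=1200.0),
    Item("INV-09", "large", 1100.0),
    Item("INV-10", "large", 900.0),
    Item("INV-11", "large", 1050.0),
    Item("INV-12", "large", 950.0),
]


def sampled(population: list[Item]) -> list[Item]:
    """The audit sample: every item whose audited value is known."""
    return [i for i in population if i.audited is not None]


def book_total(population: list[Item]) -> float:
    """Recorded (unaudited) total that the auditor is testing."""
    return sum(i.book_value for i in population)


def unstratified_mean_per_unit(population: list[Item]) -> float:
    """Sample mean of audited values projected over the whole population."""
    sample = sampled(population)
    if not sample:
        raise ValueError("no audited items in the population")
    mean = sum(i.audited for i in sample) / len(sample)
    return mean * len(population)


def stratified_mean_per_unit(population: list[Item]) -> float:
    """Mean-per-unit applied to each stratum separately, then summed.

    Every stratum must contain at least one audited item, otherwise its
    total cannot be projected and the estimate is refused.
    """
    size: dict[str, int] = defaultdict(int)
    audited: dict[str, list[float]] = defaultdict(list)
    for i in population:
        size[i.stratum] += 1
        if i.audited is not None:
            audited[i.stratum].append(i.audited)
    missing = [s for s in size if not audited[s]]
    if missing:
        raise ValueError(f"strata without audited items: {missing}")
    return sum(sum(audited[s]) / len(audited[s]) * size[s] for s in size)


def difference_estimation(population: list[Item]) -> float:
    """Book total adjusted by the projected (audited minus book) difference."""
    sample = sampled(population)
    if not sample:
        raise ValueError("no audited items in the population")
    mean_diff = sum(i.audited - i.book_value for i in sample) / len(sample)
    return book_total(population) + mean_diff * len(population)


def projected_misstatement(population: list[Item], estimator) -> float:
    """How far the chosen estimate departs from the recorded total."""
    return estimator(population) - book_total(population)


if __name__ == "__main__":
    for est in (unstratified_mean_per_unit, stratified_mean_per_unit, difference_estimation):
        print(f"{est.__name__:>28}: estimate {est(POPULATION):9.2f}  "
              f"projected misstatement {projected_misstatement(POPULATION, est):8.2f}")
```

Run against the constructed data, the un-stratified estimate is pulled far below the recorded total because small invoices dominate the sample, while the stratified and difference estimates stay close to it; this is the reason the notes pair stratification with populations whose values vary widely.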
c. Important statistical terms:
• Confidence coefficient (CC) – A percentage expression of the probability that the
characteristics of the sample are a true representation of the population. The stronger the internal
control, the lower the confidence coefficient
• Level of risk – Equal to one minus the confidence coefficient [if the confidence coefficient
is 95%, the level of risk is (100-95= 5%)]
• Expected error rate (ERR) – An estimate stated as a percent of the error that may exist.
The greater the ERR, the greater the sample size
11. Control Self-assessment (CSA)
a. What is CSA?
➢ assessment of controls made by the staff and management of the unit or units involved
➢ management technique that assures stakeholders, customers and other parties that the
internal control system of the organization is reliable.
➢ Ensures that employees are aware of the risk to the business and they conduct periodic,
proactive reviews of controls
b. Objectives of CSA
➢ to leverage the internal audit function by shifting some of the control monitoring responsibilities to
the functional areas
➢ not intended to replace audit’s responsibilities but to enhance them
c. Benefits of CSA
➢ Early detection of risk
➢ More effective and improved internal controls
➢ Developing a sense of ownership of the controls in the employees and process owners and
reducing their resistance to control improvement initiatives
➢ Increased communication between operational and top management
➢ Highly motivated employees
Point to remember: The IS auditor should be familiar with the different types of sampling techniques
and when it is appropriate to use each of them
d. Disadvantages of CSA
➢ mistaken as an audit function replacement
➢ considered as an additional workload
➢ Failure to act on improvement suggestions could damage employee morale
➢ Lack of motivation may limit effectiveness in the detection of weak controls
e. Auditor’s role in CSA
➢ The auditor’s role in CSAs should be considered enhanced when audit departments establish a CSA
program.
➢ Auditors become internal control professionals and assessment facilitators
CISA DOMAIN 2 – GOVERNANCE AND MANAGEMENT OF IT
This article covers –
• Overall understanding of the domain
• Important concepts to focus on from exam point of view
The article is split into 5 parts as below:
• Part 1 – Corporate Governance, Governance of Enterprise IT (GEIT), Auditor’s role in GEIT
• Part 2 – IT Balanced Score Card (BSC), IT Governing Committee (IT Strategy and Steering
committee), Maturity and process improvement models
• Part 3 – Risk Management, Human Resource Management, Sourcing Practices
• Part 4 – Information Security – Roles and Responsibilities, Business Continuity Planning (BCP),
Business Impact Analysis (BIA)
• Part 5 – Classification of Systems and criticality analysis, Components of Business Continuity
Planning (BCP), Plan Testing.
Overall understanding of the domain:
• Weightage - This domain constitutes 16 percent of the CISA exam (approximately 24 questions)
• Covers 17 Knowledge statements covering the process of auditing information systems
1. Knowledge of the purpose of IT strategy, policies, standards and procedures for an organization
and the essential elements of each
2. Knowledge of IT governance, management, security and control frameworks and related
standards, guidelines and practices
3. Knowledge of organizational structure, roles, and responsibilities related to IT, including
segregation of duties (SoD)
4. Knowledge of relevant laws, regulations and industry standards affecting the organization
5. Knowledge of the organization’s technology direction and IT architecture and their implications
for setting long-term strategic directions
6. Knowledge of the processes for the development, implementation and maintenance of IT
strategy, policies, standards and procedures
7. Knowledge of the use of capability and maturity models
8. Knowledge of process optimization techniques
9. Knowledge of IT resource investment and allocation practices, including prioritization criteria
(e.g., portfolio management, value management, personnel management)
10. Knowledge of IT supplier selection, contract management, relationship management and
performance monitoring processes including third party outsourcing relationships
11. Knowledge of enterprise risk management (ERM)
12. Knowledge of practices for monitoring and reporting of controls performance (e.g., continuous
monitoring, quality assurance [QA])
13. Knowledge of quality management and quality assurance (QA) systems
14. Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced
scorecards [BSCs], key performance indicators [KPIs])
15. Knowledge of business impact analysis (BIA)
16. Knowledge of the standards and procedures for the development, maintenance and testing of
the business continuity plan (BCP)
17. Knowledge of procedures used to invoke and execute the business continuity plan and return
to normal operations
PART 1 – CISA Domain 2 – Governance and Management of IT
» Overall understanding of the domain
» What is Corporate Governance?
» What is Governance of Enterprise IT (GEIT)?
» What is the role of auditor in GEIT?
Important concepts from exam point of view:
1. Corporate Governance:
➢ It is a system by which entity is controlled and directed
➢ Set of responsibilities and practices that provide strategic direction, thereby ensuring that
• Goals are achievable,
• Risk are properly addressed and
• Organizational resources are properly utilized
➢ Involves a set of relationships between a company’s management, its board, its
shareholders and other stakeholders
2. Governance of Enterprise IT (GEIT):
➢ GEIT is one of the domains of Corporate governance
➢ GEIT is a system in which all stakeholders, including the board, senior management, internal
customers and departments such as finance, provide input into the decision-making process.
➢ GEIT is the responsibility of the board of directors and executive management.
➢ Purposes of GEIT are:
a. to direct IT endeavors to ensure that IT performance meets the objectives of aligning IT
with the enterprise’s objectives and the realization of promised benefits
b. enable the enterprise by exploiting opportunities and maximizing benefits
c. IT resources should be used responsibly, and IT-related risk should be managed
Appropriately
➢ Key element of GEIT is the alignment of business and IT, leading to the achievement of business
value.
➢ Examples of GEIT includes the following:
✓ COBIT 5 is developed by ISACA, which includes five principles, five domains, 37
processes and 210 practices
✓ The International Organization for Standardization (ISO)/International Electrotechnical
Commission (IEC) 27001 (ISO 27001) - provides guidance to organizations
implementing and maintaining information security programs.
✓ The Information Technology Infrastructure Library (ITIL) was developed by the UK
Office of Government Commerce (OGC)
✓ ISO/IEC 38500:2008 Corporate governance of information technology
✓ ISO/IEC 20000 is a specification for service management that is aligned with ITIL’s
service management framework
Points to remember:
➢ To have an effective IT Governance, IT plan should be consistent with overall
business plan
➢ To improve information security alignment with business, the best practice is to
involve top management to mediate between business and information systems.
3. Auditor’s Role in Governance of Enterprise IT (GEIT):
➢ To provide leading practice recommendations to senior management to help improve the quality
and effectiveness of the IT governance initiatives implemented.
➢ Helps ensure compliance with GEIT initiatives implemented within an organization
➢ continuous monitoring, analysis and evaluation of metrics associated with GEIT initiatives
require an independent and balanced view to ensure a qualitative assessment that
subsequently facilitates the qualitative improvement of IT processes and associated GEIT
initiatives
➢ To check on alignment of the IT function with the organization’s mission, vision, values,
objectives and strategies
➢ To ensure compliance with legal, environmental, information quality, fiduciary, security and
privacy requirements
Points to remember:
➢ Though ISACA does not test on ISO numbers, it is good to know the ISO numbers
and standards and their scope/description, to understand the subject better
• ISO 27001 (BS7799) - ISO for information security management system (ISMS) -
(Requirements - 0 to 10; Controls – 114; Control objectives – 35; Domains - 14)
• ISO 38500 - Information technology – Security techniques – Code of practice for
information security controls.
• ISO 20000 - ISO for Information technology service management (ITSM) system.
The standard was developed to mirror the best practices described – ITIL
➢ Relationship between COBIT and ITIL - COBIT defines IT goals, whereas ITIL provides the
process-level steps on how to achieve them
4. IT Balanced Score Card (BSC):
➢ BSC is a process management evaluation technique that can be applied to the GEIT process
in assessing IT functions and processes
➢ BSC is the most effective means to aid the IT strategy committee and management in
achieving IT governance through proper IT and business alignment
5. IT Governing committees:
➢ Organizations, broadly have two committees
1. IT Strategy committee
2. IT Steering committee
➢ There should be a clear understanding of both the IT strategy and IT steering committee
➢ Role of IT strategy committee:
• Advises the board and management on IT strategy
• Is delegated by the board to provide input to the strategy and prepare its approval
• Focuses on current and future strategic IT issues
• Provides insight and advice to the board on topics such as:
✓ The alignment of IT with the business direction
✓ The availability of suitable IT resources, skills and infrastructure to meet the
strategic objectives
✓ The achievement of strategic IT objectives
Points to remember:
➢ The purpose of the IT Balanced Score card is to evaluate and monitor performance indicators
– Customer satisfaction, internal processes, innovation capacity, etc.
➢ The IT BSC does not measure the financial performance of the enterprise
PART 2 – CISA Domain 2 – Governance and Management of IT
» What is IT Balanced Score Card (BSC)?
» What are the roles and responsibilities of IT Governing Committee (IT Strategy and Steering
committee)?
» What are the Maturity and process improvement models?
➢ Membership of IT Strategy committee:
• Board members, and
• Specialist non-board members
➢ Role of IT Steering committee:
• Assists the executive in the delivery of the IT strategy
• Oversees day-to-day management of IT service delivery and IT projects
• Focuses on implementation
• Decides the overall level of IT spending and how costs will be allocated
• Approves project plans and budgets, setting priorities and milestones
• Communicates strategic goals to project teams
• Monitors resource and priority conflict between enterprise divisions and the IT function
as well as between projects
• Reports to the board of directors on IS activities.
• Makes decisions regarding centralization versus decentralization and assignment of
responsibility.
➢ Membership of IT Strategy committee:
• Sponsoring executive
• Business executive (key users)
• Chief information officer (CIO)
• Key advisors as required (IT, audit, legal, finance)
Points to remember: The enterprise’s risk appetite is best established by IT Steering
committee.
6. Maturity and Process Improvement Models:
➢ Implementation of IT governance requires ongoing performance measurement of an
organization’s resources that contribute to the execution of processes that deliver IT services
to the business
➢ Some of the process improvement models are:
• The IDEAL model is a software process improvement (SPI) program model in planning
and implementing an effective software process improvement program and consists of
five phases:
1. Initiating,
2. Diagnosing,
3. Establishing,
4. Acting and
5. Learning
• The COBIT Process Assessment Model (PAM), using COBIT 5
• Capability Maturity Model Integration (CMMI) - is a process improvement approach
that provides enterprises with the essential elements of effective processes. It is based
on the ISO/IEC 15504 Information Technology—Process Assessment standard. CMMI has
five maturity levels:
✓ Level 1 – Initial – This is the riskiest stage an organization can find itself in - an
unpredictable environment that increases risk and inefficiency.
✓ Level 2 – Managed – Projects are planned and performed; however, there are a lot
of issues to be addressed
✓ Level 3 – Defined – Organizations are proactive at this level, rather than
reactive. Processes are tailored for the organization. The organization is aware of
its shortcomings, knows how to address them, and plans for improvement.
✓ Level 4 - Quantitatively managed – This level is more measured and
controlled. The organization is ahead of risks, with more data-driven insight into
process deficiencies.
✓ Level 5 – Optimised – At this stage, the processes are stable and flexible. The
organization will be in a constant state of improving and responding to changes or
other opportunities.
7. Risk Management:
➢ The process of identifying vulnerabilities and threats to the information resources used
by an organization in achieving business objectives and what countermeasures to take
in reducing risk to an acceptable level.
➢ encompasses identifying, analyzing, evaluating, treating, monitoring and
communicating the impact of risk on IT processes
➢ The Board may choose to treat the risk in any of the following ways
1. Avoid—Eliminate the risk by eliminating the cause
2. Mitigate—Lessen the probability or impact of the risk by defining, implementing and
monitoring appropriate controls
3. Share/Transfer (deflect, or allocate)—Share risk with partners or transfer via
insurance coverage, contractual agreement or other means
4. Accept—Formally acknowledge the existence of the risk and monitor it.
➢ The steps of Risk Management process involve:
• Step – 1: Asset identification – Examples: Information, Data, Software,
Hardware, documents, personnel.
• Step – 2: Evaluation of threats and vulnerabilities:
a. Threat - A threat is a person or event that has the potential for impacting
a valuable resource in a negative manner. Common classes of threats are:
✓ Errors
✓ Malicious damage/attack
✓ Fraud
✓ Theft
✓ Equipment/software failure
b. Vulnerability - Vulnerabilities refer to weaknesses in a system. They make
threat outcomes possible and potentially even more dangerous. Examples
are:
✓ Lack of user knowledge
✓ Lack of security functionality
✓ Inadequate user awareness/education (e.g., poor choice of
passwords)
✓ Untested technology
✓ Transmission of unprotected communications
• Step 3 – Evaluation of the impact – The result of a threat agent exploiting a
vulnerability is called an impact
✓ In commercial organizations, threats usually result in
a. a direct financial loss in the short term or
b. an ultimate (indirect) financial loss in the long term
✓ Examples of such losses include:
• Direct loss of money (cash or credit)
• Breach of legislation (e.g., unauthorized disclosure)
• Loss of reputation/goodwill
• Endangering of staff or customers
• Breach of confidence
• Loss of business opportunity
• Reduction in operational efficiency/performance
• Interruption of business activity
• Step 4 – Calculation of Risk – A common method of combining the elements is to
calculate for each threat: probability of occurrence × magnitude of impact. This
will give a measure of overall risk.
• Step 5 – Evaluation of and response to Risk
✓ After risk has been identified, existing controls can be evaluated or new
controls designed to reduce the vulnerabilities to an acceptable level.
✓ These controls are referred to as countermeasures or safeguards and
include actions, devices, procedures or techniques
✓ Residual risk, the remaining level of risk after controls have been
applied, can be used by management to further reduce risk by identifying
those areas in which more control is required.
Points to remember: The best way to assess IT risks is by evaluating the threats
associated with existing IT assets and IT projects.
PART 3 – CISA Domain 2 – Governance and Management of IT
» What is Risk Management?
» What are the steps involved in Risk Management process?
» What is Human Resource Management?
» What are the Sourcing Practices?
8. Human Resource Management:
• In the hiring process, the first step before hiring a candidate is a background check
(e.g., criminal, financial, professional, references, qualifications)
• A required vacation (holiday) ensures that once a year, at a minimum, someone
other than the regular employee will perform a job function. This reduces the
opportunity to commit improper or illegal acts. During this time, it may be possible
to discover fraudulent activity as long as there has been no collusion between
employees to cover possible discrepancies (Mandatory leave is a control measure)
• Job rotation provides an additional control (to reduce the risk of fraudulent or
malicious acts) because the same individual does not perform the same tasks all
the time. This provides an opportunity for an individual other than the regularly
assigned person to perform the job and notice possible irregularities.
• Termination policies should be structured to provide adequate protection for the
organization’s computer assets and data. The following control procedures
should be applied:
✓ Return of all devices, access keys, ID cards and badges
✓ Deletion/revocation of assigned logon IDs and passwords
✓ Notification to appropriate staff and security personnel regarding the
employee’s status change to “terminated”
✓ Arrangement of the final pay routines
✓ Performance of a termination interview
9. Sourcing Practices:
✓ Delivery of IT functions can include:
• Insourced - Fully performed by the organization’s staff
• Outsourced - Fully performed by the vendor’s staff
• Hybrid - Performed by a mix of the organization’s and vendor’s staffs; can include
joint ventures/supplemental staff
✓ IT functions can be performed across the globe, taking advantage of time zones and
arbitraging labor rates, and can include:
• Onsite - Staff work onsite in the IT department.
• Offsite - Also known as nearshore; staff work at a remote location in the same
geographic region
• Offshore - Staff work at a remote location in a different geographic region
✓ Objective of outsourcing - to achieve lasting, meaningful improvement in business
processes and services through corporate restructuring to take advantage of a vendor's
core competencies
✓ Management should consider the following areas before moving IT functions offsite or
offshore:
• Legal, regulatory and tax issues
• Continuity of operations
• Personnel
• Telecommunication issues
• Cross-border and cross-cultural issues
Points to remember:
➢ The CISA candidate should be aware of the above process – from hiring to
termination. ISACA tests the knowledge at each step – on what the
enterprise should/should not do.
➢ The employees should be aware of the enterprise IS policy. If not, the lack
of knowledge could lead to unintentional disclosure of sensitive information
➢ When an employee is terminated, the immediate action/most important
action/first step that the enterprise should take is – disable the employee’s
logical access and communicate the termination of the employee
Points to remember:
➢ The most important function of IS management in outsourcing practices is -
monitoring the outsourcing provider’s performance
➢ The enterprise cannot outsource the accountability for IT security policy. The
accountability always lies with the senior management/Board of directors
➢ When the outsourcing service is provided in another country, the major
concern for the IS auditor is – the legal jurisdiction can be questioned
➢ The clause in an outsourcing contract that can help in improving the service
levels and minimizing the costs is – Gain-sharing performance bonuses.
➢ The
PART 4 – CISA Domain 2 – Governance and Management of IT
» What are the various Information Security roles and their Responsibilities?
» What is Business Continuity Planning (BCP)?
» What is Business Impact Analysis (BIA)?
10. Information Security – Roles and Responsibilities:
Role – Responsibilities
a. Systems development manager – Responsible for programmers and analysts who
implement new systems and maintain existing systems
b. Project management – Responsible for planning and executing IS projects; may
report to a project management office or to the development organization
c. Help desk (service desk) – Responds to technical questions and problems faced
by users
d. Quality assurance (QA) manager – Responsible for negotiating and facilitating
quality activities in all areas of information technology
e. Information security management – A separate IT department, headed by a CISO.
The CISO may report to the CIO or have a dotted-line (indirect reporting)
relationship to the CIO
f. Systems administrator – Responsible for maintaining major multiuser computer
systems, including LANs, WLANs, WANs, etc.
g. Database administration – Maintains the data structures in the corporate
database system
11. Business Continuity Planning (BCP):
✓ The purpose of business continuity/disaster recovery is to enable a business to continue
offering critical services in the event of a disruption and to survive a disastrous interruption to
activities.
✓ The first step in preparing a BCP is to identify the business processes of strategic
importance—those key processes that are responsible for both the permanent growth of the
business and for the fulfillment of the business goals
✓ Based on the key processes, the risk management process should begin with a risk
assessment
✓ The result of the risk assessment should be the identification of the following:
a. The human resources, data, infrastructure elements and other resources (including
those provided by third parties) that support the key processes
b. A list of potential vulnerabilities—the dangers or threats to the organization
c. The estimated probability of the occurrence of these threats
d. The efficiency and effectiveness of existing risk mitigation controls (risk
countermeasures)
✓ BCP is primarily the responsibility of senior management
✓ ISO for BCP – ISO 22301
✓ The IT business continuity plan should be aligned with the strategy of the organization. If the
IT plan is a separate plan, it must be consistent with and support the corporate BCP.
✓ Business Continuity policy:
• Is a document approved by top management that defines the extent and scope of the
business continuity effort (a project or an ongoing program) within the organization
• Should be pro-active
• Is the most critical corrective control
• The business continuity policy serves several other purposes:
▪ Its internal portion is a message to internal stakeholders (i.e., employees,
management, board of directors) that the company is undertaking the effort,
committing its resources and expecting the rest of the organization to do the
same.
▪ Its public portion is a message to external stakeholders (shareholders,
regulators, authorities, etc.) that the organization is treating its obligations
(e.g., service delivery, compliance) seriously.
✓ Business Continuity Planning (BCP) Incident Management:
• An incident is
▪ any unexpected event, even if it causes no significant damage
▪ Dynamic in nature
• Depending on an estimation of the level of damage to the organization, all types of incidents
should be categorized. A classification system could include the following categories:
▪ Negligible - incidents are those causing no perceptible or significant damage
▪ Minor - events are those that, while not negligible, produce no negative material (of
relative importance) or financial impact
▪ Major - incidents cause a negative material impact on business processes and may
affect other systems, departments or even outside clients
▪ Crisis - major incident that can have serious material (of relative importance) impact
on the continued functioning of the business and may also adversely impact other
systems or third parties.
12. Business Impact Analysis (BIA):
✓ A critical step in developing the business continuity strategy and the subsequent
implementation of the risk countermeasures and the BCP in particular
✓ Used to evaluate the critical processes (and the IT components supporting them) and to
determine time frames, priorities, resources and interdependencies
✓ Different approaches for performing BIA:
• Detailed questionnaire
• Interview groups of key users
• Bring relevant IT personnel and end users (i.e., those owning the critical processes)
together in a room to come to a conclusion regarding the potential business impact of
various levels of disruptions.
PART 5 – CISA Domain 2 – Governance and Management of IT
» What is the classification of systems and their criticality analysis?
» What are the components of Business Continuity Planning (BCP)?
» What is Plan testing?
13. Classification of systems and criticality analysis:
✓ Critical - These functions cannot be performed unless they are replaced by identical
capabilities
✓ Vital - These functions can be performed manually, but only for a brief period of time (usually
five days or less)
✓ Sensitive - These functions can be performed manually, at a tolerable cost and for an
extended period of time. While they can be performed manually, it usually is a difficult
process and requires additional staff to perform.
✓ Non-sensitive - These functions may be interrupted for an extended period of time, at little or
no cost to the company, and require little or no catching up when restored.
14. Components of Business Continuity Planning (BCP):
✓ Business Continuity Planning (BCP) – Provides procedures for sustaining mission/business
operations while recovering from a significant disruption
✓ Continuity of Operations Plan (COOP) - Provides procedures and guidance to sustain an
organization’s MEFs (Mission Essential Functions) at an alternate site for up to 30 days.
✓ Business resumption plan - Provides procedures for relocating information systems
operations to an alternate location.
✓ Continuity of support plan / IT contingency plan
✓ Crisis communications plan
✓ Incident response plan
✓ Transportation plan
✓ Occupant emergency plan (OEP)
✓ Evacuation and emergency relocation plan
Points to remember:
➢ The first resource to be protected when designing continuity plan provisions
and processes – Human Resource/People
➢ The first step in the business continuity life cycle is – BCP scope, followed by Risk
assessment
➢ The insurance that covers loss incurred from dishonest or fraudulent acts by
employees – Fidelity coverage
➢ The authority to make a disaster declaration lies with the Business Continuity Coordinator
or backup personnel identified in the succession plan
➢ The primary responsibility for establishing organization-wide contingency plans
lies with the Board of Directors.
15. Plan Testing:
✓ Should be scheduled during a time that will minimize disruptions to normal operations
✓ Key recovery team members should be involved in the test process and allotted the necessary
time to put their full effort into it
✓ Should address all critical components and simulate actual primetime processing conditions,
even if the test is conducted in off hours.
✓ Plan Execution: Pre-test, Test, Post-Test
✓ Types of tests:
• Desk-based evaluation/paper test - A paper walk-through of the plan, involving major
players in the plan’s execution who reason out what might happen in a particular type
of service disruption.
• Preparedness test - Usually a localized version of a full test, wherein actual resources
are expended in the simulation of a system crash
• Full operational test - This is one step away from an actual service disruption. The
organization should have tested the plan well on paper and locally before endeavoring
to completely shut down operations.
CISA DOMAIN 3 – INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND IMPLEMENTATION
1 | P a g e
This article covers –
• Overall understanding of the domain
• Important concepts to focus on from exam point of view
The article is split into 9 parts as below:
• Part 1 – Overall understanding, Benefits realization and its techniques, Portfolio management
and business case
• Part 2 – Project Management structure, Project Organizational forms, OBS, WBS
• Part 3 – Project management practices, Software size estimation, Traditional SDLC approach
• Part 4 – Various testing classification, Various changeover techniques
• Part 5 – Certification & Accreditation, AI and expert systems, Agile development, Software re-
engineering and Reverse engineering
• Part 6 – Benchmarking process, Capability Maturity Model Integration (CMMI), Process
procedures and controls
• Part 7 – Various types of data edits and controls
• Part 8 – Data integrity testing and its types, Four online data integrity requirements – ACID
Principle
• Part 9 – Various types of online audit techniques
PART 1 – CISA Domain 3 – Information Systems Acquisition, development and
implementation
» Overall understanding of Domain 3
» What is benefits realization?
» What is portfolio management?
» What is Business case development and approval?
» What are the business realization techniques?
Overall understanding of the domain:
Weightage - This domain constitutes 18 percent of the CISA exam (approximately 27 questions)
Covers 14 Knowledge statements covering information systems acquisition, development and implementation
1. Knowledge of benefits realization practices, (e.g., feasibility studies, business cases, total cost
of ownership [TCO], return on investment [ROI])
2. Knowledge of IT acquisition and vendor management practices (e.g., evaluation and selection
process, contract management, vendor risk and relationship management, escrow, software
licensing) including third-party outsourcing relationships, IT suppliers and service providers.
3. Knowledge of project governance mechanisms (e.g., steering committee, project oversight board,
project management office)
4. Knowledge of project management control frameworks, practices and tools
5. Knowledge of risk management practices applied to projects
6. Knowledge of requirements analysis and management practices (e.g., requirements verification,
traceability, gap analysis, vulnerability management, security requirements)
7. Knowledge of enterprise architecture related to data, applications, and technology (e.g., web-
based applications, web services, n-tier applications, cloud services, virtualization)
8. Knowledge of system development methodologies and tools including their strengths and
weaknesses (e.g., agile development practices, prototyping, rapid application development
[RAD], object-oriented design techniques, secure coding practices, system version control)
9. Knowledge of control objectives and techniques that ensure the completeness, accuracy, validity
and authorization of transactions and data
10. Knowledge of testing methodologies and practices related to the information system
development life cycle (SDLC)
11. Knowledge of configuration and release management relating to the development of information
systems
12. Knowledge of system migration and infrastructure deployment practices and data conversion
tools, techniques and procedures
13. Knowledge of project success criteria and project risk
14. Knowledge of post-implementation review objectives and practices (e.g., project closure, control
implementation, benefits realization, performance measurement)
Important concepts from exam point of view:
1. Benefits realization:
The objectives of benefits realization are to ensure that:
» IT and the business fulfill their value management responsibilities
» IT-enabled business investments achieve the promised benefits and deliver measurable
business value
» Required capabilities (solutions and services) are delivered on time and within budget
2. Portfolio/Program Management:
The objectives of project portfolio management are:
» Optimization of the results of the project portfolio (not of the individual projects)
» Prioritizing and scheduling projects
» Resource coordination (internal and external)
» Knowledge transfer throughout the projects
3. Business case development and approval:
» A business case provides the information required for an organization to decide whether a
project should proceed
» A business case is the first step in a project or a precursor to the commencement of the
project
» The business case should also be a key element of the decision process throughout the life
cycle of any project
» The initial business case would normally derive from a feasibility study undertaken as part of
project initiation/planning
» The feasibility study will normally include the following six elements:
I. Project scope - Defines the business problem and/or opportunity to be addressed
II. Current analysis - Defines and establishes an understanding of the current system or
software product. At this point in the process, the strengths and weaknesses of the
current system or software product are identified.
III. Requirements - Defined based upon stakeholder needs and constraints
IV. Approach - The recommended system and/or software solution to satisfy the
requirements
V. Evaluation - Based upon the previously completed elements within the feasibility
study. The final report addresses the cost-effectiveness of the approach selected
VI. Review – A formal review of the feasibility study report is conducted with all stakeholders
4. Benefit realization techniques:
» COBIT 5 provides the industry-accepted framework under which IT governance goals and
objectives are derived from stakeholder drivers, with the intent of enterprise IT generating
business value from IT-enabled investments
» COBIT 5 is based on 5 principles and 7 enablers
5 Principles:
1. Meeting stakeholder needs
2. End-to-end coverage of the enterprise
3. Holistic approach
4. Integrated framework
5. Separating governance from management
7 Enablers:
1. Principles, policies and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics and behaviour
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies
4. Project Management structure:
» Project management is a business process in a project-oriented organization
» Some of the most prominent standards and organizations - PRINCE2™
» The project management process begins with the project charter and ends with the
completion of the project
PART 2 – CISA Domain 3 – Information Systems Acquisition, development and
implementation
» What is Project Management structure?
» What are the project organizational forms?
» What is Project communication and culture?
» What are the project objectives?
» What is OBS and WBS?
» Project Charter provides a preliminary delineation of roles and responsibilities, outlines the
project objectives, identifies the main stakeholders, and defines the authority of the project
manager
5. Project Organizational forms:
» Three major forms of organizational alignment for project management are
✓ Influence project organization –
• The project manager has only a staff function without formal management
authority
• The project manager is only allowed to advise peers and team members
as to which activities should be completed
✓ Pure project organization –
• The project manager has formal authority over those taking part in the project
• Provides a special working area for the project team that is separated from their
normal office space
✓ Matrix project organization -
• Management authority is shared between the project manager and the
department heads.
6. Project communication and culture:
» Project communication can be achieved by
✓ One-on-one meetings - One-on-one meetings and a project start workshop help to
facilitate two-way communication between the project team members and the project
manager
✓ Kick-off meetings - A kick-off meeting may be used by the project manager to inform
the team of what has to be done for the project
✓ Project start workshops - A project start workshop is used to obtain cooperation from
all team members and buy-in from stakeholders, with communication kept open and clear
among the project team. This helps develop a common overview of the project and
communicates the project culture early in the project.
✓ A combination of the three
» A project culture is comprised of shared norms, beliefs, values and assumptions of the project
team.
» A key success factor for establishing the correct project culture is defining and adapting
the unique characteristics of a project
7. Project objectives:
» Project objectives are the specific action statements that support the road map to obtain
established project goals
» A project needs clearly defined results that are specific, measurable, attainable, realistic and
timely (SMART)
» These objectives are broken down into three –
✓ Main objectives are the primary reason for the project and will always be directly
coupled with business success
✓ Additional objectives are objectives that are not directly related to the main results of
the project but may contribute to project success
✓ Non-objectives are the results that are not to be expected on completion of the project.
» A commonly accepted approach to define project objectives is to start off with an object
breakdown structure (OBS).
» After the OBS has been compiled or a solution is defined, a work breakdown structure (WBS)
is designed to structure all the tasks that are necessary to build up the elements of the OBS
during the project
8. OBS – Object Breakdown Structure:
» It represents the individual components of the solution and their relationships to each other
in a hierarchical manner, either graphically or in a table.
» An OBS can help, especially when dealing with nontangible project results such as
organizational development, to ensure that a material deliverable is not overlooked.
9. WBS – Work Breakdown Structure:
» WBS is designed to structure all the tasks that are necessary to build up the elements of the
OBS during the project.
» The WBS represents the project in terms of manageable and controllable units of work, serves
as a central communications tool in the project, and forms the baseline for cost and resource
planning.
PART 3 – CISA Domain 3 – Information Systems Acquisition, development and
implementation
» What are the roles and responsibilities of each individual in IS environment?
» What are project management practices?
» What are the methods of software size estimation? (1) SLOC and, (2) FPA
» How to measure project time frame? (1) Gantt Charts, (2) CPM and (3) PERT
» What is traditional SDLC approach?
» What are the various approaches of test plans? (1) Bottom-up, and (2) Top-down
10. Roles and Responsibilities:
» Senior management - Demonstrates commitment to the project and approves the resources
» User management – Assumes ownership of the project and resulting systems, allocates
qualified resources, and actively participates in business process redesign, system
requirement definitions, test case development, acceptance testing and user training
» Project steering committee – Provides overall direction and is also responsible for all
deliverables, project cost and schedules
» Project sponsor – Provides funding for the project
» Systems development management – Provides technical support for the hardware and
software environment by developing, installing and operating the requested systems
» User project team - Completes assigned tasks and communicates effectively with users by
actively involving them in the development process as subject matter experts
» Security officer – Ensures that system controls and supporting processes provide an
effective level of protection based on data classifications
» Quality assurance – Reviews results and deliverables within each phase and at the
end of each phase, and confirms compliance with requirements
» Project manager – Day-to-day management and leadership of the project
» Systems development project team – Completes assigned tasks and communicates effectively
with users by actively involving them in the development process
11. Project Management practices:
» Project management is the application of knowledge, skills, tools and techniques to a broad
range of activities to achieve a stated objective such as meeting the defined user
requirements, budget and deadlines for an IS project
» Project management knowledge and practices are best described in terms of their component
processes of
a. initiating,
b. planning,
c. executing and controlling and
d. closing a project
» Initiation of the project
• Initiated by the project manager or sponsor
• The initiation request is often compiled into terms of reference or a project charter that
states the objective of the project, the stakeholders in the system to be produced, and the
project manager and sponsor
• Approval of a project initiation document (PID) or a project request document (PRD) is
the authorization for a project to begin
» Project planning
• The project manager should determine the following as part of project planning:
✓ Project scope
✓ The various tasks that need to be performed to produce the expected business
application system
✓ The sequence or the order in which these tasks need to be performed
✓ The duration or the time window for each task
✓ The priority of each task
✓ The IT resources that are available and required to perform these tasks
✓ Budget or costing for each of these tasks
✓ Source and means of funding
Points to remember:
➢ The CISA candidate should be familiar with the general roles and responsibilities of groups
or individuals involved in the systems development process.
• System Development Project Cost Estimation
The following are the four methods in determining the cost of system development
project:
1. Analogous estimating
2. Parametric estimating
3. Bottom-up estimating
4. Actual costs
• Software size estimation
✓ Relates to methods of determining the relative physical size of the application
software to be developed
✓ Can be used as a guide for the allocation of resources, estimates of time and cost
required for its development, and as a comparison of the total effort required by
the resources available
✓ Methods of software sizing
• Source lines of code (SLOC) –
o The traditional and simplest method, which measures size by counting the
number of lines of source code (SLOC); larger programs are expressed in kilo
lines of code (KLOC)
• Function Point Analysis (FPA) –
o An indirect measurement of software size
o Based on the number and complexity of inputs, outputs, files,
interfaces and queries
o A multiple-point technique widely used for estimating complexity in
developing large business applications
o Five function types are counted - user inputs, user outputs, user inquiries, files
and external interfaces
• Scheduling and establishing the time frame
o While budgeting involves totaling the human and machine effort involved in each
task, scheduling involves establishing the sequential relationship among tasks.
o The schedule can be graphically represented using various techniques such as
a. Gantt charts,
b. Critical Path Methodology (CPM) or
c. Program Evaluation Review Technique (PERT) diagrams.
o Gantt charts:
a. constructed to aid in scheduling the activities (tasks) needed to complete a
project
b. The charts show when an activity should begin and when it should end along
a timeline.
c. Gantt charts can also reflect the resources assigned to each task and by what
percent allocation.
d. Gantt charts can also be used to track the achievement of milestones or
significant accomplishments for the project, such as the end of a project phase or
completion of a key deliverable.
Points to remember:
➢ The CISA candidate should be familiar with the concepts of SLOC and FPA and should be able
to differentiate between the two. A CISA question may be based on a scenario where the
candidate should be able to justify the method of software estimation
➢ A reliable technique for estimating the scope and cost of a software-development project –
Function Point Analysis (FPA)
o Critical Path Methodology (CPM):
a. The critical path is the sequence of activities whose sum of activity times is
longer than that for any other path through the network
b. The critical path is important because, if everything goes according to
schedule, its duration gives the shortest possible completion time for the
overall project
c. Activities that are not on the critical path have slack time
d. Slack time - The amount of time a task can be delayed without
causing another task to be delayed or impacting the completion date of the
overall project
e. Activities on a critical path have zero slack time, and conversely, activities
with zero slack time are on a critical path
o Program Evaluation Review Technique (PERT):
a. A CPM-type technique which uses three different estimates of each activity
duration in lieu of a single number for each activity duration:
1. First one - Most optimistic (if everything went well)
2. Second one – Most likely scenario
3. Third one – Most pessimistic or worst-case scenario
b. The three estimates are then reduced (by applying a mathematical formula) to a
single number, and then the classic CPM algorithm is applied
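A worked example of the CPM and PERT calculations described above (an added example, not taken from these notes): it reduces constructed three-point estimates to expected durations with the standard PERT weighted average (O + 4M + P)/6, which the notes refer to only as "a mathematical formula", then runs the forward and backward pass to compute slack time and the zero-slack critical path. The task network is constructed for illustration.

```python
"""Critical path, slack time and PERT three-point estimates.

Added worked example (not from the CISA notes). The task network below is
constructed for illustration. The PERT reduction used is the standard
weighted average (O + 4M + P) / 6, which the notes do not spell out.
"""
from collections import deque


def pert_expected(optimistic, most_likely, pessimistic):
    """Reduce the three PERT estimates to one expected duration."""
    return (optimistic + 4 * most_likely + pessimistic) / 6


# Constructed sample network:
# task -> ((optimistic, most likely, pessimistic), predecessors)
SAMPLE_ESTIMATES = {
    "A": ((1, 2, 3), []),
    "B": ((2, 4, 6), ["A"]),
    "C": ((1, 3, 5), ["A"]),
    "D": ((3, 5, 13), ["B"]),
    "E": ((1, 2, 3), ["C"]),
    "F": ((1, 1, 1), ["D", "E"]),
}


def build_network(estimates):
    """Turn PERT estimates into task -> (expected_duration, predecessors)."""
    return {name: (pert_expected(*ests), list(deps))
            for name, (ests, deps) in estimates.items()}


def topological_order(tasks):
    """Kahn's algorithm. Returns the task order and a successor map;
    raises if the network has a cycle (no critical path exists then)."""
    indegree = {name: len(deps) for name, (_, deps) in tasks.items()}
    successors = {name: [] for name in tasks}
    for name, (_, deps) in tasks.items():
        for dep in deps:
            successors[dep].append(name)
    queue = deque(n for n, d in indegree.items() if d == 0)
    order = []
    while queue:
        n = queue.popleft()
        order.append(n)
        for s in successors[n]:
            indegree[s] -= 1
            if indegree[s] == 0:
                queue.append(s)
    if len(order) != len(tasks):
        raise ValueError("task network contains a cycle")
    return order, successors


def cpm(tasks):
    """Classic CPM forward/backward pass.

    Returns (project_duration, schedule); schedule maps each task to its
    earliest start/finish (es, ef), latest start/finish (ls, lf) and slack.
    Slack is ls - es: how long the task can slip without delaying the project.
    """
    order, successors = topological_order(tasks)
    es, ef = {}, {}
    for n in order:                      # forward pass: earliest times
        dur, deps = tasks[n]
        es[n] = max((ef[d] for d in deps), default=0.0)
        ef[n] = es[n] + dur
    duration = max(ef.values())
    ls, lf = {}, {}
    for n in reversed(order):            # backward pass: latest times
        dur = tasks[n][0]
        lf[n] = min((ls[s] for s in successors[n]), default=duration)
        ls[n] = lf[n] - dur
    schedule = {n: {"es": es[n], "ef": ef[n], "ls": ls[n], "lf": lf[n],
                    "slack": ls[n] - es[n]} for n in order}
    return duration, schedule


def critical_path(tasks):
    """Activities with zero slack, in network order (the critical path)."""
    _, schedule = cpm(tasks)
    return [n for n, s in schedule.items() if abs(s["slack"]) < 1e-9]


if __name__ == "__main__":
    network = build_network(SAMPLE_ESTIMATES)
    total, sched = cpm(network)
    print(f"project duration: {total}")
    for task, s in sched.items():
        print(f"{task}: ES={s['es']} EF={s['ef']} LS={s['ls']} "
              f"LF={s['lf']} slack={s['slack']}")
    print("critical path:", " -> ".join(critical_path(network)))
```

In the sample, tasks C and E each carry five units of slack, so delaying either by up to five units does not move the completion date; A, B, D and F have zero slack and form the critical path.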
» Project executing and controlling:
• The controlling activities of the project include:
1. Management of scope changes
2. Management of resource usage
3. Management of risk
o The risk management process consists of five steps:
1. Identify risk
2. Assess and evaluate risk
3. Manage risk
4. Monitor risk
5. Evaluate the risk management process
Points to remember:
➢ The technique that considers different scenarios for planning and
controlling projects – Program Evaluation Review Technique (PERT)
» Closing a project:
• A Project should have a finite life so, at some point, it is closed and the new or modified
system is handed over to the user
• When closing a project, there may still be some issues that need to be resolved,
ownership of which needs to be assigned
• The project sponsor should be satisfied that the system produced is acceptable and
ready for delivery
12. Traditional SDLC approach:
• Also referred to as the waterfall technique
• Traditional system Development Life Cycle Approach
o Phase 1 – Feasibility Study:
1. Includes development of a business case, which determines the strategic
benefits of implementing the system either in productivity gains or in
future cost avoidance
2. Intangible factors such as readiness of the business users and maturity of
the business processes will also be considered and assessed.
3. This business case provides the justification for proceeding to the next
phase.
o Phase 2 – Requirements definition - Define the problem or need that requires
resolution and define the functional and quality requirements of the solution
system
o Phase 3A – Software selection and acquisition (Purchased systems) - Based on
requirements defined, prepare a request for proposal outlining the entity
requirements to invite bids from suppliers
o Phase 3B – Design (In-house development) - Based on the requirements defined,
establish a baseline of system and subsystem specifications that describe the
parts of the system, how they interface, and how the system will be implemented
using the chosen hardware, software and network facilities.
o Phase 4A – Configuration (purchased systems) - Configure the system, if it is a
packaged system, to tailor it to the organization’s requirements. This is best
done through the configuration of system control parameters, rather than
changing program code.
o Phase 4B – Development (In-house development) - Use the design specifications to
begin programming and formalizing supporting operational processes of the
System
o Phase 5 – Final testing and implementation - Establish the actual operation of the new
system, with the final iteration of user acceptance testing and user sign-off conducted at
this stage. The system also may go through a certification and accreditation process to
assess the effectiveness of the business application in mitigating risk
o Phase 6 – Post implementation - Following the successful implementation of a
new or extensively modified system, implement a formal process that assesses
the adequacy of the system and projected cost benefit or ROI measurements vis-
à-vis the feasibility stage findings and deviations
Points to remember:
➢ The CISA candidate should be familiar with the phases of traditional SDLC.
➢ The candidate should be aware of what IS auditor should look for when reviewing the
feasibility study
13. Approaches to test plans:
• Bottom-up approach:
o A testing strategy in which the lowest-level modules are tested first and then
combined and tested with progressively higher-level modules until all the modules
and aspects of the software have been tested properly
o Benefits of the bottom-up approach:
- No need for stubs or drivers
- Can be started before all programs are complete
- Errors in critical modules are found early
• Top-down approach:
o High-level modules are tested first, then the low-level modules, and finally the
low-level modules are integrated with the high-level ones to ensure the system
works as intended.
o Benefits of the top-down approach:
- Tests of major functions and processing are conducted early
- Interface errors can be detected sooner
- Confidence is raised in the system because programmers and users actually
see a working system
Points to remember:
➢ The approach to developing organizational policies that is often driven by
risk assessment – Bottom-up approach
➢ The MOST appropriate method to ensure that internal application interface errors
are identified as soon as possible – Top-down approach
PART 4 – CISA Domain 3 – Information Systems Acquisition, development and
implementation
» What are the various testing classifications?
• Unit testing
• Integration/interface testing
• System testing
• Final acceptance testing – QAT & UAT
» What are the other types of testing?
• Alpha and beta testing
• Pilot testing
• White box testing
• Black box testing
• Functional testing
• Regression testing
• Parallel testing
• Sociability testing
» What are the changeover techniques?
• Parallel changeover
• Phased changeover
• Abrupt changeover
14. Testing classifications:
• Unit testing:
o The testing of an individual program or module.
o Unit testing uses a set of test cases that focus on the control structure of the
procedural design.
o These tests ensure that the internal operation of the program performs
according to specification.
• Interface or integration testing:
o The tests that verify and validate the functioning of the application under test
with other systems, where a set of data is transferred from one system to
another
o A hardware or software test that evaluates the connection of two or more
components that pass information from one area to another
o The objective is to take unit-tested modules and build an integrated structure
dictated by design.
• System testing:
o The testing of the software application as a whole to check whether the system is
compliant with the user requirements.
o It is end-to-end testing from the user's perspective, intended to find defects in the
software system.
• Final acceptance testing:
o After the system staff is satisfied with their system tests, the new or modified
system is ready for the acceptance testing, which occurs during the
implementation phase.
o Final acceptance testing has two major parts:
1. Quality assurance testing (QAT):
- QAT focuses on the documented specifications and the technology
employed.
- QAT is performed primarily by the IT department.
- The participation of the end user is minimal and on request.
- QAT does not focus on functionality testing.
2. User acceptance testing (UAT):
- UAT is performed by the end users against the documented business
requirements to confirm that the system is production-ready
- UAT should be performed in a secure testing or staging
environment
- On completion of acceptance testing, the final step is usually a
certification and accreditation process
Points to remember:
➢ Failure in this testing stage would have the GREATEST impact on the implementation of new
application software – Acceptance testing
15. Other types of testing:
• Alpha and beta testing:
o An alpha version is an early version of the application system (or software
product) submitted to internal users for testing.
o The first stage, called alpha testing, is often performed only by users within the
organization developing the software
o The second stage, called beta testing, a form of user acceptance testing,
generally involves a limited number of external users.
• Pilot testing:
o A preliminary test that focuses on specific and predetermined aspects of a
system
o A proof of concept is an early form of pilot testing.
• White box testing:
o Software testing method in which the internal structure/design/implementation
of the item being tested is known to the tester
• Black box testing:
o Software testing method in which the internal structure/ design/implementation
of the item being tested is NOT KNOWN to the tester.
o An integrity-based form of testing associated with testing components of
an information system’s “functional” operating effectiveness without regard to
any specific internal program structure
• Functional testing: It ensures that the product actually meets the client's needs
• Regression testing: The process of rerunning a portion of a test scenario or test plan to
ensure that changes or corrections have not introduced new errors.
• Parallel testing: This is the process of feeding test data into two systems - the modified
system and an alternative system (possibly the original system) and comparing the
results
• Sociability testing: The purpose of this test is to confirm that the new or modified system can
operate in its target environment without adversely impacting existing systems.
16. Changeover (Go-live or cutover) techniques:
• Parallel changeover:
o This technique includes running the old system, then running both the old and
new systems in parallel, and finally, fully changing over to the new system after
gaining confidence in the working of the new system.
o Advantages:
- Minimizes the risk of using the new system, because the old system remains
available as a fallback
- Helps identify problems, issues or concerns that users come across in the new
system early on
o Disadvantages:
- Running two systems at the same time costs more.
- The parallel changeover process can also be quite time-consuming.
• Phased changeover:
o The phased changeover technique is considered a compromise between parallel
and direct changeovers.
o In a phased changeover, the new system is implemented one stage at a time
o Advantages:
- Low cost and
- Isolates errors
o Disadvantages:
- the process takes a long time to complete because phases need to
be implemented separately.
• Abrupt (direct) changeover:
o In this approach the new system is cut over from the old system on a
cutoff date and time, and the old system is discontinued once changeover to the
new system takes place
o Advantages:
- Low cost
o Disadvantages (risks that must be managed):
- Asset safeguarding
- Data integrity
- System effectiveness
- System efficiency
- Change management challenges (depending on the configuration
items considered)
- Duplicate or missing records (duplicate or erroneous records may
exist if data cleansing is not done correctly)
Points to remember:
➢ The CISA candidate should be familiar with all the above types of testing. CISA questions will
be scenario based and the candidate is expected to identify which type of testing is to be
used.
➢ Dynamic analysis tools test a software module by executing it (black box and white box
tests are both dynamic); desk checking, code reviews and structured walk-throughs are static
analysis.
➢ The CISA candidate should be familiar with all the changeover techniques with their
advantages and disadvantages.
➢ The CISA candidate is expected to know when to use which type of changeover technique.
➢ Most risky changeover technique / lowest cost changeover – Abrupt/Direct changeover
➢ Costliest changeover technique / least risky changeover technique – Parallel changeover
➢ Changeover in stages – Phased changeover
PART 5 – CISA Domain 3 – Information Systems Acquisition, development and
implementation
» What does certification and accreditation mean?
» What do Artificial Intelligence (AI) and expert systems mean?
» What is Agile development?
» What is software re-engineering?
» What is reverse engineering?
17. Certification and Accreditation:
• Certification:
o Certification is the process of evaluating, testing, and examining security controls
that have been pre-determined based on the data type in an information system
o The certification process ensures that security weaknesses are identified and plans
for mitigation strategies are in place
o Testing laboratories may also certify that certain products meet pre-established
standards, or governmental agencies may certify that a company is meeting
existing regulations (e.g., emission limits).
• Accreditation (the term is used in two senses):
o In the conformity-assessment sense, accreditation is the formal declaration by a
neutral third party that a certification program is administered in a way that meets the
relevant norms or standards for such programs (e.g., ISO/IEC 17024).
o In the information systems sense used in the SDLC, accreditation is the official management
decision (given by a senior official) to authorize operation of an information system and to
explicitly accept the risk to the organization’s operations, assets or individuals based on the
implementation of an agreed-upon set of requirements and security controls.
Points to remember:
➢ The CISA candidate should be familiar with the auditor’s role in the certification
process
18. Artificial Intelligence (AI) and Expert Systems:
• Artificial intelligence (AI) is the study and application of the principles by which:
o Knowledge is acquired and used.
o Goals are generated and achieved.
o Information is communicated.
o Collaboration is achieved.
o Concepts are formed.
o Languages are developed.
• AI fields include, among others:
o Expert systems
o Natural and artificial (such as programming) languages
o Neural networks
o Intelligent text management
o Theorem proving
o Abstract reasoning
o Pattern recognition
o Voice recognition
o Problem solving
o Machine translation of foreign languages
• Expert systems:
o Expert systems are an area of AI and perform a specific function or are prevalent
in certain industries.
o An expert system allows the user to specify certain basic assumptions or formulas
and then uses these assumptions or formulas to analyze arbitrary events. Based
on the information used as input to the system, a conclusion is produced.
o Key to the system is the knowledge base (KB), which contains specific information
or fact patterns associated with particular subject matter and the rules for
interpreting these facts.
o Knowledge base: This component consists of data, facts and rules for a certain
topic, industry or skill, usually equivalent to that of a human expert. The
information in the KB can be expressed in several ways:
1. Decision trees – Using questionnaires to lead the user through a series of choices
until a conclusion is reached.
2. Rules - Expressing declarative knowledge through the use of if-then
relationships. For example, if a patient’s body temperature is over 39°C (102.2°F)
and his/her pulse is under 60, then the patient might be suffering from a certain
disease.
3. Semantic nets - A semantic network is a system in which commonly understood
labeling is used to show relationships between its parts
19. Agile development:
• The term “agile development” refers to a family of similar development processes that
espouse a nontraditional way of developing complex systems. One of the first agile
processes, Scrum (a rugby analogy), emerged in the early 1990s
• Agile methods are lightweight software engineering frameworks that promote iterative development
throughout the life cycle of the project, close collaboration between the development
team and the business side, constant communication, and tightly-knit teams
20. Software re-engineering and business process re-engineering (BPR):
• Software re-engineering is a process of updating an existing system by extracting and reusing
its design and program components
• Business process re-engineering (BPR) is the act of recreating a core business process with the goal of
o improving product output,
o improving product quality, or
o reducing costs.
• The following are the steps involved in business process re-engineering:
o Define objectives and framework
o Identify customer needs
o Study the existing process
o Formulate a Redesign Business plan
o Implement and monitor the redesigned process
o Establish continuous improvement process
Points to remember:
➢ The outcome MOST likely to result from a business process reengineering (BPR)
project – An increased number of people using technology
➢ The FIRST step of a re-engineering process – Identify current/existing business
processes. If an option on identifying customer needs is available, that would be the
best choice
21. Reverse engineering:
• Reverse engineering is the process of studying and analyzing an application or a product to
see how it functions, and using that information to develop a similar system
• This process can be carried out in several ways:
o Decompiling object or executable code into source code and using it to analyze the
program
o Black box testing the application to be reverse-engineered to unveil its
functionality
• Advantages:
o Faster development and reduced SDLC duration
o Possibility of introducing improvements by overcoming the reverse-engineered
application’s drawbacks
• Caveat: software license agreements often contain clauses prohibiting the licensee from reverse
engineering the software, so the IS auditor should check that the legal and contractual position
has been reviewed before such an exercise is undertaken
PART 6 – CISA Domain 3 – Information Systems Acquisition, development and
implementation
» What is the benchmarking process?
» What is Capability Maturity Model Integration (CMMI)?
» What are processing procedures and controls?
22. Benchmarking process:
• Benchmarking is about improving business processes.
• It is defined as a continuous, systematic process for evaluating the products, services or
work processes of organizations recognized as world-class “reference” points in a globalized
world
• The benchmarking process includes the following steps:
o Plan
o Research
o Observe
o Analyze
o Adopt
o Improve
23. Capability Maturity Model Integration (CMMI):
• Capability Maturity Model Integration (CMMI) is a process-level improvement training and
appraisal program, administered by the CMMI Institute, a subsidiary of ISACA.
• The following are the characteristics of the maturity levels:
o Level 1 – Initial – Processes are unpredictable, poorly controlled and reactive.
o Level 2 – Managed – Processes are characterized for projects and are often reactive.
o Level 3 – Defined – Processes are characterized for the organization and are proactive.
o Level 4 – Quantitatively managed – Processes are measured and controlled.
o Level 5 – Optimizing – Focus is on continuous process improvement.
24. Processing procedures and controls:
• Processing procedures and controls are meant to ensure the reliability of application
program processing.
• IS auditors need to understand the procedures and controls that can be exercised over
processing to evaluate what exposures are covered by these controls and what exposures
remain.
PART 7 – CISA Domain 3 – Information Systems Acquisition, development and
implementation
» What are the various data edits and controls?
• Sequence check
• Limit check
• Range check
• Validity check
• Reasonableness check
• Existence check
• Key verification
• Check digit
• Completeness check
• Duplicate check
• Logical relationship check
25. Data validation edits and controls:
1. Sequence check:
o The control number must follow sequentially; any out-of-sequence or duplicated control
numbers are rejected or noted on an exception report for follow-up purposes.
o For example, invoices are numbered sequentially. The day’s invoices begin with
12001 and end with 15045. If any invoice larger than 15045 is encountered
during processing, that invoice would be rejected as an invalid invoice number.
2. Limit check:
o Data should not exceed a predetermined amount.
o For example, payroll checks should not exceed US $4,000. If a check exceeds US
$4,000, the data would be rejected for further verification/authorization.
3. Range check:
o Data should be within a predetermined range of values.
o For example, product type codes range from 100 to 250. Any code outside this
range should be rejected as an invalid product type.
4. Validity check:
o Programmed checking of the data validity in accordance with predetermined
criteria.
o For example, a payroll record contains a field for marital status and the
acceptable status codes are M or S. If any other code is entered, the record should
be rejected.
5. Reasonableness check:
o Input data are matched to predetermined reasonable limits or occurrence rates.
o For example, a widget manufacturer usually receives orders for no more than 20
widgets. If an order for more than 20 widgets is received, the computer program
should be designed to print the record with a warning indicating that the order
appears unreasonable.
6. Existence check:
o Data are entered correctly and agree with valid predetermined criteria.
o For example, a valid transaction code must be entered in the transaction code
field.
7. Key verification:
o The keying process is repeated by a separate individual using a machine that
compares the original keystrokes to the repeated keyed input.
o For example, the worker number is keyed twice and compared to verify the keying
process.
8. Check digit:
o A numeric value that has been calculated mathematically is added to data to
ensure that the original data have not been altered or an incorrect, but valid,
value substituted.
o This control is effective in detecting transposition and transcription errors.
o For example, a check digit is added to an account number so it can be checked
for accuracy when it is used.
9. Completeness check:
o A field should always contain data rather than zeros or blanks (No Null value)
o A check of each byte of that field should be performed to determine that some
form of data, not blanks or zeros, is present.
o For example, a worker number on a new employee record is left blank. This is
identified as a key field and the record would be rejected, with a request that the
field be completed before the record is accepted for processing.
10. Duplicate check:
o New transactions are matched to those previously input to ensure that they have
not already been entered.
o For example, a vendor invoice number agrees with previously recorded invoices
to ensure that the current order is not a duplicate and, therefore, the vendor will
not be paid twice.
11. Logical relationship check:
o If a particular condition is true, then one or more additional conditions or data
input relationships may be required to be true and consider the input valid.
o For example, the hire date of an employee may be required to be more than 16
years past his/her date of birth.
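The edits above are programmed checks, and the clearest way to see how they differ (which ones reject, which one only warns, which need state from earlier records) is to run them. The following is an added example, not part of the original notes or of any ISACA material: it applies the edits to a constructed batch of records. The limits, code sets and the day's invoice numbering are assumptions chosen to match the examples in the text; key verification is a manual re-keying control and is only noted in a comment.

```python
"""Data validation edits applied to a constructed batch of payroll/invoice records.
Added example; reference values (limits, code sets, invoice range) are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set

VALID_MARITAL = {"M", "S"}                # validity check: acceptable status codes
VALID_TXN_CODES = {"PAY", "ADJ", "REV"}   # existence check: transaction codes on file
PRODUCT_CODE_RANGE = (100, 250)           # range check
PAYROLL_LIMIT = 4000.00                   # limit check: no cheque above US $4,000
REASONABLE_QTY = 20                       # reasonableness check: usual maximum order
MIN_HIRE_AGE_YEARS = 16                   # logical relationship check: hire date vs. DOB


def luhn_check_digit(body: str) -> str:
    """Mod-10 (Luhn) check digit for a numeric string. Catches every single-digit
    transcription error and almost every adjacent transposition."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


def check_digit_valid(number: str) -> bool:
    """Recompute the check digit from the body and compare it with the trailing digit."""
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class Record:
    invoice_no: int          # sequence and duplicate checks
    worker_no: str           # key field: completeness check
    txn_code: str            # existence check
    marital_status: str      # validity check
    product_code: int        # range check
    quantity: int            # reasonableness check
    amount: float            # limit check
    date_of_birth: date      # logical relationship check, together with hire_date
    hire_date: date
    account_no: str          # check digit


@dataclass
class BatchState:
    """Cross-record state: the day's invoice range and what has been input so far."""
    first_invoice: int = 12001
    last_invoice: int = 15045
    expected_next: int = 12001
    seen: Set[int] = field(default_factory=set)


def validate(rec: Record, state: BatchState) -> Dict[str, List[str]]:
    """Programmed edits: rejects stop the record, warnings go to an exception report.
    Key verification (re-keying by a second person) is a manual control, not coded here."""
    rejects, warnings = [], []
    in_range = state.first_invoice <= rec.invoice_no <= state.last_invoice
    if not in_range:                                        # sequence check: outside the day's numbers
        rejects.append(f"sequence: invoice {rec.invoice_no} outside the day's range")
    elif rec.invoice_no != state.expected_next:             # sequence check: gap or out of order
        rejects.append(f"sequence: expected {state.expected_next}, got {rec.invoice_no}")
    if rec.invoice_no in state.seen:                        # duplicate check
        rejects.append(f"duplicate: invoice {rec.invoice_no} already input")
    if rec.amount > PAYROLL_LIMIT:                          # limit check
        rejects.append(f"limit: amount {rec.amount:.2f} exceeds {PAYROLL_LIMIT:.2f}")
    if not PRODUCT_CODE_RANGE[0] <= rec.product_code <= PRODUCT_CODE_RANGE[1]:   # range check
        rejects.append(f"range: product code {rec.product_code} outside {PRODUCT_CODE_RANGE}")
    if rec.marital_status not in VALID_MARITAL:             # validity check
        rejects.append(f"validity: marital status {rec.marital_status!r}")
    if rec.quantity > REASONABLE_QTY:                       # reasonableness check: warn, do not reject
        warnings.append(f"reasonableness: quantity {rec.quantity} above usual {REASONABLE_QTY}")
    if rec.txn_code not in VALID_TXN_CODES:                 # existence check
        rejects.append(f"existence: unknown transaction code {rec.txn_code!r}")
    if not check_digit_valid(rec.account_no):               # check digit
        rejects.append(f"check digit: account {rec.account_no} fails mod-10")
    if not rec.worker_no.strip() or set(rec.worker_no.strip()) == {"0"}:   # completeness check
        rejects.append("completeness: worker number blank or zero-filled")
    dob = rec.date_of_birth                                 # logical relationship check
    sixteenth = dob.replace(year=dob.year + MIN_HIRE_AGE_YEARS, day=min(dob.day, 28))  # 28 sidesteps 29 Feb
    if rec.hire_date < sixteenth:
        rejects.append(f"logical relationship: hired {rec.hire_date} before 16th birthday")
    if in_range and rec.invoice_no not in state.seen:       # advance the sequence for any new number
        state.seen.add(rec.invoice_no)
        state.expected_next = rec.invoice_no + 1
    return {"rejects": rejects, "warnings": warnings}


def sample_records() -> List[Record]:
    """Constructed batch: a clean record followed by records that trip specific edits."""
    base = dict(worker_no="W1001", txn_code="PAY", marital_status="M", product_code=150,
                quantity=5, amount=2500.0, date_of_birth=date(1990, 5, 1),
                hire_date=date(2015, 6, 1), account_no="79927398713")
    return [
        Record(invoice_no=12001, **base),
        Record(invoice_no=12002, **{**base, "amount": 4500.0}),               # limit
        Record(invoice_no=12003, **{**base, "quantity": 25}),                 # reasonableness (warning only)
        Record(invoice_no=12003, **base),                                     # duplicate (and out of sequence)
        Record(invoice_no=12004, **{**base, "account_no": "79972398713"}),    # check digit: 27 transposed to 72
        Record(invoice_no=12005, **{**base, "hire_date": date(2004, 1, 1)}),  # logical relationship
        Record(invoice_no=15046, **base),                                     # sequence: beyond the day's last number
    ]
```

Run the batch with `state = BatchState()` and `[validate(r, state) for r in sample_records()]`. Note that the sequence counter advances even when a record is rejected for another reason (it consumed its control number), while a duplicate produces two findings, since it also fails the sequence check.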
Points to remember:
➢ The CISA candidate is expected to be familiar with each of the data validation edits and controls
➢ Check digit – effective in detecting transposition and transcription errors
➢ Reasonableness check – a data validation edit control that matches input data to an
occurrence rate
PART 8 – CISA Domain 3 – Information Systems Acquisition, development and
implementation
» What is data integrity testing?
» What are the types of data integrity testing?
• Relational integrity testing
• Referential integrity testing
» What are the four online data integrity requirements?
• Atomicity
• Consistency
• Isolation
• Durability
26. Data integrity testing:
• Data integrity testing is a set of substantive tests that examines the accuracy, completeness,
consistency and authorization of data presently held in a system
• Two common types of data integrity tests are:
- Relational integrity tests – performed at the data element and record-based levels;
relational integrity is enforced through data validation routines built into the application
or through constraints defined on the table in the database
- Referential integrity tests – test whether the table relationships are consistent.
In other words, any foreign key field must agree with the primary key that is
referenced by the foreign key.
27. Data Integrity in Online Transaction Processing Systems:
• The four online data integrity requirements known collectively as the ACID principle,
which are as follows:
o Atomicity - From a user perspective, a transaction is either completed in its entirety
or not at all. If an error or interruption occurs, all changes made up to that point
are backed out.
o Consistency - All integrity conditions in the database are maintained with each
transaction, taking the database from one consistent state into another consistent
state.
o Isolation - Each transaction is isolated from other transactions, and hence, each
transaction only accesses data that are part of a consistent database state.
o Durability - If a transaction has been reported back to a user as complete, the
resulting changes to the database survive subsequent hardware or software
failures.
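The referential integrity test from 26 and the atomicity and consistency properties from 27 can be exercised against a small database. The following is an added example, not from the original notes: it builds a constructed SQLite database with one deliberately dangling foreign key, runs the referential integrity query that finds it, and then attempts a transfer that violates a CHECK constraint so that the whole transaction rolls back. Table names, data and the overdraft rule are all made up.

```python
"""Data integrity tests against a constructed SQLite database: a referential
integrity test for dangling foreign keys, and an atomicity/consistency check on
a transaction that must roll back. Added example; schema and data are made up."""
import sqlite3
from typing import Dict, List

SCHEMA = """
CREATE TABLE account (
    account_no TEXT PRIMARY KEY,
    balance    INTEGER NOT NULL CHECK (balance >= 0)   -- relational integrity: domain rule
);
CREATE TABLE payment (
    payment_id INTEGER PRIMARY KEY,
    account_no TEXT NOT NULL REFERENCES account(account_no),   -- foreign key to account
    amount     INTEGER NOT NULL
);
"""


def build_db() -> sqlite3.Connection:
    """Load constructed data. SQLite does not enforce foreign keys unless asked, so
    the dangling payment for A-999 loads without complaint, as it would in a legacy
    system with no referential constraints."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO account VALUES (?, ?)", [("A-100", 500), ("A-200", 300)])
    conn.executemany("INSERT INTO payment VALUES (?, ?, ?)",
                     [(1, "A-100", 50), (2, "A-200", 75), (3, "A-999", 20)])
    conn.commit()
    return conn


def dangling_payments(conn: sqlite3.Connection) -> List[int]:
    """Referential integrity test: payments whose account_no matches no account row."""
    rows = conn.execute(
        "SELECT p.payment_id FROM payment p "
        "LEFT JOIN account a ON a.account_no = p.account_no "
        "WHERE a.account_no IS NULL ORDER BY p.payment_id").fetchall()
    return [r[0] for r in rows]


def transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Move funds inside one transaction. The credit is posted first on purpose:
    if the debit then violates the CHECK constraint (consistency), the exception
    rolls back the credit too (atomicity), so the ledger never shows money that
    was created out of nothing."""
    try:
        with conn:  # commits on success, rolls back on exception
            conn.execute("UPDATE account SET balance = balance + ? WHERE account_no = ?", (amount, dst))
            conn.execute("UPDATE account SET balance = balance - ? WHERE account_no = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False


def insert_payment_enforced(conn: sqlite3.Connection, payment_id: int,
                            account_no: str, amount: int) -> bool:
    """Preventive control: with foreign keys switched on, a payment for a
    non-existent account is refused at input instead of being found later."""
    conn.execute("PRAGMA foreign_keys = ON")
    try:
        with conn:
            conn.execute("INSERT INTO payment VALUES (?, ?, ?)", (payment_id, account_no, amount))
        return True
    except sqlite3.IntegrityError:
        return False


def balances(conn: sqlite3.Connection) -> Dict[str, int]:
    return dict(conn.execute("SELECT account_no, balance FROM account ORDER BY account_no").fetchall())


if __name__ == "__main__":
    db = build_db()
    print("dangling payments:", dangling_payments(db))
    print("overdraft transfer committed?", transfer(db, "A-100", "A-200", 1000), balances(db))
```

The LEFT JOIN ... IS NULL query is the substantive test an auditor would run with generalized audit software; turning foreign-key enforcement on is the preventive control that makes the test come back empty in future.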
Points to remember:
➢ In an online transaction processing system, data integrity is maintained by
ensuring that a transaction is either completed in its entirety or not at all. This
principle of data integrity is known as – Atomicity
➢ Referential integrity – will prevent dangling tuples (foreign key values with no matching
primary key) in a database
28. Online auditing techniques:
• Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM) –
This technique involves embedding specially written audit software (the embedded audit
module) in the organization’s host application system so that the application’s transactions
are monitored on a selective basis; transactions meeting the audit criteria are written to
the SCARF for later review by the auditor
• Snapshots – This technique involves taking what might be termed pictures of the
processing path that a transaction follows, from the input to the output stage, so the auditor
can see the data before and after each processing step
• Audit hooks – This technique involves embedding hooks in application systems to
function as red flags and to prompt IS security staff and auditors to act before an error or
irregularity gets out of hand
• Integrated test facility (ITF) – Creates a fictitious entity in a database to
process test transactions simultaneously with live input. It can be used to
incorporate test transactions into a normal production run of a system; the test entity’s
records must be kept out of production totals
• Continuous and intermittent simulation (CIS) – The simulator is notified of each transaction
that the DBMS processes for the application; transactions that meet the selection criteria are
processed independently by the simulator, and its results are compared with those produced
by the application, with any differences reported
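The four techniques that sit inside the application (SCARF/EAM, snapshots, audit hooks and ITF) are easier to tell apart when wired into one processing loop. The following is an added example, not from the original notes or from any ISACA material: a toy transaction-posting routine with an embedded audit module that copies large postings (with a before/after snapshot) to an audit file, an audit hook that raises a red flag as soon as one user exceeds a number of manual adjustments, and an ITF account whose balances are kept apart from production totals. The transactions, account names, thresholds and the ITF account name are all constructed.

```python
"""Embedded audit module (SCARF/EAM), snapshots, an audit hook and an integrated
test facility (ITF) wired into a toy transaction-posting loop. Added example; the
transactions, accounts, thresholds and the ITF account name are all constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ITF_ACCOUNTS = {"ITF-TEST-01"}   # fictitious entity owned by audit; never part of real totals
SCARF_AMOUNT = 10_000.0          # EAM selection criterion: large postings go to the audit file
HOOK_ADJ_LIMIT = 3               # audit hook: red flag when one user posts more adjustments than this


@dataclass
class Txn:
    txn_id: int
    account: str
    kind: str        # "PAY" (payment) or "ADJ" (manual adjustment)
    amount: float
    user: str


@dataclass
class Run:
    ledger: Dict[str, float] = field(default_factory=dict)       # production balances
    itf_ledger: Dict[str, float] = field(default_factory=dict)   # ITF balances, kept apart
    scarf_file: List[int] = field(default_factory=list)          # txn ids selected by the EAM
    snapshots: List[Tuple[int, float, float]] = field(default_factory=list)  # (txn, before, after)
    red_flags: List[str] = field(default_factory=list)           # raised by audit hooks
    adj_by_user: Dict[str, int] = field(default_factory=dict)


def ledger_for(txn: Txn, run: Run) -> Dict[str, float]:
    """ITF: transactions for the fictitious entity post to a separate ledger so test
    data can run in the production stream without contaminating real balances."""
    return run.itf_ledger if txn.account in ITF_ACCOUNTS else run.ledger


def embedded_audit_module(txn: Txn, before: float, after: float, run: Run) -> None:
    """SCARF/EAM: selectively copy transactions that meet audit criteria to the audit
    file, together with a snapshot of the balance before and after posting.
    Production processing itself is not altered."""
    if txn.account in ITF_ACCOUNTS:
        return                                    # audit's own test data is not evidence
    if abs(txn.amount) >= SCARF_AMOUNT:
        run.scarf_file.append(txn.txn_id)
        run.snapshots.append((txn.txn_id, before, after))


def audit_hook_adjustments(txn: Txn, run: Run) -> None:
    """Audit hook: raise a red flag the moment one user exceeds HOOK_ADJ_LIMIT manual
    adjustments in a run, so IS security and audit can act before it gets out of hand."""
    if txn.kind != "ADJ" or txn.account in ITF_ACCOUNTS:
        return
    run.adj_by_user[txn.user] = run.adj_by_user.get(txn.user, 0) + 1
    if run.adj_by_user[txn.user] == HOOK_ADJ_LIMIT + 1:
        run.red_flags.append(f"{txn.user} exceeded {HOOK_ADJ_LIMIT} adjustments at txn {txn.txn_id}")


def process(txns: List[Txn]) -> Run:
    run = Run()
    for t in txns:
        book = ledger_for(t, run)
        before = book.get(t.account, 0.0)
        book[t.account] = before + t.amount          # the production posting itself
        embedded_audit_module(t, before, book[t.account], run)
        audit_hook_adjustments(t, run)
    return run


def production_total(run: Run) -> float:
    """Control total over real accounts only; ITF balances are excluded by construction."""
    return sum(run.ledger.values())


def sample_transactions() -> List[Txn]:
    return [
        Txn(1, "ACC-1", "PAY", 500.0, "alice"),
        Txn(2, "ACC-2", "PAY", 12_000.0, "bob"),          # meets the EAM criterion
        Txn(3, "ITF-TEST-01", "PAY", 100.0, "auditor"),   # ITF test entity
        Txn(4, "ACC-1", "ADJ", -50.0, "carol"),
        Txn(5, "ACC-1", "ADJ", -50.0, "carol"),
        Txn(6, "ACC-2", "ADJ", -50.0, "carol"),
        Txn(7, "ACC-2", "ADJ", -50.0, "carol"),           # fourth adjustment: hook fires
        Txn(8, "ITF-TEST-01", "ADJ", -20.0, "auditor"),
    ]


if __name__ == "__main__":
    r = process(sample_transactions())
    print(r.scarf_file, r.snapshots, r.red_flags, production_total(r), r.itf_ledger)
```

The distinction the exam draws is visible in the code: the EAM and snapshot only record, the hook acts immediately (it is the only one that produces a red flag mid-run), and the ITF entity is the only place test data may land.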
PART 9 – CISA Domain 3 – Information Systems Acquisition, development and
implementation
» What are the online audit techniques?
• Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM)
• Snapshots
• Audit Hooks
• Integrated test facility (ITF)
• Continuous and intermittent simulation (CIS)
Points to remember:
➢ The online auditing technique MOST effective for the early detection of errors
or irregularities – Audit hooks
➢ Generalized audit software (GAS) – used by the IS auditor to detect duplicate invoice
records within an invoice master file
CISA DOMAIN 4 – INFORMATION SYSTEMS OPERATIONS, MAINTENANCE AND SERVICE MANAGEMENT
1 | P a g e
This article covers –
• Overall understanding of the domain
• Important concepts to focus on from exam point of view
The article is split into 10 parts as below:
• Part 1 – Information Systems operations, Management of IS operations, ITSM
• Part 2 – Service Level Agreements, Operational Level Agreements, Incident and problem Management process
• Part 3 – Roles and responsibilities of support/help desk, Change management, Patch management and release
management.
• Part 4 – Quality Assurance (QA) and Overview of DBMS and DBMS architecture
• Part 5 – Data dictionary/Directory system, Database structure, OSI Architecture
• Part 6 – Application of OSI Model in Network Architecture, LAN topology, LAN components
• Part 7 – WAN components, WAN topology, Network performance metrics
• Part 8 – Network Management issues, Network Management tool and Overview of Disaster Recovery Planning
(DRP)
• Part 9 – Overview of Recovery Point Objective (RPO) and Recovery Time Objective (RTO), additional parameters in
defining recovery strategies and various types of recovery strategies
• Part 10 – Different recovery/Continuity/response teams and their responsibilities, overview on back-up and
restoration and the various disaster recovery testing methods
Overall understanding of the domain:
Weightage - This domain constitutes 20 percent of the CISA exam (approximately 30 questions)
Covers 23 knowledge statements covering information systems operations, maintenance and service management:
1. Knowledge of service management frameworks
2. Knowledge of service management practices and service level management
3. Knowledge of techniques for monitoring third-party performance and compliance with service agreements and
regulatory requirements
4. Knowledge of enterprise architecture (EA)
5. Knowledge of the functionality of fundamental technology (e.g., hardware and network components, system
software, middleware, database management systems)
6. Knowledge of system resiliency tools and techniques (e.g., fault tolerant hardware, elimination of single point of
failure, clustering)
7. Knowledge of IT asset management, software licensing, source code management and inventory practices
8. Knowledge of job scheduling practices, including exception handling
9. Knowledge of control techniques that ensure the integrity of system interfaces
10. Knowledge of capacity planning and related monitoring tools and techniques
11. Knowledge of systems performance monitoring processes, tools and techniques (e.g., network analyzers, system
utilization reports, load balancing)
12. Knowledge of data backup, storage, maintenance and restoration practices
13. Knowledge of database management and optimization practices
14. Knowledge of data quality (completeness, accuracy, integrity) and life cycle management (aging, retention)
15. Knowledge of problem and incident management practices
16. Knowledge of change management, configuration management, release management and patch
management practices
17. Knowledge of operational risks and controls related to end-user computing
18. Knowledge of regulatory, legal, contractual and insurance issues related to disaster recovery
19. Knowledge of business impact analysis (BIA) related to disaster recovery planning
20. Knowledge of the development and maintenance of disaster recovery plans (DRPs)
21. Knowledge of benefits and drawbacks of alternate processing sites (e.g., hot sites, warm sites, cold sites)
22. Knowledge of disaster recovery testing methods
23. Knowledge of processes used to invoke the disaster recovery plans (DRPs)
PART 1 – CISA Domain 4 – Information Systems operations, Maintenance and Service Management
• Overall understanding of Domain 4
• What is information systems operations?
• What are the ways of managing IS operations?
• What is the IT Service Management framework (ITSM)?
Important concepts from exam point of view:
1. Information Systems operations:
» Responsible for ongoing support of an organization’s computer and IS environment
» Plays a critical role in ensuring that computer operations processing requirements are met, end users are
satisfied and information is processed securely
2. Management of IS operations:
» The COBIT 5 framework makes a clear distinction between governance and management, as follows:
• Governance:
a. Ensures that stakeholder needs, conditions and options are evaluated
to determine balanced, agreed-on enterprise objectives to be achieved;
b. Setting direction through prioritization and decision making; and monitoring performance
and compliance against agreed-on direction and objectives.
c. Overall governance is the responsibility of the board of directors under
the leadership of the chairperson.
d. Specific governance responsibilities may be delegated to special organizational structures
at an appropriate level, particularly in larger, complex enterprises.
• Management:
a. Management plans, builds, runs and monitors activities in alignment with the direction set
by the governance body to achieve the enterprise objectives
b. Management is the responsibility of the executive management under the leadership of
the chief executive officer (CEO).
c. IS management has the overall responsibility for all operations within the IT department
3. IT Service Management framework (ITSM):
» Refers to the implementation and management of IT services (people, process and information technology)
to meet business needs
» Two frameworks for ITSM:
1. IT Infrastructure Library (ITIL):
• A reference body of knowledge for service delivery good practices
• A comprehensive framework detailed over five volumes – Service Strategy, Service Design, Service
Transition, Service Operation and Continual Service Improvement
• The main objective of ITIL is to improve service quality to the business.
2. ISO/IEC 20000-1:2011 Information technology – Service management:
• Requires service providers to implement the plan-do-check-act (PDCA) methodology
• The main objective is likewise to improve service quality; unlike ITIL it is a certifiable standard, and
achieving certification confirms that the organization’s ITSM practices and processes have passed an audit.
4. Service Level Agreement and Operational Level Agreement:
» Service Level Agreement:
• A service level agreement (SLA) is a contract between a service provider and a customer
• SLAs can also be supported by operational level agreements (OLAs)
» Operational Level Agreement:
• An OLA is an agreement between the internal support groups of an institution that supports the SLA
• The OLA clearly defines the performance and the relationships of the internal support groups.
• The main objective of an OLA is to ensure that all the support groups jointly deliver the service
levels committed in the SLA
5. Tools to monitor efficiency and effectiveness of services provided:
» Exception reports:
• These automated reports identify all applications that did not successfully
complete or otherwise malfunctioned.
• An excessive number of exceptions may indicate:
– Poor understanding of business requirements
– Poor application design, development or testing
– Inadequate operation instructions
– Inadequate operations support
– Inadequate operator training or performance monitoring
– Inadequate sequencing of tasks
– Inadequate system configuration
– Inadequate capacity management
» System and application logs:
• Refers to logs generated from various systems and applications
• Using log-analysis software over these logs, the IS auditor can carry out tests to ensure that:
✓ Only approved programs access sensitive data
✓ Only authorized IT personnel access sensitive data
✓ Software utilities that can alter data files and program libraries are used only for authorized
purposes
✓ Approved programs are run only when scheduled and, conversely, that unauthorized runs
do not take place
✓ The correct data file generation is accessed for production purposes
✓ Data files are adequately protected
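The following script is an added example, not part of the study notes, of how the first four log tests above can be automated: it parses constructed access-log lines against a constructed authorization baseline and reports every line that breaks a control. Program, user and file names, the log line format and the schedule windows are all hypothetical; a real review would load the baseline from the organization's access-control and job-scheduling records and the log from the system under audit.

```python
import re
from datetime import datetime

# Constructed authorization baseline (hypothetical program, user and file names)
APPROVED_PROGRAMS = {"payroll_batch", "gl_post"}    # programs allowed to read sensitive files
AUTHORIZED_USERS = {"svc_payroll", "dba_ops"}       # personnel allowed to access sensitive files
RESTRICTED_UTILITIES = {"dbedit"}                   # can alter data files; needs a change ticket
SENSITIVE_FILES = {"/data/payroll.db", "/data/gl.db"}
SCHEDULE = {"payroll_batch": (1, 3), "gl_post": (2, 4)}  # allowed run window, hours [start, end)

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) prog=(?P<prog>\S+) "
    r"action=(?P<action>\S+) file=(?P<file>\S+)(?: ticket=(?P<ticket>\S+))?$"
)


def parse(line):
    """Parse one log line into a dict, or return None if it does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def review(lines):
    """Run the four control tests over the log; return (test_name, line) for each exception."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            findings.append(("unparseable", line))   # an unreadable line is itself an exception
            continue
        sensitive = rec["file"] in SENSITIVE_FILES
        # Test 1: only approved programs (or a ticketed utility) touch sensitive data
        if sensitive and rec["prog"] not in APPROVED_PROGRAMS | RESTRICTED_UTILITIES:
            findings.append(("unapproved_program", line))
        # Test 2: only authorized personnel touch sensitive data
        if sensitive and rec["user"] not in AUTHORIZED_USERS:
            findings.append(("unauthorized_user", line))
        # Test 3: data-altering utilities run only under an authorized change ticket
        if rec["prog"] in RESTRICTED_UTILITIES and not rec["ticket"]:
            findings.append(("utility_without_ticket", line))
        # Test 4: scheduled programs run only inside their schedule window
        if rec["prog"] in SCHEDULE:
            start, end = SCHEDULE[rec["prog"]]
            if not start <= rec["ts"].hour < end:
                findings.append(("run_outside_schedule", line))
    return findings


# Constructed sample log: clean lines plus one exception per control
SAMPLE_LOG = [
    "2024-03-01 02:10:00 user=svc_payroll prog=payroll_batch action=read file=/data/payroll.db",
    "2024-03-01 14:05:00 user=svc_payroll prog=payroll_batch action=read file=/data/payroll.db",
    "2024-03-01 02:30:00 user=jdoe prog=payroll_batch action=read file=/data/payroll.db",
    "2024-03-01 03:00:00 user=dba_ops prog=dbedit action=write file=/data/gl.db ticket=CHG-0001",
    "2024-03-01 03:05:00 user=dba_ops prog=dbedit action=write file=/data/gl.db",
    "2024-03-01 09:00:00 user=dba_ops prog=adhoc_tool action=read file=/data/gl.db",
    "2024-03-01 09:00:00 user=jdoe prog=reportgen action=read file=/data/public.csv",
]

if __name__ == "__main__":
    for test, line in review(SAMPLE_LOG):
        print(f"{test:24} {line}")
```

Each test maps to one of the bullets above; the remaining two (correct file generation, adequate protection of data files) need file-system metadata rather than access logs and are not covered here.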
» Operator problem reports – Manual reports used by the help desk to log computer operations problems
and their resolutions
» Operator work schedules – Reports maintained manually by IS management to assist in human resource
planning, ensuring proper staffing of operations support
6. Incident management and problem management:
» Incident management:
• An Incident is an event that could lead to loss of, or disruption to, an organization's operations, services or
functions.
Points to remember:
o Availability reports – The report that the IS auditor uses to check compliance with the service level
agreement (SLA) requirement for uptime
• Incident management is a term describing the activities of an organization to identify, analyze and correct
hazards in order to prevent a future recurrence.
• These incidents within a structured organization are normally dealt with by either an incident response
team (IRT) or an incident management team (IMT).
• Incident management is reactive and its objective is to respond to and resolve issues restoring normal
service (as defined by the SLA) as quickly as possible.
» Problem management:
• Problem management is the process responsible for managing the lifecycle of all problems that happen or
could happen in an IT service.
• The primary objectives of problem management are to prevent problems and resulting incidents from
happening, to eliminate recurring incidents, and to minimize the impact of incidents that cannot be
prevented.
7. Support/Help desk – Roles and responsibilities:
• The responsibility of the technical support function is to provide specialist knowledge of
production systems to identify and assist in system change/development and problem resolution.
• The basic function of the help desk is to be the first, single and central point of contact for users and to
follow the incident management process.
• The help desk personnel must ensure that all hardware and software incidents that arise are fully
documented and escalated based on the priorities established by management.
8. Change management and patch management process:
» Change management:
• Used when changing hardware, installing or upgrading to new releases of off-the-shelf applications,
installing a software patch and configuring various network devices
• Changes are classified into three types:
a) Emergency changes
b) Major changes
c) Minor changes
» Patch Management:
• An area of systems management that involves acquiring, testing and installing multiple patches (code
changes) on an administered computer system in order to keep software up to date and, often, to
address security risk
• Patch management tasks include the following:
- Maintaining current knowledge of available patches
- Deciding what patches are appropriate for particular systems
- Ensuring that patches are installed properly; testing systems after installation
- Documenting all associated procedures, such as specific configurations required
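As an added illustration of the second and third tasks above (deciding which patches apply and verifying that they are in place), not from the study notes, the script below reconciles a constructed host inventory against a constructed patch baseline. Package names, versions and host names are hypothetical sample data; the version scheme assumed is plain dotted numerics, which is why the comparison parses versions into tuples rather than comparing strings (where "2.4.9" would wrongly sort after "2.4.51").

```python
def parse_version(text):
    """Turn "2.4.51" into (2, 4, 51) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


# Constructed baseline: package -> minimum version that carries the required patches
BASELINE = {
    "httpd": "2.4.51",
    "openssl": "3.0.7",
    "postgresql": "14.5",
}

# Constructed inventory as a patch tool or CMDB export might provide it: host -> {package: version}
INVENTORY = {
    "web01": {"httpd": "2.4.49", "openssl": "3.0.7"},
    "web02": {"httpd": "2.4.51", "openssl": "3.0.2"},
    "web03": {"httpd": "2.4.9", "openssl": "3.0.7"},     # "2.4.9" sorts after "2.4.51" as a string
    "db01": {"openssl": "3.0.9", "postgresql": "14.2", "rsync": "3.2.7"},  # rsync is out of scope
}


def missing_patches(inventory, baseline):
    """Return {host: [(package, installed, required), ...]} for every in-scope package below baseline."""
    report = {}
    for host, packages in inventory.items():
        gaps = [
            (pkg, installed, baseline[pkg])
            for pkg, installed in packages.items()
            if pkg in baseline and parse_version(installed) < parse_version(baseline[pkg])
        ]
        if gaps:
            report[host] = gaps
    return report


def compliance_rate(inventory, baseline):
    """Share of in-scope (host, package) pairs at or above the baseline, as a percentage."""
    in_scope = [(h, p) for h, pkgs in inventory.items() for p in pkgs if p in baseline]
    behind = sum(len(gaps) for gaps in missing_patches(inventory, baseline).values())
    return round(100.0 * (len(in_scope) - behind) / len(in_scope), 1)


if __name__ == "__main__":
    for host, gaps in missing_patches(INVENTORY, BASELINE).items():
        for pkg, have, need in gaps:
            print(f"{host}: {pkg} {have} < required {need}")
    print(f"baseline compliance: {compliance_rate(INVENTORY, BASELINE)}%")
```

The output of such a reconciliation is the evidence an auditor would ask for against the "ensuring that patches are installed properly" task; the post-installation testing and the documentation tasks remain manual controls.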
9. Release management:
• Software release management is the process through which software is made available to users.
• The term “release” is used to describe a collection of authorized changes.
• The release will typically consist of a number of problem fixes and enhancements to the service.
• The release can be of three types:
a. Major releases: Normally contain a significant change or addition to new functionality. A major
upgrade or release usually supersedes all preceding minor upgrades.
Points to remember:
o Patch Management – The BEST method for preventing exploitation of system vulnerabilities
b. Minor releases: Upgrades, normally containing small enhancements and fixes. A minor upgrade or
release usually supersedes all preceding emergency fixes. Minor releases are generally used to fix
small reliability or functionality problems that cannot wait until the next major release.
c. Emergency releases: Normally contain the corrections to a small number of known problems.
Emergency releases are fixes that require implementation as quickly as possible to prevent
significant user downtime to business-critical functions.
• While change management is the process whereby all changes go through a robust testing and approval
process, release management is the process of actually putting the software changes into production.
10. Quality Assurance:
• QA personnel verify that system changes are authorized, tested and implemented in a controlled manner
prior to being introduced into the production environment according to a company’s change and release
management policies
11. Database management systems (DBMS):
• Aids in organizing, controlling and using the data needed by application programs.
• A DBMS provides the facility to create and maintain a well-organized database.
• Primary functions include:
a. Reduced data redundancy,
b. Decreased access time and
c. Basic security over sensitive data.
12. DBMS Architecture:
• Database architecture focuses on the design, development, implementation and maintenance of
computer programs that store and organize information for businesses, agencies and institutions.
• A database architect develops and implements software to meet the needs of users. The design of
a DBMS depends on its architecture
• Metadata:
» The data (details or schema) that describes other data, i.e. data about data
» The prefix 'meta' is generally the technical term for something self-referential. In other words,
metadata is the summarized data that describes the contextual data.
» There are three types of metadata:
i. Conceptual schema,
ii. External schema and
iii. Internal schema
13. Data Dictionary/Directory system:
• The data dictionary contains an index and descriptions of all the data stored in the database. The directory
describes the locations of the data and the access method.
• Some of the benefits of using DD/DS include:
- Enhancing documentation
- Providing common validation criteria
- Facilitating programming by reducing the needs for data definition
- Standardizing programming methods
14. Database structure:
• The database structure is the collection of record type and field type definitions that comprise
the database.
• There are three major types of database structure:
i. Hierarchical database model,
ii. Network database model, and
iii. Relational database model
• Hierarchical database model:
✓ In this model there is a hierarchy of parent and child data segments. To create links between them,
this model uses parent-child relationships.
✓ These are 1:N (one-to-many) mappings between record types represented by logical trees
• Network database model:
✓ In the network model, the basic data modeling construct is called a set.
✓ A set is formed by an owner record type, a member record type and a name.
✓ A member record type can have that role in more than one set, so a multi-owner relationship is
allowed.
✓ An owner record type can also be a member or owner in another set. Usually, a set defines a 1:N
relationship, although one-to-one (1:1) is permitted
✓ Disadvantages of Network database model:
o Structures can be extremely complex and difficult to comprehend, modify or reconstruct
in case of failure.
o This model is rarely used in current environments.
o The hierarchical and network models do not support high-level queries. The user programs
have to navigate the data structures.
• Relational database model
✓ In Relational database model, the data and relationships among these data are organized in
tables.
✓ A table is a collection of rows, also known as tuples, and each tuple in a table contains the
same columns. Columns, called domains or attributes, correspond to fields.
✓ Relational database has the following properties:
o Values are atomic.
o Each row is unique.
o Column values are of the same kind.
o The sequence of columns is insignificant.
o The sequence of rows is insignificant.
o Each column has a unique name
✓ The relational model is independent from the physical implementation of the data structure,
and has many advantages over the hierarchical and network database models. With relational
databases, it is easier:
o For users to understand and implement a physical database system
o To convert from other database structures
o To implement projection and join operations
o To create new relations for applications
o To implement access control over sensitive data
o To modify the database
✓ A key feature of relational databases is the use of “normalization”
✓ Normalization:
o A technique for organizing the data in the database
o A systematic approach to decomposing tables to eliminate data redundancy (repetition) and
undesirable characteristics such as insertion, update and deletion anomalies
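The update and deletion anomalies mentioned above, shown concretely in an added example that is not part of the study notes. It uses Python's built-in sqlite3 module on an in-memory database: the same address change and the same order deletion are applied to an unnormalized table (supplier address repeated on every order row) and to a normalized design (supplier facts stored once, referenced by key). The tables and rows are constructed sample data.

```python
import sqlite3


def normalization_demo():
    """Apply the same changes to an unnormalized table and a normalized design; return the outcomes."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()

    # Unnormalized: the supplier's address is repeated on every order row
    cur.execute("CREATE TABLE orders_flat (order_id INTEGER PRIMARY KEY, "
                "supplier_id TEXT, supplier_addr TEXT, item TEXT)")
    cur.executemany("INSERT INTO orders_flat VALUES (?, ?, ?, ?)", [
        (1, "S1", "1 Old Road", "bolts"),
        (2, "S1", "1 Old Road", "nuts"),
        (3, "S2", "9 Elm Street", "washers"),
    ])

    # Normalized: supplier facts stored once; orders reference the supplier by key
    cur.execute("CREATE TABLE supplier (supplier_id TEXT PRIMARY KEY, addr TEXT)")
    cur.execute("CREATE TABLE orders (order_id INTEGER PRIMARY KEY, "
                "supplier_id TEXT REFERENCES supplier(supplier_id), item TEXT)")
    cur.executemany("INSERT INTO supplier VALUES (?, ?)",
                    [("S1", "1 Old Road"), ("S2", "9 Elm Street")])
    cur.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                    [(1, "S1", "bolts"), (2, "S1", "nuts"), (3, "S2", "washers")])

    # Update anomaly: an address change that reaches only one of S1's rows leaves the
    # flat table inconsistent; the normalized design has a single row to change
    cur.execute("UPDATE orders_flat SET supplier_addr = '2 New Lane' WHERE order_id = 1")
    cur.execute("UPDATE supplier SET addr = '2 New Lane' WHERE supplier_id = 'S1'")
    flat_addrs = cur.execute("SELECT COUNT(DISTINCT supplier_addr) FROM orders_flat "
                             "WHERE supplier_id = 'S1'").fetchone()[0]
    norm_addrs = cur.execute("SELECT COUNT(DISTINCT s.addr) FROM orders o "
                             "JOIN supplier s ON s.supplier_id = o.supplier_id "
                             "WHERE o.supplier_id = 'S1'").fetchone()[0]

    # Deletion anomaly: removing S2's only order erases all knowledge of S2 from the flat table
    cur.execute("DELETE FROM orders_flat WHERE order_id = 3")
    cur.execute("DELETE FROM orders WHERE order_id = 3")
    flat_s2 = cur.execute("SELECT COUNT(*) FROM orders_flat WHERE supplier_id = 'S2'").fetchone()[0]
    norm_s2 = cur.execute("SELECT COUNT(*) FROM supplier WHERE supplier_id = 'S2'").fetchone()[0]
    conn.close()
    return {
        "flat_addresses_for_S1": flat_addrs,        # 2: the flat table now contradicts itself
        "normalized_addresses_for_S1": norm_addrs,  # 1
        "flat_rows_knowing_S2": flat_s2,            # 0: the supplier is lost with its last order
        "normalized_rows_knowing_S2": norm_s2,      # 1
    }


if __name__ == "__main__":
    for name, value in normalization_demo().items():
        print(f"{name}: {value}")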
15. OSI Architecture:
• The OSI model was developed by the International Organization for Standardization (ISO) in 1984, and it is
now considered the architectural model for inter-computer communications
• OSI model is a reference model that describes how information from a software application in
one computer moves through a physical medium to the software application in another computer.
• The OSI (Open Systems Inter-connection) is a proof-of-concept model composed of seven layers, each
specifying particular specialized tasks or functions.
• The OSI model was defined in ISO/IEC 7498, which has the following parts:
- ISO/IEC 7498-1 The Basic Model
- ISO/IEC 7498-2 Security Architecture
- ISO/IEC 7498-3 Naming and addressing
- ISO/IEC 7498-4 Management framework
• Each layer is self-contained and relatively independent of the other layers in terms of its particular
function
• There are seven OSI layers. Each layer has different functions. They are:
1. Physical Layer
2. Data-Link Layer
3. Network Layer
4. Transport Layer
5. Session Layer
6. Presentation Layer
7. Application Layer
Points to remember:
o The CISA candidate will not be tested on the specifics of this standard in the exam
• The functions of each layer are as follows:
1. Physical Layer - The physical layer provides the hardware that transmits and receives the bit stream
as electrical, optical or radio signals over an appropriate medium or carrier.
2. Data-Link Layer - The data link layer is used for the encoding, decoding and logical organization of
data bits. Data packets are framed and addressed by this layer, which has two sublayers.
3. Network Layer - The network layer is assigned the IP addresses and is responsible for routing and
forwarding. This layer prepares the packets for the data link layer.
4. Transport Layer - The transport layer provides reliable and transparent transfer of data between
end points, end-to-end error recovery and flow control.
5. Session Layer - The session layer controls the dialogs (sessions) between computers. It establishes,
manages and terminates the connections between the local and remote application layers
6. Presentation Layer - The presentation layer converts the outgoing data into a format acceptable
by the network standard and then passes the data to the session layer (It is responsible for
translation, compression and encryption)
7. Application Layer - provides a standard interface for applications that must communicate with
devices on the network (e.g., print files on a network-connected printer, send an email or store
data on a file server)
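To make the layering concrete, here is an added example (not from the study notes) that builds one Ethernet/IPv4/TCP frame carrying an HTTP request and then dissects it header by header, so each OSI layer's contribution is visible: the Ethernet header (data link), the IPv4 header with its checksum (network, where header error detection sits), the TCP header with ports (transport) and the HTTP text (application). The MAC addresses are locally administered constructed values, the IP addresses come from the RFC 5737 documentation ranges, and the TCP checksum is left at zero because computing it needs a pseudo-header that adds nothing to the point being shown.

```python
import struct

# Constructed addresses: locally administered MACs, RFC 5737 documentation IPv4 ranges
SRC_MAC = bytes.fromhex("02aabbccdd01")
DST_MAC = bytes.fromhex("02aabbccdd02")
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([198, 51, 100, 20])


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over 16-bit words. Run over a header whose checksum
    field is already correct, the result is 0; any single-bit change makes it non-zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload):
    """Encapsulate application data: TCP segment (L4) -> IPv4 packet (L3) -> Ethernet frame (L2)."""
    # L4: 20-byte TCP header, flags PSH|ACK; checksum field left zero (needs a pseudo-header)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    # L3: IPv4 header (version 4, IHL 5, DF set, TTL 64, protocol 6 = TCP), checksum over header only
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                         SRC_IP, DST_IP)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    # L2: Ethernet II header, EtherType 0x0800 = IPv4 (the FCS trailer is appended by the NIC)
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + ip_hdr + tcp


def dissect(frame):
    """Peel the headers from the outside in, returning one entry per OSI layer present."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"data_link": {"src": src.hex(":"), "dst": dst.hex(":"), "ethertype": ethertype}}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                # header length in bytes, from the IHL nibble
    _, _, total_len, _, _, ttl, proto, _, s_ip, d_ip = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    layers["network"] = {
        "src": ".".join(map(str, s_ip)), "dst": ".".join(map(str, d_ip)),
        "protocol": proto, "ttl": ttl,
        "checksum_ok": ipv4_checksum(ip[:ihl]) == 0,   # L3 error detection on the header
    }
    seg = ip[ihl:total_len]
    sport, dport, _, _, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", seg[:20])
    layers["transport"] = {"src_port": sport, "dst_port": dport, "flags": flags}
    layers["application"] = seg[(off >> 4) * 4:].decode("ascii", errors="replace")
    return layers


FRAME = build_frame(b"GET / HTTP/1.0\r\n\r\n")   # constructed sample frame

if __name__ == "__main__":
    for layer, fields in dissect(FRAME).items():
        print(f"{layer:12} {fields!r}")
```

Flipping one bit of the TTL byte in the frame makes `checksum_ok` false, which is the header-level error detection the network layer provides; the frame-level check (the Ethernet FCS) is not modelled because the NIC strips it before software sees the frame.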
Points to remember:
o The OSI layer that performs error detection and encryption – Data Link layer
16. Application of the OSI model in Network Architectures:
• The concepts of the OSI model are used in the design and development of organizations’
network architectures. This includes LANs, WANs, MANs and use of the public Transmission
Control Protocol/Internet Protocol (TCP/IP)-based global Internet.
• The discussion will focus on:
✓ LAN
✓ WAN
✓ Wireless networks
✓ Public global internet infrastructure
✓ Network administration and control
✓ Applications in a networked environment
✓ On-demand computing
• Local Area Network (LAN):
» a computer network that interconnects computers within a limited area such as a residence, school,
laboratory, university campus or office building
» Media used in LAN:
✓ Copper (twisted-pairs) circuit:
- Twisted pairs are of two types:
(1) Shielded twisted pair – More attenuation, more cross talk and more interference
(2) Unshielded twisted pair – More attenuation, more cross talk and more interference
- Two insulated wires are twisted around each other, with current flowing through them in
opposite directions.
- Advantages:
a. This reduces the opportunity for cross talk
b. Cheap
c. Readily available
d. Simple to modify
- Disadvantages:
a. Easy to tap
b. Easy to splice
c. Interference and Noise
✓ Fiber-optics systems:
- Refers to the technology and medium used to transmit data as pulses of light through a strand or
fiber made of glass or plastic.
- Fiber-optic systems have a low transmission loss as compared to twisted-pair circuits.
- Optical fiber is smaller and lighter than metallic cables of the same capacity.
- Fiber is the preferred choice for high-volume, longer-distance runs
✓ Radio systems (wireless):
- Data are communicated between devices using low-powered systems that broadcast (or
radiate) and receive electromagnetic signals representing data
17. LAN Topologies:
- Star topology
- Bus topology
- Ring topology
18. LAN components:
- Repeaters - physical layer devices that extend the range of a network or connect two separate
network segments together
- Hubs - physical layer devices that serve as the center of a star-topology network or a network
concentrator
- Bridges - data link layer devices that were developed to connect LANs or create two separate
LAN or WAN network segments from a single segment to reduce collision domains
Points to remember:
o The method of routing traffic through split-cable facilities or duplicate-cable facilities is called “Diverse
routing”
o The type of line media that provides the BEST security for a telecommunication network is “Dedicated
lines”
- Switches - data link level devices that can divide and interconnect network segments
and help to reduce collision domains in Ethernet-based networks
- Routers - operate at the OSI network layer by examining network addresses (i.e., routing information
encoded in an IP packet).
- Gateways - are devices that are protocol converters. Typically, they connect and convert between
LANs and the mainframe, or between LANs and the Internet, at the application layer of the OSI
reference model
19. WAN components:
- WAN switches - Data link layer devices used for implementing various WAN technologies such as ATM,
point-to-point frame relay and ISDN
- Routers - devices that operate at the network layer of the OSI reference model and provide an
interface between different network segments on an internal network or connects the internal
network to an external network
- Modems (modulator/demodulator)
✓ Converts computer digital signals into analog data signals and analog data back to digital.
✓ A main task of the modems at both ends is to maintain their synchronization so the receiving
device knows when each byte starts and ends. Two methods can be used for this purpose:
- Synchronous transmission - a data transfer method in which a continuous stream of data
signals is accompanied by timing signals (generated by an electronic clock) to ensure that
the transmitter and the receiver are in step (synchronized) with one another. The data is
sent in blocks (called frames or packets) spaced by fixed time intervals
- Asynchronous transmission - The term asynchronous is used to describe the process where
transmitted data is encoded with start and stop bits, specifying the beginning and end of
each character. Asynchronous transmission works in spurts and must insert a start bit
before each data character and a stop bit at its termination to inform the receiver where it
begins and ends.
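The asynchronous method described above, modelled in an added example that is not part of the study notes. It frames each byte with a start bit and a stop bit (the common 8N1 arrangement, data bits sent least-significant first, no parity), decodes the bit stream back by hunting for start bits, and counts a framing error whenever the expected stop bit is missing, which is how a receiver notices it has lost synchronization. The line is represented as a list of bit values with 1 as the idle level; the message is constructed.

```python
def encode_async(data):
    """Wrap each byte in a start bit (0) and a stop bit (1), data bits LSB first (8N1 framing)."""
    bits = []
    for byte in data:
        bits.append(0)                                  # start bit: falling edge wakes the receiver
        bits.extend((byte >> i) & 1 for i in range(8))  # 8 data bits, least significant first
        bits.append(1)                                  # stop bit: line returns to idle
    return bits


def decode_async(bits):
    """Scan the line for start bits and rebuild the bytes; return (data, framing_error_count)."""
    out = bytearray()
    errors = 0
    i = 0
    while i < len(bits):
        if bits[i] == 1:            # idle line between characters; nothing to do
            i += 1
            continue
        frame = bits[i + 1:i + 10]  # 8 data bits followed by the stop bit
        if len(frame) < 9:          # line ended mid-character
            errors += 1
            break
        value = sum(bit << k for k, bit in enumerate(frame[:8]))
        if frame[8] != 1:           # missing stop bit: framing error, character discarded
            errors += 1
        else:
            out.append(value)
        i += 10                     # skip to where the next start bit can begin
    return bytes(out), errors


if __name__ == "__main__":
    line = [1, 1, 1] + encode_async(b"OK")   # three idle bits, then two framed characters
    print(line)
    print(decode_async(line))
```

Synchronous transmission avoids the two framing bits per character by sending a clock alongside blocks of data, which is why it is the more efficient choice for the continuous, high-volume links mentioned above.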
20. WAN technologies:
- Point to point protocol - (PPP) is a data link layer communications protocol used to establish a direct
connection between two nodes. PPP is a widely available remote access solution that supports
asynchronous and synchronous links, and operates over a wide range of media.
- X.25 - is a standard suite of protocols used for packet-switched communications over a wide area
network
- Frame Relay - Frame relay is a packet-switching telecommunication service designed for cost-efficient
data transmission for intermittent traffic between LAN and between endpoints in WAN
- Integrated services digital network (ISDN) – It is a set of communication standards for simultaneous
digital transmission of voice, video, data, and other network services over the traditional circuits of the
public switched telephone network
- Asynchronous transfer mode – ATM is a dedicated-connection switching technology that organizes
digital data into 53-byte cell units and transmits them over a physical medium using digital signal
technology
- Multiprotocol label switching - Multiprotocol label switching (MPLS) is a mechanism used within
computer network infrastructures to speed up the time it takes a data packet to flow from one node
to another. It enables computer networks to be faster and easier to manage by using short path labels
instead of long network addresses for routing network packets.
- Digital subscriber lines - Digital subscriber line (DSL) is a technology that transports high-bandwidth
data over a simple telephone line that is directly connected to a modem. This allows for file-sharing,
and the transmission of pictures and graphics, multimedia data, audio and video conferencing and
much more
- Virtual Private Network (VPN):
• extends a private network across a public network and enables users to send and receive
data across shared or public networks as if their computing devices were directly connected
to the private network. Applications running on an end system (PC, smartphone etc.) across
a VPN may therefore benefit from the functionality, security, and management of the
private network
• VPN technology was developed to allow remote users and branch offices to access
corporate applications and resources. To ensure security, the private network connection
is established using an encrypted layered tunneling protocol, and VPN users use
authentication methods, including passwords or certificates, to gain access to the VPN.
• There are three types of VPNs:
1. Remote-access VPN - Used to connect telecommuters and mobile users to the enterprise
WAN in a secure manner; it lowers the barrier to telecommuting by ensuring that
information is reasonably protected on the open Internet.
2. Intranet VPN - Used to connect branch offices within an enterprise WAN
3. Extranet VPN - Used to give business partners limited access to each other's corporate
network; an example is an automotive manufacturer with its suppliers
21. Network Performance Metrics:
- Latency: The delay that a message or packet will experience on its way from source to destination. A very
easy way to measure latency in a TCP/IP network is to use the ping command.
- Throughput: The quantity of useful work made by the system per unit of time. In telecommunications, it
is the number of bytes per second that are passing through a channel.
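Added example, not from the study notes: the two metrics computed from the kind of data an auditor would actually collect. The latency part parses constructed reply lines in the common ping output format ("64 bytes from ...: icmp_seq=N ttl=T time=X ms"), reports min/average/max, jitter (mean change between consecutive round trips) and packet loss against the number of probes sent; the throughput part converts a transfer record into megabits per second; a final helper checks the figures against SLA thresholds. The reply lines, the probe count and the transfer size are constructed.

```python
import re
import statistics

PING_RE = re.compile(r"icmp_seq=(?P<seq>\d+) ttl=\d+ time=(?P<ms>[\d.]+) ms")

# Constructed reply lines in the usual ping output format; probe 5 never came back
PING_OUTPUT = [
    "64 bytes from 192.0.2.1: icmp_seq=1 ttl=57 time=12.1 ms",
    "64 bytes from 192.0.2.1: icmp_seq=2 ttl=57 time=12.9 ms",
    "64 bytes from 192.0.2.1: icmp_seq=3 ttl=57 time=11.8 ms",
    "64 bytes from 192.0.2.1: icmp_seq=4 ttl=57 time=40.2 ms",
]
PACKETS_SENT = 5


def latency_stats(lines, sent):
    """Round-trip latency summary (ms) and packet loss (%) from ping reply lines."""
    rtts = [float(m.group("ms")) for m in map(PING_RE.search, lines) if m]
    if not rtts:
        return {"min_ms": None, "avg_ms": None, "max_ms": None, "jitter_ms": None, "loss_pct": 100.0}
    # jitter as the mean absolute difference between consecutive round trips
    jitter = statistics.mean(abs(a - b) for a, b in zip(rtts, rtts[1:])) if len(rtts) > 1 else 0.0
    return {
        "min_ms": min(rtts),
        "avg_ms": round(statistics.mean(rtts), 2),
        "max_ms": max(rtts),
        "jitter_ms": round(jitter, 2),
        "loss_pct": round(100.0 * (sent - len(rtts)) / sent, 1),
    }


def throughput_mbps(payload_bytes, seconds):
    """Useful data moved per unit time, expressed in megabits per second."""
    return round(payload_bytes * 8 / seconds / 1e6, 3)


def meets_sla(stats, max_avg_ms, max_loss_pct):
    """True when both average latency and packet loss stay within the SLA thresholds."""
    return stats["avg_ms"] is not None and stats["avg_ms"] <= max_avg_ms and stats["loss_pct"] <= max_loss_pct


if __name__ == "__main__":
    stats = latency_stats(PING_OUTPUT, PACKETS_SENT)
    print(stats)
    print("throughput Mbit/s:", throughput_mbps(10_000_000, 8))   # constructed 10 MB transfer in 8 s
    print("within SLA (20 ms avg, 1% loss):", meets_sla(stats, 20, 1))
```

The single 40.2 ms outlier shows why the average alone is a weak SLA measure: it stays under 20 ms while the jitter and the lost probe tell a different story, so an auditor should ask which of these figures the SLA actually commits to.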
Points to remember:
o Ping command is used to measure the latency
22. Network Management Issues:
A WAN needs to be monitored and managed similarly to a LAN. ISO, as part of its communications modeling
effort (ISO/IEC 10040), has defined five basic tasks related to network management:
- Fault management - Detects the devices that present some kind of technical fault
- Configuration management - Allows users to know, define and change, remotely, the configuration of any
device
- Accounting resources - Holds the records of the resource usage in the WAN (who uses what)
- Performance management - Monitors usage levels and sets alarms when a threshold has been surpassed
- Security management - Detects suspicious traffic or users, and generates alarms accordingly
23. Network Management tools:
- Response Time - Identify the time necessary for a command entered by users at a terminal to be answered
by the host system.
- Downtime Reports - Track the availability of telecommunications lines and circuits. Interruptions due to
power line failure, traffic overload, operator error or other anomalous conditions are identified in
downtime reports
- Online Monitors - Check data transmission accuracy and errors. Monitoring can be performed by echo
checking and status checking of all transmissions, ensuring that messages are not lost or transmitted more
than once.
- Network Monitors - Real time display of network nodes and status.
- Protocol Analyzers – It is a diagnostic tool used for monitoring packets flowing within the network.
- Simple Network Management Protocol (SNMP) - It is a TCP/IP-based protocol that monitors and controls
different variables throughout the network, manages configurations, and collects statistics on
performance and security
- Help desk reports - Prepared by the help desk, which is staffed or supported by IT technicians trained
to handle problems occurring during normal IS usage.
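The downtime report above and the availability report mentioned earlier (the one the IS auditor uses to check compliance with the SLA uptime requirement) are two views of the same data, so one added example covers both; it is not part of the study notes. From constructed outage records it computes downtime minutes per circuit for a reporting month, clipping outages that start before or end after the window, then turns that into an availability percentage and a pass/fail against a constructed SLA target. Circuit names, dates, causes and the 99.9 percent target are all sample values.

```python
from datetime import datetime

# Constructed reporting window, circuit list and SLA uptime target
PERIOD_START = datetime(2024, 3, 1)
PERIOD_END = datetime(2024, 4, 1)
CIRCUITS = ["WAN-LON-1", "WAN-NYC-1", "WAN-FRA-1"]
SLA_UPTIME_PCT = 99.9

# Constructed outage records: (circuit, start, end, cause); two of them cross the window edges
OUTAGES = [
    ("WAN-LON-1", datetime(2024, 3, 3, 10, 0), datetime(2024, 3, 3, 12, 30), "power line failure"),
    ("WAN-LON-1", datetime(2024, 3, 20, 1, 0), datetime(2024, 3, 20, 1, 20), "operator error"),
    ("WAN-NYC-1", datetime(2024, 2, 28, 23, 0), datetime(2024, 3, 1, 2, 0), "traffic overload"),
    ("WAN-NYC-1", datetime(2024, 3, 31, 22, 0), datetime(2024, 4, 1, 4, 0), "carrier maintenance"),
    ("WAN-FRA-1", datetime(2024, 3, 15, 8, 0), datetime(2024, 3, 15, 8, 10), "line card fault"),
]


def downtime_report(outages, circuits, start, end):
    """Minutes of downtime per circuit inside [start, end); outages crossing the window are clipped."""
    minutes = {c: 0.0 for c in circuits}          # circuits with no outages still appear, at zero
    for circuit, s, e, _cause in outages:
        s, e = max(s, start), min(e, end)
        if circuit in minutes and e > s:
            minutes[circuit] += (e - s).total_seconds() / 60
    return minutes


def availability_report(outages, circuits, start, end, sla_pct):
    """Availability percentage per circuit for the window and whether it meets the SLA target."""
    period_min = (end - start).total_seconds() / 60
    report = {}
    for circuit, down in downtime_report(outages, circuits, start, end).items():
        avail = 100.0 * (1 - down / period_min)
        report[circuit] = {
            "downtime_min": down,
            "availability_pct": round(avail, 3),
            "meets_sla": avail >= sla_pct,
        }
    return report


if __name__ == "__main__":
    for circuit, row in availability_report(OUTAGES, CIRCUITS, PERIOD_START, PERIOD_END,
                                            SLA_UPTIME_PCT).items():
        print(f"{circuit}: {row['downtime_min']:.0f} min down, "
              f"{row['availability_pct']}% available, SLA met: {row['meets_sla']}")
```

Clipping matters for the audit conclusion: the New York circuit's two boundary outages contribute only the portions inside March, and counting them in full would misstate the month's availability.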
24. Disaster Recovery Planning (DRP):
- DRP is an element of an internal control system established to manage availability and restore
critical processes/IT services in the event of interruption.
- The purpose of this continuous planning process is to ensure that cost-effective controls are in place
• to prevent possible IT disruptions and
• to recover the IT capacity of the organization in the event of a disruption
- DRP is a continuous process. Once the criticality of business processes and the supporting IT services,
systems and data has been defined, it is periodically reviewed and revisited
- The ultimate goal of the DRP process is
• to respond to incidents that may impact people and the ability of operations to deliver goods and
services to the marketplace, and
• to comply with regulatory requirements
- The difference between BCP and DRP is as follows:
• BCP is focused on keeping the business operations running, perhaps in a different location
or by using different tools or processes, after the disaster has happened. DRP is focused on
restoring business operations after the disaster has taken place.
• BCP often includes Non-IT aspects of the business. DRP often focuses on IT systems
Points to remember:
o The prerequisite for developing disaster recovery planning is – to have management
commitment.
o The PRIMARY GOAL of Disaster Recovery planning and Business continuity planning should
always be – Safety of Personnel (Human safety first)
o Occupant Emergency Plan (OEP) provides the response procedures for occupants of a facility
in the event a situation poses a threat to the health and safety of personnel
o The critical first step in disaster recovery and contingency planning is – to complete a
business impact analysis
o The term “Disaster Recovery” refers to recovery of technological environment
o The BCP is the ultimate responsibility of the Board of Directors
o Single points of failure, or vulnerability to a common disaster, are minimized by
geographically dispersing resources.
o Disaster Recovery planning addresses the technological aspect of business continuity
planning
o A disaster recovery plan for an organization should focus on reducing the length of recovery
time and the cost of recovery.
o The results of tests and drills are the BEST evidence of an organization’s disaster recovery
readiness.
o Fault-tolerant hardware is the only technology that provides continuous and uninterrupted
support in the event of a disaster or disruption
25. Recovery Point Objective (RPO) and Recovery Time Objective (RTO):
- Recovery Point objective:
• RPO is determined based on the acceptable data loss in case of disruption of operations.
• RPO indicates the earliest point in time to which it is acceptable to recover the data. For
example, if the process can afford to lose the data of up to four hours before the disaster, then
the latest available backup should be from no more than four hours before the disaster or
interruption, and the transactions that occurred between the RPO point and the interruption
need to be entered after recovery (known as catch-up data)
• RPO effectively quantifies the permissible amount of data loss in case of disruption.
Points to remember:
o The CISA candidate should be familiar with which recovery strategies would be best with different RTO and
RPO parameters.
- Recovery Time Objective:
• The RTO is determined based on the acceptable downtime in case of a disruption of
operations.
• It indicates the earliest point in time at which the business operations (and supporting IT
systems) must resume after a disaster
- Both of these concepts are based on time parameters.
- The nearer the time requirements are to the center (0-1 hours), the higher the cost of the recovery
strategies.
- If the RPO is in minutes (lowest possible acceptable data loss), then data mirroring or real-time
replication should be implemented as the recovery strategy.
- If the RTO is in minutes (lowest acceptable time down), then a hot site, dedicated spare servers (and
other equipment) and clustering must be used.
- The below table represents the relationship between RPO and RTO:
Disruption hours | Recovery Time Objective                  | Recovery Point Objective
0 to 1 hour      | Active-active clustering                 | Mirroring (real-time replication)
1 to 4 hours     | Active-passive clustering (hot standby)  | Disk-based backups, snapshots, delayed replication, log shipping
4 to 24 hours    | Cold standby                             | Tape backups, log shipping
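As an added worked example (not from the study notes), the script below puts the RPO/RTO definitions and the table to use in the way an auditor reviewing a recovery test would: it measures the data-loss window (last good backup to failure) and the downtime (failure to restored service) of a constructed incident against the RPO and RTO targets, and maps a target expressed in hours onto the strategy tier the table implies. The timestamps, the 4-hour targets and the application name are constructed; the tier boundaries are those of the table above.

```python
from datetime import datetime

# Strategy tiers taken from the RPO/RTO table: (upper bound in hours, RTO strategy, RPO strategy)
TIERS = [
    (1, "active-active clustering", "mirroring (real-time replication)"),
    (4, "active-passive clustering (hot standby)",
        "disk-based backups, snapshots, delayed replication, log shipping"),
    (24, "cold standby", "tape backups, log shipping"),
]


def strategy_for(hours):
    """Map an RTO or RPO target in hours to the table's (RTO strategy, RPO strategy) pair;
    None when the target exceeds the 24-hour row of the table."""
    for bound, rto_strategy, rpo_strategy in TIERS:
        if hours <= bound:
            return rto_strategy, rpo_strategy
    return None


def assess_incident(last_backup, failure, restored, rpo_hours, rto_hours):
    """Compare the achieved data-loss window and downtime of an incident with the RPO/RTO targets."""
    data_loss_h = (failure - last_backup).total_seconds() / 3600   # data created after the backup
    downtime_h = (restored - failure).total_seconds() / 3600       # service unavailable
    return {
        "data_loss_hours": data_loss_h,
        "rpo_met": data_loss_h <= rpo_hours,
        "downtime_hours": downtime_h,
        "rto_met": downtime_h <= rto_hours,
        # transactions from this window are the catch-up data to re-enter after recovery
        "catch_up_window": (last_backup, failure),
    }


if __name__ == "__main__":
    # Constructed incident for a hypothetical "orders" application with RPO = RTO = 4 hours
    result = assess_incident(
        last_backup=datetime(2024, 3, 5, 22, 0),
        failure=datetime(2024, 3, 6, 1, 30),
        restored=datetime(2024, 3, 6, 7, 30),
        rpo_hours=4, rto_hours=4,
    )
    print(result)
    print("strategies for a 4-hour target:", strategy_for(4))
```

In the sample incident the backup regime satisfies the RPO (3.5 hours of data to re-enter) but the restore takes 6 hours against a 4-hour RTO, which according to the table calls for a hot-standby arrangement rather than the cold-standby one the timing suggests was in use.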
26. Additional parameters in defining recovery strategy:
- Interruption window - The maximum period of time the organization can wait from the point of failure to
the critical services/applications restoration. After this time, the progressive losses caused by the
interruption are unaffordable.
- Service delivery objective (SDO) - Level of services to be reached during the alternate process mode until
the normal situation is restored. This is directly related to the business needs.
- Maximum tolerable outages - Maximum time the organization can support processing in alternate mode.
After this point, different problems may arise, especially if the alternate SDO is lower than the usual SDO,
and the information pending to be updated can become unmanageable.
27. Recovery strategies:
- A recovery strategy identifies the best way to recover a system (one or many) in case of interruption,
including disaster, and provides guidance based on which detailed recovery procedures can be developed
- The selection of a recovery strategy would depend on:
• The criticality of the business process and the applications supporting the processes
• Cost
• Time required to recover
• Security
Points to remember:
o Recovery Point Objective (RPO) will be deemed critical if it is small
o If the Recovery point objective (RPO) is close to zero, then it means that the activity is critical and
hence the cost of maintaining the environment would be higher
o The LOWEST expenditure in terms of recovery arrangement can be through Reciprocal agreement
o A hot site is maintained and data mirroring is implemented, where Recovery Point Objective (RPO)
is low
o The BEST option to support 24/7 availability is – Data Mirroring
o The metric that describes how long it will take to recover a failed system is – Mean time to Repair
(MTTR)
- Recovery strategies based on the risk level identified for recovery are as follows:
• Hot sites - facilities with space and basic infrastructure and all of the IT and
communications equipment required to support the critical applications, along with office
furniture and equipment for use by the staff.
• Warm sites - are complete infrastructures but are partially configured in terms of IT, usually
with network connections and essential peripheral equipment such as disk drives, tape
drives and controllers.
• Cold sites - are facilities with the space and basic infrastructure adequate to support
resumption of operations, but lacking any IT or communications equipment, programs,
data or office support.
• Duplicate information processing facilities
• Mobile sites - are packaged, modular processing facilities mounted on transportable
vehicles and kept ready to be delivered and set up at a location that may be specified upon
activation
• Reciprocal agreements - are agreements between separate, but similar, companies to
temporarily share their IT facilities in the event that one company loses processing
capability. Reciprocal agreements are not considered a viable option due to the
constraining burden of maintaining hardware and software compatibility between the
companies, the complications of maintaining security and privacy compliance during
shared operations, and the difficulty of enforcing the agreements should a disagreement
arise at the time the plan is activated.
• Reciprocal arrangements with other organisations - are agreements between two or
more organizations with unique equipment or applications. Under the typical agreement,
participants promise to provide assistance to each other when an emergency arises.
Points to remember:
o The CISA candidate should know these recovery strategies and when to use them
o An offsite information processing facility having electrical wiring, air conditioning and flooring,
but no computer or communications equipment is a Cold site
o The type of offsite information processing facility that is often an acceptable solution for preparing
for recovery of non-critical systems and data is a cold site
o Data mirroring and parallel processing are both used to provide near-immediate recoverability
for time-sensitive systems and transaction processing
o Organizations should use off-site storage facilities to maintain redundancy of current and
critical information within backup files.
o An off-site processing facility should not be easily identifiable externally because easy
identification would create an additional vulnerability for sabotage
o The GREATEST concern when an organization's backup facility is at a warm site is – Timely
availability of hardware.
o The GREATEST risk created by a reciprocal agreement for disaster recovery made between two
companies is – Developments may result in hardware and software incompatibility.
PART 10 – CISA Domain 4 – Information Systems operations, Maintenance and Service Management
• What are the different Recovery/Continuity/response teams and their responsibilities?
• What is back-up and restoration?
- Full back-up
- Incremental back-up
- Differential back-up
• What are the disaster recovery testing methods?
- Checklist review
- Structured walk-through
- Simulation test
- Parallel test
- Full interruption test
28. Different Recovery/continuity/response teams and their responsibilities:
- Incident response team
- Emergency action team
- Information security team
- Damage assessment team
- Offsite storage team
- Software team
- Applications team
- Administrative support team
- Salvage team
- Emergency operations team
- Network recovery team
- Communications team
- Transportation team
- User hardware team
- Relocation team
- Legal affairs team
- Recovery test team
- Training team
Points to remember:
o The responsibility of the disaster recovery relocation team is to co-ordinate the process of moving
from the hot site to a new location or to the restored original location.
o The responsibility of the offsite storage team is to obtain, pack and ship media and records to the
recovery facilities, as well as to establish and oversee an offsite storage schedule.
o The responsibility of the transportation team is to locate a recovery site, if one has not been
predetermined, and to coordinate the transport of company employees to the recovery site.
o The responsibility of the salvage team is to manage the relocation project and to conduct a more
detailed assessment of the damage to the facilities and equipment.
29. Back-up and restoration:
- Back-up schemes:
There are three main schemes for backup:
• Full back-up - This type of backup scheme copies all files and folders to the backup media, creating
one backup set (with one or more media, depending on media capacity)
• Incremental back-up - An incremental backup copies the files and folders that changed or are new
since the last incremental or full backup
• Differential back-up - A differential backup will copy all files and folders that have been added or
changed since a full backup was performed. This type of backup is faster and requires less media
capacity than a full backup and requires only the last full and differential backup sets to make a
full restoration
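Simulating the three schemes above on a constructed change history shows the trade-off the notes describe: incremental sets stay small but every one of them since the last full backup is needed for a restoration, while differential sets grow each day but only the latest one is needed. This is an added example, not code from the study notes; the four-day schedule, file names and version numbers are constructed.

```python
# Added example (not from the study notes): full / incremental / differential
# backup simulation with the restore chain each scheme requires.
from dataclasses import dataclass


@dataclass
class BackupSet:
    day: int
    kind: str      # "full", "incremental" or "differential"
    files: dict    # file name -> version captured in this set


def run_backups(history, scheme, full_every=7):
    """Produce the backup sets for a day-by-day change history.

    history: list of dicts, one per day, mapping file name -> version present.
    scheme: "incremental" or "differential", used on the non-full days.
    A full backup is taken on day 0 and every `full_every` days after that.
    """
    if scheme not in ("incremental", "differential"):
        raise ValueError("scheme must be 'incremental' or 'differential'")
    sets = []
    full_state = {}   # state captured by the most recent full backup
    prev_state = {}   # state captured by the most recent backup of any kind
    for day, state in enumerate(history):
        if day % full_every == 0:
            captured, kind = dict(state), "full"        # copy everything
            full_state = dict(state)
        else:
            # incremental: changed since the last backup of any kind
            # differential: changed since the last full backup
            base = prev_state if scheme == "incremental" else full_state
            captured = {f: v for f, v in state.items() if base.get(f) != v}
            kind = scheme
        sets.append(BackupSet(day, kind, captured))
        prev_state = dict(state)
    return sets


def restore_chain(sets):
    """Minimal ordered list of sets needed to restore to the last backup."""
    last_full = max(i for i, s in enumerate(sets) if s.kind == "full")
    chain = [sets[last_full]]
    later = sets[last_full + 1:]
    if not later:
        return chain
    if later[-1].kind == "incremental":
        chain.extend(later)          # every incremental since the full
    else:
        chain.append(later[-1])      # only the latest differential
    return chain


def restore(chain):
    """Apply the sets in order; later versions overwrite earlier ones."""
    state = {}
    for s in chain:
        state.update(s.files)
    return state


def volume(sets):
    """Total number of files copied across the given sets."""
    return sum(len(s.files) for s in sets)


# Constructed four-day change history (file name -> version present that day)
HISTORY = [
    {"a": 1, "b": 1, "c": 1},            # day 0: full backup
    {"a": 2, "b": 1, "c": 1},            # day 1: a changed
    {"a": 2, "b": 2, "c": 1, "d": 1},    # day 2: b changed, d added
    {"a": 3, "b": 2, "c": 1, "d": 1},    # day 3: a changed again
]


def compare(history=HISTORY):
    """Per scheme: (sets needed for a full restoration, files copied after the full)."""
    out = {}
    for scheme in ("incremental", "differential"):
        sets = run_backups(history, scheme)
        chain = restore_chain(sets)
        assert restore(chain) == history[-1]   # both schemes restore the final state
        out[scheme] = (len(chain), volume(sets[1:]))
    return out


if __name__ == "__main__":
    print(compare())   # {'incremental': (4, 4), 'differential': (2, 7)}
```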
30. Disaster Recovery testing methods:
• Checklist review - This is a preliminary step to a real test. Recovery checklists are distributed to all members
of a recovery team to review and ensure that the checklist is current.
• Structured walk-through - Team members physically implement the plans on paper and review each step
to assess its effectiveness, identify enhancements, constraints and deficiencies.
• Simulation test - The recovery team role plays a prepared disaster scenario without activating processing
at the recovery site.
• Parallel test - The recovery site is brought to a state of operational readiness, but operations at the primary
site continue normally.
• Full interruption test - Operations are shut down at the primary site and shifted to the recovery site in
accordance with the recovery plan; this is the most rigorous form of testing but is expensive and potentially
disruptive.
Points to remember:
o The BEST backup strategy for a large database with data supporting online sales is – Weekly
full back-up with daily incremental back-up
o A continuity plan test that uses actual resources to simulate a system crash to cost-effectively
obtain evidence about the plan's effectiveness is a preparedness test
o The most effective test of a DRP for organisations having a number of offices across a wide
geographical area is a preparedness test
o The type of BCP test that requires only representatives from each operational area to meet to
review the plan is a walk-through test
CISA DOMAIN 5 – PROTECTION OF INFORMATION ASSETS
This article covers –
• Overall understanding of the domain
• Important concepts to focus on from exam point of view
The article is split into 16 parts as below:
• Part 1 – Information Security Management Systems (ISMS) – Its importance and key elements
• Part 2 – The Classification of Information assets, Various fraud risk factors, Information security control design
• Part 3 – System Access Permission, Mandatory Access Controls (MACs) and Discretionary Access Controls
(DACs) and other types of Access controls.
• Part 4 – Difference between privacy and confidentiality, privacy principles and the role of IS auditors, the privacy
related compliance requirements
• Part 5 – Critical Success Factors (CSFs) to Information Security Management, the different mechanisms available
for raising information security awareness, the various Human Resources security.
• Part 6 – The various Computer crime issues and exposures, the perpetrators in computer crimes, the common
attack methods and techniques
• Part 7 – the various phases of incident response, the logical access exposures, Identification and authentication
(I&A).
• Part 8 – The common I&A vulnerabilities, the categorization of Authentication, the various authentication
techniques.
• Part 9 – Biometric access controls, Operation of each biometric access control, the various biometric devices/
techniques.
• Part 10 – The quantitative measures to determine the performance of biometric control devices, Single sign-on
- its advantages and disadvantages, Firewall security systems.
• Part 11 – The general features of firewall, the types of firewall, Packet filter firewall - its advantages and
disadvantages.
• Part 12 – Application firewall systems - its advantages and disadvantages, Stateful inspection firewall - its
advantages and disadvantages, the various firewall implementations that are commonly used.
• Part 13 – Intrusion Detection Systems (IDS) - its types, its components and its features
• Part 14 – The limitations of Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Honeypots
and its types
• Part 15 – Honeynets, Cryptography, Encryption and decryption
• Part 16 - Digital signature, the various environmental issues and exposures in Information security, the controls
for environmental exposures, the various physical exposure issues and exposures in Information security, the
controls for Physical access exposures
Overall understanding of the domain:
• Weightage - This domain constitutes 25 percent of the CISA exam (approximately 38 questions)
• Covers 26 Knowledge statements covering the process of auditing information systems
1. Knowledge of generally accepted practices and applicable external requirements (e.g., laws, regulations)
related to the protection of information assets
2. Knowledge of privacy principles
3. Knowledge of the techniques for the design, implementation, maintenance, monitoring and reporting of
security controls
4. Knowledge of physical and environmental controls and supporting practices related to the protection of
information assets
5. Knowledge of physical access controls for the identification, authentication and restriction of users to
authorized facilities and hardware
6. Knowledge of logical access controls for the identification, authentication and restriction of users to
authorized functions and data
7. Knowledge of the security controls related to hardware, system software (e.g., applications, operating
systems) and database management systems.
8. Knowledge of risk and controls associated with virtualization of systems
9. Knowledge of risk and controls associated with the use of mobile and wireless devices, including personally
owned devices (bring your own device [BYOD])
10. Knowledge of voice communications security (e.g., PBX, Voice-over Internet Protocol [VoIP])
11. Knowledge of network and Internet security devices, protocols and techniques
12. Knowledge of the configuration, implementation, operation and maintenance of network security controls
13. Knowledge of encryption-related techniques and their uses
14. Knowledge of public key infrastructure (PKI) components and digital signature techniques
15. Knowledge of risk and controls associated with peer-to-peer computing, instant messaging and web-based
technologies (e.g., social networking, message boards, blogs, cloud computing)
16. Knowledge of data classification standards related to the protection of information assets
17. Knowledge of the processes and procedures used to store, retrieve, transport and dispose of confidential
information assets
18. Knowledge of risk and controls associated with data leakage
19. Knowledge of security risk and controls related to end-user computing
20. Knowledge of methods for implementing a security awareness program
21. Knowledge of information system attack methods and techniques
22. Knowledge of prevention and detection tools and control techniques
23. Knowledge of security testing techniques (e.g., penetration testing, vulnerability scanning)
24. Knowledge of processes related to monitoring and responding to security incidents (e.g., escalation
procedures, emergency incident response team)
25. Knowledge of the processes followed in forensics investigation and procedures in collection and
preservation of the data and evidence (i.e., chain of custody).
26. Knowledge of fraud risk factors related to the protection of information assets
PART 1 – CISA Domain 5 – Protection of Information assets
» Overall understanding of the domain
» What is Information Security Management Systems (ISMS)?
» What is the importance of Information Security Management Systems (ISMS)?
» What are the key elements of Information security management?
Important concepts from exam point of view:
1. What is Information Security Management Systems (ISMS)?
❖ Represents the collation of all the interrelated/interacting information security elements of an
organization so as to ensure policies, procedures, and objectives can be created, implemented,
communicated, and evaluated to better guarantee an organization's overall information security
❖ This system is typically influenced by organization's needs, objectives, security requirements, size, and
processes
❖ Includes and lends to effective risk management and mitigation strategies
2. What is the importance of Information Security Management Systems (ISMS)?
❖ Ensure the continued availability of their information systems and data.
❖ Ensure the integrity of the information stored on their computer systems and while in transit.
❖ Preserve the confidentiality of sensitive data while stored and in transit.
❖ Ensure conformity to applicable laws, regulations and standards.
❖ Ensure adherence to trust and obligation requirements in relation to any information relating to an
identified or identifiable individual (i.e., data subject) in accordance with its privacy policy or applicable
privacy laws and regulations.
❖ Ensure that sensitive data are adequately protected while stored and when in transit, based on
organizational requirements.
3. What are the key elements of Information security management?
❖ An ISMS is defined in the International Organization for Standardization (ISO)/International
Electrotechnical Commission (IEC) 27000 series of standards and guidelines
❖ The first standard in this series was ISO/IEC 17799:2000; this was a fast-tracking of the existing British
standard BS 7799 part 1:1999
❖ The initial release of BS 7799 was based, in part, on an information security policy manual developed by the
Royal Dutch/Shell Group in the late 1980s and early 1990s
❖ ISO 27000 series are as follows:
o ISO 27001
o ISO 27002
o ISO 27003
o ISO 27004
o ISO 27005
PART 2 – CISA Domain 5 – Protection of Information assets
» What are the classifications of Information assets?
» What are the various fraud risk factors?
» What is Information Security Control design?
4. What are the classifications of Information assets?
❖ Effective control requires a detailed inventory of information assets.
❖ Creating this list is the first step in classifying assets and determining the level of protection needed for
each asset.
❖ Information assets have varying degrees of sensitivity and criticality in meeting business objectives
❖ Classification of information assets reduces the risk and cost of over- or under-protecting information
resources in linking security to business objectives because it helps to build and maintain a consistent
perspective of the security requirements for information assets throughout the organization
❖ Most organizations use a classification scheme with three to five levels of sensitivity.
❖ The number of classification categories should take into consideration the size and nature of the
organization and the fact that complex schemes may become too impractical to use.
❖ Data classification is a major part of managing data as an asset.
❖ Data classification as a control measure should define:
- The importance of the information asset
- The information asset owner
- The process for granting access
- The person responsible for approving the access rights and access levels
- The extent and depth of security controls
❖ If documents or media are not labeled according to a classification scheme, this is an indicator of a
potential misuse of information. Users might reveal confidential information because they did not know that
the requirements prohibited disclosure.
❖ The below is the example of classification of assets:
- HIGHLY RESTRICTED: This classification label applies to the most private or otherwise sensitive
information of the Company. Information under this classification shall be strictly monitored and
controlled at all times. (e.g. merger and acquisition documents, corporate level strategic plans,
litigation strategy memos, reports on breakthrough new product research, and Trade Secrets such
as certain computer programs.)
- CONFIDENTIAL: This classification label applies to Company information, which is private or
otherwise sensitive in nature and shall be restricted to those with a legitimate business need for
access. (e.g. employee performance evaluations, customer transaction data, strategic alliance
agreements, unpublished internally generated market research, computer passwords, identity token
personal identification numbers (PINs), and internal audit reports).
- INTERNAL USE ONLY: This classification label applies to information intended for use within the
Company, and in some cases within affiliated organizations, such as business partners of the
Company. Assets of this type are widely distributed within the Company and may be distributed
within the Company without permission from the information asset owner. (e.g. telephone directory,
dial-up computer access numbers, new employee training materials, and internal policy manuals.)
- PUBLIC: This classification applies to information that has been explicitly approved by the
Company’s management for release to the public. Assets of this type may be circulated without
potential harm. (e.g. product and service brochures, advertisements, job opening announcements,
and press releases.)
5. What are the various fraud risk factors?
❖ Fraud is the crime of using dishonest methods to take something valuable from a person or organization.
❖ There can be many reasons why a person commits fraud, but one of the more accepted models is the fraud
triangle, which was developed by criminologist Donald R. Cressey
❖ The below are the three key elements in the fraud triangle:
I. Motivation - a perceived financial (or other) need
II. Rationalization - the way the fraudster justifies the crime to himself/herself
III. Opportunity - the method by which the crime is to be committed. Opportunity is created by abuse
of position and authority, poor internal controls, poor management oversight, etc.
6. What is Information Security Control design?
❖ Information security is maintained through use of controls
❖ Controls can be
- Proactive controls – Controls which attempt to prevent an incident (Safeguards)
- Reactive controls - Controls that allow the detection, containment and recovery from an incident
(Counter measures)
❖ Every organization has some controls in place, and a risk assessment should document these
controls and their effectiveness in mitigating risk
❖ An effective control is one that prevents, detects and/or contains an incident and enables recovery from
an event
❖ Controls are divided into three categories:
- Managerial controls - Controls related to the oversight, reporting, procedures and operations of a
process. These include policy, procedures, balancing, employee development and compliance
reporting.
- Technical controls - Controls, also known as logical controls, that are provided through the use of
technology, a piece of equipment or a device. Examples include firewalls, network or host-based
intrusion detection systems (IDSs), passwords, and antivirus software. A technical control requires
proper managerial (administrative) controls to operate correctly.
- Physical controls - Controls such as locks, fences, closed-circuit TV (CCTV), and devices that are
installed to physically restrict access to a facility or hardware. Physical controls require maintenance,
monitoring and the ability to assess and react to an alert should a problem be indicated.
❖ Controls within the above groups can be classified into:
- Preventive controls - Internal controls which are deployed to prevent the occurrence of an event that
might affect achievement of organizational objectives
- Detective controls - Detective controls seek to identify when preventive controls were not effective
in preventing errors and irregularities, particularly in relation to the safeguarding of assets.
- Corrective controls - When detective control activities identify an error or irregularity, corrective
control activities should then see what could or should be done to fix it, and hopefully put a new
system in place to prevent it the next time around.
Points to remember:
1. The MOST effective way to reduce social engineering incidents is security awareness training.
2. Non-repudiation is a message service that provides the strongest evidence that a specific action
has occurred
PART 3 – CISA Domain 5 – Protection of Information assets
» What is System Access Permission?
» What are Mandatory Access Controls (MACs) and Discretionary Access Controls (DACs)?
» What are the other types of Access controls?
- Role-based access control (RBAC)
- Rule-based access control (RAC)
- Organization-based access control (OrBAC)
7. What is System Access Permission?
❖ System access permission is the prerogative to act on a computer resource.
❖ This usually refers to a technical privilege, such as the ability to read, create, modify or delete a file or
data; execute a program; or open or use an external connection
❖ System access to computerized information resources is established, managed and controlled at
- the physical level and/or
- the logical level
❖ Physical controls:
- The controls restrict the entry and exit of personnel to an area such as an office building, suite, data
center or room containing information processing equipment such as a local area network (LAN)
server.
- There are many types of physical access controls including badges, memory cards, guard keys, true
floor-to-ceiling wall construction, fences, locks and biometrics.
❖ Logical system access controls:
- Restrict the logical resources of the system (transactions, data, programs, applications) and are
applied when the subject resource is needed.
- On the basis of identification and authentication of the user that requires a given resource and by
analyzing the security profiles of the user and the resource, it is possible to determine if the requested
access is to be allowed (i.e., what information users can utilize, the programs or transactions they can
run, and the modifications they can make).
- Such controls may be built into the operating system (OS), invoked through separate access control
software and incorporated into application programs, database systems, network control devices and
utilities (e.g., real-time performance monitors).
8. What are Mandatory Access Controls (MACs) and Discretionary Access Controls (DACs)?
❖ Mandatory Access Controls (MACs):
- MACs are logical access control filters used to validate access credentials that cannot be
controlled or modified by normal users or data owners; they act by default
- With mandatory access control, the security policy is centrally controlled by a security policy
administrator; users do not have the ability to override the policy and, for example, grant
access to files that would otherwise be restricted
❖ Discretionary Access Controls (DACs):
- Controls that may be configured or modified by the users or data owners
- This would be the case of data owner-defined sharing of information resources, where the
data owner may select who will be enabled to access his/her resource and the security level
of this access.
- DACs cannot override MACs; DACs act as an additional filter, prohibiting still more access with
the same exclusionary principle.
9. What are the other types of Access controls?
- Role-based access control (RBAC) - Provides access based on the position an individual holds
in the organization
- Rule-based access control (RAC) – Dynamically assigns rules to users based on criteria defined
by the owner or system administrator
- Organization-based access control (OrBAC) - Allows the policy designer to define a security
policy independently of the implementation
Points to remember:
1. Security administration efforts are BEST reduced through the deployment of - Role-based
access controls (RBACs)
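The MAC/DAC relationship in item 8 (a MAC filter the owner cannot override, and a DAC list that can only restrict further) is easiest to see as a two-stage access decision. The block below is an added example, not code from the study notes; it reuses the four classification labels from item 4 as the MAC sensitivity levels, and the users, clearances, resources and ACL entries are constructed.

```python
# Added example (not from the study notes): MAC evaluated first, DAC second.
# Ordered sensitivity levels, reusing the notes' classification labels (assumption).
LEVELS = ["PUBLIC", "INTERNAL USE ONLY", "CONFIDENTIAL", "HIGHLY RESTRICTED"]
RANK = {name: i for i, name in enumerate(LEVELS)}


class Resource:
    """A file whose label is set by the security administrator (MAC) and whose
    sharing list is managed by its owner (DAC)."""

    def __init__(self, name, owner, classification):
        if classification not in RANK:
            raise ValueError(f"unknown classification: {classification}")
        self.name = name
        self.owner = owner
        self.classification = classification
        self.acl = {owner: {"read", "write"}}   # DAC: owner starts with full access

    def grant(self, granted_by, user, actions):
        """DAC: only the owner may share the resource; the MAC label is untouched."""
        if granted_by != self.owner:
            raise PermissionError(f"{granted_by} is not the owner of {self.name}")
        self.acl.setdefault(user, set()).update(actions)


def mac_permits(clearance, classification):
    """MAC filter (constructed simplification): a subject may only act on
    resources labelled at or below its clearance."""
    return RANK[clearance] >= RANK[classification]


def dac_permits(resource, user, action):
    """DAC filter: the owner-managed list must contain the user and the action."""
    return action in resource.acl.get(user, set())


def decide(user, clearance, resource, action):
    """MAC is evaluated first; DAC is applied only as an additional filter,
    so a DAC grant can never override a MAC denial."""
    if not mac_permits(clearance, resource.classification):
        return (False, "denied by MAC")
    if not dac_permits(resource, user, action):
        return (False, "denied by DAC")
    return (True, "allowed")


def scenario():
    """Constructed scenario; returns each decision keyed by (user, resource, action)."""
    memo = Resource("merger_memo", owner="ceo", classification="HIGHLY RESTRICTED")
    evals = Resource("perf_evals", owner="hr_lead", classification="CONFIDENTIAL")
    memo.grant("ceo", "bob", {"read"})          # owner shares, but bob lacks clearance
    evals.grant("hr_lead", "dave", {"read"})    # read-only share to a cleared user
    clearance = {"bob": "CONFIDENTIAL",
                 "carol": "HIGHLY RESTRICTED",
                 "dave": "CONFIDENTIAL"}
    checks = [("bob", memo, "read"),      # DAC grant cannot override MAC
              ("carol", evals, "read"),   # cleared, but the DAC list excludes carol
              ("dave", evals, "read"),    # passes both filters
              ("dave", evals, "write")]   # DAC grant was read-only
    return {(u, r.name, a): decide(u, clearance[u], r, a) for u, r, a in checks}


if __name__ == "__main__":
    for key, result in scenario().items():
        print(key, "->", result)
```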
PART 4 – CISA Domain 5 – Protection of Information assets
» What does privacy mean and how is it different from confidentiality?
» What are the privacy principles and the role of IS auditors?
» What are the privacy related compliance requirements?
o ISO/IEC 29100:2011,
o ISO/IEC 27018:2014,
o ISO/IEC 27701: 2019
10. What does privacy mean and how is it different from confidentiality?
❖ Privacy means freedom from unauthorized intrusion or disclosure of information about an
individual (data subject).
❖ It is an organization-wide matter that, by its nature, requires a consistent approach throughout the
organization
❖ A good practice to ensure this includes the following:
- Privacy should be considered from the outset and be built in by design.
- Private data should be collected fairly in an open, transparent manner. Only the data required
for the purpose should be collected in the first instance.
- Private data should be kept securely throughout their life cycle.
- Private data should only be used and/or disclosed for the purpose for which they were
collected.
- Private data should be accurate, complete and up to date.
- Private data should be deleted when they are no longer required.
❖ In terms of information, privacy is the right of an individual to have some control over how his or her
personal information (or personal health information) is collected, used, and/or disclosed.
Confidentiality, on the other hand, is a far slimmer concept than privacy. Confidentiality is the duty to
ensure information is kept secret only to the extent possible.
❖ Privacy talks about a person, but Confidentiality is about information. Privacy restricts the public from
accessing the personal details about a person, whereas Confidentiality protects the information from
the range of unauthorised persons
11. What are the privacy principles and the role of IS auditors?
❖ IS auditors may be asked to support or perform review of privacy impact analysis. Such assessments
should:
- Pinpoint the nature of personally identifiable information associated with business processes.
- Document the collection, use, disclosure and destruction of personally identifiable
information.
- Ensure that accountability for privacy issues exists.
- Identify legislative, regulatory and contractual requirements for privacy.
- Be the foundation for informed policy, operations and system design decisions based on an
understanding of privacy risk and the options available for mitigating that risk.
❖ The IS auditor may also be called on to give assurance on compliance with privacy policy, laws and other
regulations. To fulfill this role, the IS auditor should:
- Identify and understand legal requirements regarding privacy from laws, regulations and
contract agreements.
Examples include the Organisation for Economic Co-operation and Development (OECD)
Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, European
Union Data Protection Directives and the US-EU Safe Harbor Framework. Depending on the
assignment, IS auditors may need to seek legal or expert opinion on these.
- Review management’s privacy policy to ascertain whether it takes into consideration the
requirement of these privacy laws and regulations.
- Check whether personal sensitive data are correctly managed in respect to these
requirements.
- Verify that the correct security measures are adopted.
12. What are the privacy related compliance requirements?
❖ ISO/IEC 29100:2011 – Information Technology - Security techniques - Privacy framework - provides a
privacy framework which
- specifies a common privacy terminology;
- defines the actors and their roles in processing personally identifiable information (PII);
- describes privacy safeguarding considerations; and
- provides references to known privacy principles for information technology.
❖ ISO/IEC 27018:2014 – Information technology — Security techniques — Code of practice for protection
of personally identifiable information (PII) in public clouds acting as PII processors
❖ ISO/IEC 27701:2019 – Privacy extension of ISO/IEC 27001 - The design goal is to enhance the existing
Information Security Management System (ISMS) with additional requirements in order to establish,
implement, maintain, and continually improve a Privacy Information Management System (PIMS). The
standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII
Processors to manage privacy controls to reduce the risk to the privacy rights of individuals.
13. What are the Critical Success Factors to Information Security Management?
❖ Security awareness, training and education:
- Security awareness program should include the following:
o Training (often administered online)
o Quizzes to gauge retention of training concepts
o Security awareness reminders such as posters, newsletters or screensavers
o A regular schedule of refresher training
❖ Strong leadership, direction and commitment by senior management on security training is needed.
This commitment should be supported with a comprehensive program of formal security awareness
training.
❖ A professional risk-based approach must be used systematically to identify sensitive and critical
information resources and to ensure that there is a clear understanding of threats and risk. Thereafter,
appropriate risk assessment activities should be undertaken to mitigate unacceptable risk and ensure
that residual risk is at an acceptable level.
14. What are the different mechanisms available for raising information security awareness?
❖ Computer-based security awareness and training programs
❖ Email reminders and security tips
❖ Written security policies and procedures (and updates)
❖ Nondisclosure statements signed by the employee
❖ Use of different media in promulgating security (e.g., company newsletter, web page, videos, posters,
login reminders)
❖ Visible enforcement of security rules
❖ Simulated security incidents for improving security
❖ Rewarding employees who report suspicious events
❖ Periodic reviews
❖ Job descriptions
15. What are the various human resources security controls?
❖ Screening and background verification checks:
- All candidates for employment, contractors and third-party users should be subject to
background verification checks.
- These should be carried out and documented in accordance with relevant laws, regulations
and ethics, and be proportional to the business requirements, the classification of the
information to be accessed and the perceived risk.
- The same process should be followed for candidates hired through an agency.
❖ During employment:
- Application of security policies:
✓ Management should require employees, contractors and third-party users to apply
security in accordance with the established policies and procedures of the
organization.
✓ Management responsibilities should be defined to ensure that security is applied
throughout an individual’s employment within the organization.
✓ A formal disciplinary process for handling security breaches should be established.
- Documentation of responsibilities in job descriptions: Specific responsibilities should be
documented in approved job descriptions. This helps ensure that employees, contractors
and third-party users are aware of information security threats and concerns and of their
responsibilities and liabilities, and are equipped to support organizational security policy in
the course of their normal work and to reduce the risk of human error.
- Employee education, training and awareness: An adequate level of awareness, education and
training in security procedures and the correct use of information processing facilities should
be provided to all employees, contractors and third-party users to minimize possible security
risk.
❖ Termination or change of employment:
- When an employee, contractor or third-party user exits the organization, responsibilities
should be in place to manage this process, including the return of all equipment and removal
of all access rights.
- Communication of termination responsibilities should include ongoing security requirements
and legal responsibilities.
- Where appropriate, responsibilities contained within any confidentiality agreement and the
terms and conditions of employment continuing for a defined period after the end of the
employee, contractor or third-party user’s employment should also be communicated.
- Responsibilities and duties still valid after termination of employment should be contained in
the employee, contractor or third-party user’s contracts.
❖ Removal of access rights
- The access rights of all employees, contractors and third-party users to information and
information processing facilities should be removed upon termination of their employment,
contract or agreement, or adjusted upon change.
- The access rights that should be removed or adapted include physical and logical access, keys,
identification cards, information processing facilities, subscriptions, and removal from any
documentation that identifies them as a current member of the organization. This should
include notifying partners and relevant third parties if the departing employee has access to
the third party's premises.
- If a departing employee, contractor or third-party user has known passwords for accounts
remaining active, these should be changed upon termination or change of employment,
contract or agreement.
- Access rights for information assets and information processing facilities should be reduced
or removed before the employment terminates or changes, depending on the evaluation of
risk factors such as:
• Whether the termination or change is initiated by the employee, contractor or third-party
user, or by management, and the reason for the termination
• The current responsibilities of the employee, contractor or any other user
• The value of the assets currently accessible.
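The access-removal rules above can be turned into a repeatable audit test. The following Python is an added example (not part of the study guide or any ISACA material): it reconciles a constructed HR termination roster against a constructed account export and lists accounts that remain enabled, or were used, after the owner's termination date, plus accounts with no HR record at all. All ids, names, systems and dates are constructed sample values, and the grace_days parameter is a hypothetical allowance for an agreed deprovisioning window.

```python
"""Reconcile HR termination records against exported system accounts.

Added example (not from the study guide). All roster entries, account
records and dates below are constructed sample data.
"""
from datetime import date, timedelta

# Constructed HR roster: employee id -> (name, termination date or None if current)
HR_ROSTER = {
    "E100": ("Alice", None),
    "E101": ("Bob", date(2024, 3, 1)),
    "E102": ("Carol", date(2024, 3, 15)),
    "E103": ("Dan", None),
}

# Constructed account export: (employee id, system, enabled?, last login)
ACCOUNTS = [
    ("E100", "erp", True, date(2024, 3, 20)),
    ("E101", "erp", True, date(2024, 3, 18)),   # still enabled, logged in after exit
    ("E101", "vpn", False, date(2024, 2, 27)),  # correctly disabled
    ("E102", "erp", True, date(2024, 3, 10)),   # enabled but not used since exit
    ("E103", "vpn", True, date(2024, 3, 19)),
    ("E999", "erp", True, date(2024, 3, 19)),   # no HR record at all: orphan account
]


def find_exceptions(roster, accounts, as_of, grace_days=0):
    """Return sorted (employee id, system, finding) tuples for the auditor.

    grace_days (hypothetical parameter) allows a short, documented window for
    deprovisioning; with the default of 0 any account still enabled after the
    termination date is an exception.
    """
    findings = []
    for emp, system, enabled, last_login in accounts:
        if emp not in roster:
            findings.append((emp, system, "orphan account: no HR record"))
            continue
        _, term_date = roster[emp]
        if term_date is None or not enabled:
            continue  # current employee, or access already removed
        if as_of <= term_date + timedelta(days=grace_days):
            continue  # still inside the agreed deprovisioning window
        if last_login is not None and last_login > term_date:
            findings.append((emp, system, "used after termination"))
        else:
            findings.append((emp, system, "enabled after termination"))
    return sorted(findings)


def run_audit(as_of_iso: str, grace_days: int = 0):
    """Convenience wrapper over the constructed data, taking an ISO date string."""
    return find_exceptions(HR_ROSTER, ACCOUNTS, date.fromisoformat(as_of_iso), grace_days)


if __name__ == "__main__":
    for emp, system, finding in run_audit("2024-03-21"):
        print(f"{emp:5} {system:4} {finding}")
```

"Used after termination" is the finding to escalate first: it is evidence that the control failed and the access was exercised, not merely that it was left open.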
Points to remember:
1. The primary/best method for assuring the integrity of a prospective staff member - Background
screening
2. When an employee is terminated from service, the MOST important action is to - disable the
employee's logical access.
16. What are the various Computer crime issues and exposures?
❖ Computer systems can be used to fraudulently obtain money, goods, software or corporate
information.
❖ Crimes can also be committed when the computer application process or data are
manipulated to accept false or unauthorized transactions.
❖ Computer crime can be performed without anything physically being taken or stolen, and it can
be done remotely.
❖ Threats to business include:
- Financial loss - These losses can be direct, through loss of electronic funds, or indirect,
through the costs of correcting the exposure.
- Legal repercussions –
o A person cannot use another person's material without citation and reference. An
author has the right to sue a plagiarist. Some plagiarism may also be deemed a
criminal offense, possibly leading to a prison sentence.
o The IS auditor should obtain legal assistance when reviewing the legal issues
associated with computer security.
- Loss of credibility or competitive edge –
o Many organizations, especially service firms such as banks, savings and loans and
investment firms, need credibility and public trust to maintain a competitive edge.
o A security violation can damage this credibility severely, resulting in loss of business
and prestige
- Blackmail/industrial espionage/organized crime –
o Blackmail is an act of coercion using the threat of revealing or publicizing either
substantially true or false information about a person or people unless certain
demands are met. It is often damaging information, and may be revealed to family
members or associates rather than to the general public.
o Industrial espionage is spying directed towards discovering the secrets of a
rival manufacturer or other industrial company.
o Organized crime is a category of transnational, national, or local groupings of highly
centralized enterprises run by criminals to engage in illegal activity, most commonly
for profit. Some criminal organizations, such as terrorist groups, are politically
motivated.
- Disclosure of confidential, sensitive or embarrassing information - As noted previously, such
events can damage an organization’s credibility and its means of conducting business. Legal
or regulatory actions against the company may also be the result of disclosure.
- Sabotage –
o A deliberate action aimed at weakening a polity, effort, or organization through
subversion, obstruction, disruption, or destruction.
o “Hacktivism” occurs when perpetrators make nonviolent use of illegal or legally
ambiguous digital tools in pursuit of political ends.
17. Who are the perpetrators in computer crimes?
❖ Perpetrators in computer crimes are often the same people who exploit physical exposures, although
the skills needed to exploit logical exposures are more technical and complex.
❖ The following are the probable perpetrators in computer crimes:
o Hackers:
- Hackers are also known as crackers.
- Persons with the ability to explore the details of programmable systems and the knowledge
to stretch or exploit their capabilities, whether ethical or not.
- Hackers are typically attempting to test the limits of access restrictions to prove their ability
to overcome the obstacles
- Some hackers seek to commit a crime through their actions for some level of personal
gain or satisfaction
o Script kiddies:
- Script kiddies are also known as Skiddies.
- A script kiddie is an unskilled individual who uses existing scripts or code written by others to break
into computers, lacking the expertise to write their own.
o Employees (authorized or unauthorized) - Affiliated with the organization and given system
access based on job responsibilities, these individuals can cause significant harm to an
organization. Therefore, screening prospective employees through appropriate background
checks is an important means of preventing computer crimes within the organization.
o IT personnel - These individuals have the easiest access to computerized information, as they
are the custodians of this information. In addition to logical access controls, good SoD and
supervision help in reducing logical access violations by these individuals.
o End User - Personnel who often have broad knowledge of the information within the
organization and have easy access to internal resources
o Former employees - Those who have left on unfavourable terms may still have access if it was not
immediately removed at the time of the employee’s termination or if the system
has “back doors”.
o Nations - As more critical infrastructure is controlled from the Internet (e.g., supervisory
control and data acquisition [SCADA] systems) and more of a nation’s key organizations and
businesses rely on the Internet, it is not uncommon for nations to attack each other.
o Interested or educated outsiders – These may include competitors, terrorists, organized
criminals, hackers looking for a challenge, script kiddies acting out of curiosity, joyriding or
testing their newly acquired tools/scripts and exploits, crackers and phreakers.
o Part-time and temporary personnel - Remember that facility contractors such as office
cleaners often have a great deal of physical access and could perpetrate a computer crime.
o Third parties - Vendors, visitors, consultants or other third parties who, through projects,
gain access to the organization’s resources and could perpetrate a crime
o Accidental unaware - Someone who unknowingly perpetrates a violation
o Opportunists - Where information is inadvertently left unattended or left for destruction, a
passerby can access it.
18. What are the common attack methods and techniques?
❖ Alteration attack: Occurs when unauthorized modifications affect the integrity of the data or code.
A cryptographic hash is a primary defense against alteration attacks.
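Added example (not from the study guide) of the hash-based defense just mentioned: a baseline of SHA-256 digests is taken over a set of objects and compared later to report what was modified, added or removed. The file names and contents are constructed; the optional key illustrates the practitioner's caveat that a plain hash list stored beside the data can be rewritten by whoever alters the data, whereas a keyed digest (HMAC) with the key held elsewhere cannot.

```python
"""Detect alteration with a cryptographic baseline (added example).

The objects below are constructed in-memory byte strings standing in for
files or records; in practice they would be read from disk or a database.
"""
import hashlib
import hmac
from typing import Dict, List, Optional


def fingerprint(content: bytes, key: Optional[bytes] = None) -> str:
    """SHA-256 of the content, or HMAC-SHA-256 when a key is supplied.

    A plain hash catches accidental or opportunistic change, but whoever
    can rewrite the data can usually rewrite an unprotected hash list too.
    Keying the digest with a secret stored apart from the data closes that gap.
    """
    if key is None:
        return hashlib.sha256(content).hexdigest()
    return hmac.new(key, content, hashlib.sha256).hexdigest()


def build_baseline(objects: Dict[str, bytes], key: Optional[bytes] = None) -> Dict[str, str]:
    """Name -> fingerprint, taken while the objects are known to be good."""
    return {name: fingerprint(data, key) for name, data in objects.items()}


def compare(baseline: Dict[str, str], objects: Dict[str, bytes],
            key: Optional[bytes] = None) -> Dict[str, List[str]]:
    """Report names whose fingerprint changed, that appeared, or that vanished."""
    current = build_baseline(objects, key)
    return {
        "modified": sorted(n for n in baseline
                           if n in current and not hmac.compare_digest(baseline[n], current[n])),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }


# Constructed sample: a "known good" set and the same set after tampering.
ORIGINAL = {
    "app.cfg": b"debug=false\nadmin=alice\n",
    "ledger.csv": b"1,alice,100\n2,bob,250\n",
    "old.txt": b"retired report\n",
}
TAMPERED = {
    "app.cfg": b"debug=false\nadmin=mallory\n",   # privileged account swapped
    "ledger.csv": b"1,alice,100\n2,bob,250\n",    # untouched
    "new.bin": b"\x4d\x5a\x90\x00",               # something dropped in
}
DEMO_KEY = b"constructed-demo-key-kept-off-the-host"  # constructed value


def demo() -> Dict[str, List[str]]:
    """Baseline the good set with a keyed digest, then check the tampered set."""
    return compare(build_baseline(ORIGINAL, DEMO_KEY), TAMPERED, DEMO_KEY)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:9} {names}")
```

The check only detects change relative to the baseline; it says nothing about whether the baseline itself was taken from a clean state, so it should be captured at build or deployment time and protected like any other control evidence.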
❖ Botnets:
- Short form of “robot network”.
- Botnets comprise a collection of compromised computers (called zombie computers) running
software, usually installed via worms, Trojan horses or back doors.
- They are used for denial-of-service (DoS) attacks, adware, spyware and spam.
❖ Brute force attack:
- An attack launched by an intruder against encrypted passwords, using one of the many password-cracking
tools available at little or no cost, in an attempt to gain unauthorized access to an organization’s network
or host-based systems.
- The attacker systematically checks all possible passwords and passphrases until the correct one is
found.
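A defender sees a brute-force attempt as a burst of failed logons from one source. The following detection logic is an added example (not from the study guide): it runs over constructed sshd-style log lines, flags sources that exceed a failure threshold inside a sliding window, and separately marks a success that follows such a burst, which is the finding that needs immediate action. The log format, addresses and user names are constructed.

```python
"""Flag password brute-force attempts from authentication log lines.

Added example (not from the study guide). The lines are constructed in an
sshd-like format; real logs vary and LINE_RE would need adjusting.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-20T10:00:01 sshd: Failed password for admin from 198.51.100.7
2024-03-20T10:00:02 sshd: Failed password for admin from 198.51.100.7
2024-03-20T10:00:03 sshd: Failed password for root from 198.51.100.7
2024-03-20T10:00:04 sshd: Failed password for admin from 198.51.100.7
2024-03-20T10:00:05 sshd: Failed password for admin from 198.51.100.7
2024-03-20T10:00:06 sshd: Failed password for admin from 198.51.100.7
2024-03-20T10:00:07 sshd: Accepted password for admin from 198.51.100.7
2024-03-20T10:01:30 sshd: Failed password for carol from 203.0.113.9
2024-03-20T10:01:45 sshd: Accepted password for carol from 203.0.113.9
2024-03-20T10:05:00 sshd: Failed password for backup from 192.0.2.5
2024-03-20T10:05:10 sshd: Failed password for backup from 192.0.2.5
2024-03-20T10:05:20 sshd: Failed password for backup from 192.0.2.5
2024-03-20T10:05:30 sshd: Failed password for backup from 192.0.2.5
2024-03-20T10:05:40 sshd: Failed password for backup from 192.0.2.5
this line is not an authentication event and is skipped
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_events(log_text):
    """Yield (timestamp, outcome, user, source) for every line matching LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            yield datetime.fromisoformat(ts), outcome, user, src


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source: {"failures": n, "users": {...}, "success_after_burst": bool}}.

    A source is flagged once `threshold` failures fall inside a sliding
    `window`. An Accepted from a flagged source is the higher-priority
    finding: the guessing may have succeeded.
    """
    recent = defaultdict(deque)   # source -> (timestamp, user) of failures in the window
    alerts = {}
    for ts, outcome, user, src in sorted(parse_events(log_text)):
        q = recent[src]
        if outcome == "Failed":
            q.append((ts, user))
            while q and ts - q[0][0] > window:
                q.popleft()                       # drop failures older than the window
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "users": set(),
                                            "success_after_burst": False})
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(u for _, u in q)
        elif src in alerts:
            alerts[src]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for src, a in detect_bruteforce(SAMPLE_LOG).items():
        print(src, a)
```

The single failed attempt from 203.0.113.9 followed by a success is what an ordinary typo looks like and is not reported; the threshold and window are the tuning knobs that separate that from guessing.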
❖ War dialing:
- Also known as a dial-in penetration attack.
- A technique to automatically scan a list of telephone numbers, usually dialing every number in a local
area code to search for modems, computers, bulletin board systems (computer servers) and fax
machines.
❖ War driving:
- The act of searching for Wi-Fi wireless networks, usually from a moving vehicle, using
a laptop or smartphone.
- The practice of driving around businesses or residential neighborhoods while scanning with a laptop
computer, hacking tool software and sometimes a global positioning system (GPS) receiver to search for
wireless network names.
❖ War walking - Similar to war driving, but a vehicle is not used. The potential hacker walks around the vicinity
with a handheld device. Currently, there are several free hacking tools that fit in these mini-devices.
❖ War Chalking:
- The practice of marking a series of symbols (outward-facing crescents) on sidewalks and walls to
indicate nearby wireless access points.
- These markings are used to identify hotspots, where other computer users can connect to the
Internet wirelessly and at no cost.
- War chalking was inspired by the practice of unemployed migrant workers, during the Great
Depression in the US, using chalk marks to indicate which homes were friendly.
❖ Eavesdropping:
- Also known as “Sniffing or snooping attack”
- An intruder gathers the information flowing through the network with the intent of acquiring and
releasing the message contents for either personal analysis or for third parties who might have
commissioned such eavesdropping.
- This is significant when considering that sensitive information, traversing a network, can be seen in
real time by all other machines, including email, passwords and, in some cases, keystrokes.
- These activities can enable the intruder to gain unauthorized access, to fraudulently use information
such as credit card accounts and to compromise the confidentiality of sensitive information that
could jeopardize or harm an individual’s or an organization’s reputation.
- There are two types of eavesdropping attack:
o Passive eavesdropping - The hacker simply listens to data that is passing through the
network.
o Active eavesdropping - The hackers disguise themselves. This allows them to
impersonate a website where users would normally share their private data.
❖ Interrupt attack:
- Occurs when a malicious action is performed by invoking the OS to execute a particular system call
- Example: A boot sector virus typically issues an interrupt to execute a write to the boot sector.
❖ Man-in-the-middle attack:
o The following scenarios are possible:
- The attacker actively establishes a connection to two devices. The attacker connects to both
devices and pretends to each of them to be the other device. Should the attacker’s device be
required to authenticate itself to one of the devices, it passes the authentication request to
the other device and then sends the response back to the first device. Having authenticated
himself/herself in this way, the attacker can then interact with the device as he/she wishes.
To successfully execute this attack, both devices have to be connectable.
- The attacker interferes while the devices are establishing a connection. During this process,
the devices have to synchronize the hop sequence that is to be used. The attacker can
prevent this synchronization so that both devices use the same sequence but a different
offset within the sequence.
- Types of man-in-the-middle attack – IP spoofing, DNS spoofing, HTTPS spoofing, SSL hijacking,
e-mail hijacking, Wi-Fi eavesdropping, stealing browser cookies.
❖ Masquerading:
o The term masquerade means “pretend to be someone one is not/ be disguised or passed off as
something else”
o An active attack in which the intruder presents an identity other than the original identity. The
purpose is to gain access to sensitive data or computing/network resources to which access is not
allowed under the original identity.
o Impersonation both by people and machines falls under this category.
❖ Pharming:
o An attack that aims to redirect the traffic of a web site to a bogus web site
o In recent years, both pharming and phishing have been used to steal identity information.
o Pharming has become a major concern to businesses hosting e-commerce and online banking web
sites. For example, a web page may be created to deceive visitors into believing that it is another company’s
web page: someone may create a web page that appears to be that of a specific bank, requesting a username and
password for login.
o Sophisticated measures known as anti-pharming are required to protect against this serious threat.
Antivirus software and spyware removal software cannot protect against pharming.
❖ Piggybacking:
o Piggyback attack is an active form of wiretapping.
o The act of following an authorized person through a secured door or electronically attaching to an
authorized telecommunications link to intercept and possibly alter transmissions.
o Piggybacking is considered a physical access exposure
❖ Salami:
o A Salami attack is a series of minor attacks that together results in a larger attack.
o Involves slicing small amounts of money from a computerized transaction or account.
o A real-life example: an employee of a bank in the USA had his employment terminated. The man
introduced a logic bomb into the bank’s servers. The logic bomb was programmed to debit ten cents
from all the accounts registered in the bank and transfer them into the account of the person whose
name was alphabetically last in the bank’s records; he had opened an account in the name of
Ziegler. The amount transferred was so little that nobody noticed the fault. However, it was
brought to light when a person by the name of Zygler opened an account in the same bank. He was
surprised to find a large amount of money being transferred into his account every week. He reported
the ‘mistake’ to the bank and the former employee was prosecuted.
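The story above describes a pattern a detective control can look for: many distinct accounts each losing an amount too small to notice, all flowing to one destination. The following is an added example (not from the study guide); the ledger, account numbers and thresholds are constructed sample values.

```python
"""Spot a salami pattern in a transaction ledger (added example).

The ledger is constructed sample data; amounts use Decimal so that cents
are not lost to floating-point rounding.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed ledger: (transaction id, source account, destination account, amount)
LEDGER = [
    ("t1", "ACC-A100", "ACC-Z999", Decimal("0.10")),
    ("t2", "ACC-A101", "ACC-Z999", Decimal("0.10")),
    ("t3", "ACC-A102", "ACC-Z999", Decimal("0.10")),
    ("t4", "ACC-A103", "ACC-Z999", Decimal("0.10")),
    ("t5", "ACC-A104", "ACC-Z999", Decimal("0.10")),
    ("t6", "ACC-A100", "ACC-B222", Decimal("0.10")),    # a lone small refund: benign
    ("t7", "ACC-A105", "ACC-Z999", Decimal("250.00")),  # an ordinary-sized transfer
    ("t8", "ACC-A101", "ACC-C333", Decimal("42.00")),
]


def find_salami_patterns(ledger, max_amount=Decimal("0.25"), min_sources=3):
    """Return destinations that collect sub-threshold amounts from many distinct sources.

    Each individual debit is too small to be queried on any one statement,
    which is the point of the attack, so the control looks across accounts:
    many distinct sources, each losing a tiny amount, converging on one
    destination. Both thresholds are constructed tuning values.
    """
    by_dest = defaultdict(lambda: {"sources": set(), "count": 0, "total": Decimal("0")})
    for _, src, dst, amount in ledger:
        if amount <= max_amount:
            entry = by_dest[dst]
            entry["sources"].add(src)
            entry["count"] += 1
            entry["total"] += amount
    return {dst: e for dst, e in by_dest.items() if len(e["sources"]) >= min_sources}


if __name__ == "__main__":
    for dst, e in find_salami_patterns(LEDGER).items():
        print(f"{dst}: {e['count']} small credits totalling {e['total']} "
              f"from {len(e['sources'])} distinct accounts")
```

The ordinary 250.00 transfer to the same destination is deliberately ignored: the signal is the fan-in of tiny amounts, not the destination's total balance.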
Points to remember:
1. Active attack based on if and then logic – Logic bomb
2. Ping of Death is the result of denial-of-service attack
3. The expansion of a network infrastructure to support a wireless solution increases the risk of which
type of attack – War driving
4. Sniffing is an attack that can be used to capture sensitive pieces of information (e.g., a password)
passing through the network
5. Spoofing is forging an address and inserting it into a packet to disguise the origin of the
communication.
6. Data destruction is erasing information or removing it from its original location.
7. Traffic analysis is a passive attack on a network
8. Message modification, masquerading and denial-of-service attacks are active attacks on a network
Points to remember:
1. A monitored double-doorway entry system, also referred to as a mantrap or dead man door,
is used as a deterrent control for the vulnerability of piggybacking.
19. What are the various phases of incident response?
I. Planning and preparation
II. Detection
III. Initiation
IV. Recording
V. Evaluation
VI. Containment
VII. Eradication
VIII. Escalation
IX. Response
X. Recovery
XI. Closure
XII. Reporting
XIII. Post-incident review
XIV. Lessons learned
20. What are the logical access exposures?
❖ Exposures that arise through accidental or intentional exploitation of logical access control weaknesses include
technical exposures such as destroying data, compromising system usability and diverting processing resources at
the network, platform, database or application level.
❖ Technical exposures include the following:
o Data leakage:
- Involves siphoning or leaking information out of the computer.
- This can involve dumping files to paper, or can be as simple as stealing computer reports and
tapes.
- Unlike product leakage, data leakage leaves the original copy, so it may go undetected.
o Wiretapping:
- Involves eavesdropping on information being transmitted over telecommunications lines.
o Computer shutdown:
- Initiated through terminals or personal computers connected directly (online) or remotely
(via the Internet) to the computer.
- Usually only individuals who know a high-level logon ID can initiate the shutdown process, but
this security measure is effective only if proper security access controls are in place for the
high-level logon ID and the telecommunications connections into the computer.
- Some systems have proven to be vulnerable to shutting themselves down under certain
conditions of overload.
21. What is Identification and authentication (I&A)?
❖ Identification and authentication (I&A) is the process, performed by logical access control software, of establishing
and proving one’s identity.
❖ Before proceeding further, let us understand the difference between identification, authentication and
authorization, to be clearer on the concepts.
- Identification occurs when someone claims an identity (such as with a username)
- Authentication occurs when someone proves their identity (such as entering a password)
- Once that person’s identity is proven, authorization techniques can grant or block access to
objects based on their proven identities.
❖ So, Identification and authentication (I&A) is a process by which the systems obtain from a user his/her
claimed identity and the credentials needed to authenticate this identity and validates both pieces of
information.
22. What are the common I&A vulnerabilities?
❖ Weak authentication methods (e.g., no enforcement of password minimum length, complexity and
change frequency)
❖ Use of simple or easily guessed passwords
❖ The potential for users to bypass the authentication mechanism
❖ The lack of confidentiality and integrity for the stored authentication information
❖ The lack of encryption for authentication and protection of information transmitted over a network
❖ The user’s lack of knowledge on the risk associated with sharing authentication elements (e.g.,
passwords, security tokens)
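Added example (not from the study guide) that keeps the three steps of Q21 separate in code and addresses two of the vulnerabilities in Q22: stored authentication information is kept as a salted, slow PBKDF2 hash rather than in the clear, and the comparison is constant time. User names, passwords, roles and objects are constructed sample values.

```python
"""Identification, authentication and authorization as three separate checks.

Added example (not from the study guide). User names, passwords, roles,
objects and actions are constructed sample values.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # a slow hash raises the cost of offline guessing
_DUMMY_SALT = b"\x00" * 16


class AccessControl:
    def __init__(self):
        self._credentials = {}   # username -> (salt, derived key); never the password
        self._roles = {}         # username -> set of role names
        self._permissions = {}   # (role, object) -> set of permitted actions

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    # --- administration ----------------------------------------------------
    def enrol(self, username: str, password: str, roles) -> None:
        salt = os.urandom(16)                      # per-user salt defeats precomputed tables
        self._credentials[username] = (salt, self._derive(password, salt))
        self._roles[username] = set(roles)

    def grant(self, role: str, obj: str, actions) -> None:
        self._permissions.setdefault((role, obj), set()).update(actions)

    # --- the three steps ---------------------------------------------------
    def identify(self, username: str) -> bool:
        """Identification: the subject claims an identity. Nothing is proven yet."""
        return username in self._credentials

    def authenticate(self, username: str, password: str) -> bool:
        """Authentication: prove the claimed identity against the stored hash."""
        if not self.identify(username):
            self._derive(password, _DUMMY_SALT)    # same work for unknown names: no timing leak
            return False
        salt, stored = self._credentials[username]
        return hmac.compare_digest(stored, self._derive(password, salt))

    def authorize(self, username: str, obj: str, action: str) -> bool:
        """Authorization: what a proven identity may do, decided from its roles."""
        return any(action in self._permissions.get((role, obj), ())
                   for role in self._roles.get(username, ()))

    def access(self, username: str, password: str, obj: str, action: str) -> str:
        if not self.authenticate(username, password):
            return "denied: authentication failed"
        if not self.authorize(username, obj, action):
            return "denied: not authorized"
        return "allowed"


def demo() -> dict:
    """Enrol two constructed users and exercise all three outcomes."""
    ac = AccessControl()
    ac.enrol("alice", "correct horse battery staple", roles=["auditor"])
    ac.enrol("bob", "hunter2", roles=["clerk"])
    ac.grant("auditor", "ledger", {"read"})
    ac.grant("clerk", "ledger", {"read", "post"})
    return {
        "alice_read": ac.access("alice", "correct horse battery staple", "ledger", "read"),
        "alice_post": ac.access("alice", "correct horse battery staple", "ledger", "post"),
        "bob_wrong_password": ac.access("bob", "hunter3", "ledger", "post"),
        "unknown_user": ac.access("mallory", "anything", "ledger", "read"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20} {outcome}")
```

Note that the unknown user and the wrong password produce the same response; distinguishing them would tell a caller which identities exist, which is one of the ways "the potential for users to bypass the authentication mechanism" starts.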
23. What are the categories of authentication?
❖ Authentication is categorized into three types, as below:
1. Something you know (Example: Password)
2. Something you have (Example: Token card)
3. Something you are/ you do (Example: a biometric feature)
❖ These techniques can be used independently or in combination to authenticate and identify a user.
24. What are the various authentication techniques?
❖ A Single-factor authentication technique (something you know) involves the use of the traditional logon
ID and password/credential.
❖ A two-factor authentication technique (also known as 2FA) is a combination of any two of the three
categories above. For example, something you know, such as a personal identification number (PIN), combined
and associated with something you have, such as a token card, is a two-factor authentication technique.
Another example is withdrawing of money from an ATM; only the correct combination of a bank
card (something you have) and a PIN (something you know) allows the transaction to be carried out.
❖ A Multi-factor authentication technique (also known as MFA) is a combination of more than one method,
such as token and password (or PIN or token and biometric device). MFA is an effective method to
provide enhanced security. Examples of Multi-factor authentication include using a combination of these
elements to authenticate:
- Codes generated by smartphone applications
- Badges, USB devices, or other physical devices
- Soft tokens, certificates
- Fingerprints
- Codes sent to an email address
- Facial recognition
- Retina or iris scanning
- Behavioral analysis
- Answers to personal security questions
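The first MFA element listed, codes generated by a smartphone application, is usually a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example (not from the study guide) of both sides: generating the code and verifying it with a small clock-skew allowance and replay protection. The only key used is the RFC 6238 reference test key, not a production secret.

```python
"""Time-based one-time passwords (RFC 6238) as a second factor.

Added example (not from the study guide). RFC_TEST_SECRET is the RFC 6238
reference test key; a real deployment generates a random secret per user.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): dynamic truncation of HMAC-SHA1 over the counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the counter is the number of `step`-second intervals since the epoch."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None, step: int = 30,
                digits: int = 6, skew: int = 1, last_counter: Optional[int] = None) -> Optional[int]:
    """Server-side check of a submitted code.

    Accepts the current interval and up to `skew` intervals either side to
    absorb clock drift. Returns the matching counter so the caller can store
    it and refuse a replay (any counter <= last_counter is rejected), or None.
    The comparison is constant time.
    """
    if at is None:
        at = time.time()
    now = int(at // step)
    for c in range(now - skew, now + skew + 1):
        if last_counter is not None and c <= last_counter:
            continue  # a code for this interval was already redeemed
        if hmac.compare_digest(hotp(secret, c, digits), str(code)):
            return c
    return None


RFC_TEST_SECRET = b"12345678901234567890"   # RFC 6238 test vector key, not a real secret

if __name__ == "__main__":
    # At T=59 seconds the RFC 6238 table gives 94287082 for SHA-1 with 8 digits.
    print(totp(RFC_TEST_SECRET, at=59, digits=8))
```

Two design points matter in practice: the code is only as secret as the shared key, so the key must be stored with the same care as a password hash, and the server must remember the last redeemed counter, otherwise a captured code stays valid for the whole skew window.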
25. What are biometric access controls?
❖ Biometric access control security systems are designed to restrict physical entry to only users with
authorization.
❖ Biometric access controls are the best means of authenticating a user’s identity based on a
unique, measurable attribute or trait for verifying the identity of a human being
❖ This control restricts computer access based on a physical (something you are) or behavioral (something
you do) characteristic of the user.
26. How does biometric access control system work?
❖ A biometric access control system is a pattern recognition unit that gathers a specific type of biometric
data from a person, focuses on a relevant feature of that data, compares that feature to a preset group
of attributes in its database, and then performs an action based on the accuracy of the comparison.
❖ There are a variety of characteristics that can be used for biometric comparisons, such as fingerprints,
irises, hand geometries, voice patterns, or DNA information, and although there are certain limitations
to biometric capabilities, an effective system can precisely identify an individual based on these factors.
❖ A standard biometric access control system is composed of four main types of components:
1. A sensor device,
2. A quality assessment unit,
3. A feature comparison and matching unit, and
4. A database.
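Added example (not from the study guide) of the comparison step in the four-component model above: a stored template and a fresh sample are scored for agreement, and the accept threshold is tuned by measuring the false acceptance rate (FAR) and false rejection rate (FRR) over trial scores. The bit-string templates and all scores are constructed sample values; real systems use vendor-specific feature extraction.

```python
"""Feature matching and threshold tuning for a biometric system (added example).

Templates are modelled as bit strings, a coarse stand-in for an iris code.
All templates and trial scores below are constructed.
"""
from typing import List, Sequence, Tuple


def similarity(template: str, sample: str) -> float:
    """Fraction of agreeing bits between two equal-length bit strings (1.0 = identical)."""
    if len(template) != len(sample):
        raise ValueError("template and sample must have the same length")
    agree = sum(a == b for a, b in zip(template, sample))
    return agree / len(template)


def decide(score: float, threshold: float) -> str:
    """The action the system takes on the comparison result."""
    return "accept" if score >= threshold else "reject"


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                threshold: float) -> Tuple[float, float]:
    """FAR: impostor scores accepted; FRR: genuine scores rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_threshold(genuine: Sequence[float], impostor: Sequence[float],
                          lo: int = 50, hi: int = 95) -> float:
    """Threshold (searched in hundredths) where FAR and FRR are closest.

    Raising the threshold lowers FAR at the price of a higher FRR; the
    crossover is the usual starting point before a site tightens it for
    high-security doors or loosens it for convenience.
    """
    best_gap, best_t = None, None
    for t in range(lo, hi + 1):
        far, frr = error_rates(genuine, impostor, t / 100)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best_t = gap, t / 100
    return best_t


def tradeoff_table(genuine: Sequence[float], impostor: Sequence[float],
                   thresholds: Sequence[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) rows, to show the trade-off at a glance."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


# Constructed match scores from enrolment trials (genuine = same person, impostor = different)
GENUINE = [0.91, 0.88, 0.95, 0.83, 0.79, 0.92, 0.87, 0.74, 0.90, 0.85]
IMPOSTOR = [0.32, 0.45, 0.51, 0.60, 0.72, 0.38, 0.55, 0.66, 0.41, 0.48]

if __name__ == "__main__":
    for t, far, frr in tradeoff_table(GENUINE, IMPOSTOR, [0.60, 0.70, 0.80, 0.90]):
        print(f"threshold {t:.2f}: FAR {far:.2f}  FRR {frr:.2f}")
    print("equal-error threshold:", equal_error_threshold(GENUINE, IMPOSTOR))
```

This is why the study text can say retina scanning has the lowest FAR: a technique whose genuine and impostor score distributions barely overlap lets the threshold be set high without rejecting legitimate users.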
27. What are the various biometric devices/techniques?
❖ The types of biometric devices/ techniques are divided into two, which are as follows:
- Physically oriented biometrics
- Behaviour oriented biometrics
Points to remember:
1. Biometric door locks - This system is used in instances when extremely sensitive facilities must be
protected such as in the military
For each biometric device, let us have an overview of the device, how it operates, and its
advantages and disadvantages.
❖ Physically oriented biometrics:
1. Palm-based biometric devices:
- These devices analyze physical characteristics associated with the palm such as ridges and
valleys.
- This biometric involves placing the hand on a scanner where physical characteristics are
captured.
2. Hand Geometry:
- This type of biometric device is one of the oldest techniques.
- This technique is concerned with measuring the physical characteristics of the user’s hands
and fingers from a three-dimensional perspective.
- The user places his hand, palm-down, on a metal surface with five guidance pegs to ensure
that fingers are placed properly and in the correct hand position.
- The template is built from measurements of physical geometric characteristics of a person’s
hand (usually 90 measurements) - for example, length, width, thickness and surface area.
3. Iris scan:
- An Iris, which has patterns associated with the colored portions surrounding the pupils, is
unique for every individual and, therefore, a viable method for user identification.
- To capture this information, the user is asked to center his/her eye onto a device by seeing
the reflection of their iris in the device. Upon this alignment occurring, a camera takes a
picture of the user’s iris and compares it with a stored image.
- The iris is stable over time, having over 400 characteristics, although only approximately 260
of these are used to generate the template.
- As is the case with fingerprint scanning, the template carries less information than a high-
quality image.
- Advantage of Iris scan - Contact with the device is not needed, which contrasts with other
forms of identification such as fingerprint and retinal scans
- Disadvantages of iris scan - The high cost of the system, as compared
to other biometric technologies, and the large amount of storage needed to
uniquely identify a user.
4. Retina scan:
- A retinal scan is a biometric technique that uses unique patterns on a person's retina blood
vessels.
- Retina scan uses optical technology to map the capillary pattern of the eye’s retina.
- The user has to put his eye within 0.4 to 0.8 inches (1 to 2 cm) of the reader while an image
of the pupil is taken.
- The patterns of the retina are measured at over 400 points to generate a 96-byte template.
- Advantages of Retina scanning: Retinal scan is extremely reliable, and it has the lowest FAR
among the current biometric methods.
- Disadvantages of Retina scanning: The need for fairly close physical contact with the scanning
device, which impairs user acceptance, and the high cost.
5. Fingerprints:
- Fingerprint access control is a commonly used biometric technique.
- The user places his/her finger on an optical device or silicon surface to get his/her
fingerprint scanned.
- The template generated for the fingerprint, named “minutiae,” measures bifurcations,
divergences, enclosures, endings and valleys in the ridge pattern.
- It contains only specific data about the fingerprint (the minutiae), not the whole image
of the fingerprint itself.
- Additionally, the full fingerprint cannot be reconstructed from the template.
- Depending on the provider, the fingerprint template may use between 250 bytes to
more than 1,000 bytes.
- More storage space implies lower error rates. Fingerprint characteristics are described
by a set of numeric values.
- While the user puts the finger in place for between two and three seconds, a typical
image containing between 30 and 40 finger details is obtained and an automated
comparison to the user’s template takes place.
- Advantages of fingerprint scanning:
o Low cost,
o Small size of the device,
o Ability to physically interface into existing client-server–based systems, and
o ease of integration into existing access control methods.
- Disadvantages of fingerprint scanning:
o the need for physical contact with the device and the possibility of poor-quality
images due to residues, such as dirt and body oils, on the finger.
o Fingerprint biometrics are not as effective as other techniques.
6. Face Recognition:
- In this biometric device, the biometric reader processes an image captured by a video
camera, which is usually within 24 inches (60 cm) of the human face, isolating it from the
other objects captured within the image.
- The reader analyzes images captured for general facial characteristics.
- The template created is based on either generating two- or three-dimensional mapping
arrays or by combining facial-metric measurements of the distance between specific facial
features, such as the eyes, nose and mouth. Some vendors also include thermal imaging in
the template.
- Advantages of facial recognition:
o The face is considered to be one of the most natural and most “friendly” biometrics
o It is acceptable to users because it is fast and easy to use.
- Disadvantages of face recognition:
o The lack of uniqueness, which means that people who look alike may fool the
device.
o Some systems cannot maintain high levels of performance as the database grows
in size.
❖ Behaviour oriented biometrics:
1. Signature recognition:
o Also referred to as Signature dynamics.
o This biometric technique can be operated in two ways:
o Static: In this mode, users write their signature on paper, digitize it through
an optical scanner or a camera, and the biometric system recognizes the
signature analyzing its shape. This group is also known as "off-line".
o Dynamic: In this mode, users write their signature in a digitizing tablet,
which acquires the signature in real time. Another possibility is the
acquisition by means of stylus-operated PDAs. Some systems also operate
on smart-phones or tablets with a capacitive screen, where users can sign
using a finger or an appropriate pen. Dynamic recognition is also known as
"on-line".
o Advantages of signature recognition:
- It is fast, easy to use and has a low implementation cost.
- Even though a person might be able to duplicate the visual image of someone else’s signature,
it is difficult if not impossible to duplicate the dynamics (e.g., time taken to sign, pen
pressure, how often the pen leaves the signing block, etc.)
o Disadvantages of signature recognition:
- Capturing the uniqueness of a signature particularly when a user does not
sign his/her name in a consistent manner. For example, this may occur due
to illness/disease or use of initials versus a complete signature.
- Users’ signing behavior may change when signing onto signature
identification and authentication “tablets” versus writing the signature in ink
onto a piece of paper.
Points to remember:
1. Biometrics - provides authentication based on a physical characteristic of a subject
2. Retina scan - highest reliability and lowest false-acceptance rate (FAR) among the current biometric
methods.
3. Iris pattern – The biometric parameter that is better suited for authentication use over a long
period of time
28. What are the quantitative measures to determine the performance of biometric control devices?
❖ The following are the three quantitative measures to determine the performance of biometric control
devices.
o False-Rejection Rate (FRR)
o False-Acceptance Rate (FAR)
o Equal Error rate (EER)
o The lower these measures, the more effective the biometric.
❖ False-Rejection Rate (FRR):
- It relates to the percentage of identification instances in which authorised persons are
incorrectly rejected.
- It is also known as Type-1 error rate.
❖ False-Acceptance Rate (FAR):
- It relates to the percentage of identification instances in which unauthorised persons are
incorrectly accepted.
- It is also known as Type-2 error rate.
❖ Equal Error rate (EER):
- Each biometric system may be adjusted to lower FRR or FAR, but as a general rule when one
decreases, the other increases (and vice versa), and there is an adjustment point where the
two errors are equal.
- An overall metric related to the two error types is the equal error rate (EER), which is the
percentage at which false rejection and false acceptance are equal.
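The FRR/FAR trade-off and the EER crossover described above, as an added worked example (not part of the original notes). The match scores are constructed samples standing in for what a biometric matcher would output; the threshold sweep shows that tightening FAR to zero necessarily pushes FRR up, which is the tuning decision an auditor should ask an operator to justify.

```python
from typing import List, Tuple

# Constructed sample match scores (not from the notes): 0-100, higher means the
# live sample is more similar to the enrolled template.
GENUINE_SCORES = [88, 91, 79, 95, 84, 70, 90, 86, 77, 93]    # authorised users
IMPOSTOR_SCORES = [40, 55, 62, 48, 73, 51, 66, 58, 45, 69]   # unauthorised users


def frr(genuine: List[int], threshold: int) -> float:
    """Type-1 error: share of authorised attempts rejected because score < threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor: List[int], threshold: int) -> float:
    """Type-2 error: share of unauthorised attempts accepted because score >= threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine: List[int], impostor: List[int],
                lo: int = 0, hi: int = 101) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) for every candidate threshold; FRR climbs as FAR falls."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in range(lo, hi)]


def equal_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Threshold at which FRR and FAR are closest, and the error rate there (the EER)."""
    best_t, best_gap, best_eer = 0, None, 0.0
    for t, r, a in error_curve(genuine, impostor):
        gap = abs(r - a)
        if best_gap is None or gap < best_gap:      # keep the first crossing point
            best_t, best_gap, best_eer = t, gap, (r + a) / 2
    return best_t, best_eer


def threshold_for_max_far(impostor: List[int], max_far: float) -> int:
    """Lowest threshold that keeps FAR at or below a policy ceiling (raising it increases FRR)."""
    for t in range(0, 101):
        if far(impostor, t) <= max_far:
            return t
    return 101


if __name__ == "__main__":
    t, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.2f} at threshold {t}")
    strict = threshold_for_max_far(IMPOSTOR_SCORES, 0.0)
    print(f"FAR 0 needs threshold {strict}; FRR there is {frr(GENUINE_SCORES, strict):.2f}")
```

With these samples the two curves cross at threshold 71 with an EER of 0.10; forcing FAR to zero needs threshold 74, at which one in ten genuine users is rejected. Comparing two devices by EER only makes sense when both are measured on the same population.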
29. What is Single sign-on? What are its advantages and disadvantages?
❖ An authentication scheme that allows a user to log in with a single ID and password to any of several
related, yet independent, software systems
❖ The SSO process begins with the first instance where the user credentials are introduced into the
organization’s IT computing environment.
❖ The information resource or SSO server handling this function is referred to as the primary domain.
❖ Every other information resource, application or platform that uses those credentials is called a
secondary domain.
❖ Advantages of Single sign-on:
- Multiple passwords are no longer required; therefore, a user may be more inclined and
motivated to select a stronger password.
- It improves an administrator’s ability to manage users’ accounts and authorizations to all
associated systems.
- It reduces administrative overhead in resetting forgotten passwords over multiple platforms
and applications.
- It reduces the time taken by users to log into multiple applications and platforms.
❖ Disadvantages of Single sign-on:
- Support for all major OS environments is difficult.
- SSO implementations will often require a number of solutions integrated into a total solution
for an enterprise’s IT architecture.
- The costs associated with SSO development can be significant when considering the nature and
extent of interface development and maintenance that may be necessary.
- The centralized nature of SSO presents the possibility of a single point of failure and total compromise
of an organization’s information assets. For this reason, strong authentication in the form of complex
password requirements and the use of biometrics is frequently implemented.
30. What are firewall security systems?
❖ In the world of computer firewall protection, a firewall refers to a network device which blocks certain
kinds of network traffic, forming a barrier between a trusted and an untrusted network.
❖ It is analogous to a physical firewall in the sense that firewall security attempts to block the spread of
computer attacks
❖ Firewalls are hardware and software combinations that are built using routers, servers and a
variety of software. They separate networks from each other and screen the traffic between them
31. What are the general features of a firewall?
The following are the features of a firewall:
❖ Block access to particular sites on the Internet
❖ Limit traffic on an organization’s public services segment to relevant addresses and ports
❖ Prevent certain users from accessing certain servers or services
❖ Monitor communications and record communications between an internal and an external Network
❖ Monitor and record all communications between an internal network and the outside world to
investigate network penetrations or detect internal subversion
❖ Encrypt packets that are sent between different physical locations within an organization by creating a
VPN over the Internet (i.e., IPSec, VPN tunnels)
32. What are the types of firewalls?
❖ There are three basic types of firewalls that are used by companies to protect their data and devices
and keep destructive elements out of the network, which are as follows:
1. Packet Filter firewall
2. Application firewall systems and
3. Stateful Inspection firewall
33. What is a packet filter firewall, and what are its advantages and disadvantages?
❖ It is also known as “Static filtering firewall”
❖ The simplest and earliest kinds of firewalls (i.e., first generation of firewalls) were packet filtering-based
firewalls deployed between the private network and the Internet.
❖ Packet filters act by inspecting packets transferred between computers. When a packet does not match
the packet filter's set of filtering rules, the packet filter either drops (silently discards) the packet, or
rejects the packet (discards it and generates an Internet Control Message Protocol notification for the
sender) else it is allowed to pass.
❖ Packets may be filtered by source and destination network addresses, protocol, source and
destination port numbers.
❖ Advantages:
- They can process packets at very fast speeds.
- They easily can match on most fields in Layer 3 packets and Layer 4 segment headers, providing a
lot of flexibility in implementing security policies.
❖ Disadvantages/limitations:
- Its simplicity is a disadvantage, because it is vulnerable to attacks from improperly configured filters
and attacks tunneled over permitted services.
- If a single packet filtering router is compromised, every system on the private network may be
compromised and organizations with many routers may face difficulties in designing, coding and
maintaining the rule base.
❖ Some of the more common attacks against packet filter firewalls are – IP spoofing, Source routing
specification, Miniature fragment attack.
34. What are application firewall systems, and what are their advantages and disadvantages?
❖ It is also known as “Proxy firewall”
❖ An application firewall is a type of firewall that scans, monitors and controls network, Internet and local
system access and operations to and from an application or service.
❖ This type of firewall makes it possible to control and manage the operations of an application or service
that's external to the IT environment.
❖ The application firewall systems are of two types:
1. Circuit-level firewall systems
2. Application-level firewall systems
❖ Circuit-level firewall systems:
- This works at the session layer of the OSI model, between the application layer and transport
layer of the TCP/IP stack.
- It creates a connection (circuit) between the two communicating systems
- This type of proxy cannot look into the contents of a packet; thus, it does not carry out deep-
packet inspection. It can only make access decisions based upon protocol header and session
information that is available to it
- This firewall system does not provide the deep-inspection capabilities of an application layer
proxy.
❖ Application-level firewall systems:
- This works at application layer of the OSI model
- An application-level proxy firewall requires one proxy per protocol (e.g., FTP, SMTP, NTP, HTTP)
- Each proxy is a piece of software that has been designed to understand how a specific protocol
talks and how to identify suspicious data within a transmission using that protocol.
- This firewall system requires more processing per packet and is therefore slower than a circuit-level
proxy firewall
- This firewall system provides more protection than circuit-level proxy firewalls
35. What is a stateful inspection firewall, and what are its advantages and disadvantages?
❖ It is also known as “dynamic filtering firewall”
❖ A stateful inspection firewall keeps track of the destination IP address of each packet that leaves the
organization’s internal network.
❖ Whenever the response to a packet is received, its record is referenced to ascertain and ensure that the
incoming message is in response to the request that went out from the organization.
❖ This is done by mapping the source IP address of an incoming packet against the list of destination IP
addresses that is maintained and updated.
❖ This approach prevents connection attempts initiated and originated by an outsider.
❖ Advantages:
- Stateful firewalls are aware of the state of a connection. Stateful firewalls typically build a state
table and use this table to allow only returning traffic from connections currently listed in the state
table
- Stateful firewalls do not have to open up a large range of ports to allow communication. The state
table is used to determine whether this is returning traffic; otherwise, the filtering table is used to
filter the traffic.
- Stateful firewalls prevent more kinds of DoS attacks than packet-filtering firewalls and have more
robust logging.
❖ Disadvantages/limitations:
- They can be complex to configure.
- They cannot prevent application-layer attacks.
- They do not support user authentication of connections.
- Not all protocols contain state information.
- Some applications open multiple connections, some of which use dynamic port numbers for the
additional connections.
- Additional overhead is involved in maintaining a state table.
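The two filtering models described in questions 33 and 35 side by side, as an added example (not the notes' own code or any vendor's). A static packet filter decides on layer-3/4 header fields alone and, for the reply to an outbound connection, would have to open the whole ephemeral port range; the stateful wrapper records the outbound 5-tuple and admits only the matching reply. Addresses, rules and packets are constructed samples.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    sport: int
    dport: int


@dataclass
class Rule:
    action: str       # "accept", "drop" (silent) or "reject" (ICMP notification to sender)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def static_filter(rules: List[Rule], p: Packet) -> str:
    """First-match packet filter over header fields only; anything unmatched is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


class StatefulFirewall:
    """Static rules plus a state table keyed on the connections seen leaving the inside."""

    def __init__(self, rules: List[Rule], inside: str):
        self.rules = rules
        self.inside = ip_network(inside)
        self.state: Set[Tuple[str, str, str, int, int]] = set()

    def process(self, p: Packet) -> str:
        if ip_address(p.src) in self.inside:                 # outbound packet
            decision = static_filter(self.rules, p)
            if decision == "accept":
                # remember the reversed 5-tuple so only this connection's reply gets back in
                self.state.add((p.dst, p.src, p.proto, p.dport, p.sport))
            return decision
        if (p.src, p.dst, p.proto, p.sport, p.dport) in self.state:   # returning traffic
            return "accept"
        return static_filter(self.rules, p)                  # unsolicited: static rules decide


# Constructed rule base: 10.0.0.0/8 is the private network, 10.0.5.10 a public mail server.
DEMO_RULES = [
    Rule("reject", proto="tcp", dport=23),                       # telnet: tell the sender no
    Rule("accept", src="10.0.0.0/8", proto="tcp", dport=443),    # outbound HTTPS
    Rule("accept", dst="10.0.5.10/32", proto="tcp", dport=25),   # inbound SMTP to mail server
]
OUTBOUND_HTTPS = Packet("10.0.1.20", "203.0.113.7", "tcp", 51000, 443)
HTTPS_REPLY = Packet("203.0.113.7", "10.0.1.20", "tcp", 443, 51000)
UNSOLICITED = Packet("203.0.113.7", "10.0.1.20", "tcp", 443, 51001)   # different client port
TELNET_PROBE = Packet("198.51.100.9", "10.0.5.10", "tcp", 40000, 23)
INBOUND_MAIL = Packet("198.51.100.9", "10.0.5.10", "tcp", 40000, 25)


def demo() -> Dict[str, str]:
    """Runs the constructed packets through a stateful firewall in order and collects decisions."""
    fw = StatefulFirewall(DEMO_RULES, "10.0.0.0/8")
    return {
        "outbound_https": fw.process(OUTBOUND_HTTPS),
        "https_reply_stateful": fw.process(HTTPS_REPLY),
        "https_reply_static_only": static_filter(DEMO_RULES, HTTPS_REPLY),
        "unsolicited": fw.process(UNSOLICITED),
        "telnet_probe": fw.process(TELNET_PROBE),
        "inbound_mail": fw.process(INBOUND_MAIL),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:26s} -> {decision}")
```

The "https_reply_static_only" entry is the point of the comparison: the same packet is dropped by the static rule base but accepted by the stateful firewall, and a packet with the wrong client port is still dropped. Note also what neither model sees: the payload. A request that matches an allowed port carries whatever application-layer content it likes, which is the page's argument for proxy firewalls.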
36. What are the various firewall implementations that are commonly used?
The following are the various firewall implementations that are commonly used across organizations:
❖ Screened-host firewall
❖ Dual-homed firewall
❖ Demilitarized zone (DMZ) or screened-subnet firewall
❖ Screened-host firewall:
- The screened host firewall combines a packet-filtering router with an application gateway located on the
protected subnet side of the router.
- A screened host firewall architecture uses a host (called a bastion host) to which all outside hosts connect,
rather than allowing direct connection to other, less secure, internal hosts.
- To achieve this, a filtering router is configured so that all connections to the internal network from the
outside network are directed toward the bastion host.
❖ Dual-homed firewall:
- This is a firewall system that has two or more network interfaces, each of which is connected to a different
network
o One facing the external network and
o The other facing the internal network
- The host controls or prevents the forwarding of traffic between NICs.
- This can be an effective measure to isolate a network
❖ Demilitarized zone (DMZ) or Screened-subnet firewall:
- This firewall system is also known as “Triple-homed firewall”
- This architecture adds another layer of security to the screened-host architecture.
- The external firewall screens the traffic entering the DMZ network.
- However, instead of the firewall then redirecting the traffic to the internal network, an interior firewall
also filters the traffic.
- The use of these two physical firewalls creates a DMZ
- The screened-subnet approach provides more protection than a stand-alone firewall or a screened-host
firewall because three devices are working together and all three devices must be compromised before
an attacker can gain access to the internal network
37. What are Intrusion Detection Systems (IDS) and what are their types?
- An intrusion detection system is a device or software application that monitors a network or systems for
malicious activity or policy violations.
- Any intrusion activity or violation is typically reported either to an administrator or collected centrally using
a security information and event management system.
- IDS has two main types:
1. Network intrusion detection system - They identify attacks within the monitored network and issue
a warning to the operator.
2. Host-based intrusion detection system - They are configured for a specific environment and will
monitor various internal resources of the OS to warn of a possible attack.
38. What are the components of Intrusion Detection Systems (IDS)?
The Components of an Intrusion Detection System are as follows:
o Sensors that are responsible for collecting data, such as network packets, log files, system call
traces, etc.
o Analyzers that receive input from sensors and determine intrusive activity
o An administration console
o A user interface
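The sensor/analyzer/console split listed above, as an added example of a minimal host-based IDS (not code from the notes or from any IDS product). The sensor normalises raw authentication log lines into events, the analyzer applies one rule (many failed logins from a single source against several accounts), and the console renders alerts. The log lines are constructed samples in the usual sshd format.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample auth log (not real traffic) as a host-based sensor would read it.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 web1 sshd[2101]: Failed password for root from 198.51.100.23 port 50211 ssh2
Mar  3 10:01:04 web1 sshd[2101]: Failed password for root from 198.51.100.23 port 50212 ssh2
Mar  3 10:01:05 web1 sshd[2101]: Failed password for admin from 198.51.100.23 port 50213 ssh2
Mar  3 10:01:07 web1 sshd[2101]: Failed password for admin from 198.51.100.23 port 50214 ssh2
Mar  3 10:01:09 web1 sshd[2101]: Failed password for oracle from 198.51.100.23 port 50215 ssh2
Mar  3 10:02:30 web1 sshd[2188]: Accepted publickey for deploy from 10.0.1.50 port 41022 ssh2
Mar  3 10:03:11 web1 sshd[2190]: Failed password for deploy from 10.0.1.50 port 41030 ssh2
"""


@dataclass
class Event:
    host: str
    src_ip: str
    user: str
    outcome: str      # "failed" or "accepted"


LINE_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<outcome>Failed|Accepted)\s+\S+\s+for\s+(?P<user>\S+)\s+from\s+(?P<src>\S+)"
)


def sensor(raw_log: str) -> List[Event]:
    """Sensor: collects raw data and normalises it; lines it cannot parse are skipped."""
    events = []
    for line in raw_log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m["host"], m["src"], m["user"], m["outcome"].lower()))
    return events


def analyzer(events: List[Event], fail_threshold: int = 4) -> List[Dict]:
    """Analyzer: flags a source with >= fail_threshold failed logins (password guessing)."""
    failures = defaultdict(list)
    for e in events:
        if e.outcome == "failed":
            failures[e.src_ip].append(e.user)
    alerts = []
    for src, users in failures.items():
        if len(users) >= fail_threshold:
            alerts.append({"rule": "ssh-bruteforce", "src_ip": src,
                           "failures": len(users), "accounts": sorted(set(users))})
    return alerts


def console(alerts: List[Dict]) -> List[str]:
    """Administration console: one human-readable line per alert."""
    return [f"[{a['rule']}] {a['src_ip']}: {a['failures']} failed logins "
            f"against {', '.join(a['accounts'])}" for a in alerts]


def run_ids(raw_log: str) -> List[Dict]:
    return analyzer(sensor(raw_log))


if __name__ == "__main__":
    for line in console(run_ids(SAMPLE_AUTH_LOG)):
        print(line)
```

The single failed login from 10.0.1.50 stays below the threshold and produces no alert, which is the tuning problem every IDS rule has: the threshold trades missed slow attacks against false alarms, exactly the FRR/FAR tension from the biometrics section in another guise.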
39. What are the features of Intrusion Detection Systems (IDS)?
The features of Intrusion Detection System are as follows:
o Intrusion detection
o Gathering evidence on intrusive activity
o Automated response (i.e., termination of connection, alarm messaging)
o Security policy
o Interface with system tools
o Security policy management
40. What are the limitations of Intrusion Detection Systems (IDS)?
An IDS cannot help with the following weaknesses:
o Weaknesses in the policy definition
o Application-level vulnerabilities
o Back doors into applications
o Weaknesses in identification and authentication schemes
41. What is an Intrusion Prevention System (IPS)?
- An intrusion prevention system (IPS) is a form of network security that works to detect and prevent
identified threats.
- Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents
and capturing information about them.
- As the name suggests, an IPS is a preventative and proactive technology, whereas an IDS is a detective
and after-the-fact technology.
42. What are honeypots and their types?
❖ A honeypot is a software application that pretends to be a vulnerable server on the Internet and is not
set up to actively protect against break-ins.
❖ It acts as a decoy system that lures hackers.
❖ The more a honeypot is targeted by an intruder, the more valuable it becomes.
❖ Although honeypots are technically related to IDSs and firewalls, they have no real production value as
an active sentinel of networks.
❖ There are two basic types of honeypots:
o High-interaction - Give hackers a real environment to attack
o Low-interaction - Emulate production environments and provide more limited information
43. What are honeynets?
❖ A honeynet is a group of virtual servers contained within a single physical server, and the servers within
this network are honeypots.
❖ The purpose of this virtual network is to attract the attention of an attacker, similar to how a
single honeypot tries to attract the attention of an attacker
❖ An IDS triggers a virtual alarm whenever an attacker breaches security of any networked
computers.
❖ A stealthy keystroke logger watches everything the intruder types.
❖ A separate firewall cuts off the machines from the Internet anytime an intruder tries to attack another
system from the honeynet.
44. What is Cryptography?
❖ Cryptography provides for secure communication in the presence of malicious third-parties known as
adversaries. Encryption uses an algorithm and a key to transform an input (i.e., plaintext) into an
encrypted output (i.e., ciphertext).
❖ It is a method of storing and transmitting data in a form that only those it is intended for can read and
process.
❖ It is also considered a science of protecting information by encoding it into an unreadable format
Points to remember:
1. Honeypots are often used as a detection and deterrent control against Internet attacks.
❖ Cryptanalysis is the science of studying and breaking the secrecy of encryption processes, compromising
authentication schemes, and reverse-engineering algorithms and keys.
❖ In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked, but
requires the use of a one-time pre-shared key the same size as, or longer than, the message being sent.
In this technique, a plaintext is paired with a random secret key (also referred to as a one-time pad).
The one-time pad is also known as the Vernam cipher.
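The one-time pad as working code, added here as an illustration (not from the notes). It enforces the two conditions the text names, a key at least as long as the message and key material that is never reused, and shows why the scheme is unbreakable: for any ciphertext, every plaintext of the same length is explained by some key, so the ciphertext alone gives the adversary nothing. Messages and keys are constructed samples.

```python
import secrets
from typing import Tuple


def otp_keygen(length: int) -> bytes:
    """Pad bytes must come from a true random source and be at least as long as the message."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Vernam cipher: XOR each plaintext byte with the corresponding key byte."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation with the same key."""
    return otp_encrypt(ciphertext, key)


def key_consistent_with(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """The key under which this ciphertext would decrypt to the candidate plaintext.

    One such key always exists, which is the perfect-secrecy argument: without the key,
    'ATTACK AT DAWN' and 'DEFEND AT NOON' are equally plausible readings of the same bytes.
    """
    if len(candidate_plaintext) != len(ciphertext):
        raise ValueError("candidate must have the same length as the ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext, candidate_plaintext))


class OneTimePad:
    """Tracks consumed key material so that no part of the pad is ever used twice."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._used = 0

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Returns (offset, ciphertext); the offset tells the receiver which pad bytes to use."""
        start = self._used
        if start + len(plaintext) > len(self._pad):
            raise ValueError("pad exhausted: no unused key material left")
        self._used += len(plaintext)
        return start, otp_encrypt(plaintext, self._pad[start:self._used])

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        return otp_decrypt(ciphertext, self._pad[offset:offset + len(ciphertext)])


if __name__ == "__main__":
    pad = otp_keygen(64)
    sender, receiver = OneTimePad(pad), OneTimePad(pad)   # both hold the same pre-shared pad
    offset, ct = sender.encrypt(b"ATTACK AT DAWN")
    print(receiver.decrypt(offset, ct))
    print(otp_decrypt(ct, key_consistent_with(ct, b"DEFEND AT NOON")))
```

The cost that keeps the OTP out of general use is visible in the class: the pad must be as long as all traffic combined, pre-shared over a secure channel, and discarded as it is consumed. Reusing pad bytes collapses the scheme, which is why the code refuses rather than wraps around.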
45. What is Encryption and decryption?
❖ Encryption is the process of encoding information.
❖ This process converts the original representation of the information, known as plaintext, into an
alternative form known as cipher text.
❖ Only authorized parties can decipher a cipher text back to plaintext and access the original information.
This is called decryption.
❖ It serves as a mechanism to ensure confidentiality
❖ Encryption generally is used to:
o Protect data in transit over networks from unauthorized interception and manipulation
o Protect information stored on computers from unauthorized viewing and manipulation
o Deter and detect accidental or intentional alterations of data
o Verify authenticity of a transaction or document
❖ Encryption is limited in that it cannot prevent the loss or modification of data
❖ The process of encrypting and decrypting messages involves keys. The two main types of keys in
cryptographic systems are:
1. Symmetric-key (also known as Unique key/ Secret key)
2. Public-key (also known as asymmetric key)
Points to remember:
1. One-time pad – The only type of encryption proven to be unbreakable.
2. A key distinction between encryption and hashing algorithms is that hashing algorithms are
irreversible.
46. What is digital signature?
❖ A digital signature is a mathematical scheme for verifying the authenticity of digital messages or
documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very strong
reason to believe that the message was created by a known sender (authentication), and that the
message was not altered in transit (integrity)
❖ Therefore, digital signature ensures:
1. Data integrity
2. Authentication
3. Non-repudiation
47. What are the various environmental issues and exposures in Information security?
❖ Environmental exposures are due primarily to naturally occurring events such as lightning
storms, earthquakes, volcanic eruptions, hurricanes, tornados and other types of extreme weather
conditions.
❖ The result of such conditions can lead to many types of problems. One particular area of concern is
power failures of computer and supporting environmental systems.
❖ Generally, power failures can be grouped into four distinct categories, based on the duration and
relative severity of the failure:
o Total failure (blackout)
o Severely reduced voltage (brownout)
o Sags (temporary rapid decreases in voltage; mitigated by power line conditioners)
o Spikes (temporary rapid increases lasting about 1 nanosecond; mitigated by surge protectors)
o Surges (temporary rapid increases lasting more than 3 nanoseconds)
❖ Electromagnetic interference (EMI) - Caused by electrical storms or noisy electrical equipment,
which can result in a hang or crash of computer systems
48. What are the controls for environmental exposures?
❖ Alarm control panels
❖ Water detectors
❖ Handheld fire extinguishers
❖ Manual fire alarms
❖ Smoke detectors
❖ Fire suppression systems
❖ Dry-pipe sprinkling systems
❖ Halon systems
❖ FM-200
❖ Argonite
❖ CO2 systems
Points to remember:
1. The IS auditor should be familiar with how a digital signature functions to protect data. The
specific types of message digest algorithms are not tested on the CISA exam.
2. Digital signature encrypts the hash of the message and not the message. Hence, digital signature
does not provide confidentiality or privacy.
3. The private key of the sender is used for encryption of hash of the message
4. Non-repudiation is best described as proving a user performed a transaction that did not change
49. What are the various physical exposure issues and exposures in Information security?
Exposures that exist from accidental or intentional violation of these access paths include:
❖ Unauthorized entry
❖ Damage, vandalism or theft to equipment or documents
❖ Copying or viewing of sensitive or copyrighted information
❖ Alteration of sensitive equipment and information
❖ Public disclosure of sensitive information
❖ Abuse of data processing resources
❖ Blackmail
❖ Embezzlement
50. What are the controls for Physical access exposures?
❖ Bolting door locks
❖ Combination door locks (cipher locks)
❖ Electronic door locks
❖ Biometric door locks
❖ Manual logging
❖ Electronic logging
❖ Identification badges (photo IDs)
❖ Video cameras
❖ Security guards
❖ Controlled visitor access
❖ Dead man doors (Mantrap)
❖ Computer workstation locks
❖ Not advertising the location of sensitive facilities
❖ Controlled single entry point
❖ Alarm system
❖ Secured report / document distribution cart
❖ Windows
❖ Touring the information processing facility (IPF)
❖ Testing of physical safeguards
Points to remember:
1. Soda acid should not be used to extinguish a class C (U.S.) fire
2. Although many methods of fire suppression exist, dry-pipe sprinklers are considered to be the most
environmentally friendly.
©Aswini Srinath
CISA (Certified Information Systems Auditor) Domain-Wise Summary.pdf

CISA (Certified Information Systems Auditor) Domain-Wise Summary.pdf

  • 2.
    CISA DOMAIN 1– THE PROCESS ON AUDITING INFORMATION SYSTEMS 1 | P a g e This article covers – • Overall understanding of the domain • Important concepts to focus on from exam point of view The article is split into 4 parts as below: • Part 1 – Overall understanding of Domain 1, Important concepts from exam point of view – Audit charter, Audit planning, Risk analysis • Part 2 – Internal controls, COBIT – 5, Risk-based auditing, Risk treatment • Part 3 – Compliance testing Vs. Substantive testing, Audit evidence, Audit Sampling and Control self- assessment Overall understanding of the domain: • Weightage - This domain constitutes 21 percent of the CISA exam (approximately 32 questions) • Covers 11 Knowledge statements covering the process of auditing information systems 1. ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, Code of Professional Ethics and other applicable standards 2. risk assessment concepts and tools and techniques in planning, examination, reporting and follow-up 3. Fundamental business processes and the role of IS in these processes 4. Control principles related to controls in information systems 5. Risk-based audit planning and audit project management techniques 6. Applicable laws and regulations which affect the scope, evidence collection and preservation and frequency of audits 7. Evidence collection techniques used to gather, protect and preserve audit evidence 8. Different sampling methodologies and other substantive/data analytical procedures 9. Reporting and communication techniques 10. Audit quality assurance (QA) systems and frameworks 11. Various types of audits and methods for assessing and placing reliance on the work of other auditors or control entities PART 1 ©Aswini Srinath
  • 3.
    CISA DOMAIN 1– THE PROCESS ON AUDITING INFORMATION SYSTEMS 2 | P a g e Important concepts from exam point of view: 1. Audit Charter: ➢ Audit Charter outlines the overall authority, scope and responsibilities of audit function ➢ Audit charter should be approved by Audit committee or senior management ➢ Internal audit function is always independent of management committee 2. Audit planning: ➢ Step 1 – Understanding of business mission, vision, objectives, process which includes information requirements under CIA trait (Confidentiality, Integrity and Availability of data) ➢ Step 2 – Understanding of business environment ➢ Step 3 - Review prior work papers ➢ Step 4 - Perform Risk analysis ➢ Step 5 - Set audit scope and objectives ➢ Step 6 - Develop audit plan/strategy ➢ Step 7 - Assign audit personal/resources ➢ Audit planning includes – 1. Short term planning – considers audit issues that will be covered during the year 2. Long term planning - audit plans that will take into account risk-related issues regarding changes in the organization’s IT strategic direction that will affect the organization’s IT environment. Points to remember: • When CISA question is on the approval of audit charter, the answer should be senior most management, based on the options available. • IS auditor’s role being more of reporting of audit observations and giving an “independent audit opinion” Point to remember: The first step in the audit planning is always understanding the business mission, objectives and business environment, then analyzing the risk involved based in the audit scope. ©Aswini Srinath
  • 4.
3. Risk analysis:
➢ Risk is a combination of the probability of an event and its consequence (International Organization for Standardization [ISO] 31000:2009)
➢ Risk analysis is part of audit planning and helps identify risks and vulnerabilities so the IS auditor can determine the controls needed to mitigate those risks
➢ Risk analysis covers the risk management frameworks ISO 27005 and ISO 31000
➢ Risk assessment process – starts with identifying the sources and events, then identifying the vulnerabilities associated with the sources, and then analyzing the probability of occurrence and the impact
➢ Risk management process – begins with identifying the business objectives and the information assets associated with the business, assessing the risk, deciding how to treat the risk (avoid, transfer or mitigate/reduce it) and implementing controls to mitigate the risk

Points to remember:
• A CISA candidate should be aware of the difference between risk assessment and risk management. Risk assessment is the process of finding where the risk exists. Risk management is the second step, after performing risk assessment.
• Risk can be mitigated/reduced through the implementation of controls, third-party insurance, etc.

Point to remember: A CISA candidate should be able to differentiate between threat and vulnerability. A threat is anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage or destroy an asset. A vulnerability is a weakness or gap in a security program that can be exploited by threats to gain unauthorized access to an asset.
PART 2

4. Internal Controls:
➢ Internal controls are normally composed of policies, procedures, practices and organizational structures which are implemented to reduce risks to the organization
➢ The board of directors is responsible for establishing an effective internal control system
➢ Classification of internal controls:
   a. Preventive controls
   b. Detective controls
   c. Corrective controls

Point to remember: When a CISA question is on the responsibility for internal controls, the answer should be the senior-most management (BoD, CEO, CIO, CISO, etc.), based on the options available.

Point to remember: CISA questions will be scenario based, so the candidate should have a thorough understanding of all three control types and be able to differentiate between preventive, detective and corrective controls.

➢ Preventive controls: internal controls deployed to prevent an event that might affect the achievement of organizational objectives from happening. Some examples of preventive control activities are:
   • Employee background checks
   • Employee training and required certifications
   • Password-protected access to asset storage areas
   • Physical locks on inventory warehouses
   • Security camera systems
   • Segregation of duties (i.e. recording, authorization and custody all handled by separate individuals)
➢ Detective controls: seek to identify when preventive controls were not effective in preventing errors and irregularities, particularly in relation to the safeguarding of assets. Some examples of detective control activities are:
   • Bank reconciliations
   • Control totals
   • Physical inventory counts
   • Reconciliation of the general ledgers to the detailed subsidiary ledgers
   • Internal audit functions
➢ Corrective controls: when detective control activities identify an error or irregularity, corrective control activities should see what could or should be done to fix it, and ideally put a new system in place to prevent it the next time around. Some examples of corrective control activities are:
   • Data backups can be used to restore lost data in case of a fire or other disaster
   • Data validity tests can require users to confirm data inputs if amounts are outside a reasonable range
   • Insurance can be utilized to help replace damaged or stolen assets
   • Management variance reports can highlight variances from budget to actual for management corrective action
   • Training and operations manuals can be revised to prevent future errors and irregularities

5. COBIT 5:
➢ Developed by ISACA
➢ A comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT (GEIT)
➢ COBIT 5 is based on 5 principles and 7 enablers

5 Principles:
   1. Meeting Shareholders needs
   2. End-to-end coverage
   3. Holistic approach
   4. Integrated framework
   5. Separate governance from management

7 Enablers:
   1. Principles, policies and frameworks
   2. Processes
   3. Organizational structures
   4. Culture, ethics and behaviour
   5. Information
   6. Services, infrastructure and applications
   7. People, skills and competencies

(Note: A CISA candidate will not be asked to specifically identify the COBIT process, the COBIT domains or the set of IT processes defined in each. However, candidates should know what frameworks are, what they do and why they are used by enterprises.)
6. Risk-based auditing:
➢ Audit risk – the risk that information may contain a material error that goes undetected during the course of the audit
➢ The audit approach should be as follows:
   • Step 1 – Gather available information and plan, through review of the prior year's audit results, recent financial information and inherent risk assessments
   • Step 2 – Understand existing internal controls by analyzing control procedures and assessing detection risk
   • Step 3 – Perform compliance testing by identifying the key controls to be tested
   • Step 4 – Perform substantive testing through tests of account balances and analytical procedures
   • Step 5 – Conclude the audit – an audit report with an independent audit opinion
➢ Factors which influence audit risk:
   a. Inherent risk – the risk that an activity would pose if no controls or other mitigating factors were in place
   b. Control risk – the risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls
   c. Detection risk – the risk that material errors or misstatements that have occurred will not be detected by the IS auditor
   d. Residual risk – the risk that remains after controls are taken into account

7. Risk Treatment:
➢ Risk identified in the risk assessment needs to be treated.
➢ Possible risk response options include:
   • Risk mitigation – applying appropriate controls to reduce the risk
   • Risk acceptance – knowingly and objectively not taking action, provided the risk clearly satisfies the organization's policy and criteria for risk acceptance
   • Risk avoidance – avoiding risk by not allowing actions that would cause the risk to occur
   • Risk transfer/sharing – transferring the associated risk to other parties (e.g., insurers or suppliers)

Point to remember: A CISA candidate should know the differences between preventive, detective and corrective controls. An example of a question in the exam would be: Which of the following controls would BEST detect
PART 3

8. Compliance testing vs. substantive testing:
➢ Compliance testing – determines whether controls are in compliance with management policies and procedures. Examples:
   • User access rights
   • Program change control procedures
   • Review of logs
   • Software license audit
➢ Substantive testing – gathers evidence to evaluate the integrity of individual transactions, data or other information. Examples:
   • Performance of a complex calculation on a sample basis
   • Testing of account balances

Points to remember:
• CISA questions will be scenario based, and the candidate should be able to differentiate between substantive testing and compliance testing.
• Statistical sampling is to be used when the probability of error must be objectively quantified (i.e. no subjectivity is involved). Statistical sampling is an objective method of sampling in which each item has an equal chance of selection.

9. Audit Evidence:
➢ Any information used by the IS auditor to determine whether the entity or data being audited follows the established criteria or objectives, and which supports the audit conclusions
➢ Techniques for gathering evidence:
   • Review IS organization structures
   • Review IS policies and procedures
   • Review IS standards
   • Review IS documentation
   • Interview appropriate personnel
   • Observe processes and employee performance
   • Walkthrough

Point to remember: A CISA candidate, given an audit scenario, should be able to determine which type of evidence-gathering technique would be best.

10. Audit Sampling:
➢ The subset of population members used to perform testing
➢ Two approaches to sampling:
   a. Statistical sampling – uses the mathematical laws of probability to determine the sample size
   b. Non-statistical sampling – uses auditor judgment to determine the method of sampling
➢ Methods of sampling:
   a. Attribute sampling – applied in compliance testing situations; deals with the presence or absence of an attribute and provides conclusions expressed in rates of incidence. Involves three types:
      • Attribute sampling – selecting a small number of transactions and making assumptions about how their characteristics represent the full population of which the selected items are a part
      • Stop-or-go sampling – helps prevent excessive sampling of an attribute by allowing an audit test to be stopped at the earliest possible moment. It is mostly used when the auditor believes that relatively few errors will be found in the population
      • Discovery sampling – mostly used when the objective of the audit is to discover fraud
   b. Variable sampling – applied in substantive testing situations; deals with population characteristics that vary, such as monetary values, weights or any other measurement, and provides conclusions related to deviations from the norm. Involves three types:
      • Stratified mean per unit – a statistical model in which the population is divided into groups and samples are drawn from the various groups
      • Unstratified mean per unit – a statistical model in which the sample mean (average) is calculated and projected as an estimated total
      • Difference estimation – a statistical model used to estimate the total difference between audited values and unaudited values, based on the differences obtained from sample observations
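A worked illustration of the three variable-sampling estimators described above (unstratified mean per unit, stratified mean per unit and difference estimation), added here as an example and not part of the original study notes; the population size, book total, tolerable misstatement and sample values are all constructed for illustration.

```python
"""Variable sampling estimators used in substantive testing (added example).

All figures below are constructed. The three functions project a sample
result onto the whole population, which is what an IS auditor does when
deciding whether a recorded balance is materially misstated.
"""
from statistics import mean

# Constructed population: 1,000 invoices with a recorded (book) total of 500,000.
POPULATION_SIZE = 1000
BOOK_TOTAL = 500_000.0
TOLERABLE_MISSTATEMENT = 10_000.0  # constructed materiality threshold

# Constructed sample of 10 invoices: (book value, audited value).
# Two items were found to be overstated (480 vs 470 and 530 vs 500).
SAMPLE = [
    (520.0, 520.0), (480.0, 470.0), (610.0, 610.0), (450.0, 450.0), (530.0, 500.0),
    (495.0, 495.0), (505.0, 505.0), (470.0, 470.0), (540.0, 540.0), (500.0, 500.0),
]

# Constructed strata for the stratified model: (stratum size, audited sample values).
# High-value invoices are sampled separately from the many low-value ones.
STRATA = [
    (100, [2000.0, 1900.0, 2100.0]),          # 100 high-value invoices
    (900, [300.0, 340.0, 320.0, 320.0]),      # 900 low-value invoices
]


def unstratified_mean_per_unit(sample, population_size):
    """Unstratified mean per unit: project the sample's mean audited value
    onto the whole population to estimate the audited total."""
    audited_values = [audited for _, audited in sample]
    return mean(audited_values) * population_size


def stratified_mean_per_unit(strata):
    """Stratified mean per unit: estimate each stratum's total from its own
    sample mean, then add the strata together."""
    return sum(size * mean(values) for size, values in strata)


def difference_estimation(sample, population_size, book_total):
    """Difference estimation: project the mean (audited - book) difference in
    the sample onto the population.  Returns (projected total difference,
    estimated audited total)."""
    differences = [audited - book for book, audited in sample]
    projected_difference = mean(differences) * population_size
    return projected_difference, book_total + projected_difference


def balance_acceptable(projected_difference, tolerable_misstatement):
    """Substantive-test conclusion: the recorded balance is accepted when the
    projected misstatement stays within the tolerable amount.  This is a point
    estimate only; the precision around it depends on the sample's variability
    and the confidence coefficient chosen, which this example does not compute."""
    return abs(projected_difference) <= tolerable_misstatement


if __name__ == "__main__":
    print("Unstratified MPU estimate:", unstratified_mean_per_unit(SAMPLE, POPULATION_SIZE))
    print("Stratified MPU estimate:  ", stratified_mean_per_unit(STRATA))
    diff, audited_total = difference_estimation(SAMPLE, POPULATION_SIZE, BOOK_TOTAL)
    print("Projected misstatement:   ", diff, "-> audited total", audited_total)
    print("Balance acceptable:       ", balance_acceptable(diff, TOLERABLE_MISSTATEMENT))
```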
   c. Important statistical terms:
      • Confidence coefficient (CC) – a percentage expression of the probability that the characteristics of the sample are a true representation of the population. The stronger the internal controls, the lower the confidence coefficient
      • Level of risk – equal to one minus the confidence coefficient [if the confidence coefficient is 95%, the level of risk is 100 − 95 = 5%]
      • Expected error rate (ERR) – an estimate, stated as a percentage, of the error that may exist. The greater the ERR, the greater the sample size

Point to remember: The IS auditor should be familiar with the different types of sampling techniques and when it is appropriate to use each of them.

11. Control Self-assessment (CSA):
   a. What is CSA?
   ➢ An assessment of controls made by the staff and management of the unit or units involved
   ➢ A management technique that assures stakeholders, customers and other parties that the internal control system of the organization is reliable
   ➢ Ensures that employees are aware of the risk to the business and conduct periodic, proactive reviews of controls
   b. Objectives of CSA
   ➢ To leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas
   ➢ Not intended to replace audit's responsibilities but to enhance them
   c. Benefits of CSA
   ➢ Early detection of risk
   ➢ More effective and improved internal controls
   ➢ Developing a sense of ownership of the controls in the employees and process owners, and reducing their resistance to control improvement initiatives
   ➢ Increased communication between operational and top management
   ➢ Highly motivated employees
   d. Disadvantages of CSA
   ➢ Mistaken as a replacement for the audit function
   ➢ Considered an additional workload
   ➢ Failure to act on improvement suggestions could damage employee morale
   ➢ Lack of motivation may limit effectiveness in the detection of weak controls
   e. Auditor's role in CSA
   ➢ The auditor's role in CSAs should be considered enhanced when audit departments establish a CSA program
   ➢ Auditors become internal control professionals and assessment facilitators
CISA DOMAIN 2 – GOVERNANCE AND MANAGEMENT OF IT

This article covers –
• Overall understanding of the domain
• Important concepts to focus on from exam point of view

The article is split into 5 parts as below:
• Part 1 – Corporate Governance, Governance of Enterprise IT (GEIT), Auditor's role in GEIT
• Part 2 – IT Balanced Scorecard (BSC), IT Governing Committees (IT Strategy and Steering committees), Maturity and process improvement models
• Part 3 – Risk Management, Human Resource Management, Sourcing Practices
• Part 4 – Information Security – Roles and Responsibilities, Business Continuity Planning (BCP), Business Impact Analysis (BIA)
• Part 5 – Classification of Systems and criticality analysis, Components of Business Continuity Planning (BCP), Plan Testing

PART 1 – CISA Domain 2 – Governance and Management of IT
» Overall understanding of the domain
» What is Corporate Governance?
» What is Governance of Enterprise IT (GEIT)?
» What is the role of the auditor in GEIT?

Overall understanding of the domain:
• Weightage – This domain constitutes 16 percent of the CISA exam (approximately 24 questions)
• Covers 17 knowledge statements covering the process of auditing information systems
   1. Knowledge of the purpose of IT strategy, policies, standards and procedures for an organization and the essential elements of each
   2. Knowledge of IT governance, management, security and control frameworks and related standards, guidelines and practices
   3. Knowledge of organizational structure, roles and responsibilities related to IT, including segregation of duties (SoD)
   4. Knowledge of relevant laws, regulations and industry standards affecting the organization
©Aswini Srinath
   5. Knowledge of the organization's technology direction and IT architecture and their implications for setting long-term strategic directions
   6. Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures
   7. Knowledge of the use of capability and maturity models
   8. Knowledge of process optimization techniques
   9. Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, personnel management)
   10. Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes, including third-party outsourcing relationships
   11. Knowledge of enterprise risk management (ERM)
   12. Knowledge of practices for monitoring and reporting of controls performance (e.g., continuous monitoring, quality assurance [QA])
   13. Knowledge of quality management and quality assurance (QA) systems
   14. Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards [BSCs], key performance indicators [KPIs])
   15. Knowledge of business impact analysis (BIA)
   16. Knowledge of the standards and procedures for the development, maintenance and testing of the business continuity plan (BCP)
   17. Knowledge of procedures used to invoke and execute the business continuity plan and return to normal operations

Important concepts from exam point of view:

1. Corporate Governance:
➢ A system by which an entity is controlled and directed
➢ A set of responsibilities and practices of those who provide strategic direction, thereby ensuring that
   • Goals are achievable,
   • Risks are properly addressed and
   • Organizational resources are properly utilized
➢ Involves a set of relationships between a company's management, its board, its shareholders and other stakeholders
2. Governance of Enterprise IT (GEIT):
➢ GEIT is one of the domains of corporate governance
➢ GEIT is a system in which all stakeholders, including the board, senior management, internal customers and departments such as finance, provide input into the decision-making process
➢ GEIT is the responsibility of the board of directors and executive management
➢ The purposes of GEIT are:
   a. To direct IT endeavors to ensure that IT performance meets the objectives of aligning IT with the enterprise's objectives and the realization of promised benefits
   b. To enable the enterprise by exploiting opportunities and maximizing benefits
   c. To ensure IT resources are used responsibly and IT-related risk is managed appropriately
➢ The key element of GEIT is the alignment of business and IT, leading to the achievement of business value
➢ Examples of GEIT frameworks include the following:
   ✓ COBIT 5, developed by ISACA, which includes five principles, five domains, 37 processes and 210 practices
   ✓ The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 (ISO 27001) – provides guidance to organizations implementing and maintaining information security programs
   ✓ The Information Technology Infrastructure Library (ITIL), developed by the UK Office of Government Commerce (OGC)
   ✓ ISO/IEC 38500:2008 – Corporate governance of information technology
   ✓ ISO/IEC 20000 – a specification for service management that is aligned with ITIL's service management framework

Points to remember:
➢ To have effective IT governance, the IT plan should be consistent with the overall business plan
➢ To improve information security alignment with the business, the best practice is to involve top management to mediate between the business and information systems
3. Auditor's Role in Governance of Enterprise IT (GEIT):
➢ To provide leading-practice recommendations to senior management to help improve the quality and effectiveness of the IT governance initiatives implemented
➢ To help ensure compliance with GEIT initiatives implemented within an organization
➢ Continuous monitoring, analysis and evaluation of metrics associated with GEIT initiatives require an independent and balanced view to ensure a qualitative assessment that subsequently facilitates the qualitative improvement of IT processes and associated GEIT initiatives
➢ To check the alignment of the IT function with the organization's mission, vision, values, objectives and strategies
➢ To ensure compliance with legal, environmental, information quality, fiduciary, security and privacy requirements

Points to remember:
➢ Though ISACA does not test on ISO numbers, it is good to know the ISO numbers and standards and their scope/description, to understand the subject better
   • ISO 27001 (BS7799) – ISO standard for information security management systems (ISMS) (Requirements – 0 to 10; Controls – 114; Control objectives – 35; Domains – 14)
   • ISO 38500 – Information technology – Security techniques – Code of practice for information security controls
   • ISO 20000 – ISO standard for information technology service management (ITSM) systems. The standard was developed to mirror the best practices described in ITIL
➢ Relationship between COBIT and ITIL – COBIT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them
PART 2 – CISA Domain 2 – Governance and Management of IT
» What is the IT Balanced Scorecard (BSC)?
» What are the roles and responsibilities of the IT Governing Committees (IT Strategy and Steering committees)?
» What are the Maturity and process improvement models?

4. IT Balanced Scorecard (BSC):
➢ The BSC is a process management evaluation technique that can be applied to the GEIT process in assessing IT functions and processes
➢ The BSC is the most effective means to aid the IT strategy committee and management in achieving IT governance through proper IT and business alignment

Points to remember:
➢ The purpose of the IT Balanced Scorecard is to evaluate and monitor performance indicators – customer satisfaction, internal processes, innovation capacity, etc.
➢ The IT BSC does not measure the financial performance of the enterprise

5. IT Governing committees:
➢ Organizations broadly have two committees:
   1. IT Strategy committee
   2. IT Steering committee
➢ There should be a clear understanding of both the IT strategy and the IT steering committee
➢ Role of the IT strategy committee:
   • Advises the board and management on IT strategy
   • Is delegated by the board to provide input to the strategy and prepare its approval
   • Focuses on current and future strategic IT issues
   • Provides insight and advice to the board on topics such as:
      ✓ The alignment of IT with the business direction
      ✓ The availability of suitable IT resources, skills and infrastructure to meet the strategic objectives
      ✓ The achievement of strategic IT objectives
➢ Membership of the IT Strategy committee:
   • Board members, and
   • Specialist non-board members
➢ Role of the IT Steering committee:
   • Assists the executive in the delivery of the IT strategy
   • Oversees day-to-day management of IT service delivery and IT projects
   • Focuses on implementation
   • Decides the overall level of IT spending and how costs will be allocated
   • Approves project plans and budgets, setting priorities and milestones
   • Communicates strategic goals to project teams
   • Monitors resource and priority conflicts between enterprise divisions and the IT function, as well as between projects
   • Reports to the board of directors on IS activities
   • Makes decisions regarding centralization versus decentralization and assignment of responsibility
➢ Membership of the IT Steering committee:
   • Sponsoring executive
   • Business executives (key users)
   • Chief information officer (CIO)
   • Key advisors as required (IT, audit, legal, finance)

Points to remember: The enterprise's risk appetite is best established by the IT Steering committee.
6. Maturity and Process Improvement Models:
➢ Implementation of IT governance requires ongoing performance measurement of an organization's resources that contribute to the execution of the processes that deliver IT services to the business
➢ Some of the process improvement models are:
   • The IDEAL model – a software process improvement (SPI) program model for planning and implementing an effective software process improvement program; it consists of five phases: 1. Initiating, 2. Diagnosing, 3. Establishing, 4. Acting and 5. Learning
   • The COBIT Process Assessment Model (PAM), using COBIT 5
   • Capability Maturity Model Integration (CMMI) – a process improvement approach that provides enterprises with the essential elements of effective processes. It is based on the ISO/IEC 15504 Information Technology – Process Assessment standard. CMMI has five maturity levels:
      ✓ Level 1 – Initial – the riskiest stage an organization can find itself in: an unpredictable environment that increases risk and inefficiency
      ✓ Level 2 – Managed – projects are planned and performed; however, there are a lot of issues to be addressed
      ✓ Level 3 – Defined – organizations are proactive at this level, rather than reactive. Processes are tailored for the organization. The organization is aware of its shortcomings, knows how to address them and plans for improvement
      ✓ Level 4 – Quantitatively managed – this level is more measured and controlled. The organization is ahead of risks, with more data-driven insight into process deficiencies
      ✓ Level 5 – Optimised – at this stage the processes are stable and flexible. The organization is in a constant state of improving and responding to changes or other opportunities
PART 3 – CISA Domain 2 – Governance and Management of IT
» What is Risk Management?
» What are the steps involved in the Risk Management process?
» What is Human Resource Management?
» What are the Sourcing Practices?

7. Risk Management:
➢ The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures to take to reduce risk to an acceptable level
➢ Encompasses identifying, analyzing, evaluating, treating, monitoring and communicating the impact of risk on IT processes
➢ The board may choose to treat the risk in any of the following ways:
   1. Avoid – eliminate the risk by eliminating the cause
   2. Mitigate – lessen the probability or impact of the risk by defining, implementing and monitoring appropriate controls
   3. Share/Transfer (deflect, or allocate) – share risk with partners or transfer it via insurance coverage, contractual agreement or other means
   4. Accept – formally acknowledge the existence of the risk and monitor it

Points to remember: The best way to assess IT risks is to evaluate the threats associated with existing IT assets and IT projects.

➢ The steps of the risk management process involve:
   • Step 1 – Asset identification – examples: information, data, software, hardware, documents, personnel
   • Step 2 – Evaluation of threats and vulnerabilities:
      a. Threat – a person or event that has the potential to impact a valuable resource in a negative manner. Common classes of threats are:
         ✓ Errors
         ✓ Malicious damage/attack
         ✓ Fraud
         ✓ Theft
         ✓ Equipment/software failure
      b. Vulnerability – a weakness in a system. Vulnerabilities make threat outcomes possible and potentially even more dangerous. Examples are:
         ✓ Lack of user knowledge
         ✓ Lack of security functionality
         ✓ Inadequate user awareness/education (e.g., poor choice of passwords)
         ✓ Untested technology
         ✓ Transmission of unprotected communications
   • Step 3 – Evaluation of the impact – the result of a threat agent exploiting a vulnerability is called an impact
      ✓ In commercial organizations, threats usually result in
         a. a direct financial loss in the short term, or
         b. an ultimate (indirect) financial loss in the long term
      ✓ Examples of such losses include:
         • Direct loss of money (cash or credit)
         • Breach of legislation (e.g., unauthorized disclosure)
         • Loss of reputation/goodwill
         • Endangering of staff or customers
         • Breach of confidence
         • Loss of business opportunity
         • Reduction in operational efficiency/performance
         • Interruption of business activity
   • Step 4 – Calculation of risk – a common method of combining the elements is to calculate, for each threat: probability of occurrence × magnitude of impact. This gives a measure of overall risk.
   • Step 5 – Evaluation of and response to risk
      ✓ After risk has been identified, existing controls can be evaluated or new controls designed to reduce the vulnerabilities to an acceptable level
      ✓ These controls are referred to as countermeasures or safeguards and include actions, devices, procedures or techniques
      ✓ Residual risk, the remaining level of risk after controls have been applied, can be used by management to further reduce risk by identifying those areas in which more control is required

8. Human Resource Management:
   • In the hiring process, the first step before hiring a candidate is background checks (e.g., criminal, financial, professional, references, qualifications)
   • A required vacation (holiday) ensures that at least once a year someone other than the regular employee will perform a job function. This reduces the opportunity to commit improper or illegal acts. During this time it may be possible to discover fraudulent activity, as long as there has been no collusion between employees to cover possible discrepancies (mandatory leave is a control measure)
   • Job rotation provides an additional control (to reduce the risk of fraudulent or malicious acts) because the same individual does not perform the same tasks all the time. This provides an opportunity for an individual other than the regularly assigned person to perform the job and notice possible irregularities
   • Termination policies should be structured to provide adequate protection for the organization's computer assets and data. The following control procedures should be applied:
      ✓ Return of all devices, access keys, ID cards and badges
      ✓ Deletion/revocation of assigned logon IDs and passwords
      ✓ Notification to appropriate staff and security personnel regarding the employee's status change to "terminated"
      ✓ Arrangement of the final pay routines
      ✓ Performance of a termination interview
Points to remember:
➢ The CISA candidate should be aware of the above process, from hiring to termination. ISACA tests knowledge at each step – on what the enterprise should and should not do
➢ Employees should be aware of the enterprise IS policy. If not, the lack of knowledge could lead to unintentional disclosure of sensitive information
➢ When an employee is terminated, the immediate action/most important action/first step that the enterprise should take is to disable the employee's logical access and communicate the termination of the employee

9. Sourcing Practices:
   ✓ Delivery of IT functions can be:
      • Insourced – fully performed by the organization's staff
      • Outsourced – fully performed by the vendor's staff
      • Hybrid – performed by a mix of the organization's and the vendor's staff; can include joint ventures/supplemental staff
   ✓ IT functions can be performed across the globe, taking advantage of time zones and arbitraging labor rates, and can be:
      • Onsite – staff work onsite in the IT department
      • Offsite – also known as nearshore; staff work at a remote location in the same geographic
      • Offshore – staff work at a remote location in a different geographic region
   ✓ Objective of outsourcing – to achieve lasting, meaningful improvement in business processes and services through corporate restructuring to take advantage of a vendor's core competencies
   ✓ Management should consider the following areas when moving IT functions offsite or offshore:
      • Legal, regulatory and tax issues
      • Continuity of operations
      • Personnel
      • Telecommunication issues
      • Cross-border and cross-cultural issues

Points to remember:
➢ The most important function of IS management in outsourcing practices is monitoring the outsourcing provider's performance
➢ The enterprise cannot outsource accountability for the IT security policy. Accountability always lies with senior management/the board of directors
➢ When the outsourcing service is provided in another country, the major concern for the IS auditor is that the legal jurisdiction can be questioned
➢ The clause in an outsourcing contract that can help improve service levels and minimize costs is gain-sharing performance bonuses

PART 4 – CISA Domain 2 – Governance and Management of IT
» What are the various Information Security roles and their responsibilities?
» What is Business Continuity Planning (BCP)?
» What is Business Impact Analysis (BIA)?

10. Information Security – Roles and Responsibilities:
   a. Systems development manager – responsible for programmers and analysts who implement new systems and maintain existing systems
   b. Project management – responsible for planning and executing IS projects; may report to a project management office or to the development organization
   c. Help desk (service desk) – responds to technical questions and problems faced by users
    CISA DOMAIN 2– GOVERNANCE AND MANAGEMENT OF IT 13 | P a g e Role Responsibilities d. Quality assurance (QA) manager Responsible for negotiating and facilitating quality activities in all areas of information technology. e. Information security management Separate IT department, headed by a CISO. The CISO may report to the CIO or have a dotted-line (indirect reporting) relationship to the CIO f. Systems administrator Responsible for maintaining major multiuser computer systems, including LAN, WLANs, WANs, etc. g. Database Administration Maintains the data structures in the corporate database system 11. Business Continuity Planning (BCP): ✓ The purpose of business continuity/disaster recovery is to enable a business to continue offering critical services in the event of a disruption and to survive a disastrous interruption to activities. ✓ The first step in preparing a BCP is to identify the business processes of strategic importance—those key processes that are responsible for both the permanent growth of the business and for the fulfillment of the business goals ✓ Based on the key processes, the risk management process should begin with a risk assessment ✓ The result of the risk assessment should be the identification of the following: a. The human resources, data, infrastructure elements and other resources (including those provided by third parties) that support the key processes b. A list of potential vulnerabilities—the dangers or threats to the organization c. The estimated probability of the occurrence of these threats d. The efficiency and effectiveness of existing risk mitigation controls (risk countermeasures) ✓ BCP is primarily the responsibility of senior management ✓ ISO for BCP – ISO 22301 ©Aswini Srinath
✓ The IT business continuity plan should be aligned with the strategy of the organization. If the IT plan is a separate plan, it must be consistent with and support the corporate BCP.
✓ Business Continuity policy:
   • Is a document approved by top management that defines the extent and scope of the business continuity effort (a project or an ongoing program) within the organization
   • Should be proactive
   • Is a most critical corrective control
   • The business continuity policy serves several other purposes:
      ▪ Its internal portion is a message to internal stakeholders (i.e., employees, management, board of directors) that the company is undertaking the effort, committing its resources and expecting the rest of the organization to do the same.
      ▪ Its public portion is a message to external stakeholders (shareholders, regulators, authorities, etc.) that the organization is treating its obligations (e.g., service delivery, compliance) seriously.
✓ Business Continuity Planning (BCP) Incident Management:
   • An incident is
      ▪ any unexpected event, even if it causes no significant damage
      ▪ dynamic in nature
   • Depending on an estimation of the level of damage to the organization, all types of incidents should be categorized. A classification system could include the following categories:
      ▪ Negligible – incidents causing no perceptible or significant damage
      ▪ Minor – events that, while not negligible, produce no negative material (of relative importance) or financial impact
      ▪ Major – incidents that cause a negative material impact on business processes and may affect other systems, departments or even outside clients
      ▪ Crisis – a major incident that can have serious material (of relative importance) impact on the continued functioning of the business and may also adversely impact other systems or third parties
12. Business Impact Analysis (BIA):
✓ A critical step in developing the business continuity strategy and the subsequent implementation of the risk countermeasures and the BCP in particular
✓ Used to evaluate the critical processes (and the IT components supporting them) and to determine time frames, priorities, resources and interdependencies
✓ Different approaches for performing a BIA:
   • Detailed questionnaire
   • Interview groups of key users
   • Bring relevant IT personnel and end users (i.e., those owning the critical processes) together in a room to come to a conclusion regarding the potential business impact of various levels of disruptions

PART 5 – CISA Domain 2 – Governance and Management of IT
» What is the classification of systems and their criticality analysis?
» What are the components of Business Continuity Planning (BCP)?
» What is plan testing?

13. Classification of systems and criticality analysis:
✓ Critical – These functions cannot be performed unless they are replaced by identical capabilities
✓ Vital – These functions can be performed manually, but only for a brief period of time (usually five days or less)
✓ Sensitive – These functions can be performed manually, at a tolerable cost and for an extended period of time. While they can be performed manually, it usually is a difficult process and requires additional staff to perform.
✓ Non-sensitive – These functions may be interrupted for an extended period of time, at little or no cost to the company, and require little or no catching up when restored

14. Components of Business Continuity Planning (BCP):
✓ Business Continuity Planning (BCP) – Provides procedures for sustaining mission/business operations while recovering from a significant disruption
✓ Continuity of Operations Plan (COOP) – Provides procedures and guidance to sustain an organization's Mission Essential Functions (MEFs) at an alternate site for up to 30 days
✓ Business resumption plan – Provides procedures for relocating information systems operations to an alternate location
✓ Continuity of support plan / IT contingency plan
✓ Crisis communications plan
✓ Incident response plan
✓ Transportation plan
✓ Occupant emergency plan (OEP)
✓ Evacuation and emergency relocation plan

Points to remember:
➢ The first resource to be protected when designing continuity plan provisions and processes – human resources/people
➢ The first step in the business continuity life cycle is BCP scope, followed by risk assessment
➢ The insurance that covers loss incurred from dishonest or fraudulent acts by employees – fidelity coverage
➢ The authority to make a disaster declaration lies with the Business Continuity Coordinator or the backup personnel identified in the succession plan
➢ The primary responsibility for establishing organization-wide contingency plans lies with the Board of Directors
15. Plan Testing:
✓ Should be scheduled during a time that will minimize disruptions to normal operations
✓ Key recovery team members should be involved in the test process and allotted the necessary time to put their full effort into it
✓ Should address all critical components and simulate actual prime-time processing conditions, even if the test is conducted in off hours
✓ Plan execution: pre-test, test, post-test
✓ Types of tests:
   • Desk-based evaluation/paper test – A paper walk-through of the plan, involving the major players in the plan's execution, who reason out what might happen in a particular type of service disruption
   • Preparedness test – Usually a localized version of a full test, wherein actual resources are expended in the simulation of a system crash
   • Full operational test – One step away from an actual service disruption. The organization should have tested the plan well on paper and locally before endeavoring to completely shut down operations.
CISA DOMAIN 3 – INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND IMPLEMENTATION

This article covers –
• Overall understanding of the domain
• Important concepts to focus on from exam point of view
The article is split into 9 parts as below:
• Part 1 – Overall understanding, Benefits realization and its techniques, Portfolio management and business case
• Part 2 – Project management structure, Project organizational forms, OBS, WBS
• Part 3 – Project management practices, Software size estimation, Traditional SDLC approach
• Part 4 – Various testing classifications, Various changeover techniques
• Part 5 – Certification & Accreditation, AI and expert systems, Agile development, Software re-engineering and Reverse engineering
• Part 6 – Benchmarking process, Capability Maturity Model Integration (CMMI), Process procedures and controls
• Part 7 – Various types of data edits and controls
• Part 8 – Data integrity testing and its types, Four online data integrity requirements – ACID principle
• Part 9 – Various types of online audit techniques

PART 1 – CISA Domain 3 – Information Systems Acquisition, Development and Implementation
» Overall understanding of Domain 3
» What is benefits realization?
» What is portfolio management?
» What is business case development and approval?
» What are the benefits realization techniques?
Overall understanding of the domain:
• Weightage – This domain constitutes 18 percent of the CISA exam (approximately 27 questions)
• Covers 14 knowledge statements covering the process of auditing information systems
   1. Knowledge of benefits realization practices (e.g., feasibility studies, business cases, total cost of ownership [TCO], return on investment [ROI])
   2. Knowledge of IT acquisition and vendor management practices (e.g., evaluation and selection process, contract management, vendor risk and relationship management, escrow, software licensing), including third-party outsourcing relationships, IT suppliers and service providers
   3. Knowledge of project governance mechanisms (e.g., steering committee, project oversight board, project management office)
   4. Knowledge of project management control frameworks, practices and tools
   5. Knowledge of risk management practices applied to projects
   6. Knowledge of requirements analysis and management practices (e.g., requirements verification, traceability, gap analysis, vulnerability management, security requirements)
   7. Knowledge of enterprise architecture related to data, applications and technology (e.g., web-based applications, web services, n-tier applications, cloud services, virtualization)
   8. Knowledge of system development methodologies and tools, including their strengths and weaknesses (e.g., agile development practices, prototyping, rapid application development [RAD], object-oriented design techniques, secure coding practices, system version control)
   9. Knowledge of control objectives and techniques that ensure the completeness, accuracy, validity and authorization of transactions and data
   10. Knowledge of testing methodologies and practices related to the information system development life cycle (SDLC)
   11. Knowledge of configuration and release management relating to the development of information systems
   12. Knowledge of system migration and infrastructure deployment practices and data conversion tools, techniques and procedures
   13. Knowledge of project success criteria and project risk
   14. Knowledge of post-implementation review objectives and practices (e.g., project closure, control implementation, benefits realization, performance measurement)
Important concepts from exam point of view:
1. Benefits realization:
   The objectives of benefits realization are:
   » to ensure that IT and the business fulfill their value management responsibilities
   » IT-enabled business investments achieve the promised benefits and deliver measurable business value
   » required capabilities (solutions and services) are delivered on time and within budget
2. Portfolio/Program Management:
   The objectives of project portfolio management are:
   » Optimization of the results of the project portfolio (not of the individual projects)
   » Prioritizing and scheduling projects
   » Resource coordination (internal and external)
   » Knowledge transfer throughout the projects
3. Business case development and approval:
   » A business case provides the information required for an organization to decide whether a project should proceed
   » A business case is the first step in a project, or a precursor to the commencement of the project
   » The business case should also be a key element of the decision process throughout the life cycle of any project
   » The initial business case would normally derive from a feasibility study undertaken as part of project initiation/planning
   » The feasibility study will normally include the following six elements:
      I. Project scope – Defines the business problem and/or opportunity to be addressed
      II. Current analysis – Defines and establishes an understanding of a system or software product. At this point in the process, the strengths and weaknesses of the current system or software product are identified.
      III. Requirements – Defined based upon stakeholder needs and constraints
      IV. Approach – The recommended system and/or software solution to satisfy the requirements
      V. Evaluation – Based upon the previously completed elements within the feasibility study. The final report addresses the cost-effectiveness of the approach selected.
      VI. Review – A formal review of the feasibility study report is conducted with all stakeholders
4. Benefits realization techniques:
   » COBIT 5 provides the industry-accepted framework under which IT governance goals and objectives are derived from stakeholder drivers, with the intent of enterprise IT generating business value from IT-enabled investments
   » COBIT 5 is based on 5 principles and 7 enablers
   5 Principles:
      1. Meeting stakeholder needs
      2. End-to-end coverage
      3. Holistic approach
      4. Integrated framework
      5. Separate governance from management
   7 Enablers:
      1. Principles, Policies and Frameworks
      2. Processes
      3. Organizational Structures
      4. Culture, Ethics and Behaviour
      5. Information
      6. Services, Infrastructure and Applications
      7. People, Skills and Competencies

PART 2 – CISA Domain 3 – Information Systems Acquisition, Development and Implementation
» What is project management structure?
» What are the project organizational forms?
» What is project communication and culture?
» What are the project objectives?
» What is OBS and WBS?

4. Project Management structure:
   » Project management is a business process in a project-oriented organization
   » Some of the most prominent standards and organizations – PRINCE2™
   » The project management process begins with the project charter and ends with the completion of the project
   » The project charter provides a preliminary delineation of roles and responsibilities, outlines the project objectives, identifies the main stakeholders, and defines the authority of the project manager
5. Project Organizational forms:
   » The three major forms of organizational alignment for project management are:
   ✓ Influence project organization –
      • The project manager has only a staff function without formal management authority
      • The project manager is only allowed to advise peers and team members as to which activities should be completed
   ✓ Pure project organization –
      • The project manager has formal authority over those taking part in the project
      • A special working area is provided for the project team that is separated from their normal office space
   ✓ Matrix project organization –
      • Management authority is shared between the project manager and the department heads
6. Project communication and culture:
   » Project communication can be achieved by:
   ✓ One-on-one meetings – One-on-one meetings and a project start workshop help to facilitate two-way communication between the project team members and the project manager
   ✓ Kick-off meetings – A kick-off meeting may be used by the project manager to inform the team of what has to be done for the project
   ✓ Project start workshops – A project start workshop is used to keep communication open and clear among the project team, to obtain cooperation from all team members and buy-in from stakeholders. This helps develop a common overview of the project and communicates the project culture early in the project.
   ✓ A combination of the three
   » A project culture is comprised of the shared norms, beliefs, values and assumptions of the project team
   » A key success factor for establishing the correct project culture is defining and adapting the unique characteristics of a project
7. Project objectives:
   » Project objectives are the specific action statements that support the road map to obtain established project goals
   » A project needs clearly defined results that are specific, measurable, attainable, realistic and timely (SMART)
   » These objectives are broken down into three:
   ✓ Main objectives are the primary reason for the project and will always be directly coupled with business success
   ✓ Additional objectives are objectives that are not directly related to the main results of the project but may contribute to project success
   ✓ Non-objectives are the results that are not to be expected on completion of the project
   » A commonly accepted approach to define project objectives is to start off with an object breakdown structure (OBS)
   » After the OBS has been compiled or a solution is defined, a work breakdown structure (WBS) is designed to structure all the tasks that are necessary to build up the elements of the OBS during the project
8. OBS – Object Breakdown Structure:
   » It represents the individual components of the solution and their relationships to each other in a hierarchical manner, either graphically or in a table
   » An OBS can help, especially when dealing with nontangible project results such as organizational development, to ensure that a material deliverable is not overlooked
9. WBS – Work Breakdown Structure:
   » The WBS is designed to structure all the tasks that are necessary to build up the elements of the OBS during the project
   » The WBS represents the project in terms of manageable and controllable units of work, serves as a central communications tool in the project, and forms the baseline for cost and resource planning

PART 3 – CISA Domain 3 – Information Systems Acquisition, Development and Implementation
» What are the roles and responsibilities of each individual in the IS environment?
» What are project management practices?
» What are the methods of software size estimation? (1) SLOC and (2) FPA
» How to measure the project time frame? (1) Gantt charts, (2) CPM and (3) PERT
» What is the traditional SDLC approach?
» What are the various approaches to test plans? (1) Bottom-up and (2) Top-down

10. Roles and Responsibilities:
   » Senior management – Demonstrates commitment to the project and approves the resources
   » User management – Assumes ownership of the project and resulting systems, allocates qualified resources, and actively participates in business process redesign, system requirement definitions, test case development, acceptance testing and user training
   » Project steering committee – Provides overall direction and is also responsible for all deliverables, project cost and schedules
   » Project sponsor – Provides funding for the project
   » Systems development management – Provides technical support for the hardware and software environment by developing, installing and operating the requested system
   » User project team – Completes assigned tasks and communicates effectively with users by actively involving them in the development process as subject matter experts
   » Security officer – Ensures that system controls and supporting processes provide an effective level of protection based on data classifications
   » Quality assurance – Reviews results and deliverables within each phase and at the end of each phase, and confirms compliance with requirements
   » Project manager – Day-to-day management and leadership of the project
   » Systems development project team – Completes assigned tasks and communicates effectively with users by actively involving them in the development process

Points to remember:
➢ The CISA candidate should be familiar with the general roles and responsibilities of groups or individuals involved in the systems development process.

11. Project Management practices:
   » Project management is the application of knowledge, skills, tools and techniques to a broad range of activities to achieve a stated objective such as meeting the defined user requirements, budget and deadlines for an IS project
   » Project management knowledge and practices are best described in terms of their component processes of (a) initiating, (b) planning, (c) executing and controlling and (d) closing a project
   » Initiation of the project
      • Initiated by the project manager or sponsor
      • Often compiled into terms of reference or a project charter that states the objective of the project, the stakeholders in the system to be produced, and the project manager and sponsor
      • Approval of a project initiation document (PID) or a project request document (PRD) is the authorization for a project to begin
   » Project planning
      • The project manager should determine the following as part of project planning:
      ✓ Project scope
      ✓ The various tasks that need to be performed to produce the expected business application system
      ✓ The sequence or order in which these tasks need to be performed
      ✓ The duration or time window for each task
      ✓ The priority of each task
      ✓ The IT resources that are available and required to perform these tasks
      ✓ Budget or costing for each of these tasks
      ✓ Source and means of funding
   • System development project cost estimation – The following are the four methods of determining the cost of a system development project:
      1. Analogous estimating
      2. Parametric estimating
      3. Bottom-up estimating
      4. Actual costs
   • Software size estimation
      ✓ Relates to methods of determining the relative physical size of the application software to be developed
      ✓ Can be used as a guide for the allocation of resources, estimates of the time and cost required for its development, and as a comparison of the total effort required against the resources available
      ✓ Methods of software sizing
         • Source lines of code (SLOC) –
            o The traditional and simplest method, measuring size by counting the number of lines of source code; a size measured in thousands of SLOC is referred to as kilo lines of code (KLOC)
         • Function Point Analysis (FPA) –
            o Indirect measurement of software size
            o Based on the number and complexity of inputs, outputs, files, interfaces and queries
            o A multiple-point technique widely used for estimating complexity in developing large business applications
            o Five function types – user inputs, user outputs, user inquiries, files and external interfaces

Points to remember:
➢ The CISA candidate should be familiar with the concepts of SLOC and FPA and should be able to differentiate between the two. CISA questions will be based on a scenario where the candidate should be able to justify the method of software estimation.
➢ A reliable technique for estimating the scope and cost of a software development project – Function Point Analysis (FPA)

   • Scheduling and establishing the time frame
      o While budgeting involves totaling the human and machine effort involved in each task, scheduling involves establishing the sequential relationship among tasks
      o The schedule can be graphically represented using various techniques such as (a) Gantt charts, (b) Critical Path Methodology (CPM) or (c) Program Evaluation Review Technique (PERT) diagrams
      o Gantt charts:
         a. Constructed to aid in scheduling the activities (tasks) needed to complete a project
         b. The charts show when an activity should begin and when it should end along a timeline
         c. Gantt charts can also reflect the resources assigned to each task and by what percent allocation
         d. Gantt charts can also be used to track the achievement of milestones or significant accomplishments for the project, such as the end of a project phase or completion of a key deliverable
      o Critical Path Methodology (CPM):
         a. The critical path is the sequence of activities whose sum of activity times is longer than that for any other path through the network
         b. Critical paths are important because, if everything goes according to schedule, their duration gives the shortest possible completion time for the overall project
         c. Activities that are not on the critical path have slack time
         d. Slack time – The amount of time a task can be delayed without causing another task to be delayed or impacting the completion date of the overall project
         e. Activities on a critical path have zero slack time, and conversely, activities with zero slack time are on a critical path
      o Program Evaluation Review Technique (PERT):
         a. A CPM-type technique which uses three different estimates of each activity duration in lieu of a single number for each activity duration:
            1. First – the most optimistic estimate (if everything went well)
            2. Second – the most likely scenario
            3. Third – the most pessimistic or worst-case scenario
         b. The three estimates are then reduced (applying a mathematical formula) to a single number, and then the classic CPM algorithm is applied

Points to remember:
➢ A project evaluation technique that considers different scenarios for planning and controlling projects – Program Evaluation Review Technique (PERT)

   » Project executing and controlling:
      • The controlling activities of the project include:
         1. Management of scope changes
         2. Management of resource usage
         3. Management of risk
            o The risk management process consists of five steps:
               1. Identify risk
               2. Assess and evaluate risk
               3. Manage risk
               4. Monitor risk
               5. Evaluate the risk management process
   » Closing a project:
      • A project should have a finite life, so at some point it is closed and the new or modified system is handed over to the users
      • When closing a project, there may still be some issues that need to be resolved, ownership of which needs to be assigned
      • The project sponsor should be satisfied that the system produced is acceptable and ready for delivery
12. Traditional SDLC approach:
   • Also referred to as the waterfall technique
   • Traditional system development life cycle approach:
      o Phase 1 – Feasibility study:
         1. Includes development of a business case, which determines the strategic benefits of implementing the system, either in productivity gains or in future cost avoidance
         2. Intangible factors such as the readiness of the business users and the maturity of the business processes will also be considered and assessed
         3. This business case provides the justification for proceeding to the next phase
      o Phase 2 – Requirements definition – Define the problem or need that requires resolution and define the functional and quality requirements of the solution system
      o Phase 3A – Software selection and acquisition (purchased systems) – Based on the requirements defined, prepare a request for proposal outlining the entity's requirements to invite bids from suppliers
      o Phase 3B – Design (in-house development) – Based on the requirements defined, establish a baseline of system and subsystem specifications that describe the parts of the system, how they interface, and how the system will be implemented using the chosen hardware, software and network facilities
      o Phase 4A – Configuration (purchased systems) – Configure the system, if it is a packaged system, to tailor it to the organization's requirements. This is best done through the configuration of system control parameters, rather than changing program code.
      o Phase 4B – Development (in-house development) – Use the design specifications to begin programming and formalizing the supporting operational processes of the system
      o Phase 5 – Final testing and implementation – The system also may go through a certification and accreditation process to assess the effectiveness of the business application in mitigating risk
      o Phase 6 – Post-implementation – Following the successful implementation of a new or extensively modified system, implement a formal process that assesses the adequacy of the system and the projected cost-benefit or ROI measurements vis-à-vis the feasibility stage findings and deviations

Points to remember:
➢ The CISA candidate should be familiar with the phases of the traditional SDLC.
➢ The candidate should be aware of what the IS auditor should look for when reviewing the feasibility study.
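The scheduling material in Part 3 above (CPM critical path, slack time, and PERT three-point estimates) is easier to see on a small activity network than in prose. The following Python is an added worked example written for this page; it is not part of the original study notes and not ISACA material. The activity network is constructed for illustration. The notes say the three PERT estimates are reduced "applying a mathematical formula" without stating it; the standard PERT weighted mean (O + 4M + P) / 6 is assumed here. The code then runs the forward and backward passes of the classic CPM algorithm to obtain earliest/latest start and finish for every activity, the slack of each, and the zero-slack critical path.

```python
"""Added example: PERT three-point estimates reduced to single durations,
then the classic CPM forward/backward pass to find slack and the critical path."""

# Constructed sample network (not from the CISA notes): each activity has
# (optimistic, most likely, pessimistic) duration estimates in days and a list
# of predecessor activities that must finish before it can start.
ACTIVITIES = {
    "A": {"est": (2, 4, 6), "pred": []},
    "B": {"est": (3, 5, 13), "pred": ["A"]},
    "C": {"est": (1, 2, 3), "pred": ["A"]},
    "D": {"est": (4, 6, 8), "pred": ["B"]},
    "E": {"est": (2, 3, 4), "pred": ["C"]},
    "F": {"est": (1, 1, 1), "pred": ["D", "E"]},
}


def pert_duration(optimistic, most_likely, pessimistic):
    """Reduce the three PERT estimates to one expected duration.

    The notes refer to "a mathematical formula" without stating it; the
    standard PERT weighted mean (O + 4M + P) / 6 is assumed here.
    """
    return (optimistic + 4 * most_likely + pessimistic) / 6


def topological_order(activities):
    """Return activity names so that every predecessor precedes its successors."""
    order, seen = [], set()

    def visit(name):
        if name in seen:
            return
        seen.add(name)
        for p in activities[name]["pred"]:
            visit(p)
        order.append(name)

    for name in activities:
        visit(name)
    return order


def critical_path(activities):
    """Classic CPM: forward pass (ES/EF), backward pass (LS/LF), slack = LS - ES.

    Activities with zero slack form the critical path; their total duration is
    the shortest possible completion time for the whole project.
    """
    duration = {n: pert_duration(*a["est"]) for n, a in activities.items()}
    order = topological_order(activities)

    # Forward pass: earliest start is the latest earliest-finish of all predecessors.
    es, ef = {}, {}
    for n in order:
        es[n] = max((ef[p] for p in activities[n]["pred"]), default=0.0)
        ef[n] = es[n] + duration[n]
    project_end = max(ef.values())

    # Backward pass: latest finish is the earliest latest-start of all successors.
    successors = {n: [] for n in activities}
    for n, a in activities.items():
        for p in a["pred"]:
            successors[p].append(n)
    ls, lf = {}, {}
    for n in reversed(order):
        lf[n] = min((ls[s] for s in successors[n]), default=project_end)
        ls[n] = lf[n] - duration[n]

    # Slack: how long a task can slip without delaying the project end date.
    slack = {n: round(ls[n] - es[n], 6) for n in order}
    path = [n for n in order if slack[n] == 0]
    return {
        "duration": duration,
        "es": es, "ef": ef, "ls": ls, "lf": lf,
        "slack": slack,
        "project_end": project_end,
        "critical_path": path,
    }


if __name__ == "__main__":
    result = critical_path(ACTIVITIES)
    print(f"{'act':>3} {'dur':>5} {'ES':>5} {'EF':>5} {'LS':>5} {'LF':>5} {'slack':>6}")
    for n in topological_order(ACTIVITIES):
        print(f"{n:>3} {result['duration'][n]:5.1f} {result['es'][n]:5.1f} "
              f"{result['ef'][n]:5.1f} {result['ls'][n]:5.1f} {result['lf'][n]:5.1f} "
              f"{result['slack'][n]:6.1f}")
    print("project end:", result["project_end"])
    print("critical path:", " -> ".join(result["critical_path"]))
```

On the constructed network the path A, B, D, F has zero slack and fixes the project end at 17 days, while C and E each carry 7 days of slack. This is the relationship the notes state in words: a delay on a zero-slack activity moves the completion date, whereas an activity with slack can slip by up to that amount without affecting it. Because the durations come from the PERT weighted mean rather than a single guess, an auditor reviewing a schedule can see which estimates (here the wide range on B) drive the critical path.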
13. Approaches to test plans:
   • Bottom-up approach:
      o A testing strategy in which the modules at the lower level are tested first, then combined with higher-level modules, until all the modules and aspects of the software are tested properly
      o Benefits of the bottom-up approach:
         - No need for stubs or drivers
         - Can be started before all programs are complete
         - Errors in critical modules are found early
   • Top-down approach:
      o High-level modules are tested first and then low-level modules, finally integrating the low-level modules into the high level to ensure the system is working as intended
      o Benefits of the top-down approach:
         - Tests of major functions and processing are conducted early
         - Interface errors can be detected sooner
         - Confidence is raised in the system because programmers and users actually see a working system

Points to remember:
➢ The type of approach to the development of organizational policies that is often driven by risk assessment – Bottom-up approach
➢ The MOST appropriate method to ensure that internal application interface errors are identified as soon as possible – Top-down approach
PART 4 – CISA Domain 3 – Information Systems Acquisition, Development and Implementation
» What are the various testing classifications?
   • Unit testing
   • Integration/interface testing
   • System testing
   • Final acceptance testing – QAT & UAT
» What are the other types of testing?
   • Alpha and beta testing
   • Pilot testing
   • White box testing
   • Black box testing
   • Functional testing
   • Regression testing
   • Parallel testing
   • Sociability testing
» What are the changeover techniques?
   • Parallel changeover
   • Phased changeover
   • Abrupt changeover

14. Testing classifications:
   • Unit testing:
      o The testing of an individual program or module
      o Unit testing uses a set of test cases that focus on the control structure of the procedural design
      o These tests ensure that the internal operation of the program performs according to specification
   • Interface or integration testing:
      o The tests that verify and validate the functioning of the application under test with other systems, where a set of data is transferred from one system to another
      o A hardware or software test that evaluates the connection of two or more components that pass information from one area to another
      o The objective is to take unit-tested modules and build an integrated structure dictated by design
   • System testing:
      o The testing of the software application as a whole to check whether the system is compliant with the user requirements
      o It is end-to-end testing from the user's perspective, intended to find defects in the software system
   • Final acceptance testing:
      o After the system staff are satisfied with their system tests, the new or modified system is ready for acceptance testing, which occurs during the implementation phase
      o Final acceptance testing has two major parts:
         1. Quality assurance testing (QAT):
            - QAT focuses on the documented specifications and the technology employed
            - QAT is performed primarily by the IT department
            - The participation of the end user is minimal and on request
            - QAT does not focus on functionality testing
         2. User acceptance testing (UAT):
            - UAT should be performed in a secure testing or staging environment
            - On completion of acceptance testing, the final step is usually a certification and accreditation process

Points to remember:
➢ Failure in this testing stage would have the GREATEST impact on the implementation of new application software – Acceptance testing
15. Other types of testing:
   • Alpha and beta testing:
      o An alpha version is an early version of the application system (or software product) submitted to internal users for testing
      o The first stage, called alpha testing, is often performed only by users within the organization developing the software
      o The second stage, called beta testing, a form of user acceptance testing, generally involves a limited number of external users
   • Pilot testing:
      o A preliminary test that focuses on specific and predetermined aspects of a system
      o Proofs of concept are early pilot tests
   • White box testing:
      o A software testing method in which the internal structure/design/implementation of the item being tested is known to the tester
   • Black box testing:
      o A software testing method in which the internal structure/design/implementation of the item being tested is NOT KNOWN to the tester
      o An integrity-based form of testing associated with testing components of an information system's "functional" operating effectiveness without regard to any specific internal program structure
   • Functional testing: Ensures that the product actually meets the client's needs
   • Regression testing: The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors
   • Parallel testing: The process of feeding test data into two systems, the modified system and an alternative system (possibly the original system), and comparing the results
   • Sociability testing: The purpose of this test is to confirm that the new or modified system can operate in its target environment without adversely impacting existing systems
16. Changeover (Go-live or cutover) techniques:
• Parallel changeover:
    o This technique includes running the old system, then running both the old and new systems in parallel, and finally, fully changing over to the new system after gaining confidence in the working of the new system.
    o Advantages:
        - Minimizes the risk of using the newer system
        - Helps in identifying problems, issues or any concerns that the user comes across in the newer system at the beginning
    o Disadvantages:
        - Running two systems at the same time incurs higher costs.
        - The parallel changeover process can also be quite time-consuming.
• Phased changeover:
    o The phased changeover technique is considered a compromise between parallel and direct changeovers.
    o In a phased changeover, the new system is implemented one stage at a time.
    o Advantages:
        - Low cost
        - Isolates errors
    o Disadvantages:
        - The process takes a long time to complete because the phases need to be implemented separately.
Points to remember:
➢ The CISA candidate should be familiar with all the above types of testing. CISA questions will be scenario based and the candidate is expected to identify which type of testing is to be used.
➢ White box testing - dynamic analysis tool for the purpose of testing software modules
• Abrupt changeover:
    o In this approach the newer system is changed over from the older system on a cutoff date and time, and the older system is discontinued once changeover to the new system takes place.
    o Advantages:
        - Low cost
    o Disadvantages (areas put at risk by a direct cutover):
        - Asset safeguarding
        - Data integrity
        - System effectiveness
        - System efficiency
        - Change management challenges (depending on the configuration items considered)
        - Duplicate or missing records (duplicate or erroneous records may exist if data cleansing is not done correctly)
PART 5 – CISA Domain 3 – Information Systems Acquisition, development and implementation
» What does certification and accreditation mean?
» What do Artificial Intelligence (AI) and Expert systems mean?
» What is Agile development?
» What is software re-engineering?
» What is reverse engineering?
Points to remember:
➢ The CISA candidate should be familiar with all the changeover techniques with their advantages and disadvantages.
➢ The CISA candidate is expected to know where to use which type of changeover technique.
➢ Most risky changeover technique/Low cost changeover – Abrupt/Direct changeover
➢ Costliest changeover technique/Least risky changeover technique – Parallel changeover
➢ Changeover in phases – Phased changeover
17. Certification and Accreditation:
• Certification:
    o Certification is the process of evaluating, testing, and examining security controls that have been pre-determined based on the data type in an information system.
    o The certification process ensures that security weaknesses are identified and plans for mitigation strategies are in place.
    o Testing laboratories may also certify that certain products meet pre-established standards, or governmental agencies may certify that a company is meeting existing regulations (e.g., emission limits).
• Accreditation:
    o Accreditation is the formal declaration by a neutral third party that the certification program is administered in a way that meets the relevant norms or standards of a certification program (e.g., ISO/IEC 17024).
    o Accreditation is the official management decision (given by a senior official) to authorize operation of an information system and to explicitly accept the risk to the organization's operations, assets or individuals based on the implementation of an agreed-upon set of requirements and security controls.
18. Artificial Intelligence (AI) and Expert Systems:
• Artificial intelligence (AI) is the study and application of the principles by which:
    o Knowledge is acquired and used.
    o Goals are generated and achieved.
    o Information is communicated.
    o Collaboration is achieved.
    o Concepts are formed.
    o Languages are developed.
Points to remember:
➢ The CISA candidate should be familiar with the auditor's role in the certification process
• AI fields include, among others:
    o Expert systems
    o Natural and artificial (such as programming) languages
    o Neural networks
    o Intelligent text management
    o Theorem proving
    o Abstract reasoning
    o Pattern recognition
    o Voice recognition
    o Problem solving
    o Machine translation of foreign languages
• Expert systems:
    o Expert systems are an area of AI; they perform a specific function or are prevalent in certain industries.
    o An expert system allows the user to specify certain basic assumptions or formulas and then uses these assumptions or formulas to analyze arbitrary events. Based on the information used as input to the system, a conclusion is produced.
    o Key to the system is the knowledge base (KB), which contains specific information or fact patterns associated with particular subject matter and the rules for interpreting these facts.
    o Knowledge base: This component consists of data, facts and rules for a certain topic, industry or skill, usually equivalent to that of a human expert. The information in the KB can be expressed in several ways:
        1. Decision trees – Using questionnaires to lead the user through a series of choices until a conclusion is reached.
        2. Rules – Expressing declarative knowledge through the use of if-then relationships. For example, if a patient's body temperature is over 39°C (102.2°F) and his/her pulse is under 60, then the patient might be suffering from a certain disease.
        3. Semantic nets – A semantic network is a system in which commonly understood labeling is used to show relationships between its parts.
19. Agile development:
• The term "agile development" refers to a family of similar development processes that espouse a nontraditional way of developing complex systems. One of the first agile processes, Scrum (a rugby analogy), emerged in the early 1990s.
• Agile is a lightweight software engineering framework that promotes iterative development throughout the life cycle of the project, close collaboration between the development team and the business side, constant communication, and tightly knit teams.
20. Software re-engineering:
• Re-engineering is a process of updating an existing system by extracting and reusing design and program components.
• Business process re-engineering (BPR) is the act of recreating a core business process with the goal of:
    o improving product output,
    o improving product quality, or
    o reducing costs.
• The following are the steps involved in business process re-engineering:
    o Define objectives and framework
    o Identify customer needs
    o Study the existing process
    o Formulate a redesign business plan
    o Implement and monitor the redesigned process
    o Establish a continuous improvement process
Points to remember:
➢ The MOST likely result of a business process reengineering (BPR) project - An increased number of people using technology
➢ The FIRST step of the re-engineering process – Identify current/existing business processes. If an option on identifying customer needs is available, then it would be the best option
21. Reverse engineering:
• Reverse engineering is the process of studying and analyzing an application, a software application or a product to see how it functions and to use that information to develop a similar system.
• This process can be carried out in several ways:
    o Decompiling object or executable code into source code and using it to analyze the program
    o Black box testing the application to be reverse-engineered to unveil its functionality
• Advantages:
    o Faster development and reduced SDLC duration
    o Possibility of introducing improvements by overcoming the reverse-engineered application's drawbacks
22. Benchmarking process:
• Benchmarking is about improving business processes.
• It is defined as a continuous, systematic process for evaluating the products, services or work processes of organizations recognized as a world-class "reference" in a globalized world.
• The benchmarking process includes the following exercises:
    o Plan
    o Research
    o Observe
    o Analyze
PART 6 – CISA Domain 3 – Information Systems Acquisition, development and implementation
» What is the benchmarking process?
» What is Capability Maturity Model Integration (CMMI)?
» What are processing procedures and controls?
    o Adopt
    o Improve
23. Capability Maturity Model Integration (CMMI):
• Capability Maturity Model Integration (CMMI) is a process-level improvement training and appraisal program, administered by the CMMI Institute, a subsidiary of ISACA.
• The following are the characteristics of the maturity levels:
    o Level 1 – Initial – Processes are unpredictable, poorly controlled and reactive.
    o Level 2 – Managed – Process is characterized for projects and is often reactive.
    o Level 3 – Defined – Process is characterized for the organization and is proactive.
    o Level 4 – Quantitatively managed – Process is measured and controlled.
    o Level 5 – Optimizing – Focus is on process improvement.
24. Processing procedures and controls:
• Processing procedures and controls are meant to ensure the reliability of application program processing.
• IS auditors need to understand the procedures and controls that can be exercised over processing to evaluate what exposures are covered by these controls and what exposures remain.
PART 7 – CISA Domain 3 – Information Systems Acquisition, development and implementation
» What are the various data edits and controls?
    • Sequence check
    • Limit check
    • Range check
    • Validity check
    • Reasonableness check
    • Existence check
    • Key verification
    • Check digit
    • Completeness check
    • Duplicate check
    • Logical relationship check
25. Data validation edits and controls:
1. Sequence check:
    o The control number follows sequentially, and any out-of-sequence or duplicated control numbers are rejected or noted on an exception report for follow-up purposes.
    o For example, invoices are numbered sequentially. The day's invoices begin with 12001 and end with 15045. If any invoice larger than 15045 is encountered during processing, that invoice would be rejected as an invalid invoice number.
2. Limit check:
    o Data should not exceed a predetermined amount.
    o For example, payroll checks should not exceed US $4,000. If a check exceeds US $4,000, the data would be rejected for further verification/authorization.
3. Range check:
    o Data should be within a predetermined range of values.
    o For example, product type codes range from 100 to 250. Any code outside this range should be rejected as an invalid product type.
4. Validity check:
    o Programmed checking of the data validity in accordance with predetermined criteria.
    o For example, a payroll record contains a field for marital status and the acceptable status codes are M or S. If any other code is entered, the record should be rejected.
5. Reasonableness check:
    o Input data are matched to predetermined reasonable limits or occurrence rates.
    o For example, a widget manufacturer usually receives orders for no more than 20 widgets. If an order for more than 20 widgets is received, the computer program should be designed to print the record with a warning indicating that the order appears unreasonable.
6. Existence check:
    o Data are entered correctly and agree with valid predetermined criteria.
    o For example, a valid transaction code must be entered in the transaction code field.
7. Key verification:
    o The keying process is repeated by a separate individual using a machine that compares the original keystrokes to the repeated keyed input.
    o For example, the worker number is keyed twice and compared to verify the keying process.
8. Check digit:
    o A numeric value that has been calculated mathematically is added to data to ensure that the original data have not been altered or an incorrect, but valid, value substituted.
    o This control is effective in detecting transposition and transcription errors.
    o For example, a check digit is added to an account number so it can be checked for accuracy when it is used.
9. Completeness check:
    o A field should always contain data rather than zeros or blanks (no null value).
    o A check of each byte of that field should be performed to determine that some form of data, not blanks or zeros, is present.
    o For example, a worker number on a new employee record is left blank. This is identified as a key field and the record would be rejected, with a request that the field be completed before the record is accepted for processing.
10. Duplicate check:
    o New transactions are matched to those previously input to ensure that they have not already been entered.
    o For example, a vendor invoice number is checked against previously recorded invoices to ensure that the current order is not a duplicate and, therefore, the vendor will not be paid twice.
11. Logical relationship check:
    o If a particular condition is true, then one or more additional conditions or data input relationships may be required to be true for the input to be considered valid.
    o For example, the hire date of an employee may be required to be more than 16 years past his/her date of birth.
26. Data integrity testing:
• Data integrity testing is a set of substantive tests that examines the accuracy, completeness, consistency and authorization of data presently held in a system.
• Two common types of data integrity tests are:
    - Relational integrity tests – Relational integrity tests are performed at the data element and record-based levels.
PART 8 – CISA Domain 3 – Information Systems Acquisition, development and implementation
» What is data integrity testing?
» What are the types of data integrity testing?
    • Relational integrity testing
    • Referential integrity testing
» What are the four online data integrity requirements?
    • Atomicity
    • Consistency
    • Isolation
    • Durability
Points to remember:
➢ The CISA candidate is expected to be familiar with each one of the data edits and controls
➢ Check digit - Effective in detecting transposition and transcription errors
➢ Reasonableness check – A data validation edit control that matches input data to an occurrence rate
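The eleven data validation edits above, implemented as working checks over constructed payroll and invoice records. This is an added example, not code from the original notes; the record fields, the limits (the US $4,000 payroll limit, the 100-250 product code range, the 20-widget reasonableness threshold and the 16-year hire-age rule are taken from the text), and the choice of a mod-10 (Luhn) check digit are assumptions made for the illustration, since the notes do not name a check-digit algorithm. Field-level edits reject the record; the reasonableness check only warns, as the text describes; sequence and duplicate checks run over a batch and feed an exception report.

```python
"""Data validation edits (CISA Domain 3) as executable checks.
Added example with constructed sample data; limits follow the notes."""
from datetime import date

# Predetermined criteria (constructed; values follow the examples in the notes)
VALID_MARITAL_CODES = {"M", "S"}          # validity check
PAYROLL_LIMIT = 4000                      # limit check, US $4,000
PRODUCT_CODE_RANGE = (100, 250)           # range check
WIDGET_REASONABLE_MAX = 20                # reasonableness check (warn only)
VALID_TXN_CODES = {"PAY", "ADJ", "REV"}   # existence check (assumed code table)
MIN_HIRE_AGE_YEARS = 16                   # logical relationship check


def luhn_check_digit(number: str) -> str:
    """Mod-10 (Luhn) check digit: an assumed algorithm for illustration.
    It detects every single-digit transcription error and most adjacent
    transpositions, which is the purpose the notes give for a check digit."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 0:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def check_digit_ok(account_with_digit: str) -> bool:
    body, digit = account_with_digit[:-1], account_with_digit[-1]
    return body.isdigit() and luhn_check_digit(body) == digit


def years_between(earlier: date, later: date) -> int:
    """Whole years from earlier to later (age at hire)."""
    return later.year - earlier.year - (
        (later.month, later.day) < (earlier.month, earlier.day))


def validate_record(rec: dict) -> list:
    """Field-level edits on one record. Returns findings; [] means the record
    passes. 'REJECT' findings stop processing, 'WARN' findings do not."""
    findings = []
    worker_no = str(rec.get("worker_no", ""))
    # Completeness check: key field must hold data, not blanks or zeros
    if not worker_no.strip("0 "):
        findings.append("REJECT completeness: worker_no blank or zero")
    # Key verification: value keyed a second time must match the first keying
    if worker_no != str(rec.get("worker_no_rekeyed", "")):
        findings.append("REJECT key verification: worker_no re-key mismatch")
    # Limit check
    if rec.get("check_amount", 0) > PAYROLL_LIMIT:
        findings.append("REJECT limit: check_amount over %d" % PAYROLL_LIMIT)
    # Range check
    lo, hi = PRODUCT_CODE_RANGE
    if not lo <= rec.get("product_code", lo) <= hi:
        findings.append("REJECT range: product_code outside %d-%d" % (lo, hi))
    # Validity check
    if rec.get("marital_status") not in VALID_MARITAL_CODES:
        findings.append("REJECT validity: marital_status not M or S")
    # Reasonableness check: flag for review rather than reject
    if rec.get("widgets_ordered", 0) > WIDGET_REASONABLE_MAX:
        findings.append("WARN reasonableness: order above usual %d widgets"
                        % WIDGET_REASONABLE_MAX)
    # Existence check: code must exist in the predetermined code table
    if rec.get("txn_code") not in VALID_TXN_CODES:
        findings.append("REJECT existence: unknown txn_code")
    # Check digit on the account number
    if not check_digit_ok(str(rec.get("account_no", "0"))):
        findings.append("REJECT check digit: account_no fails mod-10")
    # Logical relationship check: hire date vs. date of birth
    dob, hired = rec.get("date_of_birth"), rec.get("hire_date")
    if dob and hired and years_between(dob, hired) < MIN_HIRE_AGE_YEARS:
        findings.append("REJECT logical relationship: hired under %d years old"
                        % MIN_HIRE_AGE_YEARS)
    return findings


def batch_checks(invoice_numbers: list, first: int, last: int,
                 previously_recorded: set) -> dict:
    """Sequence check and duplicate check over a batch of invoice numbers.
    Numbers outside first..last, or already seen (in prior runs or earlier in
    this batch), are listed for the exception report."""
    out_of_sequence, duplicates, seen = [], [], set(previously_recorded)
    for n in invoice_numbers:
        if not first <= n <= last:
            out_of_sequence.append(n)
        if n in seen:
            duplicates.append(n)
        seen.add(n)
    return {"out_of_sequence": out_of_sequence, "duplicates": duplicates}


# Constructed sample records (not real data)
GOOD_RECORD = {
    "worker_no": "10457", "worker_no_rekeyed": "10457", "check_amount": 2500,
    "product_code": 180, "marital_status": "M", "widgets_ordered": 12,
    "txn_code": "PAY", "account_no": "79927398713",
    "date_of_birth": date(1990, 5, 2), "hire_date": date(2015, 6, 1)}
BAD_RECORD = {
    "worker_no": "", "worker_no_rekeyed": "10458", "check_amount": 4500,
    "product_code": 300, "marital_status": "X", "widgets_ordered": 25,
    "txn_code": "ZZZ", "account_no": "79927398714",
    "date_of_birth": date(2010, 1, 1), "hire_date": date(2020, 1, 1)}

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, validate_record(rec) or "passes all edits")
    print(batch_checks([12001, 12002, 12002, 15046, 12001], 12001, 15045, set()))
```

The distinction worth noticing is which edits reject and which only warn: a limit, range or validity failure is a hard stop, while the reasonableness check routes the record to a human, exactly as the widget example in the notes describes.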
    - Referential integrity tests – Test whether the table relationships are consistent. In other words, any foreign key field must agree with the primary key that is referenced by the foreign key.
27. Data Integrity in Online Transaction Processing Systems:
• The four online data integrity requirements are known collectively as the ACID principle, which is as follows:
    o Atomicity - From a user perspective, a transaction is either completed in its entirety or not at all. If an error or interruption occurs, all changes made up to that point are backed out.
    o Consistency - All integrity conditions in the database are maintained with each transaction, taking the database from one consistent state into another consistent state.
    o Isolation - Each transaction is isolated from other transactions, and hence, each transaction only accesses data that are part of a consistent database state.
    o Durability - If a transaction has been reported back to a user as complete, the resulting changes to the database survive subsequent hardware or software failures.
Points to remember:
➢ In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as - Atomicity
➢ Referential integrity - will prevent dangling tuples in a database
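Referential integrity and atomicity, demonstrated on an in-memory SQLite database. This is an added example, not part of the original notes; the department/employee schema and the sample rows are constructed. It shows three things: a database that enforces the foreign key rejects a dangling tuple at insert time; a database that does not enforce it accepts the dangling tuple, and the auditor's substantive referential integrity test (a left join looking for employees whose department does not exist) then finds it; and a multi-row insert wrapped in one transaction is backed out completely when the last row fails, which is the atomicity property.

```python
"""Referential integrity and ACID atomicity on SQLite (added example)."""
import sqlite3

# Constructed schema: employee.dept_id is a foreign key to department.dept_id
SCHEMA = """
CREATE TABLE department (dept_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    dept_id INTEGER NOT NULL REFERENCES department(dept_id)
);
"""


def new_db(enforce_fk: bool) -> sqlite3.Connection:
    """Fresh in-memory database. SQLite only enforces foreign keys when the
    pragma is switched on, which makes it easy to show both situations."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO department VALUES (?, ?)",
                     [(10, "Audit"), (20, "IT")])
    conn.commit()
    return conn


def insert_employee(conn, emp_id: int, name: str, dept_id: int) -> bool:
    """Single-row insert; returns False if the DBMS rejected it."""
    try:
        conn.execute("INSERT INTO employee VALUES (?, ?, ?)",
                     (emp_id, name, dept_id))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def dangling_tuples(conn) -> list:
    """Substantive referential integrity test: employees whose dept_id has no
    matching department row (the 'dangling tuples' the notes refer to)."""
    return conn.execute("""
        SELECT e.emp_id, e.dept_id
        FROM employee e LEFT JOIN department d ON d.dept_id = e.dept_id
        WHERE d.dept_id IS NULL
        ORDER BY e.emp_id""").fetchall()


def insert_batch_atomically(conn, rows: list) -> int:
    """Atomicity: all rows are inserted in one transaction. If any row fails,
    the rows already inserted in this transaction are backed out too.
    Returns the employee count after the attempt."""
    try:
        with conn:  # commits on success, rolls back on exception
            conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", rows)
    except sqlite3.IntegrityError:
        pass
    return conn.execute("SELECT COUNT(*) FROM employee").fetchone()[0]


def demo() -> dict:
    """Run the three scenarios and return their observable results."""
    enforced = new_db(enforce_fk=True)
    ok = insert_employee(enforced, 1, "Ann", 10)          # valid department
    rejected = insert_employee(enforced, 2, "Bob", 99)    # no department 99

    unenforced = new_db(enforce_fk=False)
    insert_employee(unenforced, 3, "Cy", 99)              # accepted, dangling
    found = dangling_tuples(unenforced)

    atomic = new_db(enforce_fk=True)
    rows = [(1, "Ann", 10), (2, "Bob", 20), (3, "Cy", 99)]  # third row invalid
    count_after = insert_batch_atomically(atomic, rows)

    return {"valid_accepted": ok, "fk_violation_accepted": rejected,
            "dangling_in_unenforced_db": found,
            "employees_after_failed_batch": count_after}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The enforced and unenforced databases differ in exactly the way the notes describe: with the constraint enforced, referential integrity prevents the dangling tuple; without it, only the auditor's test reveals it. Consistency is visible here as the constraint being preserved across each committed transaction; isolation and durability need concurrent sessions and a crash respectively, so they are not shown.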
28. Online auditing techniques:
• Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM) - This technique involves embedding specially written audit software in the organization's host application system so that the application systems are monitored on a selective basis.
• Snapshots - This technique involves taking what might be termed pictures of the processing path that a transaction follows, from the input to the output stage.
• Audit hooks - This technique involves embedding hooks in application systems to function as red flags and to induce IS security and auditors to act before an error or irregularity gets out of hand.
• Integrated test facility (ITF) - Creates a fictitious entity in a database to process test transactions simultaneously with live input. It can be used to incorporate test transactions into a normal production run of a system.
• Continuous and intermittent simulation (CIS) – The simulation is notified of each transaction that is entered into the application and of each database access made by the DBMS.
PART 9 – CISA Domain 3 – Information Systems Acquisition, development and implementation
» What are the online audit techniques?
    • Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM)
    • Snapshots
    • Audit hooks
    • Integrated test facility (ITF)
    • Continuous and intermittent simulation (CIS)
Points to remember:
➢ The online auditing technique most effective for the early detection of errors or irregularities – Audit hooks
➢ Generalized audit software (GAS) – Used by the IS auditor to detect duplicate invoice records within an invoice master file
CISA DOMAIN 4 – INFORMATION SYSTEMS OPERATIONS, MAINTENANCE AND SERVICE MANAGEMENT
This article covers –
• Overall understanding of the domain
• Important concepts to focus on from exam point of view
The article is split into 10 parts as below:
• Part 1 – Information Systems operations, Management of IS operations, ITSM
• Part 2 – Service Level Agreements, Operational Level Agreements, Incident and problem management process
• Part 3 – Roles and responsibilities of support/help desk, Change management, Patch management and release management
• Part 4 – Quality Assurance (QA) and Overview of DBMS and DBMS architecture
• Part 5 – Data dictionary/Directory system, Database structure, OSI Architecture
• Part 6 – Application of OSI Model in Network Architecture, LAN topology, LAN components
• Part 7 – WAN components, WAN topology, Network performance metrics
• Part 8 – Network Management issues, Network Management tools and Overview of Disaster Recovery Planning (DRP)
• Part 9 – Overview of Recovery Point Objective (RPO) and Recovery Time Objective (RTO), additional parameters in defining recovery strategies and various types of recovery strategies
• Part 10 – Different recovery/continuity/response teams and their responsibilities, overview of back-up and restoration and the various disaster recovery testing methods
Overall understanding of the domain:
• Weightage - This domain constitutes 20 percent of the CISA exam (approximately 30 questions)
• Covers 23 knowledge statements:
    1. Knowledge of service management frameworks
PART 1 – CISA Domain 4 – Information Systems operations, Maintenance and Service Management
• Overall understanding of Domain 4
• What is Information Systems operations?
• What are the ways of managing IS operations?
• What is the IT Service Management Framework (ITSM)?
    2. Knowledge of service management practices and service level management
    3. Knowledge of techniques for monitoring third-party performance and compliance with service agreements and regulatory requirements
    4. Knowledge of enterprise architecture (EA)
    5. Knowledge of the functionality of fundamental technology (e.g., hardware and network components, system software, middleware, database management systems)
    6. Knowledge of system resiliency tools and techniques (e.g., fault tolerant hardware, elimination of single point of failure, clustering)
    7. Knowledge of IT asset management, software licensing, source code management and inventory practices
    8. Knowledge of job scheduling practices, including exception handling
    9. Knowledge of control techniques that ensure the integrity of system interfaces
    10. Knowledge of capacity planning and related monitoring tools and techniques
    11. Knowledge of systems performance monitoring processes, tools and techniques (e.g., network analyzers, system utilization reports, load balancing)
    12. Knowledge of data backup, storage, maintenance and restoration practices
    13. Knowledge of database management and optimization practices
    14. Knowledge of data quality (completeness, accuracy, integrity) and life cycle management (aging, retention)
    15. Knowledge of problem and incident management practices
    16. Knowledge of change management, configuration management, release management and patch management practices
    17. Knowledge of operational risks and controls related to end-user computing
    18. Knowledge of regulatory, legal, contractual and insurance issues related to disaster recovery
    19. Knowledge of business impact analysis (BIA) related to disaster recovery planning
    20. Knowledge of the development and maintenance of disaster recovery plans (DRPs)
    21. Knowledge of benefits and drawbacks of alternate processing sites (e.g., hot sites, warm sites, cold sites)
    22. Knowledge of disaster recovery testing methods
    23. Knowledge of processes used to invoke the disaster recovery plans (DRPs)
Important concepts from exam point of view:
1. Information Systems operations:
» Responsible for ongoing support for an organization's computer and IS environment
» Plays a critical role in ensuring that computer operations processing requirements are met, end users are satisfied and information is processed securely
2. Management of IS operations:
» The COBIT 5 framework makes a clear distinction between governance and management, as follows:
    • Governance:
        a. Ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved;
        b. Sets direction through prioritization and decision making; and monitors performance and compliance against agreed-on direction and objectives.
        c. Overall governance is the responsibility of the board of directors under the leadership of the chairperson.
        d. Specific governance responsibilities may be delegated to special organizational structures at an appropriate level, particularly in larger, complex enterprises.
    • Management:
        a. Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
        b. Management is the responsibility of the executive management under the leadership of the chief executive officer (CEO).
        c. IS management has the overall responsibility for all operations within the IT department.
3. IT Service Management framework (ITSM):
» Refers to the implementation and management of IT services (people, process and information technology) to meet business needs
» Two frameworks for ITSM:
    1. IT Infrastructure Library (ITIL):
        • A reference body of knowledge for service delivery good practices
        • A comprehensive framework detailed over five volumes – Service strategy, Service design, Service transition, Service operations, Continual service improvement
        • The main objective of ITIL is to improve service quality to the business.
    2. ISO 20000-1:2011 Information technology – Service management:
        • Requires service providers to implement the plan-do-check-act (PDCA) methodology
        • The main objective is to improve service quality; achievement of the standard certifies organizations as having passed auditable practices and processes in ITSM.
4. Service Level Agreement and Operational Level Agreement:
» Service Level Agreement:
    • The Service Level Agreement (SLA) is a contract between a service provider and a customer.
    • SLAs can also be supported by operational level agreements (OLAs).
» Operational Level Agreement:
    • An OLA is an agreement between the internal support groups of an institution that supports an SLA.
    • The OLA clearly depicts the performance and relationship of the internal service groups.
    • The main objective of the OLA is to ensure that all the support groups provide the intended service levels.
5. Tools to monitor efficiency and effectiveness of services provided:
» Exception reports:
    • These automated reports identify all applications that did not successfully complete or otherwise malfunctioned.
    • An excessive number of exceptions may indicate:
        – Poor understanding of business requirements
        – Poor application design, development or testing
        – Inadequate operation instructions
        – Inadequate operations support
PART 2 – CISA Domain 4 – Information Systems operations, Maintenance and Service Management
• What are Service Level Agreements (SLAs) and Operational Level Agreements (OLAs)?
• What are the tools to monitor efficiency and effectiveness of services provided?
    - Exception reports
    - Operator problem reports
    - System and application logs
    - Operator work schedules
• What is incident management and problem management?
        – Inadequate operator training or performance monitoring
        – Inadequate sequencing of tasks
        – Inadequate system configuration
        – Inadequate capacity management
» System and application logs:
    • Refers to logs generated from various systems and applications.
    • Using log analysis software, the auditor can carry out tests to ensure that:
        ✓ Only approved programs access sensitive data
        ✓ Only authorized IT personnel access sensitive data
        ✓ Software utilities that can alter data files and program libraries are used only for authorized purposes
        ✓ Approved programs are run only when scheduled and, conversely, that unauthorized runs do not take place
        ✓ The correct data file generation is accessed for production purposes
        ✓ Data files are adequately protected
» Operator problem reports – Manual report used by the help desk to log computer operations problems and resolutions
» Operator work schedules – Report maintained manually by IS management to assist in human resource planning to ensure proper staffing of operations support
6. Incident management and problem management:
» Incident management:
    • An incident is an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
Points to remember:
o Availability reports – The report that the IS auditor uses to check compliance with the service level agreement (SLA) requirement for uptime
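The log-based tests listed above, run over a handful of constructed job-log lines. This is an added example, not code or data from the original notes: the log format, the job names, the approved-program and authorized-user tables and the run-time schedule are all assumptions made for the illustration. The function produces the kind of exception report the notes describe (jobs that did not complete successfully) and at the same time flags unapproved programs or unauthorized users touching sensitive datasets and approved jobs run outside their scheduled window.

```python
"""Exception report and log-based audit tests over constructed job logs
(added example; format, names and schedule are assumptions)."""
import re
from datetime import datetime

# Constructed job-scheduler log lines (not from any real system)
LOG_LINES = [
    "2024-03-01T02:00:05 job=PAYROLL_RUN user=batch_svc program=payroll.exe dataset=HR.SALARY status=OK",
    "2024-03-01T02:05:10 job=GL_POST user=fin_ops program=glpost.exe dataset=FIN.GL status=ABEND",
    "2024-03-01T14:12:33 job=PAYROLL_RUN user=jdoe program=dfsort.exe dataset=HR.SALARY status=OK",
    "2024-03-01T23:10:00 job=ADHOC_EXTRACT user=fin_ops program=glpost.exe dataset=FIN.GL status=OK",
]

LINE_RE = re.compile(
    r"(?P<ts>\S+) job=(?P<job>\S+) user=(?P<user>\S+) "
    r"program=(?P<program>\S+) dataset=(?P<dataset>\S+) status=(?P<status>\S+)")

# Assumed control tables the auditor obtained from management
SENSITIVE_DATASETS = {"HR.SALARY", "FIN.GL"}
APPROVED_PROGRAMS = {"HR.SALARY": {"payroll.exe"}, "FIN.GL": {"glpost.exe"}}
AUTHORIZED_USERS = {"HR.SALARY": {"batch_svc"}, "FIN.GL": {"batch_svc", "fin_ops"}}
# Approved run windows as [start_hour, end_hour) on a 24-hour clock
SCHEDULE = {"PAYROLL_RUN": (1, 3), "GL_POST": (22, 24)}

FAILED = "job did not complete successfully"
UNAPPROVED_PROGRAM = "unapproved program accessed sensitive dataset"
UNAUTHORIZED_USER = "unauthorized user accessed sensitive dataset"
OUTSIDE_SCHEDULE = "approved job run outside its scheduled window"
UNSCHEDULED = "job has no approved schedule"


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def audit_log(lines: list) -> list:
    """Return one finding per failed test: (timestamp, job, reason)."""
    findings = []
    for line in lines:
        r = parse_line(line)

        def flag(reason):
            findings.append((r["ts"].isoformat(), r["job"], reason))

        # Exception report: anything that did not complete successfully
        if r["status"] != "OK":
            flag(FAILED)
        # Only approved programs and authorized personnel touch sensitive data
        if r["dataset"] in SENSITIVE_DATASETS:
            if r["program"] not in APPROVED_PROGRAMS.get(r["dataset"], set()):
                flag(UNAPPROVED_PROGRAM)
            if r["user"] not in AUTHORIZED_USERS.get(r["dataset"], set()):
                flag(UNAUTHORIZED_USER)
        # Approved programs run only when scheduled; no unauthorized runs
        window = SCHEDULE.get(r["job"])
        if window is None:
            flag(UNSCHEDULED)
        elif not window[0] <= r["ts"].hour < window[1]:
            flag(OUTSIDE_SCHEDULE)
    return findings


def count_by_reason(findings: list) -> dict:
    """Summary the auditor would put at the top of the exception report."""
    summary = {}
    for _, _, reason in findings:
        summary[reason] = summary.get(reason, 0) + 1
    return summary


if __name__ == "__main__":
    for ts, job, reason in audit_log(LOG_LINES):
        print(ts, job, "-", reason)
    print(count_by_reason(audit_log(LOG_LINES)))
```

The first constructed line passes every test; each of the other three trips one or more, which is what the auditor wants to see separated: an abend belongs on the operations exception report, while an unapproved utility reading a sensitive dataset at 14:12 under an individual user ID is a control failure to follow up with IS security.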
    • Incident management is a term describing the activities of an organization to identify, analyze, and correct hazards to prevent a future recurrence.
    • These incidents within a structured organization are normally dealt with by either an incident response team (IRT) or an incident management team (IMT).
    • Incident management is reactive, and its objective is to respond to and resolve issues, restoring normal service (as defined by the SLA) as quickly as possible.
» Problem management:
    • Problem management is the process responsible for managing the life cycle of all problems that happen or could happen in an IT service.
    • The primary objectives of problem management are to prevent problems and resulting incidents from happening, to eliminate recurring incidents, and to minimize the impact of incidents that cannot be prevented.
7. Support/Help desk – Roles and responsibilities:
• The responsibility of the technical support function is to provide specialist knowledge of production systems to identify and assist in system change/development and problem resolution.
• The basic function of the help desk is to be the first, single and central point of contact for users and to follow the incident management process.
• The help desk personnel must ensure that all hardware and software incidents that arise are fully documented and escalated based on the priorities established by management.
PART 3 – CISA Domain 4 – Information Systems operations, Maintenance and Service Management
• What are the roles and responsibilities of the support/help desk?
• What are the change management and patch management processes?
• What is release management – Major, minor and emergency releases?
8. Change management and patch management process:
» Change management:
    • Used when changing hardware, installing or upgrading to new releases of off-the-shelf applications, installing a software patch and configuring various network devices.
    • Changes are classified into three types:
        a) Emergency changes
        b) Major changes
        c) Minor changes
» Patch management:
    • An area of systems management that involves acquiring, testing and installing multiple patches (code changes) to an administered computer system in order to maintain up-to-date software and often to address security risk.
    • Patch management tasks include the following:
        - Maintaining current knowledge of available patches
        - Deciding what patches are appropriate for particular systems
        - Ensuring that patches are installed properly; testing systems after installation
        - Documenting all associated procedures, such as specific configurations required
9. Release management:
• Software release management is the process through which software is made available to users.
• The term "release" is used to describe a collection of authorized changes.
• The release will typically consist of a number of problem fixes and enhancements to the service.
• The release can be of three types:
    a. Major releases: Normally contain a significant change or addition of new functionality. A major upgrade or release usually supersedes all preceding minor upgrades.
Points to remember:
o Patch management – The BEST method for preventing exploitation of system vulnerabilities
    b. Minor releases: Upgrades, normally containing small enhancements and fixes. A minor upgrade or release usually supersedes all preceding emergency fixes. Minor releases are generally used to fix small reliability or functionality problems that cannot wait until the next major release.
    c. Emergency releases: Normally contain the corrections to a small number of known problems. Emergency releases are fixes that require implementation as quickly as possible to prevent significant user downtime to business-critical functions.
• While change management is the process whereby all changes go through a robust testing and approval process, release management is the process of actually putting the software changes into production.
10. Quality Assurance:
• QA personnel verify that system changes are authorized, tested and implemented in a controlled manner prior to being introduced into the production environment, according to a company's change and release management policies.
11. Database management systems (DBMS):
• A DBMS aids in organizing, controlling and using the data needed by application programs.
• A DBMS provides the facility to create and maintain a well-organized database.
• Primary functions include:
    a. Reduced data redundancy,
    b. Decreased access time and
    c. Basic security over sensitive data.
PART 4 – CISA Domain 4 – Information Systems operations, Maintenance and Service Management
• What is Quality Assurance (QA)?
• What is a Database Management System (DBMS)?
• What is DBMS Architecture?
12. DBMS Architecture:
• Database architecture focuses on the design, development, implementation and maintenance of computer programs that store and organize information for businesses, agencies and institutions.
• A database architect develops and implements software to meet the needs of users. The design of a DBMS depends on its architecture
• Metadata:
» the data (details/schema) of any other data (i.e. data about data)
» The word 'Meta' is the prefix that is generally the technical term for self-referential. In other words, we can say that Metadata is the summarized data for the contextual data.
» There are three types of metadata:
i. Conceptual schema,
ii. External schema and
iii. Internal schema
13. Data Dictionary/Directory system:
• Data Dictionary contains an index and descriptions of all of the data stored in the database. Directory describes the locations of the data and the access method
• Some of the benefits of using DD/DS include:
- Enhancing documentation
- Providing common validation criteria
PART 5 – CISA Domain 4 – Information Systems operations, Maintenance and Service Management
• What is Data Dictionary / Directory system?
• What is Database structure?
• What are the database types?
- Hierarchical database model
- Network database model
- Relational database model
• What is OSI Architecture?
- Facilitating programming by reducing the needs for data definition
- Standardizing programming methods
14. Database structure:
• The database structure is the collection of record type and field type definitions that comprise your database.
• There are three major types of database structure:
i. Hierarchical database model,
ii. Network database model, and
iii. Relational database model
• Hierarchical database model:
✓ In this model there is a hierarchy of parent and child data segments. To create links between them, this model uses parent-child relationships.
✓ These are 1:N (one-to-many) mappings between record types represented by logical trees
• Network database model:
✓ In the network model, the basic data modeling construct is called a set.
✓ A set is formed by an owner record type, a member record type and a name.
✓ A member record type can have that role in more than one set, so a multi-owner relationship is allowed.
✓ An owner record type can also be a member or owner in another set. Usually, a set defines a 1:N relationship, although one-to-one (1:1) is permitted
✓ Disadvantages of Network database model:
o Structures can be extremely complex and difficult to comprehend, modify or reconstruct in case of failure.
o This model is rarely used in current environments.
o The hierarchical and network models do not support high-level queries. The user programs have to navigate the data structures.
• Relational database model
✓ In the Relational database model, the data and the relationships among these data are organized in tables.
✓ A table is a collection of rows, also known as tuples, and each tuple in a table contains the same columns. Columns, called domains or attributes, correspond to fields.
✓ A Relational database has the following properties:
o Values are atomic.
o Each row is unique.
o Column values are of the same kind.
o The sequence of columns is insignificant.
o The sequence of rows is insignificant.
o Each column has a unique name
✓ The relational model is independent from the physical implementation of the data structure, and has many advantages over the hierarchical and network database models. With relational databases, it is easier:
o For users to understand and implement a physical database system
o To convert from other database structures
o To implement projection and join operations
o To create new relations for applications
o To implement access control over sensitive data
o To modify the database
✓ A key feature of relational databases is the use of “normalization”
✓ Normalization:
o a technique of organizing the data in the database
o a systematic approach of decomposing tables to eliminate data redundancy (repetition) and undesirable characteristics like Insertion, Update and Deletion Anomalies
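An added illustration, not part of the original notes, of the anomalies the normalization bullets describe. It uses Python's built-in sqlite3 module: the same constructed order data is loaded once into a single flat table and once into a decomposed customers/orders pair, and the update, deletion and insertion anomalies are reproduced on the flat table and shown to disappear after normalization. The table and column names are my own.

```python
import sqlite3

# Constructed sample data (not from the original notes): each order row repeats
# the customer's name and address, which depend on customer_id, not on order_id.
FLAT_ROWS = [
    (1, "C100", "Acme Ltd", "1 High St", "widget", 3),
    (2, "C100", "Acme Ltd", "1 High St", "gadget", 1),
    (3, "C200", "Bolt Co", "9 Low Rd", "widget", 7),
]


def build_flat(conn):
    """Unnormalized design: one table holding both order and customer facts."""
    conn.execute("""CREATE TABLE orders_flat (
        order_id INTEGER PRIMARY KEY, customer_id TEXT, customer_name TEXT,
        customer_addr TEXT, product TEXT, qty INTEGER)""")
    conn.executemany("INSERT INTO orders_flat VALUES (?,?,?,?,?,?)", FLAT_ROWS)


def build_normalized(conn):
    """Decomposed design: each customer stored once, orders referencing it by key."""
    conn.execute("PRAGMA foreign_keys = ON")
    conn.execute("""CREATE TABLE customers (
        customer_id TEXT PRIMARY KEY, customer_name TEXT, customer_addr TEXT)""")
    conn.execute("""CREATE TABLE orders (
        order_id INTEGER PRIMARY KEY,
        customer_id TEXT NOT NULL REFERENCES customers(customer_id),
        product TEXT, qty INTEGER)""")
    conn.executemany("INSERT INTO customers VALUES (?,?,?)",
                     sorted({(r[1], r[2], r[3]) for r in FLAT_ROWS}))
    conn.executemany("INSERT INTO orders VALUES (?,?,?,?)",
                     [(r[0], r[1], r[4], r[5]) for r in FLAT_ROWS])


def fresh(builder):
    """New in-memory database populated by the given builder."""
    conn = sqlite3.connect(":memory:")
    builder(conn)
    return conn


def update_anomaly(normalized):
    """Change Acme's address once; return how many distinct addresses C100 now has.
    Flat: the other order row still holds the old address (2). Normalized: 1."""
    conn = fresh(build_normalized if normalized else build_flat)
    if normalized:
        conn.execute("UPDATE customers SET customer_addr='2 New St' WHERE customer_id='C100'")
        q = ("SELECT DISTINCT c.customer_addr FROM orders o "
             "JOIN customers c ON c.customer_id=o.customer_id WHERE o.customer_id='C100'")
    else:
        conn.execute("UPDATE orders_flat SET customer_addr='2 New St' WHERE order_id=1")
        q = "SELECT DISTINCT customer_addr FROM orders_flat WHERE customer_id='C100'"
    return len(conn.execute(q).fetchall())


def deletion_anomaly(normalized):
    """Delete Bolt Co's only order; return whether Bolt Co is still known.
    Flat: the customer vanishes with the order (False). Normalized: True."""
    conn = fresh(build_normalized if normalized else build_flat)
    table = "orders" if normalized else "orders_flat"
    conn.execute(f"DELETE FROM {table} WHERE order_id=3")
    src = "customers" if normalized else "orders_flat"
    n = conn.execute(f"SELECT COUNT(*) FROM {src} WHERE customer_id='C200'").fetchone()[0]
    return n > 0


def insertion_anomaly(normalized):
    """Record a new customer that has not ordered yet; return the order count.
    Flat: a placeholder row with no product is needed, so it looks like 4 orders.
    Normalized: the customer row stands alone and the count stays 3."""
    conn = fresh(build_normalized if normalized else build_flat)
    if normalized:
        conn.execute("INSERT INTO customers VALUES ('C300','Cog Inc','5 Mid Ave')")
        return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    conn.execute("INSERT INTO orders_flat (customer_id, customer_name, customer_addr) "
                 "VALUES ('C300','Cog Inc','5 Mid Ave')")
    return conn.execute("SELECT COUNT(*) FROM orders_flat").fetchone()[0]


if __name__ == "__main__":
    for name, fn in (("update", update_anomaly), ("deletion", deletion_anomaly),
                     ("insertion", insertion_anomaly)):
        print(f"{name} anomaly: flat={fn(False)} normalized={fn(True)}")
```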
15. OSI Architecture:
• The OSI model was developed by the International Organization for Standardization (ISO) in 1984, and it is now considered an architectural model for inter-computer communications
• The OSI model is a reference model that describes how information from a software application in one computer moves through a physical medium to the software application in another computer.
• The OSI (Open Systems Inter-connection) is a proof-of-concept model composed of seven layers, each specifying particular specialized tasks or functions.
• The OSI model was defined in ISO/IEC 7498, which has the following parts:
- ISO/IEC 7498-1 The Basic Model
- ISO/IEC 7498-2 Security Architecture
- ISO/IEC 7498-3 Naming and addressing
- ISO/IEC 7498-4 Management framework
• Each layer is self-contained and relatively independent of the other layers in terms of its particular function
• There are seven OSI layers. Each layer has different functions. They are:
1. Physical Layer
2. Data-Link Layer
3. Network Layer
4. Transport Layer
5. Session Layer
6. Presentation Layer
7. Application Layer
Points to remember:
o The CISA candidate will not be tested on the specifics of this standard in the exam
• The functions of each layer are as follows:
1. Physical Layer - The physical layer provides the hardware that transmits and receives the bit stream as electrical, optical or radio signals over an appropriate medium or carrier.
2. Data-Link Layer - The data link layer is used for the encoding, decoding and logical organization of data bits. Data packets are framed and addressed by this layer, which has two sublayers
3. Network Layer - This layer is assigned the IP addresses and is responsible for routing and forwarding. This layer prepares the packets for the data link layer
4. Transport Layer - The transport layer provides reliable and transparent transfer of data between end points, end-to-end error recovery and flow control.
5. Session Layer - The session layer controls the dialogs (sessions) between computers. It establishes, manages and terminates the connections between the local and remote application layers
6. Presentation Layer - The presentation layer converts the outgoing data into a format acceptable by the network standard and then passes the data to the session layer (It is responsible for translation, compression and encryption)
7. Application Layer - provides a standard interface for applications that must communicate with devices on the network (e.g., print files on a network-connected printer, send an email or store data on a file server)
Points to remember:
o The OSI layer that performs error detection and encryption – Data Link layer
PART 6 – CISA Domain 4 – Information Systems operations, Maintenance and Service Management
• What is the application of OSI model in Network Architecture?
• What is LAN topology?
• What are the LAN components?
- Repeaters
- Switches
- Hubs
- Routers
- Bridges
- Gateways
16. Application of the OSI model in Network Architectures:
• The concepts of the OSI model are used in the design and development of organizations’ network architectures. This includes LANs, WANs, MANs and use of the public Transmission Control Protocol/Internet Protocol (TCP/IP)-based global Internet.
• The discussion will focus on:
✓ LAN
✓ WAN
✓ Wireless networks
✓ Public global internet infrastructure
✓ Network administration and control
✓ Applications in a networked environment
✓ On-demand computing
• Local Area Network (LAN):
» a computer network that interconnects computers within a limited area such as a residence, school, laboratory, university campus or office building
» Media used in LAN:
✓ Copper (twisted-pairs) circuit:
- Twisted pairs are of two types:
(1) Shielded twisted pair - More attenuation, More cross talk and more interference
(2) Unshielded twisted pair – More attenuation, More cross talk and more interference
- Two insulated wires are twisted around each other, with current flowing through them in opposite directions.
- Advantages:
a. This reduces the opportunity for cross talk
b. Cheap
c. Readily available
d. Simple to modify
- Disadvantages:
a. Easy to tap
b. Easy to splice
c. Interference and Noise
✓ Fiber-optics systems:
- It refers to the technology and medium used in the transmission of data as pulses (flashes) of light through a strand or fiber medium made of glass or plastic.
- Fiber-optic systems have a low transmission loss as compared to twisted-pair circuits.
- Optical fiber is smaller and lighter than metallic cables of the same capacity.
- Fiber is the preferred choice for high-volume, longer-distance runs
✓ Radio systems (wireless):
- Data are communicated between devices using low-powered systems that broadcast (or radiate) and receive electromagnetic signals representing data
17. LAN Topologies:
- Star topology
- Bus topology
- Ring topology
18. LAN components:
- Repeaters - physical layer devices that extend the range of a network or connect two separate network segments together
- Hubs - physical layer devices that serve as the center of a star-topology network or a network concentrator
- Bridges - data link layer devices that were developed to connect LANs or create two separate LAN or WAN network segments from a single segment to reduce collision domains
Points to remember:
o The method of routing traffic through split-cable facilities or duplicate-cable facilities is called “Diverse routing”
o The type of line media that provides the BEST security for a telecommunication network is “Dedicated lines”
- Switches - data link level devices that can divide and interconnect network segments and help to reduce collision domains in Ethernet-based networks
- Routers - operate at the OSI network layer by examining network addresses (i.e., routing information encoded in an IP packet).
- Gateways - are devices that are protocol converters. Typically, they connect and convert between LANs and the mainframe, or between LANs and the Internet, at the application layer of the OSI reference model
19. WAN components:
- WAN switches - Data link layer devices used for implementing various WAN technologies such as ATM, point-to-point frame relay and ISDN
- Routers - devices that operate at the network layer of the OSI reference model and provide an interface between different network segments on an internal network or connect the internal network to an external network
PART 7 – CISA Domain 4 – Information Systems operations, Maintenance and Service Management
• What are the WAN components?
- WAN switches
- Routers
- Modems
• What are WAN technologies?
- Point-to-point protocol
- Integrated services digital network (ISDN)
- X.25
- Asynchronous transfer mode
- Frame Relay
- Multiprotocol label switching
- Digital subscriber lines
- Virtual Private Network
• What are the network performance metrics?
- Latency
- Throughput
- Modems (modulator/demodulator)
✓ Converts computer digital signals into analog data signals and analog data back to digital.
✓ A main task of the modems at both ends is to maintain their synchronization so the receiving device knows when each byte starts and ends. Two methods can be used for this purpose:
- Synchronous transmission - a data transfer method in which a continuous stream of data signals is accompanied by timing signals (generated by an electronic clock) to ensure that the transmitter and the receiver are in step (synchronized) with one another. The data is sent in blocks (called frames or packets) spaced by fixed time intervals
- Asynchronous transmission - The term asynchronous is used to describe the process where transmitted data is encoded with start and stop bits, specifying the beginning and end of each character. Asynchronous transmission works in spurts and must insert a start bit before each data character and a stop bit at its termination to inform the receiver where it begins and ends.
20. WAN technologies:
- Point to point protocol - (PPP) is a data link layer communications protocol used to establish a direct connection between two nodes. PPP is a widely available remote access solution that supports asynchronous and synchronous links, and operates over a wide range of media.
- X.25 - is a standard suite of protocols used for packet-switched communications over a wide area network
- Frame Relay - Frame relay is a packet-switching telecommunication service designed for cost-efficient data transmission for intermittent traffic between LANs and between endpoints in a WAN
- Integrated services digital network (ISDN) – It is a set of communication standards for simultaneous digital transmission of voice, video, data, and other network services over the traditional circuits of the public switched telephone network
- Asynchronous transfer mode – ATM is a dedicated-connection switching technology that organizes digital data into 53-byte cell units and transmits them over a physical medium using digital signal technology
- Multiprotocol label switching - Multiprotocol label switching (MPLS) is a mechanism used within computer network infrastructures to speed up the time it takes a data packet to flow from one node to another. It enables computer networks to be faster and easier to manage by using short path labels instead of long network addresses for routing network packets.
- Digital subscriber lines - Digital subscriber line (DSL) is a technology that transports high-bandwidth data over a simple telephone line that is directly connected to a modem. This allows for file-sharing, and the transmission of pictures and graphics, multimedia data, audio and video conferencing and much more
- Virtual Private Network (VPN):
• extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running on an end system (PC, smartphone etc.) across a VPN may therefore benefit from the functionality, security, and management of the private network
• VPN technology was developed to allow remote users and branch offices to access corporate applications and resources. To ensure security, the private network connection is established using an encrypted layered tunneling protocol, and VPN users use authentication methods, including passwords or certificates, to gain access to the VPN.
• There are three types of VPNs:
1. Remote-access VPN - Used to connect telecommuters and mobile users to the enterprise WAN in a secure manner; it lowers the barrier to telecommuting by ensuring that information is reasonably protected on the open Internet.
2. Intranet VPN - Used to connect branch offices within an enterprise WAN
3. Extranet VPN - Used to give business partners limited access to each other’s corporate network; an example is an automotive manufacturer with its suppliers
21. Network Performance Metrics:
- Latency: The delay that a message or packet will experience on its way from source to destination. A very easy way to measure latency in a TCP/IP network is to use the ping command.
- Throughput: The quantity of useful work done by the system per unit of time. In telecommunications, it is the number of bytes per second that are passing through a channel.
Points to remember:
o The ping command is used to measure latency
22. Network Management Issues:
A WAN needs to be monitored and managed similarly to a LAN. ISO, as part of its communications modeling effort (ISO/IEC 10040), has defined five basic tasks related to network management:
- Fault management - Detects the devices that present some kind of technical fault
- Configuration management - Allows users to know, define and change, remotely, the configuration of any device
- Accounting resources - Holds the records of the resource usage in the WAN (who uses what)
- Performance management - Monitors usage levels and sets alarms when a threshold has been surpassed
- Security management - Detects suspicious traffic or users, and generates alarms accordingly
23. Network Management tools:
- Response Time - Identify the time necessary for a command entered by users at a terminal to be answered by the host system.
PART 8 – CISA Domain 4 – Information Systems operations, Maintenance and Service Management
• What are the Network Management issues?
- Fault Management
- Performance management
- Configuration management
- Security management
- Accounting resources
• What are the Network Management tools?
- Response time
- Network monitors
- Downtime reports
- Simple Network Management Protocol (SNMP)
- Online monitors
- Help desk reports
- Protocol analyzers
• What is Disaster Recovery Planning (DRP)?
- Downtime Reports - Track the availability of telecommunications lines and circuits. Interruptions due to power line failure, traffic, overload, operator error or other anomalous conditions are identified in downtime reports
- Online Monitors - Check data transmission accuracy and errors. Monitoring can be performed by echo checking and status checking all transmissions, ensuring that messages are not lost or transmitted more than once.
- Network Monitors - Real time display of network nodes and status.
- Protocol Analyzers – A diagnostic tool used for monitoring packets flowing within the network.
- Simple Network Management Protocol (SNMP) - A TCP/IP-based protocol that monitors and controls different variables throughout the network, manages configurations, and collects statistics on performance and security
- Help desk reports - Prepared by the help desk, which is staffed or supported by IT technicians trained to handle problems occurring during normal IS usage.
24. Disaster Recovery Planning (DRP):
- DRP is an element of an internal control system established to manage availability and restore critical processes/IT services in the event of interruption.
- The purpose of this continuous planning process is to ensure that the following are in place:
• cost-effective controls to prevent possible IT disruptions and
• the means to recover the IT capacity of the organization in the event of a disruption
- DRP is a continuous process. Once the criticality of business processes and supporting IT services, systems and data are defined, they are periodically reviewed and revisited
- The ultimate goal of the DRP process is
• to respond to incidents that may impact people and
• the ability of operations to deliver goods and services to the marketplace and to comply with regulatory requirements
- The difference between BCP and DRP is as follows:
• BCP is focused on keeping the business operations running, perhaps in a different location or by using different tools or processes, after the disaster has happened. DRP is focused on restoring business operations after the disaster has taken place.
• BCP often includes Non-IT aspects of the business. DRP often focuses on IT systems
Points to remember:
o The prerequisite for developing a disaster recovery plan is – to have management commitment.
o The PRIMARY GOAL of Disaster Recovery planning and Business continuity planning should always be – Safety of Personnel (Human safety first)
o Occupant Emergency Plan (OEP) provides the response procedures for occupants of a facility in the event a situation poses a threat to the health and safety of personnel
o The critical first step in disaster recovery and contingency planning is – to complete a business impact analysis
o The term “Disaster Recovery” refers to recovery of the technological environment
o The BCP is the ultimate responsibility of the Board of Directors
o Single points of failure and vulnerability to a common disaster are mitigated by geographically dispersing resources.
o Disaster Recovery planning addresses the technological aspect of business continuity planning
o A disaster recovery plan for an organization should focus on reducing the length of recovery time and the cost of recovery.
o The results of tests and drills are the BEST evidence of an organization’s disaster recovery readiness.
o Fault-tolerant hardware is the only technology that provides continuous and uninterrupted support in the event of a disaster or disruption
25. Recovery Point Objective (RPO) and Recovery Time Objective (RTO):
- Recovery Point Objective:
• RPO is determined based on the acceptable data loss in case of disruption of operations.
• RPO indicates the earliest point in time in which it is acceptable to recover the data. For example, if the process can afford to lose the data up to four hours before disaster, then the latest backup available should be up to four hours before disaster or interruption, and the transactions that occurred between the RPO point and the interruption need to be entered after recovery (known as catch-up data)
• RPO effectively quantifies the permissible amount of data loss in case of disruption.
Points to remember:
o The CISA candidate should be familiar with which recovery strategies would be best with different RTO and RPO parameters.
PART 9 – CISA Domain 4 – Information Systems operations, Maintenance and Service Management
• What is Recovery Point Objective (RPO) and Recovery Time Objective (RTO)?
• What are the additional parameters in defining the recovery strategy?
- Interruption window
- Service delivery objective (SDO)
- Maximum tolerable outages
• What are the recovery strategies?
- Hot site
- Cold site
- Warm site
- Reciprocal arrangements
- Recovery Time Objective:
• The RTO is determined based on the acceptable downtime in case of a disruption of operations.
• It indicates the earliest point in time at which the business operations (and supporting IT systems) must resume after disaster
- Both of these concepts are based on time parameters.
- The nearer the time requirements are to the center (0-1 hours), the higher the cost of the recovery strategies.
- If the RPO is in minutes (lowest possible acceptable data loss), then data mirroring or real-time replication should be implemented as the recovery strategy.
- If the RTO is in minutes (lowest acceptable time down), then a hot site, dedicated spare servers (and other equipment) and clustering must be used.
- The table below represents the relationship between RPO and RTO:
Disruption hours | Recovery Time Objective | Recovery Point Objective
0 to 1 hour | Active-Active clustering | Mirroring (Real-time replication)
1 to 4 hours | Active-passive clustering (Hot Standby) | Disk-based back-ups, snapshots, delayed replication, log shipping
4 – 24 hours | Cold Standby | Tape backups, log shipping
26. Additional parameters in defining recovery strategy:
- Interruption window - The maximum period of time the organization can wait from the point of failure to the critical services/applications restoration. After this time, the progressive losses caused by the interruption are unaffordable.
- Service delivery objective (SDO) - Level of services to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs.
- Maximum tolerable outages - Maximum time the organization can support processing in alternate mode. After this point, different problems may arise, especially if the alternate SDO is lower than the usual SDO, and the information pending to be updated can become unmanageable.
27. Recovery strategies:
- A recovery strategy identifies the best way to recover a system (one or many) in case of interruption, including disaster, and provides guidance based on which detailed recovery procedures can be developed
- The selection of a recovery strategy would depend on:
• The criticality of the business process and the applications supporting the processes
• Cost
Points to remember:
o Recovery Point Objective (RPO) will be deemed critical if it is small
o If the Recovery Point Objective (RPO) is close to zero, then it means that the activity is critical and hence the cost of maintaining the environment would be higher
o The LOWEST expenditure in terms of recovery arrangement can be through a Reciprocal agreement
o A hot site is maintained and data mirroring is implemented where the Recovery Point Objective (RPO) is low
o The BEST option to support 24/7 availability is – Data Mirroring
o The metric that describes how long it will take to recover a failed system is – Mean time to Repair (MTTR)
• Time required to recover
• Security
- Recovery strategies based on the risk level identified for recovery are as follows:
• Hot sites - facilities with space and basic infrastructure and all of the IT and communications equipment required to support the critical applications, along with office furniture and equipment for use by the staff.
• Warm sites - are complete infrastructures but are partially configured in terms of IT, usually with network connections and essential peripheral equipment such as disk drives, tape drives and controllers.
• Cold sites - are facilities with the space and basic infrastructure adequate to support resumption of operations, but lacking any IT or communications equipment, programs, data or office support.
• Duplicate information processing facilities
• Mobile sites - are packaged, modular processing facilities mounted on transportable vehicles and kept ready to be delivered and set up at a location that may be specified upon activation
• Reciprocal agreements - are agreements between separate, but similar, companies to temporarily share their IT facilities in the event that one company loses processing capability. Reciprocal agreements are not considered a viable option due to the constraining burden of maintaining hardware and software compatibility between the companies, the complications of maintaining security and privacy compliance during shared operations, and the difficulty of enforcing the agreements should a disagreement arise at the time the plan is activated.
• Reciprocal arrangements with other organisations - are agreements between two or more organizations with unique equipment or applications. Under the typical agreement, participants promise to provide assistance to each other when an emergency arises.
Points to remember:
o The CISA candidate should know these recovery strategies and when to use them
o An offsite information processing facility having electrical wiring, air conditioning and flooring, but no computer or communications equipment is a Cold site
o The type of offsite information processing facility that is often an acceptable solution for preparing for recovery of non-critical systems and data is a cold site
o Data mirroring and parallel processing are both used to provide near-immediate recoverability for time-sensitive systems and transaction processing
o Organizations should use off-site storage facilities to maintain redundancy of current and critical information within backup files.
o An off-site processing facility should not be easily identifiable externally because easy identification would create an additional vulnerability for sabotage
o The GREATEST concern when an organization's backup facility is at a warm site is – Timely availability of hardware.
o The GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies is – Developments may result in hardware and software incompatibility.
PART 10 – CISA Domain 4 – Information Systems operations, Maintenance and Service Management
• What are the different Recovery/Continuity/response teams and their responsibilities?
• What is back-up and restoration?
- Full back-up
- Incremental back-up
- Differential back-up
• What are the disaster recovery testing methods?
- Checklist review
- Parallel test
- Structured walk-through
- Full interruption test
- Simulation test
28. Different Recovery/continuity/response teams and their responsibilities:
- Incident response team
- Emergency action team
- Information security team
- Damage assessment team
- Offsite storage team
- Software team
- Applications team
- Administrative support team
- Salvage team
- Emergency operations team
- Network recovery team
- Communications team
- Transportation team
- User hardware team
- Relocation team
- Legal affairs team
- Recovery test team
- Training team
Points to remember:
o The responsibility of the disaster recovery relocation team is to co-ordinate the process of moving from the hot site to a new location or to the restored original location.
o The responsibility of the offsite storage team is to obtain, pack and ship media and records to the recovery facilities, as well as establishing and overseeing an offsite storage schedule.
o The responsibility of the transportation team is to locate a recovery site, if one has not been predetermined, and coordinate the transport of company employees to the recovery site.
o The responsibility of the salvage team is managing the relocation project and conducting a more detailed assessment of the damage to the facilities and equipment.
29. Back-up and restoration:
- Back-up schemes: There are three main schemes for backup:
• Full back-up - This type of backup scheme copies all files and folders to the backup media, creating one backup set (with one or more media, depending on media capacity)
• Incremental back-up - An incremental backup copies the files and folders that changed or are new since the last incremental or full backup
• Differential back-up - A differential backup will copy all files and folders that have been added or changed since a full backup was performed. This type of backup is faster and requires less media capacity than a full backup and requires only the last full and differential backup sets to make a full restoration
30. Disaster Recovery testing methods:
• Checklist review - This is a preliminary step to a real test. Recovery checklists are distributed to all members of a recovery team to review and ensure that the checklist is current.
• Structured walk-through - Team members physically implement the plans on paper and review each step to assess its effectiveness, identify enhancements, constraints and deficiencies.
• Simulation test - The recovery team role plays a prepared disaster scenario without activating processing at the recovery site.
• Parallel test - The recovery site is brought to a state of operational readiness, but operations at the primary site continue normally.
Points to remember:
o The BEST backup strategy for a large database with data supporting online sales is – Weekly full back-up with daily incremental back-up
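An added worked example, not from the original notes, that puts section 25 (RPO and catch-up data) and section 29 (backup schemes) together in Python: it simulates a weekly full backup followed by daily incremental or differential backups over a constructed week, shows what each day's set copies, which sets a full restoration needs under each scheme, and checks a mid-week disruption against the four-hour RPO used in section 25. File names, dates and the per-day change lists are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed week (not from the original notes): day 0 is the Sunday full backup;
# days 1-6 are daily backups at 00:00. Each entry lists the files changed that day.
DAILY_CHANGES = {
    0: {"a.db", "b.db", "c.db"},   # everything present at the time of the full backup
    1: {"a.db"},
    2: {"b.db"},
    3: {"a.db", "c.db"},
    4: set(),                      # a quiet day: nothing changed
    5: {"b.db"},
    6: {"a.db"},
}
WEEK_START = datetime(2024, 1, 7)   # constructed Sunday
BACKUP_TIMES = [WEEK_START + timedelta(days=d) for d in DAILY_CHANGES]


def at(day, hour=0, minute=0):
    """Constructed timestamp within the sample week (day 0 = Sunday)."""
    return WEEK_START + timedelta(days=day, hours=hour, minutes=minute)


def plan_backups(scheme, changes):
    """Backup sets produced by a weekly-full / daily-<scheme> schedule.
    Returns (day, kind, files_copied) tuples. 'incremental' copies what changed
    since the last backup of any kind (here: that day's changes, since a backup
    runs every day); 'differential' copies everything changed since the full."""
    if scheme not in ("incremental", "differential"):
        raise ValueError(f"unknown scheme: {scheme}")
    sets, since_full = [], set()
    for day in sorted(changes):
        if day == 0:
            sets.append((day, "full", frozenset(changes[day])))
            since_full = set()
            continue
        since_full |= changes[day]
        copied = changes[day] if scheme == "incremental" else since_full
        sets.append((day, scheme, frozenset(copied)))
    return sets


def media_volume(sets):
    """Total number of file copies written across the week (media consumption)."""
    return sum(len(files) for _, _, files in sets)


def restore_chain(sets, restore_day):
    """Backup sets needed to rebuild the system as of restore_day's backup:
    the full set plus every incremental after it, or the full set plus only
    the latest differential (earlier differentials are superseded)."""
    full = [s for s in sets if s[1] == "full" and s[0] <= restore_day][-1]
    later = [s for s in sets if full[0] < s[0] <= restore_day]
    if later and later[-1][1] == "differential":
        return [full, later[-1]]
    return [full] + later


def data_loss_hours(backup_times, disruption, rpo_hours):
    """Catch-up window for a disruption: hours since the last backup taken before
    it (transactions in that window must be re-entered), and whether the window
    fits inside the RPO."""
    last = max(t for t in backup_times if t <= disruption)
    loss = (disruption - last).total_seconds() / 3600
    return loss, loss <= rpo_hours


if __name__ == "__main__":
    for scheme in ("incremental", "differential"):
        sets = plan_backups(scheme, DAILY_CHANGES)
        print(scheme, "copies per day:", [len(f) for _, _, f in sets],
              "total:", media_volume(sets),
              "sets needed to restore Saturday:", len(restore_chain(sets, 6)))
    # Disruption on Wednesday 15:30 with daily backups: a 4-hour RPO is not met
    loss, ok = data_loss_hours(BACKUP_TIMES, at(3, 15, 30), 4)
    print(f"data loss: {loss} h, RPO of 4 h met: {ok}")
```

With only a daily backup the catch-up window is 15.5 hours, which the RPO table in section 25 maps to a 4 to 24 hour tier; meeting a 4-hour RPO would need the disk-based backups, snapshots or log shipping listed for the 1 to 4 hour row.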
  • 86.
    CISA DOMAIN 4– INFORMATION SYSTEMS OPERATIONS, MAINTENANCE AND SERVICE MANAGEMENT 29 | P a g e • Full interruption test - Operations are shut down at the primary site and shifted to the recovery site in accordance with the recovery plan; this is the most rigorous form of testing but is expensive and potentially disruptive. Points to remember: o A continuity plan test that uses actual resources to simulate a system crash to cost-effectively obtain evidence about the plan's effectiveness is preparedness test o The most effective test of DRP for organisations having number of offices across a wide geographical area is preparedness test o The type of BCP test that requires only representatives from each operational area to meet to review the plan is Walk-through test ©Aswini Srinath
  • 87.
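The three backup schemes under item 29 differ in what each daily run copies and in how many sets a restore must replay. The following simulation is an added example, not part of the original study notes: it models a file system as a dict of path to version, runs one backup per day under each scheme, and reports media used against the length of the restore chain (file names and change days are constructed sample data).

```python
"""Full, incremental and differential backups on a toy file system.

Added example for the backup schemes described above; it is not part of the
original study notes. A file system is modelled as {path: version}; one backup
runs per day, day 0 always being a full backup. The file names and the day on
which each file changes are constructed sample data. Deleted files are ignored.
"""
from dataclasses import dataclass, field


@dataclass
class BackupSet:
    day: int
    kind: str                                   # "full", "incremental" or "differential"
    files: dict = field(default_factory=dict)   # path -> version captured on that day


def plan_backups(daily_states, scheme):
    """Run one backup per day under `scheme` and return the BackupSets produced."""
    sets = []
    last_full_state = {}        # file system as it was at the last full backup
    last_backup_state = {}      # file system as it was at the last backup of any kind
    for day, state in enumerate(daily_states):
        if day == 0 or scheme == "full":
            sets.append(BackupSet(day, "full", dict(state)))
            last_full_state = state
        else:
            if scheme == "incremental":
                baseline = last_backup_state    # changed since last incremental or full
            elif scheme == "differential":
                baseline = last_full_state      # changed since the last full backup
            else:
                raise ValueError(f"unknown scheme {scheme!r}")
            changed = {p: v for p, v in state.items() if baseline.get(p) != v}
            sets.append(BackupSet(day, scheme, changed))
        last_backup_state = state
    return sets


def restore_chain(sets):
    """Backup sets needed for a complete restore, oldest first."""
    last_full = max(i for i, s in enumerate(sets) if s.kind == "full")
    later = sets[last_full + 1:]
    if not later:
        return [sets[last_full]]                # full scheme: a single set
    if later[-1].kind == "incremental":
        return [sets[last_full]] + later        # full + every incremental since it
    return [sets[last_full], later[-1]]         # full + the last differential only


def restore(sets):
    """Replay the restore chain; later sets override earlier versions."""
    state = {}
    for s in restore_chain(sets):
        state.update(s.files)
    return state


def files_copied(sets):
    """Total file copies written to backup media (a proxy for media capacity)."""
    return sum(len(s.files) for s in sets)


# Constructed sample week: three files, changes on days 1, 2 and 3, none on day 4.
_BASE = {"db/orders.dat": 1, "db/customers.dat": 1, "web/config.ini": 1}
_CHANGES = [{"db/orders.dat": 2}, {"db/customers.dat": 2}, {"db/orders.dat": 3}, {}]
DAILY_STATES = [dict(_BASE)]
for _change in _CHANGES:
    DAILY_STATES.append({**DAILY_STATES[-1], **_change})


def compare_schemes(daily_states=DAILY_STATES):
    """Per scheme: media used, sets needed to restore, and whether restore is exact."""
    report = {}
    for scheme in ("full", "incremental", "differential"):
        sets = plan_backups(daily_states, scheme)
        report[scheme] = {
            "files_copied": files_copied(sets),
            "sets_to_restore": len(restore_chain(sets)),
            "restore_exact": restore(sets) == daily_states[-1],
        }
    return report


if __name__ == "__main__":
    for scheme, r in compare_schemes().items():
        print(f"{scheme:12s} {r}")
```

On this sample week the incremental scheme writes the fewest file copies but needs the full set plus all four incrementals to restore, while the differential scheme restores from two sets at the cost of recopying changed files every day.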
CISA DOMAIN 5 – PROTECTION OF INFORMATION ASSETS

This article covers –
• Overall understanding of the domain
• Important concepts to focus on from exam point of view
The article is split into 16 parts as below:
• Part 1 – Information Security Management Systems (ISMS) – its importance and key elements
• Part 2 – The classification of information assets, various fraud risk factors, information security control design
• Part 3 – System access permission, Mandatory Access Controls (MACs) and Discretionary Access Controls (DACs) and other types of access controls
• Part 4 – Difference between privacy and confidentiality, privacy principles and the role of IS auditors, the privacy-related compliance requirements
• Part 5 – Critical Success Factors (CSFs) to information security management, the different mechanisms available for raising information security awareness, the various Human Resources security controls
• Part 6 – The various computer crime issues and exposures, the perpetrators in computer crimes, the common attack methods and techniques
• Part 7 – The various phases of incident response, the logical access exposures, Identification and Authentication (I&A)
• Part 8 – The common I&A vulnerabilities, the categorization of authentication, the various authentication techniques
• Part 9 – Biometric access controls, operation of each biometric access control, the various biometric devices/techniques
• Part 10 – The quantitative measures to determine the performance of biometric control devices, single sign-on – its advantages and disadvantages, firewall security systems
• Part 11 – The general features of a firewall, the types of firewall, packet filter firewall – its advantages and disadvantages
• Part 12 – Application firewall systems – advantages and disadvantages, stateful inspection firewall – advantages and disadvantages, the various firewall implementations that are commonly used
• Part 13 – Intrusion Detection Systems (IDS) – types, components and features
• Part 14 – The limitations of Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), honeypots and their types
• Part 15 – Honeynets, cryptography, encryption and decryption
• Part 16 – Digital signature, the various environmental issues and exposures in information security, the controls for environmental exposures, the various physical access issues and exposures in information security, the controls for physical access exposures
Overall understanding of the domain:
• Weightage - This domain constitutes 25 percent of the CISA exam (approximately 38 questions)
• Covers 26 Knowledge statements covering the process of auditing information systems
1. Knowledge of generally accepted practices and applicable external requirements (e.g., laws, regulations) related to the protection of information assets
2. Knowledge of privacy principles
3. Knowledge of the techniques for the design, implementation, maintenance, monitoring and reporting of security controls
4. Knowledge of physical and environmental controls and supporting practices related to the protection of information assets
5. Knowledge of physical access controls for the identification, authentication and restriction of users to authorized facilities and hardware
6. Knowledge of logical access controls for the identification, authentication and restriction of users to authorized functions and data
7. Knowledge of the security controls related to hardware, system software (e.g., applications, operating systems) and database management systems
8. Knowledge of risk and controls associated with virtualization of systems
9. Knowledge of risk and controls associated with the use of mobile and wireless devices, including personally owned devices (bring your own device [BYOD])
10. Knowledge of voice communications security (e.g., PBX, Voice-over Internet Protocol [VoIP])
11. Knowledge of network and Internet security devices, protocols and techniques
12. Knowledge of the configuration, implementation, operation and maintenance of network security controls
13. Knowledge of encryption-related techniques and their uses
14. Knowledge of public key infrastructure (PKI) components and digital signature techniques
15. Knowledge of risk and controls associated with peer-to-peer computing, instant messaging and web-based technologies (e.g., social networking, message boards, blogs, cloud computing)
16. Knowledge of data classification standards related to the protection of information assets
17. Knowledge of the processes and procedures used to store, retrieve, transport and dispose of confidential information assets
18. Knowledge of risk and controls associated with data leakage
19. Knowledge of security risk and controls related to end-user computing
20. Knowledge of methods for implementing a security awareness program
21. Knowledge of information system attack methods and techniques
22. Knowledge of prevention and detection tools and control techniques
23. Knowledge of security testing techniques (e.g., penetration testing, vulnerability scanning)
24. Knowledge of processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team)
25. Knowledge of the processes followed in forensics investigation and procedures in collection and preservation of the data and evidence (i.e., chain of custody)
26. Knowledge of fraud risk factors related to the protection of information assets
PART 1 – CISA Domain 5 – Protection of Information assets
» Overall understanding of the domain
» What is an Information Security Management System (ISMS)?
» What is the importance of an Information Security Management System (ISMS)?
» What are the key elements of Information security management?
Important concepts from exam point of view:
1. What is an Information Security Management System (ISMS)?
❖ Represents the collation of all the interrelated/interacting information security elements of an organization, so that policies, procedures and objectives can be created, implemented, communicated and evaluated to better guarantee the organization's overall information security
❖ This system is typically influenced by the organization's needs, objectives, security requirements, size and processes
❖ Includes and lends itself to effective risk management and mitigation strategies
2. What is the importance of an Information Security Management System (ISMS)?
❖ Ensure the continued availability of the organization's information systems and data.
❖ Ensure the integrity of the information stored on its computer systems and while in transit.
❖ Preserve the confidentiality of sensitive data while stored and in transit.
❖ Ensure conformity to applicable laws, regulations and standards.
❖ Ensure adherence to trust and obligation requirements in relation to any information relating to an identified or identifiable individual (i.e., data subject), in accordance with the organization's privacy policy or applicable privacy laws and regulations.
❖ Ensure that sensitive data are adequately protected while stored and when in transit, based on organizational requirements.
3. What are the key elements of Information security management?
❖ An ISMS is defined in the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000 series of standards and guidelines
❖ The first standard in this series was ISO/IEC 17799:2000; this was a fast-tracking of the existing British standard BS 7799 Part 1:1999
❖ The initial release of BS 7799 was based, in part, on an information security policy manual developed by the Royal Dutch/Shell Group in the late 1980s and early 1990s
❖ The ISO 27000 series includes:
o ISO 27001
o ISO 27002
o ISO 27003
o ISO 27004
o ISO 27005
PART 2 – CISA Domain 5 – Protection of Information assets
» What are the classifications of Information assets?
» What are the various fraud risk factors?
» What is Information Security Control design?
4. What are the classifications of Information assets?
❖ Effective control requires a detailed inventory of information assets.
❖ Creating this list is the first step in classifying assets and determining the level of protection needed for each asset.
❖ Information assets have varying degrees of sensitivity and criticality in meeting business objectives
❖ Classification of information assets reduces the risk and cost of over- or under-protecting information resources, and links security to business objectives, because it helps to build and maintain a consistent perspective of the security requirements for information assets throughout the organization
❖ Most organizations use a classification scheme with three to five levels of sensitivity.
❖ The number of classification categories should take into consideration the size and nature of the organization and the fact that complex schemes may become too impractical to use.
❖ Data classification is a major part of managing data as an asset.
❖ Data classification as a control measure should define:
- The importance of the information asset
- The information asset owner
- The process for granting access
- The person responsible for approving the access rights and access levels
- The extent and depth of security controls
❖ If documents or media are not labeled according to a classification scheme, this is an indicator of potential misuse of information. Users might reveal confidential information because they did not know that the requirements prohibited disclosure.
❖ The below is an example of a classification of assets:
- HIGHLY RESTRICTED: This classification label applies to the most private or otherwise sensitive information of the Company. Information under this classification shall be strictly monitored and controlled at all times. (e.g. merger and acquisition documents, corporate-level strategic plans, litigation strategy memos, reports on breakthrough new product research, and trade secrets such as certain computer programs.)
- CONFIDENTIAL: This classification label applies to Company information which is private or otherwise sensitive in nature and shall be restricted to those with a legitimate business need for access. (e.g. employee performance evaluations, customer transaction data, strategic alliance agreements, unpublished internally generated market research, computer passwords, identity token personal identification numbers (PINs), and internal audit reports.)
- INTERNAL USE ONLY: This classification label applies to information intended for use within the Company, and in some cases within affiliated organizations, such as business partners of the Company. Assets of this type are widely distributed within the Company and may be distributed within the Company without permission from the information asset owner. (e.g. telephone directory, dial-up computer access numbers, new employee training materials, and internal policy manuals.)
- PUBLIC: This classification applies to information that has been explicitly approved by the Company's management for release to the public. Assets of this type may be circulated without potential harm. (e.g. product and service brochures, advertisements, job opening announcements, and press releases.)
5. What are the various fraud risk factors?
❖ Fraud is the crime of using dishonest methods to take something valuable from a person or organization.
❖ There can be many reasons why a person commits fraud, but one of the more accepted models is the fraud triangle, which was developed by criminologist Donald R. Cressey
❖ The below are the three key elements in the fraud triangle:
I. Motivation - a perceived financial (or other) need
II. Rationalization - the way the fraudster justifies the crime to himself/herself
III. Opportunity - the method by which the crime is to be committed. Opportunity is created by abuse of position and authority, poor internal controls, poor management oversight, etc.
6. What is Information Security Control design?
❖ Information security is maintained through the use of controls
❖ Controls can be:
- Proactive controls – controls which attempt to prevent an incident (safeguards)
- Reactive controls – controls that allow the detection, containment and recovery from an incident (countermeasures)
❖ Every organization has some controls in place, and a risk assessment should document these controls and their effectiveness in mitigating risk
❖ An effective control is one that prevents, detects and/or contains an incident and enables recovery from an event
❖ Controls are divided into three categories:
- Managerial controls - Controls related to the oversight, reporting, procedures and operations of a process. These include policy, procedures, balancing, employee development and compliance reporting.
- Technical controls - Also known as logical controls; they are provided through the use of technology, a piece of equipment or a device. Examples include firewalls, network- or host-based intrusion detection systems (IDSs), passwords, and antivirus software. A technical control requires proper managerial (administrative) controls to operate correctly.
- Physical controls - Locks, fences, closed-circuit TV (CCTV), and devices that are installed to physically restrict access to a facility or hardware. Physical controls require maintenance, monitoring and the ability to assess and react to an alert should a problem be indicated.
❖ Controls within the above groups can be classified into:
- Preventive controls - Internal controls which are deployed to prevent the occurrence of an event that might affect achievement of organizational objectives
- Detective controls - Controls that seek to identify when preventive controls were not effective in preventing errors and irregularities, particularly in relation to the safeguarding of assets.
- Corrective controls - When detective control activities identify an error or irregularity, corrective control activities should then determine what could or should be done to fix it, and ideally put a new control in place to prevent it the next time around.
Points to remember:
1. Security awareness training is the MOST effective way to reduce social engineering incidents.
2. Non-repudiation is a message service that provides the strongest evidence that a specific action has occurred
PART 3 – CISA Domain 5 – Protection of Information assets
» What is System Access Permission?
» What are Mandatory Access Controls (MACs) and Discretionary Access Controls (DACs)?
» What are the other types of Access controls?
- Role-based access control (RBAC)
- Rule-based access control (RAC)
- Organization-based access control (OrBAC)
7. What is System Access Permission?
❖ System access permission is the prerogative to act on a computer resource.
❖ This usually refers to a technical privilege, such as the ability to read, create, modify or delete a file or data; execute a program; or open or use an external connection
❖ System access to computerized information resources is established, managed and controlled at:
- the physical level and/or
- the logical level
❖ Physical controls:
- These controls restrict the entry and exit of personnel to an area such as an office building, suite, data center or room containing information processing equipment such as a local area network (LAN) server.
- There are many types of physical access controls, including badges, memory cards, guard keys, true floor-to-ceiling wall construction, fences, locks and biometrics.
❖ Logical system access controls:
- Restrict the logical resources of the system (transactions, data, programs, applications) and are applied when the subject resource is needed.
- On the basis of identification and authentication of the user that requires a given resource, and by analyzing the security profiles of the user and the resource, it is possible to determine whether the requested access is to be allowed (i.e., what information users can utilize, the programs or transactions they can run, and the modifications they can make).
- Such controls may be built into the operating system (OS), invoked through separate access control software, and incorporated into application programs, database systems, network control devices and utilities (e.g., real-time performance monitors).
8. What are Mandatory Access Controls (MACs) and Discretionary Access Controls (DACs)?
❖ Mandatory Access Controls (MACs):
- MACs are logical access control filters used to validate access credentials that cannot be controlled or modified by normal users or data owners; they act by default
- With mandatory access control, the security policy is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted
❖ Discretionary Access Controls (DACs):
- Controls that may be configured or modified by the users or data owners
- This would be the case of data owner-defined sharing of information resources, where the data owner may select who will be enabled to access his/her resource and the security level of this access.
- DACs cannot override MACs; DACs act as an additional filter, prohibiting still more access with the same exclusionary principle.
9. What are the other types of Access controls?
- Role-based access control (RBAC) - Provides access based on the position an individual holds in the organization
- Rule-based access control (RAC) – Dynamically assigns rules to users based on criteria defined by the owner or system administrator
- Organization-based access control (OrBAC) - Allows the policy designer to define a security policy independently of the implementation
Points to remember:
1. Security administration efforts are BEST reduced through the deployment of Role-based access controls (RBACs)
PART 4 – CISA Domain 5 – Protection of Information assets
» What does privacy mean and how is it different from confidentiality?
» What are the privacy principles and the role of IS auditors?
» What are the privacy-related compliance requirements?
o ISO/IEC 29100:2011
o ISO/IEC 27018:2014
o ISO/IEC 27701:2019
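The statement in item 8 that DACs act only as an additional filter and cannot override MACs is easiest to see as two checks evaluated in order. The following model is an added example, not part of the original study notes or of any product: the MAC layer compares a centrally assigned clearance against the resource's classification label (using the four labels from the sample scheme in item 4), and the DAC layer is an owner-maintained access list; users, clearances and the resource are constructed sample data.

```python
"""Mandatory and discretionary access control as two layered filters.

Added example for items 4 and 8 above; it is not part of the original study
notes or of any product. The MAC policy compares a centrally assigned clearance
with the resource's classification label; the DAC layer is an owner-maintained
access list. Users, clearances and resources are constructed sample data.
"""
from dataclasses import dataclass, field

# Ordered sensitivity levels: a subject may read a resource only if its
# clearance is at least the resource's classification (set by the policy admin).
LEVELS = {"PUBLIC": 0, "INTERNAL USE ONLY": 1, "CONFIDENTIAL": 2, "HIGHLY RESTRICTED": 3}


@dataclass
class Subject:
    name: str
    clearance: str


@dataclass
class Resource:
    name: str
    classification: str
    owner: str
    acl: set = field(default_factory=set)   # DAC: names the owner has granted read access


def mac_permits(subject, resource):
    """Mandatory layer: enforced by the system, not changeable by users or owners."""
    return LEVELS[subject.clearance] >= LEVELS[resource.classification]


def dac_permits(subject, resource):
    """Discretionary layer: the owner decides who else may read."""
    return subject.name == resource.owner or subject.name in resource.acl


def decide(subject, resource):
    """Return (allowed, reason). MAC is evaluated first and DAC cannot bypass it."""
    if not mac_permits(subject, resource):
        return False, (f"MAC deny: clearance {subject.clearance} is below "
                       f"{resource.classification}")
    if not dac_permits(subject, resource):
        return False, "DAC deny: not the owner and not on the owner's access list"
    return True, "allow: both MAC and DAC satisfied"


def owner_grant(actor, resource, grantee):
    """DAC operation: only the owner may edit the ACL; the MAC labels are untouched."""
    if actor.name != resource.owner:
        raise PermissionError(f"{actor.name} is not the owner of {resource.name}")
    resource.acl.add(grantee.name)


def owner_revoke(actor, resource, grantee):
    """DAC operation: the owner withdraws a grant; again MAC labels are untouched."""
    if actor.name != resource.owner:
        raise PermissionError(f"{actor.name} is not the owner of {resource.name}")
    resource.acl.discard(grantee.name)


def demo():
    """Walk through the cases the notes describe and return the decisions."""
    alice = Subject("alice", "CONFIDENTIAL")           # data owner
    bob = Subject("bob", "INTERNAL USE ONLY")           # insufficient clearance
    carol = Subject("carol", "HIGHLY RESTRICTED")       # cleared, but not yet granted
    payroll = Resource("payroll.xlsx", "CONFIDENTIAL", owner="alice")

    results = {}
    results["owner_reads"] = decide(alice, payroll)[0]
    results["bob_before_grant"] = decide(bob, payroll)
    owner_grant(alice, payroll, bob)                    # owner tries to share with bob
    results["bob_after_grant"] = decide(bob, payroll)   # still denied: DAC cannot override MAC
    results["carol_before_grant"] = decide(carol, payroll)  # cleared, but DAC filters her out
    owner_grant(alice, payroll, carol)
    results["carol_after_grant"] = decide(carol, payroll)
    owner_revoke(alice, payroll, carol)
    results["carol_after_revoke"] = decide(carol, payroll)[0]
    try:                                                # a non-owner may not edit the ACL
        owner_grant(bob, payroll, bob)
        results["bob_self_grant"] = "allowed"
    except PermissionError:
        results["bob_self_grant"] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20s} {outcome}")
```

The reason string returned by `decide` is what an audit log would record, so a reviewer can tell a mandatory denial from a discretionary one.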
10. What does privacy mean and how is it different from confidentiality?
❖ Privacy means freedom from unauthorized intrusion or disclosure of information about an individual (data subject).
❖ It is an organization-wide matter that, by its nature, requires a consistent approach throughout the organization
❖ Good practice to ensure this includes the following:
- Privacy should be considered from the outset and be built in by design.
- Private data should be collected fairly, in an open, transparent manner. Only the data required for the purpose should be collected in the first instance.
- Private data should be kept securely throughout their life cycle.
- Private data should only be used and/or disclosed for the purpose for which they were collected.
- Private data should be accurate, complete and up to date.
- Private data should be deleted when they are no longer required.
❖ In terms of information, privacy is the right of an individual to have some control over how his or her personal information (or personal health information) is collected, used and/or disclosed. Confidentiality, on the other hand, is a far slimmer concept than privacy. Confidentiality is the duty to ensure information is kept secret only to the extent possible.
❖ Privacy is about a person, whereas confidentiality is about information. Privacy restricts the public from accessing the personal details of a person, whereas confidentiality protects the information from unauthorized persons
11. What are the privacy principles and the role of IS auditors?
❖ IS auditors may be asked to support or perform a review of a privacy impact analysis. Such assessments should:
- Pinpoint the nature of personally identifiable information associated with business processes.
- Document the collection, use, disclosure and destruction of personally identifiable information.
- Ensure that accountability for privacy issues exists.
- Identify legislative, regulatory and contractual requirements for privacy.
- Be the foundation for informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk.
❖ The IS auditor may also be called on to give assurance on compliance with privacy policy, laws and other regulations. To fulfill this role, the IS auditor should:
- Identify and understand legal requirements regarding privacy from laws, regulations and contract agreements. Examples include the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, European Union Data Protection Directives and the US-EU Safe Harbor Framework. Depending on the assignment, IS auditors may need to seek legal or expert opinion on these.
- Review management's privacy policy to ascertain whether it takes into consideration the requirements of these privacy laws and regulations.
- Check whether personal sensitive data are correctly managed with respect to these requirements.
- Verify that the correct security measures are adopted.
12. What are the privacy-related compliance requirements?
❖ ISO/IEC 29100:2011 – Information technology - Security techniques - Privacy framework - provides a privacy framework which:
- specifies a common privacy terminology;
- defines the actors and their roles in processing personally identifiable information (PII);
- describes privacy safeguarding considerations; and
- provides references to known privacy principles for information technology.
❖ ISO/IEC 27018:2014 – Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
❖ ISO/IEC 27701:2019 – Privacy extension of ISO/IEC 27001
- The design goal is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain and continually improve a Privacy Information Management System (PIMS).
- The standard outlines a framework for Personally Identifiable Information (PII) controllers and PII processors to manage privacy controls so as to reduce the risk to the privacy rights of individuals
13. What are the Critical Success Factors to Information Security Management?
❖ Security awareness, training and education:
- A security awareness program should include the following:
o Training (often administered online)
o Quizzes to gauge retention of training concepts
o Security awareness reminders such as posters, newsletters or screensavers
o A regular schedule of refresher training
❖ Strong leadership, direction and commitment by senior management on security training is needed. This commitment should be supported with a comprehensive program of formal security awareness training
❖ A professional risk-based approach must be used systematically to identify sensitive and critical information resources and to ensure that there is a clear understanding of threats and risk. Thereafter, appropriate risk assessment activities should be undertaken to mitigate unacceptable risk and ensure that residual risk is at an acceptable level
14. What are the different mechanisms available for raising information security awareness?
❖ Computer-based security awareness and training programs
❖ Email reminders and security tips
❖ Written security policies and procedures (and updates)
❖ Nondisclosure statements signed by the employee
❖ Use of different media in promulgating security (e.g., company newsletter, web page, videos, posters, login reminders)
❖ Visible enforcement of security rules
❖ Simulated security incidents for improving security
❖ Rewarding employees who report suspicious events
❖ Periodic reviews
❖ Job descriptions
PART 5 – CISA Domain 5 – Protection of Information assets
» What are the Critical Success Factors to Information Security Management?
» What are the different mechanisms available for raising information security awareness?
» What are the various Human Resources security controls?
15. What are the various Human Resources security controls?
❖ Screening and background verifications and checks:
- All candidates for employment, contractors or third-party users should be subject to background verification checks.
- These should be carried out and documented in accordance with relevant laws, regulations and ethics, and be proportional to the business requirements, the classification of the information to be accessed and the perceived risk.
- The same process should be followed for candidates hired through an agency.
❖ During employment:
- Application of security policies:
✓ Management should require employees, contractors and third-party users to apply security in accordance with the established policies and procedures of the organization.
✓ Management responsibilities should be defined to ensure that security is applied throughout an individual's employment within the organization.
✓ A formal disciplinary process for handling security breaches should be established.
- Documentation of responsibilities in the job description: Specific responsibilities should be documented in approved job descriptions. This will help ensure that employees, contractors and third-party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work and to reduce the risk of human error
- Employee education, training and awareness: An adequate level of awareness, education and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third-party users to minimize possible security risk.
❖ Termination or change of employment:
- When an employee, contractor or third-party user exits the organization, responsibilities should be in place to manage this process, including the return of all equipment and removal of all access rights.
- Communication of termination responsibilities should include ongoing security requirements and legal responsibilities.
- Where appropriate, responsibilities contained within any confidentiality agreement and the terms and conditions of employment that continue for a defined period after the end of the employee's, contractor's or third-party user's employment should also be communicated.
- Responsibilities and duties still valid after termination of employment should be contained in the employee's, contractor's or third-party user's contract.
❖ Removal of access rights:
- The access rights of all employees, contractors and third-party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.
- The access rights that should be removed or adapted include physical and logical access, keys, identification cards, information processing facilities, subscriptions, and removal from any documentation that identifies them as a current member of the organization. This should include notifying partners and relevant third parties if a departing employee has access to the third party's premises.
- If a departing employee, contractor or third-party user has known passwords for accounts that remain active, these should be changed upon termination or change of employment, contract or agreement.
- Access rights for information assets and information processing facilities should be reduced or removed before the employment terminates or changes, depending on the evaluation of risk factors such as:
• Whether the termination or change is initiated by the employee, contractor or third-party user, or by management, and the reason for the termination
• The current responsibilities of the employee, contractor or any other user
• The value of the assets currently accessible
PART 6 – CISA Domain 5 – Protection of Information assets
» What are the various Computer crime issues and exposures?
» Who are the perpetrators in computer crimes?
- Hackers
- Nations
- Script kiddies
- Educated or interested outsiders
- Employees
- Part-time and temporary personnel
- IT personnel
- Third parties
- End users
- Opportunists
- Former employees
» What are the common attack methods and techniques?
- Alteration attack
- War driving
- Botnets
- Eavesdropping (active and passive)
- Brute force attack
- Man-in-the-middle
- War dialing
- Interrupt attack
- War chalking
- Masquerading
- War walking
- Pharming
- Piggybacking
- Salami
Points to remember:
1. The primary/best method for assuring the integrity of a prospective staff member is background screening
2. When an employee is terminated from service, the MOST important action is to disable the employee's logical access.
16. What are the various Computer crime issues and exposures?
❖ Computer systems can be used to fraudulently obtain money, goods, software or corporate information.
❖ Crimes can also be committed when the computer application process or data are manipulated to accept false or unauthorized transactions.
❖ Computer crime can be performed without anything physically being taken or stolen, and it can be done remotely.
❖ Threats to business include:
- Financial loss - These losses can be direct, through loss of electronic funds, or indirect, through the costs of correcting the exposure.
- Legal repercussions –
o A person cannot use another person's material without citation and reference. An author has the right to sue a plagiarist. Some plagiarism may also be deemed a criminal offense, possibly leading to a prison sentence.
o The IS auditor should obtain legal assistance when reviewing the legal issues associated with computer security.
- Loss of credibility or competitive edge –
o Many organizations, especially service firms such as banks, savings and loans and investment firms, need credibility and public trust to maintain a competitive edge.
o A security violation can damage this credibility severely, resulting in loss of business and prestige
- Blackmail/industrial espionage/organized crime –
o Blackmail - an act of coercion using the threat of revealing or publicizing either substantially true or false information about a person or people unless certain demands are met. It is often damaging information, and may be revealed to family members or associates rather than to the general public.
o Industrial espionage – spying directed towards discovering the secrets of a rival manufacturer or other industrial company.
o Organized crime - a category of transnational, national or local groupings of highly centralized enterprises run by criminals to engage in illegal activity, most commonly for profit. Some criminal organizations, such as terrorist groups, are politically motivated.
- Disclosure of confidential, sensitive or embarrassing information - As noted previously, such events can damage an organization's credibility and its means of conducting business. Legal or regulatory actions against the company may also result from disclosure.
- Sabotage –
o A deliberate action aimed at weakening a polity, effort or organization through subversion, obstruction, disruption or destruction.
o "Hacktivism" occurs when perpetrators make nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends.
17. Who are the perpetrators in computer crimes?
❖ Perpetrators in computer crimes are often the same people who exploit physical exposures, although the skills needed to exploit logical exposures are more technical and complex.
❖ The following are the probable perpetrators in computer crimes:
o Hackers:
- Hackers are also known as crackers.
- Persons with the ability to explore the details of programmable systems and the knowledge to stretch or exploit their capabilities, whether ethical or not.
- Hackers are typically attempting to test the limits of access restrictions to prove their ability to overcome the obstacles
- Some hackers seek to commit a crime through their actions for some level of personal gain or satisfaction
o Script kiddies:
- Script kiddies are also known as skiddies.
- A script kiddie is an unskilled individual who uses existing computer scripts or code to break into computers, lacking the expertise to write their own.
  o Employees (authorized or unauthorized):
    - Affiliated with the organization and given system access based on job responsibilities, these individuals can cause significant harm to an organization. Therefore, screening prospective employees through appropriate background checks is an important means of preventing computer crimes within the organization.
  o IT personnel:
    - These individuals have the easiest access to computerized information, as they are the custodians of this information. In addition to logical access controls, good segregation of duties (SoD) and supervision help in reducing logical access violations by these individuals.
  o End users:
    - Personnel who often have broad knowledge of the information within the organization and have easy access to internal resources.
  o Former employees:
    - Employees who have left on unfavourable terms may still have access if it was not immediately removed at the time of the employee's termination, or if the system has "back doors".
  o Nations:
    - As more critical infrastructure is controlled from the Internet (e.g., supervisory control and data acquisition [SCADA] systems) and more of a nation's key organizations and businesses rely on the Internet, it is not uncommon for nations to attack each other.
  o Interested or educated outsiders – These may include competitors, terrorists, organized criminals, hackers looking for a challenge, script kiddies acting out of curiosity, joyriding and testing their newly acquired tools/scripts and exploits, crackers and phreakers.
  o Part-time and temporary personnel:
    - Remember that facility contractors such as office cleaners often have a great deal of physical access and could perpetrate a computer crime.
  o Third parties:
    - Vendors, visitors, consultants or other third parties who, through projects, gain access to the organization's resources and could perpetrate a crime.
  o Accidental unaware:
    - Someone who unknowingly perpetrates a violation.
  o Opportunists:
    - Where information is inadvertently left unattended or left for destruction, a passerby can access it.
18. What are the common attack methods and techniques?
❖ Alteration attack:
  - Occurs when unauthorized modifications affect the integrity of the data or code. A cryptographic hash is the primary defense against alteration attacks.
❖ Botnets:
  - Short form of "robot network".
  - Botnets comprise a collection of compromised computers (called zombie computers) running software, usually installed via worms, Trojan horses or back doors.
  - Examples of their use are denial-of-service (DoS) attacks, adware, spyware and spam.
❖ Brute force attack:
  - An attack launched by an intruder, using one of the many password-cracking tools available at little or no cost, on encrypted passwords, in an attempt to gain unauthorized access to an organization's network or host-based systems.
  - The attacker systematically checks all possible passwords and passphrases until the correct one is found.
❖ War dialing:
  - Also known as a dial-in penetration attack.
  - A technique to automatically scan a list of telephone numbers, usually dialing every number in a local area code, to search for modems, computers, bulletin board systems (computer servers) and fax machines.
❖ War driving:
  - The act of searching for Wi-Fi wireless networks, usually from a moving vehicle, using a laptop or smartphone.
  - The practice of driving around businesses or residential neighborhoods while scanning with a laptop computer, hacking tool software and sometimes a global positioning system (GPS) to search for wireless network names.
❖ War walking:
  - Similar to war driving, but a vehicle is not used. The potential hacker walks around the vicinity with a handheld device. Currently, there are several free hacking tools that fit in these mini-devices.
❖ War chalking:
  - The practice of marking a series of symbols (outward-facing crescents) on sidewalks and walls to indicate nearby wireless access points.
  - These markings are used to identify hotspots, where other computer users can connect to the Internet wirelessly and at no cost.
  - War chalking was inspired by the practice of unemployed migrant workers, during the Great Depression in the US, of using chalk marks to indicate which homes were friendly.
❖ Eavesdropping:
  - Also known as a "sniffing" or "snooping" attack.
  - An intruder gathers the information flowing through the network with the intent of acquiring and releasing the message contents, either for personal analysis or for third parties who might have commissioned such eavesdropping.
  - This is significant when considering that sensitive information traversing a network can be seen in real time by all other machines, including email, passwords and, in some cases, keystrokes.
  - These activities can enable the intruder to gain unauthorized access, to fraudulently use information such as credit card accounts and to compromise the confidentiality of sensitive information that could jeopardize or harm an individual's or an organization's reputation.
  - There are two types of eavesdropping attack:
    o Passive eavesdropping – The hacker simply listens to data that is passing through the network.
    o Active eavesdropping – The hackers disguise themselves. This allows them to impersonate a website where users would normally share their private data.
❖ Interrupt attack:
  - Occurs when a malicious action is performed by invoking the OS to execute a particular system call.
  - Example: A boot sector virus typically issues an interrupt to execute a write to the boot sector.
❖ Man-in-the-middle attack:
  o The following scenarios are possible:
    - The attacker actively establishes a connection to two devices. The attacker connects to both devices and pretends to each of them to be the other device. Should the attacker's device be required to authenticate itself to one of the devices, it passes the authentication request to the other device and then sends the response back to the first device. Having authenticated himself/herself in this way, the attacker can then interact with the device as he/she wishes. To successfully execute this attack, both devices have to be connectable.
    - The attacker interferes while the devices are establishing a connection. During this process, the devices have to synchronize the hop sequence that is to be used. The aggressor can prevent this synchronization so that both devices use the same sequence but a different offset within the sequence.
  o Types of man-in-the-middle attack – IP spoofing, DNS spoofing, HTTPS spoofing, SSL hijacking, e-mail hijacking, Wi-Fi eavesdropping, stealing browser cookies.
❖ Masquerading:
  o The term masquerade means "pretend to be someone one is not / be disguised or passed off as something else".
  o An active attack in which the intruder presents an identity other than the original identity. The purpose is to gain access to sensitive data or computing/network resources to which access is not allowed under the original identity.
  o Impersonation both by people and by machines falls under this category.
❖ Pharming:
  o An attack that aims to redirect the traffic of a web site to a bogus web site.
  o In recent years, both pharming and phishing have been used to steal identity information.
  o Pharming has become a major concern to businesses hosting e-commerce and online banking web sites. For example, a web page may be created to deceive visitors into believing that it is another company's web page: a user may create a web page that appears to be for a specific bank, requesting a username and password for login.
  o Sophisticated measures known as anti-pharming are required to protect against this serious threat. Antivirus software and spyware removal software cannot protect against pharming.
❖ Piggybacking:
  o A piggyback attack is an active form of wiretapping.
  o The act of following an authorized person through a secured door, or electronically attaching to an authorized telecommunications link to intercept and possibly alter transmissions.
  o Piggybacking is considered a physical access exposure.
❖ Salami:
  o A salami attack is a series of minor attacks that together result in a larger attack.
  o Involves slicing small amounts of money from a computerized transaction or account.
  o A real-world example: an employee of a bank in the USA had his employment terminated. The man introduced a logic bomb into the bank's servers. The logic bomb was programmed to debit ten cents from all the accounts registered in the bank and transfer them into the account of the person whose name was alphabetically the last in the bank's records. Later, he opened an account in the name of Ziegler. The amount transferred was so little that nobody noticed the fault. However, it was brought to light when a person by the name of Zygler opened his account in the same bank. He was surprised to find a large amount of money being transferred into his account every week. He reported the "mistake" to the bank and the former employee was prosecuted.
Points to remember:
1. Active attack based on if-then logic – Logic bomb
2. Ping of Death is a form of denial-of-service attack
3. The expansion of a network infrastructure to support a wireless solution increases the risk of which type of attack – War driving
4. Sniffing is an attack that can be used to capture sensitive pieces of information (e.g., a password) passing through the network
5. Spoofing is forging an address and inserting it into a packet to disguise the origin of the communication.
6. Data destruction is erasing information or removing it from its original location.
7. Traffic analysis is a passive attack on a network
8. Message modification, masquerading and denial-of-service attacks are active attacks on a network
9. A monitored double-doorway entry system, also referred to as a mantrap or dead man door, is used as a deterrent control for the vulnerability of piggybacking.
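As an added example (not from the original notes), the following Python detects the salami pattern of the bank anecdote above in a transaction ledger: one beneficiary receiving many small, fixed-size credits from many different accounts across several dates. The ledger lines, account numbers and detection thresholds are constructed for illustration.

```python
"""Detecting a salami attack in a transaction ledger (constructed example).

No single ten-cent transfer looks wrong, so the detection has to aggregate
per beneficiary: many distinct source accounts, tiny amounts, repeated over
time.
"""
from collections import defaultdict
from decimal import Decimal
from typing import Dict, List, Set, Tuple

# Constructed ledger, CSV-style: date,from_account,to_account,amount
LEDGER_LINES = """\
2024-03-01,ACC1001,ACC9999,0.10
2024-03-01,ACC1002,ACC9999,0.10
2024-03-01,ACC1003,ACC9999,0.10
2024-03-01,ACC1004,ACC9999,0.10
2024-03-01,ACC1005,ACC9999,0.10
2024-03-01,ACC1002,ACC2000,250.00
2024-03-08,ACC1001,ACC9999,0.10
2024-03-08,ACC1002,ACC9999,0.10
2024-03-08,ACC1003,ACC9999,0.10
2024-03-08,ACC1004,ACC9999,0.10
2024-03-08,ACC1005,ACC9999,0.10
2024-03-08,ACC1003,ACC2000,12.50
2024-03-08,ACC1004,ACC3000,0.10
"""

Transaction = Tuple[str, str, str, Decimal]


def parse_ledger(text: str) -> List[Transaction]:
    """Parse ledger lines into (date, src, dst, amount) tuples.
    Decimal is used so that currency sums do not pick up float rounding."""
    txns: List[Transaction] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, src, dst, amount = line.split(",")
        txns.append((date, src, dst, Decimal(amount)))
    return txns


def salami_suspects(
    txns: List[Transaction],
    max_amount: Decimal = Decimal("1.00"),
    min_sources: int = 4,
    min_dates: int = 2,
) -> Dict[str, Tuple[int, int, Decimal]]:
    """Return beneficiaries that receive amounts <= max_amount from at least
    min_sources distinct accounts on at least min_dates distinct dates.

    Result: {beneficiary: (distinct sources, distinct dates, total credited)}.
    Thresholds are constructed defaults; tune them to the institution's data.
    """
    sources: Dict[str, Set[str]] = defaultdict(set)
    dates: Dict[str, Set[str]] = defaultdict(set)
    totals: Dict[str, Decimal] = defaultdict(Decimal)
    for date, src, dst, amount in txns:
        if amount <= max_amount:          # only the "slices" are of interest
            sources[dst].add(src)
            dates[dst].add(date)
            totals[dst] += amount
    return {
        dst: (len(sources[dst]), len(dates[dst]), totals[dst])
        for dst in sources
        if len(sources[dst]) >= min_sources and len(dates[dst]) >= min_dates
    }


if __name__ == "__main__":
    for beneficiary, (n_src, n_dates, total) in salami_suspects(
        parse_ledger(LEDGER_LINES)
    ).items():
        print(f"{beneficiary}: {n_src} sources over {n_dates} dates, total {total}")
```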
PART 7 – CISA Domain 5 – Protection of Information assets
» What are the various phases of incident response?
» What are the logical access exposures?
» What is identification and authentication (I&A)?
19. What are the various phases of incident response?
I. Planning and preparation
II. Detection
III. Initiation
IV. Recording
V. Evaluation
VI. Containment
VII. Eradication
VIII. Escalation
IX. Response
X. Recovery
XI. Closure
XII. Reporting
XIII. Post-incident review
XIV. Lessons learned
20. What are the logical access exposures?
❖ Exposures that arise through accidental or intentional exploitation of logical access control weaknesses include technical exposures such as destroying data, compromising system usability and disrupting processing resources at the network, platform, database or application level.
❖ Technical exposures include the following:
  o Data leakage:
    - Involves siphoning or leaking information out of the computer.
    - This can involve dumping files to paper, or can be as simple as stealing computer reports and tapes.
    - Unlike product leakage, data leakage leaves the original copy, so it may go undetected.
  o Wiretapping:
    - Involves eavesdropping on information being transmitted over telecommunications lines.
  o Computer shutdown:
    - Initiated through terminals or personal computers connected directly (online) or remotely (via the Internet) to the computer.
    - Usually only individuals who know a high-level logon ID can initiate the shutdown process, but this security measure is effective only if proper security access controls are in place for the high-level logon ID and the telecommunications connections into the computer.
    - Some systems have proven to be vulnerable to shutting themselves down under certain conditions of overload.
21. What is identification and authentication (I&A)?
❖ Identification and authentication (I&A) is the process, performed by logical access control software, of establishing and proving one's identity.
❖ Before proceeding further, let us understand the difference between identification, authentication and authorization to be clearer on the concepts:
  - Identification occurs when someone claims an identity (such as with a username).
  - Authentication occurs when someone proves that identity (such as by entering a password).
  - Once that person's identity is proven, authorization techniques can grant or block access to objects based on the proven identity.
❖ So, identification and authentication (I&A) is a process by which a system obtains from a user his/her claimed identity and the credentials needed to authenticate this identity, and validates both pieces of information.
PART 8 – CISA Domain 5 – Protection of Information assets
» What are the common I&A vulnerabilities?
» What are the categories of authentication?
» What are the various authentication techniques?
22. What are the common I&A vulnerabilities?
❖ Weak authentication methods (e.g., no enforcement of password minimum length, complexity and change frequency)
❖ Use of simple or easily guessed passwords
❖ The potential for users to bypass the authentication mechanism
❖ The lack of confidentiality and integrity for the stored authentication information
❖ The lack of encryption for authentication and protection of information transmitted over a network
❖ The user's lack of knowledge of the risk associated with sharing authentication elements (e.g., passwords, security tokens)
23. What are the categories of authentication?
❖ Authentication is categorized into three categories as below:
  1. Something you know (Example: Password)
  2. Something you have (Example: Token card)
  3. Something you are / something you do (Example: a biometric feature)
❖ These techniques can be used independently or in combination to authenticate and identify a user.
24. What are the various authentication techniques?
❖ A single-factor authentication technique (something you know) involves the use of the traditional logon ID and password/credential.
❖ A two-factor authentication technique (also known as 2FA) is a combination of any two of the three categories above. For example, something you know, such as a personal identification number (PIN), combined and associated with something you have, such as a token card, is a two-factor authentication technique. Another example is withdrawing money from an ATM; only the correct combination of a bank card (something you have) and a PIN (something you know) allows the transaction to be carried out.
❖ A multi-factor authentication technique (also known as MFA) is a combination of more than one method, such as token and password (or PIN, or token and biometric device). MFA is an effective method to provide enhanced security. Examples of multi-factor authentication include using a combination of these elements to authenticate:
  - Codes generated by smartphone applications
  - Badges, USB devices or other physical devices
  - Soft tokens, certificates
  - Fingerprints
  - Codes sent to an email address
  - Facial recognition
  - Retina or iris scanning
  - Behavioral analysis
  - Answers to personal security questions
PART 9 – CISA Domain 5 – Protection of Information assets
» What are biometric access controls?
» How does a biometric access control system work?
» What are the various biometric devices/techniques?
  - Physically oriented biometric devices
    o Palm-based
    o Hand geometry
    o Retina scan
    o Iris scan
    o Fingerprints
    o Face recognition
  - Behaviour oriented biometric devices
    o Signature recognition
25. What are biometric access controls?
❖ Biometric access control security systems are designed to restrict physical entry to only users with authorization.
❖ Biometric access controls are the best means of authenticating a user's identity, based on a unique, measurable attribute or trait for verifying the identity of a human being.
❖ This control restricts computer access based on a physical (something you are) or behavioral (something you do) characteristic of the user.
26. How does a biometric access control system work?
❖ A biometric access control system is a pattern recognition unit that gathers a specific type of biometric data from a person, focuses on a relevant feature of that data, compares that feature to a preset group of attributes in its database, and then performs an action based on the accuracy of the comparison.
❖ There are a variety of characteristics that can be used for biometric comparisons, such as fingerprints, irises, hand geometries, voice patterns or DNA information, and although there are certain limitations to biometric capabilities, an effective system can precisely identify an individual based on these factors.
❖ A standard biometric access control system is composed of four main types of components:
  1. A sensor device,
  2. A quality assessment unit,
  3. A feature comparison and matching unit, and
  4. A database.
27. What are the various biometric devices/techniques?
❖ The types of biometric devices/techniques are divided into two groups, which are as follows:
  - Physically oriented biometrics
  - Behaviour oriented biometrics
Points to remember:
1. Biometric door locks – This system is used in instances when extremely sensitive facilities must be protected, such as in the military
For each of the biometric devices, let us have an overview of the device, how the biometric device operates, and their advantages and disadvantages.
❖ Physically oriented biometrics:
  1. Palm-based biometric devices:
    - These devices analyze physical characteristics associated with the palm, such as ridges and valleys.
    - This biometric involves placing the hand on a scanner where the physical characteristics are captured.
  2. Hand geometry:
    - This type of biometric device is one of the oldest techniques.
    - This technique is concerned with measuring the physical characteristics of the user's hands and fingers from a three-dimensional perspective.
    - The user places his hand, palm-down, on a metal surface with five guidance pegs to ensure that the fingers are placed properly and in the correct hand position.
    - The template is built from measurements of the physical geometric characteristics of a person's hand (usually 90 measurements), for example length, width, thickness and surface area.
  3. Iris scan:
    - An iris, which has patterns associated with the colored portion surrounding the pupil, is unique for every individual and, therefore, a viable method for user identification.
    - To capture this information, the user is asked to center his/her eye onto a device by seeing the reflection of their iris in the device. Upon this alignment occurring, a camera takes a picture of the user's iris and compares it with a stored image.
    - The iris is stable over time, having over 400 characteristics, although only approximately 260 of these are used to generate the template.
    - As is the case with fingerprint scanning, the template carries less information than a high-quality image.
    - Advantage of iris scan: Contact with the device is not needed, which contrasts with other forms of identification such as fingerprint and retinal scans.
    - Disadvantages of iris scan: The high cost of the system, as compared to other biometric technologies, and the high amount of storage required to uniquely identify a user.
  4. Retina scan:
    - A retinal scan is a biometric technique that uses the unique patterns of the blood vessels on a person's retina.
    - Retina scanning uses optical technology to map the capillary pattern of the eye's retina.
    - The user has to put his eye within 0.4 to 0.8 inches (1 to 2 cm) of the reader while an image of the pupil is taken.
    - The patterns of the retina are measured at over 400 points to generate a 96-byte template.
    - Advantages of retina scanning: Retinal scanning is extremely reliable, and it has the lowest FAR among the current biometric methods.
    - Disadvantages of retina scanning: The need for fairly close physical contact with the scanning device, which impairs user acceptance, and the high cost.
  5. Fingerprints:
    - Fingerprint access control is a commonly used biometric technique.
    - The user places his/her finger on an optical device or silicon surface to get his/her fingerprint scanned.
    - The template generated for the fingerprint, named "minutiae", measures bifurcations, divergences, enclosures, endings and valleys in the ridge pattern.
    - It contains only specific data about the fingerprint (the minutiae), not the whole image of the fingerprint itself.
    - Additionally, the full fingerprint cannot be reconstructed from the template.
    - Depending on the provider, the fingerprint template may use between 250 bytes and more than 1,000 bytes.
    - More storage space implies lower error rates. Fingerprint characteristics are described by a set of numeric values.
    - While the user keeps the finger in place for between two and three seconds, a typical image containing between 30 and 40 finger details is obtained and an automated comparison to the user's template takes place.
    - Advantages of fingerprint scanning:
      o Low cost,
      o Small size of the device,
      o Ability to physically interface with existing client-server based systems, and
      o Ease of integration into existing access control methods.
    - Disadvantages of fingerprint scanning:
      o The need for physical contact with the device and the possibility of poor-quality images due to residues, such as dirt and body oils, on the finger.
      o Fingerprint biometrics are not as effective as other techniques.
  6. Face recognition:
    - In this biometric device, the biometric reader processes an image captured by a video camera, which is usually within 24 inches (60 cm) of the human face, isolating it from the other objects captured within the image.
    - The reader analyzes the captured images for general facial characteristics.
    - The template created is based on either generating two- or three-dimensional mapping arrays or on combining facial-metric measurements of the distance between specific facial features, such as the eyes, nose and mouth. Some vendors also include thermal imaging in the template.
    - Advantages of facial recognition:
      o The face is considered to be one of the most natural and most "friendly" biometrics.
      o It is acceptable to users because it is fast and easy to use.
    - Disadvantages of face recognition:
      o The lack of uniqueness, which means that people who look alike may fool the device.
      o Some systems cannot maintain high levels of performance as the database grows in size.
❖ Behaviour oriented biometrics:
  1. Signature recognition:
    o Also referred to as signature dynamics.
    o This biometric technique can be operated in two ways:
      - Static: In this mode, users write their signature on paper and digitize it through an optical scanner or a camera, and the biometric system recognizes the signature by analyzing its shape. This group is also known as "off-line".
      - Dynamic: In this mode, users write their signature on a digitizing tablet, which acquires the signature in real time. Another possibility is acquisition by means of stylus-operated PDAs. Some systems also operate on smartphones or tablets with a capacitive screen, where users can sign using a finger or an appropriate pen. Dynamic recognition is also known as "on-line".
    o Advantages of signature recognition:
      - It is fast, easy to use and has a low implementation cost.
      - Even though a person might be able to duplicate the visual image of someone else's signature, it is difficult if not impossible to duplicate the dynamics (e.g., time duration in signing, pen pressure, how often the pen leaves the signing block, etc.).
    o Disadvantages of signature recognition:
      - Capturing the uniqueness of a signature, particularly when a user does not sign his/her name in a consistent manner. For example, this may occur due to illness/disease or use of initials versus a complete signature.
      - Users' signing behavior may change when signing onto signature identification and authentication "tablets" versus writing the signature in ink on a piece of paper.
Points to remember:
1. Biometrics – provides authentication based on a physical characteristic of a subject
2. Retina scan – highest reliability and lowest false-acceptance rate (FAR) among the current biometric methods
3. Iris pattern – the biometric parameter that is better suited for authentication use over a long period of time
PART 10 – CISA Domain 5 – Protection of Information assets
» What are the quantitative measures to determine the performance of biometric control devices?
  - False-rejection rate (FRR)
  - False-acceptance rate (FAR)
  - Equal error rate (EER)
» What is single sign-on? What are its advantages and disadvantages?
» What are firewall security systems?
28. What are the quantitative measures to determine the performance of biometric control devices?
❖ The following are the three quantitative measures used to determine the performance of biometric control devices:
  o False-rejection rate (FRR)
  o False-acceptance rate (FAR)
  o Equal error rate (EER)
  o The lower the overall measure, the more effective the biometric.
❖ False-rejection rate (FRR):
  - The percentage of identification instances in which authorised persons are incorrectly rejected.
  - It is also known as the Type-1 error rate.
❖ False-acceptance rate (FAR):
  - The percentage of identification instances in which unauthorised persons are incorrectly accepted.
  - It is also known as the Type-2 error rate.
❖ Equal error rate (EER):
  - Each biometric system may be adjusted to lower FRR or FAR, but as a general rule when one decreases the other increases (and vice versa), and there is an adjustment point where the two errors are equal.
  - An overall metric related to the two error types is the equal error rate (EER), which is the percentage at which false rejection and false acceptance are equal.
29. What is single sign-on? What are its advantages and disadvantages?
❖ An authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.
❖ The SSO process begins with the first instance where the user credentials are introduced into the organization's IT computing environment.
❖ The information resource or SSO server handling this function is referred to as the primary domain.
❖ Every other information resource, application or platform that uses those credentials is called a secondary domain.
❖ Advantages of single sign-on:
  - Multiple passwords are no longer required; therefore, a user may be more inclined and motivated to select a stronger password.
  - It improves an administrator's ability to manage users' accounts and authorizations across all associated systems.
  - It reduces administrative overhead in resetting forgotten passwords over multiple platforms and applications.
  - It reduces the time taken by users to log into multiple applications and platforms.
❖ Disadvantages of single sign-on:
  - Support for all major OS environments is difficult.
  - SSO implementations will often require a number of solutions integrated into a total solution for an enterprise's IT architecture.
  - The costs associated with SSO development can be significant when considering the nature and extent of interface development and maintenance that may be necessary.
  - The centralized nature of SSO presents the possibility of a single point of failure and total compromise of an organization's information assets. For this reason, strong authentication in the form of complex password requirements and the use of biometrics is frequently implemented.
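As an added example (not from the original notes), the Python below computes the FRR, FAR and EER crossover of question 28 from constructed genuine and impostor match scores, making the trade-off visible: raising the acceptance threshold lowers FAR but raises FRR. The score values and the 0..100 similarity scale are assumptions.

```python
"""FRR, FAR and EER for a biometric matcher, from constructed match scores.

Higher score means a better match against the stored template. "Genuine"
scores come from authorised users compared against their own template,
"impostor" scores from other persons compared against that template.
"""
from typing import List, Tuple

# Constructed sample data on an assumed 0..100 similarity scale.
GENUINE_SCORES: List[int] = [92, 88, 85, 81, 79, 77, 75, 70, 66, 60]
IMPOSTOR_SCORES: List[int] = [55, 50, 48, 45, 44, 40, 38, 35, 30, 25, 72, 68]


def frr(genuine: List[int], threshold: int) -> float:
    """False-rejection rate (Type-1 error): share of authorised attempts
    whose score falls below the acceptance threshold."""
    rejected = sum(1 for s in genuine if s < threshold)
    return rejected / len(genuine)


def far(impostor: List[int], threshold: int) -> float:
    """False-acceptance rate (Type-2 error): share of unauthorised attempts
    whose score reaches the acceptance threshold."""
    accepted = sum(1 for s in impostor if s >= threshold)
    return accepted / len(impostor)


def error_curve(
    genuine: List[int], impostor: List[int], lo: int = 0, hi: int = 100
) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) at every integer threshold in [lo, hi].
    As the threshold rises, FAR can only fall and FRR can only rise."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in range(lo, hi + 1)]


def equal_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Threshold at which FRR and FAR are closest to equal, and the EER,
    taken as the mean of the two rates at that threshold (with discrete
    sample sets the curves rarely cross exactly). The first threshold
    achieving the smallest gap is returned."""
    best_t, best_gap, best_eer = 0, None, 0.0
    for t, r, a in error_curve(genuine, impostor):
        gap = abs(r - a)
        if best_gap is None or gap < best_gap:
            best_t, best_gap, best_eer = t, gap, (r + a) / 2
    return best_t, best_eer


if __name__ == "__main__":
    for t in (60, 65, 70, 75):
        print(f"threshold {t}: FRR={frr(GENUINE_SCORES, t):.3f} "
              f"FAR={far(IMPOSTOR_SCORES, t):.3f}")
    t_eer, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.3f} at threshold {t_eer}")
```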
30. What are firewall security systems?
❖ In the world of computer firewall protection, a firewall refers to a network device which blocks certain kinds of network traffic, forming a barrier between a trusted and an untrusted network.
❖ It is analogous to a physical firewall in the sense that firewall security attempts to block the spread of computer attacks.
❖ Firewalls are hardware and software combinations that are built using routers, servers and a variety of software. They separate networks from each other and screen the traffic between them.
PART 11 – CISA Domain 5 – Protection of Information assets
» What are the general features of a firewall?
» What are the types of firewall?
  1. Packet filter firewall
  2. Application firewall systems and
  3. Stateful inspection firewall
» What is a packet filter firewall, and what are its advantages and disadvantages?
31. What are the general features of a firewall?
The following are the features of a firewall:
❖ Block access to particular sites on the Internet
❖ Limit traffic on an organization's public services segment to relevant addresses and ports
❖ Prevent certain users from accessing certain servers or services
❖ Monitor communications and record communications between an internal and an external network
❖ Monitor and record all communications between an internal network and the outside world to investigate network penetrations or detect internal subversion
❖ Encrypt packets that are sent between different physical locations within an organization by creating a VPN over the Internet (i.e., IPSec, VPN tunnels)
32. What are the types of firewall?
❖ There are three basic types of firewalls used by companies to protect their data and devices and keep destructive elements out of the network:
   1. Packet Filter firewall
   2. Application firewall systems and
   3. Stateful Inspection firewall

33. What is packet filter firewall, its advantages and disadvantages?
❖ It is also known as a "static filtering firewall".
❖ The simplest and earliest kinds of firewalls (i.e., the first generation of firewalls) were packet filtering-based firewalls deployed between the private network and the Internet.
❖ Packet filters act by inspecting packets transferred between computers. When a packet does not match the packet filter's set of filtering rules, the packet filter either drops the packet (silently discards it) or rejects it (discards it and generates an Internet Control Message Protocol notification for the sender); otherwise the packet is allowed to pass.
❖ Packets may be filtered by source and destination network addresses, protocol, and source and destination port numbers.
❖ Advantages:
- They can process packets at very fast speeds.
- They can easily match on most fields in Layer 3 packet and Layer 4 segment headers, providing a lot of flexibility in implementing security policies.
❖ Disadvantages/limitations:
- Its simplicity is a disadvantage, because it is vulnerable to attacks from improperly configured filters and attacks tunneled over permitted services.
- If a single packet filtering router is compromised, every system on the private network may be compromised, and organizations with many routers may face difficulties in designing, coding and maintaining the rule base.
❖ Some of the more common attacks against packet filter firewalls are IP spoofing, source routing specification and the miniature fragment attack.
34. What is Application firewall systems, its advantages and disadvantages?
❖ It is also known as a "proxy firewall".
❖ An application firewall is a type of firewall that scans, monitors and controls network, Internet and local system access and operations to and from an application or service.
❖ This type of firewall makes it possible to control and manage the operations of an application or service that is external to the IT environment.
❖ Application firewall systems are of two types:
   1. Circuit-level firewall systems
   2. Application-level firewall systems
❖ Circuit-level firewall systems:
- This works at the session layer of the OSI model, between the application layer and the transport layer of the TCP/IP stack.
- It creates a connection (circuit) between the two communicating systems.
- This type of proxy cannot look into the contents of a packet; thus, it does not carry out deep-packet inspection. It can only make access decisions based upon the protocol header and session information available to it.
- This firewall system does not provide the deep-inspection capabilities of an application-layer proxy.
❖ Application-level firewall systems:
- This works at the application layer of the OSI model.
- An application-level proxy firewall has one proxy per protocol; hence one application-level proxy is required for each protocol (FTP, SMTP, NTP, HTTP).
- Each proxy is a piece of software that has been designed to understand how a specific protocol talks and how to identify suspicious data within a transmission using that protocol.

PART 12 – CISA Domain 5 – Protection of Information assets
» What is Application firewall systems, its advantages and disadvantages?
» What is Stateful inspection firewall, its advantages and disadvantages?
» What are the various firewall implementations that are commonly used?
- This firewall system requires more processing per packet and is thus slower than a circuit-level proxy firewall.
- This firewall system provides more protection than circuit-level proxy firewalls.

35. What is Stateful inspection firewall, its advantages and disadvantages?
❖ It is also known as a "dynamic filtering firewall".
❖ A stateful inspection firewall keeps track of the destination IP address of each packet that leaves the organization's internal network.
❖ Whenever the response to a packet is received, its record is referenced to ascertain and ensure that the incoming message is in response to the request that went out from the organization.
❖ This is done by mapping the source IP address of an incoming packet against the list of destination IP addresses that is maintained and updated.
❖ This approach prevents any attack initiated and originated by an outsider.
❖ Advantages:
- Stateful firewalls are aware of the state of a connection. They typically build a state table and use this table to allow only returning traffic from connections currently listed in the state table.
- Stateful firewalls do not have to open up a large range of ports to allow communication. The state table is used to determine whether this is returning traffic; otherwise, the filtering table is used to filter the traffic.
- Stateful firewalls prevent more kinds of DoS attacks than packet-filtering firewalls and have more robust logging.
❖ Disadvantages/limitations:
- They can be complex to configure.
- They cannot prevent application-layer attacks.
- They do not support user authentication of connections.
- Not all protocols contain state information.
- Some applications open multiple connections, some of which use dynamic port numbers for the additional connections.
- Additional overhead is involved in maintaining a state table.

36. What are the various firewall implementations that are commonly used?
The following are the various firewall implementations commonly used across organizations:
❖ Screened-host firewall
❖ Dual-homed firewall
❖ Demilitarized zone (DMZ) or screened-subnet firewall
❖ Screened-host firewall:
- The screened-host firewall combines a packet-filtering router with an application gateway located on the protected subnet side of the router.
- A screened-host firewall architecture uses a host (called a bastion host) to which all outside hosts connect, rather than allowing direct connection to other, less secure, internal hosts.
- To achieve this, a filtering router is configured so that all connections to the internal network from the outside network are directed toward the bastion host.
❖ Dual-homed firewall:
- This is a firewall system that has two or more network interfaces, each of which is connected to a different network:
   o One facing the external network and
   o The other facing the internal network
- The host controls or prevents the forwarding of traffic between the NICs.
- This can be an effective measure to isolate a network.
❖ Demilitarized zone (DMZ) or screened-subnet firewall:
- This firewall system is also known as a "triple-homed firewall".
- This architecture adds another layer of security to the screened-host architecture.
- The external firewall screens the traffic entering the DMZ network.
- However, instead of the firewall then redirecting the traffic to the internal network, an interior firewall also filters the traffic.
- The use of these two physical firewalls creates a DMZ.
- The screened-subnet approach provides more protection than a stand-alone firewall or a screened-host firewall because three devices are working together and all three must be compromised before an attacker can gain access to the internal network.
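To tie Q33 (packet filter) and Q35 (stateful inspection) together, here is an added example, not from these notes, that runs the same constructed packet stream through a stateless rule base and a stateful inspection table; the addresses, rule base, served ports and the drop/reject choices are assumptions for illustration. It shows why static filtering must leave a wide return-port range open, and how a state table removes that need while still applying the anti-spoofing check relevant to the IP spoofing attack named under Q33.

```python
"""Added example (not from the CISA notes): a stateless packet filter beside a
stateful inspection filter, run over constructed sample packets. Addresses, rule
base and served ports are made up for illustration."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")          # constructed internal range
ALLOW, DROP, REJECT = "allow", "drop", "reject"  # reject = discard + ICMP notice to sender

# direction is "in" (arriving from the Internet) or "out" (leaving the internal net)
Packet = namedtuple("Packet", "direction proto src sport dst dport")


def rule(direction, proto, src, dports, action):
    """Filtering rule on the Layer 3/4 header fields a packet filter sees:
    direction, protocol, source network and destination port range (lo, hi)."""
    return (direction, proto, ip_network(src), dports, action)


def stateless_filter(rules, pkt):
    """Static filtering: first matching rule wins; unmatched packets are dropped."""
    for direction, proto, src_net, (lo, hi), action in rules:
        if (pkt.direction == direction and pkt.proto == proto
                and ip_address(pkt.src) in src_net and lo <= pkt.dport <= hi):
            return action
    return DROP


# The high-port rule lets replies reach internal clients, and it is also what lets
# unsolicited inbound traffic through: the weakness that stateful filtering removes.
STATELESS_RULES = [
    rule("in", "tcp", "10.0.0.0/8", (0, 65535), DROP),     # anti-spoofing: internal src from outside
    rule("out", "tcp", "10.0.0.0/8", (0, 65535), ALLOW),
    rule("in", "tcp", "0.0.0.0/0", (80, 80), ALLOW),       # public web server
    rule("in", "tcp", "0.0.0.0/0", (1024, 65535), ALLOW),  # return traffic, wide open
]


class StatefulFilter:
    """Dynamic filtering: records outbound connections in a state table and admits
    inbound traffic only as the reverse of a recorded connection or to a served port."""
    def __init__(self, served_ports):
        self.state = set()
        self.served = served_ports

    def evaluate(self, pkt):
        if pkt.direction == "out":
            if ip_address(pkt.src) not in INTERNAL_NET:
                return DROP
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return ALLOW
        if ip_address(pkt.src) in INTERNAL_NET:  # spoofed internal source address
            return DROP
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return ALLOW  # returning traffic for a tracked connection
        return ALLOW if pkt.dport in self.served else REJECT


SAMPLE = [  # constructed traffic, in order of arrival
    ("client request", Packet("out", "tcp", "10.1.1.5", 51000, "203.0.113.9", 443)),
    ("reply to client", Packet("in", "tcp", "203.0.113.9", 443, "10.1.1.5", 51000)),
    ("unsolicited to high port", Packet("in", "tcp", "198.51.100.7", 40000, "10.1.1.5", 51001)),
    ("spoofed internal source", Packet("in", "tcp", "10.1.1.9", 1234, "10.1.1.5", 51000)),
    ("web request to server", Packet("in", "tcp", "198.51.100.7", 40001, "10.1.1.80", 80)),
]


def compare(packets):
    """Return [(description, stateless verdict, stateful verdict)] for the same stream."""
    sf = StatefulFilter(served_ports={80})
    return [(d, stateless_filter(STATELESS_RULES, p), sf.evaluate(p)) for d, p in packets]


if __name__ == "__main__":
    for desc, stateless, stateful in compare(SAMPLE):
        print(f"{desc:26s} stateless={stateless:7s} stateful={stateful}")
```

The unsolicited packet to port 51001 passes the stateless filter only because of its high-port rule, while the stateful filter rejects it for lack of a matching state entry.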
37. What is Intrusion Detection Systems (IDS) and its types?
- An intrusion detection system is a device or software application that monitors a network or systems for malicious activity or policy violations.
- Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system.
- IDS has two main types:
   1. Network intrusion detection system: identifies attacks within the monitored network and issues a warning to the operator.
   2. Host-based intrusion detection system: configured for a specific environment; monitors various internal resources of the OS to warn of a possible attack.

38. What are the components of Intrusion Detection Systems (IDS)?
The components of an intrusion detection system are as follows:
o Sensors that are responsible for collecting data, such as network packets, log files, system call traces, etc.
o Analyzers that receive input from sensors and determine intrusive activity
o An administration console
o A user interface

39. What are the features of Intrusion Detection Systems (IDS)?
The features of an intrusion detection system are as follows:
o Intrusion detection
o Gathering evidence on intrusive activity
o Automated response (i.e., termination of connection, alarm messaging)
o Security policy
o Interface with system tools

PART 13 – CISA Domain 5 – Protection of Information assets
» What is Intrusion Detection Systems (IDS) and its types?
» What are the components of Intrusion Detection Systems (IDS)?
» What are the features of Intrusion Detection Systems (IDS)?
o Security policy management

40. What are the limitations of Intrusion Detection Systems (IDS)?
An IDS cannot help with the following weaknesses:
o Weaknesses in the policy definition
o Application-level vulnerabilities
o Back doors into applications
o Weaknesses in identification and authentication schemes

41. What is Intrusion Prevention Systems (IPS)?
- An intrusion prevention system (IPS) is a form of network security that works to detect and prevent identified threats.
- Intrusion prevention systems continuously monitor the network, looking for possible malicious incidents and capturing information about them.
- As the name suggests, an IPS is a preventive and proactive technology, whereas an IDS is a detective and after-the-fact technology.

42. What are honeypots and its types?
❖ A honeypot is a software application that pretends to be a vulnerable server on the Internet and is not set up to actively protect against break-ins.
❖ It acts as a decoy system that lures hackers.
❖ The more a honeypot is targeted by an intruder, the more valuable it becomes.
❖ Although honeypots are technically related to IDSs and firewalls, they have no real production value as an active sentinel of networks.

PART 14 – CISA Domain 5 – Protection of Information assets
» What are the limitations of Intrusion Detection Systems (IDS)?
» What is Intrusion Prevention Systems (IPS)?
» What are honeypots and its types?
❖ There are two basic types of honeypots:
   o High-interaction: give hackers a real environment to attack
   o Low-interaction: emulate production environments and provide more limited information

43. What are honeynets?
❖ A honeynet is a group of virtual servers contained within a single physical server, and the servers within this network are honeypots.
❖ The purpose of this virtual network is to attract the attention of an attacker, similar to how a single honeypot tries to attract the attention of an attacker.
❖ An IDS triggers a virtual alarm whenever an attacker breaches the security of any of the networked computers.
❖ A stealthy keystroke logger watches everything the intruder types.
❖ A separate firewall cuts off the machines from the Internet any time an intruder tries to attack another system from the honeynet.

44. What is Cryptography?
❖ Cryptography provides for secure communication in the presence of malicious third parties known as adversaries. Encryption uses an algorithm and a key to transform an input (i.e., plaintext) into an encrypted output (i.e., ciphertext).
❖ It is a method of storing and transmitting data in a form that only those it is intended for can read and process.
❖ It is also considered a science of protecting information by encoding it into an unreadable format.

PART 15 – CISA Domain 5 – Protection of Information assets
» What are Honeynets?
» What is Cryptography?
» What is Encryption and decryption?

Points to remember:
1. Honeypots are often used as a detection and deterrent control against Internet attacks.
❖ Cryptanalysis is the science of studying and breaking the secrecy of encryption processes, compromising authentication schemes, and reverse-engineering algorithms and keys.
❖ In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked, but requires the use of a one-time pre-shared key the same size as, or longer than, the message being sent. In this technique, a plaintext is paired with a random secret key (also referred to as a one-time pad). The one-time pad is also known as the Vernam cipher.

45. What is Encryption and decryption?
❖ Encryption is the process of encoding information.
❖ This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext.
❖ Only authorized parties can decipher a ciphertext back to plaintext and access the original information. This is called decryption.
❖ It serves as a mechanism to ensure confidentiality.
❖ Encryption generally is used to:
   o Protect data in transit over networks from unauthorized interception and manipulation
   o Protect information stored on computers from unauthorized viewing and manipulation
   o Deter and detect accidental or intentional alterations of data
   o Verify the authenticity of a transaction or document
❖ Encryption is limited in that it cannot prevent the loss or modification of data.
❖ The process of encrypting and decrypting messages involves keys. The two main types of keys in cryptographic systems are:
   1. Symmetric key (also known as unique key / secret key)
   2. Public key (also known as asymmetric key)

Points to remember:
1. One-time pad: this type of encryption is proven to be unbreakable.
2. A key distinction between encryption and hashing algorithms is that hashing algorithms are irreversible.
46. What is digital signature?
❖ A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very strong reason to believe that the message was created by a known sender (authentication) and that the message was not altered in transit (integrity).
❖ Therefore, a digital signature ensures:
   1. Data integrity
   2. Authentication
   3. Non-repudiation

PART 16 – CISA Domain 5 – Protection of Information assets
» What is digital signature?
» What are the various environmental issues and exposures in Information security?
» What are the controls for environmental exposures?
» What are the various physical exposure issues and exposures in Information security?
» What are the controls for Physical access exposures?
47. What are the various environmental issues and exposures in Information security?
❖ Environmental exposures are due primarily to naturally occurring events such as lightning storms, earthquakes, volcanic eruptions, hurricanes, tornados and other types of extreme weather conditions.
❖ The result of such conditions can lead to many types of problems. One particular area of concern is power failures of computer and supporting environmental systems.
❖ Generally, power failures can be grouped into four distinct categories, based on the duration and relative severity of the failure:
   1. Total failure (blackout)
   2. Severely reduced voltage (brownout)
   3. Sags, spikes and surges:
      - Sags: temporary, rapid decreases in voltage (mitigated by power line conditioners)
      - Spikes: temporary, rapid increases in voltage lasting 1 nanosecond (mitigated by surge protectors)
      - Surges: temporary, rapid increases in voltage lasting more than 3 nanoseconds
   4. Electromagnetic interference (EMI): caused by electrical storms or noisy electrical equipment, resulting in hangs or crashes of computer systems

48. What are the controls for environmental exposures?
❖ Alarm control panels
❖ Water detectors
❖ Handheld fire extinguishers
❖ Manual fire alarms

Points to remember:
1. The IS auditor should be familiar with how a digital signature functions to protect data. The specific types of message digest algorithms are not tested on the CISA exam.
2. A digital signature encrypts the hash of the message and not the message itself. Hence, a digital signature does not provide confidentiality or privacy.
3. The private key of the sender is used for encryption of the hash of the message.
4. Non-repudiation is best described as proving that a user performed a transaction that did not change.
❖ Smoke detectors
❖ Fire suppression systems
❖ Dry-pipe sprinkling systems
❖ Halon systems
❖ FM-200
❖ Argonite
❖ CO2 systems

49. What are the various physical exposure issues and exposures in Information security?
Exposures that exist from accidental or intentional violation of physical access paths include:
❖ Unauthorized entry
❖ Damage, vandalism or theft of equipment or documents
❖ Copying or viewing of sensitive or copyrighted information
❖ Alteration of sensitive equipment and information
❖ Public disclosure of sensitive information
❖ Abuse of data processing resources
❖ Blackmail
❖ Embezzlement

50. What are the controls for Physical access exposures?
❖ Bolting door locks
❖ Combination door locks (cipher locks)
❖ Electronic door locks
❖ Biometric door locks
❖ Manual logging
❖ Electronic logging

Points to remember:
1. Soda acid should not be used to extinguish a class C (U.S.) fire.
2. Although many methods of fire suppression exist, dry-pipe sprinklers are considered to be the most environmentally friendly.
❖ Identification badges (photo IDs)
❖ Video cameras
❖ Security guards
❖ Controlled visitor access
❖ Dead man doors (mantrap)
❖ Computer workstation locks
❖ Not advertising the location of sensitive facilities
❖ Controlled single entry point
❖ Alarm system
❖ Secured report / document distribution cart
❖ Windows
❖ Touring the information processing facility (IPF)
❖ Testing of physical safeguards