This document contains an outline for a CISA review course covering topics such as information security management, logical access controls, network security, and auditing frameworks. It includes sections on inventorying and classifying assets, access permissions, privacy issues, risks from external parties, and incident response. Self-assessment questions test on weaknesses like uncontrolled database passwords, the risks of single sign-on, uses of intrusion detection systems, and effective antivirus controls.

1. 2016 CISA® Review Course
Hafiz Sheikh Adnan Ahmed – CISA, COBIT 5, ISO 27001 LA
[PECB Certified Trainer]

2. Quick Reference Review
• Importance of Information Security Management
• Inventory and Classification of Information Assets
• Physical/Environmental Exposures and Controls
• Logical Access
• Auditing Information Security Management Framework

3. 5.2 Importance of Information Security
Management

4. 5.2.1 Key Elements of IS Management

6. 5.2.2 IS Management Roles & Responsibilities

8. 5.2.3 Inventory & Classification of Information Assets

9. 5.2.4 System Access Permission

10. 5.2.5 Mandatory & Discretionary Access Controls

11. 5.2.6 Privacy Management Issues & the role of
IS Auditors

12. 5.2.7 Critical Success Factors to IS Management

13. 5.2.8 Information Security and External Parties

14. Identification of Risks related to External Parties

15. Addressing Security when dealing with Customers

16. Addressing Security inThird Party Agreements

17. 5.2.9 Human Resources Security andThird Parties
• Screening
• Terms and Conditions of
Employment
• During Employment
• Removal of Access Rights

18. 5.2.10 Computer Crime Issues & Exposures
Threats to business
• Financial Loss
• Legal Repercussions
• Loss of Credibility
• Blackmail
• Disclosure of Confidential, Sensitive or
Embarrassing information
Possible Perpetrators
• Hackers
• Script Kiddies
• Employees (Current, Former)
• IS Personnel
• End Users
• Third Parties

22. 5.2.11 Security Incident Handling & Response

23. 5.3 Logical Access
• Primary means used to manage and protect information assets
• IS auditors to analyze and evaluate the effectiveness of a logical access control in
accomplishing IS objectives and avoiding losses resulting from exposures

24. 5.3.1 Logical Access Exposures

25. 5.3.2 Familiarization with the Enterprise’s IT
Environment

26. 5.3.4 Logical Access Control Software

27. 5.3.5 Identification and Authentication
• Logon ID & Passwords
• Token devices, One time Passwords
• Biometrics

28. 5.3.6 Authorization Issues

30. 5.3.7 Storing, Retrieving,Transporting &
Disposing of Confidential Information

32. 5.4 Network Infrastructure Security

33. 5.4.1 LAN Security

34. 5.4.2 Client-Server Security

35. 5.4.3Wireless SecurityThreats and Risk Mitigation

37. 5.4.4 InternetThreats and Security

38. 5.4.5 Encryption

39. 5.4.6 Malware

40. 5.4.7Voice-Over IP (VOIP)
• VOIP Security Issues
• A computer system disruption terminates the telephone
• A backup communication facility should be planned
• IP telephones and their supporting equipment require the care and maintenance
as computer systems do

41. 5.4.8 Private Branch Exchange (PBX)

42. 5.5 Auditing Information Security
Management Framework

43. 5.5.1 Auditing Information Security Management
Framework
• Review written Policies, Procedures and Standards
• Logical Access Security Policies
• Formal Security Awareness and Training
• Data Ownership and Custodians
• Data Users and new Users

44. 5.5.2 Auditing Logical Access
• Interviewing Systems Personnel
• Review reports from Access Control Software
• Review Application Systems Operations Manual

45. 5.5.3Techniques forTesting Security
• Terminal Cards and Keys
• Logon IDs and Passwords
• Logging and Reporting of Computer Access Violations
• Review Access Controls and Password Administration

46. 5.5.4 InvestigationTechniques
Investigation of Computer Crime
• Laws exist but not reported due to negative publicity
• Proper procedures to be used in case of aftermath
• The environment and evidence must be left unaltered
• Specialist law enforcement and evidence must be left unaltered
Computer Forensics
• Process of identifying, preserving, analyzing, presenting digital evidence in a
manner that is legally acceptable in any legal proceedings
• Any electronic data or document can be used as digital evidence

50. 5.6 Auditing Network Infrastructure Security
IS auditor should:
• Review network diagrams that identify the organization’s internetworking
infrastructure
• Identify the network design implemented, including the IP strategy used
• Determine the applicable security policies, procedures, standards
• Identify the roles and responsibilities for implementation of network infrastructure
• Review SLAs to ensure that they include provisions for security

51. 5.6.1 Auditing Remote Access
IS Auditors should:
• Review access points for appropriate controls, such as VPN, firewalls, IDSs

52. Network PenetrationTests

53. Full Network Assessment Reviews

54. 5.7 Environmental Exposures & Controls

55. 5.7.1 Environmental Issues and Exposures

56. 5.7.2 Controls for Environmental Exposures

58. 5.7.3 Auditing Environmental Controls

59. 5.8 Physical Access Exposures & Controls

60. 5.8.1 Physical Access Issues & Exposures

61. 5.8.2 Physical Access Controls

63. 5.8.3 Auditing Physical Access

64. 5.9 Mobile Computing
Controls to reduce the risk of disclosure of sensitive data stored on laptop/mobile devices:
• Back up business critical or sensitive data on a regular basis
• Use a cable locking system or a locking system with a motion detector that sounds an audible alarm
• Encrypt data
• Allocate passwords to individual files
• Establish a theft response team and develop procedures to follow when a laptop is stolen
• Using two-factor authentication. This can be achieved using biometric readers

65. Self-Assessment Questions
1. An IS auditor has just completed a review of an organization that has
mainframe computer and two database servers where all production data
reside. Which of the following weaknesses would be considered MOST
serious?
a) The security officer also serves as the DBA
b) Password controls are not administered over the two database servers
c) There’s no business continuity plan for the mainframe system’s noncritical applications
d) Most LANs do not back up file-server-fixed disks regularly

66. Self-Assessment Questions
2. An organization is proposing to install a single sign-on facility giving
access to all systems. The organization should be aware that:
a) Maximum unauthorized access would be possible if a password is disclosed
b) User access rights would be restricted by the additional security parameters
c) The security administrator’s workload would increase
d) User access rights would be increased

67. Self-Assessment Questions
3. A B-to-C e-commerce web site as part of its information security program
wants to monitor, detect and prevent hacking activities and alert the system
administrator when suspicious activities occur. Which of the following
infrastructure components could be used for this purpose?
a) Intrusion Detection Systems (IDS)
b) Firewalls
c) Routers
d) Asymmetric encryption

68. Self-Assessment Questions
4. Which of the following is the MOST effective antivirus control?
a) Scanning email attachments on the mail server
b) Restoring systems from clean copies
c) Disabling universal serial bus (USB) ports
d) An online antivirus scan with up-to-date virus definitions

69. Answers
1. b) Password controls are not administered over the two database
servers
2. a) Maximum unauthorized access would be possible if a password is
disclosed
3. a) Intrusion Detection Systems (IDS)
4. d) An online antivirus scan with up-to-date virus definitions