CISA: Certified Information Systems Auditor Study Guide 4th Edition

65,99 €

incl. statutory VAT, free shipping

Home delivery

Product details

Binding: Paperback
Publication date: 26.04.2016
Publisher: John Wiley & Sons
Number of pages: 704
Dimensions (L/W/H): 23,6/18,9/4 cm
Weight: 930 g
Edition: 4th edition
Language: English
ISBN: 978-1-119-05624-9

Manufacturer address

Libri GmbH
Europaallee 1
36244 Bad Hersfeld
DE

Email: gpsr@libri.de

  • Introduction xix

    Assessment Test xlii

    Chapter 1 Secrets of a Successful Auditor 1

    Understanding the Demand for IS Audits 2

    Executive Misconduct 3

    More Regulation Ahead 5

    Basic Regulatory Objective 7

    Governance is Leadership 8

    Three Types of Data Target Different Uses 9

    Audit Results Indicate the Truth 10

    Understanding Policies, Standards, Guidelines, and Procedures 11

    Understanding Professional Ethics 14

    Following the ISACA Professional Code 14

    Preventing Ethical Conflicts 16

    Understanding the Purpose of an Audit 17

    Classifying General Types of Audits 18

    Determining Differences in Audit Approach 20

    Understanding the Auditor's Responsibility 21

    Comparing Audits to Assessments 21

    Differentiating between Auditor and Auditee Roles 22

    Applying an Independence Test 23

    Implementing Audit Standards 24

    Where Do Audit Standards Come From? 25

    Understanding the Various Auditing Standards 27

    Specific Regulations Defining Best Practices 31

    Audits to Prove Financial Integrity 34

    Auditor is an Executive Position 35

    Understanding the Importance of Auditor Confidentiality 35

    Working with Lawyers 36

    Working with Executives 37

    Working with IT Professionals 37

    Retaining Audit Documentation 38

    Providing Good Communication and Integration 39

    Understanding Leadership Duties 39

    Planning and Setting Priorities 40

    Providing Standard Terms of Reference 41

    Dealing with Conflicts and Failures 42

    Identifying the Value of Internal and External Auditors 43

    Understanding the Evidence Rule 43

    Stakeholders: Identifying Whom You Need to Interview 44

    Understanding the Corporate Organizational Structure 45

    Identifying Roles in a Corporate Organizational Structure 45

    Identifying Roles in a Consulting Firm Organizational Structure 47

    Summary 49

    Exam Essentials 49

    Review Questions 52

    Chapter 2 Governance 57

    Strategy Planning for Organizational Control 61

    Overview of the IT Steering Committee 64

    Using the Balanced Scorecard 69

    IT Subset of the BSC 74

    Decoding the IT Strategy 74

    Specifying a Policy 77

    Project Management 79

    Implementation Planning of the IT Strategy 90

    Using COBIT 94

    Identifying Sourcing Locations 94

    Conducting an Executive Performance Review 99

    Understanding the Auditor's Interest in the Strategy 100

    Overview of Tactical Management 100

    Planning and Performance 100

    Management Control Methods 101

    Risk Management 105

    Implementing Standards 108

    Human Resources 109

    System Life-Cycle Management 111

    Continuity Planning 111

    Insurance 112

    Overview of Business Process Reengineering 112

    Why Use Business Process Reengineering 113

    BPR Methodology 114

    Genius or Insanity? 114

    Goal of BPR 114

    Guiding Principles for BPR 115

    Knowledge Requirements for BPR 116

    BPR Techniques 116

    BPR Application Steps 117

    Role of IS in BPR 119

    Business Process Documentation 119

    BPR Data Management Techniques 120

    Benchmarking as a BPR Tool 120

    Using a Business Impact Analysis 121

    BPR Project Risk Assessment 123

    Practical Application of BPR 125

    Practical Selection Methods for BPR 127

    Troubleshooting BPR Problems 128

    Understanding the Auditor's Interest in Tactical Management 129

    Operations Management 129

    Sustaining Operations 130

    Tracking Actual Performance 130

    Controlling Change 131

    Understanding the Auditor's Interest in Operational Delivery 131

    Summary 132

    Exam Essentials 132

    Review Questions 134

    Chapter 3 Audit Process 139

    Understanding the Audit Program 140

    Audit Program Objectives and Scope 141

    Audit Program Extent 143

    Audit Program Responsibilities 144

    Audit Program Resources 144

    Audit Program Procedures 145

    Audit Program Implementation 146

    Audit Program Records 146

    Audit Program Monitoring and Review 147

    Planning Individual Audits 148

    Establishing and Approving an Audit Charter 151

    Role of the Audit Committee 151

    Preplanning Specific Audits 153

    Understanding the Variety of Audits 154

    Identifying Restrictions on Scope 156

    Gathering Detailed Audit Requirements 158

    Using a Systematic Approach to Planning 159

    Comparing Traditional Audits to Assessments and Self-Assessments 161

    Performing an Audit Risk Assessment 162

    Determining Whether an Audit is Possible 163

    Identifying the Risk Management Strategy 165

    Determining Feasibility of Audit 167

    Performing the Audit 167

    Selecting the Audit Team 167

    Determining Competence and Evaluating Auditors 168

    Ensuring Audit Quality Control 170

    Establishing Contact with the Auditee 171

    Making Initial Contact with the Auditee 172

    Using Data Collection Techniques 174

    Conducting Document Review 176

    Understanding the Hierarchy of Internal Controls 177

    Reviewing Existing Controls 179

    Preparing the Audit Plan 182

    Assigning Work to the Audit Team 183

    Preparing Working Documents 184

    Conducting Onsite Audit Activities 185

    Gathering Audit Evidence 186

    Using Evidence to Prove a Point 186

    Understanding Types of Evidence 187

    Selecting Audit Samples 187

    Recognizing Typical Evidence for IS Audits 188

    Using Computer-Assisted Audit Tools 189

    Understanding Electronic Discovery 191

    Grading of Evidence 193

    Timing of Evidence 195

    Following the Evidence Life Cycle 195

    Conducting Audit Evidence Testing 198

    Compliance Testing 198

    Substantive Testing 199

    Tolerable Error Rate 200

    Recording Test Results 200

    Generating Audit Findings 201

    Detecting Irregularities and Illegal Acts 201

    Indicators of Illegal or Irregular Activity 202

    Responding to Irregular or Illegal Activity 202

    Findings Outside of Audit Scope 203

    Report Findings 203

    Approving and Distributing the Audit Report 205

    Identifying Omitted Procedures 205

    Conducting Follow-up (Closing Meeting) 205

    Summary 206

    Exam Essentials 207

    Review Questions 210

    Chapter 4 Networking Technology Basics 215

    Understanding the Differences in Computer Architecture 217

    Selecting the Best System 221

    Identifying Various Operating Systems 221

    Determining the Best Computer Class 224

    Comparing Computer Capabilities 227

    Ensuring System Control 228

    Dealing with Data Storage 230

    Using Interfaces and Ports 235

    Introducing the Open Systems Interconnection Model 237

    Layer 1: Physical Layer 240

    Layer 2: Data-Link Layer 240

    Layer 3: Network Layer 242

    Layer 4: Transport Layer 248

    Layer 5: Session Layer 249

    Layer 6: Presentation Layer 250

    Layer 7: Application Layer 250

    Understanding How Computers Communicate 251

    Understanding Physical Network Design 252

    Understanding Network Cable Topologies 253

    Bus Topologies 254

    Star Topologies 254

    Ring Topologies 255

    Meshed Networks 256

    Differentiating Network Cable Types 258

    Coaxial Cable 258

    Unshielded Twisted-Pair (UTP) Cable 259

    Fiber-Optic Cable 260

    Connecting Network Devices 260

    Using Network Services 263

    Domain Name System 263

    Dynamic Host Configuration Protocol 265

    Expanding the Network 266

    Using Telephone Circuits 268

    Network Firewalls 271

    Remote VPN Access 276

    Using Wireless Access Solutions 280

    Firewall Protection for Wireless Networks 284

    Remote Dial-Up Access 284

    WLAN Transmission Security 284

    Achieving 802.11i RSN Wireless Security 287

    Intrusion Detection Systems 288

    Summarizing the Various Area Networks 291

    Using Software as a Service (SaaS) 292

    Advantages 292

    Disadvantages 293

    Cloud Computing 294

    The Basics of Managing the Network 295

    Automated LAN Cable Tester 295

    Protocol Analyzers 295

    Remote Monitoring Protocol Version 2 297

    Summary 298

    Exam Essentials 298

    Review Questions 301

    Chapter 5 Information Systems Life Cycle 307

    Governance in Software Development 308

    Management of Software Quality 310

    Capability Maturity Model 310

    International Organization for Standardization 312

    Typical Commercial Records Classification Method 316

    Overview of the Executive Steering Committee 317

    Identifying Critical Success Factors 318

    Using the Scenario Approach 318

    Aligning Software to Business Needs 319

    Change Management 323

    Management of the Software Project 323

    Choosing an Approach 323

    Using Traditional Project Management 324

    Overview of the System Development Life Cycle 327

    Phase 1: Feasibility Study 331

    Phase 2: Requirements Definition 334

    Phase 3: System Design 339

    Phase 4: Development 343

    Phase 5: Implementation 354

    Phase 6: Postimplementation 361

    Phase 7: Disposal 363

    Overview of Data Architecture 364

    Databases 364

    Database Transaction Integrity 368

    Decision Support Systems 369

    Presenting Decision Support Data 370

    Using Artificial Intelligence 370

    Program Architecture 371

    Centralization vs. Decentralization 372

    Electronic Commerce 372

    Summary 374

    Exam Essentials 374

    Review Questions 376

    Chapter 6 System Implementation and Operations 381

    Understanding the Nature of IT Services 383

    Performing IT Operations Management 385

    Meeting IT Functional Objectives 385

    Using the IT Infrastructure Library 387

    Supporting IT Goals 389

    Understanding Personnel Roles and Responsibilities 389

    Using Metrics 394

    Evaluating the Help Desk 396

    Performing Service-Level Management 397

    Outsourcing IT Functions 398

    Performing Capacity Management 399

    Using Administrative Protection 400

    Information Security Management 401

    IT Security Governance 401

    Authority Roles over Data 402

    Data Retention Requirements 403

    Document Physical Access Paths 404

    Personnel Management 405

    Physical Asset Management 406

    Compensating Controls 408

    Performing Problem Management 409

    Incident Handling 410

    Digital Forensics 412

    Monitoring the Status of Controls 414

    System Monitoring 415

    Document Logical Access Paths 416

    System Access Controls 417

    Data File Controls 420

    Application Processing Controls 421

    Log Management 423

    Antivirus Software 424

    Active Content and Mobile Software Code 424

    Maintenance Controls 427

    Implementing Physical Protection 430

    Data Processing Locations 432

    Environmental Controls 432

    Safe Media Storage 440

    Summary 442

    Exam Essentials 442

    Review Questions 444

    Chapter 7 Protecting Information Assets 449

    Understanding the Threat 450

    Recognizing Types of Threats and Computer Crimes 452

    Identifying the Perpetrators 454

    Understanding Attack Methods 458

    Implementing Administrative Protection 469

    Using Technical Protection 472

    Technical Control Classification 472

    Application Software Controls 474

    Authentication Methods 475

    Network Access Protection 488

    Encryption Methods 489

    Public-Key Infrastructure 496

    Network Security Protocols 502

    Telephone Security 507

    Technical Security Testing 507

    Summary 509

    Exam Essentials 509

    Review Questions 511

    Chapter 8 Business Continuity and Disaster Recovery 517

    Debunking the Myths 518

    Myth 1: Facility Matters 519

    Myth 2: IT Systems Matter 519

    From Myth to Reality 519

    Understanding the Five Conflicting Disciplines Called Business Continuity 520

    Defining Disaster Recovery 521

    Surviving Financial Challenges 522

    Valuing Brand Names 522

    Rebuilding after a Disaster 523

    Defining the Purpose of Business Continuity 524

    Uniting Other Plans with Business Continuity 527

    Identifying Business Continuity Practices 527

    Identifying the Management Approach 529

    Following a Program Management Approach 531

    Understanding the Five Phases of a Business Continuity Program 532

    Phase 1: Setting Up the BC Program 532

    Phase 2: The Discovery Process 535

    Phase 4: Plan Implementation 560

    Phase 5: Maintenance and Integration 562

    Understanding the Auditor Interests in BC/DR Plans 563

    Summary 564

    Exam Essentials 564

    Review Questions 566

    Appendix Answers to Review Questions 571

    Index 591