
Copyright TechnoDyne University

4/19/2010

Presenting

Live From New York City


Global Webinar: CISA Exam Refresher Class, Spring 2010

Instructor: Jay Ranade, CISA, CISSP, CISM, CBCP
New York City

Assisting Jay today will be: Rob Alti and Kari Bruursema

Confidential & Proprietary - Not for Resale or Distribution


Instructor Introduction
Jay, a certified CISA, CISM, CISSP, and CBCP, is an internationally renowned expert on computers, communications, disaster recovery, IT security, and IT controls. He has written and published more than 35 IT-related books on various subjects ranging from networks, security, operating systems, languages, and systems. He also has an imprint with McGraw-Hill with more than 300 books called Jay Ranade Series. He has written and published articles for various computer magazines such as Byte, LAN Magazine, and Enterprise Systems Journal. The New York Times critically acclaimed his book called the Best of Byte. His books have been translated into Mandarin, Korean, Spanish, Japanese, Portuguese, and German. Jay has consulted and worked for Global and Fortune 500 companies in the US and abroad including American International Group, Time Life, Merrill Lynch, Dreyfus/Mellon Bank, Johnson and Johnson, Unisys, McGraw-Hill, Mobiltel Bulgaria, and Credit Suisse. He was a member of the ISACA International's Publications Committee for 2005-2007. He teaches exam preparation classes globally for CISA, CISM, CISSP, CBCP, CGEIT, and CIA. He also teaches graduate-level classes on Information Security Management and Ethical Risk Management at New York University and IT Auditing for St. John's University. Jay is Director of Education for TechnoDyne University, the premier educational institution in Certification-related and GRC-related education. He is four times world champion in Arm Wrestling and two times world champion (2002 and 2003) in martial arts breaking. He has appeared on ESPN and ESPN2 numerous times.

technodyne

www.technodyneuniversity.com

April 2010 Slide 3

Instructor Information

Contact information
JAYRANADE@technodyneuniversity.com

USA +1-917-971-9786

TechnoDyne University
502 Valley Road, Suite 103 Wayne, NJ 07470 USA


Welcome to all

- Global participation from every time zone
- All continents represented
- Registrations from 43 plus countries
- Questions can be sent at any time
- Consolidated answers would be sent to all participants who participate till the end of this presentation

Format of the Seminar

- 2 presentations of 85 minutes each with 10 minute break
- 72 key concepts of CBK in CISA questions (derived from 786 axioms)
- 11 types of questions in the exam
- 24 final suggestions before and during the exam

What we expect from you?


- That you have done exam preparation
- This 3 hour seminar is to enhance your knowledge, not to teach you from scratch
- That you have studied prior to today's class. Usually, candidates spend 200 plus hours in CISA exam studies, in addition to attending a 30-40 hour seminar from an expert instructor
- That you have some level of IT, audit, controls or security background


Purpose of this seminar

- To give a last boost of knowledge to push your score beyond 75 percent, minimum requirement for CISA exam
- Discuss those topics which are mostly misunderstood by CISA exam candidates
- Discuss techniques to answer questions
- Material derived from Jay Ranade's 786 one-line memory aids for CISA exam called Axioms

Remember

- It is a global exam, don't apply your own shop knowledge
- If you are CISSP, remember that CISA is about controls, not technology
- Each question has a stem and 4 possible answers. Usually 2 of the answers can be thrown out. There is only one correct answer

Remember

- Preventive controls take preference over detective controls
- Think from business perspective, not IT perspective
- CISA exam questions which were correct in the past may be incorrect now
  - Don't use old manuals, axioms, or Q/A CDs
  - Examples: OS patches, WEP vs. WPA wireless security, biometrics hand geometry

Audit Process (20 questions in the exam)


Audit Process

- Whether segregation of duties is being followed or not can best be determined by observation
  - Principle of DOPESS
- If the auditor implements the controls in a particular department (as a previous job function), these controls cannot be audited by the same auditor because that would compromise independence
- In a risk-based audit planning, audit resources are allocated to the areas of highest concern and risk


Audit Process (continued)

- Finding material weakness is not based on professional judgment during audit, it is based on experience, competence, and thoroughness in planning as well as execution of audit.
- Controls are put at various places in a system as the data flows from one point to the other. These controls are preventive, detective, and corrective. An auditor should be aware of the points where the controls are put
- In forensic investigation, chain of custody of the evidence must be established for the court

Audit Process (continued)

- If the compliance tests indicate that there are sufficient internal controls, substantive tests can be minimized
- Audit hooks are best when only selected transactions need to be examined or reviewed
- If an auditee takes immediate corrective action to correct the auditor's findings, the auditor should still report the finding with the mention that corrective action has been taken. Reporting the finding is a must

IT Governance (30 questions in the exam)


IT Governance
- Lack of senior management's interest in strategic IT planning means that IT is not aligned with the organization's business objectives
- CMM has 5 maturity levels. Maturity level 3 (defined) is the lowest level at which balanced score card (BSC) exists. It does not exist at level 1 and 2
- Control objectives must be established before controls are implemented. An auditor must understand control objectives to understand purpose or desired results of control procedures

IT Governance (continued)

- One of the strong compensating controls for DBA activity is to ensure that the DBA cannot delete activity logs. Activity log is a strong detective control for DBA activities.
- Purpose of performance measurement is to optimize performance. What cannot be measured cannot be improved either
- Lack of sufficient security controls is vulnerability, not a threat

IT Governance (continued)

- Security awareness program provides training on a regular basis to the new and current employees and contingent workers
- A good security policy will have provision for response management for security-related incidents (e.g. intrusion, worm, virus, DDoS participation, etc.)
- If top management intervenes in decisions of technology implementation and meeting business requirements, it denotes proper IT governance.


IT Governance (continued)

- Core business activities of an organization are not outsourced because that's what gives differentiated advantage to it. If such an activity is outsourced, it would be a concern to an IT auditor.
- Mandatory one-week vacation in financial institutions is a detective control to find out illegal acts or improprieties if any.
- Accountability for corporate security policy for outsourced processes (IT or otherwise) is always with the outsourcer

IT Governance (continued)

- One of the first steps in creating a firewall policy is to identify network applications which need to be externally accessed
- Risk management is all about protecting assets. Therefore the first step in a risk management program is to take inventory of assets
- IT strategy committee takes into account future business direction, future technological innovations, and regulatory compliance considerations

System and Infrastructure Lifecycle Management (32 questions in the exam)


System and Infrastructure Lifecycle Management


- Baselining is a cutoff point during development phase beyond which additional change requests or enhancement requests cannot occur. However, such changes/enhancements could only be considered by following strict procedures for cost-benefit analysis and approval processes.
- System's usability is measured by the end-user perception of the system
- Lack of documentation is usually the risk associated with agile development process.

System and Infrastructure Lifecycle Management


- Main benefit of integrating TQM (total quality management) in the software development project is for end-user satisfaction and not cost controls or meeting delivery dates or proper documentation
- Steering committee performs the financial evaluation of a project
- Waterfall lifecycle model in software development is best suited when application system development requirements are well understood and expected to remain stable

System and Infrastructure Lifecycle Management


- User management assumes ownership of the project and the resulting system (not steering committee, or IT project manager, or senior management)
- If you do not know the requirements baseline, the best method for development would be agile, because agile development follows an adaptive approach
- Senior management approves project and the resources it needs. Project steering committee monitors costs and timelines and provides overall direction. Technical project manager provides technical support

System and Infrastructure Lifecycle Management


- In Timebox method of development, having a baseline is very important. It is because the project is completed in a fixed-time development effort
  - Deliverable, Time, and Resources
- Quality of metadata is an important factor in the design of a data warehouse.
- While donating or disposing of used computers, organization must ensure that confidentiality is not being compromised. Tapes must be degaussed and magnetic disks must be demagnetized. It is also known as media sanitization.

System and Infrastructure Lifecycle Management


- Run-to-run totals will provide assurance that data converted from an old system to a new file system contains all the important elements
- Bottom up software development and testing ensures that errors in critical modules are detected early on in the process
- A top down software development and testing approach ensures that interface errors are detected and that critical functions are tested early on.

System and Infrastructure Lifecycle Management


- Escrow agreement is a must when licensing software from small companies
- Regression testing is used to ensure that an application change has not altered system functionality in ways that were not intended. Data used in regression test is the same as was used to perform the test before the change was enacted.
- An auditor assigned to audit a reorganized BPR project should get the old process flow and the new process flow and ensure adequate controls in the new process.

System and Infrastructure Lifecycle Management


- Program reverse engineering usually involves reversing machine code into source code to understand its logic. It is usually done to understand a program whose source code has been lost.
- EVA (earned value analysis) is an industry standard for measuring progress of a project at any stage. It compares planned amount of work with completed amount of work.
- Prototyping always starts with high-level functions first; so effective testing for such functions is top down. RAD uses prototyping as its core strategy

TDU's ISACA Exam Training Courses

If you are planning for an ISACA certification exam in June 2010, Jay Ranade provides full, in-depth ISACA certification training courses. Go to www.technodyneuniversity.com to sign up today. Jay has an over 90% exam pass rate and satisfaction is guaranteed.

IT Service Delivery and Support (28 questions in the exam)


IT Service Delivery and Support


- Hardware maintenance programs must be aligned with vendor specifications
- When reviewing or auditing 3rd party IT service providers, the auditor's main concern would be if the services are provided as per contractual agreement
- Continuity of IT services must provide assurance that agreed upon SLA meets the obligations of external customers and internal clients

IT Service Delivery and Support


- Firewalls prevent external attacks (Internet to Intranet) while activity logs detect internal attacks or misuse (within Intranet).
- A screened subnet firewall implementation is a very secure implementation. It uses two packet filtering routers and a bastion host. It supports both application level and network level security. It is also called DMZ implementation. It provides the BEST protection against Internet attacks
- SOAP (simple object access protocol) is a platform-independent protocol for exchanging XML-based messages over computer networks, normally using HTTP

IT Service Delivery and Support


- When patches to take care of vulnerabilities are received, first step should be to ensure that the source of patches is authentic
- Risk management planning from cyber attacks begins with identifying critical information assets first
- In a LAN environment, separate conduits should be used for data and electrical cables. Electrical cables can generate electro-magnetic fields which can cause transmission errors in the data cables


IT Service Delivery and Support

ACID test for a DBMS

- A = Atomicity
- C = Consistency
- I = Isolation
- D = Durability


Protection of Information Assets (62 questions in the exam)


Protection of Information Assets

- Validated digital signatures in an email help detect spam
- IDS cannot detect attacks in encrypted traffic
- A sender encrypting a message using his/her private key provides nonrepudiation but not confidentiality


Protection of Information Assets

- Traffic analysis is a passive attack to determine potential network vulnerabilities
- Port scanning usually precedes an attack
- Data transmitted in a Wireless LAN is best protected if the session is encrypted using dynamic keys. Use of static keys used over a long period has the probability of being compromised


Protection of Information Assets


- A sender encrypting a message using the receiver's public key provides confidentiality but not non-repudiation
- Authenticity and confidentiality can be ensured by first encrypting the message using the sender's private key and then encrypting the result again using the receiver's public key
- Two factor authentication can be compromised by man-in-the-middle attack

Protection of Information Assets


- One way to break the safety of SSL is to establish a fake SSL server, accept the user's SSL traffic on the fake server, then route from fake server to real server, and thus compromise the information. Thus SSL could be a target for man-in-the-middle attack
- Key logging can circumvent normal authentication but not two-factor authentication
- CER (cutover error rate) or EER (equal error rate) is when FAR = FRR. The lower the CER, the better it is

Protection of Information Assets

- Creating individuals' accountability is an OS access control function, not a database access control function
- First step in data classification is to establish data ownership
- Virus scanners look for sequence of bits called signatures which are typical of a virus program

Protection of Information Assets


- SSL (Secure socket layer) uses symmetric encryption
- You need a business continuity plan to recover from a cyber attack
- Digital signatures provide authenticity, nonrepudiation, and integrity, but NO confidentiality
- Anytime you use your private key to encrypt information, you cannot repudiate it later

Business Continuity and Disaster Recovery (28 questions in the exam)


Business Continuity and Disaster Recovery

- Incremental backups have the fastest backup time, differential backups have the fastest recovery time
- RPO is the point to which data must be recovered to resume operations after a disaster/interruption


Business Continuity and Disaster Recovery


- Cold sites have the slowest recovery (drop shipment) and hot sites/replicated sites have the quickest
- When selecting an alternate facility for DR, it is very important that it should not be affected by the same incident
- Outcome/result of BIA is list of critical business processes and their RTOs and RPOs
- Electronic vaulting is backing up of data/files at remote locations over telecom lines.

Business Continuity and Disaster Recovery

- RTO is the maximum delay a business process can tolerate to stay viable
- If you do not know RTO (recovery time objective) for various business processes, you cannot develop strategy for BC
- Residual risk which jeopardizes human life can NOT be treated as acceptable residual risk.

Business Continuity and Disaster Recovery


- Without data to process, all disaster recovery efforts are useless. So, IS auditor during BC audit must verify that data backups are done and stored off-site
- Real time synchronous replication to a remote site is done to ensure low to zero RPO.
- After a BCP has been implemented, a paper test (desktop test) should be done first, then structured walkthrough, and then a full operational test

Business Continuity and Disaster Recovery

- Sequence of a BCP: risk assessment, BIA, develop recovery strategies, develop/test/implement a BC plan
- A recovery technique should not be dependent upon a process, if that process itself could be compromised by the disaster/incident
- Remote electronic vaulting is also called Televaulting.

Business Continuity and Disaster Recovery

- Cross training is a preventive control to mitigate the risk of a single individual knowing it all. It is a must for BC and DR. It is a usual practice to perform CSA to detect such threats.
- DR techniques from expensive to cheap: split processing for RTO, data mirroring for RPO, hot site, warm site, cold site, mobile site, reciprocal agreement

11 Types of Questions


Types of Questions

- Questions to test knowledge
  - Example: What is RTO and RPO
  - They usually are straightforward
- Questions where two answers are very similar
  - Usually one answer is subset of the other
- Questions on Controls
  - All 4 choices look fine
  - But preventive control prevails amongst the choices


Types of Questions (continued)

- Question stem has too much superfluous information
  - You do not need all the information to answer the question
- Case study questions
  - Case study followed by 2 to 4 questions
  - Do not get intimidated, they are easiest to answer

Types of Questions (continued)

- Questions of practical knowledge
  - You have to have practical experience
  - Example: Use of guards outside data center
- Questions requiring mathematical formulas
  - Example: How many symmetric key pairs required by 6 people. Answer: 15
  - Formula: (N x (N-1))/2
- Technical definition
  - Stem defines and asks you what is it?


Types of Questions (continued)

- Dual Negative question
  - "Which of the following is NOT inappropriate" means which of the following three are appropriate
- Good vs. Bad situation
  - Example: which of the following will increase costs of recovery (look for something bad)
  - Which of the following will speed up recovery (look for something good)

Types of Questions (continued)

- Poorly worded questions
  - Poor grammar, wrong punctuation
  - Remember that questions are contributed globally


24 Final Suggestions


Dos and Don'ts

- If you can, choose to take test in English language
- Best overall vs. amongst choices
- First overall vs. amongst choices
- Concern is not always bad
- Highest Priority
- Most Critical
- It is a Global Profession
  - Don't think of how you do it in your company
- Don't overeat. Blood rushes to the stomach to digest food while it is needed in your brain to understand the questions
- Take a good night's sleep the night before (remember it is always a Friday the evening before)

Dos and Don'ts

- Plan on reaching the examination center at least 2 hours before the exam. Provide for delays due to accidents, traffic jams, cop stopping you for speeding etc.
- Don't get tense or nervous. Tension is a state of mind not a state of being.
- Even if you think that you know the answer from first few choices, read all choices anyway.
- You have one hour (60 minutes) for each set of 50 questions.
- Feel free to underline key words on the question sheet (e.g. Best, First, Concern, Highest Priority etc.)
- Don't skip answers. You can review them later if you have time. Skipped answer does not give you credit. Guessed answer has 25 percent probability of getting correct.
- You can put a check mark on guessed answers for speedy identification and reviewing them later if you have time.

Dos and Don'ts

- Don't feel discouraged if other candidates are flipping pages faster than you are. Keep your pace. Success depends upon total score, not how fast you flip pages
- Spend all 4 hours even if you finish it earlier. Review the answers. Don't hurry because your friends finished it earlier and are waiting outside for you.
- Not many people feel confident after CISA exam. Don't let it bother you.
- Don't plan any activity after the exam. Go home and relax.
- Expect results around end of July by email. Don't forget to tell your instructor at jayranade@aol.com and the sponsors TechnoDyne University to let them know how you fared.
- Remember, ISACA has two other certifications called CISM and CGEIT. TechnoDyne University organizes those webinars as well
- After you are certified, keep enhancing your knowledge as a life long passion. Passing CISA is the means, not an end in itself.
- Practice ISACA code of ethics. Stakeholders around the world depend upon auditors being ethical.


Questions

- We will consolidate and answer pertinent questions
- Additional questions can be emailed to us up to June 4
- Consolidated questions and answers will be emailed soon to all participants who attend complete webinar/seminar set


Thanks

- To Padma Allen and Reddy Allen for sponsoring this seminar and bearing all the expenses
- George Giraldo, Director of Business Development, for unselfish dedication to this worthy cause
- Peter Syrek for dedication and hard work in spreading the word for these webinars
- Bina Advani for logistics management
- Kari Bruursema for superb operational support
- Pallavi Singh for providing research
- Rob Alti for technical support nobody else can provide
- And lastly, Vinod Raj for everything else

Questions

Contact information
JAYRANADE@TechnodyneUniversity.com
USA +1-917-971-9786

Technodyne University
502 Valley Road, Suite 103 Wayne, NJ 07470 USA

