4/19/2010
Presenting
Jay Ranade
CISA, CISSP, CISM, CBCP New York City
Assisting Jay today will be: Rob Alti and Kari Bruursema
Instructor Introduction
Jay, a certified CISA, CISM, CISSP, and CBCP, is an internationally renowned expert on computers, communications, disaster recovery, IT security, and IT controls. He has written and published more than 35 IT-related books on subjects ranging from networks, security, operating systems, and languages to systems. He also has an imprint with McGraw-Hill, the Jay Ranade Series, with more than 300 books. He has written and published articles for computer magazines such as Byte, LAN Magazine, and Enterprise Systems Journal. The New York Times critically acclaimed his book The Best of Byte. His books have been translated into Mandarin, Korean, Spanish, Japanese, Portuguese, and German. Jay has consulted and worked for Global and Fortune 500 companies in the US and abroad, including American International Group, Time Life, Merrill Lynch, Dreyfus/Mellon Bank, Johnson and Johnson, Unisys, McGraw-Hill, Mobiltel Bulgaria, and Credit Suisse. He was a member of ISACA International's Publications Committee for 2005-2007. He teaches exam preparation classes globally for CISA, CISM, CISSP, CBCP, CGEIT, and CIA. He also teaches graduate-level classes on Information Security Management and Ethical Risk Management at New York University and IT Auditing at St. John's University. Jay is Director of Education for TechnoDyne University, the premier educational institution in certification-related and GRC-related education. He is a four-time world champion in arm wrestling and a two-time world champion (2002 and 2003) in martial arts breaking. He has appeared on ESPN and ESPN2 numerous times.
technodyne
www.technodyneuniversity.com
Instructor Information
Contact information
JAYRANADE@technodyneuniversity.com
USA +1-917-971-9786
TechnoDyne University
502 Valley Road, Suite 103 Wayne, NJ 07470 USA
Welcome to all
Global participation from every time zone
All continents represented
Registrations from 43-plus countries
Questions can be sent at any time
Consolidated answers will be sent to all participants who stay until the end of this presentation
Format of the Seminar
2 presentations of 85 minutes each, with a 10-minute break
72 key concepts of the CBK in CISA questions (derived from 786 axioms)
11 types of questions in the exam
24 final suggestions for before and during the exam
Purpose of this seminar
To give a last boost of knowledge to push your score beyond 75 percent, the minimum requirement for the CISA exam
Discuss those topics which are most often misunderstood by CISA exam candidates
Discuss techniques for answering questions
Material derived from Jay Ranade's 786 one-line memory aids for the CISA exam, called Axioms
Remember
It is a global exam; don't apply your own shop knowledge
If you are a CISSP, remember that CISA is about controls, not technology
Each question has a stem and 4 possible answers. Usually 2 of the answers can be thrown out. There is only one correct answer
Remember
Preventive controls take preference over detective controls
Think from a business perspective, not an IT perspective
CISA exam questions which were correct in the past may be incorrect now
Don't use old manuals, axioms, or Q/A CDs. Examples: OS patches, WEP vs. WPA wireless security, biometrics hand geometry
Audit Process
Whether segregation of duties is being followed or not can best be determined by observation
Principle of DOPESS
If the auditor implemented the controls in a particular department (as a previous job function), those controls cannot be audited by the same auditor, because that would compromise independence
In risk-based audit planning, audit resources are allocated to the areas of highest concern and risk
Audit Process (cont.)
Finding a material weakness is not based on professional judgment during the audit; it is based on experience, competence, and thoroughness in planning as well as execution of the audit
Controls are placed at various points in a system as the data flows from one point to the other. These controls are preventive, detective, and corrective. An auditor should be aware of the points where the controls are placed
In a forensic investigation, the chain of custody of the evidence must be established for the court
Audit Process (cont.)
If the compliance tests indicate that there are sufficient internal controls, substantive tests can be minimized
Audit hooks are best when only selected transactions need to be examined or reviewed
If an auditee takes immediate corrective action to correct the auditor's findings, the auditor should still report the finding, with the mention that corrective action has been taken. Reporting the finding is a must
IT Governance
Lack of senior management's interest in strategic IT planning means that IT is not aligned with the organization's business objectives
CMM has 5 maturity levels. Maturity level 3 (defined) is the lowest level at which a balanced scorecard (BSC) exists. It does not exist at levels 1 and 2
Control objectives must be established before controls are implemented. An auditor must understand control objectives to understand the purpose or desired results of control procedures
IT Governance (cont.)
One of the strong compensating controls for DBA activity is to ensure that the DBA cannot delete activity logs. The activity log is a strong detective control for DBA activities
The purpose of performance measurement is to optimize performance. What cannot be measured cannot be improved either
Lack of sufficient security controls is a vulnerability, not a threat
IT Governance (cont.)
A security awareness program provides training on a regular basis to new and current employees and contingent workers
A good security policy will have a provision for response management for security-related incidents (e.g. intrusion, worm, virus, DDoS participation, etc.)
If top management intervenes in decisions on technology implementation and meeting business requirements, it denotes proper IT governance
IT Governance (cont.)
Core business activities of an organization are not outsourced, because that is what gives it differentiated advantage. If such an activity is outsourced, it would be a concern to an IT auditor
A mandatory one-week vacation in financial institutions is a detective control to find out illegal acts or improprieties, if any
Accountability for the corporate security policy for outsourced processes (IT or otherwise) always stays with the outsourcer
IT Governance (cont.)
One of the first steps in creating a firewall policy is to identify the network applications which need to be accessed externally
Risk management is all about protecting assets. Therefore the first step in a risk management program is to take an inventory of assets
The IT strategy committee takes into account future business direction, future technological innovations, and regulatory compliance considerations
The quality of metadata is an important factor in the design of a data warehouse
While donating or disposing of used computers, the organization must ensure that confidentiality is not compromised. Tapes must be degaussed and magnetic disks must be demagnetized. This is also known as media sanitization
If you are planning for an ISACA certification exam in June 2010, Jay Ranade provides full, in-depth ISACA certification training courses. Go to www.technodyneuniversity.com to sign up today. Jay has an over 90% exam pass rate and satisfaction is guaranteed.
Protection of Information Assets
Validated digital signatures in an email help detect spam
An IDS cannot detect attacks in encrypted traffic
A sender encrypting a message using his/her private key provides nonrepudiation but not confidentiality
Protection of Information Assets
Traffic analysis is a passive attack to determine potential network vulnerabilities
Port scanning usually precedes an attack
Data transmitted in a wireless LAN is best protected if the session is encrypted using dynamic keys. Static keys used over a long period have a probability of being compromised
Protection of Information Assets
Creating individual accountability is an OS access control function, not a database access control function
The first step in data classification is to establish data ownership
Virus scanners look for sequences of bits called signatures which are typical of a virus program
Business Continuity and Disaster Recovery
Incremental backups have the fastest backup time; differential backups have the fastest recovery time
RPO is the point to which data must be recovered to resume operations after a disaster/interruption
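The backup trade-off stated above, as an added illustration that is not part of the original slides: a small Python simulation over a constructed week of file changes, showing that incremental sets are the smallest per run while a differential restore needs only the full set plus the latest differential. The day-by-day file states are constructed sample data.

```python
# Added example (not from the slides): incremental vs differential backup
# schedules over a constructed week of file changes. Compare backup size per
# run with the number of backup sets needed to restore the latest state.
from copy import deepcopy

# Constructed sample: file set after each day's changes (day 0 is the baseline
# the full backup is taken from). Values stand for file contents; the sample
# never deletes a file, so no delete marker is needed here.
DAILY_STATE = [
    {"a.txt": "v1", "b.txt": "v1", "c.txt": "v1"},                 # day 0: full backup
    {"a.txt": "v2", "b.txt": "v1", "c.txt": "v1"},                 # day 1: a changed
    {"a.txt": "v2", "b.txt": "v2", "c.txt": "v1"},                 # day 2: b changed
    {"a.txt": "v2", "b.txt": "v2", "c.txt": "v1", "d.txt": "v1"},  # day 3: d added
    {"a.txt": "v3", "b.txt": "v2", "c.txt": "v1", "d.txt": "v1"},  # day 4: a changed again
]

def changed_since(reference, current):
    """Files that are new or modified relative to the reference state."""
    return {name: data for name, data in current.items() if reference.get(name) != data}

def run_schedule(states, mode):
    """Take a full backup on day 0, then one partial backup per later day.
    Returns (backup sets, number of files stored by each set).
    'incremental' diffs against the previous backup of any kind;
    'differential' always diffs against the last full backup."""
    full = deepcopy(states[0])
    sets, sizes = [full], [len(full)]
    reference = full
    for current in states[1:]:
        delta = changed_since(reference, current)
        sets.append(delta)
        sizes.append(len(delta))
        if mode == "incremental":
            reference = current  # next run captures only what changes after today
    return sets, sizes

def restore_latest(sets, mode):
    """Rebuild the latest state from the backup sets; return (state, sets applied).
    Incremental: full plus every incremental in order (long chain, slower recovery).
    Differential: full plus only the most recent differential (short chain)."""
    state = deepcopy(sets[0])
    needed = sets[1:] if mode == "incremental" else sets[-1:]
    for delta in needed:
        state.update(delta)
    return state, 1 + len(needed)

if __name__ == "__main__":
    for mode in ("incremental", "differential"):
        sets, sizes = run_schedule(DAILY_STATE, mode)
        print(mode, "files per run:", sizes, "sets to restore:", restore_latest(sets, mode)[1])
```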
Business Continuity and Disaster Recovery
RTO is the maximum delay a business process can tolerate and stay viable
If you do not know the RTO (recovery time objective) for the various business processes, you cannot develop a strategy for BC
Residual risk which jeopardizes human life can NOT be treated as acceptable residual risk
Business Continuity and Disaster Recovery
Sequence of BCP: risk assessment, BIA, develop recovery strategies, develop/test/implement a BC plan
A recovery technique should not depend on a process if that process itself could be compromised by the disaster/incident
Remote electronic vaulting is also called televaulting
Business Continuity and Disaster Recovery
Cross training is a preventive control to mitigate the risk of a single individual knowing it all. It is a must for BC and DR. It is usual practice to perform CSA to detect such threats
DR techniques from expensive to cheap: split processing for RTO, data mirroring for RPO, hot site, warm site, cold site, mobile site, reciprocal agreement
11 Types of Questions
Types of Questions (cont.)
Questions to test knowledge
Example: What are RTO and RPO? These are usually straightforward
Questions on controls
All 4 choices look fine, but the preventive control prevails amongst the choices
Types of Questions (cont.)
Questions of practical knowledge
You have to have practical experience. Example: use of guards outside a data center
Technical definition
The stem defines something and asks you what it is
24 Final Suggestions
Questions
We will consolidate and answer pertinent questions
Additional questions can be emailed to us up to June 4
Consolidated questions and answers will be emailed soon to all participants who attend the complete webinar/seminar set
Thanks
To Padma Allen and Reddy Allen for sponsoring this seminar and bearing all the expenses
George Giraldo, Director of Business Development, for unselfish dedication to this worthy cause
Peter Syrek for dedication and hard work in spreading the word for these webinars
Bina Advani for logistics management
Kari Bruursema for superb operational support
Pallavi Singh for providing research
Rob Alti for technical support nobody else can provide
And lastly, Vinod Raj for everything else
Questions
Contact information
JAYRANADE@TechnodyneUniversity.com USA +1-917-971-9786
Technodyne University
502 Valley Road, Suite 103, Wayne, NJ 07470 USA