
Page 1: CISA Global Webinar I-2010V8 - Weeks 1 - Free

Live From New York City: Global Webinar

CISA Exam Refresher Class, Spring 2010

Presenting: CISA Exam Refresher Class, Spring 2010

Instructor: Jay Ranade, CISA, CISSP, CISM, CBCP, New York City

Assisting Jay today will be: Rob Alti and Kari Bruursema

Copyright TechnoDyne University 4/19/2010

Confidential & Proprietary - Not for Resale or Distribution 1

www.technodyneuniversity.com, April 2010 (© technodyne)

Slide 3: Instructor Introduction

Jay, a certified CISA, CISM, CISSP, and CBCP, is an internationally renowned expert on computers, communications, disaster recovery, IT security, and IT controls. He has written and published more than 35 IT-related books on subjects ranging from networks, security, and operating systems to languages and systems. He also has an imprint with McGraw-Hill of more than 300 books called the "Jay Ranade Series". He has written and published articles for computer magazines such as Byte, LAN Magazine, and Enterprise Systems Journal. The New York Times critically acclaimed his book "Best of Byte". His books have been translated into Mandarin, Korean, Spanish, Japanese, Portuguese, and German.

Jay has consulted and worked for global and Fortune 500 companies in the US and abroad, including American International Group, Time Life, Merrill Lynch, Dreyfus/Mellon Bank, Johnson and Johnson, Unisys, McGraw-Hill, Mobiltel Bulgaria, and Credit Suisse. He was a member of ISACA International's Publications Committee for 2005-2007.

He teaches exam preparation classes globally for CISA, CISM, CISSP, CBCP, CGEIT, and CIA. He also teaches graduate-level classes on Information Security Management and Ethical Risk Management at New York University and IT Auditing at St. John's University.

Jay is Director of Education for TechnoDyne University, the premier educational institution in certification-related and GRC-related education.

He is a four-time world champion in arm wrestling and a two-time world champion (2002 and 2003) in martial arts breaking. He has appeared on ESPN and ESPN2 numerous times.

Slide 4: Instructor Information

• Contact information
  – [email protected]
  – USA +1-917-971-9786
• TechnoDyne University, 502 Valley Road, Suite 103, Wayne, NJ 07470, USA

Slide 5: Welcome to All

• Global participation from every time zone
• All continents represented
• Registrations from 43-plus countries
• Questions can be sent at any time
• Consolidated answers will be sent to all participants who stay until the end of this presentation

Slide 6: Format of the Seminar

• 2 presentations of 85 minutes each, with a 10-minute break
• 72 key concepts of the CBK in CISA questions (derived from 786 axioms)
• 11 types of questions in the exam
• 24 final suggestions for before and during the exam

Slide 7: What We Expect From You

• That you have done exam preparation. This 3-hour seminar is to enhance your knowledge, not to teach you from scratch
• That you have studied prior to today's class. Usually, candidates spend 200-plus hours on CISA exam studies, in addition to attending a 30-40 hour seminar from an expert instructor
• That you have some level of IT, audit, controls, or security background

Slide 8: Purpose of This Seminar

• To give a last boost of knowledge to push your score beyond 75 percent, the minimum requirement for the CISA exam
• Discuss those topics which are most often misunderstood by CISA exam candidates
• Discuss techniques to answer questions
• Material derived from Jay Ranade's 786 one-line memory aids for the CISA exam, called "Axioms"

Slide 9: Remember

• It is a global exam; don't apply your own shop knowledge
• If you are a CISSP, remember that CISA is about controls, not technology
• Each question has a stem and 4 possible answers. Usually 2 of the answers can be thrown out
• There is only one correct answer

Slide 10: Remember

• Preventive controls take preference over detective controls
• Think from the business perspective, not the IT perspective
• CISA exam questions which were correct in the past may be incorrect now
  – Don't use old manuals, axioms, or Q/A CDs
  – Examples: OS patches, WEP vs. WPA wireless security, biometric hand geometry

Slide 11: Audit Process (20 questions in the exam)

Slide 12: Audit Process

• Whether segregation of duties is being followed can best be determined by observation
  – Principle of DOPESS
• If the auditor implemented the controls in a particular department (as a previous job function), these controls cannot be audited by the same auditor, because that would compromise independence
• In risk-based audit planning, audit resources are allocated to the areas of highest concern and risk

Slide 13: Audit Process

• Finding a material weakness is not based on professional judgment during the audit; it is based on experience, competence, and thoroughness in the planning as well as the execution of the audit
• Controls are placed at various points in a system as the data flows from one point to another. These controls are preventive, detective, and corrective. An auditor should be aware of the points where the controls are placed
• In a forensic investigation, the chain of custody of the evidence must be established for the court

Slide 14: Audit Process

• If the compliance tests indicate that there are sufficient internal controls, substantive tests can be minimized
• Audit hooks are best when only selected transactions need to be examined or reviewed
• If an auditee takes immediate corrective action on the auditor's findings, the auditor should still report the finding, with the mention that corrective action has been taken. Reporting the finding is a must

Slide 15: IT Governance (30 questions in the exam)

Slide 16: IT Governance

• Lack of senior management's interest in strategic IT planning means that IT is not aligned with the organization's business objectives
• CMM has 5 maturity levels. Maturity level 3 (defined) is the lowest level at which a balanced scorecard (BSC) exists. It does not exist at levels 1 and 2
• Control objectives must be established before controls are implemented. An auditor must understand the control objectives to understand the purpose or desired results of control procedures

Slide 17: IT Governance

• One of the strong compensating controls for DBA activity is to ensure that the DBA cannot delete activity logs. The activity log is a strong detective control for DBA activities
• The purpose of performance measurement is to optimize performance. What cannot be measured cannot be improved either
• Lack of sufficient security controls is a vulnerability, not a threat

Slide 18: IT Governance

• A security awareness program provides training on a regular basis to new and current employees and contingent workers
• A good security policy will have provision for response management for security-related incidents (e.g. intrusion, worm, virus, DDoS participation, etc.)
• If top management intervenes in decisions on technology implementation and meeting business requirements, it denotes proper IT governance

Slide 19: IT Governance

• Core business activities of an organization are not outsourced, because that is what gives it a differentiated advantage. If such an activity is outsourced, it would be a concern to an IT auditor
• Mandatory one-week vacation in financial institutions is a detective control to find out illegal acts or improprieties, if any
• Accountability for the corporate security policy for outsourced processes (IT or otherwise) always stays with the outsourcer

Slide 20: IT Governance

• One of the first steps in creating a firewall policy is to identify the network applications which need to be externally accessed
• Risk management is all about protecting assets. Therefore the first step in a risk management program is to take an inventory of assets
• The IT strategy committee takes into account future business direction, future technological innovations, and regulatory compliance considerations

Slide 21: System and Infrastructure Lifecycle Management (32 questions in the exam)

Slide 22: System and Infrastructure Lifecycle Management

• Baselining is a cutoff point during the development phase beyond which additional change requests or enhancement requests cannot occur. Such changes/enhancements could only be considered by following strict procedures for cost-benefit analysis and approval
• System usability is measured by the end-user perception of the system
• Lack of documentation is usually the risk associated with the agile development process

Slide 23: System and Infrastructure Lifecycle Management

• The main benefit of integrating TQM (total quality management) into a software development project is end-user satisfaction, not cost control, meeting delivery dates, or proper documentation
• The steering committee performs the financial evaluation of a project
• The waterfall lifecycle model of software development is best suited when application system development requirements are well understood and expected to remain stable

Slide 24: System and Infrastructure Lifecycle Management

• User management assumes ownership of the project and the resulting system (not the steering committee, the IT project manager, or senior management)
• If you do not know the requirements baseline, the best method for development would be agile, because agile development follows an adaptive approach
• Senior management approves the project and the resources it needs. The project steering committee monitors costs and timelines and provides overall direction. The technical project manager provides technical support

Slide 25: System and Infrastructure Lifecycle Management

• In the timebox method of development, having a baseline is very important, because the project is completed in a fixed-time development effort
  – Deliverable, Time, and Resources
• Quality of metadata is an important factor in the design of a data warehouse
• While donating or disposing of used computers, the organization must ensure that confidentiality is not compromised. Tapes must be degaussed and magnetic disks must be demagnetized. This is also known as media sanitization

Slide 26: System and Infrastructure Lifecycle Management

• Run-to-run totals provide assurance that data converted from an old system to a new file system contains all the important elements
• Bottom-up software development and testing ensures that errors in critical modules are detected early in the process
• A top-down software development and testing approach ensures that interface errors are detected and that critical functions are tested early
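The run-to-run totals bullet, worked through as an added example (code written for this page, not taken from the slides): control totals taken on the old system's export are carried forward and recomputed on the converted records, and any total that disagrees flags a lost, duplicated or altered record. The record layout, the account numbers and the amounts are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Record is one converted row; the amount is kept in cents to avoid float drift.
type Record struct {
	AccountID  int
	AmountCent int64
}

// ControlTotals are the run-to-run totals carried from the old system's run to
// the new system's load: a record count, a financial total, and a hash total
// (the sum of a non-financial key field, here the account ID).
type ControlTotals struct {
	Records   int
	Amount    int64
	HashTotal int64
}

// totals computes the control totals over a batch of records.
func totals(batch []Record) ControlTotals {
	var t ControlTotals
	for _, r := range batch {
		t.Records++
		t.Amount += r.AmountCent
		t.HashTotal += int64(r.AccountID)
	}
	return t
}

// parseLegacy reads the old system's export, one "account,amount" line per
// record (a constructed format for this example).
func parseLegacy(export string) ([]Record, error) {
	var out []Record
	for _, line := range strings.Split(strings.TrimSpace(export), "\n") {
		parts := strings.Split(strings.TrimSpace(line), ",")
		if len(parts) != 2 {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		id, err := strconv.Atoi(parts[0])
		if err != nil {
			return nil, err
		}
		amt, err := strconv.ParseInt(parts[1], 10, 64)
		if err != nil {
			return nil, err
		}
		out = append(out, Record{AccountID: id, AmountCent: amt})
	}
	return out, nil
}

// reconcile compares the totals of the source run with the totals recomputed
// on the converted data and lists every total that disagrees.
func reconcile(source, converted ControlTotals) []string {
	var findings []string
	if source.Records != converted.Records {
		findings = append(findings, fmt.Sprintf("record count %d -> %d", source.Records, converted.Records))
	}
	if source.Amount != converted.Amount {
		findings = append(findings, fmt.Sprintf("amount total %d -> %d", source.Amount, converted.Amount))
	}
	if source.HashTotal != converted.HashTotal {
		findings = append(findings, fmt.Sprintf("hash total %d -> %d", source.HashTotal, converted.HashTotal))
	}
	return findings
}

// Constructed legacy export: three accounts.
const legacyExport = `1001,25000
1002,-4000
1003,99900`

func main() {
	src, _ := parseLegacy(legacyExport)
	srcTotals := totals(src)

	// A correct conversion keeps every record, so all three totals agree.
	good := append([]Record{}, src...)
	fmt.Println("clean conversion findings:", reconcile(srcTotals, totals(good)))

	// A conversion that silently dropped account 1002 trips all three totals;
	// a mistyped account number would be caught by the hash total alone.
	bad := []Record{src[0], src[2]}
	fmt.Println("lossy conversion findings:", reconcile(srcTotals, totals(bad)))
}
```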

Slide 27: System and Infrastructure Lifecycle Management

• An escrow agreement is a must when licensing software from small companies
• Regression testing is used to ensure that an application change has not altered system functionality in unintended ways. The data used in the regression test is the same as was used to perform the test before the change was enacted
• An auditor assigned to audit a reorganized BPR project should get the old process flow and the new process flow and ensure adequate controls in the new process

Slide 28: System and Infrastructure Lifecycle Management

• Program reverse engineering usually involves reversing machine code into source code to understand its logic. It is usually done to understand a program whose source code has been lost
• EVA (earned value analysis) is an industry standard for measuring the progress of a project at any stage. It compares the planned amount of work with the completed amount of work
• Prototyping always starts with high-level functions first, so effective testing for such functions is top-down. RAD uses prototyping as its core strategy

Slide 29: TDU's ISACA Exam Training Courses

• If you are planning for an ISACA certification exam in June 2010, Jay Ranade provides full, in-depth ISACA certification training courses
• Go to www.technodyneuniversity.com to sign up today. Jay has an over 90% exam pass rate and satisfaction is guaranteed

Slide 30: IT Service Delivery and Support (28 questions in the exam)

Slide 31: IT Service Delivery and Support

• Hardware maintenance programs must be aligned with vendor specifications
• When reviewing or auditing 3rd-party IT service providers, the auditor's main concern would be whether the services are provided as per the contractual agreement
• Continuity of IT services must provide assurance that the agreed-upon SLA meets the obligations to external customers and internal clients

Slide 32: IT Service Delivery and Support

• Firewalls prevent external attacks (Internet to intranet), while activity logs detect internal attacks or misuse (within the intranet)
• A screened subnet firewall implementation is a very secure implementation. It uses two packet-filtering routers and a bastion host. It supports both application-level and network-level security. It is also called a DMZ implementation. It provides the BEST protection against Internet attacks
• SOAP (simple object access protocol) is a platform-independent protocol for exchanging XML-based messages over computer networks, normally using HTTP

Slide 33: IT Service Delivery and Support

• When patches that take care of vulnerabilities are received, the first step should be to ensure that the source of the patches is authentic
• Risk management planning against cyber attacks begins with identifying critical information assets first
• In a LAN environment, separate conduits should be used for data and electrical cables. Electrical cables can generate electromagnetic fields which can cause transmission errors in the data cables

Slide 34: IT Service Delivery and Support

• ACID test for a DBMS
  – A = Atomicity
  – C = Consistency
  – I = Isolation
  – D = Durability

Slide 35: Protection of Information Assets (62 questions in the exam)

Slide 36: Protection of Information Assets

• Validated digital signatures in an email help detect spam
• An IDS cannot detect attacks in encrypted traffic
• A sender encrypting a message using his/her private key provides non-repudiation but not confidentiality

Slide 37: Protection of Information Assets

• Traffic analysis is a passive attack to determine potential network vulnerabilities
• Port scanning usually precedes an attack
• Data transmitted in a wireless LAN is best protected if the session is encrypted using dynamic keys. Static keys used over a long period have a probability of being compromised


Slide 39: Protection of Information Assets

• A sender encrypting a message using the receiver's public key provides confidentiality but not non-repudiation
• Authenticity and confidentiality can be ensured by first encrypting the message using the sender's private key and then encrypting the result again using the receiver's public key
• Two-factor authentication can be compromised by a man-in-the-middle attack

Slide 40: Protection of Information Assets

• One way to break the safety of SSL is to establish a fake SSL server, accept the user's SSL traffic on the fake server, then route from the fake server to the real server, and thus compromise the information. Thus SSL could be a target for a man-in-the-middle attack
• Key logging can circumvent normal authentication but not two-factor authentication
• CER (crossover error rate) or EER (equal error rate) is the point where FAR = FRR. The lower the CER, the better
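The CER/EER bullet above, worked through as an added example (code written for this page, not from the slides): constructed matcher scores for genuine and impostor attempts, FAR and FRR computed at each candidate threshold, and the crossover located. The score values are made up for illustration and do not describe any real device.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Constructed matcher scores on a 0-100 scale: higher means "closer to the
// enrolled template". Genuine attempts should score high and impostor attempts
// low; the overlap (60-72) is where the two error rates trade off.
var genuineScores = []float64{91, 88, 84, 79, 76, 73, 70, 68, 65, 60}
var impostorScores = []float64{22, 30, 35, 41, 47, 52, 58, 63, 67, 72}

// far is the false acceptance rate at a threshold: the fraction of impostor
// attempts whose score reaches the threshold and is therefore accepted.
func far(impostor []float64, threshold float64) float64 {
	accepted := 0
	for _, s := range impostor {
		if s >= threshold {
			accepted++
		}
	}
	return float64(accepted) / float64(len(impostor))
}

// frr is the false rejection rate at a threshold: the fraction of genuine
// attempts whose score falls below the threshold and is therefore rejected.
func frr(genuine []float64, threshold float64) float64 {
	rejected := 0
	for _, s := range genuine {
		if s < threshold {
			rejected++
		}
	}
	return float64(rejected) / float64(len(genuine))
}

// crossoverErrorRate sweeps every distinct score as a candidate threshold and
// returns the threshold at which FAR and FRR are closest, together with the
// error rate there. That rate is the CER/EER: one number for comparing
// devices, where lower means genuine users and impostors are better separated.
func crossoverErrorRate(genuine, impostor []float64) (threshold, cer float64) {
	candidates := append(append([]float64{}, genuine...), impostor...)
	sort.Float64s(candidates)
	bestGap := math.Inf(1)
	for _, t := range candidates {
		a, r := far(impostor, t), frr(genuine, t)
		if gap := math.Abs(a - r); gap < bestGap {
			bestGap, threshold, cer = gap, t, (a+r)/2
		}
	}
	return threshold, cer
}

func main() {
	// Raising the threshold lowers FAR (fewer impostors accepted) and raises
	// FRR (more genuine users locked out); the table makes the trade-off visible.
	for _, t := range []float64{55, 60, 65, 70, 75} {
		fmt.Printf("threshold %2.0f  FAR %.2f  FRR %.2f\n", t, far(impostorScores, t), frr(genuineScores, t))
	}
	t, cer := crossoverErrorRate(genuineScores, impostorScores)
	fmt.Printf("crossover at threshold %.0f with CER %.2f\n", t, cer)
}
```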

Slide 41: Protection of Information Assets

• Creating individual accountability is an OS access control function, not a database access control function
• The first step in data classification is to establish data ownership
• Virus scanners look for sequences of bits called signatures which are typical of a virus program

Slide 42: Protection of Information Assets

• SSL (Secure Sockets Layer) uses symmetric encryption
• You need a business continuity plan to recover from a cyber attack
• Digital signatures provide authenticity, non-repudiation, and integrity, but NO confidentiality
• Any time you use your private key to encrypt information, you cannot repudiate it later
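The private-key and public-key axioms on slides 36, 39 and 42 as one worked example (added here; not code from the slides). Modern libraries do not literally "encrypt with the private key" as the slides phrase it: the example uses an RSA-PSS signature for the sender's private-key operation and RSA-OAEP for encryption to the receiver's public key, which gives the same sign-then-encrypt construction. The key pairs and the message are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what crosses the network. The ciphertext gives confidentiality
// (only the receiver's private key opens it); the signature gives authenticity,
// integrity and non-repudiation (only the sender's private key could make it).
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// newKey generates a fresh 2048-bit RSA key pair for the example.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// signWith is the sender's private-key operation. Anyone holding the sender's
// public key can verify the result, so it proves origin but hides nothing:
// non-repudiation without confidentiality.
func signWith(senderPriv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, h[:], nil)
}

// encryptTo is the receiver's public-key operation. Only the receiver can read
// the result, but since the public key is public, anybody could have produced
// it: confidentiality without non-repudiation.
func encryptTo(receiverPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, msg, nil)
}

// seal does both, in the slide's order: first the sender's private key (sign),
// then the receiver's public key (encrypt). The signature travels beside the
// ciphertext here; a production protocol would wrap it inside the encrypted payload.
func seal(senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey, msg []byte) (Envelope, error) {
	sig, err := signWith(senderPriv, msg)
	if err != nil {
		return Envelope{}, err
	}
	ct, err := encryptTo(receiverPub, msg)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: ct, Signature: sig}, nil
}

// open reverses seal: decrypt with the receiver's private key, then verify the
// signature against the claimed sender's public key. A message altered in
// transit, or one the claimed sender never signed, is rejected.
func open(receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey, e Envelope) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, e.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, h[:], e.Signature, nil); err != nil {
		return nil, errors.New("signature does not verify: altered, or not from the claimed sender")
	}
	return msg, nil
}

func main() {
	alice, bob, mallory := newKey(), newKey(), newKey()
	msg := []byte("transfer 100 to account 42") // constructed sample message

	env, _ := seal(alice, &bob.PublicKey, msg)
	got, err := open(bob, &alice.PublicKey, env)
	fmt.Println("bob reads:", string(got), "err:", err, "intact:", bytes.Equal(got, msg))

	// Encryption alone gives bob no proof of origin: anyone can encrypt to
	// bob's public key, so a ciphertext without a signature is not accepted.
	_, err = open(bob, &alice.PublicKey, Envelope{Ciphertext: env.Ciphertext})
	fmt.Println("no signature:", err)

	// A signature made with someone else's private key fails the check, which
	// is the flip side of alice being unable to deny a message she did sign.
	forged, _ := seal(mallory, &bob.PublicKey, msg)
	_, err = open(bob, &alice.PublicKey, forged)
	fmt.Println("mallory claiming to be alice:", err)
}
```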

Slide 43: Business Continuity and Disaster Recovery (28 questions in the exam)

Slide 44: Business Continuity and Disaster Recovery

• Incremental backups have the fastest backup time; differential backups have the fastest recovery time
• RPO is the point to which data must be recovered to resume operations after a disaster/interruption
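The incremental-versus-differential axiom above, simulated over one constructed week as an added example (code written for this page, not from the slides): a full backup on Sunday, a change set for each weekday, and for each strategy the file copies written each night and the images that must be read back to restore Friday's state. File names and change sets are made up for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Day is one working day after the Sunday full backup, with the files that
// changed during that day. The week below is a constructed sample.
type Day struct {
	Name    string
	Changed []string
}

var week = []Day{
	{"Mon", []string{"ledger.db"}},
	{"Tue", []string{"ledger.db", "payroll.xls"}},
	{"Wed", []string{"contracts.docx"}},
	{"Thu", []string{"ledger.db"}},
	{"Fri", []string{"ledger.db", "contracts.docx", "hr.csv"}},
}

// incrementalSets returns what each nightly incremental backup holds: only the
// files changed since the previous backup of any kind, i.e. that day's change
// set. The images stay small, so the nightly backup window is short.
func incrementalSets(days []Day) [][]string {
	var sets [][]string
	for _, d := range days {
		sets = append(sets, sorted(d.Changed))
	}
	return sets
}

// differentialSets returns what each nightly differential backup holds: every
// file changed since the last FULL backup, so each image is the union of all
// change sets so far and grows as the week goes on.
func differentialSets(days []Day) [][]string {
	var sets [][]string
	seen := map[string]bool{}
	for _, d := range days {
		for _, f := range d.Changed {
			seen[f] = true
		}
		union := make([]string, 0, len(seen))
		for f := range seen {
			union = append(union, f)
		}
		sets = append(sets, sorted(union))
	}
	return sets
}

// filesCopied is the number of file copies written over the week: the
// backup-time cost of a strategy.
func filesCopied(sets [][]string) int {
	n := 0
	for _, s := range sets {
		n += len(s)
	}
	return n
}

// restoreChain lists the images that must be read back, oldest first, to
// rebuild the state after the last day: the recovery-time cost. Incremental
// needs the full backup plus every incremental since it; differential needs
// the full backup plus only the latest differential.
func restoreChain(strategy string, days []Day) []string {
	chain := []string{"Sun-full"}
	switch strategy {
	case "incremental":
		for _, d := range days {
			chain = append(chain, d.Name+"-inc")
		}
	case "differential":
		chain = append(chain, days[len(days)-1].Name+"-diff")
	default:
		panic("unknown strategy " + strategy)
	}
	return chain
}

// sorted returns a sorted copy so that output and tests are deterministic.
func sorted(files []string) []string {
	out := append([]string{}, files...)
	sort.Strings(out)
	return out
}

func main() {
	inc, diff := incrementalSets(week), differentialSets(week)
	for i, d := range week {
		fmt.Printf("%s  incremental %v  differential %v\n", d.Name, inc[i], diff[i])
	}
	fmt.Printf("file copies written: incremental %d, differential %d\n", filesCopied(inc), filesCopied(diff))
	fmt.Printf("images read to restore Friday: incremental %v, differential %v\n",
		restoreChain("incremental", week), restoreChain("differential", week))
}
```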

Slide 45: Business Continuity and Disaster Recovery

• Cold sites have the slowest recovery (drop shipment) and hot sites/replicated sites have the quickest
• When selecting an alternate facility for DR, it is very important that it should not be affected by the same incident
• The outcome/result of a BIA is a list of critical business processes and their RTOs and RPOs
• Electronic vaulting is the backing up of data/files at remote locations over telecom lines

Slide 46: Business Continuity and Disaster Recovery

• RTO is the maximum delay a business process can tolerate and stay viable
• If you do not know the RTO (recovery time objective) for the various business processes, you cannot develop a strategy for BC
• Residual risk which jeopardizes human life can NOT be treated as acceptable residual risk

Slide 47: Business Continuity and Disaster Recovery

• Without data to process, all disaster recovery efforts are useless. So the IS auditor, during a BC audit, must verify that data backups are done and stored off-site
• Real-time synchronous replication to a remote site is done to ensure a low to zero RPO
• After a BCP has been implemented, a paper test (desktop test) should be done first, then a structured walkthrough, and then a full operational test

Slide 48: Business Continuity and Disaster Recovery

• Sequence of a BCP: risk assessment, BIA, develop recovery strategies, develop/test/implement a BC plan
• A recovery technique should not be dependent upon a process if that process itself could be compromised by the disaster/incident
• Remote electronic vaulting is also called "televaulting"

Slide 49: Business Continuity and Disaster Recovery

• Cross-training is a preventive control to mitigate the risk of a single individual knowing it all. It is a must for BC and DR. It is usual practice to perform a CSA to detect such threats
• DR techniques from expensive to cheap: split processing for RTO, data mirroring for RPO, hot site, warm site, cold site, mobile site, reciprocal agreement

Slide 50: 11 Types of Questions

Slide 51: Types of Questions

• Questions to test knowledge
  – Example: What are RTO and RPO?
  – They are usually straightforward
• Questions where two answers are very similar
  – Usually one answer is a subset of the other
• Questions on controls
  – All 4 choices look fine
  – But the preventive control prevails amongst the choices

Slide 52: Types of Questions

• Question stem has too much superfluous information
  – You do not need all the information to answer the question
• Case study questions
  – Case study followed by 2 to 4 questions
  – Do not get intimidated; they are the easiest to answer

Slide 53: Types of Questions

• Questions of practical knowledge
  – You have to have practical experience
  – Example: Use of guards outside a data center
• Questions requiring mathematical formulas
  – Example: How many symmetric keys (one per pair of people) are required by 6 people? Answer: 15
  – Formula: (N x (N-1))/2, because each of the N people shares one key with each of the other N-1 people, and that count includes every shared key twice
• Technical definition
  – The stem defines something and asks you what it is

Slide 54: Types of Questions

• Dual-negative question
  – "Which of the following is NOT inappropriate" means "which of the following is appropriate"
• Good vs. bad situation
  – Example: Which of the following will increase the costs of recovery? (look for something bad)
  – Which of the following will speed up recovery? (look for something good)

Slide 55: Types of Questions

• Poorly worded questions
  – Poor grammar, wrong punctuation
  – Remember that questions are contributed globally

Slide 56: 24 Final Suggestions

Slide 57: Do's and Don'ts

• If you can, choose to take the test in the "English" language
• Best overall vs. amongst choices
• First overall vs. amongst choices
• "Concern" is not always bad
• Highest priority
• Most critical
• It is a global profession
• Don't think of how you do it in your company
• Don't overeat. Blood rushes to the stomach to digest food while it is needed in your brain to understand the questions ☺
• Take a good night's sleep the night before (remember, it is always a Friday the evening before)

Slide 58: Do's and Don'ts

• Plan on reaching the examination center at least 2 hours before the exam. Provide for delays due to accidents, traffic jams, a cop stopping you for speeding, etc. ☺
• Don't get tense or nervous. Tension is a state of mind, not a state of being
• Even if you think that you know the answer from the first few choices, read all the choices anyway
• You have one hour (60 minutes) for each set of 50 questions
• Feel free to underline key words on the question sheet (e.g. Best, First, Concern, Highest Priority, etc.)
• Don't skip answers. You can review them later if you have time. A skipped answer does not give you credit. A guessed answer has a 25 percent probability of being correct. You can put a check mark on guessed answers for speedy identification and review them later if you have time

Slide 59: Do's and Don'ts

• Don't feel discouraged if other candidates are flipping pages faster than you are. Keep your pace. Success depends upon the total score, not how fast you flip pages ☺
• Spend all 4 hours even if you finish earlier. Review the answers. Don't hurry because your friends finished earlier and are waiting outside for you
• Not many people feel confident after the CISA exam. Don't let it bother you
• Don't plan any activity after the exam. Go home and relax
• Expect results around the end of July by email. Don't forget to tell your instructor at [email protected] and the sponsors, TechnoDyne University, to let them know how you fared
• Remember, ISACA has two other certifications, called CISM and CGEIT. TechnoDyne University organizes those webinars as well
• After you are certified, keep enhancing your knowledge as a lifelong passion. Passing CISA is the means, not an end in itself
• Practice the ISACA code of ethics. Stakeholders around the world depend upon auditors being ethical

Slide 60: Questions

• We will consolidate and answer pertinent questions
• Additional questions can be emailed to us up to June 4
• Consolidated questions and answers will be emailed soon to all participants who attend the complete webinar/seminar set

Slide 61: Thanks

• To Padma Allen and Reddy Allen for sponsoring this seminar and bearing all the expenses
• George Giraldo, Director of Business Development, for unselfish dedication to this worthy cause
• Peter Syrek for dedication and hard work in spreading the word for these webinars
• Bina Advani for logistics management
• Kari Bruursema for superb operational support
• Pallavi Singh for providing research
• Rob Alti for technical support nobody else can provide
• And lastly, Vinod Raj for everything else

Slide 62: Questions

• Contact information
  – [email protected]
  – USA +1-917-971-9786
• TechnoDyne University
  – 502 Valley Road, Suite 103
  – Wayne, NJ 07470
  – USA
