CISA Domain 2 Notes

Main points to remember (please excuse the brevity and spelling errors):

  1. Sharing risk is a key factor in TRANSFERRING RISK.
  2. Initial step in establishing an information security program –> Adoption of a corporate information security policy statement.
  3. BEST way to enforce alignment of an IT project portfolio with strategic org priorities –> Select projects according to business benefits and risk.
  4. WHICH RISK RESPONSE WILL EXPOSE THE ORG TO THE GREATEST AMOUNT OF COMPLIANCE RISK –> Risk transfer.
  5. Errors in audit procedures –> PRIMARILY impact –> Detection risk
  6. BEST WAY to ensure that org policies comply with legal requirements –> Ask subject matter experts
  7. If a policy is not approved by management but employees follow it – the auditor should report the absence of documented approval.
  8. IS auditor evaluating a newly developed IT policy for an org – most important factor to facilitate compliance with the policy –> Existing IT mechanisms enabling compliance
  9. Auditor reviewing the org governance model – MOST concern to the auditor – policy is not reviewed/refreshed by upper management.
  10. IT policies – approval –> Board of directors
  11. Security policy provides a broad framework, as security is laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting access – that basis is what access control authorization rests on.
  12. Most critical for the successful implementation and maintenance of a security policy –> Assimilation of the FRAMEWORK and intent of the written security policy by all appropriate parties.
  13. Top-down approach to the development of operational policies helps to ensure –> They are consistent across the organization.
  14. When reviewing development of an infosec policy –> Primary focus of an IS auditor should be on assuring that these policies are –> Aligned with business and security objective requirements
  15. Risk associated with electronic evidence gathering is MOST LIKELY reduced by an email –> Archive
  16. When reviewing HR policy, the auditor is MOST concerned with – Termination checklist
  17. MOST critical factor –> Determining stakeholder involvement and requirements. This drives the success of the project –> Assurance scope and objectives are determined.
  18. MOST IMP element for successful implementation of IT governance –> Identifying organizational strategies.
  19. Transparency of IT's COST, VALUE and RISK –> Is achieved through performance measurement
  20. PRIMARY risk of BPR (business process reengineering) – Controls are eliminated as part of the BPR activity.
  21. IS auditor reviewing the s/w quality mgmt process needs to understand –> Which standards are adopted
  22. PRIMARY benefit of enterprise architecture –> Investment in the most appropriate technology.
  23. Business unit built a new application without consulting IT – hence the application may be inconsistent with the enterprise architecture
  24. Escrow agreement: when the vendor goes out of business, the customer can use the source code.
  25. When it is difficult to evaluate financial losses, go for a qualitative approach
  26. When reviewing a quality management system – IS auditor should focus on collecting evidence to show that – continuous improvement targets are being monitored
  27. DSS (decision support system) – DSS emphasizes flexibility in management's decision-making approach through data analysis and the use of interactive models, not fixed criteria
  28. DSS – implementation RISK – if there is no specific purpose and usage pattern.
  29. IT BSC (balanced scorecard) is a way to measure performance; a definition of key performance indicators is required before implementing an IT BSC.
  30. If no objective and quantitative measures are given, it may give management a wrong impression about IT – wrong and misleading data.
  31. IT BSC –> provides a bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate.
  32. IT project portfolio: portfolio analysis provides the best input into the decision-making process relating to planning strategic IT initiatives. An analysis of the portfolio provides comparable information on planned initiatives, projects and ongoing IT services, which allows IT strategy to be aligned with the business strategy.
  33. IT strategic plan:
    • Which goals can we expect to find in an organization's strategic plan –> Approved suppliers for products offered by the company
    • Outcome of information security governance, strategic alignment provides: security requirements driven by enterprise requirements.
    • IT strategic plan – should –> articulate the IT mission and vision
    • When reviewing the IT strategic plan –> Auditor should expect to find –> List of the approved suppliers of IT contract resources
  34. Segregation of duties:
    • System admin should not be an application programmer
    • Developer should not push code to production
  35. Succession planning – ensures that internal personnel with the potential to fill key positions in the organization are identified and developed.
  36. Output of the risk management process is an input for making security policy decisions
  37. IS auditor reviewing third-party DC services – best way to determine whether the terms of the contract are adhered to –> Conduct periodic audit reviews of the vendor
  38. IS auditor reviewing the organization's cross-training practices should assess the risk of –> One person knowing all parts of a system
  39. Best reference for an IS auditor to determine a vendor's ability to meet the SLA for a critical IT security service –> Agreed-on KEY PERFORMANCE INDICATORS
  40. MOST IMP when reviewing the SLA of a service provider –> UPTIME GUARANTEE
  41. MOST IMP –> For a cloud hosting vendor in terms of contract –> Vendor agrees in the contract to provide annual external audit reports
  42. Most imp to ensure that service provider employees adhere to security policies –> An INDEMNITY CLAUSE –> Violations can lead to financial liability.
  43. Operations staff signing off before performing a backup –> Control for risk mitigation
  44. PRIMARY NEED of an outsourced entity is to support the business
  45. Outsourcing of the core business of the organization should not happen
  46. IT security risk management – measures of security risk should consider –> The entire IT environment
  47. Which BEST supports the prioritization of new IT projects –> Investment portfolio analysis
  48. Insurance type that provides for a loss arising from fraudulent acts by employees –> Fidelity coverage
  49. Auditor told that an IPS/firewall is required to be installed –> Which method will ensure the solution is installed –> COST BENEFIT ANALYSIS
  50. Auditor reviewing the IT risk management process –> MOST IMP consideration –> IT RISK IS PRESENTED IN TERMS OF BUSINESS
  51. IT STEERING COMMITTEE –> Should record minutes of meetings and inform board members (only senior members to be part of the steering committee)
  52. Most imp element in an SLA is the uptime guarantee (indemnification clause is part of the agreement)
  53. As a driver of IT governance, transparency of IT cost, value and risk is achieved through performance management!