Domain 1—The Process of Auditing Information Systems (21%)
1. Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.
2. Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
3. Conduct audits in accordance with IS audit standards to achieve planned audit objectives.
4. Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to promote change when necessary.
5. Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely manner.

Domain 2—Governance and Management of IT (16%)
1. Evaluate the IT strategy, including IT direction, and the processes for the strategy's development, approval, implementation and maintenance for alignment with the organization's strategies and objectives.
2. Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization's strategies and objectives.
3. Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization's strategies and objectives.
4. Evaluate the organization's IT policies, standards and procedures, and the processes for their development, approval, release/publishing, implementation and maintenance to determine whether they support the IT strategy and comply with regulatory and legal requirements.
5. Evaluate IT resource management, including investment, prioritization, allocation and use, for alignment with the organization's strategies and objectives.
6. Evaluate IT portfolio management, including investment, prioritization and allocation, for alignment with the organization's strategies and objectives.
7. Evaluate risk management practices to determine whether the organization's IT-related risk is identified, assessed, monitored, reported and managed.
8. Evaluate IT management and monitoring of controls (e.g., continuous monitoring, quality assurance [QA]) for compliance with the organization's policies, standards and procedures.
9. Evaluate monitoring and reporting of IT key performance indicators (KPIs) to determine whether management receives sufficient and timely information.
10. Evaluate the organization's business continuity plan (BCP), including alignment of the IT disaster recovery plan (DRP) with the BCP, to determine the organization's ability to continue essential business operations during the period of an IT disruption.

Domain 3—Information Systems Acquisition, Development and Implementation (18%)
1. Evaluate the business case for the proposed investments in information systems acquisition, development, maintenance and subsequent retirement to determine whether the business case meets business objectives.
2. Evaluate IT supplier selection and contract management processes to ensure that the organization's service levels and requisite controls are met.
3. Evaluate the project management framework and controls to determine whether business requirements are achieved in a cost-effective manner while managing risk to the organization.
4. Conduct reviews to determine whether a project is progressing in accordance with project plans, is adequately supported by documentation, and has timely and accurate status reporting.
5. Evaluate controls for information systems during the requirements, acquisition, development and testing phases for compliance with the organization's policies, standards, procedures and applicable external requirements.
6. Evaluate the readiness of information systems for implementation and migration into production to determine whether project deliverables, controls and the organization's requirements are met.
7. Conduct post-implementation reviews of systems to determine whether project deliverables, controls and the organization's requirements are met.

Domain 4—Information Systems Operations, Maintenance and Service Management (20%)
1. Evaluate the IT service management framework and practices (internal or third party) to determine whether the controls and service levels expected by the organization are being adhered to and whether strategic objectives are met.
2. Conduct periodic reviews of information systems to determine whether they continue to meet the organization's objectives within the enterprise architecture (EA).
3. Evaluate IT operations (e.g., job scheduling, configuration management, capacity and performance management) to determine whether they are controlled effectively and continue to support the organization's objectives.
4. Evaluate IT maintenance (patches, upgrades) to determine whether they are controlled effectively and continue to support the organization's objectives.
5. Evaluate database management practices to determine the integrity and optimization of databases.
6. Evaluate data quality and life cycle management to determine whether they continue to meet strategic objectives.
7. Evaluate problem and incident management practices to determine whether problems and incidents are prevented, detected, analyzed, reported and resolved in a timely manner to support the organization's objectives.
8. Evaluate change and release management practices to determine whether changes made to systems and applications are adequately controlled and documented.
9. Evaluate end-user computing to determine whether the processes are effectively controlled and support the organization's objectives.
10. Evaluate IT continuity and resilience (backups/restores, disaster recovery plan [DRP]) to determine whether they are controlled effectively and continue to support the organization's objectives.

Domain 5—Protection of Information Assets (25%)
1. Evaluate the information security and privacy policies, standards and procedures for completeness, alignment with generally accepted practices and compliance with applicable external requirements.
2. Evaluate the design, implementation, maintenance, monitoring and reporting of physical and environmental controls to determine whether information assets are adequately safeguarded.
3. Evaluate the design, implementation, maintenance, monitoring and reporting of system and logical security controls to verify the confidentiality, integrity and availability of information.
4. Evaluate the design, implementation and monitoring of the data classification processes and procedures for alignment with the organization's policies, standards, procedures and applicable external requirements.
5. Evaluate the processes and procedures used to store, retrieve, transport and dispose of assets to determine whether information assets are adequately safeguarded.
6. Evaluate the information security program to determine its effectiveness and alignment with the organization's strategies and objectives.
Domain 1. The Process of Auditing Information Systems
1. 5 Task Statements
• Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.
• Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
• Conduct audits in accordance with IT audit standards to achieve planned audit objectives.
• Report audit findings and make recommendations to key stakeholders to communicate results and effect change.
• Conduct follow-ups or advise on risk management & control practice.

2. Code of Ethics – IPS PC DE
• Support the implementation of appropriate policies, standards, guidelines, and procedures for information systems.
• Perform your duties with objectivity, professional care, and due diligence in accordance with professional standards. Support the use of best practices.
• Serve the interests of stakeholders in an honest and lawful manner that reflects a credible image upon your profession.
• Maintain privacy and confidentiality of information obtained during your audit except for required disclosure to legal authorities.
• Undertake only those activities in which you are professionally competent; strive to improve your competency.
• Disclose accurate results of all work and significant facts to the appropriate parties.
• Support ongoing professional education to help stakeholders enhance their understanding of information systems security and control.

3. Working with IT professionals
• Data owner: specifies controls, is responsible for acceptable use, and appoints the data custodian.
• Data custodians: protect information and ensure its availability as well as supporting the data users.
• Data users: comply with acceptable use and report violations.

4. CobiT – Control Objectives for Information and Related Technology. A framework consisting of strategies, processes, and procedures for leading IT organizations.

5. Organizations typically have four types of documents in place:
• Policies = goals; policies provide emphasis, set directions, and must be backed by recognized management. Policies that are not managed in a centralized manner may suggest a non-uniform measurement standard.
• Standards = definition of requirement; mid-level documents containing measurement control points to ensure uniform implementation in support of a policy. A missing standard indicates negligence by failing to define the requirement. Compliance is mandatory.
i. Categories of standards (highest influence to lowest):
• Regulatory
• Industry
• Organizational
• Personal
• Guidelines = general instructions; they provide general direction or limited advice in the absence of an applicable standard. Guidelines are discretionary and can be used to create new standards.
• Procedures = how-to instructions; step-by-step instructions to perform desired actions. They provide support for a standard, and compliance is mandatory. Lack of written procedures represents negligence of duty.

6. Types of audit:
• Internal audits and assessments: self-assessment within an organization; the findings cannot be used for licensing.
• External audits: a customer audits their vendor/supplier to ensure the expected level of performance as mutually agreed upon in their contracts.
• Independent audits: relied on for licensing, certification, or product approval.
7. Audit Program
• An audit is requested by a client, who is responsible for setting the scope, granting authority, and providing access to the auditee.
• Program management vs. Project
i. Program: ongoing activities managed by an executive.
ii. Project: a short-term activity managed by a project manager operating outside the normal organizational structure.
• Audit program monitoring and review
i. Key goal indicator (KGI): uses goals as performance evaluation.
ii. Key performance indicator (KPI): uses metrics as performance evaluation.
• Planning audits:
i. Scope: the boundaries to be reviewed
ii. Criteria: identify a set of policies to be measured against.
iii. Team

8. Audit process
• Audit charter:
i. Issued by executive management or the board of directors to grant the right to audit and delegate management's assertions.
ii. States management's assertions:
• Responsibility: goals & objectives
• Authority: right to perform an audit and the right to obtain access relevant to the audit
• Accountability: defines mutually agreed-upon actions between the audit committee and the auditor
• Audit committee:
i. Provides advice to the executive accounting officers concerning internal control strategies, priorities, and assurance.
ii. Issues the audit charter to grant the authority for internal audits.
• Preplanning
i. Engagement letter: defines the responsibility, authority, and accountability of an independent auditor for individual assignments.
ii. Elements: all points outlined in the charter (responsibility, authority, and accountability)
iii. Selecting the type of audit:
• Product or service: efficiency, effectiveness, controls, and life cycle
• Processes: method or result
• System: design or configuration
• General controls: preventive, detective, and corrective
• Organizational plans: present and future objectives
iv. Identify objectives and restrictions on scope
• Undue restrictions on scope would be a major concern.
• Standards are mandatory, and any deviation would require justification.
v. Audits vs. assessments:
• Traditional audit
• Assessments: for training and awareness purposes, where the goal is to determine the value of the current process.
• Control self-assessments (CSA): executed by the auditee with the auditor as facilitator. The goal is self-improvement of the client or identifying areas with higher risk. Independence is not required.
vi. Risk management strategies: applied to all organizational activities.
• Accept
• Mitigate
• Transfer
• Avoid
• Performing the audit
i. Determining competence and evaluating auditors
• Skills matrix: area of knowledge, proficiency, and specialized training required to fulfill the audit
• Requirements for using the work of others:
o Independence and objectivity
o Competence, qualification, and experience
o Agreement on scope
o Level of review and supervision required
ii. Data collection techniques
• Observation (good)
• Surveys (poor)
• Document review (good)
• Interviews (good)
• Workshops (mixed)
• Computer-assisted audit tools (good)
• Technical testing and analysis (excellent)
iii. Fundamental issues concerning internal controls
• Management is often exempt from controls
• How controls are implemented determines the level of assurance
iv. Hierarchy of internal controls (highest to lowest)
• General controls (overall): policies, structures, job descriptions, segregation of duties, budgeting, and auditing.
• Pervasive controls (follow technology): those general controls that focus on the management and monitoring of the technology environment.
• Detailed controls (task): specific steps or tasks to be performed.
• Application controls (embedded in programs)
v. Internal control categories: detective, preventive, and corrective.
vi. Implementation methods:
• Administrative ($): people-based control using written policies and procedures
• Physical ($$): physical barriers or visual deterrents
• Technical ($$$): using a software or hardware process to calculate an approval or denial based on specific attributes (special technology)
• Audit planning
i. Work should be repeatable by another auditor (5Ws), and properly documented in working papers.
ii. Assign audit team: ensure adequate experience, competency, and training of the members.
iii. Shewhart's process technique: plan-do-check-act cycle
• Gather evidence
i. Direct evidence is preferable to indirect evidence.
ii. Audit samples:
• Statistical sampling: mathematically quantifiable and presented as a percentage. Examples include: random, cell (predefined interval), and fixed interval.
• Non-statistical sampling: based on judgment. An example is haphazard sampling. The ideal is to focus on materiality rather than representation of the entire actual population.
iii. Computer-Assisted Audit Tools (CAAT) methods

| CAAT method | Characteristics | Complexity |
|---|---|---|
| Online event monitor | Reads logs & alarms | Low |
| Embedded program audit hooks | Flags selected transactions | Low |
| Continuous & intermittent simulation | Audits any transaction that meets preselected criteria | Medium |
| Snapshot | Assembles a sequence of data captures into an audit trail | Medium |
| Embedded audit module | Processes dummy transactions along with genuine, live transactions | High |
| System control audit review file with embedded audit modules | System-level audit program used to monitor multiple EAMs inside the application software. This is a mainframe class of control. | High |

CAATs are able to perform faster than humans and produce more accurate data in functional testing. However, costs, training, and security of output are major considerations.
iv. Evidence life cycle: failure to maintain a proper chain of custody may disqualify the evidence. The ideal is to ensure the evidence is properly collected, under appropriate custody, and unaltered during the process.
v. Compliance testing: tests for the presence or absence of something.
• Attribute sampling: determines the presence of a certain attribute
• Stop-and-go sampling: when few errors are expected
• Discovery sampling: 100% sampling to detect fraud or when the likelihood of evidence existing is low
• Precision or expected error rate: lower error rate = larger sample in testing; a smaller sample is used when the population is expected to be error-free
vi. Substantive testing: seeks to verify the content and integrity of evidence
• Variable sampling: used to designate dollar values or weights of an entire population by prorating from a smaller sample.
• Unstratified mean estimation: attempts to project an estimated total for the whole subject population.
• Stratified mean estimation: calculates an average by group.
• Difference estimation: used to determine the difference between audited and unaudited claims of value.
• Audit findings:
i. Independence is required in the report for an external auditor.
ii. Indicators of illegal or irregular activity:
• Questionable payments
• Unsatisfactory record control
• Unsatisfactory explanations
• Other questionable circumstances
iii. Examples of irregular activities:
• Fraud
• Theft or embezzlement
• Suppression: suppressing data or records
• Racketeering: the process of repeated fraud or other crime
• Regulatory violations
iv. The auditor should never take ownership of any problems found, as such an act would violate independence.
v. Subsequent events:
• Type 1 event: events occur before the B/S date
• Type 2 event: events occur after the B/S date
• Capability Maturity Model (CMM): provides a framework for developing, improving and sustaining business performance in your environment.
i. Level of maturity

| # | Level | Description | Process | ISO |
|---|---|---|---|---|
| 1 | Initial | Ad hoc | Unique and chaotic; project completion depends on people | Performed |
| 2 | Repeatable | Documented | Project management with basic standards and procedures documented | Managed |
| 3 | Defined | Well documented and understood | Standardization with objectives in qualitative measurement | Established |
| 4 | Managed | Management controls | Processes predictable by quantitative measures | Predictable |
| 5 | Optimized | Continual improvement | Least freedom, with statistical process control | Optimizing |

• Key Performance Indicator (KPI)
i. Represents a historical average of monitored events
ii. A KPI may indicate a failing score too late to implement a change
• The IT BSC is a tool that provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate.
• Assessment methods provide a mechanism whereby IS management can determine if the activities of the organization have deviated from planned or expected levels. These methods include:
i. IS budgets
ii. Capacity and growth planning
iii. Industry standards/benchmarking
iv. Financial management practices, and
v. Goal accomplishment.
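An added worked example (not part of the original notes) of the sampling methods listed under "Gather evidence" in section 8: attribute sampling for compliance testing, and unstratified mean, stratified mean and difference estimation for substantive testing. The 20-invoice ledger, the 6-item sample and the audited values are all constructed for illustration.

```python
"""Audit sampling estimators over a constructed invoice ledger.

Added example, not part of the original notes. The 20-invoice population,
the 6-item sample and the audited values are all invented for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Invoice:
    invoice_id: str
    stratum: str                            # "large" or "small": group used for stratification
    book_value: float                       # value the auditee claims (unaudited)
    approved: bool                          # attribute checked in compliance testing
    audited_value: Optional[float] = None   # set only for invoices the auditor examined


def build_population():
    """Constructed ledger: 4 large invoices (4200) + 16 small ones (800) = 5000 book total."""
    large = [Invoice(f"L{i}", "large", float(v), True)
             for i, v in enumerate([1000, 1200, 900, 1100], start=1)]
    small = [Invoice(f"S{i}", "small", 50.0, True) for i in range(1, 17)]
    small[2].approved = False               # S3 was never approved: a compliance exception
    return large + small


def draw_sample(population):
    """The auditor examines 2 large and 4 small invoices and records audited values."""
    audited = {"L1": 950.0, "L2": 1200.0, "S1": 50.0, "S2": 50.0, "S3": 40.0, "S4": 50.0}
    sample = []
    for inv in population:
        if inv.invoice_id in audited:
            inv.audited_value = audited[inv.invoice_id]
            sample.append(inv)
    return sample


# --- Compliance testing: attribute sampling (presence/absence of a control) ---

def attribute_deviation_rate(sample) -> float:
    """Fraction of sampled invoices lacking the tested attribute (approval)."""
    return sum(1 for inv in sample if not inv.approved) / len(sample)


def attribute_sampling_conclusion(sample, tolerable_rate: float) -> str:
    """Rely on the control only if the observed deviation rate is within tolerance."""
    rate = attribute_deviation_rate(sample)
    return "rely" if rate <= tolerable_rate else "do not rely"


# --- Substantive testing: variable sampling estimators (values, not attributes) ---

def unstratified_mean_estimate(population, sample) -> float:
    """Project the sample's mean audited value across the whole population."""
    mean_audited = sum(inv.audited_value for inv in sample) / len(sample)
    return mean_audited * len(population)


def stratified_mean_estimate(population, sample) -> float:
    """Average by group, then scale each group's mean by its population count."""
    total = 0.0
    for stratum in sorted({inv.stratum for inv in population}):
        pop_count = sum(1 for inv in population if inv.stratum == stratum)
        sampled = [inv for inv in sample if inv.stratum == stratum]
        if not sampled:
            raise ValueError(f"stratum {stratum!r} has no sampled invoices")
        total += sum(inv.audited_value for inv in sampled) / len(sampled) * pop_count
    return total


def difference_estimate(population, sample) -> float:
    """Project the mean (audited - book) difference onto the population's book total."""
    mean_diff = sum(inv.audited_value - inv.book_value for inv in sample) / len(sample)
    book_total = sum(inv.book_value for inv in population)
    return book_total + mean_diff * len(population)


if __name__ == "__main__":
    pop = build_population()
    smp = draw_sample(pop)
    print("deviation rate:", attribute_deviation_rate(smp))
    print("unstratified:", unstratified_mean_estimate(pop, smp))   # 7800: large items over-weighted
    print("stratified:", stratified_mean_estimate(pop, smp))       # 5060
    print("difference:", difference_estimate(pop, smp))            # 4800
```

With this heterogeneous population the unstratified projection (7800) overshoots the 5000 book total because the two large invoices dominate a six-item sample, while the stratified (5060) and difference (4800) estimates stay close to it.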
Domain 2. Governance and Management of IT
1. Performance Reporting
• Areas of improvement
i. Business efficiency
ii. Improved techniques
iii. New requirements

2. Business Process Reengineering (BPR): concerned with reducing the costs of the existing process while increasing performance.
• Guiding Principles
i. Think big: unconstrained top-down approach.
ii. Incremental: bottom-up approach that identifies improvements for current processes. BPR teams tend to spend too much time documenting the current processes.
iii. Hybrid: top-down strategy and planning with bottom-up research.
• Application steps:
i. Envision: develop an estimate of the ROI from the proposed change.
ii. Initiate: set the BPR goal with the sponsor and focus on planning the collection of the detailed evidence necessary.
iii. Diagnose: document existing processes and identify what is working and the source of each requirement.
iv. Redesign: develop redesign plans to be reviewed and approved by the steering committee.
v. Reconstruct: implementation of the new process through deconstruction of the current process.
vi. Evaluate: ensure the new process is producing the strategic value as forecast and establish performance measures.
• Rules
i. Fix only broken processes
ii. Calculate ROI
iii. Understand the current process first
iv. No leftovers

3. Project Estimation
• Source Lines of Code (SLOC) – traditional method (also Kilo LOC or KLOC) – direct size-oriented measures
• Thousand Delivered Source Instructions (KDSI) – better with structured programming languages like BASIC, COBOL
• Function Point Analysis (FPA) – indirect measure based on the number and complexity of inputs, outputs, files, interfaces, and user queries; functions are weighted by complexity
• Project Diagramming
i. Gantt: resource details; uses schedule & sequence in waterfall style (MS Project); serial view with bars & diamonds
• Shows concurrent and sequential activities
• Shows project progress and the impact of completing a task early or late
ii. PERT (Program Evaluation Review Technique): illustrates relationships between planned activities

9. Organizational control
• Goal of governance: hold the executives at the top responsible for decisions and all the consequences.
• IT steering committee: conveys the current business requirements from business executives to the IT executive.
i. Top management mediating between the imperatives of business and technology is an IT strategic alignment best practice.
ii. Individuals that have the authority to act on behalf of their department
iii. Usually managed by an executive chairperson (COO)
iv. Authorized by a formal charter
• Planning decisions

| | Strategic | Long-term | Operational |
|---|---|---|---|
| Time frame | 3+ years | 1-3 years | 1 year or less |
| Role | Objective & policy | Standard | Procedure |
| Who? | Board, CEO, COO, CFO | CEO, COO, CFO, VP, Directors | Director, Managers, Technical Leads |
| Primary question | Business trend to exploit | Forecast financial trend | What to buy |
| Expand or contract | Major business components | Forecast organizational changes | Resize |
| Concentration | New product based on trend | Forecast needs | Minimum staffing |
| What products and services are planned | Tasks to meet long-term plan | Forecast costs vs. expected revenue | Initiate new support training |
| Focus | General statement | Financial plan | Daily support |
Domain 3. Information Systems Acquisition, Development and Implementation
1. Strategic system (fundamental change) vs. tactical system (support)

2. Capability Maturity Model
• Goal: to eliminate decision-making authority from the department manager and workers and shift it to the executive management level.
• A baseline reference to chart current progress or regression.
• Levels of CMM:
i. Level 0 = Nonexistent: nothing is getting done and individual managers hold the authority for decisions.
ii. Level 1 = Initial: decision authority resides in the individual workers and is supported by a local manager.
iii. Level 2 = Repeatable: processes are documented in detail with specific procedures for each worker that can be repeated with consistency. Decisions are made by managers.
iv. Level 3 = Defined: standardization and qualitative measurement for detailed accounting. Decisions are made by formal review committees while department managers have less authority.
v. Level 4 = Managed: quantitative measurements of ROI feed into all decisions, and a formal project priority system is practiced with a project management office governing projects.
vi. Level 5 = Optimized: continuous improvement using statistical process control. Specific rules are in place so that anyone can perform the tasks; controls reside in executives while department managers and workers have no authority.

3. Executive Steering Committee
• Goal: align IT functions with current business objectives.
• Methods: critical success factors and scenario approach
• Aligning software to business needs
i. Establish the need (internal vs. external)
ii. Identify the work effort
iii. Summarize the impact
iv. Conduct initial feasibility analysis
v. Present the benefit
• The IT steering committee provides open communication of business objectives for IT support. Focus is placed on fulfillment of the business objective.

4. Change Management
• Change control board: the board reviews all change requests and determines whether authorization should be granted. Change control review must include input from business users.
• Approaches:
i. Evolutionary
• Traditional viewpoint, where the number one source of failures is error in planning and design.
• System Development Life Cycle:
a. Waterfall model: the waterfall method helps ensure that errors are detected early in the development process. Waterfall development is a procedure-focused development cycle with formal sign-off at the completion of each level.
b. Spiral model: a risk-driven model, which means that the overall success of a project depends highly on the risk analysis phase. Risk analysis requires specific expertise on every iteration.
<Note> The waterfall and spiral models are based on gathering requirements, forecasting, designing, and building.
c. Agile prototyping model: fits when the project is unable to forecast or plan, or does not have a detailed design. A repeated trial-and-error process is utilized.
ii. Revolutionary
• Business users should be allowed to experiment in an effort to generate software programs for their needs. The end user holds all the power of success or failure.
• Lack of internal controls and failure to obtain objectives are major concerns.
iii. Change Management Auditing
• Program library access is restricted
• Supervisory reviews occur
• User approves change
• A LAN administrator should not have programming responsibilities but may have end-user responsibilities.
• Emergency changes: emergency ID use is logged and monitored, with normal change controls applied, often retroactively.

5. SDLC Phases
 Phase 1: Feasibility Study  White-box: or crystal-box testing, assesses the effectiveness of
i. Goal: determine the strategic benefits to be accomplished and the software program logic. Specifically, test data are used in
anticipated payback schedule of the project. determining procedural accuracy or conditions of a program's logic
ii. Constructive Cost Model: a method to estimate the effort, schedule, paths. Verifying the program can operate successfully with other
and cost of developing a new software application. parts of the system is sociability testing.
 Source lines of code: forecasts estimate by counting the individual  Black-box testing: the process is to put data through the system to
lines of program source code regardless of the embedded design see whether the results come out as expected. Testing the program's
quality. functionality without knowledge of internal structures.
 Function point analysis: divide program functions into classes and  Sand-box testing: Controlled testing of programs in a semi-debugged
rank them by complexity. Based on complexity, the estimated of environment, either heavily controlled step-by-step or via
work is calculated. monitoring in virtual machines.
iii. Statement of work: a formal approval by the executive management to  Functional, or validation testing: compares the system against the
grant the go-ahead of the project and force cooperation. desired functional requirements to determine if the product has met
iv. Auditor should focus on initial needs analysis and ensure the risk our objectives for its intended use.
mitigation strategy is in place.  Regression testing: ensure that a change does not create a new
 Phase 2: Requirements Definition problem or conflict with other functions in the program. It is part of
i. Goal: define inputs, outputs, current environment, and proposed the quality control process.
interaction. The specification is defined in this step. iii. Auditor objective:
ii. Entity-relationship diagram: defines high-level relationships between  Verify that a quality control process has been used to develop an
the entities as well as data dictionary that standardize term of reference computer program.
for each data in the database.  Programs have undergone debugging with formal testing and
iii. Auditor’s interest: project plan and estimated costs have been supporting document has been created to assure system integrity
approved and requirements include sufficient security (not using default and production use.
configuration) to protect the data classified in the record management  The finished software capabilities have been verified for compliance
system. to original objective and acquired user acceptance.
 Phase 3: System Design and Selection  Phase 5: Implementation
i. Goal: To plan a solution by using the objectives from phase 1 and the i. Goal: Final acceptance testing begins, and users are trained in the new
specification from phase 2. The client has to determine to build the system. System testing is undertaken by the developer team to
system in-house or buy the hardware. determine if the software meets user requirements per specifications.
ii. Best time for software developer to work directly with the user. ii. Certification: a technical process of testing against a known reference.
iii. Cost estimates are compared to the assumptions made. iii. Accreditation: an administrative process based on management’s
iv. Auditor’s interest: verifying that processing and output controls are comfort level with demonstrated performance or fitness of use. The
incorporated into the system. purpose is to hold a management executive responsible to ensure
 Phase 4: Development corporate governance.
i. Goal: Prototypes are built for functional testing and user acceptance iv. User training: system custodians need to be trained for normal
testing occur during this stage. operations and emergency procedures.
ii. Software testing methods: v. Go live:
 Parallel operations: lowest risk
 Phased changeover: best suited to an upgrade or conversion; modest risk
 Hard changeover: highest level of risk
vi. Program-to-program passwords in static configuration files should be documented, and privileged passwords should be listed for rotation. (Hard-coded credentials in configuration files are a recurring audit finding; a secrets store with rotation is the preferred control where one is available.)
 Phase 6: Post-implementation
i. Goal: compare performance metrics to the original objectives, and implement requests for new requirements, updates, or disposal.
ii. ROI calculation to compare cost to the actual benefit received.
iii. Periodic reviews and monitoring procedures are necessary to verify that the system is maintained in a manner that supports the original objectives and controls.
 Phase 7: Disposal
i. Goals: archive old data, and management signs a formal authorization for the disposal, accepting liability.

6. A generation language may refer to any of the following:
 1GL: low-level machine language.
 2GL: also low-level assembly languages. They are sometimes used in kernels and hardware drivers, but more commonly used for video editing and video games.
 3GL: English-like statement languages, such as C, C++, Java, JavaScript, and Visual Basic.
 4GL: English-like statement languages with an embedded database. Fourth-generation languages are commonly used in database programming and scripts; examples include Perl, PHP, Python, Ruby, and SQL.
 5GL: fifth-generation languages are programming languages based on constraint or logic solving rather than step-by-step algorithms, and are associated with artificial intelligence and learning systems. Examples include Mercury, OPS5, and Prolog.

7. Alternative development techniques:
 Agile development method
i. Uses time-box management techniques to force individual iterations of a prototype in a short time span, allowing programmers to start writing a program through trial and error without spending time on pre-planning documentation.
ii. It is designed for use by small teams of talented programmers.
iii. However, it does not scale very well.
iv. An ongoing team learning process refines project management.
v. It places greater reliance on undocumented knowledge contained in a person's head.
 Rapid application development (RAD) method
i. Well-defined methodology that works for a small, well-trained team
ii. Uses a 4GL programming language
 Heuristic (prototyping) development
i. Combines the best of the SDLC with an iterative approach that enables developer and customer to react to risks at each iteration
ii. Focuses on prototyping screens and reports

8. Data Architecture
 Database architecture
i. Data-oriented database: data entries have a fixed length and format, so the information is predictable. It is used when the structure and format of the data are well known.
ii. Object-oriented database: data entries may be unpredictable as there is no fixed format. Each programmed object has its own data for reference and its own method of accomplishing a required task.
iii. ACID model for database integrity:
 Atomicity guarantees that either the entire transaction is processed or none of it is.
 Consistency ensures that the database is in a legal state when the transaction begins and ends.
 Isolation means that, while in an intermediate state, the transaction's data is invisible to external operations.
 Durability guarantees that a successful (committed) transaction will persist and cannot be undone by a crash or power loss.
 Decision support system
i. Reference-by-context level: low value; supplies answers based on an estimated level of reference.
ii. Colleague, or associate, level: provides tedious calculation support but leaves the real decisions to the user.
iii. Expert level: written by capturing specialized knowledge from a person who has been performing the desired work for 20 or 30 years.
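The ACID properties above are easier to see in action than to memorize. The following is an added example, not part of the study notes, using Python's built-in sqlite3 module: a ledger with two accounts (constructed data) and a CHECK constraint standing in for the database's "legal state". It shows a transfer committing, a transfer to an unknown account rolling back so the debit never persists, an overdraft rejected by the constraint, a second connection that cannot see the in-flight change, and a fresh connection that still sees the committed data after the first one is closed. The account names, balances and the temporary file location are invented for the example.

```python
import os
import sqlite3
import tempfile

SEED = [("alice", 100), ("bob", 50)]   # constructed sample accounts


def new_ledger(path=None):
    """Create a ledger database. The CHECK constraint is the 'legal state' that
    consistency must preserve: no account may go negative."""
    path = path or os.path.join(tempfile.mkdtemp(), "ledger.db")
    conn = sqlite3.connect(path, isolation_level=None, timeout=2)   # explicit BEGIN/COMMIT
    conn.execute("CREATE TABLE IF NOT EXISTS accounts ("
                 "name TEXT PRIMARY KEY, balance INTEGER NOT NULL CHECK (balance >= 0))")
    conn.execute("DELETE FROM accounts")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SEED)
    return conn, path


def balances(conn):
    """Snapshot of every account as {name: balance}."""
    cur = conn.execute("SELECT name, balance FROM accounts ORDER BY name")
    rows = cur.fetchall()
    cur.close()                                   # release the read lock promptly
    return dict(rows)


def transfer(conn, src, dst, amount, observer=None):
    """Move `amount` from src to dst as ONE transaction.

    `observer`, if given, is a second connection that reads the table while
    the transfer is in flight; it must see only the last committed state
    (isolation). Returns (committed, observed_balances)."""
    observed = None
    try:
        conn.execute("BEGIN IMMEDIATE")                       # take the write lock
        cur = conn.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?",
                           (amount, src))                     # raises IntegrityError on overdraft
        if cur.rowcount != 1:
            raise LookupError(f"unknown account {src}")
        if observer is not None:
            observed = balances(observer)                     # sees pre-transaction values
        cur = conn.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?",
                           (amount, dst))
        if cur.rowcount != 1:
            raise LookupError(f"unknown account {dst}")       # debit alone must not persist
        conn.execute("COMMIT")                                # durable from here on
        return True, observed
    except (sqlite3.DatabaseError, LookupError):
        conn.execute("ROLLBACK")                              # atomicity: all or nothing
        return False, observed


def demo():
    """Run the four scenarios and return what each one produced."""
    conn, path = new_ledger()
    watcher = sqlite3.connect(path, isolation_level=None, timeout=2)
    ok, seen = transfer(conn, "alice", "bob", 30, observer=watcher)  # commits: 70 / 80
    bad, _ = transfer(conn, "alice", "nobody", 10)                    # rolled back: debit undone
    over, _ = transfer(conn, "bob", "alice", 500)                     # CHECK fails: rolled back
    conn.close()
    fresh = sqlite3.connect(path)                                     # durability: survives reopen
    result = {"committed": ok, "seen_during": seen, "unknown_dst": bad,
              "overdraft": over, "final": balances(fresh)}
    watcher.close()
    fresh.close()
    return result


if __name__ == "__main__":
    print(demo())
```

Running it prints the committed flag, the balances the watcher saw mid-transaction (still the seed values), the two failures and the final state. Swap the order of the two UPDATE statements or remove the ROLLBACK and the final balances stop adding up, which is exactly the control failure the ACID model exists to prevent.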
Domain 4—Information Systems Operations, Maintenance and Service Management
1. Personnel roles and responsibility
Job role | Authorized changes | Production library access | Development library access | Security administration configuration | Execute production changes
System user (end user) | Approve | Use | No | No | No
System administration (custodian) | Request | Monitor/control | No | Implement | When approved
Security administration (custodian) | Approve | No | No | Specify control | No
Programming/development | Request | No | Create software | No | No
Change testing | Test only (use isolated test) | No | No | Test only (use isolated test) | No
Change control | Approve | No | No | No | No
 Information security management: ensures confidentiality, integrity, and availability of computing resources.
i. Chief information security officer: defines and enforces security policies for the organization, and reviews them periodically.
ii. Chief privacy officer: protects confidential (personal) information.
iii. Information systems security manager: day-to-day process of ensuring compliance with system security.
iv. Data owner: responsible for data content and authorization.
v. Data custodian: responsible for safeguarding and availability of data.
 Compensating controls: the goal is to reduce errors or omissions when the preferred control cannot be implemented.
i. Job rotation
ii. Audit / reconciliation
iii. Exception reports
iv. Transaction logs
v. Supervisor review

2. System access controls
 Privileged login account security controls:
i. Passwords must be changed every 30 days
ii. Retired passwords are to be backed up and protected in a controlled environment that is offsite
iii. Default login accounts should be disabled
 Required data protection controls:
i. Standing data controls: require additional controls such as storage in encrypted format
ii. System control parameters: used to customize the configuration settings and software application
iii. Logical access controls: direct access through open database connectivity (ODBC) should be prohibited, and all access to data files should be forced through authentication in a user rights management program (application processing control)
iv. Transaction processing controls: should be controlled with authentication and validation checks
 Process controls:
i. Batch totals: compare output
ii. Total number of items: ensure each item was processed
iii. Transaction logs: record activity
iv. Run-to-run totals: verify data values during the different stages of processing
v. Limit checks
vi. Exception reporting
vii. Job cost accounting
 Mobile software
Low risk | Moderate risk | High risk
PDF | Applets | ActiveX
Adobe Flash | PostScript
JavaScript | Visual Basic
i. ActiveX places no restrictions on what the programmer can do.
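The process controls listed under 2 above (batch totals, item counts, run-to-run totals, limit checks, exception reporting, transaction logs) are the ones an auditor tests by pushing a batch through the application. The block below is an added example, not from the study notes: Python that applies them to a constructed payroll batch. The submitting department's header carries a record count, a financial total and a hash total over employee IDs; every record passes a limit check; the pay stage computes net pay and a run-to-run total confirms nothing was lost between stages; rejected records land on an exception report and every decision is logged. The tax rate, the pay ceiling and the batch contents are invented for the example.

```python
TAX_RATE = 0.20        # assumed flat withholding rate (example only)
PAY_LIMIT = 10_000     # assumed per-record ceiling for the limit check (example only)

# Constructed sample batch: (employee_id, gross_pay). Record 1004 deliberately
# exceeds the limit so that it lands on the exception report.
BATCH = [(1001, 3200), (1002, 4100), (1003, 2550), (1004, 25000)]
# Control totals prepared by the submitting department (constructed).
HEADER = {"record_count": 4, "amount_total": 34850, "hash_total": 4010}


def control_totals(records):
    """Batch totals: item count, financial total, and a hash total (the sum of a
    non-financial field, here employee IDs, used purely as a control figure)."""
    return {
        "record_count": len(records),
        "amount_total": sum(amount for _, amount in records),
        "hash_total": sum(emp for emp, _ in records),
    }


def process_batch(header, records, limit=PAY_LIMIT, tax_rate=TAX_RATE):
    """Run the batch through input validation and pay calculation, returning
    the paid records, the exception report and the transaction log."""
    log = []                                        # transaction log: every event
    totals = control_totals(records)
    if totals != header:                            # batch-total check on input
        log.append(f"REJECT batch: header {header} != computed {totals}")
        return {"accepted": False, "paid": [], "exceptions": [], "log": log}
    log.append("input batch totals agree with header")

    paid, exceptions = [], []
    for emp, gross in records:
        if not 0 < gross <= limit:                  # limit check on each transaction
            exceptions.append((emp, gross, f"gross pay outside 0..{limit}"))
            log.append(f"EXCEPTION {emp}: gross {gross}")
            continue
        tax = round(gross * tax_rate)
        paid.append({"emp": emp, "gross": gross, "tax": tax, "net": gross - tax})
        log.append(f"PAID {emp}: net {gross - tax}")

    # Run-to-run total: the amount entering the pay stage must equal what left it.
    gross_in = sum(p["gross"] for p in paid)
    out = sum(p["net"] for p in paid) + sum(p["tax"] for p in paid)
    # Item count: processed plus excepted records must account for every input record.
    if gross_in != out or len(paid) + len(exceptions) != totals["record_count"]:
        log.append(f"RUN-TO-RUN MISMATCH: in {gross_in}, out {out}")
        return {"accepted": False, "paid": [], "exceptions": exceptions, "log": log}
    log.append(f"run-to-run total {gross_in} and item count verified")
    return {"accepted": True, "paid": paid, "exceptions": exceptions, "log": log}


if __name__ == "__main__":
    print("\n".join(process_batch(HEADER, BATCH)["log"]))
    tampered = BATCH[:2] + [(1003, 5550)] + BATCH[3:]     # amount altered after totals were struck
    print("\n".join(process_batch(HEADER, tampered)["log"]))
```

The second run shows why the header totals matter: an amount changed between the department striking its totals and the job running is caught before any record is paid, while the oversized record in the first run is isolated on the exception report without stopping the rest of the batch.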
3. Business Continuity Plan
 The strategy for which the sum of downtime cost and recovery cost is the lowest is the optimal strategy.
 Components
i. DRP plan: it is critical to initially identify information assets that can be made more resilient to disasters.
ii. Plan to restore operations to normal following a disaster
iii. Improvement of security operations
 BCP lifecycle
i. Create BCP policy
ii. Business impact analysis (BIA) should be conducted with input from a wide array of stakeholders, and identifies
 Protecting human resources during a disaster-related event, which should be addressed first
 Different business processes and their criticality
 Critical IS resources supporting critical business processes
 The critical recovery period before significant losses occur
 A determination of acceptable downtime
iii. Classify operations and criticality
iv. Identify IS processes that support business criticality
v. Develop BCP and IS DRP
vi. Develop resumption procedures
vii. Training and awareness programs
viii. Test and implement plan
ix. Monitoring: periodic testing of the recovery plan is critical to ensure that whatever has been planned and documented is feasible.
 Terms
i. Recovery point objective (RPO) – based on acceptable data loss; the earliest point in time to which it is acceptable to recover; the date/time or synchronization point to which systems/data will be restored.
ii. Recovery time objective (RTO) – based on acceptable downtime; the earliest time by which business operations must resume.
iii. Interruption window – how long the business can wait before operations resume (after this point, losses are unaffordable)
iv. Maximum tolerable outage (MTO) – the maximum time the business can operate in alternate processing mode before other problems occur
v. Service delivery objective (SDO) – the acceptable level of service required during alternate processing
 Recovery alternatives
i. Hot site – fully configured and ready to operate within hours. Not for extended use.
ii. Warm site – partially configured. Site ready in hours, operations ready in days or weeks.
iii. Cold site – has basic utilities, ready in weeks.
iv. Redundant site – dedicated, self-developed sites.
v. Mobile site – data center in a box
vi. Reciprocal agreements with other businesses

4. The IS auditor might need to review specific reports associated with availability and response. This list identifies log types and characteristics:
 System logs identify the activities performed on a system and can be analyzed to determine the existence of unauthorized access to data by a user or program.
 The review of abnormal job-termination reports should identify application jobs that terminated before successful completion.
 Operator problem reports are used by operators to log computer operations problems and their solutions. Operator work schedules are maintained by IS management to assist in human resource planning.
 Capacity-monitoring software monitors usage patterns and trends, enabling management to properly allocate resources and ensure continuous efficiency of operations.
 Network-monitoring devices are used to capture and inspect network traffic data. The logs from these devices can be used to inspect activities from known or unknown users to find evidence of unauthorized access.
 System downtime reports provide information regarding the effectiveness and adequacy of computer preventive maintenance programs and can be very helpful to an IS auditor when determining the efficacy of a systems-maintenance program.
Information Systems Operations, Maintenance and Service Management (continued)
1. Redundant Array of Inexpensive/Independent Disks (RAID)
 Level 0 – Striping: makes several disks appear as one big disk. It has the best performance, but any single disk failure loses the data.
 Level 1 – Disk mirroring: all data is written to at least two separate physical disks to prevent data loss. However, it cuts usable space in half.
 Level 2 – Hamming-code ECC: interleaves data with Hamming-code error correction (expensive and rare; hardware based, resource intensive)
 Level 3 – Parallel transfer with parity: at least two striped data drives with one dedicated parity drive (faster in hardware)
 Level 5 – Block-level striping with distributed parity: the most commonly used method. It uses less disk space than RAID 1 for the same amount of usable storage (one disk's worth of capacity goes to parity). It is cheap yet provides good overall read and write performance, and tolerates the loss of one disk.
 Level 6 – Like RAID 5 but with a second, independent parity block per stripe, so it survives two simultaneous disk failures at the cost of extra write overhead and expense. The disks in the same set appear as one large disk.
 Level 10 – High reliability and performance; at least four drives, striping across mirrored (level 1) pairs; high I/O
 Level 0+1 – High transfer rate; a mirror of two stripe sets; losing a drive on both sides of the mirror loses the whole array

2. Open Systems Interconnection Model: a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to its underlying internal structure and technology.
Layer | Name | Example protocols | Function
7 | Application layer | HTTP, FTP, DNS, SNMP, Telnet | Where the user interacts directly with the software application.
6 | Presentation layer | SSL, TLS | Handles data formatting and encryption; translates data into a format all computers can understand.
5 | Session layer | NetBIOS, PPTP | Where communications between systems are managed.
4 | Transport layer | TCP, UDP | Specifies the method of delivery. i. Confirmed delivery: TCP connection; slower, because it provides error detection and retransmission. ii. Unconfirmed delivery: User Datagram Protocol (UDP); faster, with less overhead.
3 | Network layer | IP, ARP, ICMP, IPsec | Handles addressing and routing the data, sending it in the right direction to the right destination.
2 | Data link layer | PPP, ATM, Ethernet, switches | Establishes data communications via hardware device drivers and the transmit/receive function.
1 | Physical layer | Ethernet, USB, Bluetooth, IEEE 802.11 | Responsible for sending bits from one device to another along the network medium.

3. Network cables & topologies
 Topologies
i. Bus: uses coaxial cable but runs the risk of interrupted transmission, since computers are linked together with one cable.
ii. Star: computers are connected to a network hub (or switch) with additional cables. It offers flexibility but higher cost on more cables.
iii. Ring: a dual ring provides a redundant path to create a fault-tolerant network.
iv. Mesh: has alternate connections for major backbone points on the network. It also has a higher cost of implementation.
 Cable types:
i. Coaxial: for longer distances and areas prone to electrical interference, or for outdoor connections.
ii. Unshielded twisted-pair cable: inexpensive and commonly used in star topologies.
iii. Fiber optic cable: extremely wide bandwidth, but expensive, and the glass strands are fragile.

4. IPS vs. IDS
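The RAID levels under 1 above are easier to reason about once the parity arithmetic is visible. The block below is an added example, not from the study notes: a small Python model of RAID 5 that stripes data across n disks with rotating XOR parity, rebuilds a failed disk from the survivors, and shows why a second failure defeats single parity (the reason RAID 6 adds an independent second parity block). The block size, disk count and sample bytes are invented; real arrays also handle caching, disk geometry and write ordering that this model ignores.

```python
from copy import deepcopy

BLOCK = 4          # bytes per block (tiny for readability; real arrays use KiB-sized blocks)
SAMPLE = b"CISA notes: RAID 5 = striping with distributed parity!"   # constructed data


def xor_blocks(*blocks):
    """Bitwise XOR of equal-length blocks: the parity operation used by RAID 5."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data, n_disks, block=BLOCK):
    """Distribute data over n_disks. Each stripe holds n_disks-1 data blocks and
    one parity block; the parity position rotates so parity writes are spread
    across all disks (the 'distributed parity' of RAID 5)."""
    per_stripe = block * (n_disks - 1)
    data = data + b"\0" * ((-len(data)) % per_stripe)          # pad to whole stripes
    disks = [[] for _ in range(n_disks)]
    for stripe, off in enumerate(range(0, len(data), per_stripe)):
        chunk = data[off:off + per_stripe]
        data_blocks = [chunk[i:i + block] for i in range(0, per_stripe, block)]
        parity_at = stripe % n_disks
        todo = iter(data_blocks)
        for d in range(n_disks):
            disks[d].append(xor_blocks(*data_blocks) if d == parity_at else next(todo))
    return disks


def raid5_read(disks, length):
    """Reassemble the original bytes from a healthy array, skipping parity blocks."""
    n_disks, out = len(disks), bytearray()
    for stripe in range(len(disks[0])):
        parity_at = stripe % n_disks
        out += b"".join(disks[d][stripe] for d in range(n_disks) if d != parity_at)
    return bytes(out[:length])


def raid5_rebuild(disks, failed):
    """Recreate the failed disk: the XOR of the surviving blocks in each stripe
    gives back the missing one, whether it held data or parity."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks(*(d[s] for d in survivors)) for s in range(len(survivors[0]))]


def demo(n_disks=4):
    """Returns (single failure rebuilt?, double failure rebuilt?, usable fraction
    for RAID 5 with n_disks, usable fraction for RAID 1)."""
    disks = raid5_write(SAMPLE, n_disks)
    single_ok = raid5_rebuild(disks, 2) == disks[2]
    damaged = deepcopy(disks)
    damaged[3] = [b"\0" * BLOCK] * len(disks[3])                 # a second disk is lost too
    double_ok = raid5_rebuild(damaged, 2) == disks[2]            # XOR now has two unknowns
    return single_ok, double_ok, (n_disks - 1) / n_disks, 0.5


if __name__ == "__main__":
    print(demo())
```

With four disks the model reports that one failed disk is rebuilt exactly, that two are not, and that 75% of raw capacity is usable against 50% for mirroring, which is the trade-off the notes summarise for levels 1, 5 and 6.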
 A host-based intrusion prevention system (IPS) prevents unauthorized changes to the host.
 A network-based intrusion detection system (IDS) relies on attack signatures based on known exploits and attack patterns. Detection approaches:
i. Statistical: baselines network traffic and the load on a computer, and alerts on deviation from the baseline
ii. Signature: known patterns and techniques
iii. Neural: a learning network
iv. Honey bits, pots, nets: sacrificial files, servers, or subnets

5. Firewall
 Designs
iv. Screened host: a packet-filtering router in front of a single bastion host; the bastion host is the system expected to be attacked.
v. Dual-homed host: a host with two network interface cards, on which a special software application relays appropriate communication between the two interfaces.
vi. Screened subnet (DMZ design): allows several computers to be placed in a protected subnet that is accessible from the outside and by systems inside the network.
vii. Stateful inspection: tracks the history and nature of connection requests to determine whether a remote request should be transmitted to the destination computer or discarded as hazardous.
 Types of firewall
i. Out of all types of firewall, an application-level firewall provides the greatest security (as it works at the application layer of the OSI model).
ii. In any given scenario, the most robust firewall rule configuration is 'deny all traffic and allow specific traffic' (as against 'allow all traffic and deny specific traffic').
iii. A stateful inspection firewall allows traffic from outside only if it is in response to traffic from internal hosts.
Firewall | OSI layer
Application level | Application layer
Circuit level | Session layer
Stateful inspection | Network layer (tracks transport-layer connection state)
Packet filtering router | Network layer

6. In any given scenario, the following are the best practices for wireless (Wi-Fi) security:
 Enable MAC (Media Access Control) address filtering.
 Enable encryption to protect data in transit.
 Disable SSID (service set identifier) broadcasting.
 Disable DHCP (Dynamic Host Configuration Protocol).
 MAC filtering, hidden SSIDs and static addressing raise the effort for a casual intruder only: MAC addresses can be spoofed and the SSID is still visible in probe and association frames, so none of them substitutes for strong encryption.
 Security ranking: randomly generated PSK > MAC-based PSK (the MAC address is fixed and often accessible) > WEP (very weak encryption that can be cracked within minutes) > SSID.
 In any given scenario, WPA2 (Wi-Fi Protected Access 2) is the strongest encryption standard for the wireless connection among the options usually offered; WPA3 has since superseded it.
 In any given scenario, confidentiality of the data transmitted in a wireless LAN is BEST protected if the session is encrypted using dynamic keys (as compared to static keys).
 Electromagnetic emissions from a terminal can be detected by sophisticated equipment and displayed, thus giving unauthorized persons access to data.
 Configuration management is one of the key components of any network since it establishes how the network will function internally and externally.
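Points ii and iii under "Types of firewall" above are easiest to test as code. The block below is an added example, not from the study notes: a small Python model of a stateful, default-deny filter with the permissive posture beside it for contrast. Only two explicit allow rules exist (internal hosts may open TCP 443 outward; anyone may reach a DMZ web server on 80/443). Any new connection matching neither is dropped, and inbound packets are otherwise accepted only when they belong to a flow an internal host already opened. The internal range, the DMZ address, the ports and the six packets are constructed for the scenario (external addresses come from the documentation ranges).

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto syn")

INTERNAL = ipaddress.ip_network("10.0.0.0/8")             # assumed internal range
DMZ_WEB = ipaddress.ip_address("192.0.2.10")              # assumed DMZ web server


def pkt(src, sport, dst, dport, proto="tcp", syn=False):
    """Build a packet summary; `syn` marks a new connection attempt."""
    return Packet(ipaddress.ip_address(src), sport, ipaddress.ip_address(dst), dport, proto, syn)


def internal_egress_https(p):
    """Hosts inside may open TCP 443 connections to the outside."""
    return p.src in INTERNAL and p.dst not in INTERNAL and p.proto == "tcp" and p.dport == 443


def dmz_web_ingress(p):
    """Anyone may reach the DMZ web server on 80/443."""
    return p.dst == DMZ_WEB and p.proto == "tcp" and p.dport in (80, 443)


ALLOW_RULES = [("egress-https", internal_egress_https), ("ingress-dmz-web", dmz_web_ingress)]


class StatefulFirewall:
    """Deny all, allow specific: a packet passes only if it is the reply to a flow
    already in the state table, or a new connection that an explicit allow rule
    permits. Everything else is dropped."""

    def __init__(self, rules=ALLOW_RULES):
        self.rules = rules
        self.state = set()      # 5-tuples of flows that were allowed to start
        self.log = []

    def filter(self, p):
        flow = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if reverse in self.state:                     # reply to a connection we opened
            self.log.append(("ALLOW established", p))
            return True
        if p.syn:                                     # new connection: consult allow rules
            for name, rule in self.rules:
                if rule(p):
                    self.state.add(flow)
                    self.log.append((f"ALLOW {name}", p))
                    return True
        self.log.append(("DROP default", p))          # no rule, no state: denied
        return False


class DenyListFirewall:
    """Allow all, deny specific: the weaker posture the notes warn against."""

    def __init__(self, blocked_ports=(445,)):
        self.blocked = set(blocked_ports)

    def filter(self, p):
        return p.dport not in self.blocked


def run_scenario():
    """Six constructed packets through both postures; returns the decisions and the log."""
    fw = StatefulFirewall()
    packets = [
        pkt("10.1.2.3", 51000, "203.0.113.5", 443, syn=True),   # inside opens HTTPS out
        pkt("203.0.113.5", 443, "10.1.2.3", 51000),             # server replies
        pkt("198.51.100.7", 4444, "10.1.2.3", 445, syn=True),   # unsolicited SMB from outside
        pkt("198.51.100.7", 3333, "192.0.2.10", 443, syn=True), # public hit on DMZ web
        pkt("10.1.2.3", 51001, "203.0.113.5", 22, syn=True),    # inside tries SSH out: no rule
        pkt("198.51.100.7", 443, "10.1.2.3", 51000),            # forged 'reply' from wrong host
    ]
    return {"default_deny": [fw.filter(p) for p in packets],
            "default_allow": [DenyListFirewall().filter(p) for p in packets],
            "log": fw.log}


if __name__ == "__main__":
    for verdict, p in run_scenario()["log"]:
        print(f"{verdict:<22} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

The forged reply in the last packet is the point of the state table: the 5-tuple it claims does not match any flow an inside host opened, so it is dropped even though its source port is 443. The deny-list filter lets both that packet and the unauthorised SSH session through, because nobody wrote a rule against them.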
Domain 5—Protection of Information Assets
1. Security goal and matching control
Security goal | Primary control | Failure consequence
Confidentiality | Data classification; separation of duties; least privilege; controls appropriate in every step of users' business workflow | Unauthorized disclosure; data breach; organization failure
Integrity | Control & trust | Loss of control
Availability | Authentication of allowed users | Unauthorized access with or without detection
 An important benefit of a well-defined data classification process is to lower the cost of protecting data by ensuring that the appropriate controls are applied with respect to the sensitivity of the data.
 The IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence.

2. Technical protection
 Mandatory access controls (MAC): a set of rules determines which person (subject) will be allowed to access the data (object). The access privileges are predetermined based on a list (security labels on subjects and objects).
i. Changed only by administrators making decisions derived from policy
ii. Example: password complexity requirements
 Discretionary access controls (DAC): allow a designated individual (typically the data owner) to decide a broad level of user access. The IS auditor needs to investigate how the decisions are selected, authorized, managed, and reviewed at least annually.
i. Controls that CAN be changed by normal users/data owners
ii. Example: access to a departmental shared folder on a server
 Role-based access control: based on job requirement.
 Task-based access control: based on task requirement.
 Attribute-based access control: a selective control that is flexible.

3. Application software controls: provide security by using a combination of user identity, authentication, authorization, and accountability.
 Database view: a read restriction placed on particular columns in the database.
 Restricted user interface
 Security labels: a metadata control in MAC environments that specifies who may access the file and how the file may be used. Additional compensating controls are necessary in certain situations to protect against bypass of the MAC security level.
 Internal access control lists should be used to implement least privilege.

4. Biometric sensors:
 The purpose of biometrics is to provide authentication of the person after they identify themselves.
 A biometric sensor creates a new data template every time the sensor is used, which is compared to the database by the template matcher.
 Drawbacks
i. Failure to enroll: the user's sample is not accepted by the system
ii. False rejection: the system rejects a legitimate user (the complementary error, false acceptance, admits an impostor)
iii. Equal error rate (EER), also called crossover error rate (CER): the operating point at which the false acceptance rate equals the false rejection rate; the lower the value, the more accurate the system. Raising the match threshold trades false acceptances for false rejections.
iv. Throughput rate: the number of samples the system can process while still being accurate; higher-risk situations should accept a lower throughput rate.

5. Kerberos single sign-on
 The user logs in once to Kerberos, and the system authenticates the user and grants access to all resources.
 A strong password and strong encryption will improve overall security: service tickets are encrypted with keys derived from account passwords, so a weak service-account password can be attacked offline from a captured ticket.

6. Encryption
 Methods
i. Private-key: a secret key shared between the authorized parties, which must be protected with the highest due diligence. A shared key between sender and receiver is referred to as symmetric-key cryptography. It is fast but must be protected with the highest diligence.
 Advanced Encryption Standard (AES) is a secure encryption algorithm appropriate for encrypting passwords that must later be recovered in clear (for example, in a password vault); stored authentication passwords are normally protected with a salted, slow password hash instead.
ii. Public-key: also known as asymmetric cryptography, uses a public key to encrypt and a private key to decrypt. Using two private keys would not be possible with asymmetric encryption. Asymmetric cryptography is typically used for the transmission of data (and for key exchange and digital signatures). A public key infrastructure built on it has four components, listed under the PKI components below.
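Sections 2 and 3 above describe mandatory controls (labels set by policy, changed only by administrators), discretionary controls (an owner's ACL) and the need to guard against bypass of the MAC level. The block below is an added example, not from the study notes: a small Python reference monitor that evaluates both layers on every request. MAC enforces the classic label rules (a subject may not read above its clearance nor write below it); DAC consults the owner-maintained ACL, so a user outside the list gets nothing even with sufficient clearance (least privilege); every decision is written to an audit trail (accountability). The scenario shows that an owner's ACL grant cannot override the label, and that only the policy administrator can relabel. The label lattice, the administrator role name, the users and the document are invented.

```python
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}   # assumed lattice
POLICY_ADMIN = "secadmin"                                                # assumed role name


class Subject:
    def __init__(self, name, clearance):
        self.name, self.clearance = name, clearance


class Resource:
    def __init__(self, name, classification, owner):
        self.name, self.classification, self.owner = name, classification, owner
        self.acl = {owner: {"read", "write"}}     # DAC: the owner starts with full access


class ReferenceMonitor:
    def __init__(self):
        self.audit = []                            # accountability: every decision logged

    def relabel(self, actor, res, new_label):
        """MAC labels are policy: only the policy administrator may change them."""
        if actor.name != POLICY_ADMIN:
            return self._log(actor, res, f"relabel->{new_label}", False, "MAC: not policy admin")
        res.classification = new_label
        return self._log(actor, res, f"relabel->{new_label}", True, "ok")

    def grant(self, actor, res, user, perm):
        """DAC entries are discretionary: only the owner may hand out access."""
        if actor.name != res.owner:
            return self._log(actor, res, f"grant {perm} to {user}", False, "DAC: not owner")
        res.acl.setdefault(user, set()).add(perm)
        return self._log(actor, res, f"grant {perm} to {user}", True, "ok")

    def check(self, subj, res, op):
        """Both layers must agree; MAC is evaluated first and cannot be bypassed by ACL edits."""
        s, o = LEVELS[subj.clearance], LEVELS[res.classification]
        if op == "read" and s < o:
            return self._log(subj, res, op, False, "MAC: no read up")
        if op == "write" and s > o:
            return self._log(subj, res, op, False, "MAC: no write down")
        if op not in res.acl.get(subj.name, set()):
            return self._log(subj, res, op, False, "DAC: not on ACL")
        return self._log(subj, res, op, True, "ok")

    def _log(self, subj, res, op, allowed, reason):
        self.audit.append((subj.name, res.name, op, allowed, reason))
        return allowed, reason


def scenario():
    """Returns the list of (allowed, reason) decisions for a constructed case."""
    rm = ReferenceMonitor()
    alice = Subject("alice", "confidential")      # owner of the forecast
    bob = Subject("bob", "internal")              # cleared below the document
    carol = Subject("carol", "secret")            # cleared above it
    admin = Subject(POLICY_ADMIN, "secret")
    doc = Resource("q3-forecast", "confidential", "alice")
    return [
        rm.check(alice, doc, "write"),            # owner, equal level: ok
        rm.grant(alice, doc, "bob", "read"),      # DAC grant succeeds...
        rm.check(bob, doc, "read"),               # ...but MAC still denies (no read up)
        rm.check(carol, doc, "read"),             # cleared, yet not on ACL: least privilege
        rm.grant(alice, doc, "carol", "read"),
        rm.check(carol, doc, "read"),             # now allowed
        rm.check(carol, doc, "write"),            # secret -> confidential: no write down
        rm.relabel(bob, doc, "internal"),         # label bypass attempt: refused
        rm.relabel(admin, doc, "internal"),       # policy change by the right role
        rm.check(bob, doc, "read"),               # allowed after the legitimate relabel
    ]


if __name__ == "__main__":
    for allowed, reason in scenario():
        print("ALLOW" if allowed else "DENY ", reason)
```

The order of the checks is the security-relevant design choice: because the label test runs before the ACL lookup, nothing an owner does to the ACL can move data to a lower level; only the relabel path, restricted to the policy administrator, can do that, and it leaves an audit record.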
 PKI components:
 Certificate Authority (CA): issues certificates. The primary role of the CA is to authenticate the entity owning a certificate and to confirm the integrity of any certificate it issued.
 Registration authority (RA): bookkeeping and issuing functions delegated from the CA.
 Certificate revocation list (CRL): maintained by the CA to indicate that certificates have expired or been revoked.
 Certification practice statement (CPS): disclosure document that specifies how a CA will issue certificates.
 Problems when using encryption
i. Creating and issuing keys requires discipline, or the key can easily be compromised
ii. Separate keys should be used for separate classifications of data
iii. Encryption keys must be rotated
iv. Encryption only protects the output file, not the original source file
v. The system is still vulnerable to attack
 Encryption-key management:
i. Proper authorization: never allow users to encrypt files that management cannot decrypt without the user (key escrow or recovery)
ii. Encryption keys must be individually managed, tracked (in a library), and unique to each task
iii. Separation of duties:
 Encryption keys need to be generated on a system that is physically and logically isolated from other systems and transferred via read-only media
 Users should never have direct access to encryption keys
iv. The use of specific encryption keys should be limited
v. The use, archiving, and destruction of encryption keys require a formal review
vi. Nonrepudiation, achieved through the use of digital signatures, prevents senders from later denying that they generated and sent the message.
 Digital rights management (DRM): uses public-key encryption to enforce digital rights.
 Steganography is a technique for concealing the existence of messages or information.

7. Network security protocols
 Pretty Good Privacy (PGP): for personal file and e-mail encryption
 Transport Layer Security (TLS): for secure transmission internally and over the Internet. TLS replaced SSL, which was used by most websites. TLS is the preferred method to use for all secure sessions.
 HTTPS (HTTP over TLS): older sites may still use SSL; newer sites should all use TLS.
 Internet Protocol Security (IPsec): a secure network protocol suite that authenticates and encrypts packets sent over an IP network (IPv4 or IPv6). A VPN's primary purpose is to protect data in transit using tunnelling.
 The Secure Electronic Transaction (SET) protocol provides a method for purchasing over the Internet without disclosing the credit card information to the merchant. The buyer will be liable for transactions that involve his/her personal SET certificate.
 Email anti-spam techniques, ranked: Bayesian > heuristic > signature based > pattern matching

8. Risk assessment
 First step is to identify the assets (in some cases, critical processes).
 Second step is to identify relevant risk (vulnerability/threat).
 Third step is to do impact analysis (qualitative or quantitative).
 Fourth step is prioritizing the risk on the basis of impact (IT risk analysis).
 Fifth step is to evaluate controls.
 Sixth step is to apply appropriate controls.

9. Security requirements
 Authenticity – verification that a message genuinely originates from its claimed sender (integrity is the related property that it was not changed in transit)
 Nonrepudiation – verification of origin or receipt of a message
 Accountability – actions traceable to an entity
 Network availability
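The biometric drawbacks listed under section 4 of this domain (false rejection, the equal/crossover error rate, throughput) all come down to where the matching threshold is set. The block below is an added example, not from the study notes: given constructed similarity scores for genuine users and impostors (a real enrollment study produces thousands of these), it sweeps the threshold, computes the false acceptance and false rejection rates at each setting, finds the crossover point, and then picks the threshold for a higher-risk deployment that tolerates no false acceptances even at the cost of rejecting more legitimate users. The score values are invented.

```python
# Constructed matcher scores (0-100 similarity) from an imaginary enrollment study:
# genuine = the enrolled person presenting again; impostor = someone else.
GENUINE = [91, 88, 85, 83, 80, 78, 75, 72, 70, 64]
IMPOSTOR = [30, 35, 40, 45, 52, 58, 63, 68, 71, 74]


def error_rates(genuine, impostor, threshold):
    """A sample is accepted when score >= threshold.
    FAR = impostors accepted / impostors; FRR = genuine users rejected / genuine users."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def roc_table(genuine, impostor, thresholds=range(0, 101)):
    """(threshold, FAR, FRR) for every candidate threshold."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def equal_error_rate(genuine, impostor):
    """Crossover point: the threshold where FAR and FRR are closest, and the rate there.
    A lower EER means a more accurate matcher."""
    t, far, frr = min(roc_table(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return t, (far + frr) / 2


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR is within the risk appetite; returns it with its FRR,
    which is the throughput price paid for the tighter setting."""
    for t, far, frr in roc_table(genuine, impostor):
        if far <= max_far:
            return t, frr
    return None


if __name__ == "__main__":
    t, eer = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"crossover at threshold {t}: EER {eer:.2f}")
    t_high, frr_high = threshold_for_max_far(GENUINE, IMPOSTOR, 0.0)
    print(f"zero false acceptances needs threshold {t_high}, "
          f"rejecting {frr_high:.0%} of genuine users")
```

On the sample data the curves cross at a threshold of 71 with both error rates at 20%; demanding zero false acceptances pushes the threshold to 75 and rejects 30% of genuine attempts, which is the lower throughput the notes say a higher-risk situation should accept. An auditor comparing two products should compare their EERs on the same population, not the vendor's chosen operating point.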