
CBT Nuggets - ISACA CISA

Posted By: serpmolot
English | updated 2015 | mp4 | H264 1280x720 | AAC 1 ch | 15 hrs 36 min | 3.7 GB
eLearning | Level: Intermediate

This course covers ISACA CISA objectives. Without comprehensive security plans, policies, and procedures, your organization's information security could be missing something — and that's all it takes for the worst to happen.

Recommended skills:
- Familiarity with IT operations
- Familiarity with IT development lifecycles and project management

Recommended equipment:
- No special equipment or software needed

Related certifications:
- None

Related job functions:
- Operations management
- Development management
- Project management
- Auditor

As a Certified Information Systems Auditor (CISA), you'll perform business-critical functions by assessing your organization's IT and business systems to ensure they are monitored, controlled, and protected.

CISA is on the level of CISSP and CCIE in prestige — and in the way it distinguishes you from your peers. It's globally recognized within the IT industry and beyond, used by the US Department of Defense and others as a minimum requirement for many high-end security positions. And studies have found that having the CISA credential can increase your salary potential.


1. CISA Overview (11 min)
This Nugget provides an overview of the CISA exam and the five knowledge domains that the exam questions are based on. This Nugget also reviews the qualifications for the exam and suggests ways to gain some of the practical knowledge needed to be successful on the exam.
2. Exam Format (9 min)
This Nugget reviews the format of the CISA exam. Unlike many other IT certification exams, which are computer-based exams, the CISA exam is a paper-based exam that's offered only two times a year. The exam contains 200 multiple-choice questions and has a time limit of four hours.
3. The CISA Review Manual (7 min)
This Nugget reviews the CISA review manual. This review manual is issued annually by ISACA to ensure that it always represents the current state of IS auditing. While knowledge of this manual is not mandatory to take and pass the CISA certification, it is highly recommended as it provides the foundation for the CISA exam. This manual consists of five chapters, one for each of the domains tested, and each chapter has two sections: the first defines the tasks and knowledge statements a CISA auditor is expected to know, and the second contains the details for the domain. This Nugget course is based on the knowledge statements and will thoroughly define the information that will be tested on the CISA exam.
4. Passing the Exam (8 min)
This Nugget reviews the format of the CISA exam and provides some tips and hints on passing the exam. In many instances there will be multiple right answers; the correct answer is the best one, where best means the answer that would also be the best implementation in a real-world situation. A passing grade is earning at least 450 points out of a possible 800 points.
5. What does a CISA Auditor do? (5 min)
This Nugget reviews the typical role of a CISA auditor, an independent external auditor who will produce an audit report for an organization’s C-level executives. The auditor must follow professional guidelines and standards and produce an objective audit report that is relevant to senior management.
6. Audit Standards (8 min)
This Nugget provides a brief overview of the ISACA audit standard that the CISA certification is based on, the ITAF 3rd edition. The Nugget reviews the three components of the standard: General, Performance and Reporting, and how each is relevant for IT auditing.
7. Types of Audits (7 min)
This Nugget reviews the types of audits that are most typical for a CISA auditor. These are external audits of an organization’s IT processes, systems, and operations.
8. Control Self-Assessment (6 min)
This Nugget reviews a concept called Control Self-Assessment. This is a process that an organization may choose to implement to validate that processes and procedures are being followed properly. As such, there is no role for an auditor. However, a control self-assessment is typically the result of an audit discovering a flaw or weakness, and the auditor is asked to facilitate the development of the self-assessment.
9. Continuous Auditing (7 min)
This Nugget reviews a CISA audit role called continuous auditing. Continuous auditing is typically performed by an internal CISA auditor and involves ongoing auditing of the IT systems or processes, typically by using automated data collection methods such as transaction or database monitors or embedded audit modules, which extract the information needed to allow the CISA auditor to monitor and report on a regular/continuous basis.
10. Compensating Controls (7 min)
This Nugget reviews the processes an auditor should follow when they discover a compensating control. A compensating control is an extra step, process, or activity that an organization uses to address a weakness that cannot be cost-effectively eliminated. When an auditor discovers a compensating control, the first step is to validate that it adequately addresses the weakness, then validate that a better solution doesn’t exist, and finally report on both the weakness and the compensating control to ensure that it continues to be applied.
11. Legacy Auditing (7 min)
This Nugget introduces a term called Legacy Auditing. Legacy auditing refers to the fact that as an auditor you may encounter some very old legacy hardware, software, or networks and that you need to have an understanding of these legacy systems — and more importantly the audit considerations of these legacy systems.
12. Third Party Auditors (6 min)
This Nugget reviews how an auditor should deal with third-party audit reports. Specifically, it discusses using the results of previous internal audits to develop your audit plan to ensure that all prior audit findings are considered. Secondly, this Nugget reviews considerations for integrating related audits into your audit report.
13. Audit Report (7 min)
This Nugget reviews the format of the audit report produced to present the results of the audit to the organization’s senior management. The final report should consist of three components: a briefing, a briefing presentation, and the detailed audit report. While the audit report format will vary based on the nature of the audit, it should present the findings, ranked by priority/importance, and a timeline for when the solutions should be implemented. The key to a successful audit report is fact-based findings and buy-in from the operational levels in the organization.
14. The Process of Auditing Information Systems (16 min)
This Nugget introduces the first of the five knowledge domains, the process of auditing information systems. Specifically, it discusses the five tasks: strategy, plans, standards, report, and follow-up.
15. IT Audit Standards, Guidelines, Tools and Techniques and Code of Ethics (12 min)
This Nugget is the first of 10 discussing the knowledge statements for the process of auditing information systems knowledge domain. This Nugget is focused on the standards that are defined for CISA. Specifically, it discusses the code of ethics, CISA standards, guidelines, tools and techniques, and the relationship that these have to other IT industry standards. The Nugget concludes with a brief discussion of how the Information Technology Information Framework (ITAF) summarizes all the CISA audit requirements discussed.
16. Audit Risk Assessment (20 min)
This Nugget is the second of 10 discussing the knowledge statements for the process of auditing information systems knowledge domain. This Nugget reviews the four components of audit risk assessment: risk analysis, risk-based auditing, risk materiality, and risk management techniques. The focus of this Nugget is ensuring that the audit focuses on the areas of IT which present the highest business risk, as well as ensuring that the audit is executed without introducing additional business risk.
17. Control Objectives (9 min)
This Nugget is the third of 10 discussing the knowledge statements for the process of auditing information systems knowledge domain. This Nugget reviews the importance of ensuring that the audit reflects the business objectives. This begins with a discussion on ensuring that the audit is aligned with the overall short- and long-term audit plans of the organization, which are typically based on focusing the audit on the areas with the largest potential for damage to the organization’s reputation. The Nugget then reviews the areas that should be considered to ensure that business risks are minimized, and concludes with a discussion on the relationship COBIT 5 has to IT audits and the need to match the IT controls to the business needs.
18. Audit Planning and Management (10 min)
This Nugget is the fourth of 10 discussing the knowledge statements for the process of auditing information systems knowledge domain. This Nugget is focused on defining the audit methodology and the management approaches for ensuring that the audit is successfully delivered. An audit-specific methodology is presented to ensure that a thorough plan is developed to deliver the objective and scope of the audit and a project management approach, consistent with the PMI PMBOK, is presented to ensure that the audit is completed based on this plan.
19. Business Processes (6 min)
This Nugget is the fifth of 10 discussing the knowledge statements for the process of auditing information systems knowledge domain. This Nugget is focused on ensuring that IT auditors have a fundamental understanding of the business processes that are being audited. This fundamental understanding should allow the auditor to understand what the business does, external influences on the business processes, management objectives and strategies, and how performance is measured.
20. Laws and Regulations (3 min)
This Nugget is the sixth of 10 discussing the knowledge statements for the process of auditing information systems knowledge domain. This Nugget reviews the impact that laws and regulations have on IT audits.
21. Evidence (11 min)
This Nugget is the seventh of 10 discussing the knowledge statements for the process of auditing information systems knowledge domain. This Nugget reviews the importance of using the proper procedures to gather and store the audit evidence. Ensuring that the audit evidence has integrity is key to any successful audit as this evidence will be the basis on which all audit recommendations are based, and if an audit recommendation is challenged, evidence will be required to validate the recommendations.
22. Sampling Methodologies (9 min)
This Nugget is the eighth of 10 discussing the knowledge statements for the process of auditing information systems knowledge domain. This Nugget reviews methodologies that can be used to sample the business results to obtain the evidence needed to support an audit. The Nugget first reviews the principles of compliance testing and then substantive testing. Next, the Nugget provides a high-level review of statistical sampling methods and closes with a discussion on judgmental sampling, which is a method that is used when full statistical sampling doesn’t apply.
23. Reporting and Communications (5 min)
This Nugget is the ninth of 10 discussing the knowledge statements for the process of auditing information systems knowledge domain. This Nugget reviews the importance of communications for successful audit completion. Effective communication is an ongoing process and consists of status reports, meeting minutes, emails, and casual conversations; every interaction between the audit team and the business needs to be professional and well managed to ensure effective reporting and communication.
24. Audit Quality Assurance (3 min)
This Nugget is the last of 10 discussing the knowledge statements for the process of auditing information systems knowledge domain. This Nugget reviews the role that quality assurance plays in the audit process, which is ensuring that all the standards, guidelines, and processes defined for a CISA audit are followed.
25. Governance and Management of IT (14 min)
This Nugget introduces the second of the five knowledge domains, governance and management of IT. Specifically, it discusses the 11 tasks: governance structure, organizational structure and HR management, IT strategy, resource investment and allocation, contracting policies, risk management, performance reporting, and business continuity plan.
26. Standards, Governance, and Frameworks (10 min)
This Nugget is the first of 16 discussing the knowledge statements for the governance and management of IT knowledge domain. This Nugget is focused on ensuring that the appropriate governance processes are in place, with an emphasis on ensuring that senior management is engaged and part of that governance. The Nugget then reviews the importance of having a well-defined IT organization structure, ensuring that there is separation of duties and ownership, and that there is a focus on meeting the availability targets set by the business.
27. Information Systems Strategy (11 min)
This Nugget is the second of 16 discussing the knowledge statements for the governance and management of IT knowledge domain. This Nugget discusses the importance of having a strategic plan for IT and the role of the executive steering committee in the overall IT approval process.
28. IT Organization (6 min)
This Nugget is the third of 16 discussing the knowledge statements for the governance and management of IT knowledge domain. This Nugget reviews what considerations a CISA needs to review to validate the appropriateness of an IT organization. This begins with ensuring complete roles/responsibility definitions exist and that all IT members are assigned to one of those roles. Next, the Nugget reviews the role of governing committees and senior management and concludes with a review of a RACI chart (Responsible, Accountable, Consulted, and Informed).
29. Maintenance of Policies and Procedures (3 min)
This Nugget is the fourth of 16 discussing the knowledge statements for the governance and management of IT knowledge domain. This Nugget reviews the importance of regular maintenance of all the IT policies, procedures, and guidelines to ensure that they are appropriate and relevant in today’s ever-changing business environment. And while all IT policies and procedures must be maintained, the Nugget explicitly calls out the information security policy and the acceptable use policy as two policies that need specific attention.
30. Enterprise Architecture (5 min)
This Nugget is the fifth of 16 discussing the knowledge statements for the governance and management of IT knowledge domain. This Nugget discusses enterprise architecture and the importance of tying the enterprise architecture to the strategic plan and the overall business requirements by creating an architecture roadmap.
31. Legal Compliance (9 min)
This Nugget is the sixth of 16 discussing the knowledge statements for the governance and management of IT knowledge domain. This Nugget discusses legal compliance, and focuses on ensuring that external contracts, specifically outsourcing contracts, are appropriate and consistent with legal and corporate policies. Next, the Nugget discusses approaches such as segregation of duties and compensating controls that can be put in place to ensure legal compliance.
32. Quality Management Systems (4 min)
This Nugget is the seventh of 16 discussing the knowledge statements for the governance and management of IT knowledge domain. This Nugget discusses the quality management systems that can ensure that quality assurance and quality control systems are being properly applied by the IT department to control, measure, and improve IT in the organization.
33. Maturity Models (5 min)
This Nugget is the eighth of 16 discussing the knowledge statements for the governance and management of IT knowledge domain. This Nugget discusses the role of the various IT maturity models and the role that they play in IT organizations. The Nugget provides an overview of the CMMI, IDEAL, and PAM models, as well as the considerations that an IT auditor needs to be aware of when conducting a CISA audit.
34. Process Optimization (3 min)
This Nugget is the ninth of 16 discussing the knowledge statements for the governance and management of IT knowledge domain. This Nugget discusses process optimization, which is the improvement of performance without increasing costs. The Nugget also reviews the role of the CISA auditor in process optimization: To validate the effectiveness of the optimization and whether the results are consistent with IT best practices.
35. IT Investment Practices (5 min)
This Nugget is No. 10 of 16 discussing the knowledge statements for the governance and management of IT knowledge domain. This Nugget discusses the importance of ensuring that IT investments provide monetary value and that the IT investments are aligned with the strategic plan.
36. IT Vendor Selection and Management (9 min)
This Nugget is the 11th of 16 discussing the knowledge statements for the governance and management of IT knowledge domain. This Nugget discusses the importance of reviewing the IT vendor selection and management. This Nugget reviews the life cycle associated with proper vendor selection and management: Make or buy decision, fair and open selection process, contract negotiations, contract management, and contract closing. The Nugget concludes with a review of a spreadsheet which can be used in the vendor selection process.
37. IT Risk Management (9 min)
This Nugget is the 12th of 16 discussing the knowledge statements for the governance and management of IT knowledge domain. This Nugget discusses the importance of effective enterprise risk management and reviews the five steps of risk management: Risk appetite, risk identification, risk analysis, risk plans, and risk management.
38. IT Performance Monitoring and Reporting (6 min)
This Nugget is the 13th of 16 discussing the knowledge statements for the governance and management of IT knowledge domain. This Nugget discusses IT performance monitoring and reporting, specifically using a balanced scorecard and key performance indicators (KPIs) to report the results of monitoring the operations and performance of IT to the organization.
39. BCP – HR Policies (5 min)
This Nugget is the 14th of 16 discussing the knowledge statements for the governance and management of IT knowledge domain. This Nugget kicks off a series of three Nuggets focused on validating the business continuity processes (BCP), and this one discusses what an auditor needs to validate to ensure that the human aspects of the BCP are appropriate. Specifically, the Nugget covers staff safety, contact call sheets, disaster procedures, temporary relocation of staff, security, and ensuring that temporary staff are easily available as needed when the organization is forced to activate the BCP.
40. BCP – Business Impact Analysis (8 min)
This Nugget is the 15th of 16 discussing the knowledge statements for the governance and management of IT knowledge domain. This Nugget continues the discussion on business continuity planning and how to ensure that plans are in place within an organization for all critical processes — and that they identify the recovery timeframes, dependencies, and appropriate recovery strategies.
41. BCP – Maintenance and Testing (4 min)
This Nugget is the last of 16 discussing the knowledge statements for the governance and management of IT knowledge domain. This Nugget concludes this business continuity plan discussion with a review of the importance of regular maintenance and testing of the plans to ensure ongoing validity of the BCP strategies.
42. Information Systems Acquisition, Development and Implementation (16 min)
This Nugget introduces the third of the 5 Knowledge Domains, Information Systems Acquisition, Development and Implementation. Specifically, it discusses the six tasks: Business Case, Project Management, Project Reviews, Methodology Compliance, Implementation Readiness, and Post Implementation Review.
43. Benefits Realization (6 min)
This Nugget is the first of 14 discussing the knowledge statements for the Information Systems Acquisition, Development and Implementation Knowledge Domain. This Nugget reviews the steps necessary to audit that IT is delivering the expected benefits. This is done by validating the benefits delivered against the original business statement. This includes identifying the measurement process and validating that someone is assigned the responsibility of collecting and validating the benefits.
44. Project Governance (9 min)
This Nugget is the second of 14 discussing the knowledge statements for the Information Systems Acquisition, Development and Implementation Knowledge Domain. This Nugget reviews project governance and the project organizational structures that should be in place to ensure effective overall governance. Project Governance typically begins with a project steering committee formed from the appropriate managers directly involved with the project.
45. Project Management (19 min)
This Nugget is the third of 14 discussing the knowledge statements for the Information Systems Acquisition, Development and Implementation Knowledge Domain. This Nugget provides an overview of the most common project management approaches used for IT project delivery and identifies the key components that an Auditor needs to be concerned with to ensure that the project is being appropriately managed. This includes ensuring that the PM has the skills and experience for the type of project being delivered. The Nugget concludes with a review of project organizational structures and the audit considerations of each.
46. Risk Management (7 min)
This Nugget is the fourth of 14 discussing the knowledge statements for the Information Systems Acquisition, Development and Implementation Knowledge Domain. This Nugget reviews the sources of risks for IT projects and ensures that the project has a thorough and complete list of risks that can impact the successful delivery of the project.
47. Architecture (12 min)
This Nugget is the fifth of 14 discussing the knowledge statements for the Information Systems Acquisition, Development and Implementation Knowledge Domain. This Nugget reviews processes to be followed to ensure effective hardware implementations take place in the organization. This consists of: Analysis, Planning, Hardware Acquisition, Software Acquisition, and Implementation.
48. Vendor Management (6 min)
This Nugget is the sixth of 14 discussing the knowledge statements for the Information Systems Acquisition, Development and Implementation Knowledge Domain. This Nugget continues the discussion on vendor management and is focused on ensuring that the proper processes are followed to select the best vendor for the stated requirements. The Nugget reviews the RFI, RFP and contracting processes to ensure that the right items are purchased and that the contract and supporting documents properly document the final configuration purchased.
49. Requirements Management (8 min)
This Nugget is the seventh of 14 discussing the knowledge statements for the Information Systems Acquisition, Development and Implementation Knowledge Domain. The Nugget reviews the Requirements Management life cycle: Requirement Identification, Requirement Documentation, Requirement Confirmation, Solution Development, Testing and Final Approval. The Nugget concludes with a review of a Requirements Traceability Matrix, which is key to ensuring successful Requirements Management.
50. Systems Development Life Cycle (SDLC) (12 min)
This Nugget is the eighth of 14 discussing the knowledge statements for the Information Systems Acquisition, Development and Implementation Knowledge Domain. This Nugget is focused on ensuring that an appropriate SDLC has been selected, based on the type of project, and that the test strategies are developed at the appropriate stages in the life cycle.
51. Control Objectives and Techniques (11 min)
This Nugget is the ninth of 14 discussing the knowledge statements for the Information Systems Acquisition, Development and Implementation Knowledge Domain. This Nugget is focused on ensuring that effective controls are in place during data input, processing and output. This includes edits on inputs, controls on processing and security on output to ensure that only appropriate staff see confidential or secure information.
52. Methodologies (13 min)
This Nugget is the tenth of 14 discussing the knowledge statements for the Information Systems Acquisition, Development and Implementation Knowledge Domain. This Nugget is focused on reviewing the methodologies and the methodology tools and techniques that can be used for developing IT systems. This includes a review of the Project Management methodologies as well as a review of the tools and techniques for application development.
53. Testing (10 min)
This Nugget is the eleventh of 14 discussing the knowledge statements for the Information Systems Acquisition, Development and Implementation Knowledge Domain. This Nugget is focused on testing and reviews the various forms of testing that should be completed on a project: Unit, Integration, System, Quality and Business Acceptance Testing. The Nugget concludes with a review of some testing terms that are likely to be on the CISA exam.
54. Configuration and Change Management (7 min)
This Nugget is the twelfth of 14 discussing the knowledge statements for the Information Systems Acquisition, Development and Implementation Knowledge Domain. This Nugget is focused on Configuration and Change Management and reviews the four key components of this: Check-in, Version Management, Branching and Merging. The Nugget concludes with a review of a Change Management form that can be used to ensure that all changes are approved and properly controlled.
55. System Migration and Deployment (11 min)
This Nugget is the thirteenth of 14 discussing the knowledge statements for the Information Systems Acquisition, Development and Implementation Knowledge Domain. This Nugget addresses deployment activities such as data conversion as well as reviewing the steps an Auditor should take to ensure that the development tools are used properly. The Nugget concludes with a discussion on several Industry Standards specifically relevant to development processes.
56. Post Implementation Reviews (4 min)
This Nugget is the last of 14 discussing the knowledge statements for the Information Systems Acquisition, Development and Implementation Knowledge Domain. This Nugget discusses the Post Implementation review which consists of the validation of the benefits realized, review of lessons learned, harvesting of reusable artifacts and the all-important post project party.
57. Information Systems Operations, Maintenance & Support (6 min)
This Nugget introduces the fourth of the 5 Knowledge Domains, Information Systems Operations, Maintenance & Support. Specifically, it discusses the eleven tasks: systems meet org objectives, service levels defined and managed, 3rd party management practices are adhered to, operations and procedures fully executed, maintenance controlled and supports objectives, database admin ensures integrity and performance, capacity and performance monitoring, problem and incident management, change, configuration and release management, adequate backups and restore provisions, and disaster recovery plan specific to the data center.
58. Service Level Management (8 min)
This Nugget is the first of 19 discussing the knowledge statements for the Information Systems Operations, Maintenance & Support Domain. This Nugget reviews the work defined for Service Level Management. The Nugget begins with a review of some key terms related to Service Level Management and then identifies the key activities for Support and Delivery Services. The Nugget concludes with a discussion on four items central to service levels: exception reports, logs, problem reports and operating schedules.
59. Monitor 3rd Party Compliance (4 min)
This Nugget is the second of 19 discussing the knowledge statements for the Information Systems Operations, Maintenance & Support Domain. This Nugget continues the contract discussions from the previous knowledge domain, but with a focus on Contract Compliance. This Nugget reviews types of contracts, contract ownership and contractual commitments.
60. Managing Schedules (6 min)
This Nugget is the third of 19 discussing the knowledge statements for the Information Systems Operations, Maintenance & Support Domain. This Nugget is focused on ensuring that the operational schedules are effectively executed. The Nugget discusses the importance of ensuring that the right resources are available and that they are trained in the standards and procedures associated with the batch schedules and that they understand the monitoring required to ensure that the schedule is properly executed. The Nugget concludes with a discussion on the actual execution of the batch schedule.
61. Computer Hardware, Software and Networks (23 min)
This Nugget is the fourth of 19 discussing the knowledge statements for the Information Systems Operations, Maintenance & Support Domain. This Nugget provides a high-level review of the hardware, software and network environments that will be encountered during IT audits and reviews the risks that an auditor must be aware of based on the currency of the IT environment. The Nugget explicitly explores the different risks older technology presents compared to the risks that current technology will present.
62. Computer Hardware, Software and Networks (10 min)
This Nugget is the fifth of 19 discussing the knowledge statements for the Information Systems Operations, Maintenance & Support Domain. This Nugget provides a review of the System Interface Integrity. Or to put it more simply, this Nugget reviews the OSI model and examines the risks that are inherent in network topologies, local area networks, internet and WAN approaches.
63. Software Licensing and Inventory Interfaces (3 min)
This Nugget is the sixth of 19 discussing the knowledge statements for the Information Systems Operations, Maintenance & Support Domain. This Nugget reviews the process for ensuring that appropriate management controls are in place in the organization to ensure that all software usage is consistent with the licensing terms and conditions.
64. Database Administration Practices (9 min)
This Nugget is the seventh of 19 discussing the knowledge statements for the Information Systems Operations, Maintenance & Support Domain. This Nugget reviews database administration practices and the importance of a well-documented data architecture, including the data dictionary, data types and auditing for database performance. The Nugget then reviews the two database techniques an auditor will typically encounter, hierarchical and relational, and concludes with some of the key items that a CISA auditor should examine during an audit.
65. Software Resiliency Tools and Techniques (4 min)
This Nugget is the eighth of 19 discussing the knowledge statements for the Information Systems Operations, Maintenance & Support Domain. This Nugget reviews tools such as RAID, redundancy, high availability and alternative sites that can be used to ensure that the IT systems support the business availability requirements.
66. Capacity Planning (4 min)
This Nugget is the ninth of 19 discussing the knowledge statements for the Information Systems Operations, Maintenance & Support Domain. This Nugget reviews the audit considerations for ensuring that there is appropriate capacity planning taking place to ensure that the IT systems are sized for current and planned business volumes and that the capacity plan is tied closely to the business plan.
67. Performance Monitoring (3 min)
This Nugget is the tenth of 19 discussing the knowledge statements for the Information Systems Operations, Maintenance & Support Domain. This Nugget reviews the importance of performance monitoring to ensure that the IT systems are delivering to the business expectations. The Nugget specifically reviews the importance of reviewing the SLA reports to ensure that they are accurately produced and that remediation steps are performed whenever performance is below expectations.
68. Problem and Incident Management (5 min)
This Nugget is the eleventh of 19 discussing the knowledge statements for the Information Systems Operations, Maintenance & Support Domain. This Nugget begins with a definition of incident and problem as these are terms often misused. The Nugget then goes on to discuss the help desk processes which should be followed for identifying, logging and resolving all incidents and concludes with a discussion of the Fishbone technique, which is a very common problem solving technique.
69. Managing Change to Production Environments (4 min)
This Nugget is the twelfth of 19 discussing the knowledge statements for the Information Systems Operations, Maintenance & Support Domain. This Nugget reviews the processes to be followed to ensure that changes to production environments are properly tested and that appropriate change management procedures are in place to ensure the changes are applied properly.
70. Data Backup (5 min)
This Nugget is the thirteenth of 19 discussing the knowledge statements for the Information Systems Operations, Maintenance & Support Domain. This Nugget reviews the steps required to ensure that all production data is properly backed up and recoverable in the case of a data failure.
71. Disaster Recovery – Legal and Contractual Issues (7 min)
This Nugget is the fourteenth of 19 discussing the knowledge statements for the Information Systems Operations, Maintenance & Support Domain. This Nugget reviews the different contractual issues that will be encountered for different DR strategies. It then reviews a list of generic contractual issues that should be considered for all DR contracts.
72. Business Impact of Disaster Recovery (2 min)
This Nugget is the fifteenth of 19 discussing the knowledge statements for the Information Systems Operations, Maintenance & Support Domain. This Nugget reviews the importance of having the DR plan aligned with the Business Impact Analysis along the lines of: recovery objectives, time to recovery, cost, critical systems, risk management and management support.
73. Disaster Recovery Plan Maintenance (5 min)
This Nugget is the sixteenth of 19 discussing the knowledge statements for the Information Systems Operations, Maintenance & Support Domain. This Nugget reviews the importance of regular maintenance to ensure that the DR plan properly supports the changing business requirements to ensure it reflects the business criticality, costs, time for recovery and security requirements.
74. Alternate Processing Sites (9 min)
This Nugget is the seventeenth of 19 discussing the knowledge statements for the Information Systems Operations, Maintenance & Support Domain. This Nugget reviews the pros and cons of using a cold site, mobile site, warm site, reciprocal agreement, hot site or mirrored site for Disaster Recovery.
75. Invoking Disaster Recovery (6 min)
This Nugget is the eighteenth of 19 discussing the knowledge statements for the Information Systems Operations, Maintenance & Support Domain. This Nugget discusses the importance of following the DR plan prior to declaring a disaster to ensure the plan is being properly followed. The Nugget also reviews the various reasons for invoking DR including natural disaster, health and safety, pandemic and damage to brand/reputation.
76. Disaster Recovery Testing (4 min)
This Nugget is the last of 19 discussing the knowledge statements for the Information Systems Operations, Maintenance & Support Domain. This Nugget discusses the importance of executing the DR test as no level of desk checking will be capable of identifying all the issues that require correction prior to having to actually invoke the DR plan for real.
77. Protection of Information Assets (8 min)
This Nugget introduces the final Knowledge Domain, Protection of Information Assets. Specifically it discusses the 5 tasks: information security policies, security controls, data classification, physical assets and environmental controls, and data storage.
78. Security Controls (5 min)
This Nugget is the first of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget provides a high level overview of this domain and reviews the security controls that should be in place to protect the organization’s digital assets. Specifically, the Nugget reviews the controls required to ensure the integrity of the data, which is based on ensuring proper policies are in place and that all data is properly classified.
79. Security Incidents (3 min)
This Nugget is the second of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget reviews the processes that should be followed when a security incident takes place. The first step is ensuring that an effective management structure is in place to ensure that everyone knows what is expected of them. The Nugget then reviews the steps to resolve the incident in a timely manner and minimize impact and concludes with a discussion of the post incident review.
80. Logical Access Controls (4 min)
This Nugget is the third of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget reviews the processes and procedures that ensure everyone has the access needed to do their jobs. Specifically the Nugget reviews that access needs to be managed at both the system and the application levels.
81. Identification and Authentication (3 min)
This Nugget is the fourth of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget is focused on identifying each user using an access control process that is consistent with the organization’s information security requirements. The Nugget reviews the pros and cons of single sign-on versus individual application sign-on and concludes with a discussion on password maintenance.
82. Virtual Systems (5 min)
This Nugget is the fifth of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget reviews specific attributes of virtual systems that must be reviewed as part of a CISA audit. The Nugget also provides a high level review of the pros and cons of VMs to aid in the audit.
83. Network Security Concerns (4 min)
This Nugget is the sixth of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget provides a high level overview of audit concerns related to networks; specifically the robustness of the firewalls and the use of Intrusion Detection and Intrusion Prevention Systems. With the reliance on networks, it is important that an auditor have an appreciation for these systems.
84. Internet Security, Protocols and Techniques (9 min)
This Nugget is the seventh of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget focuses primarily on a high level description of Encryption and the importance of the existence of public/private keys as well as the key length to ensure that the encrypted messages cannot be hacked. Next, the Nugget does a review of the protocols and techniques used for
85. Cyber Attacks (7 min)
This Nugget is the eighth of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget discusses the different forms of cyber-attacks that can be launched against an organization. First the Nugget reviews the source of these attacks and discusses that the internal attack, by an employee or ex-employee, is the most prevalent form of attack and the one that must be carefully guarded against. Next the Nugget reviews the types of attacks that the organization must be prepared to prevent. The Nugget concludes with a discussion on the types of losses such as theft, denial of service and loss of reputation.
86. Detection Tools (4 min)
This Nugget is the ninth of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget is focused on the tools needed to protect the organization from viruses. Most specifically, it covers the importance of having good virus protection and layered protection, so that if the first layer is compromised, another layer is ready to protect the organization. The Nugget also discusses a tool called a ‘Honey Pot’, which is an unprotected device intended to lure attackers away from the main organizational systems.
87. Security Testing Techniques (6 min)
This Nugget is the tenth of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget covers ensuring that the appropriate testing has taken place to confirm that the organization’s perimeter defenses are strong enough to repel a hacker attack and that the procedures are in place to effectively respond to an attack when it takes place.
88. Data Leakage (4 min)
This Nugget is the eleventh of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget discusses data leakage, or the accidental disclosure of important organizational details through such things as job postings, technical boards, corporate websites and social media.
89. Data Encryption (3 min)
This Nugget is the twelfth of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget reviews the key principles of data encryption: algorithm strengths, elimination of back doors, preventing known text breakage and ensuring that known knowledge can’t be used to break the organization’s encryption.
90. Public Key Infrastructure (5 min)
This Nugget is the thirteenth of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget provides a high level overview of PKI and discusses the digital certificate, certificate authority and registration authority. It concludes with a discussion of the importance of ensuring that certificates have expiry dates to ensure that the trusted relationships are reestablished to maintain the confidence in the encryption process.
91. Peer to Peer Computing (5 min)
This Nugget is the fourteenth of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget reviews the risks of peer to peer computing such as social media, message boards, blogs and instant messaging, all of which, if not properly managed, provide ways to circumvent the well protected corporate infrastructure. The Nugget concludes with a review of the risks of allowing corporate PCs to connect to home networks and/or allowing employee owned devices to connect to corporate networks.
92. Mobile Devices (3 min)
This Nugget is the fifteenth of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget reviews the risks that mobile devices introduce to the corporate environment. Specifically, it discusses the risks from theft of data and the need to have data protection in place, such as disk encryption.
93. Voice Communication (5 min)
This Nugget is the sixteenth of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget focuses on digital voice communication using Voice Over IP or Digital PBXs and reviews the issues with digital voice communication. These issues include encryption, availability, system impacts, software upgrades, and wire tapping.
94. Handling of Evidence (5 min)
This Nugget is the seventeenth of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget reviews the processes that should be followed when handling either audit or criminal activity evidence. Key to handling evidence is to preserve and protect the evidence to ensure that it is permissible first hand evidence and that it has not been tampered with. The four steps, identify, preserve, analyze and present, are also reviewed.
95. Data Classification Standards (4 min)
This Nugget is the eighteenth of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget discusses the three steps for data classification, discovery, inventory and risk assessment, and in particular reviews the importance of the risk assessment as part of the classification process; i.e. what is the risk if this piece of data is lost or stolen.
96. Physical Access Controls (5 min)
This Nugget is the nineteenth of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget discusses the importance of ensuring that adequate physical access controls are in place for all components of the IT infrastructure, consistent with the risks of inappropriate access and damage. The Nugget discusses the importance of access controls for not just the data center, but also the wiring cabinets, operations areas, power cabinets and tape libraries.
97. Environmental Protection (6 min)
This Nugget is the twentieth of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget discusses the various environmental protections that should be in place to ensure a safe computing environment. This includes: power protection, physical attacks, water detection, fire alarms and fire suppression.
98. Handling Confidential Data (6 min)
This Nugget is the last of 21 discussing the knowledge statements for the Protection of Information Assets Domain. This Nugget reviews the steps to ensuring that confidential data is managed properly during storage, retrieval, transport and disposal.