CISA Cheat Sheet
The Certified Information Systems Auditor (CISA) is a world-renowned certification that certifies that you have expertise in IT/IS auditing, security, and control. With over 151,000 CISA certification holders, it’s also one of the most popular certifications in the world of IT. Since you’re reading this cheat sheet, it’s highly likely you already know this. The following content includes some of the basic concepts found in the CISA. To learn even more, we can help you with our CISA training.
The best control is having the production control group copy the source program to the production libraries and then compile the program.
Decision support is enhanced by using a data warehouse and data marts.
The primary objective of value delivery is to optimize security investments in support of business objectives.
The strongest method for disposing of magnetic media = Destroying
Data warehousing includes data cleaning, data integration and data consolidations.
When creating a contract with a cloud service provider, the best practice is to remove the customer lock-in clause. It could also be important for the client to secure the portability of their system assets, which is the right to transfer from one vendor to a new one.
Fault = short-term loss of power
Spike = short-term high voltage
Sag = short-term low voltage
Brownout = long-term low voltage
Surge = long-term high voltage
Blackout = long-term loss of power
The hardest challenge of performing a quantitative risk analysis is obtaining accurate figures on the frequency of specific threats.
IDS can’t detect attacks within encrypted traffic. It’s a concern if someone were misinformed and assumed that the IDS could detect attacks in encrypted traffic.
A standard creates mandatory rules, specifications and metrics that measure compliance against quality, value and other measurements. Standards are typically made for compliance purposes and to deliver assurance to others who interact with a process, or outputs of a process.
The board of directors and executive officers are responsible for the functionality, reliability and security within IT governance.
A web application attack that enables unauthorized access to a database = SQL injection (SQLi).
Regression testing is used to ensure that changes made have not introduced new errors.
The primary objective of capacity monitoring is to confirm compliance with the internal SLA between the business and IT. It also helps you arrive at an expected future capacity based on usage patterns, and it supports initiating procurement based on current usage and expected future capacity.
Cryptographic hash is the main defense against alteration attacks.
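As an added example (not part of the original cheat sheet), the following Python shows how a cryptographic hash detects alteration: a digest is recorded when a record is approved, and any later change to the record produces a different digest. It also goes one step beyond the line above with a keyed variant (HMAC), for the case where the stored digest itself could be rewritten by whoever alters the record. The sample record and the key are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample record (not from the page): a payroll line as it was approved.
ORIGINAL_RECORD = b"emp_id=1042;name=J. Smith;amount=4250.00;account=99887766"

# Hypothetical secret known only to the integrity checker (assumption for this example).
INTEGRITY_KEY = b"example-key-replace-in-production"


def digest(data: bytes) -> str:
    """SHA-256 digest of a record, stored at approval time as the reference value."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(record: bytes, reference: str) -> bool:
    """Recompute the digest and compare it with the stored reference (constant-time compare)."""
    return hmac.compare_digest(digest(record), reference)


def tag(data: bytes, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed variant (HMAC-SHA256): someone who can alter both the record and its stored
    hash still cannot produce a valid tag without the key."""
    return hmac.new(key, data, "sha256").hexdigest()


def verify_tag(record: bytes, reference: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the HMAC tag and compare it with the stored reference."""
    return hmac.compare_digest(tag(record, key), reference)


def demo() -> dict:
    """Show that a one-digit change to the amount is caught by both checks."""
    reference_hash = digest(ORIGINAL_RECORD)
    reference_tag = tag(ORIGINAL_RECORD)
    tampered = ORIGINAL_RECORD.replace(b"4250.00", b"4350.00")
    return {
        "hash_unchanged": verify_digest(ORIGINAL_RECORD, reference_hash),
        "hash_tampered": verify_digest(tampered, reference_hash),
        "tag_unchanged": verify_tag(ORIGINAL_RECORD, reference_tag),
        "tag_tampered": verify_tag(tampered, reference_tag),
    }


if __name__ == "__main__":
    print(demo())
```

A plain hash only protects integrity if the reference digest is stored somewhere the record's editor cannot reach (a separate log, a signed manifest); when hash and data travel together, the keyed form is the one to use.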
Variable sampling is the preferred sampling technique to review an organization’s balance sheet for material transactions. It is sometimes known as dollar estimation.
Integrity of data = information is altered only in a specified and authorized manner.
Control self-assessment (CSA) highlights noncompliance with the current policy.
Batch control reconciliation is a compensating control for lessening the risk of inadequate segregation of duties.
RFID: Any RFID signal you can read can be replicated. This results in privacy issues.
Concurrency control manages simultaneous access to a database. It prevents two users from editing the same record concurrently, and it also serializes transactions for backup and recovery.
The first criterion is to ensure that there are clear procedures and that security meets the applicable standards and lives up to the pre-determined policy.
The information security manager is accountable for creating a security strategy based on business objectives with the assistance of business process owners.
Load balancing makes sure there is uninterrupted system availability by distributing traffic across multiple servers. Load balancing also ensures that there is a consistent response time for web applications.
The IS Auditor's main responsibility during the plan’s test is to act as an observer to ensure timely business processing. The IS Auditor's findings should be documented and analyzed with appropriate recommendations given to management. The effectiveness of employees will be determined by their existing knowledge and capabilities.
Reviewing the access control configuration is the first task performed to find out whether security has been properly mapped in the system (during a post-implementation review).
Investment portfolio analysis supports the prioritization of new IT projects.
Information security is a technical issue as well as a business and governance challenge that includes risk management, reporting and accountability. Successful security requires the active engagement of executive management.
The warm site is satisfactory to the business when the downtime is acceptable without breaching any legal requirements. Using a warm site is not about making a profit.
The key function of QoS is to optimize network performance by giving priority to business applications and end-users through the allocation of dedicated parts of the bandwidth to specific traffic.
One feature of referential integrity checking is that when a record is deleted, all records that reference it are automatically deleted as well (a cascading delete).
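The cascading delete described above, as an added example that is not part of the original cheat sheet. It uses Python's built-in sqlite3 module with a constructed customers/orders schema, and contrasts three cases: a cascading foreign key, a restricting one, and a database where foreign keys are not enforced at all (SQLite leaves them off unless the PRAGMA is set). The last function is the kind of orphan-row query an auditor would run to confirm that referential integrity actually holds.

```python
import sqlite3


def build_db(on_delete: str, enforce: bool = True) -> sqlite3.Connection:
    """Create an in-memory customers/orders schema (constructed example data).
    on_delete is the referential action for orders.customer_id; enforce toggles
    SQLite's foreign-key checking, which is off by default on a new connection."""
    assert on_delete in ("CASCADE", "RESTRICT")  # only whitelisted SQL is interpolated
    conn = sqlite3.connect(":memory:")
    conn.execute(f"PRAGMA foreign_keys = {'ON' if enforce else 'OFF'}")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute(
        "CREATE TABLE orders ("
        " id INTEGER PRIMARY KEY,"
        f" customer_id INTEGER NOT NULL REFERENCES customers(id) ON DELETE {on_delete},"
        " total REAL NOT NULL)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?)", [(1, "Acme"), (2, "Globex")])
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(10, 1, 99.0), (11, 1, 12.5), (12, 2, 40.0)])
    conn.commit()
    return conn


def orphan_count(conn: sqlite3.Connection) -> int:
    """Audit query: orders whose customer no longer exists."""
    return conn.execute(
        "SELECT COUNT(*) FROM orders o LEFT JOIN customers c ON c.id = o.customer_id "
        "WHERE c.id IS NULL").fetchone()[0]


def delete_customer(conn: sqlite3.Connection, customer_id: int) -> tuple:
    """Delete a parent row and report (deleted, child rows still referencing it, orphans)."""
    try:
        with conn:  # commits on success, rolls back if the delete is rejected
            conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
        deleted = True
    except sqlite3.IntegrityError:  # RESTRICT: "FOREIGN KEY constraint failed"
        deleted = False
    remaining = conn.execute(
        "SELECT COUNT(*) FROM orders WHERE customer_id = ?", (customer_id,)).fetchone()[0]
    return deleted, remaining, orphan_count(conn)


def demo() -> dict:
    """Three outcomes for deleting customer 1, who has two orders."""
    return {
        "cascade": delete_customer(build_db("CASCADE"), 1),                   # (True, 0, 0)
        "restrict": delete_customer(build_db("RESTRICT"), 1),                 # (False, 2, 0)
        "unenforced": delete_customer(build_db("CASCADE", enforce=False), 1),  # (True, 2, 2)
    }


if __name__ == "__main__":
    print(demo())
```

The unenforced case is the one worth remembering: the schema declares a cascade, yet with checking switched off the delete leaves two orphaned orders behind, which is exactly what the orphan query surfaces.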
RFID risks = business process risk + business intelligence risk + privacy risk + externality risk
Re-engineering = reusing design and program components
Real-time application system is the transaction log.
RACI chart = responsibility assignment matrix
Information systems security policies are used as the outline for creating logical access controls.
One solution to remove data remanence is a degausser.
Proactive management is anticipating problems in advance and preparing for them with solutions and delivering automation plans for the help desk.
An audit program is a step-by-step set of audit procedures and instructions that should be followed to perform an audit.
Cloud bursting is an application deployment model where an application runs in a private cloud or data center and goes into a public cloud when the demand for computing capacity increases. Cloud bursting is used for load balancing between clouds.
The order of biometric devices from best response time and lowest EER is palm, hand, iris, retina, fingerprint and voice. (PH-I-RF-V)
If you want to detect lost transactions, automated systems balancing can be used.
Relative humidity (RH) is the amount of moisture in the air at a given temperature relative to the maximum amount of moisture the air can hold at the same temperature. In a data center or computer room, maintaining ambient relative humidity levels between 45% and 55% is suggested for optimal performance and reliability.
It is a commonly set standard in the IT industry that expensive IT equipment should not be operated in a computer room or data center where the ambient room temperature has exceeded 85°F (30°C).
The following are information gathering techniques: brainstorming, Delphi technique, interviewing and root cause analysis.
Quality assurance is another root-cause analysis process. A fishbone (Ishikawa) diagram shows how various factors are linked to potential problems or effects, and it is usually referred to as “root cause” analysis.
If the network is slow, use a protocol analyzer to perform network analysis and review the error logs of local area network (LAN) equipment.
A threat is not the same as a vulnerability. A vulnerability, such as a weak password, is exploited by a threat, such as a dishonest employee, to commit fraud leading to financial losses.
Substantive testing finds audit evidence on the completeness, accuracy or existence of activities or transactions from the audit period.
Batch controls: total monetary amount, total items, total documents, hash totals
The matrix organizational structure combines functional and product departmentalization, creates a dual reporting structure and is optimal where product groups are essential.
Corporate governance contains a set of policies and internal controls that help organizations, regardless of size or form, with direction and management. Information security governance is a subgroup of an organization’s overall governance program. Risk management, reporting and accountability are central features of these policies and internal controls.
Prototyping is the process of rapidly creating a working model (a prototype) to test numerous aspects of a design, illustrate ideas or features and gather early user feedback.
An unsuccessful logon is monitored by the security administrator.
Most project risk can usually be identified before a project begins, allowing mitigation/avoidance plans to be implemented to handle this risk.
ATM is asynchronous. Time slots are obtainable on-demand with information identifying the source of the transmission covered in the header of each ATM cell.
A hash total is a verification that the total in a batch corresponds with the total calculated by the system.
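The following Python is an added example, not part of the original cheat sheet, that ties together automated systems balancing, the four batch controls and the hash total. It computes the totals a control group would record before input, then reconciles them against what the system actually processed. The documents and account numbers are constructed sample data. Two failure cases are shown: a lost transaction, which every total catches, and a mis-keyed account number, which leaves counts and money untouched and is caught only by the hash total.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Document:
    """One source document in a batch (constructed example data, not from the page)."""
    doc_no: int
    account: int      # non-financial field used for the hash total
    items: tuple      # line-item amounts on the document


@dataclass(frozen=True)
class BatchTotals:
    total_documents: int
    total_items: int
    total_amount: Decimal
    hash_total: int   # sum of account numbers: meaningless as a value, useful as a check


def compute_totals(docs) -> BatchTotals:
    """Compute the four batch control totals over a list of documents."""
    return BatchTotals(
        total_documents=len(docs),
        total_items=sum(len(d.items) for d in docs),
        total_amount=sum((a for d in docs for a in d.items), Decimal("0")),
        hash_total=sum(d.account for d in docs),
    )


def reconcile(control: BatchTotals, system: BatchTotals) -> list:
    """Return the names of the totals that disagree; an empty list means the batch balances."""
    fields = ("total_documents", "total_items", "total_amount", "hash_total")
    return [f for f in fields if getattr(control, f) != getattr(system, f)]


# The batch as prepared by the control group before input (constructed).
SUBMITTED = [
    Document(1, 10234, (Decimal("100.00"), Decimal("50.00"))),
    Document(2, 20571, (Decimal("75.25"),)),
    Document(3, 30999, (Decimal("10.00"), Decimal("20.00"), Decimal("30.00"))),
]


def demo() -> dict:
    control = compute_totals(SUBMITTED)
    # Case 1: the system lost the last document during processing.
    lost = reconcile(control, compute_totals(SUBMITTED[:2]))
    # Case 2: counts and money agree, but an account number was mis-keyed (10234 -> 10243);
    # only the hash total exposes it.
    miskeyed = [Document(1, 10243, SUBMITTED[0].items)] + SUBMITTED[1:]
    keyed = reconcile(control, compute_totals(miskeyed))
    return {"control": control, "lost_transaction": lost, "miskeyed_account": keyed}


if __name__ == "__main__":
    print(demo())
```

Decimal is used for the monetary total so that reconciliation compares exact values rather than floating-point approximations.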
The IS auditor has a responsibility to the project sponsor and the organization to counsel on appropriate project management practices. Waiting for the possible appointment of a risk manager represents a needless and risky delay in implementing risk management.
Race conditions happen due to interference from the following conditions: sequence (non-atomic) operations, deadlock, livelock or locking failure.
Before implementing new technology, an organization should perform a risk assessment that is then presented to business unit management for review and acceptance.
Configuration management deals with all IT components, including software. Project management relates to scheduling, resource management and progress tracking of software development. Problem management records and oversees incidents. Risk management includes risk identification, impact analysis, an action plan, etc.
A penetration test is usually the only security assessment that can link vulnerabilities together by exploiting them sequentially.
What is the difference between the false acceptance rate and the false rejection rate?
False acceptance: an unauthorized user is permitted access (FAR = unauthorized, permitted).
False rejection: an authorized person is denied access (FRR = authorized, denied).
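An added example (not from the original cheat sheet) that makes the FAR/FRR distinction concrete, and also covers the EER mentioned earlier in the list of biometric devices. It takes constructed match scores for genuine (authorized) and impostor (unauthorized) attempts, computes both rates at a given decision threshold, and sweeps thresholds to find the crossover point where the two rates are equal. The scores are made up for illustration; real values come from a device's enrollment and test data.

```python
from typing import Sequence

# Constructed similarity scores in [0, 1]; higher means the probe looks more like the
# enrolled template. Not real device data.
GENUINE = [0.92, 0.88, 0.81, 0.79, 0.75, 0.70, 0.66, 0.61, 0.58, 0.52]   # authorized users
IMPOSTOR = [0.64, 0.60, 0.55, 0.50, 0.47, 0.42, 0.38, 0.33, 0.29, 0.21]  # unauthorized users


def accept(score: float, threshold: float) -> bool:
    """Decision rule: grant access when the match score reaches the threshold."""
    return score >= threshold


def far(impostor: Sequence[float], threshold: float) -> float:
    """False acceptance rate: share of unauthorized attempts that are (wrongly) accepted."""
    return sum(accept(s, threshold) for s in impostor) / len(impostor)


def frr(genuine: Sequence[float], threshold: float) -> float:
    """False rejection rate: share of authorized attempts that are (wrongly) rejected."""
    return sum(not accept(s, threshold) for s in genuine) / len(genuine)


def equal_error_rate(genuine: Sequence[float], impostor: Sequence[float]) -> tuple:
    """Sweep every observed score as a candidate threshold and return (threshold, EER),
    the point where FAR and FRR are closest to each other."""
    candidates = sorted(set(genuine) | set(impostor))
    best = min(candidates, key=lambda t: abs(far(impostor, t) - frr(genuine, t)))
    return best, (far(impostor, best) + frr(genuine, best)) / 2


def tradeoff(genuine: Sequence[float], impostor: Sequence[float], thresholds) -> list:
    """Table of (threshold, FAR, FRR): raising the threshold lowers FAR and raises FRR."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


if __name__ == "__main__":
    for row in tradeoff(GENUINE, IMPOSTOR, (0.52, 0.58, 0.60, 0.64)):
        print("threshold=%.2f FAR=%.1f FRR=%.1f" % row)
    print("EER at threshold %.2f: %.2f" % equal_error_rate(GENUINE, IMPOSTOR))
```

For a security-critical door, FAR is the rate to drive down (an impostor let in), at the cost of more legitimate users being asked to retry; EER is simply the single number vendors quote to compare devices.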
IaaS: A company is attempting to reduce its server environment footprint, so the in-house application servers are moved to another location that is hosted by a third party. The application software and application servers are therefore moved to and supported by another company, which is IaaS.
Having access to the database might provide access to database utilities, which can update the database without an audit trail and without using the application. Using SQL will only provide read access to information.
VPN = data confidentiality
An audit charter should state management’s goals for and delegation of authority to IS auditors.
Provisioning access to data on a need-to-know basis ensures data confidentiality.
Face-to-face communication is an example of an informal method of monitoring and controlling a system development life cycle project, since it is difficult to document the communication all the time. Evidence is difficult to obtain with informal methods.
A log may be maintained in an automated or manual form, where activities are logged with a sequential control number for tracking purposes.
Escrow: The client is permitted the benefit of only using the software and not owning it, unless they pay a higher price. Escrow can provide some protection if the vendor goes out of business, but it can’t prevent software from being discontinued.
4GL enables screen-authoring and report-writing utilities that automate database access. 4GL tools do not create the business logic needed for data transformation.
A flowchart is used to document internal program logic.
A feasibility study should be the foundation for management’s decision to buy available software or build a custom software application.
Recovery managers should be rotated to guarantee that experience with the disaster recovery plan (DRP) is spread among the managers.
An entity-relationship diagram (ERD) can help express the database schema.
Function point analysis is used for work estimation during the feasibility study.
Parallel migration increases support requirements, yet lowers the overall risk. The old and new systems are run at the same time to verify integrity while building user familiarity with the new system.
Phased changeover. In larger systems, changing to the new system in little steps or phases may be possible. This may take a long time. The concept is best fitting to either an upgrade of an existing system or a conversion of one department at a time. The phased approach forms a support burden comparable to that of parallel operation. A well-managed phased changeover presents a reasonable level of risk.
Data-oriented databases (DODBs) are planned for predictable data that has a consistent structure and a known or fixed length. Object-oriented databases (OODBs) are for data that includes a variety of possible data formats.
Hard changeover. In some environments, creating an abrupt change to the new system might be necessary. This is called a hard changeover, which is a full change happening at a particular cutoff date and time. The goal is to force the migration of all the users at once. A hard changeover can be used after a successful parallel operation or in times of emergency.
Checklists are an example of an official method of communication between the affected parties. A checklist shows guidelines for reviewing functions and activities for assurance and evaluative purposes. Checklists can detect whether activities were performed according to plans, policies and procedures.
The agile method places more reliance on the undocumented knowledge found in a person’s head. Agile is the exact opposite of capturing knowledge through project documentation.
In the SDLC, there is an approval by management to go to the next phase or kill the project. The review at the end of every SDLC phase is for preventing the project from proceeding unless it receives management’s approval.
The ACID principle of database transaction refers to atomicity (all or nothing), consistency, isolation (transactions operate independently), and durability (data is maintained).
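As an added example (not part of the original cheat sheet), the Python below shows atomicity and consistency in action using the built-in sqlite3 module and a constructed two-account ledger. A transfer is written as one transaction that credits the destination first and debits the source second; when the debit would drive the source balance negative, a CHECK constraint rejects it and the whole transaction, including the credit already applied, is rolled back. Isolation and durability are properties of the engine rather than of this code, so they are not demonstrated here.

```python
import sqlite3


def open_ledger() -> sqlite3.Connection:
    """In-memory ledger with two constructed accounts and an invariant: no negative balance."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        " id TEXT PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"  # consistency rule
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("A", 100), ("B", 50)])
    conn.commit()
    return conn


def transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Move `amount` from src to dst as one transaction: both updates commit or neither does."""
    try:
        with conn:  # sqlite3: COMMIT on normal exit, ROLLBACK if an exception escapes
            # Credit first on purpose: if the debit fails, the credit must disappear too.
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:  # CHECK constraint failed -> transaction rolled back
        return False


def balances(conn: sqlite3.Connection) -> dict:
    """Current balances keyed by account id."""
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def demo() -> tuple:
    conn = open_ledger()
    ok = transfer(conn, "A", "B", 30)        # A=70, B=80
    failed = transfer(conn, "A", "B", 500)   # B would be 580, then A's CHECK fails: rollback
    return ok, failed, balances(conn)        # (True, False, {"A": 70, "B": 80})


if __name__ == "__main__":
    print(demo())
```

Without the transaction wrapper, the failed transfer would have left B credited with 500 that was never debited from A, which is exactly the "partial update" that atomicity rules out.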
Major activities in software quality assurance involve project management, software verification and validation, software configuration management and software quality assurance. These activities become a baseline and any subsequent changes require management approvals. Proposed changes are compared to the baseline, which is the average.
Opportunity costs are costs given up in favor of another. When a software package's implementation is behind, inherent costs of other projects being delayed during its implementation is an example of opportunity cost. The time lost due to belated implementation of a current project could have been applied to creating a new project. Opportunity costs are hard to quantify exactly, but they can be one of many important factors in software selection.
Maintenance costs are the costs to revise and change the software to match fluctuating organizational needs. The maintenance costs of a system will change widely, depending upon such factors as the application type, the system’s complexity, and the need for periodic updates.
If the database is not normalized, the IS auditor should review the justification because, in some situations, denormalization is suggested for performance reasons. The IS auditor should not recommend normalizing the database until further investigation takes place. Reviewing the conceptual data model or the stored procedures will not provide information about normalization.
Spoofing is a type of impersonation in which one computer attempts to take on the identity of another computer. When such an attack originates from the external network, it uses an internal network address as its source. The attacker is probably trying to bypass firewalls and other network security controls by impersonating (or spoofing) the payroll server's internal network address.
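The detection side of the scenario above, as an added example that is not part of the original cheat sheet: a packet that arrives on the Internet-facing interface while claiming an internal source address cannot be legitimate, so the check is simply "external interface and internal source". The interface names, the internal ranges, the payroll server's address and the firewall log lines are all constructed for this example; the log format is a generic key=value style, not any particular product's.

```python
import ipaddress

# Assumptions for this example: eth0 faces the Internet, eth1 is the LAN side,
# and these are the organization's internal address ranges.
EXTERNAL_IFACES = {"eth0"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed firewall log lines (not real data). Lines 2 and 4 carry internal source
# addresses yet arrived on the external interface; line 3 is the same address seen
# on the LAN side, which is normal.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z in=eth0 src=203.0.113.5 dst=10.20.30.40 proto=tcp dpt=443
2024-05-01T08:00:02Z in=eth0 src=10.20.30.40 dst=10.20.30.41 proto=tcp dpt=445
2024-05-01T08:00:03Z in=eth1 src=10.20.30.40 dst=10.20.30.41 proto=tcp dpt=445
2024-05-01T08:00:04Z in=eth0 src=192.168.1.9 dst=10.20.30.40 proto=udp dpt=53
"""


def parse_line(line: str) -> dict:
    """Turn 'timestamp key=value ...' into a dict; the timestamp is stored under 'ts'."""
    ts, *pairs = line.split()
    entry = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        entry[key] = value
    return entry


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_spoofed(log_text: str) -> list:
    """Entries whose source claims an internal address but entered on an external interface."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry.get("in") in EXTERNAL_IFACES and is_internal(entry["src"]):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_spoofed(SAMPLE_LOG):
        print("spoofed source %(src)s on %(in)s at %(ts)s" % hit)
```

The same rule, applied as a drop filter on the border router rather than as a log search, is ingress filtering (RFC 2827 / BCP 38); the log version is what you run to find out whether the filter is missing or being bypassed.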
A DoS attack is designed to limit the availability of a resource and is characterized by a high number of requests that require a response from the resource (usually a web site). The target uses so many resources responding to the attack requests that legitimate requests are not examined.
An application-layer gateway, or proxy firewall, and stateful inspection firewalls deliver the greatest degree of protection and control, since both firewall technologies inspect all seven OSI layers of network traffic.
Control objectives are created to attain acceptable levels of risk. The extent that each objective is achieved is a good measure of the effectiveness of the strategy.
Attribute sampling is the main sampling method used for compliance testing.
Social engineering includes impersonation through a telephone call, dumpster diving and shoulder surfing.
Downtime reports: Manage the availability of telecommunication lines and circuits. Interruptions due to power/line failure, traffic overload, operator error or other anomalous conditions are classified in a downtime report.
The first step in executing information security governance is to outline the security strategy based on which security baselines are determined.
Risk formed by a reciprocal agreement for disaster recovery can result in hardware and software incompatibility.
The Service Delivery Objective (SDO) is the level of service to be reached during the alternate process mode until the normal situation is reestablished. This is directly related to the business needs, which is the minimum acceptable operational capability.
Assigning accountability to individuals will most likely ensure that duties are properly carried out.
An Uninterruptible Power Supply (UPS) system is a backup power system that uses batteries to provide short-term power during power losses, such as when a blackout or a brownout is detected. Power conditioner devices help in keeping the electrical service constant by monitoring and regulating the power in the building. These devices can activate backup power supplies.
Surge protectors are passive devices that protect electrical components from spikes in the power line. Surge protectors typically utilize Metal Oxide Varistors (MOVs) to shunt the voltage spike to the ground.
Background checks of prospective employees help prevent attacks from originating within an organization.
There are two modes for biometric recognition: verification and identification. In verification, an identity is claimed and the comparison process is limited to checking the reference corresponding to this identity. In identification, no claim of identity is needed, and the system searches its reference database to look for a stored reference that matches the biometric characteristics recorded.
A generator is used when a continuous power supply is necessary for power loss situations and is activated when a loss in power is detected. It does not protect electrical components from spikes in the power line.
IT assets inventory is the essential input for the business continuity/disaster recovery plan, and the plan must be updated to reflect changes in the IT infrastructure. The other choices are processes required to update the disaster recovery plan after having updated the required assets inventory.
Outsourcing of various information security activities could cut costs and increase resources for other security activities in a proactive manner, and so can automation of certain security procedures.
The role of an IT steering committee is to certify that the IS department is in compliance with the organization's mission and objectives.
Change control board (CCB) is a management review to ensure awareness and management control of changes in the IT environment.
Abrupt changeover – Stop the current system abruptly to shift over to a new one.
Phased changeover – Both are run, but the output of both systems is used, as the functions performed are different.
Parallel changeover – Both systems are run concurrently for a period of time.
Emissions can be detected by hi-tech equipment and displayed, thereby giving unauthorized persons access to data. They should not cause disruption of CPUs or add to noise pollution.
Start your 30-day free trial with InfoSecAcademy.io and begin your CISA Training today!
We hope you found this short CISA cheat sheet helpful. With an average annual income of $110,000, CISA holders are well-compensated for earning the CISA certification. It’s an excellent way of proving you’re skilled in IT/IS auditing, security, and control. Connect with our experts to learn even more about the CISA.