CISA Study Notes


Domain 1—The Process of Auditing Information Systems (21%)

1. Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.
2. Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
3. Conduct audits in accordance with IS audit standards to achieve planned audit objectives.
4. Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to promote change when necessary.
5. Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely manner.

Domain 2—Governance and Management of IT (16%)

1. Evaluate the IT strategy, including IT direction, and the processes for the strategy’s development, approval, implementation and maintenance for alignment with the organization’s strategies and objectives.
2. Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization’s strategies and objectives.
3. Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization’s strategies and objectives.
4. Evaluate the organization’s IT policies, standards and procedures, and the processes for their development, approval, release/publishing, implementation and maintenance to determine whether they support the IT strategy and comply with regulatory and legal requirements.
5. Evaluate IT resource management, including investment, prioritization, allocation and use, for alignment with the organization’s strategies and objectives.
6. Evaluate IT portfolio management, including investment, prioritization and allocation, for alignment with the organization’s strategies and objectives.
7. Evaluate risk management practices to determine whether the organization’s IT-related risk is identified, assessed, monitored, reported and managed.
8. Evaluate IT management and monitoring of controls (e.g., continuous monitoring, quality assurance [QA]) for compliance with the organization’s policies, standards and procedures.
9. Evaluate monitoring and reporting of IT key performance indicators (KPIs) to determine whether management receives sufficient and timely information.
10. Evaluate the organization’s business continuity plan (BCP), including alignment of the IT disaster recovery plan (DRP) with the BCP, to determine the organization’s ability to continue essential business operations during the period of an IT disruption.

Domain 3—Information Systems Acquisition, Development and Implementation (18%)

1. Evaluate the business case for the proposed investments in information systems acquisition, development, maintenance and subsequent retirement to determine whether the business case meets business objectives.
2. Evaluate IT supplier selection and contract management processes to ensure that the organization’s service levels and requisite controls are met.
3. Evaluate the project management framework and controls to determine whether business requirements are achieved in a cost-effective manner while managing risk to the organization.
4. Conduct reviews to determine whether a project is progressing in accordance with project plans, is adequately supported by documentation, and has timely and accurate status reporting.
5. Evaluate controls for information systems during the requirements, acquisition, development and testing phases for compliance with the organization's policies, standards, procedures and applicable external requirements.
6. Evaluate the readiness of information systems for implementation and migration into production to determine whether project deliverables, controls and the organization's requirements are met.
7. Conduct post-implementation reviews of systems to determine whether project deliverables, controls and the organization's requirements are met.

Domain 4—Information Systems Operations, Maintenance and Service Management (20%)

1. Evaluate the IT service management framework and practices (internal or third party) to determine whether the controls and service levels expected by the organization are being adhered to and whether strategic objectives are met.
2. Conduct periodic reviews of information systems to determine whether they continue to meet the organization’s objectives within the enterprise architecture (EA).
3. Evaluate IT operations (e.g., job scheduling, configuration management, capacity and performance management) to determine whether they are controlled effectively and continue to support the organization’s objectives.
4. Evaluate IT maintenance (patches, upgrades) to determine whether they are controlled effectively and continue to support the organization’s objectives.
5. Evaluate database management practices to determine the integrity and optimization of databases.
6. Evaluate data quality and life cycle management to determine whether they continue to meet strategic objectives.
7. Evaluate problem and incident management practices to determine whether problems and incidents are prevented, detected, analyzed, reported and resolved in a timely manner to support the organization’s objectives.
8. Evaluate change and release management practices to determine whether changes made to systems and applications are adequately controlled and documented.
9. Evaluate end-user computing to determine whether the processes are effectively controlled and support the organization’s objectives.
10. Evaluate IT continuity and resilience (backups/restores, disaster recovery plan [DRP]) to determine whether they are controlled effectively and continue to support the organization’s objectives.

Domain 5—Protection of Information Assets (25%)

1. Evaluate the information security and privacy policies, standards and procedures for completeness, alignment with generally accepted practices and compliance with applicable external requirements.
2. Evaluate the design, implementation, maintenance, monitoring and reporting of physical and environmental controls to determine whether information assets are adequately safeguarded.
3. Evaluate the design, implementation, maintenance, monitoring and reporting of system and logical security controls to verify the confidentiality, integrity and availability of information.
4. Evaluate the design, implementation and monitoring of the data classification processes and procedures for alignment with the organization’s policies, standards, procedures and applicable external requirements.
5. Evaluate the processes and procedures used to store, retrieve, transport and dispose of assets to determine whether information assets are adequately safeguarded.
6. Evaluate the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives.
Domain 1. The Process of Auditing Information Systems

1. 5 Task Statements
● Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.
● Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
● Conduct audits in accordance with IT audit standards to achieve planned audit objectives.
● Report audit findings and make recommendations to key stakeholders to communicate results and effect change.
● Conduct follow-ups or advise on risk management and control practice.

2. Code of Ethics – IPS PC DE
● Support the implementation of appropriate policies, standards, guidelines, and procedures for information systems.
● Perform your duties with objectivity, professional care, and due diligence in accordance with professional standards. Support the use of best practices.
● Serve the interests of stakeholders in an honest and lawful manner that reflects a credible image upon your profession.
● Maintain privacy and confidentiality of information obtained during your audit except for required disclosure to legal authorities.
● Undertake only those activities in which you are professionally competent; strive to improve your competency.
● Disclose accurate results of all work and significant facts to the appropriate parties.
● Support ongoing professional education to help stakeholders enhance their understanding of information systems security and control.

3. Working with IT professionals
● Data owner: specifies controls, is responsible for acceptable use, and appoints the data custodian.
● Data custodians: protect information and ensure its availability, as well as supporting the data users.
● Data users: comply with acceptable use and report violations.

4. CobiT – Control Objectives for Information and Related Technology. A framework consisting of strategies, processes, and procedures for leading IT organizations.

5. Organizations typically have four types of documents in place:
● Policies = goals; policies provide emphasis, set directions, and must be backed by recognized management. Policies that are not managed in a centralized manner may suggest a non-uniform measurement standard.
● Standards = definition of requirement; mid-level documents containing measurement control points to ensure uniform implementation in support of a policy. A missing standard indicates negligence by failing to define the requirement. Compliance is mandatory.
  i. Categories of standards (highest influence to lowest):
    ▪ Regulatory
    ▪ Industry
    ▪ Organizational
    ▪ Personal
● Guidelines = general instructions; provide vague direction or limited advice in the absence of an applicable standard. Guidelines are discretionary and can be used to create new standards.


● Procedures = how-to instructions; step-by-step instructions to perform desired actions. They provide support for a standard, and compliance is mandatory. Lack of written procedures represents negligence of duty.

6. Types of audit:
● Internal audits and assessments: self-assessment within an organization; the findings cannot be used for licensing.
● External audits: a customer audits their vendor/supplier to ensure the expected level of performance as mutually agreed upon in their contracts.
● Independent audits: relied on for licensing, certification, or product approval.

7. Audit Program
● An audit is requested by the client, who is responsible for setting the scope, granting authority, and providing access to the auditee.
● Program management vs. project
  i. Program: ongoing activities managed by an executive.
  ii. Project: a short-term activity managed by a project manager operating outside the normal organizational structure.
● Audit program monitoring and review
  i. Key goal indicator (KGI): uses goals as the performance evaluation.
  ii. Key performance indicator (KPI): uses metrics as the performance evaluation.
● Planning audits:
  i. Scope: the boundaries to be reviewed
  ii. Criteria: identify a set of policies to be measured against.
  iii. Team

8. Audit process
● Audit charter:
  i. Issued by executive management or the board of directors to grant the right to audit and delegate management’s assertions.
  ii. States management’s assertions:
    ▪ Responsibility: goals & objectives
    ▪ Authority: the right to perform an audit and the right to obtain access relevant to the audit
    ▪ Accountability: defines mutually agreed-upon actions between the audit committee and the auditor
● Audit committee:
  i. Provides advice to the executive accounting officers concerning internal control strategies, priorities, and assurance.
  ii. Issues the audit charter to grant the authority for internal audits.
● Preplanning
  i. Engagement letter: defines the responsibility, authority, and accountability of an independent auditor for individual assignments.
  ii. Elements: all points outlined in the charter (responsibility, authority, and accountability)
  iii. Selecting the type of audit:
    ▪ Product or service: efficiency, effectiveness, controls, and life cycle
    ▪ Processes: method or result
    ▪ System: design or configuration
    ▪ General controls: preventive, detective, and corrective
    ▪ Organizational plans: present and future objectives
  iv. Identify objectives and restrictions on scope
    ▪ Undue restrictions on scope would be a major concern.
    ▪ Standards are mandatory, and any deviation would require justification.
  v. Audits vs. assessments:
    ▪ Traditional audit
    ▪ Assessments: for training and awareness purposes, where the goal is to determine the value of the current process.
    ▪ Control self-assessments (CSA): executed by the auditee with the auditor as facilitator. The goal is self-improvement of the client or identifying areas with higher risk. Independence is not required.
  vi. Risk management strategies: applied to all organizational activities.
    ▪ Accept
    ▪ Mitigate
    ▪ Transfer
    ▪ Avoid
● Performing the audit
  i. Determining competence and evaluating auditors
    ▪ Skills matrix: area of knowledge, proficiency, and specialized training required to fulfill the audit
    ▪ Using the work of others requires:
      o Independence and objectivity
      o Competence, qualification, and experience
      o Agreement on scope
      o Level of review and supervision required
  ii. Data collection techniques
    ▪ Observation (good)
    ▪ Surveys (poor)
    ▪ Document review (good)
    ▪ Interviews (good)
    ▪ Workshops (mixed)
    ▪ Computer-assisted audit tools (good)
    ▪ Technical testing and analysis (excellent)
  iii. Computer-assisted audit tool (CAAT) methods

    CAAT method | Characteristics | Complexity
    Online event monitor | Reads logs & alarms | Low
    Embedded program audit hooks | Flags selected transactions | Low
    Continuous & intermittent simulation | Audits any transaction that meets preselected criteria | Medium
    Snapshot | Assembles a sequence of data captures into an audit trail | Medium
    Embedded audit module | Processes dummy transactions along with genuine, live transactions | High
    System control audit review file with embedded audit modules | System-level audit program used to monitor multiple EAMs inside the application software. This is a mainframe class of control. | High

    CAATs are able to perform faster than humans and produce more accurate data in functional testing. However, cost, training, and the security of output are major considerations.
  iv. Fundamental issues concerning internal controls
    ▪ Management is often exempt from controls
    ▪ How controls are implemented determines the level of assurance
  v. Hierarchy of internal controls (highest to lowest)
    ▪ General controls (overall): policies, structures, job descriptions, segregation of duties, budgeting, and auditing.
    ▪ Pervasive controls (follow the technology): those general controls that focus on the management and monitoring of the technology environment.
    ▪ Detailed controls (task): specific steps or tasks to be performed.
    ▪ Application controls (embedded in programs)
  vi. Internal control categories: detective, preventive, and corrective.
  vii. Implementation methods:
    ▪ Administrative ($): people-based control using written policies and procedures
    ▪ Physical ($$): physical barriers or visual deterrents
    ▪ Technical ($$$): using a software or hardware process to calculate an approval or denial based on specific attributes (special technology)
● Audit planning
  i. Work should be repeatable by another auditor (5Ws), and properly documented in working papers.
  ii. Assign the audit team: ensure adequate experience, competency, and training of the members.
  iii. Shewhart’s process technique: plan-do-check-act cycle
● Gather evidence
  i. Direct evidence is preferable to indirect evidence.
  ii. Audit samples:
    ▪ Statistical sampling: mathematically quantifiable and presented as a percentage. Examples include random, cell (predefined interval), and fixed interval.
    ▪ Non-statistical sampling: based on judgment. Examples include haphazard. The ideal is to focus on materiality rather than representation of the actual population.
  iii. Evidence life cycle: failure to maintain a proper chain of custody may disqualify the evidence. The ideal is to ensure the evidence is properly collected, under appropriate custody, and unaltered during the process.
  iv. Compliance testing: tests for the presence or absence of something.
    ▪ Attribute sampling: determine the presence of a certain attribute
    ▪ Stop-and-go sampling: when few errors are expected
    ▪ Discovery sampling: 100% sampling to detect fraud or when the likelihood of evidence existing is low
    ▪ Precision or expected error rate: a lower error rate = a larger sample in testing; a smaller sample is used when the population is expected to be error-free
  v. Substantive testing: seeks to verify the content and integrity of evidence.
    ▪ Variable sampling: used to designate dollar values or weights of an entire subject population by prorating from a smaller sample.
    ▪ Unstratified mean estimation: attempts to project an estimated total for the whole subject population.
    ▪ Stratified mean estimation: calculates an average by group.
    ▪ Difference estimation: used to determine the difference between audited and unaudited claims of value.
● Audit findings:
  i. Independence is required in the report for an external auditor.
  ii. Indicators of illegal or irregular activity:
    ▪ Questionable payments
    ▪ Unsatisfactory record control
    ▪ Unsatisfactory explanations
    ▪ Other questionable circumstances
  iii. Examples of irregular activities:
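The sampling techniques listed under Gather evidence (fixed-interval selection; attribute, stop-and-go and discovery sampling for compliance testing; unstratified mean, stratified mean and difference estimation for substantive testing), worked through in Python as an added example that is not part of the original notes. The invoice population, its two strata and all values are constructed for the illustration; the projection formulas are the textbook ones, not taken from the notes.

```python
import math
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Invoice:
    """One item of the constructed population."""
    ident: int
    stratum: str            # "large" or "small" (hypothetical grouping)
    book_value: float       # value as recorded by the auditee (unaudited claim)
    audited_value: float    # value the auditor established
    approved: bool          # attribute tested in compliance testing


# Constructed population of 20 invoices (not real data): two strata of ten,
# two misstated large invoices (ids 4 and 8) and one unapproved one (id 3).
POPULATION = [
    Invoice(i, "large", 1000.0 + 100 * i,
            1000.0 + 100 * i - (50.0 if i % 4 == 0 else 0.0), i != 3)
    for i in range(1, 11)
] + [Invoice(i, "small", 10.0 * i, 10.0 * i, True) for i in range(11, 21)]


# --- statistical selection -------------------------------------------------
def fixed_interval_sample(population, n, start=0):
    """Fixed-interval (cell) sampling: every k-th item from a chosen start."""
    k = max(1, len(population) // n)
    return [population[i] for i in range(start, len(population), k)][:n]


# --- compliance testing: presence or absence of an attribute ----------------
def attribute_rate(items, has_attribute):
    """Attribute sampling: share of the items that show the attribute."""
    return sum(1 for x in items if has_attribute(x)) / len(items)


def stop_and_go(population, has_error, batch=5, tolerable=0, planned=10):
    """Stop-and-go sampling: test in batches and stop early as soon as the
    tolerable number of errors is exceeded (control cannot be relied on) or
    once the planned number of clean items has been examined (reliable).
    Returns (items_examined, errors_found, reliable)."""
    examined = errors = 0
    for start in range(0, len(population), batch):
        for item in population[start:start + batch]:
            examined += 1
            errors += int(has_error(item))
            if errors > tolerable:
                return examined, errors, False
        if examined >= planned:
            return examined, errors, True
    return examined, errors, True


def discovery_sample_size(occurrence_rate, confidence):
    """Discovery sampling: smallest n that finds at least one occurrence with
    the given confidence when the true rate is occurrence_rate
    (large-population approximation; 1% at 95% confidence gives 299)."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - occurrence_rate))


# --- substantive testing: variable sampling of values ---------------------
def unstratified_mean_estimate(population_size, sample):
    """Project the sample's mean audited value over the whole population."""
    return population_size * mean(i.audited_value for i in sample)


def stratified_mean_estimate(population, sample):
    """Average per stratum, projected over that stratum's size, then summed."""
    total = 0.0
    for stratum in sorted({i.stratum for i in population}):
        size = sum(1 for i in population if i.stratum == stratum)
        values = [i.audited_value for i in sample if i.stratum == stratum]
        if not values:
            raise ValueError(f"no sample items in stratum {stratum!r}")
        total += size * mean(values)
    return total


def difference_estimate(population, sample):
    """Book total corrected by the projected mean (audited - book) difference."""
    mean_diff = mean(i.audited_value - i.book_value for i in sample)
    return sum(i.book_value for i in population) + len(population) * mean_diff


def true_audited_total(population):
    """Known only because the population is constructed; used for comparison."""
    return sum(i.audited_value for i in population)


if __name__ == "__main__":
    sample = fixed_interval_sample(POPULATION, 4, start=3)
    print("fixed-interval ids:", [i.ident for i in sample])
    print("difference estimate:", difference_estimate(POPULATION, sample),
          "true total:", true_audited_total(POPULATION))
    # A haphazard (non-statistical) pick that over-represents the large stratum
    haphazard = [POPULATION[i - 1] for i in (4, 8, 9, 14)]
    print("unstratified:", unstratified_mean_estimate(len(POPULATION), haphazard),
          "stratified:", round(stratified_mean_estimate(POPULATION, haphazard), 2))
    print("discovery n (1% at 95%):", discovery_sample_size(0.01, 0.95))
```

The haphazard sample shows why stratification matters: the same four items projected without strata overstate the total by far more than the per-stratum projection does.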
    ▪ Fraud
    ▪ Theft or embezzlement
    ▪ Suppression: suppressing data or records
    ▪ Racketeering: the process of repeated fraud or other crime
    ▪ Regulatory violations
  iv. The auditor should never take ownership of any problems found, as such an act would violate independence.
  v. Subsequent events:
    ▪ Type 1 event: events that occur before the B/S date
    ▪ Type 2 event: events that occur after the B/S date
● Capability Maturity Model (CMM): provides a framework for developing, improving and sustaining business performance in your environment.
  i. Levels of maturity

    # | Level | Description | Process | ISO
    1 | Initial | Ad hoc | Unique and chaotic; project completion depends on people | Performed
    2 | Repeatable | Documented with basic standards and procedures | Project management documented | Managed
    3 | Defined | Well documented and understood | Standardization with objectives in qualitative measurement | Established
    4 | Managed | Management controls processes | Predictable by quantitative measures | Predictable
    5 | Optimized | Continual improvement | Least freedom, with statistical process control | Optimizing

● Key Performance Indicator (KPI)
  i. Represents a historical average of monitored events
  ii. A KPI may indicate a failing score too late to implement a change
● The IT BSC (balanced scorecard) is a tool that provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate.
Domain 2. Governance and Management of IT

1. Performance Reporting
● Assessment methods provide a mechanism whereby IS management can determine if the activities of the organization have deviated from planned or expected levels. These methods include
  i. IS budgets
  ii. Capacity and growth planning
  iii. Industry standards/benchmarking
  iv. Financial management practices, and
  v. Goal accomplishment.

2. Business Process Reengineering (BPR): concerned with reducing the costs of the existing process while increasing performance.
● Areas of improvement
  i. Business efficiency
  ii. Improved techniques
  iii. New requirements
● Guiding principles
  i. Think big: unconstrained top-down approach.
  ii. Incremental: bottom-up approach that identifies improvements for current processes. BPR teams tend to spend too much time documenting the current processes.
  iii. Hybrid: top-down strategy and planning with bottom-up research.
● Application steps:
  i. Envision: develop an estimate of the ROI from the proposed change
  ii. Initiate: set the BPR goal with the sponsor and focus on planning the collection of the detailed evidence necessary
  iii. Diagnose: document existing processes and identify what is working and the source of each requirement.
  iv. Redesign: develop redesign plans to be reviewed and approved by the steering committee.
  v. Reconstruct: implementation of the new process through deconstruction of the current process.
  vi. Evaluate: ensure the new process is producing the strategic value forecast and establish performance measures.
● Rules
  i. Fix only broken processes
  ii. Calculate ROI
  iii. Understand the current process first
  iv. No leftovers

3. Project Estimation
● Source Lines of Code (SLOC) – traditional method (also Kilo LOC or KLOC) – direct, size-oriented measure
● Thousand Delivered Source Instructions (KDSI) – better with structured programming languages like BASIC and COBOL
● Function Point Analysis (FPA) – indirect measure based on the number and complexity of inputs, outputs, files, interfaces, and user queries. Functions are weighted by complexity.
● Project diagramming
  i. Gantt: resource details; uses schedule & sequence in waterfall style (MS Project); serial view with bars & diamonds
    ▪ Shows concurrent and sequential activities
    ▪ Shows project progress and the impact of completing a task early or late
  ii. PERT (Program Evaluation Review Technique): illustrates relationships between planned activities

9. Organizational control
● Goal of governance: hold the executives at the top responsible for decisions and all their consequences.
● IT steering committee: conveys the current business requirements from the business executives to the IT executive.
  i. Top management mediating between the imperatives of business and technology is an IT strategic alignment best practice.
  ii. Individuals that have the authority to act on behalf of their department
  iii. Usually managed by an executive chairperson (COO)
  iv. Authorized by a formal charter
● Planning decisions

    Question | Strategic | Long-term | Operational
    Time frame | 3+ years | 1-3 years | 1 year or less
    Role | Objective & policy | Standard | Procedure
    Who? | Board, CEO, COO, CFO | CEO, COO, CFO, VP, directors | Director, managers, technical leads
    Primary question | Business trend to exploit | Forecast financial trend | What to buy
    Expand or contract | Major business components | Forecast organizational changes | Resize
    Concentration | New product | Forecast needs based on trend | Minimum staffing
    What products and services are planned | Tasks to meet long-term plan | Forecast costs vs. expected revenue | Initiate new support training
    Focus | General statement | Financial plan | Daily support

Domain 3. Information Systems Acquisition, Development and Implementation

1. Strategic system (fundamental change) vs. tactical system (support)

2. Capability Maturity Model
● Goal: to eliminate decision-making authority from the department manager and workers and shift it to the executive management level.
● A baseline reference to chart current progress or regression.
● Levels of CMM:
  i. Level 0 = Nonexistent: nothing is getting done and individual managers hold the authority for decisions.
  ii. Level 1 = Initial: decision authority resides in the individual workers and is supported by a local manager.
  iii. Level 2 = Repeatable: processes are documented in detail with specific procedures for each worker that can be repeated with consistency. Decisions are made by managers.
  iv. Level 3 = Defined: standardization and qualitative measurement for detailed accounting. Decisions are made by formal review committees while department managers have less authority.
  v. Level 4 = Managed: quantitative measurement of ROI goes into all decisions, and a formal project priority system is practiced with a project management office governing projects.
  vi. Level 5 = Optimized: continuous improvement using statistical process control. Specific rules are in place so that anyone can perform the tasks; controls reside with executives while department managers and workers have no authority.

3. Executive Steering Committee
● Goal: align IT functions with current business objectives.
● Methods: critical success factors and the scenario approach
● Aligning software to business needs
  i. Establish the need (internal vs. external)
  ii. Identify the work effort
  iii. Summarize the impact
  iv. Conduct an initial feasibility analysis
  v. Present the benefit
● The IT steering committee provides open communication of business objectives for IT support. Focus is placed on fulfillment of the business objective.

4. Change Management
● Change control board: the board reviews all change requests and determines whether authorization should be granted. Change control review must include input from business users.
● Approaches:
  i. Evolutionary
    ▪ Traditional viewpoint, where the number one source of failures is errors in planning and design.
    ▪ System Development Life Cycle:
      a. Waterfall model: the waterfall method helps ensure that errors are detected early in the development process. Waterfall development is a procedure-focused development cycle with formal sign-off at the completion of each level.
      b. Spiral model: a risk-driven model, which means that the overall success of a project highly depends on the risk analysis phase. Risk analysis requires specific expertise on every iteration.
      <Note> The waterfall and spiral models are based on gathering requirements, forecasting, designing, and building.
      c. Agile prototyping model: fits when the project is unable to forecast or plan, or does not have a detailed design. A repeated trial-and-error process is utilized.
  ii. Revolutionary
    ▪ Business users should be allowed to experiment in an effort to generate software programs for their needs. The end user holds all the power of success or failure.
    ▪ Lack of internal controls and failure to obtain objectives are major concerns.
  iii. Change management auditing
    ▪ Program library access is restricted
    ▪ Supervisory reviews occur
    ▪ The user approves the change
    ▪ A LAN administrator should not have programming responsibilities but may have end-user responsibilities.
    ▪ Emergency changes: emergency ID use is logged and monitored, with normal change controls applied, often retroactively.

5. SDLC Phases
● Phase 1: Feasibility Study
  i. Goal: determine the strategic benefits to be accomplished and the anticipated payback schedule of the project.
  ii. Constructive Cost Model: a method to estimate the effort, schedule, and cost of developing a new software application.
    ▪ Source lines of code: forecasts the estimate by counting the individual lines of program source code regardless of the embedded design quality.
    ▪ Function point analysis: divides program functions into classes and ranks them by complexity. Based on complexity, the estimate of work is calculated.
  iii. Statement of work: a formal approval by executive management to grant the go-ahead of the project and force cooperation.
  iv. The auditor should focus on the initial needs analysis and ensure a risk mitigation strategy is in place.
● Phase 2: Requirements Definition
  i. Goal: define inputs, outputs, the current environment, and the proposed interaction. The specification is defined in this step.
  ii. Entity-relationship diagram: defines high-level relationships between the entities, as well as a data dictionary that standardizes the terms of reference for each data item in the database.
  iii. Auditor’s interest: the project plan and estimated costs have been approved, and the requirements include sufficient security (not using the default configuration) to protect the data classified in the record management system.
● Phase 3: System Design and Selection
  i. Goal: to plan a solution by using the objectives from phase 1 and the specification from phase 2. The client has to determine whether to build the system in-house or buy the hardware.
  ii. Best time for the software developer to work directly with the user.
  iii. Cost estimates are compared to the assumptions made.
  iv. Auditor’s interest: verifying that processing and output controls are incorporated into the system.
● Phase 4: Development
  i. Goal: prototypes are built for functional testing, and user acceptance testing occurs during this stage.
  ii. Software testing methods:
    ▪ White-box, or crystal-box, testing: assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's logic paths. Verifying that the program can operate successfully with other parts of the system is sociability testing.
    ▪ Black-box testing: data are put through the system to see whether the results come out as expected. Tests the program's functionality without knowledge of its internal structure.
    ▪ Sand-box testing: controlled testing of programs in a semi-debugged environment, either heavily controlled step by step or via monitoring in virtual machines.
    ▪ Functional, or validation, testing: compares the system against the desired functional requirements to determine if the product has met our objectives for its intended use.
    ▪ Regression testing: ensures that a change does not create a new problem or conflict with other functions in the program. It is part of the quality control process.
  iii. Auditor objectives:
    ▪ Verify that a quality control process has been used to develop the computer program.
    ▪ Programs have undergone debugging with formal testing, and supporting documentation has been created to assure system integrity and production use.
    ▪ The finished software capabilities have been verified for compliance with the original objectives and have acquired user acceptance.
● Phase 5: Implementation
  i. Goal: final acceptance testing begins, and users are trained in the new system. System testing is undertaken by the developer team to determine if the software meets user requirements per specifications.
  ii. Certification: a technical process of testing against a known reference.
  iii. Accreditation: an administrative process based on management’s comfort level with demonstrated performance or fitness for use. The purpose is to hold a management executive responsible to ensure corporate governance.
  iv. User training: system custodians need to be trained for normal operations and emergency procedures.
  v. Go live:
    ▪ Parallel operations: lowest risk
    ▪ Phased changeover: best suited to an upgrade or conversion; it has modest risk
    ▪ Hard changeover: highest level of risk
  vi. Program-to-program passwords in static configuration files should be documented, and privileged passwords should be listed for rotation.
● Phase 6: Post-implementation
  i. Goal: compare performance metrics to the original objectives, and implement requests for new requirements, updates, or disposal.
  ii. ROI calculation to compare cost to the actual benefit received.
  iii. Periodic reviews and monitoring procedures are necessary to verify that the system is maintained in a manner that supports the original objectives and controls.
● Phase 7: Disposal
  i. Goals: archive old data, and management signs a formal authorization for the disposal and accepts liability.

6. A generation language may refer to any of the following:
● 1GL: low-level languages that are machine language.
● 2GL: also low-level assembly languages. They are sometimes used in kernels and hardware drivers, but more commonly used for video editing and video games.
● 3GL: English-like statement languages, such as C, C++, Java, JavaScript, and Visual Basic.
● 4GL: English-like statement languages with an embedded database. Fourth-generation languages are commonly used in database programming and scripts; examples include Perl, PHP, Python, Ruby, and SQL.
● The fifth-generation languages, or 5GL, are programming languages that contain artificial intelligence and are learning systems. Examples of fifth-generation languages include Mercury, OPS5, and Prolog.

7. Alternative development techniques:
● Agile development method
  i. Uses time-box management techniques to force individual iterations of a prototype in a short time span by allowing programmers to start writing a program using lots of trial and error without spending time on preplanning documentation.
  ii. It is designed for use by small teams of talented programmers.
  iii. However, it does not scale very well.
  iv. An ongoing team learning process to refine project management.
  v. It places greater reliance on the undocumented knowledge contained in a person’s head.
● Rapid application development method
  i. Well-defined methodology that works for a small, well-trained team
  ii. Uses a 4GL programming language
● Heuristic (prototyping) development
  i. Combines the best of the SDLC with an iterative approach that enables developer and customer to react to risks at each iteration
  ii. Focuses on prototyping screens and reports

8. Data Architecture
● Database architecture
  i. Data-oriented database: data entries have a fixed length and format; thus, the information is predictable. It is used when the structure and format of the data are well known and predictable.
  ii. Object-oriented database: data entries may be unpredictable as there is no fixed format. Each programmed object has its own data for
  iii. ACID model for database integrity:
    ▪ Atomicity guarantees that either the entire transaction is processed or none of it is.
    ▪ Consistency ensures that the database is in a legal state when the transaction begins and ends.
    ▪ Isolation means that, while in an intermediate state, the transaction data is invisible to external operations.
    ▪ Durability guarantees that a successful transaction will persist and cannot be undone.
● Decision support system
  i. Reference by context: value = low; supplies answers based on the estimated level of reference.
  ii. Colleague, or associate, level: provides tedious calculation support but leaves the real decisions to the user.
  iii. Expert level: written by capturing specialized data from a person who has been performing the desired work for 20 or 30 years.

Domain 4—Information Systems Operations, Maintenance and Service Management

1. Personnel roles and responsibility

    Job role | Authorized changes | Production library access | Development library access | Security administration | Execute production configuration changes
    System user (end user) | Approve | Use | No | No | No
    System administration (custodian) | Request | Monitor/control | No | Implement | When approved
    Security administration | Approve | No | No | Specify control | No
reference and its own method of accomplishing a required task.
Job Role Authorized Production Development Security Execute
Changes Library Library Access Administration Production
● Privileged login accounts security control:
Access Configuration Changes i. Password must be changed every 30 days
(Custodian) ii. Retired passwords are to be backed up and protected in a controlled
environment that is offsite
Programming/ Request No Create No No
iii. Default login account should be disabled
development software
● Required data protection controls:
Change testing Test only No No Test only No
i. Standing data controls: requires additional controls such as storage in
(use isolated (use isolated
encrypted format
test) test)
ii. System control parameters: used to customize the configuration
Change Approve No No No NO settings and software application
control
iii. Logical access controls: direct access through open databased
connectivity should be prohibited and all access to data files should be
● Information security managements: ensures confidentiality, integrity, and
forced through authentication in a user right management program
availability of computing resources. (application processing control)
i. Chief information security office: define and enforce security policies for iv. Transaction processing controls: should be controlled with
organization, and review periodically. authentication and validation checks
ii. Chief privacy officer: protecting confidential information.
● Process control:
iii. Information systems security manager: day-to-day process of ensuring
compliance for system security. i.Batch totals: compare output
iv. Data owner: responsible for data content and authorization. ii.Total number of items: ensure each item was processed
v. Data custodian: responsible for safeguard and availability of data. iii.Transaction logs: record activity
iv. Run-to-run total: verify data values during the different stages of
● Compensating controls: goal is to reduce errors or omission when
processing
preferred control cannot be implemented. v. Limit checks
i. Job rotation vi. Exception reporting
ii. Audit / reconciliation vii. Job cost accounting
iii. Exception report
● Mobile software
iv. Transaction logs
v. Supervisor review Low Risk Moderate Risk High Risk

PDF Applets ActiveX

Adobe Flash PostScript

2. System access controls JavaScript Visual Basic

i. ActiveX places no restrictions on what the programmer can do.
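Control totals from the Process control list above, worked as an added Python example (not from the notes): the item count, batch total and hash total are recomputed over a constructed batch and reconciled with the submitted figures, a limit check produces the exception report, and a run-to-run total catches a processing stage that silently loses a record. The batch, the submitted totals and the limit are all constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: int
    amount: Decimal

# Constructed input batch together with the control totals its submitter claimed.
INPUT_BATCH = [
    Txn("T1", 10001, Decimal("120.00")),
    Txn("T2", 10002, Decimal("75.50")),
    Txn("T3", 10003, Decimal("9800.00")),   # will trip the limit check
    Txn("T4", 10004, Decimal("4.50")),
]
SUBMITTED_COUNT = 4                        # total number of items
SUBMITTED_TOTAL = Decimal("10000.00")      # batch (amount) total
SUBMITTED_HASH = 40010                     # hash total: sum of account numbers
LIMIT = Decimal("5000.00")                 # per-transaction limit check

def control_totals(batch):
    """Item count, batch total and hash total of a list of Txn."""
    return (len(batch),
            sum((t.amount for t in batch), Decimal("0")),
            sum(t.account for t in batch))

def reconcile_input(batch):
    """Compare recomputed totals with the submitted ones; empty list = balanced."""
    count, total, hsh = control_totals(batch)
    problems = []
    if count != SUBMITTED_COUNT:
        problems.append(f"item count {count} != submitted {SUBMITTED_COUNT}")
    if total != SUBMITTED_TOTAL:
        problems.append(f"batch total {total} != submitted {SUBMITTED_TOTAL}")
    if hsh != SUBMITTED_HASH:
        problems.append(f"hash total {hsh} != submitted {SUBMITTED_HASH}")
    return problems

def limit_check(batch, limit=LIMIT):
    """Exception report: ids of transactions above the limit, for manual review."""
    return [t.txn_id for t in batch if t.amount > limit]

def run_to_run(batch, stages):
    """Run each processing stage and carry the control totals from one run to
    the next; returns (final batch, names of stages that lost or altered data)."""
    failed, current = [], batch
    for name, stage in stages:
        before = control_totals(current)
        current = stage(current)
        if control_totals(current) != before:
            failed.append(name)
    return current, failed

# Constructed stages: validation passes everything through; posting has a bug
# that silently drops one record, which the run-to-run total catches.
def validate(batch):
    return list(batch)

def post_with_bug(batch):
    return [t for t in batch if t.txn_id != "T2"]

STAGES = [("validate", validate), ("post", post_with_bug)]
```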
3. Business Continuity Plan
● The strategy for which the sum of downtime cost and recovery cost is the lowest is the optimal strategy.
● Components
i. DRP plan: It is critical to initially identify information assets that can be made more resilient to disasters.
ii. Plan to restore operations to normal following a disaster
iii. Improvement of security operations
● BCP Lifecycle
i. Create BCP policy
ii. Business Impact Analysis (BIA) should be conducted with input from a wide array of stakeholders, which identifies
▪ Protecting human resources during a disaster-related event should be addressed first.
▪ Different business processes & criticality
▪ Critical IS resources supporting critical business processes
▪ Critical recovery period before significant losses occur
▪ A determination of acceptable downtime is made
iii. Classify operations and criticality
iv. Identify IS processes that support business criticality
v. Develop BCP and IS DRP
vi. Develop resumption procedures
vii. Training and awareness programs
viii. Test and implement plan
ix. Monitoring: Periodic testing of the recovery plan is critical to ensure that whatever has been planned and documented is feasible.
● Terms
i. Recovery point objective (RPO) – based on acceptable data loss; earliest time in which it is acceptable to recover; date/time or synchronization point to which systems/data will be restored.
ii. Recovery time objective (RTO) – based on acceptable downtime; earliest time when business operations must resume.
iii. Interruption window – how long a business can wait before operations resume (after this point, losses are unaffordable)
iv. Maximum tolerable outage (MTO) – maximum time the business can operate in alternate processing mode before other problems occur
v. Service delivery objective (SDO) – acceptable level of services required during alternate processing
● Recovery Alternatives
i. Hot site – fully configured and ready to operate within hours. Not for extended use.
ii. Warm site – partially configured. Site ready in hours, operations ready in days or weeks.
iii. Cold site – has basic utilities, ready in weeks.
iv. Redundant site – dedicated, self-developed sites.
v. Mobile site – data center in a box
vi. Reciprocal agreements with other businesses

4. The IS auditor might need to review specific reports associated with availability and response. This list identifies log types and characteristics:
● System logs identify the activities performed on a system and can be analyzed to determine the existence of unauthorized access to data by a user or program.
● The review of abnormal job-termination reports should identify application jobs that terminated before successful completion.
● Operator problem reports are used by operators to log computer operations problems and their solutions. Operator work schedules are maintained by IS management to assist in human resource planning.
● Capacity-monitoring software to monitor usage patterns and trends enables management to properly allocate resources and ensure continuous efficiency of operations.
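The optimal-strategy rule and the RTO term from the Business Continuity Plan notes above, worked as an added Python example (not from the notes): each recovery alternative carries a constructed readiness cost and recovery time, and the cheapest alternative whose recovery time still meets the RTO is chosen; when none does, the BIA has to revisit the RTO.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alternative:
    name: str
    recovery_hours: float   # time until operations resume at the site
    annual_cost: float      # recovery cost: keeping the alternative ready

# Constructed figures for illustration only (not from the notes).
ALTERNATIVES = [
    Alternative("hot site", 4, 400_000),
    Alternative("warm site", 48, 120_000),
    Alternative("cold site", 336, 30_000),          # about two weeks
    Alternative("reciprocal agreement", 120, 5_000),
]

def total_cost(alt, downtime_cost_per_hour, events_per_year=1.0):
    """Downtime cost accrues per event until the alternative takes over;
    recovery cost is the annual readiness cost. The sum is what the
    optimal-strategy rule minimizes."""
    downtime = alt.recovery_hours * downtime_cost_per_hour * events_per_year
    return downtime + alt.annual_cost

def optimal_strategy(alts, rto_hours, downtime_cost_per_hour, events_per_year=1.0):
    """(name, cost) of the cheapest alternative that resumes operations within
    the RTO, or None when no alternative meets the RTO."""
    feasible = [a for a in alts if a.recovery_hours <= rto_hours]
    if not feasible:
        return None
    best = min(feasible,
               key=lambda a: total_cost(a, downtime_cost_per_hour, events_per_year))
    return best.name, total_cost(best, downtime_cost_per_hour, events_per_year)
```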
● Network-monitoring devices are used to capture and inspect network traffic data. The logs from these devices can be used to inspect activities from known or unknown users to find evidence of unauthorized access.
● System downtime provides information regarding the effectiveness and adequacy of computer preventive maintenance programs and can be very helpful to an IS auditor when determining the efficacy of a systems-maintenance program.

Information Systems Operations, Maintenance and Service Management
1. Redundant Array of Inexpensive/Independent Disks (RAID)
● Level 0 – Striping: It makes several disks appear as one big disk. It has the best performance, but data loss is likely.
● Level 1 – Disk mirroring: all the data is written to at least two separate physical disks to prevent data loss. However, it cuts usable space in half.
● Level 2 – Hamming code ECC: interweaving data based on Hamming code to provide error correction. (EXPENSIVE and rare; hardware based, resource intensive)
● Level 3 – parallel transfer with parity; at least 2 striped data drives with 1 for parity (faster in HW)
● Level 5 – block level; the most commonly used method. It uses less disk space than RAID-1 for the same amount of usable storage. It is cheap yet provides the best overall read and write performance.
● Level 6 – It uses independent disks with a very high transfer rate, and it is very expensive. The disks in the same string appear as one large disk.
● Level 10 – high reliability & performance; at least 4 drives, stripes level 1 segments; high I/O
● Level 0 + 1 – High transfer rate; striped plus mirror; losing 2 drives = major data loss

2. Open Systems Interconnection Model: a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to its underlying internal structure and technology.

Layer | Name | Example protocols | Function
7 | Application Layer | HTTP, FTP, DNS, SNMP, Telnet | Where users interact directly with the software application and calculation.
6 | Presentation Layer | SSL, TLS | Handles data and encryption; also translates into the format all computers can understand.
5 | Session Layer | NetBIOS, PPTP | It is where communications between systems are managed.
4 | Transport Layer | TCP, UDP | This layer specifies the method of delivery. i. Confirmed delivery: TCP connection; however, slower. ii. Unconfirmed delivery: User Datagram Protocol (UDP). It is faster with less overhead.
3 | Network Layer | IP, ARP, ICMP, IPSec | This layer handles addressing and routing the data -- sending it in the right direction to the right destination.
2 | Data Link Layer | PPP, ATM, Ethernet, Switches | It focuses on establishing data communications via hardware device drivers and the transmit/receive function.
1 | Physical Layer | Ethernet, USB, Bluetooth, IEEE802.11 | The physical layer is responsible for sending computer bits from one device to another along the network.

3. Network cables & topologies
● Topologies
i. Bus: uses coaxial cable but runs the risk of interrupted transmission since computers are linked together with one cable.
ii. Star: computers are connected to a network hub (or switch) with additional cables. It offers flexibility but higher cost on more cables.
iii. Ring: allows a redundant path to create a fault-tolerant network.
iv. Meshed: has alternate connections for major backbone points on the network. It also has a higher cost of implementation.
● Cable types:
i. Coaxial: for longer distances and in areas prone to electrical interference, or for outdoor connections.
ii. Unshielded twisted-pair cable: inexpensive and commonly used in star topologies.
iii. Fiber optic cable: has an extremely wide bandwidth but is expensive and consists of fragile glass strands.

2. IPS vs. IDS
● A host-based intrusion prevention system (IPS) prevents unauthorized changes to the host.
● A network-based intrusion detection system (IDS) relies on attack signatures based on known exploits and attack patterns.
i. Statistical: calculation of network traffic and loadings
ii. Signature: known patterns and techniques
iii. Neural: learning network
iv. Honey bits, pot, net: sacrificial files, server, or subnet

3. Firewall
● Designs
i. Screened host implementation: a single host computer through the firewall. It is expected that the host computer will be attacked.
ii. Dual-homed host: A special software application relays appropriate communication between the two interface cards.
iii. Screened subnet (DMZ design): allows for several computers to be placed in a protected subnet that is accessible from the outside and by systems inside the network.
iv. Stateful inspection: collects the history and nature of the connectionless requests to determine whether the remote request should be transmitted to the destination computer or discarded as hazardous.
● Types of Firewall
i. Out of all types of firewall, the Application-Level Firewall provides the greatest security environment (as it works on the application layer of the OSI model).
ii. In any given scenario, the most robust configuration of firewall rules is 'deny all traffic and allow specific traffic' (as against 'allow all traffic and deny specific traffic').
iii. A Stateful Inspection Firewall allows traffic from outside only if it is in response to traffic from internal hosts.

Firewall | OSI Layer
Application Level | Application Layer
Circuit Level | Session Layer
Stateful Inspection | Network Layer
Packet Filtering Router | Network Layer

4. In any given scenario, the following are the best practices for Wireless (Wi-Fi) security:
● Enable MAC (Media Access Control) address filtering.
● Enable encryption to protect data in transit.
● Disable SSID (service set identifier) broadcasting.
● Disable DHCP (Dynamic Host Configuration Protocol).
● Security ranking: randomly generated PSK > MAC-based PSK (MAC address of a computer is fixed and often accessible) > WEP (very weak encryption technique and can be cracked within minutes) > SSID.
● In any given scenario, WPA-2 (Wi-Fi Protected Access) is the strongest encryption standard for the wireless connection.
● In any given scenario, confidentiality of the data transmitted in a wireless LAN is BEST protected if the session is encrypted using dynamic keys (as compared to static keys).
● Electromagnetic emissions from a terminal can be detected by sophisticated equipment and displayed, thus giving access to data to unauthorized persons.
● Configuration management is one of the key components of any network since it establishes how the network will function internally and externally.
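The "deny all traffic and allow specific traffic" rule and the stateful-inspection point from the Firewall notes above, as an added Python example (not from the notes): a perimeter filter with an explicit outbound allow list and a state table that admits inbound packets only when they answer a flow an internal host opened; everything else, including unsolicited probes, falls to the default deny. The internal prefix, the allow list and the addresses are constructed.

```python
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."          # constructed internal address prefix

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

# 'Allow specific' rules for traffic leaving the internal network: (proto, dport).
ALLOW_OUTBOUND = {("tcp", 443), ("tcp", 80), ("udp", 53)}

class StatefulFirewall:
    def __init__(self, allow_outbound=ALLOW_OUTBOUND):
        self.allow_outbound = allow_outbound
        self.state = set()     # flows opened from inside: (proto, src, sport, dst, dport)
        self.log = []          # every decision, for the auditor's review

    def _is_internal(self, ip):
        return ip.startswith(INTERNAL_NET)

    def filter(self, p):
        """Return 'ACCEPT' or 'DROP' for one packet and record the reason."""
        inside_src, inside_dst = self._is_internal(p.src), self._is_internal(p.dst)
        # 1. Outbound: only an explicit rule allows it, and the flow is
        #    remembered so that its reply can come back in.
        if inside_src and not inside_dst:
            if (p.proto, p.dport) in self.allow_outbound:
                self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return self._decide("ACCEPT", p, "outbound rule")
            return self._decide("DROP", p, "no outbound rule")
        # 2. Inbound: accepted only as the reply to a flow in the state table.
        if not inside_src and inside_dst:
            if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
                return self._decide("ACCEPT", p, "reply to established flow")
            return self._decide("DROP", p, "unsolicited inbound")
        # 3. Anything else (e.g. an external packet claiming an internal
        #    source) is covered by the default deny.
        return self._decide("DROP", p, "default deny")

    def _decide(self, verdict, p, reason):
        self.log.append((verdict, p, reason))
        return verdict
```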
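Parity-based recovery from the RAID list earlier in this section (Levels 3 and 5, and the remark that losing two drives means major data loss), as an added Python example not taken from the notes: XOR parity on one drive lets a single lost drive be rebuilt from the survivors, while a second lost drive makes the stripe unrecoverable. The data blocks are constructed.

```python
def parity(blocks):
    """XOR equal-length byte blocks together (the RAID 3/5 parity operation)."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)

def write_stripe(data_blocks):
    """One stripe: the data blocks plus a single parity block on the last drive."""
    return list(data_blocks) + [parity(data_blocks)]

def fail_drives(stripe, failed):
    """Copy of the stripe with the given drive indexes marked as lost (None)."""
    return [None if i in failed else block for i, block in enumerate(stripe)]

def recoverable(stripe):
    """Single parity tolerates exactly one missing drive per stripe."""
    return sum(block is None for block in stripe) <= 1

def rebuild(stripe, lost):
    """Reconstruct drive `lost` by XOR-ing every surviving drive; the parity
    drive itself is rebuilt the same way."""
    if not recoverable(stripe):
        raise ValueError("two or more drives lost: unrecoverable with single parity")
    return parity([block for i, block in enumerate(stripe) if i != lost])

# Constructed 4-byte blocks for three data drives; the fourth drive holds parity.
DATA = [b"CISA", b"RAID", b"5XOR"]
```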
Domain 5—Protection of Information Assets
1. Security goal and matching control

Security Goal | Primary Control | Failure Consequence
Confidentiality | Data classification; Separation of duties; Least privilege; Controls appropriate in every step of users' business workflow | Unauthorized disclosure; Data breach; Organization failure
Integrity | Control & trust | Loss of control
Availability | Authentication of allowed users | Unauthorized access with or without detection

● An important benefit of a well-defined data classification process would be to lower the cost of protecting data by ensuring that the appropriate controls are applied with respect to the sensitivity of the data.
● The IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence.

2. Technical protection
● Mandatory access controls: use a set of rules that determines which person (subject) will be allowed to access the data (object). The access privileges are predetermined based on a list.
i. Changed by admins making decisions derived from policy
ii. Example: password complexity requirements
● Discretionary access controls: allow a designated individual to decide a broad level of user access. The IS auditor needs to investigate how the decisions are selected, authorized, managed, and reviewed at least annually.
i. Controls that CAN be changed by normal users/data owners
ii. Example: access to a departmental shared folder on a server
● Role-based access control: based on job requirement.
● Task-based access control: based on task requirement.
● Attribute-based access control: a selective control that is flexible.

3. Application software control: Provides security by using a combination of user identity, authentication, authorization, and accountability.
● Database view: read restriction placed on particular columns in the database.
● Restricted user interface
● Security label bypass: a metadata control in MAC environments that specifies who may access the file and how the file may be used. Additional compensating controls are necessary in certain situations to protect against the bypass of the MAC security level.
● Internal access control lists should be used to implement least privilege.

4. Biometrics sensors:
● The purpose of biometrics is to provide authentication of the person after they identify him/herself.
● A biometrics sensor creates a new data template every time the sensor is used, which is compared to the database by the template matcher.
● Drawbacks
i. Enrollment failure: sample of user fails to be accepted by the system
ii. False rejection: system rejects a legitimate user
iii. Equal error vs. crossover error rate: trade-off between speed & efficiency
iv. Throughput rate: the samples the system can process and still have accuracy; a higher risk situation should have a lower throughput rate.

5. Kerberos single sign-on
● User logs in once to Kerberos, and the system authenticates the user and grants access to all resources
● A strong password and strong encryption will improve overall security
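The false rejection, crossover (equal) error rate and throughput points from the Biometrics notes above, worked as an added Python example (not from the notes): constructed matcher scores give the false acceptance and false rejection rates at each threshold, the crossover threshold where the two are equal, and the stricter threshold a higher-risk setting needs, which accepts more false rejections and so lowers throughput.

```python
# Constructed similarity scores (0-100) produced by a template matcher.
GENUINE  = [82, 88, 91, 75, 69, 95, 86, 78, 90, 84]   # legitimate users
IMPOSTOR = [40, 55, 62, 71, 48, 58, 66, 77, 52, 60]   # other people's samples

def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """(FAR, FRR) when a sample is accepted iff its score >= threshold.
    FAR: impostors accepted; FRR: legitimate users rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def crossover(thresholds=range(0, 101)):
    """Threshold at which FAR and FRR are closest: the crossover error rate
    point (the first such threshold if several tie)."""
    return min(thresholds, key=lambda t: abs(rates(t)[0] - rates(t)[1]))

def threshold_for_max_far(max_far, thresholds=range(0, 101)):
    """Lowest threshold whose FAR stays within the limit. A higher-risk setting
    demands a smaller FAR, so the threshold rises and FRR (rejections of
    legitimate users) grows, which is the throughput trade-off."""
    for t in thresholds:
        if rates(t)[0] <= max_far:
            return t
    return None
```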
6. Encryption
● Methods
i. Private-key: a secret key that is shared between the authorized persons, and the key must be protected with the highest due diligence. A shared key between sender and receiver is referred to as symmetric-key cryptography. It is fast but must be protected with the highest diligence.
▪ Advanced Encryption Standard (AES) is a secure encryption algorithm that is appropriate for encrypting passwords.
ii. Public-key: also known as asymmetric cryptography, uses a public key to encrypt and a private key to decrypt. Using two private keys would not be possible with asymmetric encryption. Asymmetric cryptography is typically used for the transmission of data. It has 4 components:
▪ Certificate Authority (CA) issues certificates. The primary role of the CA is to authenticate the entity owning a certificate and to confirm the integrity of any certificate it issued.
▪ Registration authority: delegated bookkeeping and issuing function from the CA
▪ Certificate revocation list: maintained by the CA to indicate that certificates have expired or are revoked
▪ Certification practice statement: disclosure document that specifies how a CA will issue certificates
● Problems when using encryption
i. Creating and issuing keys requires discipline or the key can be easily compromised
ii. Separate keys should be used for separate classifications of data
iii. Encryption keys must be rotated
iv. Encryption only protects the output file, not the original source file
v. The system is still vulnerable to attack
● Encryption-key management:
i. Proper authorization: never allow users to encrypt files that management cannot decrypt without the user
ii. Encryption keys must be individually managed, tracked (in a library), and unique to each task
iii. Separation of duties:
▪ Encryption keys need to be generated on a system that is physically and logically isolated from other systems and transferred via read-only media
▪ Users should never have direct access to encryption keys
iv. The use of specific encryption keys should be limited
v. The use, archiving, and destruction of encryption keys require a formal review
vi. Nonrepudiation, achieved through the use of digital signatures, prevents the senders from later denying that they generated and sent the message.
● Digital rights management (DRM): uses public-key encryption to enforce digital rights.
i. Steganography is a technique for concealing the existence of messages or information.

7. Network security protocols
● Pretty Good Privacy: for personal file encryption
● Transport Layer Security (TLS): for secure transmission internally and over the Internet. TLS replaced SSL, which was used by most websites. TLS is the preferred method to use for all secure sessions.
● Secure Hypertext Transfer Protocol (HTTPS): older versions still use SSL. Newer sites should all use TLS.
● Internet Protocol Security (IPsec): a secure network protocol suite that authenticates and encrypts the packets of data sent over an IPv4 network. A VPN's primary purpose is to protect data in transit using tunnelling.
● The Secure Electronic Transaction (SET) protocol provides a method for purchasing over the internet without disclosing the credit card information to the merchant. The buyer will be liable for transactions that involve his/her personal SET certificate.
● Email anti-spamming techniques: Bayesian > Heuristic > Signature Based > Pattern Matching

8. Risk assessment
● First step is to identify the assets (in some cases, critical processes).
● Second step is to identify relevant risk (vulnerability/threat).
● Third step is to do impact analysis (qualitative or quantitative).
● Fourth step is prioritizing the risk on the basis of impact (IT risk analysis).
● Fifth step is to evaluate controls.
● Sixth step is to apply appropriate controls.

9. Security Requirements
● Authenticity – verification that the message was not changed in transit
● Nonrepudiation – verification of origin or receipt of message
● Accountability – actions traceable to an entity
● Network availability
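The Encryption-key management list in this domain (keys individually tracked in a library, separate keys per classification of data, rotation, and archiving or destruction only under formal review), as an added Python example that is not from the notes: a key library that keeps rotated keys available for verifying older data, refuses to destroy an active key, and requires a named reviewer for destruction. HMAC-SHA256 from the standard library stands in for the keyed operation; the key ids, classifications and messages are constructed.

```python
import hashlib
import hmac
import secrets

class KeyLibrary:
    """Tracks every key individually: id, classification, state and version."""

    def __init__(self):
        self._keys = {}       # key_id -> {"material", "classification", "state"}
        self._active = {}     # classification -> id of the key currently in use
        self.audit = []       # trail for the formal review of use/destruction

    def generate(self, classification):
        """New key for one classification. The previous active key is rotated
        (kept for verifying older data) rather than deleted."""
        n = sum(k["classification"] == classification for k in self._keys.values()) + 1
        key_id = f"{classification}-v{n}"
        self._keys[key_id] = {"material": secrets.token_bytes(32),
                              "classification": classification, "state": "active"}
        old = self._active.get(classification)
        if old:
            self._keys[old]["state"] = "rotated"
        self._active[classification] = key_id
        self.audit.append(("generate", key_id))
        return key_id

    def seal(self, classification, data):
        """Tag data with the active key of its classification; the key id
        travels with the tag so the right (possibly rotated) key is found later."""
        key_id = self._active[classification]
        return key_id, self._tag(key_id, data)

    def verify(self, key_id, data, tag):
        """Rotated keys still verify; destroyed or unknown keys never do."""
        k = self._keys.get(key_id)
        if k is None or k["state"] == "destroyed":
            return False
        return hmac.compare_digest(self._tag(key_id, data), tag)

    def destroy(self, key_id, reviewer):
        """Destruction needs a formal review, and an active key is never destroyed."""
        if not reviewer:
            raise PermissionError("key destruction requires a formal review")
        if self._keys[key_id]["state"] == "active":
            raise ValueError("rotate the key before destroying it")
        self._keys[key_id]["material"] = None
        self._keys[key_id]["state"] = "destroyed"
        self.audit.append(("destroy", key_id, reviewer))

    def state(self, key_id):
        return self._keys[key_id]["state"]

    def _tag(self, key_id, data):
        return hmac.new(self._keys[key_id]["material"], data, hashlib.sha256).digest()
```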