CBT Nuggets ISACA CISA 2016
http://bit.ly/1oJn5Hl

As a Certified Information Systems Auditor (CISA), you'll perform business-critical functions by assessing your organization's IT and business systems to ensure they are monitored, controlled, and protected.

CISA is on the level of CISSP and CCIE in prestige — and in the way it distinguishes you from your peers. CISA is globally recognized within the IT industry and beyond, and is used by the US Department of Defense and others as a minimum requirement for many high-end security positions. And studies have found that having the CISA credential can increase your salary potential.

Recommended Experience

Familiarity with IT operations

Familiarity with IT development lifecycles and project management

Recommended Equipment

No special equipment or software needed

Related Certifications

Certified Information Systems Auditor (CISA)

Related Job Functions

Operations management

Development management

Project management

Auditor

Steve Caseley has been a CBT Nuggets trainer since 2004 and holds a variety of PMI certifications, including PMI-PMP, PMI-ACP, and PMI-SP.



1. CISA Overview (7 min)
Steve provides an overview of the CISA exam and the five knowledge domains that the exam questions are based on. We also review the qualifications for the exam and ways to gain practical knowledge needed to correctly answer the exam questions.
2. The Process of Auditing Information Systems (11 min)
Steve introduces us to the first of the five Knowledge Domains, the Process of Auditing Information Systems. We discuss the five tasks within this domain: Strategy, Plans, Standards, Report and Follow-up.
3. IT Audit Standards, Guidelines, Tools and Techniques, and Code of Ethics (9 min)
This is the first of 11 videos covering the knowledge statements for the Process of Auditing Information Systems Knowledge Domain, and focuses on the standards that have been defined for CISA.
4. Audit Risk Assessment (15 min)
Steve reviews the four components of audit risk assessment: Risk Analysis, Risk Based Auditing, Risk Materiality and Risk Management Techniques. Audit Risk Assessments should ensure that the audit focuses on the areas of IT presenting the highest business risk without introducing additional business risk.
5. Business Processes (5 min)
Steve explains why IT auditors need to have a fundamental understanding of the business processes that are being audited. A fundamental understanding should allow the auditor to understand what the business does, external influences on the business processes, management objectives and strategies, and how performance is measured.
6. Control Objectives (8 min)
Steve reviews the importance of an audit that reflects the business objectives, aligns with the overall short- and long-term audit plans of the organization, and focuses on the areas with the largest potential damage to the organization’s reputation. Explore COBIT5 and its relationship to IT audits, learn how business risks are minimized, and match IT controls to the business needs.
7. Audit Planning and Management (9 min)
Steve defines the Audit Methodology and management approaches for a successfully delivered audit. We present an audit-specific methodology developed to deliver the objective and scope of the audit, and a project management approach consistent with the PMI PMBOK.
8. Laws and Regulations (3 min)
Steve reviews the impact that laws and regulations have on IT audits. Laws and regulations dictate the legal environment within which the organization operates, and define provisions that apply specifically to the audit, including evidence gathering and storage, and audit reporting.
9. Evidence (11 min)
Steve reviews the importance of using the proper procedures to gather and store the audit evidence. Key to any successful audit, the evidence must have integrity, which means the auditor should apply certain processes to ensure they've properly gathered and stored the evidence.
10. Sampling Methodologies (9 min)
Steve reviews methodologies used to sample business results and obtain the evidence necessary to support the audit. We review how to validate processes with Compliance Testing, and validate data with Substantive Testing. We also review statistical sampling methods and Judgmental Sampling, a method used when full statistical sampling doesn’t apply.
11. Reporting and Communications (5 min)
Steve reviews the importance of communications for successful audit completion. Effective communications is an ongoing event comprised of status reports, meeting minutes, emails, and casual conversations. Every interaction between the audit team and the business needs to be professional and well managed.
12. Audit Quality Assurance (3 min)
Steve reviews the role that Quality Assurance plays in the audit process. QA ensures that all the standards, guidelines, and processes defined for a CISA audit are followed.
13. Types of Audits (5 min)
Steve reviews the types of audits that are most typical for a CISA auditor. These are external audits of an organization’s IT processes, systems, and operations.
14. Governance and Management of IT (8 min)
Steve discusses 10 governance and management tasks: IT Strategy, Governance Structure, Organizational Structure and HR Management, IT Policies and Procedures, Resource Investment and Allocation, Portfolio Management, Risk Management, IT Controls, Key Performance Indicators, and Performance Reporting.
15. Information Systems Strategy (10 min)
Steve discusses the role of the Executive Steering Committee in the overall IT approval process, and the importance of having a strategic plan for IT.
16. Standards, Governance and Frameworks (9 min)
Steve focuses on appropriate governance processes with emphasis on senior management engagement, the importance of having a well-defined IT organization structure with separation of duties and ownership, and meeting the availability targets set by the business.
17. IT Organization (6 min)
Steve reviews the factors an auditor needs to consider when validating an IT organization, which include complete roles/responsibility definitions, and that the roles are appropriately assigned to IT members. We then define the role of governing committees and senior management, and review how the RACI chart (Responsible, Accountable, Consulted, and Informed) can clearly define the roles and responsibilities within the IT organization.
18. Legal Compliance (8 min)
Steve discusses legal compliance for external contracts, specifically whether outsourced contracts are appropriate and consistent with legal and corporate policies. We then discuss approaches to ensure overall legal compliance, such as segregation of duties and compensating controls.
19. Enterprise Architecture (4 min)
Steve reviews how to create a successful Architecture Road Map, which ties enterprise architecture to the strategic plan and overall business requirements.
20. Maintenance of Policies and Procedures (2 min)
Steve reviews the importance of regular maintenance of all the IT policies, procedures, and guidelines for appropriateness and relevance in today’s ever-changing business environment. While all IT policies and procedures must be maintained, Steve explicitly calls out the Information Security Policy and the Acceptable Use Policy as two policies that need specific attention.
21. Maturity Models (5 min)
Steve discusses the role of the various IT maturity models and the role that they play in IT organizations. We provide an overview of the CMMI, IDEAL, and PAM models, and the considerations an IT auditor needs to be aware of when conducting a CISA audit.
22. Process Optimization (3 min)
Steve discusses how to use process optimization to improve performance without increasing costs. We review the role of the CISA Auditor in validating the effectiveness of process optimization, and whether the results are consistent with IT best practices.
23. IT Investment Strategies (5 min)
Steve discusses the importance of IT investments providing value for the money, and aligning with the IT strategic plan.
24. IT Vendor Selection and Management (8 min)
Steve reviews the vendor selection and management life cycle: make or buy decision, fair and open selection process, contract negotiations, contract management and contract closing. We then review a spreadsheet that can be used to ensure fair and open vendor selection.
25. IT Risk Management (8 min)
Steve discusses effective enterprise risk management and reviews the five steps of Risk Management: Risk Appetite, Risk Identification, Risk Analysis, Risk Plans, and Risk Management.
26. Control Processes (4 min)
Steve discusses control processes for monitoring and validating Service Level Agreements. We then address continual monitoring and its role in catching and correcting issues that come up during normal operations.
27. Quality Management Systems (4 min)
Steve discusses how quality management systems ensure that both Quality Assurance and Quality Control systems are properly applied. These systems control, measure, and improve IT in the organization to ensure predictability, measurement, repeatability, and, where appropriate, certification.
28. IT Performance Monitoring and Reporting (6 min)
Steve discusses how Balanced Scorecard and Key Performance Indicators (KPI) report the results of monitoring the operations and performance of IT to the organization.
29. BCP – Business Impact Analysis (8 min)
Steve discusses how Business Continuity Planning ensures that plans are in place for all critical processes, and that they identify the recovery timeframes, dependencies, and appropriate recovery strategies.
30. BCP – Maintenance and Testing (3 min)
Steve concludes this Business Continuity Plan discussion with a review of the importance of regular maintenance and testing of the plans to ensure ongoing validity of the BCP.
31. BCP – Invoke and Return to Normal (7 min)
Steve concludes the Business Continuity Plan discussion with the steps required to actually invoke the BCP, activate the DR site, return to normal operations, and finally shut down the DR site.
32. Information Systems Acquisition, Development and Implementation (9 min)
Steve discusses six tasks for information system acquisition, development, and implementation: Business Case, Project Management, Project Reviews, Methodology Compliance, Implementation Readiness, and Post Implementation Review.
33. Benefits Realization (5 min)
Steve reviews the steps an auditor can use to determine whether or not an IT team is delivering the expected benefits. We review the methods an auditor can use to validate the benefits delivered against the original business case, including identification of the measurement process, and validation that someone is assigned responsibility for collecting and validating the benefits.
34. Vendor Management (7 min)
Steve continues the discussion on vendor management, focusing on processes for selecting the best vendor for the stated requirements. We review the RFI, RFP, and contracting processes to ensure that the right items are purchased and that the contract and supporting documents properly document the final configuration purchased.
35. Project Governance (9 min)
Steve reviews project governance and the project organizational structures that should be in place to ensure effective overall governance. Project Governance typically begins with a project steering committee formed from the appropriate managers directly involved with the project.
36. Project Management (17 min)
Steve provides an overview of the most common project management approaches used for IT project delivery, reviews audit approaches for specific project organizational structures, and identifies the key components to determine whether a project was appropriately managed, including whether the project manager has the skills and experience for the type of project.
37. Risk Management (5 min)
Steve reviews the sources of risk for IT projects and how to ensure that the project has a thorough and complete list of risks that can impact its successful delivery.
38. Requirements Management (7 min)
Steve reviews the Requirements Management life cycle: Requirement Identification, Requirement Documentation, Requirement Confirmation, Solution Development, Testing and Final Approval. We also review the Requirements Traceability Matrix, which is key to ensuring successful requirements management.
39. Application Architecture (5 min)
Steve reviews the application architecture as well as the data and application layers, with a specific focus on web and cloud architectures.
40. Methodologies (12 min)
Steve reviews the methodologies and the methodology tools and techniques that can be used for developing IT systems, which includes a review of the project management methodologies, and tools and techniques for application development.
41. Control Objectives and Techniques (11 min)
Steve focuses on how to ensure effective controls are in place during data input, processing, and output. We review edit checks on inputs, controls on processing, and security on output to ensure that only appropriate staff see confidential or restricted information.
42. Testing (10 min)
Steve reviews the various forms of testing that should be completed on a project: Unit, Integration, System, Quality, and Business Acceptance Testing. We also review some testing terms that are likely to be on the CISA exam.
43. Configuration and Change Management (6 min)
Steve reviews the four key components of configuration and change management: Check-in, Version Management, Branching, and Merging. We also review a Change Management form that can be used to ensure that all changes are approved and properly controlled.
44. System Migration and Deployment (10 min)
Steve addresses deployment activities such as data conversion, reviews the steps an auditor should take to ensure that the development tools are used properly, and discusses several industry standards specific to development processes.
45. Project Success Criteria (5 min)
Steve reviews items an auditor needs to look at to determine project success, including adherence to standards, performance, operability, maintainability, and bug reports.
46. Post-Implementation Reviews (4 min)
Steve discusses the post-implementation review, which consists of the validation of the benefits realized, review of lessons learned, harvesting of reusable artifacts, and the all-important post-project party.
47. Information Systems Operations, Maintenance & Support (8 min)
Steve discusses the eleven tasks of the fourth Knowledge Domain: systems meet organizational objectives; service levels are defined and managed; third-party management practices are adhered to; operations and procedures are fully executed; maintenance is controlled and supports objectives; database administration ensures integrity and performance; capacity and performance are monitored; problems and incidents are managed; change, configuration and release are managed; backups and restore provisions are adequate; and a disaster recovery plan specific to the data center exists.
48. Service Level Frameworks (6 min)
Steve provides a high-level overview of the three service-level frameworks that the CISA exam references: ITAF, COBIT and ITIL.
49. Service Level Management (7 min)
Steve reviews key terms related to Service Level Management, identifies the key activities for Support and Delivery Services, and then discusses the four items central to service levels: exception reports, logs, problem reports, and operating schedules.
50. Monitor 3rd Party Compliance (4 min)
Steve reviews types of contracts, contract ownership and contractual commitments.
51. Architecture (11 min)
Steve reviews the process for effective hardware implementation, which includes analysis, planning, hardware acquisition, software acquisition, and implementation.
52. Computer Hardware, Software and Networks (22 min)
Steve reviews common hardware, software, and network environments auditors will encounter, discusses how the risks depend on how current the IT environment is, and contrasts the risks older technology presents with those associated with current technology.
53. Software Resiliency Tools and Techniques (4 min)
Steve reviews tools that support business availability requirements, such as RAID, redundancy, high availability, and alternative sites.
54. Software Licensing and Inventory Interfaces (3 min)
Steve reviews appropriate management controls that ensure all software usage is consistent with the licensing terms and conditions.
55. Managing Schedules (6 min)
Steve focuses on effectively executing operational schedules and discusses the importance of ensuring the right resources are available, including training on the standards and procedures associated with the batch schedules, monitoring, and actual execution of the batch schedule.
56. System Interface Integrity (10 min)
Steve reviews system interface integrity using the OSI (Open Systems Interconnection) reference model, and examines the risks inherent in network topologies, local area networks, and internet and WAN approaches.
57. Capacity Planning (4 min)
Steve reviews the audit considerations for appropriate capacity planning, so that IT systems are appropriately sized for current and planned business volumes. The capacity plan is tied closely to the business plan.
58. Performance Monitoring (3 min)
Steve reviews the importance of performance monitoring to ensure that the IT systems are delivering to the business expectations. We also discuss the importance of accurately produced SLA reports, and remediation steps whenever performance is below expectations.
59. Data Backup (5 min)
Steve reviews the steps required to ensure that all production data is properly backed up and recoverable in the case of a data failure.
60. Database Administration Practices (9 min)
Steve reviews the importance of well-documented data architecture, including the data dictionary, data types, and auditing for database performance. We then review the two database techniques an auditor will typically encounter, hierarchical and relational, and key items that a CISA auditor should examine during an audit.
61. Data Quality and Retention (6 min)
Steve demonstrates how to audit a database for data quality (completeness, accuracy and integrity) and for retention, including data aging and retention periods.
62. Problem and Incident Management (5 min)
Steve defines the two commonly confused terms "incident" and "problem," discusses help desk processes for identifying, logging, and resolving all incidents, and reviews the Fishbone (cause-and-effect) diagram, a common problem-solving technique.
63. Managing Change to Production Environments (3 min)
Steve reviews the processes for properly testing changes before they reach production environments, and discusses how to ensure changes are applied correctly through a controlled change management process.
64. Risks and Controls for End User Computing (6 min)
Steve reviews the risks and controls for end-user computing, including data access, local storage, edits, accuracy, and integrity.
65. Disaster Recovery – Legal and Contractual Issues (7 min)
Steve reviews the different contractual issues that will be encountered for different DR strategies. We then review a list of generic contractual issues that should be considered for all DR contracts.
66. Business Impact of Disaster Recovery (2 min)
Steve reviews the importance of having the DR plan aligned with the Business Impact Analysis along the lines of recovery objectives, time to recovery, cost, critical systems, risk management and management support.
67. Disaster Recovery Plan Maintenance (5 min)
Steve reviews the importance of regular maintenance to ensure that the DR plan properly supports the changing business requirements, and that it reflects the business criticality, costs, time for recovery, and security requirements.
68. Alternate Processing Sites (9 min)
Steve reviews the pros and cons of using a cold site, mobile site, warm site, reciprocal agreement, hot site, or mirrored site for disaster recovery.
69. Disaster Recovery Testing (4 min)
Steve discusses the importance of executing a DR test prior to invoking the plan in a real-world scenario. No amount of desk checking will identify all the issues that require correction.
70. Invoking Disaster Recovery (6 min)
Steve discusses the importance of following the DR plan prior to declaring a disaster, and also the various reasons for invoking DR including natural disaster, health and safety, pandemic, and damage to brand/reputation.
71. Protection of Information Assets (8 min)
Steve discusses the five protection of information asset tasks: information security policies, security controls, data classification, physical assets and environmental controls and data storage.
72. Information Asset Protection (4 min)
Steve reviews the key components associated with protecting the organization’s information assets: physical, data, software, access, and reputation.
73. Privacy Principles (6 min)
Steve reviews the privacy concerns associated with protecting both corporate and public data, and the processes that allow a company to operate while ensuring adequate separation of data.
74. Security Controls (5 min)
Steve reviews the security controls that should be in place to protect the organization’s digital assets and the integrity of the data, which includes implementing proper policies and properly classifying data.
75. Environmental Protection (6 min)
Steve discusses the various environmental protections that should be in place to ensure a safe computing environment, including power protection, physical attacks, water detection, fire alarms, and fire suppression.
76. Physical Access Controls (5 min)
Steve reviews the importance of adequate physical access controls for all components of the IT infrastructure that mitigate the risks of inappropriate access and damage. We also discuss the importance of access controls for the data center, as well as the wiring cabinets, operations areas, power cabinets, and tape libraries.
77. Logical Access Controls (3 min)
Steve reviews the processes and procedures that ensure everyone has the appropriate access to do their jobs at both the system and application levels.
78. Identification and Authentication (3 min)
Steve focuses on an access control process that compares users against the organization’s information security requirements, reviews the pros and cons of single sign-on versus individual application sign-on, and discusses password maintenance.
79. Virtual Systems (5 min)
Steve reviews specific attributes of virtual systems that must be reviewed as part of a CISA audit, and discusses the pros and cons of using VMs to aid in an audit.
80. Mobile Devices (3 min)
Steve reviews the risks that mobile devices introduce to the environment, specifically the risks of theft of data and the need to have data protection in place, such as disk encryption.
81. Voice Communication (4 min)
Steve focuses on digital voice communication using Voice over IP or Digital PBXs, and reviews issues with digital voice communication, including encryption, availability, system impacts, software upgrades, and wire tapping.
82. Internet Security, Protocols and Techniques (9 min)
Steve defines appropriate encryption, reviews why public/private key length matters for resisting attack, discusses the protocols and techniques used for network communication, and outlines the use and risks of common business protocols.
83. Network Security Concerns (4 min)
Steve provides a high-level overview of audit concerns related to networks, specifically the robustness of the firewalls, the use of Intrusion Detection Systems, and Intrusion Prevention Systems.
84. Data Encryption (3 min)
Steve reviews the key principles of data encryption, including algorithm strength, elimination of back doors, resistance to known-plaintext attacks, and ensuring that knowledge of the algorithm itself cannot be used to break the organization's encryption.
85. Public Key Infrastructure (5 min)
Steve reviews the digital certificate, certificate authority, and registration authority, and discusses the importance of certificate expiry dates as a tool to reestablish relationships and maintain the confidence in the encryption process.
86. Peer to Peer Computing (5 min)
Steve reviews the risks of peer-to-peer computing such as social media, message boards, blogs, and instant messaging. If not properly managed, peer-to-peer computing can provide ways to circumvent well-protected corporate infrastructures. We also discuss the risks of allowing corporate PCs to connect to home networks and/or allowing employee-owned devices to connect to corporate networks.
87. Data Classification Standards (4 min)
Steve discusses the three steps for data classification: discovery, inventory and risk assessment, and reviews the importance of risk assessment as part of the classification process.
88. Handling Confidential Data (4 min)
Steve reviews the steps to secure confidential data properly during storage, retrieval, transport, and disposal.
89. Data Leakage (4 min)
Steve discusses data leakage, or the accidental disclosure of important organizational details through such things as job postings, technical boards, corporate websites, and social media.
90. End-User Computing Security (5 min)
Steve discusses specific additional security requirements that end user computing will require to ensure that the power users are able to do their jobs while still protecting the organizations IT assets.
91. Security Awareness Program (4 min)
Steve discusses the importance of having a security awareness program that consists of training, posters, hotlines, and ownership.
92. Cyber Attacks (7 min)
Steve discusses cyberattacks that can be launched against an organization, including attack sources and types, and reviews the types of losses such as theft, denial of service, and loss of reputation.
93. Detection Tools (4 min)
Steve focuses on the tools necessary to protect an organization from malware, specifically good antivirus protection and layered defenses. Steve also discusses the "honeypot," a deliberately exposed decoy system intended to lure attackers away from the organization's production systems.
94. Security Testing Techniques (6 min)
Steve discusses how appropriate testing makes an organization's perimeter defenses strong enough to repel an attack, and the procedures necessary to respond effectively when an attack does take place.
95. Security Incidents (3 min)
Steve reviews the processes for when a security incident takes place, including an effective management structure so that everyone knows what is expected of them. We also review the steps to resolve the incident in a timely manner, minimize impact, and develop a post-incident review.
96. Handling of Evidence (4 min)
Steve reviews the processes that should be followed when handling either audit evidence or evidence of criminal activity to ensure that it is admissible first-hand evidence, specifically the four steps for handling evidence: identify, preserve, analyze, and present.
97. Fraud Risk Factors (6 min)
Steve reviews risk factors of organizational fraud, including privileged users, process and organizational maturity, and environmental factors.
98. Passing the Exam (7 min)
Steve reviews the format of the CISA exam and provides some tips and hints on passing the exam. The paper-based exam consists of 200 multiple choice questions, with a time limit of four hours. The passing score is 450 out of a possible 800 points.
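Video 10 (Sampling Methodologies) contrasts compliance testing of a control with substantive testing of data and mentions statistical sampling. The following is an added example, not material from the course: it performs attribute sampling for a compliance test over a constructed population of change tickets, where the control attribute is "ticket was approved before deployment". The population, the tolerable deviation rate, the sample size and the seed are all assumptions chosen for illustration. It goes slightly beyond the video summary by computing an exact one-sided binomial upper deviation limit, which is how a sample deviation rate is turned into a conclusion at a stated confidence level.

```python
"""Attribute (compliance) sampling over a constructed population of change tickets.

Added example, not part of the CBT Nuggets course. The ticket data, tolerable
deviation rate, sample size and seed are constructed assumptions.
"""
import math
import random

# Constructed population: (ticket_id, approved_before_deploy).
# In a real audit this would be an export from the change-management system.
POPULATION = [(f"CHG-{i:04d}", i % 25 != 0) for i in range(1, 501)]  # 20 of 500 unapproved


def draw_sample(population, sample_size, seed):
    """Random selection without replacement. The seed is recorded in the work
    papers so a reviewer can reproduce exactly the same sample."""
    rng = random.Random(seed)
    return rng.sample(population, sample_size)


def deviation_rate(sample, control_ok):
    """Count sampled items where the control attribute failed; return (count, rate)."""
    failures = sum(1 for item in sample if not control_ok(item))
    return failures, failures / len(sample)


def upper_deviation_limit(n, failures, confidence=0.95):
    """One-sided exact binomial upper bound on the population deviation rate:
    the largest p such that P(X <= failures | n, p) >= 1 - confidence.
    Found by bisection on the binomial CDF (no external packages needed)."""
    def cdf(p):
        return sum(math.comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(failures + 1))

    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if cdf(mid) >= 1 - confidence:
            lo = mid
        else:
            hi = mid
    return lo


def compliance_conclusion(sample, control_ok, tolerable_rate, confidence=0.95):
    """Compare the upper deviation limit with the tolerable deviation rate fixed at
    planning time. The control is judged effective only if, at the chosen confidence,
    the true deviation rate is at most the tolerable rate."""
    failures, rate = deviation_rate(sample, control_ok)
    udl = upper_deviation_limit(len(sample), failures, confidence)
    return {
        "sample_size": len(sample),
        "failures": failures,
        "sample_deviation_rate": round(rate, 4),
        "upper_deviation_limit": round(udl, 4),
        "control_effective": udl <= tolerable_rate,
    }


if __name__ == "__main__":
    # 60 tickets, 5% tolerable deviation rate, 95% confidence (all assumed values).
    sample = draw_sample(POPULATION, 60, seed=2016)
    print(compliance_conclusion(sample, control_ok=lambda t: t[1], tolerable_rate=0.05))
```

With 60 items and zero deviations the upper limit is about 4.9%, just under a 5% tolerable rate; a single deviation in the same sample pushes the limit to roughly 7.7%, so the auditor would either extend the sample or conclude the control cannot be relied upon. That is the practical point of fixing the tolerable rate and sample size before looking at the data rather than after.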

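Video 9 (Evidence) says audit evidence must have integrity and that the auditor should follow set procedures for gathering and storing it, and video 96 (Handling of Evidence) lists the four steps identify, preserve, analyze, present. This added example, which is not course material, shows the minimal mechanism behind both: hash every evidence item at collection, keep an append-only custody record, re-verify the hashes before analysis or presentation, and seal the manifest with an HMAC so the record itself cannot be altered silently. The evidence items, custodian names, timestamps and key are constructed for illustration.

```python
"""Evidence integrity manifest with custody trail. Added example, not from the course.
Evidence contents, custodian names, timestamps and the sealing key are constructed.
"""
import hashlib
import hmac
import json

# Constructed evidence items held as bytes (in practice: files, exports, disk images).
EVIDENCE = {
    "firewall-config-2016-03-01.txt": b"hostname fw1\npermit tcp any host 10.0.0.5 eq 443\n",
    "auth.log": b"Mar  1 09:14:02 app1 sshd[1201]: Accepted publickey for deploy from 10.0.0.9\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect(evidence: dict, custodian: str, collected_at: str) -> dict:
    """Identify + preserve: record a digest and size for every item, plus who collected it and when."""
    return {
        "collected_by": custodian,
        "collected_at": collected_at,
        "items": {name: {"sha256": sha256_hex(data), "size": len(data)} for name, data in evidence.items()},
        "custody": [{"action": "collected", "by": custodian, "at": collected_at}],
    }


def transfer(manifest: dict, from_person: str, to_person: str, at: str) -> dict:
    """Append a custody event. Entries are only ever appended, never edited in place."""
    manifest["custody"].append({"action": "transferred", "from": from_person, "to": to_person, "at": at})
    return manifest


def verify(manifest: dict, evidence: dict) -> dict:
    """Before analysis or presentation: recompute every digest and report ok / modified / missing."""
    results = {}
    for name, rec in manifest["items"].items():
        data = evidence.get(name)
        if data is None:
            results[name] = "missing"
        elif hmac.compare_digest(sha256_hex(data), rec["sha256"]):
            results[name] = "ok"
        else:
            results[name] = "modified"
    return results


def seal(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON form of the manifest, so any later change to
    the manifest (including its custody trail) is detectable by whoever holds the key."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def check_seal(manifest: dict, key: bytes, tag: str) -> bool:
    """Constant-time comparison of a stored seal against a freshly computed one."""
    return hmac.compare_digest(seal(manifest, key), tag)


if __name__ == "__main__":
    manifest = collect(EVIDENCE, "A. Auditor", "2016-03-02T10:00:00Z")
    tag = seal(manifest, b"constructed-sealing-key")
    print(verify(manifest, EVIDENCE))                        # every item "ok"
    print(check_seal(manifest, b"constructed-sealing-key", tag))
```

The sealing key belongs to the audit function, not to whoever stores the evidence; otherwise the party that could tamper with the files could also re-seal a matching manifest. For evidence intended for a court, the same digests are what get cited when the item is presented, so the manifest should be produced at the moment of collection, not reconstructed later.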


The post CBT Nuggets ISACA CISA 2016 appeared first on Free Download For All.

1 comment:

Unknown said…

file is deleted
