
Information systems audit

Detailed programme of the course "Preparation for the international CISA certification"

ISEIG, av. des Boveresses 52, CP 99, CH - 1000 Lausanne 21, tel.: 021/654.40.60, fax: 021/654.40.69, e-mail: webmaster@iseig.ch
http://www.iseig.ch/

1. Information systems audit

Domain 1 - The IS audit process (10 percent)

Provide IS audit services in accordance with IS audit standards, guidelines and best practices to assist the organization in ensuring that its information technology and business systems are protected and controlled.

Tasks

Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
Plan specific audits to ensure that IT and business systems are protected and controlled.
Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
Communicate emerging issues, potential risks and audit results to key stakeholders.
Advise on the implementation of risk management and control practices within the organization, while maintaining independence.

Knowledge Statements

Knowledge of ISACA IS Auditing Standards, Guidelines and Procedures and the Code of Professional Ethics
Knowledge of IS auditing practices and techniques
Knowledge of techniques to gather information and preserve evidence (e.g., observation, inquiry, interview, CAATTs and electronic media)
Knowledge of the evidence life cycle (e.g., the collection, protection, chain of custody)
Knowledge of control objectives and controls related to IS (e.g., COBIT)
Knowledge of risk assessment in an audit context
Knowledge of audit planning and management techniques
Knowledge of reporting and communication techniques (e.g., facilitation, negotiation and conflict resolution)
Knowledge of control self-assessment (CSA)
Knowledge of continuous audit techniques

Domain 2 - IT governance (15 percent)

Provide assurance that the organization has the structure, policies, accountability, mechanisms and monitoring practices in place to achieve the requirements of corporate governance of IT.

Tasks

Evaluate the effectiveness of the IT governance structure to ensure adequate board control over the decisions, directions and performance of IT so that it supports the organization's strategies and objectives.
Evaluate the IT organizational structure and human resources (personnel) management to ensure that they support the organization's strategies and objectives.
Evaluate the IT strategy and the process for its development, approval, implementation and maintenance to ensure that it supports the organization's strategies and objectives.
Evaluate the organization's IT policies, standards and procedures and the processes for their development, approval, implementation and maintenance to ensure that they support the IT strategy and comply with regulatory and legal requirements.
Evaluate management practices to ensure compliance with the organization's IT strategy, policies, standards and procedures.
Evaluate IT resource investment, use and allocation practices to ensure alignment with the organization's strategies and objectives.
Evaluate IT contracting strategies and policies and contract management practices to ensure that they support the organization's strategies and objectives.
Evaluate risk management practices to ensure that the organization's IT-related risks are properly managed.
Evaluate monitoring and assurance practices to ensure that the board and executive management receive sufficient and timely information about IT performance.

Knowledge Statements

Knowledge of the purpose of IT strategies, policies, standards and procedures for an organization and the essential elements of each
Knowledge of IT governance frameworks
Knowledge of the processes for the development, implementation and maintenance of IT strategies, policies, standards and procedures (e.g., protection of information assets, business continuity and disaster recovery, systems and infrastructure life cycle management, and IT service delivery and support)
Knowledge of quality management strategies and policies
Knowledge of organizational structure, roles and responsibilities related to the use and management of IT
Knowledge of generally accepted international IT standards and guidelines
Knowledge of enterprise IT architecture and its implications for setting long-term strategic goals
Knowledge of risk management methodologies and tools
Knowledge of the use of control frameworks (e.g., COBIT, COSO and ISO/IEC 17799)
Knowledge of the use of maturity and process improvement models (e.g., CMM and COBIT)
Knowledge of contracting strategies, processes and contract management practices
Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards and key performance indicators)
Knowledge of relevant legislative and regulatory issues (e.g., privacy, intellectual property and corporate governance requirements)
Knowledge of IT human resources (personnel) management
Knowledge of IT resource investment and allocation practices (e.g., portfolio management, return on investment)

Domain 3 - Systems and infrastructure life cycle (16 percent)

Provide assurance that the management practices for the development/acquisition, testing, implementation, maintenance and disposal of systems and infrastructure will meet the organization's objectives.

Tasks

Evaluate the business case for the proposed system development/acquisition to ensure that it meets the organization's business goals.
Evaluate the project management framework and project governance practices to ensure that business objectives are achieved in a cost-effective manner, while managing risks to the organization.
Perform reviews to ensure that a project is progressing in accordance with project plans, is adequately supported by documentation and its status reporting is accurate.
Evaluate proposed control mechanisms for systems and/or infrastructure during specification, development/acquisition and testing to ensure that they will provide safeguards and comply with the organization's policies and other requirements.
Evaluate the processes by which systems and/or infrastructure are developed/acquired and tested to ensure that the deliverables meet the organization's objectives.
Evaluate the readiness of the system and/or infrastructure for implementation and migration into production.
Perform post-implementation review of systems and/or infrastructure to ensure that they meet the organization's objectives and are subject to effective internal control.
Perform periodic reviews of systems and/or infrastructure to ensure that they continue to meet the organization's objectives and are subject to effective internal control.
Evaluate the process by which systems and/or infrastructure are maintained to ensure the continued support of the organization's objectives and that the systems and/or infrastructure are subject to effective internal control.
Evaluate the process by which systems and/or infrastructure are disposed of to ensure that they comply with the organization's policies and procedures.

Knowledge Statements

Knowledge of benefits management practice (e.g., feasibility studies and business cases)
Knowledge of project governance mechanisms (e.g., steering committee and project oversight board)
Knowledge of project management practices, tools and control frameworks
Knowledge of risk management practices applied to projects
Knowledge of project success criteria and risks
Knowledge of configuration, change and release management in relation to development and maintenance of systems and/or infrastructure
Knowledge of control objectives and techniques that ensure the completeness, accuracy, validity and authorization of transactions and data within IT systems applications
Knowledge of enterprise architecture related to data, applications and technology (e.g., distributed applications, web-based applications, web services and n-tier applications)
Knowledge of requirements analysis and management practices (e.g., requirements verification, traceability and gap analysis)
Knowledge of acquisition and contract management processes (e.g., evaluation of vendors, preparation of contracts, vendor management and escrow)
Knowledge of system development methodologies and tools and an understanding of their strengths and weaknesses (e.g., agile development practices, prototyping, rapid application development and object-oriented design techniques)
Knowledge of quality assurance methods
Knowledge of the management of testing processes (e.g., test strategies, test plans, test environments, entry and exit criteria)
Knowledge of data conversion tools, techniques and procedures
Knowledge of system and/or infrastructure disposal procedures
Knowledge of software and hardware certification and accreditation practices
Knowledge of post-implementation review objectives and methods (e.g., project closure, benefits realization and performance measurement)
Knowledge of system migration and infrastructure deployment practices

Domain 4 - IT service delivery and support (14 percent)

Provide assurance that the IT service management practices will ensure the delivery of the level of services required to meet the organization's objectives.

Tasks

Evaluate service-level management practices to ensure that the level of service from internal and external service providers is defined and managed.
Evaluate operations management to ensure that IT support functions effectively meet business needs.
Evaluate data administration practices to ensure the integrity and optimization of databases.
Evaluate the use of capacity and performance monitoring tools and techniques to ensure that IT services meet the organization's objectives.
Evaluate change, configuration and release management practices to ensure that changes made to the organization's production environment are adequately controlled and documented.
Evaluate problem and incident management practices to ensure that incidents, problems and errors are recorded, analyzed and resolved in a timely manner.
Evaluate the functionality of the IT infrastructure (e.g., network components, hardware and system software) to ensure that it supports the organization's objectives.

Knowledge Statements

Knowledge of service-level management practices
Knowledge of operations management best practices (e.g., workload scheduling, network services management and preventive maintenance)
Knowledge of system performance monitoring processes, tools and techniques (e.g., network analyzers, system utilization reports and load balancing)
Knowledge of the functionality of hardware and network components (e.g., routers, switches, firewalls and peripherals)
Knowledge of database administration practices
Knowledge of the functionality of system software including operating systems, utilities and database management systems
Knowledge of capacity planning and monitoring techniques
Knowledge of processes for managing scheduled and emergency changes to the production systems and/or infrastructure including change, configuration, release and patch management practices
Knowledge of incident/problem management practices (e.g., help desk, escalation procedures and tracking)
Knowledge of software licensing and inventory practices
Knowledge of system resiliency tools and techniques (e.g., fault-tolerant hardware, elimination of single points of failure and clustering)

Domain 5 - Protection of information assets (31 percent)

Provide assurance that the security architecture (policies, standards, procedures and controls) ensures the confidentiality, integrity and availability of information assets.

Tasks

Evaluate the design, implementation and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorized use of information assets.
Evaluate network infrastructure security to ensure confidentiality, integrity, availability and authorized use of the network and the information transmitted.
Evaluate the design, implementation and monitoring of environmental controls to prevent or minimize loss.
Evaluate the design, implementation and monitoring of physical access controls to ensure that information assets are adequately safeguarded.
Evaluate the processes and procedures used to store, retrieve, transport and dispose of confidential information assets.

Knowledge Statements

Knowledge of the techniques for the design, implementation and monitoring of security (e.g., threat and risk assessment, sensitivity analysis and privacy impact assessment)
Knowledge of logical access controls for the identification, authentication and restriction of users to authorized functions and data (e.g., dynamic passwords, challenge/response, menus and profiles)
Knowledge of logical access security architectures (e.g., single sign-on, user identification strategies and identity management)
Knowledge of attack methods and techniques (e.g., hacking, spoofing, Trojan horses, denial of service and spamming)
Knowledge of processes related to monitoring and responding to security incidents (e.g., escalation procedures and emergency incident response teams)
Knowledge of network and Internet security devices, protocols and techniques (e.g., SSL, SET, VPN and NAT)
Knowledge of intrusion detection systems and firewall configuration, implementation, operation and maintenance
Knowledge of encryption algorithm techniques (e.g., AES, RSA)
Knowledge of public key infrastructure (PKI) components (e.g., certification authorities and registration authorities) and digital signature techniques
Knowledge of virus detection tools and control techniques
Knowledge of security testing and assessment tools (e.g., penetration testing and vulnerability scanning)
Knowledge of environmental protection practices and devices (e.g., fire suppression, cooling systems and water sensors)
Knowledge of physical security systems and practices (e.g., biometrics, access cards, cipher locks and tokens)
Knowledge of data classification schemes (e.g., public, confidential, private and sensitive data)
Knowledge of voice communications security (e.g., voice over IP)
Knowledge of the processes and procedures used to store, retrieve, transport and dispose of confidential information assets
Knowledge of controls and risks associated with the use of portable and wireless devices (e.g., PDAs, USB devices and Bluetooth devices)

Domain 6 - Business continuity and disaster recovery (14 percent)

Provide assurance that, in the event of a disruption, the business continuity and disaster recovery processes will ensure the timely resumption of IT services, while minimizing the business impact.

Tasks

Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing.
Evaluate the organization's disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster.
Evaluate the organization's business continuity plan to ensure its ability to continue essential business operations during the period of an IT disruption.

Knowledge Statements

Knowledge of data backup, storage, maintenance, retention and restoration processes and practices
Knowledge of regulatory, legal, contractual and insurance issues related to business continuity and disaster recovery
Knowledge of business impact analysis (BIA)
Knowledge of the development and maintenance of the business continuity and disaster recovery plans
Knowledge of business continuity and disaster recovery testing approaches and methods
Knowledge of human resources management practices as related to business continuity and disaster recovery (e.g., evacuation planning and response teams)
Knowledge of processes used to invoke the business continuity and disaster recovery plans
Knowledge of types of alternate processing sites and methods used to monitor the contractual agreements (e.g., hot sites, warm sites and cold sites)

2. Preparation for the international CISA certification

Preparation for the certification exam is based on the following activities:
review of the material covered in module 1
exam preparation strategy
mock exams
feedback and further discussion of selected topics

