CISA Flashcards

(121 cards)

1
Q

Preventive control

A

Detect problems before they arise; prevent an error

2
Q

Detective control

A

Detect and report the occurrence of an error

3
Q

Corrective control

A

Minimize the impact of a threat, correct errors arising from a problem

4
Q

Inherent Risk

A

Risk level without consideration of the controls

5
Q

Control risk

A

The risk that a material error exists that would not be prevented by the existing controls

6
Q

Detection risk

A

The risk that material errors or misstatements are not identified by IS Audit

7
Q

Overall audit risk

A

The probability that information or financial reports contain material errors or misstatements

8
Q

Risk Mitigation

A

Reducing risk with controls

9
Q

Risk Acceptance

A

Not taking any action towards the risk

10
Q

Risk Avoidance

A

Avoiding risk by not allowing the action that would cause risk

11
Q

Nonstatistical sampling

A

Judgemental method of determining the sample size

12
Q

Risk Sharing (Transfer)

A

Transferring the associated risk to other parties

13
Q

Statistical Sampling

A

Objective method of determining the sample size

14
Q

Attribute sampling

A

Answers the question “how many?” For example, how many user access requests out of the total were approved.

15
Q

Stop or go sampling

A

Helps prevent excessive sampling by allowing the auditor to stop testing at the earliest possible moment

16
Q

Inquiry

A

Interview of the respective personnel

17
Q

Observation

A

Observation of audit evidence

18
Q

Walkthroughs

A

Technique used to confirm the understanding of the controls

19
Q

Reperformance

A

Generally provides better audit evidence than other methods

20
Q

SCARF

A

System Control Audit Review File
Embedding of audit software in the host application for continuous auditing. Useful when regular processing cannot be interrupted.

21
Q

Snapshots

A

This technique involves taking “pictures” at the start and at the end of the process flow. Transactions are tagged by identifiers. Useful when an audit trail is required.

22
Q

Audit Hooks

A

Embedding of hooks in the application's functions to work as an alert for detection and prevention. Useful when only selected transactions need to be examined.

23
Q

ITF

A

Test transactions are processed at the same time as the live transactions in the same environment. Useful when it is not beneficial to use test data.

24
Q

CIS (Continuous and intermittent simulation)

A

Useful when transactions meeting certain criteria need to be examined

25
CSA
Assessment of controls made by staff and management. Does not replace the external audit function. The IS auditor works as a facilitator. Helps with early detection of risk and enhances the external audit.
26
ISO 27000 series
Series of best practices that provide guidance to organizations implementing and maintaining information security programs
26
COBIT
Developed by ISACA to support EGIT by providing a framework that ensures that IT is aligned with the business, IT enables the business and benefits are maximized.
27
ITIL
Framework used to achieve operational IT service management
28
High level information security policy
Should include statements on confidentiality, integrity and availability
29
Data classification policy
Should describe the classification, level of control and responsibilities of all potential users including ownership
30
Acceptable use policy
Includes information for all information resources and describes the organizational permissions for the usage of IT and information related resources
31
End-user computing policy
Describes the parameters and usage of desktop, mobile computing and other tools by users
32
Access control policies
Describe the method for defining and granting access to users to various IT resources
33
IT Steering committee
Reviews long- and short-range plans of the IT department. Ensures that IT plans align with corporate objectives. Reports IS activities to the board of directors.
34
Risk Management program
1. Asset identification 2. Evaluation of threats and vulnerabilities to assets 3. Evaluation of Impact 4. Calculation of Risk 5. Evaluation of response to risk
35
Planning phase
1. Audit Subject 2. Audit Objective 3. Audit Scope 4. Preaudit planning 5. Determine procedures
35
Risk based audit approach
1. Gather information and plan 2. Obtain understanding of internal controls 3. Perform compliance tests 4. Perform substantive tests 5. Conclude audit
36
Fieldwork and documentation phase
1. Acquire data 2. Test Controls 3. Issue discovery and validation 4. Document results
37
Reporting phase
1. Gather report requirements 2. Draft report 3. Issue report 4. Follow up
38
CMMI
Capability maturity model integration. Evaluates management of a computer center and the development function, and the change management process.
38
SOC 2
Report on the service organization's system controls relevant to security, availability, processing integrity, confidentiality or privacy.
39
SOC 1
Report on the service organization's system controls likely to be relevant to user entities' internal control over financial reporting
40
SOC 3
Similar to SOC 2 but does not include the detailed understanding of the design of controls and the tests performed by the service auditor
40
IT Balanced Scorecard
Drives the organization towards optimal use of IT, aligned with the organization's strategic goals.
41
QA
Verify that system changes are authorized, tested and implemented in a controlled manner prior to being introduced into production
42
Project portfolio
All projects being carried out in the organization at a given point of time
43
FPA
Function point analysis. Multi-point technique used for estimating the complexity (size) in developing a large business application
44
SLOC
Count of source lines of code. Can be used in estimating the size of small, non-complex applications
45
GANTT Charts
Aid in scheduling and monitoring of project activities
46
Critical path
The sequence of events that produces the longest path through a project. Helps to estimate the overall time required to complete the project.
47
Timebox management
Project management technique for defining and deploying a software deliverable in a certain short frame of time. Combines the QA and UAT functions
48
PERT
Program evaluation review technique. Used to estimate the length of the project.
49
SDLC
Software development life cycle. 1. Feasibility study 2. Requirement definitions 3A. Software selection and acquisition 3B. Design 4B. Development 5. Final testing and implementation 6. Post-implementation
50
Prototyping
Software development methodology. Usually has a lack of controls when finished. Changes in design and requirements happen quickly which makes change management complicated.
51
RAD
Rapid Application Development. Develops strategically important applications quickly while reducing development costs and quality. RAD uses prototyping.
52
OOSD
Object oriented system development. Data and procedures can be grouped into an entity known as an object. Advantages: capacity to meet the demands of a changing environment, manage an unrestricted variety of data types
52
Component based development
Reduces development time.
53
Sequence check
Out-of-sequence or duplicated control numbers are rejected or noted for follow-up.
53
Limit check
Data should not exceed the predetermined amount
54
Data Atomicity
Transaction is either completed in its entirety or not at all.
54
Range check
Data should be in the predetermined range
55
Data Consistency
All integrity conditions in the database are maintained with each transaction.
55
Table lookups
Input data must comply with predetermined criteria held in a computerized table.
55
Validity check
Programmed checking of the data validity in accordance with predetermined criteria
56
Check digit
A numeric value has been calculated mathematically and is added to data to ensure that the original data has not been altered during transposition and transcription.
56
Regression testing
Rerunning the same tests after changes have been made to the program
57
White box testing (software)
Assess the effectiveness of software program logic.
58
Sociability testing
Test to confirm that the new or modified system can operate in the target environment
58
Black box testing (software)
Functional operational effectiveness testing
59
Parallel testing
Feeding test data to both the original system and the system in development and comparing the results
59
Top down software testing
Advantages: Tests of major functions and processing are conducted early. Interface errors can be detected sooner.
59
Bottom up software testing
Begins testing with atomic units, such as programs and modules. Advantages: errors in critical modules are found early; testing can be started before all programs are complete.
60
Data Isolation
Each transaction is isolated from other transactions
61
Data Durability
If the transaction is reported as complete, the database endures subsequent hardware or software failures
61
Snapshot (program)
Record flow of designated transactions through logic paths within program. Verifies program logic.
62
Mapping
Identifies specific program logic that has not been tested and analyzes programs during execution to indicate whether program statements have been executed. Identifies potential exposures, identifies efficiency
63
Tracing and tagging
Shows the trail of instructions executed during an application. Tagging involves placing an indicator on selected transactions at input and using tracing to track them. Provides an exact picture of the sequence of events.
64
Test data / deck
Simulates transactions through real programs
65
Parallel operation
Process actual production data through the current system and the system in development. Verifies the new system before discontinuing the old system.
66
Parallel simulation
Process production data using computer programs that simulate application program logic. Eliminates need to prepare test data.
66
ITF
Integrated test facility. Creates a fictitious file in the database with test transactions processed simultaneously with live data. Periodic testing does not require a separate test process.
66
Parallel changeover
Running of the old and new systems in parallel.
67
Phased changeover
Old system is phased out in pieces
68
Abrupt changeover
Old system is replaced by a cutoff at a certain date and time
68
BIA
Business Impact Analysis is used to evaluate the critical processes and to determine the time frames, priorities, resources and interdependencies. To perform a BIA you need an understanding of the organization and its key business processes. Often this information can be obtained from the Risk Assessment results.
69
Alternative routing
Method of routing information via an alternate medium. This method uses different networks, circuits and end points.
69
DBMS
Database management software. Aids in organizing, controlling and using the data needed by the application program.
70
Diverse routing
The method of routing traffic through split cable facilities or duplicate cables
70
Long-haul Network diversity
Routing of the network through multiple vendors / carriers in case one of the carriers goes out.
71
Full backup
Copies all files and folders to the backup media.
71
DRP
Disaster recovery plan. The technical aspect of BCP.
72
Incremental backup
Copies the files and folders that have changed since the last incremental or full backup.
73
Differential backup
Copies all files and folders that have been changed or added since the last full backup was performed.
74
BCP(steps)
Business continuity plan. Enables the business to continue offering critical services in the event of a disruption and to survive a disastrous interruption to activities. 1. Project planning 2. Risk assessment and analysis 3. BIA 4. BC strategy development 5. BC plan development 6. BC awareness training 7. BC plan testing 8. BC plan monitoring
75
COOP
Continuity of operations plan. Procedures and guidance to sustain an organization's MEFs at an alternative site for up to 30 days
76
Preparedness test
Localized version of a full test where actual resources are expended in the simulation of a system crash.
77
Paper test
Paper walkthrough of the plan, involving major players who reason out different scenarios.
78
Full Operational test
One step away from an actual service disruption.
79
Cold Site
Facility with space and basic infrastructure, but lacking any IT or communication equipment, programs, data or office support
80
Mobile Site
For example a van packed with equipment to run small business operations
81
Warm site
Complete infrastructure, but partially configured in terms of IT. Typically in a warm site the programs and data would need to be loaded to the site before they can be used.
82
Hot Site
Facility with space, basic infrastructure and all IT and communication equipment required to support critical applications. Usually has up-to-date programs and data equivalent to the primary site.
83
Mirrored site
Fully redundant site with real-time data replication from the production site. Fully equipped and staffed.
84
Reciprocal agreement
Agreement between separate but similar companies on using the other company's premises in case of a disaster.
84
Symmetric encryption
A single key is used to encrypt and decrypt the messages
85
Asymmetric encryption
Two keys are used; one for encryption and another for decryption. Used to achieve confidentiality, authentication, non-repudiation and integrity
86
Confidentiality
Confidentiality in this context means that the data is only available to authorized parties.
87
Authentication
In authentication, the user or computer has to prove its identity to the server or client.
88
Non-repudiation
Nonrepudiation ensures that no party can deny that it sent or received a message via encryption and/or digital signatures or approved some information.
89
Integrity
Integrity means that data or information in your system is maintained so that it is not modified or deleted by unauthorized parties.
90
Availability
Availability guarantees that systems, applications and data are available to users when they need them.
91
Hash value
Used to ensure the integrity of message/content.
92
CA
Certificate Authority. Responsible for the issuance and management of digital certificates.
93
RA
Registration Authority. Delegated the function of verifying the correctness of the information provided by applicants.
94
IDS
Intrusion Detection System. Can be placed either between a firewall and the external network or between a firewall and the internal network. Used to detect intrusions.
95
IPS
Intrusion Prevention System. Detects and prevents intrusion attacks.
100
Blackbox pen test
Assumes no prior knowledge of the infrastructure. Important to have management knowledge prior to testing.