Index

Numbers

3DES (Triple Data Encryption Standard), 359

4GL programming languages, 258

5GL programming languages, 258

802.11 wireless connections, security, 406

802.11 wireless standard, 299-301

A

accepting risk (risk management), 45

access control

application controls, 244

authentication

biometric systems, 338-339

by characteristic, 338-340

by knowledge, 336-337

by ownership, 338

centralized authentication, 345-346

Federation, 343-345

geofencing, 337

multi-platform authentication, 343-345

passwords, 336-337

somewhere you are systems, 340

SSO, 340-342

tokens, 338

two-factor authentication, 338

cloud computing, 218

exterior security control

bollards, 350

CCTV systems, 352, 355-356

dogs, 351

entry points, 351

fences, 349-350

gates, 350

guards, 352

HVAC, 356

lighting, 351, 354

locks, 353-354

Federation, 343-345

identification, 336

information asset protection, 370

NAC, 415

perimeter security control

bollards, 350

CCTV systems, 352, 355-356

dogs, 351

entry points, 351

fences, 349-350

gates, 350

guards, 352

HVAC, 356

lighting, 351, 354

locks, 353-354

turnstiles, 352

physical/environmental access control

bollards, 350

CCTV systems, 352, 355-356

dogs, 351

entry points, 351

fences, 349-350

gates, 350

guards, 352

HVAC, 356

lighting, 351, 354

locks, 353-354

turnstiles, 352

remote access

Diameter, 346

encryption, 347

RADIUS, 345-346

risks of, 347

TACACS, 346

VPN, 347-348

security labels, bypassing, 414

SSH, 347

SSO, 340

advantages of, 341

Kerberos, 341-342

Telnet, 347

accountability

IT governance, 77

organizations, 95

vendors, quality of, 95

accounting ethics

Arthur Andersen, 30

SOX, 35, 119

accreditation, 208

ACID tests, 245, 282

active discovery stage (penetration testing), 417

acts. See laws/regulatory standards

Adleman, Len, 363

administration, 104

administrative controls (security controls)

blogs, 397

IM, 396-397

message boards, 397

social media, 397-398

websites, 397

administrative support teams (BCP), 154

adverse opinions (audit reports), 58

advisory policies, 91

AES (Advanced Encryption Standard), 362

aggregation (databases), 278

agile software development, 213

AI (Artificial Intelligence)/expert systems, BI, 258

al-Kindi and cryptanalysis, Abu, 358

ALE (Annual Loss Expectancy)

BIA criticality analysis, 148

quantitative risk analysis, 85

algorithms (encryption), 358

alpha testing, 207

alternate processing sites

cold sites, 161

hot sites, 160

mobile sites, 160

oversubscription, 163

reciprocal agreements, 162-163

subscription services, 160, 163

warm sites, 161

alternate routing, telecommunications recovery, 170

alternative processing agreements, disaster recovery, 171

alternative system development

CBD, 220

cloud computing

access control, 218

cloud providers, 218-219

encryption, 219

models of, 216

security, 219

services, 216

threats to, 218-219

training, 218

DOSD, 219

n-tier, 220-221

OOSD, 220

outsourcing, 214-215

virtualization, 221-222

WBAD, 220

analyzing risk, 44

anomaly detection IDS, 312

antivirus software, virtualization, 395

anycast addresses, 294

AP (Access Points)

trap doors, 411

WAP, 299, 305, 406-407

application controls

automated application controls, 236-237

continuous online auditing, 247-249

data integrity controls, 245, 249

manual application controls, 236-237

observation, 244, 248

separating duties, 244

testing, 244, 248

testing applications, 246-249

understanding applications, 248

documentation, 243

flowcharts, 243-244

application layer

OSI reference model, 287

TCP/IP reference model, 296-297

application proxies, 307

application switches, 304

application system (EDI), 254

applications

business application systems

BI, 256-260

e-commerce, 253

EDI, 254-255

email, 255

flowcharts, 252

CBD, 220

DOSD, 219

hotspot security, 302

n-tier and application development, 220-221

OOSD, 220

smartphones/tablets security, 302

testing, 246-249

virtualization and application development, 221-222

WBAD, 220

applying for CISA certification, 8

ARM (Application Reference Model), FEAF, 112

ARO (Annual Rate of Occurrence)

BIA criticality analysis, 147

quantitative risk analysis, 85

ARP (Address Resolution Protocol), 294

Arthur Andersen, ethics, 30

assessing risk, 40

audit risk, 42

control risk, 41-42

detection risk, 41-42

inherent risk, 41

material, defining, 41

qualitative analysis, 86-87

qualitative judgments, 43

quantitative analysis, 42-43, 84-87

residual risk, 42

asset identification (ERM), 82

asset management

attack methods/techniques, 399-413

prevention/detection tools/techniques, 414-418

problem/incident management, 418-429

security controls, 391-397

asset protection

access control

authentication, 336-346

exterior security control, 349-356

Federation, 343-345

identification, 336

perimeter security control, 349-356

physical/environmental access control, 349-356

remote access, 345-348

SSH, 347

SSO, 340-342

Telnet, 347

data breaches

data destruction, 378

encryption, 374-375

infrastructures, 378-379

unsecured devices, 375-378

Verizon Data Breach report, 374

hardware security controls, voice communications, 356-357

information asset protection

access control, 370

compliance laws, 370-371

data classification, 373-374

data life cycles, 369

keyloggers, 371

monitoring, 371-372

privacy controls, 372

risk-assessment, 372

security controls, 372

encryption, 357-368

voice communications, 356-357

software security controls, 356-368

assignments (employee management), rotation of, 102, 107

asymmetric encryption, 358-359, 362-368

asynchronous attacks, 411

Atbash, encryption, 357

ATM (Asynchronous Transfer Mode), 313

Atomicity (ACID tests), 245, 282

attack methods/techniques

asynchronous attacks, 411

Bluebugging, 406

Bluejacking, 406

Bluesnarfing, 406

botnets, 403-404

brute-force attacks, 413

buffer overflow attacks, 409

comparative analysis, 412

DDoS attacks, 402-403

dictionary attacks, 412

DoS attacks, 402-403

droppers, 405

dumpster diving attacks, 400

email attacks, 400

hijacking attacks, 401

HOIC, 403

hping, 403

hybrid attacks, 412-413

integer overflow attacks, 412

John the Ripper, 413

logic bombs, 411

LOIC, 403

malware, 404-405

MITM attacks, 401

password-cracking programs, 412-413

phishing attacks, 400

ping of death, 402

pretexting attacks, 400

rainbow tables, 413

rounding-down attacks, 412

RUDY, 403

salami technique, 412

slowloris, 403

smurfing attacks, 402

sniffing attacks, 400

social-engineering attacks, 399-400

spear phishing attacks, 400

spoofing attacks, 400

SQL injection attacks, 408-409

syn flooding, 403

thunder tables, 413

TOCTOU attacks, 411

trap doors, 411

Trojans, 405

viruses, 405

WAP-related attacks, 406

whaling attacks, 400

worms, 405

wrappers, 405

XSRF attacks, 411

XSS attacks, 411

zero-day attacks, 404

attack stage (penetration testing), 417

Attack Surface Analyzer (Microsoft), 409

attack-detection tools, 414

attenuation (cabling), 320

attribute sampling, 52

attributes (databases), 278

audit hooks, continuous online auditing, 248

audit monitors, EDI, 254-255

audit planning, 236. See also audit universes

audit risk, 42

audit trails, employee management, 106

audit universes

auditable entities, 235

defining, 235

refreshing, 235

risk assessment (ranking), 236

audit-reduction tools, 415

auditing

attribute sampling, 52

audit programs, 40

automated WP, 50

baselines, 94-96

business processes, 39

CAAT, 51-52

chain of custody, 49

challenges of, 57-59

closing audits, 52-53

communicating results, 57-58

negotiations/conflict management, 58-59

Code of Professional Ethics, 27-30

communicating results, 57-58

compliance audits, 40

continuous monitoring, 55-56

continuous online auditing, 247-249

corrective controls, 47

CSA, 54-55

data classification, 98

detective controls, 47

disclaimers, 58

discovery sampling, 52

documentation, 94-96

embedded audit modules, 52

ethics, 27-30

evidence handling, 49-50

fiduciary responsibility, 47

financial audits, 39

frameworks (IT governance), 80

frequency estimating sampling, 52

General Auditors, 89

guidance documents, 36

COBIT 5, 31, 37, 41-42, 55

FIPS, 37

ISO, 37

NIST, 37

hard skills, 27-28

integrated audits, 39

internal controls, 45-47

ISACA

baselines, 31-34

Code of Professional Ethics, 27-30

guidelines, 31-34

procedures, 31-34

standards, 31-34

IT governance, frameworks, 80

ITF, 52

judgmental sampling, 51

laws/regulatory standards

compliance with, 38

knowledge of, 35-36

life cycle of, 48-49

methodologies, 48

negotiations/conflict resolution, 58-59

nonstatistical sampling, 51

objectiveness of, 89

operational audits, 40

opinions, 52-53, 58

parallel simulations, 52

policies, 94-96

preventive controls, 47

procedures, 94-96

QA, 56-57

reconciliation audits, employee management, 106

regulatory standards

compliance with, 38

knowledge of, 35-36

reports, 49, 57

opinions, 52-53, 58

rating, 59

writing, 53-54

right-to-audit clauses, 127

risk assessment, 40

audit risk, 42

control risk, 41-42

detection risk, 41-42

inherent risk, 41

material, defining, 41

qualitative analysis, 86-87

qualitative judgments, 43

quantitative analysis, 42-43, 84-87

residual risk, 42

risk management

Coca-Cola, 43

risk acceptance, 45

risk analysis, 44

risk avoidance, 44

risk monitoring, 45

risk reduction, 44

risks, defining, 44

risk tolerance, 45-47

risk transference, 45

threats, defining, 44

skills, 27-28

soft skills, 27

standards, 94-96

statistical sampling, 51

stop-and-go sampling, 52

SURRE rule, 49

third-party audits, 126-127

variable sampling, 52

vendors, 94-96

work-related skills, 27-28

WP

automated WP, 51

leveraging WP, 54

auditors, BCP, 143

authentication

access control

biometric systems, 338-339

by characteristic, 338-340

by knowledge, 336-337

by ownership, 338

centralized authentication, 345-346

Federation, 343-345

geofencing, 337

multi-platform authentication, 343-345

passwords, 336-337

somewhere you are systems, 340

SSO, 340-342

tokens, 338

two-factor authentication, 338

dual-factor authentication, 93

hotspots, 302

OpenID, 344

smartphones/tablets, 302

virtualization, 395

XSRF attacks, 411

authorization

application controls, 244

authorization controls, 238, 254

automation

application controls, 236-237

control systems, SCADA, 35

data classification and, 97

sales (CRM), 259

WP, 50-51

avoiding risk (risk management), 44

B

B-to-B (Business-to-Business) transactions, 253

B-to-C (Business-to-Consumer) transactions, 253

B-to-E (Business-to-Employee) transactions, 253

B-to-G (Business-to-Government) transactions, 253

background checks, 103, 107

backups

continuous backups, 166

database backups, 395

differential backups, 166

electronic vaulting, 169

full backups, 166

grandfather-father-son rotation method, 168

hotspots, 302

incremental backups, 166

location redundancy, 168

MAID, 166

media-rotation strategies, 167-168

offsite storage, 167

onsite storage, 167

point-in-time, 169

SAN, 166-169

security, 169

simple rotation method, 167

smartphones/tablets, 302

standby database shadowing, 169

tape backups, 166

tape librarians, 167

testing, 167

Tower of Hanoi rotation method, 168

VSAN, 168

BAD (Business Application Development), 200

software development

agile development, 213

incremental development, 212

prototyping, 212

RAD, 212

reengineering, 213

scrums, 213

spiral development, 212

sprints, 213

XP, 213

waterfall model, systems-development methodology, 200-201

development phase, 204-208

disposal phase, 211

implementation phase, 208-209

initiation phase, 202-204

operation/maintenance phase, 210

balance data (data categories), 241

banking attacks, 412

base case system evaluation (application testing), 246

baseband transmissions (cabling), 320

Basel III, 35

baselines

documentation, 92

IT governance, 93

policy development, 93

Bastille Linux, 392

bastion hosts, 306, 309

batch controls, 238-239

BCP (Business Continuity Planning), 142

administrative support teams, 154

auditor role, 143

BIA, 144

criticality analysis, 147-149

qualitative assessment, 146

quantitative analysis, 145

communications teams, 154

coordination teams, 154

core processes, 158

corrective controls, 143

damage assessment teams, 153

detective controls, 143

development phase, 149-150

discretionary processes, 159

emergency management teams, 153

emergency operations teams, 154

emergency response teams, 153

final plan design, 151-152

finance teams, 154

impact analysis phase, 144-149

implementation phase, 151-156

incident response teams, 153

initiation phase, 143

interruptions, handling, 149-150

maintenance phase, 156

maximum acceptable outages, 158

maximum tolerable outages, 158

metrics, 157-158

monitoring phase, 156

preventive controls, 143

project management, 143

recovery strategies, 149-150

recovery test teams, 154

relocation teams, 154

responsibilities, 152-153

reviewing results, 157-158

reviewing tasks, 170

RPO, 157

RTO, 157-159

salvage teams, 153

SDO, 158

security teams, 154

supplies teams, 154

supporting processes, 158

team responsibilities, 143

testing phase, 153-154

paper tests, 155

preparedness tests, 155-156

training and awareness, 152-153

transportation teams, 154

verifying tasks, 170

WRT, 158

before-and-after image reports, 242

beta testing, 207-209

BI (Business Intelligence), business application systems, 256

AI/expert systems, 258

CRM, 258

data architectures, 256

data lakes, 257

data warehouses, 257

DSS, 257-258

SCM, 259

social media, 260

BIA (Business Impact Analysis), 144

criticality analysis

ALE, 148

ARO, 147

interdependencies, 149

SLE, 147

system classification, 148

qualitative assessment, 146

quantitative analysis, 145

biometric systems, authentication by, 338-339

black-box testing, 207, 409

block ciphers, 361

blogs

BI, 260

security, 397

Blowfish encryption, 359

Bluetooth, 298-299

Bluebugging, 406

Bluejacking, 406

Bluesnarfing, 406

data breaches, 377

Discovery mode, 405

hacking, 406

Ubertooth, 406

Boehm, Barry, 194

bollards, physical/environmental access control, 350

botnets, 403-404

bottom-up policy development (IT governance), 91

bottom-up testing, 206

BPA (Business Partnership Security Agreements), 215

brands, risk assessment (audit universes), 236

BRI (Basic Rate Interface), ISDN, 314

BRM (Business Reference Model), FEAF, 112

broadband transmissions (cabling), 321

broadcast addresses, 294

brute-force attacks, 413

BSC (Balanced Scorecards), performance management, 109-110

buffer overflow attacks, 409

building security, HVAC, 356

bus topologies (networks), 319

business application systems

BI

AI/expert systems, 258

CRM, 258

data architectures, 256

data lakes, 257

data warehouses, 257

DSS, 257-258

SCM, 259

social media, 260

e-commerce, 253

EDI, 254-255

email, 255

flowcharts, 252

business case analysis, project investment, 190

business ethics. See ethics

business interruptions, BCP recovery strategies, 150

business process controls

data file controls, 241-242

input controls, 237

authorization controls, 238

batch controls, 238-239

hashing controls, 238

long-term business goals, 237

output controls, 242

password controls, 242

printing controls, 242

processing controls

data integrity controls, 240-241

edit controls, 239

short-term business goals, 237

business processes, auditing, 39

business structures, 77

BYOD (Bring-Your-Own-Device) policies, 302-303, 377-378

bypass label processing, 414

C

CA (Certificate Authorities), PKI, 366

CAAT (Computer-Assisted Audit Techniques), 51-52

cabling

attenuation, 320

baseband transmissions, 320

broadband transmissions, 321

coaxial cabling, 321-322

copper cabling, 322

fiber-optic cabling, 321-322

plenum-grade cabling, 321

twisted-pair cabling, 321

Caesar’s cipher, encryption, 357

capacity planning, 314

cloud providers, 318

flow analysis, 315

load balancing, 318

network analyzers

port mirroring, 317

Wireshark, 316

network cabling

attenuation, 320

baseband transmissions, 320

broadband transmissions, 321

coaxial cabling, 321-322

copper cabling, 322

fiber-optic cabling, 321-322

plenum-grade cabling, 321

twisted-pair cabling, 321

network design, 318-319

SNMP, 315

utilization reports, 315-317

vendors, 318

Windows Performance Monitor, 315

wireless systems, 322-323

categorizing

data, 241

threats, 83

CBD (Component-Based Development), 220

CBT (Computer-Based Testing), CISA exams, 13

CCTV (Closed-Circuit Television) systems, physical/environmental access control, 352, 355-356

centralized authentication

Diameter, 346

RADIUS, 345-346

TACACS, 346

centralized C&C (Command and Control) structures (botnets), 404

certificate servers, PKI, 366

certification, 208. See also CISA exam

chains of custody, 49, 426

change documents (programs), 243

change management, 113, 418

change-control boards, 213

changeover techniques, implementation phase (NIST SDLC), 209

channels (frequencies), ISDN, 314

characteristic, authentication by, 338-340

chargeback corporate structures, 77

charters, IT steering committees, 76

check digits (edit controls), 240

chief executive officers, compliance with Sarbanes-Oxley Act, 4

chief financial officers, compliance with Sarbanes-Oxley Act, 4

CIPA (Children’s Internet Protection Act), 370

ciphertext (encryption), 358, 374

CIR (Committed Information Rates), frame relay, 313

circuit switching, 313-314

circuit-level proxies, 307

CIS (Continuous Intermittent Simulation), continuous online auditing, 248

CISA (Certified Information Systems Auditor) exam

applying for certification, 8

CBT, 13

CPE

earning hours, 17-18

policies, 16

reporting hours earned, 16-17

credit tracking, 16-17

exam domains, 10-13

getting scores, 15

grading exams, 13

importance of certification, 4-5

intent of, 3-4

ISACA agreements, 9-10

maintaining certification, 16

mission statement, 3

passing, 9

Pearson Test Prep software, 437, 442

customizing practice exams, 439-440

Flash Card Mode, 439

offline access, 438-439

online access, 438-439

Practice Exam Mode, 439

Premium Edition, 440

Study Mode, 439

updating practice exams, 440

website, 438

popularity of, 5

question formats, 14-15

registering for exams, 7

requirements for, 6-8

retaking, 16

scheduling exams, 6

strategies for, 18-19

tips/tricks, 18-19

work experience waivers, 8

claims, integrity of, 39

Class A networks, IPv4 addressing, 293

Class B networks, IPv4 addressing, 293

Class C networks, IPv4 addressing, 294

classifying data

information asset protection, 373-374

PHI, 97

PII, 97

policy development, 96-98

cleartext protocols, 378

click-wrap license agreements, 186

clients

CRM, BI, 258

customer service (CRM), 259

identification as authorization control, 238

clipping levels (passwords), 379

closing phase (project management), 199

cloud computing

access control, 218

cloud providers

capacity planning, 318

contracts, 218

security, 219

e-commerce, 253

encryption, 219

models of, 216

security, 219

services, 216

technical controls (security controls), 391

threats to, 218-219

training, 218

clustering, hardware recovery, 164

CMM (Capability Maturity Model), 116-119

CMMI (Capability Maturity Model Integration), 117-118

coaxial cabling, 321-322

COBIT 5 (Control Objectives for Information and Related Technologies 5), 31, 37, 41-42, 55, 78, 111, 273-274

CMM, 117, 118

ITIL versus, 79

Coca-Cola, risk management, 43

COCOMO II (Constructive Cost Model II) software estimation, 194

Code of Professional Ethics, 9-10, 27-30

coding

4GL programming languages, 258

5GL programming languages, 258

insecure code, 378

cold sites, disaster recovery planning, 161

collision domains, 303

collision-avoidance protocols, 293

collisions, defined, 303

communication-driven DSS (Decision Support Systems), BI, 257

communications handlers (EDI), 254

communications teams (BCP), 154

community clouds, 216

comparative analysis (passwords), 412

compensating controls (employee management), 106

completeness checks (edit controls), 240

compliance (laws/regulations)

audits, 40

managing, 119-121

regulatory compliance, risk assessment (audit universes), 236

tests, 39

verifying, 38

computer forensics, 425-426

conflict resolution/negotiation, 58-59

conformity, verifying, 39

Consistency (ACID tests), 245, 282

content services switches, 304

content switches, 304

continuity planning. See BCP

continuous backups, 166

continuous monitoring, 55-56

continuous online auditing, 247-249

contractors, relationship management, 129-130

contracts

cloud provider contracts, 218

disaster recovery, 171

managing, 127-128

control frameworks, management and

change management, 113

COBIT 5, 111, 117-118

COSO, 110, 115-116

CSF, 111

EA, 111-112

ISO, 111, 114-115

quality management, 114-119

control risk, 41-42

control/execution phase (project management), 199

converting/migrating data, 209

cooling (data centers), 356

COOP (Continuity of Operations) websites, 172

coordination teams (BCP), 154

copper cabling, 322

core business risk assessments (audit universes), 236

core processes, BCP, 158

corporate structures, 77

corrective controls, 47, 143

COSO (Committee of Sponsoring Organizations of the Treadway Commission), 35, 110, 115-116

costs of

projects

project management, 187, 192

reviewing, 211

software (project management, planning phase), 193-194

CPE (Continuing Professional Education)

credit tracking, 16-17

earning hours, 17-18

policies, 16

reporting hours earned, 16-17

CPM (Critical Path Methodology), project management, 198

CR (Change Requests), change management, 113

crashing (critical tasks), 198

credit tracking (CPE), 16-17

credit/debit cards, PCI standards, 35-36, 119

crime (computer), prosecuting, 429

crime triangles

fraud risk factors, 419

incident response, 423

criminal hackers, 419

critical services, maintaining, 141

alternate processing sites

cold sites, 161

hot sites, 160

mobile sites, 160

oversubscription, 163

reciprocal agreements, 162-163

subscription services, 160, 163

warm sites, 161

alternative processing agreements, reviewing, 171

BCP, 142

administrative support teams, 154

auditor role, 143

BIA, 144-149

communications teams, 154

coordination teams, 154

core processes, 158

corrective controls, 143

damage assessment teams, 153

detective controls, 143

development phase, 149-150

discretionary processes, 159

emergency management teams, 153

emergency operations teams, 154

emergency response teams, 153

final plan design, 151-152

finance teams, 154

impact analysis phase, 144-149

implementation phase, 151-156

incident response teams, 153

initiation phase, 143

interruptions, 149-150

maintenance phase, 156

maximum acceptable outages, 158

maximum tolerable outages, 158

metrics, 157-158

monitoring phase, 156

preventive controls, 143

project management, 143

recovery strategies, 149-150

recovery test teams, 154

relocation teams, 154

responsibilities, 152-153

reviewing results, 157-158

reviewing tasks, 170

RPO, 157

RTO, 157-159

salvage teams, 153

SDO, 158

security teams, 154

supplies teams, 154

supporting processes, 158

team responsibilities, 143

testing phase, 153-156

training and awareness, 152-153

transportation teams, 154

verifying tasks, 170

WRT, 158

contracts, reviewing, 171

COOP websites, 172

data recovery, 165-169

disaster life cycles, 172-173

disaster recovery checklist, 172

hardware recovery

clustering, 164

fault tolerance, 164

MTBF, 163

MTTF, 163

MTTR, 164

RAID, 164-165

SLA, 164

incident classification, 141-142

insurance, reviewing, 171

MTD, 159

natural disasters, 140

power supplies, 171

recovery times, 161-162

redundant processing sites, 160

reviewing tasks, 170

telecommunications recovery, 169-170

verifying tasks, 170

critical tasks, planning (project management), 198

criticality analysis (BIA)

ALE, 148

ARO, 147

interdependencies, 149

SLE, 147

system classification, 148

CRL (Certificate Revocation List), PKI, 366

CRM (Customer Relationship Management), 258, 279

cryptanalysis, 358

cryptography

asset protection, 367-368

cryptography keys, 358

data breaches, 374-375

ECC, 363

PGP, 369

quantum cryptography, 364

SET, 368

S/MIME, 369

SSH, 368

CSA (Control Self-Assessments), 54-55

CSF (Cybersecurity Framework), 111

CSIRT (Computer Security Incident Response Teams), 420-422

CSMA/CD (Carrier-Sense Multiple Access/Collision Detection). See Ethernet

culture/objectives of projects (project management), 189

custody, chain of, 49

customers

CRM, BI, 258

customer service (CRM), 259

customizing practice exams, 439-440

cut-through switches, 304

D

DAM (Database Activity Monitoring), 394. See also SIEM

damage assessment teams (BCP), 153

data access layer (BI data architectures), 256

data acquisition, SCADA, 35

data breaches

data destruction, 378

encryption, 374-375

infrastructures, 378-379

unsecured devices, 375-378

Verizon Data Breach report, 374

data categories

balance data, 241

static data, 241

system control parameters, 241

transaction files, 241

data centers, HVAC, 356

data classification

information asset protection, 373-374

PHI, 97

PII, 97

policy development, 96

auditing, 98

automating classification, 97

destroying data, 97

DLP, 97

PHI, 97

PII, 97

data conversion, migrating data, 209

data destruction, 97, 378

data file controls (business process controls), 241-242

data file security, 242

data frames, 289

Ethernet, 292-293

MAC addresses, 293

data integrity

ACID tests, 245

application controls, 245, 249

databases and, 281

editing controls, 239-240

entity integrity, 245

online data integrity, 245

processing controls, 240-241

referential data integrity, 245

relational data integrity, 245

data interruptions, BCP recovery strategies, 149

data lakes (BI), 257

data life cycles, information asset protection, 369

data link layer (OSI reference model), 289

data mart layer (BI data architectures), 256

data migration and data conversion tools, 209

data mining, 256, 278

data packets, IPv4/IPv6 addresses, 294

data recovery, backups, 165

continuous backups, 166

differential backups, 166

electronic vaulting, 169

full backups, 166

grandfather-father-son rotation method, 168

incremental backups, 166

location redundancy, 168

MAID, 166

media-rotation strategies, 167-168

offsite storage, 167

onsite storage, 167

SAN, 166-169

security, 169

simple rotation method, 167

standby database shadowing, 169

tape backups, 166

tape librarians, 167

testing, 167

Tower of Hanoi rotation method, 168

VSAN, 168

data remanence, VM, 222

data restoration, 302

data sources layer (BI data architectures), 256

data staging layer (BI data architectures), 256

data transfers, 302

data warehouses, 256-257, 279

data-driven DSS (Decision Support Systems), BI, 257

data-entry employees, 104

database tables, 241-242

databases

ACID tests, 282

administrators, 104

aggregation, 278

attributes, 278

backups, 395

CRM, 279

database-management systems, 278

HDMS, 279

NDMS, 279

RDMS, 281

data integrity, 281

data mining, 278

data warehouses, 279

fields, 278

foreign keys, 278

granularity, 278

HDMS, 279

metadata, 278

NDMS, 279

RDMS, 281

relations, 278

schemas, 278

security, 408-409

backups, 395

DAM, 394

database shadowing, 395

EDR, 394

OWASP top 10 security concerns, 393

WAF, 393

shadowing, 169, 395

SQL injection attacks, 408-409

technical controls (security controls), 393-395

tuples, 281

DDoS (Distributed Denial of Service) attacks, 402-403

debit/credit cards, PCI standards, 35-36, 119

decentralized C&C (Command and Control) structures (botnets), 404

Defense model (ERM), Three Lines of, 87-89

Delphi technique (qualitative risk analysis), 87

DES (Data Encryption Standard), 359-361

design/development (project management), 251

destroying data, 97, 378

Detail view (Wireshark), 316

detection risk, 41-42

detection/prevention tools/techniques

attack-detection tools, 414

audit-reduction tools, 415

integrity checks, 414

log reviews, 414-415

NAC, 415

NetFlow, 415

security testing, 416-418

SIEM, 415

trend-detection tools, 414

variance-detection tools, 414

detective controls, 47, 143

development phase (NIST SDLC), 204

exception handling, 207

high/low coupling, 205

input/output controls, 205

reverse engineering, 205

testing, 206

development/design (project management), 251

DevOps (Development Operations), 220

DHCP (Dynamic Host Configuration Protocol), 297

Diameter, 346

dictionary attacks, 412

DID (Direct Inward Dial), voice communication security, 357

differential backups, 166

Diffie, Dr. W, 362

digital evidence, forensics, 427

digital signatures, 365

direct changeover (changeover techniques), 209

directory services, OSI reference model, 291

disaster planning. See problem/incident management

disaster recovery, 141, 159

alternate processing sites

cold sites, 161

hot sites, 160

mobile sites, 160

oversubscription, 163

reciprocal agreements, 162-163

subscription services, 160-163

warm sites, 161

alternative processing agreements, reviewing, 171

BCP, 142

administrative support teams, 154

auditor role, 143

BIA, 144-149

communications teams, 154

coordination teams, 154

core processes, 158

corrective controls, 143

damage assessment teams, 153

detective controls, 143

development phase, 149-150

discretionary processes, 159

emergency management teams, 153

emergency operations teams, 154

emergency response teams, 153

final plan design, 151-152

finance teams, 154

impact analysis phase, 144-149

implementation phase, 151-156

incident response teams, 153

initiation phase, 143

interruptions, 149-150

maintenance phase, 156

maximum acceptable outages, 158

maximum tolerable outages, 158

metrics, 157-158

monitoring phase, 156

preventive controls, 143

project management, 143

recovery strategies, 149-150

recovery test teams, 154

relocation teams, 154

responsibilities, 152-153

reviewing results, 157-158

reviewing tasks, 170

RPO, 157

RTO, 157-159

salvage teams, 153

SDO, 158

security teams, 154

supplies teams, 154

supporting processes, 158

team responsibilities, 143

testing phase, 153-156

training and awareness, 152-153

transportation teams, 154

verifying tasks, 170

WRT, 158

contracts, reviewing, 171

COOP websites, 172

data recovery, 165-169

disaster life cycle, 172-173

disaster recovery checklist, 172

hardware recovery

clustering, 164

fault tolerance, 164

MTBF, 163

MTTF, 163

MTTR, 164

RAID, 164-165

SLA, 164

incident classification, 141-142

insurance, reviewing, 171

MTD, 159

natural disasters, 140

power supplies, 171

recovery times, 161-162

redundant processing sites, 160

reviewing tasks, 170

telecommunications recovery, 169-170

verifying tasks, 170

disclaimers (audit reports), 58

Discovery mode (Bluetooth), 405

discovery sampling, 52

discovery stage (penetration testing), 417

discretionary processes, BCP, 159

disposal phase (NIST SDLC), vulnerability assessments, 211

distance-vector protocols, 295

DITKA questions, final exam preparation, 442

diverse routing, telecommunications recovery, 170

DLP (Data Loss Prevention), 97

DMCA (Digital Millennium Copyright Act), 186

DMZ (Demilitarized Zones), 306, 309

DNS (Domain Name Service), 291, 297, 312

DNSSEC (Domain Name Service Security Extensions), 297

document-driven DSS (Decision Support Systems), BI, 258

documentation

applications, understanding, 243

auditing, 94-96

baselines, 92

change-control process, 214

employee handbooks, 100-101

exception reports, 106, 241

guidance documents, 36

COBIT 5, 31, 37, 41-42, 55

FIPS, 37

ISO, 37

NIST, 37

incident response, 421, 424

levels of control, 92

policies, 92

procedures, 92

program change documents, 243

right-to-audit clauses, 127

SLA, 127-128

standards, 92

third-party documentation, 94-96

transaction logs, 106

dogs, physical/environmental access control, 351

domain names, FQDN and DNS, 297

DoS (Denial of Service) attacks, 402-403

DOSD (Data-Oriented System Development), 219

downtime, MTD, 159

Draper, John, 357

DRM (Data Reference Model), FEAF, 112

DRM (Digital Rights Management), 283

droppers, 405

DSL (Digital Subscriber Lines), 314, 321

DSS (Decision Support Systems), BI, 257-258

DSSS (Direct-Sequence Spread Spectrum), 300

dual control, employee management, 102, 107

dual-factor authentication, 93

dual-homed gateways, 308

dumpster diving attacks, 400

duplicate checks (edit controls), 240

Durability (ACID tests), 246, 282

duties, separating (application controls), 244

dwell time, 300

dynamic forensic analysis, 427

E

e-commerce

B-to-B transactions, 253

B-to-C transactions, 253

B-to-E transactions, 253

B-to-G transactions, 253

business application systems, 253

cloud computing, 253

transaction process, 235

EA (Enterprise Architectures), 111-112

ECC (Elliptic Curve Cryptography), 363

echo requests (ICMP), 290

edge devices

DMZ, 306, 309

firewalls

configuring, 308-310

packet filter firewalls, 307-308

proxies, 307

screened host firewalls, 309

WAF, 308

IDP, 310

IDS

anomaly detection IDS, 312

HIDS, 310

NIDS, 310

pattern-matching (signature) IDS, 311

protocol decoding IDS, 312

IPS, 310

EDI (Electronic Data Interchange)

application system, 254

audit monitors, 254-255

authorization controls, 254

business application systems, 254-255

communications handlers, 254

EDI interface, 254

EFT, 254

encryption controls, 254

manipulation controls, 254

transmission controls, 254

eDiscovery, 302

editing controls (data integrity controls), 239-240

EDR (Endpoint Detection and Response), 394

EER (Equal Error Rates), biometric systems, 339

EFT (Electronic Funds Transfers), 254

electronic vaulting, 169

email

attacks, 400

business application systems, 255

encryption, 255

IMAP, 291, 297

OSI reference model services, 290

PEM, 255

PGP, 255

POP, 255

POP3, 291, 297

S/MIME, 255

SMTP, 255, 290

embedded audit modules, 52

emergency changes, information systems maintenance, 214

emergency incident response teams, 420-422

emergency management teams (BCP), 153

emergency operations teams (BCP), 154

emergency response teams (BCP), 153

employees

background checks, 103, 107

BYOD policies, data breaches, 377-378

database administrators, 104

data-entry employees, 104

forced vacations, 102, 107

handbooks, 100-101

hiring, 100

logic bombs, 411

managing

audit trails, 106

background checks, 103, 107

compensating controls, 106

dual control, 102, 107

exception reports, 106

forced vacations, 102, 107

handbooks, 100-101

hiring practices, 100

job rotation, 106

NDA, 102, 107

performance assessments, 101

reconciliation audits, 106

roles/responsibilities, 103-104

rotation of assignments, 102, 107

separation events (termination), 102-103

SoD, 105-107

supervisor reviews, 106

training, 101, 107

transaction logs, 106

network administrators, 104

performance assessments, 101

QA employees, 104

roles/responsibilities, 103-104

security architects, 104

separation events (termination), 102-103

SoD, 105-107

systems administrators, 104

systems analysts, 104

termination (separation events), 102-103

training, 101, 107

vacations, 102, 107

encryption. See also tokenization

3DES, 359

802.11 wireless encryption, 299

AES, 362

algorithms, 358

asymmetric encryption, 358-359, 362, 367-368

digital signatures, 365

ECC, 363

hashing, 364

PKI, 365-366

quantum cryptography, 364

RSA, 363

trap door functions, 362

Atbash, 357

block ciphers, 361

Blowfish, 359

Caesar’s cipher, 357

ciphertext, 358, 374

cloud computing, 219

cryptanalysis, 358

cryptography, 358

asset protection, 367-368

data breaches, 374-375

ECC, 363

PGP, 369

quantum cryptography, 364

SET, 368

S/MIME, 369

SSH, 368

data breaches, 374-375

DES, 359-361

digital signatures, 365

ECC, 363

encryption controls (EDI), 254

end-to-end encryption, 368

hashing, 364

key length, 358

link-state encryption, 368

man-in-the-middle attacks, 375

multiple encryption, 361

OS, 393

OSI reference model, 367-368

PEM, 255

PGP, email, 255

PKI, 365-366

plaintext, 358, 374

private key encryption

3DES, 359

AES, 362

Blowfish, 359

DES, 359-361

RC4, 360

RC5, 360

Rijndael, 360-362

SAFER, 360

public key encryption

digital signatures, 365

ECC, 363

hashing, 364

PKI, 365-366

quantum cryptography, 364

RSA, 363

trap door functions, 362

quantum cryptography, 364

RC4, 360

RC5, 360

remote access and, 347

Rijndael, 360-362

RSA, 363

S/MIME, 255

SAFER, 360

stream ciphers, 361

symmetric encryption, 358, 367-368

3DES, 359

AES, 362

Blowfish, 359

DES, 359-361

RC4, 360

RC5, 360

Rijndael, 360-362

SAFER, 360

virtualization, 395

WAP, 406-407

weak encryption, 378

end-to-end encryption, 368

Enron, ethics, 30

enterprise marketing (CRM), 259

entity integrity (data integrity controls), 245

entry points, physical/environmental access control, 351

environmental/physical access control

bollards, 350

CCTV systems, 352, 355-356

dogs, 351

entry points, 351

fences, 349-350

gates, 350

guards, 352

HVAC, 356

lighting, 351, 354

locks, 353-354

ERD (Entity Relationship Diagrams), primary keys, 203-204

ERM (Enterprise Risk Management), 80

asset identification, 82

risk assessments

qualitative analysis, 86-87

quantitative analysis, 84-87

risk management teams, 81

threat identification, 82-83

Three Lines of Defense model, 87-89

errors

correcting/controlling (application controls), 244

maintenance error reports, 242

escrow agreements (software), 185

Ethernet, 284, 292-293

ethical hacking. See penetration testing

ethics

Arthur Andersen, 30

Enron, 30

ISACA Code of Professional Ethics, 9-10, 27-30

eTOM (Enhanced Telecom Operations Map), 273-275

EU (European Union) Privacy Shield law, 35

EUC (End-User Computing), 208

EULA (End-User Licensing Agreements), 282

events

analyzing, incident response, 422

separation events (termination), 102-103

stochastic events, 85

evidence

digital evidence, forensics, 427

handling, 49-50

exams

CISA exam

applying for certification, 8

CBT, 13

CPE, 16-18

credit tracking, 16-17

exam domains, 10-13

getting scores, 15

grading exams, 13

importance of certification, 4-5

intent of, 3-4

ISACA agreements, 9-10

maintaining certification, 16

mission statement, 3

passing, 9

Pearson Test Prep software, 437-442

popularity of, 5

question formats, 14-15

registering for exams, 7

requirements for, 6-8

retaking, 16

scheduling exams, 6

strategies for, 18-19

tips/tricks, 18-19

work experience waivers, 8

Pearson Test Prep Software, 437, 442

customizing practice exams, 439-440

Flash Card Mode, 439

offline access, 438-439

online access, 438-439

Practice Exam Mode, 439

Premium Edition, 440

Study Mode, 439

updating practice exams, 440

website, 438

practice exams

customizing, 439-440

Flash Card Mode, 439

Practice Exam Mode, 439

Study Mode, 439

updating, 440

exception handling, 207

exception reports, 106, 241

execution phase (project management), 199

existence checks (edit controls), 240

expert systems/AI (Artificial Intelligence), BI, 258

exposure factor (quantitative risk analysis), 84

exterior lighting, physical/environmental access control, 355

exterior security control

bollards, 350

CCTV systems, 352, 355-356

dogs, 351

entry points, 351

fences, 349-350

gates, 350

guards, 352

HVAC, 356

lighting, 351, 354

locks, 353-354

turnstiles, 352

external/internal labeling, 242

F

fabric virtualization. See VSAN

facility interruptions, BCP recovery strategies, 149

FACTA (U.S. Fair and Accurate Credit Transaction Act of 2003), 35, 120

failures, hardware recovery, 163

FAR (False Accept Rates), biometric systems, 339

fault tolerance

hardware recovery, 164

RAID, 164-165

FEAF (Federal Enterprise Architecture Framework), 112

feasibility

project investment, 191

project management, 251

Federation, 343-345

fences, physical/environmental access control, 349-350

FERPA (Family Educational Rights and Privacy Act), 370

FFIEC Handbook, 36

FHSS (Frequency-Hopping Spread Spectrum), 300

fiber-optic cabling, 321-322

fiduciary responsibility, auditing and, 47

fields (databases), 278

file sharing, OSI reference model, 290

file totals (data integrity controls), reconciliation of, 241

final acceptance testing, 206

final preparation, CISA exams

chapter-ending review tools, 441

DITKA questions, 442

memory tables, 441-442

Pearson Test Prep software, 437, 442

customizing exams, 439

customizing practice exams, 440

Flash Card Mode, 439

offline access, 438-439

online access, 438-439

Practice Exam Mode, 439

Premium Edition, 440

Study Mode, 439

updating exams, 440

website, 438

review questions, 442

finance teams (BCP), 154

financial attacks, 412

financial audits, 39

financial reporting, COSO, 35

FIPS (Federal Information Processing Standards), 37

firewalls

configuring, 308-310

packet filter firewalls, 307-308

proxies, 307

screened host firewalls, 309

WAF, 308, 393

firing employees. See separation events (termination)

FISMA (Federal Information Security Management Act), 35, 120, 370

FitSM, 273-274

Flash Card Mode (practice exams), 439

flow analysis, 315

flowcharts

applications, understanding, 243-244

business application systems, 252

forced vacations, 102, 107

foreign keys (databases), 278

forensics

chains of custody, 426

computer forensics, 425-426

digital evidence, 427

dynamic forensic analysis, 427

network forensics, 427

problem/incident response, 425

forensic types, 427-428

processes/procedures, 426-427

software forensics, 427

static forensic analysis, 428

FPA (Function Point Analysis), software size estimation, 195-196

FQDN (Fully Qualified Domain Names), 292, 297

frame relay, 313

frames (data), 289

Ethernet, 292-293

MAC addresses, 293

frameworks

ARM, 112

BRM, 112

DRM, 112

FEAF, 112

IRM, 112

IT governance, 77

auditing, 80

COBIT 5, 78-79

ITIL, 78-79

overlapping of, 79

management and control frameworks

change management, 113

COBIT 5, 111, 117-118

COSO, 110, 115-116

CSF, 111

EA, 111-112

ISO, 111, 114-115

quality management, 114-119

PRM, 112

SRM, 112

service management

COBIT, 273-274

databases, 278-282

DRM, 283

eTOM, 273-275

FitSM, 273-274

ISO 20000, 273-274

ITIL, 273

OS, 275-277

software licensing, 282-283

FRAP (Facilitated Risk Assessment Process), qualitative risk analysis, 87

fraud

FACTA, 35, 120

risk factors (problem/incident management), 419-420

frequencies

bands, wireless technologies, 301

channels, ISDN, 314

frequency estimating sampling, 52

FRR (False Reject Rates), biometric systems, 339

FTP (File Transfer Protocol), network file sharing, 290

full backups, 166

full operation tests, BCP, 156

full-mesh networks, 320

function testing, 207

funding system services (IT governance), 77

fuzzing, 409

G

GAN (Global Area Networks), 284

Gantt charts, 197-198

gap analysis, 192, 211

gates, physical/environmental access control, 350

gateways, 305, 308

General Auditors, 89

general controls, 243

geofencing, 337

GLBA (Gramm-Leach-Bliley Act), 370

grading CISA exams, 13

grandfather-father-son backup rotation method, 168

granularity (databases), 278

guards, physical/environmental access control, 352

guidance documents, 36

COBIT 5, 31, 37, 41-42, 55

FIPS, 37

ISO, 37

NIST, 37

H

hacking, 419

Bluetooth, 406

ethical hacking. See penetration testing

Halstead Complexity Measures, FPA and software size estimation, 196

handbooks (employee), 100-101

Hanoi backup rotation method, Tower of, 168

hard skills, IS auditing, 27-28

hardening, VM, 395

hardware

recovery

clustering, 164

fault tolerance, 164

MTBF, 163

MTTF, 163

MTTR, 164

RAID, 164-165

SLA, 164

security controls, voice communications, 356-357

unsecured devices, data breaches, 375-378

hashing, 364

hashing controls, hash totals, 238

HDMS (Hierarchical Database-Management Systems), 279

health care/insurance, HIPAA, 35, 119, 370

health information, PHI and data classification, 97

Hellman, Dr. M. E., 362

Hex view (Wireshark), 316

HIDS (Host-based Intrusion Detection Systems), 310

high/low coupling, 205

hijacking attacks, 401

HIPAA (Health Insurance Portability and Accountability Act), 35, 119, 370

hiring employees, 100

HOIC (High Orbit Ion Cannons), 403

honeypots, 306, 422

host-to-host/transport layer (TCP/IP reference model), 295

hot sites, disaster recovery planning, 160

hot-swappable disks, RAID, 164

hotspots, 302-303

hping, 403

HR (Human Resources), employee management

audit trails, 106

background checks, 103, 107

compensating controls, 106

dual control, 102, 107

exception reports, 106

forced vacations, 102, 107

handbooks, 100-101

hiring practices, 100

job rotation, 106

NDA, 102, 107

performance assessments, 101

reconciliation audits, 106

roles/responsibilities, 103-104

rotation of assignments, 102, 107

separation events (termination), 102-103

SoD, 105-107

supervisor reviews, 106

training, 101, 107

transaction logs, 106

vacations, 102, 107

HTTP (Hypertext Transfer Protocol), OSI reference model, 292

hubs, 303-305

humidity (data centers), 356

HVAC (Heating, Ventilation and Air Conditioning) systems, physical/environmental access control, 356

hybrid attacks, 412-413

hybrid botnets, 404

hybrid clouds, 216

I

I&A (Identification and Authentication)

authentication

biometric systems, 338-339

by characteristic, 338-340

by knowledge, 336-337

by ownership, 338

geofencing, 337

passwords, 336-337

somewhere you are systems, 340

tokens, 338

two-factor authentication, 338

identification, 336

ICMP (Internet Control Message Protocol), echo requests, 290

IDA Pro, static forensic analysis, 428

identification

access control, 336

client identification as authorization control, 238

dual-factor authentication, 93

hotspots, 302

smartphones/tablets, 302

identifying

assets (ERM), 82

threats (ERM), 82-83

identity

PII, data classification, 97

theft/fraud, FACTA, 35, 120

IDP (Intrusion Detection and Prevention), 310

IDS (Intrusion Detection Systems)

anomaly detection IDS, 312

HIDS, 310

NIDS, 310

pattern-matching (signature) IDS, 311

protocol decoding IDS, 312

illegal software, 283

IM (Instant Messaging), security, 396-397

IMAP (Internet Message Access Protocol), 291, 297

impact analysis. See BIA

implementation phase

NIST SDLC

accreditation, 208

certification, 208

changeover techniques, 209

project management, 251

incident classification (disaster recovery), 141-142

incident response teams (BCP), 153

incident/problem management

change management, 418

computer crime jurisdictions, 429

criminal hackers, 419

fraud risk factors, 419-420

hackers, 419

incident response

defining incidents, 422

documentation, 421, 424

escalation/response procedures, 424

event analysis, 422

forensic investigation, 425-428

honeypots, 422

incident response teams, 420-422

processes/procedures, 422-424

phreakers, 419

prosecuting computer crime, 429

script kiddies, 419

terrorists, 420

incremental backups, 166

incremental software development, 212

industry guidance documents, 36

COBIT 5, 31, 37, 41-42, 55

FIPS, 37

ISO, 37

NIST, 37

information asset protection

access control, 370

compliance, 370-371

data classification, 373-374

data life cycles, 369

keyloggers, 371

monitoring, 371-372

privacy controls, 372

risk-assessment, 372

security controls, 372

information systems maintenance

change-control boards, 213

documenting, 214

emergency changes, 214

unauthorized changes, 214

informative policies, 92

infrastructures, data breaches, 378-379

inherent risk, 41

initiation phase

NIST SDLC, 202

ERD, 203-204

RFP, 204

project management, 193

input controls (business process controls), 237

authorization controls, 238

batch controls, 238-239

hashing controls, 238

input/output controls, 205

insecure code, 378

insider fraud risk factors (problem/incident management), 419

insurance, disaster recovery, 171

integer overflow attacks, 412

integrated audits, 39

integrated testing facilities

application testing, 246

continuous online auditing, 247

integrity checks, 414

integrity of claims, 39

integrity of data and databases, 281

interface testing, 206

internal controls, auditing with, 45-47

internal/external labeling, 242

Internet layer (TCP/IP reference model)

distance-vector protocols, 295

IP addressing, 293-294

link-state routing protocols, 295

routing protocols, 294-295

Internet security

PGP, 369

SET, 368

S/MIME, 369

SSH, 368

interruptions, BCP recovery strategies, 149

investment in projects (project management)

business case analysis, 190

feasibility studies, 191

ROI, 191

IOCE (International Organization on Computer Evidence), forensics and digital evidence, 427

IP (Internet Protocol), 288

ARP, 294

IPv4

broadcast addresses, 294

Class A networks, 293

Class B networks, 293

Class C networks, 294

multicast addresses, 294

subnets, 293

unicast addresses, 294

IPv6, 294

VoIP, 295, 313

IP addresses, verifying, 290

IP Security (Internet Protocol Security), 348

iPods, pod slurping, 376

IPS (Intrusion Prevention Systems), 310

IRM (Infrastructure Reference Model), FEAF, 112

IRR (Internal Rate of Return), ROI, 192

IS auditing

attribute sampling, 52

audit programs, 40

automated WP, 50

baselines, 94-96

business processes, 39

CAAT, 51-52

chain of custody, 49

challenges of, 57-59

closing audits, 52-53

communicating results, 57-58

negotiations/conflict management, 58-59

Code of Professional Ethics, 27-30

communicating results, 57-58

compliance audits, 40

continuous monitoring, 55-56

corrective controls, 47

CSA, 54-55

data classification, 98

detective controls, 47

disclaiming, 58

discovery sampling, 52

documentation, 94-96

embedded audit modules, 52

ethics, 27-30

evidence handling, 49-50

fiduciary responsibility, 47

financial audits, 39

frequency estimating sampling, 52

General Auditors, 89

guidance documents, 36

COBIT 5, 31, 37, 41-42, 55

FIPS, 37

ISO, 37

NIST, 37

hard skills, 27-28

integrated audits, 39

internal controls, 45-47

ISACA

baselines, 31-34

Code of Professional Ethics, 27-30

guidelines, 31-34

procedures, 31-34

standards, 31-34

ITF, 52

judgmental sampling, 51

laws/regulatory standards

compliance with, 38

knowledge of, 35-36

life cycle of, 48-49

methodologies, 48

negotiations/conflict resolution, 58-59

nonstatistical sampling, 51

objectiveness of, 89

operational audits, 40

opinions, 52-53, 58

parallel simulations, 52

policies, 94-96

preventive controls, 47

procedures, 94-96

QA, 56-57

reconciliation audits, employee management, 106

regulatory standards

compliance with, 38

knowledge of, 35-36

reports, 49, 57

opinions, 52-53, 58

rating, 59

writing, 53-54

right-to-audit clauses, 127

risk assessment, 40

audit risk, 42

control risk, 41-42

detection risk, 41-42

inherent risk, 41

material, defining, 41

qualitative analysis, 86-87

qualitative judgments, 43

quantitative analysis, 42-43, 84-87

residual risk, 42

risk management

Coca-Cola, 43

risk acceptance, 45

risk analysis, 44

risk avoidance, 44

risk monitoring, 45

risk reduction, 44

risks, defining, 44

risk tolerance, 45-47

risk transference, 45

threats, defining, 44

skills, 27-28

soft skills, 27

standards, 94-96

statistical sampling, 51

stop-and-go sampling, 52

SURRE rule, 49

third-party audits, 126-127

variable sampling, 52

vendors, 94-96

work-related skills, 27-28

WP

automated WP, 51

leveraging WP, 54

ISA (Interconnection Security Agreements), 215

ISACA (Information Systems Audit and Control Association)

baselines, 31-34

CISA exams

applying for certification, 8

CBT, 13

CPE policies, 16

credit tracking, 16-17

earning CPE hours, 17-18

exam domains, 10-13

getting scores, 15

grading, 13

ISACA agreements, 9-10

maintaining certification, 16

question formats, 14-15

registration, 7

reporting CPE hours earned, 16-17

requirements for, 6-8

retaking, 16

scheduling exams, 6

work experience waivers, 8

COBIT 5, 31, 37, 41-42, 55

Code of Professional Ethics, 27-30

CPE

earning hours, 17-18

policies, 16

reporting hours earned, 16-17

credit tracking, 16-17

guidelines, 31-34

ISACA website, Code of Professional Ethics, 9-10

My Certifications, 7, 15-17

procedures, 31-34

standards, 31-34

ISDN (Integrated Services Digital Network), 314

ISO (International Organization for Standardization), 37, 111

ISO 9001 certification, quality management, 114-115

ISO 20000, 273-274

Isolation (ACID tests), 245, 282

IT acquisition, software

escrow agreements, 185

licensing agreements, 185-186

IT governance

accountability, 77

auditing, 80

best practices, 77

CMM, 116-119

compliance, managing, 119-121

corporate structures, 77

defining, 71

employee management

audit trails, 106

background checks, 103, 107

compensating controls, 106

dual control, 102, 107

exception reports, 106

forced vacations, 102, 107

handbooks, 100-101

hiring practices, 100

job rotation, 106

NDA, 102, 107

performance assessments, 101

reconciliation audits, 106

roles/responsibilities, 103-104

rotation of assignments, 102, 107

separation events (termination), 102-103

SoD, 105-107

supervisor reviews, 106

training, 101, 107

transaction logs, 106

ERM

asset identification, 82

qualitative risk analysis, 86-87

quantitative risk analysis, 84-87

risk management teams, 81

threat identification, 82-83

Three Lines of Defense model, 87-89

frameworks, 77

COBIT 5, 78-79

ITIL, 78-79

overlapping of, 79

funding system services, 77

goals of, 77

IT steering committees, 75-76

ITSM, 79

management and control frameworks

change management, 113

COBIT 5, 111, 117-118

COSO, 110, 115-116

CSF, 111

EA, 111-112

ISO, 111, 114-115

quality management, 114-119

maturity models, 116-119

outsourcing

contract management, 127-128

performance monitoring, 128

relationship management, 129-130

third-party audits, 126-127

third-party outsourcing, 125-126

performance management, 107

BSC, 109-110

KGI, 109

KPI, 109

metrics, 108-109

risk thresholds, 109

target values, 108

thresholds, 109

units, 108

policies

defining supporting policies, 77

developing, 90-99

processes

defining supporting processes, 77

optimizing, 121-125

IT suppliers, outsourcing

contract management, 127-128

performance monitoring, 128

relationship management, 129-130

third-party audits, 126-127

third-party outsourcing, 125-126

ITF (Integrated Test Facilities), 52

ITIL (IT Infrastructure Library), 78-79, 273

ITSM (IT Service Management), 79

J

JBOD (Just a Bunch of Disks), hardware recovery, 165

job rotation, employee management, 106

John the Ripper, 413

judgmental sampling, 51

jurisdictions (computer crime), 429

K

Kali Linux, 379

Kerberos, 341-342

key verification (edit controls), 240

keyloggers, information asset protection, 371

KGI (Key Goal Indicators), performance management, 109

KLOC (Kilo Lines of Code), software size estimation, 195

knowledge, authentication by, 336-337

knowledge-driven DSS (Decision Support Systems), BI, 258

known plaintext attacks, 374

KPI (Key Performance Indicators), performance management, 109

L

L2TP (Layer 2 Tunneling Protocol), 348

labeling (internal/external), 242

lagging risk indicators, 120

LAN (Local Area Networks), 284

last-mile protection, telecommunications recovery, 170

laws/regulatory standards

Basel III, 35

compliance with, 38

COSO, 35

EU Privacy Shield law, 35

FACTA, 35, 120

FFIEC Handbook, 36

FISMA, 35, 120

HIPAA, 35, 119

knowledge of, 35-36

PCI standards, 35-36, 119

SCADA, 35

SOX, 35, 119

layer 2 switches, 304

leading risk indicators, 120

least privilege (security policies), principle of, 99

licensing

DRM, 283

software

EULA, 282

illegal software, 283

licensing agreements, 185-186

lighting, physical/environmental access control, 351, 354

limit checks

data integrity controls, 241

edit controls, 239

link-state encryption, 368

link-state routing protocols, 295

Linux

Bastille Linux, 392

Kali Linux, 379

live VM migration, 222

load balancing, capacity planning, 318

lockout thresholds, 337, 379

locks, physical/environmental access control, 353-354

logic bombs, 411

logical relationship checks (edit controls), 240

logs

OS logs, 393

reviewing/auditing, 414-415

transaction logs, 106, 242

LOIC (Low Orbit Ion Cannons), 403

long-haul diversity, telecommunications recovery, 170

long-term business goals, defined, 237

losses

ALE

BIA criticality analysis, 148

quantitative risk analysis, 85

defining, 83

quantitative risk analysis, 85-86

SLE

BIA criticality analysis, 147

quantitative risk analysis, 85

threats and, 83

lost/stolen smartphones/tablets, 302

LTO (Linear Tape-Open) backups, 166

M

MAC (Media Access Control) addresses, 293, 304

MAID (Massive Array of Inactive Disks), 166

maintenance error reports, 242

maintenance/operation phase (NIST SDLC)

patch management, 210

review process, 211

vulnerability assessments, 210

malicious software, 379

malware, 404-405

MAN (Metropolitan Area Networks), 284

man-in-the-middle attacks, 375

managed switches, 304

management services, OSI reference model, 291

managing

assets

attack methods/techniques, 399-413

prevention/detection tools/techniques, 414-418

problem/incident management, 418-429

security controls, 391-397

change, 113

changes, 418

compliance, 119-121

contracts, 127-128

customers, CRM and BI, 258

employees

audit trails, 106

background checks, 103, 107

compensating controls, 106

dual control, 102, 107

exception reports, 106

forced vacations, 102, 107

handbooks, 100-101

hiring practices, 100

job rotation, 106

NDA, 102, 107

performance assessments, 101

reconciliation audits, 106

roles/responsibilities, 103-104

rotation of assignments, 102, 107

separation events (termination), 102-103

SoD, 105-107

supervisor reviews, 106

training, 101, 107

transaction logs, 106

management and control frameworks

change management, 113

COBIT 5, 111, 117-118

COSO, 110, 115-116

CSF, 111

EA, 111-112

ISO, 111, 114-115

quality management, 114-119

performance, 107

BSC, 109-110

KGI, 109

KPI, 109

metrics, 108-109

risk thresholds, 109

target values, 108

thresholds, 109

units, 108

problem/incident management

change management, 418

computer crime jurisdictions, 429

escalation/response procedures, 424

forensic investigation, 425-428

fraud risk factors, 419-420

incident response, 420-422

processes/procedures, 422-424

prosecuting computer crime, 429

projects

defining requirements, 251

design/development, 251

feasibility, 251

implementation phase, 251

post-implementation phase, 252

software acquisition process, 251

system change procedures, 252

systems controls, 250-251

testing, 251

quality

CMM, 116-119

COSO, 115-116

ISO, 114-115

relationships (contractors/IS suppliers/vendors), 129-130

risk

acceptance, 45

analysis, 44

avoidance, 44

Basel III, 35

Coca-Cola, 43

defining, 44

ERM, 80-89

lagging risk indicators, 120

leading risk indicators, 120

management teams (ERM), 81

monitoring, 45

organizational risk, quantitative risk analysis, 85

qualitative risk analysis, 86-87

quantitative risk analysis, 84-87

reduction, 44

tolerance, 45-47

transference, 45

threats, defining, 44

Three Lines of Defense, 87-89

supply chains. See SCM

manipulation controls (EDI), 254

manual application controls, 236-237

manual authorization controls, 238

manual recalculations (data integrity controls), 240

mapping (application testing), 246

master license agreements, 186

material (risk management), defining, 41

maturity models, 116-119

maximum acceptable outages, BCP, 158

maximum tolerable outages, BCP, 158

media-rotation strategies (backups)

grandfather-father-son rotation method, 168

simple rotation method, 167

Tower of Hanoi rotation method, 168

memory

buffer overflow attacks, 409

RAM lookup tables, 304

smartphones/tablets, 302

virtual memory, 277

memory tables, final exam preparation, 441-442

mesh topologies (networks), 319

message boards, security, 397

messaging

IM security, 396-397

pretexting attacks, 400

metadata, 278

metrics (performance management), 108-109

Microsoft Attack Surface Analyzer, 409

migrations

data migration and data conversion tools, 209

VM migration (live), 222

MIMO (Multiple Input, Multiple Output), 301

mining data, 278

mirroring ports, 317

MITM (Man-In-The-Middle) attacks, 401

mobile sites, disaster recovery planning, 160

model-driven DSS (Decision Support Systems), BI, 257

modems, 305

MOM (Means, Opportunity, and Motive), fraud risk factors, 419

monitoring

audit monitors, EDI, 254-255

continuous monitoring, 55-56

DAM, 394

embedded audit modules, 52

information asset protection, 371-372

OSI reference model, 290

performance, 130

IT suppliers, 128

systems/capacity planning, 315-323

risk (risk management), 45

RMON, 290

third-party monitoring, 318

MOU (Memorandums of Understanding), 215

MPLS (Multiprotocol Label Switching), 313

MTBF (Mean Time Between Failures), hardware recovery, 163

MTD (Maximum Tolerable Downtime), 158-159. See also maximum acceptable outages

MTTF (Mean Time To Failure), hardware recovery, 163

MTTR (Mean Time To Repair), hardware recovery, 164

MU-MIMO (Multi-user Multiple Input, Multiple Output), 301

multi-platform authentication, Federation, 343-345

multicast addresses, 294

multiple encryption, 361

multiplexing, OFDM, 300

My Certifications (ISACA website), 7, 15-17

N

n-tier, application development, 220-221

NAC (Network Access Control), 415

NAT (Network Address Translation), 310

natural disasters, recovery planning, 140

NDA (Non-Disclosure Agreements), 102, 107

NDMS (Network Database-Management Systems), 279

negotiations/conflict resolution, 58-59

NetFlow, 415

network access layer (TCP/IP reference model), 292-293

network administrators, 104

network analyzers

port mirroring, 317

Wireshark, 316

network forensics, 427

network layer (OSI reference model), 288

network sniffers, 400

networking cards (wireless), 299

networks, 283

802.11 wireless standard, 299-301

anycast addresses, 294

ARP, 294

Bluetooth, 298-299

broadcast addresses, 294

bus topologies, 319

cabling

attenuation, 320

baseband transmissions, 320

broadband transmissions, 321

coaxial cabling, 321-322

copper cabling, 322

fiber-optic cabling, 321-322

plenum-grade cabling, 321

twisted-pair cabling, 321

collision domains, 303

DHCP, 297

DMZ, 306, 309

DNS, 291, 297, 312

DNSSEC, 297

edge devices, 306-312

Ethernet, 292-293

firewalls

configuring, 308-310

packet filter firewalls, 307-308

proxies, 307

screened host firewalls, 309

WAF, 308

FQDN, 292

FTP, 290

full-mesh networks, 320

GAN, 284

gateways, 305, 308

hubs, 303-305

IDP, 310

IDS

anomaly detection IDS, 312

HIDS, 310

NIDS, 310

pattern-matching (signature) IDS, 311

protocol decoding IDS, 312

IMAP, 291, 297

IP, VoIP, 313

IPS, 310

ISDN, 314

LAN, 284

MAC addresses, 293

MAN, 284

mesh topologies, 319

modems, 305

monitoring, 290

multicast addresses, 294

NAT, 310

OSI reference model, 286

application layer, 287

data link layer, 289

directory services, 291

email services, 290

file sharing services, 290

HTTP, 292

IP address verification services, 290

management services, 291

monitoring services, 290

network layer, 288

physical layer, 289

presentation layer, 287

print services, 291

processing data, 289-290

protocol analysis services, 290

session layer, 288

TCP/IP model versus, 292

transport layer, 288

PAN, 284

ping, 290

POP3, 291, 297

PPTP, 293

protocols, 285-286

RAM lookup tables, 304

repeaters, 303

ring topologies, 319

RIP, 295

RMON, 290

routers, 304-305

SAN, 285

SMTP, 290

SNMP, 291

social networks, BI, 260

SSH, 291

standards, 285-286

star topologies, 319

subnets, 293, 309

switches, 304-305

TCP, 295

TCP/IP reference model

application layer, 296-297

DHCP, 297

DNS, 297, 312

DNSSEC, 297

host-to-host/transport layer, 295

Internet layer, 293-295

network access layer, 292-293

OSI model versus, 292

Telnet, 291

Token Ring protocol, 293

traceroute, 290

UDP, 295

unicast addresses, 294

VoIP, 295, 313

VPN, 293, 347-348

WAN, 284

circuit switching, 313-314

packet switching, 312-313

WAP, 305

wireless technologies

802.11 wireless standard, 299-301

Bluetooth, 298-299

BYOD policies, 302-303

DSSS, 300

encryption, 299

FHSS, 300

frequency bands, 301

hotspots, 302-303

MIMO, 301

MU-MIMO, 301

OFDM, 300

smartphones, 302-303

spreading codes, 300

SSID, 299

tablets, 302-303

WAP, 299

WEP, 299-301

wireless networking card, 299

WPA, 299

WLAN, 322

WPAN, 284

NIDS (Network-based Intrusion Detection Systems), 310

NIST (National Institute of Standards and Technology), 37

CSF, 111

penetration testing, 417-418

SDLC, waterfall model, 200-201

development phase, 204-208

disposal phase, 211

implementation phase, 208-209

initiation phase, 202-204

operation/maintenance phase, 210

NPV (Net Present Value), ROI, 192

nonstatistical sampling, 51

O

objectives/culture of projects (project management), 189

observation, application controls, 244, 248

OBS (Object Breakdown Structure), project management, 189

occurrence (rates of), ARO and quantitative risk analysis, 85

OFDM (Orthogonal Frequency-Division Multiplexing), 300

Office Space, 412

offsite storage (backups), 167

OLA (Operating Level Agreements), 215

one-to-many search process. See identification

one-to-one checking (data file controls), 242

one-to-one search process. See authentication

online auditing (continuous), 247-249

online data integrity (data integrity controls), 245

onsite storage (backups), 167

OOSD (Object-Oriented System Development), 220

open Wi-Fi, data breaches, 377

OpenID, SOA, 344

operation/maintenance phase (NIST SDLC), 210

patch management, 210

review process, 211

vulnerability assessments, 210

operational audits, 40

operational interruptions, BCP recovery strategies, 149

opinions (audit reports), 52, 58

optimizing processes, 121

PDCA method, 123-125

Taguchi method, 122-125

organizational forms (project management), 188-189

organizational risks, quantitative risk analysis, 85

organizations

accountability, 95

expectations of, 95

OS (Operating Systems), 275-276

encryption, 393

hardening, 392

log security, 393

password security, 393

patch security, 393

secondary storage, 277

security, 391-393

technical controls (security controls), 391-393

user account security, 393

utility software, 277

virtual memory, 277

vulnerability assessments, security, 393

OSI (Open Systems Interconnection) reference model, 286

application layer, 287

data link layer, 289

directory services, 291

encryption, 367-368

file sharing services, 290

HTTP, 292

IP address verification services, 290

IP email services, 290

management services, 291

monitoring services, 290

network layer, 288

physical layer, 289

presentation layer, 287

print services, 291

processing data, 289-290

protocol analysis services, 290

session layer, 288

TCP/IP model versus, 292

transport layer, 288

OSPF (Open Shortest Path First), 295

OSSTMM (Open Source Security Testing Methodology Manual), penetration testing, 417

outages, BCP, 158

output controls (business process controls), 242

output/input controls, 205

outsider fraud risk factors (problem/incident management), 419-420

outsourcing, 214. See also vendors

BPA, 215

contract management, 127-128

ISA, 215

MOU, 215

OLA, 215

performance monitoring, 128

relationship management, 129-130

third-party audits, 126-127

third-party outsourcing, 125-126

UA, 215

oversight boards (project management), 188

oversubscription, disaster recovery planning, 163

OWASP top 10 security concerns, 393

ownership, authentication by, 338

P

Pac-Man, 412

packet filtering, firewalls, 307-308

packet switching, 312-313

PAN (Personal Area Networks), 284

parallel operation

application testing, 246

changeover techniques, 209

parallel simulations, 52, 246

parallel testing, 207

parity checking (data file controls), 242

passive discovery stage (penetration testing), 417

passwords

as authorization control, 238

brute-force attacks, 413

changing, 337

clipping levels, 379

comparative analysis, 412

complexity of, 337

cracking programs, 412-413

dictionary attacks, 412

dual-factor authentication, 93

good password characteristics, 337

hybrid attacks, 412-413

John the Ripper, 413

lockout thresholds, 337, 379

OS security, 393

password controls (business process controls), 242

rainbow tables, 413

thunder tables, 413

verification policies, 337

weak passwords, 378

patches

managing, 210

OS patching, 393

unpatched systems, 378

pattern-matching (signature) IDS, 311

payback analysis, 211

payback period (ROI), 192

PBX (Private Branch Exchange) systems, voice communication security, 357

PCI (Payment Card Industry) standards, 35-36, 119

PCI-DSS (Payment Card Industry Data Security Standard), 370

PDCA (Plan-Do-Check-Act) process optimization technique, 123-125

Pearson IT Certification website, 438

Pearson Test Prep software, 437, 442

offline access, 438-439

online access, 438-439

practice exams

customizing, 439-440

Flash Card Mode, 439

Practice Exam Mode, 439

Study Mode, 439

updating, 440

Premium Edition, 440

website, 438

PEM (Privacy Enhanced Mail), 255

penetration testing, 416-418

performance

assessments, employee management, 101

capacity planning

cloud providers, 318

flow analysis, 315

load balancing, 318

network analyzers, 316-317

network cabling, 320-322

network design, 318-319

SNMP, 315

utilization reports, 315-317

vendors, 318

Windows Performance Monitor, 315

wireless systems, 322-323

managing, 107

BSC, 109-110

KGI, 109

KPI, 109

metrics, 108-109

risk thresholds, 109

target values, 108

thresholds, 109

units, 108

monitoring, 128-130

systems performance monitoring

cloud providers, 318

flow analysis, 315

load balancing, 318

network analyzers, 316-317

network cabling, 320-322

network design, 318-319

SNMP, 315

utilization reports, 315-317

vendors, 318

Windows Performance Monitor, 315

wireless systems, 322-323

perimeter security control

bollards, 350

CCTV systems, 352, 355-356

dogs, 351

entry points, 351

fences, 349-350

gates, 350

guards, 352

HVAC, 356

lighting, 351, 354

locks, 353-354

turnstiles, 352

personal data, classifying, 97

PERT (Program Evaluation and Review Technique), 197-198

PGP (Pretty Good Privacy), 255, 369

phased changeover (changeover techniques), 209

PHI (Protected Health Information), data classification, 97

phishing, 400

phreakers, 356, 419

physical layer (OSI reference model), 289

physical/environmental access control

bollards, 350

CCTV systems, 352, 355-356

dogs, 351

entry points, 351

fences, 349-350

gates, 350

guards, 352

HVAC, 356

lighting, 351, 354

locks, 353-354

turnstiles, 352

PIA (Privacy Impact Analysis), 372

picking locks, 354

PII (Personally Identifiable Information), data classification, 97

pilot changeover (changeover techniques), 209

pilot testing, 207

pineapples (Wi-Fi), 376

ping, 290

ping of death, 402

PKI (Public Key Infrastructure), 365-366

plaintext (encryption), 358, 374

planning audits. See also audit universes

planning phase (project management)

CPM, 198

scheduling tasks, 197-198

software

costs, 193-194

size, 195-196

timebox management, 199

planning stage (penetration testing), 417

plenum-grade cabling, 321

pod slurping, 376

point-in-time backups, 169

policy development (IT governance), 90

advisory policies, 91

auditing, 94-96

baselines, 92-96

bottom-up policy development, 91

data classification, 96-98

defining policies, 91

documentation, 92

informative policies, 92

procedures, 92-96

regulatory policies, 91

security policies, 98-99

standards

auditing, 94-96

documentation, 92

supporting policies, 77

top-down policy development, 91

POP (Post Office Protocol), 255

POP3 (Post Office Protocol), 291, 297

ports

common port numbers, 297

mirroring, 317

USB ports (uncontrolled), data breaches, 377

post-implementation phase (project management), 252

POTS (Plain Old Telephone Service), 314

power supplies, UPS, 171

PPTP (Point-to-Point Tunneling Protocol), 293, 348

practice exams

customizing, 439-440

Flash Card Mode, 439

Practice Exam Mode, 439

Study Mode, 439

updating, 440

pre-disaster planning. See problem/incident management

preparedness tests, BCP, 155-156

preparing for CISA exams

chapter-ending review tools, 441

DITKA questions, 442

memory tables, 441-442

Pearson Test Prep software, 437, 442

customizing exams, 439

customizing practice exams, 440

Flash Card Mode, 439

offline access, 438-439

online access, 438-439

Practice Exam Mode, 439

Premium Edition, 440

Study Mode, 439

updating exams, 440

website, 438

review questions, 442

presentation layer

BI data architectures, 256

OSI reference model, 287

pretexting attacks, 400

prevention/detection tools/techniques

attack-detection tools, 414

audit-reduction tools, 415

integrity checks, 414

log reviews, 414-415

NAC, 415

NetFlow, 415

security testing, 416-418

SIEM, 415

trend-detection tools, 414

variance-detection tools, 414

preventive controls, 47, 143

PRI (Primary Rate Interface), ISDN, 314

primary keys (ERD), 203

principle of least privilege (security policies), 99

print services, OSI reference model, 291

printing controls (business process controls), 242

privacy controls, 372

private clouds, 216

private key encryption

3DES, 359

AES, 362

Blowfish, 359

DES, 359-361

RC4, 360

RC5, 360

Rijndael, 360-362

SAFER, 360

privileges

escalation of privileges, virtualization, 222

principle of least privilege, security policies, 99

security policies, 99

PRM (Performance Reference Model), FEAF, 112

problem/incident management

change management, 418

computer crime jurisdictions, 429

criminal hackers, 419

fraud risk factors, 419-420

hackers, 419

incident response

defining incidents, 422

documentation, 421, 424

escalation/response procedures, 424

event analysis, 422

forensic investigation, 425-428

honeypots, 422

incident response teams, 420-422

processes/procedures, 422-424

phreakers, 419

prosecuting computer crime, 429

script kiddies, 419

terrorists, 420

procedures

documentation, 92

IT governance, 93

policy development, 93

processes

IT governance, defining supporting processes, 77

optimization techniques, 121

PDCA method, 123-125

Taguchi method, 122-125

processing controls (business process controls)

data integrity controls, 240-241

edit controls, 239

program change documents, 243

programmed application controls. See automation, application controls

programming controls (data integrity controls), 240

project management

attributes of projects, 187

closing phase, 199

constraints of, 187, 192

control/execution phase, 199

cost, 187

critical tasks, 198

culture/objectives, 189

design/development, 251

feasibility, 251

gap analysis, 192

implementation phase, 251

initiation phase, 193

investment in projects

business case analysis, 190

feasibility studies, 191

ROI, 191

objectives/culture, 189

OBS, 189

organizational forms, 188-189

oversight boards, 188

planning phase

CPM, 198

scheduling tasks, 197-198

software costs, 193-194

software size, 195-196

timebox management, 199

post-implementation phase, 252

project managers, 188

QA, 188

requirements, defining, 251

responsibilities in, 188-189

roles in, 188-189

scope, 187, 192

scope creep, 204

security requirements, 191

senior management, 188

software acquisition process, 251

sponsors, 188

stakeholders, 188

steering committees, 188

structure of, 188-189

system change procedures, 252

systems controls, 250-251

teams, 188

testing, 251

time, 187

WBS, 190

prosecuting computer crime, 429

protocol decoding IDS, 312

protocols

analyzing, OSI reference model, 290

network protocols, 285-286

prototyping, 212

proxies, 307

public clouds, 216

public key encryption

digital signatures, 365

ECC, 363

hashing, 364

PKI, 365-366

quantum cryptography, 364

RSA, 363

trap door functions, 362

Q

QA (Quality Assurance), 56-57

project management, 188

quality assurance employees, 104

qualified opinions (audit reports), 58

qualitative analysis, risk assessment, 86-87

qualitative judgments, risk assessment, 43

quality assurance, systems controls, 250-251

quality management

CMM, 116-119

COSO, 115-116

ISO, 114-115

quantitative analysis, risk assessment, 42-43, 84-87

quantum cryptography, 364

questions

CISA exams, format of, 14-15

DITKA questions, final exam preparation, 442

review questions, final exam preparation, 442

R

RA (Registration Authorities), PKI, 366

RAD (Rapid Application Development), 212

RADIUS (Remote Authentication Dial-In User Service), 345-346

RAID (Redundant Array of Independent Disks), 164-165

rainbow tables, 413

RAM (Random Access Memory) lookup tables, 304

range checks (edit controls), 239

ransomware, 395

rates of occurrence, ARO and quantitative risk analysis, 85

rating audit reports, 59

RC4 (Rivest Cipher 4) encryption, 360

RC5 (Rivest Cipher 5) encryption, 360

RDMS (Relational Database-Management Systems), 281

reasonableness checks (edit controls), 239

reasonableness verification (data integrity controls), 240

recalculations (manual), data integrity controls, 240

reciprocal agreements, disaster recovery planning, 162-163

reconciliation audits, employee management, 106

reconciliation of file totals (data integrity controls), 241

recovery planning

alternate processing sites, 160

cold sites, 161

hot sites, 160

mobile sites, 160

oversubscription, 163

reciprocal agreements, 162-163

subscription services, 160, 163

warm sites, 161

alternative processing agreements, reviewing, 171

BCP, 142

administrative support teams, 154

auditor role, 143

BIA, 144-149

communications teams, 154

coordination teams, 154

core processes, 158

corrective controls, 143

damage assessment teams, 153

detective controls, 143

development phase, 149-150

discretionary processes, 159

emergency management teams, 153

emergency operations teams, 154

emergency response teams, 153

final plan design, 151-152

finance teams, 154

impact analysis phase, 144-149

implementation phase, 151-156

incident response teams, 153

initiation phase, 143

interruptions, 149-150

maintenance phase, 156

maximum acceptable outages, 158

maximum tolerable outages, 158

metrics, 157-158

monitoring phase, 156

preventive controls, 143

project management, 143

recovery strategies, 149-150

recovery test teams, 154

relocation teams, 154

responsibilities, 152-153

reviewing results, 157-158

reviewing tasks, 170

RPO, 157

RTO, 157-159

salvage teams, 153

SDO, 158

security teams, 154

supplies teams, 154

supporting processes, 158

team responsibilities, 143

testing phase, 153-156

training and awareness, 152-153

transportation teams, 154

verifying tasks, 170

WRT, 158

contracts, reviewing, 171

COOP websites, 172

data recovery, 165-169

disaster life cycle, 172-173

disaster recovery checklist, 172

hardware recovery

clustering, 164

fault tolerance, 164

MTBF, 163

MTTF, 163

MTTR, 164

RAID, 164-165

SLA, 164

incident classification, 141-142

insurance, reviewing, 171

MTD, 159

natural disasters, 140

power supplies, 171

recovery times, 161-162

redundant processing sites, 160

reviewing tasks, 170

telecommunications recovery, 169-170

verifying tasks, 170

recovery test teams (BCP), 154

recovery times, disaster recovery planning, 161-162

red team activities. See penetration testing

reducing risk (risk management), 44

redundancy, telecommunications recovery, 169

redundant processing sites, 160

reengineering, 213

referential data integrity (data integrity controls), 245

registering for CISA exams, 7

regression testing, 207

regulatory compliance risk assessments (audit universes), 236

regulatory policies, 91

regulatory standards

compliance with, 38

knowledge of, 35-36

relational data integrity (data integrity controls), 245

relations (databases), 278

relationship management (contractors/IT suppliers/vendors), 129, 130

relocation teams (BCP), 154

remanence (data), VM, 222

remote access

Diameter, 346

encryption, 347

RADIUS, 345-346

risks of, 347

security, 396

TACACS, 346

VPN, 347-348

repeaters, 303

reporting stage (penetration testing), 417

reports

audit reports, 49, 57

opinions, 52-53, 58

rating, 59

writing, 53-54

before-and-after image reports, 242

distribution on (application controls), 244

exception reports, 106, 241

financial reports, COSO, 35

maintenance error reports, 242

transaction logs, 242

residual risk, 42

restoring data, 302

retaking CISA exams, 16

reverse engineering, 205

reviewing projects, 211

review questions, final exam preparation, 442

RFP (Requests for Proposal), 204

right-to-audit clauses, 127

Rijndael encryption, 360-362

ring topologies (networks), 319

RIP (Routing Information Protocol), 295

risk analysis, 44

risk assessment, 40

audit risk, 42

audit universe risk ranking, 236

control risk, 41-42

detection risk, 41-42

information asset protection, 372

inherent risk, 41

material, defining, 41

qualitative analysis, 86-87

qualitative judgments, 43

quantitative analysis, 42-43, 87

ALE, 85

ARO, 85

costs of losses, 85-86

exposure factor, 84

organizational risks, 85

SLE, 85

stochastic events, 85

residual risk, 42

risk management

Basel III, 35

Coca-Cola, 43

ERM, 80

asset identification, 82

qualitative risk analysis, 86-87

quantitative risk analysis, 84-87

risk management teams, 81

threat identification, 82-83

Three Lines of Defense model, 87-89

lagging risk indicators, 120

leading risk indicators, 120

organizational risk, quantitative risk analysis, 85

risk acceptance, 45

risk analysis, 44

risk avoidance, 44

risk monitoring, 45

risk reduction, 44

risk, defining, 44

risk tolerance, 45-47

risk transference, 45

threats, defining, 44

risk thresholds, performance management, 109

Rivest, Ron, 363

RMON (Remote Network Monitoring), 290

ROI (Return on Investment), 191, 211

rotating jobs, employee management, 106

rotation of assignments (employee management), 102, 107

rounding-down attacks, 412

routing, 304-305

protocols, 294-295

telecommunications recovery, 170

Royce, W.W., 200

RPO (Recovery Point Objectives), BCP, 157

RSA (Rivest, Shamir, Adleman) encryption, 363

RTO (Recovery Time Objectives), BCP, 157-159

RUDY (R U Dead Yet?), 403

run-to-run totals (data integrity controls), 240

S

S/MIME (Secure/Multipurpose Internet Mail Extensions), 255, 369

SAFER (Secure and Fast Encryption Routine), 360

salami technique, 412

sales automation (CRM), 259

salvage teams (BCP), 153

SAML (Security Assertion Markup Language), SOA, 344

SAN (Storage Area Networks), 166, 285

SCSI, 168

snapshots, 169

VSAN, 168

Sarbanes-Oxley Act (SOX), 4-5, 35, 119

satisfactory audit reports, 58

SCADA (Supervisory Control and Data Acquisition), 35

SCARF/EAM (Systems Control Audit Review File/Embedded Audit Modules), continuous online auditing, 247

scheduling

CISA exams, 6

tasks, project management, 197-198

schemas, 278

SCM (Supply Chain Management), BI, 259

scope of projects (project management)

project management, 187, 192

scope creep, 204

scores (CISA exams), getting, 15

screened host firewalls, 309

screened subnets, 309

script kiddies, 419

scripting, XSS attacks, 411

scrubbing locks, 354

scrums, software development, 213

SCSI (Small Computer System Interface), SAN, 168

SDLC (Systems Development Life Cycle)

auditor’s role in, 249

software development, 212-213

systems-development methodology, 200-211

software development

agile development, 213

incremental development, 212

prototyping, 212

RAD, 212

reengineering, 213

scrums, 213

spiral development, 212

sprints, 213

XP, 213

waterfall model, systems-development methodology, 200-201

development phase, 204-208

disposal phase, 211

implementation phase, 208-209

initiation phase, 202-204

operation/maintenance phase, 210

SDO (Service Delivery Objectives), BCP, 158

secondary storage, virtual memory, 277

security

architects, 104

asynchronous attacks, 411

backups, 395

black-box testing, 409

blogs, 397

Bluetooth, 406

botnets, 403-404

brute-force attacks, 413

buffer overflow attacks, 409

bypass label processing, 414

cloud computing, 219

DAM, 394

databases, 408-409

backups, 395

DAM, 394

EDR, 394

OWASP top 10 security concerns, 393

shadowing, 395

WAF, 393

DDoS attacks, 402-403

dictionary attacks, 412

DoS attacks, 402-403

droppers, 405

dumpster diving attacks, 400

EDR, 394

email attacks, 400

FIPS, 37

FISMA, 35, 120

fuzzing, 409

hijacking attacks, 401

HOIC, 403

hping, 403

hybrid attacks, 412-413

IM, 396-397

integer overflow attacks, 412

labels, bypassing, 414

log reviews/audits, 414-415

logic bombs, 411

LOIC, 403

malware, 404-405

message boards, 397

MITM attacks, 401

NIST, 37

OS, 391

encryption, 393

hardening OS, 392

logs, 393

passwords, 393

patches, 393

user accounts, 393

vulnerability assessments, 393

OWASP top 10 security concerns, 393

passwords

brute-force attacks, 413

comparative analysis, 412

cracking programs, 412-413

dictionary attacks, 412

hybrid attacks, 412-413

John the Ripper, 413

OS security, 393

rainbow tables, 413

thunder tables, 413

penetration testing, 416-418

phishing attacks, 400

ping of death, 402

policies, 98-99

pretexting attacks, 400

project management, 191

ransomware, 395

rounding-down attacks, 412

RUDY, 403

salami technique, 412

security teams (BCP), 154

slowloris, 403

smurfing attacks, 402

sniffing attacks, 400

social media, 397-398

social-engineering attacks, 399-400

spear phishing attacks, 400

spoofing attacks, 400

SQL injection attacks, 394, 408-409

syn flooding, 403

testing

penetration testing, 416-418

vulnerability scanning, 416

TOCTOU attacks, 411

trap doors, 411

Trojans, 405

virtualization, 395-396

viruses, 405

VM, hardening, 395

vulnerability scanning, 416

WAF, 393

WAP, 406-407

websites, 397

whaling attacks, 400

wireless networks, 406

worms, 405

wrappers, 405

XSRF attacks, 411

XSS attacks, 411

zero-day attacks, 404

security controls

administrative controls

blogs, 397

IM, 396-397

message boards, 397

social media, 397-398

websites, 397

encryption

3DES, 359

AES, 362

algorithms, 358

asymmetric encryption, 358-359, 362-368

Atbash, 357

block ciphers, 361

Blowfish, 359

Caesar’s cipher, 357

ciphertext, 358

cryptanalysis, 358

cryptography, 358, 363-364, 367-368, 374-375

data breaches, 374-375

DES, 359-361

digital signatures, 365

ECC, 363

end-to-end encryption, 368

hashing, 364

key length, 358

link-state encryption, 368

multiple encryption, 361

OSI reference model, 367-368

PKI, 365-366

plaintext, 358

private key encryption, 359-362

public key encryption, 362-366

quantum cryptography, 364

RC4, 360

RC5, 360

Rijndael, 360-362

RSA, 363

SAFER, 360

stream ciphers, 361

symmetric encryption, 358-362, 367-368

hardware, voice communications, 356-357

information asset protection, 372

software

encryption, 357-368

voice communications, 356-357

technical controls

cloud computing, 391

databases, 393-395

OS, 391-393

virtualization, 395-396

voice communications

PBX systems, 357

phreakers, 356

VoIP, 357

security teams (BCP), 154

semi-quantitative analysis (qualitative risk analysis), 87

senior management (project management), 188

separating duties (application controls), 244

separation events (termination), 102-103

sequence checks (edit controls), 239

servers

certificate servers, PKI, 366

clustering, hardware recovery, 164

virtual servers, 221, 395-396

service management frameworks

COBIT, 273-274

databases

ACID tests, 282

aggregation, 278

attributes, 278

CRM, 279

data integrity, 281

data mining, 278

data warehouses, 279

database-management systems, 278-281

fields, 278

foreign keys, 278

granularity, 278

HDMS, 279

metadata, 278

NDMS, 279

RDMS, 281

relations, 278

schemas, 278

tuples, 281

DRM, 283

eTOM, 273-275

FitSM, 273-274

ISO 20000, 273-274

ITIL, 273

OS, 275-277

software licensing

EULA, 282

illegal software, 283

services

SOA, 344-345

SPML, 344

session layer (OSI reference model), 288

SET (Secure Electronic Transaction), 368

shadowing databases (standby), 169

Shamir, Adi, 363

shared cost corporate structures, 77

sharing files, OSI reference model, 290

Shewhart, Walter A., 123

Shibboleth, SOA, 344-345

Shodan, 420

short-term business goals, defined, 237

shrink-wrap license agreements, 186

SIEM (Security Information and Event Management), 394, 415. See also DAM

signatures

as authorization control, 238

digital signatures, 365

simple backup rotation method, 167

site-to-site VPN, 348

size of software (project management, planning phase), 195-196

skills (work-related) for IS auditing, 27-28

SLA (Service Level Agreements), 127-128, 164

SLE (Single Loss Expectancy)

BIA criticality analysis, 147

quantitative risk analysis, 85

SLOC (Source Lines of Code), software size estimation, 195

slowloris, 403

smartphones/tablets, 302-303, 377

SMTP (Simple Mail Transfer Protocol), 255, 290

smurfing attacks, 402

snapshots

application testing, 246

continuous online auditing, 248

SAN, 169

sniffing attacks, 400

SNMP (Simple Network Management Protocol), 291, 315

SOA (Service-Oriented Architectures)

OpenID, 344

SAML, 344

Shibboleth, 344-345

SPML, 344

WAYF, 345

WS Security, 344

XML, 344

sociability testing, 207

social media

BI, 260

security, 397-398

social-engineering attacks, 399-400

SoD (Segregation of Duties), employee management, 105-107

soft skills, IS auditing, 27

software

acquisition process (project management), 251

antivirus software, virtualization, 395

buffer overflow attacks, 409

COCOMO II software estimation, 194

costs of (project management, planning phase), 193-194

data recovery, 165-169

development tools/methods

agile development, 213

incremental development, 212

prototyping, 212

RAD, 212

reengineering, 213

scrums, 213

spiral development, 212

sprints, 213

XP, 213

escrow agreements, 185

forensics, 427

licensing, 185

click-wrap agreements, 186

DMCA, 186

EULA, 282

illegal software, 283

master agreements, 186

shrink-wrap agreements, 186

malicious software, 379

malware, 404-405

Pearson Test Prep software, 437, 442

customizing practice exams, 439-440

Flash Card Mode, 439

offline access, 438-439

online access, 438-439

Practice Exam Mode, 439

Premium Edition, 440

Study Mode, 439

updating practice exams, 440

website, 438

ransomware, 395

security controls

encryption, 357-368

voice communications, 356-357

size estimation (project management, planning phase), 195-196

utility software, 277

somewhere you are systems, authentication by, 340

SOX (Sarbanes-Oxley) Act, 4-5, 35, 119

spear phishing, 400

spiral software development, 212

SPML (Service Provisioning Markup Language), SOA, 344

sponsors

project management, 188

sponsor pays corporate structures, 77

spoofing attacks, 400

spreading codes, 300

sprints, software development, 213

SQL injection attacks, 394, 408-409

SRM (Security Reference Model), FEAF, 112

SSAE 16 (Statement on Standards for Attestation Engagements 16) assessments, 127

SSAE 18 (Statement on Standards for Attestation Engagements 18) assessments, 127

SSH (Secure Shell), 291, 347, 368

SSID (Service Set ID), 299

SSL (Secure Sockets Layer), 348

SSO (Single Sign-On), 340

advantages of, 341

Kerberos, 341-342

stakeholders (project management), 188

standards

documentation, 92

IT governance, 92

networks, 285-286

policy development, 92

SSAE 16, 127

SSAE 18, 127

standby database shadowing, 169

star topologies (networks), 319

stateless connections, 292

static data (data categories), 241

static forensic analysis, 428

statistical sampling, 51

steering committees (project management), 188

stochastic events, 85

stolen/lost smartphones/tablets, 302

stop-and-go sampling, 52

storage

backups

electronic vaulting, 169

grandfather-father-son rotation method, 168

location redundancy, 168

media-rotation strategies, 167-168

offsite storage, 167

onsite storage, 167

security, 169

simple rotation method, 167

standby database shadowing, 169

testing, 167

Tower of Hanoi rotation method, 168

offsite storage, 167

onsite storage, 167

storage cards, smartphones/tablets, 302

store-and-forward switches, 304

stream ciphers, 361

striping, RAID, 164-165

Study Mode (practice exams), 439

subnets, 293, 309

subscription services, disaster recovery planning, 160, 163

substantive tests, 39, 45

Summary view (Wireshark), 316

Superman III, 412

superusers (privileged accounts), 99

supervisor reviews, employee management, 106

supplies teams (BCP), 154

supply chains, managing. See SCM, 259

supply interruptions, BCP recovery strategies, 149

supporting processes, BCP, 158

SURRE rule, evidence handling, 49

switches, 304-305

symmetric encryption, 358, 367-368

3DES, 359

AES, 362

Blowfish, 359

DES, 359-361

RC4, 360

RC5, 360

Rijndael, 360-362

SAFER, 360

syn flooding, 403

systems

administrators, 104

alternative system development

CBD, 220

cloud computing, 216-219

DOSD, 219

n-tier, 220-221

OOSD, 220

outsourcing, 214-215

virtualization, 221-222

WBAD, 220

analysts, 104

change procedures (project management), 252

controls

parameters (data categories), 241

project management, 250-251

quality assurance, 250-251

SDLC, auditor’s role in, 249

performance monitoring

cloud providers, 318

flow analysis, 315

load balancing, 318

network analyzers, 316-317

network cabling, 320-322

network design, 318-319

SNMP, 315

utilization reports, 315-317

vendors, 318

Windows Performance Monitor, 315

wireless systems, 322-323

testing, 206

T

T-carriers, 314

table lookups (edit controls), 240

tables

database tables, 241-242

memory tables, final exam preparation, 441-442

rainbow tables, 413

thunder tables, 413

tablets/smartphones, 302-303

TACACS (Terminal Access Controller Access-Control System), 346

tagging (application testing), 246

Taguchi process optimization technique, 122-125

tape backups, 166

tape librarians, 167

target values (performance management), 108

TCO (Total Cost of Ownership), ROI, 192

TCP (Transmission Control Protocol), 288, 295

TCP/IP reference model

application layer, 296-297

DHCP, 297

DNS, 297, 312

DNSSEC, 297

host-to-host/transport layer, 295

Internet layer

distance-vector protocols, 295

IP addressing, 293-294

link-state routing protocols, 295

routing protocols, 294-295

network access layer, 292-293

OSI model versus, 292

teams (project management), 188

technical controls (security controls)

cloud computing, 391

databases, 393-395

OS, 391-393

virtualization, 395-396

telecommunications recovery, 169-170

Telnet, 291, 347

tension wrenches, picking locks, 354

termination (separation events), 102-103

terrorists, incident/problem management, 420

TES (Terminal-Emulation Software), 291

testing

ACID tests, 245

alpha testing, 207

application controls, 244, 248

applications, 246-249

backups, 167

BCP, 153-154

full operation tests, 156

paper tests, 155

preparedness tests, 155-156

beta testing, 207-209

black-box testing, 207, 409

bottom-up testing, 206

CISA tests

applying for certification, 8

CBT, 13

CPE, 16-18

credit tracking, 16-17

exam domains, 10-13

getting scores, 15

grading exams, 13

importance of certification, 4-5

intent of, 3-4

ISACA agreements, 9-10

maintaining certification, 16

mission statement, 3

passing, 9

Pearson Test Prep software, 437-442

popularity of, 5

question formats, 14-15

registering for exams, 7

requirements for, 6-8

retaking, 16

scheduling exams, 6

strategies for, 18-19

tips/tricks, 18-19

work experience waivers, 8

compliance tests, 39

final acceptance testing, 206

function testing, 207

integrated testing facilities

application testing, 246

continuous online auditing, 247

interface testing, 206

ITF, 52

parallel testing, 207

Pearson Test Prep software, 437, 442

customizing practice exams, 439-440

Flash Card Mode, 439

offline access, 438-439

online access, 438-439

Practice Exam Mode, 439

Premium Edition, 440

Study Mode, 439

updating practice exams, 440

website, 438

pilot testing, 207

practice tests

customizing, 439-440

Flash Card Mode, 439

Practice Exam Mode, 439

Study Mode, 439

updating, 440

project management, 251

regression testing, 207

security

penetration testing, 416-418

vulnerability scanning, 416

sociability testing, 207

substantive tests, 39, 45

system testing, 206

top-down testing, 206

UAT, 207-209

unit testing, 206

walk-through testing, 155

white-box testing, 207

text messaging, pretexting attacks, 400

third-party audits, 94-96, 126-127

third-party monitoring, 318

third-party outsourcing, 125-126, 214-215

third-party vendors, capacity planning, 318

threat analysis, ARO and BIA criticality analysis, 147

ThreatExpert, dynamic forensic analysis, 427

threats

categorizing, 83

defining, 44, 83

identifying (ERM), 82-83

losses and, 83

risk management, defining, 44

vulnerabilities and, 83

Three Lines of Defense model (ERM), 87-89

thresholds (performance management), 109

thumb drives, data breaches, 375

thunder tables, 413

time, project management, 187, 192

critical tasks, planning, 198

scheduling tasks, 197-198

timebox management, project management, 199

TLS (Transport Layer Security), 348

TOCTOU (Time-Of-Check, Time-Of-Use) attacks, 411

Token Ring protocol, 293

tokenization, 219. See also encryption

tokens, authentication by, 338

tolerating risk (risk management), 45-47

top-down policy development (IT governance), 91

top-down testing, 206

total document numbers (batch controls), 238

total dollar amounts (batch controls), 238

total item counts (batch controls), 238

Tower of Hanoi backup rotation method, 168

traceroute, 290

tracing (application testing), 246

tracking changes, 418

traffic monitoring, capacity planning, 316

training

BCP, 152-153

cloud computing, 218

employees, 101, 107

transaction files (data categories), 241

transaction logs, 106, 242

transaction selection (application testing), 246

transferring

data, 302

risk (risk management), 45

transmission controls (EDI), 254

transport layer (OSI reference model), 288

transport/host-to-host layer (TCP/IP reference model), 295

transportation teams (BCP), 154

trap door functions, public key encryption, 362

trap doors, 411

trend-detection tools, 414

Trojans, 405

tubular locks, 353

tumbler locks, 353

tunneling, 348

tuples (databases), 281

turnstiles (access control), 352

twisted-pair cabling, 321

two-factor authentication, 338

U

U.S. government laws/regulations

FACTA, 35, 120

FIPS, 37

FISMA, 35, 120

HIPAA, 35, 119

NIST, 37

SCADA, 35

SOX, 35, 119

UA (Uptime Agreements), 215

UAT (User Acceptance Testing), 207-209

Ubertooth, 406

UDP (User Datagram Protocol), 288, 295

unauthorized changes, information systems maintenance, 214

unicast addresses, 294

unit testing, 206

units (performance management), 108

unpatched systems, 378

unqualified opinions (audit reports), 58

unrated audit reports, 58

unsatisfactory audit reports, 58

unsecured devices, data breaches, 375-378

untied websites, 397

updating practice exams, 440

UPS (Uninterruptible Power Supplies), 171

USB drives, data breaches, 375

USB Killer, 375

USB ports (uncontrolled), data breaches, 377

USB Rubber Ducky, 376

user location systems. See somewhere you are systems

users

access control

authentication, 336-345

exterior security control, 349-356

Federation, 343-345

identification, 336

perimeter security control, 349-356

physical/environmental access control, 349-356

remote access, 345-348

SSH, 347

SSO, 340-342

Telnet, 347

BYOD policies, data breaches, 377-378

CRM, BI, 258

customer service (CRM), 259

identification as authorization control, 238

logic bombs, 411

security, 393

user accounts, 393

utility software, 277

utilization reports, capacity planning, 315-317

V

vacations (forced), 102, 107

validity checks (edit controls), 239

variable sampling, 52

variance-detection tools, 414

vaulting (electronic), 169

vendors. See also outsourcing

accountability, 95

auditing, 94-96

BPA, 215

capacity planning, 318

expectations of, 95

ISA, 215

MOU, 215

OLA, 215

outsourcing, 214-215

quality of, 95

relationship management, 129-130

RFP, 204

UA, 215

ventilation (data centers), 356

verification

BCP tasks, 170

conformity, 39

disaster recovery tasks, 170

IP addresses, 290

key verification (edit controls), 240

passwords, 337

reasonableness verification (data integrity controls), 240

regulatory compliance, 38

virtual memory, 277

virtual servers, 221

virtualization

application development, 221-222

authentication, 395

encryption, 395

fabric virtualization. See VSAN

physical controls, security, 395

remote access services, security, 396

resource access, security, 396

security, 395-396

servers, 395-396

technical controls (security controls), 395-396

VM escapes, 395

viruses, 405

VLAN (Virtual Local Area Networks), 304-305

VM (Virtual Machines), 221

data remanence, 222

escapes, 395

hardening, 395

live VM migration, 222

security, hardening, 395

voice communications

recovery, telecommunications recovery, 170

security controls

PBX systems, 357

phreakers, 356

VoIP, 357

VoIP (Voice over Internet Protocol), 295, 313, 357

VPN (Virtual Private Networks), 293, 347-348

VSAN (Virtual Storage Area Networks), 168

vulnerabilities

assessments, 210

defining, 83

OS vulnerability assessments, 393

scanning, 416

threats and, 83

W

WAF (Web Application Firewalls), 308, 393

walk-through testing, 155

WAN (Wide Area Networks), 284

circuit switching, 313-314

packet switching, 312-313

WAP (Wireless Access Points), 299, 305, 406-407

warded locks, 353

warehouses (data), 279

warm sites, disaster recovery planning, 161

WAYF (Where Are You From), SOA, 345

WBAD (Web-based Application Development), 220

WBS (Work Breakdown Structure), project management, 190

web pages, XSS attacks, 411

websites

Basel III, 35

COOP websites, 172

COSO, 35

FACTA, 35

FISMA, 35

HIPAA, 35

ISACA website

Code of Professional Ethics, 9-10

CPE policies, 16

credit tracking, 16-17

earning CPE hours, 17-18

ethics/standards/competency agreements, 9-10

getting CISA exam scores, 15

maintaining CISA certification, 16

My Certifications, 7, 15-17

registering for CISA exams, 7

reporting CPE hours earned, 16-17

laws/regulatory standards, 35

PCI standards, 35-36

Pearson IT Certification website, 438

Pearson Test Prep website, 438

SCADA, 35

security, 397

SOX, 35, 119

untied websites, 397

XSRF attacks, 411

WEP (Wired Equivalent Privacy), 299-301, 407

whaling, 400

white-box testing, 207

Wi-Fi

open Wi-Fi, data breaches, 377

pineapples, 376

Wigle, WAP security, 406

Windows Performance Monitor, 315

wireless networks, 406-407

wireless technologies

802.11 wireless standard, 299-301

Bluetooth, 298-299

BYOD policies, 302-303

DSSS, 300

encryption, 299

FHSS, 300

frequency bands, 301

hotspots, 302-303

MIMO, 301

MU-MIMO, 301

OFDM, 300

smartphones, 302-303

spreading codes, 300

SSID, 299

tablets, 302-303

WAP, 299

WEP, 299-301

wireless networking cards, 299

WPA, 299

Wireshark, 316, 400

WLAN (Wireless Local Area Networks), 299-301, 322

work experience waivers, CISA certification, 8

worms, 405

WP (Work Papers), 50

automated WP, 51

leveraging WP, 54

WPA (Wi-Fi Protected Access), 299, 407

WPA2 (Wi-Fi Protected Access 2), 407

WPAN (Wireless Personal Area Networks), 284

wrappers, 405

wrenches (tension), picking locks, 354

writing audit reports, 53-54

WRT (Work Recovery Time), BCP, 158

WS Security (Web Services Security), SOA, 344

X

X.25, 313

X.509 standard, PKI, 366

XML (Extensible Markup Language), SOA, 344

XP (Extreme Programming) development model, 213

XSRF (Cross-Site Request Forgery) attacks, 411

XSS (Cross-Site Scripting) attacks, 411

Y-Z

Zachman, John, 112

zero-day attacks, 404
