
CISA workbook


DOCUMENT INFORMATION

Basic information

Format
Pages: 394
Size: 10.74 MB

Contents

Course Outline
- The Information Systems Audit Process
- IT Governance
- Systems and Infrastructure Lifecycle Management
- Systems and Infrastructure Lifecycle Maintenance
- IT Service Delivery and Support
- Protection of Information Assets
- Business Continuity and Disaster Recovery

Copyright © 2013 IT University Online. All rights reserved. www.ituonline.com

The Information Systems Audit Process
- ISACA Information Systems Auditing Standards and Guidelines
- Develop and Implement an Information Systems Audit Strategy
- Plan an Audit
- Conduct an Audit
- The Evidence Lifecycle
- Communicate Issues, Risks, and Audit Results
- Support the Implementation of Risk Management and Control Practices

ISACA Code of Professional Ethics
- Guides the professional and personal conduct of members of the association and its certification holders
- All ISACA members and certification holders are required to follow the guidelines stated
- CISA candidates must perform auditing tasks that adhere to the Code of Professional Ethics

Auditing
Auditing is an evaluation of a:
- Process
- Procedure
- Organization
- Job function
- System
(Figure: IS Auditor)

The Information Systems Audit Function
- Planning, performing, reporting, and managing IS audit functions
- Perform audits according to auditing standards and legal requirements

ISACA IS Auditing Standards
Published by ISACA to provide a framework for all auditing procedures:
- S1: Audit Charter
- S2: Independence
- S3: Professional Ethics and Standards
- S4: Professional Competence
- S5: Planning
- S6: Performance
- S7: Reporting
- S8: Follow-Up Activities
- S9: Irregularities and Illegal Acts
- S10: IT Governance
- S11: Use of Risk Assessment in Audit Planning
- S12: Audit Materiality
- S13: Using the Work of Other Experts
- S14: Audit Evidence
- S15: IT Controls
- S16: E-Commerce

ISACA IS Auditing Guidelines
- Resources to guide you in performing auditing
- Use guidelines when implementing the IS auditing standards

ISACA IS Auditing Procedures
ISACA IS auditing procedures allow auditors to implement specific auditing methods that align with the auditing standards:
- P1: IS Risk Assessment Measurement
- P2: Digital Signatures
- P3: Intrusion Detection
- P4: Viruses and Other Malicious Code
- P5: Control Risk Self-assessment
- P6: Firewalls
- P7: Irregularities and Illegal Acts
- P8: Security Assessment: Penetration Testing and Vulnerability Analysis
- P9: Evaluation of Management Controls Over Encryption Technologies
- P10: Business Application Change Control
- P11: Electronic Funds Transfer (EFT)

ITAF
The Information Technology Assurance Framework (ITAF) is an all-inclusive assurance model published by ISACA and ITGI that includes:
- Design elements
- IT assurance auditing guidelines
- Assurance standards used by professionals

Categories of the ITAF Model
- General standards for the IS auditor to perform auditing functions
- Performance standards used to provide auditing and assurance expectations on the job
- Reporting standards that cover all elements of audit reporting
- Guidelines provided to assist the auditor through the entire auditing process
- Tools and techniques that support the ITAF guidelines and standards

Restoration Practices
Recovery practices cover what to do in case of:
- Operating system failure
- Physical damage to hardware
- Logical damage to hardware
- Accidentally overwritten or deleted data

How to Evaluate the Adequacy of Backup and Restore
- Ensure that a backup schedule has been established
- Ensure that the offsite library is thorough, documented, and controlled
- Verify that restores are actually tested, and that the backed-up data has data integrity
- Verify that a proper media rotation method has been put into practice

Business Continuity and Disaster Recovery Regulations
Sources for a BCP or DRP include:
- The Business Continuity Institute (BCI)
- The U.S. National Fire Protection Agency (NFPA)
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996
- Control Objectives for Information and related Technology (COBIT)
- Disaster Recovery Institute International (DRII)
- The U.S. Federal Emergency Management Association (FEMA)

BIA
Business Impact Analysis (BIA) separates organizational functions into critical and non-critical categories.

RPO & RTO
- RPO: defines an acceptable level of data loss
- RTO: expresses the maximum acceptable amount of downtime

BCP and DRP Development
1. Understand the organization, including key business processes
2. Understand the information systems resources
3. Establish the criticality of all information resources
4. Determine the business impact should one or more processes be lost
5. Prioritize the information systems used to support business processes
6. Identify strategies for recovering enough information systems facilities to support the business process until the full systems are available
7. Create a plan for recovering the facilities (the DRP)
8. Create a plan that allows for the business functions to operate at an acceptable level (the BCP)
9. Test both plans
10. Maintain each plan as the business grows and processes change

BCP and DRP Testing Methods
- Desk-based
- Preparedness
- Full operational

BCP and DRP Trigger States
(Figure: Incident -> Invoke the BCP or DRP)

Types of Insurance Coverage
- Information systems equipment and facilities
- Software reconstruction
- Extra expenses
- Business interruption
- Valuable documents and records
- Error and omission
- Fidelity coverage
- Transportation of media

Alternate Processing Site
(Figure: Primary site -> Business functions transfer to alternate site)

Alternate Site Management
- Design of service solutions
- Design of the service portfolio
- Design of the architecture
- Design of processes
- Design of measurement systems and metrics

Telecommunication Network Protection Methods
- Redundancy
- Alternative routing
- Diverse routing
- Long-haul network diversity
- Last-mile circuit protection
- Voice recovery

BCP and DRP HR Management Practices
(Figure: IT Department; Human Resources)

How to Evaluate the BCP and the DRP
- Remember that an information systems auditor's goals in evaluating an organization's business continuity
- Review how the alternate site management is handled
- Review how the policies are tested
- Determine the recovery plan
- Confirm that backup, restore, and recovery procedures are being followed properly
- Evaluate whether or not the recovery plan(s) cover all important systems or equipment
- Confirm that the plan covers disasters of all types

Reflective Questions
- What are some backup and restore policies that you have experienced in your workplace?
- Was it ever necessary to use backed-up data? What were the circumstances?
- Have you ever had to invoke the BCP or DRP? What were its strengths or weaknesses?

...

COBIT
... implementations
- Used by executives, managers, auditors, and IT personnel
- Related to the CISA job practice tasks
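The "Evaluate the Adequacy of Backup and Restore" checklist and the RPO definition above can be turned into evidence-driven tests rather than interview questions. The following added example (not from the workbook or IT University Online) runs three of those checks over a constructed backup journal: backup intervals against an assumed 24-hour RPO, restore-test coverage and integrity by comparing a SHA-256 of the restored data with the data written, and media reuse against an assumed three-tape rotation set. All timestamps, media labels and payloads are constructed sample values.

```python
import hashlib
from datetime import datetime, timedelta

RPO_HOURS = 24                                   # assumed RPO from the BIA (constructed)
ROTATION_SET = {"TAPE-01", "TAPE-02", "TAPE-03"}  # assumed rotation set (constructed)

# Constructed backup journal: what each backup job wrote, and what a restore
# test read back (None = no restore test was ever performed for that backup).
JOURNAL = [
    {"ts": "2024-03-01T01:00", "media": "TAPE-01", "written": b"payroll-03-01", "restored": b"payroll-03-01"},
    {"ts": "2024-03-02T01:00", "media": "TAPE-02", "written": b"payroll-03-02", "restored": None},
    {"ts": "2024-03-04T01:00", "media": "TAPE-03", "written": b"payroll-03-04", "restored": b"payroll-03-04"},
    {"ts": "2024-03-05T01:00", "media": "TAPE-01", "written": b"payroll-03-05", "restored": b"payroll-03-0"},
    {"ts": "2024-03-06T01:00", "media": "TAPE-01", "written": b"payroll-03-06", "restored": b"payroll-03-06"},
]


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rpo_gaps(journal, rpo_hours):
    """Pairs of consecutive backups whose interval exceeds the RPO (schedule finding)."""
    limit = timedelta(hours=rpo_hours)
    gaps = []
    for prev, cur in zip(journal, journal[1:]):
        if datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"]) > limit:
            gaps.append((prev["ts"], cur["ts"]))
    return gaps


def restore_findings(journal):
    """Backups never restore-tested, and backups whose restored data fails the hash check."""
    untested = [e["ts"] for e in journal if e["restored"] is None]
    corrupt = [e["ts"] for e in journal
               if e["restored"] is not None and _sha256(e["restored"]) != _sha256(e["written"])]
    return untested, corrupt


def rotation_findings(journal, rotation_set):
    """Media reused on consecutive runs (rotation skipped), and labels outside the rotation set."""
    reused = [cur["ts"] for prev, cur in zip(journal, journal[1:]) if cur["media"] == prev["media"]]
    unknown = sorted({e["media"] for e in journal} - rotation_set)
    return reused, unknown


if __name__ == "__main__":
    print("RPO gaps:", rpo_gaps(JOURNAL, RPO_HOURS))
    print("Restore (untested, corrupt):", restore_findings(JOURNAL))
    print("Rotation (reused, unknown media):", rotation_findings(JOURNAL, ROTATION_SET))
```

Each non-empty list is an audit finding to record against the corresponding checklist item, with the journal entries as the evidence.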

Posted: 03/11/2019, 10:08
