Wednesday, August 4, 2010

CISA Chapter 1.1

Administrative note:  I decided to split this up into multiple posts, because it was getting really really long.  I'll shoot for more frequent posts in the future that are not so long.  If you would like single long posts instead, sound off in the comments!

Test results

26/30 correct = 87%

Questions I missed:

What is a work breakdown structure? 
I thought it was a sequence of steps with milestones in support of the project scope, but the correct answer is “Decomposition of tasks”.  Those seem pretty similar in my mind: you decompose tasks into steps with milestones, but I guess the author of the book doesn’t think that way.

What is not a responsibility of the Audit Committee?
The “not” tripped me up here.  I chose “The audit committee is composed of members from the board of directors. This committee has the authority to hire external auditors, and external auditors may meet with the committee on a quarterly basis without other executives present.” which is a responsibility of the committee.  Paying attention to the wording of questions is important.

What type of audit checks attributes against the design specifications?
I chose a System audit, the correct answer is a Product audit.  I’m in the mode of thinking about IS audits and IS systems, so I’ll have to keep in mind the other types of audits that exist.

What is the purpose of the skills matrix?
I had no idea what a skills matrix was, so I just guessed on this question.  Turns out the correct answer is “Describe the person needed during the performance phase of the audit”.

Chapter Overview
Basically, auditors rock.  They save the world from all sorts of nasty things and really should be considered superheroes.  Good career choice.  One thing though... you always have to wear a suit and tie, use “professional” humor, and impress your clients.  And if you ever pirate software or certain CISA training books, ninjas will hunt you down and kill you.  Great start to the book, huh?

Policies - High level, general, issued by someone high in the company and are mandatory
Standards - Mid level, more specific than policies.  One policy may have several supporting standards.  Also mandatory.
Guidelines - General guidelines, intended for advice when there is no policy or standard around a certain subject.  Discretionary.
Procedures - Step by step guide for doing a certain task.  Mandatory.

Members and ISACA certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities, which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed; revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.
Failure to comply with this Code of Professional Ethics can result in an investigation into a member's, and/or certification holder's conduct and, ultimately, in disciplinary measures.

Know the code of ethics.  You can see a FAQ here.  Don’t do anything stupid to get yourself in trouble.

Types of Audits
For a slightly different list, see here.

Internal audits - carried out by the same organization that is being audited.  Not independent, so of limited use.  Sometimes also called an assessment.
External audits - This is usually a customer auditing a company, or a company auditing a supplier.  Usually contract motivated, to make sure things are being done as agreed.
Independent audits - As the name says, these are independent, performed by someone with no relationship to the company, someone who won't be biased.

Those are the general types of audits, there are also different audit objectives that can fit into each type of audit.  Here are some examples:

Product audit - Compare the finished product to what was originally designed.  Most often thought of in terms of a physical product, but it can apply to software systems as well.
Process audits - Examine a process to decide if it is accomplishing the stated objective, and identify opportunities for increased efficiency.
System audits - Big one.  System configuration, controls, monitoring, change control, authentication, authorization, maintenance, etc.
Financial audit - Another big one.  Checking of accounting procedures, records, balances, etc.
Operational audit - SAS-70.  Operational effectiveness and efficiency.
Integrated audit - SAS-94.  Combined operational and financial audit.
Compliance audit - To verify compliance with a set standard or regulation.  SOX and PCI are common.
Administrative audit - Mostly about documentation of policies and procedures.
Information systems certification - Testing against a standard reference.

There are 2 categories of roles, audit and non-audit.  Audit roles are auditor and auditee.  The non-audit role is the client, which may be the company being audited.

It is important that as an auditor you maintain independence from what you are auditing.  Basically, independence means that you are not personally involved in what you are auditing, and that you won’t be biased to report anything more or less favorably than the evidence suggests.

Auditing Standards

There are quite a few standards, including the following:

American Institute of Certified Public Accountants (AICPA) and International Federation of Accountants (IFAC).
Financial Accounting Standards Board (FASB) with Statement on Auditing Standards (SAS), standards 1 through 114, which are referenced and applied by the AICPA and IFAC.
Generally Accepted Accounting Principles (GAAP).
Committee of Sponsoring Organizations of the Treadway Commission (COSO), providing the COSO internal control framework that is the basis for standards used in global commerce. COSO is the parent for the standards used by governments around the world.
Public Company Accounting Oversight Board (PCAOB) of the Securities and Exchange Commission, issuing audit standards AS-1, AS-2, AS-3, AS-4, and AS-5. PCAOB is the standards body for Sarbanes-Oxley, including the international implementation by the Japanese government and European Union (US-SOX, J-SOX and E-SOX).
Organization for Economic Cooperation and Development (OECD), providing guidelines for participating countries to promote standardization in multinational business for world trade.
International Organization for Standardization (ISO), which represents participation from more than member governments.
U.S. National Institute of Standards and Technology (NIST), providing a foundation of modern IS standards used worldwide. When combined with British Standards/ISO (BS/ISO), you get a wonderful amount of useful guidance.
U.S. Federal Information Security Management Act (FISMA), which specifies minimum security compliance standards for all systems relied on by the government, including the military and those systems operated by government contractors. (The U.S. government is the world’s largest customer.)
IS Audit and Control Association (ISACA) and IT Governance Institute (ITGI) issue the Control OBjectives for IT (CObIT) guidelines, which are derived from COSO with a more specific emphasis on information systems.
Basel Accord Standard II (Basel II), governing risk reduction in banking.

The 16 Standards are:

S1 Audit Charter - The audit charter authorizes the scope of the audit and grants you responsibility, authority, and accountability during the audit.

S2 Independence - Every auditor is expected to demonstrate professional and organizational independence, like we talked about earlier.

S3 Professional Ethics and Standards of Conduct - The auditor must act in a manner that denotes professionalism and respect.

S4 Professional Competence - The auditor must have the necessary skills to perform the audit. Continuing education is required to improve and maintain skills.

S5 Planning - Successful audits are the result of advance preparation. Proper planning is necessary to ensure that the audit will fulfill the intended objectives.

S6 Performance of Audit Work - This standard provides guidance to ensure that the auditor has proper supervision, gains the correct evidence to form conclusions, and creates the required documentation of the audit.

S7 Audit Reporting - The auditor report contains several required statements and legal disclosures. This standard provides guidance concerning the contents of the auditor’s report.

S8 Follow-up Activities - The follow-up activities include determining whether management has taken action on the auditor’s recommendations in a timely manner.

S9 Irregularities and Illegal Acts - This standard outlines how to handle the discovery of irregularities and illegal acts involving the auditee.

S10 IT Governance - This standard covers the authority, direction, and control of the information technology function. Technology is now pervasive in all areas of business. Is the auditee properly managing IT to meet their needs?

S11 Use of Risk Analysis in Audit Planning - This standard provides guidance for implementing a risk-based approach in audit planning. Risk planning is used to determine whether an audit is possible. Auditors always weigh their level of competency to conduct the audit. Audit plans should be structured for the maximum return on investment when designing specific audits, aka impact for the dollar spent.

S12 Audit Materiality - Auditors must use evidence that portrays the most accurate story. The absence of controls or a potential weakness may cumulatively result in unacceptable risk to the organization. Ineffective controls, absence of controls, and control deficiencies should be disclosed in the audit report.

S13 Using the Work of Other People - It’s impossible for the auditor to perform all the work alone. The work of other experts may be included in the audit, provided the auditor is satisfied with their competencies, relevant experience, professional qualifications, independence, and quality control. A scope limitation may be required in the final audit opinion if the other experts do not provide appropriate and sufficient evidence. An expert working in the same area as the one being audited should not be relied on.

S14 Proper Audit Evidence - Appropriate evidence includes the written procedures performed by the auditor, source documents, corroborating records, samples, and corresponding test results. Reliable evidence is based on its source, natural state, and authenticity. Audit evidence must be specifically identified, cataloged, and cross-referenced in the audit documentation, via auditor notes and working papers.

S15 Effective IT Controls - Working IT controls represent an integral foundation in the organization’s overall internal control environment. IS auditors should monitor and evaluate the effect or absence of IT controls. It’s necessary to help management understand the IT controls’ design, implementation, and methods of improvement. The level of effective controls provided by outsourcing, or their absence, may help or hurt the organization.

S16 Electronic Commerce Controls - E-commerce allows the business to conduct electronic transactions with other businesses and directly with consumers over the public Internet. E-commerce requires the auditor to implement risk-based audit plans with data-gathering techniques for continuous assurance regarding the security and integrity of the environment. This only applies to the public Internet, not to private networks between various companies.

Thursday, July 29, 2010

CISA preparation and pre-test

So I recently started a new job, and one of the requirements is to get your CISA certification within the first year.  Luckily they pay for it, so I don’t have to worry about that part.  I’ll be heading off to a CISA bootcamp in December, but decided that I want to study for it beforehand as well.  I’ve been studying for the CISSP, but I’ll put that on hold for now and focus on the CISA since it is required.

I think overall the CISSP will help me out more, but whatever.  The CISA is the certification these guys decided they want everyone to have, so that's the one I’ll get first.

I’m studying from a book, the CISA Certified Information Systems Auditor Study Guide that I got off Amazon.  I took the pretest today, and here are the results:

Correct: 45
Incorrect: 35
% correct: 56.25%

The incorrect by Chapter results are:


And the list of chapters are:

Chapter 1    Secrets of a Successful IS Auditor
Chapter 2    Audit Process
Chapter 3    IT Governance
Chapter 4    Networking Technology
Chapter 5    Life Cycle Management
Chapter 6    IT Service Delivery
Chapter 7    Information Asset Protection
Chapter 8    Disaster Recovery and Business Continuity

As you can see, I’ve got some studying to do in order to pass.  I’m not too worried though, I actually did better on the pretest than I thought I would.  I’m not an auditor (as you can see), so those chapters will probably have the most new material for me.


As far as schedule goes, right now I’m thinking that I can probably read a chapter a week, which will put me finishing the book by the end of September, leaving plenty of extra time before December to review, attend the bootcamp and take the test.  I’ll be updating my progress here, along with chapter notes, tips, tricks and other useful bits that I find along the way.  If any recent CISAs out there have anything to share as well, feel free to shout out in the comments!

Tuesday, December 1, 2009

Google Wave

I know it has been forever since I have posted here, maybe it has something to do with having a new baby boy :-)  Hopefully I should have some more time in the near future.  Anyways, for those faithful readers out there, I have 5 Google Wave invites to give out!  The first 5 people to leave comments on this post with an email address to send the invite to will get ’em!  Merry Early Christmas :-)

Friday, December 19, 2008

End of RIAA Lawsuits (For a week at least)

Today there was some surprising news revealed by the RIAA. The RIAA has been involved for a long time in a public relations disaster, suing people that pirate and share the music of their artists. Protecting copyright is not necessarily a bad thing, but the RIAA really botched the whole process. From suing dead people to 10 year olds, to people who didn't even own a computer, they really have done a bad job. Today they announced that they would (finally) stop prosecuting individual file-sharers. At first when I saw the headlines, I expected (foolishly) an accompanying announcement about a rollout of a new, relevant, online store to purchase music at a reasonable price, or otherwise rearrange its business model to join the 21st century. Nope.

Instead what they are doing is outsourcing the bullying to the ISP. Not exactly the huge step forward that I was hoping for. But, at least it is change. And with a system as flawed as the RIAA, any change is good change. One of the best comments I've read about the change is included here:

Funny. Nowhere in the article did I see the RIAA:

1) Promoting better artists to make CDs with more than one good song
2) Trimming production costs to lower music prices
3) Increasing support for music format options (OGGs, AACs, etc...)
4) Increasing music licensing options (transferal from person to person, etc...)
5) Improved CD and online music libraries
6) Enforcing music source (i.e. iTunes) and music player (i.e. Zune) interoperability

I'm just sayin'... -

For those interested in finding out more about the ins and outs of the RIAA's new stance, see the excellent post here at torrentfreak.

And one more awesome quote to finish things off:

RIAA is like the doctor in medical dramas who just won't stop trying to revive the patient and eventually has to be pulled off the corpse. - DarthWader (Lifehacker)

Merry Christmas everyone!

Note: Image above courtesy of Engadget

Friday, June 27, 2008

Hard Drive Backup

Here I will be testing some applications to make an image of your hard drive. Images are basically a snapshot of all the data on the hard drive, so that if something gets messed up down the road, you can simply restore the image and everything will be just like when you created the image. I just finished school, so I decided it was time to reinstall XP and test several image programs to see which would be the best choice for me.

The test environment consists of two computers. The first is a Dell Latitude D620 that I just reinstalled Windows XP Pro on, along with the following programs that I want to have whenever I restore the image:

MS Office 2007
Firefox 3 with Greasemonkey and Adblock Plus

XP and the above programs used up about 6 GB of the 60 GB hard drive. The second system is my desktop, which will actually be running the imaging programs. It's a quad-core with 4 GB of RAM and a 500 GB hard drive, also running XP Pro. I don't think that the speed of the desktop really affects the speed of creating images, but I could be wrong there. Note that you do not actually need two computers to run many of these programs; I just found it easier to take my laptop drive out and stick it into an external enclosure instead of messing with the options to get it working some other way.

There are literally tons of programs that create images of your hard drive, so I decided to narrow down my selection some. I wanted something that would create a complete image, and put that on a different drive (not on a separate partition, but on a completely different physical drive). Because this is much easier in Windows, I also only looked at programs that run in Windows. This means no bootable CDs. I know that they are great, but I won't be reviewing any of those in this post. Possibly in another one though :-)

Free Programs

Macrium Reflect - Free Edition

Macrium is a solid product that has both free and pro flavors. I chose the free version to test, which has all the features I need anyway. The pro version includes options for incremental and differential image backups, but I prefer to do a fresh full backup whenever I need to update. The fact that there is a paid version as well as a free one has some positive aspects: it is much more likely that Macrium will still be around in a couple of years so that you can restore the image you make if you don't keep the program installed on your computer. Some freeware can get abandoned without notice, leaving you up a creek if you don't have the original program still around. Macrium is a good product, with creation times just a bit longer than Acronis, but still not long at all.

Something I especially liked about Macrium is that it offers some user-friendly options that none of the other products I tested had. The first was the option to validate the restore operation after it finished, which is nice. Restore operations should always work, but they can't be perfect, so it's a good practice to validate them. The other option that I really liked is that after validating, you can use Macrium to set the hard drive to run check disk the next time it is booted up. This is a simple thing to do by yourself, but it's great that Macrium has the option to automatically set it if you want.

Image creation time: 4:47
Image size: 3.31 GB
Image restore time: 4:22

SelfImage v1.2

SelfImage is the very first imaging program I used, a couple of years ago. Unfortunately, that seems to be the last time it was updated as well. The current version was released in 2005, and there haven't been any updates since. It is, however, open source, so if anyone wants to download the source code and crank out some updates, that would be great. Let me know if there are any newer versions, and I'll check them out.

I had a soft spot for SelfImage just because it's been around for a long time, but unfortunately it turned out to be one of the worst programs that I tested. It seems that instead of checking which sections of the hard drive are in use, it backs up the entire disk, even if most of it is empty. This leads to much longer create and restore times, as well as larger file sizes. It is open source though, and that's a plus.

Image creation time: 38:37
Image size: 11 GB
Image restore time: **Unable to test this part, see the end of the post for full details

DriveImage XML

DriveImage XML was probably the biggest disappointment out of all the programs that I tested. I first read about it over at Lifehacker, and most of the people there said it was just amazing. So I tried it out with very high hopes, which was not the best idea. It took as long as SelfImage to restore and back up, which is something that is hard for me to grasp. SelfImage was made in 2005, so it is understandable that it would be slow. What's the excuse here?

It's not all bad though, DriveImage does have some nice options, including "hot imaging" a drive. Basically this means making a backup of your drive while you are using it. I did not try this option, but I imagine that it would take a little bit longer, but not be as intrusive since it would be doing all the copying in the background. It also has a big plus in the fact that it is not proprietary at all. It gives you 2 files when the backup is done, a .dat which contains all the data, and a .xml which is a map of the data. So if something were to happen to the program, you should still be able to use the .xml file to search the .dat file and restore what you need.

Image creation time: 38:21 (yes, the screenshot shows 31:38, but after that it creates the .xml file, which takes extra time)
Image size: 6.93 GB
Image restore time: 59:22

Commercial Programs

Acronis True Image Home v.11

The first program that I tested was Acronis True Image Home v.11. I had heard many good things about Acronis, so it was first on my list. It has a good user interface, allowing many options without making things too confusing. It was also the fastest program I tested, and had the smallest final image size, which are two very important things. The major downside to Acronis is that it is not free. When I checked, the price was around $50. Not too expensive for a good backup solution, but fifty bucks is a lot more than free.

Another option that I love about Acronis is that in addition to being able to back up to an external drive, it also has the option to create a hidden partition and store the backup there. This is not that exciting by itself; the really cool part is that it can be set up to show an option at boot time to restore the image in this 'secure zone'. You can do the same thing with some Linux live CDs, but I personally would rather stay in Windows. Anyways, Acronis is a very solid program.

Image creation time: 3:28
Image size: 3.25 GB
Image restore time: 2:59

Norton Ghost

Norton Ghost is one of the original disk imaging programs. Ghost is a program that comes loaded with a ton of features and options. Ghost has typically been used in big companies, which means it has many features that are very powerful, but won't really be used by home users. All the extra options jack up the price as well, with a single license costing $70. Norton is part of Symantec, so if you happen to use antivirus by them, Ghost will automatically be added to the Symantec LiveUpdate tool.

I am biased against pretty much all things Norton, so while Ghost does a good job scheduling and performing backups, I personally don't like it very much. It auto loads a tray icon on Windows startup, and there is no easy way to get rid of it. It also pops up notices for every little thing. From the stats below you can see that the time it takes is very low, and it also provides a small sized backup file. However, I just don't like it. It does have some advanced options that I would never use, but others might love. There is a way to manage different backup schedules on different computers from a central console. If you have more than a few computers in your house, this could be a big time saver. Otherwise, the high price and annoying notifications would steer me away from this product.

Image creation time: 3:29
Image size: 3.47 GB
Image restore time: 6:55


Overall, it was pretty fun to test out all of these different backup programs and run them through their paces. On the freeware side, Macrium is the product that I chose to use, because it has the speed and size of the commercial products while still being free. If I did decide to pay out some money, I'd choose Acronis for its ease of use and the ability to restore an image at boot with a simple key press.

On a side note, you can see that I was unable to finish testing SelfImage... The reason why is that during the process of restoring and testing images, as I was taking my laptop hard drive out of the external enclosure to put back in my laptop and test, I accidentally tripped on some cords and the drive came crashing down. Of course this caused some sectors to go bad on the drive, thus preventing me from writing data back to those sectors. So, backing up your hard drive to an external one has dangers of its own, especially if you are clumsy ;-) Although, there is a positive outcome to this: I now have a subject for my next post - How to fix bad sectors on a hard drive.

If you have any comments or want to see some other imaging programs tested once I have my HD fixed, let me know in the comments!