Post on 06-Mar-2018
CISA® Prep Course, 28-30/3/2013
CISM® Prep Course, 1-3/4/2013
What you will learn:
• Introduction to the CISA & CISM Exam
• Overview of the content areas as determined by ISACA
• Determine the level of knowledge required for the content areas to meet the examination's expectations
• Particular topics which are popular exam questions
• Analyze the "philosophy" of the examinations' questions
• What the testing conditions will be, after having discussed "model" answers to sample questions
• Reference tools
Course Leader: Dr. Derek Oliver, CISA, CISM, CRISC, CFE, FBCS, FIAP
CISA Prep Course 24 hours
Day 1
Introduction to CISA: Approaching the CISA Examination
• Percentage of test questions and survey results
• Definition of content, tasks questions, model answers
Domain 1: The Process of Auditing Information Systems — Provide audit services in accordance with IT audit standards to assist the organization with protecting and controlling information systems.
• Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.
• Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
• Conduct audits in accordance with IT audit standards to achieve planned audit objectives.
• Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary.
• Conduct follow-ups or prepare status reports to ensure that appropriate actions have been taken by management in a timely manner.
Domain 2: Governance and Management of IT — Provide assurance that the necessary leadership and organizational structures and processes are in place to achieve objectives and to support the organization's strategy.
• Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization's strategies and objectives.
• Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization's strategies and objectives.
• Evaluate the IT strategy, including the IT direction, and the processes for the strategy's development, approval, implementation and maintenance for alignment with the organization's strategies and objectives.
• Evaluate the organization's IT policies, standards, and procedures, and the processes for their development, approval, implementation, maintenance, and monitoring, to determine whether they support the IT strategy and comply with regulatory and legal requirements.
• Evaluate IT management and monitoring of controls (e.g., continuous monitoring, quality assurance [QA]) for compliance with the organization's policies, standards and procedures.
• Evaluate IT resource investment, use and allocation practices, including prioritization criteria, for alignment with the organization's strategies and objectives.
• Evaluate IT contracting strategies and policies, and contract management practices to determine whether they support the organization's strategies and objectives.
• Evaluate risk management practices to determine whether the organization's IT-related risks are properly managed.
• Evaluate monitoring and assurance practices to determine whether the board and executive management receive sufficient and timely information about IT performance.
• Evaluate the organization's business continuity plan to determine the organization's ability to continue essential business operations during the period of an IT disruption.
Day 2
Domain 3: Information Systems Acquisition, Development and Implementation — Provide assurance that the practices for the acquisition, development, testing, and implementation of information systems meet the organization's strategies and objectives.
• Evaluate the business case for proposed investments in information systems acquisition, development, maintenance and subsequent retirement to determine whether it meets business objectives.
• Evaluate the project management practices and controls to determine whether business requirements are achieved in a cost-effective manner while managing risks to the organization.
• Conduct reviews to determine whether a project is progressing in accordance with project plans, is adequately supported by documentation and status reporting is accurate.
AGENDA
• Evaluate controls for information systems during the requirements, acquisition, development and testing phases for compliance with the organization's policies, standards, procedures and applicable external requirements.
• Evaluate the readiness of information systems for implementation and migration into production to determine whether project deliverables, controls and the organization's requirements are met.
• Conduct post-implementation reviews of systems to determine whether project deliverables, controls and the organization's requirements are met.
Domain 4: Information Systems Operations, Maintenance and Support — Provide assurance that the processes for information systems operations, maintenance and support meet the organization's strategies and objectives.
• Conduct periodic reviews of information systems to determine whether they continue to meet the organization's objectives.
• Evaluate service level management practices to determine whether the level of service from internal and external service providers is defined and managed.
• Evaluate third-party management practices to determine whether the levels of controls expected by the organization are being adhered to by the provider.
• Evaluate operations and end-user procedures to determine whether scheduled and non-scheduled processes are managed to completion.
• Evaluate the use of capacity and performance monitoring tools and techniques to determine whether IT services meet the organization's objectives.
• Evaluate problem and incident management practices to determine whether incidents, problems or errors are recorded, analyzed and resolved in a timely manner.
• Evaluate change, configuration and release management practices to determine whether scheduled and non-scheduled changes made to the organization's production environment are adequately controlled and documented.
• Evaluate the adequacy of backup and restore provisions to determine the availability of information required to resume processing.
• Evaluate the organization's disaster recovery plan to determine whether it enables the recovery of IT processing capabilities in the event of a disaster.
Day 3
Domain 5: Protection of Information Assets — Provide assurance that the organization's security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets.
• Evaluate the information security policies, standards and procedures for completeness and alignment with generally accepted practices.
• Evaluate the design, implementation and monitoring of system and logical security controls to verify the confidentiality, integrity and availability of information.
• Evaluate the design, implementation and monitoring of the data classification processes and procedures for alignment with the organization's policies, standards, procedures and applicable external requirements.
• Evaluate the design, implementation and monitoring of physical access and environmental controls to determine whether information assets are adequately safeguarded.
• Evaluate the processes and procedures used to store, retrieve, transport and dispose of information assets (e.g., backup media, offsite storage, hard copy/print data and soft copy media) to determine whether information assets are adequately safeguarded.
The Anatomy of a CISA Question
• How CISA questions are written
• The process of writing the examination
• Question writer rules
• The best approach to the CISA exam
Our three-day seminar focuses on the essential areas covered in the new CISA exam, as designed and developed by the ISACA Certification Board. CISA is an exam that tests experience, and experience cannot be taught. However, this course, which is based upon ISACA's research project as evidenced by the CISA Syllabus, will give you specific guidelines for your study by providing an overview of the core knowledge bases included in the examination's 'Common Body of Knowledge'. Following each section, you will work through a series of sample questions to give you a "feel" for the format and the types of questions you will encounter.
Who should attend: Information Security Auditors, IT Administrators, Chief Information Security Officers, Risk Managers and compliance personnel; Executive and Operational Managers seeking an overall understanding of essential IT Audit management, risks and controls.
CISM Prep Course 24 hours
Our three-day preparation seminar covers the core knowledge areas included in the examination's "Common Body of Knowledge".
The course will help you discover possible areas of weakness in the subjects covered in the test and also enable you to become familiar with the testing conditions and the philosophy of the questions.
Who should attend: Information Security Managers and Administrators, Chief Information Security Officers, Risk Managers and compliance personnel; Executive and Operational Managers seeking an overall understanding of essential security management, risks and controls.
Day 1
Information Security Governance
• Develop the information security strategy in support of business strategy and direction.
• Obtain senior management commitment and support for information security throughout the enterprise.
• Ensure that definitions of roles and responsibilities throughout the enterprise include information security governance activities.
• Establish reporting and communication channels that support information security governance activities.
• Identify current and potential legal and regulatory issues affecting information security and assess their impact on the enterprise.
• Establish and maintain information security policies that support business goals and objectives.
• Ensure the development of procedures and guidelines that support information security policies.
• Develop business case and enterprise value analysis that support information security program(me) investments.
Risk Management and Compliance
• Develop a systematic, analytical, and continuous risk management process.
• Ensure that risk identification, analysis, and mitigation activities are integrated into life cycle processes.
• Apply risk identification and analysis methods.
• Define strategies and prioritize options to mitigate risk to levels acceptable to the enterprise.
• Report significant changes in risk to appropriate levels of management on both a periodic and event-driven basis.
Day 2
Information Security Program Management
• Create and maintain plans to implement the information security governance framework.
• Develop information security baseline(s).
• Develop procedures and guidelines to ensure business processes address information security risk.
• Develop procedures and guidelines for IT infrastructure activities to ensure compliance with information security policies.
• Integrate information security program requirements into the organization's life cycle activities.
• Develop methods of meeting information security policy requirements that recognize impact on end-users.
• Promote accountability by business process owners and other stakeholders in managing information security risks.
• Establish metrics to manage the information security governance framework.
• Ensure that internal and external resources for information security are identified, appropriated and managed.
Information Security Management
• Ensure that the rules of use for information systems comply with the enterprise's information security policies.
• Ensure that the administrative procedures for information systems comply with the enterprise's information security policies.
• Ensure that services provided by other enterprises, including outsourced providers, are consistent with established information security policies.
• Use metrics to measure, monitor, and report on the effectiveness and efficiency of information security controls and compliance with information security policies.
• Ensure that information security is not compromised throughout the change management process.
• Ensure that vulnerability assessments are performed to evaluate the effectiveness of existing controls.
• Ensure that non-compliance issues and other variances are resolved in a timely manner.
• Ensure the development and delivery of the activities that can influence culture and behaviour of staff, including information security education and awareness.
Day 3
Information Security Incident Management
• Develop and implement processes for detecting, identifying and analyzing security related events.
• Develop response and recovery plans, including organizing, training, and equipping the teams.
• Ensure periodic testing of the response and recovery plans where appropriate.
• Ensure the execution of response and recovery plans as required.
• Establish procedures for documenting an event as a basis for subsequent action, including forensics when necessary.
• Manage post-event reviews to identify causes and corrective actions.
The Anatomy of a CISM Question
• How CISM questions are written & evaluated
• The process of compiling the examination
• Question writer style "rules"
• The best approach to the CISM exam.
The CISA Examination
The exams consist of tasks that are routinely performed by a CISA and the required knowledge to perform these tasks.
You are given four hours to complete a 200 multiple-choice question exam that covers the following areas:
1. The Process of Auditing Information Systems (14%)
2. Governance and Management of IT (14%)
3. Information Systems Acquisition, Development and Implementation (19%)
4. Information Systems Operations, Maintenance and Support (23%)
5. Protection of Information Assets (30%)
The CISM Examination
The exams consist of tasks that are routinely performed by an Information Security Manager and the required knowledge to perform these tasks. A candidate is given four hours to complete a 200 multiple-choice question exam that covers the following areas:
1. Information Security Governance (24%)
2. Risk Management and Compliance (33%)
3. Information Security Program Development and Management (25%)
4. Information Security Incident Management (18%)
You can register on-line at www.isaca.org, provided you meet the above eligibility requirements for each certificate.
The exams are hosted at the Hellenic American Union's Conference Center. For more information on ISACA, you may also contact the ISACA Athens Chapter, Mr. Anestis Demopoulos, Tel: 210-2886041, or visit www.isaca.gr.
Course Leader
Dr Derek J. Oliver, CISA, CISM, CRISC, CFE, FBCS, FIAP, an Information Audit & Security specialist with over 25 years' experience. He is a Chartered Fellow of the British Computer Society, a Fellow of the Institute of IT Service Management and a Fellow of the Institute of Analysts & Programmers. In 1996 he was made a Freeman of the City of London. An MSc in information technology was followed by a PhD in Information Security Management and a DBA in Risk & Security Management. He is internationally regarded as an expert in Information Security and ISO 27001 and has spoken at international conferences and seminars from Oslo to Cape Town by way of Orlando and Canberra on various information security and audit topics.
He is past President of the Information Systems Audit & Control Association in London (ISACA), current member of the CISA Test Enhancement committee and a member of the Institute of Internal Auditors and the Information Systems Security Association. Having been a member of the ISACA Credentialing Task Force that created the CISM designation, he was appointed the founding Chair of the CISM Examination Enhancement Committee in 2004 and currently chairs the Working Party developing an international Business Model for Information Security (BMIS); in addition to this and his appointment as co-chair of the CobiT 5 Task Force he is a member of ISACA's Future Framework Committee. As a member of the CISA Certification Board he was jointly responsible for setting the annual, international CISA examination.
Following his early years in the "Travel Trade" with Thos. Cook and Trans World Airlines, and 15 years' service with H.M. Customs & Excise, Mr. Oliver became head of the UK internal audit team of First Data Corporation, the world's largest third-party processor of credit and debit transactions.
Since 1985 he has conducted both high-level and in-depth audit and security reviews across the information processing spectrum, including:
- ISO 17799 "Information Security Guidelines" compliance auditing & consultancy
- All aspects of LAN and WAN security from strategies through access control to infrastructure
- Physical security & risk analysis
- General Controls Reviews, including information security strategies & policies
- Physical and logical security penetration/invasion testing
- Disaster Recovery and Business Continuity, both auditing and plan development
- Various aspects of PC security including the use of illegal/pirate software
- PICK systems security, AS400 security
- IBM Mainframe security, specific application security and access control, including financial, stock control etc.
As a member of the BS 7799 working group in 1995/96, Derek was partly responsible for the development of the BS 7799 "Code of Practice for the Management of Information Security"; he has since given advice on implementing the Standards to banking and government organisations in Hungary, Slovakia and Slovenia. He also worked on the revised version, issued April 1999, and was a member of the c:cure (BS 7799 compliance certification scheme) steering group, which was directed by the Department of Trade and Industry. He has written several articles for various national and international magazines, including auditing software piracy, BS 7799 and the c:cure scheme, and physical security.
CISA & CISM Examinations 2013
Exam Date: 8 June 2013
Early Registration Date: 13 February 2013
Final Registration Date: 3 April 2013
Contact details:
Ms Eleni Tsirigoti, Tel: 210-3680907, Fax: 210-3633174, e-mail: etsirigoti@hau.gr
Ms Vasiliki Zafiri, Tel: 210-3680927, www.hau.gr/management