Abbasi Mirza (AB)’s CISA Study Notes

AB  is a qualified Chartered Accountant from ICAI and also having prestigious qualifications such as CFE and CISA. Through his wide  experience and positive attitude he has been instrumental and mentor for many cisa aspirants to get CISA certification. We can reach him at

‘AB’ as we lovingly call Abbasi Mirza shares his success quote:

“Success comes to those who never stop dreaming…. Life is rocking, until you keep yourself joking….”

We know CISA is not an easy job. We can see high level of dedication, efforts and hard work that AB has gone through for creating below notes for CISA studies. We truly appreciate this gentleman who willingly shared all his easy to understand notes for our benefits.

1) Prototyping

It often has poor internal controls because the focus is primarily on functionality, not on security. Prototype systems can provide significant time and cost savings through better user interaction and the ability to rapidly adapt to changing requirements.

However, they also have several disadvantages, including

  • loss of overall security focus,
  • Project oversight and implementation of a prototype that is not yet ready for production.
  • Change control becomes much more complicated with prototyping.
  • Prototyping often leads to functions or extras being added to the system that were not originally intended.

2) Once the business process is identified, the IS auditor should first identify the control objectives and activities associated with the business process that should be validated in the audit.

3) Detection risk is directly affected by the IS auditor’s selection of audit procedures and techniques. Detection risk is the risk that a review will not detect or notice a material issue.

4) Control risk is the risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. Control risk can be mitigated by the actions of the company’s management.

5) Business risk is a probable situation with uncertain frequency and magnitude of loss (or gain). Business risk is usually not directly affected by an IS auditor.

6) If inherent and control risk are high, additional testing would be required.

7) Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.

8) Reducing the scope and focusing on auditing high-risk areas is the best course of action in case of resource constrains.

9) A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor should gain assurance that the incidents reported are related to deficiencies in the change management process and not caused by some process other than change management.

10) Nonrepudiation services provide evidence that a specific action occurred. Nonrepudiation services are similar to their weaker proof counterparts, i.e., proof of submission, proof of delivery and message origin authentication. However, nonrepudiation provides stronger evidence because the proof can be demonstrated to a third party. Digital signatures are used to provide nonrepudiation.

11) The PRIMARY goal of a web site certificate is: authentication of the web site that will be surfed.

12) Secure Sockets Layer (SSL) uses a symmetric key for message encryption.

13) A message authentication code (MAC) is used for ensuring data integrity.

14) Hash function is used for generating a message digest which can provide message integrity; it is not used for message encryption.

15) Digital signature certificates are used by SSL for server authentication.

16) Two-factor authentication control is a combination of two of any three authentication factors, i.e., “what the user knows,” “what the user has” and “what the user is.” Password and token is a combination of two factors of authentication because a password is “what the user knows” and a token is “what the user has,” a user-registered device on which he/she receives one-time passwords valid for a short period.

17) Providing security awareness training is the best method to mitigate the risk of disclosing confidential information on social networking sites. It is important to remember that users may access these services through other means such as mobile phones and home computers; therefore, awareness training is most critical.

18) In double-blind testing, the penetration tester has little or limited knowledge about the target system, and personnel at the target site have not been informed that a test is being performed. Because the administrator and security staff at the target are not aware of the test, it can effectively evaluate the incident handling and response capability of the system administrator.

19) Deriving lower level policies from corporate policies (a top-down approach) aids in ensuring consistency across the organization and consistency with other policies.

20) Identification of the assets to be protected is the first step in the development of a risk management program.

21) The most important metric is the extent to which the key goal indicators (KGIs) are aligned with specific goals that are relevant and meaningful to the organization.

22) Critical success factors (CSFs) are important considerations for determining that a goal is being achieved, but are not metrics in themselves.

23) The BIA provides an important input into business continuity planning, but not a framework for effective disaster recovery planning (DRP).

24) A BIA helps one understand the cost of an interruption and identifies which applications and processes are most critical to the continued functioning of the organization.

25) Three main accuracy measures are used for a biometric solution:

  • FRR is a measure of how often valid individuals are rejected.
  • FAR is a measure of how often invalid individuals are accepted.
  • CER is a measure of when the FRR = FAR.

26) The EER of a biometric system denotes the percent at which the false-acceptance rate (FAR) is equal to the false-rejection rate (FRR). The biometric that has the lowest EER is the most effective.

27) False-acceptance rate (FAR) is the frequency of accepting an unauthorized person as authorized, thereby granting access when it should be denied. In an organization with high security requirements, limiting the number of false acceptance is more important that the impact on the false reject rate.

28) Quality of the metadata is the most important element in the design of a data warehouse.

A data warehouse is a copy of transaction data specifically structured for query and analysis. Metadata describes the data in the warehouse and aims to provide a table of contents to the stored information.

Companies that have built warehouses believe that metadata are the most important component of the warehouse.

29) A software baseline is the cutoff point in the design and development of a system.

Beyond this point, additional requirements or modifications to the scope must go through formal, strict procedures for approval based on a business cost-benefit analysis.

Failure to adequately manage a system through baselining can result in uncontrolled changes in a project’s scope and may incur time and budget overruns.

30) Web services facilitate the interoperable exchange of information between two systems regardless of the operating system or programming language used.

31) Determining the deliverables and time lines of a project are a part of the early project planning work.

32) Alternative routing is a method of routing information via an alternate medium such as copper cable or fiber optics. This involves the use of different networks, circuits or end points should the normal network be unavailable.

33) Diverse routing routes traffic through split-cable facilities or duplicate-cable facilities. This can be accomplished with different and/or duplicate cable sheaths (cover).

If different cable sheaths are used, the cable may be in the same conduit (channel) and, therefore, subject to the same interruptions as the cable it is backing up.

The communication service subscriber can duplicate the facilities by having alternate routes, although the entrance to and from the customer premises may be in the same conduit.

The subscriber can obtain diverse routing and alternate routing from the local carrier, including dual-entrance facilities. This type of access is time consuming and costly.

34) Long-haul network diversity – It is a diverse, long-distance network utilizing different packet switching circuits among the major long-distance carriers. It ensures long-distance access should any carrier experience a network failure.

35) Last-mile circuit protection – It is a redundant combination of local carrier T-1s (E-1s in Europe), microwave and/or coaxial cable access to the local communications loop.

This enables the facility to have access during a local carrier communication disaster.

Alternate local-carrier routing is also utilized.

36) Internet Protocol Security (IPSec) works on two basic packet componentsencapsulated security payload (ESP) and authentication header (AH).

ESP encrypts the data and stores them in an encapsulated security payload packet component for data protection.

37) The annual loss expectancy (ALE) of critical business assets and processes is determined during risk assessment and will be reviewed in the BIA, but this is not the primary advantage.

38) The incident response plan (IRP) determines the information security responses to incidents such as cyberattack on systems and/or networks. This plan establishes procedures to enable security personnel to identify, mitigate and recover from malicious computer incidents such as unauthorized access to a system or data, denial of service (DoS) or unauthorized changes to system hardware or software.

39) Functionality is the set of attributes that bears on the existence of a set of functions and their specified properties. The functionality of a system represents the tasks, operations and purpose of the system in achieving its objective (i.e., supporting a business requirement).

40) Portability – The ability of the software to be transferred from one environment to another refers to portability.

41) Reliability – The capability of software to maintain its level of performance under stated conditions refers to reliability.

42) Efficiency- The relationship between the performance of the software and the amount of resources used refers to efficiency.

43) The use of unshielded twisted-pair (UTP) in copper will reduce the likelihood of crosstalk.

While the twisted nature of the media will reduce sensitivity to electromagnetic disturbances, an unshielded copper wire does not provide adequate protection against wiretapping.

Attenuation (weakening/reducing) sets in if copper twisted-pair cable is used for longer than 100 meters, necessitating the use of a repeater.

The tools and techniques to install UTP are not simpler or easier than other copper-based cables.

44) Data flow diagrams are used as aids to graph or chart data flow and storage. They trace data from their origination to destination, highlighting the paths and storage of data.

45) A circuit gateway firewall is able to prevent paths or circuits, not applications, from entering the organization’s network.

46) An application gateway firewall (Most effective) is effective in preventing applications such as File Transfer Protocols (FTPs) from entering the organization’s network.

47) A packet filter firewall or screening router will allow or prevent access based on IP packets/address.

48) A screening router is not able to effectively control application level security.

49) Before communicating the results of an audit to senior management, the IS auditor should discuss the findings with the auditee’s. The goal of such a discussion is to confirm the accuracy of the findings and to propose or recommend a course of corrective action.

50) A screened subnet firewall would provide the best protection.

The screening router can be a commercial router or a node with routing capabilities and the ability to allow or avoid traffic between nets or nodes based on addresses, ports, protocols, interfaces, etc.

The subnet would isolate Internet-based traffic from the rest of the corporate network. AB Special_

51) Application-level gateways are mediators between two entities that want to communicate, also known as proxy gateways.

The application level (proxy) works at the application level, not just at a packet level.

This would be the best solution to protect an application but not a network.

52) A packet filtering router examines the header of every packet or data traveling between the Internet and the corporate network. This is a low-level control.

53) A circuit level gateway, such as a Socket Secure (SOCKS) server, will protect users by acting as a proxy, but is not the best defense for a network.

54) Library control software should be used to separate test from production libraries in mainframe and/or client server environments.

The main objective of library control software is to provide assurance that program changes have been authorized.

Library control software provides reasonable assurance that the source code and executable code are matched at the time a source code is moved to production.

55) Ideally, the board of directors should approve the plan to ensure acceptability, but it is possible to delegate approval authority to the chief information officer (CIO). Pragmatically, lack of documenting test results could have more significant consequences.

56) Secure Sockets Layer (SSL) generates a session key used to encrypt/decrypt the transmitted data, thus ensuring its confidentiality.

Although SSL allows the exchange of X509 certificates to provide for identification and authentication, this feature is not the primary objective.

SSL provides message integrity through the use of hash functions, but the primary objective is to enable secure, confidential communications.

57) The Session Key is used for encrypting the data to be transmitted, but not for identification.

58) Data diddling involves changing data before they are entered into the computer. It is one of the most common abuses because it requires limited technical knowledge and occurs before computer security can protect the data. There are only compensating controls for data diddling.

59) Earned value analysis (EVA) is an industry standard method for measuring a project’s progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project proceeds. It compares the planned amount of work with what has actually been completed to determine if the cost, schedule and work accomplished are progressing in accordance with the plan. EVA works most effectively if a well-formed work breakdown structure exists.

60) CSA is the review of business objectives and internal controls in a formal and documented collaborative process. It includes testing the design of automated application controls.

61) Nonrepudiation, achieved through the use of digital signatures, prevents the senders from later denying that they generated and sent the message.

62) A project sponsor is typically the senior manager in charge of the primary business unit that the application will support.

The sponsor provides funding for the project and works closely with the project manager to define the critical success factors or metrics for the project.

The project sponsor is not responsible for reviewing the progress of the project.

63) A project steering committee that provides an overall direction for the enterprise resource planning (ERP) implementation project is responsible for reviewing the project’s progress to ensure that it will deliver the expected results.

64) To ensure the effectiveness of controls, it is most effective to conduct re-performance. When the same result is obtained after the performance by an independent person, this provides the strongest assurance.

65) The restore window is the amount of time taken to recover the data. Because these are compliance-related backup data and are not being used for production, this is less critical than reliability.

66) A warm site would have adequate telecommunications capability. A warm site would have adequate heating, ventilation and air conditioning (HVAC) equipment.

67) Blind testing is also known as black-box testing.

This refers to a test where the penetration tester is not given any information and is forced to rely on publicly available information. This test simulates a real attack, except that the target organization is aware of the test being conducted.

68) Targeted testing is also known as white-box testing.

This refers to a test where the penetration tester is provided with information and the target organization is also aware of the testing activities. In some cases, the tester is also provided with a limited-privilege account to be used as a starting point.

69) Double-blind testing is also known as zero-knowledge testing.

This refers to a test where the penetration tester is not given any information and the target organization is not given any warningboth parties are “blind” to the test.

This is the best scenario for testing response capability because the target will react as if the attack were real.

70) External testing refers to a test where an external penetration tester launches attacks on the target’s network perimeter from outside the target network (typically from the Internet).

71) Database integrity checks are important to ensure database consistency and accuracy. These include isolation, concurrency and durability controls.

72) Atomicity—the requirement for transactions to complete entirely and commit or else roll back to the last known good point.

73) Database commits ensure that the data are saved after the transaction processing is completed.

74) Rollback ensures that the processing that has been partially completed as part of the transaction is reversed back and not saved, if the entire transaction does not complete successfully.

75) A voltage regulator protects against short-term power fluctuations.

76) The most effective method of rendering data irrecoverable is physical destruction of the storage media. Running a low-level data wipe utility may leave some residual data that could be recovered. Erasing data directories is easily reversed, exposing all data on the drive to unauthorized individuals.

77) Spyware is a program that picks up information from PC drives by making copies of their contents.

78) Trojan horses are malicious or damaging code hidden within an authorized computer program. Hackers use Trojans to coordinate distributed denial-of-service (DDoS) attacks that overload a site so that it may no longer be able to process legitimate requests.

79) Any weakness noticed should be reported, even if it is outside the scope of the current audit. Weaknesses identified during the course of an application software review need to be reported to management.

80) To ensure synchronization and protection of the source and object, the source code should be moved first into an access-protected library before compiling.

The best control would be provided by having the production control group copy the source program to the production libraries and then compile the program. This would ensure synchronization of the source and object code.

81) Function point analysis (FPA) is a technique for determining the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries and logical internal files. While this will help determine the size of individual activities, it will not assist in determining project duration because there are many overlapping tasks.

82) A program evaluation review technique (PERT) chart will help determine project duration once all the activities and the work involved with those activities are known.

83) A critical path’s activity time is longer than that for any other path through the network. This path is important because if everything goes as scheduled, its length gives the shortest possible completion time for the overall project.

Activities on the critical path become candidates for crashing, i.e., for reduction in their time by payment of a premium for early completion.

Activities on the critical path have zero slack time and conversely, activities with zero slack time are on a critical path.

By successively relaxing activities on a critical path, a curve showing total project costs vs. time can be obtained.

84) The basis for an expert system is the capture and recording of the knowledge and experience of individuals in an organization. This will allow other users to access information formerly held only by experts.

85) Replay Attack: Residual biometric characteristics, such as fingerprints left on a biometric capture device, may be reused by an attacker to gain unauthorized access.

86) In a mimic attack, the attacker reproduces characteristics similar to those of the enrolled user, such as forging a signature or imitating a voice.

87) A nonce (coined for one occasion) is defined as a “parameter that changes over time” and is similar to a number generated to authenticate one specific user session. Nonce are not related to database security (they are commonly used in encryption schemes).

88) The top-down approach testing ensures that interface errors are detected early and that testing of major functions is conducted early.

89) Organizational independence is to be checked before start of any engagement.

Professional independence is to be checked during the engagement.

90) Online monitors measure telecommunication transmissions and determine whether transmissions were accurate and complete.

91) Protocol analyzers are network diagnostic tools that monitor and record network information from packets traveling in the link to which the analyzer is attached.

92) A SaaS provider does not normally have onsite support for the organization.

Therefore, incident handling procedures between the organization and its provider are critical for the detection, communication and resolution of incidents, including effective lines of communication and escalation processes.

93) A War driving attack uses a wireless Ethernet card, set in promiscuous (loose) mode, and a powerful antenna to penetrate wireless systems from outside.

94) Continuous audit allows audit and response to audit issues in a timely manner because audit findings are gathered in near real time.

95) An IT balanced scorecard (BSC) provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate.

96) Business process reengineering (BPR) is an excellent tool to review and improve business processes, but is not focused on aligning IT with organizational objectives.

97) The first action is to disconnect the web server from the network to secure the device for investigation, contain the damage and prevent more actions by the attacker.

Shutting down the server could potentially erase information that might be needed for a forensic investigation or to develop a strategy to prevent future similar attacks.

98) One of the key factor to be considered while assessing the information systems risk is the value of the systems (the assets) and the threats and vulnerabilities affecting the assets. The risk related to the use of information assets should be evaluated in isolation from the installed controls.

99) The three primary dimensions of a project are determined by the deliverables, the allocated resources and the delivery time.



2 thoughts on “Abbasi Mirza (AB)’s CISA Study Notes”

  1. Abbasi Mirza, I must say your notes are precise with needed pointers. Productive to the core, these are good enough review notes. Period.
    Thanks a lot.

Leave a Reply

Your email address will not be published.