Shweta Rai’s CISA Study Notes

Shweta is a very well known member of the CISA WhatsApp group. She is the reason behind the success of many CISA achievers. Her notes are in much demand for the ease of language and simplicity of the concepts. I personally know some candidates who did not even purchase ISACA's database and solely relied on Shweta's question-answer sessions in the WhatsApp group and cleared CISA on the first attempt. We can reach shweta at

We are grateful to her for sharing her notes for our benefit:
(1)Audit role in governance of enterprise IT:

  • Audit plays a significant role in the successful implementation of IT governance within an organization
  • Reporting on IT governance involves auditing at the highest level in the organization and may cross division, function or departmental boundaries.
  • Oversight committees.

In accordance with the defined role of the IS auditor, the following aspects related to IT governance need to be assessed:

  • How enterprise governance and Governance of Enterprise IT are aligned
  • Alignment of the IS function with the organization’s mission, vision, values, objectives and strategies.
  • Achievement of performance objectives established by the business (e.g., effectiveness and efficiency of the IS functions)
  • Legal, environmental, information quality, fiduciary, security, and privacy requirements
  • The control environment of the organization
  • The inherent risk with the IS environment
  • IT investment/expenditure

(2)Separating Governance from Management

  • Governance ensures that stakeholder needs are achieved by setting direction and monitoring performance
  • Board of Directors under the leadership of Chairperson.
  • Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body.

(3)IT Governing Committees

  • The creation of an IT strategy committee is an industry best practice
  • The committee should broaden its scope to include not only advice on strategy when assisting the board in its IT governance responsibilities, but also a focus on IT value, risks and performance.

(4)IT Balanced Scorecard

  • A process management evaluation technique that can be applied to the IT governance process
  • Method goes beyond the traditional financial evaluation
  • One of the most effective means to aid the IT strategy committee and management in achieving IT and business alignment

Objective of IT BSC

  • To measure and evaluate performance of IT
  • To optimize the performance

What to measure   (CIA)

  • Customer satisfaction
  • Internal processes
  • Ability to innovate

How to measure

  • Key performance indicator to be defined before implementing IT BSC
  • These KPIs to be evaluated to measure the performance.

Effective Information security governance

  • To achieve effective information security governance, management must establish and maintain a framework to guide the development and management of a comprehensive information security program that supports business objectives.
  • This framework provides the basis for the development of a cost-effective information security program that supports the organization's business goals.

(5)Information security governance requires strategic direction and inputs from:

  • Boards of directors / senior management
  • Senior management
  • Information Security Steering committee
  • Chief information security officers

(6)Information Security Policy

  • Defines information security, overall objectives and scope
  • Is a statement of management intent
  • Is a framework for setting control objectives including risk management
  • Defines responsibilities for information security management.

(7)Acceptable Use Policy (AUP)

  • Defines a set of guidelines and/or rules to control how the organization's information system resources will be used
  • Other security policies might include 1)data classification, 2)acceptable use, 3) End-user computing, and 4) Access control
  • Know the different things to look for when you review the information security policy
  • Procedures are required and they are “step by step instructions”  <– that’s a hint!!!!!

Procedures are detailed documents that:

  • Document and define steps for achieving policy objectives
  • Must be derived from the parent policy
  • Must implement the spirit (intent) of the policy statement
  • Must be written in a clear and concise manner.

(8)Risk Management

The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives. The four risk responses are:

  • Avoid
  • Mitigate
  • Transfer
  • Accept

To develop a risk management program:

  • Establish the purpose of the risk management program
  • Assign responsibility for the risk management plan

(9)Risk Management Process

  • Identification and collection of relevant data to enable effective IT-related risk identification, analysis and reporting
  • Assess threats and vulnerabilities and likelihood of their occurrence
  • Once the elements of risk have been established they are combined to form an overall view of risk
  • Evaluate existing controls or design new controls to reduce the vulnerabilities to an acceptable level of residual risk

(10)Outsourcing practice and strategies

  • Contractual agreements under which an organization hands over control of part or all of the functions of the IS department to an external party.
  • Becoming increasingly important in many organizations
  • The IS auditor must be aware of the various forms outsourcing can take as well as the associated risks.
  • The IS auditor can assist an organization in moving IS functions offsite or offshore by ensuring that IS management considers the following:
  • Legal, regulatory and tax issues
  • Continuity of operations
  • Personnel
  • Telecommunication issues
  • Cross-border and cross-cultural issues
  • Accountability remains with the management of the client organization

(11)Segregation of Duties within IS

  • Avoids possibility of errors or misappropriation
  • Discourages fraudulent acts
  • Limits access to data
  • Control measures to enforce segregation of duties include:
  • Transaction authorization
  • Custody of assets
  • Access to data (1) authorization forms, 2) user authorization tables)

Compensating controls for lack of segregation of duties include:

  • Audit trails (Detective Control)
  • Reconciliation  (Detective Control)
  • Exception reporting (Detective Control)
  • Transaction logs (Detective Control)
  • Supervisory reviews(Detective Control)
  • Independent reviews  (Detective Control)

(12) Business Continuity Planning

Business continuity Planning is a process designed to reduce the organization’s business risk.  – BC

A BCP is much more than just a plan for the information systems.  –DR

Corporate risks could cause an organization to suffer:

  • Inability to maintain critical customer service
  • Damage to market share, reputation or brand
  • Failure to protect the company assets including intellectual properties and personnel.
  • Business control failure
  • Failure to meet legal or regulatory requirements

(13)Critical step in developing the business continuity plan

Three main questions to consider during the BIA phase:

  • What are the different business processes?
  • What are the critical information resources related to an organization's critical business processes?
  • What is the critical recovery time period for information resources in which business processing must be resumed before significant or unacceptable losses are suffered?

(14)Development of BCP

Factors to consider when developing the plans:

  • Pre-disaster readiness covering incident response management to address all relevant incidents affecting business processes
  • Evacuation procedures
  • Procedure for declaring a disaster (escalation procedures)
  • Circumstances under which a disaster should be declared
  • The clear identification of the responsibilities in the plan.
  • The clear identification of the person responsible for each function in the plan
  • The clear identification of contract information
  • The step-by-step explanation of the recovery process
  • The clear identification of the various resources required for recovery and continued operation of the organization.

(14)BCP Plan Testing

Schedule testing at a time that will minimize disruption to normal operations

Test must simulate actual processing conditions

Test execution:

Documentation of results

Results analysis

Recovery / continuity plan maintenance

(15)Process for developing and maintaining the BCP/DRP

Conduct risk assessment

Prepare Business Impact Analysis

Choose appropriate controls and measures for recovering IT components to support the CRITICAL BUSINESS PROCESS

Develop the detailed plan for recovering IS facilities (DRP).

Develop the detailed plan for the critical business functions to continue to operate at an acceptable level (BCP).

Test the plans

Maintain the plans as the business changes and systems develop.

(16) Auditing Business Continuity

Review the BCP

Review the test results, we’re assuming they tested the BCP of course and they should have documented “Lessons Learned”  <–  Another hint, ISACA likes this term

Understand and evaluate business continuity strategy

Evaluate plans for accuracy and adequacy

Verify plan effectiveness

Evaluate offsite storage

Evaluate ability of IS and user personnel to respond effectively

Ensure plan maintenance is in place

Evaluate readability of business continuity manuals and procedures.

(17)Reviewing Alternative Processing

An IS auditor should obtain a copy of the contract with the vendor

The contract should be reviewed against a number of guidelines

  • Contract is clear and understandable
  • Organization’s agreement with the rules

Reviewing Insurance Coverage

Insurance coverage must reflect actual cost of recovery

Coverage of the following must be reviewed for adequacy

  • Media damage
  • Business interruption
  • Equipment replacement
  • Business continuity processing

(18)When the IS auditor audits the IT function, some of the more significant indicators of potential problems include:

  • Unfavorable end-user attitudes
  • Excessive costs
  • Budget overruns
  • Late projects
  • High staff turnover
  • Inexperienced staff
  • Frequent HW/SW errors
  • An excessive backlog of user requests
  • Slow computer response time
  • Numerous aborted or suspended development projects
  • Unsupported or unauthorized HW/SW purchase
  • Frequent HW/SW upgrades
  • Extensive exception reports
  • Exception reports that were not followed up
  • Poor motivation
  • Lack of succession plans
  • A reliance on one or two key personnel
  • Lack of adequate training

(19)In reviewing a sample of contracts, the IS auditor should evaluate the adequacy of the following terms and conditions.

  • Service level
  • Right to audit or third-party audit reporting
  • Software escrow
  • Penalties for noncompliance
  • Adherence to security policies and procedures
  • Protection of customer information
  • Ownership of intellectual property (IP)
  • Contract change process
  • Contract termination and any associated penalties

(20)A program is a group of projects and time-bound tasks that are closely linked together through common objectives, a common budget, intertwined schedules and strategies (n number of inter-related projects with a common objective, managed together).

A portfolio is all the projects belonging to an owner

(21)Project Management Structure

  • Know the three major forms of organizational alignment
  • Know three different ways to communicate during project initiation
  • Project objectives are aligned with what? Business objectives, of course
  • Know the roles and responsibilities for the project steering committee, project sponsor, and quality assurance

Three major forms of organizational alignment for projects management are:

  1. Influence project organization
  2. Pure project organization
  3. Matrix project organization

(22) Project Management Practices

Know the three elements of a project and the effect of increasing or decreasing one of the elements of the nine ways of project planning, concentrate on

(23)Business Application Development

What is the major risk of any software development project? The final outcome does not meet all requirements.

  • Understand the eight phases of the traditional SDLC approach
  • In which phase does testing start?
  • In which phase does security start (control specs)?
  • In which phase does UAT occur?
  • What should be in an RFP?
  • What is software baselining and when does it occur?
  • What is the auditor's focus in the SDLC?
  • What's an IDE?
  • Know the difference between Unit Testing, Interface/Integration Testing, System Testing and Final Acceptance Testing
  • When is it the most, or least, expensive time to make changes (which phase for each condition)?
  • What's a structured walkthrough test, white box test, black box test, blue team, red team, yellow box testing and regression testing?
  • In which phase does data conversion occur?
  • Know the different types of cutover

The implementation process for business applications, commonly referred to as an SDLC, begins when an individual application is initiated as a result of one or more of the following situations:

  • A new opportunity that relates to a new or existing business process
  • A problem that relates to an existing business process
  • A new opportunity that will enable the organization to take advantage of technology.
  • A problem with the current technology.
  • Conflicting

(24)Description of Traditional SDLC Phases

Phase 1-Feasibility Study

Phase 2-Requirements Definition

Phase 3A-Software Selection & Acquisition

Phase 4A -Development (in-house)

Phase 4B-Configuration

Phase 5-Final Testing and

Phase 6-Implementation

Phase 7 -Post implementation

(25)Benefits Realization

The objective of benefits realization is to ensure that IT and the business fulfill their value management responsibilities. In particular:

  • IT-enabled business investments achieve the promised benefits and deliver measurable business value
  • Required capabilities (solution and service) are delivered:
  • On time, both with respect to schedule and time-sensitive market, industry and regulatory requirements
  • Within budget
  • IT service and other IT assets continue to contribute to business value.

The premise of benefits realization is that there is strong concern at board and senior management levels that the high expenditures on IT-related initiatives are not realizing the business benefits they promise.

Benefits realization of projects is a compromise among major factors such as cost, quality, development/delivery time, reliability and dependability.

(26)Critical Path Methodology (CPM)

A PERT chart helps to illustrate how a project is a “network” of related and sequenced tasks. In this network it is possible to draw “paths” through ordered tasks from the beginning to the end of the project.

When a PERT chart includes notation regarding the elapsed time required for each task, then you can follow each path through the network and add the elapsed time to get a total time for each path.

A project’s critical path is that path through the PERT chart with the highest total elapsed time.

It is important to identify the critical path in a project, because this allows the project manager to understand which tasks are most likely to impact the project schedule and to determine when the project will finally conclude. When a project manager knows which tasks are on the critical path, he or she can perform analysis and attempt to improve the project plan through one of the following:

  • Start critical tasks earlier. If a critical-path task on a project can be started earlier, then this will directly affect the project's end date. To be able to start a task earlier, it may be necessary to change the way that earlier dependent tasks are performed. For example, a Unix system administrator can be brought into a project a week earlier to begin critical tasks such as building servers.
  • Reduce dependencies. If earlier tasks in the project can be changed, then it may be possible to remove one or more dependencies that will allow critical tasks to begin (and hence, end) earlier. For example, a task "Install operating system" depends on an earlier task, "Purchase server." If the organization has an available server in-house, then the project does not need to wait to order, purchase, and receive a server. By using an in-house server, the task "Install operating system" can be started earlier.

Peaks and valleys of resource utilization are more costly and disruptive. They’re more costly, especially when external resources (for example, contractors and consultants) are used, since on-again off-again resource utilization may incur extra fees. But they can also be costly for internal resources if personnel are being shuttled back and forth between projects. Starts and stops can mean that personnel incur startup time as they move back and forth between projects.

(27)A security administrator needs to have read-only access to security log files to make sure that logs are not modified. However, the security administrator needs to have rights to modify and update users' rights and privileges.

(28)Logging options in a system means the system of controlling the way users' activities are being monitored and reported in a system. A security administrator needs to have write access to the logging options to make sure that users' activities and transactions are stored the proper way.

(29)Data owners are responsible for the overall use of data in an organization. The owner should provide written authorization to the users to access the data.

(30)Data classification is necessary to provide proper access rights to the users. If you do not classify data according to its sensitivity and importance to the business, you cannot apply proper access rules to it. Data owners are responsible for defining access rules. The data classification process starts with the process of establishing ownership of data. This process also helps to prepare a data dictionary.

(31)The purpose of data criticality analysis is to protect data; it takes input for analysis from the output of data classification.

(32)The same person should not both capture and verify data. It represents a segregation of duties problem.

(33)Depending on the functional importance, IS functions can be divided into three broad categories: sensitive, critical, vital and non-critical. The IS functions that cannot be replaced by manual methods are considered critical functions. You can manually perform sensitive functions (with tolerable cost) for an extended period of time. Vital functions can be performed manually only for a short period of time. If some functions can be interrupted for a longer period of time with low cost or no cost and can be restored to their original state with little or zero cost, then those functions are called non-critical IS functions.

(34) Creating an inventory of all IS resources is the basis for resource classification. You need to create an inventory of IS resources for implementing access control.

(35)Defense-in-depth: it means using various types of security devices or technology at the same time so that if one type of security mechanism fails then the other types of mechanism still provide the security. For example, you can use both a firewall and logical access control on your system at the same time.

(36)Diversity in defense: it means using the same type of security devices from different manufacturers. For instance, you can install two firewalls from two different manufacturers.

(37)Piggybacking refers to unauthorized persons following an authorized person, either physically or virtually, in order to gain access to the system

(38)Dumpster diving is all about looking through an organization’s trash for finding valuable information.

(39) Without an appropriate authorization process, it will be impossible to establish functional limits and accountability.

(40)Authentication=identification (user name) + verification(password)

(41)If more than one user claims their identity as a specific user then that is an authentication process problem.

(42)Steganography is used to hide digital rights information in messages or files. Example: watermarking. An IS auditor should look for the use of steganography while auditing or reviewing digital rights management (DRM).

(43)Parsing is a widely used technique in computer programming and data entry editing work. It is a process that breaks data blocks into smaller portions so that they can be easily managed and interpreted by the computer.


(44)Changing the value of data before it enters the database or computer system is known as data diddling, which is an inherent risk of a computer system without any preventive control. Anyone without any technical knowledge can do it. That is why data diddling cannot be prevented with information security.

(45)A network-based intrusion detection system creates a database of patterns by monitoring various traffic activities in the network. It is very similar to the statistical type of intrusion detection system. However, it has self-learning capacity.

(46)A statistical-based intrusion detection system has no self-learning capacity. It makes decisions based on its database, which has an extensive list of commonly known and expected behavior of network traffic.

(47)IDS types are determined by the way they function, such as analyzing statistics (statistical IDS).

(48)IDS categories are determined by the place where they reside. One category of IDS is host-based IDS.

(49)The only purpose of using hashing is to ensure message integrity, i.e., to make sure the message has not been modified by anyone on the way to its destination. Hashing does not provide data privacy. A hash is generated from the original message and is attached to the original message. The receiver receives both the hash and the original message, generates a hash from the original message that he received and compares it with the hash that was sent with the original message. If both hashes match, then it confirms the integrity of the message. You must remember that hashing is an irreversible process—you cannot create the original message from the message hash.

(50) SSL or secure socket layer only provides data confidentiality. It does not ensure integrity of the message.

(51)To maintain message integrity, confidentiality and nonrepudiation, use the following steps

-Create a digest of your message with hash algorithm—it ensures message integrity.

-Encrypt your digest with the sender’s private key—this will confirm nonrepudiation.

-Encrypt your message with a symmetric key and then encrypt the key with the receiver's public key—this will ensure both confidentiality and the receiver's nonrepudiation.
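The three steps of (51) and the hash comparison of (49) carried out end to end, as an added example that is not part of the original notes. It uses only the Python standard library: SHA-256 for the digest, a deliberately tiny textbook RSA built from two public Mersenne primes and used without padding (trivially breakable, constructed for illustration only) for the "encrypt with a private key" steps, and a SHA-256 keystream XOR as a stand-in symmetric cipher. The function names, the sample message and the key parameters are all constructed here.

```python
"""Walk-through of integrity, nonrepudiation and confidentiality (notes 49 and 51).

Added example, not from the original notes. Toy RSA from public Mersenne primes,
no padding, toy stream cipher: a classroom illustration, not a usable cryptosystem.
"""
import hashlib
import secrets

E = 65537  # public exponent shared by every toy key pair


def toy_rsa_keypair(exp_p: int, exp_q: int):
    """Return ((n, e), (n, d)) from the Mersenne primes 2**exp_p-1 and 2**exp_q-1.
    Constructed, publicly known primes: insecure by design, illustration only."""
    p, q = (1 << exp_p) - 1, (1 << exp_q) - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def toy_stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def protect(message: bytes, sender_priv, receiver_pub) -> dict:
    """Sender side: the three steps of note (51)."""
    digest = hashlib.sha256(message).digest()                        # 1. digest -> integrity
    n_s, d_s = sender_priv
    signature = pow(int.from_bytes(digest, "big"), d_s, n_s)         # 2. digest under sender private key -> nonrepudiation
    session_key = secrets.token_bytes(32)
    ciphertext = toy_stream_xor(session_key, message)                # 3a. symmetric encryption -> confidentiality
    n_r, e_r = receiver_pub
    wrapped_key = pow(int.from_bytes(session_key, "big"), e_r, n_r)  # 3b. key under receiver public key
    return {"ciphertext": ciphertext, "signature": signature, "wrapped_key": wrapped_key}


def unprotect(envelope: dict, receiver_priv, sender_pub):
    """Receiver side: unwrap, decrypt, then the hash comparison of note (49).
    Returns the message, or None when the recomputed hash does not match."""
    n_r, d_r = receiver_priv
    session_key = pow(envelope["wrapped_key"], d_r, n_r).to_bytes(32, "big")
    message = toy_stream_xor(session_key, envelope["ciphertext"])
    n_s, e_s = sender_pub
    recovered_digest = pow(envelope["signature"], e_s, n_s)          # undo step 2 with sender public key
    if recovered_digest != int.from_bytes(hashlib.sha256(message).digest(), "big"):
        return None
    return message


def run_demo() -> dict:
    """Happy path, a tampered ciphertext, and a signature checked against the wrong sender."""
    sender_pub, sender_priv = toy_rsa_keypair(521, 607)
    receiver_pub, receiver_priv = toy_rsa_keypair(127, 1279)
    impostor_pub, _ = toy_rsa_keypair(89, 2203)
    message = b"Transfer 100 units to account 42 (constructed sample message)"
    envelope = protect(message, sender_priv, receiver_pub)

    tampered = dict(envelope)  # flip one bit in transit: the plaintext, and so the hash, changes
    tampered["ciphertext"] = bytes([envelope["ciphertext"][0] ^ 0x01]) + envelope["ciphertext"][1:]

    return {
        "roundtrip": unprotect(envelope, receiver_priv, sender_pub) == message,
        "tamper_detected": unprotect(tampered, receiver_priv, sender_pub) is None,
        "wrong_sender_detected": unprotect(envelope, receiver_priv, impostor_pub) is None,
    }


if __name__ == "__main__":
    print(run_demo())
```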

(52)What is a virus wall? It works like a logical wall at the entry point of a network to detect viruses. Normally, a virus scanner along with a firewall forms a virus wall. It is considered a more effective virus detection technique than detecting viruses on servers or computers.

(53) A certification authority statement (CAS) is a set of rules that governs the operation of a CA (certification authority)

(54) Web of trust is a method of distributing public keys for establishing communication in a small group.

(55)Key distribution center is a key distribution method that is suitable for establishing international communication for a large number of users; it uses symmetric key distribution.

(56)A CA (certification authority) is a third-party organization that ensures or validates the authenticity of the digital certificate owner. It is used to establish secure communication among a larger number of users.

(57)Kerberos authentication system helps to extend the functionality of a key distribution center.

(58)Buffer overflow is caused by inadequate programming and coding practices.

(59) A deadman door helps to prevent piggybacking. A deadman door uses a pair of doors to prevent piggybacking. The second door will only open when the first door is closed.

(60)The only way to make sure that confidential information stored on magnetic media cannot be retrieved is to destroy it.

(61)Damage to the wires around servers is prevented by installing a raised floor. That is why both data and power cables are installed under the raised floor.

(62) At first make an IS resource inventory. Next classify the assets and then design the access control on your IS resources.

(63) Wi-Fi protected access (WPA-2) uses AES (Advanced Encryption Standard) and is considered the most secure wireless system against unauthorized access attempts. It supports the extensible authentication protocol and the pre-shared key authentication model.

(64)WEP uses a static key that needs to be communicated to all the authorized users, thus causing a key management problem. Besides, WEP can be easily cracked.

(65)Man-in-the-middle attack is considered a major risk with the wireless personal area network (WPAN).

(66)DDOS attacks are initiated centrally using multiple compromised computers. The attacks work by flooding the target site with spurious data, thereby overwhelming the network and the other related resources. To achieve this objective, the attack needs to be directed at a specific target and occur simultaneously.

(67)A firewall can prevent an IP spoofing attack by discarding packets with the source routing field enabled. An attacker can modify the source IP address of the packet when the source routing field remains enabled.
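The packet check behind (67), as an added example that is not part of the original notes: it parses the IPv4 header, walks the options list and returns a drop decision when a loose (LSRR, type 131) or strict (SSRR, type 137) source-route option is present. It goes one step further than the note by also dropping headers whose option lengths are malformed, so the filter fails closed. The function names and the sample packets (built with a zero checksum) are constructed here.

```python
"""Fail-closed IPv4 source-route option check (note 67).

Added example, not from the original notes. Sample packets are constructed."""
import ipaddress
import struct

LSRR, SSRR = 131, 137  # loose / strict source-route option type codes (RFC 791)
EOL, NOP = 0, 1        # single-byte options that carry no length field


def ipv4_options(packet: bytes) -> bytes:
    """Return the raw options bytes of an IPv4 header; raise on a malformed header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("bad version or header length")
    return packet[20:ihl]


def has_source_route(options: bytes) -> bool:
    """Walk the option list; True if LSRR or SSRR is present. Raise on bad lengths."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == EOL:
            return False
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option without length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        if kind in (LSRR, SSRR):
            return True
        i += length
    return False


def filter_decision(packet: bytes) -> str:
    """'forward', 'drop:source-route', or 'drop:malformed' (fail closed)."""
    try:
        return "drop:source-route" if has_source_route(ipv4_options(packet)) else "forward"
    except ValueError:
        return "drop:malformed"


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed header with a zero checksum; pads options to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + options


# Constructed sample packets using documentation address ranges.
PLAIN = build_ipv4("192.0.2.1", "198.51.100.2")
LOOSE_SR = build_ipv4("192.0.2.1", "198.51.100.2",
                      bytes([LSRR, 7, 4]) + ipaddress.IPv4Address("203.0.113.9").packed + bytes([NOP]))
NOP_ONLY = build_ipv4("192.0.2.1", "198.51.100.2", bytes([NOP, NOP, NOP, EOL]))
TRUNCATED_SR = build_ipv4("192.0.2.1", "198.51.100.2", bytes([SSRR, 11, 4]))  # claims 11 bytes, carries 3

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("lsrr", LOOSE_SR), ("nop", NOP_ONLY), ("bad", TRUNCATED_SR)]:
        print(name, filter_decision(pkt))
```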