Free CISA notes (PDF)
No source code required; no need to know procedural or class libraries. Also identifies the web service available to be used. Universal Description, Discovery, and Integration (UDDI) is used to make an entry in the UDDI directory, which allows others to find and use the available web services.
Reengineering: updating an existing system by extracting and reusing design and program components.
Decompilers depend on specific computers, OSs, and programming languages; any change to these requires a new decompiler.
Sequence: review of existing architecture; analysis and design; draft functional requirements; start vendor selection; functional requirements; define final functional requirements; proof of concept.
After data is processed to the master file, reconciliation is performed between the initial edit file totals and the master file.
Error Handling and Reporting
Input error handling options:
- Reject only the transactions (trx) with errors
- Reject the whole batch of trxs
- Hold the batch in suspense until errors are corrected
- Accept the batch and flag the error transactions
Input Control Techniques
- Transaction log: log of all updates, verified to source documents
- Reconciliation of data
- Documentation: written evidence of user, data entry, and data control procedures
- Error correction procedures
  o Logging of errors
  o Timely corrections
  o Upstream resubmission
  o Approval of corrections
  o Suspense file
  o Error file
  o Validity of corrections
- Anticipation: user or control group anticipates the receipt of data
- Transmittal log: log of transmission or receipt of data
- Cancellation of source documents: punching or marking to avoid duplicate entry
Edits should occur as close to the time and point of origination as possible.
Edits and Controls (types of checks)
- Sequence: control numbers are sequential
- Limit
- Range
- Validity
- Reasonableness
- Table lookups
- Existence
- Key verification: two people key the data and both sets are compared
- Check digit: detects transposition and transcription errors
- Completeness
- Duplicate
- Logical relationship
Processing Controls: ensure completeness and accuracy of accumulated data.
Processing Control Techniques
- Manual recalculations
- Edit check
- Run-to-run totals
- Programmed controls
Changes should be authorized and logged.
Output Controls: ensure delivered data is presented, formatted, and delivered consistently and securely.
- Logging and secure storage of negotiable, sensitive, and critical forms
- Computer generation of negotiable instruments, forms, and signatures
- Report distribution
  o All reports logged prior to distribution
  o Secure print spools to avoid deletion or redirection of print jobs
  o Restricted to certain IT resources, websites, or printers
  o Confidential disposal
- Balancing and reconciling
- Output error handling
- Output report retention
- Verification of receipt of reports
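The edit checks (sequence, limit/range, validity via table lookup, check digit, completeness, duplicate) and the run-to-run reconciliation of batch totals above, shown together in one added Python example. This is not code from the notes; the batch records, the control totals, the department table and the 10,000 limit are constructed for illustration, and the check digit uses the mod-10 (Luhn) scheme as one concrete check-digit algorithm. The error-handling policy chosen is "accept the batch and flag error transactions", with flagged amounts carried in a suspense total so the batch still reconciles.

```python
"""Input edit checks plus batch reconciliation (run-to-run totals).
Added example; the batch records below are constructed for illustration."""

LIMIT = 10_000.00                        # limit check: maximum amount per transaction (constructed)
VALID_DEPTS = {"SALES", "OPS", "FIN"}    # table lookup for the validity check (constructed)
REQUIRED = ("seq", "account", "dept", "amount")  # completeness check


def luhn_ok(number):
    """Mod-10 (Luhn) check-digit test. Catches every single-digit transcription
    error and nearly all adjacent transpositions."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def edit_check(record, expected_seq):
    """Return the edit-check failures for one record (empty list = clean)."""
    missing = [f for f in REQUIRED if f not in record]
    if missing:                           # completeness check short-circuits the rest
        return ["completeness: missing " + ", ".join(missing)]
    errors = []
    if record["seq"] != expected_seq:
        errors.append("sequence: expected %d, got %d" % (expected_seq, record["seq"]))
    if not luhn_ok(record["account"]):
        errors.append("check digit: account number fails mod-10 test")
    if record["dept"] not in VALID_DEPTS:
        errors.append("validity: unknown department " + record["dept"])
    if not 0 < record["amount"] <= LIMIT:
        errors.append("limit/range: amount %.2f not in (0, %.2f]" % (record["amount"], LIMIT))
    return errors


def process_batch(batch, control_count, control_total):
    """Run edit checks, then reconcile run-to-run totals against the batch
    control totals supplied by the data-control group. Handling policy used
    here: accept the batch and flag error transactions (held in suspense)."""
    accepted, flagged, seen = [], {}, set()
    for idx, rec in enumerate(batch):
        errs = edit_check(rec, expected_seq=idx + 1)
        key = (rec.get("seq"), rec.get("account"), rec.get("amount"))
        if key in seen:                   # duplicate check across the whole batch
            errs.append("duplicate: identical transaction already in batch")
        seen.add(key)
        if errs:
            flagged[idx] = errs
        else:
            accepted.append(rec)
    accepted_total = sum(r["amount"] for r in accepted)
    suspense_total = sum(batch[i].get("amount", 0.0) for i in flagged)
    # Run-to-run reconciliation: accepted + suspense must equal the input control totals.
    reconciled = (len(accepted) + len(flagged) == control_count
                  and round(accepted_total + suspense_total, 2) == round(control_total, 2))
    return {"accepted": accepted, "flagged": flagged,
            "accepted_total": accepted_total, "suspense_total": suspense_total,
            "reconciled": reconciled}


# Constructed sample batch: one clean record and five with seeded defects.
SAMPLE_BATCH = [
    {"seq": 1, "account": "79927398713", "dept": "SALES", "amount": 250.00},
    {"seq": 2, "account": "79927398731", "dept": "OPS", "amount": 99.50},     # transposed digits
    {"seq": 3, "account": "79927398713", "dept": "HR", "amount": 12.00},      # dept not in table
    {"seq": 5, "account": "79927398713", "dept": "FIN", "amount": 15000.00},  # seq gap, over limit
    {"seq": 5, "account": "79927398713", "dept": "FIN", "amount": 15000.00},  # duplicate, over limit
    {"seq": 6, "account": "79927398713", "dept": "OPS"},                      # amount missing
]

if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH, control_count=6, control_total=30361.50)
    for idx, errs in sorted(result["flagged"].items()):
        print("record %d: %s" % (idx, "; ".join(errs)))
    print("reconciled:", result["reconciled"])
```

The transposed account number (...731 instead of ...713) is caught purely by the check digit, which is the transposition case the notes attribute to that control; the sequence gap at record 4 and the duplicate at record 5 are separate checks, so a record can accumulate several failures.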
Data Integrity Testing
Cyclical testing: checking data against source documents, one section of data at a time. The whole file is eventually checked after multiple cycles.
EDI Controls
- Message format and content standards to avoid transmission errors
- Controls to ensure transmissions are converted properly for the application software
- Receiving organization controls to ensure reasonableness of messages received, based on the trading partner's trx history or documentation
- Controls to guard against manipulation of trxs in files and archives
- Procedures for ensuring messages are from authorized parties and were authorized
- Dedicated transmission channels between partners to prevent tapping
- Data is encrypted and digitally signed to identify source and destination
- Message authentication codes are used to ensure what was sent is received
- Error handling for trxs that are nonstandard or from unauthorized parties
Digital Signatures
- Unique to each document; cannot be transferred or reused
- Verifies the sender and that the document has not been altered
- Based on a message digest, a short, fixed-length number
  o Some messages have the same digest, but the message cannot be produced from the digest
  o A cryptographic hash of fixed bit length
  o Similar to a checksum or fingerprint of the document
- DES: symmetric; RSA: asymmetric (public key)
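The message digest and message authentication code (MAC) controls from the EDI and digital-signature notes above, as an added Python example that is not part of the original notes. It uses Python's standard hashlib and hmac modules; the X12-style purchase-order segments, the shared key and the tampering scenario are constructed for the demonstration.

```python
"""Message digest and message authentication code (MAC) for an EDI message.
Added example; the EDI segments, the shared key and the tampering are constructed."""
import hashlib
import hmac

# Constructed: a key shared out of band between the two trading partners.
SHARED_KEY = b"constructed-demo-key-replace-in-real-use"

# Constructed X12-style purchase order: line item of 10 units at 25.00.
PURCHASE_ORDER = b"ST*850*0001~BEG*00*SA*PO-0001**20240101~PO1*1*10*EA*25.00~SE*4*0001~"


def message_digest(message):
    """Short, fixed-length fingerprint: SHA-256 always yields 256 bits (64 hex
    chars) however long the message is, and it is one-way, so the message
    cannot be recovered from the digest."""
    return hashlib.sha256(message).hexdigest()


def make_mac(key, message):
    """Sender side: HMAC-SHA256 over the message using the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key, message, received_mac):
    """Receiver side: recompute the MAC over what arrived and compare in
    constant time, so a mismatch reveals nothing through timing."""
    return hmac.compare_digest(make_mac(key, message), received_mac)


def exchange(message, altered_in_transit=None):
    """Simulate send -> optional alteration -> receive, reporting what the
    receiving partner can conclude from the digest and from the MAC."""
    sent_mac = make_mac(SHARED_KEY, message)
    arrived = altered_in_transit if altered_in_transit is not None else message
    return {
        "digest_len": len(message_digest(arrived)),
        "digest_matches": message_digest(arrived) == message_digest(message),
        "mac_ok": verify_mac(SHARED_KEY, arrived, sent_mac),
    }


if __name__ == "__main__":
    print("clean   :", exchange(PURCHASE_ORDER))
    tampered = PURCHASE_ORDER.replace(b"*10*", b"*100*")   # quantity changed in transit
    print("tampered:", exchange(PURCHASE_ORDER, tampered))
```

A bare digest only proves that the bytes are what they are: whoever changed the quantity could just as easily recompute a matching digest. The MAC ties the digest to the key the two partners share, which is why the notes list message authentication codes, not checksums, as the control that ensures what was sent is what is received.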
Risk Management for e-banking
1. Security controls
3. Legal and reputational risk management
Purchase Order Accounting functions
- Accounts payable processing
- Goods received processing
- Order processing
Artificial Intelligence
Also contains:
  o Knowledge interface: allows entry of knowledge without needing a programmer
  o Data interface: enables the system to collect data from nonhuman sources (other systems, e.g. temperatures)
Used in auditing! Errors in the system have a bigger impact, especially in health care.
Software quality attributes:
- Functionality of the software processes
- Usability: ease of use
- Reliability: consistent performance
- Portability between environments
- Efficiency
- Maintainability for modifications
Block: broadcast data.
Synchronous transmission: bits transmitted at constant speed.
The sending modem uses a specific character when it starts sending a data block to synchronize the receiving device. Provides maximum efficiency.
Asynchronous transmission: sender uses a start and stop bit before and after each data byte. Lower efficiency, but simpler.
Multiplexing: dividing a physical circuit into multiple circuits by:
- Time-division: fixed time slots, regardless of whether data is ready to transmit
- Asynchronous time-division: time slots dynamically assigned as needed for transmission
- Frequency-division: based on signal frequency
- Statistical: dynamic allocation of any data channel based on criteria
Middleware: services include identification, authentication, authorization, directories, and security. Resides between the application and the network. Manages the interaction between the GUI and the database back-end.
Operating System States
- Supervisory: security front end not loaded; requests are run at the highest authority level without security controls.
- Wait: computer busy and unable to respond to additional requests.
Threat: who or what can cause an undesirable event.
Vulnerability: how a weakness in technology or organizational process can be exploited by a threat.
Mandatory access control (MAC): control that cannot be changed by normal users or data owners; applies by default; prohibitive. Changed by admins making decisions derived from policy. Example: password complexity requirements.
Bypassing Security Controls
Only system software programmers should have access to:
- Bypass label processing (BLP): bypasses the reading of the file label, on which most access control rules are based, and so bypasses the associated security on the file
- System exits: system software feature that allows complex system maintenance
Exits often exist outside of the computer security system, so they are not restricted or logged.
Special system logon IDs: vendor provided.
Wireless Security
9 categories of overall security threats:
1. Errors and omissions
2. Employee sabotage
4. Loss of physical and infrastructure support
5. Malicious hackers
6. Industrial espionage
7. Malicious code
8. Foreign government espionage
9. Personal privacy threats
Main Wireless Threats
1. Theft
2. DoS
3. Malicious hackers
4. Industrial espionage
5. Malicious code
6. Foreign government espionage
7. Theft of service
Security Requirements
- Authenticity: verification that the message was not changed in transit
- Nonrepudiation: verification of origin or receipt of a message
- Accountability: actions traceable to an entity
- Network availability
Scanners: strobe, jakal, asmodeous. Install a local firewall; turn off scripting.
Miniature fragment attack: fragments the IP packet into smaller ones; only the first packets will be examined, and the rest won't.
Screened subnet firewall: uses 2 packet-filtering routers and a bastion host. Provides network packet filtering and application-level security with a DMZ network. The inside router manages DMZ access to the internal network, accepting traffic only from the bastion host. Requires compromise of 3 hosts; hides internal network addresses.
Hardware firewalls: faster, but not as flexible or scalable. Software firewalls: slower, but more scalable.
Intrusion Detection Systems (IDS): monitor network anomalies.
- Network-based
- Host-based: monitors modification of programs and files; detects privileged command execution
Components:
  o Sensors that collect data
  o Analyzers that receive input and determine intrusive activity
  o Administrative console
  o User interface
IDS Types
- Signature-based
- Statistical-based: must be configured with known and expected system behaviors
- Neural networks: monitor general activity, similar to statistical-based, but capable of self-learning
IDS cannot help with:
- Policy definition weaknesses
- Application-level vulnerabilities
- Backdoors in applications
- Identification and authentication scheme weaknesses
Digital signatures
- Use a public key algorithm to ensure the identity of the sender and the integrity of the data
- Hash algorithm creates a message digest, a smaller version of the original message; changes variable-length messages into a fixed bit-length digest
- Hashes are one-way functions and cannot be reversed
  o MD5, SHA-1, SHA
- The digital signature is encrypted by the sender's private key; the receiver decrypts with the public key, then recomputes the hash and compares it to the original
- Ensure data integrity, authentication, and non-repudiation, but not confidentiality
- Vulnerable to man-in-the-middle attack
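The difference between signature-based and statistical-based detection, as an added Python example run over constructed SSH authentication log lines (not code or data from the notes). The signature pattern, the baseline of 3 failed logins per source per window, and the IP addresses (from the documentation ranges) are all constructed; the point is that the signature engine only finds the one line it has a pattern for, while the statistical engine needs the baseline configured up front and then flags the burst that no signature names.

```python
"""Signature-based vs statistical-based intrusion detection over auth log lines.
Added example; the log lines, signature, baseline and addresses are constructed."""
import re
from collections import Counter

# Signature-based: a known-bad pattern. Detects only what has a signature.
SIGNATURES = {
    "ssh_invalid_user": re.compile(r"Invalid user \S+ from (\d+\.\d+\.\d+\.\d+)"),
}

# Statistical-based: expected behaviour must be configured before it can alert.
# Constructed baseline: more than 3 failed logins from one source per window is anomalous.
FAILED_LOGIN_BASELINE = 3
FAILED_RE = re.compile(r"Failed password for .* from (\d+\.\d+\.\d+\.\d+)")

LOG_LINES = [  # constructed sample covering one time window
    "Jan 10 10:00:01 host sshd[1]: Failed password for alice from 10.0.0.5 port 5000 ssh2",
    "Jan 10 10:00:02 host sshd[1]: Accepted password for alice from 10.0.0.5 port 5001 ssh2",
    "Jan 10 10:00:05 host sshd[1]: Invalid user admin from 203.0.113.9",
    "Jan 10 10:00:06 host sshd[1]: Failed password for bob from 203.0.113.9 port 4000 ssh2",
    "Jan 10 10:00:07 host sshd[1]: Failed password for bob from 203.0.113.9 port 4001 ssh2",
    "Jan 10 10:00:08 host sshd[1]: Failed password for bob from 203.0.113.9 port 4002 ssh2",
    "Jan 10 10:00:09 host sshd[1]: Failed password for bob from 203.0.113.9 port 4003 ssh2",
    "Jan 10 10:00:11 host sshd[1]: Failed password for carol from 198.51.100.7 port 6000 ssh2",
    "Jan 10 10:00:12 host sshd[1]: Failed password for carol from 198.51.100.7 port 6001 ssh2",
]


def signature_alerts(lines):
    """Return (signature name, source IP) for every line matching a known signature."""
    alerts = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            m = pattern.search(line)
            if m:
                alerts.append((name, m.group(1)))
    return alerts


def statistical_alerts(lines, baseline=FAILED_LOGIN_BASELINE):
    """Count failed logins per source and alert on sources above the baseline.
    Flags the burst from 203.0.113.9 even though no signature names it; a
    source that stays under the baseline (198.51.100.7 here) is not flagged."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n > baseline}


def analyze(lines):
    """Run both engines over the same window and return their alerts side by side."""
    return {"signature": signature_alerts(lines), "statistical": statistical_alerts(lines)}


if __name__ == "__main__":
    for engine, alerts in analyze(LOG_LINES).items():
        print(engine, "->", alerts)
```

Lowering the baseline is the tuning knob the notes allude to with "must be configured with known and expected system behaviors": at a baseline of 1 the second source is flagged too, at the cost of more false positives from ordinary typos.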
IPSec
- Uses asymmetric keys to protect the data integrity, authentication, and non-repudiation gained by symmetric keys
- Runs at the network layer
- Used for communicating between two or more hosts, subnets, or hosts and subnets; establishes VPNs
- Transport mode: only the data portion of the packet (Encapsulating Security Payload, ESP) is encrypted (confidentiality)
- Tunnel mode: ESP payload data and header are encrypted
- Additional Authentication Header (AH) provides non-repudiation
- Uses security associations (SAs) to define the security parameters to use (algorithms, keys, initialization vectors, etc.)
SSH: used to secure telnet and ftp.
Encryption Risks
- Secrecy of keys is paramount
- Randomness of key generation relates to how easily a key can be compromised
- Tying passwords to key generation weakens the key's randomness, so it is important to use strong passwords
Computer Forensics (IPAP)
- Identify information
- Preserve: retrieving data, documenting chain of custody
  o Who had access to the data
  o How evidence was gathered
  o Proving that analysis was based on copies of the original, unaltered evidence
- Analyze
- Present
Recovery time objective (RTO): based on acceptable downtime; earliest time when business operations must resume.
Interruption window: how long a business can wait before operations resume; after this point, losses are unaffordable.
Maximum tolerable outage (MTO): maximum time a business can operate in alternate processing mode before other problems occur.
Service delivery objective (SDO): acceptable level of services required during alternate processing.
Recovery Alternatives
- Hot site: fully configured and ready to operate within hours. Not for extended use.
- Warm site: partially configured; network and peripheral devices, but no main computers. Site ready in hours, operations ready in days or weeks.
- Cold site: has basic utilities, ready in weeks.
- Redundant site: dedicated, self-developed sites.
Difference between the ISACA book and Sybex
- Sybex is easier to read and digest
- Layout is better and more reader-friendly
- More bullet points, charts, and tables that summarize the information and show relationships or differences in the subject matter
- Less subject matter on a page, so eyes don't get so tired as you read
I would never read just one book. Read one book and take notes. Then read the other book and supplement your notes. This process will help you understand the difference between the two sources.
Each perspective is helpful.
Statement of work: a formal approval by the executive management to grant the go-ahead of the project and force cooperation.
desired functional requirements to determine if the product has met
Goal: define inputs, outputs, current environment, and proposed iii. Auditor objective: interaction. The specification is defined in this step. Entity-relationship diagram: defines high-level relationships between computer program. Goal: Final acceptance testing begins, and users are trained in the new i. Goal: To plan a solution by using the objectives from phase 1 and the system.
System testing is undertaken by the developer team to specification from phase 2. The client has to determine to build the determine if the software meets user requirements per specifications.
Certification: a technical process of testing against a known reference. Best time for software developer to work directly with the user. Cost estimates are compared to the assumptions made. The iv. User training: system custodians need to be trained for normal i. Goal: Prototypes are built for functional testing and user acceptance operations and emergency procedures.
Go live: ii. An ongoing team learning process to refine project management. Uses 4GL programming language i. Combines best of the SDLC with an iterative approach that enables ii. ROI calculation to compare cost to the actual benefit received.
Periodic reviews and monitoring procedures are necessary to verify that ii. Focuses on prototyping screens and reports the system is maintained in a manner that supports the original objectives and controls. Goals: Archive old data, and management signs a formal authorization i.
Data-oriented database: Data entries have fixed length and format; for the disposal and accepting liability. It Is used when the structure and format of the data is well known and predictable. A generation language may refer to any of the following: ii.
They are sometimes used in reference and its own method of accomplishing a required task. ACID model for fata base integrity: and video games. Visual Basic. Fourth transaction begins and ends. Examples of fifth cannot be undone. Alternative development techniques: level of reference.
Colleague, or associate, level: provides tedious calculation support but i. Uses time-box management techniques to force individual iterations of leaves the real decisions to the user. Expert level: written by capturing specialized data from a person who writing a program using lots of trial and error without spending time on has been performing the desired work for 20 or 30 years.
It is designed for use by small teams of talented programmers. However, it does not scale very well. System access controls 1.
Retired passwords are to be backed up and protected in a controlled System user Approve Use No No No environment that is offsite End user iii. Standing data controls: requires additional controls such as storage in Security Approve No No Specify control No encrypted format administration ii.
Logical access controls: direct access through open databased Change Test only No No Test only No connectivity should be prohibited and all access to data files should be testing use isolated use isolated test test forced through authentication in a user right management program Change Approve No No No NO application processing control control iv.
Chief information security office: define and enforce security policies i. Batch totals: compare output for organization, and review periodically. Total number of items: ensure each item was processed ii. Chief privacy officer: protecting confidential information. Transaction logs: record activity iii. Information systems security manager: day-to-day process of ensuring iv. Run-to-run total: verify data values during the different stages of compliance for system security.
Data owner: responsible for data content and authorization. Limit checks v. Data custodian: responsible for safeguard and availability of data. Job cost accounting preferred control cannot be implemented. Exception report Adobe Flash PostScript iv. Transaction logs JavaScript Visual Basic v. Supervisor review i. ActiveX places no restrictions on what the programmer can do. Hot site — fully configured and ready to operate within hours.
Not for lowest is the optimal strategy. Warm site — partially configured. Site ready in hours, operations ready i. DRP plan: It is critical to initially identify information assets that can be in days or weeks.
Cold site — has basic utilities, ready in weeks. Plan to restore operations to normal following disaster iv. Redundant site — dedicated, self-developed sites. Improvement of security operations v. Reciprocal agreements with other businesses i. Create BCP policy ii. The IS auditor might need to review specific reports associated with availability wide array of stakeholders, which identifies and response.
Classify of operations and criticality operations problems and their solutions. Operator work schedules are iv. Identify IS processes that support business criticality maintained by IS management to assist in human resource planning. Develop resumption procedures enables management to properly allocate resources and ensure vii. Training and awareness programs continuous efficiency of operations.
Monitoring: Periodic testing of the recovery plan is critical to ensure traffic data. The logs from these devices can be used to inspect activities that whatever has been planned and documented is feasible. Recovery time objective RTO — based on acceptable downtime; earliest time when business operations must resume.
Interruption window — how long a business can wait before operations resume after this point, losses are unaffordable iv. Maximum Tolerable outage MTO — maximum time business can operate in alternate processing mode before other problems occur v. It best performance, but data loss is likely. However, it cuts usable space in half. It uses less disk device drivers and the space than RAID-1 for the same amount of usable storage. The disks in the same string appear as one large disk.
Bus: uses coaxial cable but runs the risk of interrupted transmission since computers are linked together with one cable.
Star: computers are connected to a network hub or switch with additional cables. It offers flexibility but higher cost on more cables.
Ring: allows the redundant path to create a fault-tolerant network. It also has a higher cost of implementation.
Coaxial: for longer distance and in areas prone to electrical interference or for outdoor connections.
ii. Unshielded twisted-pair cable: inexpensive and is commonly used in
Fiber optic cable: has an extremely wide bandwidth but is expensive
IDP vs. IDS
i. Screened host implementation: a single host computer through the firewall.
2. Open Systems Interconnection Model: a conceptual model that characterizes a computing system without regard to its underlying internal structure and
Layer / Name / Example protocols / Function
6 / Presentation / SSL, TLS / Handles data and encryption; the layer also translates into the format all computers can understand.
Layer between systems are managed.
compared to static keys
It is expected that the host computer will be attacked. Dual-homed host: a special software application relays appropriate communication between the two interface cards.
sophisticated equipment and displayed, thus giving access to data to
Stateful inspection: collects the history and nature of the connectionless requests to determine whether the remote request should be transmitted to the destination computer or discarded as hazardous.
Of all types of firewall, the application-level firewall provides the greatest security, as it works at the application layer of the OSI model.
Stateful Inspection Firewall allows traffic from outside only if it is in response to traffic from internal hosts. Security goal and matching control that specifies who may access the file and how the file may be used.
Enrollment failure: sample of user fail to be accepted by the system controls are applied with respect to the sensitivity of the data. Equal error vs. Throughput rate: the samples system can process and still have 2. Technical protection accuracy; higher risk situation should have lower throughput rate. The access privileges 5. Kerberos single sign-on are predetermined based on a list. Changed by admins making decisions derived from policy grants access to all resources ii. The IS auditor needs to investigate how the 6.
Encryption decisions are selected, authorized, managed, and viewed at lest annually. Private-key: secrete key that is shared between the authorized person, ii.