Category: Certified Information Systems Auditor (CISA) Certification Exam (Area 2)

  • CISA Review Questions, Answers & Explanations Manual 2009 Supplement

    CISA Review Questions, Answers & Explanations Manual 2009 Supplement English Edition.pdf, scanned copy download

  • Certified Information Systems Auditor (CISA) course

    Since 1978, the Certified Information Systems Auditor (CISA) certification program sponsored by the Information Systems Audit and Control Association (ISACA®) has become the globally recognized standard covering the professional fields of information systems audit, control and security. The professional skills and practices that CISA promotes and assesses are the foundation for success in this field. Holding the CISA credential demonstrates the holder's practical ability and professional level. According to June 2014 statistics from the official Hong Kong chapter, 666 people in mainland China had passed; there are currently about 1,200 certified people in mainland China. These certified auditors play an important role in the fields of information security and control; information systems audit is increasingly recognized by domestic enterprises, and many large state-owned enterprises and multinational companies explicitly require the CISA certificate when recruiting senior managers in information security and control. Based on the official syllabus and more than five years of its own training experience, SPISEC has designed the following training course:

    Target audience:

    Traditional internal audit staff

    Internal IS audit practitioners

    IT managers, information security managers

    Audit managers, CISA exam candidates, etc.

    Internal information systems security management practitioners

    Other IT-audit-related personnel

    Course content:
    The IS audit process (14%)

    Provide audit services in accordance with IT audit standards to help the organization protect and control information systems;

    IT governance and management (14%)

    Provide assurance that the organization has the structure, policies, accountability mechanisms and monitoring practices needed to meet the enterprise's IT governance requirements and support its strategic development;

    Information systems acquisition, development and implementation (19%)

    Provide assurance that the practices for acquiring, developing, testing and implementing information systems meet the organization's strategy and objectives;

    Information systems operations, maintenance and support (23%)

    Provide assurance that the processes for operating, maintaining and supporting information systems meet the organization's strategy and objectives;

    Protection of information assets (30%)

    Provide assurance that the organization's security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets;

    Course features:
    The course is built around certification and practice; the training enables students to master each CISA chapter and pass the exam;

    Case studies tied to the study material and fine-grained teaching solve students' practical problems, making the course a real aid to their work and career development;

    A professional team of instructors and an independent follow-up service team provide continuing support for students' certification and practice;

    Five days of training plus online guidance help students master the CISA body of knowledge and pass the exam;

    Joining the SPISEC after-sales study community broadens students' professional level and industry exchange;

    Note: a half-day mock exam and question review is held before the exam

    http://www.spisec.com/

  • CISA exam CD practice questions, six chapters (900 questions)

    Chapter 1 CD questions (90), Chapter 2 CD questions (126), Chapter 3 CD questions (146), Chapter 4 CD questions (128), Chapter 5 CD questions (284), Chapter 6 CD questions (126)

    Compiled from screen captures of the CD.

  • CISA body of knowledge, Chinese edition 2009 (6 chapters)

    Download of the CISA body of knowledge, Chinese edition 2009 (6 chapters); CISA 2009 Chinese edition.

  • CISA Review Manual 2010, scan of the original English book

    Download of the scanned CISA Review Manual 2010 (original English edition, 452 pages).

    Book description (English)

    The CISA Review Manual 2010 is a comprehensive reference guide designed to assist individuals in preparing for the CISA exam and individuals who wish to understand the roles and responsibilities of an information systems auditor. The manual has evolved over the past editions and now represents the most current, comprehensive, globally peer-reviewed information security management resource available.

    The CISA Review Manual 2010 features a new format. Each of the six chapters has been divided into two sections for focused study. The first section of each chapter contains the definitions and objectives for the six areas, with the corresponding tasks performed by information systems (IS) auditors and knowledge statements (required to plan, manage and perform IS audits) that are tested on the exam.

    Section One is an overview that provides:
    Definitions for the six areas
    Objectives for each area
    Descriptions of the tasks
    A map of the relationship of each task to the knowledge statements
    A reference guide for the knowledge statements, including the relevant concepts and explanations
    References to specific content in Section Two for each knowledge statement
    Sample practice questions and explanations of the answers
    Suggested resources for further study
    Section Two consists of reference material and content that supports the knowledge statements. The material included is pertinent to CISA candidates' knowledge and/or understanding when preparing for the CISA certification exam. In addition, the CISA Review Manual 2010 includes brief chapter summaries focused on the main topics and case studies to assist candidates in understanding current practices. Also included are definitions of terms most commonly found on the exam.

    This manual can be used as a stand-alone document for individual study or as a guide or reference for study groups and chapters conducting local review courses.

    The 2010 edition has been developed and is organized to assist candidates in understanding essential concepts and studying the following job practice areas:
    IS audit process
    IT governance
    Systems and infrastructure life cycle management
    IT service delivery and support
    Protection of information assets
    Business continuity and disaster recovery

  • Recordings of the CISA training class lectures on 6 August 2015 and 17 August 2015

    Recording of the CISA training class lecture on 6 August 2015: 9 MP3 recording files, 65 MB

    Recording of the CISA training class lecture on 17 August 2015: 4 VY4 recording files, 80 MB

  • CISA pre-exam review handouts and recordings

    CISA1.ppt, CISA2.ppt, CISA3.ppt

    Morning review of chapters 1-3 following the PPTs: VOICE_0001.MP3, VOICE_0002.MP3, VOICE_0003.MP3

    Afternoon overall review across chapters: VOICE_0004.MP3, VOICE_0005.MP3, VOICE_0006.MP3

    Some terms from the afternoon overall review:

    Chain of custody
    CSMA/CD
    CA
    TDM
    ATDM
    FDM
    Ad hoc
    WLAN
    WEP
    802.11i
    802.11+EAP
    WAP

    CGI
    Servlet
    Applet
    Cookie
    Latency
    Throughput
    Rounding Down
    Piggybacking
    Deadman door
    Phishing
    Circuit level
    Proxy
    Alternative routing
    Diverse routing

    Long-haul network
    Last-mile circuit protection

    Ad hoc access

    Tuple
    Entry
    Record
    Attribute
    Field
    Regression
    Sociability

    Batch control
    /balancing
    reconciling
    verification
    negotiable instruments, forms, signature

    Assurance
    ACK

    Source document retention
    Internal/external labeling
    Version usage
    Prerecorded input
    Parity
    Key verification

    Emergency action team

    Emergency management team

    Emergency operation team

    Transportation team
    Salvage team
    Relocation team

    Service downtime

    Recovery time

    RPO
    RTO

    Subscribers per site
    Subscribers per area

    Hot warm cold

    Duplicated IPF
    Mobile site
    Reciprocal agreement

    Paper test
    Desk-based evaluation
    Preparedness test
    Full operational test

    Location chosen
    Protection

    Due care/due diligence
    Professional skepticism
    Judgement
    Materiality
    Awareness
    E&E
    Accountability
    Traceability
    Auditability

    Alignment
    Compliance
    Lights-out
    Unattended

    C.I.A
    Conformity

    CISA2.ppt:

    Chapter 2
    IT Governance
    Chapter Overview
    Corporate Governance
    Monitoring and Assurance Practices for Board and Executive Management
    Information Systems Strategy
    Policies and Procedures
    Risk Management
    IS Management Practices
    IS Organization Structure and Responsibilities
    Auditing IT Governance Structure and Implementation
    Chapter Objective
    Ensure that the CISA candidate…

    "Understands and can provide assurance that the organization has the structure, policies, accountability mechanisms and monitoring practices in place to achieve the requirements of corporate governance of IT. "
    Chapter Summary
    15% of the CISA examination
    Around 30 questions

    Corporate Governance
    Defined as ethical corporate behavior by directors or others charged with governance in the creation and presentation of wealth for all stakeholders.
    Contents
    Objectives
    Means
    Monitoring
    Outputs
    Reduce the frequency of inaccurate financial reporting
    Provide greater transparency and accountability
    Monitoring and Assurance Practices for Board and Executive Management
    IT governance is concerned with two issues: that IT delivers value to the business and that IT risks are mitigated. The first is driven by strategic alignment for IT with the business. The second is driven by embedding accountability into the enterprise.
    IT governance is the responsibility of the board of directors and executive management.
    IT governance is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategy and objectives.
    A key element of IT governance is the alignment of business and IT
    The key IT governance practices are the IT strategy committee, risk management and the standard IT balanced scorecard
    Monitoring and Assurance Practices for Board and Executive Management
    Best Practices for IT Governance
    IT Strategy Committee
    Standard IT Balanced Scorecard
    Information Security Governance
    Enterprise Architecture

    Monitoring and Assurance Practices for Board and Executive Management
    Best Practices for IT Governance
    Audit Role in IT governance
    Helps ensure compliance with IT governance initiatives implemented within an organization.
    The following aspects related to IT governance need to be assessed:
    Alignment (between IT and organization)
    Performance (Effectiveness and Efficiency)
    Compliance (Legal, environmental…)
    The control environment of the organization
    The inherent risk within the IS environment

    Monitoring and Assurance Practices for Board and Executive Management
    IT Strategy Committee
    IT Strategy Committee is different from IT Steering Committee
    IT Strategy Committee
    Provides insight and advice to the board.
    IT value, risk, performance
    Focus on current and future strategic IT issues
    IT Steering Committee
    Decides the overall level of IT spending and how costs will be allocated.
    Focus on implementation
    Monitoring and Assurance Practices for Board and Executive Management
    Standard IT Balanced Scorecard
    The standard IT BSC covers the following aspects
    Traditional financial evaluation
    Customer satisfaction
    Internal (operational) processes
    Ability to innovate
    Optimum use of IT
    Three-layered structure is used in addressing the above perspectives:
    Mission
    Strategies
    Measures
    An effective means to aid the IT strategy committee and management in achieving IT and business alignment.
    Monitoring and Assurance Practices for Board and Executive Management
    Information Security Governance
    Information is more important than the IT systems that store and process it, or, data is more important than facilities
    Importance of information security governance
    Outcomes of security governance
    Strategic alignment
    Risk management
    Value delivery
    Resource management
    Performance measurement

  • CISA Review Questions, Answers & Explanations Manual 2008

    CISA Review Questions, Answers & Explanations Manual 2008.pdf, scanned copy download

  • 2008 CISA pre-exam overall review recording (half-day lecture), MP3 download

  • 2008 CISA pre-exam review handouts + recordings (chapters 1-3 review)

    The role of the IS internal audit should be established by an audit charter.
    The audit charter should be approved by the highest level of management and the audit committee.
    The internal audit function should report to an audit committee, or to the highest management level, such as the board of directors.
    The scope and objectives of external audit should be documented in a formal contract.
    Management of the IS Audit Function
    IS Audit Resource Management
    Competency of IS auditor
    Staff training plan
    Management of the IS Audit Function
    Audit Planning
    Annual Planning
    Short- and long-term planning
    Analysis of audit plan
    Reviewed by senior audit management
    Approved by the audit committee, or the board of directors
    Individual Audit Assignments
    Periodic risk assessments
    Changes in the application of technology
    Evolving privacy issues and regulatory requirements

  • May CISA intensive training handouts, part 1, PPT download

    Management of the IS Audit Function
    ISACA IS Auditing Standards and Guidelines
    Risk Analysis
    Internal Controls
    Performing an IS audit
    Control Self-assessment
    Emerging Changes in the IS Audit Process

    Effect of Laws and Regulations on IS Audit Planning
    How to determine an organization’s level of compliance with external requirements
    Identify those government or other relevant external requirements.
    Document pertinent laws and regulations
    Assess whether the management of the organization and the IS function have considered the relevant external requirements in making plans and in setting policies, standards and procedures
    Review internal IS department/function/activity documents that address adherence to laws applicable to the industry
    Determine adherence to established procedures that address these requirements
    Determine if there are procedures in place to ensure that contracts or agreements with external IT SP reflect any legal requirements related to responsibilities

  • 2006 CISA certification exam review series: Information Systems Audit Practice Manual, scanned copy

    2006 CISA certification exam review series, Information Systems Audit Practice Manual, scanned copy, in six chapters.

  • CISA 2006 question bank (725 questions)

    1. An IS auditor is reviewing access to an application to determine whether the 10 most recent "new user" forms were correctly authorized. This is an example of:
    A. variable sampling.
    B. substantive testing.
    C. compliance testing.
    D. stop-or-go sampling.
    The correct answer is: C.
    Explanation: Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values, such as dollar values. Substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.
    2. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?
    A. Inherent
    B. Detection
    C. Control
    D. Business
    The correct answer is: B.
    Explanation: Detection risks are directly affected by the auditor's selection of audit procedures and techniques. Inherent risks usually are not affected by the IS auditor. Control risks are controlled by the actions of the company's management. Business risks are not affected by the IS auditor.
    3. Senior management has requested that an IS auditor assist the departmental management in the implementation of necessary controls. The IS auditor should:
    A. refuse the assignment since it is not the role of the IS auditor.
    B. inform management of his/her inability to conduct future audits.
    C. perform the assignment and future audits with due professional care.
    D. obtain the approval of user management to perform the implementation and follow-up.
    The correct answer is: B.

  • CISA Questions And Answer 2005 exam materials

    A large collection of exam questions; DOC document, 289 pages.

    Question statistics:

    Section      Total
    Section 1       65
    Section 2       69
    Section 3       92
    Section 4      160
    Section 5       63
    Section 6      106
    Section 7       95
    Summary        650

    63. In a critical server, an IS auditor discovers a Trojan horse that was produced by a known virus that exploits a vulnerability of an operating system. Which of the following should an IS auditor do FIRST?
    A. Investigate the virus author.
    B. Analyze the operating system log.
    C. Ensure that the malicious code is removed.
    D. Install the patch that eliminates the vulnerability.

    The correct answer is:
    C. Ensure that the malicious code is removed.
    Explanation:
    The priority is safeguarding the system; therefore, the IS auditor should suggest corrective controls, i.e., remove the code. The IS auditor is not responsible for investigating the virus. The IS auditor may analyze the virus information and determine if it has affected the operating system, but this is an investigative task that would take place after ensuring that the malicious code has been removed. Installing the patch that eliminates the vulnerability should be done by technical support.

    64. Senior management has requested that an IS auditor assist the departmental management in the implementation of necessary controls. The IS auditor should:
    A. refuse the assignment since it is not the role of the IS auditor.
    B. inform management of his/her inability to conduct future audits.
    C. perform the assignment and future audits with due professional care.
    D. obtain the approval of user management to perform the implementation and follow-up.

    The correct answer is:
    B. inform management of his/her inability to conduct future audits.
    Explanation:
    In this situation the IS auditor should inform management of the impairment of independence in conducting further audits in the auditee area. An IS auditor can perform non-audit assignments where the IS auditor’s expertise can be of use to the management; however, by performing the non-audit assignment, the IS auditor cannot conduct the future audits of the auditee as his/her independence may be compromised. However, the independence of the IS auditor will not be impaired when suggesting/recommending controls to the auditee after the audit.

    65. Which of the following is the PRIMARY advantage of using computer forensic software for investigations?
    A. The preservation of the chain of custody for electronic evidence
    B. Time and cost savings
    C. Efficiency and effectiveness
    D. Ability to search for violations of intellectual property rights


  • CISA Questions And Answer 2006 exam materials

    A large collection of exam questions; DOC document, 258 pages.

    Area: 3
    141. Which of the following data validation edits could be used by a bank, to ensure the correctness of bank account numbers assigned to customers, thereby helping to avoid transposition and transcription errors?
    A. Sequence check
    B. Validity check
    C. Check digit
    D. Existence check

    The correct answer is:
    C. Check digit
    Explanation:
    A check digit is a mathematically calculated value that is added to data to ensure that the original data have not been altered. This helps in avoiding transposition and transcription errors. Thus, a check digit can be added to an account number to check for accuracy. Sequence checks ensure that a number follows sequentially and any out of sequence or duplicate control numbers are rejected or noted on an exception report. Validity checks and existence checks match data against predetermined criteria to ensure accuracy.

    Area: 3
    142. Which of the following types of testing would determine whether a new or modified system can operate in its target environment without adversely impacting other existing systems?
    A. Parallel testing
    B. Pilot testing
    C. Interface/integration testing
    D. Sociability testing

    The correct answer is:
    D. Sociability testing
    Explanation:
    The purpose of sociability testing is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover the platform that will perform primary application processing and interfaces with other systems, as well as changes to the desktop in a client-server or web development. Parallel testing is the process of feeding data into two systems—the modified system and an alternate system—and comparing the results. In this approach, the old and new systems operate concurrently for a period of time and perform the same processing functions. Pilot testing takes place first at one location and is then extended to other locations. The purpose is to see if the new system operates satisfactorily in one place before implementing it at other locations. Interface/integration testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure.

  • CISA Review Questions, Answers & Explanations Manual 2009 supplement

    CISA Review Questions, Answers & Explanations Manual 2009 supplement.pdf download; scanned PDF of the CISA review questions, answers and explanations manual, 2009 supplement.

  • May CISA intensive training handouts, part 3, PPT download

    Chapter 3
    Systems and Infrastructure Life Cycle Management

    Business Realization
    Project Management Structure
    Project Management Practices
    Business Application Development
    Alternative Application Development Approaches
    Alternative Forms of Software Project Organization
    Alternative Development Methods
    Infrastructure Development/Acquisition Practices
    Information Systems Maintenance Practices
    System Development Tools and Productivity Aids
    Process Improvement Practices
    Application Controls
    Auditing Application Controls
    Auditing Systems Development, Acquisition and Maintenance
    Business Application Systems

    Project Organizational Forms
    3 major forms of organizational alignment for project management can be observed:
    Influence project organization – the project manager has only a staff function without formal management authority
    Pure project organization – the project manager has formal authority over those taking part in the project
    Matrix project organization – management authority is shared between the project manager and the department heads
    Requests for major projects should be submitted to, and prioritized by, the IS steering committee.
    The project manager should be identified and appointed by the IS steering committee.

  • May CISA intensive training handouts, part 2, PPT download

    Chapter 2
    IT Governance

    Corporate Governance
    Monitoring and Assurance Practices for Board and Executive Management
    Information Systems Strategy
    Policies and Procedures
    Risk Management
    IS Management Practices
    IS Organization Structure and Responsibilities
    Auditing IT Governance Structure and Implementation

    IT governance is concerned with two issues: that IT delivers value to the business and that IT risks are mitigated. The first is driven by strategic alignment for IT with the business. The second is driven by embedding accountability into the enterprise.
    IT governance is the responsibility of the board of directors and executive management.
    IT governance is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategy and objectives.
    A key element of IT governance is the alignment of business and IT
    The key IT governance practices are the IT strategy committee, risk management and the standard IT balanced scorecard