CISA Domain 3 Information Systems Acquisition, Development and Implementation

March 29, 2011 by Kenneth Magee

It’s interesting to notice how ISACA is aligning itself with the International Organization for Standardization’s ISO/IEC 27002. The title for Domain 3 is Information Systems Acquisition, Development and Implementation, and the title for Section 12 of ISO/IEC 27002 is Information Systems Acquisition, Development and Maintenance.

There are 14 areas that you need to understand for Domain 3.

1) Business Realization

  • Know the difference between portfolio management and program management
  • Know the seven steps of benefit realization or benefits management (question might refer to either)

2) Project Management Structure

  • Know the three major forms of organizational alignment
  • Know three different ways to communicate during project initiation
  • Project objectives are aligned with what? Business objectives, of course
  • Know the roles and responsibilities for project steering committee, project sponsor, and quality assurance

3) Project Management Practices

  • Know the three elements of a project and the effect of increasing or decreasing one of the elements
  • Of the nine ways of project planning, concentrate on LOSC, FPA, CPM, GANTT, PERT and TBM

4) Business Application Development

  • What is the major risk of any software development project – final outcome does not meet all requirements.
  • Understand the eight phases of the traditional SDLC approach
  • In which phase does testing start
  • In which phase does security start (control specs)
  • In which phase does UAT occur
  • What should be in an RFP
  • What is software baselining and when does it occur
  • What is the auditor’s focus in SDLC
  • What’s an IDE
  • Know the difference between Unit Testing, Interface/Integration Testing, System Testing and Final Acceptance Testing
  • When is it the most, or least, expensive time to make changes (which phase for each condition)
  • What’s a structured walkthrough test, white box test, black box test, blue team, red team, yellow box testing and regression testing
  • In which phase does data conversion occur
  • Know the different types of cutover

5) Business Application Systems

  • Be able to define authentication and nonrepudiation
  • Know the difference between an RA and a CA
  • If you are your own CA, who does the CRL and what is the biggest issue?
  • In EDI, what does the communications handler do? What does the application interface do?
  • What is the biggest risk in EDI?
  • How do we get positive assurance in an EDI transaction world?
  • What is a digital signature when speaking of eMail?
  • What’s the objective of EMM and how do you audit eCash?
  • Don’t forget: Neural networks are —

6)     Alternative Forms of Software Project Organization

  • What is SCRUM
  • Know the difference between Incremental and Iterative development
  • Know the variants (Evolutionary, Spiral, Agile)
  • Speaking of which, what is AGILE DEV?
  • What is prototyping
  • What is RAD and JAD

7) Alternative Development Methods

  • What’s the major advantage of OOSD
  • What’s the advantage of component based development
  • What’s the difference between reengineering and reverse engineering

8) Infrastructure Development/Acquisition Practices

  • What are the phases of Physical architecture analysis and what happens during the functional requirement phase
  • What are the phases of “Planning the Implementation of Infrastructure” and know the details of each of the four phases.
  • Understand why change control procedures are critical in the acquisition process.

9) Information Systems Maintenance Practices

  • Why is change management important?
  • How should emergency changes be handled?
  • How do you audit for unauthorized changes?

10) System Development Tools and Productivity Aids

  • Care should be taken when using fourth-generation languages since some of them lack the lower level detail commands necessary to perform some of the more intense data operations.

11) Process Improvement Practices

  • Document the current existing baseline processes
  • Major concern of BPR is that key controls may be reengineered out of a process.
  • What does ISO 9126 define?
  • Why was CMM by SEI developed?
  • Need SPICE?

12) Application Controls

  • What are the objectives of Application Controls?
  • Batch header forms are what type of control? Who uses batch anyway?
  • There are two charts in this section. The first one is on Data Validation Edits and Controls and the second is on Data File Controls. You need to memorize both.
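As an added illustration (not part of the article or the review manual) of what those charts describe, the Python below reconciles a batch header’s control totals (record count, financial total, hash total) against its detail records and then applies field-level validation edits (check digit, range/limit, validity lookup) to each record. The sample batch, the mod-10 check-digit scheme and the amount limit are constructed assumptions, not values from the manual.

```python
from typing import List
# Constructed sample input (not from the review manual): a keyed batch header with the
# control totals the clerk computed, followed by the detail records it covers.
BATCH_HEADER = {"record_count": 3, "amount_total": 475.00, "acct_hash_total": 30348}
BATCH_RECORDS = [
    {"acct": "10116", "amount": 125.00, "dept": "SALES"},
    {"acct": "10124", "amount": 350.00, "dept": "SALES"},
    {"acct": "10108", "amount": 0.00, "dept": "OPS"},
]
VALID_DEPTS = {"SALES", "OPS", "HR"}  # lookup table for the validity/existence check
AMOUNT_LIMIT = 10_000.00              # limit-check threshold (an assumed policy value)

def check_digit_ok(acct: str) -> bool:
    """Check-digit edit: the last digit must validate the others under mod-10 (Luhn)."""
    if not acct.isdigit() or len(acct) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(acct[:-1])):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return (10 - total % 10) % 10 == int(acct[-1])

def batch_totals(records: List[dict]) -> dict:
    """Recompute the header's control totals from the detail (the hash total is a
    meaningless sum of account numbers that exists only to detect lost or altered records)."""
    return {"record_count": len(records),
            "amount_total": round(sum(r["amount"] for r in records), 2),
            "acct_hash_total": sum(int(r["acct"]) for r in records)}

def reconcile_batch(header: dict, records: List[dict]) -> List[str]:
    """Batch (input) control: report every header total that disagrees with the detail."""
    actual = batch_totals(records)
    return [f"{k}: header {header[k]} != detail {actual[k]}" for k in header if header[k] != actual[k]]

def validate_record(rec: dict) -> List[str]:
    """Field-level data validation edits applied to a single record."""
    failures = []
    if not check_digit_ok(rec["acct"]):
        failures.append("check digit")
    if not 0 < rec["amount"] <= AMOUNT_LIMIT:   # range check (> 0) and limit check
        failures.append("range/limit check")
    if rec["dept"] not in VALID_DEPTS:
        failures.append("validity check")
    return failures

def process_batch(header: dict, records: List[dict]) -> dict:
    """Batch reconciliation first, then per-record edits; both outcomes are returned."""
    rejected = {r["acct"]: f for r in records if (f := validate_record(r))}
    return {"batch_discrepancies": reconcile_batch(header, records), "rejected": rejected}
```

Note that the zero-amount third record passes the batch totals yet fails the range edit, and that dropping it would leave the financial total intact while the record count and hash total still catch the loss.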

13) Auditing Application Controls

  • There’s a chart on testing application systems in the review manual which enumerates several different techniques – memorize this chart
  • Know the difference between atomicity and consistency.
  • There are five types of automated evaluation techniques applicable to continuous online auditing.  These you’ll need to know, particularly: SCARF, ITF, CIS, snapshots and audit hooks.

14) Auditing Systems Development, Acquisition and Maintenance

  • What do you do if the development group is fast-tracking IV&V? Let the project steering committee know what the risks are, of course.

Ken is President and owner of Data Security Consultation and Training, LLC. He has taught cybersecurity at the JAG school at the University of Virginia, KPMG Advisory University, Microsoft and several major federal financial institutions and government agencies. As CISO for the Virginia Community College System, Ken’s focus was the standardization of security around the ISO 27000 series framework. Writing is one of his passions and he has authored and/or co-authored several courses, including CISSP, CISA, CISM, CGEIT, CRISC, DoD Cloud Computing SRG and a course for training Security Control Assessors using NIST SP 800-53A. Ken has also achieved a number of certifications, including CISSP, SSCP, CCSP, CAP, ISSMP, ISSAP, ISSEP, CISM, CISA, CAC, CEH, ISO9000LA, ISO14001LA, ISO27001PA, Security+, CySA+, CASP, CTT+, CPT, GSEC, GSNA, GWAPT, CIA, CGAP, CFE, MCP, MCSA, MCSE and MCT.