Information Systems & Controls (ISC) CPA Exam Study Guide

Frameworks & Regulations

NIST Frameworks

The National Institute of Standards and Technology provides key cybersecurity and privacy guidance.

Cybersecurity Framework (CSF) Core

Consists of 6 core functions for managing cybersecurity risks:

Govern: Establish and monitor the organization's cybersecurity risk management strategy.
Identify: Understand assets, business environment, and risks.
Protect: Implement safeguards and access control.
Detect: Monitor for and identify cybersecurity events.
Respond: Take action upon detecting an incident.
Recover: Restore systems and return to normal operations.

Implementation Tiers

Shows the effectiveness of organizational profiles.

Tier 1 (Partial): Least sophisticated; ad-hoc, reactive risk management.
Tier 2 (Risk-Informed): Aware of risks but management is not formalized.
Tier 3 (Repeatable): Formal, repeatable policies and procedures.
Tier 4 (Adaptive): Most sophisticated; proactive, continuous improvement based on incidents.

Framework Profiles

Profiles indicate a company's cybersecurity position.

Current Profile: Where the company is now.
Target Profile: Where the company wants to be.
Community Profile: Industry profile used to develop your own profile.

5-Step Approach to Create an Org Profile: Scope the Org Profile, gather info to prepare the profile, create the org profile, analyze gaps between current and target profiles to create an action plan, and implement the action plan.

NIST Privacy Framework

Addresses privacy risks with 5 core functions: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P. The concepts of Profiles (Current, Target, Community) and Implementation Tiers (1-4) function identically to the CSF.

NIST SP 800-53

Provides controls to protect information systems from sophisticated threats using three implementation approaches:

Common (Inheritable): Controls at the organizational level.
System-Specific: Controls at the information system level.
Hybrid: A mix of both organizational and system-level controls.

Key Data Regulations

GDPR (General Data Protection Regulation)

European Union law regulating data privacy. It applies to data processors based in the EU, and data processors not based in the EU but doing business in the EU.

Lawfulness, fairness, transparency: Process data legally.
Purpose limitation: Use data only for its intended purpose.
Data minimization: Store only necessary data.
Accuracy: Keep data updated.
Storage limitation: Store only as long as needed.
Integrity and Confidentiality: Process data securely.

Note on US & EU Data Transfers: Previous agreements such as Safe Harbor (2000-2015) and Privacy Shield (2016-2020) have been invalidated.

HIPAA & HITECH

HIPAA governs the privacy and security of Protected Health Information (PHI) to protect the healthcare industry.

Permitted Disclosures: To the individual; for treatment/payment/operations; with valid authorization; as a redacted dataset for research; or for public interest as allowed by law.
Covered Entities: Must ensure confidentiality, integrity, and availability of electronic PHI.
Safeguards: Requires Administrative (policies/people), Physical (places/devices), and Technical (technology) protections.

HITECH (Health Info Tech for Economic and Clinical Health): Requires that notices of a breach must be sent to impacted individuals.

Payment Card Industry (PCI DSS)

A framework with 6 goals and 12 requirements for protecting cardholder data, based on the PCI DSS v4.x Quick Reference Guide.

Goal	Example Requirements
Build and Maintain a Secure Network	Install and maintain a firewall; Do not use vendor-supplied defaults.
Protect Cardholder Data	Protect stored cardholder data; Encrypt data transmission.
Maintain a Vulnerability Management Program	Use and regularly update anti-virus software.
Implement Strong Access Control	Restrict access by need-to-know; Assign unique IDs to users.
Regularly Monitor and Test Networks	Track and monitor all access; Regularly test security systems.
Maintain an Information Security Policy	Maintain a policy that addresses information security for all personnel.

Governance & IT Controls

COBIT 2019 Framework

A framework developed by ISACA to implement best practices for the governance and management of enterprise Information and Technology.

Governance vs. Management

Governance evaluates, directs, and monitors (EDM). Management plans, builds, runs, and monitors daily administration.

Internal Stakeholders: Board of Directors (BoD), Management, Managers, etc.
External Stakeholders: Investors, regulators, business partners, etc.

COBIT Core Model Domains

Evaluate, Direct, and Monitor (EDM): Governance domain evaluating strategic objectives and directing management.
Align, Plan, and Organize (APO): Focuses on IT's overall strategy, organization, and supporting activities.
Build, Acquire, and Implement (BAI): Addresses acquiring and implementing IT solutions into business processes.
Deliver, Service, and Support (DSS): Addresses the daily delivery, service, and support of IT services.
Monitor, Evaluate, and Assess (MEA): Addresses IT conformance to the company's performance targets.

Governance System Principles

Six principles describing a good governance system:

Provide Stakeholder Value: Create value by balancing benefits and risks.
Holistic Approach: Use all components across the organization for strong governance.
Dynamic Governance System: Adapt to changing technologies, risks, and needs.
Governance Distinct From Management: Separate management and governance activities.
Tailored to Enterprise Needs: Models should be tailored to each company's specific requirements.
End-to-End Governance System: Cover all business processes, not just the IT department.

Design Factors & Focus Areas

11 Design Factors influence a tailored IT system: Enterprise Strategy, Enterprise Goals, Risk Profile, IT-Related Issues, Threat Landscape, Compliance Requirements, Role of IT, Sourcing Model, IT Implementation Methods, Enterprise Size, and Industry. Focus Areas highlight specific governance aspects needing special attention (e.g., cybersecurity, cloud computing).

COSO Frameworks

Guidance for internal controls, enterprise risk management, and fraud deterrence.

Internal Control Framework

Relates to policies and procedures ensuring management guidelines are applied and objectives achieved.

Control Environment: The overall control culture, covering board oversight, ethics, and retaining competent employees.
Risk Assessment: Identifying risks, considering potential fraud, and understanding changes impacting controls.
Information and Communication: Obtaining, generating, and controlling internal and external communication.
Monitoring Activities: Ongoing evaluations of control activities and communicating deficiencies.
Existing Control Activities: Policies implemented to mitigate risk (e.g., Logical and Physical Access Controls, System Operations, Change Management, Risk Mitigation).

Enterprise Risk Management (ERM) Framework

Integrates with strategy and performance.

Governance and Culture: Sets the organization's tone and reinforces risk oversight.
Strategy and Objective-Setting: Aligns risk appetite with strategy during planning.
Performance: Identifies, assesses, prioritizes, and responds to risks.
Review and Revision: Reviews performance over time and makes revisions.
Information, Communication, and Reporting: Continual process for sharing risk info.

Center for Internet Security (CIS) Controls

A prioritized set of 18 best practices to mitigate common cyber attacks, maintained by the Center for Internet Security.

Implementation Groups (IGs)

IG1 (Basic): Small/medium-sized org, limited cybersecurity defense.
IG2 (Foundational): Bigger org, sensitive data; includes IG1.
IG3 (Organizational): Biggest org, highly sensitive data; includes IG1 & IG2.

Controls 1-9 (Basic & Foundational)

Inventory & Control: Track all hardware (C1) and software (C2) to block unauthorized assets.
Data Protection: Securely manage, protect, and classify data based on sensitivity (C3).
Secure Configuration: "Harden" configurations of systems and software to reduce vulnerabilities (C4).
Account & Access Control Management: Manage credentials (C5) and ensure users only have access necessary for their duties (C6).
Continuous Vulnerability Management: Continuously scan and remediate infrastructure vulnerabilities (C7).
Audit Log Management: Establish log management (C8) for system logs, audit logs, and event logs.
Email & Web Browser Protections: Protect against cybercrimes via email or internet by engaging employees (C9).

Controls 10-18 (Operational & Organizational)

Malware Defenses: Prevent installation and propagation of malware across network (C10).
Data Recovery: Establish processes to restore data to a pre-incident state (C11).
Network Infrastructure Management: Secure infrastructure like firewalls and routers (C12).
Network Monitoring: Defend infrastructure against internal/external threats (C13).
Security Awareness: Provide skills training to employees to reduce risk (C14).
Service Provider Management: Evaluate third-party providers with access to sensitive data (C15).
Application Software Security: Identify and fix vulnerabilities throughout the software lifecycle (C16).
Incident Response: Establish a program to detect, respond, and prepare for attacks (C17).
Penetration Testing: Simulate attacks to find and exploit weaknesses (C18).

System and Organization Controls (SOC) Framework

SOC reports provide assurance over the controls at a service organization for a user entity.

Report	Subject Matter & Focus	Primary Audience
SOC 1	Focuses on the user entity's Internal Control over Financial Reporting (ICFR).	Management of the user entity and their independent auditors.
SOC 2	Focuses on the Trust Services Criteria (TSC).	Knowledgeable users familiar with the service organization, agreed upon by management.
SOC 3	Provides assurance based on TSC but lacks detailed system details or test results.	General public; intended for users lacking technical understanding.
SOC for Cybersecurity	Examines an entity's organization-wide cybersecurity risk management program and controls.	General use for stakeholders evaluating cybersecurity posture.
SOC for Supply Chain	Examines controls over security, availability, processing integrity, confidentiality, or privacy within supply chain systems.	Business partners and customers in the supply chain.

Trust Services Criteria (TSC)

Security (Common Criteria): No additional criteria; Common Criteria alone is suitable.
Availability: Ensure systems are continuously available by maintaining capacity, responding to threats, and having tested recovery plans.
Processing Integrity: Ensure quality information supports objectives via completeness/accuracy controls.
Confidentiality: Ensure confidential information is handled appropriately.
Privacy: Ensure personal data is collected with consent, used appropriately, and records are maintained.

Report Types: Type 1 vs. Type 2

Type 1 Report: Evaluates fairness of system description and suitability of control design at a given point in time.
Type 2 Report: Evaluates fairness of description and both the design and operating effectiveness of controls over a period of time. SOC 3 is ALWAYS a Type 2 report.

Subservice Organizations & User Entities

Complementary Subservice Organization Controls (CSOCs): Controls a vendor must execute for the primary service organization's controls to function. Can be reported via the Inclusive Method (controls included/tested) or the Carve-Out Method (controls excluded from scope).
Complementary User Entity Controls (CUECs): Controls the user entity must implement (e.g., physical access controls, authorization policies) alongside the service organization's controls. Disclosures are REQUIRED in SOC 1 & 2 system descriptions.

SOC Engagements: Reporting & Auditing

Auditor Independence & Management Assertions

Independence: Service auditor must be independent of the service organization. If a subservice organization is presented inclusively, independence is required for it as well.
Management's Assertion: Written assertions confirming the system description is fair, controls were suitably designed, and (for Type 2) operated effectively.

Materiality & Misstatements

Materiality: In SOC 1, relates to fair presentation of the description, not user financial statements. In SOC 2, relates to risks affecting service commitments.
Description Misstatement: Errors or omissions in the system description.
Deficiency in Design: A necessary control is missing or improperly designed.
Deficiency in Operating Effectiveness: A properly designed control fails to operate as intended, or the person lacks competency.

Reasons for Opinion Modification

An auditor modifies their opinion if they are unable to obtain sufficient evidence or if the subject matter is not in accordance with criteria.

Qualified: "Except for" specified issues, the report is fairly presented.
Adverse: Material and pervasive misstatements or deficiencies exist.
Disclaimer: Auditor does not express an opinion (e.g., due to lack of independence).

Subsequent Events

Events after the engagement period but before the report date.

Requiring Disclosure: IT director granting improper access, confidentiality breaches, or forged signatures.
Generally No Disclosure: Natural disasters or acquisitions occurring after the period.
Representation Letter: A SOC report CANNOT be issued until this letter is received from management.

System Development & Change Management

Controls to ensure changes to applications and infrastructure are authorized, tested, and approved, mitigating the risk of unauthorized modifications.

Environments & Testing

Systems must progress through segregated environments to ensure stability (Development -> Staging/Test -> Production).

Unit Testing: Testing individual functions or components in isolation.
Integration Testing: Verifying that different modules work together correctly.
System Testing: Evaluating the complete, integrated system's compliance with requirements.
User Acceptance Testing (UAT): Final validation by end-users before going live.

Development Methodologies

Waterfall: A rigid, sequential approach where phases are completed one after another.
Agile: An iterative approach focusing on flexibility and short development cycles (sprints).
CI/CD (Continuous Integration / Continuous Deployment): Automated pipelines that build, test, and deploy code changes quickly and safely.

System Conversion Approaches

Direct (Cutover): Turn off the old system, turn on the new (High risk).
Parallel: Run both simultaneously for a period (Low risk, high cost).
Phased: Implement in modules or stages over time.
Pilot: Implement fully for a small, select group of users first.

IT Infrastructure & Operations

Core Network Hardware

The fundamental physical and virtual devices that enable network connectivity and communication.

Routers: Manage network traffic by connecting different devices to form a network. They act as a link between a modem and the organization's switches.
Switches: Connect and divide devices within a single computer network, essentially turning one network jack into several.
Firewalls: Protect a network by filtering incoming and outgoing traffic through security protocols with predefined rules.
Gateways: Act as an intermediary between different networks by transforming data from one protocol into another.

Network Topologies & OSI Model

Network Topologies

The physical layout or arrangement of equipment (nodes) in a network.

Star: Data passes through a central hub or switch. If a hub fails, only the nodes connected to it stop working.
Mesh: Features numerous connections between nodes, promoting network stability if one node is damaged, but can be costly to implement.
Ring: Nodes are connected in a circular path. This can result in very slow network performance.
Bus: Nodes are connected to a single line/cable. If the central line is compromised, the entire network goes offline.

OSI 7-Layer Model

A conceptual framework developed by ISO that segregates network functions into seven different layers to explain how devices communicate.

Layer 7 (Application): Interface between user applications and the network.
Layer 6 (Presentation): Transforms data into a format that other devices can interpret.
Layer 5 (Session): Establishes and maintains sessions between devices.
Layer 4 (Transport): Controls communication connections between devices.
Layer 3 (Network): Adds routing and addressing headers to data.
Layer 2 (Data Link): Formats data packets for transmission.
Layer 1 (Physical): Converts messages into bits for physical transmission.

Cloud Computing

The delivery of computing services over the internet. According to the COSO ERM for Cloud Computing guidance, while management can outsource IT operations to a Cloud Service Provider (CSP), they cannot outsource the responsibility for the governance and risk management of their data.

Cloud Service Models (Shared Responsibility)

Model	Provider Responsibilities	Customer Responsibilities
IaaS (Infrastructure)	Physical data center, servers, network, storage hardware.	Operating systems, applications, data, access controls.
PaaS (Platform)	IaaS + Operating systems, middleware, runtime environments.	Applications, data, user access.
SaaS (Software)	PaaS + The application itself and its functionality.	Data classification, user access/authorization.

Deployment Models

Public: Owned and managed by a CSP and made available to multiple organizations over the public internet.
Private: Created for a single organization and exists on or off the organization's premises.
Hybrid: Composed of two or more clouds (e.g., one private, one public) enabling data portability between them.

Testing IT Controls & Walkthroughs

Procedures used by practitioners to assess the design and operating effectiveness of IT controls, heavily utilized in SOC engagements.

Walkthroughs

Tracing a transaction from its origination through the information system to its final reporting. This helps the practitioner:

Confirm their understanding of the documented process flow (e.g., flowcharts, narratives).
Identify points where a material misstatement or control failure could occur.
Verify that controls have been implemented as designed.

Testing Operating Effectiveness

Technique	Description & Reliability
Inquiry	Asking personnel about control execution. (Least reliable on its own; must be corroborated).
Observation	Watching personnel perform the control. (Only provides evidence for the specific moment it is observed).
Inspection	Examining documents, logs, or system configurations to verify the control occurred (e.g., reviewing a system-generated audit log).
Reperformance	The auditor independently executes the control to verify the outcome matches the client's result. (Most reliable).

Evaluating Deviations

When testing reveals an exception, the practitioner must analyze the deviation to determine if it constitutes a deficiency in the suitability of design (the control is missing or flawed) or a deviation in the operating effectiveness (the control was not applied consistently or correctly by personnel).

Security & Risk Management

Cyberattacks & Threat Intelligence

Stages of a Cyber-Attack (Cyber Kill Chain)

                            flowchart LR
                                A[Reconnaissance] --> B[Gaining Access]
                                B --> C[Escalation of Privileges]
                                C --> D[Maintaining Access]
                                D --> E[Network Exploitation]
                                E --> F[Covering Tracks]

Network & Application Attacks

Denial-of-Service (DoS/DDoS): Flooding a network with excessive requests so it becomes unavailable to legitimate users.
Ransomware: Malware that encrypts an organization's systems or data, demanding payment for the decryption key.
Cross-Site Scripting (XSS): Injecting malicious scripts into web pages viewed by other users.
SQL Injection: Injecting malicious SQL code into input fields to gain unauthorized database access.
Buffer Overflow: Overloading a program's memory buffer to overwrite adjacent memory, potentially executing malicious code.

Social Engineering

Phishing: Using deceptive emails or messages to trick users into revealing sensitive information.
Business Email Compromise (BEC)/Whaling: Phishing that specifically targets high-ranking executives.

Mobile & IoT Threats

Internet of Things (IoT): Connected smart devices often lack built-in security, use default passwords, and have unpatchable firmware, making them easy targets to hijack for DDoS botnets.
Mobile & BYOD: "Bring-Your-Own-Device" policies increase the risk of data leakage, lost/stolen hardware, and interception via unsecured public Wi-Fi. Mitigated via Mobile Device Management (MDM) software and Acceptable Use Policies.

Defensive Security Concepts

Zero Trust

A security model that eliminates implicit trust by requiring continuous verification for all users and devices, assuming the network is always at risk. It focuses on users, assets, and resources in real time to determine access.

Least Privilege & Need-to-Know

Least Privilege: Focuses on the minimum level of access and permissions a user needs to perform their job role.
Need-to-Know: Focuses on the specific data a user needs to perform their job, which is more granular than least privilege.

System Hardening

A comprehensive security approach that reduces risk by minimizing the number of access points (attack vectors) through which a company can be attacked.

Defense-in-Depth

A multilayered security strategy that combines people, policies, and technology. It uses redundant controls to ensure that a failure in one layer does not compromise the entire system.

Data Encryption & Authentication

Data Encryption Types

Symmetric Encryption: Uses a single, shared private key for both encrypting and decrypting data. It is fast but does not facilitate non-repudiation.
Asymmetric (Public Key) Encryption: Uses two keys, a public key to encrypt the message and a private key to decrypt it. This method is slower but foundational for digital signatures.
Hashing vs. Encryption: Hashing is a one-way process that converts a message into a fixed-length value to ensure data integrity. Encryption is a two-way process used to ensure confidentiality.

Authentication Methods

Multifactor Authentication (MFA): A technique that uses two or more factors to validate someone's identity.
Biometrics: A method that uses unique physical characteristics like fingerprints, eye scans, or facial recognition for identification.
Smart Cards: Plastic cards containing a microprocessor that can process data or act as a certificate to authenticate a user.

Incident Response Plan (IRP) Lifecycle

A formal plan for responding to security incidents.

Preparation: Establishing the tools, roles, and training needed.
Detection & Analysis: Identifying an incident has occurred.
Containment: Isolating the affected systems to prevent further damage.
Eradication: Removing the threat from the environment.
Recovery: Restoring systems to normal operation.
Reporting: Communicating incident details to relevant stakeholders.
Lessons Learned (Post-Incident): Reviewing the response to make improvements.

Business Resiliency & Disaster Recovery

Core Concepts

Business Resiliency: Ability to continue or quickly return to operations after a disruption.
Business Continuity (BCP): Focuses on keeping business operational during a disaster.
Disaster Recovery (DRP): Focuses on restoring IT infrastructure after a disaster.

Recovery Sites

Site Type	Description	Cost
Hot Site	Fully equipped and ready to operate immediately.	Most Expensive
Warm Site	Has hardware but may lack full processing capabilities.	Moderate
Cold Site	Has space and infrastructure but no equipment.	Cheapest

Key Metrics

RTO (Recovery Time Objective): The target time to restore business operations.
RPO (Recovery Point Objective): The maximum acceptable amount of data loss.
MTD (Maximum Tolerable Downtime): The longest an outage can last without causing significant damage.

Data Management & Repositories

Data Life Cycle & Repositories

The sequence data goes through from creation to final disposition.

Data Life Cycle Stages

Stage	Explanation
1. Definition	Identifying the business need, defining data requirements, and establishing governance policies.
2. Capture / Creation	Generating new data internally or acquiring it from external sources.
3. Preparation / Cleaning	Transforming, standardizing, and cleansing data to ensure accuracy and quality.
4. Synthesis	Integrating and combining data from multiple sources to create a unified dataset.
5. Analytics & Usage	Analyzing the data to extract insights, generate reports, and support decision-making.
6. Publication	Distributing the final data products, reports, or dashboards to stakeholders.
7. Archival	Moving inactive data to secure, long-term storage for compliance and historical reference.
8. Purging	Securely and permanently destroying data at the end of its required retention period.

Data Repositories & Schemas

Concept	Description
Data Lake	Stores vast amounts of raw data, both structured and unstructured.
Data Warehouse	Central repository of structured, organized data for reporting and analysis.
Data Mart	A subset of a data warehouse focused on a specific business line.
Star Schema	A centralized fact table connected to multiple dimension tables. Optimized for fast query reading.
Snowflake Schema	An extension of the star schema where dimension tables are normalized into multiple related tables to save space.

Relational Database Normalization

Form	Rule / Requirement
1NF	Each cell holds a single value, and each record has a unique Primary Key.
2NF	All non-key attributes depend on the entire composite primary key.
3NF	All attributes depend only on the primary key, not other non-key attributes.

Structured Query Language (SQL)

A standardized programming language used to extract, manage, and manipulate data within a relational database.

Category	Common Examples & Functions
Commands & Clauses	`SELECT` (retrieve data), `FROM` (specify table), `WHERE` (filter rows), `JOIN` (combine tables), `GROUP BY` (group rows).
Operators	`=`, `<>`, `>`, `AND`, `OR`, `IN`, `LIKE`.
Aggregate Functions	`COUNT()`, `SUM()`, `AVG()`, `MIN()`, `MAX()`.
String Functions	`CONCAT()`, `SUBSTRING()`, `TRIM()`, `UPPER()`.

Accounting Systems & Emerging Tech

AIS & ERP Systems

Enterprise Resource Planning (ERP)

A cross-functional system that supports different business functions and integrates information from across departments (accounting, finance, HR) into a centralized database.

Accounting Information Systems (AIS)

The system that collects, records, stores, and compiles accounting information using accounting rules to report financial and nonfinancial information to decision makers.

AIS Subsystems

Transaction Processing System (TPS): Converts economic events into financial transactions (e.g., journal entries) and supports daily operations.
Financial Reporting System (FRS): Aggregates daily financial information from the TPS and other sources to enable timely financial reporting.
Management Reporting System (MRS): Provides internal financial information to solve daily business problems, such as for budgeting and variance analysis.

Emerging Tech & Blockchain

Technologies for Process Improvement

Robotic Process Automation (RPA): The use of software programs ("bots") capable of extracting information from a user interface and initiating further processes, designed to automate repetitive, rules-based tasks.
Blockchain: A decentralized, distributed ledger that records transactions into immutable (unchangeable) blocks, ensuring strong record integrity.

The COSO Internal Control Framework can be applied to blockchain by assessing risks in the IT environment (e.g., smart contract flaws, consensus mechanism vulnerabilities) and implementing specific control activities, like strict private key management and logical access controls, to ensure the reliability of financial reporting.