Information Systems & Controls (ISC) Cheat Sheet

Our Information Systems and Controls (ISC) CPA Exam cheat sheet is designed to simplify the complexities of IT governance and data management for test-day success. This guide focuses on exactly what you need to pass, delivering clear explanations of heavily tested topics in cybersecurity, IT audits, and information security. Key concepts, such as understanding SOC reports, and critical frameworks such as COBIT are broken down, providing the essential knowledge you need to pass the ISC exam with confidence.

Frameworks & Regulations

NIST Frameworks

The National Institute of Standards and Technology provides key cybersecurity and privacy guidance.

Cybersecurity Framework (CSF) Core

Consists of 6 core functions for managing cybersecurity risks:

  • Govern: Establish and monitor the organization's cybersecurity risk management strategy.
  • Identify: Understand assets, business environment, and risks.
  • Protect: Implement safeguards and access control.
  • Detect: Monitor for and identify cybersecurity events.
  • Respond: Take action upon detecting an incident.
  • Recover: Restore systems and return to normal operations.

Implementation Tiers

Tiers describe the rigor and effectiveness of the organization's cybersecurity risk management practices, as reflected in its profiles.

  • Tier 1 (Partial): Least sophisticated; ad-hoc, reactive risk management.
  • Tier 2 (Risk-Informed): Aware of risks but management is not formalized.
  • Tier 3 (Repeatable): Formal, repeatable policies and procedures.
  • Tier 4 (Adaptive): Most sophisticated; proactive, continuous improvement based on incidents.

Framework Profiles

Profiles indicate a company's cybersecurity position.

  • Current Profile: Where the company is now.
  • Target Profile: Where the company wants to be.
  • Community Profile: Industry profile used to develop your own profile.

5-Step Approach to Create an Org Profile:

  1. Scope the Org Profile.
  2. Gather the information needed to prepare the profile.
  3. Create the Org Profile.
  4. Analyze gaps between the Current and Target Profiles to create an action plan.
  5. Implement the action plan.

NIST Privacy Framework

Addresses privacy risks with 8 core functions: Govern, Identify, Control, Communicate, Protect, Detect, Respond, and Recover. Profiles and Tiers are the same as the CSF.

NIST SP 800-53

Provides controls to protect information systems from sophisticated threats using three implementation approaches:

  • Common (Inheritable): Controls at the organizational level.
  • System-Specific: Controls at the information system level.
  • Hybrid: A mix of both organizational and system-level controls.

Key Data Regulations

GDPR (General Data Protection Regulation)

European Union law regulating data privacy. It applies to data processors based in the EU and to data processors outside the EU that do business in the EU.

  • Lawfulness, fairness, transparency: Process data legally.
  • Purpose limitation: Use data only for its intended purpose.
  • Data minimization: Store only necessary data.
  • Accuracy: Keep data updated.
  • Storage limitation: Store only as long as needed.
  • Integrity and Confidentiality: Process data securely.

Note on US & EU Data Transfers: Previous agreements such as Safe Harbor (2000-2015) and Privacy Shield (2016-2020) have been invalidated.

HIPAA & HITECH

HIPAA governs the privacy and security of Protected Health Information (PHI) to protect the healthcare industry.

  • Permitted Disclosures: To the individual; for treatment/payment/operations; with valid authorization; as a redacted dataset for research; or for public interest as allowed by law.
  • Covered Entities: Must ensure confidentiality, integrity, and availability of electronic PHI.
  • Safeguards: Requires Administrative (policies/people), Physical (places/devices), and Technical (technology) protections.

HITECH (Health Info Tech for Economic and Clinical Health): Requires that notices of a breach must be sent to impacted individuals.

Payment Card Industry (PCI DSS)

A framework with 6 goals and 12 requirements for protecting cardholder data, based on the PCI DSS v4.x Quick Reference Guide.

Goals, with example requirements for each:

  • Build and Maintain a Secure Network: Install and maintain a firewall; do not use vendor-supplied defaults.
  • Protect Cardholder Data: Protect stored cardholder data; encrypt data transmission.
  • Maintain a Vulnerability Management Program: Use and regularly update anti-virus software.
  • Implement Strong Access Control: Restrict access by need-to-know; assign unique IDs to users.
  • Regularly Monitor and Test Networks: Track and monitor all access; regularly test security systems.
  • Maintain an Information Security Policy: Maintain a policy that addresses information security for all personnel.

Governance & IT Controls

COBIT 2019 Framework

A framework developed by ISACA to implement best practices for the governance and management of enterprise Information and Technology.

Governance vs. Management

Governance evaluates, directs, and monitors (EDM). Management plans, builds, runs, and monitors daily administration.

  • Internal Stakeholders: Board of Directors (BoD), Management, Managers, etc.
  • External Stakeholders: Investors, regulators, business partners, etc.

COBIT Core Model Domains

  • Evaluate, Direct, and Monitor (EDM): Governance domain evaluating strategic objectives and directing management.
  • Align, Plan, and Organize (APO): Focuses on IT's overall strategy, organization, and supporting activities.
  • Build, Acquire, and Implement (BAI): Addresses acquiring and implementing IT solutions into business processes.
  • Deliver, Service, and Support (DSS): Addresses the daily delivery, service, and support of IT services.
  • Monitor, Evaluate, and Assess (MEA): Addresses IT conformance to the company's performance targets.

Governance System Principles

Six principles describing a good governance system:

  1. Provide Stakeholder Value: Create value by balancing benefits and risks.
  2. Holistic Approach: Use all components across the organization for strong governance.
  3. Dynamic Governance System: Adapt to changing technologies, risks, and needs.
  4. Governance Distinct From Management: Separate management and governance activities.
  5. Tailored to Enterprise Needs: Models should be tailored to each company's specific requirements.
  6. End-to-End Governance System: Cover all business processes, not just the IT department.

Design Factors & Focus Areas

11 Design Factors influence a tailored IT system: Enterprise Strategy, Enterprise Goals, Risk Profile, IT-Related Issues, Threat Landscape, Compliance Requirements, Role of IT, Sourcing Model, IT Implementation Methods, Enterprise Size, and Industry. Focus Areas highlight specific governance aspects needing special attention (e.g., cybersecurity, cloud computing).

COSO Frameworks

Guidance for internal controls, enterprise risk management, and fraud deterrence.

Internal Control Framework

Relates to policies and procedures ensuring management guidelines are applied and objectives achieved.

  • Control Environment: The overall control culture, covering board oversight, ethics, and retaining competent employees.
  • Risk Assessment: Identifying risks, considering potential fraud, and understanding changes impacting controls.
  • Information and Communication: Obtaining, generating, and controlling internal and external communication.
  • Monitoring Activities: Ongoing evaluations of control activities and communicating deficiencies.
  • Control Activities: Policies and procedures implemented to mitigate risk (e.g., Logical and Physical Access Controls, System Operations, Change Management, Risk Mitigation).

Enterprise Risk Management (ERM) Framework

Integrates with strategy and performance.

  • Governance and Culture: Sets the organization's tone and reinforces risk oversight.
  • Strategy and Objective-Setting: Aligns risk appetite with strategy during planning.
  • Performance: Identifies, assesses, prioritizes, and responds to risks.
  • Review and Revision: Reviews performance over time and makes revisions.
  • Information, Communication, and Reporting: Continual process for sharing risk info.

Center for Internet Security (CIS) Controls

A prioritized set of 18 best practices to mitigate common cyber attacks, maintained by the Center for Internet Security.

Implementation Groups (IGs)

  • IG1 (Basic): Small/medium-sized org, limited cybersecurity defense.
  • IG2 (Foundational): Bigger org, sensitive data; includes IG1.
  • IG3 (Organizational): Biggest org, highly sensitive data; includes IG1 & IG2.

Controls 1-9 (Basic & Foundational)

  • Inventory & Control: Track all hardware (C1) and software (C2) to block unauthorized assets.
  • Data Protection: Securely manage, protect, and classify data based on sensitivity (C3).
  • Secure Configuration: "Harden" configurations of systems and software to reduce vulnerabilities (C4).
  • Account & Access Control Management: Manage credentials (C5) and ensure users only have access necessary for their duties (C6).
  • Continuous Vulnerability Management: Continuously scan and remediate infrastructure vulnerabilities (C7).
  • Audit Log Management: Establish log management (C8) for system logs, audit logs, and event logs.
  • Email & Web Browser Protections: Protect against cybercrimes via email or internet by engaging employees (C9).

Controls 10-18 (Operational & Organizational)

  • Malware Defenses: Prevent installation and propagation of malware across network (C10).
  • Data Recovery: Establish processes to restore data to a pre-incident state (C11).
  • Network Infrastructure Management: Secure infrastructure like firewalls and routers (C12).
  • Network Monitoring: Defend infrastructure against internal/external threats (C13).
  • Security Awareness: Provide skills training to employees to reduce risk (C14).
  • Service Provider Management: Evaluate third-party providers with access to sensitive data (C15).
  • Application Software Security: Identify and fix vulnerabilities throughout the software lifecycle (C16).
  • Incident Response: Establish a program to detect, respond, and prepare for attacks (C17).
  • Penetration Testing: Simulate attacks to find and exploit weaknesses (C18).

System and Organization Controls (SOC) Framework

SOC reports provide assurance over the controls at a service organization for a user entity.

Report types, their subject matter and focus, and their primary audience:

  • SOC 1: Focuses on the user entity's Internal Control over Financial Reporting (ICFR). Primary audience: management of the user entity and their independent auditors.
  • SOC 2: Focuses on the Trust Services Criteria (TSC). Primary audience: knowledgeable users familiar with the service organization, agreed upon by management.
  • SOC 3: Provides assurance based on the TSC but lacks detailed system descriptions or test results. Primary audience: the general public; intended for users lacking technical understanding.
  • SOC for Cybersecurity: Examines an entity's organization-wide cybersecurity risk management program and controls. Primary audience: general use by stakeholders evaluating cybersecurity posture.
  • SOC for Supply Chain: Examines controls over security, availability, processing integrity, confidentiality, or privacy within supply chain systems. Primary audience: business partners and customers in the supply chain.

Trust Services Criteria (TSC)

  • Security (Common Criteria): No additional criteria; Common Criteria alone is suitable.
  • Availability: Ensure systems are continuously available by maintaining capacity, responding to threats, and having tested recovery plans.
  • Processing Integrity: Ensure quality information supports objectives via completeness/accuracy controls.
  • Confidentiality: Ensure confidential information is handled appropriately.
  • Privacy: Ensure personal data is collected with consent, used appropriately, and records are maintained.

Report Types: Type 1 vs. Type 2

  • Type 1 Report: Evaluates fairness of system description and suitability of control design at a given point in time.
  • Type 2 Report: Evaluates fairness of description and both the design and operating effectiveness of controls over a period of time. SOC 3 is ALWAYS a Type 2 report.

Subservice Organizations & User Entities

  • Complementary Subservice Organization Controls (CSOCs): Controls a vendor must execute for the primary service organization's controls to function. Can be reported via the Inclusive Method (controls included/tested) or the Carve-Out Method (controls excluded from scope).
  • Complementary User Entity Controls (CUECs): Controls the user entity must implement (e.g., physical access controls, authorization policies) alongside the service organization's controls. Disclosures are REQUIRED in SOC 1 & 2 system descriptions.

SOC Engagements: Reporting & Auditing

Auditor Independence & Management Assertions

  • Independence: Service auditor must be independent of the service organization. If a subservice organization is presented inclusively, independence is required for it as well.
  • Management's Assertion: Written assertions confirming the system description is fair, controls were suitably designed, and (for Type 2) operated effectively.

Materiality & Misstatements

  • Materiality: In SOC 1, relates to fair presentation of the description, not user financial statements. In SOC 2, relates to risks affecting service commitments.
  • Description Misstatement: Errors or omissions in the system description.
  • Deficiency in Design: A necessary control is missing or improperly designed.
  • Deficiency in Operating Effectiveness: A properly designed control fails to operate as intended, or the person performing it lacks the competence to carry it out.

Reasons for Opinion Modification

An auditor modifies their opinion if they are unable to obtain sufficient evidence or if the subject matter is not in accordance with criteria.

  • Qualified: "Except for" specified issues, the report is fairly presented.
  • Adverse: Material and pervasive misstatements or deficiencies exist.
  • Disclaimer: Auditor does not express an opinion (e.g., due to lack of independence).

Subsequent Events

Events after the engagement period but before the report date.

  • Requiring Disclosure: IT director granting improper access, confidentiality breaches, or forged signatures.
  • Generally No Disclosure: Natural disasters or acquisitions occurring after the period.
  • Representation Letter: A SOC report CANNOT be issued until this letter is received from management.

IT General Controls (ITGCs) & Change Management

ITGCs are foundational controls applying to the overall IT environment, including all systems, applications, and data.

1. Change Management Controls

Controls to ensure changes to applications and infrastructure are authorized, tested, and approved.

  • Development Methodologies: Waterfall is a rigid, linear approach where phases must be completed sequentially. Agile is an iterative approach focusing on flexibility, short cycles (sprints), and continuous feedback.
  • Tools & Testing: Use version control, build automation, and testing tools for CI/CD processes. Test the design of change control policies including acceptance criteria and separation of duties.
  • System Conversion Methods:
    • Direct: Turn off old system, turn on new (High risk).
    • Parallel: Run both simultaneously for a period (Low risk, high effort).
    • Phased: Implement in modules or stages.
    • Pilot: Implement fully for a small user group first.
  • Patch Management: Prioritizing, scheduling, validating, and testing patches for stability.

2. Logical Access Controls

Ensuring only authorized individuals can access systems and data (least privilege).

  • User Provisioning: Formal process for creating accounts based on documented approval.
  • Authentication & Authorization: Verifying identity and granting specific permissions based on job function.
  • Periodic Reviews & De-provisioning: Regularly recertifying user access and timely removal upon termination/transfer.

3. IT Operations Controls

Controls regarding the day-to-day functioning of the IT department.

  • Job Scheduling: Controls over automated processes (batch jobs) to ensure timely completion.
  • Problem and Incident Management: Formal process for logging, tracking, and resolving system issues.
  • System Backups:
    • Full: Exact copy of the entire database.
    • Incremental: Copies data changed since the last backup (fast to create, slow to restore).
    • Differential: Copies changes made since the last full backup.
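The three backup strategies above differ mainly in how much is written each day and how many pieces a restore must replay. The following simulation is an added illustration, not part of the original cheat sheet; the file names, sizes and daily change sets are constructed sample data.

```python
"""Simulation of full, incremental and differential backup strategies.

Added illustration for the System Backups bullets above; it is not part of
the original cheat sheet. File names, sizes and daily change sets are
constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: file sizes in MB, and which files change each day.
# Day 0 is the initial full backup of every file under every strategy.
ALL_FILES = {"ledger": 500, "payroll": 200, "invoices": 300, "config": 5}
DAILY_CHANGES = [
    {"ledger"},              # day 1
    {"invoices", "config"},  # day 2
    {"ledger", "payroll"},   # day 3
    {"config"},              # day 4
]


@dataclass
class Backup:
    day: int
    kind: str                 # "full", "incremental" or "differential"
    contents: dict[str, int]  # file -> version number captured that day

    def size_mb(self) -> int:
        return sum(ALL_FILES[f] for f in self.contents)


def run_strategy(kind: str) -> tuple[list[Backup], dict[str, int]]:
    """Create one backup per day under the given strategy and return the
    backup set together with the true final version of every file."""
    versions = {f: 0 for f in ALL_FILES}
    backups = [Backup(0, "full", dict(versions))]
    changed_since_full: set[str] = set()
    for day, changes in enumerate(DAILY_CHANGES, start=1):
        for f in changes:
            versions[f] += 1
        if kind == "full":
            captured = set(ALL_FILES)           # everything, every day
        elif kind == "incremental":
            captured = changes                  # only since the previous backup
        elif kind == "differential":
            changed_since_full |= changes       # everything since the last full
            captured = changed_since_full
        else:
            raise ValueError(f"unknown strategy: {kind}")
        backups.append(Backup(day, kind, {f: versions[f] for f in captured}))
    return backups, versions


def restore_chain(backups: list[Backup]) -> list[Backup]:
    """The backups that must be applied, in order, to rebuild the latest state."""
    latest = backups[-1]
    if latest.kind == "full":
        return [latest]
    last_full = max((b for b in backups if b.kind == "full"), key=lambda b: b.day)
    if latest.kind == "differential":
        return [last_full, latest]           # two pieces, regardless of age
    # Incremental: the full plus every incremental taken after it.
    return [last_full] + [b for b in backups if b.day > last_full.day]


def restore(chain: list[Backup]) -> dict[str, int]:
    """Replay the chain; later backups overwrite earlier versions."""
    state: dict[str, int] = {}
    for b in chain:
        state.update(b.contents)
    return state


def summarize(kind: str) -> dict:
    """Storage written per day, restore effort, and whether the restore is exact."""
    backups, truth = run_strategy(kind)
    chain = restore_chain(backups)
    return {
        "daily_backup_mb": [b.size_mb() for b in backups[1:]],
        "restore_pieces": len(chain),
        "restore_mb": sum(b.size_mb() for b in chain),
        "restored_exactly": restore(chain) == truth,
    }


if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential"):
        print(strategy, summarize(strategy))
```

With this sample, incremental backups write the least per day but need the full plus all four incrementals to restore, while a differential restore always needs exactly two pieces.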

IT Infrastructure & Operations

Core Network Hardware

The fundamental physical and virtual devices that enable network connectivity and communication.

  • Routers: Manage network traffic by connecting different devices to form a network. They act as a link between a modem and the organization's switches.
  • Switches: Connect and divide devices within a single computer network, essentially turning one network jack into several.
  • Firewalls: Protect a network by filtering incoming and outgoing traffic through security protocols with predefined rules.
  • Gateways: Act as an intermediary between different networks by transforming data from one protocol into another.

Network Topologies & OSI Model

Network Topologies

The physical layout or arrangement of equipment (nodes) in a network.

  • Star: Data passes through a central hub or switch. If a hub fails, only the nodes connected to it stop working.
  • Mesh: Features numerous connections between nodes, promoting network stability if one node is damaged, but can be costly to implement.
  • Ring: Nodes are connected in a circular path. This can result in very slow network performance.
  • Bus: Nodes are connected to a single line/cable. If the central line is compromised, the entire network goes offline.

OSI 7-Layer Model

A conceptual framework developed by ISO that segregates network functions into seven different layers to explain how devices communicate.

  1. Layer 7 (Application): Interface between user applications and the network.
  2. Layer 6 (Presentation): Transforms data into a format that other devices can interpret.
  3. Layer 5 (Session): Establishes and maintains sessions between devices.
  4. Layer 4 (Transport): Controls communication connections between devices.
  5. Layer 3 (Network): Adds routing and addressing headers to data.
  6. Layer 2 (Data Link): Formats data packets for transmission.
  7. Layer 1 (Physical): Converts messages into bits for physical transmission.

Cloud Computing

A model that uses shared computing resources (servers, storage, applications) over the internet.

Cloud Service Models

  • IaaS (Infrastructure-as-a-Service): A third party provides an entire virtual data center of resources, and organizations can outsource servers, storage, and networking services. The organization is typically responsible for managing the operating systems and applications.
  • PaaS (Platform-as-a-Service): A third party provides proprietary tools and solutions for a specific business purpose, such as building an online platform. The provider manages all the back-end infrastructure.
  • SaaS (Software-as-a-Service): A third party provides a business application or software that organizations use to perform specific functions, typically through a license.

Cloud Deployment Models

  • Public: Owned and managed by a Cloud Service Provider (CSP) and made available to people or organizations who want to purchase them.
  • Private: Created for a single organization and can exist on or off the organization's premises.
  • Hybrid: Composed of two or more clouds (e.g., one private, one public) that remain unique but have technology enabling data portability between them.
  • Community: Shared by multiple organizations to support a common interest or mission.

IT Audit & Testing Techniques

Auditors use specific techniques to test the effectiveness of IT controls and the accuracy of processed data.

Approaches to Auditing Systems

  • Auditing Around the Computer: The auditor treats the computer as a "black box," focusing only on the inputs and outputs of the system. This approach is simple but may fail to detect processing errors within the application.
  • Auditing Through the Computer: The auditor directly examines the processing operations within the IT system. This is a more complex but also more effective approach.

Computer-Assisted Audit Techniques (CAATs)

These are techniques used when auditing through the computer:

  • Test Data: The auditor processes a set of dummy transactions (with both valid and invalid data) through a test environment or a copy of the client's program. The results are compared to predetermined outcomes to test application controls.
  • Integrated Test Facility (ITF): A "dummy" entity (e.g., a fake department or vendor) is created within the client's live production system. The auditor processes test transactions against this entity throughout the year, allowing for continuous monitoring of controls.
  • Parallel Simulation: The auditor uses their own software to re-process a subset of the client's actual data. The results produced by the auditor's system are then compared to the results from the client's system to verify processing accuracy.

Security & Risk Management

Common Cyberattacks

Network-Based

  • Denial-of-Service (DoS/DDoS): Cyberattacks that flood a network with excessive requests so it becomes overloaded and unavailable to legitimate users.
  • Man-in-the-Middle (MITM): Intercepting communications between two parties.

Application & Host-Based

  • Ransomware: An attacker gains access to a company's system and threatens to keep all systems blocked or leak sensitive data unless paid.
  • SQL Injection: Injecting malicious SQL code to gain database access.
  • Malware: Malicious software intended to damage or disable systems.
  • Brute Force Attack: Automated trial-and-error to guess passwords.

Social Engineering

  • Phishing: Using deceptive emails or messages to trick users into revealing sensitive information.
  • Business Email Compromise (BEC)/Whaling: Phishing that targets high-ranking executives.

Defensive Security Concepts

Zero Trust

A security model that eliminates implicit trust by requiring continuous verification for all users and devices, assuming the network is always at risk. It focuses on users, assets, and resources in real time to determine access.

Least Privilege & Need-to-Know

  • Least Privilege: Focuses on the minimum level of access and permissions a user needs to perform their job role.
  • Need-to-Know: Focuses on the specific data a user needs to perform their job, which is more granular than least privilege.

System Hardening

A comprehensive security approach that reduces risk by minimizing the number of access points (attack vectors) through which a company can be attacked.

Defense-in-Depth

A multilayered security strategy that combines people, policies, and technology. It uses redundant controls to ensure that a failure in one layer does not compromise the entire system.

Data Encryption & Authentication

Data Encryption Types

  • Symmetric Encryption: Uses a single shared secret key for both encrypting and decrypting data. It is fast but does not facilitate non-repudiation, because every holder of the key could have produced the message.
  • Asymmetric (Public Key) Encryption: Uses two keys: a public key to encrypt the message and a private key to decrypt it. This method is slower but foundational for digital signatures.
  • Hashing vs. Encryption: Hashing is a one-way process that converts a message into a fixed-length value to ensure data integrity. Encryption is a two-way process used to ensure confidentiality.

Authentication Methods

  • Multifactor Authentication (MFA): A technique that uses two or more factors to validate someone's identity.
  • Biometrics: A method that uses unique physical characteristics like fingerprints, eye scans, or facial recognition for identification.
  • Smart Cards: Plastic cards containing a microprocessor that can process data or act as a certificate to authenticate a user.

Incident Response Plan (IRP) Lifecycle

A formal plan for responding to security incidents.

  1. Preparation: Establishing the tools, roles, and training needed.
  2. Detection & Analysis: Identifying an incident has occurred.
  3. Containment: Isolating the affected systems to prevent further damage.
  4. Eradication: Removing the threat from the environment.
  5. Recovery: Restoring systems to normal operation.
  6. Reporting: Communicating incident details to relevant stakeholders.
  7. Lessons Learned (Post-Incident): Reviewing the response to make improvements.

Business Resiliency & Disaster Recovery

Core Concepts

  • Business Resiliency: Ability to continue or quickly return to operations after a disruption.
  • Business Continuity (BCP): Focuses on keeping business operational during a disaster.
  • Disaster Recovery (DRP): Focuses on restoring IT infrastructure after a disaster.

Recovery Sites

Site types, from most to least expensive:

  • Hot Site: Fully equipped and ready to operate immediately (most expensive).
  • Warm Site: Has hardware but may lack full processing capabilities (moderate cost).
  • Cold Site: Has space and infrastructure but no equipment (cheapest).

Key Metrics

  • RTO (Recovery Time Objective): The target time to restore business operations.
  • RPO (Recovery Point Objective): The maximum acceptable amount of data loss.
  • MTD (Maximum Tolerable Downtime): The longest an outage can last without causing significant damage.

Systems, Data, & Change

Data Life Cycle Management

The sequence data goes through from creation to disposal.

  1. Definition: Defining data needs and sources.
  2. Capture/Creation: Obtaining the data.
  3. Preparation: Cleaning, validating, and formatting data.
  4. Synthesis: Creating calculated fields from existing data.
  5. Analytics & Usage: Using data for internal reporting and decisions.
  6. Publication: Sharing data with external users.
  7. Archival: Moving data from active to passive systems.
  8. Purging: Permanently removing data from all systems.

Database Concepts

Data Repositories (Largest to Smallest)

  • Data Lake: Stores vast amounts of raw data, both structured and unstructured.
  • Data Warehouse: Central repository of structured, organized data for reporting and analysis.
  • Data Mart: A subset of a data warehouse focused on a specific business line.

Relational Database Normalization

Ensures data is stored efficiently without redundancy.

  • 1NF ("The Key"): Each cell holds a single value, and each record is unique (has a Primary Key).
  • 2NF ("The Whole Key"): All non-key attributes depend on the entire composite primary key.
  • 3NF ("Nothing But The Key"): All attributes depend only on the primary key, not other non-key attributes.
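The normal forms are easiest to see through the update anomalies they prevent. The following sqlite3 walk-through is an added example, not part of the original cheat sheet; the table names, column names and sample rows are constructed. It compares a single wide table that violates 2NF and 3NF with its 3NF decomposition.

```python
"""Normalization walk-through using sqlite3 from the standard library.

Added example for the 1NF/2NF/3NF bullets above; it is not part of the
original cheat sheet. Table names, column names and sample rows are constructed.
"""
import sqlite3

# Constructed order lines: (order_id, product_id, product_name, customer_id, city).
# Every cell is atomic, so 1NF holds. But product_name depends on product_id
# alone, only part of the composite key (2NF violation), and city depends on
# customer_id, a non-key attribute (3NF violation).
FLAT_ROWS = [
    (1, "P1", "Ledger Software", 100, "Denver"),
    (1, "P2", "Toner", 100, "Denver"),
    (2, "P2", "Toner", 100, "Denver"),
    (3, "P1", "Ledger Software", 200, "Austin"),
]

# Rebuilds the flat shape from the 3NF tables so both schemas answer the same queries.
FLAT_VIEW = """SELECT ol.order_id, ol.product_id, p.name AS product_name,
    o.customer_id, c.city AS customer_city
    FROM order_lines ol JOIN products p USING (product_id)
    JOIN orders o USING (order_id) JOIN customers c USING (customer_id)"""


def flat_schema() -> sqlite3.Connection:
    """Single wide table keyed by (order_id, product_id)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE order_lines_flat (
        order_id INTEGER, product_id TEXT, product_name TEXT,
        customer_id INTEGER, customer_city TEXT,
        PRIMARY KEY (order_id, product_id))""")
    conn.executemany("INSERT INTO order_lines_flat VALUES (?,?,?,?,?)", FLAT_ROWS)
    return conn


def normalized_schema() -> sqlite3.Connection:
    """3NF decomposition: each non-key attribute depends on the key, the whole
    key and nothing but the key of its own table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE customers   (customer_id INTEGER PRIMARY KEY, city TEXT);
        CREATE TABLE products    (product_id TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE orders      (order_id INTEGER PRIMARY KEY,
                                  customer_id INTEGER REFERENCES customers);
        CREATE TABLE order_lines (order_id INTEGER REFERENCES orders,
                                  product_id TEXT REFERENCES products,
                                  PRIMARY KEY (order_id, product_id));
        CREATE VIEW order_lines_flat AS {FLAT_VIEW};
    """)
    conn.executemany("INSERT OR IGNORE INTO customers VALUES (?,?)", {(r[3], r[4]) for r in FLAT_ROWS})
    conn.executemany("INSERT OR IGNORE INTO products VALUES (?,?)", {(r[1], r[2]) for r in FLAT_ROWS})
    conn.executemany("INSERT OR IGNORE INTO orders VALUES (?,?)", {(r[0], r[3]) for r in FLAT_ROWS})
    conn.executemany("INSERT INTO order_lines VALUES (?,?)", [(r[0], r[1]) for r in FLAT_ROWS])
    return conn


def fd_violations(conn: sqlite3.Connection, determinant: str, dependent: str) -> int:
    """Count determinant values that map to more than one dependent value in
    order_lines_flat, i.e. how often the functional dependency
    determinant -> dependent is broken (0 means it holds)."""
    sql = (f"SELECT COUNT(*) FROM (SELECT {determinant} FROM order_lines_flat "
           f"GROUP BY {determinant} HAVING COUNT(DISTINCT {dependent}) > 1)")
    return conn.execute(sql).fetchone()[0]


def rename_product(normalized: bool) -> dict:
    """Rename product P2 and report the resulting consistency. The flat table
    stores the name once per order line, so an update that misses a line leaves
    stale copies (an update anomaly); in 3NF the name lives in exactly one row."""
    if normalized:
        conn = normalized_schema()
        conn.execute("UPDATE products SET name = 'Toner Cartridge' WHERE product_id = 'P2'")
    else:
        conn = flat_schema()
        conn.execute("UPDATE order_lines_flat SET product_name = 'Toner Cartridge' "
                     "WHERE order_id = 1 AND product_id = 'P2'")
    names = conn.execute("SELECT COUNT(DISTINCT product_name) FROM order_lines_flat "
                         "WHERE product_id = 'P2'").fetchone()[0]
    return {"distinct_p2_names": names,
            "broken_dependencies": fd_violations(conn, "product_id", "product_name")}


if __name__ == "__main__":
    print("flat:", rename_product(normalized=False))
    print("3NF: ", rename_product(normalized=True))
```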

Accounting Systems & Emerging Tech

AIS & ERP Systems

Enterprise Resource Planning (ERP)

A cross-functional system that supports different business functions and integrates information from across departments (accounting, finance, HR) into a centralized database.

Accounting Information Systems (AIS)

The system that collects, records, stores, and compiles accounting information using accounting rules to report financial and nonfinancial information to decision makers.

AIS Subsystems

  • Transaction Processing System (TPS): Converts economic events into financial transactions (e.g., journal entries) and supports daily operations.
  • Financial Reporting System (FRS): Aggregates daily financial information from the TPS and other sources to enable timely financial reporting.
  • Management Reporting System (MRS): Provides internal financial information to solve daily business problems, such as for budgeting and variance analysis.

Emerging Tech & Blockchain

Technologies for Process Improvement

  • Robotic Process Automation (RPA): The use of software programs ("bots") capable of extracting information from a user interface and initiating further processes, designed to automate repetitive, rules-based tasks.
  • Blockchain: A control system, often decentralized, that records transactions with minimal human input into immutable (unchangeable) blocks, creating strong record integrity.