title
CISA Training Video | Process of Auditing Information Systems - Part 1

description
🔥Post Graduate Program In Cyber Security: https://www.simplilearn.com/pgp-cyber-security-certification-training-course?utm_campaign=CISA-training-video-part1-i7XGhj3UPxE&utm_medium=Description&utm_source=youtube 🔥IIIT Bangalore Advanced Executive Program In Cybersecurity (India Only): https://www.simplilearn.com/pgp-advanced-executive-program-in-cyber-security?utm_campaign=SCE-IIITBangaloreCS&utm_medium=DescriptionFF&utm_source=youtube 🔥Cyber Security Masters Program (Discount Code - YTBE15): https://www.simplilearn.com/cyber-security-expert-master-program-training-course?utm_campaign=SCE-MasterCS&utm_medium=DescriptionFF&utm_source=youtube

CISA Training Video: The Process of Auditing Information Systems. Domain 1 of the CISA exam accounts for 21% of the exam and covers how to conduct an audit. 🔥Free CISA Course With Course Completion Certificate: https://www.simplilearn.com/learn-information-systems-fundamentals-skillup?utm_campaign=CISA&utm_medium=Description&utm_source=youtube CISA Certification Training: https://www.simplilearn.com/cyber-security/cisa-certification-training?utm_campaign=CISA-training-video-part1-i7XGhj3UPxE&utm_medium=SC&utm_source=youtube #cisa #cisacertification #cisatrainingvideos #cisatrainingvideos2017 #cisa2017

➡️ About Post Graduate Program In Cyber Security: This Post Graduate Program in Cyber Security will help you learn comprehensive approaches to protecting your infrastructure and securing data, including risk analysis, mitigation, and compliance. You will get foundational to advanced skills through industry-leading cyber security certification courses that are part of the program.

✅ Key Features - Simplilearn Post Graduate Certificate - Masterclasses from MIT Faculty - Featuring Modules from MIT SCC and EC-Council - 8X higher interaction in live online classes conducted by industry experts - Simplilearn's JobAssist helps you get noticed by top hiring companies - Industry case studies in cyber security - Access to CEH Pro Version - 25+ hands-on projects - Capstone project in 3 domains - MIT CSAIL Professional Programs Community

✅ Skills Covered - Advanced Hacking Concepts - Network Packet Analysis - Ethical Hacking - IDS Firewalls and Honeypots - Security and Risk Management - Network Security - Software Development Security - Cryptography OSI and TCPIP Models - Identity and Access Management - Security Assessment and Testing - Trojans Backdoors and Countermeasures - Mobile and Web Technologies

For more updates on courses and tips, follow us on: - Facebook: https://www.facebook.com/Simplilearn - Twitter: https://twitter.com/simplilearn Get the android app: http://bit.ly/1WlVo4u Get the iOS app: http://apple.co/1HIO5J0 🔥🔥 Interested in Attending Live Classes? Call Us: IN - 18002127688 / US - +18445327688

detail
{'title': 'CISA Training Video | Process of Auditing Information Systems - Part 1', 'heatmap': [{'end': 569.821, 'start': 521.308, 'weight': 0.718}, {'end': 713.061, 'start': 613.218, 'weight': 0.969}, {'end': 1566.352, 'start': 1514.539, 'weight': 0.942}, {'end': 2711.354, 'start': 2654.662, 'weight': 0.855}, {'end': 2894.706, 'start': 2749.032, 'weight': 0.732}, {'end': 3323.671, 'start': 3272.195, 'weight': 0.753}, {'end': 3466.832, 'start': 3414.6, 'weight': 0.701}, {'end': 3758.292, 'start': 3605.778, 'weight': 0.979}], 'summary': 'Covers cisa training on auditing information systems and professional ethics, emphasizing risk analysis, it controls, and best practices, including topics such as risk definitions, loss expectancy calculation, enterprise frameworks, control principles, audit methodology, and legal requirements for cisa audit.', 'chapters': [{'end': 839.352, 'segs': [{'end': 26.398, 'src': 'embed', 'start': 0.389, 'weight': 0, 'content': [{'end': 4.711, 'text': 'Welcome to Domain 1, the process of auditing information systems.', 'start': 0.389, 'duration': 4.322}, {'end': 8.212, 'text': 'This domain will account for 21% of the exam.', 'start': 5.251, 'duration': 2.961}, {'end': 11.273, 'text': "And it's really the guts of an audit.", 'start': 8.892, 'duration': 2.381}, {'end': 14.774, 'text': 'This is where we talk about how you actually conduct an audit.', 'start': 11.653, 'duration': 3.121}, {'end': 23.817, 'text': "At this point, we're not as concerned with regulations and laws and technical issues so much as we're concerned with actual auditing process.", 'start': 15.214, 'duration': 8.603}, {'end': 26.398, 'text': 'And it is a formal process.', 'start': 24.318, 'duration': 2.08}], 'summary': 'Domain 1 covers 21% of the exam, focusing on the formal process of auditing information systems.', 'duration': 26.009, 'max_score': 0.389, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE389.jpg'}, 
{'end': 80.548, 'src': 'embed', 'start': 53.373, 'weight': 4, 'content': [{'end': 56.773, 'text': "So let's go ahead and get started with Domain 1.", 'start': 53.373, 'duration': 3.4}, {'end': 65.078, 'text': "After completing this domain, domain one, you'll be able to understand basically what an audit is and how an IS audit function should be managed.", 'start': 56.773, 'duration': 8.305}, {'end': 70.602, 'text': "You'll be able to detail the ISAC IS audit and assurance guidelines and standards.", 'start': 65.779, 'duration': 4.823}, {'end': 77.566, 'text': "You'll be able to discuss risks and how to analyze them and discuss and understand internal controls.", 'start': 71.422, 'duration': 6.144}, {'end': 80.548, 'text': "You'll also be able to explain the control assessment.", 'start': 78.246, 'duration': 2.302}], 'summary': "After completing domain 1, you'll understand is audit, isac guidelines, and internal controls.", 'duration': 27.175, 'max_score': 53.373, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE53373.jpg'}, {'end': 222.201, 'src': 'embed', 'start': 196.187, 'weight': 1, 'content': [{'end': 201.268, 'text': 'tools and techniques standards and has a comprehensive code of professional ethics.', 'start': 196.187, 'duration': 5.081}, {'end': 206.731, 'text': 'ISACA standards provide you with a benchmark for any information systems audit.', 'start': 202.648, 'duration': 4.083}, {'end': 216.397, 'text': 'Now the main areas that are covered under this knowledge statement include first and foremost, the ISACA code of professional ethics.', 'start': 209.933, 'duration': 6.464}, {'end': 222.201, 'text': "That's important to keep in mind because ISACA will emphasize this in the CISA exam.", 'start': 217.057, 'duration': 5.144}], 'summary': 'Isaca standards set benchmark for information systems audit, emphasizes code of professional ethics in cisa exam.', 'duration': 26.014, 'max_score': 196.187, 
'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE196187.jpg'}, {'end': 401.123, 'src': 'embed', 'start': 368.651, 'weight': 3, 'content': [{'end': 372.774, 'text': 'Members and certification holders should also maintain competency in their respective fields.', 'start': 368.651, 'duration': 4.123}, {'end': 379.404, 'text': 'and agree to undertake only those activities which they can reasonably expect to complete with professional competence.', 'start': 373.499, 'duration': 5.905}, {'end': 387.211, 'text': 'What this means is, first and foremost, you have to continue learning, make sure you increase your competency,', 'start': 380.605, 'duration': 6.606}, {'end': 393.997, 'text': "you're aware of new techniques and strategies, and also make sure you don't take on projects you're not fully qualified for.", 'start': 387.211, 'duration': 6.786}, {'end': 401.123, 'text': 'Inform appropriate parties of the results of work performed, revealing all significant facts known to them.', 'start': 395.158, 'duration': 5.965}], 'summary': 'Members must maintain competency, continue learning, and disclose all significant facts.', 'duration': 32.472, 'max_score': 368.651, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE368651.jpg'}, {'end': 569.821, 'src': 'heatmap', 'start': 521.308, 'weight': 0.718, 'content': [{'end': 524.532, 'text': "There's actually 42 categories of guidelines.", 'start': 521.308, 'duration': 3.224}, {'end': 527.88, 'text': "In the next few screens, we'll briefly look at all of them.", 'start': 525.598, 'duration': 2.282}, {'end': 532.503, 'text': "You don't have to memorize them, and therefore we won't read every one to you.", 'start': 528.6, 'duration': 3.903}, {'end': 537.587, 'text': 'I will point out a few of them that are of particular importance on the certification test.', 'start': 533.123, 'duration': 4.464}, {'end': 549.135, 'text': 'What 
we see here, due professional care, that ties directly in with the professional code of ethics, so G7 is particularly important.', 'start': 541.149, 'duration': 7.986}, {'end': 557.437, 'text': "There's an entire knowledge statement on G10 audit sampling, which discusses how to do proper sampling.", 'start': 550.455, 'duration': 6.982}, {'end': 562.539, 'text': 'Audit evidence requirement G2 also is prominent on the certification test.', 'start': 558.377, 'duration': 4.162}, {'end': 569.821, 'text': "G15 planning, a properly planned audit is the only way you're going to have a good audit.", 'start': 564.699, 'duration': 5.122}], 'summary': '42 categories of guidelines, g7, g10, g2, g15 are important on the certification test.', 'duration': 48.513, 'max_score': 521.308, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE521308.jpg'}, {'end': 713.061, 'src': 'heatmap', 'start': 613.218, 'weight': 0.969, 'content': [{'end': 616.959, 'text': 'Those are always a common point to check during your audit.', 'start': 613.218, 'duration': 3.741}, {'end': 627.092, 'text': 'ISAC also has standards and guidelines related to audit, the ITAF, and you can see here a listing of those standards.', 'start': 619.77, 'duration': 7.322}, {'end': 634.215, 'text': "As with the G standards, you don't have to memorize each of these, and we won't read them to you, but you should be familiar with them.", 'start': 627.692, 'duration': 6.523}, {'end': 642.837, 'text': 'This concludes Knowledge Statement 1.1.', 'start': 635.275, 'duration': 7.562}, {'end': 653.358, 'text': 'CISA Knowledge Statement 1.2 Knowledge of the risk assessment concepts and tools and techniques used in planning, examination,', 'start': 642.837, 'duration': 10.521}, {'end': 654.338, 'text': 'reporting and follow-up.', 'start': 653.358, 'duration': 0.98}, {'end': 662.603, 'text': 'First of all, your overall audit plan has to focus on business risks related to the use of 
IT.', 'start': 656.76, 'duration': 5.843}, {'end': 668.507, 'text': "Now, throughout this course, we're going to look at a lot of methodologies, standards, and techniques.", 'start': 663.664, 'duration': 4.843}, {'end': 675.531, 'text': "But if you think about it for just a moment, I think you'll agree that information system auditing comes down to one simple concept.", 'start': 669.127, 'duration': 6.404}, {'end': 684.797, 'text': 'identify the risks a business faces, look at the controls in place to mitigate those risks, and evaluate the efficacy of those controls.', 'start': 676.374, 'duration': 8.423}, {'end': 686.938, 'text': "That's really what auditing is all about.", 'start': 685.237, 'duration': 1.701}, {'end': 691.819, 'text': 'The area under our audit represents the audit scope.', 'start': 688.798, 'duration': 3.021}, {'end': 695.981, 'text': "We're not going to audit everything, so let's find out what we are going to audit.", 'start': 692.519, 'duration': 3.462}, {'end': 697.341, 'text': 'What is the scope of our audit?', 'start': 696.001, 'duration': 1.34}, {'end': 705.415, 'text': 'Auditors should use risk analysis techniques to find out what are the critical areas to focus on within the audit scope.', 'start': 698.749, 'duration': 6.666}, {'end': 709.418, 'text': 'In other words, you determine the audit scope by risk analysis.', 'start': 705.895, 'duration': 3.523}, {'end': 713.061, 'text': 'You obviously have limited audit resources.', 'start': 710.719, 'duration': 2.342}], 'summary': 'Cisa audit involves understanding isac standards, applying risk assessment methods, and scoping audits based on risk analysis.', 'duration': 99.843, 'max_score': 613.218, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE613218.jpg'}, {'end': 842.854, 'src': 'embed', 'start': 813.595, 'weight': 2, 'content': [{'end': 816.898, 'text': 'This will involve beginning your introduction to risk assessment techniques.', 
'start': 813.595, 'duration': 3.303}, {'end': 820.361, 'text': "We'll also be discussing reporting techniques and follow-up.", 'start': 817.678, 'duration': 2.683}, {'end': 826.766, 'text': "Let's start with looking at risk analysis.", 'start': 824.884, 'duration': 1.882}, {'end': 832.127, 'text': 'This is a process that helps an auditor recognize the vulnerabilities and risks.', 'start': 827.304, 'duration': 4.823}, {'end': 833.588, 'text': "That's the first part.", 'start': 832.747, 'duration': 0.841}, {'end': 839.352, 'text': 'You have to be aware of what the risks and vulnerabilities to this specific organization are.', 'start': 834.228, 'duration': 5.124}, {'end': 842.854, 'text': 'Now some risks and some vulnerabilities are common to everyone.', 'start': 840.152, 'duration': 2.702}], 'summary': 'Introduction to risk assessment techniques, risk analysis, and common organizational vulnerabilities.', 'duration': 29.259, 'max_score': 813.595, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE813595.jpg'}], 'start': 0.389, 'title': 'Auditing information systems and professional ethics', 'summary': 'Delves into domain 1, constituting 21% of the exam, covering scientific auditing methods, key topics, and isaca standards. 
it also stresses professional competence, stakeholder communication, ethics compliance, and understanding of it audit and assurance standards framework, focusing on risk analysis, audit methodology, reporting techniques, and follow-up.', 'chapters': [{'end': 366.929, 'start': 0.389, 'title': 'Domain 1: auditing information systems', 'summary': 'Discusses domain 1 which accounts for 21% of the exam, emphasizing the scientific approach to auditing, key topics covered, and the importance of isaca standards and professional ethics.', 'duration': 366.54, 'highlights': ['Domain 1 accounts for 21% of the exam.', 'The importance of a methodical, scientific approach to auditing.', 'Key topics covered include IS audit and assurance guidelines, standards, risks, internal controls, and control assessment.', 'Emphasis on ISACA standards and professional ethics.']}, {'end': 839.352, 'start': 368.651, 'title': 'Professional ethics and audit standards', 'summary': "Emphasizes the importance of maintaining professional competence, informing stakeholders about audit results, complying with the code of professional ethics, and understanding isaca's it audit and assurance standards framework, with a focus on risk analysis, audit methodology, reporting techniques, and follow-up.", 'duration': 470.701, 'highlights': ['Members and certification holders should maintain competency and undertake activities within their professional competence.', 'Failure to comply with the Code of Professional Ethics can result in disciplinary measures such as revocation of certification.', "ISACA's IT Audit and Assurance Standards Framework has specific objectives, and auditors should strive to exceed the minimum standards.", 'The importance of risk analysis, audit methodology, reporting techniques, and follow-up in the audit process is highlighted.']}], 'duration': 838.963, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE389.jpg', 'highlights': 
['Domain 1 accounts for 21% of the exam.', 'Emphasis on ISACA standards and professional ethics.', 'Importance of risk analysis, audit methodology, and reporting techniques.', 'Members should maintain professional competence and adhere to ethics.', 'Key topics include IS audit and assurance guidelines and internal controls.']}, {'end': 1083.399, 'segs': [{'end': 924.036, 'src': 'embed', 'start': 840.152, 'weight': 0, 'content': [{'end': 842.854, 'text': 'Now some risks and some vulnerabilities are common to everyone.', 'start': 840.152, 'duration': 2.702}, {'end': 845.516, 'text': 'Everyone is at risk for a virus outbreak.', 'start': 843.474, 'duration': 2.042}, {'end': 848.357, 'text': 'Everyone is at risk for a fire in the server room.', 'start': 846.156, 'duration': 2.201}, {'end': 852.22, 'text': 'But we also have very specific risks to specific industries.', 'start': 849.198, 'duration': 3.022}, {'end': 860.657, 'text': 'Then we need to look at how do we define controls that can be put in place or may already be in place to mitigate those risks.', 'start': 853.453, 'duration': 7.204}, {'end': 866.741, 'text': "Now throughout this lesson, you're going to see several different phrasings of the definition of risk.", 'start': 861.918, 'duration': 4.823}, {'end': 872.885, 'text': "They're all worded slightly differently because they come from different sources, but they all essentially mean the same thing.", 'start': 867.201, 'duration': 5.684}, {'end': 874.826, 'text': "Let's start with this first one.", 'start': 873.645, 'duration': 1.181}, {'end': 880.605, 'text': 'Risk is defined as the mixture of the likelihood of an event and its magnitude.', 'start': 875.962, 'duration': 4.643}, {'end': 884.947, 'text': "First of all, an event we're defining as some negative incident.", 'start': 881.485, 'duration': 3.462}, {'end': 889.229, 'text': 'How likely is it to happen? 
Some events are more likely than others.', 'start': 885.667, 'duration': 3.562}, {'end': 891.851, 'text': 'Not everything has an equal likelihood.', 'start': 889.79, 'duration': 2.061}, {'end': 899.157, 'text': 'For example, for any organization, the likelihood of a hard drive crash in a server is relatively high.', 'start': 892.731, 'duration': 6.426}, {'end': 909.746, 'text': 'But the likelihood of an intrusion by a state-sponsored cyber terrorist is only high for certain businesses, high-tech companies, defense contractors.', 'start': 899.917, 'duration': 9.829}, {'end': 913.649, 'text': "It's extremely low for a pizza delivery business or a bookseller.", 'start': 910.106, 'duration': 3.543}, {'end': 915.871, 'text': 'So we have to look at the likelihood of an event.', 'start': 914.11, 'duration': 1.761}, {'end': 918.273, 'text': "Then let's look at the magnitude.", 'start': 916.892, 'duration': 1.381}, {'end': 921.675, 'text': 'Not all events have the same magnitude for every industry.', 'start': 918.913, 'duration': 2.762}, {'end': 924.036, 'text': "Let's consider a hypothetical.", 'start': 922.716, 'duration': 1.32}], 'summary': 'Risk is the likelihood and magnitude of negative events, varying by industry.', 'duration': 83.884, 'max_score': 840.152, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE840152.jpg'}, {'end': 1021.88, 'src': 'embed', 'start': 994.415, 'weight': 1, 'content': [{'end': 997.457, 'text': 'involvement and adoption of information technology within a business.', 'start': 994.415, 'duration': 3.042}, {'end': 999.418, 'text': "Now let's think about that for just a moment.", 'start': 997.477, 'duration': 1.941}, {'end': 1003.34, 'text': 'We all like new technologies, myself more than most.', 'start': 1000.379, 'duration': 2.961}, {'end': 1009.123, 'text': 'The convenience, the productivity, all these things that are afforded us by new technologies.', 'start': 1004.401, 'duration': 
4.722}, {'end': 1013.366, 'text': 'But every technology also involves a risk simply by owning and using it.', 'start': 1009.844, 'duration': 3.522}, {'end': 1015.987, 'text': 'For example, we already mentioned websites.', 'start': 1014.186, 'duration': 1.801}, {'end': 1021.88, 'text': 'that expands your customer base, lets you sell to customers more conveniently and, in some cases,', 'start': 1016.397, 'duration': 5.483}], 'summary': 'Adopting new technologies in business carries both benefits and risks.', 'duration': 27.465, 'max_score': 994.415, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE994415.jpg'}, {'end': 1068.176, 'src': 'embed', 'start': 1037.204, 'weight': 6, 'content': [{'end': 1040.228, 'text': 'Everyone has one, and I personally depend on mine all the time.', 'start': 1037.204, 'duration': 3.024}, {'end': 1047.012, 'text': "And many people now bring these phones into the workplace and connect them to the organization's Wi-Fi.", 'start': 1041.088, 'duration': 5.924}, {'end': 1049.956, 'text': 'This is referred to as BYOD, bring your own device.', 'start': 1047.534, 'duration': 2.422}, {'end': 1053.342, 'text': 'Well, that poses a lot of risks.', 'start': 1051.24, 'duration': 2.102}, {'end': 1060.308, 'text': "Yes, it's incredibly convenient, and it allows employees to blend work with personal time.", 'start': 1053.882, 'duration': 6.426}, {'end': 1068.176, 'text': 'They may, on their own time, address a work issue through their phone and they may be able to take a critical personal issue, such as a sick relative,', 'start': 1060.689, 'duration': 7.487}], 'summary': 'Byod brings convenience but poses security risks.', 'duration': 30.972, 'max_score': 1037.204, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE1037204.jpg'}], 'start': 840.152, 'title': 'Risks and controls in it', 'summary': 'Emphasizes the identification and addressing of 
common and specific risks, defining risk as the combination of likelihood and magnitude of an event. it also discusses the assessment of it risk likelihood and magnitude, emphasizing the varying impact on different industries and the risks associated with owning and using new technologies such as websites and smartphones.', 'chapters': [{'end': 880.605, 'start': 840.152, 'title': 'Understanding risks and controls', 'summary': 'Emphasizes the need to identify and address common and specific risks, and defines risk as the combination of likelihood and magnitude of an event.', 'duration': 40.453, 'highlights': ['The chapter emphasizes the need to identify and address common and specific risks.', 'Risk is defined as the mixture of the likelihood of an event and its magnitude.', 'Everyone is at risk for a virus outbreak and a fire in the server room.']}, {'end': 1083.399, 'start': 881.485, 'title': 'It risk and magnitude assessment', 'summary': 'Discusses the assessment of it risk likelihood and magnitude, emphasizing the varying impact on different industries and the risks associated with owning and using new technologies such as websites and smartphones.', 'duration': 201.914, 'highlights': ['The likelihood of a hard drive crash in a server is relatively high for any organization, while the likelihood of an intrusion by a state-sponsored cyber terrorist is higher for certain businesses such as high-tech companies and defense contractors, but extremely low for businesses like pizza delivery or bookselling.', "The magnitude of an event varies for different industries, as illustrated by the impact of a web server crash on a pizza chain's business compared to an e-commerce business, where the latter faces a complete loss of revenue for every minute the server is down.", 'The ownership, use, and adoption of information technology within a business inherently involve risks, exemplified by the vulnerabilities of websites to denial of service attacks and other cyber threats, 
as well as the risks associated with the widespread use of smartphones in the workplace, known as BYOD (bring your own device).']}], 'duration': 243.247, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE840152.jpg', 'highlights': ['The likelihood of a hard drive crash in a server is relatively high for any organization.', 'The ownership, use, and adoption of information technology within a business inherently involve risks.', "The magnitude of an event varies for different industries, as illustrated by the impact of a web server crash on a pizza chain's business compared to an e-commerce business.", 'Risk is defined as the mixture of the likelihood of an event and its magnitude.', 'The chapter emphasizes the need to identify and address common and specific risks.', 'Everyone is at risk for a virus outbreak and a fire in the server room.', 'The risks associated with the widespread use of smartphones in the workplace, known as BYOD (bring your own device).', 'The likelihood of an intrusion by a state-sponsored cyber terrorist is higher for certain businesses such as high-tech companies and defense contractors, but extremely low for businesses like pizza delivery or bookselling.', 'The assessment of IT risk likelihood and magnitude, emphasizing the varying impact on different industries.']}, {'end': 1579.314, 'segs': [{'end': 1179.417, 'src': 'embed', 'start': 1108.567, 'weight': 0, 'content': [{'end': 1112.67, 'text': 'Now what I really like about this definition is the use of the word probable.', 'start': 1108.567, 'duration': 4.103}, {'end': 1121.537, 'text': "It's unlikely that you'll be able to know exactly how frequent an event may occur or the exact magnitude.", 'start': 1114.932, 'duration': 6.605}, {'end': 1123.478, 'text': 'You have to perform an estimate.', 'start': 1121.997, 'duration': 1.481}, {'end': 1132.485, 'text': 'The second definition the potential that a given threat will exploit 
vulnerabilities of an asset or group of assets and cause harm to the organization.', 'start': 1125.099, 'duration': 7.386}, {'end': 1139.675, 'text': "Now this comes from the standard ISO 27005, which you're definitely going to see on the CISA exam.", 'start': 1132.95, 'duration': 6.725}, {'end': 1146.02, 'text': "Not just this definition, but you'll see more about the standard and we'll revisit again in future lessons.", 'start': 1140.316, 'duration': 5.704}, {'end': 1150.064, 'text': 'Definitely be familiar with ISO 27005.', 'start': 1146.221, 'duration': 3.843}, {'end': 1152.866, 'text': 'But I like this definition because it emphasizes two things.', 'start': 1150.064, 'duration': 2.802}, {'end': 1156.669, 'text': "First and foremost, we're concerned about harm to the organization.", 'start': 1153.466, 'duration': 3.203}, {'end': 1163.248, 'text': "If a particular IT system is offline, but it doesn't harm the organization, it's not that big a concern.", 'start': 1157.685, 'duration': 5.563}, {'end': 1167.51, 'text': "If you have 20 printers and one of them is offline, it's an inconvenience.", 'start': 1164.049, 'duration': 3.461}, {'end': 1170.472, 'text': "It doesn't have great harm to the organization.", 'start': 1168.151, 'duration': 2.321}, {'end': 1176.796, 'text': "I also like this definition because it's talking about the exploiting of vulnerabilities,", 'start': 1171.513, 'duration': 5.283}, {'end': 1179.417, 'text': "and that's what we're really concerned about in risk mitigation.", 'start': 1176.796, 'duration': 2.621}], 'summary': 'Iso 27005 defines risk as the probability of exploiting vulnerabilities to cause harm to the organization.', 'duration': 70.85, 'max_score': 1108.567, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE1108567.jpg'}, {'end': 1233.416, 'src': 'embed', 'start': 1205.796, 'weight': 2, 'content': [{'end': 1210.016, 'text': 'First, it helps the auditor identify threats and 
risks within the IS environment.', 'start': 1205.796, 'duration': 4.22}, {'end': 1213.637, 'text': "We've already stated that your audit has to be risk-driven.", 'start': 1210.476, 'duration': 3.161}, {'end': 1219.956, 'text': 'but that begins by identifying the threats and risks that are of most concern in this specific environment.', 'start': 1214.087, 'duration': 5.869}, {'end': 1225.104, 'text': 'It also lets you plan the audit by looking at the controls in place,', 'start': 1221.077, 'duration': 4.027}, {'end': 1229.871, 'text': "and we look at those controls in light of the specific risks and threats we've already identified.", 'start': 1225.104, 'duration': 4.767}, {'end': 1233.416, 'text': "Now you're in a position to know the audit objectives.", 'start': 1230.814, 'duration': 2.602}], 'summary': 'Identifying threats and risks helps plan risk-driven audits and set specific audit objectives.', 'duration': 27.62, 'max_score': 1205.796, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE1205796.jpg'}, {'end': 1326.356, 'src': 'embed', 'start': 1293.011, 'weight': 3, 'content': [{'end': 1294.812, 'text': 'And there may be a host of other objectives.', 'start': 1293.011, 'duration': 1.801}, {'end': 1300.675, 'text': 'But before you can even begin looking at the audit, you have to know what the business is trying to do.', 'start': 1295.312, 'duration': 5.363}, {'end': 1308.159, 'text': 'Now, that flows very naturally into identifying those information assets that support the business objective.', 'start': 1301.476, 'duration': 6.683}, {'end': 1313.472, 'text': 'It may sound odd, but normally an organization has a number of information systems,', 'start': 1309.031, 'duration': 4.441}, {'end': 1316.933, 'text': 'some of which are not absolutely critical to the business objective.', 'start': 1313.472, 'duration': 3.461}, {'end': 1318.854, 'text': "We're concerned about those that are.", 'start': 1317.434, 
'duration': 1.42}, {'end': 1326.356, 'text': "Again, if you have 20 printers and most of your business is online anyway, doesn't require printing for each transaction.", 'start': 1319.854, 'duration': 6.502}], 'summary': 'Identify critical information assets to support business objectives.', 'duration': 33.345, 'max_score': 1293.011, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE1293011.jpg'}, {'end': 1368.378, 'src': 'embed', 'start': 1336.443, 'weight': 7, 'content': [{'end': 1341.766, 'text': "Now that you've identified the information assets that support those business objectives,", 'start': 1336.443, 'duration': 5.323}, {'end': 1345.608, 'text': 'now we flow straight to doing a risk assessment on those assets.', 'start': 1341.766, 'duration': 3.842}, {'end': 1355.592, 'text': 'What are the threats to those assets? What vulnerabilities are in those assets that would allow a threat to be realized? And what would be the impact?', 'start': 1346.588, 'duration': 9.004}, {'end': 1360.875, 'text': "Now, impact often involves something we haven't discussed yet called a criticality analysis.", 'start': 1356.133, 'duration': 4.742}, {'end': 1368.378, 'text': "That's just a nice way of saying we look at each particular asset and evaluate how critical it is to the organization.", 'start': 1362.093, 'duration': 6.285}], 'summary': 'Identify assets, assess risks, evaluate impact and criticality for organizational assets.', 'duration': 31.935, 'max_score': 1336.443, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE1336443.jpg'}, {'end': 1407.562, 'src': 'embed', 'start': 1380.126, 'weight': 1, 'content': [{'end': 1383.429, 'text': "Let's look at the risks and map them to existing controls.", 'start': 1380.126, 'duration': 3.303}, {'end': 1389.93, 'text': 'Although that can be an involved process, it really comes down to two questions.', 'start': 1386.147, 
'duration': 3.783}, {'end': 1394.133, 'text': 'Are there controls in place that address each and every risk you have?', 'start': 1390.93, 'duration': 3.203}, {'end': 1400.177, 'text': "Any place you have a risk that does not have a control, that's an obvious place that needs to be addressed.", 'start': 1394.633, 'duration': 5.544}, {'end': 1407.562, 'text': 'The second question is assuming there is a control in place for that risk, does it adequately mitigate the risk?', 'start': 1401.498, 'duration': 6.064}], 'summary': 'Identifying risks and assessing controls are crucial for risk management.', 'duration': 27.436, 'max_score': 1380.126, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE1380126.jpg'}, {'end': 1566.352, 'src': 'heatmap', 'start': 1514.539, 'weight': 0.942, 'content': [{'end': 1520.901, 'text': "Risk, and this is yet another definition that may seem to be worded differently, but means essentially the same that we've seen so far.", 'start': 1514.539, 'duration': 6.362}, {'end': 1525.403, 'text': "It's the potential that a chosen action or activity will lead to a loss.", 'start': 1521.562, 'duration': 3.841}, {'end': 1529.544, 'text': 'Threats, any negative action that could harm a system.', 'start': 1526.523, 'duration': 3.021}, {'end': 1534.296, 'text': 'Vulnerabilities, any weakness that allows a threat to cause harm.', 'start': 1530.728, 'duration': 3.568}, {'end': 1536.981, 'text': 'Impact, the severity of damage.', 'start': 1535.378, 'duration': 1.603}, {'end': 1539.968, 'text': 'Whenever possible, we like to express this in dollars.', 'start': 1537.422, 'duration': 2.546}, {'end': 1548.23, 'text': 'Now to express that in dollars we have some very specific formulas.', 'start': 1544.727, 'duration': 3.503}, {'end': 1553.053, 'text': 'These formulas are also borrowed from disaster recovery and business continuity planning.', 'start': 1549.09, 'duration': 3.963}, {'end': 1554.874, 'text': 
'Exposure factor.', 'start': 1553.914, 'duration': 0.96}, {'end': 1558.557, 'text': 'This is the percentage value of an asset lost due to an incident.', 'start': 1555.335, 'duration': 3.222}, {'end': 1562.4, 'text': "Now what we mean is in many cases you won't completely lose an asset.", 'start': 1559.118, 'duration': 3.282}, {'end': 1566.352, 'text': "Let's assume you have a database and you do a full backup every hour.", 'start': 1563.191, 'duration': 3.161}], 'summary': 'Risk is the potential for loss from threats and vulnerabilities, measured in dollars using specific formulas borrowed from disaster recovery and business continuity planning.', 'duration': 51.813, 'max_score': 1514.539, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE1514539.jpg'}], 'start': 1083.399, 'title': 'Risk definitions and analysis', 'summary': 'Explains definitions of risk, emphasizing the importance of harm to the organization and the need for risk estimation and mitigation. 
it also discusses key steps in risk analysis for information systems audit, emphasizing the identification of threats and risks, mapping them to controls, and the cyclical nature of the risk assessment process.', 'chapters': [{'end': 1179.417, 'start': 1083.399, 'title': 'Understanding risk definitions', 'summary': 'Explains two definitions of risk - probable frequency and magnitude of future loss, and the potential threat exploitation of vulnerabilities, emphasizing the importance of harm to the organization and the need for risk estimation and mitigation.', 'duration': 96.018, 'highlights': ['The potential threat exploitation of vulnerabilities emphasizes the importance of harm to the organization and the need for risk mitigation.', "The probable frequency and magnitude of future loss requires risk estimation as it's unlikely to know exact occurrences.", 'ISO 27005 standard emphasizes the importance of harm to the organization and will be relevant for the CISA exam.']}, {'end': 1579.314, 'start': 1183.792, 'title': 'Risk analysis in information systems', 'summary': 'Discusses the key steps in risk analysis for information systems audit, emphasizing the identification of threats and risks, mapping them to controls, and the cyclical nature of the risk assessment process.', 'duration': 395.522, 'highlights': ['The chapter discusses the key steps in risk analysis for information systems audit, emphasizing the identification of threats and risks, mapping them to controls, and the cyclical nature of the risk assessment process.', 'Risk analysis is used to identify threats and risks within the IS environment, enabling risk-driven audit planning and decision-making processes.', 'Identifying business objectives is crucial before conducting an audit, and it naturally leads to the assessment of information assets supporting these objectives.', 'The process involves risk assessment on information assets, including evaluating their criticality to the organization and 
determining the impact of potential threats.', 'Risk management involves mapping risks to existing controls, addressing areas without controls, and ensuring that controls adequately mitigate the identified risks.']}], 'duration': 495.915, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE1083399.jpg', 'highlights': ['The ISO 27005 standard emphasizes the importance of harm to the organization and will be relevant for the CISA exam.', 'Risk management involves mapping risks to existing controls, addressing areas without controls, and ensuring that controls adequately mitigate the identified risks.', 'The chapter discusses the key steps in risk analysis for information systems audit, emphasizing the identification of threats and risks, mapping them to controls, and the cyclical nature of the risk assessment process.', 'Identifying business objectives is crucial before conducting an audit, and it naturally leads to the assessment of information assets supporting these objectives.', 'Risk analysis is used to identify threats and risks within the IS environment, enabling risk-driven audit planning and decision-making processes.', 'The potential threat exploitation of vulnerabilities emphasizes the importance of harm to the organization and the need for risk mitigation.', "The probable frequency and magnitude of future loss requires risk estimation as it's unlikely to know exact occurrences.", 'The process involves risk assessment on information assets, including evaluating their criticality to the organization and determining the impact of potential threats.']}, {'end': 1881.875, 'segs': [{'end': 1625.809, 'src': 'embed', 'start': 1580.294, 'weight': 1, 'content': [{'end': 1588.895, 'text': 'Now, if we look at a single loss expectancy, that means what do we lose in a single negative incident? 
We start with the asset value.', 'start': 1580.294, 'duration': 8.601}, {'end': 1595.527, 'text': 'How much is the asset worth times that exposure factor? That will give us a single loss expectancy.', 'start': 1588.995, 'duration': 6.532}, {'end': 1598.928, 'text': 'Next, we have to consider the annual rate of occurrence.', 'start': 1596.628, 'duration': 2.3}, {'end': 1602.209, 'text': "That's the number of losses you might expect to have in a year.", 'start': 1599.508, 'duration': 2.701}, {'end': 1607.05, 'text': 'Now this can be effectively estimated through a number of different methods.', 'start': 1602.969, 'duration': 4.081}, {'end': 1609.071, 'text': 'First, look at previous years.', 'start': 1607.55, 'duration': 1.521}, {'end': 1613.112, 'text': 'What was the number of losses last year and the year before??', 'start': 1609.911, 'duration': 3.201}, {'end': 1622.126, 'text': 'Then there are a variety of security firms that every year publish reports that tell you the preceding years various losses, various attacks,', 'start': 1613.672, 'duration': 8.454}, {'end': 1625.809, 'text': 'various threats, broken down by industry and size of company.', 'start': 1622.126, 'duration': 3.683}], 'summary': 'Determine single loss expectancy by asset value and exposure factor, and estimate annual rate of occurrence using historical data and security firm reports.', 'duration': 45.515, 'max_score': 1580.294, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE1580294.jpg'}, {'end': 1709.342, 'src': 'embed', 'start': 1679.227, 'weight': 3, 'content': [{'end': 1681.369, 'text': "No, it's not exact, but it's a good estimate.", 'start': 1679.227, 'duration': 2.142}, {'end': 1684.691, 'text': 'You should do the same thing when looking at asset value,', 'start': 1682.189, 'duration': 2.502}, {'end': 1692.017, 'text': "exposure factor or any number of factors that we've already discussed or will discuss where we say it's an 
estimate.", 'start': 1684.691, 'duration': 7.326}, {'end': 1694.059, 'text': 'Estimates should never be guessed.', 'start': 1692.677, 'duration': 1.382}, {'end': 1700.88, 'text': 'I would also recommend that in your final audit report, you actually include the basis for your estimates.', 'start': 1695.019, 'duration': 5.861}, {'end': 1706.701, 'text': "Where'd you get this number? Now with that said, we're ready to compute annualized loss expectancy.", 'start': 1700.92, 'duration': 5.781}, {'end': 1709.342, 'text': "That's the yearly cost due to a risk.", 'start': 1707.581, 'duration': 1.761}], 'summary': 'Emphasize the importance of basing estimates on solid data for accurate annualized loss expectancy calculations.', 'duration': 30.115, 'max_score': 1679.227, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE1679227.jpg'}, {'end': 1781.274, 'src': 'embed', 'start': 1746.376, 'weight': 6, 'content': [{'end': 1747.837, 'text': 'What will it cost to mitigate that?', 'start': 1746.376, 'duration': 1.461}, {'end': 1752.54, 'text': "If there's a control that will reduce that to two times a year.", 'start': 1749.158, 'duration': 3.382}, {'end': 1754.101, 'text': 'so our loss goes from $10, 000 a year to $2, 000 a year.', 'start': 1752.54, 'duration': 1.561}, {'end': 1757.135, 'text': 'Should we implement that control??', 'start': 1755.874, 'duration': 1.261}, {'end': 1758.856, 'text': "Well, it's a very simple formula.", 'start': 1757.155, 'duration': 1.701}, {'end': 1766.242, 'text': "How much does the control cost? 
If it costs $5, 000 but saves us $8, 000, then it's well worth it.", 'start': 1759.357, 'duration': 6.885}, {'end': 1772.207, 'text': "If it costs $15, 000 and saves us $8, 000, we're actually better off without it.", 'start': 1767.023, 'duration': 5.184}, {'end': 1781.274, 'text': "Now let's look at the three formulas at the bottom that use these terms.", 'start': 1777.871, 'duration': 3.403}], 'summary': 'Mitigating the risk can reduce loss from $10,000 to $2,000 a year, making it worth implementing controls.', 'duration': 34.898, 'max_score': 1746.376, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE1746376.jpg'}, {'end': 1836.609, 'src': 'embed', 'start': 1795.554, 'weight': 2, 'content': [{'end': 1803.681, 'text': 'If you take the value of the asset, however much it was worth, that can include purchase cost, maintenance cost, development cost,', 'start': 1795.554, 'duration': 8.127}, {'end': 1805.943, 'text': 'whatever the complete value of the asset is.', 'start': 1803.681, 'duration': 2.262}, {'end': 1808.726, 'text': 'Multiply that by the exposure factor.', 'start': 1806.664, 'duration': 2.062}, {'end': 1812.269, 'text': 'The result is the single loss expectancy.', 'start': 1809.386, 'duration': 2.883}, {'end': 1815.88, 'text': "how much you expect to lose if there's a single loss.", 'start': 1812.779, 'duration': 3.101}, {'end': 1823.824, 'text': 'What is risk? You take the probability of something happening times the cost if that happened.', 'start': 1817.461, 'duration': 6.363}, {'end': 1830.187, 'text': "For example, what would it cost you for your server to be down for a week? 
Let's say your web server.", 'start': 1824.364, 'duration': 5.823}, {'end': 1832.188, 'text': 'Calculate that cost.', 'start': 1831.187, 'duration': 1.001}, {'end': 1836.609, 'text': 'Now that should be something you can do with concrete numbers with very little guessing.', 'start': 1832.228, 'duration': 4.381}], 'summary': 'Calculate single loss expectancy by multiplying asset value with exposure factor, and assess risk by multiplying probability with cost of occurrence.', 'duration': 41.055, 'max_score': 1795.554, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE1795554.jpg'}, {'end': 1881.875, 'src': 'embed', 'start': 1855.681, 'weight': 0, 'content': [{'end': 1864.488, 'text': "and remember, this is an estimate, but it's an estimate, hopefully based on statistical averages, past performance and reports from industry.", 'start': 1855.681, 'duration': 8.807}, {'end': 1871.546, 'text': 'But in any case, once you multiply ARO times SLE, you have the annualized loss expectancy.', 'start': 1864.96, 'duration': 6.586}, {'end': 1877.311, 'text': 'These three formulas and these terms are central to impact analysis.', 'start': 1872.326, 'duration': 4.985}, {'end': 1881.875, 'text': "thus they're central to business continuity planning and disaster recovery planning.", 'start': 1877.311, 'duration': 4.564}], 'summary': 'Estimate aro times sle for annualized loss expectancy, vital for impact analysis in business continuity and disaster recovery planning.', 'duration': 26.194, 'max_score': 1855.681, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE1855681.jpg'}], 'start': 1580.294, 'title': 'Estimating loss expectancy and ale calculation', 'summary': 'Explains how to estimate single loss expectancy and annual rate of occurrence, emphasizing the use of historical data and industry reports. 
it also covers the calculation of annualized loss expectancy (ale) and its importance in evaluating the cost effectiveness of controls using concrete examples and formulas.', 'chapters': [{'end': 1700.88, 'start': 1580.294, 'title': 'Estimating loss expectancy in security', 'summary': 'Explains how to calculate single loss expectancy and annual rate of occurrence, emphasizing the importance of using historical data and industry reports to make informed estimates, rather than relying on random guesses.', 'duration': 120.586, 'highlights': ['Calculating single loss expectancy involves multiplying the asset value by the exposure factor, while annual rate of occurrence can be estimated using historical data and industry reports.', "An effective method to estimate the annual rate of occurrence is to analyze previous years' losses and utilize industry reports to determine the norm for the industry and business size.", 'Emphasizing the importance of making informed estimates using historical data and industry reports, rather than relying on random guesses or arbitrary numbers.']}, {'end': 1881.875, 'start': 1700.92, 'title': 'Calculating annualized loss expectancy', 'summary': 'Explains the process of calculating annualized loss expectancy (ale) and its importance in determining the cost effectiveness of mitigating controls, using concrete examples and formulas involving single loss expectancy (sle), annual rate of occurrence (aro), and exposure factor.', 'duration': 180.955, 'highlights': ['The annualized loss expectancy (ALE) is calculated by multiplying the single loss expectancy (SLE) with the annual rate of occurrence (ARO), helping to assess the cost effectiveness of mitigating controls.', 'Concrete examples and formulas are used to illustrate the cost effectiveness of mitigating controls, where the potential loss and the cost of mitigation measures are compared to determine their viability.', 'The value of the asset multiplied by the exposure factor yields the 
single loss expectancy (SLE), representing the expected loss in the event of a single loss.', 'The concept of risk is explained as the product of the probability of an event occurring and the cost associated with that event, emphasizing the importance of using concrete numbers for accurate estimations.', 'The chapter emphasizes the use of statistical averages, past performance, and industry reports to estimate the annual rate of occurrence (ARO) and the annualized loss expectancy (ALE).']}], 'duration': 301.581, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE1580294.jpg', 'highlights': ['The annualized loss expectancy (ALE) is calculated by multiplying the single loss expectancy (SLE) with the annual rate of occurrence (ARO), helping to assess the cost effectiveness of mitigating controls.', "An effective method to estimate the annual rate of occurrence is to analyze previous years' losses and utilize industry reports to determine the norm for the industry and business size.", 'The value of the asset multiplied by the exposure factor yields the single loss expectancy (SLE), representing the expected loss in the event of a single loss.', 'Emphasizing the importance of making informed estimates using historical data and industry reports, rather than relying on random guesses or arbitrary numbers.', 'The chapter emphasizes the use of statistical averages, past performance, and industry reports to estimate the annual rate of occurrence (ARO) and the annualized loss expectancy (ALE).', 'Calculating single loss expectancy involves multiplying the asset value by the exposure factor, while annual rate of occurrence can be estimated using historical data and industry reports.', 'Concrete examples and formulas are used to illustrate the cost effectiveness of mitigating controls, where the potential loss and the cost of mitigation measures are compared to determine their viability.', 'The concept of risk is explained 
as the product of the probability of an event occurring and the cost associated with that event, emphasizing the importance of using concrete numbers for accurate estimations.']}, {'end': 2330.576, 'segs': [{'end': 1971.104, 'src': 'embed', 'start': 1882.315, 'weight': 0, 'content': [{'end': 1884.717, 'text': 'In other words, this is how you calculate risk.', 'start': 1882.315, 'duration': 2.402}, {'end': 1887.94, 'text': 'Risk should have as little guessing as possible.', 'start': 1885.318, 'duration': 2.622}, {'end': 1895.562, 'text': 'The risk-based audit approach is simply based on the concept of determining which areas should be audited based on the level of risk.', 'start': 1888.817, 'duration': 6.745}, {'end': 1903.048, 'text': "The things we've already talked about, including the formulas we just looked at, are how you decide the level of risk.", 'start': 1896.002, 'duration': 7.046}, {'end': 1913.416, 'text': "Now, once you've looked at a risk and you've looked at controls, even added or enhanced controls, you have not totally eliminated risks.", 'start': 1904.569, 'duration': 8.847}, {'end': 1916.538, 'text': "There is some risk left over, and that's called residual risk.", 'start': 1913.796, 'duration': 2.742}, {'end': 1922.889, 'text': "Now, how much residual risk is okay? 
Well, that depends on the management's risk appetite.", 'start': 1917.321, 'duration': 5.568}, {'end': 1932.161, 'text': "So the goal of an audit is to make sure mitigating controls, reduce risk, take that residual risk down to a level that's acceptable to management.", 'start': 1923.569, 'duration': 8.592}, {'end': 1936.157, 'text': 'We have another risk, risks in the audit itself.', 'start': 1933.695, 'duration': 2.462}, {'end': 1938.058, 'text': "These aren't risks from outside threats.", 'start': 1936.237, 'duration': 1.821}, {'end': 1943.601, 'text': "These are risks, for example, your report might contain an error, an error that's material.", 'start': 1938.558, 'duration': 5.043}, {'end': 1947.744, 'text': "A simple typo isn't what we're concerned about, although those certainly look bad.", 'start': 1944.182, 'duration': 3.562}, {'end': 1950.266, 'text': "We're concerned about an error that's material.", 'start': 1948.204, 'duration': 2.062}, {'end': 1954.749, 'text': 'This can be through some mistake in your reporting or auditing process.', 'start': 1951.186, 'duration': 3.563}, {'end': 1961.533, 'text': "Or it's possible that an audit might not detect a specific threat, risk, or vulnerability.", 'start': 1955.769, 'duration': 5.764}, {'end': 1966.141, 'text': 'that audit risk that something might be undetected is very important.', 'start': 1962.259, 'duration': 3.882}, {'end': 1971.104, 'text': 'Now, risk assessment.', 'start': 1969.883, 'duration': 1.221}], 'summary': 'Risk-based audit approach aims to reduce residual risk to an acceptable level for management, addressing internal and external threats.', 'duration': 88.789, 'max_score': 1882.315, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE1882315.jpg'}, {'end': 2041.034, 'src': 'embed', 'start': 1997.47, 'weight': 1, 'content': [{'end': 2005.513, 'text': 'What are the objectives and risk tolerance for this organization? 
Risk assessments have to be carried out regularly because things change.', 'start': 1997.47, 'duration': 8.043}, {'end': 2007.234, 'text': 'The risk environment change.', 'start': 2006.033, 'duration': 1.201}, {'end': 2009.425, 'text': 'Regulatory requirements change.', 'start': 2007.904, 'duration': 1.521}, {'end': 2010.805, 'text': 'Legal requirements change.', 'start': 2009.545, 'duration': 1.26}, {'end': 2013.446, 'text': 'The risk appetite of a business may change.', 'start': 2011.325, 'duration': 2.121}, {'end': 2018.268, 'text': "So it's not adequate to base your audit on a really old risk assessment.", 'start': 2014.047, 'duration': 4.221}, {'end': 2023.531, 'text': 'The risk assessment should either immediately precede your audit or very soon before your audit.', 'start': 2018.689, 'duration': 4.842}, {'end': 2029.733, 'text': "Once you've identified a risk.", 'start': 2027.872, 'duration': 1.861}, {'end': 2036.316, 'text': 'while we may have dozens and hundreds of different technological answers, all risk treatment comes down to four categories.', 'start': 2029.733, 'duration': 6.583}, {'end': 2041.034, 'text': 'The first is risk mitigation, and this is by far the most common.', 'start': 2037.489, 'duration': 3.545}], 'summary': 'Regular risk assessments needed for changing risk environment and regulatory requirements. 
risk treatment falls into four categories.', 'duration': 43.564, 'max_score': 1997.47, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE1997470.jpg'}, {'end': 2284.715, 'src': 'embed', 'start': 2256.141, 'weight': 6, 'content': [{'end': 2261.324, 'text': 'You need to understand the specific part that IS plays in any given business process.', 'start': 2256.141, 'duration': 5.183}, {'end': 2263.345, 'text': 'Information system.', 'start': 2262.225, 'duration': 1.12}, {'end': 2271.322, 'text': 'auditing involves assessment of all the information system related controls, but also understanding those control objectives,', 'start': 2263.345, 'duration': 7.977}, {'end': 2275.226, 'text': 'which is why you need to understand the fundamental business processes.', 'start': 2271.322, 'duration': 3.904}, {'end': 2284.715, 'text': 'It also involves identifying key controls that help achieve a well-controlled environment as per particular standards.', 'start': 2276.367, 'duration': 8.348}], 'summary': 'Understanding is role in business processes and identifying key controls for a well-controlled environment.', 'duration': 28.574, 'max_score': 2256.141, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE2256141.jpg'}], 'start': 1882.315, 'title': 'Risk-based audit approach', 'summary': 'Explains the risk-based audit approach, including the calculation of risk, residual risk, and the significance of mitigating controls in reducing risk to an acceptable level for management. 
it also emphasizes the importance of regular risk assessments, the four categories of risk treatment, and the need for understanding fundamental business processes and information systems in is auditing.', 'chapters': [{'end': 1971.104, 'start': 1882.315, 'title': 'Risk-based audit approach', 'summary': 'Explains the risk-based audit approach, emphasizing the calculation of risk, residual risk, and the importance of mitigating controls in reducing risk to an acceptable level for management.', 'duration': 88.789, 'highlights': ['The risk-based audit approach is simply based on the concept of determining which areas should be audited based on the level of risk.', "Mitigating controls aim to reduce risk to a level that's acceptable to management.", "Residual risk exists even after adding or enhancing controls, and its acceptability depends on management's risk appetite.", 'Audit risks include the possibility of errors in reports that are material, as well as undetected threats, risks, or vulnerabilities.']}, {'end': 2330.576, 'start': 1972.105, 'title': 'Risk assessment and treatment', 'summary': 'Emphasizes the importance of regular risk assessments for organizations, the four categories of risk treatment - risk mitigation, acceptance, avoidance, and transfer, and the need for understanding fundamental business processes and information systems in is auditing.', 'duration': 358.471, 'highlights': ['The importance of regular risk assessments for organizations as the risk environment and regulatory requirements change.', 'The four categories of risk treatment - risk mitigation, acceptance, avoidance, and transfer.', 'The need for understanding fundamental business processes and information systems in IS auditing.']}], 'duration': 448.261, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE1882315.jpg', 'highlights': ["Mitigating controls aim to reduce risk to a level that's acceptable to management.", 'The 
importance of regular risk assessments for organizations as the risk environment and regulatory requirements change.', 'The risk-based audit approach is simply based on the concept of determining which areas should be audited based on the level of risk.', 'The four categories of risk treatment - risk mitigation, acceptance, avoidance, and transfer.', "Residual risk exists even after adding or enhancing controls, and its acceptability depends on management's risk appetite.", 'Audit risks include the possibility of errors in reports that are material, as well as undetected threats, risks, or vulnerabilities.', 'The need for understanding fundamental business processes and information systems in IS auditing.']}, {'end': 2617.681, 'segs': [{'end': 2407.031, 'src': 'embed', 'start': 2331.016, 'weight': 0, 'content': [{'end': 2336.223, 'text': "Whatever the particular business you're auditing, you need to understand what it is that business does.", 'start': 2331.016, 'duration': 5.207}, {'end': 2341.828, 'text': 'and what are the particular processes that are most critical to that business,', 'start': 2337.085, 'duration': 4.743}, {'end': 2350.553, 'text': "what information systems those processes use and then apply things that we've looked at in earlier lessons, such as risk assessment,", 'start': 2341.828, 'duration': 8.725}, {'end': 2358.818, 'text': "a risk assessment that's particular to the specific fundamental business processes for the organization that you're about to audit.", 'start': 2350.553, 'duration': 8.265}, {'end': 2364.441, 'text': 'Now, there are a few different ways of looking at and understanding a business better.', 'start': 2360.599, 'duration': 3.842}, {'end': 2369.077, 'text': 'The following few screens will show you a few of these methodologies.', 'start': 2365.535, 'duration': 3.542}, {'end': 2372.979, 'text': 'None of these do you have to memorize for the CESA exam.', 'start': 2369.737, 'duration': 3.242}, {'end': 2377.561, 'text': "And we 
won't cover them in any significant depth.", 'start': 2374.74, 'duration': 2.821}, {'end': 2383.124, 'text': 'You just need to basically identify what these frameworks or processes are.', 'start': 2378.141, 'duration': 4.983}, {'end': 2391.808, 'text': 'The Zachman framework is a common one used for defining an enterprise.', 'start': 2388.146, 'duration': 3.662}, {'end': 2397.903, 'text': 'There are two ways to classify an enterprise that are combined together in the Zachman framework.', 'start': 2392.659, 'duration': 5.244}, {'end': 2399.525, 'text': 'The first is very simple.', 'start': 2398.364, 'duration': 1.161}, {'end': 2401.186, 'text': 'What is the enterprise?', 'start': 2400.125, 'duration': 1.061}, {'end': 2402.627, 'text': 'How does it work?', 'start': 2401.867, 'duration': 0.76}, {'end': 2403.848, 'text': 'When does it work?', 'start': 2403.047, 'duration': 0.801}, {'end': 2405.61, 'text': "Who's involved?", 'start': 2404.649, 'duration': 0.961}, {'end': 2407.031, 'text': 'Where do they work?', 'start': 2406.27, 'duration': 0.761}], 'summary': 'Understanding critical business processes and information systems for effective auditing', 'duration': 76.015, 'max_score': 2331.016, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE2331016.jpg'}, {'end': 2509.308, 'src': 'embed', 'start': 2481.621, 'weight': 2, 'content': [{'end': 2487.104, 'text': 'but more focused on the risk associated with specific security architectures.', 'start': 2481.621, 'duration': 5.483}, {'end': 2497.526, 'text': 'The primary characteristic of this Sherwood applied business security architecture is that everything must be derived from an analysis of the business requirements for security.', 'start': 2487.824, 'duration': 9.702}, {'end': 2503.607, 'text': "So you look at what that business needs for security and see if that's being met.", 'start': 2498.006, 'duration': 5.601}, {'end': 2509.308, 'text': 'It also involves an 
ongoing what they call manage and measure phases of the life cycle.', 'start': 2504.947, 'duration': 4.361}], 'summary': 'Sherwood applied business security architecture emphasizes deriving security from business requirements and involves ongoing management and measurement.', 'duration': 27.687, 'max_score': 2481.621, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE2481621.jpg'}, {'end': 2548.636, 'src': 'embed', 'start': 2521.687, 'weight': 4, 'content': [{'end': 2530.572, 'text': 'I personally think that Sherwood applied business security architecture should be used in combination with Zachman to give you a more comprehensive understanding of the business.', 'start': 2521.687, 'duration': 8.885}, {'end': 2542.318, 'text': 'A third model you might consider, devised by Michael Bell, is the service-oriented modeling framework, often simply called SOMF.', 'start': 2535.354, 'duration': 6.964}, {'end': 2548.636, 'text': 'It allows you to model business and software systems to specify service orientation.', 'start': 2543.174, 'duration': 5.462}], 'summary': "Combining sherwood's business security architecture and zachman with somf can provide a comprehensive understanding of the business and software systems.", 'duration': 26.949, 'max_score': 2521.687, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE2521687.jpg'}], 'start': 2331.016, 'title': 'Understanding business processes and enterprise frameworks for auditing and security', 'summary': 'Emphasizes the importance of understanding fundamental business processes and information systems for auditing, along with risk assessment. 
it also discusses the application of enterprise frameworks such as zachman framework, sherwood applied business security architecture, and service-oriented modeling framework to enhance security measures.', 'chapters': [{'end': 2377.561, 'start': 2331.016, 'title': 'Understanding business processes for auditing', 'summary': 'Emphasizes the importance of understanding the fundamental business processes and information systems for auditing, and mentions the application of risk assessment specific to these processes.', 'duration': 46.545, 'highlights': ['Understanding fundamental business processes and the information systems they use is crucial for auditing.', 'Applying risk assessment tailored to the specific fundamental business processes is essential for effective auditing.', 'Different methodologies for understanding a business better will be briefly covered in the following screens, although not required for the CISA exam.']}, {'end': 2617.681, 'start': 2378.141, 'title': 'Enterprise frameworks and security models', 'summary': 'Discusses the zachman framework, sherwood applied business security architecture, and service-oriented modeling framework, emphasizing their applications in understanding enterprise processes and enhancing security measures.', 'duration': 239.54, 'highlights': ['The Sherwood Applied Business Security Architecture focuses on security from a risk-driven perspective and emphasizes deriving security measures from business requirements.', 'The Zachman framework is used for defining an enterprise and classifies it based on specific business elements, representation, specification, configuration, and instantiation.', 'The Service-Oriented Modeling Framework (SOMF) allows modeling of business and software systems to specify service orientation and can be used in combination with other architectural approaches.', 'The goal is to be aware of these frameworks as tools to understand underlying businesses and not necessarily memorize each of 
them.']}], 'duration': 286.665, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE2331016.jpg', 'highlights': ['Understanding fundamental business processes and the information systems is crucial for auditing.', 'Applying risk assessment tailored to specific fundamental business processes is essential for effective auditing.', 'The Sherwood Applied Business Security Architecture focuses on security from a risk-driven perspective.', 'The Zachman framework classifies an enterprise based on specific business elements.', 'The Service-Oriented Modeling Framework (SOMF) allows modeling of business and software systems.']}, {'end': 3175.143, 'segs': [{'end': 2711.354, 'src': 'heatmap', 'start': 2654.662, 'weight': 0.855, 'content': [{'end': 2662.215, 'text': 'understand the different types of controls and how they function, and you can explain how those control principles relate to information systems.', 'start': 2654.662, 'duration': 7.553}, {'end': 2669.708, 'text': "Primarily we're concerned with internal controls.", 'start': 2667.486, 'duration': 2.222}, {'end': 2680.296, 'text': 'External controls would be laws and regulations that are external to a particular enterprise but do impact how they handle information security in their information systems.', 'start': 2670.428, 'duration': 9.868}, {'end': 2689.703, 'text': "But internal controls are the enterprise's own internal processes that have been implemented to achieve specific objectives while minimizing risk.", 'start': 2680.876, 'duration': 8.827}, {'end': 2693.006, 'text': 'They comprise the enterprise structures.', 'start': 2690.804, 'duration': 2.202}, {'end': 2698.826, 'text': 'procedures, policies, and practices that have been implemented to lower the level of risk in an enterprise.', 'start': 2693.663, 'duration': 5.163}, {'end': 2711.354, 'text': 'Now. 
that includes everything from information technology projects such as intrusion detection system, anti-malware, to policies, to training,', 'start': 2699.406, 'duration': 11.948}], 'summary': 'Internal controls, such as procedures and policies, minimize risk in enterprises, including information technology projects and training.', 'duration': 56.692, 'max_score': 2654.662, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE2654662.jpg'}, {'end': 2711.354, 'src': 'embed', 'start': 2680.876, 'weight': 1, 'content': [{'end': 2689.703, 'text': "But internal controls are the enterprise's own internal processes that have been implemented to achieve specific objectives while minimizing risk.", 'start': 2680.876, 'duration': 8.827}, {'end': 2693.006, 'text': 'They comprise the enterprise structures.', 'start': 2690.804, 'duration': 2.202}, {'end': 2698.826, 'text': 'procedures, policies, and practices that have been implemented to lower the level of risk in an enterprise.', 'start': 2693.663, 'duration': 5.163}, {'end': 2711.354, 'text': 'Now. 
that includes everything from information technology projects such as intrusion detection system, anti-malware, to policies, to training,', 'start': 2699.406, 'duration': 11.948}], 'summary': 'Internal controls are implemented to minimize risk in an enterprise, including it projects and policies.', 'duration': 30.478, 'max_score': 2680.876, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE2680876.jpg'}, {'end': 2894.706, 'src': 'heatmap', 'start': 2749.032, 'weight': 0.732, 'content': [{'end': 2752.714, 'text': 'By implementing this control what can be attained or what can be evaded?', 'start': 2749.032, 'duration': 3.682}, {'end': 2754.594, 'text': 'What can be attained?', 'start': 2753.714, 'duration': 0.88}, {'end': 2759.456, 'text': "Let's take, for example, manual spot checks of source code.", 'start': 2754.654, 'duration': 4.802}, {'end': 2765.379, 'text': 'Someone reviews source code before the project is compiled and distributed throughout the organization.', 'start': 2759.597, 'duration': 5.782}, {'end': 2769.581, 'text': 'What can be attained by that? Well, first and foremost, better quality of software.', 'start': 2765.719, 'duration': 3.862}, {'end': 2774.603, 'text': 'We can look and see that all the basic software procedures were implemented correctly.', 'start': 2770.021, 'duration': 4.582}, {'end': 2780.135, 'text': 'What can be evaded? 
Well, at least some of the more obvious bugs will be evaded through this process.', 'start': 2775.472, 'duration': 4.663}, {'end': 2783.997, 'text': 'Internal controls and procedures have two categories.', 'start': 2781.095, 'duration': 2.902}, {'end': 2786.258, 'text': 'The general control procedures.', 'start': 2784.577, 'duration': 1.681}, {'end': 2792.642, 'text': 'Previously, we mentioned having a second party authorized payments over a certain level.', 'start': 2786.959, 'duration': 5.683}, {'end': 2794.283, 'text': "Well, that's a business control.", 'start': 2792.982, 'duration': 1.301}, {'end': 2797.405, 'text': "That's a general control for the entire enterprise.", 'start': 2794.323, 'duration': 3.082}, {'end': 2801.007, 'text': 'It may or may not be implemented through technology.', 'start': 2797.765, 'duration': 3.242}, {'end': 2808.941, 'text': 'Information system control procedures regard control procedures directly related to your information systems.', 'start': 2802.498, 'duration': 6.443}, {'end': 2813.482, 'text': 'How do we secure databases, web servers, and that sort of thing.', 'start': 2809.401, 'duration': 4.081}, {'end': 2820.725, 'text': 'All internal controls fall into one of three categories.', 'start': 2817.584, 'duration': 3.141}, {'end': 2825.227, 'text': 'Preventative controls, corrective controls, and detective controls.', 'start': 2821.386, 'duration': 3.841}, {'end': 2831.91, 'text': 'Preventatives stop something before it occurs.', 'start': 2829.609, 'duration': 2.301}, {'end': 2836.072, 'text': 'locking an office to prevent unauthorized access.', 'start': 2832.868, 'duration': 3.204}, {'end': 2838.275, 'text': 'using RSA tokens.', 'start': 2836.072, 'duration': 2.203}, {'end': 2847.246, 'text': 'encrypting a hard drive to prevent someone from viewing files using a virtual private network to prevent eavesdroppers from monitoring your communication.', 'start': 2838.275, 'duration': 8.971}, {'end': 2858.37, 'text': 'Corrective 
controls are meant to either minimize or actually correct when a problem occurs.', 'start': 2852.526, 'duration': 5.844}, {'end': 2860.251, 'text': 'For example, data backup.', 'start': 2858.83, 'duration': 1.421}, {'end': 2864.494, 'text': 'You can put the data back to where it was and correct the situation.', 'start': 2860.331, 'duration': 4.163}, {'end': 2873.42, 'text': 'Detective controls help you learn that something negative has occurred.', 'start': 2869.577, 'duration': 3.843}, {'end': 2877.082, 'text': 'Now these can be things that are physical or information security.', 'start': 2873.82, 'duration': 3.262}, {'end': 2885.817, 'text': "In the information security realm, you're probably thinking of things like automated systems, intrusion detection systems, and things of that nature.", 'start': 2877.648, 'duration': 8.169}, {'end': 2894.706, 'text': 'But something as simple as a physical access log, an audit trail, access control list to server room.', 'start': 2886.297, 'duration': 8.409}], 'summary': 'Implementing control procedures can achieve better software quality and evade obvious bugs, with internal controls falling into general and information system categories, including preventative, corrective, and detective controls.', 'duration': 145.674, 'max_score': 2749.032, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE2749032.jpg'}, {'end': 2939.82, 'src': 'embed', 'start': 2900.543, 'weight': 0, 'content': [{'end': 2905.749, 'text': "Now it's not the case that any one of these three types of controls is more important than the other.", 'start': 2900.543, 'duration': 5.206}, {'end': 2910.814, 'text': 'A good system has to have preventative, corrective, and detective controls.', 'start': 2906.37, 'duration': 4.444}, {'end': 2916.501, 'text': "And during your audit, you need to ensure that all three are in place to support the enterprise's objectives.", 'start': 2911.255, 'duration': 5.246}, {'end': 
2930.491, 'text': 'Now IS control objectives are top level requirements that management sets for adequate control of each IT process.', 'start': 2922.844, 'duration': 7.647}, {'end': 2933.354, 'text': 'IS. control objectives are, first of all,', 'start': 2931.312, 'duration': 2.042}, {'end': 2939.82, 'text': 'a statement of the preferred purpose or result to be attained by applying controls to particular information systems.', 'start': 2933.354, 'duration': 6.466}], 'summary': 'A good system requires preventative, corrective, and detective controls to support enterprise objectives, with is control objectives setting top level requirements.', 'duration': 39.277, 'max_score': 2900.543, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE2900543.jpg'}, {'end': 3083.647, 'src': 'embed', 'start': 3012.13, 'weight': 3, 'content': [{'end': 3016.712, 'text': 'For example, ensure the integrity of the system, for example, an operating system.', 'start': 3012.13, 'duration': 4.582}, {'end': 3023.334, 'text': 'Ensure the integrity of sensitive and critical application systems, your financial data, your customer data.', 'start': 3017.792, 'duration': 5.542}, {'end': 3025.936, 'text': 'Safeguard your assets.', 'start': 3024.835, 'duration': 1.101}, {'end': 3029.217, 'text': 'That includes physical assets as well as technology assets.', 'start': 3026.336, 'duration': 2.881}, {'end': 3033.36, 'text': 'Ensure the effectiveness and efficiency of operations.', 'start': 3030.419, 'duration': 2.941}, {'end': 3036.161, 'text': "It's not enough that things work, they have to work well.", 'start': 3033.84, 'duration': 2.321}, {'end': 3040.082, 'text': 'Ensure proper authentication processes for users.', 'start': 3037.321, 'duration': 2.761}, {'end': 3043.323, 'text': 'This is a critical part of information system security.', 'start': 3040.562, 'duration': 2.761}, {'end': 3051.626, 'text': 'Ensure the availability of any given service, 
and this is accomplished through disaster recovery planning and business continuity planning.', 'start': 3044.783, 'duration': 6.843}, {'end': 3059.308, 'text': 'There are other knowledge objectives later on in this course which will cover disaster recovery and business continuity in much more detail.', 'start': 3052.266, 'duration': 7.042}, {'end': 3067.779, 'text': "Information system control procedures include all of the following, and let's talk briefly about each of these.", 'start': 3062.876, 'duration': 4.903}, {'end': 3070.9, 'text': 'Strategy and direction of the IT function.', 'start': 3068.559, 'duration': 2.341}, {'end': 3074.582, 'text': 'What are we trying to accomplish with this specific function??', 'start': 3071.581, 'duration': 3.001}, {'end': 3077.604, 'text': 'How does it integrate with the organizational goals??', 'start': 3074.983, 'duration': 2.621}, {'end': 3083.647, 'text': 'It sometimes occurs that enterprise goals change and technology changes,', 'start': 3078.564, 'duration': 5.083}], 'summary': 'Ensure system integrity, safeguard assets, and optimize operations for effective it function and disaster recovery planning.', 'duration': 71.517, 'max_score': 3012.13, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE3012130.jpg'}, {'end': 3161.121, 'src': 'embed', 'start': 3128.367, 'weight': 7, 'content': [{'end': 3129.248, 'text': 'How is it organized?', 'start': 3128.367, 'duration': 0.881}, {'end': 3134.372, 'text': 'Are there operation procedures in place that support enterprise objectives?', 'start': 3130.609, 'duration': 3.763}, {'end': 3137.734, 'text': 'Are there appropriate physical access controls?', 'start': 3135.652, 'duration': 2.082}, {'end': 3148.162, 'text': "If a database is involved and it usually is with an information system is database administration done in a way that's consistent with enterprise objectives?", 'start': 3139.075, 'duration': 9.087}, {'end': 3152.115, 
'text': 'What about access to IT programs, data and resources?', 'start': 3149.053, 'duration': 3.062}, {'end': 3154.097, 'text': 'Is it controlled appropriately?', 'start': 3152.595, 'duration': 1.502}, {'end': 3161.121, 'text': 'Are there appropriate system programming and system support departments to support the enterprise objectives?', 'start': 3155.077, 'duration': 6.044}], 'summary': 'Assess if enterprise procedures support objectives and control access appropriately.', 'duration': 32.754, 'max_score': 3128.367, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE3128367.jpg'}], 'start': 2618.122, 'title': 'Cisa knowledge on control principles and information system control procedures', 'summary': 'Explains cisa knowledge statement 1.4 on control principles related to information systems, covering internal controls, types of controls, and control objectives, emphasizing the importance of preventative, corrective, and detective controls. 
it also covers the importance of ensuring system integrity, safeguarding assets, ensuring effectiveness and efficiency of operations, proper authentication processes, availability of services through disaster recovery planning, and information system control procedures.', 'chapters': [{'end': 3011.59, 'start': 2618.122, 'title': 'Cisa knowledge on control principles', 'summary': 'Explains the cisa knowledge statement 1.4 on control principles related to information systems, covering internal controls, types of controls, and control objectives, emphasizing the importance of preventative, corrective, and detective controls.', 'duration': 393.468, 'highlights': ["The chapter emphasizes the importance of preventative, corrective, and detective controls in information systems, highlighting that a good system needs all three types of controls to support the enterprise's objectives.", 'The chapter explains that internal controls include enterprise structures, procedures, policies, and practices, both manual and automated, meant to minimize risk and achieve specific objectives within the enterprise.', 'The chapter defines IS control objectives as top-level requirements that management sets for adequate control of each IT process, including procedures, policies, organizational structures, and practices intended to reasonably assure that enterprise objectives will be achieved while undesired events are detected, corrected, or prevented.']}, {'end': 3175.143, 'start': 3012.13, 'title': 'Information system control procedures', 'summary': 'Covers the importance of ensuring system integrity, safeguarding assets, ensuring effectiveness and efficiency of operations, proper authentication processes, availability of services through disaster recovery planning, and information system control procedures.', 'duration': 163.013, 'highlights': ['Ensuring the effectiveness and efficiency of operations, including safeguarding physical and technology assets and the integrity of critical 
application systems.', 'Proper authentication processes for users are critical for information system security.', 'The availability of services is ensured through disaster recovery planning and business continuity planning.', 'Information system control procedures cover various aspects such as the strategy and direction of the IT function, system development procedures, quality assurance processes, communication network security, and general organization and management of the IT function.', 'Ensuring appropriate physical access controls, database administration, access to IT programs, data, and resources, and system programming and support departments to support enterprise objectives are essential for effective information system control procedures.']}], 'duration': 557.021, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE2618122.jpg', 'highlights': ["The chapter emphasizes the importance of preventative, corrective, and detective controls in information systems, highlighting that a good system needs all three types of controls to support the enterprise's objectives.", 'The chapter explains that internal controls include enterprise structures, procedures, policies, and practices, both manual and automated, meant to minimize risk and achieve specific objectives within the enterprise.', 'The chapter defines IS control objectives as top-level requirements that management sets for adequate control of each IT process, including procedures, policies, organizational structures, and practices intended to reasonably assure that enterprise objectives will be achieved while undesired events are detected, corrected, or prevented.', 'Ensuring the effectiveness and efficiency of operations, including safeguarding physical and technology assets and the integrity of critical application systems.', 'Proper authentication processes for users are critical for information system security.', 'The availability of services is 
ensured through disaster recovery planning and business continuity planning.', 'Information system control procedures cover various aspects such as the strategy and direction of the IT function, system development procedures, quality assurance processes, communication network security, and general organization and management of the IT function.', 'Ensuring appropriate physical access controls, database administration, access to IT programs, data, and resources, and system programming and support departments to support enterprise objectives are essential for effective information system control procedures.']}, {'end': 3786.794, 'segs': [{'end': 3201.489, 'src': 'embed', 'start': 3175.743, 'weight': 1, 'content': [{'end': 3182.385, 'text': 'All of these questions need to be addressed when looking at each and every IS control during the course of your audit.', 'start': 3175.743, 'duration': 6.642}, {'end': 3191.089, 'text': 'An audit work program represents your audit plan and strategy.', 'start': 3187.807, 'duration': 3.282}, {'end': 3193.269, 'text': 'It has procedure, scope, and objectives.', 'start': 3191.409, 'duration': 1.86}, {'end': 3201.489, 'text': "It's basically a guide for documenting the various steps you take during the audit, the type and extent of evidentiary matters reviewed.", 'start': 3193.95, 'duration': 7.539}], 'summary': 'An audit work program outlines audit plan, strategy, and evidentiary matters.', 'duration': 25.746, 'max_score': 3175.743, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE3175743.jpg'}, {'end': 3248.304, 'src': 'embed', 'start': 3223.131, 'weight': 0, 'content': [{'end': 3228.617, 'text': 'You always assess risks first and you develop your audit program in light of those risks.', 'start': 3223.131, 'duration': 5.486}, {'end': 3232.181, 'text': 'You also have objectives and procedures.', 'start': 3230.019, 'duration': 2.162}, {'end': 3235.205, 'text': 'Recall Guidance 5 
that we looked at in an earlier lesson.', 'start': 3232.261, 'duration': 2.944}, {'end': 3240.458, 'text': 'Once you have your plan, you have to obtain and evaluate evidence.', 'start': 3236.955, 'duration': 3.503}, {'end': 3242.239, 'text': "It's all about evidence.", 'start': 3241.058, 'duration': 1.181}, {'end': 3248.304, 'text': "You don't have any preconceived notions about whether or not a control is meeting the objectives.", 'start': 3242.76, 'duration': 5.544}], 'summary': 'Audit program based on risk assessment, recall guidance 5, focus on obtaining and evaluating evidence.', 'duration': 25.173, 'max_score': 3223.131, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE3223131.jpg'}, {'end': 3323.671, 'src': 'heatmap', 'start': 3272.195, 'weight': 0.753, 'content': [{'end': 3274.256, 'text': 'Or do those negative conditions still exist??', 'start': 3272.195, 'duration': 2.061}, {'end': 3275.537, 'text': "That's very important.", 'start': 3274.696, 'duration': 0.841}, {'end': 3285.719, 'text': 'Audit methodology are the standard audit procedures that are used to obtain the objectives of the audit.', 'start': 3280.535, 'duration': 5.184}, {'end': 3293.566, 'text': 'This is a documented approach for performing the audit in a continuous recurring manner in order to achieve the planned audit objectives.', 'start': 3286.24, 'duration': 7.326}, {'end': 3300.952, 'text': 'Audit methodology always has a scope of the audit, the audit objectives, and the work programs we previously mentioned.', 'start': 3294.286, 'duration': 6.666}, {'end': 3311.567, 'text': 'That concludes Knowledge Statement 1.4.', 'start': 3302.093, 'duration': 9.474}, {'end': 3323.671, 'text': 'CISA Knowledge Statement 1.5 Knowledge of risk-based audit planning and audit project management techniques, including follow-up.', 'start': 3311.567, 'duration': 12.104}], 'summary': 'Audit methodology includes standard procedures to achieve objectives. 
cisa knowledge statement 1.5 emphasizes risk-based audit planning and project management.', 'duration': 51.476, 'max_score': 3272.195, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE3272195.jpg'}, {'end': 3366.7, 'src': 'embed', 'start': 3334.934, 'weight': 2, 'content': [{'end': 3339.015, 'text': "As you already realize, it's usually not possible, or at least not practical,", 'start': 3334.934, 'duration': 4.081}, {'end': 3345.29, 'text': 'to audit every single function of every single IS that you have in the organization.', 'start': 3339.707, 'duration': 5.583}, {'end': 3354.414, 'text': 'All of your information systems are very complex and checking each and every control in each and every possible scenario is usually impractical.', 'start': 3345.53, 'duration': 8.884}, {'end': 3359.737, 'text': "Risk-based audit planning starts with identifying the key enterprises' risks.", 'start': 3355.375, 'duration': 4.362}, {'end': 3366.7, 'text': 'What are the risks that are particularly important to this enterprise? In other words, a risk analysis has been conducted.', 'start': 3360.437, 'duration': 6.263}], 'summary': 'Auditing every single function of every is is impractical. risk-based audit planning involves identifying key enterprise risks through risk analysis.', 'duration': 31.766, 'max_score': 3334.934, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE3334934.jpg'}, {'end': 3466.832, 'src': 'heatmap', 'start': 3414.6, 'weight': 0.701, 'content': [{'end': 3420.482, 'text': "You also need to understand the flow of these transactions and how they're captured in information systems.", 'start': 3414.6, 'duration': 5.882}, {'end': 3425.924, 'text': "Remember, our focus is information system auditing, so it's not just the transactions.", 'start': 3421.022, 'duration': 4.902}, {'end': 3436.094, 'text': "but how are they processed within computer systems? 
There are four different risks we're concerned about.", 'start': 3426.547, 'duration': 9.547}, {'end': 3438.115, 'text': "Let's begin with inherent risk.", 'start': 3436.634, 'duration': 1.481}, {'end': 3446.862, 'text': 'Stated formally the probability of an error existing that might be material, assuming compensating controls do not exist.', 'start': 3438.976, 'duration': 7.886}, {'end': 3452.322, 'text': 'This exists irrespective of an audit and is contributed to by the nature of a business.', 'start': 3447.719, 'duration': 4.603}, {'end': 3458.987, 'text': 'Put another way, certain businesses have certain risks that are just part of how they do business.', 'start': 3453.003, 'duration': 5.984}, {'end': 3466.832, 'text': "If your business routinely takes in paper checks, then there's always the chance of fraudulent checks or insufficient funds.", 'start': 3459.607, 'duration': 7.225}], 'summary': 'Information system auditing focuses on understanding and managing inherent risks in business transactions.', 'duration': 52.232, 'max_score': 3414.6, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE3414600.jpg'}, {'end': 3452.322, 'src': 'embed', 'start': 3426.547, 'weight': 3, 'content': [{'end': 3436.094, 'text': "but how are they processed within computer systems? 
There are four different risks we're concerned about.", 'start': 3426.547, 'duration': 9.547}, {'end': 3438.115, 'text': "Let's begin with inherent risk.", 'start': 3436.634, 'duration': 1.481}, {'end': 3446.862, 'text': 'Stated formally the probability of an error existing that might be material, assuming compensating controls do not exist.', 'start': 3438.976, 'duration': 7.886}, {'end': 3452.322, 'text': 'This exists irrespective of an audit and is contributed to by the nature of a business.', 'start': 3447.719, 'duration': 4.603}], 'summary': 'Computer systems process risks: 4 types, starting with inherent risk.', 'duration': 25.775, 'max_score': 3426.547, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE3426547.jpg'}, {'end': 3522.647, 'src': 'embed', 'start': 3478.7, 'weight': 4, 'content': [{'end': 3486.986, 'text': 'that is a probability that a material error exists which will not be prevented or detected in a timely basis by the system of internal controls.', 'start': 3478.7, 'duration': 8.286}, {'end': 3497.213, 'text': "Put another way you either lack the appropriate controls to detect an issue, or the controls won't detect it in time, or there is some issue,", 'start': 3487.566, 'duration': 9.647}, {'end': 3502.377, 'text': 'some difference between what you would like the control to do and what it actually accomplishes.', 'start': 3497.213, 'duration': 5.164}, {'end': 3504.614, 'text': 'Then we have detection risk.', 'start': 3503.353, 'duration': 1.261}, {'end': 3506.795, 'text': 'Now this is very important to the auditor.', 'start': 3504.654, 'duration': 2.141}, {'end': 3517.383, 'text': 'Put formally the probability that the information system auditor used inadequate checks and surmises that material errors are absent when in fact they are present.', 'start': 3507.556, 'duration': 9.827}, {'end': 3522.647, 'text': 'Put much more succinctly and simply, the chance that you, the auditor, missed 
something.', 'start': 3518.144, 'duration': 4.503}], 'summary': 'Probability of material errors going undetected by controls and auditors.', 'duration': 43.947, 'max_score': 3478.7, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE3478700.jpg'}, {'end': 3758.292, 'src': 'heatmap', 'start': 3605.778, 'weight': 0.979, 'content': [{'end': 3617.024, 'text': "we have an overall audit risk for that specific control being the application firewall that's there to help prevent attacks on a very specific business process,", 'start': 3605.778, 'duration': 11.246}, {'end': 3618.444, 'text': 'the e-commerce transactions.', 'start': 3617.024, 'duration': 1.42}, {'end': 3630.331, 'text': 'Gap analysis, now this term has been used in marketing and other areas to mean something a little different than what we mean here.', 'start': 3623.887, 'duration': 6.444}, {'end': 3632.516, 'text': 'Here we really have two issues.', 'start': 3631.075, 'duration': 1.441}, {'end': 3634.857, 'text': 'We have a product gap and a usage gap.', 'start': 3632.956, 'duration': 1.901}, {'end': 3636.738, 'text': "Let's start with usage gap.", 'start': 3635.477, 'duration': 1.261}, {'end': 3646.122, 'text': 'In a usage gap issue, you have a control that if used totally properly, would be an adequate control.', 'start': 3637.598, 'duration': 8.524}, {'end': 3653.905, 'text': 'But either the control is not implemented, or the control is not properly configured, or is not being properly used.', 'start': 3646.662, 'duration': 7.243}, {'end': 3661.261, 'text': 'There is some gap between the potential that control has to mitigate risk and the actual use of the control.', 'start': 3653.945, 'duration': 7.316}, {'end': 3667.062, 'text': "Now a product gap is when there's some issue, the product itself is missing something.", 'start': 3662.321, 'duration': 4.741}, {'end': 3670.183, 'text': "It's unable to fully meet your control needs.", 'start': 3667.523, 
'duration': 2.66}, {'end': 3678.785, 'text': "That's actually fairly common, which is why most security situations require multiple controls to address specific issues.", 'start': 3670.783, 'duration': 8.002}, {'end': 3687.626, 'text': 'Now when doing your risk-based audit, there are some definitions you need to have in mind.', 'start': 3683.584, 'duration': 4.042}, {'end': 3689.688, 'text': 'Target of evaluation.', 'start': 3688.387, 'duration': 1.301}, {'end': 3695.851, 'text': 'This is the particular information security deliverable, the object for which assurances are made.', 'start': 3690.368, 'duration': 5.483}, {'end': 3703.696, 'text': "What is it you're testing? Assurance activities are the things you use to test, the methods of testing.", 'start': 3696.251, 'duration': 7.445}, {'end': 3705.857, 'text': "We'll discuss those at length later on.", 'start': 3704.056, 'duration': 1.801}, {'end': 3707.878, 'text': 'The security target.', 'start': 3706.837, 'duration': 1.041}, {'end': 3714.141, 'text': 'These are the security specifications and requirements that you use to test the target of evaluation.', 'start': 3708.516, 'duration': 5.625}, {'end': 3724.892, 'text': 'Put another way, assurance activities check a target of evaluation to discover whether or not that target of evaluation has met the security targets.', 'start': 3714.742, 'duration': 10.15}, {'end': 3731.418, 'text': "A security protection profile is similar to a security target, but it's broader in scope.", 'start': 3726.273, 'duration': 5.145}, {'end': 3733.56, 'text': "It's not about a specific deliverable.", 'start': 3731.818, 'duration': 1.742}, {'end': 3738.716, 'text': "but it's more about general security needs of a given business or group.", 'start': 3734.633, 'duration': 4.083}, {'end': 3746.963, 'text': 'There are some risk-based audit definitions you need to be familiar with.', 'start': 3743.58, 'duration': 3.383}, {'end': 3752.388, 'text': "We've used some of these terms already and 
I believe you probably know what they mean, but let's just make sure.", 'start': 3747.664, 'duration': 4.724}, {'end': 3758.292, 'text': "What is a control? I think we addressed this in earlier lessons, but let's be clear again.", 'start': 3753.469, 'duration': 4.823}], 'summary': 'Audit identifies gaps in application firewall usage and product, using risk-based approach.', 'duration': 152.514, 'max_score': 3605.778, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE3605778.jpg'}, {'end': 3695.851, 'src': 'embed', 'start': 3670.783, 'weight': 6, 'content': [{'end': 3678.785, 'text': "That's actually fairly common, which is why most security situations require multiple controls to address specific issues.", 'start': 3670.783, 'duration': 8.002}, {'end': 3687.626, 'text': 'Now when doing your risk-based audit, there are some definitions you need to have in mind.', 'start': 3683.584, 'duration': 4.042}, {'end': 3689.688, 'text': 'Target of evaluation.', 'start': 3688.387, 'duration': 1.301}, {'end': 3695.851, 'text': 'This is the particular information security deliverable, the object for which assurances are made.', 'start': 3690.368, 'duration': 5.483}], 'summary': 'Multiple controls needed for common security situations in risk-based audit.', 'duration': 25.068, 'max_score': 3670.783, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE3670783.jpg'}], 'start': 3175.743, 'title': 'Audit methodology and information system auditing', 'summary': 'Discusses the importance of audit work programs, risk-based audit planning, and project management techniques, emphasizing the need to assess risks, obtain and evaluate evidence, and follow-up on corrective actions. 
It also covers the risks involved in information system auditing, including inherent risk, control risk, and detection risk, and explains the concept of gap analysis and risk-based audit definitions.', 'chapters': [{'end': 3399.955, 'start': 3175.743, 'title': 'CISA audit methodology', 'summary': 'Discusses the importance of audit work programs, risk-based audit planning, and project management techniques, emphasizing the need to assess risks, obtain and evaluate evidence, and follow-up on corrective actions.', 'duration': 224.212, 'highlights': ['Audit work program represents the audit plan and strategy, providing a guide for documenting steps, type and extent of evidentiary matters reviewed, and ensuring accountability for performance.', 'Importance of obtaining and evaluating evidence in auditing, focusing on determining the strengths and weaknesses of controls without preconceived notions.', "Significance of risk-based audit planning, which starts with identifying key enterprise risks and understanding the organization's business, control objectives, and transaction nature."]}, {'end': 3786.794, 'start': 3400.495, 'title': 'Information system auditing', 'summary': 'Discusses the risks involved in information system auditing, including inherent risk, control risk, and detection risk, and explains the concept of gap analysis and risk-based audit definitions.', 'duration': 386.299, 'highlights': ['The chapter introduces the concept of inherent risk, which is the probability of an error existing that might be material, assuming compensating controls do not exist, and gives examples like the chance of fraudulent checks or insufficient funds in businesses dealing with paper checks or the susceptibility of e-commerce websites to attacks such as SQL injections.', 'The chapter discusses control risk, which is the probability that a material error exists that will not be prevented or detected in a timely basis by the system of internal controls, and explains the 
potential issues related to lacking appropriate controls or the controls not detecting issues in time.', 'The chapter explains detection risk, highlighting its significance to auditors and the importance of using appropriate standards, tools, and techniques to combat it, emphasizing the chance that an auditor might miss something.', 'The chapter details the concept of gap analysis, distinguishing between usage gap and product gap, and explains the definitions of target of evaluation, assurance activities, security target, and security protection profile in the context of risk-based audit.']}], 'duration': 611.051, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE3175743.jpg', 'highlights': ['Importance of obtaining and evaluating evidence in auditing, focusing on determining the strengths and weaknesses of controls without preconceived notions.', 'Audit work program represents the audit plan and strategy, providing a guide for documenting steps, type and extent of evidentiary matters reviewed, and ensuring accountability for performance.', "Significance of risk-based audit planning, which starts with identifying key enterprise risks and understanding the organization's business, control objectives, and transaction nature.", 'The chapter introduces the concept of inherent risk, which is the probability of an error existing that might be material, assuming compensating controls do not exist, and gives examples like the chance of fraudulent checks or insufficient funds in businesses dealing with paper checks or the susceptibility of e-commerce websites to attacks such as SQL injections.', 'The chapter discusses control risk, which is the probability that a material error exists that will not be prevented or detected in a timely basis by the system of internal controls, and explains the potential issues related to lacking appropriate controls or the controls not detecting issues in time.', 'The chapter explains 
detection risk, highlighting its significance to auditors and the importance of using appropriate standards, tools, and techniques to combat it, emphasizing the chance that an auditor might miss something.', 'The chapter details the concept of gap analysis, distinguishing between usage gap and product gap, and explains the definitions of target of evaluation, assurance activities, security target, and security protection profile in the context of risk-based audit.']}, {'end': 4726.77, 'segs': [{'end': 3869.353, 'src': 'embed', 'start': 3848.121, 'weight': 1, 'content': [{'end': 3860.388, 'text': 'examining the controls that are put in place to mitigate those risks and then gathering evidence that will determine factually whether or not those controls meet their control objectives or not.', 'start': 3848.121, 'duration': 12.267}, {'end': 3862.149, 'text': "It's as simple as that.", 'start': 3861.148, 'duration': 1.001}, {'end': 3864.01, 'text': 'It all comes down to evidence.', 'start': 3862.709, 'duration': 1.301}, {'end': 3869.353, 'text': 'IT governance is the entire process of managing your information systems.', 'start': 3865.351, 'duration': 4.002}], 'summary': 'IT governance: managing information systems with controls and evidence.', 'duration': 21.232, 'max_score': 3848.121, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE3848121.jpg'}, {'end': 3998.289, 'src': 'embed', 'start': 3966.594, 'weight': 0, 'content': [{'end': 3969.215, 'text': 'All these things can be placed on your audit or the auditee.', 'start': 3966.594, 'duration': 2.621}, {'end': 3979.314, 'text': 'Management and audit personnel in any organization have to be aware of these external requirements for computer system practices and controls how your data is processed,', 'start': 3970.225, 'duration': 9.089}, {'end': 3980.435, 'text': 'transmitted or stored.', 'start': 3979.314, 'duration': 1.121}, {'end': 3988.203, 'text': "There's a 
need to comply with lots of different laws and lots of different legal requirements, and that has an impact on your audit.", 'start': 3981.116, 'duration': 7.087}, {'end': 3993.008, 'text': 'Now, what we mean by all this is every industry is affected by some laws.', 'start': 3988.964, 'duration': 4.044}, {'end': 3998.289, 'text': 'And in this lesson, we will look at a few laws from the United States.', 'start': 3994.747, 'duration': 3.542}], 'summary': 'Organizations must comply with external laws and regulations for computer system practices, impacting audits.', 'duration': 31.695, 'max_score': 3966.594, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE3966594.jpg'}, {'end': 4107.359, 'src': 'embed', 'start': 4082.575, 'weight': 2, 'content': [{'end': 4088.118, 'text': 'In respect to legal, regulatory, or contractual requirements, those are usually relatively clear.', 'start': 4082.575, 'duration': 5.543}, {'end': 4096.845, 'text': "You need evidence that the information systems you're auditing, the controls you're auditing, either do or do not meet those requirements.", 'start': 4088.919, 'duration': 7.926}, {'end': 4102.948, 'text': 'Now, of course, that requires you to have in-depth familiarization with that particular requirement.', 'start': 4097.564, 'duration': 5.384}, {'end': 4107.359, 'text': 'Evidence goes hand in hand with audit documentation.', 'start': 4104.417, 'duration': 2.942}], 'summary': 'Auditing requires evidence of information system compliance with clear requirements.', 'duration': 24.784, 'max_score': 4082.575, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE4082575.jpg'}, {'end': 4153.64, 'src': 'embed', 'start': 4130.661, 'weight': 6, 'content': [{'end': 4139.108, 'text': 'It may mean such a simple thing as internal spot checks, it may mean log examination, it may mean automated systems,', 'start': 4130.661, 'duration': 8.447}, 
{'end': 4147.676, 'text': 'but something to ensure that not only did the organization meet its legal, regulatory and contractual requirements today when you did the audit,', 'start': 4139.108, 'duration': 8.568}, {'end': 4149.317, 'text': "but that they're still meeting them next month.", 'start': 4147.676, 'duration': 1.641}, {'end': 4153.64, 'text': 'Legal requirements are perhaps the most important.', 'start': 4151.359, 'duration': 2.281}], 'summary': 'Regular checks ensure ongoing legal compliance for organizations.', 'duration': 22.979, 'max_score': 4130.661, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE4130661.jpg'}, {'end': 4216.223, 'src': 'embed', 'start': 4184.383, 'weight': 7, 'content': [{'end': 4186.823, 'text': "Here's a few laws that are very important in the United States.", 'start': 4184.383, 'duration': 2.44}, {'end': 4192.206, 'text': 'HIPAA and HITECH, the Health Insurance Portability and Accountability Act of 1996.', 'start': 4187.644, 'duration': 4.562}, {'end': 4195.367, 'text': "Now that's a very lengthy law,", 'start': 4192.206, 'duration': 3.161}, {'end': 4202.409, 'text': 'but most important for auditing is it identifies what is considered personal health information and how it has to be handled.', 'start': 4195.367, 'duration': 7.042}, {'end': 4209.011, 'text': 'This was augmented by the HITECH, or Health Information Technology for Economic and Clinical Health Act,', 'start': 4203.669, 'duration': 5.342}, {'end': 4216.223, 'text': 'which redefined what a breach is and gave stricter standards for notifying people in case of a breach.', 'start': 4209.639, 'duration': 6.584}], 'summary': 'HIPAA and HITECH define personal health info and breach standards in the US.', 'duration': 31.84, 'max_score': 4184.383, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE4184383.jpg'}, {'end': 4287.137, 'src': 'embed', 'start': 4257.053, 
'weight': 8, 'content': [{'end': 4264.9, 'text': 'Sarbanes-Oxley was a rather complex piece of legislation, and it was meant to address some financial fraud that had taken place in the early 2000s.', 'start': 4257.053, 'duration': 7.847}, {'end': 4272.271, 'text': 'Most important for IT is the publicly traded companies must keep electronic records for five years.', 'start': 4266.289, 'duration': 5.982}, {'end': 4278.193, 'text': 'The reason I point out this specific one is not so much that you have to memorize this for the test,', 'start': 4272.912, 'duration': 5.281}, {'end': 4287.137, 'text': "but it gives us a great example of how we take a legal requirement and that gives us a very clear control objective and it's very easy to audit.", 'start': 4278.193, 'duration': 8.944}], 'summary': 'Sarbanes-Oxley requires publicly traded companies to keep electronic records for five years, facilitating easy audit.', 'duration': 30.084, 'max_score': 4257.053, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE4257053.jpg'}, {'end': 4355.9, 'src': 'embed', 'start': 4327.94, 'weight': 9, 'content': [{'end': 4335.564, 'text': "It's the Visa, MasterCard, Discover, American Express companies saying look, if you're going to process and handle credit card data,", 'start': 4327.94, 'duration': 7.624}, {'end': 4337.617, 'text': 'You have to do these things.', 'start': 4336.496, 'duration': 1.121}, {'end': 4340.541, 'text': 'And that applies in many, many countries.', 'start': 4338.198, 'duration': 2.343}, {'end': 4345.767, 'text': "In fact, anywhere that you're processing credit cards, PCI DSS comes into play.", 'start': 4340.621, 'duration': 5.146}, {'end': 4355.9, 'text': "So anytime you're auditing a company that processes credit card information, you need to be familiar with PCI DSS and incorporate that in your audit.", 'start': 4346.268, 'duration': 9.632}], 'summary': 'Visa, MasterCard, Discover, and American Express 
require companies processing credit cards to adhere to PCI DSS in many countries.', 'duration': 27.96, 'max_score': 4327.94, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE4327940.jpg'}, {'end': 4471.711, 'src': 'embed', 'start': 4447.376, 'weight': 3, 'content': [{'end': 4456.101, 'text': 'First of all, obviously, who are you auditing, the organization? Who should receive a copy of this audit? And are there restrictions?', 'start': 4447.376, 'duration': 8.725}, {'end': 4459.944, 'text': 'Should this audit not be forwarded? Can it be forwarded to certain people?', 'start': 4456.181, 'duration': 3.763}, {'end': 4463.166, 'text': 'Basically, these are demographic issues.', 'start': 4460.444, 'duration': 2.722}, {'end': 4468.069, 'text': "Who's being audited? Who gets to know about the audit? Then the scope.", 'start': 4463.666, 'duration': 4.403}, {'end': 4469.61, 'text': 'What was the scope of your audit?', 'start': 4468.349, 'duration': 1.261}, {'end': 4470.43, 'text': 'What did you audit?', 'start': 4469.67, 'duration': 0.76}, {'end': 4471.711, 'text': 'Now, I personally.', 'start': 4470.891, 'duration': 0.82}], 'summary': 'Auditing organization, recipients, restrictions, and scope of audit are discussed.', 'duration': 24.335, 'max_score': 4447.376, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE4447376.jpg'}, {'end': 4552.589, 'src': 'embed', 'start': 4515.529, 'weight': 4, 'content': [{'end': 4519.371, 'text': 'Timing is important because auditing at different times may give different results.', 'start': 4515.529, 'duration': 3.842}, {'end': 4526.155, 'text': "For example, if you're auditing retail credit card transactions in a heavy holiday season,", 'start': 4520.011, 'duration': 6.144}, {'end': 4528.676, 'text': 'you may get different results than you would at a different time.', 'start': 4526.155, 'duration': 2.521}, {'end': 4535.5, 'text': 
'My favorite part is findings, conclusions, recommendations, follow-up, reservations, or qualifications.', 'start': 4530.077, 'duration': 5.423}, {'end': 4538.101, 'text': 'What this means is, first of all, what did you find?', 'start': 4536.1, 'duration': 2.001}, {'end': 4539.982, 'text': 'What did your audit discover?', 'start': 4538.802, 'duration': 1.18}, {'end': 4542.724, 'text': 'Next, what do you conclude from that?', 'start': 4541.223, 'duration': 1.501}, {'end': 4547.124, 'text': 'Probably the most important thing is what are your recommendations?', 'start': 4544.502, 'duration': 2.622}, {'end': 4552.589, 'text': 'If a particular control you found to be inadequate, how do you recommend they fix it?', 'start': 4548.105, 'duration': 4.484}], 'summary': 'Timing affects audit results, e.g. holiday season vs. other times. Key steps: findings, conclusions, recommendations.', 'duration': 37.06, 'max_score': 4515.529, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE4515529.jpg'}, {'end': 4695.148, 'src': 'embed', 'start': 4669.728, 'weight': 10, 'content': [{'end': 4677.731, 'text': "Basically, it's looking at, here is an objective, how is that objective met? Sort of a scorecard, that's the name.", 'start': 4669.728, 'duration': 8.003}, {'end': 4686.894, 'text': 'Now, you can use this to measure controls, their performance against an expected value, and you can look at things from four perspectives.', 'start': 4678.591, 'duration': 8.303}, {'end': 4695.148, 'text': 'Financial perspective, how much did it cost? Was there a return on investment? Was money lost? 
Customer perspective.', 'start': 4687.395, 'duration': 7.753}], 'summary': 'Measuring controls against objectives using a scorecard from four perspectives: financial, customer, internal, and learning and growth.', 'duration': 25.42, 'max_score': 4669.728, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE4669728.jpg'}], 'start': 3788.069, 'title': 'IT controls, CISA audit, and best practices', 'summary': 'Emphasizes specific IT control objectives, risk-based auditing, and compliance, discusses legal requirements for CISA audit, and highlights key legal and regulatory requirements such as Sarbanes-Oxley and PCI DSS, as well as auditing best practices and reporting.', 'chapters': [{'end': 4008.475, 'start': 3788.069, 'title': 'IT controls and risk-based auditing', 'summary': 'Emphasizes the importance of specific IT control objectives, risk-based auditing, and compliance with laws and regulations, illustrating the significance of evidence and governance in ensuring IT security.', 'duration': 220.406, 'highlights': ['The importance of specific IT control objectives and risk-based auditing is emphasized, highlighting the significance of evidence and governance in ensuring IT security.', 'The significance of evidence and its role in auditing is highlighted, emphasizing the need for data collection to make factual determinations, particularly in the context of risk-based auditing.', 'The impact of laws and regulations on auditing and IT security is discussed, emphasizing the need for compliance with external requirements and the potential impact on the audit process.']}, {'end': 4225.009, 'start': 4008.975, 'title': 'CISA audit legal requirements', 'summary': 'Discusses the legal, regulatory, and contractual requirements for CISA audit, emphasizing the importance of evidence, thorough documentation, and continuous auditing, while also highlighting the impact of important laws such as HIPAA and HITECH in the United 
States.', 'duration': 216.034, 'highlights': ['The importance of evidence and thorough documentation in meeting legal, regulatory, and contractual requirements for CISA audit.', 'The significance of continuous auditing to ensure ongoing compliance with legal, regulatory, and contractual requirements.', 'The impact of HIPAA and HITECH laws on the auditing of healthcare-related entities in the United States.']}, {'end': 4490.059, 'start': 4225.009, 'title': 'Key legal and regulatory requirements', 'summary': 'Highlights key legal and regulatory requirements such as Sarbanes-Oxley and PCI DSS, emphasizing the importance of electronic records retention for five years and the global impact of PCI DSS on organizations processing credit card data.', 'duration': 265.05, 'highlights': ['Sarbanes-Oxley requires publicly traded companies to keep electronic records for five years to address financial fraud.', 'PCI DSS applies globally to organizations processing credit card data, as it is a set of industry standards, not a law.', 'Understanding the scope, objectives, and potential omissions in an audit report is essential, along with identifying the organization being audited and the recipients of the audit.']}, {'end': 4726.77, 'start': 4491.547, 'title': 'Auditing best practices and reporting', 'summary': 'Explains the key aspects of auditing, including the period of coverage, nature of the audit, findings, conclusions, recommendations, and the use of balanced scorecard for measuring control performance.', 'duration': 235.223, 'highlights': ['The chapter emphasizes the importance of the period of coverage in auditing, as different timings may yield different results, for example, auditing retail credit card transactions during a heavy holiday season.', 'It stresses the significance of providing findings, conclusions, and recommendations in audit reports, emphasizing the need to not only identify inadequacies in controls but also provide actionable solutions for rectifying 
them.', 'It introduces the balanced scorecard as a tool for measuring control performance, highlighting its four perspectives: financial, customer, internal processes, and innovation/learning.']}], 'duration': 938.701, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i7XGhj3UPxE/pics/i7XGhj3UPxE3788069.jpg', 'highlights': ['The impact of laws and regulations on auditing and IT security is discussed, emphasizing the need for compliance with external requirements and the potential impact on the audit process.', 'The importance of specific IT control objectives and risk-based auditing is emphasized, highlighting the significance of evidence and governance in ensuring IT security.', 'The importance of evidence and thorough documentation in meeting legal, regulatory, and contractual requirements for CISA audit.', 'Understanding the scope, objectives, and potential omissions in an audit report is essential, along with identifying the organization being audited and the recipients of the audit.', 'The chapter emphasizes the importance of the period of coverage in auditing, as different timings may yield different results, for example, auditing retail credit card transactions during a heavy holiday season.', 'It stresses the significance of providing findings, conclusions, and recommendations in audit reports, emphasizing the need to not only identify inadequacies in controls but also provide actionable solutions for rectifying them.', 'The significance of continuous auditing to ensure ongoing compliance with legal, regulatory, and contractual requirements.', 'The impact of HIPAA and HITECH laws on the auditing of healthcare-related entities in the United States.', 'Sarbanes-Oxley requires publicly traded companies to keep electronic records for five years to address financial fraud.', 'PCI DSS applies globally to organizations processing credit card data, as it is a set of industry standards, not a law.', 'It introduces the balanced scorecard as 
a tool for measuring control performance, highlighting its four perspectives: financial, customer, internal processes, and innovation/learning.']}], 'highlights': ['Domain 1 accounts for 21% of the exam.', 'The annualized loss expectancy (ALE) is calculated by multiplying the single loss expectancy (SLE) with the annual rate of occurrence (ARO), helping to assess the cost effectiveness of mitigating controls.', 'The ISO 27005 standard emphasizes the importance of harm to the organization and will be relevant for the CISA exam.', 'The likelihood of a hard drive crash in a server is relatively high for any organization.', "Mitigating controls aim to reduce risk to a level that's acceptable to management.", 'The importance of risk analysis, audit methodology, and reporting techniques.', 'The likelihood of an intrusion by a state-sponsored cyber terrorist is higher for certain businesses such as high-tech companies and defense contractors, but extremely low for businesses like pizza delivery or bookselling.', "The chapter emphasizes the importance of preventative, corrective, and detective controls in information systems, highlighting that a good system needs all three types of controls to support the enterprise's objectives.", "The likelihood of an event varies for different industries, as illustrated by the impact of a web server crash on a pizza chain's business compared to an e-commerce business.", 'The chapter introduces the concept of inherent risk, which is the probability of an error existing that might be material, assuming compensating controls do not exist, and gives examples like the chance of fraudulent checks or insufficient funds in businesses dealing with paper checks or the susceptibility of e-commerce websites to attacks such as SQL injections.']}