中钢协考试包括哪些内容?
注册信息系统审计师® (中钢协®) exam consists of 150 questions covering 5 job practice domains, all testing your knowledge and ability on real-life job practices leveraged by expert professionals. (Note: We recently updated 中钢协’s job practice and exam-prep material. 了解更多.)
ISACA的承诺
自1978年成立以来, 超过200人,000 people have obtained ISACA’s 中钢协 certification to validate their expertise in understanding and performing vital roles in audit, 安全和控制. 该域, 子主题和任务是广泛研究的结果, feedback and validation from subject matter experts and prominent industry leaders from around the globe.
Job practice areas tested for and validated by a 中钢协 certification
18%域1 -信息系统审计流程
Providing industry-standard audit services to assist organizations in protecting and controlling information systems, Domain-1 affirms your credibility to offer conclusions on the state of an organization’s IS/IT security, 风险和控制解决方案.
规划
- 审计准则、准则和道德准则是什么
- 审计、评估和评审的类型
- 基于风险的审计计划
- 控制类型和注意事项
B-EXECUTION
- 审计项目管理
- 审计测试和抽样方法
- 审计证据收集技巧
- 审计数据分析
- 报告和沟通技巧
- 审计过程的质量保证和改进
18%域2 ——治理 & it管理
This domain confirms to stakeholders your abilities to identify critical issues and recommend enterprise-specific practices to support and safeguard the governance of information and related technologies.
它的治理
- 法律、法规和行业标准
- 组织结构、IT治理和IT战略
- 信息技术政策、标准、程序和实践
- 365买球网站下载架构和注意事项
- 365买球网站下载风险管理
- 隐私程序和原则
- 数据治理和分类
这个节目管理
- IT资源管理
- IT供应商管理
- IT性能监控和报告
- 资讯科技品质保证及品质管理
12% domain 3 -信息系统的获取、开发 & 实现
Domains 3 and 4 offer proof not only of your competency in IT 控制, 还包括你对IT与业务之间关系的理解.
信息系统的获取和发展
- 项目管治及管理
- 商业案例和可行性分析
- 系统开发方法
- 控制识别与设计
b -信息系统实施
- 系统准备和实现测试
- 实施配置和发布管理
- 系统迁移、基础设施部署、数据转换
- 实现后的审查
26%域4 -资讯系统运作 & 业务弹性
Domains 3 and 4 offer proof not only of your competency in IT 控制, 还包括你对IT与业务之间关系的理解.
a -信息系统操作
- 它的组件
- IT资产管理
- 作业调度和生产过程自动化
- 系统接口
- 影子IT和终端用户计算
- 系统可用性和容量管理
- 问题及事件管理
- IT变更、配置和补丁管理
- 操作日志管理
- IT服务水平管理
- 数据库管理
B-BUSINESS弹性
- 业务影响分析
- 系统和操作弹性
- 数据备份、存储和恢复
- 业务连续性计划
- 灾难恢复计划
26% domain 5 ——保护信息资产
网络安全 now touches virtually every information systems role, 理解它的原理, 最佳实践和陷阱是领域5的主要焦点.
a -信息资产安全与控制
- 信息资产安全框架、标准和指南
- 物理和环境控制
- 身份和访问管理
- 网络和端点安全
- 防止数据丢失
- 数据加密
- 公开密码匙基础设施
- 云和虚拟化环境
- 移动、无线和物联网设备
b -安全事件管理
- 安全意识培训和计划
- 信息系统攻击方法与技术
- 安全测试工具和技术
- 安全监控工具和技术
- 安全事件响应管理
- 证据收集及鉴证
二级分类-任务
- Plan an audit to determine whether information systems are protected, 控制, 并为组织提供价值.
- Conduct audits in accordance with IS audit standards and a risk based IS audit strategy.
- 在审计过程中应用项目管理方法.
- 沟通并收集审核进度反馈, 发现, 结果, 和利益相关者的建议.
- Conduct post-audit follow up to evaluate whether identified risk has been sufficiently addressed.
- 利用数据分析工具加强审计流程.
- Evaluate the role and/or impact of automatization and/or decision-making systems for an organization.
- Evaluate audit processes as part of quality assurance and improvement programs.
- Evaluate the IT strategy for alignment with the organization's strategies and objectives.
- Evaluate the effectiveness of IT governance structure and IT organizational structure.
- Evaluate the organization's management of IT policies and practices, 包括遵守法律和法规要求.
- Evaluate IT resource and project management for alignment with the organization's strategies and objectives.
- Evaluate the organization's enterprise risk management (ERM) program.
- Determine whether the organization has defined ownership of IT risk, 控制, and standards.
- Evaluate the monitoring and reporting of IT key performance indicators (KPIs) and IT key risk indicators (KRIs).
- Evaluate the organization's ability to continue business operations.
- Evaluate the organization's storage, backup, and restoration policies and processes.
- Evaluate whether the business cases related to information systems meet business objectives.
- Evaluate whether IT vendor selection and contract management processes meet business, 法律, 以及监管要求.
- 评估供应链的IT风险因素和完整性问题.
- Evaluate 控制 at all stages of the information systems development life cycle.
- Evaluate the readiness of information systems for implementation and migration into production.
- Conduct post-implementation reviews of systems to determine whether project deliverables, 控制, 并且满足了要求.
- Evaluate whether effective processes are in place to support end users.
- Evaluate whether IT service management practices align with organizational requirements.
- Conduct periodic review of information systems and enterprise architecture (EA) to determine alignment with organizational objectives.
- Evaluate whether IT operations and maintenance practices support the organization's objectives.
- 评估组织的数据库管理实践.
- 评估组织的数据治理计划.
- 评估公司的隐私保护计划.
- Evaluate data classification practices for alignment with the organization's data governance program, 隐私保护程序, 适用的外部要求.
- Evaluate the organization's problem and incident management program.
- Evaluate the organization's change, configuration, release, and patch management programs.
- 评估组织的日志管理程序.
- Evaluate the organization's policies and practices related to asset life cycle management.
- Evaluate risk associated with shadow IT and end-user computing (EUC) to determine effectiveness of compensating 控制.
- 评估组织的信息安全计划.
- Evaluate the organization's threat and vulnerability management program.
- Utilize technical security testing to identify potential vulnerabilities.
- 评估逻辑, 物理, 并进行环境控制以验证机密性, 完整性, 以及信息资产的可用性.
- 评估组织的安全意识培训计划.
- Provide guidance to the organization in order to improve the quality and control of information systems.
- Evaluate potential opportunities and risks associated with emerging technologies, 规定, 以及行业惯例.
正在为这次考试做准备
ISACA offers a variety of exam preparation resources including group training, self-paced training and study resources in various languages to help you prepare for the current certification exam. 选择适合你的时间表和学习需要的方法.