Steps Flashcards
1
Q
The auditor’s ROLE is to
A
EVALUATE the design and operation of internal controls.
2
Q
The 5 Steps in Verifying Compliance with External Regulations (General Process)
A
(1) IDENTIFY the external requirements with which the company is responsible for being in compliance.
(2) REVIEW the specific laws and regulations with which the organization must be compliant.
(3) DETERMINE whether the organization CONSIDERED these laws and regulations when policies and procedures were developed.
(4) DETERMINE whether identified policies and procedures ADHERE to external laws and requirements.
(5) DETERMINE whether the employees are adhering to specified policies and procedures or whether DISCREPENCIES exist.
3
Q
it is so important for auditors to verify compliance by
A
developing a good audit plan
4
Q
The goal of the audit function is
A
to present an independent and objective evaluation of the state of the internal controls with appropriate recommendations to mitigate any detected risks if applicable.
5
Q
The audit department should report
A
to the audit committee.
6
Q
The audit department should NOT report
A
to senior management directly.
because it might create an independence problem.
7
Q
At the highest level, the audit FUNCTION requires
A
an audit charter to establish the IS audit function.
8
Q
The charter defines
A
what responsibilities senior management is delegating.
9
Q
The audit committee is responsible only to
A
senior management and the board of directors
10
Q
The audit committee should report findings directly to
A
senior management and the board of directors
11
Q
Long-term plans are considered
A
STRATEGIC.
12
Q
Strategic planning looks at what effect management’s planned long-term changes
A
to the infrastructure will have on the security of the organization.
13
Q
Short-term planning is referred to as .
A
tactical planning
14
Q
Tactical planning looks at issues the organization currently faces,
A
such as what is to be audited during the current year
15
Q
Understanding the company is
A
just the first step
16
Q
Next, the auditor must develop a plan to
A
help determine what type of audits should be performed.
17
Q
STEP BY STEP
1.2 Audit Planning Process
A
- Learn the business, review the mission statement, and understand its purpose and goals.
- Review documentation and evaluate existing policies, procedures, and guidelines.
- Identify threats, risks, and concerns.
- Carry out a risk analysis.
- Identify internal controls.
- Define audit objectives and scope of audit.
- Identify resources needed for the audit and assign appropriate personnel.
18
Q
an auditor must know when
A
to perform a compliance test or a sub- stantive test, and must understand the differences between them.
19
Q
Compliance tests are used to
A
verify conformity,
20
Q
substantive tests verify
A
the integrity of a claim.
21
Q
Standards are
A
agreed upon principles of protocol
22
Q
standards detail mandatory requirements, whereas guidelines and procedures
A
offer guidance on how to maintain compliance.
23
Q
Fourteen categories of standards exist:
A
S1—Audit Charter S2—Independence S3—Professional Ethics and Standards S4—Competence S5—Planning S6—Performance of Audit Work S7—Reporting S8—Follow-Up Activities S9—Irregularities and Illegal Acts S10—IT Governance 1 September 2005 S11—Use of Risk Assessment in Audit Planning S12—Audit Materiality S13—Using the Work of Other Experts S14—Audit Evidence
24
Q
Thirty-five categories of guidelines exist (1-15):
A
G1—Using the Work of Other Auditors
G2—Audit Evidence Requirement
G3—Use of Computer-Assisted Audit Techniques (CAATs)
G4—Outsourcing of IS Activities to Other Organizations
G5—Audit Charter
G6—Materiality Concepts for Auditing Information Systems
G7—Due Professional Care
G8—Audit Documentation
G9—Audit Considerations for Irregularities
G10—Audit Sampling
G11—Effect of Pervasive IS Controls
G12—Organizational Relationship and Independence
G13—Use of Risk Assessment in Audit Planning
G14—Application Systems Review
G15—Planning Revised
25
Thirty-five categories of guidelines exist (16 - 29)
G16—Effect of Third Parties on an Organization’s IT Controls
G17—Effect of Nonaudit Role on the IS Auditor’s Independence
G18—IT Governance
G19—Irregularities and Illegal Acts
G20—Reporting
G21—Enterprise Resource Planning (ERP) Systems Review
G22—Business-to-Consumer (B2C) E-Commerce Review
G23—System Development Lifecycle (SDLC) Review
G24—Internet Banking
G25—Review of Virtual Private Networks
G26—Business Process Reengineering (BPR) Project Reviews
G27—Mobile Computing
G28—Computer Forensics
G29—Post-Implementation Review
26
Thirty-five categories of guidelines exist (30 -35)
. G30—Competence
. G31—Privacy
. G32—Business Continuity Plan (BCP) Review from IT Perspective
. G33—General Considerations on the Use of the Internet
. G34—Responsibility, Authority, and Accountability
. G35—Follow-Up Activities
27
Risk management follows a defined process that includes the following steps:
1. Develop a risk management team
2. Identify assets
3. Identify threats
4. Perform risk analysis
5. Perform risk mitigation
6. Monitor
28
STEP BY STEP
| 1.3 Risk-Based Audit Process
1. Gather information and plan:
. Understand the business
. Review audits from prior years
. Examine financial data
. Evaluate regulatory statutes
. Conduct inherent risk assessments
2. Determine internal controls and review their functionality:
. Control environment and control procedures
. Detection and control risk assessment
. Total risks
3. Perform compliance tests—Test and verify that controls are being applied.
4. Perform substantive testing—Measure the strength of the process and verify accounts.
5. Conclude the audit—Prepare the report.
29
Best control
would be provided by having the production control group copy the source program to the production libraries and then compile the program.
30
Decision Support
will be enhanced by using a data warehouse and data marts.
31
Primary objective of value delivery is to:
optimize security investments in support of business objectives.
32
The MOST robust method for disposing of magnetic media
Destroying
33
Data warehousing
involves data cleaning, data integration, and data consolidations.
34
When drawing up a contract with a cloud service provider, the ideal practice is to remove the customer lock-in clause. It may be important for the client to secure ___________ of their system assets, i.e., the right to transfer from one vendor to another
portability
35
Fault
ST LOSS POWER
36
Spike
ST HIGH Volt
37
Sag
ST LOW Volt
38
Brownout
LT LOW
39
Volt Surge
LT HIGH Volt
40
Blackout
LT LOSS POWER
41
The GREATEST challenge of performing a quantitative risk analysis
Obtaining accurate figures on the frequency of specific threats
42
IDS
cannot detect attacks within encrypted traffic and it would be a concern if someone were misinformed and thought that the IDS could detect attacks in encrypted traffic.
43
Standard establishes mandatory
rules, specifications and metrics used to measure compliance against quality, value, etc. Standards are usually intended for compliance purposes and to provide assurance to others who interact with a process or outputs of a process.
44
The board of directors and executive officers are accountable for the functionality, reliability, and security within
IT Governance.
45
Web application attack facilitates unauthorized access to a database
SQLI
46
Regression testing is undertaken PRIMARILY to ensure that
applied changes have not introduced new errors.
47
Capacity monitoring
the primary objective is to ensure compliance with the internal SLA between the business and IT, helps in arriving at expected future capacity based on usage patterns, helps in initiating procurement based on the current usage and expected future capacity.
48
Cryptographic hash
is a primary defense against alteration attacks.
49
Variable sampling
would be the best sampling technique to review an organization’s balance sheet for material transactions. It is also known as dollar estimation.
50
Integrity of data
information are changed only in a specified and authorized manner
51
CSA
highlight noncompliance to the current policy
52
Batch control reconciliations
is a compensatory control for mitigating risk of inadequate segregation of duties
53
RFID
Any RFID signal you can read can be duplicated = Issues of privacy
54
Concurrency control
manages simultaneous access to a database. It prevents two users from editing the same record at the same time and also serializes transactions for backup and recovery.
55
The first criteria must be to ensure that there is no ______ in the procedures and that, from a security perspective, they meet the applicable standards and, therefore, comply with policy.
ambiguity
56
The information security manager
is responsible for developing a security strategy based on business objectives with help of business process owners.
57
Load balancing
best ensures uninterrupted system availability by distributing traffic across multiple servers. Load balancing helps ensure consistent response time for web applications
58
The IS Auditor's main responsibility during the test of the plan is to act as _________ to the success of being able to resume timely business processing.
an observer
59
The IS Auditor's observations
should be documented, analyzed with appropriate recommendations brought forth to management.
60
The level of effectiveness of employees will be determined by their existing knowledge and capabilities, in other words, their
proficiencies.
61
Reviewing the access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system
(During a postimplementation)
62
Control Objectives for Information and Related Technology (CobiT) is a framework designed around four domains
. Plan and organize
. Acquire and implement
. Deliver and support
. Monitor and evaluate
63
As an auditor, you have a position of
fiduciary responsibility
64
Chain of Custody
One important issue that cannot be overlooked during a forensic audit is chain of custody. Chain of custody means that the auditor can account for who had access to the collected data, that access to the information is controlled, and that it is protected from tampering.
65
The audit program should be defined so that the scope audit objective and procedures are
properly defined to develop and support reliable conclusions and opinions
66
Procedures for testing and evaluation can include the following:
. Auditing through observation
. Reviewing documentation
. Documenting systems and processes by means of flowcharting
. Using standard audit software controls to examine log files and data records
. Using specialized software packages to examine system parameter files
67
An audit methodology
is a documented approach for performing the audit in a consistent and repeatable manner.
68
The audit methodology is designed to meet audit objectives by defining the following (3):
(1) A statement of work
(2) A statement of scope
(3) A statement of audit objectives
69
The methodology should be approved
by management
70
The methodology should be horoughly documented so that it
provides a highly repeatable process.
71
All audit employees must be trained and must have
knowledge of the methodology.
72
Using a structured and repeatable methodology fosters the establishment of boundaries and builds
confidence in the audit process.
73
step of the audit process
1.4 Audit Methodology
1. Audit subject—Identify which areas are to be audited
2. Audit objective—Define why the audit is occurring. As an example, the objective of the audit might be
to ensure that access to private information such as social security numbers is controlled.
3. Audit scope—Identify which specific functions or systems are to be examined.
4. Pre-audit planning—Identify what skills are needed for the audit, how many auditors are required, and what other resources are needed. Necessary policies or procedures should be identified, as should the plans of the audit. The plans should identify what controls will be verified and tested.
5. Data gathering—Identify interviewees, identify processes to be tested and verified, and obtain docu- ments such as policies, procedures, and standards. Develop procedures to test controls.
6. Evaluation of test results—These will be organization specific. The objective will be to review the results.
7. Communication with management—Document preliminary results and communicate to management.
8. Preparation of audit report—The audit report is the culmination of the audit process and might include
the identification of follow-up items.
74
Findings, activities, and tests should be documented in
work papers (WPs)
75
Confidentiality
Auditors are responsible for maintaining confidentiality of paper, electronic, and sensitive client information. Sensitive information should always be protected.
76
At what step in the audit process should specific functions to be examined be identified?
At the audit scope step is where specific functions to be examined should be identified.
77
At what step in the audit process do you identify follow-up review procedures?
Follow-up review procedures should be developed at the audit report preparation step.
78
At what step in the audit process do you identify the individuals to be interviewed?
(5) At the data gathering step, the individuals to be interviewed should be determined.
79
In fraud detection, auditors should perform the following:
. Observe employee activity
. Examine and review actual procedures and processes
. Verify employee security awareness training and knowledge
. Examine actual reporting relationships to verify segregation of duties
80
Common law defines four general elements that must be present for fraud to exist:
. A material false statement
. Knowledge that the statement was false
. Reliance on the false statement
. Resulting damages or losses
81
Auditors should not overlook any of the following fraud indicators:
. No clear lines of authority
. A lack of documents and records
. A lack of independent checks and balances
. Nonexistent or poor separation of duties
. Few internal controls
82
The audit opinion is part of the auditor’s report and should include the following components:
```
. Name of organization being audited
. Title, date, and signature
. Statement of audit objectives
. Audit scope
. Any limitations of scope
. Audience
. Standards used in the audit
. A detail of the findings
. Conclusions, reservations, and qualifications
. Suggestions for corrective actions
. Other significant events
```
83
Integrated auditing typically involves the following:
. Key controls must be identified.
. Key controls must be reviewed and understood.
. Key controls must be tested to verify that they are supported by the IT system.
. Management controls must be tested to verify that they operate correctly.
. Control risks, design problems, and weaknesses are delivered in the audit report.
84
six precondi- tions should be present before an organization can adopt continuous auditing:
. The system must have acceptable characteristics. Cost and items such as technical skill must be considered.
. The information system must be reliable, have existing primary controls, and collect data on the system.
. The information system must have a highly automated secondary control system.
. The auditor must be proficient in the system and information technology.
. The audit process must offer a reliable method for obtaining the audit procedure results.
. Verifiable controls of the audit reporting process must exist.
85
Continuous assurance can be achieved by combining the following:
. Continuous auditing—A methodology of providing assurance that enables auditors to provide written reports quickly.
. Continuous monitoring—Monitoring provided by tools, such as antivirus, used to meet fiduciary responsibilities.
86
The primary role of an auditor in IT governance is to
provide guidance and recommendations to senior management
87
The objective of providing IT governance information
is to improve quality and effectiveness.
88
The first step of IT governance process is to review the following:
. Learn the organization—Know the company’s goals and objectives. Start by review- ing the mission statement.
. Review the IT strategic plan—Strategic plans provide details for the next three to five years.
. Analyze organizational charts—Become familiar with the roles and responsibility of individuals within the company.
. Study job descriptions—Job descriptions detail the level of responsibility and accountability for employees’ actions.
. Evaluate existing policies and procedures—These documents detail the approved activities of employees.
89
The committee consists of members of high-level manage- ment from within the company:
. Business management—The committee is managed by the CEO or by a personally appointed and instructed representative.
. IT management—This group is represented by the CIO or a CIO representative.
. Legal—This group is represented by an executive from the legal department.
. Finance—A representative from finance is needed to provide financial guidance.
. Marketing—A representative from marketing should also be on the committee.
. Sales—A senior manager for sales should be on the committee to make sure that the organization has the technology needed to convert shoppers into buyers.
. Quality control—Quality control ensures that consumers view products and services favorably and that products meet required standards. As such, quality control should be represented on the committee.
. Research and development (R&D)—Because R&D focuses on developing new prod- ucts, this department should be represented on the committee. IT must meet the needs of new product development.
. Human resources (HR)—Managing employees is as complex as the technology need- ed to be successful. HR should be represented on the committee.
90
The balanced score card gathers input from the following four perspectives:
. The customer perspective—Includes the importance the company places on meeting customer needs. Even if financial indicators are good, poor customer ratings will even- tually lead to financial decline.
. Internal operations—Includes the metrics managers use to measure how well the organization is performing and how closely its products meet customer needs.
. Innovation and learning—Includes corporate culture and its attitudes toward learn- ing, growth, and training.
. Financial evaluation—Includes timely and accurate financial data. Typically focuses on profit and market share.
91
Federal law requires government agencies to set up
EA and a structure for its governance.
92
The FEA is designed to use five models:
. Performance reference model—A framework used to measure performance of major IT investments
. Business reference model—A framework used to provide an organized, hierarchical model for day-to-day business operations
. Service component reference model—A framework used to classify service compo- nents with respect to how they support business or performance objectives
. Technical reference model—A framework used to categorize the standards, specifica- tions, and technologies that support and enable the delivery of service components and capabilities
. Data reference model—A framework used to provide a standard means by which data may be described, categorized, and shared
93
The three most common funding practice include these:
. Shared cost—With this method, all departments of the organization share the cost. The advantage of this method is that it is relatively easy to implement and for account- ing to handle. Its disadvantage is that some departments might feel that they are paying for something they do not use.
. Chargeback—With this method, individual departments are directly charged for the services they use. This is a type of pay-as-you-go system. Proponents of this system believe that it shifts costs to the users of services. Those opposing the chargeback sys- tem believe that it is not that clear-cut. As an example, what if your city of 1,000 people decided to divide electrical bills evenly so that everyone pays? Many might complain, as not everyone uses the same amount of electricity. Opponents of the chargeback system make the same argument, as end users don’t consume IT resources evenly.
. Sponsor pays—With this method, project sponsors pay all costs. Therefore, if sales asks for a new system to be implemented, sales is responsible for paying the bills. Although this gives the sponsor more control over the project, it might lead to the feeling that some departments are getting a free ride and, thus, can cause conflicts.
94
Per ISACA, the following items should be examined:
```
. Human resources documents
. Quality-assurance procedures
. Process and operation manuals
. Change-management documentation
. IT forecasts and budgets
. Security policies and procedures
. Organizational charts and functional diagrams
. Job details and descriptions
. Steering committee reports
```
95
During the review process of policies, procedures, and documentation, any of the following might indicate potential problems:
```
. Excessive costs
. Budget overruns
. Late projects
. A high number of aborted projects
. Unsupported hardware changes or unauthorized purchases
. Lack of documentation
. Out-of-date documentation
. Employees unaware of or unknowledgeable about documentation
```
96
Risks can be:
. Accepted—The risk is understood and has been evaluated. Management has decieded that the benefits outweigh the risk. As an example, the company might be considering setting up an e-commerce website. Although it is agreed that risks exist, the benefit of the added cash flow make these risks acceptable.
. Reduced—Installing a firewall is one method in which risk can be reduced.
. Transferred—The risk is transferred to a third party. As an example, insurance is
obtained.
. Rejected—Depending on the situation, any one of the preceding methods might be an acceptable way to handle risk. Risk rejection is not acceptable, as it means that the risk will be ignored on the hope that it will go away or not occur.
97
The assets commonly examined include:
. Hardware . Software
. Employees . Services
. Reputation
. Documentation
98
These considerations are key:
. What did the asset cost to acquire or create?
. What is the liability if the asset is compromised?
. What is the production cost if the asset is made unavailable?
. What is the value of the asset to competitors and foreign governments?
. How critical is the asset, and how would its loss affect the company?
99
These individuals or sources should be consulted or considered to help identify current and emerging threats:
```
. Business owners and senior managers
. Legal counsel
. HR representatives
. IS auditors
. Network administrators
. Security administrators
. Operations
. Facility records
. Government records and watchdog groups, such as CERT and Bugtraq
```
100
categorize the common types of threats:
```
. Physical threat/theft
. Human error
. Application error/buffer overflow
. Equipment malfunction
. Environmental hazards
. Malicious software/covert channels
```
101
Examples of losses or impacts include the following:
. Financial loss
. Loss of reputation
. Danger or injury to staff, clients, or customers
. Loss of business opportunity
. Breach of confidence or violation of law
102
Risk analy- sis can be performed in one of two basic methods:
. Quantitative risk assessment—Deals with dollar amounts. It attempts to assign a cost (monetary value) to the elements of risk assessment and the assets and threats of a risk analysis.
. Qualitative risk assessment—Ranks threats by nondollar values and is based more on scenario, intuition, and experience.
103
Quantitative Risk Assessment involves six basic steps
1. Determine the asset value (AV) for each information asset.
2. Identify threats to the asset.
3. Determine the exposure factor (EF) for each information asset in relation to each threat.
4. Calculate the single loss expectancy (SLE).
5. Calculate the annualized rate of occurrence (ARO).
6. Calculate the annualized loss expectancy (ALE).
104
STEP BY STEP
| 2.1 Quantitative Risk Assessment
1. Determine the exposure factor—This is a subjective potential percentage of loss to a specific asset if a specific threat is realized. This is usually in the form of a percentage, similar to how weather reports predict the likelihood of weather conditions.
2. Calculate the single loss expectancy (SLE)—The SLE value is a dollar figure that represents the orga- nization’s loss from a single loss or the loss of this particular information asset. SLE is calculated as follows:
Single Loss Expectancy = Asset Value × Exposure Factor
Items to consider when calculating the SLE include the physical destruction or theft of assets, loss of data, theft of information, and threats that might delay processing.
3. Assign a value for the annualized rate of occurrence (ARO)—The ARO represents the estimated fre- quency at which a given threat is expected to occur. Simply stated, how many times is this expected to happen in one year?
4. Assign a value for the annualized loss expectancy (ALE)—The ALE is an annual expected financial loss to an organization’s information asset because of a particular threat occurring within that same cal- endar year. ALE is calculated as follows:
Annualized Loss Expectancy (ALE) =
Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)
The ALE is typically the value that senior management needs to assess to prioritize resources and deter-
mine what threats should receive the most attention.
5. Analyze the risk to the organization—The final step is to evaluate the data and decide to accept,
reduce, or transfer the risk.
105
The team should review these items for such costs:
. Lost productivity
. Cost of repair
. Value of the damaged equipment or lost data
. Cost to replace the equipment or reload the data
106
Other types of qualitative assessment techniques include these:
. The Delphi Technique—A group assessment process that allows individuals to con- tribute anonymous opinions.
. Facilitated Risk Assessment Process (FRAP)—A subjective process that obtains results by asking a series of questions. It places risks into one of 26 categories. FRAP is designed to be completed in a matter of hours, making it a quick process to perform.
107
Some basic common controls should be used dur- ing the hiring practice:
```
. Background checks
. Educational checks
. Reference checks
. Confidentiality agreements
. Noncompete agreements
. Conflict-of-interest agreements
```
108
Per ISACA, the handbook should address the following issues:
. Security practices, policies, and procedures
. Employee package of benefits
. Paid holiday and vacation policy
. Work schedule and overtime policy
. Moonlighting and outside employment
. Employee evaluations
. Disaster response and emergency procedures
. Disciplinary action process for noncompliance
109
Common training methods include the following:
```
. In-house training
. Classroom training
. Vendor training
. On-the-job training
. Apprenticeship programs
. Degree programs
. Continuing education programs
```
110
IS services can be provided in these ways:
. Internally—Insourced
. Externally—Outsourced
. Combination—Hybrid
111
Third parties commonly provide these services:
```
. Data entry
. Application/web hosting
. Help desk
. Payroll processing
. Check processing
. Credit card processing
```
112
The following steps are a generic overview of the change management process:
1. Request a change.
2. Approve the request.
3. Document the proposed change.
4. Test the proposed change.
5. Implement the change.
113
The auditor should be knowledgeable in these areas:
```
. Hardware and software requisitioning
. Software development
. Information systems operations
. Human resources management
. Security
```
114
The ISO 9001 is actually six documents that specify the following:
```
. Control of documents
. Control of records
. Control of nonconforming product
. Corrective action
. Preventive action
. Internal audits
```
115
ISO 17799 provides best-practice guidance on information security management and is divided into 12 main sections:
```
. Risk assessment and treatment
. Security policy
. Organization of information security
. Asset management
. Human resources security
. Physical and environmental security
. Communications and operations management
. Access control
. Information systems acquisition, development, and maintenance
. Information security incident management
. Business continuity management
. Compliance
```
116
CobiT is designed around 34 key processes, which address the following:
. Performance concerns
. IT control profiling . Awareness
. Benchmarking
117
Business process reengi- neering was done in the following steps:
1. Envision
2. Initiate
3. Diagnose
4. Redesign
5. Reconstruct 6. Evaluate
118
After obtaining and reviewing the organizational chart, the auditor should spend some time review- ing each employee’s area to see how the job description matches actual activities. The areas to focus attention on include these:
```
. Help desk
. End-user support manager
. Quality assurance manager
. Data manager
. Rank and file employees
. Systems-development manager
. Software-development manager
```
119
Segregation of duties usu- ally falls into four areas of control:
. Authorization—Verifying cash, approving purchases, and approving changes
. Custody—Accessing cash, merchandise, or inventories
. Record keeping—Preparing receipts, maintaining records, and posting payments.
. Reconciliation—Comparing dollar amounts, counts, reports, and payroll summaries
120
In small organizations, it is usually very difficult to adequately sep- arate job tasks. In these instances, one or more of the following compensating controls should be considered:
. Job rotation—The concept is to not have one person in one position for too long a period of time. This prevents a single employee from having too much control.
. Audit trail—Although audit trails are a popular item after a security breach, they should be examined more frequently. Audit trails enable an auditor to determine what actions specific individuals performed; they provide accountability.
. Reconciliation—This is a specific type of audit in which records are compared to make sure they balance. Although they’re primarily used in financial audits, they are also useful for computer batch processing and other areas in which totals should be compared.
. Exception report—This type of report notes errors or exceptions. Exception reports should be made available to managers and supervisors so that they can track errors and other problems.
. Transaction log—This type of report tracks transactions and the time of occurrence. Managers should use transaction reports to track specific activities.
. Supervisor review—Supervisor reviews can be performed through observation or inquiry, or remotely using software tools and applications.
121
Supports the prioritization of new IT projects
Investment portfolio analysis
122
Information security
is not only a technical issue, but also a business and governance challenge that involves risk management,reporting and accountability. Effective security requires the active engagement of executive management.
123
The warm site is
acceptable to the business when the downtime is acceptable without breaching any legal requirements. Making a profit is not the reason for using a warm site.
124
The main function of QoS is to
optimize network performance by assigning priority to business applications and end users, through the allocation of dedicated parts of the bandwidth to specific traffic.
125
One of the features of referential integrity checking occurs
when a record is deleted and all other referenced records are automatically deleted.
126
RFID RISKS =
Business process risk + Business intelligence risk + Privacy risk + Externality risk
127
Re-engineering =
reusing design and program components
128
Real-time application system =
transaction log
129
RACI chart =
responsibility assignment Matrix
130
Information systems security policies are used
as the framework for developing logical access controls.
131
One way to remove data remanence is with
a degausser
132
Proactive management means
anticipating problems in advance and readying with solutions, and providing automation plans for the help desk.
133
Audit program—
A step-by-step set of audit procedures and instructions that should be performed to complete an audit
134
Cloud bursting is
an application deployment model in which an application runs in a private cloud or data center and bursts into a public cloud when the demand for computing capacity spikes
135
Ordering of biometric devices with the best response times and lowest EERs are
palm, hand, iris, retina, fingerprint and voice, respectively. (PH-I-RF-V)
136
Cloud bursting for
load balancing between clouds
137
To detect lost transactions –
automated systems balancing could be used.
138
Cloud bursting is an application deployment model in which
an application runs in a private cloud or data center and bursts into a public cloud when the demand for computing capacity spikes
139
Relative humidity (RH) is defined as the
amount of moisture in the air at a given temperature in relation to the maximum amount of moisture the air could hold at the same temperature. In a data center or computer room, maintaining ambient relative humidity levels between 45% and 55% is recommended for optimal performance and reliability.
140
It is a generally agreed upon standard in the computer industry that expensive IT equipment should not be operated in a computer room or data center where the ambient room temperature has
exceeded 85°F (30°C).
141
Information gathering techniques – Brainstorming, Delphi technique, Interviewing, Root cause analysis
Quality Assurance is also a root-cause analysis process. Fishbone diagram/Ishikawa: Determines how various factors linked to potential problems or effects, it’s majorly referred
as “root cause” analysis.
142
Network slow =
use a protocol analyzer to perform network analysis and review error logs of local area network (LAN) equipment.
143
Threat is not vulnerability. A threat exploits a vulnerability e.g. weak password (vulnerability) is exploited by a dishonest employee (threat) to commit fraud leading to
financial losses
144
Substantive testing obtains audit evidence
on the completeness, accuracy or existence of activities or transactions during the audit period
145
Batch controls:
total menetary amount, total items, total documents, hash totals
146
Matrix organizational structure
combines functional and product departmentalization, creates a dual reporting structure, and is optimal where product groups are necessary.
147
Corporate governance consists of
the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed. Information security governance is a subset of an organization’s overall governance program. Risk management, reporting, and accountability are accountability are central features of these policies and internal controls
148
Auditors are respon- sible for helping to ensure that sufficient controls are designed
during SDLC and that these controls work as expected.
149
Systems require
maintenance, review of changes, and review and redesign of processes.
150
Projects have unique attributes:
. A unique purpose
. A temporary nature
. A primary customer and/or sponsor . Uncertainty
151
Projects are constrained by their scope, time, and cost; therefore, you must consider the following:
. Scope—How much work is defined? What do the sponsor and the customer expect from this project?
. Time—How long is this project scheduled to run? Does it have a defined schedule? When does the product need to be launched, or when does the service need to be operational? Answering these questions will help determine how long the project will run.
. Cost—How much money is this project expected to cost? Has the sponsor approved it?
152
The most well known of thE PM approaches and standards
are PMBOK (IEEE Standard 1490) Prince 2 (projects in a controlled environment) and Project Management Institute (PMI).
153
Auditors should understand who is responsible and be able to identify key stakeholders, some of which include the following:
. Senior management—Provides necessary resources to complete project.
. Stakeholders—A person, group, or business unit that has a share or an interest in the
project activities.
. Project steering committee—Ultimately responsible. Must ensure that the stake- holders’ needs are met and oversee direction and scope of project. The committee acts as project-oversight board.
. Project sponsor—Works with the project manager to ensure success and is responsi- ble for allocating funding for the project.
. Project manager—Responsible for day-to-day management of the project team.
. Project team—Responsible for performing operational tasks within the project.
. Quality assurance—Responsible for reviewing the activities of the project-manage- ment team and ensuring that output meets quality standards. This role/group does not necessarily act as part of the project team as a whole. QA activities can be carried out by external parties to the project team; including auditors.
154
As the team progresses, it typically goes through four stages:
. Forming
. Storming
. Norming
. Performing
155
Work Breakdown Structure
Developing the work breakdown structure is an important task at the start of the project-management process because it identifies specific tasks and specifies what resources are needed for completion of the task
156
The three constraints of project management include the following:
. Scope—The scope of the project can be better defined by understanding areas/activi- ties/personnel needed to complete the project. For example, software projects must define how big the applications will be. Will the project involve a few thousand lines of code or millions of lines of code?
. Time—Time can be better established by building a project timeline that lists each task and specifies a timeframe for each.
. Cost—Cost can be determined by examining the lines of code, the number of people in the project team, and the time needed for each phase of the project.
157
These components drive up the cost of software:
. The chosen source code language—Using an obscure or unpopular language will most likely drive up costs.
. The size of the application—The size or complexity of the application has a bearing on cost. As an example, the level of security needed is something that will affect the complexity of a given application. This also has a direct correlation to the scope of the project.
. The project time constraints—If a project is projected to be completed in one month versus three months, this might mean that more overtime needs to be paid, along with fees for rushed services.
. Computer and resource accessibility—If resources are available only during certain times, the output of the project team will most likely be reduced.
. Project team experience—Every individual has a learning curve that adds cost to inexperienced team members.
. The level of security needed—A project that needs very high levels of security con- trols will take additional time and effort to develop.
158
Traditional software sizing has been done by
counting source lines of code (SLOC).
159
function point analysis (FPA).
is a method that the ISO has approved as a standard to estimate the complexity of soft- ware. FPA can be used to budget application-development costs, estimate productivity after project completion, and determine annual maintenance costs. FPA is based on the number of inputs, outputs, interfaces, files, and queries.
160
The five functional point values are
the number of user inputs, number of user outputs, number of user inquiries, number of files, and number of external interfaces.
161
Function Point Metrics
If an organization decides to use function point metrics, it must develop criteria for determining whether an entry is simple, average, or complex.
162
When the table is completed, the organization can use the computed totals to run through an algorithm that determines factors such as reliability, cost, and quality, such that:
. Productivity = FP/person-month
. Quality = defects/FP
. Cost= $/FP
163
With these calculations completed, the project team can
identify resources needed for each specific task.
164
Function Point Analysis Exam candidates should know that when assessing the scope of an applica- tion-development project,
function point analysis is one of the best techniques for estimating the scope and cost of the project.
165
Program Evaluation and Review Technique (PERT) is the preferred tool
for estimating time when a degree of uncertainty exists.
166
Scheduling involves linking individual tasks. The relationship between these tasks is linked either by earliest start date or by latest expected finish date. The _____ _______ is one way to dis- play these relationships.
Gantt chart
167
PERT uses
a critical-path method that applies a weighed average duration estimate.
168
PERT uses probabilistic time estimates to
estimate the best and worst time estimates.
169
PERT uses a three-point time estimate to develop
best, worst, and most likely time estimates.
170
A PERT chart is used to depict this information. Each chart begins with the first task that branches out to a connecting line that contains three estimates:
. The most optimistic time in which the task will be completed
. The most likely time in which the task will be completed
. The worst-case scenario or longest the task will take
171
Estimating Time Estimating the time and resources needed for application development is typically the most ______ part of initial application-development activities.
DIFFICULT
172
STEP BY STEP
| 3.1 Calculating Time Estimates with PERT
1. Determine the average amount of time to complete the task. In the previous example, this was estimat- ed to be five work days.
2. Estimate the best possible completion time for the task. For this step by step, assume that it is three work days.
3. Estimate the worst possible completing time. For this step, assume 10 work days.
4. Plug these values into the PERT weighted average formula:
(3 + 10 +(4 × 5) ÷ 6)= 5.5 days
5. The value of 5.5 days would be recorded as the critical path time.
173
Critical path methodology (CPM) determines what activities are critical and what the dependen- cies are between the various tasks. CPM is accomplished by the following:
. Compiling a list of each task required to complete the project
. Determining the time that each task will take, from start to finish
. Examining the dependencies between each task
174
If the total project time needs to be reduced, one of the tasks on the CPM path must be finished earlier. This is called
crashing, in that the project sponsor must be prepared to pay a premium for early completion as a bonus or in overtime charges.
175
The disadvantage to CPM is that
the relation of tasks is not as easily seen as it is with Gantt charts.
176
Critical Path Methodology Exam candidates should understand that CPM is considered
a project- management planning and control technique.
177
Timebox management is used in projects when time
is the most critical aspect and software projects need to be delivered quickly.
178
Auditors must be aware of any PROJECT
changes and must examine how this could affect any existing controls and the overall project.
179
The auditor must also be concerned with
end-user training. When new software products are released to users, the users must be trained on how the application works, what type of authentication is required, and how overrides or dual controls work.
180
The last step in the project-management process is
to close the project.
181
At the conclusion of the project, the project manager must
transfer control to the appropriate individuals.
182
The project closing includes the following tasks:
. Administrative closure
. Release of final product or service
. Update of organizational assets
183
At the close of the project, surveys or post-project reviews might be performed. This is a chance to survey the project team and end users to gauge their satisfaction with the project and
examine how things could have been done differently or what changes should be implement- ed next time.
184
A postmortem review is similar but is usually held
after the project has been in use for some time.
185
Organizations use a structure approach TO Business application development for these reasons:
. To minimize risk
. To maximize return
. To establish controls so that the likelihood that the software meets user needs is high
186
As an auditor, you are not expected to be an expert programmer or understand the inner work- ings of a Java program. Instead, the auditor must know how to manage the development process so that adequate controls are developed and implemented.
The auditor must be able to review information at each step of the process and provide input on the adequacy of con- trols being designed. Auditors are also responsible for reporting independently to management on the status of the project and the implementation of controls. Auditors might also become more deeply involved in the process, based on their individual skills and abilities.
187
ISACA uses a modified model OF SDLC that has
five primary phases and the post implementation phase.
188
Design Phase Exam candidates should understand that auditors must verify
controls during the design phase of the SDLC.
189
Waterfall Model A primary characteristic of the classic waterfall model is that when each step ends,
there is no turning back.
190
The National Institute of Standards and Technology (NIST) defines the SDLC in ___________ as “the scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation.”
NIST SP 800-34
191
Tthe goal of the SDLC is to control the development process and
add security checks at each phase
192
The failure to adopt a structured development model will increase risk and the likelihood that the final product
may not meet the customer’s needs.
193
Phase 1: Feasibility (SDLC)
In this step, the feasibility of the project is considered. The cost of the project must be dis- cussed, as well as the potential benefits that it will bring to the system’s users. A payback analy- sis must be performed to determine how long the project will take to pay for itself. In other words, the payback analysis determines how much time will lapse before accrued benefits will overtake accrued and continuing costs. If it is deter- mined that the project will move forward, the team will want to develop a preliminary time- line. During the feasibility phase, everyone gets a chance to meet and understand the goals of the project.
194
Phase 2: Requirements Definition (SDLC)
This phase entails fully defining the need and then mapping how the proposed solution meets the need. This requires the participation of management as well as users. Users should also be involved because they should have input on how the applications are designed.
At this phase, an entity relationship diagram (ERD) is often used. An ERD helps map the requirements and define the relationship between elements. The basic components of an ERD are an entity and a relationship. An entity is very much like a database, in that it is a grouping of like data elements. An entity has specific attributes, which are called the entity’s primary key. Entities are drawn as a rectangular box with an identifying name. Relationships describe how entities are related to each other and are defined as a diamond. ERDs can be used to help define a data dictionary. When a data dictionary is designed, the database schema can be devel- oped. The database schema defines the database tables and fields, and the relationship between them. The completed ERD will be used in the design phase as the blueprint for the design.
195
During the requirements phase, auditors must
verify the requirements and determine whether adequate security controls are being defined.
196
These controls should include the following mechanisms:
. Preventive—Preventive controls can include user authentication and data encryption.
. Detective—Detective controls can include embedded audit modules and audit trails.
. Corrective—Corrective controls can include fault tolerance controls and data integrity mechanisms.
197
SDLC Requirements Phase You might be tested on the fact that user acceptance plans are
usually developed during the requirements phase.
198
Build Versus Buy Although this is not a step in the SDLC, an organization might decide to buy a product instead of building it. The decision typically comes down to
time, cost, and availability of a pre- designed substitute.
199
Before moving forward with the option to buy, the project team should develop a ___________ __ __________to solicit bids from vendors. Vendor responses should be closely examined to find the vendor that best meets the project team’s requirements.
request for proposal (RFP)
200
Some of the questions that should be asked include these:
. Does the vendor have a software product that will work as is?
. Will the vendor have to modify the software product to meet our needs?
. Will the vendor have to create a new, nonexistent software product for us?
201
The reputation of the vendor is also important. MUST CONSIDER:
(1) Is the vendor reliable, and
| (2) do references demonstrate past commitment to service?
202
When a vendor is chosen, the last step is
to negotiate and sign a contract. Auditors will want to make sure that a sufficient level of security will be designed into the product and that risks are minimized.
203
Phase 3: Design (SDLC)
During the design phase, users might not be involved, but the auditor will still be working in an advisory role. The auditor must again check that security controls are still in the design and test documents. Test plans should detail how security controls will be tested. Tests should be performed to validate specific program units, subsystems, interfaces, and backup/recovery. Change-control procedures should be developed to prevent uncontrolled changes.
204
Scope Creep Scope creep is the addition of products, features, or items to the original design so that more and more items are added on. This is sometimes refered to as the
“kitchen sink syndrome.” Scope creep is most likely to occur in the design phase. Little changes might not appear to have a big cost impact on a project, but they will have a cumulative effect and increase the length and cost of the project
205
There are ways to decrease design and development time. _________ __________ is one such technique.
Reverse engineering
Reverse engineering converts executable code into human-readable format and can be performed with tools such as IDA Pro. This is a somewhat controversial subject because, although reverse engineering has legitimate uses, a company could use it to disassemble anoth- er company’s program. Most software licenses make this illegal. Reverse engineering is also sometimes used to bypass access-restriction mechanisms.
206
Phase 4: Development (SDLC)
During the development phase, programmers work to develop the application code. Programmers might use online programming facilities so that many programmers can access the code directly from their workstation. Although this typically increases productivity, it also increases risk because someone might gain unauthorized access to the program library. Programmers should strive to develop modules that have high cohesion and low coupling. Cohesion addresses the fact that a module is focused on a single task. Coupling is the meas- urement of the interconnection between modules. Low coupling means that a change to one module should not affect another.
207
Cohesion and Coupling Programmers should strive to develop modules that have
high cohesion and low coupling.
208
During development phase of SDLC, auditors must verify
that input and output controls, audit mechanisms, and file-protection schemes are used.
209
Examples of input controls include
dollar counts, transaction counts, error detection, and correction.
210
Examples of output controls include
validity checking and authorizing controls.
211
Testing these controls and the functionality of the program is
an important part of the Development phase of SDLC.
212
Testing can be done by using one of the following testing methods:
. Top down—Top-down testing starts with a depth or breadth approach. Its advantage is that it gets programmers working with the program so that interface problems can be found sooner. It also allows for early testing of major functions.
. Bottom up—Bottom-up testing works up from the code to modules, programs, and all the way to systems. The advantage of bottom-up testing is that it can be started as soon as modules are complete; work does not have to wait until the entire system is finished. This approach also allows errors in modules to be discovered early. Most application testing follows the bottom-up approach.
213
Regardless of the chosen approach, test classifications are divided into the following cate- gories:
. Unit testing—Examines an individual program or module
. Interface testing—Examines hardware or software to evaluate how well data can be
passed from one entity to another
. System testing—A series of tests that can include recovery testing, security testing, stress testing, volume testing, and performance testing. Although unit and interface testing focus on individual objects, the objective of system testing is to assess how well the system functions as a whole.
. Final acceptance testing—When the project staff is satisfied with all other tests, final acceptance testing, or user acceptance testing, must be performed. This occurs before the application is implemented into a production environment.
214
tests that are used for requirement verification.
```
Alpha test
Pilot test White-box test
Black-box test Function test Regression test
Parallel test
Sociability test
```
215
Before coding can begin, programmers must
decide what programming language they will use.
216
there are five generations of programming languages:
. Generation Five (5GL)—Natural language
. Generation Four (4GL)—Very high-level language . Generation Three (3GL)—High-level language
. Generation Two (2GL)—Assembly language
. Generation One (1GL)—Machine language
217
Citizen Programmers Organizations might have many individuals who have the ability to write code, but this does not mean they
are authorized to write code. These citizen programmers can have a detrimental effect on security. No single user should ever have complete control over the development of an application program.
218
Phase 5: Implementation (SDLC)
In the implementation phase, the application is prepared for release into its intended environ- ment. Final user acceptance is performed, as are certification and accreditation. This is typi- cally the final step in accepting the application and agreeing that it is ready for use. Certification is the technical review of the system or application. Certification testing might include an audit of security controls, a risk assessment, or a security evaluation. Accreditation is management’s formal acceptance of a system or application. Typically, the results of the certification testing are compiled into a report, and management’s acceptance of the report is used for accredita- tion. Management might request additional testing, ask questions about the certification report, or accept the results as is. Once accepted, a formal acceptance statement is usually issued.
219
SDLC Implementation Phase You might be tested on the fact that final user acceptance testing is
performed during the implementation phase.
220
Computer-aided software engineering (CASE) is used for
program and data conversions.
221
The training strategy can include
classroom training, online training, practice sessions, and user manuals.
222
The rollout of the application might be
all at once or phased in over time.
223
Changeover techniques include the following:
. Parallel operation—Both the old and new systems are run at the same time. Results between the two systems can be compared. Fine-tuning can also be performed on the new system as needed. As confidence in the new system improves, the old system can be shut down. The primary disadvantage of this method is that both systems must be maintained for a period of time.
. Phased changeover—If the system is large, a phased changeover might be possible. With this method, systems are upgraded one piece at a time.
. Hard changeover—This method establishes a date at which users are forced to change over. The advantage of the hard changeover is that it forces all users to change at once. However, this introduces a level of risk into the environment because things can go wrong.
224
Phase 6: Post-Implementation (SDLC)
In the post-implementation phase, some might be ready to schedule a party and declare suc- cess. What really needs to be done is to assess the overall success of the project. Actual costs versus projected costs should be reviewed to see how well cost-estimating was done at the fea- sibility phase. Return on investment (ROI) and payback analysis should be reviewed. A gap analysis can determine whether there is a gap between requirements that were or were not met. An independent group might conduct performance measurement, such as an audit. If this is the case, it should not be done by auditors who were involved in the SDLC process.
225
Overall, post-implementation should answer the following questions:
. Is the system adequate?
. What is the true ROI?
. Were the chosen standards followed?
. Were good project-management techniques used?
226
Disposal Typically, disposal of an existing application might be required when
the maintenance cost sur- passes the benefits/returns from the application.
227
Disposal (SDLC)
This means that, at some point, these systems must be decommissioned and disposed of. This step of the process is reached when the application or system is no longer needed. Those involved in the disposal process must consider the dis- position of the application. Should it be destroyed or archived, or does the information need to be migrated into a new system? Disk sanitization and destruction are also important, to ensure confidentiality. This is an important step that is sometimes overlooked.
228
As an auditor, you must be knowledgeable of other development methods and have a basic understanding of their opera- tions. Some popular models include the following:
. Incremental development—Defines an approach that develops systems in stages so that development is performed one step at a time. A minimal working system might be deployed while subsequent releases build on functionality or scope.
. Spiral development—The spiral model was developed based on the experience of the waterfall model. The spiral model is based on the concept that software development is evolutionary. The spiral model begins by creating a series of prototypes to develop a solution. As the project continues, it spirals out, becoming more detailed. Each step passes through planning, requirements, risks, and development phases.
. Prototyping—The prototyping model reduces the time required to deploy applica- tions. Prototyping uses high-level code to quickly turn design requirements into appli- cation screens and reports that the users can review. User feedback can fine-tune the application and improve it. Top-down testing works well with prototyping. Although prototyping clarifies user requirements, it can result in overly optimistic project time- lines. Also, when change happens quickly, it might not be properly documented, which is a real concern for the auditor.
. Rapid application development (RAD)—RAD uses an evolving prototype and requires heavy user involvement. Per ISACA, RAD requires well-trained development teams that use integrated power tools for modeling and prototyping. With the RAD model, strict limits are placed on development time. RAD has four unique stages, which include concept, functional design, development, and deployment.
229
Prototyping The advantage of prototyping is that it can provide
real savings in development time and costs.
230
Rapid Application Development The CISA exam might question you on the fact that RAD
uses proto- typing as its core development tool.
231
A second category of application development can be defined as
agile software development. With this development model, teams of programmers and business experts work closely together. Project requirements are developed using an iterative approach because the project is both mission driven and component based. The project manager becomes much more of a facilitator in these situations.
232
Popular agile development models include the following:
. Extreme programming (XP)—The XP development model requires that teams include business managers, programmers, and end users. These teams are responsible for developing useable applications in short periods of time. Issues with XP are that teams are responsible not only for coding, but also for writing the tests used to verify the code. Lack of documentation is also a concern. XP does not scale well for large projects.
. Scrum—Scrum is an iterative development method in which repetitions are referred to as sprints and typically last 30 days. Scrum is typically used with object-oriented tech- nology and requires strong leadership and a team meeting each day for a short time. The idea here is for more planning and directing tasks from the project manager to the team. The project manager’s main task is to work on removing any obstacles from the team’s path.
233
Reengineering Reengineering converts an existing business process. Reengineering attempts
to update software by reusing as many of the components as possible instead of designing an entirely new system.
234
Application-Development Approaches
he information also can be grouped for the development process in various ways, including data-oriented system development (DOSD),
object-oriented systems development (OOSD),
component-based development (CBD),
and web- based application development (WBAD).
235
The change-control board is responsible for
developing a change- control process and also for approving changes.
236
Although the types of changes vary, change control follows a predictable process:
1. Request the change.
2. Approve the change request.
3. Document the change request.
4. Test the proposed change.
5. Present the results to the change-control board.
6. Implement the change, if approved.
7. Document the new configuration.
237
The auditor should ensure that backup copies of critical documents are
created. These documents should be kept off-site in case of a disaster or other situation.
238
The auditor should also watch for the possibility of unauthorized changes because of
poor oversight or the lack of proper security controls. Items to look for include the following:
239
Items to look for include the following:
. Changes are implemented directly by the software vendor, without internal control.
. Programmers place code in an application that has not been tested or validated.
. The changed source code has not been reviewed by the proper employee.
. No formal change process is in place.
. The change review board has not authorized the change.
. The programmer has access to both the object code and the production library.
240
Prototyping:
The process of quickly putting together a working model (a prototype) in order to test various aspects of a design, illustrate ideas or features and gather early user feedback.
241
Unsuccessful logon =
monitored by the security administrator.
242
The majority of project risk
can typically be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with this risk.
243
Frame Relay is
more efficient than X.25
244
ATM is asynchronous,
time slots are available on demand with information identifying the source of the transmission contained in the header of each ATM cell
245
Hash totals:
Verification that the total in a batch agrees with the total calculated by the system.
246
The IS auditor has an obligation to the project sponsor and the organization
to advise on appropriate project management practices. Waiting for the possible appointment of a risk manager represents an unnecessary and dangerous delay to implementing risk management.
247
Race conditions occur due to
interferences caused by the following conditions: Sequence or nonatomic + Deadlock, live lock, or locking failure.
248
Prior to implementing new technology,
an organization should perform a risk assessment, which would then be presented to business unit management for review and acceptance
249
Configuration management accounts for
all IT components, including software. Project management is about scheduling, resource management and progress tracking of software development. Problem management records and monitors incidents. Risk management involves risk identification, impact analysis, an action plan, etc.
250
Penetration test is normally
the only security assessment that can link vulnerabilities together by exploiting them sequentially.
251
What is the difference between the false acceptance rate and false rejection rate?
False acceptance means unauthorized user is permitted access= FAR-UP False rejection is when authorized person is denied access= FRR- AD
252
IaaS:
company is trying to reduce it's sever environment footprint, so the in-house application servers were moved to another location, hosted by a 3rd party. So the application software, application servers were being moved and supported by another company which is IaaS.
253
Having access to the database
could provide access to database utilities, which can update the database without an audit trail and without using the application. Using SQL only provides read access to information.
254
VPN =
data confidentiality
255
An Audit charter should state
management’s objectives for and delegation of authority to IS auditors.
256
Provisioning access to data on a need-to-know basis PRIMARILY
ensures Data confidentiality
257
face to face communications are an example of
informal methods of monitoring and controlling a system development life cycle project since it is hard to document the communication all the time. Evidence is hard in informal methods
258
LOG can be maintained in
a manual or automated form where activities are logged with a sequential control number for tracking purposes.
259
ESCROW: The client is entitled to the benefit of only using the software
and not owning it, unless they pay more money. Escrow may provide some protection if the vendor goes out of business, but does not prevent software from being discontinued.
260
4GL provides
screen-authoring and report-writing utilities that automate database access.
261
4GL tools do not
create the business logic necessary for data transformation.
262
Flowchart is used to
document internal program logic.
263
Feasibility study =
should be the basis for management’s decision to buy available software or to build a custom software application
264
Recovery managers should be
rotated to ensure the experience of the recovery plan DRP is spread among the managers.
265
Entity-relationship diagram (ERD) is used
to help define the database schema.
266
Function point analysis is used
for estimation of work during the feasibility study.
267
Parallel migration increases
support requirements but lowers the overall risk. The old and new systems are run in parallel to verify integrity while building user familiarity with the new system.
268
Phased Changeover In larger systems, converting
to the new system in small steps or phases may be possible. This may take an extended period of time. The concept is best suited to either an upgrade of an existing system, or to the conversion of one department at a time. The phased approach creates a support burden similar to that of parallel operation. A well-managed phased changeover presents a moderate level of risk.
269
Data-oriented databases (DODBs)
are designed for predictable data that has a consistent structure and a known or fixed length.
270
Object-oriented databases (OODBs)
are designed for data that has a variety of possible data formats.
271
Hard Changeover
In certain environments, executing an abrupt change to the new system may be necessary. This is known as a hard changeover, a full change occurring at a particular cutoff date and time. The purpose is to force migration of all the users at once. A hard changeover may be used after successful parallel operation or in times of emergency
272
Checklists are an example of a
formal method of communication between the affected parties. A checklist provides guidelines for reviewing functions and activities for assurance and evaluative purposes. Checklists can detect whether activities were performed according to plans, policies, and procedures
273
Agile method places greater reliance
on the undocumented knowledge contained in a person’s head. Agile is the direct opposite of capturing knowledge through project documentation.
274
in the SDLC, Approval by management to proceed to the next phase or possibly kill the project;
i.e. The review at the end of every SDLC phase is intended to prevent the project from proceeding unless it receives management’s approval.
275
The ACID principle of database transaction refers to
atomicity (all or nothing), consistency, isolation (transactions operate independently), and durability (data is maintained).
276
Major activities in software quality assurance include
project management, software verification and validation, software configuration management, and software quality assurance. These activities become a baseline and any subsequent changes require management approvals. Proposed changes are compared to the baseline, which is the standard.
277
Opportunity costs
are those costs inherent in selecting one option in favor of another. When a software package's implementation is delayed, inherent costs of other projects being deferred during its implementation is an example of opportunity cost. The time lost due to delayed implementation of a current project could have been applied to developing a new project. Opportunity costs are hard to quantify precisely, but can be among the most important factors in software selection
278
Maintenance costs
are the costs to update and adapt software to match changing organizational needs. The maintenance costs of a system will vary widely, depending upon such factors as the type of application, the complexity of the system, and the need for periodic updates
279
If the database is not normalized, the IS auditor should review the justification
since, in some situations, denormalization is recommended for performance reasons. The IS auditor should not recommend normalizing the database until further investigation takes place. Reviewing the conceptual data model or the stored procedures will not provide information about normalization.
280
Spoofing
is a form of impersonation where one computer tries to take on the identity of another computer. When an attack originates from the external network, but uses an internal network address, the attacker is most likely trying to bypass firewalls and other network security controls by impersonating (or spoofing) the payroll server's internal network address.
281
DoS attack
is designed to limit the availability of a resource and is characterized by a high number of requests which require response from the resource (usually a web site). The target spends so many resources responding to the attack requests that legitimate requests are not serviced.
282
An application-layer gateway, or proxy firewall, and stateful inspection firewalls
provide the greatest degree of protection and control because both firewall technologies inspect all seven OSI layers of network traffic.
283
Control objectives are developed to achieve acceptable levels of risk.
To the extent that is achieved is a good measure of the effectiveness of the strategy.
284
Attribute sampling
is the primary sampling method used for compliance testing.
285
Social engineering include
impersonation through a telephone call, dumpster diving and shoulder surfing.
286
Downtime reports:
Track the availability of telecommunication lines and circuits. Interruptions due to power/line failure, traffic overload, operator error or other anomalous conditions are identified in a downtime report.
287
The first step in implementing information security governance is to define the
security strategy based on which security baselines are determined
288
Risk created by a reciprocal agreement for disaster recovery =
may result in hardware and software incompatibility
