You are on page 1of 3


Obtain a copy of COBIT (available at, and read the control objectives
that relate to encryption (DS5.8 and DS5.11). What are the essential control
procedures that organizations should implement when using encryption?
COBIT control objective DS5.8 addresses key management policies with respect to
encryption. This should include procedures concerning:

Minimum key lengths

Use of approved algorithms

Procedures to authenticate recipients

Secure distribution of keys

Secure storage of keys

Key escrow

Policies governing when to use encryption and which information should be
encrypted (this probably requires the organization to classify and label all
information assets so that employees can identify the different categories)

Procedures for revoking compromised keys

COBIT control objective DS5.11 addresses the use of encryption during the
transmission of information. This should include procedures concerning:

Procedures to ensure information is encrypted prior to transmission

Specification of approved encryption algorithms

Access controls over incoming encrypted information

Secure storage of encryption keys

For each of the three basic options for replacing IT infrastructure (cold sites, hot
sites, and real-time mirroring), give an example of an organization that could use
that approach as part of its DRP. Be prepared to defend your answer?
Many solutions are possible. The important point is to justify that the method
yields an appropriate RTO for the organization. Cold sites yield RTOs measured in
days; hot sites result in RTOs measured in hours; and real-time mirroring have RTOs
measured in minutes. Here are some possible examples:

CPA firms can probably function without their main information system for a day or a couple of days. Hot site: Many businesses could function for several hours using paper-based forms until their data center was back up and running. the manager of administrative data processing. They should not prepare records or engage in any activity that could compromise their objectivity and independence. you met with IssaArnita. . He also wants internal auditing to make suggestions during system development. because internal auditing is a staff function. Objectivity is essential to the audit function. He recommends that your department assume line responsibility for auditing suppliers’ invoices prior to payment. The request that you make suggestions during system development? It would be advantageous for internal auditing to make specific suggestions during the design phase concerning controls and audit trails to be built into a system. and internal auditors should be independent of the activities they must review. Recently. new sales orders could be processed on paper and entered later. Issa wants your help with a new computerized accounts payable system currently in development.1 You are the director of internal auditing at a university. Most employees have laptops and could continue to do much of their work (collecting audit evidence. if a retailer’s information system went down. The recommendation that your department be responsible for the pre-audit of suppliers’ invoices? Internal auditing should not assume responsibility for pre-audit of disbursements. writing reports. Required Would you accept or reject each of the following? Why? a. Real-time mirroring: Internet-only companies need this because they can only earn revenue when their web site is up and running. they need to have a backup system available at all times.Cold site: smaller businesses. b. Internal auditing should build an appropriate interface with the Data Processing Department to help achieve this goal. • Review testing plans. and expressed the desire to establish a more effective interface between the two departments. internal auditing may: • Provide a list of control requirements. Nor can airlines and financial institutions operate using paper-based forms. 11. and approve the completed system after making a final review. Neither objectivity nor independence is compromised if the auditor makes recommendations for controls in the system under review. assist in its installation. For example. involvement in such a line function would be inconsistent with the proper role of an internal auditor. For example. working on spreadsheets) and then upload their work to the main servers once the cold site is up and running. such as a local CPA firm. In most situations. Furthermore.

Therefore. particularly during the implementation period. .• Determine that there are documentation standards and that they are being followed. and adequacy of documentation of program and procedures in order to determine readiness of the system for installation or conversion. however. c. results of testing. from actual participation in system design. The auditor may help in the installation or conversion of the system by continuing to offer suggestions for controls. The request that you assist in the installation of the system and approve the system after making a final review? The auditor must remain independent of any system they will subsequently audit. • Determine that the project itself is under control and that there is a system for gauging design progress. the auditor may review for missing segments. In this situation. Internal auditing must refrain. After installation or conversion. the auditor must refrain from giving overall approval of the system in final review. either alone or as part of a team. the auditor may participate in a post-installation audit.