
1) Compensating Controls – They are internal controls that are intended to reduce the risk of
an existing or potential control weakness when duties cannot be appropriately segregated.
(Pg-115 CRM’12)
2) Preventive Controls - These are controls that prevent the loss or harm from occurring. For
example, a control that enforces segregation of responsibilities (one person can submit a
payment request, but a second person must authorize it), minimizes the chance an
employee can issue fraudulent payments.
3) Overlapping Controls –
4) Logical Access Controls- http://en.wikipedia.org/wiki/Logical_access_control
5) Before implementing an IT balanced scorecard, an organization must define key
performance indicators.
6) To assist an organization in planning for IT investments, the IS auditor should recommend
the use of enterprise architecture.
7) Controls are basically to mitigate the risk.
8) IS audit services can be provided externally or internally. The role of the IS internal audit
function should be established by an audit charter approved by senior management. If IS
audit services are provided externally, then it should be documented in a formal contract
or statement of work between the contracting org. and the service provider.
9) Audit Charter vs Engagement Letter (S1 Audit Charter) – (Pg 33 CRM’12)
10) S4 , Professional Competence – ISACA IS Auditing Standards require that the IS auditors be
technically competent, having the skills & knowledge to perform the auditor’s work.
11) A PRIMARY benefit derived from an organization employing control self-assessment (CSA)
techniques is that it can identify high-risk areas that might need a detailed review
later.
12) RFP - http://en.wikipedia.org/wiki/Request_for_proposal
13) An IS auditor should expect References from other customers (an item) to be included in
the request for proposal (RFP) when IS is procuring services from an independent service
provider (ISP).
14) IT governance ensures that an organization aligns its IT strategy with enterprise objectives.
15) Legal issues also impact org.’s business operations in terms of compliance with
ergonomic(intended to provide optimum comfort and to avoid stress and injury, human
factor) regulations, the US Health Insurance Portability and Accountability Act(HIPAA), etc.
16) US Sarbanes-Oxley Act of 2002 – It requires evaluating an org.’s internal control. It provides
regulations and standards for specified public companies including US SEC registrants. It
requires the org. to select and implement a suitable internal control framework. IS auditors have
to consider the impact of Sarbanes-Oxley as part of audit planning.
17) COSO – Committee of Sponsoring Organizations of the Treadway Commission. It provides an internal
control framework.
18) Basel II Accord – It regulates the minimum amount of capital for financial organizations based on the
level of risk faced by these organizations.
19) Steps an IS auditor would perform to determine an org.’ level of compliance with external
requirements – (Pg 25 CRM’12)
20) An IS auditor should ensure that IT governance performance measures evaluate the
activities of IT oversight committees.
21) IS strategic plans would include analysis of future business objectives.
22) Scope Creep - Scope creep (also called requirement creep and feature creep) in
project management refers to uncontrolled changes or continuous growth in a
project’s scope. This phenomenon can occur when the scope of a project is not
properly defined, documented, or controlled. It is generally considered a negative
occurrence, to be avoided.

Typically, the scope increase consists of either new products or new features of already
approved product designs, without corresponding increases in resources, schedule, or budget.
As a result, the project team risks drifting away from its original purpose and scope into
unplanned additions. As the scope of a project grows, more tasks must be completed within
the budget and schedule originally designed for a smaller set of tasks. Accordingly, scope
creep can result in a project team overrunning its original budget and schedule.

If budget, resources, and schedule are increased along with the scope, the change is usually
considered an acceptable addition to the project, and the term “scope creep” is not used.

23) Hardware Configuration Analysis is critical to the selection and acquisition of the correct
operating system software.
24) When conducting a review of business process reengineering, an IS auditor found that a key
preventive control had been removed. The IS auditor should inform management of the finding
and determine whether management is willing to accept the potential material risk of not having
that preventive control.
25) Data Sanitization - Data sanitization is the process of deliberately, permanently, and irreversibly
removing or destroying the data stored on a memory device. A device that has been sanitized has no
usable residual data, and even advanced forensic tools should never be able to recover the erased data.
Sanitization processes include using a software utility that completely erases the data, a separate
hardware device that connects to the device being sanitized and erases the data, and/or a mechanism
that physically destroys the device so its data cannot be recovered.
26) An organization decides to purchase a package instead of developing it. In such a case, the
design and development phases of a traditional software development life cycle (SDLC)
would be replaced with selection and configuration phases.
27) G11 must read pg 39 (CRM’12) ..The total population…..
28) Mobile Computing - Mobile computing is human–computer interaction by which a
computer is expected to be transported during normal usage. Mobile computing involves
mobile communication, mobile hardware, and mobile software. Communication issues
include ad-hoc and infrastructure networks as well as communication properties, protocols,
data formats and concrete technologies. Hardware includes mobile devices or device
components. Mobile software deals with the characteristics and requirements of mobile
applications.

29) Computer Forensics - Computer forensics (sometimes known as computer forensic
science) is a branch of digital forensic science pertaining to legal evidence found in
computers and digital storage media. The goal of computer forensics is to examine
digital media in a forensically sound manner with the aim of identifying, preserving,
recovering, analyzing and presenting facts and opinions about the information.

Although it is most often associated with the investigation of a wide variety of computer
crime, computer forensics may also be used in civil proceedings. The discipline involves
similar techniques and principles to data recovery, but with additional guidelines and
practices designed to create a legal audit trail.
Evidence from computer forensics investigations is usually subjected to the same guidelines
and practices of other digital evidence. It has been used in a number of high-profile cases and
is becoming widely accepted as reliable within U.S. and European court systems.

30) The IS auditor should consider the use of the Internet as per G33.
31) G38 Must Read Access Control – Pg41 of CRM’12
32) Capacity Management - Capacity Management is a process used to manage information technology
(IT). Its primary goal is to ensure that IT capacity meets current and future business requirements in a
cost-effective manner. One common interpretation of Capacity Management is described in the ITIL
framework. ITIL version 3 views capacity management as comprising three sub-processes: business
capacity management, service capacity management, and component capacity management (known
as resource capacity management in ITIL version 2). Capacity monitoring software is MAINLY used
to ensure continuity of efficient operations.
33) Which exposure associated with the spooling (the transfer of data intended for a peripheral device,
usually a printer, into temporary storage) of sensitive reports for offline printing should an
IS auditor consider to be the MOST serious?
Unauthorized report copies can be printed.
34) Data Redundancy - Data redundancy occurs in database systems which have a field that is
repeated in two or more tables. For instance, when customer data is duplicated and
attached to each product bought, the redundancy is a known source of
inconsistency, since the customer might appear with different values for a given attribute. Data
redundancy leads to data anomalies and corruption and generally should be avoided by
design.
35) The database administrator has decided to disable certain normalization controls in the
database management system (DBMS) software to provide users with increased query
performance. This will MOST likely increase the risk of redundancy of data.
36) Resilience - The ability to recover quickly from illness, change, or misfortune;
buoyancy.
37) An IS auditor evaluating the resilience of a high-availability network should be MOST
concerned if the network servers are clustered in a site.
38) SLA (Service Level Agreement) - A service-level agreement (SLA) is a part of a service
contract where a service is formally defined. In practice, the term SLA is sometimes used to
refer to the contracted delivery time (of the service or performance). As an example,
internet service providers will commonly include service level agreements within the terms
of their contracts with customers to define the level(s) of service being sold in plain language
terms. In this case the SLA will typically have a technical definition in terms of mean time
between failures (MTBF), mean time to repair or mean time to recovery (MTTR); various data
rates; throughput; jitter; or similar measurable details.
39) When reviewing a service level agreement for an outsourced computer center, an IS auditor
should FIRST determine that the services in the agreement are based on an analysis of business
needs.
40) An IS auditor should recommend the use of library control software to provide reasonable
assurance that program changes have been authorized.
41) Benchmarking provides the BEST method for determining the level of performance provided
by similar information-processing-facility environments.
42) Two-factor and three-factor authentication - http://searchsecurity.techtarget.com/definition/two-factor-authentication
43) Naming conventions for system resources are important for access control because
they reduce the number of rules required to adequately protect resources.
44) Social engineering, in the context of information security, is understood to mean the art of
manipulating people into performing actions or divulging confidential information. This is a
type of confidence trick for the purpose of information gathering, fraud, or gaining computer
system access. It differs from traditional cons in that often the attack is a mere step in a
more complex fraud scheme. Security awareness training is the most effective way to reduce
social engineering incidents.
45) Important for exam perspective – G5, G9/S9, G17/S2, G35
46) The IS auditor is reviewing an organization's human resources (HR) database implementation. The IS
auditor discovers that the database servers are clustered for high availability, all default database
accounts have been removed and database audit logs are kept and reviewed on a weekly basis. What
other area should the IS auditor check to ensure that the databases are appropriately secured?
- Database Initialization Parameters.
When a database is opened, many of its configuration options are governed by initialization
parameters. These parameters are usually governed by a file (“init.ora” in the case of Oracle
DBMS) which contains many settings. The system initialization parameters address many “global”
database settings, including authentication, remote access and other critical security areas. In order
to effectively audit a database implementation, the IS auditor must examine the database
initialization parameters. Digital signatures are used for authentication and nonrepudiation, and are
not commonly used in databases. As a result, this is not an area in which the IS auditor should
investigate. A nonce is defined as a “parameter that changes over time” and is similar to a number
generated to authenticate one specific user session. Nonces are not related to database security
(they are commonly used in encryption schemes). A MAC address is the hardware address of a
network interface. MAC address authentication is sometimes used with wireless local area network
(WLAN) technology, but is not related to database security.

47) Upon receipt of the initial signed digital certificate the user will decrypt the certificate with the public key
of the Certificate Authority. A CA is a network authority that issues and manages security credentials
and public keys for message encryption. As a part of the public key infrastructure, a CA checks with an
RA to verify information provided by the requestor of a digital certificate. If the RA verifies the
requestor's information, the CA can issue a certificate. The CA signs the certificate with its private key
for distribution to the user. Upon receipt, the user will decrypt the certificate with the CA's public key.
48) Sniffing vs Spoofing - Sniffing: gathering information without actually touching it (or while
undetected or hidden), e.g., network packet sniffing. Sniffing is "listening" to network traffic to
collect information. A common usage of sniffing is to listen to network traffic to look for
patterns of a worm spreading itself.
Spoofing: mimicking something to create an illusion of the presence of the original, e.g.,
email spoofing. Spoofing is sending network traffic that pretends to come from someone
else. A common usage of spoofing is sending an email message with the header reformatted
so it looks like it comes from someone else, such as the recipient's boss.
49) Network security reviews include reviewing router access control lists, port scanning, internal and
external connections to the system, etc.
50) Public key encryption, also known as asymmetric key cryptography, uses a public key to encrypt the
message and a private key to decrypt it.

51) Difference between symmetric and asymmetric encryption - Symmetric key encryption requires that
the keys be distributed. The larger the user group, the more challenging the key distribution. Symmetric
key cryptosystems are generally less complicated and, therefore, use less processing power than
asymmetric techniques, thus making them ideal for encrypting a large volume of data. The major
disadvantage is the need to get the keys into the hands of those with whom you want to exchange data,
particularly in e-commerce environments, where customers are unknown, untrusted
entities. http://stackoverflow.com/questions/5478952/difference-between-asymmetric-and-symmetric-encryption-methods
52) A digital signature contains a message digest to show if the message has been altered after
transmission. The message digest is calculated and included in a digital signature to prove that the
message has not been altered. It should be the same value as a recalculation performed upon receipt. It
does not define the algorithm or enable the transmission in digital format and has no effect on the
identity of the user; it is there to ensure integrity rather than identity.
53) The best control to mitigate the risk of pharming attacks to an Internet banking application is Domain
name system (DNS) server security hardening. The pharming attack redirects the traffic to an
unauthorized web site by exploiting vulnerabilities of the DNS server. In order to avoid this kind of
attack, it is necessary to eliminate any known vulnerability that could allow DNS poisoning. Older
versions of DNS software are vulnerable to this kind of attack and should be patched.

Pharming is an attack intended to redirect a website's traffic to another, bogus
site. Pharming can be conducted either by changing the hosts file on a victim's computer or
by exploitation of a vulnerability in DNS server software. DNS servers are computers
responsible for resolving Internet names into their real IP addresses. Compromised DNS
servers are sometimes referred to as "poisoned". Pharming requires unprotected access to
target a computer, such as altering a customer's home computer, rather than a corporate
business server.

54) The most reliable sender authentication method is Digital Certificates. Digital certificates are
issued by a trusted third party. The message sender attaches the certificate and the recipient can verify
authenticity with the certificate repository. Asymmetric cryptography, such as public key infrastructure
(PKI), appears to authenticate the sender but is vulnerable to a man-in-the-middle attack. Digital
signatures are used for both authentication and confidentiality, but the identity of the sender would still
be confirmed by the digital certificate. Message authentication code is used for message integrity
verification.

55) An application-level gateway is the best way to protect against hacking because it can define
detailed rules that describe the type of user or connection that is or is not permitted. It analyzes in detail
each packet, not only in layers one through four of the OSI model but also layers five through seven,
which means that it reviews the commands of each higher-level protocol (Hypertext Transfer
Protocol [HTTP], File Transfer Protocol [FTP], Simple Network Management Protocol [SNMP], etc.). For
a remote access server, there is a device (server) that asks for a username and password before
entering the network. This is good when accessing private networks, but it can be mapped or scanned
from the Internet, creating a security exposure. Proxy servers can provide protection based on the IP
address and ports. However, an individual is needed who really knows how to do this, and applications
can use different ports for the different sections of the program. Port scanning works when there is a
very specific task to complete, but not when trying to control what comes from the Internet, or when all
the ports available need to be controlled. For example, the port for Ping (echo request) could be blocked
and the IP addresses would be available for the application and browsing, but would not respond to
Ping.
56) Firewall - In computing, a firewall is a software or hardware-based network security system
that controls the incoming and outgoing network traffic by analyzing the data packets and
determining whether they should be allowed through or not, based on a rule set. A firewall
establishes a barrier between a trusted, secure internal network and another network (e.g.,
the Internet) that is not assumed to be secure and trusted. The objective of a firewall is to
protect a trusted network from an untrusted network; therefore, locations needing firewall
implementations would be at the existence of the external connections.

Many personal computer operating systems include software-based firewalls to protect against
threats from the public Internet. Many routers that pass data between networks contain firewall
components and, conversely, many firewalls can perform basic routing functions.

57) Biometrics Terminology:

a) false acceptance rate or false match rate (FAR or FMR): the probability that the
system incorrectly matches the input pattern to a non-matching template in the database.
It measures the percent of invalid inputs which are incorrectly accepted.
b) false rejection rate or false non-match rate (FRR or FNMR): the probability that the
system fails to detect a match between the input pattern and a matching template in the
database. It measures the percent of valid inputs which are incorrectly rejected.
c) equal error rate or crossover error rate (EER or CER): the rate at which both accept
and reject errors are equal. A low EER is a combination of a low FRR and a low FAR. EER,
expressed as a percentage, is a measure of the number of times that the FRR and FAR are equal.
A low EER is the measure of the more effective biometrics control device. Low FRRs or low FARs
alone do not measure the efficiency of the device.

Hence, the BEST overall quantitative measure of the performance of biometric control devices is
EER.
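A worked illustration of item 57, added here and not part of the original notes: it computes FAR and FRR across decision thresholds for two hypothetical devices with constructed match scores, finds each device's EER, and shows why a low FAR at one threshold alone does not make a device the better one.

```python
# Added example (not from the CISA notes): FAR, FRR and EER from constructed match scores.
from typing import Dict, List, Tuple

# Constructed sample match scores for two hypothetical devices (0 = no match, 1 = perfect).
# "genuine" = scores produced by enrolled users, "impostor" = scores produced by non-enrolled users.
DEVICES: Dict[str, Dict[str, List[float]]] = {
    "A": {
        "genuine": [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.74, 0.71, 0.66, 0.58],
        "impostor": [0.12, 0.21, 0.28, 0.35, 0.41, 0.47, 0.55, 0.62, 0.69, 0.77],
    },
    "B": {
        "genuine": [0.95, 0.90, 0.60, 0.55, 0.50, 0.45, 0.40, 0.35, 0.30, 0.25],
        "impostor": [0.05, 0.10, 0.15, 0.20, 0.22, 0.24, 0.33, 0.37, 0.42, 0.48],
    },
}


def far(impostor: List[float], threshold: float) -> float:
    """False acceptance rate: share of impostor inputs scored at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: List[float], threshold: float) -> float:
    """False rejection rate: share of genuine inputs scored below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def equal_error_rate(genuine: List[float], impostor: List[float],
                     steps: int = 1000) -> Tuple[float, float]:
    """Sweep the decision threshold over [0, 1] in `steps` increments and return
    (threshold, EER): the error rate at the first threshold where FAR and FRR are
    closest (they meet exactly for the constructed data above)."""
    best_gap, best_t, best_eer = None, 0.0, 0.0
    for i in range(steps + 1):
        t = i / steps
        a, r = far(impostor, t), frr(genuine, t)
        gap = abs(a - r)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, best_eer = gap, t, (a + r) / 2
    return best_t, best_eer


def rank_devices(devices: Dict[str, Dict[str, List[float]]] = DEVICES) -> List[Tuple[str, float]]:
    """Rank devices by EER, lowest (most effective) first."""
    ranking = [(name, equal_error_rate(d["genuine"], d["impostor"])[1])
               for name, d in devices.items()]
    return sorted(ranking, key=lambda item: item[1])


if __name__ == "__main__":
    # At a fixed threshold of 0.70 device B shows the lower FAR, yet its EER is worse:
    # a single-threshold FAR or FRR does not measure the device's overall effectiveness.
    for name, d in DEVICES.items():
        t, eer = equal_error_rate(d["genuine"], d["impostor"])
        print(f"device {name}: FAR@0.70={far(d['impostor'], 0.70):.2f} "
              f"FRR@0.70={frr(d['genuine'], 0.70):.2f} EER={eer:.2f} at threshold {t:.3f}")
    print("best device by EER:", rank_devices()[0][0])
```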

58) ITAF (IT Assurance Framework) – Pg 42 of CRM’12

ITAF includes three categories of standards – general, performance and reporting.

59) Current ISACA IT audit and assurance standards include the following general standards:

- S2 Independence
- S3 Professional Ethics and Standards
- S4 Competence
- S6 Performance of Audit work

60) Current ISACA IT audit and assurance standards include the following performance standards:

- S1 Audit charter
- S5 Planning
- S9 Irregularities and Illegal Acts
- S10 IT Governance
- S11 Use of Risk Assessment in Audit Planning
- S12 Audit Materiality
- S13 Using the work of other experts
- S14 Audit Evidence
- S15 IT Controls
- S16 E-Commerce

61) Voice over IP (voice over Internet Protocol, VoIP) is a methodology and group of
technologies for the delivery of voice communications and multimedia sessions over Internet
Protocol (IP) networks, such as the Internet. VoIP services utilize existing broadband
Internet access, by which subscribers place and receive telephone calls in much the same
manner as they would via the public switched telephone network (PSTN).
62) A Session Border Controller (SBC) is a device regularly deployed in Voice over Internet
Protocol (VoIP) networks to exert control over the signaling and usually also the media
streams involved in setting up, conducting, and tearing down telephone calls or other
interactive media communications. To protect a VoIP infrastructure against a denial-
of-service attack, it is MOST important to secure the SBC.
63) Honeypots - A honeypot is a trap set to detect, deflect, or in some manner counteract attempts
at unauthorized use of information systems. Generally it consists of a computer, data, or a
network site that appears to be part of a network, but is actually isolated and monitored, and
which seems to contain information or a resource of value to attackers. Honeypots act as
decoys to detect active Internet attacks.
64) Traffic analysis is the process of intercepting and examining messages in order to deduce
information from patterns in communication. It can be performed even when the messages
are encrypted and cannot be decrypted. In general, the greater the number of messages
observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic
analysis can be performed in the context of military intelligence or counter-intelligence, and is
a concern in computer security.
65) An IS auditor has just completed a review of an organization that has a mainframe
and a client-server environment where all production data reside. The weakness that
would be considered most serious is that password controls are not administered over the client-
server environment.

66) A utility is available to update critical tables in case of data inconsistency. This utility
can be executed at the OS prompt or as one menu option in an application. The BEST
control to mitigate the risk of unauthorized manipulation of data is to provide access to
the utility on a need-to-use basis.

67) To address a maintenance problem, a vendor needs remote access to a critical
network. The MOST secure and effective solution is to provide the vendor with
a secure shell (SSH-2) tunnel for the duration of the problem.

Secure Shell (SSH) is a cryptographic network protocol for secure data communication,
remote command-line login, remote command execution, and other secure network services between
two networked computers that connects, via a secure channel over an insecure network, a server and
a client (running SSH server and SSH client programs, respectively). The protocol specification
distinguishes between two major versions that are referred to as SSH-1 and SSH-2.

68) The MOST appropriate way to ensure the confidentiality of transactions initiated via the
Internet is public key encryption.
69) In the event of a data center disaster, the MOST appropriate strategy to enable
complete recovery of a critical database is Real-time replication to a remote site.
70) A PRIMARY objective of testing a business continuity plan (BCP) is to identify
limitations of the BCP.