1. Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.
2. Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
3. Conduct audits in accordance with IS audit standards to achieve planned audit objectives.
4. Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to promote change when necessary.
5. Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely manner.

Domain 2—Governance and Management of IT (16%)
1. Evaluate the IT strategy, including IT direction, and the processes for the strategy's development, approval, implementation and maintenance for alignment with the organization's strategies and objectives.
2. Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization's strategies and objectives.
3. Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization's strategies and objectives.
4. Evaluate the organization's IT policies, standards and procedures, and the processes for their development, approval, release/publishing, implementation and maintenance to determine whether they support the IT strategy and comply with regulatory and legal requirements.
5. Evaluate IT resource management, including investment, prioritization, allocation and use, for alignment with the organization's strategies and objectives.
6. Evaluate IT portfolio management, including investment, prioritization and allocation, for alignment with the organization's strategies and objectives.
7. Evaluate risk management practices to determine whether the organization's IT-related risk is identified, assessed, monitored, reported and managed.
8. Evaluate IT management and monitoring of controls (e.g., continuous monitoring, quality assurance [QA]) for compliance with the organization's policies, standards and procedures.
9. Evaluate monitoring and reporting of IT key performance indicators (KPIs) to determine whether management receives sufficient and timely information.
10. Evaluate the organization's business continuity plan (BCP), including alignment of the IT disaster recovery plan (DRP) with the BCP, to determine the organization's ability to continue essential business operations during the period of an IT disruption.

Domain 3—Information Systems Acquisition, Development and Implementation (18%)
1. Evaluate the business case for the proposed investments in information systems acquisition, development, maintenance and subsequent retirement to determine whether the business case meets business objectives.
2. Evaluate IT supplier selection and contract management processes to ensure that the organization's service levels and requisite controls are met.
3. Evaluate the project management framework and controls to determine whether business requirements are achieved in a cost-effective manner while managing risk to the organization.
4. Conduct reviews to determine whether a project is progressing in accordance with project plans, is adequately supported by documentation, and has timely and accurate status reporting.
5. Evaluate controls for information systems during the requirements, acquisition, development and testing phases for compliance with the organization's policies, standards, procedures and applicable external requirements.
6. Evaluate the readiness of information systems for implementation and migration into production to determine whether project deliverables, controls and the organization's requirements are met.
7. Conduct post-implementation reviews of systems to determine whether project deliverables, controls and the organization's requirements are met.

Domain 4—Information Systems Operations, Maintenance and Service Management (20%)
1. Evaluate the IT service management framework and practices (internal or third party) to determine whether the controls and service levels expected by the organization are being adhered to and whether strategic objectives are met.
2. Conduct periodic reviews of information systems to determine whether they continue to meet the organization's objectives within the enterprise architecture (EA).
3. Evaluate IT operations (e.g., job scheduling, configuration management, capacity and performance management) to determine whether they are controlled effectively and continue to support the organization's objectives.
4. Evaluate IT maintenance (patches, upgrades) to determine whether they are controlled effectively and continue to support the organization's objectives.
5. Evaluate database management practices to determine the integrity and optimization of databases.
6. Evaluate data quality and life cycle management to determine whether they continue to meet strategic objectives.
7. Evaluate problem and incident management practices to determine whether problems and incidents are prevented, detected, analyzed, reported and resolved in a timely manner to support the organization's objectives.
8. Evaluate change and release management practices to determine whether changes made to systems and applications are adequately controlled and documented.
9. Evaluate end-user computing to determine whether the processes are effectively controlled and support the organization's objectives.
10. Evaluate IT continuity and resilience (backups/restores, disaster recovery plan [DRP]) to determine whether they are controlled effectively and continue to support the organization's objectives.

6. Evaluate the information security program to determine its effectiveness and alignment with the organization's strategies and objectives.
5. SDLC Phases
Phase 1: Feasibility Study
i. Goal: determine the strategic benefits to be accomplished and the anticipated payback schedule of the project.
ii. Constructive Cost Model: a method to estimate the effort, schedule, and cost of developing a new software application.
   Source lines of code: forecasts the estimate by counting the individual lines of program source code regardless of the embedded design quality.
   Function point analysis: divide program functions into classes and rank them by complexity. Based on complexity, the estimate of work is calculated.
iii. Statement of work: a formal approval by the executive management to grant the go-ahead of the project and compel cooperation.
iv. Auditor should focus on the initial needs analysis and ensure the risk mitigation strategy is in place.
Phase 2: Requirements Definition
i. Goal: define inputs, outputs, current environment, and proposed interaction. The specification is defined in this step.
ii. Entity-relationship diagram: defines high-level relationships between the entities, as well as a data dictionary that standardizes the terms of reference for each data element in the database.
iii. Auditor's interest: project plan and estimated costs have been approved, and requirements include sufficient security (not using default configuration) to protect the data classified in the record management system.
Phase 3: System Design and Selection
i. Goal: To plan a solution by using the objectives from phase 1 and the specification from phase 2. The client has to determine whether to build the system in-house or buy the hardware.
ii. Best time for software developers to work directly with the user.
iii. Cost estimates are compared to the assumptions made.
iv. Auditor's interest: verifying that processing and output controls are incorporated into the system.
Phase 4: Development
i. Goal: Prototypes are built for functional testing, and user acceptance testing occurs during this stage.
ii. Software testing methods:
   White-box (or crystal-box) testing: assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's logic paths. Verifying that the program can operate successfully with other parts of the system is sociability testing.
   Black-box testing: the process is to put data through the system to see whether the results come out as expected. Tests the program's functionality without knowledge of internal structures.
   Sand-box testing: Controlled testing of programs in a semi-debugged environment, either heavily controlled step-by-step or via monitoring in virtual machines.
   Functional, or validation, testing: compares the system against the desired functional requirements to determine if the product has met our objectives for its intended use.
   Regression testing: ensures that a change does not create a new problem or conflict with other functions in the program. It is part of the quality control process.
iii. Auditor objective:
   Verify that a quality control process has been used to develop the computer program.
   Programs have undergone debugging with formal testing, and supporting documentation has been created to assure system integrity and production use.
   The finished software capabilities have been verified for compliance with the original objective and have acquired user acceptance.
Phase 5: Implementation
i. Goal: Final acceptance testing begins, and users are trained in the new system. System testing is undertaken by the developer team to determine if the software meets user requirements per specifications.
ii. Certification: a technical process of testing against a known reference.
iii. Accreditation: an administrative process based on management's comfort level with demonstrated performance or fitness of use. The purpose is to hold a management executive responsible to ensure corporate governance.
iv. User training: system custodians need to be trained for normal operations and emergency procedures.
v. Go live:
   Parallel operations: lowest risk
   Phased changeover: best suited to an upgrade or conversion; it has modest risk
   Hard changeover: highest level of risk
vi. Program-to-program passwords in static configuration files should be documented, and ensure privileged passwords are listed for rotation.
Phase 6: Postimplementation
i. Goal: Compare performance metrics to the original objective, and implement requests for new requirements, updates, or disposal.
ii. ROI calculation to compare cost to the actual benefit received.
iii. Periodic reviews and monitoring procedures are necessary to verify that the system is maintained in a manner that supports the original objectives and controls.
Phase 7: Disposal
i. Goals: Archive old data, and management signs a formal authorization for the disposal, accepting liability.

6. A generation language may refer to any of the following:
1GL: low-level languages that are machine language.
2GL: also low-level assembly languages. They are sometimes used in kernels and hardware drivers, but more commonly used for video editing and video games.
3GL: English-like statement languages, such as C, C++, Java, JavaScript, and Visual Basic.
4GL: English-like statement languages with an embedded database. Fourth generation languages are commonly used in database programming and scripts; examples include Perl, PHP, Python, Ruby, and SQL.
The fifth-generation languages, or 5GL, are programming languages that contain artificial intelligence, that is, learning systems. Examples of fifth generation languages include Mercury, OPS5, and Prolog.

7. Alternative development techniques:
Agile development method
i. Uses time-box management techniques to force individual iterations of a prototype in a short time span by allowing programmers to start writing a program using lots of trial and error without spending time on preplanning documentation.
ii. It is designed for use by small teams of talented programmers.
iii. However, it does not scale very well.
iv. An ongoing team learning process to refine project management.
v. It places greater reliance on the undocumented knowledge contained in a person's head.
Rapid application development method
i. Well-defined methodology that works for a small, well-trained team
ii. Uses a 4GL programming language
Heuristic (prototyping) development
i. Combines the best of the SDLC with an iterative approach that enables developer and customer to react to risks at each iteration
ii. Focuses on prototyping screens and reports

8. Data Architecture
Database architecture
i. Data-oriented database: Data entries have fixed length and format; thus, the information is predictable. It is used when the structure and format of the data are well known and predictable.
ii. Object-oriented database: Data entries may be unpredictable as there is no fixed format. Each programmed object has its own data for reference and its own method of accomplishing a required task.
iii. ACID model for database integrity:
   Atomicity guarantees that either the entire transaction is processed or none of it is.
   Consistency ensures that the database is in a legal state when the transaction begins and ends.
   Isolation means that, while in an intermediate state, the transaction data is invisible to external operations.
   Durability guarantees that a successful transaction will persist and cannot be undone.
Decision support system
i. Reference by context: value = low; supplies answers based on an estimated level of reference.
ii. Colleague, or associate, level: provides tedious calculation support but leaves the real decisions to the user.
iii. Expert level: written by capturing specialized data from a person who has been performing the desired work for 20 or 30 years.
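Added worked example for the ACID model above (not part of the original notes): each of the four properties is exercised against SQLite, which ships with Python. The account table, the balances and the CHECK constraint that defines the "legal state" are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

# Added example (not from the notes): exercising the four ACID properties against
# SQLite. Account names, balances and the CHECK constraint are constructed.


def _setup(path):
    # isolation_level=None puts the connection in autocommit mode, so every
    # transaction boundary below is an explicit BEGIN / COMMIT / ROLLBACK.
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute(
        "CREATE TABLE account ("
        "  name TEXT PRIMARY KEY,"
        "  balance INTEGER NOT NULL CHECK (balance >= 0))"   # the 'legal state' rule
    )
    conn.execute("INSERT INTO account VALUES ('alice', 100), ('bob', 50)")
    return conn


def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst as one unit. True if committed, False if rolled back."""
    conn.execute("BEGIN")
    try:
        conn.execute("UPDATE account SET balance = balance - ? WHERE name = ?", (amount, src))
        conn.execute("UPDATE account SET balance = balance + ? WHERE name = ?", (amount, dst))
        conn.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        # Consistency: the CHECK constraint rejects the overdraw.
        # Atomicity: any part of the transfer that already ran is undone with it.
        conn.execute("ROLLBACK")
        return False


def balances(conn):
    return dict(conn.execute("SELECT name, balance FROM account ORDER BY name").fetchall())


def demo():
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        writer = _setup(path)
        reader = sqlite3.connect(path, isolation_level=None)
        out = {}

        # Atomicity + consistency: alice cannot send 500 from a balance of 100.
        out["overdraw_committed"] = transfer(writer, "alice", "bob", 500)
        out["after_overdraw"] = balances(writer)

        # Isolation: a second connection never sees the half-finished transfer.
        writer.execute("BEGIN")
        writer.execute("UPDATE account SET balance = balance - 30 WHERE name = 'alice'")
        out["reader_mid_transaction"] = balances(reader)
        writer.execute("UPDATE account SET balance = balance + 30 WHERE name = 'bob'")
        writer.execute("COMMIT")
        out["reader_after_commit"] = balances(reader)

        # Durability: close everything and reopen the file; the commit survived.
        writer.close()
        reader.close()
        reopened = sqlite3.connect(path)
        out["after_reopen"] = balances(reopened)
        reopened.close()
        return out
    finally:
        os.remove(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The reader connection in the isolation step reads the committed file contents while the writer still holds its uncommitted change, which is exactly the "intermediate state is invisible" guarantee; the reopen at the end shows the committed state surviving the loss of every connection.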
Domain 4—Information Systems Operations, Maintenance and Service Management
1. Personnel roles and responsibility

Job Role | Authorized Changes | Production Library Access | Development Library Access | Security Administration | Execute Production Configuration Changes
System user (End user) | Approve | Use | No | No | No
System administration (Custodian) | Request | Monitor/Control | No | Implement | When approved
Security administration (Custodian) | Approve | No | No | Specify control | No
Programming/development | Request | No | Create software | No | No
Change testing | Test only (use isolated test) | No | No | Test only (use isolated test) | No
Change control | Approve | No | No | No | No

Information security management: ensures confidentiality, integrity, and availability of computing resources.
i. Chief information security officer: defines and enforces security policies for the organization, and reviews them periodically.
ii. Chief privacy officer: protecting confidential information.
iii. Information systems security manager: day-to-day process of ensuring compliance for system security.
iv. Data owner: responsible for data content and authorization.
v. Data custodian: responsible for safeguarding and availability of data.
Compensating controls: goal is to reduce errors or omissions when the preferred control cannot be implemented.
i. Job rotation
ii. Audit / reconciliation
iii. Exception report
iv. Transaction logs
v. Supervisor review

2. System access controls
Privileged login accounts security control:
i. Password must be changed every 30 days
ii. Retired passwords are to be backed up and protected in a controlled environment that is offsite
iii. Default login accounts should be disabled
Required data protection controls:
i. Standing data controls: require additional controls such as storage in encrypted format
ii. System control parameters: used to customize the configuration settings and software application
iii. Logical access controls: direct access through open database connectivity should be prohibited, and all access to data files should be forced through authentication in a user rights management program (application processing control)
iv. Transaction processing controls: should be controlled with authentication and validation checks
Process control:
i. Batch totals: compare output
ii. Total number of items: ensure each item was processed
iii. Transaction logs: record activity
iv. Run-to-run total: verify data values during the different stages of processing
v. Limit checks
vi. Exception reporting
vii. Job cost accounting
Mobile software

Low Risk | Moderate Risk | High Risk
PDF | Applets | ActiveX
Adobe Flash | PostScript |
JavaScript | Visual Basic |

i. ActiveX places no restrictions on what the programmer can do.
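Added worked example for the process controls listed above (not part of the original notes): batch totals, item counts, run-to-run totals, a limit check, exception reporting and a transaction log, applied to a constructed batch of payment items. The batch header, the amounts (in cents) and the per-item limit are assumed values.

```python
from dataclasses import dataclass

# Added example (not from the notes): the batch-input and processing controls
# listed above, run over a constructed batch of payment items. Amounts are in cents.


@dataclass(frozen=True)
class Item:
    item_id: str
    account: str
    amount: int


# Control header the submitting department attaches to the batch (constructed).
HEADER = {"item_count": 4, "control_total": 41_500}

BATCH = [
    Item("T1", "A-100", 12_000),
    Item("T2", "A-200", 4_500),
    Item("T3", "A-300", 25_000),   # above the per-item limit: rejected by the limit check
    Item("T4", "A-400", 0),        # zero-value item: posted, but listed on the exception report
]

PER_ITEM_LIMIT = 20_000   # assumed policy value


def input_controls(header, batch):
    """Batch total and item count must both reconcile to the header before anything is posted."""
    return {
        "count_ok": len(batch) == header["item_count"],
        "total_ok": sum(i.amount for i in batch) == header["control_total"],
    }


def limit_check(batch, limit=PER_ITEM_LIMIT):
    return [i.item_id for i in batch if i.amount > limit]


def exception_report(batch):
    """Items that went through but need human review."""
    return [i.item_id for i in batch if i.amount <= 0]


def process_batch(header, batch, limit=PER_ITEM_LIMIT):
    log = []                                          # transaction log: every decision is recorded
    result = {"input_controls": input_controls(header, batch)}
    if not all(result["input_controls"].values()):
        result["status"] = "REJECTED_AT_INPUT"         # nothing is posted from a batch that does not balance
        log.append(("batch", "rejected", "control totals do not reconcile"))
        result["log"] = log
        return result

    stage1_total = sum(i.amount for i in batch)       # run-to-run: total carried into validation
    over = set(limit_check(batch, limit))
    accepted = [i for i in batch if i.item_id not in over]
    rejected = [i for i in batch if i.item_id in over]
    for i in batch:
        log.append((i.item_id, "rejected" if i.item_id in over else "posted", i.amount))

    # Run-to-run total: what leaves validation (posted + rejected) must equal what entered it.
    stage2_total = sum(i.amount for i in accepted) + sum(i.amount for i in rejected)
    result["run_to_run_ok"] = stage1_total == stage2_total
    result["limit_exceptions"] = sorted(over)
    result["exception_report"] = exception_report(accepted)
    result["posted_total"] = sum(i.amount for i in accepted)
    result["status"] = "POSTED"
    result["log"] = log
    return result


if __name__ == "__main__":
    print(process_batch(HEADER, BATCH))
    print(process_batch({"item_count": 4, "control_total": 41_000}, BATCH)["status"])
```

A header whose control total does not match the items stops the batch before any item is posted; a limit breach rejects only that item, and the run-to-run total proves that nothing was silently dropped between the input and validation stages.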
3. Business Continuity Plan
The strategy for which the sum of downtime cost and recovery cost is the lowest is the optimal strategy.
Components
i. DRP plan: It is critical to initially identify information assets that can be made more resilient to disasters.
ii. Plan to restore operations to normal following a disaster
iii. Improvement of security operations
BCP Lifecycle
i. Create BCP policy
ii. Business Impact Analysis (BIA) should be conducted with input from a wide array of stakeholders, and identifies:
   Protecting human resources during a disaster-related event should be addressed first.
   Different business processes & criticality
   Critical IS resources supporting critical business processes
   Critical recovery period before significant losses occur
   A determination of acceptable downtime is made
iii. Classification of operations and criticality
iv. Identify IS processes that support business criticality
v. Develop BCP and IS DRP
vi. Develop resumption procedures
vii. Training and awareness programs
viii. Test and implement plan
ix. Monitoring: Periodic testing of the recovery plan is critical to ensure that whatever has been planned and documented is feasible.
Terms
i. Recovery point objective (RPO) – based on acceptable data loss; earliest time in which it is acceptable to recover; date/time or synchronization point to which systems/data will be restored.
ii. Recovery time objective (RTO) – based on acceptable downtime; earliest time when business operations must resume.
iii. Interruption window – how long a business can wait before operations resume (after this point, losses are unaffordable)
iv. Maximum tolerable outage (MTO) – maximum time the business can operate in alternate processing mode before other problems occur
v. Service delivery objective (SDO) – acceptable level of services required during alternate processing

Recovery Alternatives
i. Hot site – fully configured and ready to operate within hours. Not for extended use.
ii. Warm site – partially configured. Site ready in hours, operations ready in days or weeks.
iii. Cold site – has basic utilities, ready in weeks.
iv. Redundant site – dedicated, self-developed sites.
v. Mobile site – data center in a box
vi. Reciprocal agreements with other businesses

4. The IS auditor might need to review specific reports associated with availability and response. This list identifies log types and characteristics:
System logs identify the activities performed on a system and can be analyzed to determine the existence of unauthorized access to data by a user or program.
The review of abnormal job-termination reports should identify application jobs that terminated before successful completion.
Operator problem reports are used by operators to log computer operations problems and their solutions. Operator work schedules are maintained by IS management to assist in human resource planning.
Capacity-monitoring software that monitors usage patterns and trends enables management to properly allocate resources and ensure continuous efficiency of operations.
Network-monitoring devices are used to capture and inspect network traffic data. The logs from these devices can be used to inspect activities from known or unknown users to find evidence of unauthorized access.
System downtime provides information regarding the effectiveness and adequacy of computer preventive maintenance programs and can be very helpful to an IS auditor when determining the efficacy of a systems-maintenance program.
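Added worked example for the system-log and abnormal-job-termination reviews in item 4 above (not part of the original notes): the review logic is run over constructed sample records. The host, user names, file paths, the job report layout and the access list are all assumed for the demonstration.

```python
import re

# Added example (not from the notes): review logic for two of the report types above,
# run over constructed sample records. Hosts, users, paths and the access list are assumed.

SYSTEM_LOG = """\
2024-03-01T08:02:11 host1 app: user alice read file /data/payroll.csv
2024-03-01T22:15:10 host1 app: user svc_backup read file /data/payroll.csv
2024-03-01T23:41:30 host1 app: user mallory read file /data/payroll.csv
2024-03-01T23:50:02 host1 app: user alice read file /data/public/notice.txt
"""

JOB_REPORT = """\
JOB=nightly_gl    START=2024-03-01T23:00 END=2024-03-01T23:20 STATUS=0
JOB=payroll_post  START=2024-03-01T23:30 END=2024-03-01T23:31 STATUS=12
JOB=ar_aging      START=2024-03-01T23:45 END=                 STATUS=
"""

# Who is authorized to read each file (assumed). Files absent from the list are unrestricted.
ACCESS_LIST = {"/data/payroll.csv": {"alice", "svc_backup"}}

ACCESS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) \S+: user (?P<user>\S+) read file (?P<path>\S+)$")
JOB_RE = re.compile(r"^JOB=(?P<job>\S+)\s+START=(?P<start>\S+)\s+END=(?P<end>\S*)\s+STATUS=(?P<status>\S*)$")


def unauthorized_reads(log_text, access_list=ACCESS_LIST):
    """System-log review: reads of a restricted file by a user not on its access list."""
    findings = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        allowed = access_list.get(m["path"])
        if allowed is not None and m["user"] not in allowed:
            findings.append((m["ts"], m["user"], m["path"]))
    return findings


def abnormal_terminations(report_text):
    """Job-termination review: jobs that ended with a non-zero status or never recorded an end."""
    findings = []
    for line in report_text.splitlines():
        m = JOB_RE.match(line)
        if not m:
            continue
        if not m["end"] or not m["status"]:
            findings.append((m["job"], "no completion recorded"))
        elif m["status"] != "0":
            findings.append((m["job"], f"exit status {m['status']}"))
    return findings


if __name__ == "__main__":
    for finding in unauthorized_reads(SYSTEM_LOG):
        print("UNAUTHORIZED READ:", finding)
    for finding in abnormal_terminations(JOB_REPORT):
        print("ABNORMAL TERMINATION:", finding)
```

The second check deliberately treats a missing end time or missing status as a finding rather than as "still running": a job that silently never completed is exactly what the abnormal-termination report exists to surface.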
Information Systems Operations, Maintenance and Service Management Laye Name Example protocols Function
1. Redundant Array of Inexpensive/Independent Disks (RAID) r
Level 0 Striping: It makes several disks appear as one big disk. It has the to provide error correction.
best performance, but data loss is likely. ii. Unconfirmed delivery: User
Level 1: Disk mirroring, all the data is written to at least two separate Datagram Protocol (UDP). It
physical disks to prevent data loss. However, it cuts usable space in half. is faster with less overhead.
Level 2 – Hamming code ECC – interweaving data based on hamming code 3 Network IP, ARP, ICMP, This layer handles addressing
(EXPENSIVE and rare; hardware based, resource intensive) Layer IPSec and routing the data -- sending it
Level 3 – parallel transfer with parity; at least 2 striped data drives with 1 in the right direction to the right
for parity (faster in HW) destination.
Level 5 – block level; the most commonly used method. It uses less disk 2 Data Link PPP, ATM, It focuses on establishing data
space than RAID-1 for the same amount of usable storage. It is cheap yet Layer Ethernet, Switches communications via hardware
provides the best overall read and write performance. device drivers and the
Level 6 – It uses independent disks with a very high transfer rate, and it is transmit/receive function
very expensive. The disks in the same string appear as one large disk. 1 Physical Ethernet, USB, The physical layer is responsible
Level 10 – high reliability & performance; at least 4 drives, stripes level 1 Layer Bluetooth, for sending computer bits from
segments; hi I/O IEEE802.11 one device to another along the
Level 0 + 1 – High transfer rate; striped plus mirror; losing 2 drives = major network.
data loss
3. Network cables & topologies
2. Open Systems Interconnection Model: a conceptual model that characterizes Topologies
and standardizes the communication functions of a telecommunication or i. Bus: uses coaxial cable but runs the risk of interrupted transmission
computing system without regard to its underlying internal structure and since computers are linked together with one cable.
technology. ii. Star: computers are connected to a network hub (or switch) with
Laye Name Example protocols Function additional cables. It offers flexibility but higher cost on more cables.
r iii. Ring: allows the redundant path to create a fault-tolerant network.
7 Application HTTP, FTP, DNS, Where user interact directly with iv. Meshed: has alternate connections for major backbone point on the
Layer SNMP, Telnet the software application and network. It also has higher cost of implementation.
calculation. Cable types:
6 Presentation SSL, TLS Handles data and encryption; i. Coaxial: for longer distance and in areas prone to electrical interference
Layer also translates in the format all or for outdoor connections.
computers can understand. ii. Unshielded twisted-pair cable: inexpensive and is commonly used in
5 Session NetBIOS, PPTP It is where communications star topologies.
Layer between systems are managed. iii. Fiber optic cable: has an extremely wide bandwidth but is expensive
4 Transport TCP, UDP This layer specifies the method and fragile glass strands.
Layer of delivery.
i. Confirmed delivery: TCP 4. IDP vs. IDS
connection; however, slower
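Added worked example for the RAID levels above (not part of the original notes): a byte-level model of RAID 5 striping with rotating XOR parity, showing why one failed disk can be rebuilt from the survivors while a second failure means data loss, and why the parity overhead is one disk's worth of space rather than the half that mirroring costs. The disk count, block size and sample data are constructed.

```python
# Added example (not from the notes): a byte-level model of RAID 5 striping with
# rotating XOR parity. Disk count, block size and the sample data are constructed.


def xor_blocks(blocks):
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data, n_disks=4, block=4):
    """Stripe `data` over n_disks; each stripe holds n_disks-1 data blocks plus one parity block."""
    per_stripe = (n_disks - 1) * block
    padded = data + b"\0" * (-len(data) % per_stripe)
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // per_stripe):
        chunk = padded[s * per_stripe:(s + 1) * per_stripe]
        data_blocks = [chunk[i * block:(i + 1) * block] for i in range(n_disks - 1)]
        parity = xor_blocks(data_blocks)
        parity_disk = s % n_disks          # parity rotates so no single disk is the write bottleneck
        it = iter(data_blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(it))
    return disks


def rebuild_possible(disks):
    """RAID 5 survives exactly one missing disk (a None entry)."""
    return sum(d is None for d in disks) <= 1


def raid5_read(disks, length):
    """Read back `length` bytes; a disk that is None is treated as failed and rebuilt from parity."""
    if not rebuild_possible(disks):
        raise RuntimeError("RAID 5 survives one disk failure; two lost disks mean data loss")
    n = len(disks)
    failed = [d for d in range(n) if disks[d] is None]
    stripes = len(next(d for d in disks if d is not None))
    out = bytearray()
    for s in range(stripes):
        parity_disk = s % n
        blocks = [None if disks[d] is None else disks[d][s] for d in range(n)]
        if failed:
            # XOR of every other block in the stripe (data and parity) reproduces the missing one.
            f = failed[0]
            blocks[f] = xor_blocks([b for i, b in enumerate(blocks) if i != f])
        out += b"".join(b for i, b in enumerate(blocks) if i != parity_disk)
    return bytes(out[:length])


def usable_fraction(n_disks):
    """RAID 5 capacity: one disk's worth of parity, versus half the space for RAID 1."""
    return (n_disks - 1) / n_disks


if __name__ == "__main__":
    data = b"CISA notes: RAID 5 parity demo"
    disks = raid5_write(data)
    disks[2] = None                                  # simulate losing the third disk
    print(raid5_read(disks, len(data)) == data)      # True: rebuilt from parity
```

The rebuild works because every stripe's blocks XOR to zero; that identity holds for any one missing block but not for two, which is the gap RAID 6's second parity block closes.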
A host-based intrusion prevention system (IPS) prevents unauthorized changes to the host.
A network-based intrusion detection system (IDS) relies on attack signatures based on known exploits and attack patterns.
i. Statistical: calculation of network traffic and the load on a computer
ii. Signature: known patterns and techniques
iii. Neural: learning network
iv. Honey bits, pot, net: sacrificial files, server, or subnet

5. Firewall
Designs
iv. Screened host implementation: a single host computer reached through the firewall. It is expected that the host computer will be attacked.
v. Dual-homed host: A special software application relays appropriate communication between the two interface cards.
vi. Screened subnet (DMZ design): allows for several computers to be placed in a protected subnet that is accessible from the outside and by systems inside the network.
vii. Stateful inspection: collects the history and nature of the connectionless requests to determine whether the remote request should be transmitted to the destination computer or discarded as hazardous.
Types of Firewall
i. Out of all types of firewall, the Application-Level Firewall provides the greatest security (as it works on the application layer of the OSI model).
ii. In any given scenario, the most robust firewall rule configuration is 'deny all traffic and allow specific traffic' (as against 'allow all traffic and deny specific traffic').
iii. A Stateful Inspection Firewall allows traffic from outside only if it is in response to traffic from internal hosts.

Firewall | OSI Layer
Application Level | Application Layer
Circuit Level | Session Layer
Stateful Inspection | Network Layer
Packet Filtering Router | Network Layer

6. In any given scenario, the following are the best practices for Wireless (Wi-Fi) security:
Enable MAC (Media Access Control) address filtering.
Enable encryption to protect data in transit.
Disable SSID (service set identifier) broadcasting.
Disable DHCP (Dynamic Host Configuration Protocol).
Security ranking: randomly generated PSK > MAC-based PSK (MAC address is fixed and often accessible) > WEP (very weak encryption technique and can be cracked within minutes) > SSID.
In any given scenario, WPA-2 (Wi-Fi Protected Access) is the strongest encryption standard for the wireless connection.
In any given scenario, confidentiality of the data transmitted in a wireless LAN is BEST protected if the session is encrypted using dynamic keys (as compared to static keys).
Electromagnetic emissions from a terminal can be detected by sophisticated equipment and displayed, thus giving access to data to unauthorized persons.
Configuration management is one of the key components of any network since it establishes how the network will function internally and externally.
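Added worked example for the firewall points above (not part of the original notes): a minimal stateful packet filter that lets a reply in only because the outbound flow was recorded, and that contrasts the 'deny all, allow specific' policy with 'allow all, deny specific' on the same unsolicited inbound packet. The internal address prefix, hosts, ports and rule sets are assumed for the demonstration.

```python
from dataclasses import dataclass

# Added example (not from the notes): a minimal stateful packet filter contrasting
# 'deny all, allow specific' with 'allow all, deny specific'. The network prefix,
# hosts, ports and rule sets are assumed.

INTERNAL_PREFIX = "10.0.0."


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    def __init__(self, allow_rules=(), deny_rules=(), default_deny=True):
        self.allow_rules = list(allow_rules)   # each rule: (direction, proto, dport)
        self.deny_rules = list(deny_rules)
        self.default_deny = default_deny
        self.state = set()                     # flows already admitted, as 5-tuples

    @staticmethod
    def direction(p):
        return "outbound" if is_internal(p.src) and not is_internal(p.dst) else "inbound"

    def filter(self, p):
        # 1. Stateful check: a reply to a flow we already allowed needs no rule of its own.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.state:
            return "ALLOW (established)"
        d = self.direction(p)
        # 2. Explicit rules, deny before allow.
        if any(d == r[0] and p.proto == r[1] and p.dport == r[2] for r in self.deny_rules):
            return "DENY (rule)"
        if any(d == r[0] and p.proto == r[1] and p.dport == r[2] for r in self.allow_rules):
            self.state.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "ALLOW (rule)"
        # 3. The default policy decides everything the rules did not mention.
        if self.default_deny:
            return "DENY (default)"
        self.state.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return "ALLOW (default)"


def demo():
    strict = StatefulFirewall(allow_rules=[("outbound", "tcp", 443), ("inbound", "tcp", 25)])
    loose = StatefulFirewall(deny_rules=[("inbound", "tcp", 23)], default_deny=False)

    outbound_web = Packet("10.0.0.5", 51000, "198.51.100.10", 443)
    web_reply = Packet("198.51.100.10", 443, "10.0.0.5", 51000)
    unsolicited_smb = Packet("203.0.113.7", 40000, "10.0.0.5", 445)
    inbound_mail = Packet("203.0.113.7", 40001, "10.0.0.20", 25)

    return {
        "strict_outbound_web": strict.filter(outbound_web),
        "strict_web_reply": strict.filter(web_reply),            # admitted only via the state entry
        "strict_unsolicited_smb": strict.filter(unsolicited_smb),
        "strict_inbound_mail": strict.filter(inbound_mail),
        "loose_unsolicited_smb": loose.filter(unsolicited_smb),  # the gap an allow-all policy leaves open
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Under the strict policy the only inbound traffic that gets through is what a rule names (mail on 25) or what an internal host asked for; under the loose policy every service that nobody thought to deny is reachable, which is why the notes rank 'deny all, allow specific' as the more robust configuration.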
Domain 5—Protection of Information Assets
1. Security goal and matching control

Security Goal | Primary Control | Failure Consequence
Confidentiality | Data classification; separation of duties; least privilege; controls appropriate in every step of users' business workflow | Unauthorized disclosure; data breach; organization failure
Integrity | Control & trust | Loss of control
Availability | Authentication of allowed users | Unauthorized access with or without detection

An important benefit of a well-defined data classification process would be to lower the cost of protecting data by ensuring that the appropriate controls are applied with respect to the sensitivity of the data.
The IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence.

2. Technical protection
Mandatory access controls: use a set of rules that determines which person (subject) will be allowed to access the data (object). The access privileges are predetermined based on a list.
i. Changed by admins making decisions derived from policy
ii. Example: password complexity requirements
Discretionary access controls: allow a designated individual to decide a broad level of user access. The IS auditor needs to investigate how the decisions are selected, authorized, managed, and reviewed at least annually.
i. Controls that CAN be changed by normal users/data owners
ii. Example: access to a departmental shared folder on a server
Role-based access control: based on job requirement.
Task-based access control: based on task requirement.
Attribute-based access controls: a selective control that is flexible.

3. Application software control: provides security by using a combination of user identity, authentication, authorization, and accountability.
Database view: read restriction placed on particular columns in the database.
Restricted user interface
Security label bypass: a metadata control in MAC control environments that specifies who may access the file and how the file may be used. Additional compensating controls are necessary in certain situations to protect against the bypass of the MAC security level.
Internal access control lists should be used to implement least privilege.

4. Biometrics sensors:
The purpose of biometrics is to provide authentication of the person after they identify themselves.
A biometrics sensor creates a new data template every time the sensor is used, which is compared to the database by the template matcher.
Drawbacks
i. Enrollment failure: the user's sample fails to be accepted by the system
ii. False rejection: the system rejects a legitimate user
iii. Equal error vs. crossover error rate: trade-off between speed & efficiency
iv. Throughput rate: the samples a system can process and still have accuracy; higher-risk situations should have a lower throughput rate.

5. Kerberos single sign-on
Users log in once to Kerberos, and the system authenticates the user and grants access to all resources.
A strong password and strong encryption will improve overall security.

6. Encryption
Methods
i. Private-key: a secret key that is shared between the authorized persons, and the key must be protected with the highest due diligence. A shared key between sender and receiver is referred to as symmetric-key cryptography. It is fast but must be protected with the highest diligence. Advanced encryption standard (AES) is a secure encryption algorithm that is appropriate for encrypting passwords.
ii. Public-key: also known as asymmetric cryptography, uses a public key to encrypt and a private key to decrypt. Using two private keys would not be possible with asymmetric encryption. Asymmetric cryptography is typically used for the transmission of data. It has 4 components:
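Added worked example for the mandatory and discretionary access control points above (not part of the original notes): a label check that only administrators' policy can change, combined with an owner-managed ACL, showing that an ACL grant never bypasses the label and that a cleared user still needs an ACL entry (least privilege). The label ordering and the 'no read up / no write down' rules are the Bell-LaPadula model, assumed here; the users, clearances and files are constructed.

```python
# Added example (not from the notes): how a mandatory label check and a discretionary
# ACL combine. The level ordering and the 'no read up / no write down' rules are the
# Bell-LaPadula model (assumed); names, clearances and files are constructed.

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


class Resource:
    def __init__(self, name, label, owner):
        self.name = name
        self.label = label          # MAC: set by policy, not by the owner
        self.owner = owner
        self.acl = {}               # DAC: user -> set of operations, managed by the owner


def dac_grant(resource, actor, user, ops):
    """Discretionary control: only the designated owner may change the ACL."""
    if actor != resource.owner:
        return False
    resource.acl.setdefault(user, set()).update(ops)
    return True


def mac_allows(clearance, label, op):
    """Mandatory control: no read up, no write down (assumed Bell-LaPadula rules)."""
    s, o = LEVELS[clearance], LEVELS[label]
    return s >= o if op == "read" else s <= o


def dac_allows(resource, user, op):
    return op in resource.acl.get(user, set())


def access(user, clearance, resource, op):
    """Both layers must agree: an ACL grant never overrides the label (no label bypass)."""
    return mac_allows(clearance, resource.label, op) and dac_allows(resource, user, op)


def demo():
    payroll = Resource("payroll.csv", "confidential", owner="hr_lead")
    wiki = Resource("team_wiki.md", "internal", owner="alice")
    dac_grant(payroll, "hr_lead", "alice", {"read", "write"})
    dac_grant(payroll, "hr_lead", "bob", {"read"})      # owner grants, but bob is only cleared 'internal'
    dac_grant(wiki, "alice", "alice", {"read", "write"})
    return {
        "alice_reads_payroll": access("alice", "confidential", payroll, "read"),
        "bob_reads_payroll": access("bob", "internal", payroll, "read"),      # DAC yes, MAC no: denied
        "alice_writes_wiki": access("alice", "confidential", wiki, "write"),  # write down: denied
        "alice_reads_wiki": access("alice", "confidential", wiki, "read"),
        "bob_edits_acl": dac_grant(payroll, "bob", "bob", {"write"}),         # not the owner: refused
        "carol_reads_payroll": access("carol", "secret", payroll, "read"),    # cleared, but no ACL entry
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `bob_reads_payroll` case is the one the notes call a label bypass attempt: the data owner is entitled to add bob to the ACL, but the label decision is not the owner's to make, so the request still fails.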
   Certificate Authority (CA): issues certificates. The primary role of the CA is to authenticate the entity owning a certificate and to confirm the integrity of any certificate it issued.
   Registration authority: bookkeeping and issuing function delegated from the CA
   Certificate revocation list: maintained by the CA to indicate that certificates have expired or are revoked
   Certification practice statement: disclosure document that specifies how a CA will issue certificates
Problems when using encryption
i. Creating and issuing keys requires discipline, or the key can be easily compromised
ii. Separate keys should be used for separate classifications of data
iii. Encryption keys must be rotated
iv. Encryption only protects the output file, not the original source file
v. The system is still vulnerable to attack
Encryption-key management:
i. Proper authorization: never allow users to encrypt files that management cannot decrypt without the user
ii. Encryption keys must be individually managed, tracked (in a library), and unique to each task
iii. Separation of duties:
   Encryption keys need to be generated on a system that is physically and logically isolated from other systems and transferred via read-only media
   Users should never have direct access to encryption keys
iv. The use of specific encryption keys should be limited
v. The use, archiving, and destruction of encryption keys require a formal review
vi. Nonrepudiation, achieved through the use of digital signatures, prevents the senders from later denying that they generated and sent the message.
Digital rights management (DRM): uses public-key encryption to enforce digital rights.
i. Steganography is a technique for concealing the existence of messages or information.

7. Network security protocols
Pretty Good Privacy (PGP): for personal file encryption
Transport Layer Security (TLS): for secure transmission internally and over the Internet. TLS replaced SSL, which was used by most websites. TLS is the preferred method to use for all secure sessions.
Secure Hypertext Transfer Protocol (HTTPS): older versions still use SSL. The newer sites should all use TLS.
Internet Protocol Security (IPsec): a secure network protocol suite that authenticates and encrypts the packets of data sent over an IPv4 network.
A VPN's primary purpose is to protect data in transit using tunnelling.
The Secure Electronic Transaction (SET) protocol provides a method for purchasing over the internet without disclosing the credit card information to the merchant. The buyer will be liable for transactions that involve his/her personal SET certificate.
Email anti-spamming techniques: Bayesian > Heuristic > Signature Based > Pattern Matching

8. Risk assessment
First step is to identify the assets (in some cases, critical processes).
Second step is to identify relevant risk (vulnerability/threat).
Third step is to do impact analysis (qualitative or quantitative).
Fourth step is prioritizing the risk on the basis of impact (IT risk analysis).
Fifth step is to evaluate controls.
Sixth step is to apply appropriate controls.

9. Security Requirements
Authenticity – verification that the message was not changed in transit
Nonrepudiation – verification of origin or receipt of message
Accountability – actions traceable to an entity
Network availability
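Added worked example for the public-key and nonrepudiation points above (not part of the original notes): textbook RSA over two Mersenne primes shows the public key encrypting and the private key decrypting, and a private-key signature over a message digest that verifies for the genuine message and fails for a tampered one. The key size and the reduction of the SHA-256 digest into the toy modulus are illustration-only choices; the message and wrapped session key are constructed.

```python
import hashlib

# Added example (not from the notes): public key encrypts / private key decrypts, and a
# private-key signature that gives nonrepudiation and detects tampering, using textbook
# RSA over two Mersenne primes. Key size and digest truncation are toy choices; a real
# deployment uses 2048-bit keys and a padded signature scheme.

P, Q = 2**31 - 1, 2**61 - 1          # both prime (Mersenne primes M31 and M61)
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                            # public exponent
D = pow(E, -1, PHI)                  # private exponent (modular inverse, Python 3.8+)


def message_digest(msg: bytes) -> int:
    # SHA-256 of the message, reduced into the toy modulus so it can be exponentiated.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes, private_exp: int = D) -> int:
    """Only the holder of the private exponent can produce this value for a given digest."""
    return pow(message_digest(msg), private_exp, N)


def verify(msg: bytes, signature: int, public_exp: int = E) -> bool:
    """Anyone with the public key checks that the signature opens to the message digest."""
    return pow(signature, public_exp, N) == message_digest(msg)


def encrypt(m: int, public_exp: int = E) -> int:
    return pow(m, public_exp, N)      # public key encrypts ...


def decrypt(c: int, private_exp: int = D) -> int:
    return pow(c, private_exp, N)     # ... private key decrypts


def demo():
    order = b"Transfer 1,000 to account 42"     # constructed message
    sig = sign(order)
    session_key = 0x1F2E3D4C5B6A                 # constructed symmetric key to be wrapped
    return {
        "genuine_verifies": verify(order, sig),
        "tampered_fails": verify(b"Transfer 9,000 to account 42", sig),
        "wrapped_key_roundtrip": decrypt(encrypt(session_key)) == session_key,
    }


if __name__ == "__main__":
    print(demo())
```

The signature is what gives the sender no way to deny the order later: it could only have been produced with the private exponent, and any change to the message changes the digest it must open to. The round trip of the session key is the usual division of labour the notes describe, asymmetric cryptography protecting the transmission of a symmetric key that then carries the bulk data.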