1. Extending the time frame for audit and delaying the go-live date is unlikely to be acceptable
where system involved is business-critical
2. Delay to go-live date must be decision of business management, not the IS auditor
3. Failure to obtain sufficient evidence in one part of an audit engagement does not justify
cancelling or postponing the whole audit->doing so would violate the audit guideline on due
professional care; report the scope limitation for that part instead
4. Report when you find there are some policies that have not been approved by management
5. It is critical for the EA to include the future state because the gap between the current state
and the future state will determine IT strategic and tactical plans. If the EA does not include
a future-state representation, it is not complete, and this issue should be reported as a
finding
6. Primary requirement that a data mining and auditing software tool should meet is to
accurately capture data from organization’s systems without causing excessive performance
problems
7. Continuous auditing enables a real-time feed of information to management through
automated reporting processes so that management may implement corrective actions more
quickly
8. Detection risk: chance that the auditor's procedures fail to find a material misstatement
that exists in an entity's financial statements
9. Audit risk: risk that the auditor issues an inappropriate (unqualified) opinion on financial
statements that are materially misstated; audit risk = inherent risk x control risk x detection
risk (you want to keep audit risk low)
10. Control risk: probability that financial statements are materially misstated due to failures in
the system of controls used by a business
11. Inherent risk: risk posed by an error or omission in a financial statement due to a factor
other than failure of internal control (the risk before any controls are considered)
12. Detection risk is directly affected by the IS auditor's selection of audit procedures and
techniques
13. Usually executive management is not required to approve the audit plan->typically approved
by audit committee or board of directors
14. Performing a risk assessment is the most critical step in audit planning
15. Service level agreement is a contract between a service provider and its internal or external
customers that documents what services the provider will furnish and defines the service
standards the provider is obligated to meet
16. Security Assertion Markup Language (SAML): XML-based open standard for exchanging
authentication and authorization data between parties, in particular between an identity
provider and a service provider
17. Audit charter (also known as terms of reference): formal document that defines internal
audit's purpose, authority, responsibility and position within an organization
18. Audit charter will state the authority and reporting requirements for the audit but not the
details of maintenance of internal control
19. Attribute sampling: primary sampling method used for compliance testing ->used to
estimate the rate of occurrence of a specific quality in a population and is used in
compliance testing to confirm whether the quality exists
20. Variable sampling: estimates a numerical quantity of the population (e.g. total dollar value)
from the mean of a sample drawn from the entire population, using the characteristics of that
population
21. Stratified mean sampling: ensure the entire population is represented in the sample; divides
the population into separate groups->then a probability sample is drawn from each group
22. Difference estimation sampling: measure deviations and extraordinary items->not a good
way to measure compliance
23. Q A1-18
24. How to impair the independence of an IS auditor? Implement specific functionality during
the development of an application
QA1-23
23. Control design testing: assess whether control is structured to meet specific control
objective
24. Assessment of risk should be made to provide reasonable assurance that the audit will
cover material items
25. A1-26
27. A129
A130. For risk analysis, after threats and potential impacts have been identified->identify and
evaluate the existence and effectiveness of existing and planned controls
A131. Evidence obtained from independent third parties is generally more reliable than
assurance provided by local management
A133. Observation and interviews are good for evaluating segregation of duties->observing
staff identifies whether they are performing any incompatible operations, and interviewing IT
staff gives the auditor an overview of the tasks performed
A134. Disaster recovery planning process: documented process to execute an organization’s
disaster recovery processes and recover and protect business IT infrastructure
A135. When performing an investigation to capture evidence which may be used for legal
purposes, maintaining integrity of evidence should be the foremost goal
A138. Independent test performed by IS auditor is more reliable than confirmation letter
from third party because the letter is result of an analysis and may not be based on
authoritative audit techniques
A139. Organizational chart provides information about responsibilities and authority of
individuals->proper segregation of functions
A140.How to test the effectiveness of the control?sample of system-generated report with
evidence that reviewer followed up on exception represents best possible evidence of
effective operation of control->documented evidence that reviewer has reviewed and taken
actions
A141.Integrated test facility: process test transactions simultaneously with live input; adv:
periodic testing does not require separate test processes; test data must be isolated from
production data
A142. Attribute sampling is most effective in determining whether PO issued to vendors
have been authorized as per the authorization matrix->an item being sampled either will or
won’t possess certain qualities or attributes
A143. Preparing simulated transactions for processing and compare results to
predetermined results is the best method
A144
A146. Stop or go sampling: evaluation of each sample taken from a population to see if it
fits a desired conclusion->stops evaluating samples as soon as there is sufficient support for
the conclusion
Classical variable sampling: associated with dollar amounts; the sample is a representative
sample of the population but it is not focused on fraud
Discovery sampling: use of sample to determine whether a percentage error does not
exceed a designated percentage of population->if sample does not contain error, actual
error rate is assumed to be lower than minimum unacceptable rate
Probability proportional to size sampling: associated with cluster sampling when there are
groups within a sample
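The sampling notes above (items 19-22 and A146) give the definitions; as an added example that is not part of these notes, the Python below turns them into calculations: the discovery-sampling size formula n = ln(1 - c) / ln(1 - p), the normal-approximation planning formula for attribute sampling, a one-sided upper bound on the observed deviation rate, and a zero-deviation stop-or-go plan that halts as soon as the evidence supports or refutes the conclusion. It also shows why a lower confidence level gives a smaller sample. The purchase-order population, the 20-item step and the seed are constructed for the demonstration.

```python
"""Audit sampling helpers: attribute, discovery and stop-or-go sampling.
Added example for these study notes; the population below is constructed."""
import math
import random
from statistics import NormalDist


def z_one_sided(confidence: float) -> float:
    """Upper one-sided standard-normal quantile, e.g. 0.95 -> 1.645, 0.90 -> 1.282."""
    return NormalDist().inv_cdf(confidence)


def attribute_sample_size(expected_rate: float, tolerable_rate: float, confidence: float) -> int:
    """Planning formula for attribute sampling (normal approximation to the binomial):
    n = z^2 * p * (1 - p) / (T - p)^2, where p is the expected deviation rate, T the
    tolerable rate and T - p the precision the auditor needs."""
    if not 0.0 <= expected_rate < tolerable_rate < 1.0:
        raise ValueError("need 0 <= expected_rate < tolerable_rate < 1")
    z = z_one_sided(confidence)
    precision = tolerable_rate - expected_rate
    return math.ceil(z * z * expected_rate * (1.0 - expected_rate) / precision ** 2)


def discovery_sample_size(critical_rate: float, confidence: float) -> int:
    """Discovery sampling: smallest n such that, if the true deviation rate were
    critical_rate, a sample of n would contain at least one deviation with probability
    >= confidence.  P(no deviation) = (1 - p)^n <= 1 - c  =>  n >= ln(1 - c) / ln(1 - p)."""
    if not 0.0 < critical_rate < 1.0 or not 0.0 < confidence < 1.0:
        raise ValueError("rates and confidence must lie strictly between 0 and 1")
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - critical_rate))


def upper_deviation_rate(deviations: int, n: int, confidence: float) -> float:
    """One-sided upper bound on the population deviation rate from a sample result
    (normal approximation); compare it with the tolerable rate to conclude on compliance."""
    rate = deviations / n
    return rate + z_one_sided(confidence) * math.sqrt(rate * (1.0 - rate) / n)


def stop_or_go(population, has_deviation, critical_rate, confidence, step, seed=7):
    """Zero-deviation stop-or-go plan: draw `step` items at a time and stop as soon as
    the evidence supports the conclusion (enough deviation-free items) or refutes it
    (a deviation turned up, so the auditor must extend testing instead)."""
    target = discovery_sample_size(critical_rate, confidence)
    rng = random.Random(seed)                          # constructed: fixed seed for repeatability
    order = rng.sample(population, len(population))    # random draw order, no replacement
    examined = deviations = 0
    while examined < len(order):
        batch = order[examined:examined + step]
        examined += len(batch)
        deviations += sum(1 for item in batch if has_deviation(item))
        if deviations:
            return {"examined": examined, "deviations": deviations, "supported": False}
        if examined >= target:
            return {"examined": examined, "deviations": 0, "supported": True}
    return {"examined": examined, "deviations": deviations, "supported": deviations == 0}


def build_purchase_orders(size: int, unauthorized_every: int):
    """Constructed population: purchase orders; every `unauthorized_every`-th one lacks
    a valid approver (0 means all are authorized)."""
    return [{"po": f"PO-{i:05d}",
             "authorized": not (unauthorized_every and i % unauthorized_every == 0)}
            for i in range(1, size + 1)]


def not_authorized(po) -> bool:
    """The attribute being tested: was the PO issued without authorization?"""
    return not po["authorized"]


if __name__ == "__main__":
    print("attribute n (p=2%, T=6%):", attribute_sample_size(0.02, 0.06, 0.95), "at 95%,",
          attribute_sample_size(0.02, 0.06, 0.90), "at 90%")
    print("discovery n (p=5%):", discovery_sample_size(0.05, 0.95), "at 95%")
    clean = build_purchase_orders(1000, 0)
    sloppy = build_purchase_orders(1000, 33)
    print("stop-or-go, clean population:", stop_or_go(clean, not_authorized, 0.05, 0.95, 20))
    print("stop-or-go, ~3% unauthorized:", stop_or_go(sloppy, not_authorized, 0.05, 0.95, 20))
```

With a 5% critical rate the discovery formula gives 59 items at 95% confidence but only 45 at 90%, and the attribute formula drops from 34 to 21 for the same change; that is the "strong controls -> lower confidence coefficient -> smaller sample" relationship in numbers. The stop-or-go run on the clean population stops after 60 items (three batches of 20 clear the 59-item target); on the population with unauthorized orders it stops at the first batch containing one, which is the point at which the auditor extends testing rather than concluding.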
A147
A148. Role of auditor is to inform management clearly about the risk
A153. To ensure an org is complying with privacy requirements, first address legal and
regulatory requirements
To comply with legal and regulatory requirements, the org needs to adopt the appropriate
infrastructure
After understanding the legal and regulatory requirements, evaluate whether organizational
policies, standards and procedures address the privacy requirements, then review adherence
to those specific policies, standards and procedures
A155. In the planning stage of IS audit, primary goal is to address audit objectives
A157. Substantive test includes gathering evidence to evaluate integrity (completeness,
accuracy, validity) of individual transactions, data or other information
A160. IS auditor should not recommend a specific vendor->this compromises auditor’s
professional independence
A161. Primary reason to perform functional walk-through during preliminary phase of audit
assignment: understand business process-> develop risk assessment
A162
A163. Primary purpose for meeting with auditees prior to formally closing a review is to gain
agreement on findings
A164. Test data runs: verify processing of preselected transactions
Code review: determine whether the code follows coding standards or contains potential
errors or inefficient statements; can be used as a means of code comparison but is inefficient
and unlikely to detect changes in code
Automated code comparison: compare two versions of the same program->determine whether
the two correspond->can detect unauthorized program changes
A167. IS auditor’s manager may recommend what should be included but should not
influence the content of the report
IS auditor should make final decision about what to include or exclude
Audit trail: system that traces the detailed transactions relating to any item in an accounting
record
A171. Steps to evaluate logical access control: obtain understanding of security risk to
information processing->documentation and evaluation to assess adequacy, efficiency and
effectiveness of control->test the access path to determine if they are functional->evaluate
security environment in relation to written policies and practices
A172. What an IS audit charter should include: role of the IS audit function, describing its
overall authority, scope and responsibilities, and the objectives and scope of the audit function
What an IS audit charter should not include: objectives and scope of an individual IS audit
engagement
A173. Computer-assisted audit techniques (CAATs): review entire invoice file to look for
those items that meet the selection criteria
Integrated test facility (ITF): test transactions through production systems, but would not
compare records to identify duplicates
A174. Identification of assets to be protected is the first step in development of risk
management program
A175. System log analysis: identifies changes and activity on a system, but would not identify
whether a change was authorized unless conducted as part of a compliance test
Compliance testing: verifies the change management process has been applied (evaluates
the existence of a trail of documentary evidence for each change)
Forensic analysis: for criminal investigation
Analytical review: assesses the general control environment of an organization
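Items A164 and A175 above separate two things: an automated code comparison shows that a program changed, and only a compliance test (matching each change to an approved change record) shows whether the change was authorized. As an added example that is not part of these notes, the Python below does both: it fingerprints two versions of a small program library with SHA-256, classifies the differences, reconciles each one against a change-ticket list that records the hash of the approved version, and produces a line diff for the working papers. The program sources, the ticket record and the manifest format are all constructed assumptions.

```python
"""Automated code comparison plus a compliance test against approved change records.
Added example for these notes; the program library contents and the change record
are constructed, and the hash-in-the-ticket convention is an assumption."""
import difflib
import hashlib

# Constructed: last approved production copies of three (simplified) programs.
BASELINE_LIBRARY = {
    "calc_tax.py": b"RATE = 0.20\n\ndef tax(amount):\n    return round(amount * RATE, 2)\n",
    "payroll.py": b"from calc_tax import tax\n\ndef net(gross):\n    return gross - tax(gross)\n",
    "report.py": b"def heading():\n    return 'Payroll run'\n",
}

# Constructed: what is in the production library today.  report.py changed under an
# approved ticket; calc_tax.py was altered with no ticket; backdoor.py is new.
CURRENT_LIBRARY = {
    "calc_tax.py": b"RATE = 0.18\n\ndef tax(amount):\n    return round(amount * RATE, 2)\n",
    "payroll.py": BASELINE_LIBRARY["payroll.py"],
    "report.py": b"def heading():\n    return 'Payroll run (v2)'\n",
    "backdoor.py": b"def skip_approval(po):\n    po['authorized'] = True\n",
}


def digest(data: bytes) -> str:
    """SHA-256 of a program's source: the fingerprint the comparison is built on."""
    return hashlib.sha256(data).hexdigest()


# Constructed approved change record: the ticket records the hash of the version that
# was reviewed and approved for release, so the compliance test can match on content.
APPROVED_CHANGES = [
    {"ticket": "CHG-1042", "file": "report.py",
     "new_sha256": digest(CURRENT_LIBRARY["report.py"])},
]


def compare_libraries(baseline: dict, current: dict) -> dict:
    """Automated code comparison: every file whose content differs between the two
    versions, classified as added / removed / modified."""
    changes = {}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            changes[name] = "added"
        elif name not in current:
            changes[name] = "removed"
        elif digest(baseline[name]) != digest(current[name]):
            changes[name] = "modified"
    return changes


def reconcile_with_change_records(changes: dict, current: dict, approved: list) -> list:
    """Compliance test over the detected changes: each must trace to an approved change
    record, and the content now in production must be the content that was approved.
    Returns (file, status, reason) findings; an empty list means every change was authorized."""
    by_file = {rec["file"]: rec for rec in approved}
    findings = []
    for name, status in changes.items():
        rec = by_file.get(name)
        if rec is None:
            findings.append((name, status, "no approved change record"))
        elif status != "removed" and rec["new_sha256"] != digest(current[name]):
            findings.append((name, status,
                             f"content differs from version approved in {rec['ticket']}"))
    return findings


def source_diff(baseline: dict, current: dict, name: str) -> str:
    """Line-level diff of one program, for the auditor's working papers."""
    old = baseline.get(name, b"").decode().splitlines(keepends=True)
    new = current.get(name, b"").decode().splitlines(keepends=True)
    return "".join(difflib.unified_diff(old, new,
                                        fromfile=f"baseline/{name}", tofile=f"current/{name}"))


if __name__ == "__main__":
    changes = compare_libraries(BASELINE_LIBRARY, CURRENT_LIBRARY)
    for name, status, reason in reconcile_with_change_records(changes, CURRENT_LIBRARY,
                                                               APPROVED_CHANGES):
        print(f"FINDING {name}: {status}, {reason}")
        print(source_diff(BASELINE_LIBRARY, CURRENT_LIBRARY, name))
```

Run as-is, report.py is detected as modified but produces no finding because its hash matches the approved ticket; calc_tax.py (rate silently lowered) and backdoor.py (new program with no ticket) are reported. A second failure mode the reconciliation catches is a file that has a ticket but whose production content is not what was approved, which is the case where an approved change was used as cover for an extra edit.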
A177. Rebooting the system during an investigation may change the system state and lose
files and volatile evidence
A179. Forensic audit: systematic collection and analysis of evidence after a system
irregularity
A181. Integrated test facility: ensure test data are isolated from production data
A182. Overriding of computer processing jobs by computer operators->unauthorized
changes to data or programs
A183
A186. Auditor is not authorized to shut the system down but the manager is
A187.objective to discuss audit finding: confirm findings, propose course of corrective action
*based on this discussion, finalize report and present report after findings are confirmed
A188
A190.Computer-aided software engineering (CASE) : assist in software development
Embedded data collection software such as system control audit review file or systems
audit review file: used to provide sampling and production statistics but not to conduct an
audit log analysis
Trend/ variance detection tools: look for anomalies in user or system behavior such as
invoices with increasing invoice number
Heuristic scanning tools: type of virus scanning used to indicate possible infected traffic
A192. Introduce automated monitoring and auditing solution can help to discover
unnecessary or overlapping key controls as all key controls need to be clearly aligned for
systematic implementation
Integrated test facility only test accuracy
A193.validity check: verify required format eg. Not using a dictionary word
A194. Transferring risk eg. Taking an insurance policy->way to share risk
A195. Control self-assessment helps to identify high-risk areas that might need a detailed
review later
A196.Audit universe: IT strategic plan, organizational structure and authorization matrix
A101. Reperformance: evaluate operating effectiveness of control rather than design of
control
Walk-through: combination of inquiry and inspection of evidence with respect to business
process control->most effective basis for evaluation of design of control as it actually exists
A102. Risk assessment helps to focus the audit procedures on highest risk areas included in
scope of audit
A103. Substantive testing: obtain audit evidence on completeness, accuracy, existence of
data ->compare data in application to the base document
-example: conduct bank confirmation to test ending cash balance, observe period-end
counting of inventory, contact lenders to confirm loan balances are correct
Compliance testing: test control designed to obtain audit evidence on both effectiveness of
control and operation
-example: verify configuration of router for controls, review system access right, review of
firewall settings, review compliance with password policy
A1106
A1108: project management is the most important skill needed
A110.* Residual risk: remaining risk after management has implemented a risk response
Compliance risk: penalty applied to current and future earnings for nonconformance to laws
and regulations
A113. Walk-through follows the manual log review process from start to finish to gain a
thorough understanding of overall process and identify potential control weaknesses
A115. Lack of adequate controls represents a vulnerability, exposing sensitive information
and data to risk of malicious damage, attack->result in loss of sensitive information, financial
loss, legal penalties or other losses
A1119. When internal controls are strong->lower confidence coefficient ->smaller sample
size
A1121. Dual control requires two people to carry out an operation; observation helps to
ascertain whether two individuals actually get involved in executing the operation and an
element of oversight exists
Re-performing a wire transfer at the bank would not be an option
A1124. IS audit charter does not dictate the reporting requirement of IS audit department
A1125. The e-commerce application enables the execution of business transactions-
>important to understand the nature and criticality of business process supported by e-
commerce application to identify specific controls to review
A1126.evaluate organizational structure only give a limited view on allocation of IT
responsibilities and the responsibilities may have changed over time
A1127.Directive control: manual control consists of policy or procedure that specifies what
actions are to be performed
A1128. Any weakness noticed should be reported, even if it is outside the scope of the current
audit, but the auditor need not extend the audit to review it
A1129
A1130.Re-performance is most effective to ensure effectiveness of controls ->when same
result is obtained after performance by an independent person, this provides the strongest
assurance
A1137. Control self assessment: emphasizes management of and accountability for
developing and monitoring the controls of an organization’s business processes
->attributes: empowered employees, continuous improvement, extensive employee
participation and training->all represent broad stakeholder involvement
A1140. Generalized audit software: data analytic tool used to filter large amounts of data
Integrated test facility: test the processing of the data, cannot be used to monitor real-time
transactions
Regression test: test new versions of software to ensure previous changes and functionality
are not inadvertently overwritten or disabled by new changes
A1141.
A1142. Primary objective of control self assessment: leverage internal audit function by
shifting some of the control monitoring responsibilities to functional area line managers-
>depends on degree to which line managers assume responsibility for controls->enable line
managers to detect and respond to control errors promptly
A1143. Table lookups are preventive controls-> input data are checked against predefined
tables which prevent any undefined data to be entered
Domain 2
1. Mandatory vacations help ensure irregularities and fraud are detected, because someone
else must perform the absent employee's duties
2. Software capability maturity model (CMM):
Level 1 Initial: ad hoc, unpredictable process
Level 2 Repeatable: basic project management in place
Level 3 Defined: documented, standardized process, tailored to specific projects
Level 4 Managed: quantitative quality goals, process measured
Level 5 Optimizing: continuous process improvement
3. *Primary consideration when reviewing prioritization and coordination of IT projects and
program management: projects are aligned with organization’s strategy
4. On employee termination, completing the termination checklist (revoking access, returning
assets) is more crucial than the non-disclosure agreement
5. *IT governance implementation: determine stakeholder requirements and involvement-
>based on this, assurance scope and objectives would be determined
6. Secondary employment: having two jobs
7. Position of security administrator is a staff-level position but not management->would
not have authority to approve the policy
8. *Primary risk of business process reengineering (BPR): controls are eliminated as part of
reengineering effort
11. data retention policy is important when auditing the archiving of company’s email
communications
12.* by evaluating an org's development projects against CMM, the auditor determines whether
the development organization follows a stable, predictable software development process
CMM: won't evaluate technical matters e.g. programming efficiency
Won't evaluate security requirements or other application controls
13.* enterprise architecture: primary goal is to ensure technology investment are consistent
with platform, data and development standards of IT organization->goal is to help
organization to implement technology that is most effective
14.*Software escrow: legal agreement between a software vendor and a customer to guarantee
access to the source code->the application source code is held by a trusted third party->the
agreement protects the customer if the software vendor goes out of business->used to protect
the intellectual property of software developed by one organization and sold to another
organization
*not used for software being reviewed by an auditor of the organization that wrote the software
16. Reciprocal agreement: two organizations agree to provide computing resources to each
other in the event of a disaster is a form of risk mitigation->works well if both organizations
have similar information processing facilities
Risk avoidance: example: stop accepting credit card payment to avoid risk of credit card
information disclosure
Risk acceptance: accept the risk and do nothing
17.* interruption window: amount of time which organization is unable to maintain
operations from point of failure to the time that critical services are restored
Recovery time objective (RTO): based on acceptable downtime in the case of a disruption of
operations
The Service delivery objective (SDO): directly related to business needs->level of services to
be reached during the alternate process mode until normal situation is restored
The recovery point objective (RPO): based on acceptable data loss in the case of a
disruption of operations; defines the point in time to which it is necessary to recover the
data and quantifies the permissible amount of data loss in the case of an interruption
18. * Primary requirement to achieve business objective for quality management system
(QMS): continuous and measurable improvement of quality
19. * IT’s value delivery to business is driven by aligning IT with enterprise’s strategy
22. Check whether existing IT mechanisms in place that enable the organization and its
employees to comply with the policy
23. *approval of contracts is a business process and would be controlled through financial
process
24.vendor change control->monitored by IT management
Separation of duties within information’s processing environment->IT management
responsibility
Approve and monitor major projects ie status of IT plans and budgets->IT steering
committee
Liaising between IT department and end user->function of individual parties not a
committee responsibility
26. involve senior management in strategic plan to ensure the enterprise meets its goal and
objectives
28.* Responsibilities:
-senior management: establish acceptable risk level because they have ultimate or final
responsibility for effective and efficient operation of organization
-Chief security officer (CSO): responsible for enforcing the decision of senior management
team
35. A LAN admin may have end-user responsibilities but should not have programming
responsibilities
36. DR services can only be expected from a vendor when explicitly listed in the contract with
well-defined recovery time objectives (RTO) and recovery point objectives (RPO)->without the
contractual language, the vendor is not required to provide DR services
40.integration of IT and business personnel is an operational issue and should be considered
while reviewing short-range plan
46.A person with both security and programming rights could do almost anything on a
system->creates a problem of separation of duties
49.
53. basis for access control authorization should be included in organization’s information
security policy
54.
55.
56.
58. when an IT security baseline has been defined, an IS auditor should first ensure
sufficiency of control baseline to meet security requirement
61. security policy statement: reflects the intent and support provided by executive
management for proper security and establishes a starting point for developing the security
program
63. *Most important stakeholder in terms of developing a business continuity plan (BCP):
process owner-identify critical business functions, recovery times and resources needed
*BOD usually approve the plan but not involved in details of developing
66. *Capability Maturity Model (CMM) : methodology used to develop and refine an
organization’s software development process, measures the maturity of IT processes from
level 0 to level 5
68.* risk management process: making specific, security-related decisions such as level of
acceptable risk
71. it is important to conduct periodic audit review to ensure the terms of contract are
adhered to after the contract is signed
Lack of adequate security controls represents a vulnerability, exposing sensitive info and
data to risk of malicious damage, attack or unauthorized access by hackers
-value delivery: provide standard set of security practices, effectiveness and efficiency of
solutions
-risk management
-performance measurement
76. Business objectives drive information security policy->information security policy drives
selection of IT department objectives
78. *risk acceptance levels are set by senior management not by IT management
79. it is possible that not all of the critical IT assets and projects will have recently been
audited and there may not be a sufficient assessment of strategic IT risk
82. cross-training: training more than one individual to perform a specific job or procedure
Lack of segregation of duties: the IS auditor would expect to find that a person has higher
levels of access than would be ideal
85. *Business impact analysis (BIA)->business continuity strategy(identify the best way to
recover)->test and exercise plan
86. primary focus when reviewing the development of information security policies: strike a
balance between business and security requirements
Business impact analysis (BIA): calculate impact on business in the event of an incident that
affects business operations
IT balance scorecard (BSC): provides bridge between IT objectives and business objectives
91. Database activity logs record the actions performed by the database administrator (DBA)-
>deleting (or otherwise maintaining) those logs should be performed by someone other than
the DBA->compensating control to help ensure an appropriate segregation of duties
Job duties of database administrator: define backup and recovery procedures, monitor
database usage, implement database optimization tools
94.* first step to determine if IS auditor has been assigned to review IT structures and
activities recently outsourced to various providers: ensure contracts support the business
95. *IT balance scorecard (BSC) is a tool that provides bridge between IT objectives and
business objectives by supplementing the traditional financial evaluation with measures to
evaluate customer satisfaction ,internal process and ability to innovate->measure the
success of IT investment and strategy
96. outsourcing contract cannot be expected to cover every action and detail expected of
the parties involved, but should cover business requirements
101.* if a business case was not established, it is likely the business rationale, risk and risk
mitigation strategies for outsourcing the application development were not fully evaluated
and the appropriate information was not provided to senior management for formal approval
Lack of change management procedures may present a risk especially with the possibility of
extraordinary charges for any required changes
103.
Measures of security risk should not be limited to network risk but rather focus on those
areas with the highest criticality so as to achieve maximum risk reduction at the lowest
possible cost
107. most important element of SLA: measurable terms of performance eg. Uptime
agreements
-things will be included in the master agreement: payment terms, indemnification clause
*governance is applied through use of good practices but this is not the objective of
corporate governance
109. after you understand the organization’s threat, vulnerability and risk profile you are
able to understand risk exposure and potential consequences of compromise
110.*Value delivery
Goal: provide strategic direction, ensure objectives are achieved, risk is managed
appropriately
114. Responsibility for:
-User application and other software testing and evaluation: staff assigned to development
and maintenance
-Granting and revoking access to IT resources: system, network or database administrators
-Approval of access to data and applications: data and application owners
115. executive sponsor would be the most critical success factor for developing a formal
enterprise security program
118.* Prioritization of projects on the basis of expected benefit to business and related risk is
best measure for achieving alignment of project portfolio to an organization’s strategic
priorities
120.
121. test results not being adequately documented is a major concern for IS auditor
reviewing a business continuity plan
123. organizational data governance practices should be put in place to solve the problem of
two departments using different product definitions
Compliance with organizational security policies is important but there is no way to verify or
prove that that is the case
126. effort should be consolidated to ensure alignment with overall strategy of postmerger
organization->if resource allocation is not centralized, separate projects are at risk of
overestimating the availability of key knowledge resources for in-house developed legacy
applications
128. overall quantitative business risk for a particular threat= product of the likelihood and
magnitude of the impact should a threat(not a threat source) successfully exploit a
vulnerability
*it is not possible to exercise all possible disaster scenarios and ensure all residual risk is
addressed
132. most important element in any business continuity process is protection of human life
133.Types of insurance:
-review results from previous test: comparing them to standards will give some assurance but
will not reveal anything about the plan's effectiveness
135. *interview key stakeholders to evaluate how well they understand their roles and
responsibilities->when all stakeholders have detailed understanding of their roles and
responsibilities in the event of disaster, can deem the business continuity plan to be clear
and simple
136.
138. the business continuity plan should be reviewed every time a risk assessment is
completed for the organization
139.*integrating the BCP into the development process ensures complete coverage of the
requirements through each phase of the project
140.*
141.*the initiation of a business continuity plan should primarily be based on the maximum
period for which a business function can be disrupted before the disruption threatens the
achievement of organizational objectives
145.** full-scale test: should not be the first time the plan is actually exercised; if it is, a lot of
resources and time would be wasted on problems a walk-through would have caught
Walk-through test: basic type of testing->intention is to make key staff familiar with the plan
and discuss critical plan elements
47. correction of code is not responsibility of quality assurance because it would not ensure
segregation of duties and would impair team’s independence
Deskcheck testing: requires least effort->ensure plan is up to date and promote familiarity of
BCP to critical personnel from all areas
152.
*regression test is not a disaster recovery plan and is used in software development and
maintenance
-address technological aspect of business continuity planning that focuses on IT systems and
operations
158. the cost of ongoing operations when a disaster recovery plan (DRP) is in place,
compared to not having a disaster recovery plan will most likely increase because there will
be additional cost of testing
Paper test-walk through of entire BCP or part, reason out what may happen in a particular
disaster
System test-integrated test used to test a new IT system-not appropriate for BCP
162. after identifying the critical business processes should be addressed first so that risk
163.
Domain 3
1. User management should review and approve system deliverables as they are defined
and accomplished to ensure the successful completion and implementation of a new
business system application
Earned value analysis-measure project’s progress at any given point in time, forecasting its
completion date and final cost (do not prioritize task)
Program evaluation and review technique (PERT): analyzes the time needed to complete each
task and identifies the minimum time needed to complete the total project; based on
estimating the time of each project activity under three scenarios (pessimistic, optimistic,
most likely)->the time line is calculated by a predefined weighted formula and identifies the
critical path, i.e. the sequence of key activities that must be prioritized because any delay
on it delays the whole project
3.
4.
Also, a parallel run (operating the old and new systems at the same time) allows application
developers and administrators to run operational tasks on both so as to ensure the new system
is reliable before unplugging the old system
7.
11. server configuration hardening is important to patch known vulnerabilities and to disable
all non-required functions before production
*because the VMs are only used in a development environment and not in production, it may
not be necessary to include them in the disaster recovery plan
12. UAT should be performed prior to implementation (during the development phase)
13. maximise the usefulness of testing by concentrating on the most important aspects of
the system and on the areas where defects represent the greatest risk to user acceptance
Vouching-
13.
*compliance with security standards is essential but too early in the procurement process
18. software as a service: software licensing and delivery model in which software is licensed
on subscription basis and is centrally hosted
*provisioned on a usage basis and the number of users is monitored by the SaaS provider->
little risk of noncompliance with software license agreements
*cost should be fixed part of service contract and considered in business case presented to
management for approval of the solution
*open design and internet connectivity allow most SaaS to run on virtually any type of
hardware
19. lack of adequate user involvement, especially in the system's requirements phase, will
result in a system that does not fully or adequately address the needs of the user
20.
*SaaS provider does not normally have onsite support for the organization
->*incident handling procedures between organization and its provider are critical for the
detection, communication and resolution of incidents, including effective lines of
communication and escalation processes
22. Reason for establishing a stop or freezing point on design of a new system:
23.* Prototyping: draft version of a product that allows you to explore your ideas and show
the intention behind a feature or the overall design concept to users before investing time
and money into development
*changes in requirement and design happen so quickly that they are seldom documented or
approved
27. a checksum calculated on an amount field and included in the electronic data interchange
message lets the receiver detect modification of the amount->integrity (note: a plain checksum
only catches accidental or unsophisticated changes, since anyone who can alter the field can
recompute it; a keyed MAC is needed against a deliberate attacker)
-nonrepudiation: the sender cannot deny having sent the transaction->ensured by using a
digital signature, not by a checksum or MAC
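As an added example that is not part of these notes, the Python below builds an EDI-style invoice record, protects the amount field first with a CRC32 checksum and then with an HMAC-SHA256 over the same fields, and runs a constructed in-transit tampering step against each. The record fields, the field-serialization order and the shared key are assumptions made for the demonstration. The point it shows: the checksum is recomputed by the tamperer and passes verification, while the keyed MAC fails because the tamperer has no key. Neither gives nonrepudiation, since the receiver holds the same key and could have produced the MAC itself; that needs an asymmetric digital signature, which is not part of this block.

```python
"""Checksum vs keyed MAC on an EDI amount field.
Added example for these notes; record, field order and key are constructed assumptions."""
import hashlib
import hmac
import zlib

# Assumption: a secret shared in advance between the two trading partners (constructed value).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed invoice record.  CHK / MAC are the protection fields added below.
INVOICE = {"DOC": "INV", "REF": "A1-027", "VENDOR": "V0042", "AMOUNT": "1000.00"}


def canonical(fields: dict) -> bytes:
    """Serialize the protected fields in a fixed order so sender and receiver hash the
    same bytes; the protection fields themselves are excluded."""
    return "|".join(f"{k}={fields[k]}" for k in sorted(fields)
                    if k not in ("CHK", "MAC")).encode()


def attach_checksum(fields: dict) -> dict:
    """Unkeyed integrity check: CRC32 over the canonical record."""
    out = dict(fields)
    out["CHK"] = f"{zlib.crc32(canonical(out)):08x}"
    return out


def verify_checksum(fields: dict) -> bool:
    return fields.get("CHK") == f"{zlib.crc32(canonical(fields)):08x}"


def attach_mac(fields: dict, key: bytes) -> dict:
    """Keyed integrity check: HMAC-SHA256 over the canonical record."""
    out = dict(fields)
    out["MAC"] = hmac.new(key, canonical(out), hashlib.sha256).hexdigest()
    return out


def verify_mac(fields: dict, key: bytes) -> bool:
    expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    # constant-time comparison so verification timing does not leak how many bytes matched
    return hmac.compare_digest(fields.get("MAC", ""), expected)


def tamper_in_transit(fields: dict, new_amount: str) -> dict:
    """Constructed attacker who knows the message format but not the key: changes the
    amount and recomputes any unkeyed checksum present.  The MAC cannot be recomputed."""
    out = dict(fields)
    out["AMOUNT"] = new_amount
    if "CHK" in out:
        out["CHK"] = f"{zlib.crc32(canonical(out)):08x}"
    return out


if __name__ == "__main__":
    with_chk = attach_checksum(INVOICE)
    print("checksum verifies after tampering:", verify_checksum(tamper_in_transit(with_chk, "9000.00")))
    with_mac = attach_mac(INVOICE, SHARED_KEY)
    print("MAC verifies untouched:", verify_mac(with_mac, SHARED_KEY))
    print("MAC verifies after tampering:", verify_mac(tamper_in_transit(with_mac, "9000.00"), SHARED_KEY))
```

The checksum line prints True: the altered invoice for 9000.00 passes because the attacker simply recomputed the CRC. The MAC lines print True then False. For an audit test of an EDI control, the question to ask is therefore not "is there a checksum?" but "can the party who could alter the field also regenerate the check value?"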
29. *
33.
36. *
37.
Design freeze point: beyond this point, additional requirements or modifications to the scope must go through formal, strict procedures for approval based on a business cost-benefit analysis
Scope creep: continuous or uncontrolled growth in a project's scope, at any point after the project begins
40. review the application data flow diagram->understand the flow of data within the application and to other systems->enables the auditor to evaluate the design and effectiveness of the data integrity controls
41. request for proposal (RFP): document issued by an agency or company interested in procuring a commodity, service or valuable asset that solicits business proposals from potential suppliers through a bidding process
42.
Although standardization can reduce support costs, the transition to a standardized kit can be expensive->the overall level of IT infrastructure investment is not likely to be reduced
Data warehouse: copy of transaction data specifically structured for query and analysis
Metadata: describes the data in the warehouse and aims to provide a table of contents to
the stored information
45. stress testing (in the IS context): subjecting the system to workloads at or beyond its expected peak to find the point at which performance degrades or it fails (the same term in finance means simulating adverse scenarios against institutions or portfolios to gauge risk and the adequacy of assets, internal processes and controls)
*done in a test environment using live (production-like) workloads->ensures the system will operate effectively when moved into production
48.risk management is never-ending process, so project planning cannot wait until all risk
has been identified
-often leads to functions or extras being added to the system that were not originally
intended
Cons:-has poor internal controls because the focus is primarily on functionality, not on
security
Pros:-provide significant time and cost savings through better user interaction and ability to
rapidly adapt to changing requirements
-analyzes massive amounts of data, compiling comprehensive information that can be used
to solve problems and in decision-making
Parallel testing purpose: ensure the implementation of the new system will meet user requirements by comparing the results of the old system with those of the new system to ensure correct processing
56.
Bottom-up testing: the lowest-level modules are tested first, then the higher-level modules, integrating upward until the complete system is shown to work as intended
-testing begins with atomic units such as programs and modules and works upward until a complete system test has taken place
During requirements definition, the user acceptance test plan should be prepared->it defines precise objectives and functional needs
61. when a new system is to be implemented within a short time frame, it is most important to perform user acceptance testing->ensures the system to be implemented is working correctly
62. whenever proprietary application software is purchased, the contract should provide for a source code escrow agreement->ensures the purchasing company will have the opportunity to maintain or modify the software should the vendor cease to be in business
63.
Efficiency: relationship between the performance of the software and the amount of
resources
67. By combining quality assurance testing and user acceptance testing, users may apply pressure to accept a program that meets their needs even though it does not meet quality assurance standards
*** in reviewing proposed application, should ensure the products to be purchased are
compatible with the current or planned OS
70. expert system: in AI, it is a computer system that emulates decision making ability of a
human expert
Greatest benefit: capture and record of the knowledge and experience of individuals in an
organization->allow other users to access information formerly held only by experts
71.
73*
77. hash total: numerical sum of one or more fields in a file, including fields not normally used in calculations, such as account numbers
When necessary, the hash total is recalculated and compared with the original; a mismatch indicates lost, added or altered records (compensating changes that leave the sum unchanged are not detected)
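Batch control totals (record count, amount total, hash total) as the notes on the amount-field checksum and the hash total describe them, with the two failure modes a reviewer should know: a compensating change that keeps every total intact, and a forger who can recompute an unkeyed check. This is an added example, not code from the source notes; the record layout, the account numbers and the shared secret are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is one line of a constructed EDI-style batch (hypothetical layout, not a real EDI standard).
type Record struct {
	Account string // account number: not an amount, but included in the hash total
	Amount  int64  // amount in cents
}

// Totals are the batch control totals the receiver recomputes and compares with the sender's.
type Totals struct {
	RecordCount int
	AmountTotal int64 // financial total over the amount field
	HashTotal   int64 // hash total: sum of the account-number field read as a number
}

// fieldAsNumber reads the digits of a field as an integer so it can be summed into a hash total.
func fieldAsNumber(s string) int64 {
	var n int64
	for _, r := range s {
		if r >= '0' && r <= '9' {
			n = n*10 + int64(r-'0')
		}
	}
	return n
}

// ControlTotals computes record count, amount total and hash total for a batch.
func ControlTotals(batch []Record) Totals {
	t := Totals{RecordCount: len(batch)}
	for _, r := range batch {
		t.AmountTotal += r.Amount
		t.HashTotal += fieldAsNumber(r.Account)
	}
	return t
}

// canonical is the byte serialisation that the digest and the MAC are computed over.
func canonical(batch []Record) string {
	var b strings.Builder
	for _, r := range batch {
		fmt.Fprintf(&b, "%s|%d\n", r.Account, r.Amount)
	}
	return b.String()
}

// BatchDigest is an unkeyed SHA-256 over the whole batch: it detects any change, but whoever
// can alter the batch can also recompute it.
func BatchDigest(batch []Record) string {
	sum := sha256.Sum256([]byte(canonical(batch)))
	return hex.EncodeToString(sum[:])
}

// BatchMAC is an HMAC-SHA256 under a key shared by sender and receiver: only a key holder can
// produce a valid value, so it also covers deliberate modification in transit.
func BatchMAC(key []byte, batch []Record) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(canonical(batch)))
	return hex.EncodeToString(m.Sum(nil))
}

// VerifyMAC compares in constant time so the comparison itself does not leak timing.
func VerifyMAC(key []byte, batch []Record, mac string) bool {
	return hmac.Equal([]byte(BatchMAC(key, batch)), []byte(mac))
}

func main() {
	key := []byte("constructed-shared-secret") // assumption: agreed out of band
	sent := []Record{{"1001", 5000}, {"2002", 7500}, {"3003", 1200}}
	// An altered amount: caught by the amount total.
	altered := []Record{{"1001", 5000}, {"2002", 9500}, {"3003", 1200}}
	// A compensating change: two account numbers edited so their sum is unchanged.
	// Count, amount total and hash total all still match, so only the digest or MAC catches it.
	swapped := []Record{{"1002", 5000}, {"2001", 7500}, {"3003", 1200}}

	fmt.Println("sent totals:   ", ControlTotals(sent))
	fmt.Println("altered totals:", ControlTotals(altered), "match:", ControlTotals(sent) == ControlTotals(altered))
	fmt.Println("swapped totals:", ControlTotals(swapped), "match:", ControlTotals(sent) == ControlTotals(swapped))
	fmt.Println("digest match:  ", BatchDigest(sent) == BatchDigest(swapped))
	fmt.Println("MAC verifies:  ", VerifyMAC(key, swapped, BatchMAC(key, sent)))
}
```

The point for an auditor: control totals are an accuracy and completeness control, not an authenticity control; when the question is "who could have changed this", the answer has to involve a key (MAC) or a private key (signature).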
Postimplementation review: evaluate how successfully the project results match original
goals, objectives and deliverables
-also evaluates how effective the project management practices were in keeping the project
on track
Management approval: based on reduced functionality and does not verify the system is
operating as designed
79. ***
Logging all customer orders in the ERP system->can detect inaccuracies after the fact but does not guarantee accurate processing
A hash total ensures accurate order transmission but not accurate central processing
82. both systems sending and receiving data must be reviewed because the output for one
system is the input for the other
83. physical control is important and may provide protection from unauthorized people
accessing the system but would not provide protection from unauthorized transactions by
authorized users
84.initial validation should confirm whether the card is valid->established through the card
number and personal identification number (PIN) entered by the user->ensure data entered
are valid
It is a prerequisite for the quality of the data in a data warehouse. Inaccurate source data
will corrupt the integrity of the data in the data warehouse
89. automated release management software can prevent unauthorized changes by moving
code into production without any manual intervention
90. when dealing with offshore operations, it is essential that detailed specifications be created->language differences and a lack of interaction between developers and physically remote users could create gaps in communication in which assumptions and modifications may not be adequately communicated
93. Timebox
-with timeboxing, the deadline is fixed, meaning that the scope would have to be reduced-
>organizations have to focus on completing the most important deliverables first,
timeboxing often goes hand-in-hand with a scheme for prioritizing of deliverables
94. waterfall model: breakdown of project activities into linear sequential phases, where
each phase depends on the deliverables of the previous one and corresponds to a
specialization of tasks
* is most appropriately used when requirements are well understood and are expected to
remain stable, as is the business environment in which the system will operate
96.
Enciphering the message digest with the sender's private key, which attaches the sender's digital signature to the document, helps in authenticating the source and integrity of the transaction but will not prevent duplicate processing (a replayed copy carries a valid signature; a sequence number or timestamp inside the signed data is needed for that)
100. top-down approach: ensure interface errors are detected early and that testing of
major functions is conducted early
Domain 5
1.*
4.
Virtual local area network (VLAN): controls traffic between different ports even though they are in the same physical local area network (LAN), but VLANs do not by themselves distinguish authorized from unauthorized traffic
6. global system for mobile communications (GSM) technology combined with the use of a virtual private network (VPN) is appropriate
Confidentiality is ensured by the use of encryption, and the use of a VPN signifies that an encrypted session is established
-GSM has multiple overlapping security features intended to prevent eavesdropping, session hijacking or unauthorized use of the GSM carrier network (caveat: GSM's own air-interface cipher is weak by current standards, so it is the VPN, not the carrier network, that actually protects confidentiality)
-does not allow any device to connect to the system unless all relevant security features are active and enabled
-other wireless technology, e.g., 802.11b wireless local area network (LAN)->designed to allow the user to adjust or even disable security settings
**since a GSM network is being used rather than a wireless LAN->it is not possible to configure settings for two-factor authentication over the wireless link
8.*
10. separate virtual local area network (VLAN) is the best solution because it ensures both
authorized and unauthorized users are prevented from gaining network access to database
servers, while allowing internet access to authorized users
11. **no practical control prevents the database administrator from accessing all data on the server (application-level encryption with keys held outside the DBA's control is the usual mitigation)
Database audit logs normally would not contain any confidential data->no need to encrypt the log files (caveat: confirm that statement-level logging does not capture data values)
When a database is opened, many of its configuration options are governed by initialization parameters->these parameters are usually held in a file that contains many settings->system initialization parameters address many global database settings, including authentication, remote access and other critical security areas
->to effectively audit a database implementation, the IS auditor must examine the database initialization parameters
13.
15. access to a switch port is not restricted->anyone can plug into the internal network->allows individuals to connect who were not authorized to be on the corporate network (controls: port-based network access control such as 802.1X, or disabling unused ports)
->segregation of duties
19. digital watermarking is used to protect intellectual property rights for document rather
than to protect the confidentiality of email
20.
22. **stateful inspection firewall ->screen all packets from wireless network into the
company network, however, the configuration of the firewall would need to be audited and
firewall compromises although unlikely are possible
23. Local area network (LAN): computer network that links devices within a building or group
of adjacent buildings, especially one with a radius of less than 1 km
25. port 80 must be open for the web application to work and port 443 for secure hypertext transfer protocol (HTTPS) to operate
Performing a web application security review is a necessary effort that would uncover security vulnerabilities that could be exploited by hackers
26.
Blind testing (black-box testing): the penetration tester is not given any information and is forced to rely on publicly available information
-simulates a real attack; the target organization knows the test is taking place (only the tester is "blind")
Targeted testing (white-box testing): the penetration tester is provided with information and the target organization is also aware of the testing activities
-in some cases the tester is provided with a limited-privilege account to be used as a starting point
Double-blind testing (zero-knowledge testing): the penetration tester is not given any information and the target organization is not given any warning; both parties are blind to the test
*best scenario for testing response capability because the target will react as if the attack were real
External testing: an external penetration tester launches attacks on the target's network perimeter from outside the target network (typically from the internet)
27. *segregate (separate) the voice-over internet protocol (VoIP) traffic using virtual local
area networks (VLANs) would best protect the VoIP infrastructure from network-based
attacks, potential eavesdropping and network traffic issues (which would help to ensure
uptime)
-use of packet buffers at VoIP endpoints is a method to maintain call quality, not a security
method
-encryption is used when VoIP calls use the internet (not the local LAN) for transport
because the assumption is that the physical security of the building as well as the Ethernet
switch and VLAN security is adequate
28. *
Data encryption standard (DES): susceptible to brute force attack and has been broken publicly->does not provide assurance that data encrypted using DES will be protected from unauthorized disclosure
Message digest 5 (MD5): algorithm used to generate a one-way hash of data (fixed-length value) to test and verify data integrity
-does not encrypt data but puts data through a mathematical process that cannot be reversed
-(caveat: MD5 collisions are practical, so it should not be relied on for integrity against an active attacker; use SHA-2 or SHA-3)
Advanced encryption standard (AES): provides the strongest encryption of all the choices listed and would provide the greatest assurance that data are protected
-recovering data encrypted with AES is considered computationally infeasible, so AES is the best choice for encrypting sensitive data
Secure Shell (SSH): used to establish a secure, encrypted command-line shell session, typically for remote logon
-although SSH encrypts data transmitted during a session, SSH cannot encrypt data at rest, including data on USB drives
Brute force attack: gain access to a site->tries various combinations of usernames and
passwords again and again until it gets in
-does not introduce any unique risk with respect to equipment failure and redundancy can
be used to address network failure (backup when a network fail)
-distributed denial of service (DDoS) attack would potentially disrupt the organization’s
ability to communicate among its office and have the highest impact
Toll fraud: someone compromises the phone system and makes unauthorized long distance
calls
Social engineering attack: it uses psychological manipulation to trick users into making
security mistakes or giving away sensitive information
31. content-filtering proxy server will effectively monitor user access to internet sites and
block access to unauthorized web sites
Reverse proxy server: allow secure remote connection to a corporate site not to control
employee web access
Firewall: block unauthorized inbound and outbound network traffic->some can be used to
block or allow access to certain sites but the term firewall is generic (there are many types of
firewalls, and this is not the best answer)
Client software utilities: can block inappropriate content (however, installing and
maintaining additional software on a large number of PCs is less effective than controlling
the access from a single, centralized proxy server
32. Common Gateway Interface (CGI): offers a standard protocol for web servers to execute programs that run like console applications on the server and generate web pages dynamically
Untested CGI programs can have security weaknesses that allow unauthorized access to private systems, because CGI programs are typically executed on publicly available internet servers
33. most significant risk would be if factory default passwords are not changed on critical
network equipment->allow anyone to change the configurations of network equipment
Encryption for communication links may not be appropriate due to cost and complexity
34. when reviewing third party agreement, most important with regard to privacy: return or
secure destruction of information at the end of the contract
-network and intrusion detection ->helpful when securing the data do not guarantee data
privacy stored at a third-party provider
-patch management process: secure servers and may prohibit unauthorized disclosure of
data , but does not affect privacy data
40. *voice-over internet protocol (VoIP) telephone systems use standard network cabling
and typically each telephone gets power over the network cable from the wiring closet
where the network switch is installed->if local area network switches do not have backup
power, the phones will lose power if there is a utility interruption and potentially not be able
to make emergency calls (lack of power protection)
Advantage of VoIP telephone system : use the same cable types and even network switches
as standard PC network connections
Password should not be shared but it is less important than ensuring the password files
are encrypted
There may be business requirements such as the use of contractors that requires them to
have system access
42. encrypting all outgoing email is expensive and is not common business practice
43.information asset owner: responsible for ensuring that specific information assets are
handled and managed appropriately->making sure information assets are properly
protected and their value is fully exploited
44. race condition: undesirable situation that occurs when a device or system attempts to perform two or more operations at the same time, but because of the nature of the device or system, the operations must be done in the proper sequence to be done correctly (classic case: a balance is checked and then debited, and a second request slips in between the check and the debit)
Buffer overflow: takes advantage of a defect in the way an application or system uses memory->by overloading the memory storage mechanism, the system will perform in unexpected ways
->organization should have a policy in place that directs employees to follow certain procedures when collecting evidence that may be used in a court of law
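The check-then-act race condition described under item 44, as an added example that is not part of the source notes: the first function replays the bad interleaving step by step so the outcome is reproducible, and the second runs the same withdrawals concurrently with the check and the debit held in one critical section. The account, amounts and balances are constructed.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// Account is a constructed balance holder; the mutex makes check-and-debit one atomic step.
type Account struct {
	mu      sync.Mutex
	balance int64
}

// UnsafeWithdrawSequence replays the classic check-then-act interleaving deterministically:
// both requests read the balance before either debit lands, so both pass the check.
func UnsafeWithdrawSequence(start, a, b int64) (final int64, okA, okB bool) {
	balance := start
	okA = balance >= a // request A checks
	okB = balance >= b // request B checks the same, not-yet-debited balance
	if okA {
		balance -= a // A debits
	}
	if okB {
		balance -= b // B debits: the account can now go negative
	}
	return balance, okA, okB
}

// Withdraw performs the check and the debit inside one critical section.
func (acct *Account) Withdraw(amt int64) bool {
	acct.mu.Lock()
	defer acct.mu.Unlock()
	if acct.balance < amt {
		return false
	}
	acct.balance -= amt
	return true
}

// Balance reads the balance under the same lock.
func (acct *Account) Balance() int64 {
	acct.mu.Lock()
	defer acct.mu.Unlock()
	return acct.balance
}

// ConcurrentWithdrawals fires every request on its own goroutine and reports how many
// succeeded and the final balance; with the lock the result is the same on every run.
func ConcurrentWithdrawals(start int64, amounts []int64) (successes int, final int64) {
	acct := &Account{balance: start}
	var wg sync.WaitGroup
	var ok int64
	for _, amt := range amounts {
		wg.Add(1)
		go func(amt int64) {
			defer wg.Done()
			if acct.Withdraw(amt) {
				atomic.AddInt64(&ok, 1)
			}
		}(amt)
	}
	wg.Wait()
	return int(ok), acct.Balance()
}

func main() {
	final, okA, okB := UnsafeWithdrawSequence(100, 80, 80)
	fmt.Printf("unsafe interleaving: approved=%v,%v final balance=%d\n", okA, okB, final)
	n, bal := ConcurrentWithdrawals(100, []int64{80, 80})
	fmt.Printf("locked: %d of 2 withdrawals succeeded, final balance=%d\n", n, bal)
}
```

The same pattern shows up as time-of-check/time-of-use bugs in file handling and as double-spend bugs in payment code; the fix is always to make the check and the action one indivisible step.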
46.Discretionary access control (DAC) : allows data owners to modify access, which is a
normal procedure in a low-risk application
47. Electromagnetic emissions:
Most emissions are low level and do not pose a significant health risk
48. logs provide evidence and track suspicious transactions and activities->access to security log files should be read-only
50.*data classification
-define access rules based on a need-to-do and need-to-know basis
->enrollment
54.segregation of duties: one individual should only capture and send their own message
and not verify their own message
55. first step in implementing access controls is: inventory of IS resources->basis for
establishing ownership and classification
**using two different products (e.g., from different vendors for two layers of defense)->so that the same attack or vulnerability would not defeat both
59. piggybacking: a person tags along with another person who is authorized to gain entry
into a restricted area or pass a certain checkpoint
Dumpster diving: salvaging from large commercial containers unused items discarded by
their owners
61. digital right management: access control technologies for restricting the use of
proprietary hardware and copyrighted work
Hashing vs encryption
Hashing: one-way, non-reversible; fixed-length output, smaller than the original message; verifies integrity but does not provide confidentiality
Encryption: reversible; output is roughly the same length as the original message; uses different keys (asymmetric) or the reverse process with the same key (symmetric) at the sending and receiving ends to encrypt and decrypt
65.* symmetric vs asymmetric encryption
SYM: uses a single key that needs to be shared among the people who need to receive the message
ASY: uses a pair of keys, a public key and a private key, to encrypt and decrypt messages; takes relatively more time
A hash is shorter than the original message->smaller overhead is required if the hash is encrypted (signed) rather than the message
The secret key used for symmetric encryption is generally small and is used to encrypt the user data (bulk data)
->there will be good general control such as scanning of USB for malware once they are
inserted in a computer
68. honeypot: computer security mechanism set to detect, deflect and counteract attempts
at unauthorized use of information system (attract someone to attack just like putting some
honey and bee will come)
A digital certificate certifies the ownership of a public key by the named subject of the
certificate
70. ping of death: sending a malformed or otherwise malicious ping whose reassembled size exceeds the maximum IP packet size of 65,535 bytes to a computer
Leapfrog attack: an attacker uses a user ID or password stolen in one attack to launch a separate attack on another system
73.teaching developers to write secure code is the best way to secure a web application
*encryption is not sufficient because other flaws in coding could compromise the application
and data
74. enterprisewide antivirus software is an important means to control the spread of viruses in an interconnected corporate network->provides a layered defense model that is more likely to detect malware
78. evidence is the most important->preservation of evidence->if data and evidence are not
collected properly, valuable information could be lost and would not be admissible
79. Three main accuracy measures are used for a biometric solution:
-False acceptance rate (FAR): share of impostors wrongly accepted
-False rejection rate (FRR): share of legitimate users wrongly rejected
-Crossover error rate (CER, also called equal error rate): the point where the false rejection rate equals the false acceptance rate; a lower CER means a more accurate system
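How FAR, FRR and the crossover error rate are actually derived from matcher output, as an added example rather than anything in the source notes: the score samples are constructed for a hypothetical matcher that accepts when the score reaches a threshold, the code sweeps every threshold at which the rates can change, finds the CER, and then shows what a zero-FAR (high-security) setting costs in false rejections.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Constructed matcher scores in [0,1] for a hypothetical biometric system: higher means a
// closer match. Genuine = the enrolled user presenting; impostor = someone else presenting.
var (
	genuineScores  = []float64{0.55, 0.62, 0.68, 0.71, 0.74, 0.78, 0.81, 0.85, 0.88, 0.93}
	impostorScores = []float64{0.10, 0.18, 0.25, 0.31, 0.38, 0.44, 0.52, 0.59, 0.65, 0.72}
)

// Decision rule used throughout: accept when score >= threshold.

// FRR is the false rejection rate: share of genuine attempts scoring below the threshold.
func FRR(genuine []float64, threshold float64) float64 {
	rejected := 0
	for _, s := range genuine {
		if s < threshold {
			rejected++
		}
	}
	return float64(rejected) / float64(len(genuine))
}

// FAR is the false acceptance rate: share of impostor attempts scoring at or above the threshold.
func FAR(impostor []float64, threshold float64) float64 {
	accepted := 0
	for _, s := range impostor {
		if s >= threshold {
			accepted++
		}
	}
	return float64(accepted) / float64(len(impostor))
}

// candidateThresholds returns every distinct observed score, sorted; the two rates only change there.
func candidateThresholds(genuine, impostor []float64) []float64 {
	seen := map[float64]bool{}
	var out []float64
	for _, s := range append(append([]float64{}, genuine...), impostor...) {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	sort.Float64s(out)
	return out
}

// CrossoverErrorRate sweeps the thresholds and returns the one where FAR and FRR are closest,
// together with the rate there (the CER, or equal error rate).
func CrossoverErrorRate(genuine, impostor []float64) (threshold, cer float64) {
	best := math.Inf(1)
	for _, t := range candidateThresholds(genuine, impostor) {
		far, frr := FAR(impostor, t), FRR(genuine, t)
		if gap := math.Abs(far - frr); gap < best {
			best, threshold, cer = gap, t, (far+frr)/2
		}
	}
	return threshold, cer
}

// ThresholdForFAR picks the lowest threshold whose FAR does not exceed maxFAR and reports the
// FRR that the tighter setting costs: the usual high-security tuning trade-off.
func ThresholdForFAR(genuine, impostor []float64, maxFAR float64) (threshold, far, frr float64) {
	for _, t := range candidateThresholds(genuine, impostor) {
		if f := FAR(impostor, t); f <= maxFAR {
			return t, f, FRR(genuine, t)
		}
	}
	return math.NaN(), math.NaN(), math.NaN()
}

func main() {
	thr, cer := CrossoverErrorRate(genuineScores, impostorScores)
	fmt.Printf("CER: threshold %.2f, FAR = FRR = %.2f\n", thr, cer)
	thr, far, frr := ThresholdForFAR(genuineScores, impostorScores, 0)
	fmt.Printf("zero-FAR setting: threshold %.2f, FAR %.2f, FRR %.2f\n", thr, far, frr)
}
```

When reviewing a vendor's CER claim, ask for the score distributions or the FAR/FRR curve it was read from; a single CER figure says nothing about how the system behaves at the threshold the organization will actually deploy.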
80.security level of private key system depends on encryption key bits(key length)->larger
number of bits, more difficult it would be to brute force the key
82.
84**
86. CA: maintains a directory of digital certificate for the reference of those receiving them
->manages the certificate life cycle, including certificate directory maintenance and
certificate revocation list (CRL) maintenance and publication
87.* Tunnel mode with Internet Protocol security (IPsec) provides encryption and authentication of the complete IP packet->to accomplish this, the authentication header (AH) and encapsulating security payload (ESP) services can be nested
89.data integrity: changes in plaintext message that would result in the recipient failing to
compute the same message hash
Nonrepudiation: ensure claimed sender cannot later deny generating and sending the
message
Replay protection: a recipient can use to check that the message was not intercepted and
re-sent
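Digital signature over a message digest, with the three properties listed under item 89 checked one by one, plus the gap noted earlier about duplicate processing: a replayed message still carries a valid signature, so the receiver has to track a sequence number itself. This is an added example, not code from the source notes; the message format, the sequence-number rule and the payload text are constructed. It uses Ed25519 from the Go standard library; hashing the message with SHA-256 before signing mirrors the "encipher the digest" wording in the notes (Ed25519 would otherwise hash internally).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Message is a constructed transaction: a sender-assigned sequence number plus the payload.
type Message struct {
	Seq     uint64
	Payload []byte
}

// encode fixes the byte layout that is hashed and signed: 8-byte big-endian Seq || Payload.
func encode(m Message) []byte {
	buf := make([]byte, 8, 8+len(m.Payload))
	binary.BigEndian.PutUint64(buf, m.Seq)
	return append(buf, m.Payload...)
}

// NewKeyPair generates the sender's Ed25519 key pair.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign computes the message digest and enciphers (signs) it with the sender's private key.
// Signing the 32-byte digest rather than the full message keeps the signed object small.
func Sign(priv ed25519.PrivateKey, m Message) []byte {
	digest := sha256.Sum256(encode(m))
	return ed25519.Sign(priv, digest[:])
}

// Verify needs only the public key: a valid signature proves integrity (the digest the
// recipient recomputes matches the signed one) and origin (only the private key could sign it).
func Verify(pub ed25519.PublicKey, m Message, sig []byte) bool {
	digest := sha256.Sum256(encode(m))
	return ed25519.Verify(pub, digest[:], sig)
}

// Receiver adds what the signature alone does not give, replay protection, by refusing any
// sequence number that is not strictly greater than the last one accepted.
type Receiver struct {
	pub     ed25519.PublicKey
	lastSeq uint64
	started bool
}

func NewReceiver(pub ed25519.PublicKey) *Receiver { return &Receiver{pub: pub} }

// Accept reports whether the message is processed and, if not, why.
func (r *Receiver) Accept(m Message, sig []byte) (bool, string) {
	if !Verify(r.pub, m, sig) {
		return false, "bad signature: tampered or not from the claimed sender"
	}
	if r.started && m.Seq <= r.lastSeq {
		return false, fmt.Sprintf("replay: seq %d already processed (last %d)", m.Seq, r.lastSeq)
	}
	r.lastSeq, r.started = m.Seq, true
	return true, ""
}

func main() {
	pub, priv := NewKeyPair()
	order := Message{Seq: 1, Payload: []byte("PAY 100.00 TO ACCT 2002")} // constructed payload
	sig := Sign(priv, order)

	tampered := Message{Seq: 1, Payload: []byte("PAY 900.00 TO ACCT 2002")}
	fmt.Println("original verifies:", Verify(pub, order, sig))
	fmt.Println("tampered verifies:", Verify(pub, tampered, sig))

	rx := NewReceiver(pub)
	ok, why := rx.Accept(order, sig)
	fmt.Println("first delivery accepted:", ok, why)
	ok, why = rx.Accept(order, sig) // same bytes re-sent: the signature is still valid
	fmt.Println("replay accepted:", ok, why)
}
```

Because the sequence number is inside the signed bytes, an attacker cannot bump it on a captured message to slip past the replay check without invalidating the signature; that is why the counter or timestamp has to be part of what is signed, not a separate header.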
94. authorization and authentication of the user prior to granting access to system resources
is a preventive measure
95.
99. sniffing: capturing traffic passing over a network (like tapping into a phone call and listening to the conversation)
Password sniffing attack: captures credentials in transit to gain access to systems on which proprietary information is stored
100.
103. programmers who have access to the production database are considered a
segregation of duties conflict and should be concern
104. application-level gateway: protects against hacking->can be configured with detailed rules that describe the type of user or connection that is or is not permitted
For a remote access server, a device asks for a username and password->but the server can be reached from the internet, creating a security exposure
107.dedicated line: quite expensive and only needed when there are specific confidentiality
and availability needs
Integrated services digital network (ISDN) is not encrypted and would need additional
security
108. insecure connecting points make unauthorized access possible if the individual has
knowledge of a valid user ID and password
111. *
115. improper router configuration and rules could lead to an exposure to denial-of-
service(DoS) attack
118.points of entry
121.nonrepudiation can provide strongest evidence that a specific action has occurred
Role of CA: check the identity of entity owning a certificate and to confirm the integrity of
any certificate it issued
126. if IDS detect traffic for internal network did not originate from the mail gateway->create
an entry in the log
127.*
130. it is important for the information owner to understand organizational policies and
standards including the data classification schema so they can be properly classified
133.
135. war driving: locating and gaining access to wireless networks by driving or walking
around a building with a wireless-equipped computer
136.
139.power line conditioners: compensate for peaks and valleys in the power supply and
reduce peaks in the power flow to what is needed by the machine-> protect computer
equipment against short-term reductions in electrical power
Alternative power supplies: intended for power failures that last for longer periods and are
normally coupled with other devices such as an uninterruptible power supply to compensate
for the power loss
Interruptible power supply: cause the equipment to come down whenever there was a
power failure
140. both CO2 and halon can endanger personnel: CO2 suppresses fire by displacing oxygen, which can induce a serious personal hazard; halon works chemically rather than by reducing oxygen but is toxic at higher-than-design concentrations and, as an ozone-depleting substance, is no longer produced under the Montreal Protocol
151.
155. greatest concern associated with the use of peer-to-peer computing : data leakage
->sensitive data can be shared with others
156. reliability and quality of service (QoS) are primary considerations to be addressed-
>voice communications require consistent level of service, which may be provided through
QoS and class of service (CoS) controls
157.
158.
Certificate revocation list (CRL): list of certificates that have been revoked before their scheduled expiration date
Certification practice statement (CPS): how-to document used in a policy-based public key infrastructure (PKI)
*provides detailed descriptions for dealing with a compromised private key
Certificate policy (CP): sets the requirements that are subsequently implemented by the CPS
PKI disclosure statement: covers critical items, e.g., warranties, limitations and obligations that legally bind each party
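The CA life-cycle duties from item 86 and the CRL definition above, carried out end to end: a CA issues certificates, a relying party verifies the chain and the host name, the CA revokes a certificate before its expiry by publishing a signed CRL, and the relying party trusts that CRL only after checking the CA's signature and its NextUpdate. This is an added example, not code from the source notes; the CA name, host names, serial numbers and validity periods are constructed, and it uses the Go standard library's crypto/x509 (which populates the RevokedCertificates field when it parses a CRL).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 = 1000 // constructed serial counter for issued leaf certificates

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildCA creates a self-signed CA allowed to sign both certificates and CRLs.
func BuildCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal CA"}, // hypothetical name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// IssueLeaf has the CA sign a server certificate for the given host name.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	nextSerial++
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(nextSerial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafKey := mustKey()
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey))
}

// VerifyChain checks signature, validity period, CA constraints and host name against the trusted CA.
func VerifyChain(ca, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IssueCRL publishes a CA-signed list of certificates revoked before their expiry.
func IssueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*x509.Certificate) *x509.RevocationList {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now,
		NextUpdate: now.Add(12 * time.Hour),
	}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		panic(err)
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		panic(err)
	}
	return crl
}

// IsRevoked trusts the CRL only if the CA signed it and it is not past NextUpdate, then looks up the serial.
func IsRevoked(ca *x509.Certificate, crl *x509.RevocationList, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL is stale (NextUpdate %s)", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca, caKey := BuildCA()
	vpn := IssueLeaf(ca, caKey, "vpn.example.internal")   // hypothetical host
	mail := IssueLeaf(ca, caKey, "mail.example.internal") // hypothetical host
	fmt.Println("vpn chain valid:", VerifyChain(ca, vpn, "vpn.example.internal") == nil)
	fmt.Println("vpn for wrong host:", VerifyChain(ca, vpn, "mail.example.internal"))
	crl := IssueCRL(ca, caKey, vpn) // private key compromise: revoke before expiry
	r, _ := IsRevoked(ca, crl, vpn)
	fmt.Println("vpn revoked:", r)
	r, _ = IsRevoked(ca, crl, mail)
	fmt.Println("mail revoked:", r)
}
```

The two checks inside IsRevoked are the ones auditors most often find missing in real clients: a CRL that was not signed by the issuing CA, or one past its NextUpdate, must be treated as "unknown", not as "nothing revoked".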
159.use of residual biometric information to gain unauthorized access->replay attack
164. the use of a cryptographic hash function may be helpful to validate the integrity of data
files, in this case, it would not be useful for a production support team connecting remotely
As ABC and XYZ are communicating over the internet, which is an untrusted network,
establishing an encrypted virtual private network tunnel would best ensure that the
transmission of information was secure
165.