
Notes

1. Extending the time frame for audit and delaying the go-live date is unlikely to be acceptable
where system involved is business-critical
2. Delay to go-live date must be decision of business management, not the IS auditor
3. Failure to obtain sufficient evidence in one part of an audit engagement does not justify
cancelling or postponing the audit->doing so would violate the audit guideline concerning due
professional care
4. Report when you find there are some policies that have not been approved by management
5. It is critical for the EA to include the future state because the gap between the current state
and the future state will determine IT strategic and tactical plans. If the EA does not include
a future-state representation, it is not complete, and this issue should be reported as a
finding
6. Primary requirement that a data mining and auditing software tool should meet is to
accurately capture data from the organization’s systems without causing excessive
performance problems
7. Continuous auditing enables a real-time feed of information to management through
automated reporting processes so that management may implement corrective actions more
quickly
8. Detection risk: chance an auditor will fail to find material misstatements exist in an entity’s
financial statements
9. Audit risk: risk that financial statements are materially incorrect (you want to reduce the
audit risk)
10. Control risk: probability that financial statements are materially misstated due to failures in
the systems of controls used by a business
11. Inherent risk: risk posed by an error or omission in a financial statement due to a factor
other than failure of internal control
12. Detection risk is directly affected by the IS auditor’s selection of audit procedures and techniques
13. Usually executive management is not required to approve the audit plan->typically approved
by audit committee or board of directors
14. Performing a risk assessment is the most critical
15. Service level agreement is a contract between a service provider and its internal or external
customers that documents what services the provider will furnish and defines the service
standards the provider is obligated to meet
16. Security Assertion Markup Language (SAML): open standard for exchanging authentication and
authorization data between parties, in particular between an identity provider and a service
provider
17. Audit charter (also known as terms of reference): formal document that defines internal
audit’s purpose, authority, responsibility and position within an organization
18. Audit charter will state the authority and reporting requirements for the audit but not the
details of maintenance of internal control
19. Attribute sampling: primary sampling method used for compliance testing ->used to
estimate the rate of occurrence of a specific quality in a population and is used in
compliance testing to confirm whether the quality exists
20. Variable sampling: based on calculation of a mean from a sample extracted from the entire
population and using the characteristics of the entire population
21. Stratified mean sampling: ensure the entire population is represented in the sample; divides
the population into separate groups->then a probability sample is drawn from each group
22. Difference estimation sampling: measure deviations and extraordinary items->not a good
way to measure compliance
23. Q A1-18
24. How to impair the independence of an IS auditor? Implement specific functionality during
the development of an application
QA1-23
23. Control design testing: assess whether control is structured to meet specific control
objective
24. Assessment of risk should be made to provide reasonable assurance that the audit will cover
material items

25. A1-26

26. 28. Generalized audit software: mathematical computations, stratification, statistical analysis,
sequence checking, duplicate checking and recomputations

27. A129

A130. For risk analysis, having identified threats and potential impacts->identify and evaluate the
existence and effectiveness of existing and planned controls

A131. Evidence obtained from independent third parties is always more reliable than
assurance provided by local management
A133. Observation and interviews are good to evaluate segregation of duties->identify
whether staff are performing any incompatible operations; by interviewing IT staff, the
auditor can get an overview of tasks performed
A134. Disaster recovery planning process: documented process to execute an organization’s
disaster recovery processes and recover and protect business IT infrastructure
A135. When performing an investigation to capture evidence which may be used for legal
purposes, maintaining integrity of evidence should be the foremost goal
A138. Independent test performed by IS auditor is more reliable than confirmation letter
from third party because the letter is result of an analysis and may not be based on
authoritative audit techniques
A139. Organizational chart provides information about responsibilities and authority of
individuals->proper segregation of functions
A140. How to test the effectiveness of a control? A sample of system-generated reports with
evidence that the reviewer followed up on exceptions represents the best possible evidence of
effective operation of the control->documented evidence that the reviewer has reviewed and taken
action
A141. Integrated test facility: processes test transactions simultaneously with live input; advantage:
periodic testing does not require separate test processes; test data must be isolated from
production data
A142. Attribute sampling is most effective in determining whether purchase orders (POs) issued to
vendors have been authorized as per the authorization matrix->an item being sampled either will or
won’t possess certain qualities or attributes
A143. Preparing simulated transactions for processing and comparing the results to
predetermined results is the best method
A144
A146. Stop or go sampling: evaluation of each sample taken from a population to see if it
fits a desired conclusion->stops evaluating samples as soon as there is sufficient support for
the conclusion
Classical variable sampling: associated with dollar amounts and has a sample based on a
representative sample of the population but is not focused on fraud
Discovery sampling: use of sample to determine whether a percentage error does not
exceed a designated percentage of population->if sample does not contain error, actual
error rate is assumed to be lower than minimum unacceptable rate
Probability proportional to size sampling: associated with cluster sampling when there are
groups within a sample
A147
A148. Role of auditor is to inform management clearly about the risk
A153. To ensure org is complying with privacy issues, first address legal and regulatory
requirements
To comply with legal and regulatory requirements, the organization needs to adopt appropriate
infrastructure
After understanding the legal and regulatory requirements, evaluate whether organizational
policies, standards and procedures address the privacy requirements, then review adherence to
these specific policies, standards and procedures
A155. In the planning stage of IS audit, primary goal is to address audit objectives
A157. Substantive test includes gathering evidence to evaluate integrity (completeness,
accuracy, validity) of individual transactions, data or other information
A160. IS auditor should not recommend a specific vendor->this compromises auditor’s
professional independence
A161. Primary reason to perform functional walk-through during preliminary phase of audit
assignment: understand business process-> develop risk assessment
A162
A163. Primary purpose for meeting with auditees prior to formally closing a review is to gain
agreement on findings
A164. Test data runs: verify processing of preselected transactions
Code review: determine whether the code follows coding standards or contains potential
errors or inefficient statements; can be used as a means of code comparison but is inefficient
and unlikely to detect any changes in code
Automated code comparison: compare two versions of same program ->determine whether
two correspond ->can detect unauthorized program changes
A167. IS auditor’s manager may recommend what should be included but should not
influence the content of the report
IS auditor should make final decision about what to include or exclude
Audit trail: system that traces the detailed transactions relating to any item in an accounting
record
A171. Steps to evaluate logical access control: obtain understanding of security risk to
information processing->documentation and evaluation to assess adequacy, efficiency and
effectiveness of control->test the access path to determine if they are functional->evaluate
security environment in relation to written policies and practices
A172. What an IS audit charter should include: role of the IS audit function (overall
authority, scope and responsibilities), objectives and scope of the audit function
What an IS audit charter should not include: objectives and scope of an IS audit engagement
A173. Computer-assisted audit techniques (CAATs): review entire invoice file to look for
those items that meet the selection criteria
Integrated test facility (ITF): test transactions through production systems, but would not
compare records to identify duplicates
A174. Identification of assets to be protected is the first step in development of risk
management program
A175. System log analysis: identify changes and activity on system, would not identify
whether change was authorized unless conducted as part of compliance test
Compliance testing: verify that the change management process (evaluate existence of a trail of
documentary evidence) has been applied
Forensic analysis: for criminal investigation
Analytical review: assess general control environment of an organization
A177. Rebooting the system may result in a change in system state and loss of files
A179. Forensic audit: systematic collection and analysis of evidence after a system
irregularity
A181. Integrated test facility: ensure test data are isolated from production data
A182. Overriding of computer processing jobs by computer operators->unauthorized
changes to data or programs
A183
A186. Auditor is not authorized to shut the system down but the manager is
A187. Objective of discussing audit findings: confirm findings, propose a course of corrective action
*Based on this discussion, finalize the report and present it after findings are confirmed
A188
A190. Computer-aided software engineering (CASE): assists in software development
Embedded data collection software such as system control audit review file or systems
audit review file: used to provide sampling and production statistics but not to conduct an
audit log analysis
Trend/ variance detection tools: look for anomalies in user or system behavior such as
invoices with increasing invoice number
Heuristic scanning tools: type of virus scanning used to indicate possible infected traffic
A192. Introducing an automated monitoring and auditing solution can help discover
unnecessary or overlapping key controls, as all key controls need to be clearly aligned for
systematic implementation
Integrated test facility only tests accuracy
A193. Validity check: verifies required format, e.g. not using a dictionary word
A194. Transferring risk, e.g. taking out an insurance policy->way to share risk
A195. Control self-assessment helps to identify high-risk areas that might need a detailed
review later
A196. Audit universe: IT strategic plan, organizational structure and authorization matrix
A101. Reperformance: evaluate operating effectiveness of control rather than design of
control
Walk-through: combination of inquiry and inspection of evidence with respect to business
process control->most effective basis for evaluation of design of control as it actually exists
A102. Risk assessment helps to focus the audit procedures on highest risk areas included in
scope of audit
A103. Substantive testing: obtain audit evidence on completeness, accuracy, existence of
data ->compare data in application to the base document
-example: conduct bank confirmation to test ending cash balance, observe period-end
counting of inventory, contact lenders to confirm loan balances are correct
Compliance testing: test control designed to obtain audit evidence on both effectiveness of
control and operation
-example: verify configuration of router for controls, review system access right, review of
firewall settings, review compliance with password policy
A1106
A1108: project management is the most important skill needed
A110.* Residual risk: remaining risk after management has implemented a risk response
Compliance risk: penalty applied to current and future earnings for nonconformance to laws
and regulations
A113. Walk-through follows the manual log review process from start to finish to gain a
thorough understanding of overall process and identify potential control weaknesses
A115. Lack of adequate controls represents a vulnerability, exposing sensitive information
and data to risk of malicious damage, attack->result in loss of sensitive information, financial
loss, legal penalties or other losses
A1119. When internal controls are strong->lower confidence coefficient ->smaller sample
size
A1121. Dual control requires two people to carry out an operation; observation helps to
ascertain whether two individuals are actually involved in execution of the operation and an
element of oversight exists
Re-performance of a wire transfer at a bank would not be an option
A1124. IS audit charter does not dictate the reporting requirement of IS audit department
A1125. The e-commerce application enables the execution of business transactions
->important to understand the nature and criticality of the business process supported by the
e-commerce application to identify specific controls to review
A1126. Evaluating the organizational structure only gives a limited view on allocation of IT
responsibilities, and the responsibilities may have changed over time
A1127. Directive control: manual control consisting of a policy or procedure that specifies what
actions are to be performed
A1128. Any weakness noticed should be reported, even if it is outside the scope of the current
audit, but there is no need to execute audits and reviews
A1129
A1130. Re-performance is most effective to ensure effectiveness of controls->when the same
result is obtained after performance by an independent person, this provides the strongest
assurance
A1137. Control self assessment: emphasizes management of and accountability for
developing and monitoring the controls of an organization’s business processes
->attributes: empowered employees, continuous improvement, extensive employee
participation and training->all represent broad stakeholder involvement
A1140. Generalized audit software: data analytic tool used to filter large amounts of data
Integrated test facility: test the processing of the data, cannot be used to monitor real-time
transactions
Regression test: test new versions of software to ensure previous changes and functionality
are not inadvertently overwritten or disabled by new changes
A1141.
A1142. Primary objective of control self assessment: leverage the internal audit function by
shifting some of the control monitoring responsibilities to functional area line managers
->depends on the degree to which line managers assume responsibility for controls->enables line
managers to detect and respond to control errors promptly
A1143. Table lookups are preventive controls->input data are checked against predefined
tables, which prevents any undefined data from being entered

Domain 2
1. Mandatory vacation is required to ensure irregularities and fraud are detected
2. Software capability maturity model (CMM):
Continuous improvement-level 5
Quantitative quality goals-level 4
Documented process-level 3 and below
Process tailored to specific projects-level 2 or below
3. *Primary consideration when reviewing prioritization and coordination of IT projects and
program management: projects are aligned with organization’s strategy
4. Termination checklist is more crucial than Non-disclosure
5. *IT governance implementation: determine stakeholder requirements and involvement
->based on this, assurance scope and objectives would be determined
6. Secondary employment: having two jobs
7. Position of security administrator is a staff-level position but not management->would
not have authority to approve the policy
8. *Primary risk of business process reengineering (BPR): controls are eliminated as part of
reengineering effort
11. A data retention policy is important when auditing the archiving of a company’s email
communications
12. *By evaluating the organization’s development projects against the CMM, the auditor determines
whether the development organization follows a stable, predictable software development process
CMM: won’t evaluate technical processes, e.g. programming efficiency
Won’t evaluate security requirements or other application controls
13. *Enterprise architecture: primary goal is to ensure technology investments are consistent
with platform, data and development standards of the IT organization->goal is to help the
organization implement technology that is most effective
14. *Software escrow: legal agreement between a software vendor and a customer to
guarantee access to source code->the application source code is held by a trusted third party
->agreement is necessary in case the software vendor goes out of business->used to protect
intellectual property of software developed by one organization and sold to another
organization
*not used for software being reviewed by an auditor of the organization that wrote the software
16. Reciprocal agreement: two organizations agree to provide computing resources to each
other in the event of a disaster; a form of risk mitigation->works well if both organizations
have similar information processing facilities
Risk avoidance: example: stop accepting credit card payment to avoid risk of credit card
information disclosure
Risk acceptance: accept the risk and do nothing
17. *Interruption window: amount of time during which the organization is unable to maintain
operations, from the point of failure to the time that critical services are restored
Recovery time objective (RTO): based on acceptable downtime in the case of a disruption of
operations
Service delivery objective (SDO): directly related to business needs->level of services to
be reached during the alternate process mode until the normal situation is restored
Recovery point objective (RPO): based on acceptable data loss in the case of a
disruption of operations; defines the point in time from which it is necessary to recover the
data and quantifies the permissible amount of data loss in the case of interruption
18. * Primary requirement to achieve business objective for quality management system
(QMS): continuous and measurable improvement of quality
19. * IT’s value delivery to business is driven by aligning IT with enterprise’s strategy
22. Check whether existing IT mechanisms are in place that enable the organization and its
employees to comply with the policy
23. *Approval of contracts is a business process and would be controlled through the financial
process
24. Vendor change control->monitored by IT management
Separation of duties within the information processing environment->IT management
responsibility
Approve and monitor major projects, i.e. status of IT plans and budgets->IT steering
committee
Liaising between IT department and end user->function of individual parties, not a
committee responsibility

26. involve senior management in strategic plan to ensure the enterprise meets its goal and
objectives

28.* Responsibilities:

-quality assurance (QA) management: reliability and consistency of processes

-senior management: establish acceptable risk level because they have ultimate or final
responsibility for effective and efficient operation of organization

-Chief information officer (CIO): accountable for IT advocacy, aligning IT and business
strategies, and planning, resourcing and managing the delivery of IT services, information
and the deployment of associated human resources

-Chief security officer (CSO): responsible for enforcing the decision of senior management
team

29. CEO: implement IT governance

Board of directors: IT governance

IT steering committee: facilitates deployment of IT resources for specific projects in support
of business plans, enforces governance on behalf of BOD

Audit committee: monitor implementation of audit recommendations

31. Background screening provides the best assurance of integrity of new staff

35. LAN admin may have end-user responsibilities but won’t have programming
responsibilities

36. DR services can only be expected from a vendor when explicitly listed in the contract with
well-defined recovery time objectives (RTO) and recovery point objectives (RPO)->without the
contractual language, the vendor is not required to provide DR services
40. Integration of IT and business personnel is an operational issue and should be considered
while reviewing the short-range plan

46. A person with both security and programming rights could do almost anything on a
system->creates a problem of separation of duties

49.

50. Approval of the information systems security policy is the responsibility of top management or
the board of directors

53. basis for access control authorization should be included in organization’s information
security policy

54.

55.

56.

58. when an IT security baseline has been defined, an IS auditor should first ensure
sufficiency of control baseline to meet security requirement

59. *Steering committee: consists of representatives from business and IT, ensures IT
investment is based on business objectives rather than on IT priorities; not responsible for
enforcing security controls, not responsible for implementing development methodologies

60. *IS control objective: statement of desired result or purpose to be achieved by
implementing control procedures

61. security policy statement: reflects the intent and support provided by executive
management for proper security and establishes a starting point for developing the security
program

63. *Most important stakeholder in terms of developing a business continuity plan (BCP):
process owner-identify critical business functions, recovery times and resources needed

*BOD usually approve the plan but not involved in details of developing

66. *Capability Maturity Model (CMM) : methodology used to develop and refine an
organization’s software development process, measures the maturity of IT processes from
level 0 to level 5

Project management: assists in definition, prioritization, approval and running of a set of
projects within a given organization->these tools offer data capture, workflow and scenario
planning functionality which can help identify the optimum set of projects from the full set of
ideas to take forward within a given budget

Configuration management: systems engineering process for establishing and maintaining
consistency of a product’s performance, functional and physical attributes with its
requirements, design and operational information; for IT service delivery, in particular
change management->provides information that would influence prioritization of projects

PMBOK: methodology for management and delivery of projects->offers no specific guidance
or assistance in optimizing a project portfolio
67.*

68.* risk management process: making specific, security-related decisions such as level of
acceptable risk

70. Responsibilities of IT steering committee:

-project approval and prioritization

-oversight of development of long-term IT plan

-advises the board of directors on status of developments in IT

71. it is important to conduct periodic audit review to ensure the terms of contract are
adhered to after the contract is signed

73. threat exists regardless of controls or lack of controls

Lack of adequate security controls represents a vulnerability, exposing sensitive info and
data to risk of malicious damage, attack or unauthorized access by hackers

74. IT performance measurement process: used to optimize performance, measure and
manage products/services, assure accountability and make budget decisions

75. **outcome of Information security governance:

-strategic alignment: provides input for security requirements driven by enterprise
requirements

-value delivery: provide standard set of security practices, effectiveness and efficiency of
solutions

-risk management

-performance measurement

76. Business objectives drive information security policy->information security policy drives
selection of IT department objectives

->information security policy should not be driven by the IT department’s objectives

77. *Top management mediating between imperatives of business and technology is an IT
strategic alignment good practice

78. *risk acceptance levels are set by senior management not by IT management

Business strategy drives IT strategy

IT governance is an integral part of overall enterprise governance

IT strategy extends organization’s strategies and objectives

79. it is possible that not all of the critical IT assets and projects will have recently been
audited and there may not be a sufficient assessment of strategic IT risk

82. Cross-training: training more than one individual to perform a specific job or procedure

->helps decrease dependence on a single person

->assists in succession planning

Disadvantage: risk of one person knowing all parts of a system

83. **If there is an environment where duties cannot be appropriately segregated,
compensating controls are intended to reduce the risk of an existing or potential control weakness

Lack of segregation of duties = IS auditor would expect to find that a person has higher levels
of access than would be ideal

85. *Business impact analysis (BIA)->business continuity strategy(identify the best way to
recover)->test and exercise plan

86. primary focus when reviewing the development of information security policies: strike a
balance between business and security requirements

89. Most important element for the successful implementation of IT governance:

-identifying organizational strategies

*risk assessment is important but it is also based on organizational strategies

90. Control self-assessment: improve monitoring of security controls

Business impact analysis (BIA): calculate impact on business in the event of an incident that
affects business operations

IT balance scorecard (BSC): provides bridge between IT objectives and business objectives

Business process reengineering (BPR): review and improve business processes

91. Database activity logs record activities performed by the database administrator (DBA)
->deleting them should be performed by others->compensating control to aid in ensuring an
appropriate segregation of duties

Job duties of database administrator: define backup and recovery procedures, monitor
database usage, implement database optimization tools

92. risk mitigation: address the risk described

93. Vulnerabilities: weaknesses of information resources that may be exploited by a threat
->weakness that could be addressed by a security specialist

Threat: usually outside the control of security specialist

94. *First step when an IS auditor has been assigned to review IT structures and
activities recently outsourced to various providers: ensure contracts support the business

95. *IT balanced scorecard (BSC) is a tool that provides a bridge between IT objectives and
business objectives by supplementing the traditional financial evaluation with measures to
evaluate customer satisfaction, internal process and ability to innovate->measures the
success of IT investment and strategy

96. outsourcing contract cannot be expected to cover every action and detail expected of
the parties involved, but should cover business requirements

Core activities should not be outsourced


100. *A job description containing a clear statement of accountability for information security is
the best criterion for evaluating adequacy of an organization’s security awareness program

101. *If a business case was not established, it is likely the business rationale, risk and risk
mitigation strategies for outsourcing the application development were not fully evaluated
and the appropriate information was not provided to senior management for formal approval

Lack of change management procedures may present a risk especially with the possibility of
extraordinary charges for any required changes

103. Business impact analysis (BIA) vs. risk assessment:

Inventory of critical assets: BIA yes, risk assessment yes
Identification of vulnerabilities: BIA yes, risk assessment yes
Listing of threats: BIA yes, risk assessment yes
Determination of acceptable downtime: BIA yes, risk assessment no
105. **When assessing IT security risk, it is important to take into account the entire IT
environment

Measures of security risk do not identify tolerances

Measures of security risk should not be limited to network risk but rather focus on those
areas with the highest criticality so as to achieve maximum risk reduction at the lowest
possible cost

106. IT governance is intended to encourage optimal use of IT->specifies the combination of
decision rights and accountability that is best for the enterprise

*you may not want to decentralize IT resources or centralize control of IT

107. most important element of SLA: measurable terms of performance eg. Uptime
agreements

-things will be included in the master agreement: payment terms, indemnification clause

-default SLA: default solution

108. Corporate governance: set of management practices to provide strategic direction to
the organization as a whole->ensures goals are achievable, risk is properly addressed and
organizational resources are properly utilized

*governance is applied through use of good practices but this is not the objective of
corporate governance

109. after you understand the organization’s threat, vulnerability and risk profile you are
able to understand risk exposure and potential consequences of compromise

110. *Value delivery

Primary objective: optimize security investment in support of business objectives
How to achieve such objective? Implement a standard set of security practices
A continuous improvement culture in relation to a security program is a process, not an
objective

111. Strategic alignment: focus on ensuring linkage of business and IT plans

Value delivery: ensure IT investment deliver on promised values

Resource management: optimal investment in and proper management of critical IT
resources

Performance measurement: transparency

113. IT governance is a set of responsibilities exercised by board and executive management

Goal: provide strategic direction, ensure objectives are achieved, risk is managed
appropriately

114. Responsibilities:

Chief information security officer (CISO): periodically review and evaluate the security
policy->prevent unauthorized access to company assets, including data, programs and
equipment
Staff assigned to development and maintenance: user application and other software testing
and evaluation
System, network or database administrators: granting and revoking access to IT resources
Data and application owner: approval of access to data and applications
115. executive sponsor would be the most critical success factor for developing a formal
enterprise security program

117. first step for developing a security architecture:

Define security policy->provide direction for procedures, standards and baselines

118.* Prioritization of projects on the basis of expected benefit to business and related risk is
best measure for achieving alignment of project portfolio to an organization’s strategic
priorities

120.

121. test results not being adequately documented is a major concern for IS auditor
reviewing a business continuity plan

123. Organizational data governance practices should be put in place to solve the problem of two
departments using different product definitions

124. best method to prioritize IT projects is to conduct investment portfolio analysis


125. Agreeing to be subject to an external security review is important because customer credit information will be kept there

Compliance with organizational security policies is important, but there is no way to verify or prove that this is the case

126. Efforts should be consolidated to ensure alignment with the overall strategy of the postmerger organization -> if resource allocation is not centralized, separate projects are at risk of overestimating the availability of key knowledge resources for in-house developed legacy applications

128. Overall quantitative business risk for a particular threat = product of the likelihood and the magnitude of the impact should a threat (not a threat source) successfully exploit a vulnerability

130. Primary objective to test a business continuity plan:

Identify limitations of business continuity plan

*it is not possible to exercise all possible disaster scenarios and ensure all residual risk is
addressed

132. most important element in any business continuity process is protection of human life

133. Types of insurance:

Business interruption insurance: loss of profits due to disruption in the operations of an organization

Fidelity insurance: loss arising from dishonest or fraudulent acts by employees

Errors and omissions insurance: legal liability protection in the event that a professional practitioner commits an act that results in financial loss to a client

Extra expense insurance: cover extra costs of continuing operations following a disaster/disruption within an organization
134. Best method for assessing the effectiveness of a business continuity plan:

-review results from previous tests (comparing to standards will give some assurance but will not reveal anything about its effectiveness)

135. *Interview key stakeholders to evaluate how well they understand their roles and responsibilities -> when all stakeholders have a detailed understanding of their roles and responsibilities in the event of a disaster, the business continuity plan can be deemed clear and simple

136.

138. the business continuity plan should be reviewed every time a risk assessment is
completed for the organization

139.*integrating the BCP into the development process ensures complete coverage of the
requirements through each phase of the project

140.*
141.*the initiation of a business continuity plan should primarily be based on the maximum
period for which a business function can be disrupted before the disruption threatens the
achievement of organizational objectives

Business Continuity Plan

What: process involved in creating a system of prevention and recovery from potential threats to a company -> ensure personnel and assets are protected and are able to function quickly in the event of a disaster. Different from a disaster recovery plan, which focuses on recovery of the company's IT systems after a crisis

Steps: business impact analysis (determine the business processes that must be recovered following a disaster to ensure the organization's survival), recovery (identify and implement steps to recover critical business functions), organization (devise a plan to manage), training

How to test if it is effective: review results from previous BC tests performed by end users. Involvement of user departments in BCP is crucial for identification of business processing priorities and development of an effective plan

144. Risk appetite: level of risk an organization is prepared to accept

Senior management must be involved and aware of roles and responsibilities -> so as to ensure IT governance is effective

145. **Full-scale test: this is the first time that the plan is actually exercised, and a large amount of resources and time would be wasted

Walk-through test: basic type of testing -> intention is to make key staff familiar with the plan and discuss critical plan elements

Functional test: mobilization of staff to exercise the administrative and organizational functions of a recovery

46. Key benefit of control self-assessment:

Management ownership: management becomes more aware of internal control and its responsibility for it

47. Correction of code is not the responsibility of quality assurance because it would not ensure segregation of duties and would impair the team's independence

48. Different types of BCP testing methods:

Plan review: typically involves higher-level management and department heads; analyze the BCP and discuss potential improvements, make sure contact information is up to date

Tabletop exercise/structured walk-through test: scenario-based role-playing exercise; ensure all critical personnel are aware and familiar; discussion of more than one disaster scenario (sitting around a table and discussing); ensure the BCP remains up to date

Walk-through drill/simulation test: actual recovery actions, e.g. restoring backups, live testing of redundant systems; validation of response processes, simulated response at alternate locations

Functional/full recovery test: complete process of spinning up your backup systems and processing transactions or data; involves mobilization of personnel and resources at various geographic sites

149. *Full-scale testing: involves enterprisewide participation and full involvement of external organizations

Deskcheck testing: requires the least effort -> ensures the plan is up to date and promotes familiarity with the BCP among critical personnel from all areas

150. cost-benefit analysis

152.

153. IT risk should align with business objectives

154. *Disaster recovery plan:

Preparedness test: performed by each local office to test the adequacy of preparedness of local operations for disaster recovery

Paper test: structured walk-through of the disaster recovery plan

*A regression test is not a disaster recovery plan test and is used in software development and maintenance

156. Disaster recovery planning:

-address technological aspect of business continuity planning that focuses on IT systems and
operations

158. the cost of ongoing operations when a disaster recovery plan (DRP) is in place,
compared to not having a disaster recovery plan will most likely increase because there will
be additional cost of testing

160. Steps in business continuity planning process:

Complete business impact analysis->develop recovery strategies


161.

Pilot test-small scale test for implementing a new process or technology

Paper test-walk through of entire BCP or part, reason out what may happen in a particular
disaster

Unit test-test new software components-not appropriate for BCP

System test-integrated test used to test a new IT system-not appropriate for BCP

162. after identifying the critical business processes should be addressed first so that risk

163.

Domain 3

1. User management should review and approve system deliverables as they are defined
and accomplished to ensure the successful completion and implementation of a new
business system application

Project steering committee: overall direction, ensures appropriate representation of major stakeholders in the project's outcome, reviews project progress regularly and holds emergency meetings when required

Senior management: commitment to the project, approves necessary resources

Quality assurance staff: review results and deliverables within each phase, and at the end confirm compliance with standards and requirements

2. Gantt chart: type of bar chart that illustrates a project schedule

Earned value analysis: measures a project's progress at any given point in time, forecasting its completion date and final cost (does not prioritize tasks)

Program evaluation and review technique: analyzes the time needed to complete each task and identifies the minimum time needed to complete the total project; principle of obtaining project time lines based on project events for three likely scenarios (worst, best, normal) -> the time line is calculated by a predefined formula and identifies the critical path, which identifies the key activities that must be prioritized

Function point: unit of measurement to express the amount of business functionality an information system provides to a user (does not help to prioritize project activities)

3.

Project scope management: process required to ensure the project includes all of the required work, and only the required work, to complete the project

Project time management: process required to ensure timely completion of the project

Project risk management: process concerned with identifying, analyzing and responding to project risk

Project procurement management: process required to acquire goods and services from outside the performing organization

Because too much functionality leads to going over budget

4.

Program output testing: checking the program input and comparing it with the system output

System configuration: too technical to be accomplished by a user, and this could create security issues

Program logic specification: technical task normally performed by a programmer

Performance tuning: requires a high level of technical skill and will not be effectively accomplished by a user; improvement of system performance
6. Advantage of parallel operation: provides assurance that the new system meets its functional requirements (even if the new system fails, the old system is still available for production use)

Also allows application developers and administrators to simultaneously run operational tasks so as to ensure the new system is reliable before unplugging the old system

7.

Alpha testing: testing stage before beta testing; performed by programmers and business analysts; identifies bugs or glitches that can be fixed before beta testing

White box testing: performed much earlier in the software development life cycle than alpha or beta testing; assesses the effectiveness of software program logic; typically does not involve external users

Regression testing: process of re-running a portion of a test scenario to ensure changes or corrections have not introduced more errors; ensures the fix of one problem did not break another part; not the last stage of testing and does not typically involve external users

Beta testing: final stage of testing; includes users outside the development area; form of user acceptance testing (UAT); involves a limited number of external users
8.

11. Server configuration hardening is important to patch known vulnerabilities and to disable all non-required functions before production
*Because the VMs are only used in a development environment and not in production, it may not be necessary to include the VMs in the disaster recovery plan

12. UAT should be performed prior to implementation (during the development phase)

Cost-benefit or return on investment analysis should be re-performed after the implementation phase to verify the original business case benefits are delivered

Audit trail being performed during the implementation

Updating the enterprise architecture would normally not be part of a postimplementation review

13. Maximize the usefulness of testing by concentrating on the most important aspects of the system and on the areas where defects represent the greatest risk to user acceptance

14. Electronic funds transfer reconciliation procedure:

Vouching-

Authorization: normally done automatically by the system, not during reconciliation

Correction entries: reviewed during reconciliation but normally done by an individual other than the person entrusted to do reconciliations, and not as important as tracing

Tracing: follow a transaction from its original source to its final destination

13.

Recalculation: ensures processing is accomplishing the anticipated task; performed after the output phase

Limit check (processing control): as close as possible to the point of data entry; provides a preventive control to ensure invalid data cannot be entered because values must fall within a predetermined limit

Run-to-run totals: verify data values through the stages of application processing; performed after the output phase; ensure data read into the computer were accepted and then applied to the updating process

Reconciliation: performed on a routine basis; performed after the output phase; performed through the use of a manually maintained account, a file control record or an independent control file
16. Process owners not having been identified would be the greatest concern for an IS auditor when one application is expanded to multiple departments
17.* when auditing the proposed acquisition of a new computer system, an IS auditor should
first ensure a clear business case has been approved by management->the proposal meets
the needs of the business

*compliance with security standards is essential but too early in the procurement process

18. software as a service: software licensing and delivery model in which software is licensed
on subscription basis and is centrally hosted

Eg. Google apps, dropbox

*provisioned on a usage basis and number of users is monitored by the SaaS provider->no
risk of noncompliance with software license agreements

*SaaS relies on internet for connectivity->encounter speed and availability issues

*cost should be fixed part of service contract and considered in business case presented to
management for approval of the solution

*open design and internet connectivity allow most SaaS to run on virtually any type of
hardware

19. Lack of adequate user involvement, especially in the system's requirements phase, will result in a system that does not fully or adequately address the needs of the user

20.

Function point analysis: determines the size of a development task based on the number of function points (inputs, outputs, inquiries and logical internal files); will not assist in determining project duration

Program evaluation review technique chart: determines project duration once all activities and the work involved with those activities are known

Rapid application development: enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality

Object-oriented system development: process of solution specification and modeling, but will not assist in calculating project duration
21. Benefits of SaaS: reduction of software acquisition cost

*SaaS provider does not normally have onsite support for the organization

->*Incident handling procedures between the organization and its provider are critical for the detection, communication and resolution of incidents, including effective lines of communication and escalation processes

22. Reasons for establishing a stop or freezing point on the design of a new system:

-provide greater control over requirements other than systems design

-allow a review of cost effectiveness, because often the expansion grows to a point where originally anticipated cost benefits are diminished

23.* Prototyping: draft version of a product that allows you to explore your ideas and show
the intention behind a feature or the overall design concept to users before investing time
and money into development

*changes in requirement and design happen so quickly that they are seldom documented or
approved

27. A checksum calculated on an amount field and included in the electronic data interchange -> can be used to identify unauthorized modifications -> integrity

-Nonrepudiation: a person cannot deny having done something -> ensured by using a digital signature

28. purpose of a control is to mitigate risk

29. *

Console log printout: would not record activity from a specific terminal

Transaction journal: records all transaction activity; compared to authorized source documents to identify any unauthorized input

Automated suspense file listing: lists only transaction activity where an edit error occurred

User error report: lists only input that resulted in an edit error and would not record improper user input
31. Data entered from a remote site is edited and validated prior to transmission to the central processing site

33.

Regression testing: used to test for the introduction of new errors in the system after changes have been applied -> confirm a recent program change has not adversely affected existing features

Validation testing: tests the functionality of the system against detailed requirements to ensure the software construction is traceable to customer requirements

Sociability testing: whether the system can operate in the target environment without adverse impacts on existing systems

Software quality assurance and code review: determine whether development standards are maintained

Regression (dictionary meaning: 'to return') is a test to check again that changes/modifications have not introduced any new errors.
Sociability (dictionary meaning: 'ability to have companionship with others') is a test to determine the adaptability of the new system to settle into the existing environment.
Integration (dictionary meaning: 'to connect') is a test to ensure the flow of information between two or more systems is correct and accurate.

34. Automated systems balancing -> ensures no transactions are lost, as any imbalance between total inputs and total outputs would be reported for investigation and correction

36. *

37.

Range check: checking that data match a predetermined range of allowable values

Check digit: numeric value that is calculated mathematically and is appended to data to ensure that the original data have not been altered

Validity check: programmed checking of the data validity in accordance with predetermined criteria

Duplicate check: new or fresh transactions are matched to those previously entered to ensure that they are not already in the system
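The four edit checks from item 37 applied to one constructed batch of payment records, as an added example that is not part of the original notes. The field layout, the allowable currencies and amount limits are assumptions made for illustration, and the check digit uses the Luhn (mod 10) scheme, one common check-digit algorithm; rejected records are collected the way a suspense file (item 29) would hold them.

```python
"""Added example (not from the study notes): range, check-digit, validity and
duplicate checks over a constructed batch of transactions."""
from dataclasses import dataclass


@dataclass
class Txn:
    txn_id: str
    account: str      # digits; the last digit is a Luhn check digit
    amount: float
    currency: str


ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}   # constructed validity list
AMOUNT_MIN, AMOUNT_MAX = 0.01, 10_000.00     # constructed range limits


def range_check(amount: float) -> bool:
    """Range check: the value must fall within a predetermined range."""
    return AMOUNT_MIN <= amount <= AMOUNT_MAX


def luhn_check_digit(body: str) -> str:
    """Compute the Luhn (mod 10) check digit that is appended to `body`."""
    total = 0
    # Walk from the right; double every second digit starting with the rightmost.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def check_digit_ok(account: str) -> bool:
    """Check digit: recompute the appended digit and compare it with the one present."""
    if not account.isdigit() or len(account) < 2:
        return False
    return luhn_check_digit(account[:-1]) == account[-1]


def validity_check(currency: str) -> bool:
    """Validity check: the value must match predetermined criteria."""
    return currency in ALLOWED_CURRENCIES


class DuplicateChecker:
    """Duplicate check: each new transaction is matched against those already entered."""

    def __init__(self) -> None:
        self.seen: set[str] = set()

    def is_new(self, txn_id: str) -> bool:
        if txn_id in self.seen:
            return False
        self.seen.add(txn_id)
        return True


def edit_batch(batch: list[Txn]) -> dict[str, list[str]]:
    """Run all four checks; return {txn_id: [failed checks]} for rejected records."""
    dup = DuplicateChecker()
    rejects: dict[str, list[str]] = {}
    for t in batch:
        failed = []
        if not range_check(t.amount):
            failed.append("range")
        if not check_digit_ok(t.account):
            failed.append("check_digit")
        if not validity_check(t.currency):
            failed.append("validity")
        if not dup.is_new(t.txn_id):
            failed.append("duplicate")
        if failed:
            rejects[t.txn_id] = failed
    return rejects


# Constructed sample batch: one clean record, then one failure per check.
GOOD_ACCOUNT = "7992739871" + luhn_check_digit("7992739871")   # "79927398713"
SAMPLE_BATCH = [
    Txn("T1", GOOD_ACCOUNT, 250.00, "USD"),
    Txn("T2", GOOD_ACCOUNT, 25_000.00, "USD"),   # above the range limit
    Txn("T3", "79927398710", 10.00, "USD"),      # wrong check digit
    Txn("T4", GOOD_ACCOUNT, 10.00, "XYZ"),       # currency fails the validity check
    Txn("T1", GOOD_ACCOUNT, 250.00, "USD"),      # duplicate of T1
]

if __name__ == "__main__":
    for tid, why in edit_batch(SAMPLE_BATCH).items():
        print(tid, "rejected:", ", ".join(why))
```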
38.*Software baseline: cutoff point in the design and development of a system

Beyond this point, additional requirements or modifications to the scope must go through
formal, strict procedures for approval based on a business cost-benefit analysis

Failure to adequately manage a system through baselining can result in uncontrolled changes in a project's scope and may incur time and budget overruns

Scope creep: changes, continuous, or uncontrolled growth in a project’s scope, at any point
after the project begins

40. Review the application data flow diagram -> understand the flow of data within the application and to other systems -> enables the auditor to evaluate the design and effectiveness of the data integrity controls

41. Request for proposal: document that solicits proposals, made through a bidding process, by an agency or company interested in procurement of a commodity, service or valuable asset, inviting potential suppliers to submit business proposals

42.

System testing: determines if the combined units of software work together and that the software meets user requirements per specifications

Acceptance testing: final stage before software is installed and is available for use; the greatest impact would occur if software fails at the acceptance testing level because this could result in delays and cost overruns

Integration testing: examines the units/modules as one integrated system -> failure would be expensive and require re-work of the modules but would not be as expensive as a problem found just prior to implementation; *performed during various stages of development

Unit testing: examines the individual units or components of the software -> failure would be expensive and require re-work of the modules but would not be as expensive as a problem found just prior to implementation; *performed during various stages of development
43. Standardized IT infrastructure: provides a consistent set of platforms and operating systems across the organization -> reduces the time and effort required to manage a set of disparate platforms and operating systems

-> implementation of enhanced operational support tools (e.g. password management tools) is simplified -> helps the organization reduce the cost of IT service delivery and operational support

However, as it is standardized -> results in a more homogeneous environment -> more prone to attacks

Although standardization can reduce support cost, the transition to a standardized kit can be expensive -> the overall level of IT infrastructure investment is not likely to be reduced

44.*Most important element in the design of a data warehouse:

Quality of the metadata

Data warehouse: copy of transaction data specifically structured for query and analysis

*used for analysis and research->therefore speed of transaction is not relevant

Metadata: describes the data in the warehouse and aims to provide a table of contents to
the stored information

45. Stress testing: computer simulation technique used to test the resilience of institutions and investment portfolios against possible future financial situations

-> helps gauge investment risk and adequacy of assets, evaluate internal processes and controls

*Use a test environment with live workloads -> ensures the system will operate effectively when moved into production

46. Assignment of process ownership is essential in system development projects; it will ensure the system is designed according to the needs of the business processes that depend on system functionality

48. Risk management is a never-ending process, so project planning cannot wait until all risk has been identified

50. Incorrect parameters would lead to a system breach, failure or noncompliance

51.Prototyping:

-often leads to functions or extras being added to the system that were not originally
intended

Cons:-has poor internal controls because the focus is primarily on functionality, not on
security

Pros:-provide significant time and cost savings through better user interaction and ability to
rapidly adapt to changing requirements

52. decision support system

-solve less structured problems

-supports semistructured decision-making tasks

-computerized program used to support determinations, judgements and courses of action

-analyzes massive amounts of data, compiling comprehensive information that can be used
to solve problems and in decision-making

54. sanitized data=meaning the sensitive data is being removed

55. parallel testing:

*unit and system testing are completed before parallel testing

Purpose: ensure implementation of new system will meet user requirements by comparing
the results of the old system with new system to ensure correct processing

56.

Rules: expression of declarative knowledge through the use of if-then relationships

Decision trees: questionnaire to lead a user through a series of choices until a conclusion is reached

Semantic nets: graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes

Dataflow diagram: maps the progress of data through a system and examines logic, error handling and data management
57. Top-down testing: test from top to bottom -> high-level modules are tested first, then low-level modules, and finally the low-level modules are integrated into the high level to ensure the system is working as intended

Bottom-up testing: lowest-level modules are tested first, then high-level modules, and the high-level modules are integrated with the low level to ensure the system is working as intended

-test begins with the testing of atomic units such as programs and modules, and works upward until a complete system test has taken place

Pros: errors in critical modules are found earlier

-interface errors will not be found until later in the testing process, as a result of the integration of system testing

58. Phases in software development

Requirement gathering and analysis -> design -> implementation (when tests are conducted) -> deployment -> maintenance

During requirement definition, the user acceptance test plan should be ready -> define precise objectives and functional needs

59. one of the major benefits of object-oriented design and development

61. when a new system is to be implemented within a short time frame, it is most important
to perform user acceptance testing->ensure the system to be implemented is working
correctly

62. whenever proprietary application software is purchased, the contract should provide for
a source code escrow agreement ->ensure the purchasing company will have the
opportunity to modify the software should the vendor cease to be in business

63.

Program evaluation review technique: project management technique used in planning and control of system projects

Function point analysis: determines the size of a development task based on the number of function points (such as inputs, outputs, inquiries and logical internal files)

Counting source lines of code: gives a direct measure of program size, but it does not allow for complexity that may be caused by having multiple, linked modules and a variety of inputs and outputs

White box testing: detailed review of the behavior of program code; suited to simpler applications during the design and building stage of development
66. functionality: set of attributes that bear on existence of a set of functions and their
specified properties

Portability: ability to be transferred from one environment to another

Reliability: capability to maintain its level of performance under stated conditions

Efficiency: relationship between the performance of the software and the amount of
resources

67. By combining quality assurance testing and user acceptance testing, users may apply pressure to accept a program that meets their needs even though it does not meet quality assurance standards

68. Rapid application development (RAD) vs. system development life cycle

Emphasizes greater user involvement -> ensures the system meets user requirements

No early testing vs. allows early testing

Does not facilitate conversion to a new system

Greatest advantage: shorter time frame for development of a system
69. If the operating system (OS) is currently being used, it is compatible with the existing
hardware platform->if it were incompatible, it would not operate properly

*** in reviewing proposed application, should ensure the products to be purchased are
compatible with the current or planned OS

70. expert system: in AI, it is a computer system that emulates decision making ability of a
human expert

Greatest benefit: capture and record of the knowledge and experience of individuals in an
organization->allow other users to access information formerly held only by experts

71.

Parallel testing: process of feeding data into two systems (the modified system and an alternate system) and comparing the results; old and new systems operate concurrently for a period of time and perform the same processing functions; allows a new system to be tested without affecting existing systems

Pilot testing: takes place first at one location and is then extended to other locations; see if the new system operates satisfactorily in one place before implementing it at other locations; the cutover to the new system will disable existing systems

Interface/integration testing: hardware or software test that evaluates the connection of two or more components that pass information from one area to another; objective: take unit-tested modules and build an integrated structure; will not test in a true production environment

Sociability test: confirms that a new or modified system can operate in its target environment without adversely impacting existing systems

73*

76. During a postimplementation review of an enterprise resource management system, an IS auditor would most likely review the access control configuration -> determine whether security has been appropriately mapped in the system
**Postimplementation review is done after user acceptance testing and actual implementation

**The issue of reviewing detailed design documentation is not relevant to an enterprise resource management system because these are usually vendor packages with user manuals

77. hash total: numerical sum of one or more fields in the file, including data not normally
used in calculations such as account number

When necessary, the hash total is recalculated and compared with the original

If data are lost or changed, a mismatch occurs which signals an error

Programmed edit check: automated control; preventive control

Well-designed data entry screen: automated control; preventive control

Segregation of duties: ensures a single individual does not have the authority to both create and approve a transaction; method to prevent error

Hash total: indicates an error in data integrity; detects errors in data processing
78. User acceptance testing: verifies the system functionality has been deemed acceptable by the end users of the system

Risk assessment: highlight the risk

Postimplementation review: evaluate how successfully the project results match original
goals, objectives and deliverables

-also evaluates how effective the project management practices were in keeping the project
on track

Management approval: based on reduced functionality and does not verify the system is
operating as designed

79. ***

Isolation: ensures each transaction is isolated from other transactions -> each transaction can only access data if it is not being simultaneously accessed or modified by another process

Consistency: ensures all integrity conditions in the database are maintained with each transaction

Atomicity: a transaction is completed in its entirety or not at all -> if an error or interruption occurs, all changes made up to that point are backed out

Durability: when a transaction has been reported back to a user as complete, the resultant change to the database will survive subsequent hardware or software failure
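The four properties of item 79 exercised against a small ledger, as an added example that is not part of the original notes. It uses Python's built-in sqlite3 only because it needs no installation; the accounts table, its balances and the "reopen the file" stand-in for a restart are assumptions made for the demonstration.

```python
"""Added example (not from the study notes): atomicity, consistency, isolation
and durability demonstrated on a constructed two-account ledger in SQLite."""
import os
import sqlite3
import tempfile

SCHEMA = """CREATE TABLE IF NOT EXISTS account (
    id TEXT PRIMARY KEY,
    balance INTEGER NOT NULL CHECK (balance >= 0)   -- integrity condition
)"""


def connect(path):
    # isolation_level=None: the driver issues no implicit BEGIN; we do it explicitly.
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute(SCHEMA)
    return conn


def seed(conn):
    conn.executemany("INSERT OR REPLACE INTO account VALUES (?, ?)",
                     [("A", 100), ("B", 50)])


def transfer(conn, src, dst, amount):
    """Debit and credit inside one transaction.

    Atomicity: any failure backs out every change made so far (ROLLBACK).
    Consistency: the CHECK constraint refuses a transaction that would leave
    a negative balance, so the integrity condition holds after each commit.
    """
    try:
        conn.execute("BEGIN")
        conn.execute("UPDATE account SET balance = balance - ? WHERE id = ?", (amount, src))
        conn.execute("UPDATE account SET balance = balance + ? WHERE id = ?", (amount, dst))
        conn.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        conn.execute("ROLLBACK")
        return False


def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM account ORDER BY id"))


def demo_atomicity_consistency(path):
    """A transfer that would overdraw A is rejected and leaves both rows untouched."""
    conn = connect(path)
    seed(conn)
    ok = transfer(conn, "A", "B", 500)
    result = (ok, balances(conn))
    conn.close()
    return result   # (False, {'A': 100, 'B': 50})


def demo_isolation(path):
    """A second connection does not see the writer's uncommitted change."""
    writer = connect(path)
    seed(writer)
    reader = connect(path)
    writer.execute("BEGIN")
    writer.execute("UPDATE account SET balance = balance - 10 WHERE id = 'A'")
    # fetchall() finishes the statement so the reader holds no lock afterwards.
    during = reader.execute("SELECT balance FROM account WHERE id = 'A'").fetchall()[0][0]
    writer.execute("COMMIT")
    after = reader.execute("SELECT balance FROM account WHERE id = 'A'").fetchall()[0][0]
    writer.close()
    reader.close()
    return during, after   # (100, 90)


def demo_durability(path):
    """A committed transfer is still there after the connection is discarded."""
    conn = connect(path)
    seed(conn)
    transfer(conn, "A", "B", 30)
    conn.close()                 # stands in for a process restart after a crash
    conn = connect(path)
    result = balances(conn)
    conn.close()
    return result   # {'A': 70, 'B': 80}


def fresh_db_path():
    """Each demo gets its own file so the scenarios do not interfere."""
    return os.path.join(tempfile.mkdtemp(), "ledger.db")


if __name__ == "__main__":
    print("atomicity/consistency:", demo_atomicity_consistency(fresh_db_path()))
    print("isolation:", demo_isolation(fresh_db_path()))
    print("durability:", demo_durability(fresh_db_path()))
```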
81. Verifying production against customer orders ensures orders are processed accurately and the corresponding products are produced

Logging all customer orders in the ERP system -> detects inaccuracies but does not guarantee accurate processing

A hash total ensures accurate order transmission but not accurate processing centrally

82. both systems sending and receiving data must be reviewed because the output for one
system is the input for the other

83. physical control is important and may provide protection from unauthorized people
accessing the system but would not provide protection from unauthorized transactions by
authorized users

84. Initial validation should confirm whether the card is valid -> established through the card number and personal identification number (PIN) entered by the user -> ensures data entered are valid

85. *Efficient data mapping

Key verification: encryption and protection of data

One-for-one checking: transactions are accurate and complete

Manual recalculations: verify processing is correct

Functional acknowledgment: acting as an audit trail for EDI transactions
88.* accuracy of source data is most important for quality of the data in a data warehouse

It is a prerequisite for the quality of the data in a data warehouse. Inaccurate source data
will corrupt the integrity of the data in the data warehouse

89. automated release management software can prevent unauthorized changes by moving
code into production without any manual intervention

90. When dealing with offshore operations, it is essential that detailed specifications be created -> language differences and a lack of interaction between developers and physically remote users could create gaps in communication in which assumptions and modifications may not be adequately communicated

*Postimplementation review is important, but it is too late in the process to ensure successful project delivery

Project management triangle

Changes in one dimension might be compensated by changing either one or both of the remaining dimensions

93. Timebox

-with timeboxing, the deadline is fixed, meaning that the scope would have to be reduced -> organizations have to focus on completing the most important deliverables first; timeboxing often goes hand in hand with a scheme for prioritizing deliverables

-prevents cost overruns and delivery delays

94. waterfall model: breakdown of project activities into linear sequential phases, where
each phase depends on the deliverables of the previous one and corresponds to a
specialization of tasks

* is most appropriately used when requirements are well understood and are expected to
remain stable, as is the business environment in which the system will operate

96.

Project database: contains information about control effectiveness for one specific project and updates

Policy documents: set direction for the design, development, implementation and monitoring of the project

Project portfolio database: basis for project portfolio management; includes project data such as owner, schedules, objectives, project type

Program organization: team required, e.g. steering committee, quality assurance, systems personnel
97.

Buffer overflow: anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations
-poorly written code, especially in web-based applications, is often exploited by hackers
Brute force attack: cracks passwords; not related to coding standards
Distributed denial-of-service (DDoS): malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic
War dialing attack: uses modem-scanning tools to hack private branch exchanges (PBXs) or other telecommunications services
99. timestamp: sequence of characters or encoded information identifying when a certain
event occurred, usually giving date and time of day, sometimes accurate to a small fraction
of a second
Encipher = convert into a coded form

Enciphering the message digest: using sender’s private key, which signs the sender’s digital
signature to the document, helps in authenticating the source and integrity of the
transaction but will not prevent duplicate processing

Cryptographic hashing algorithm = can be run on data such as an individual file or a password
to produce a value called a checksum->verify the authenticity of a piece of data->achieve
data integrity

100. top-down approach: ensure interface errors are detected early and that testing of
major functions is conducted early

Domain 5

1.*

Parameter tampering: certain parameters in the URL or web page form field data entered by a user are changed without that user’s authorization
Cross-site scripting: compromise of a web page to redirect users to content on the attacker’s web site
Cookie poisoning: interception and modification of session cookies to impersonate the user or steal logon credentials
Stealth commanding: hijacking of a web server by the installation of unauthorized code
2.

Reasonableness check: ensures input data is within expected values
Parity bits: weak form of data integrity check used to detect errors in transmission
Hash values: calculated on the file and very sensitive to any changes in the data values in the file
Check digits: detect an error in an account number
-usually related to a transposition or transcribing error
3. primary purpose of audit trails: establish accountability and responsibility for processed
transactions

4.

Intrusion detection system: detects network or host-based errors but is not effective in measuring fraudulent transactions
Data mining: detects trends or patterns of transactions or data; if the historical pattern of charges against a credit card account is changed, then it is a flag that the transaction may have resulted from a fraudulent use of the card
Firewall: protects the network and system but is not effective in detecting fraudulent transactions
Packet filtering router: operates at a network level and cannot see a transaction
5.*hardening a system means to configure it in the most secure manner (install latest
security patches, properly define access authorization for users and administrators, disable
insecure options and uninstall unused services) to prevent nonprivileged users from gaining
the right to execute privileged instructions and take control of the entire machine

6. Firewall: prevent unauthorized access between networks

Routers: filter packets based on parameters, not a security tool

Layer 2 switches: separate traffic without determining whether it is authorized or
unauthorized traffic

Virtual local area network (VLAN): controls traffic between different ports even though they
are in the same physical local area network (LAN), but VLANs do not effectively deal with
authorized vs unauthorized traffic

6. global system for mobile communications (GSM) technology combined with the use of
virtual private network (VPN) are appropriate

Confidentiality is ensured by the use of encryption and the use of VPN signifies an encrypted
session is established

-have multiple overlapping security features which prevent eavesdropping, session hijacking
or unauthorized use of GSM carrier network

-does not allow any devices to connect to the system unless all relevant security features are
active and enabled

-other wireless technology eg. 802.11b wireless local area network (LAN) ->designed to allow
the user to adjust or even disable security settings

**GSM network is being used rather than wireless LAN->not possible to configure settings
for two-factor authentication over wireless link

8.*

9.*2 factor authentication is the most effective in preventing unauthorized access to a
system administration account on a web server

10. separate virtual local area network (VLAN) is the best solution because it ensures both
authorized and unauthorized users are prevented from gaining network access to database
servers, while allowing internet access to authorized users

11. **no practical control to prevent a database admin from accessing all data on the
server

Database audit logs normally would not contain any confidential data->no need to encrypt
the log files
When a database is opened, many of its configuration options are governed by initialization
parameters->these parameters are usually governed by a file which contains many settings
->system initialization parameters address many global database settings, including
authentication, remote access and other critical security areas

->to effectively audit a database implementation, the IS auditor must examine the database
initialization parameters

13.

Mandatory access control: expensive and difficult to implement and maintain in a large complex organization
Role-based access: limits access according to job roles and responsibilities and would be the best method to allow only authorized users to view reports on a need-to-know basis
Discretionary access control (DAC): owner of the resource decides who should have access to that resource
*most access control systems are an implementation of DAC
Single sign-on: access control technology used to manage access to multiple systems, networks, and applications

15. access to a port is not restricted->anyone can connect to the internal network->allow
individuals to connect that were not authorized to be on the corporate network

16. preventive control

->segregation of duties

17. malware: any program or file that is harmful to a computer user

Types of malware include: viruses, worms, trojan horses

*damage by malware is more widespread and severe

19. digital watermarking is used to protect intellectual property rights for document rather
than to protect the confidentiality of email

20.

Broadband network: digital transmission
Baseband network: shared with many other users and requires encryption of traffic but still may allow some traffic analysis by an attacker
Dialup: form of internet access that uses the facilities of the public switched telephone network to establish a connection to an internet service provider by dialing a telephone number on a conventional telephone line
-private connection, but it is too slow to be considered for most commercial applications today
Dedicated lines: communication cable dedicated to a specific application, in contrast with a shared resource
-communication path between two points
-no sharing of lines or intermediate entry points->risk of interception or disruption of messages is lower
21.*

22. **stateful inspection firewall ->screen all packets from wireless network into the
company network, however, the configuration of the firewall would need to be audited and
firewall compromises although unlikely are possible

23. Local area network (LAN): computer network that links devices within a building or group
of adjacent buildings, especially one with a radius of less than 1 km

Network diagram->node list->acceptance test report->users list

25. port 80 must be open for a web application to work and port 443 for secured hypertext
transfer protocol (HTTPS) to operate

Performing a web application security review is a necessary effort that would uncover security
vulnerabilities that could be exploited by hackers

26.

Blind testing (black-box testing): the penetration tester is not given any information and is forced to rely on publicly available information
-simulates a real attack; the target organization is not aware of the test being conducted
Targeted testing (white-box testing): test where the penetration tester is provided with information and the target organization is also aware of the testing activities
-in some cases, the tester is provided with a limited-privilege account to be used as a starting point
Double-blind testing (zero-knowledge testing): test where the penetration tester is not given any information and the target organization is not given any warning; both parties are blind to the test
*best scenario for testing response capability because the target will react as if the attack were real
External testing: test where an external penetration tester launches attacks on the target’s network perimeter from outside the target network (typically from the internet)
27. *segregate (separate) the voice-over internet protocol (VoIP) traffic using virtual local
area networks (VLANs) would best protect the VoIP infrastructure from network-based
attacks, potential eavesdropping and network traffic issues (which would help to ensure
uptime)

-use of packet buffers at VoIP endpoints is a method to maintain call quality, not a security
method

-encryption is used when VoIP calls use the internet (not the local LAN) for transport
because the assumption is that the physical security of the building as well as the Ethernet
switch and VLAN security is adequate

28. *

Denial of service: any type of attack where the attackers attempt to prevent legitimate users from accessing the service
-attacker usually sends excessive messages asking the network or server to authenticate requests that have invalid return addresses
Spoofing: a person or program successfully identifies as another by falsifying data to gain an illegitimate advantage
Port scanning: designed to probe a server or host for open ports
-used by network administrators to verify the security policies of their network and by attackers to identify network services running on a host and exploit vulnerabilities
-gathers information about a target before a more active attack
*might be used to determine the internal address of the payroll server, but would not normally create a log entry that indicated external traffic from an internal server address
Man-in-the-middle attack: active eavesdropping where the attacker intercepts a computerized conversation between two parties and then allows the conversation to continue by relaying the appropriate data to both parties, while simultaneously monitoring the same data passing through the attacker’s conduit
-this type of attack would not register as an attack originating from the payroll server, but instead it might be designed to hijack an authorized connection between a workstation and the payroll server
29.*

Data encryption standard (DES): susceptible to brute force attack and has been broken publicly->does not provide assurance that data encrypted using DES will be protected from unauthorized disclosure
Message digest 5 (MD5): algorithm used to generate a one-way hash of data (fixed length value) to test and verify data integrity
-does not encrypt data but puts data through a mathematical process that cannot be reversed
Advanced encryption standard (AES): provides the strongest encryption of all of the choices listed and would provide the greatest assurance that data are protected
-recovering data encrypted with AES is considered computationally infeasible, so AES is the best choice for encrypting sensitive data
Secure Shell (SSH): used to establish a secure, encrypted, command-line shell session, typically for remote logon
-although SSH encrypts data transmitted during a session, SSH cannot encrypt data at rest, including data on USB drives

Brute force attack: gain access to a site->tries various combinations of usernames and
passwords again and again until it gets in

30. Voice over internet protocol (VoIP) eg. Skype

-does not introduce any unique risk with respect to equipment failure and redundancy can
be used to address network failure (backup when a network fail)

-a distributed denial of service (DDoS) attack would potentially disrupt the organization’s
ability to communicate among its offices and would have the highest impact

Toll fraud: someone compromises the phone system and makes unauthorized long distance
calls

Social engineering attack: it uses psychological manipulation to trick users into making
security mistakes or giving away sensitive information

31. content-filtering proxy server will effectively monitor user access to internet sites and
block access to unauthorized web sites

Reverse proxy server: allow secure remote connection to a corporate site not to control
employee web access

Firewall: block unauthorized inbound and outbound network traffic->some can be used to
block or allow access to certain sites but the term firewall is generic (there are many types of
firewalls, and this is not the best answer)

Client software utilities: can block inappropriate content (however, installing and
maintaining additional software on a large number of PCs is less effective than controlling
the access from a single, centralized proxy server)

32. Common Gateway Interface: offers a standard protocol for web servers to execute
programs that execute like console applications running on a server that generates web
pages dynamically

Such programs are known as CGI scripts

Untested CGIs have security weaknesses that allow unauthorized access to private systems
because CGIs are typically executed on publicly available internet servers

Untested CGIs do not inherently lead to malware exposures

33. most significant risk would be if factory default passwords are not changed on critical
network equipment->allow anyone to change the configurations of network equipment

Whether use of a web proxy is required depends on the enterprise

Encryption for communication links may not be appropriate due to cost and complexity

34. when reviewing third party agreement, most important with regard to privacy: return or
secure destruction of information at the end of the contract

-network and intrusion detection->helpful in securing the data but do not guarantee the privacy of
data stored at a third-party provider

-patch management process: secure servers and may prohibit unauthorized disclosure of
data , but does not affect privacy data

35. most effective control is to ensure granting of temporary access is based on services to be
provided and that there is an expiration date

38.write once and read many (WORM) drives

39.*verification of user authorization at the field level is a database- and/or an application-
level access control function and not applicable to an operating system

Review of data communication access activity logs is a network control feature

Periodic review of changing data files is related to a change control process

40. *voice-over internet protocol (VoIP) telephone systems use standard network cabling
and typically each telephone gets power over the network cable from the wiring closet
where the network switch is installed->if local area network switches do not have backup
power, the phones will lose power if there is a utility interruption and potentially not be able
to make emergency calls (lack of power protection)

Advantage of VoIP telephone system : use the same cable types and even network switches
as standard PC network connections

41*. when evaluating technical aspects of logical security, unencrypted passwords represent
the greatest risk because it would be assumed that remote access would be over an
untrusted network where passwords could be discovered

Passwords should not be shared, but this is less important than ensuring the password files
are encrypted
There may be business requirements, such as the use of contractors, that require them to
have system access

42. encrypting all outgoing email is expensive and is not common business practice

Sensitive data can be exposed to unauthorized individuals outside the organization->exposed
to other employees

43.information asset owner: responsible for ensuring that specific information assets are
handled and managed appropriately->making sure information assets are properly
protected and their value is fully exploited

->responsible for defining the criticality(and sensitivity) level of information assets

Data custodians: implementation of information security within an application,
implementation of access rules

Security administrator: provision of physical and logical security for data

44. race condition: undesirable situation that occurs when a device or system attempts to
perform two or more operations at the same time, but because of the nature of the device
or system, the operations must be done in the proper sequence to be done correctly

Privilege escalation: act of exploiting a bug, design flaw or configuration oversight in an
operating system or software application to gain elevated access to resources that are
normally protected from an application or user

Buffer overflow: takes advantage of a defect in the way an application or system uses memory
->by overloading the memory storage mechanism, the system will perform in unexpected ways

Impersonation attacks: error in the identification of a privileged user (pretend to be
someone else)

45. Chain of custody: documentation of how digital evidence is acquired, processed, handled,
stored and protected and who handled the evidence and why

->organization should have policy in place that directs employees to follow certain
procedures when collecting evidence that may be used in a court of law

46.Discretionary access control (DAC) : allows data owners to modify access, which is a
normal procedure in a low-risk application

47. Electromagnetic emissions:

Normal terminals are designed to limit these emissions

They will not disrupt CPUs

Most emissions are low level and do not pose a significant health risk

They can be detected by sophisticated equipment and displayed, thus giving unauthorized
persons access to data

48.log provide evidence and track suspicious transactions and activities->read only to
security log files

50.*data classification
-define access rules based on a need-to-do and need-to-know basis

Data owner: responsible for defining the access rules

->establishing ownership is the first step in data classification

51. biometrics system operation->using physical parts eg. Fingerprint

->enrollment

52. back door: Allow surreptitious unauthorized access to data

Sniffer: computer tool to monitor the traffic in networks

53.audit trail is not effective if the details in it can be amended

54.segregation of duties: one individual should only capture and send their own message
and not verify their own message

55. first step in implementing access controls is: inventory of IS resources->basis for
establishing ownership and classification

56. Defense in depth (DiD): approach to cybersecurity in which a series of defensive
mechanisms are layered in order to protect valuable data and information->if one
mechanism fails, another steps up immediately to thwart an attack

**using two different products ->so that same attack would not destroy two products

57.data owner: establish the access rights

IS administrator: implement or update user authorization tables at the direction of the
owner

59. piggybacking: a person tags along with another person who is authorized to gain entry
into a restricted area or pass a certain checkpoint

Dumpster diving: salvaging from large commercial containers unused items discarded by
their owners

Shoulder surfing: obtain information by looking over the victim’s shoulder

60. automated password management tool: preventive measure->prevents repetition and
would enforce syntactic rules->ensures frequent changes and prevents the same user from
reusing a password for a designated period of time

61. digital rights management: access control technologies for restricting the use of
proprietary hardware and copyrighted work

61. parsing: process of analyzing a string of symbols, either in natural language, computer
languages or data structures

Steganography: practice of hiding a file or message within another file or message

An important steganographic technique is digital watermarking: encoding rights
information in a picture or music file without altering the picture or music’s perceivable
aesthetic qualities

63. data diddling: type of cybercrime in which data is altered as it is entered into a computer
system, most often by a data entry clerk or a computer virus->requires limited technical
knowledge and occurs before computer security can protect the data

this is an inherent risk with no distinct identifiable preventive control

64. hashing works one way->not reversible

But encryption works two ways

Hashing: one way, non-reversible
-output: fixed length, smaller than the original message
-verifies integrity but not security
Encryption: reversible
-output: same length as the original message
-uses different keys or a reverse process at the sending and receiving ends to encrypt and decrypt
65.* symmetric vs asymmetric encryption

SYM: uses a single key that needs to be shared among the people who need to receive the
message

ASY: uses a pair of a public key and a private key to encrypt and decrypt messages when
communicating; takes relatively more time

Asymmetric algorithms with long keys take more time

A hash is shorter than the original message->smaller overhead is required if the hash is
encrypted rather than the message

A secret key used as a symmetric encryption key is generally small and used for the purpose
of encrypting user data

66.** black box penetration testing assumes no prior knowledge of the infrastructure to be
tested->the tester simulates an attack from someone who is unfamiliar with the system
->important to have management knowledge of the proceedings so that if the test is
identified by the monitoring systems, the legality of the actions can be determined quickly

67. theft or loss is the greatest risk for USB

->there will be good general control such as scanning of USB for malware once they are
inserted in a computer

68. honeypot: computer security mechanism set to detect, deflect and counteract attempts
at unauthorized use of information system (attract someone to attack just like putting some
honey and bee will come)

->learn from intruder’s actions

Trapdoor: hidden method to bypass security to gain access to a security system

Traffic analysis: passive attack based on capturing network traffic


69. Certificate authority: entity that distribute digital certificates

A digital certificate certifies the ownership of a public key by the named subject of the
certificate

Responsibility: revocation and suspension of subscriber certificates; generation and
distribution of the CA public key; issuance and distribution of subscriber certificates

70.ping of death: sending a malformed or otherwise malicious ping with a packet size>65kb
to a computer

->result in denial-of-service(DoS) attack

Leapfrog attack: attacker tries to steal one’s ID or password for another separate attack

Negative acknowledgment (NAK): penetration technique that capitalizes on a potential
weakness in an operating system that does not handle asynchronous interrupts properly,
leaving the system in an unprotected state during such interrupts

71. Elliptic curve encryption (ECC) vs RSA encryption

ECC: higher computation speed (use of smaller keys); supports digital signatures; used for public key encryption and distribution; offers message integrity controls
RSA: supports digital signatures; used for public key encryption and distribution; offers message integrity controls
72.*

Secure sockets layer (SSL): sets up a secure channel for communications providing confidentiality through a combination of public and symmetric key encryption and integrity through hash message authentication code (HMAC)
Intrusion detection system (IDS): logs network activity but is not used for protecting traffic over the internet
Public key infrastructure: used in conjunction with SSL or for securing communications such as e-commerce and email
Virtual private network (VPN): provides confidentiality, integrity and authentication (reliability)
-operates at different levels of the Open Systems Interconnection (OSI) stack and may not always be used in conjunction with encryption

73.teaching developers to write secure code is the best way to secure a web application

*encryption is not sufficient because other flaws in coding could compromise the application
and data

74. enterprisewide antivirus software is an important means to control the spread of viruses in an
interconnected corporate network->provides a layered defense model that is more likely to
detect malware

75. home computer is of highest concern

77. masquerade: false show-alter data by modifying the origin->active attack

Email spoofing: alters the email header->active

78. evidence is the most important->preservation of evidence->if data and evidence are not
collected properly, valuable information could be lost and would not be admissible

79. Three main accuracy measures are used for a biometric solution:

-False-rejection rate (FRR): how often valid individuals are rejected

-Cross-error rate (CER): when the false rejection rate equals the false acceptance rate

-False acceptance rate (FAR): how often invalid individuals are accepted

80.security level of private key system depends on encryption key bits(key length)->larger
number of bits, more difficult it would be to brute force the key

81. degaussing=erasing the data completely from the tapes

82.

Environmental review: examines physical security, eg. power and physical access
Network security review: reviews router access control lists, port scanning, internal and external connections to the system
Business continuity: ensures the BCP is up to date and adequate to protect the org; does not require a review of the router access control lists
Data integrity review: validates data accuracy and protects from improper alterations; does not require review of the router access control lists
83. Components in an intrusion detection system (IDS)

Analyzer: receives input from sensors and determines the presence of and type of intrusive activity
Administration console: management interface component of an IDS
User interface: allows administrators to interact with the IDS
Sensors: responsible for collecting data
-attached to a network, server or other location and may gather data from many points for later analysis

84**
86. CA: maintains a directory of digital certificate for the reference of those receiving them

->manages the certificate life cycle, including certificate directory maintenance and
certificate revocation list (CRL) maintenance and publication

87.* Tunnel mode with Internet Protocol (IP) security provides encryption and
authentication of the complete IP packet->to accomplish this, the authentication header
(AH) and encapsulating security payload (ESP) services can be nested

88. signer uses the private key; receiver uses the public key

89.data integrity: changes in plaintext message that would result in the recipient failing to
compute the same message hash

Authentication: ensure message has been sent by the claimed sender

Nonrepudiation: ensure claimed sender cannot later deny generating and sending the
message

Replay protection: a recipient can use to check that the message was not intercepted and
re-sent

90.hydrogen detector->compensating control for ventilation system failure

91. self-signed digital certificate are not signed by certificate authority

93. preventive measure is better than detective

94. authorization and authentication of the user prior to granting access to system resources
is a preventive measure

95.

Scanners: look for sequences of bits called signatures that are typical of virus programs
-examine memory and disk boot sectors for bit patterns that match a known virus->need to be updated periodically to remain effective
Active monitors: can be misleading because they cannot distinguish between a user request and a program or virus request->users are asked to confirm actions
Integrity checkers (most effective): compute a binary number on a virus-free program, which is then stored in a database file->compare to the number in the database->a match means no infection
Vaccines: need to be updated periodically to remain effective
97.

Encapsulation: used to encrypt the traffic payload so that it can be securely transmitted over an insecure network
Wrapping: the original packet is wrapped in another packet; not directly related to security
Transforming: transforms or changes the state of the communication; would not be used for security
Hashing: used in a VPN to ensure message integrity
98.message authentication: prove message integrity and source but not confidentiality

99.sniffing: tap into the phone call and listen to the conversation

Password sniffing attack: gain access to systems on which proprietary information is stored

100.

Proxy server: type of firewall installation used as an intermediary to filter and control traffic between internal and external parties
Firewall installations: primary line of defense; need to have encryption and a VPN to secure remote access traffic
Demilitarized zone: isolated network used to permit outsiders to access certain corporate information in a semi-trusted environment
-traffic to a DMZ is not usually encrypted unless it is terminating on a VPN
Encrypted VPN: allows remote users a secure connection to the main systems

103. programmers who have access to the production database are considered a
segregation of duties conflict and should be concern

104. application level gateway: protects against hacking->can be configured with detailed
rules that describe the type of user or connection that is or is not permitted

For remote access server, there is a device ask for username and password->but can be
mapped from internet, creating security exposure

Proxy server: not as effective as application gateway

Port scanning: detect vulnerabilities or open ports

107.dedicated line: quite expensive and only needed when there are specific confidentiality
and availability needs

Leased line: expensive but private option

Integrated services digital network (ISDN) is not encrypted and would need additional
security

108. insecure connecting points make unauthorized access possible if the individual has
knowledge of a valid user ID and password

System passwords provide protection against unauthorized use of terminals located in
insecure locations

109. VPN: hides information from sniffers on the internet using tunneling->works based on
encapsulation and encryption of sensitive traffic

111. *

115. improper router configuration and rules could lead to an exposure to denial-of-
service(DoS) attack

116. message confidentiality->symmetric encryption

Message authentication code (MAC)->data integrity

Hash function->message integrity

Digital signature certificate->used by SSL for server authentication

117. primary goal of web certificate: authenticating the site to be surfed

118.points of entry

119. most common problem in the operation of an intrusion detection system (IDS) is
detection of false positives->recognition of events that are not really security incidents

120.deprovision=remove the access

Risk: developers would have the ability to create or deprovision servers

121.nonrepudiation can provide strongest evidence that a specific action has occurred

124. primary activity of CA: issue certificate

Role of CA: check the identity of entity owning a certificate and to confirm the integrity of
any certificate it issued

126. if the IDS detects traffic for the internal network that did not originate from the mail gateway -> create
an entry in the log
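The rule in item 126 as an added Python example (not from the original notes), written as a simple signature-style check of the kind item 136 describes: it scans constructed connection-log lines for SMTP traffic into the internal network whose source is not the mail gateway and returns a log entry for each. The gateway address, internal range and log line format are assumptions.

```python
import ipaddress

# Assumed addresses (constructed for this example, not from the notes).
MAIL_GATEWAY = ipaddress.ip_address("203.0.113.25")   # the only host that should deliver mail inbound
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # internal address space
SMTP_PORTS = {25, 587}

# Constructed connection-log lines: timestamp, source IP, destination IP, destination port.
SAMPLE_LOG = """\
2024-05-01T09:00:01 203.0.113.25 10.1.1.10 25
2024-05-01T09:00:05 198.51.100.7 10.1.1.10 25
2024-05-01T09:00:09 10.2.2.2 10.1.1.10 25
2024-05-01T09:00:12 198.51.100.7 10.1.1.20 443
"""

def parse_line(line: str):
    ts, src, dst, port = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def non_gateway_smtp(log_text: str) -> list:
    """Return one log entry per SMTP connection into the internal network whose
    source is not the mail gateway. The IDS only records the event; blocking is
    left to the firewall or an IPS, in line with the answer in item 126."""
    entries = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if dst in INTERNAL_NET and port in SMTP_PORTS and src != MAIL_GATEWAY:
            entries.append(f"{ts} SMTP to internal host {dst} from non-gateway source {src}")
    return entries
```

The first line (gateway to internal) and the last line (port 443, not SMTP) are not flagged; the external host and the internal host that bypass the gateway each produce an entry.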

127.*

130. it is important for the information owner to understand organizational policies and
standards including the data classification schema so they can be properly classified

133.

Key distribution center (KDC)
- part of a Kerberos implementation suitable for internal communication for a large group within an institution; it distributes symmetric keys for each session

Certificate authority (CA)
- trusted third party that ensures the authenticity of the owner of the certificate
- necessary for large groups and formal communication

Web of trust
- key distribution method suitable for communication in a small group
- used by tools such as Pretty Good Privacy (PGP) and distributes the public keys of users within a group

Kerberos authentication system
- extends the function of a key distribution center by generating "tickets" to define the facilities on networked machines which are accessible to each user

134. Most important action in recovering from a cyberattack: activating an incident response
team

135. war driving: locating and gaining access to wireless networks by driving or walking
around a building with a wireless-equipped computer

136.

Statistical-based intrusion detection system (IDS)
- relies on a definition of known and expected behavior of systems
- normal network activity includes unexpected behavior (e.g. a sudden massive download by multiple users) -> these activities will be flagged as suspicious

Signature-based IDS
- limited to its predefined set of detection rules, just like a virus scanner
- low level of false positives, but may be weak at detecting new attacks

Neural network
- combines statistical and signature-based IDS to create a hybrid and better system

Host-based IDS
- would not be used to monitor network activity

137. voltage regulator: hardware is protected against power surges->power fluctuations

138.sprinklers must be dry-pipe to prevent the risk of leakage

139.power line conditioners: compensate for peaks and valleys in the power supply and
reduce peaks in the power flow to what is needed by the machine-> protect computer
equipment against short-term reductions in electrical power

Surge protective devices: protect against high-voltage bursts

Alternative power supplies: intended for power failures that last for longer periods and are
normally coupled with other devices such as an uninterruptible power supply to compensate
for the power loss

Interruptible power supply: causes the equipment to come down whenever there is a
power failure

140. both CO2 and halon reduce the oxygen ratio in the atmosphere, which can induce serious
personal hazard

141. piggybacking is more serious than duplicating access card

142. false-acceptance rate is more important than false-rejection rate

143.application tester should be restricted to nonproduction environment

144.Registration authority: verify information supplied by subject requesting certificate


148. provides the most relevant info for proactively strengthening security settings

Bastion host
- hardened system used to host services
- does not provide information about an attack

Intrusion detection system (IDS)
- detect and address an attack in progress and stop it asap

Honeypot
- lures the hacker and provides clues as to the hacker's methods and strategies and the resources required to address such attacks
- allows the attack to continue, so as to obtain information about the hacker's strategy and methods

Intrusion prevention system (IPS)
- detect and address an attack in progress and stop it asap

149. postevent reviews by incident response team has greatest potential to find gaps and
shortcomings in the actual incident response processes

151.

Logic bomb
- destroys or modifies data at a specific event or time in the future

Spyware
- picks up info from PC drives by making copies of their contents

Trojan horses
- coordinate distributed denial of service attacks that overload a site so that it may no longer be able to process legitimate requests

153. Encapsulating Security Payload (ESP) protocol is advantageous over Authentication
Header (AH) protocol because it provides confidentiality via encryption

155. greatest concern associated with the use of peer-to-peer computing : data leakage
->sensitive data can be shared with others

156. reliability and quality of service (QoS) are primary considerations to be addressed
-> voice communications require a consistent level of service, which may be provided through
QoS and class of service (CoS) controls

*authentication, privacy of voice transmission and confidentiality of data transmission have
been implemented by VPN

157.

Heuristic (rule-based)
- you have to define the rules

Signature-based
- useless against variable-length messages because the calculated message-digest algorithm 5 (MD5) hash changes all the time

Pattern matching
- degraded rule-based technique where rules operate at the word level using wildcards and not at higher levels

Bayesian (statistical)
- performs frequency analysis on each word within the message and then evaluates the message as a whole -> ignores a suspicious keyword if the entire message is within normal bounds
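The Bayesian row as an added Python example (not from these notes): a naive Bayes word-frequency scorer trained on a constructed handful of spam and legitimate messages. A message containing the suspicious word "free" still passes because the rest of the message is within normal bounds, while a message made of spam words as a whole is rejected. Corpus, tokenizer, smoothing and threshold are assumptions.

```python
import math
import re
from collections import Counter

# Constructed training corpus; a real filter learns from thousands of messages.
SPAM = [
    "free prize winner click now claim your free prize",
    "cheap pills buy now free shipping click here",
    "you are a winner claim free money now",
]
HAM = [
    "meeting moved to 3pm please bring the quarterly report",
    "can you review the audit findings before the board call",
    "lunch tomorrow? the report is attached for your review",
]

def tokens(text: str) -> list:
    return re.findall(r"[a-z0-9]+", text.lower())

def train(spam: list, ham: list):
    """Per-word frequency counts for each class plus the combined vocabulary."""
    spam_counts = Counter(w for m in spam for w in tokens(m))
    ham_counts = Counter(w for m in ham for w in tokens(m))
    vocab = set(spam_counts) | set(ham_counts)
    return spam_counts, ham_counts, vocab

def word_log_ratio(word: str, spam_counts, ham_counts, vocab) -> float:
    """log P(word|spam) / P(word|ham), with add-one smoothing so an unseen word
    is close to neutral instead of forcing a decision on its own."""
    p_spam = (spam_counts[word] + 1) / (sum(spam_counts.values()) + len(vocab))
    p_ham = (ham_counts[word] + 1) / (sum(ham_counts.values()) + len(vocab))
    return math.log(p_spam / p_ham)

def spam_score(message: str, model) -> float:
    """Sum of per-word log ratios: the message is judged as a whole, so one
    suspicious keyword is outweighed by many ordinary words."""
    spam_counts, ham_counts, vocab = model
    return sum(word_log_ratio(w, spam_counts, ham_counts, vocab) for w in tokens(message))

def is_spam(message: str, model, threshold: float = 0.0) -> bool:
    return spam_score(message, model) > threshold
```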

158.

Certificate revocation list (CRL)
- list of certificates that have been revoked before their scheduled expiration date

Certification practice statement (CPS)
- how-to document used in policy-based public key infrastructure (PKI)
*provides detailed descriptions for dealing with a compromised private key

Certificate policy
- sets the requirements that are subsequently implemented by the CPS

PKI disclosure statement
- covers critical items, e.g. warranties, limitations and obligations that legally bind each party

159.use of residual biometric information to gain unauthorized access->replay attack

164. the use of a cryptographic hash function may be helpful to validate the integrity of data
files; in this case, it would not be useful for a production support team connecting remotely

As ABC and XYZ are communicating over the internet, which is an untrusted network,
establishing an encrypted virtual private network tunnel would best ensure that the
transmission of information was secure

165.
