PAPER : 6
Information Systems
Control and Audit
BOARD OF STUDIES
THE INSTITUTE OF CHARTERED ACCOUNTANTS OF INDIA
All rights reserved. No part of this book may be reproduced, stored in a retrieval
system, or transmitted, in any form, or by any means, electronic, mechanical,
photocopying, recording, or otherwise, without prior permission, in writing, from
the publisher.
Edition : January, 2021
Website : www.icai.org
E-mail : bosnoida@icai.org
ISBN No. :
Printed by :
This booklet of case scenarios on Information Systems Control and Audit is a
collection of the various techniques and technologies used in the development,
implementation and protection of information systems processes, with an
insight into emerging technologies and the IT Act, 2000. These case scenarios
and Multiple Choice Questions reflect the changes in business brought about by
the plethora of laws, borderless economies consequent to the giant leap in
e-commerce, business continuity planning and disaster recovery planning, and
the auditing of information systems.
Information Systems Control and Audit, as a subject at the Final (old) level, helps
you inculcate the IT skill-sets necessary for achieving the desired professional
competence. The issues under information technology in the prevailing scenario
can be better understood through related case scenarios. Through the release of
this booklet, the Board of Studies wishes to create awareness amongst students
about the various significant strategies and techniques relating to information
technology. As part of its continuous endeavour towards enrichment of knowledge,
the Board of Studies has decided to bring out a booklet of Case Scenarios and
Multiple Choice Questions under Paper 6: Information Systems Control and Audit of
the Final (old) Course. Being part of the examination, this initiative will lead to
an understanding of the above at the interpretational, application and analysis
levels of information technology techniques. This publication contains a
summarised version of the fundamental concepts of information systems: their
acquisition, development, implementation, protection and auditing.
This booklet is relevant for the May 2021 Examination and onwards.
* Students are requested to take note of the change in option (c) of Question No. 92 on page 27 of
the Booklet.
(c) Availability
(d) Reliability
47. XYZ Bank has implemented a strict password policy whereby every user has a
login password of at least 8 alphanumeric characters, and that password must be
reset every 30 days to retain access to the Core Banking Solution (CBS). As per
the classification of IS Controls, which type of control is this?
(a) Preventative Control
(b) Detective Control
(c) Corrective Control
(d) Compensatory Control
48. ABC Ltd. carries out fire drills every 6 months, whereby a fire-like situation
is simulated and the preparedness of the organisation and its personnel for
facing a disaster is verified. This is the ____ under Business Continuity
Management.
(a) Emergency Plan
(b) Test Plan
(c) Back-up Plan
(d) Recovery Plan
49. PQR Ltd. is a software development company. One of its employees, Mr. Rajesh,
has the responsibility of interacting with users of the computer system and
understanding their requirements from the system. Which role does Mr. Rajesh
perform in the company?
(a) Project Manager
(b) Project Leader
(c) Business Analyst
(d) Programmer
50. ABC Company has implemented an ERP. The Sales Team requested access to the
Accounts/Finance Module, which was denied by the IT Team. Which Application
Security control was tested here?
(a) Confidentiality
(b) Integrity
(c) Availability
(d) Timeliness
51. PQR Ltd. is a BPO managing the health records of a renowned hospital in
Mumbai. It was observed that one of its employees, Mr. X, was sharing the
confidential health records of patients with an insurance company. Who will be
held responsible under the IT Act for this offence?
(a) Only Mr. X who was sharing records
(b) Mr. X and Directors
(c) Mr. X, Directors and Shareholders
(d) Only Directors
52. ABC Ltd. is engaged in providing data processing services. It has received a
big contract from an insurance company for policy processing. ABC Ltd. has
limited PCs at its office, so it approached Amazon Web Services for access to
virtual machines for data processing. Which Cloud Computing service model is
ABC Ltd. using?
(a) Software as a Service (SaaS)
(b) Platform as a Service (PaaS)
(c) Infrastructure as a Service (IaaS)
(d) Network as a Service (NaaS)
53. Which of the following statements is incorrect?
(a) The IT Steering Committee is ideally led by a member of the Board of
Directors and comprises functional heads from all key departments of the
enterprise, including the audit and IT departments.
(b) The role and responsibility of the IT Steering Committee and its
members must be documented and approved by senior
management.
(b) The Mirror backup is clean and does not contain old and
obsolete files.
(c) With differential backups, one full backup is done first and
subsequent backup runs are the changes made since the last
full backup.
(d) Incremental Backup consumes the most storage space as
compared to full and differential backups.
57. Which of the following activities is not involved in database design during
the System Design phase of the System Development Life Cycle (SDLC)?
(a) Storage Structure Design
(b) Cost Analysis
(c) Physical Layout Design
(d) Conceptual Modeling
58. The audit trail of _______________ maintains the chronology of
events from the time data is received from the input or communication
subsystem to the time data is dispatched to the database,
communication, or output subsystems.
(a) Database Controls
(b) Output Controls
(c) Processing Controls
(d) Communication Controls
59. In the Information Technology Act, 2000, __________ is defined as a person in
whose name the Electronic Signature Certificate is issued.
(a) Controller
(b) Intermediary
(c) Originator
(d) Subscriber
99. ABC Ltd. and XYZ Ltd. signed a reciprocal agreement to provide backup
facilities to each other in the event of one suffering a disaster. Soon, both
parties realised that a reciprocal agreement is not a suitable alternative for
offsite backup for the following reason:
(a) Very expensive.
(b) Slow response to requests to recover operations.
(c) Network Incompatibilities.
(d) Difficulties in maintaining sufficient capacity to operate
another’s critical system.
100. Softtech is a software development company with clients in many fields such
as pharmaceuticals, educational institutes and the health industry. The company
follows an approach of developing software by releasing multiple versions,
wherein each new version has something more added to it than the previous
version. Identify the system development approach adopted by Softtech.
(a) The Waterfall Model
(b) The Prototyping Model
(c) The Spiral Model
(d) The Incremental Model
Answer Key
Question No.    Answer
1. (d) A statement that the registered private
accounting firm that audited the financial
statements included in the monthly report has
issued an attestation report on management’s
assessment of the company’s internal control
over financial reporting.
2. (c) Explicit knowledge is personal, experimental
and context - specific.
3. (a) Identification, Authentication, Authorization
4. (a) With Incremental backups, one full backup is
done first and subsequent backup runs are the
changes made since the last full backup only.
auditor reached.
73. (b) Addressee means a person including
intermediary who is intended by the originator to
receive the electronic record.
74. (a) As the complete cloud is being shared by several
organizations or community, it becomes highly
expensive.
75. (d) The GRC framework which has been a regulatory
requirement not only for listed enterprises but
also for all types of enterprises stands for
Governance, Risk and Control.
76. (b) MIS cannot be implemented without using a
computer.
77. (a) The surprise check of raw materials stock by a
supervisor in a manufacturing company is an
example of Corrective Control.
78. (c) Likelihood, Consequences
79. (d) Alpha Testing
80. (d) Scoping, Planning, Fieldwork, Analysis,
Reporting, Close
81. (b) Office Automation System
82. (c) Understanding of system development
methodologies.
83. (b) The levels of management are fixed to three
irrespective of its size and structure.
84. (b) (iv)-(i)-(v)-(ii)-(vi)-(iii)
85. (c) Evaluate and Direct Risk Management
86. (c) Behavioral Feasibility
87. (d) Electronic Document Management System
88. (b) The DSS is intended to make decisions for
managers in solving semi-structured and
unstructured problems in their own.
89. (d) To select the programming techniques and
languages to be used for system development.
90. (b) One of the audit techniques named Integrated
Test Facility (ITF) is used to trap exceptions
whenever the application system uses a DBMS.
CASE SCENARIOS
The Company has been advised to adopt ISO 27001 for achieving the same. Top
management feels that the time is appropriate to convert its existing
information system into a new one that integrates all its current activities.
One of the main objectives of this exercise is to maintain continuity of
business plans while continuing the progress towards e-governance.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 3.1 to 3.7.
3.1 To retain e-documents of the company for a specified period, certain
conditions are laid down in Section 7, Chapter III of the Information
Technology Act, 2000, as follows:
(i) Accessible so as to be usable for a subsequent reference.
(ii) Manner and format in which such electronic record shall be generated,
sent or received.
(iii) Details which facilitate the identification of the origin, destination,
date and time of dispatch or receipt of such electronic record are
available in the electronic record.
(iv) The specifications of the Government on the scale of service charges to
be collected by the Government itself for retaining e-records.
Which of the following combinations is required to be satisfied under
Section 7 of the IT Act, 2000?
(A) (i), (ii), (iv)
(B) (ii), (iii), (iv)
(C) (i), (iii), (iv)
(D) (i), (ii), (iii)
3.2 ABC International Global Company has been advised to adopt ISO 27001 for
achieving its objectives for the following reasons.
(i) Once the Company is certified, it is accepted globally.
4. M/s XTC Ltd. is an FMCG company dealing in home care, human care, health care
and stomach care products. The company has been seeing a drop in sales over the
past few years. It has traditional distribution channels which include wholesale
dealers, retailers and agents, and has been using a legacy integrated system
since 2004. To get a better understanding of the reasons for the decline in
sales, XTC decides to appoint a consultant, Ms. Venus Andromida (Ms. VA), a
business consultant.
Ms. VA has more than a decade of experience, is an MBA from IIMA and is a
qualified CISA and CISM expert. Ms. VA has been given six months to submit her
report. Ms. VA submits her report in two parts: part one deals with the
identification of the key reasons for the business decline, and part two with
solutions to the identified problems.
Answer Key
Question No.    Answer
4.1 (C) Risk Sharing
4.2 (C) Automated, Open
4.3 (C) Quality Assurance Person
4.4 (A) System Development Life Cycle
4.5 (A) Security Risk
that daily data transfer was made in a secure mode that ensures message
integrity and confidentiality.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 5.1 to 5.6.
5.1 Worms, like Trojans and viruses, are malicious programs. Each of these has
features making it distinct from the others. Tick the feature NOT associated
with a WORM.
(A) Self propagating. They do not need a host program.
(B) Worm can copy itself and send itself to another machine
on its own.
(C) They are not stand alone.
(D) They are of two types, Existential Worm and Alarm Clock
Worm.
5.2 Customers of ABC Limited wish to bring a lawsuit against the company for
wrongful loss of their data. Identify the section of the Information Technology
Act, 2000 under which such damages can be claimed.
(A) Section 72A
(B) Section 43A
(C) Section 66A
(D) Section 7A
5.3 ABC Limited is a large data processing company. As per the definitions of
the various information systems, the nature of the services provided by ABC
Limited would make it a ______.
(A) Transaction Processing Systems Company
(B) Management Information Systems Company
(C) Decision Support Systems Company
(D) An Enterprise Resource Planning Software Company
5.4 ABC Ltd. has many banks as its customers. A table is given of the daily
transactions done by a few of its banking customers preceding the day when the
company was hit by
(A) B Ltd.
(B) A Ltd.
(C) N Ltd.
(D) K Ltd.
5.5 The change in back up strategy of ABC Limited shall be best
identified as ___________.
(A) Incremental Backup to Differential Backup
(B) Differential Backup to Full Backup
(C) Incremental Backup to Full Backup
(D) Incremental Backup to Differential Backup
5.6 ABC Limited is now going to share its clients' (banks and financial
institutions) data with a third party, SASL. Does ABC Limited need to inform its
customers about this? Identify the most appropriate statement.
(A) No need to inform, as the customers are old.
(B) Need to inform.
(C) Need to inform and update in the Service Level
Agreement and get positive concurrence from
customers.
(D) Need to inform and update in the Service Level
Agreement.
Answer Key
Question No.    Answer
5.1 (C) They are not stand alone.
5.2 (B) Section 43A
5.3 (A) Transaction Processing Systems Company
5.4 (D) K Ltd.
5.5 (C) Incremental Backup to Full Backup
5.6 (C) Need to inform and update in the Service Level
Agreement and get positive concurrence from
customers.
(ii) Implement
(iii) Maintenance and Review
(iv) Requirements Analysis
(v) Design
Arrange them in correct order.
(A) (i), (ii), (iii), (iv), (v)
(B) (ii), (iii), (i), (iv), (v)
(C) (iii), (iv), (i), (ii), (v)
(D) (i), (iv), (v), (ii), (iii)
8.5 In the given case scenario, under which of the following Sections of the
Information Technology Act, 2000 shall the IT Manager be punishable if he
initiated the attack on the university's system?
(A) Section 66
(B) Section 67C
(C) Section 68
(D) Shall not be punishable under IT Act, 2000
8.6 In the given case scenario, what is the name of the damaging act that uses a
computer program to trigger an unauthorised malicious activity when some
predefined condition occurs?
(A) Computer viruses
(B) Worm
(C) Nak attack
(D) Logic Bombs
8.7 If the IT manager plans a Denial of Service attack, what do you understand
to be the purpose of a Denial of Service attack?
(A) Exploit a weakness in the TCP/IP stack
(B) To execute a Trojan on a system
(C) To overload a system so that it is no longer operational
(D) To shutdown services by turning them off
Answer Key
Question No.    Answer
8.1 (C) Availability
8.2 (C) Behavioral feasibility
8.3 (C) Constitution members of Vendor
8.4 (D) (i), (iv), (v), (ii), (iii)
8.5 (A) Section 66
8.6 (D) Logic Bombs
8.7 (C) To overload a system so that it is no longer
operational
9. Bharat Mera Mahan Bank is a private sector bank with branches located all over
the state of Gujarat. One of its branches is situated near Vadodara Railway
Station, and just outside the branch there is an ATM installed by the Bank for
24x7 operations. The facts related to the ATM room are as follows:
♦ The ATM room has a glass partition, so that the inside is visible from
outside.
♦ The ATM room has a split AC just above the machine for maximum cooling.
♦ There is no register inside the room.
♦ The ATM is of the front-loading type, from where the cash is loaded into
the machine.
♦ Two people are responsible for cash loading: a cashier and the main
cashier. If the main cashier is absent, an officer helps the cashier load
the cash. Physical cash is tallied once a week.
♦ Many a time the machine is down due to non-availability of cash or
connectivity problems, but no log is available.
♦ There is a smoke detector installed in the ATM room but no fire
extinguisher. Security guards are available only from 8 AM to 8 PM, and
there is CCTV surveillance.
(B) Section 46
(C) Section 66D
(D) Section 75
10.4 Suppose you are appointed as the IS auditor of SMS Limited for auditing its
Information System. You are determining what controls are exercised to
maintain data integrity. You might also interview database users to
determine their level of awareness of these controls. Which of the following
controls are you working on?
(A) Data Resource Management Control
(B) Security Management Control
(C) Operation Management Control
(D) Quality Assurance Control
10.5 SMS Limited is also planning to take various types of insurance coverage
to safeguard its assets and to avoid unexpected future liabilities due to an
unanticipated event or disaster. Under which specific risk mitigation strategy
does this insurance coverage fall?
(A) Terminate/Eliminate the Risk
(B) Treat/Mitigate the Risk
(C) Tolerate/Accept the Risk
(D) Transfer/Share the Risk
10.6 Due to virus and phishing attacks on the Information System of SMS Limited,
and in order to protect its critical data from virus attacks, it is decided
that in future employees' access to social networking sites will be limited.
What type of risk response has SMS Limited exercised?
(A) Terminate/Eliminate the Risk
(B) Treat/Mitigate the Risk
(C) Tolerate/Accept the Risk
(D) Transfer/Share the Risk
10.7 Identify which of the following systems is very useful for the management
of SMS Limited to remotely access documents and internal communication.
(A) Electronic Message Communication System
(B) Text Processing System
(C) Teleconferencing and Videoconferencing System
(D) Electronic Document Management System
10.8 Suppose you are an IT consultant of SMS Limited and you advise the Board of
Directors of the Company to use a Hot Site as a data backup alternative.
Identify which of the following is your best explanation to the Board of
Directors.
(A) The costs related to a hot site are low.
(B) The hot site can be used for a long period of time.
(C) The hot site does not require the equipment and systems software to be
compatible with the primary installation being backed up.
(D) The hot site can be made ready for operation within a short span of
time.
Answer Key
Question No.    Answer
10.1 (C) Restoring from last full backup and then the
differential backup
10.2 (D) Integrity of Data
10.3 (A) Section 43A
10.4 (A) Data Resource Management Control
10.5 (D) Transfer/Share the Risk
10.6 (B) Treat/Mitigate the Risk
10.7 (D) Electronic Document Management System
10.8 (D) That hot site can be made ready for operation within
a short span of time.
Segregation of duties is built into the software in such a way that operators
have permission only to enter data; any editing or modification can be done
only by the manager. Customer data collected by the retail stores across India
for loyalty programmes is consolidated into one database and is accessible
from the centralised IT server anytime, anywhere. The Company also maintains a
separate, fully equipped facility to which it can move immediately after a
disaster and resume business. About 350 employees housed in the Company's Data
Centre are involved in handling the Company's business processes, and for
security reasons Management decides to shift its network server and mail server
to a secluded room with restricted entry.
On the recommendation of the Chief Information Officer of the Company, the
existing system of the company is being extensively enhanced by extracting and
reusing design and program components.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 12.1 to 12.8.
12.1 In the given case scenario, the manager quits his employment and the store
elevates one of its existing operators to the position of manager. Who do you
think is responsible for removing the permissions of the outgoing manager and
changing those of the new manager?
(Assume there are no distributed systems.)
(A) Vice President of GSWIL
(B) New Manager
(C) System Administrator
(D) Information Owner
12.2 Gold Silver Watch India Limited (GSWIL) decides to control access to a
software application by segregating entry-level and updating-level duties.
What type of internal control does this amount to?
(A) Physical Implementation of a Control
(B) Corrective Control
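The entry-versus-edit separation described in the GSWIL scenario, and the role change in 12.1, as an added example that is not part of the booklet. The role names, permission sets, the single-role-per-user rule and the `sysadmin` actor are assumptions chosen for illustration; the point is that the permission matrix is what enforces the segregation, that a promotion replaces the old role rather than accumulating rights, and that only the administrator changes assignments.

```python
# Permissions per role. Data entry and data modification are deliberately held by
# different roles: that separation is the segregation-of-duties control.
ROLE_PERMISSIONS = {
    "operator": {"enter"},
    "manager":  {"edit", "delete"},
}

# Pairs of duties that must never sit in one role (assumed conflict list).
CONFLICTING = {frozenset({"enter", "edit"}), frozenset({"enter", "delete"})}


def sod_conflicts(role_permissions):
    """Roles whose permission set combines duties that must stay separated."""
    return sorted(role for role, perms in role_permissions.items()
                  if any(pair <= perms for pair in CONFLICTING))


class LoyaltyDbAccess:
    """Role-based access for the loyalty database. A user holds at most one role, so
    promotion replaces the old role rather than adding to it; the system
    administrator is the only actor allowed to change role assignments (12.1)."""

    def __init__(self, sysadmin):
        self.sysadmin = sysadmin
        self._role_of = {}
        self.audit_log = []          # (actor, user, previous role, new role)

    def assign_role(self, actor, user, role):
        if actor != self.sysadmin:
            raise PermissionError("only the system administrator changes roles")
        if role not in ROLE_PERMISSIONS:
            raise ValueError("unknown role: %s" % role)
        previous = self._role_of.get(user)
        self._role_of[user] = role   # replaces, never accumulates
        self.audit_log.append((actor, user, previous, role))

    def revoke(self, actor, user):
        if actor != self.sysadmin:
            raise PermissionError("only the system administrator changes roles")
        previous = self._role_of.pop(user, None)
        self.audit_log.append((actor, user, previous, None))

    def permitted(self, user, action):
        return action in ROLE_PERMISSIONS.get(self._role_of.get(user), set())

    def perform(self, user, action, record):
        """The application's gate: every request is checked against the current role."""
        if not self.permitted(user, action):
            raise PermissionError("%s may not %s record %s" % (user, action, record))
        return "%s %s %s" % (user, action, record)


if __name__ == "__main__":
    db = LoyaltyDbAccess(sysadmin="sysadmin")
    db.assign_role("sysadmin", "op1", "operator")
    db.assign_role("sysadmin", "mgr1", "manager")
    print(db.perform("op1", "enter", "CUST-42"))
    try:
        db.perform("op1", "edit", "CUST-42")
    except PermissionError as e:
        print("blocked:", e)
    # mgr1 leaves and op1 is promoted: the old manager loses access and op1
    # keeps only manager rights, so nobody can both enter and edit.
    db.revoke("sysadmin", "mgr1")
    db.assign_role("sysadmin", "op1", "manager")
    print("op1 enter:", db.permitted("op1", "enter"), "| edit:", db.permitted("op1", "edit"))
    print("SoD conflicts:", sod_conflicts(ROLE_PERMISSIONS))
```

`sod_conflicts` is the check an auditor would run over the real permission matrix: any role that carries both an entry duty and an update duty defeats the control no matter how carefully users are assigned.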
13. ABC Capital Finance Limited ('the Company' or 'ACFL') was incorporated on
21st July 2019. The Company is registered with the Reserve Bank of India (RBI)
as a Non-Banking Financial Company vide Certificate No. N-13.14.2019, with its
Head Office/Corporate Office situated at Mumbai. The Company is primarily
engaged in the lending business. There are 10 regional offices and 255 branches
located all over the country that use various types of remote access
information systems for the smooth and fast processing of different types of
loan applications across branches and regional offices.
The Company has adopted an internal control framework in line with Section
134(5)(e) of the Companies Act, 2013 and Clause 49 V (C) and (D) of the SEBI
Equity Listing Agreement, ensuring the orderly and efficient conduct of its
business, including adherence to the Company's policies, the safeguarding of
its assets, the prevention and detection of frauds and errors, and the accuracy
and completeness of information to various stakeholders. The Company is hosted
on a robust Data Centre, and its Disaster Recovery (DR) Centre has been designed
on the fundamental principles of data security, data integrity, data
availability and data scalability, with strict information security
procedures. The Company has also entered into a reciprocal agreement with TBJ
Capital Finance Limited (an internal business group company) as one of its
strategies in Disaster Recovery Planning. The Management of the Company
appointed a reputed Mumbai-based Chartered Accountancy firm, DKT, specialised in
IS audit, to conduct the Information System Audit of the Company.
Further, the Company is now gearing up to enhance its technology capabilities
across other areas such as mobile computing, cloud computing, BYOD and the
adoption of the COBIT 5 framework.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 13.1 to 13.8.
13.1 In the given case scenario, the provisions of Clause 49 V (C) and (D) of
the SEBI Equity Listing Agreement issued by SEBI in India are on similar lines
to the SOX regulation that has made a
(C) 54321
(D) ppRqs$W
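The XYZ Bank password policy of Q47 (at least 8 alphanumeric characters, reset every 30 days) as an added example, not code from the booklet. "Alphanumeric" is read here as "contains at least one letter and at least one digit", which is an assumption; the candidate list is constructed and includes the two strings shown under 13.4 so the reader can see which rules each one breaks.

```python
import re
from datetime import date, timedelta

# Policy parameters from the XYZ Bank scenario (Q47).
MIN_LENGTH = 8
MAX_AGE_DAYS = 30


def policy_violations(password):
    """Return the list of rules a candidate password breaks (empty list = compliant).
    'Alphanumeric' is taken to mean at least one letter and at least one digit
    (assumption; the scenario does not define the term)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("length < %d" % MIN_LENGTH)
    if not re.search(r"[A-Za-z]", password):
        violations.append("no letter")
    if not re.search(r"[0-9]", password):
        violations.append("no digit")
    return violations


def is_expired(last_reset, today):
    """A password older than MAX_AGE_DAYS must be reset before CBS access is granted."""
    return today - last_reset > timedelta(days=MAX_AGE_DAYS)


def login_allowed(password, last_reset, today):
    """Preventive control: both checks run before access is granted, not after the fact."""
    return not policy_violations(password) and not is_expired(last_reset, today)


# Constructed candidates, including the two listed under 13.4.
CANDIDATES = ["54321", "ppRqs$W", "Vadodara2021", "abcdefgh"]


def classify(candidates):
    return {p: policy_violations(p) for p in candidates}


if __name__ == "__main__":
    for pw, v in classify(CANDIDATES).items():
        print("%-14s %s" % (pw, "OK" if not v else ", ".join(v)))
    print("login allowed:", login_allowed("Vadodara2021", date(2021, 1, 1), date(2021, 2, 5)))
```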
13.5 The IS auditor needs to check whether the application system is calculating
the correct interest on loans provided by ABC Capital Finance Limited, by
creating a dummy entity in the application system. Identify which auditing
technique this process refers to, so that the authenticity and accuracy of the
processes can be verified.
(A) Snapshot
(B) Integrated Test Facility (ITF)
(C) Audit Hooks
(D) Audit Trail
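The dummy-entity check of 13.5 worked through as an added example (not the booklet's own code and not ACFL's system). The loan book, the `ITF-` prefix used to mark the auditor's dummy entity, and the interest routine are all assumptions; the routine is given a deliberate truncation defect (`ROUND_DOWN`) so the reader can see how a dummy loan whose monthly interest does not fall on a whole paisa exposes it, and how the dummy's postings are kept out of production totals.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

ITF_PREFIX = "ITF-"     # marks the auditor's dummy entities inside the live loan book

# Constructed loan book (not ACFL data): live loans plus one dummy loan the auditor
# created. The dummy principal is chosen so that P*r/12 does not land on a whole
# paisa, which is exactly where a rounding defect would show.
LOANS = [
    {"loan_id": "LN-1001",  "principal": Decimal("500000"), "rate_pct": Decimal("12.0")},
    {"loan_id": "LN-1002",  "principal": Decimal("250000"), "rate_pct": Decimal("10.5")},
    {"loan_id": "ITF-0001", "principal": Decimal("100001"), "rate_pct": Decimal("7.0")},
]


def app_monthly_interest(loan, rounding=ROUND_DOWN):
    """Hypothetical stand-in for the application's interest routine under audit.
    Monthly interest = P * r / 100 / 12. The default ROUND_DOWN models a defect
    that silently drops a paisa; the correct mode is ROUND_HALF_UP."""
    raw = loan["principal"] * loan["rate_pct"] / Decimal(100) / Decimal(12)
    return raw.quantize(Decimal("0.01"), rounding=rounding)


def auditor_expected_interest(principal, rate_pct):
    """The auditor's own computation for the test transaction, done outside the system."""
    raw = principal * rate_pct / Decimal(100) / Decimal(12)
    return raw.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def run_interest_batch(loans, rounding=ROUND_DOWN):
    """Process every loan through the same routine, then separate dummy entities
    from production so test postings never reach the real ledger totals."""
    production_total = Decimal("0")
    itf_results = {}
    for loan in loans:
        amount = app_monthly_interest(loan, rounding)
        if loan["loan_id"].startswith(ITF_PREFIX):
            itf_results[loan["loan_id"]] = amount      # compared, then reversed
        else:
            production_total += amount
    return production_total, itf_results


def itf_findings(loans, rounding=ROUND_DOWN):
    """Compare each dummy entity's result with the auditor's expectation.
    Returns {loan_id: (application result, expected, match)}."""
    _, itf_results = run_interest_batch(loans, rounding)
    expected = {l["loan_id"]: auditor_expected_interest(l["principal"], l["rate_pct"])
                for l in loans if l["loan_id"].startswith(ITF_PREFIX)}
    return {lid: (itf_results[lid], expected[lid], itf_results[lid] == expected[lid])
            for lid in expected}


if __name__ == "__main__":
    total, _ = run_interest_batch(LOANS)
    print("production interest total (dummy excluded):", total)
    for lid, (got, exp, ok) in itf_findings(LOANS).items():
        print(lid, "application:", got, "expected:", exp, "PASS" if ok else "FAIL")
    print("after fix:", itf_findings(LOANS, rounding=ROUND_HALF_UP))
```

Two design points carry over to a real ITF: the test entity is processed by the production code path, not a copy, and its effects must be reversed or filtered before any report is produced, otherwise the audit itself corrupts the books.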
13.6 ABC Capital Finance Limited entered into a reciprocal agreement with TBJ
Capital Finance Limited (an internal business group company) as one of its
strategies in Disaster Recovery Planning. Identify which risk treatment
approach this indicates.
(A) Transfer/Share the risk or Risk Transfer
(B) Terminate/Eliminate the risk or Risk Avoidance
(C) Treat/Mitigate the risk or Risk Mitigation
(D) Tolerate/Accept the Risk or Risk Acceptance
13.7 XYZ Limited is engaged in providing data processing services. It received a
big contract from ABC Capital Finance Limited (a Non-Banking Financial Company)
for its various loan processing activities. XYZ Limited has limited personal
computers at its office, so it approached Amazon Web Services for access to
virtual machines for data processing. Which Cloud Computing service model is
XYZ Limited using?
(A) Software as a Service (SaaS)
(B) Platform as a Service (PaaS)
(C) Infrastructure as a Service (IaaS)
(D) Network as a Service (NaaS)
There was only one ATM near the Bank premises, which had deposit as well as
withdrawal facilities. Its maintenance was outsourced to a third party. The
service level agreement had not been renewed for the last three years, and
there has been no security guard for the last six months.
During the inspection, it was observed that while refilling cash in the ATM,
the presence of a security guard was not mandatory.
Illegal and unauthorised software was installed on a few computer systems of
the Bank.
Antivirus software was not updated on a few computers of the bank's branches.
A Disaster Recovery Plan existed but had not been tested by the employees.
During the inspection, the Inspection and Supervision team observed a fraud
where an employee had transferred small amounts of money from various account
holders to his own account while rounding off in the computerised banking
system. That fraud turned out to amount to ₹ 2,49,587/-.
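The rounding-off fraud above (the salami technique of 14.2 and 16.3, with ₹ 102.02 posted as ₹ 102.00) and one way to detect it, as an added example that is not part of the booklet. The interest postings and the day's other credits are constructed data, and the account identifiers, the "small slice" threshold and the minimum count are assumptions. The detection logic compares what the system computed with what customers actually received, then looks for a beneficiary whose many tiny credits add up to that unexplained residue.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed day's interest run (not bank data). Each row: (customer account,
# interest the system computed, amount actually credited to the customer).
INTEREST_POSTINGS = [
    ("ACC-1001", Decimal("102.02"), Decimal("102.00")),
    ("ACC-1002", Decimal("87.49"),  Decimal("87.45")),
    ("ACC-1003", Decimal("250.00"), Decimal("250.00")),
    ("ACC-1004", Decimal("63.37"),  Decimal("63.30")),
    ("ACC-1005", Decimal("19.99"),  Decimal("19.95")),
]

# Constructed credits posted the same day to other accounts: (beneficiary, amount).
OTHER_CREDITS = [
    ("EMP-0007", Decimal("0.02")),
    ("EMP-0007", Decimal("0.04")),
    ("ACC-2001", Decimal("5000.00")),
    ("EMP-0007", Decimal("0.07")),
    ("EMP-0003", Decimal("0.05")),
    ("EMP-0007", Decimal("0.04")),
]

SMALL = Decimal("0.10")     # slices a salami fraud relies on being too small to notice


def unexplained_residue(postings):
    """Computed interest is already at two decimals, so any gap between what the
    system computed and what the customer received is not rounding: it is money
    that went somewhere else."""
    return sum((computed - credited for _, computed, credited in postings), Decimal("0"))


def small_credit_profile(credits, small=SMALL):
    """Per beneficiary: (count, total) of credits at or below `small`."""
    profile = defaultdict(lambda: [0, Decimal("0")])
    for account, amount in credits:
        if Decimal("0") < amount <= small:
            profile[account][0] += 1
            profile[account][1] += amount
    return {a: (c, t) for a, (c, t) in profile.items()}


def salami_suspects(postings, credits, min_count=3, small=SMALL):
    """Beneficiaries receiving many tiny credits whose total matches the residue
    siphoned from the interest run. Returns {account: (count, total)}."""
    residue = unexplained_residue(postings)
    return {a: (c, t) for a, (c, t) in small_credit_profile(credits, small).items()
            if c >= min_count and t == residue}


if __name__ == "__main__":
    print("unexplained residue:", unexplained_residue(INTEREST_POSTINGS))
    print("small-credit profile:", small_credit_profile(OTHER_CREDITS))
    print("suspects:", salami_suspects(INTEREST_POSTINGS, OTHER_CREDITS))
```

On real ledgers the exact-equality match would be replaced by reconciliation over a period (the residue and the beneficiary's small credits accumulate daily), and the first control is the one the Bank later adopted: the posting routine should never be able to credit a rounding difference to any account other than the customer's, or to a designated suspense account that is itself reconciled.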
After the review report, NABARD instructed the Great India Gramin Co-Operative
Society Bank Limited to sort out the security control weaknesses and demanded
reasonable assurance of better security control in future in an effective and
efficient manner.
Subsequently, the Bank worked on all the observations made by NABARD and
established the following controls:
Highly qualified IT personnel were appointed in every branch.
Strict follow-up and compliance with the Information Security and Password
Policy for all users.
Fulfilled the mandatory requirement of two personnel for accessing and
refilling cash in the ATM.
Predefined roles and responsibilities for each employee.
Regular training on risk awareness was to be given to every employee
periodically.
Answer Key
Question No.    Answer
14.1 (C) Dual Control
14.2 (A) Turning ₹ 102.02 To ₹ 102.00
14.3 (A) Lack of appropriate Segregation of Duties
14.4 (B) Segregation of Duties
14.5 (C) Vulnerability
14.6 (A) Preventive control
15. In the recent past, the Indian private sector has invested heavily in IT
infrastructure. However, cyber terrorism, theft of data, hacking and DoS
attacks on company websites are alarming, and there has been a huge increase in
attacks on websites and theft of data. Information related to these attacks is
usually kept under a "strict" policy to avoid embarrassment before business
partners, investors, media and customers. Huge losses sometimes remain
unaudited, and the only solution companies have found is to develop a model
that offers a long-run, business-led approach to Information Security
Management. Companies are adopting this approach to build their security
infrastructure. One model that helps companies maintain IT security through
ongoing, integrated management of policies and procedures, personnel training,
selection and implementation of effective controls, review of their
effectiveness and improvement is the Information Security Management System
(ISMS). The other benefits of an ISMS are improved customer confidence, a
competitive edge, better personnel motivation and involvement, and reduced
incident impact. Ultimately these benefits increase the profitability of
companies.
There is an international professional association that provides the
management of companies with guidance on Information Technology management,
control and security, and IS auditors with guidance on various IT-associated
risks and recommended practices. Many Indian companies have taken various
international certifications to achieve clients' assurance. Certification
reduces dependency on any individual and places reliance on processes. It
certifies companies, which means that an independent certification body
Answer Key
Question No.    Answer
16.1 (B) Section 43A
16.2 (A) Cloud Computing
16.3 (B) Salami Technique
16.4 (D) The frequency for which the site provider agrees to
make itself available for a particular time period.
17. XYZ University was established in the year 1965 in India and is now one of
the premier universities in the country. At present, there are 30 affiliated
colleges under its umbrella. These colleges operate independently, with XYZ
University having some level of control or influence over their academic
policies, standards or programmes. Recently, XYZ University proposed that,
irrespective of whether the affiliated colleges have their own Library
Management System or not, each college must use a commonly shared Online
Library Management System (LMS) under its brand name. The management of XYZ
University envisaged that:
♦ The shared LMS can streamline working practices, allowing all the
affiliated colleges to share their e-learning resources with each other.
These resource files are provided as a service over different networks
using Cloud Computing.
♦ Students and researchers will be provided a common platform so that all
stakeholders, such as students and faculty of the affiliated colleges, can
search the e-library collections in a consistent way and accordingly
access and share e-learning resources such as e-books, e-lectures,
webinars, videos and PowerPoint presentations.
♦ The e-learning resource pool is continuously enhanced, with many lectures,
webinars and PowerPoint presentations of experts, faculty and motivational
speakers being added to it on a regular basis.
(C) Risk
(D) Likelihood
17.2 The online Library Management System (LMS) of XYZ university
possesses the characteristics of _______, ______, ______ and
______ systems.
(A) Manual, Deterministic, Open, Abstract
(B) Automated, Probabilistic, Closed, Physical
(C) Automated, Deterministic, Closed, Abstract
(D) Automated, Deterministic, Open, Physical
17.3 To achieve the objective of restricting individual access privileges to the
online LMS and data of XYZ University to only authorised users of the
different affiliated colleges, including librarians, faculty, students and IT
Support Team members, Logical Access Controls need to be well implemented.
Which of the following factors will not play any considerable role while
defining Logical Access Controls for the online LMS?
(A) Confidentiality and Authorization of User
(B) Virus prevention and detection to the LMS
(C) Controlled visitors’ access to the library
(D) User training and tools for monitoring compliance
17.4 Let us assume that the IT Team members of KIO Ltd. run data backup software
on the online LMS of XYZ University on the first Monday of every month to
perform a complete backup of all the resource files containing audio, video
and PowerPoint files. On Tuesday, the backup software scans the backup
selection and sends only new files and changes to existing files. You would
now have a second version of the changed files, and this process continues.
Which type of data backup does this methodology refer to?
(A) Incremental Backup
(B) Differential Backup
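The three backup strategies that recur in this booklet (the options under Q56, the strategy change in 5.5, the restore in 10.1 and the LMS cycle in 17.4), simulated as an added example that is not the booklet's own code. The four-day file history is constructed; file deletions are not modelled. The simulation shows the property the Q56 options turn on (incremental sets are the smallest, differential sets grow back towards the last full backup, full backups use the most space) and the price paid at restore time (one set for full, two for differential, the whole chain for incremental).

```python
# Constructed sample: the contents of the LMS resource share on successive days,
# as {filename: version}. The version changes when a file is modified.
# Deletions are not modelled (a real tool also records them).
DAYS = [
    {"lecture1.mp4": 1, "slides1.pptx": 1, "audio1.mp3": 1},                    # day 0: full backup
    {"lecture1.mp4": 2, "slides1.pptx": 1, "audio1.mp3": 1},                    # day 1: lecture1 modified
    {"lecture1.mp4": 2, "slides1.pptx": 2, "audio1.mp3": 1, "webinar.pdf": 1},  # day 2: slides1 modified, webinar added
    {"lecture1.mp4": 3, "slides1.pptx": 2, "audio1.mp3": 1, "webinar.pdf": 1},  # day 3: lecture1 modified again
]


def changed_since(current, baseline):
    """Files that are new or modified relative to a baseline snapshot."""
    return {f: v for f, v in current.items() if baseline.get(f) != v}


def run_backups(days, strategy):
    """Simulate a cycle: a full backup on day 0, then one run per later day.
    strategy is 'full', 'differential' or 'incremental'.
    Returns a list of (kind, files) backup sets."""
    full = days[0]
    sets = [("full", dict(full))]
    previous = full
    for state in days[1:]:
        if strategy == "full":
            sets.append(("full", dict(state)))
        elif strategy == "differential":
            # everything changed since the last FULL backup (grows day by day)
            sets.append(("differential", changed_since(state, full)))
        elif strategy == "incremental":
            # only what changed since the previous backup of any kind (smallest sets)
            sets.append(("incremental", changed_since(state, previous)))
        else:
            raise ValueError("unknown strategy: %s" % strategy)
        previous = state
    return sets


def storage_used(sets):
    """Number of file copies held across all backup sets (a proxy for storage space)."""
    return sum(len(files) for _, files in sets)


def restore_chain(sets):
    """The backup sets needed to rebuild the latest state."""
    kind = sets[-1][0]
    if kind == "full":
        return [sets[-1]]                  # the last full backup alone
    if kind == "differential":
        return [sets[0], sets[-1]]         # last full + last differential
    return list(sets)                      # last full + every incremental, in order


def restore(sets):
    state = {}
    for _, files in restore_chain(sets):
        state.update(files)
    return state


if __name__ == "__main__":
    for strategy in ("full", "differential", "incremental"):
        sets = run_backups(DAYS, strategy)
        print("%-12s storage=%2d  sets to restore=%d  restored ok=%s" % (
            strategy, storage_used(sets), len(restore_chain(sets)),
            restore(sets) == DAYS[-1]))
```

A 17.4-style description ("sends only new files and changes") is ambiguous on its own; what fixes the type is the baseline the run is compared against, which is why `run_backups` makes that baseline explicit for each strategy.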
(D) Section 45
17.8 The e-resource files are accessible to stakeholders of each
affiliated college of XYZ university on pay-as-per-usage basis.
Which type of Cloud Computing Service Model provides such
facility?
(A) Platform as a Service
(B) Data as a Service
(C) Software as a Service
(D) Infrastructure as a Service
Answer Key
Question No.    Answer
17.1 (B) Vulnerability
17.2 (D) Automated, Deterministic, Open, Physical
17.3 (C) Controlled visitors’ access to the library
17.4 (B) Differential Backup
17.5 (C) The programming languages used in the
development of source code.
17.6 (A) Environmental
17.7 (B) Section 43
17.8 (B) Data as a Service
18. ABC is a domestic airline whose Reservation System runs in a real-time
environment, maintaining its records in electronic form so that they remain
usable for subsequent reference. The details of the electronic records are also
maintained to facilitate the identification of the origin, destination, date
and time of dispatch or receipt of such electronic records.
ABC Airlines has implemented the COBIT 5 business framework for the governance
and management of enterprise Information Technology. The transactions being
online, cyber security is a must. To address security issues such as
Confidentiality, Integrity