
Certified Information Systems Auditor

Version 3.0

Ultimate CISA Study Guide in Easy FAQs

Disclaimer:
1. CISA is the registered trademark of ISACA.org.
2. Pacific Information Security Consulting (PacificIS.com) is an independent company. It is neither an affiliate nor a representative of ISACA.org.
3. This material has been developed independently by PacificIS.com for the CISA exam as an additional resource. It is NOT endorsed by ISACA.org.
4. Due care has been taken to ensure that this material is correct and up-to-date. However, there is no implicit or explicit warranty of the correctness of the material. All of the answers given in this manual are suggested answers and they should NOT be considered as the only correct answers. There might be other correct answers as well.

Sold as Single Copy Unauthorized Circulation Strictly Prohibited


Copyright 2004 Pacific Information Security Consulting www.PacificIS.com

CISA Study Guide in EasyFAQs

Table of Contents
INTRODUCTION ... 30
DOMAIN 1: THE INFORMATION SYSTEM AUDIT PROCESS ... 31
ORGANIZATION OF THE IS AUDIT FUNCTION ... 31
  How will you establish the role of the IS audit function? ... 31
  What are the five (5) components of the Audit Charter? ... 31
  Who approves the Audit Charter? ... 31
IS RESOURCE MANAGEMENT ... 31
  How should an audit begin? ... 31
  What if the proper skills are not available for the audit? Is it acceptable to ask the auditee to help? ... 31
AUDIT PLANNING ... 32
  What are the two (2) types of Audit Planning? ... 32
  How often should the Audit Planning be reviewed? ... 32
  What are the five (5) factors that should be considered in an Audit Plan? ... 32
  What five (5) step strategy should an IS Auditor use to draw up an Audit Plan? ... 32
  What are the six (6) common methods the auditor can use to understand the auditee's business? ... 32
  What is the biggest challenge for the IS auditor in terms of planning the audit? ... 33
EFFECT OF LAWS AND REGULATIONS ON THE AUDIT PLAN ... 33
  What are the four (4) common types of laws and regulations an IS auditor should know about the auditee's business? ... 33
ISACA IS AUDITING STANDARDS ... 33
  What are the objectives of the ISACA IS auditing standards? ... 33
RISK, RISK ANALYSIS AND RISK MANAGEMENT ... 34
  What is risk? ... 34
  What is a Business Risk? ... 34
  What is Risk Management? ... 34
  What is the primary role of Risk Management? ... 34
  What steps are required in a typical Risk Management project? ... 35
  How can an event that may result in loss be identified? ... 35
  What is the nature of the threat? ... 36
  What are the four (4) basic questions that should be asked during the Risk Analysis? ... 36
  What are the two (2) main purposes of the Risk Assessment? ... 36
  What is the end result of the Risk Assessment? ... 36
  What is the difference between Risk Assessment and Risk Analysis? ... 36
  What is the Risk Management Triple? ... 37
  What are the four (4) key components of Risk Assessment? ... 37
  What types of items are included as assets? ... 37
  How is an asset valued? ... 37
  What is a Threat? ... 38
  What is a Vulnerability (VA)? ... 38
  What is a Safeguard? ... 38
  What is an Exposure Factor? ... 38
  What is an ARO? ... 38
  What is an ALE? ... 39
  What are the key equations for Risk Assessment? ... 39
  How is the value of the ALE useful to the organization? ... 39
  Points to remember: ... 39
  What is the Quantitative Risk Assessment? ... 39
  How is a Qualitative Risk Assessment Analysis performed? ... 40
  What is the role of the Delphi Technique in Qualitative Risk Analysis? ... 40
  How do the Quantitative and Qualitative Risk Assessments compare? ... 40


  What is a PSE? ... 40
  What are the components of a PSE? ... 40
  What is the difference between a Risk Analysis and BIA? ... 41
  In technical terms, what are the three steps of a Risk Analysis? ... 41
  How is the Risk Analysis carried out? ... 41
  What is the checklist of threat sources? ... 42
  What is the checklist for compiling the Risk Analysis? ... 42
  How do you estimate Potential Losses? ... 42
  Once the risk is defined, how is it handled? ... 42
  What is the most difficult part of Risk Assessment? ... 43
  How is the Asset Valuation carried out? ... 43
  Why is Asset Valuation so important? ... 43
  What happens if the Information Asset Valuation is not done properly? ... 43
  What is a prerequisite for applying the security controls? ... 43
  What is Risk Mitigation? ... 44
  What is the Total Risk? ... 44
  What is the Residual Risk? ... 44
SAFEGUARDS ... 44
  What to look for when selecting a safeguard ... 44
  What is the most important factor to be considered before a safeguard is implemented? ... 44
  What should be the default of a safeguard? ... 44
SELECTION OF SAFEGUARDS ... 45
  On what basis are safeguards selected? ... 45
RISK ANALYSIS AND AUDITING ... 47
  Why is risk analysis part of Audit Planning? ... 47
INTERNAL CONTROLS ... 47
  What is the purpose of using internal controls? ... 47
  What are some examples of internal controls? ... 47
  What is the relationship between control and the control objectives? ... 47
  Who has the ultimate responsibility for the control? ... 47
  How is the strength of the control measured? ... 48
  When evaluating the strength of the controls, what factors should be considered? ... 48
INTERNAL CONTROL OBJECTIVE ... 49
  What is an Internal Control Objective? ... 49
  What are the main objectives of implementing internal control? ... 49
  What are the three (3) major controls in the Internal Control System? ... 49
  What are some examples of Information System Control objectives? ... 49
INFORMATION SYSTEMS CONTROL PROCEDURES ... 50
  What do the control procedures include? ... 50
  What are some examples of control procedures? ... 50
  What is the relationship between General Control Procedures and IS-Specific procedures? ... 50
  What are the six Information Control procedures? ... 50
  Does the Internal Control Objective apply only to the manual system? ... 50
  No; it applies to all areas, manual or automated. However, the control implementation features are different. ... 50
COBIT ... 51
  What is COBIT? ... 51
  What does COBIT provide? ... 51
  How many high-level and detail control objectives are there in COBIT? ... 51
  How many standards does COBIT relate to? ... 51
  What are the six (6) components of COBIT? ... 51
  What are the three major classifications of controls? ... 51
  What are some examples of preventative controls? ... 52
  What are some examples of detective controls? ... 52
  What are the examples of corrective controls? ... 52


PERFORMING AN INFORMATION SYSTEM AUDIT ... 53
  What is Auditing? ... 53
  What does the audit program consist of? ... 53
  What is required from an IS auditor during the audit process? ... 53
  What are the five (5) types of audits? ... 53
  What is the major difference between an IS audit and other types of audit? ... 54
  What are the General Audit Procedures in a typical audit? ... 54
  What should the IS auditor be aware of regarding the testing and evaluation of the Information System control? ... 54
AUDIT METHODOLOGY ... 55
  What is the Audit Strategy or Methodology? ... 55
  What are the components of an Audit Strategy? ... 55
  What are the eight (8) steps in a typical audit? ... 55
  What is the difference between an Audit Objective and an Audit Scope? ... 55
  What are the two major components needed in pre-audit planning? ... 55
  What sources of Information can be used in the pre-audit planning phase, in order to get a better understanding of the auditee? ... 56
  What information is included in a typical audit report? ... 56
  What is the Audit Program? ... 56
  What does the Audit Program provide? ... 56
AUDIT RISK AND MATERIALITY ... 57
  What is the new trend in the auditing approach? ... 57
  What are the different tests in risk-based auditing? ... 57
  What are the five steps in risk-based auditing? ... 57
  How can the IS auditor gather information? ... 57
  How can the internal control be understood? ... 57
  What does the compliance test evaluate? ... 57
  What is a substantive test? ... 58
  What is the audit risk? ... 58
  What is the material risk? ... 58
  How can a threat be identified as significant or not? ... 58
  Is the significance of non-compliance absolute or relative? ... 58
  How can audit risk be avoided? ... 58
  What role do inherent risk, detection risk and control risk play in risk-based auditing? ... 58
  On what bases do IS auditors rely? ... 58
  What are the three (3) areas of business risk? ... 59
  Why is it necessary for IS auditors to understand the nature of the business? ... 59
  What is a Risk Model Assessment? ... 59
RISK ASSESSMENT TECHNIQUES ... 60
  Which business should be audited first? ... 60
  How are the high-risk areas determined? ... 60
  How does the risk assessment help to determine which areas should be audited? ... 60
  What are the different methods for carrying out Risk Assessments? ... 60
  What does the scoring system do? ... 60
  What variables are considered in the scoring system? ... 60
  Are the variables always weighted? ... 60
  How do scoring systems help in auditing? ... 61
  With regard to selecting the area to be audited, what is the judgmental method? ... 61
  Will the risk assessment methods remain the same in the future? ... 61
AUDIT OBJECTIVES ... 62
  What is the difference between Control Objectives and Audit Objectives? ... 62
  With regard to access, what should the audit include? ... 62
  Is it possible that management will give the IS Auditor some General objectives? ... 62
  What is the key element in planning the Information System audit? ... 62
  What is the basic purpose of an IS Audit? ... 62


  What should the IS auditor identify in the initial review? ... 63
  What does the IS auditor specify in the initial review? ... 63
  How are the controls tested? ... 63
  What is the difference between Compliance and Substantive Testing? ... 63
  What is the correlation between the level of internal control and the amount of substantive testing required? ... 63
  What are the four (4) steps for checking control in an environment? ... 64
  What are the two (2) types of substantive test? ... 64
EVIDENCE ... 65
  What is the definition of evidence? ... 65
  What is the importance of evidence? ... 65
  What are the five (5) forms of evidence that the IS Auditor can use? ... 65
  What are the three (3) factors showing the reliability of the evidence? ... 65
  Should the IS auditor only look for good evidence? ... 65
  How does the quality and quantity of the evidence map to IFAC (International Federation of Accountants)? ... 65
  What does the ISACA standard number for auditing stand for? ... 66
  What techniques are used to gather evidence? ... 66
  Is traditional documentation required for CASE or prototyping? ... 66
  What documentation is relevant for CASE and prototyping? ... 66
SAMPLING ... 66
  When is sampling used? ... 66
  What is the meaning of population with respect to sampling? ... 67
  What is a sample? ... 67
  What is a sample used for? ... 67
SAMPLING BASICS - CONFIDENCE COEFFICIENT & LEVEL OF RISK ... 68
  What is the confidence coefficient? ... 68
  How is the confidence coefficient represented? ... 68
  At what confidence coefficient level should the IS auditor feel comfortable? ... 68
  What is the relationship between the confidence coefficient and sample size? ... 68
  What is the difference between "Confidence Coefficient", "Confidence Level" and "Reliability Factor"? ... 68
  What is the level of risk? ... 68
SAMPLING BASICS - PRECISION ... 69
  What does the term sampling precision refer to? ... 69
  What is the difference between Precision and Confidence Level? ... 69
  Which is better: a higher or lower precision level? ... 69
  What is the relationship between Precision and Sample Size? ... 69
  What is the difference between "Attribute Sampling" and "Variable Sampling"? ... 69
  What is the difference between "Precision Range" and "Precision Mean"? ... 69
SAMPLING BASICS - EXPECTED ERROR RATE & TOLERABLE ERROR RATE ... 70
  What is the Expected Error Rate (EER)? ... 70
  What is the effect of EER on Sample Size? ... 70
  How is the EER applied to the variable sampling formula? ... 70
  What is the tolerable error rate? ... 70
  How are tolerable error rates used in sampling? ... 70
  How is the tolerable error rate represented? ... 70
SAMPLING BASICS - STANDARD DEVIATION AND VARIANCE ... 71
  What is the prerequisite of Standard Deviation? ... 71
  What is the sample mean? ... 71
  What does the sample mean indicate? ... 71
  What is Standard Deviation? ... 71
  What is Variance? ... 71
  What is the Standard Deviation? ... 72
  What is the Sample Standard Deviation? ... 72


What is the Population Standard Deviation? ... 72
What is the relationship between the standard deviation and sample size? ... 72
How can a population's standard deviation be applied to the attribute sampling formula? ... 72
OTHER SAMPLING ISSUES ... 73
What are the two approaches for auditing? ... 73
What is the difference between Statistical Sampling and Non-Statistical Sampling? ... 73
In statistical sampling, how can the closeness of sample size be determined? ... 73
How does one know that the sample is reliable? ... 73
How is the final assessment represented in Statistical Sampling? ... 73
What is Sample Risk? ... 73
What is the confidence coefficient? ... 73
What is the ideal statistical sample? ... 74
What are the two general approaches? ... 74
What are the differences between attribute sampling and variable sampling? ... 74
ATTRIBUTE SAMPLING ... 75
What are the three different methods of proportional attribute sampling? ... 75
What is the difference between Attribute Sampling, Fixed Sample Size Attribute Sampling and Frequency-estimating Sampling? ... 75
What are the main features of Fixed Sample Size? ... 75
What are the features of stop-or-go sampling? ... 75
What are the features of Discovery Sampling? ... 75
VARIABLE SAMPLING ... 76
What is the difference between variable sampling, mean estimation sampling and dollar estimation? ... 76
What is variable sampling used for? ... 76
What are the seven (7) items the auditor should consider while evaluating the sample? ... 76
CAAT ... 77
What is CAAT? ... 77
How can CAAT assist auditors? ... 77
Why is CAAT important for the IS auditor? ... 77
What are the five (5) Functional Capabilities of CAAT? ... 77
What are some examples of CAAT software? ... 77
What is GAS? ... 78
What are the sources of input for GAS? ... 78
What does GAS do? ... 78
What are the IS auditor's concerns regarding CAAT? ... 78
What does the CAAT program record and retain? ... 79
What types of accesses are recommended for the CAAT programs? ... 79
What are the limitations of CAAT? ... 79
EVALUATING THE AUDIT'S STRENGTHS AND WEAKNESSES ... 80
What is the next step after the information and evidence for the audit have been gathered? ... 80
What does the IS auditor do in order to develop an opinion? ... 80
How should the control be evaluated? ... 80
How is the proper level of control assessed? ... 80
How is the Control Matrix constructed? ... 80
What are the compensating controls? ... 80
What is the difference between a compensating control and an overlapping control? ... 80
What should an auditor do regarding compensating controls and overlapping controls? ... 81
MATERIALITY OF THE FINDING ... 82
What is the concept of the materiality of the finding? ... 82
To whom are IS auditors responsible? ... 82
Why should the IS auditor discuss a matter with the management staff before communicating it to senior management? ... 82
What is the end result of the IS audit work? ... 82
What is the structure of the Audit Report? ... 82

Should the audit report only mention the negative points? ... 82
Should the IS auditor insist that his/her recommendations be implemented immediately? ... 83
Should the IS Auditor mention some of his/her findings in the report, even if modifications are made prior to the report being given to the top management? ... 83
What should the auditor do prior to releasing the reports? ... 83
What is the main spirit behind the audit? ... 83
Do corrective actions resolve all of the problems? ... 83
What happens just prior to the end of the auditing assignment? ... 83
What is discussed in the Exit Interview? ... 84
What is the IS audit documentation? ... 84
CSA - CONTROL SELF-ASSESSMENT ... 85
What is the CSA? ... 85
What are the two methods of self-assessment? ... 85
Is it possible to include outsiders in the CSA? ... 85
What is the primary objective of an internal audit? ... 85
Does a CSA replace the responsibility of the internal audit? ... 85
Who is responsible for the controls? ... 85
What are the additional benefits of using a CSA? ... 85
What are the three phases of a CSA? ... 86
What is the role of the auditor in a CSA? ... 86
How could an auditor understand the business before starting the audit? ... 86
What is the first step in a CSA project? ... 86
What are the tools used in a CSA? ... 86
What development techniques are needed for the CSA program? ... 86
What is the main advantage of a workshop-based CSA? ... 87
How would you differentiate between the traditional approach and the CSA approach? ... 87
CORPORATE GOVERNANCE ... 88
What is corporate governance? ... 88
What are the advantages of proper corporate governance? ... 88
DOMAIN 2: MANAGEMENT, PLANNING AND ORGANIZATION OF THE IS ... 89
GENERAL ... 89
What are the five (5) tasks with regard to management, planning and organization? ... 89
STRATEGIC PLANNING ... 89
What is strategic planning all about? ... 89
What is the nature of strategic planning? ... 89
What are the two types of plans? ... 89
STEERING COMMITTEE ... 90
What is the purpose of the steering committee? ... 90
What is the prerequisite for the person who chairs the steering committee? ... 90
Who should be in the steering committee? ... 90
Where are the committee's duties and responsibilities defined? ... 90
What authority should each member of the committee have? ... 90
What does the committee do? ... 90
What are the sources of Information for the IS committee? ... 91
POLICIES AND PROCEDURES ... 92
What is the advantage of having policies and procedures in place? ... 92
How many levels does a policy have? ... 92
How can consistency in the policies be developed? ... 92
What is the difference between the top-down and bottom-up approaches to policy development? ... 92
What are the procedures? ... 93
Are the procedures independent? ... 93
Which one is more dynamic, policies or procedures? ... 93
Why does an IS auditor review the procedures documents? ... 93
What if the procedures documented are not relevant? ... 93

What are the five (5) major types of policies? ... 93
What are the six (6) minimum items that HR policies should address? ... 94
What are the three (3) major risks regarding hiring? ... 94
What are the minimum ten (10) must-have areas in the Employee Handbook? ... 94
What are the three (3) classifications regarding training? ... 95
What are the three (3) ways employees can be rewarded for performance? ... 95
What are the two (2) methods by which management can avoid improper and illegal acts on the part of employees? ... 95
What are four (4) common reasons for outsourcing work? ... 95
What should an IS Auditor audit with respect to the outsourcing? ... 96
What are the five (5) most common areas for outsourcing? ... 96
What are the seven (7) major disadvantages of outsourcing? ... 96
What are the seven (7) common ways of handling the risks associated with outsourcing? ... 97
Is outsourcing only a cost decision? ... 97
What are the seventeen (17) most common components of the outsourced contract? ... 97
How can the company ensure that the other party is providing high quality assurance? ... 98
What is the US legislation for monitoring the vendor? ... 98
INFORMATION SYSTEM MANAGEMENT PRACTICES ... 99
What are the five (5) most common key challenges of the IS department? ... 99
IS ORGANIZATION STRUCTURE AND RESPONSIBILITY ... 100
What are the four (4) most common organizational and management controls? ... 100
With special reference to IPF, what three (3) Organizational or Management controls can one have? ... 100
Why are organizational charts important? ... 100
Why do the job description and organization structure change quickly? ... 100
What are the three (3) common components that an IS auditor looks for in the Job Description? ... 100
Why is separation of duties important? ... 100
How can the IS auditor check whether the job description and structure are in place? ... 101
MANAGEMENT STRUCTURE ... 102
What are the two types of management structure in a typical IT environment? ... 102
What is the difference between Line Management and Project Management? ... 102
Who should head the Information Systems Department? ... 102
What are the different positions within the IS department? ... 102
What is the difference between a Data Administrator and a Database Administrator? ... 103
What is the difference between a System Administrator and a Sys Admin? ... 103
From an auditing point of view, which IS function should be completely separated? ... 103
What if no segregation of duties is possible? ... 103
PROJECT MANAGEMENT ... 104
Ideally, who should initiate and prioritize the project? ... 104
For IS projects, is it necessary that the project manager should be a member of the IS staff? ... 104
What types of authority and resources does the Project Manager need? ... 104
What should be the role of the IS auditor in the project? ... 104
What are the two main areas of the IT Department? ... 104
What does the IP Facility include? ... 104
What is the difference between Operations and the IPF? ... 104
What are the controls of Operations and the IPF? ... 105
What is included in the IPF? ... 105
What are the controls of the Computer Operations Department? ... 105
With respect to the IPF, what area needs the most critical management control? ... 105
DATA SECURITY ... 106
What should Data Security encompass? ... 106
What are the two typical control groups that have Processing control? ... 106
What are the differences between the Data Control Group and the Production Control Group? ... 106
How can the efficiency of the production environment be optimized? ... 106

DATA ENTRY ... 107
What are the two types of Data Entry? ... 107
Who is responsible for the batch data entry? ... 107
What tasks do the Data Control Department/Data Control perform? ... 107
To whom should the Data Control Supervisor report? ... 107
What are the advantages of online entry? ... 107
Who is responsible for the accuracy and completeness of the data entered during online data entry? ... 107
What are the controls that should be applied to the transactions which are re-entered into the system? ... 108
Who is responsible for ensuring the separation of duties in data entry? ... 108
LIBRARIAN ... 109
What is the responsibility of the librarian? ... 109
Should the librarian be full-time or part-time? ... 109
How can a librarian be assisted? ... 109
SECURITY ADMINISTRATION ... 110
Where should the Security Administration begin? ... 110
What should be the role of management regarding proper security administration? ... 110
What if it is only a small shop that cannot dedicate a full-time person? ... 110
Who should be responsible for day-to-day Security Monitoring and coordination? ... 110
What is the Security Administration supposed to do? ... 110
QUALITY ASSURANCE ... 111
What are the two (2) major tasks of the Quality Assurance Exercise? ... 111
What is the difference between Quality Assurance and Quality Control? ... 111
What are the four (4) items that the quality assurance person should check? ... 111
What does the quality assurance program achieve? ... 111
Is it the responsibility of the QA to check accuracy and authenticity? ... 112
Can the Quality Group be part of the programming group? ... 112
DATABASE ADMINISTRATOR ... 113
What are the eight (8) most common responsibilities of the DBA? ... 113
To whom does the DBA report? ... 113
What risks are associated with the DBA? ... 113
How can the risk associated with the DBA be addressed? ... 113
SYSTEM ANALYSTS & APPLICATION PROGRAMMERS ... 114
What are the responsibilities of System Analysts? ... 114
What are Application Programmers responsible for? ... 114
What risks are related to Application Programmers and what can be done about them? ... 114
What is the difference between application programming and system programming? ... 114
What controls should be put in place related to System Programmers? ... 114
What are the two types of networks? ... 114
SEGREGATION OF DUTIES ... 115
What are some of the critical jobs that should be segregated? ... 115
What are compensating controls? ... 115
KEY RESPONSIBILITIES ... 115
Who is responsible for the Transaction Authorization? ... 115
Who is responsible for reconciliation? ... 115
Who determines the authorization level of the data? ... 115
Who should implement and enforce the security system? ... 115
MISCELLANEOUS ISSUES ... 116
What are the three ways of implementing data controls? ... 116
What controls are provided by the User Department manager? ... 116
What must the authorization forms show? ... 116
In large organizations, how should the authorization be confirmed as authentic? ... 116
How are the "User Authorization Tables" created? ... 116
What is the level of authorization provided in a typical authorization table? ... 116

What is a typical authorization table called? ... 116
What security should be maintained for the Authorization Tables? ... 117
What are the requirements for reporting exceptions? ... 117
What is the advantage of an audit trail? ... 117
What information does a typical audit trail contain? ... 117
Who should perform the proper checks in order to confirm that there is no mismanagement in the system? ... 117
What is the typical checklist for auditing management, planning and the organization? ... 118
What are the nine (9) most common documents reviewed by IS Auditors while assessing an organization's management and planning? ... 118
Why is Security Policy documentation necessary? ... 119
What should a Security Policy identify? ... 119
What are the three (3) common advantages of job description? ... 119
Which document provides information regarding new projects? ... 119
What is the best way to test that individuals are doing what they are supposed to do? ... 119
How can the auditor know if the policies and procedures are understood and practiced? ... 119
How can the auditor know if people have an understanding of the security awareness in a particular area? ... 119
What areas should be looked into when reviewed with respect to contractual commitment? ... 120
DOMAIN 3: TECHNICAL INFRASTRUCTURE AND OPERATIONAL PRACTICES ... 121
INFORMATION SYSTEM HARDWARE ... 121
What are the five (5) basic components of computer systems? ... 121
What are the five (5) different types of general-purpose computers? ... 121
What are the components of a CPU? ... 121
How do a computer's internal components communicate with each other? ... 121
How many types of buses are there? ... 122
What is the Address Bus? ... 122
What is the Data Bus? ... 122
What is the Control Bus? ... 122
What is the Register? ... 122
What are the seven (7) most common types of computer-related memory? ... 123
What are the characteristics of RAM? ... 123
What are the two types of RAM? ... 123
What is PLD? ... 123
What are four (4) common examples of PLDs? ... 123
How is the programming of a PLD carried out? ... 123
What is ROM? ... 124
What are the types of ROM? ... 124
What are the stored ROM programs called? ... 124
What is Real Memory? ... 124
What is Sequential Memory? ... 124
What is Virtual Memory? ... 124
What are the characteristics of cache? ... 124
What is Cache Logic? ... 124
ADDRESSING ... 125
What are the six (6) most common types of addressing? ... 125
INSTRUCTION EXECUTION CYCLE ... 126
What are the two basic phases in a machine cycle? ... 126
Why are multi-phase clock signals needed? ... 126
When are multi-phase signals required? ... 126
What is a machine cycle? ... 126
What is the Machine cycle matched with? ... 126
What are the four (4) states in a computer system? ... 126
How can the performance of the system be improved? ... 127
What is the difference between a Process and a Thread? ..... 127
What are the Pipelines? ..... 127
INPUT AND OUTPUT ..... 128
How does the processor communicate with outside devices? ..... 128
What do the Interface adapters provide? ..... 128
What is Mapped Memory? ..... 128
What are the other advantages of memory mapping? ..... 128
What is the Isolated I/O? ..... 128
What is the significance of an isolated I/O and a special signal? ..... 128
What are the advantages of isolated I/Os? ..... 129
What is the disadvantage of isolated I/Os? ..... 129
What are the Programmed I/Os? ..... 129
How are multiple interrupts handled? ..... 129
What if the CPU does not want to be interrupted? ..... 129
What are the two ways of moving data in and out of the memory? ..... 129
What are the Interrupts? ..... 129
BASIC LANGUAGES ..... 130
What is Machine Language? ..... 130
What is the assembly language? ..... 130
How do you obtain the Object code? ..... 130
What is the difference between a Resident Assembler and a Cross Assembler? ..... 130
What is a disassembler? ..... 130
What is a Macro? ..... 130
What is the difference between Interpreted and Compiled programs? ..... 130
What is better from a security point of view: an interpreter or a compiler? ..... 131
What are the different levels or generations of languages? ..... 131
How does the OS communicate with I/O devices? ..... 131
What is the difference between open and closed systems? ..... 131
What is the major problem in a distributed architecture? ..... 131
What are the major problems with desktop computers? ..... 131
What is the difference between multi-tasking, multi-processing and multi-user? ..... 132
HARDWARE ACQUISITION ..... 133
What is ITT? ..... 133
What is contained in an ITT? ..... 133
What are the typical steps in an acquisition? ..... 134
What criteria should typically be used for the vendor proposal? ..... 134
On what should a hardware maintenance program focus? ..... 135
What should be the hardware monitoring procedures? ..... 135
What are the typical criteria for over- and under-utilization? ..... 135
What is Data Management? ..... 135
What is the difference between Data Management and a Database Management System? ..... 135
CAPACITY MANAGEMENT ..... 136
Who should develop the capacity plan? ..... 136
How often should the capacity plan be reviewed? ..... 136
What are the eight (8) typical components of capacity management? ..... 136
INFORMATION SYSTEM ARCHITECTURE AND SOFTWARE ..... 137
What are the three (3) main components of hierarchical architectures in computer systems? ..... 137
What are the basic nucleus functions? ..... 137
How important is the nucleus or kernel? ..... 137
What are the seven (7) typical software applications that run on top of the operating system? ..... 137
What are the ten (10) common functions provided by the Operating System? ..... 138
How should the performance of the Operating System be optimized? ..... 138
What is the advantage of firmware? ..... 138
What are four (4) integrity issues related to the operating system? ..... 138
What are the two major operating states of the system? ..... 139
How does the IBM OS/390 start? ..... 139
What are the system configuration files called in the Windows environment? ..... 139
ACTIVITY LOGGING AND REPORTING OPTIONS ..... 140
What are the four (4) most common areas in a system log? ..... 140
What are the four (4) typical items to check in database monitoring? ..... 140
What items should be checked for access control? ..... 140
What are the three (3) basic data communication transmission standards? ..... 140
DBMS ..... 141
What is DBMS? ..... 141
What are the ten (10) primary functions of databases? ..... 141
What are the different levels at which users can be controlled regarding DBMS? ..... 141
What are the three (3) different types of DBMS? ..... 142
What are the five (5) common limitations of a hierarchical DB? ..... 142
What are three (3) common limitations of the Network/Mesh DB? ..... 143
What are the key issues with DBMS? ..... 143
What is aggregation? ..... 143
What is inference? ..... 143
What does data normalization mean? ..... 143
What is the Data Dictionary? ..... 143
Do the data dictionaries contain actual data? ..... 144
Should the data dictionary be shared among the databases? ..... 144
What does the data dictionary do? ..... 144
What is the role of the data dictionary in DBMS? ..... 144
What is the difference between an active data dictionary and a passive data dictionary? ..... 144
What does the data dictionary contain? ..... 144
What are the three (3) types of application controls? ..... 145
What are eight (8) typical components that the SLA should mention? ..... 145
What are the six (6) security concerns regarding distributed systems? ..... 145
What is meta-data? ..... 145
What are the three (3) types of meta-data? ..... 146
What is data mining? ..... 146
What is normalization? ..... 146
How is normalization performed? ..... 146
What are the main objectives of normalization? ..... 146
What are the three (3) major normalization rules? ..... 147
How is normalization applicable to the network and hierarchical databases? ..... 147
What are the eight (8) typical database controls that an IS auditor should look for? ..... 147
What is TMS/DMS? ..... 147
What are the six (6) types of information stored in TMS/DMS? ..... 147
JOB SCHEDULING ..... 148
Why is job scheduling used? ..... 148
What are the advantages of job scheduling? ..... 148
UTILITY PROGRAMS ..... 149
How are utility programs classified? ..... 149
What are the five types of Utility Program? ..... 149
What should be the auditor's main concern regarding a utility program? ..... 149
What are the ten (10) most common concerns for selecting a new "system software solution"? ..... 150
CHANGE CONTROL & SOFTWARE LICENSING ISSUES ..... 151
What are the needs for a change control procedure? ..... 151
What should an IS auditor do regarding software licensing? ..... 151
How can software license misuse be prevented? ..... 151
INFORMATION SYSTEMS NETWORK ARCHITECTURE AND TELECOM ..... 152
What are the different types of networks? ..... 152
What are the six (6) different types of network services? ..... 152
What is the communication method that uses Unstructured Messaging? ..... 152
What are the Directory Services? ..... 152
What are the functions of the network management software? ..... 153
What is the purpose of standards and protocols? ..... 153
What are the three major standards organizations? ..... 153
ISO LAYER ..... 154
What is the ISO/OSI Model? ..... 154
What is the objective of the ISO/OSI model? ..... 154
How many layers are there in the ISO/OSI model? ..... 154
What data is communicated to other systems? ..... 154
Is it correct that there are protocols that correspond to each of the seven layers? ..... 155
What is the most common phrase used to remember the seven layers? ..... 155
What are the seven layers of the OSI model and what are their functions? ..... 155
What is the most crucial layer when connecting the networks? ..... 162
How does layer 3 work? ..... 162
What is the data called as it travels across the different layers of OSI? ..... 163
What are some common issues regarding OSI? ..... 163
Which layer is responsible for security? ..... 163
What are the differences between Layer 2 and Layer 3 devices? ..... 163
What is the difference between a Hub and a Layer 2 Switch? ..... 164
What is the difference between a switch and a router? ..... 164
What is the difference between a Layer 2 Switch and a Layer 3 Switch? ..... 164
INTERNET AND TCP/IP ..... 165
What are the different speeds for connecting to the Internet? ..... 165
What is a NAP? ..... 165
What are the four layers of the TCP/IP protocol suite? ..... 165
What is the difference between the application layer and the process layer? ..... 165
What is the main task of the host-to-host layer? ..... 165
What is the function of the Internet layer? ..... 165
What are the protocols of the Internet layer? ..... 165
What does the network layer do? ..... 166
How would you map the 4-layered TCP/IP model to the OSI Layers? ..... 166
What other protocol besides TCP can be used at Layer 4? ..... 166
Why is TCP so reliable? ..... 166
What is the major difference between TCP and UDP? ..... 167
Is it only TCP that uses the port number? ..... 167
What is the purpose of the port number? ..... 167
What are the four most common types of addresses and port numbers? ..... 167
What are some common port numbers of applications? ..... 167
What are some common Protocol Numbers? ..... 168
What is a Socket? ..... 168
What is the role of the IP address and the Port Number? ..... 168
What is the difference between numbering and sequencing? ..... 168
What are the features of an IP address? ..... 168
NETWORK INFRASTRUCTURE COMPONENTS ..... 169
What is a Switch? ..... 169
What is a Router? ..... 169
What is the Autonomous System (AS)? ..... 169
What is a Brouter? ..... 169
What is a Gateway? ..... 169
What is a Multiplexer? ..... 169
What are the four methods of multiplexing? ..... 170
What is a WAN Switch? ..... 170
What is the FECP? ..... 170
What is a Protocol Converter? ..... 170
What are Access Servers? ..... 170
What are CSU and DSU? ..... 170
What is the difference between a CSU and a DSU? ..... 171
What are some common channels for remote access? ..... 171
What are the problems with a cable modem? ..... 171
How can remote dial-in access be made secure? ..... 171
MESSAGE TRANSMISSION TECHNIQUES ..... 172
What are the three types of WAN connection? ..... 172
How do a dedicated line, circuit switching and packet switching compare? ..... 172
What are the other two types of switching techniques available besides circuit and packet switching? ..... 172
TRANSMISSION MEDIA ..... 173
What are the different types of Transmission Media? ..... 173
What is the limitation of the CAT 5 Cable? ..... 173
What is the difference between Baseband and Broadband? ..... 173
What does attenuation mean? ..... 173
What does delay distortion mean? ..... 174
What is Noise? ..... 174
ERROR DETECTION AND CORRECTION METHODS ..... 175
How are transmission controls implemented? ..... 175
TOPOLOGY ..... 177
What are the top three topologies? ..... 177
What are the current trends in LAN technology? ..... 177
What is ATM with respect to data communication? ..... 178
WAN (WIDE AREA NETWORK) ..... 179
What are the three methods of dataflow? ..... 179
What are the two types of communication line? ..... 179
What are the two types of circuit structure? ..... 179
What is the difference between Baseband and Broadband? ..... 179
What is the difference between a circuit switch and a packet switch? ..... 179
What are the six (6) common types of Packet Switching Networks? ..... 180
What is X.25? ..... 180
What is LAPB? ..... 180
What is Frame Relay? ..... 180
What are the steps for Frame Relay communication between two sites? ..... 181
How do Frame Relay and X.25 compare? ..... 181
What is SMDS? ..... 181
What are the key features of ATM? ..... 181
How is ATM better than Frame Relay? ..... 182
OTHER WAN TECHNOLOGIES ..... 183
What are the features of VoIP? ..... 183
What is H.323? ..... 183
What is SDLC? ..... 183
What is HDLC? ..... 183
What are the salient features of HDLC? ..... 184
What are the different HDLC modes? ..... 184
How do SDLC and HDLC compare? ..... 184
What is HSSI? ..... 184
What are the salient features of HSSI? ..... 184
What is SONET? ..... 185
ISDN ..... 186
What is ISDN? ..... 186
What is ISDN used for? ..... 186
Can analog phones and fax machines be used over ISDN lines? ..... 186
What are the two channels for ISDN? ..... 186
What encapsulation method is used for ISDN? ..... 187
What are the two types of ISDN? .......... 187
What are the private options for connecting a Network? .......... 187
What does the PPP provide? .......... 187
XDSL (DIGITAL SUBSCRIBER LINE) .......... 189
What are the four major xDSLs? .......... 189
What is the advantage of DSL lines? .......... 189
VPN .......... 189
What exactly is VPN? .......... 189
What are the three (3) most common protocols for VPN? .......... 189
What is PPTP? .......... 189
What is L2F? .......... 189
What is L2TP? .......... 190
What is IPSEC? .......... 190
How is IPSEC unique? .......... 190
How many types of VPN Devices are there? .......... 190
COMMUNICATION BASICS - WIRELESS .......... 192
What are the carriers for Wireless communications? .......... 192
How fast can a Wireless carrier travel? .......... 192
What is the difference between Wireless and Cordless? .......... 192
What is EMS? .......... 192
What are the ten (10) common categories of waves? .......... 192
What are the three methods of measuring EMS? .......... 193
What is the difference between FM and AM? .......... 193
Where are KHz, MHz and GHz used? .......... 194
What are the different Electromagnetic Spectrum Frequencies? .......... 194
Why do wireless devices have problems working near a microwave oven? .......... 194
MOBILE PHONE COMMUNICATION AMPS (1G) .......... 195
What is AMPS? .......... 195
What are the disadvantages of AMPS? .......... 195
What is NAMPS? .......... 195
MOBILE PHONE COMMUNICATION GSM (2G) .......... 196
What is GSM? .......... 196
What are the advantages of GSM? .......... 196
MOBILE PHONE COMMUNICATION CDMA/PCS (2G) .......... 197
What is CDMA? .......... 197
What are the advantages of CDMA? .......... 197
How is CDMA different from GSM? .......... 197
Where is CDMA used? .......... 197
What is the difference between CDMA and TDMA? .......... 197
What is PCS? .......... 198
What is the difference between PCS and CDMA? .......... 198
Is the PCS standard only related to CDMA? .......... 198
Does PCS mean Digital Cellular? .......... 198
Does a frequency of 800 MHz mean an analog phone? .......... 198
Are analog phones obsolete after CDMA/PCS? .......... 198
Why choose PCS? .......... 199
MOBILE PHONE COMMUNICATION BASICS GPRS (2.5G) .......... 200
What is GPRS? .......... 200
How does GPRS work? .......... 200
What is the prerequisite for GPRS? .......... 200
What is the theoretical maximum speed of the GPRS network? .......... 200
How fast is the GPRS network compared to other technologies? .......... 200
How does GPRS compare to the SMS service? .......... 201
What services are supported by GPRS? .......... 201
SMS and MMS .......... 201
MOBILE PHONE COMMUNICATION BASICS EDGE (2.5G) .......... 202
What is EDGE? .......... 202
What are the advantages of EDGE? .......... 202
MOBILE PHONES COMMUNICATION BASICS 3G .......... 203
What does 3G refer to? .......... 203
What bandwidth is allocated for 3G? .......... 203
What data rates are supported by 3G? .......... 203
What types of backbone network are supported? .......... 203
What types of applications are supported? .......... 203
BEYOND 3G .......... 204
What would be the characteristics of 4G? .......... 204
When would development on 4G start? .......... 204
When is 4G expected to come to the market? .......... 204
HSCSD .......... 205
What is HSCSD? .......... 205
What data rate is supported on HSCSD? .......... 205
How popular is HSCSD? .......... 205
How is the HSCSD service used? .......... 205
BLUETOOTH .......... 206
What is Bluetooth? .......... 206
What is new in Bluetooth Ver 1.2? .......... 206
What speeds does Bluetooth support? .......... 206
What are the uses of Bluetooth? .......... 206
What is the limitation of Bluetooth? .......... 207
RFID .......... 208
What is RFID? .......... 208
What are the advantages of RFID over bar code? .......... 208
How does RFID work? .......... 208
SATELLITE COMMUNICATIONS .......... 209
SATELLITE BASICS .......... 209
What is the role of the Satellite in communication? .......... 209
How are satellites controlled? .......... 209
What are transponders? .......... 209
What is COMSAT? .......... 209
What is DBS? .......... 209
How are the five (5) basic satellites classified with respect to their orbits? .......... 210
What happens at the outer edge of the footprint? .......... 211
GPS .......... 212
What is GPS? .......... 212
What are NAVSTARs? .......... 212
How does the GPS system work? .......... 212
How does the GPS project compare with the Iridium Project? .......... 213
Why are satellite phones bulkier than cell phones? .......... 213
MAJOR SATELLITE PROJECTS .......... 214
What are some of the major satellite projects? .......... 214
What is the function of IRAS? .......... 216
How are Infrared pictures seen? .......... 216
What are the limitations of satellites? .......... 216
WIRELESS BASICS .......... 217
What are the three major terms used for a group of wireless technologies? .......... 217
What are the five major Wireless Technologies? .......... 217
What are the different wireless frequencies? .......... 218
What are the different Wireless Standards? .......... 218
How can 802.11a interoperate with an 802.11b device? .......... 219
What is the difference between 802.11g and 54g? .......... 219
What are the dual-band and triple-band APs? .......... 219
Why are 900 MHz, 2.5 GHz and 5 GHz used most of the time? .......... 219
What is a Network Stumbler? .......... 219
802.11 WIRELESS .......... 220
What does the 802.11 specify? .......... 220
What does the 802.11 standard define? .......... 220
What are the uses of the physical layer? .......... 220
What is the speed supported by 802.11? .......... 220
What is the frequency range? .......... 220
Why is infra-red more secure? .......... 220
What does the PHY MAC address resemble? .......... 220
What is the data transfer mode for WEP? .......... 220
What is the association? .......... 220
What does re-association refer to? .......... 221
What is the relationship between 802.11 and WEP? .......... 221
WAP .......... 222
What is WAP? .......... 222
What are the limitations of WAP? .......... 222
How do WAP applications work? .......... 222
WEP .......... 223
What is WEP? .......... 223
How does WEP work? .......... 223
How do the key components of WEP compare with those of legacy? .......... 223
WPA .......... 224
What is WPA? .......... 224
What are the differences between WEP, WPA and WAP? .......... 224
OTHER WIRELESS TECHNOLOGIES .......... 225
What is 802.1x? .......... 225
What is the difference between WEP and 802.1x? .......... 225
What is EAP's role in 802.1x? How does EAP link to PPP? .......... 225
What is the difference between Legacy EAP and 802.1x EAP? .......... 225
What are the three components of EAP Authentication? .......... 225
What is the recommended method of providing authentication? .......... 225
What is EAPOL? .......... 225
What is LEAP? .......... 225
WIRELESS SECURITY .......... 227
What are the two devices that have problems with this implementation? .......... 227
What exactly is the problem? .......... 227
What are the issues related to Wireless security? .......... 227
What is WAP? .......... 227
What are the limitations of WAP? .......... 227
What are the applications of WAP? .......... 227
Where does WAP map to the OSI Layers? .......... 228
How would you compare the components of WAP with the conventional world? .......... 228
What is the Security protocol for WAP? .......... 228
What are the three classes of WTLS? .......... 228
How is the authentication performed? .......... 228
What is the WAP gateway? .......... 228
What are the solutions for fixing the WAP gateway? .......... 229
What is the problem at the WAP Gateway? .......... 229
What are the alternatives to WML? .......... 229
What is the problem with C-HTML? .......... 229
What is the issue with "Mobile PKI"? .......... 229
What is "Dead Time"? .......... 229
VOICE PROTECTION .......... 230
What is a PBX and what does it stand for? .......... 230
How old are PBXs? .......... 230
How is a PBX secured? .......... 230
How can a Fax Transmission be secured? .......... 230
What are the ISO-defined five (5) major tasks related to Network Management? .......... 230
How are WAN communications monitored? .......... 230
Recap: Major Points to remember regarding WANs .......... 231
CLIENT/SERVER ENVIRONMENT .......... 232
What is the Client/Server environment? .......... 232
What are two- and three-tier architectures? .......... 232
What are the major differences between two-tier and three-tier Architectures? .......... 232
MIDDLEWARE .......... 233
What is the role of middleware in the client/server environment? .......... 233
What are the functions of middleware? .......... 233
Where can middleware be used? .......... 233
What are the risks of middleware? .......... 233
INFORMATION SYSTEMS OPERATIONS .......... 234
What are lights-out operations? .......... 234
What are the major types of lights-out operations? .......... 234
DATA VERIFICATIONS .......... 234
What are the major data entry controls? .......... 234
What are the two major IS management responsibilities regarding IS department operations? .......... 234
What are the typical control functions for managing operations? .......... 234
What does job accounting refer to? .......... 235
What are the major steps in problem management? .......... 235
What are the five (5) major types of error log? .......... 235
What are the ten (10) common items contained in the error log report? .......... 235
What is the segregation of duties regarding the error log? .......... 236
What is PCC? .......... 236
DOMAIN 4: PROTECTION OF INFORMATION ASSETS .......... 237
BASICS .......... 237
What is the most important factor in Information Security Protection? .......... 237
What is a must for the basic protection of information assets? .......... 237
What are the key elements of security management? .......... 237
What are the various classifications of responsibility, from top to bottom? .......... 237
DATA CLASSIFICATION .......... 239
How is data classified? .......... 239
Why is data classification performed? .......... 239
What type of information should be classified? .......... 239
What are the common information classifications in business? .......... 239
What are the common military classifications? .......... 239
What is the difference between military and commercial applications? .......... 240
What is the rule of thumb for the security acronym? .......... 240
What are the five (5) bases of information classification? .......... 240
Who has the power to enforce information disclosure? .......... 240
What are the basic controls for data classification? .......... 241
SYSTEM ACCESS .......... 242
What are the two types of system access? .......... 242
What is the checklist for the controls? .......... 242
What is the "Access Path"? .......... 242
What are the four (4) IT layers of Security to be taken care of for system access control? .......... 242
How should the authorization be delivered? .......... 242
Who should implement the access capability? .......... 243
Who should review the access controls? .......... 243
SECURITY AWARENESS .......... 244
What are the three main channels for security awareness? .......... 244
What does the term 'securityware' refer to? .......... 244
What are the objectives of security awareness? .......... 244
What are some of the key components of Security Programs? .......... 244
Who should the security training be aimed at? .......... 244
What is the purpose of an awareness program? .......... 245
What is the weakness of an awareness program? .......... 245
INCIDENT HANDLING AND RESPONSE .......... 246
What is the difference between a security problem and a security Incident? .......... 246
What is a computer security incident? .......... 246
What are the phases of a security incident? .......... 246
What are the roles and responsibilities regarding incident response? .......... 246
INFORMATION SECURITY MANAGEMENT STANDARD .......... 247
What is a Privacy Impact Analysis - PIA? .......... 247
What are the five (5) key elements of a PIA? .......... 247
What are the situations when a PIA should be given special consideration? .......... 247
What are the critical factors in implementing an information security management program? .......... 247
COMPUTER CRIME .......... 248
What is so unique about computer crime? .......... 248
What are the issues resulting from computer crime? .......... 248
Who commonly commits computer crimes? .......... 248
LOGICAL ACCESS EXPOSURE AND CONTROLS .......... 249
What is the primary means of managing and protecting controls? .......... 249
What should the IS auditor do first when auditing Logical Access Control? .......... 249
How will the mapping of logical access control to policies and procedures help the IS auditor? .......... 249
What is the difference between rounding-down and the Salami Technique? .......... 249
OTHER LOGICAL EXPOSURES .......... 250
How is integrity compromised and how can it be protected? .......... 250
What is the difference between a virus and a Trojan horse? .......... 250
How do a Virus and a Worm compare? .......... 250
What are the four parts of a computer generally attacked by viruses? .......... 251
What are asynchronous attacks? .......... 251
What are the two major ways of controlling a virus? .......... 251
What is the problem with Integrity CRC checker programs? .......... 251
What is the problem with immunization? .......... 251
What is the "Virus Wall"? .......... 252
What is the checklist of the items to be reviewed for Information Security management? .......... 252
What is the first step in controlling logical security? .......... 252
What is the general division of the access points? .......... 252
What are the logical entry points for the system? .......... 252
How can the layer type provide the greatest degree of protection? .......... 253
What is the checklist for Operating System controls? .......... 253
What is the checklist for Database and Application-Level Access Control? .......... 253
What layer provides the granularity of protection and segregation of duties? .......... 253
What is the first line of defense for access control? .......... 254
What are the major vulnerabilities for system access? .......... 254
What are the three (3) types of Authentication? .......... 254
What is two-factor authentication? .......... 254
What is the ideal password? .......... 254
What is a cognitive password? .......... 254
How many types of passwords are there? .......... 255
What is a Passphrase? .......... 255
How many common types of cards are there? .......... 255
SMART CARDS ... 256
What is the difference between a Memory Card and a Smart Card? ... 256
What are the four types of smart card? ... 256
What is the difference between a Smart Synchronous Dynamic Password and one with a Challenge Response? ... 257
What is an alternative use of password authentication? ... 257
In terms of effectiveness and low ERR, what are the top five types of Biometric techniques? ... 257
Biometrics options summary ... 258
What are the other behavior-oriented systems for authentication? ... 259
What are the major limitations of the biometrics techniques? ... 259
What are the two types of errors related to biometrics applications? ... 259
What is the Crossover rate? ... 260
What is the yardstick for checking the performance of the authentication system? ... 260
Points to remember regarding authentication and authorization ... 261
MISCELLANEOUS ... 263
Who implements the system access capabilities? ... 263
What is the role of naming conventions in access control? ... 263
Who sets up the naming convention? ... 263
Why are naming conventions important? ... 263
SINGLE SIGN-ON ... 264
What is a Single Sign-On (SSO)? ... 264
What are the security concerns regarding a Single Sign-On? ... 264
How can the concerns about an SSO be addressed? ... 264
What is the concept of Primary Domain and Secondary Domain with respect to SSO? ... 264
What are the disadvantages of SSO? ... 264
What are some examples of SSOs? ... 264
ENCRYPTION ... 265
What is encryption? ... 265
Is it true that cipher text cannot be decrypted? ... 265
What is Clustering? ... 265
What is the ESP? ... 265
What are the codes? ... 265
What are the two branches of cryptology? ... 265
BASICS OF CRYPTOGRAPHIC MATHEMATICAL OPERATIONS ... 266
What is XOR? ... 266
What is a One-Time Pad? ... 267
What is Steganography? ... 267
What is a Work Function? ... 267
HISTORY OF CRYPTOGRAPHY ... 268
What is a brief history of Cryptography? ... 268
What was a Purple Machine? ... 268
What was Enigma? ... 268
What was Bombe? ... 268
What is Simba? ... 268
What is the difference between Caesar Cipher and Substitution? ... 268
What is a Scytale Cipher? ... 268
What is the "Key Space"? ... 269
EXAMPLE OF ENCRYPTION AND DECRYPTION ... 270
Give a simple example of encryption and decryption. ... 270
What is MOD 26 and MOD 256? ... 271
What is the Poly-alphabetic Cipher? ... 271
What is transposition? ... 271
What is the problem with transposition? ... 271
What is the Vernam Cipher? ... 272
What is the Book Cipher? ... 272
What are codes? ... 272
What is the secret key? ... 272
How do Link and End-to-End Encryption compare? ... 272
How do hardware and software encryption compare? ... 272
What is a Public Key? ... 273
What is a Private Key? ... 273
Things to remember ... 273
How many Private Keys does a person have? ... 273
What is the biggest challenge with a Private Key? ... 273
What is a secret key? ... 273
When is an asymmetric key used and when is a symmetric key used? ... 274
What are the limitations of symmetric keys? ... 274
How do symmetric and asymmetric keys compare? ... 274
What is the nature of a Session Key? ... 274
What type of Encryption method does UNIX use? ... 274
What is a Digital Envelope? ... 274
What is the difference between a Digital Envelope and a Cryptolope? ... 275
How do a Block Cipher and a Stream Cipher compare? ... 275
DES ... 276
What is DES? ... 276
What are the sixteen (16) rounds of DES? ... 276
Who is Shannon and what is his role in encryption? ... 276
What is confusion? ... 277
What is the S-Box? ... 277
What is Diffusion? ... 277
How do confusion and diffusion compare? ... 277
What is a Key Schedule? ... 277
How is diffusion implemented? ... 277
What are the 4 modes of DES? ... 277
What is ECB? ... 278
What is the objective of CBC? ... 278
What is CFB (Cipher Feedback) mode? ... 279
What is Output Feedback (OFB) Mode? ... 279
TRIPLE DES ... 281
What is Triple DES? ... 281
What is the need for Triple DES? ... 281
How is Triple DES performed? ... 281
How are the keys used in Triple DES? ... 281
AES ... 282
What is AES? ... 282
What are the features of the Rijndael Cipher? ... 282
RIJNDAEL ALGORITHM ... 283
Why is the Rijndael Algorithm so important? ... 283
What are the key lengths for the Rijndael Block Cipher? ... 283
What is the concept of 'State' in a Rijndael Block? ... 283
What are the 3-layered Round Transformation steps of a Rijndael Block Cipher (RBC)? ... 283
What is the Round Key? ... 283
Solve the following problem ... 283
What are the applications of the Rijndael Block? ... 284
TWO FISH ALGORITHM ... 285
What is the Two Fish algorithm? ... 285
What algorithm does Two Fish use? ... 285
What do Pre-Whitening and Post-Whitening refer to in the Two Fish method? ... 285
What is the purpose of Pre- and Post-Whitening? ... 285
What are the three ways of providing diffusion in the Two Fish algorithm? ... 285
IDEA ... 286
What is IDEA? ... 286
Why is IDEA considered to be more secure? ... 286
What is the most common implementation of IDEA? ... 286
RC5 ... 287
What are the important features of RC5? ... 287
ASYMMETRIC KEY ... 288
What is an Asymmetric Key? ... 288
Why is the Public Key slower? ... 288
What is a hybrid system? ... 288
Be Careful ... 288
To what do the following terms refer? Secure Message Format, Open Message Format, Secure Signed Format and Digital Signature ... 288
What are the top five public key encryption algorithms? ... 288
RSA ... 290
What is RSA? ... 290
What are the applications of RSA? ... 290
DIFFIE-HELLMAN KEY EXCHANGE ... 291
What is the Diffie-Hellman method used for? ... 291
What are the limitations of the Diffie-Hellman System? ... 291
EL-GAMAL ... 292
What is the El-Gamal Algorithm? ... 292
What would be a simple example of El-Gamal? ... 292
MERKLE-HELLMAN KNAPSACK ... 293
What is the Merkle-Hellman Knapsack Algorithm? ... 293
What is a super-exceeding number? ... 293
ELLIPTIC CURVE CRYPTO SYSTEM ... 294
What is the Elliptic Curve Crypto System? ... 294
What are the applications of the Elliptic Curve Crypto System? ... 294
PUBLIC KEY ALGORITHM ... 295
What are the two ways of carrying out the Public Key Algorithm? ... 295
What is a Digital Signature? ... 295
What are the advantages of a Digital Signature? ... 295
What is the difference between a Session Key and a Secret Key? ... 295
ONE WAY HASH ... 297
What is a One-way Hash? ... 297
What are Fingerprints and Cryptographic Checksums? ... 297
What is the hash function used for? ... 297
MESSAGE DIGEST ... 298
What is a Message Digest? ... 298
How is the Message Digest interpreted? ... 298
What are the common Hash functions available? ... 298
What is the Message Digest used for? ... 298
What is SHA-1? ... 298
What are the properties of SHA-1? ... 298
MD2 ... 299
What are the salient features of MD2? ... 299
What are the limitations of MD2? ... 299
MD4 ... 300
What are the prominent features of MD4? ... 300
MD5 ... 301
What are the prominent features of MD5? ... 301
What is the length of the message digest? ... 301
What is the block size? ... 301
What is a MAC? ... 301
What is HMAC? ... 301
How does HMAC work? ... 302
What is HAVAL? ... 302
DSS ... 303
What is DSS? ... 303
TYPES OF CRYPTOGRAPHIC ATTACK ... 304
What is a Known Plain Text attack? ... 304
What is a Chosen Plain Text attack? ... 304
What is an Adaptive Plain Text attack? ... 304
What is a Known Cipher Text Only attack? ... 304
What is a Chosen Cipher Text attack? ... 304
What is an Adaptive Chosen Cipher Text attack? ... 304
What is a 'Meet in the Middle' attack? ... 305
What is a 'Man in the Middle' attack? ... 305
What is a Replay attack? ... 305
What is a Dictionary attack? ... 305
CRYPTO ANALYSIS ... 306
What is Differential Crypto-analysis? ... 306
What is Linear Crypto-analysis? ... 306
What is Differential Linear Crypto-analysis? ... 306
PKI ... 307
What are the components of PKI? ... 307
Why do we need a CA? ... 307
How does a CA work? ... 307
What is the problem with a CA? ... 307
What infrastructure is recommended for PKI? ... 308
What are the maintenance components of PKI? ... 308
What is the role of LDAP in a CA? ... 308
How do the X.500 and X.509 standards differ? ... 308
What are the security concerns relating to LDAP servers? ... 308
ESCROW ARRANGEMENTS ... 309
What are the escrow arrangements for Cryptography? ... 309
How is the escrow arrangement for Cryptography addressed? ... 309
What is the Clipper chip method? ... 309
How does the Clipper chip method work? ... 309
FAIR CRYPTO-SYSTEM ... 310
What is the Fair Crypto-system? ... 310
KEY MANAGEMENT ... 311
What measures should be adopted in order to manage the key? ... 311
EMAIL SECURITY ... 311
What are the issues regarding e-mail security? ... 311
What is S/MIME? ... 311
What standard does S/MIME follow? ... 311
MOSS ... 312
What is MOSS? ... 312
What technology does MOSS use? ... 312
How does MOSS differ from S/MIME? ... 312
PEM ... 313
What is PEM? ... 313
What does PEM support? ... 313
What does PEM use for encryption? ... 313
What does PEM use for Digital Signatures? ... 313
What is MSP? ... 313
What is PKCS? ... 313
PGP ... 314
    What is PGP? ..... 314
    What does PGP use? ..... 314
INTERNET SECURITY APPLICATIONS ..... 315
    What is a MAC? ..... 315
    What is the problem with MAC? ..... 315
SET SECURE EVALUATION TRANSACTION ..... 316
    What is a SET? ..... 316
    Why is SET not used very often? ..... 316
    Rule of Thumb: ..... 316
SSL ..... 317
    What is SSL? ..... 317
    What are the two types of authentication supported by SSL? ..... 317
    What are the protocols supported by SSL? ..... 317
    How would you know if a web page supports SSL? ..... 317
    How does SSL function? ..... 317
    What is the limitation of SSL? ..... 318
    What is the difference between https (SSL) and shttp? ..... 318
TLS ..... 319
    What is TLS? ..... 319
    What are the problems with TLS? ..... 319
    Where does TLS reside? ..... 319
    What is the similarity between SSL and TLS? ..... 319
    What is IOTP? ..... 319
    What is MONDEX? ..... 319
    What is the limitation of MONDEX? ..... 320
IPSEC ..... 321
    What is IPSEC? ..... 321
    What are the two main protocols for IPSEC? ..... 321
    What does AH provide? ..... 321
    What does ESP provide? ..... 321
    What is SA? ..... 321
    What does SA contain? ..... 322
    What are the components of SA? ..... 322
    What are the limitations of SA? ..... 322
    What are the additional benefits of IPSEC? ..... 322
    What is SPI? ..... 322
    Rule of Thumb ..... 322
    What are the two modes of IPSEC? ..... 323
    What is the additional overhead of the tunnel? ..... 323
    What hashing algorithm is used in VPN? ..... 323
    Rule of thumb ..... 323
    What is the role of SA? ..... 323
    How is the SA bundle used? ..... 323
    Who steps up and manages SA on the Internet? ..... 323
    What is ISAKMP? ..... 323
    Which protocols does ISAKMP use? ..... 324
    How does the key management of IPSEC take place? ..... 324
    What is S/WAN? ..... 324
OTHER APPLICATIONS ..... 325
    What is SSH-2? ..... 325
    What is SSH-2 composed of? ..... 325
    Remember: ..... 325
SET ..... 326
    What is SET? ..... 326
    What does SET do? ..... 326
    What is the future of SET? ..... 326
    What is the difference between SHTTP and HTTPS? ..... 326
    What are the two protocols inside SSL? ..... 326
    What type of encryption is done by SSL? ..... 326
    What is SKIP? ..... 326
    What does SKIP do? ..... 326
    How does the authentication of SKIP differ from that of SSL? ..... 327
    What is SSH-2? ..... 327
    What does SSH-2 provide? ..... 327
    What are the two components of SSH? ..... 327
    Encryption - Points to Remember! ..... 328
    Traditional Connection vs IPSEC ..... 333
    How strong is a 40-bit key? ..... 333
FIREWALLS ..... 334
    What are the different kinds of firewall? ..... 334
    What is the difference between a packet-filtering firewall and a screening router? ..... 334
    What are the main features of a packet-filtering firewall? ..... 334
    What are the limitations of a packet-filtering firewall? ..... 334
APPLICATION LEVEL FIREWALL ..... 335
    What is an application level firewall? ..... 335
    What are the limitations of an Application Level Firewall? ..... 335
STATEFUL INSPECTION ..... 335
    What is stateful inspection? ..... 335
    What is a Dynamic Packet-filtering Firewall? ..... 335
KERNEL LEVEL FIREWALL ..... 336
    What is a Kernel Level Firewall? ..... 336
    What is a Screened Host? ..... 336
CIRCUIT LEVEL FIREWALL ..... 336
    What is a Circuit-Level Firewall and how is it positioned? ..... 336
    What are the limitations of firewalls? ..... 336
    What are the most transparent and most annoying firewall implementations for users? ..... 337
    What is the Bastion Host? ..... 337
    What is a dual-homed device/firewall? ..... 337
    What is the SOCKS server? ..... 337
    What is the difference between a Screened Host and a Screened Subnet? ..... 337
    What is the difference between a NAT (Network Address Translation) and a Proxy? ..... 338
    What are the five (5) types of firewall? ..... 338
INTRUSION DETECTION SYSTEMS ..... 340
    What is an Intrusion Detection System (IDS)? ..... 340
    What are the four (4) types of IDS Implementation? ..... 340
NETWORK-BASED IDSS ..... 340
    What do Network-based IDSs do? ..... 340
    What are the limitations of a network-based IDS? ..... 340
HOST-BASED IDSS ..... 341
    What is a host-based IDS? ..... 341
    What are the limitations of a host-based IDS? ..... 341
DATABASE-BASED IDSS ..... 341
    What is a Database-based IDS? ..... 341
    What are the limitations of database-level IDSs? ..... 341
TYPES OF IMPLEMENTATION OF IDSS ..... 342
    How many types of IDSs are there? ..... 342
    What is signature-based intrusion detection? ..... 342
    What are the problems with signature-based attacks? ..... 342
    What is a statistical anomaly-based IDS? ..... 342
    What are the limitations of an anomaly-based IDS? ..... 342
CIRT/CERT ..... 343
    What is CIRT and why is it considered to be a follow-up for the IDS system? ..... 343
    What is the main responsibility of the CIRT team? ..... 343
COMMON CONTROLS TO BE AUDITED BY THE AUDITOR ..... 344
    What are the ten (10) common Technical Controls that the IS auditor should audit? ..... 344
    What are the fifteen (15) common physical access controls that the IS auditor should audit? ..... 344
    What are the four (4) common laptop security controls? ..... 345
DOMAIN 5: DISASTER RECOVERY PLANNING/BUSINESS CONTINUITY PLANNING ..... 346
GENERAL ..... 346
    What is the focus of BCP? ..... 346
    How far away should the recovery site be? ..... 346
    What are the two priorities in the case of a disaster? ..... 346
    What are the components of a BCP? ..... 346
    What is the difference between a Disaster Recovery Plan and a Contingency Plan? ..... 347
DISASTER RECOVERY PLANNING ..... 348
    What does the DRP document contain? ..... 348
    What is included in the DRP Planning Process? ..... 348
    What do the DRP and BCP involve? ..... 349
    What items are included in the Recovery Plan Document? ..... 349
    What does the vital record program address? ..... 350
    What is the difference between the BCP and the DRP? ..... 350
    BCP: ..... 350
    DRP: ..... 350
    What is the purpose of the BCP? ..... 350
    What does the BCP look for? ..... 350
    What are the five phases for BCP? ..... 351
BUSINESS IMPACT ANALYSIS ..... 352
    What is a BIA? ..... 352
    What are the two approaches for BIA? ..... 352
    Points to Remember ..... 352
    What are the objectives of BIA? ..... 352
    What is the relationship between a Business Impact Analysis and a Risk Assessment? ..... 352
TESTING OF PLAN ..... 353
    How is the DRP/BCP tested? ..... 353
    What is a critical survey? ..... 353
RECOVERY TIME CALCULATION ..... 354
    How is the acceptable recovery time calculated? ..... 354
    What back-up recovery site option is the best with respect to recovery time? ..... 354
SYSTEM CLASSIFICATION ..... 355
    What are the four classifications of the systems? ..... 355
RAID ..... 356
    What does RAID stand for? ..... 356
    When data is distributed across disks, what is this process called? ..... 356
    What are the three classes of RAID? ..... 356
    What does FRDS actually provide? ..... 356
    What are the additional features in FRDS Plus? ..... 356
    How many levels of RAID are defined? ..... 356
    What are the two types of RAID Implementation? ..... 358
    Why do RAID 0 and RAID 1 run faster on software? ..... 358
MISC ..... 359
    What are the different types of tests that are performed? ..... 359
    What are the three types of tests? ..... 359
    What is the electronic vault? Is it something related to e-payment? ..... 359
    What is a Remote Journal? ..... 359
    What is database shadowing? ..... 359
    Summary of DRP/BCP ..... 360
DOMAIN 6: BUSINESS APPLICATION DEVELOPMENT ..... 363
BASICS ..... 363
    What is SDLC? ..... 363
    What is the Spiral Model? ..... 363
    What is the Simplistic Model? ..... 363
    What is the checklist for testing a system? ..... 363
    What are the different roles in Application Development? ..... 364
    What are the different types of testing? ..... 365
    What are the three common tools to debug the applications? ..... 366
    What are the other terminologies for testing? ..... 366
    What is the difference between the Bottom-up and Top-down approach? ..... 367
OBJECT-ORIENTED DATABASE ..... 368
    When most people are using Relational Databases, what is the need for Object-Oriented Databases (OODB)? ..... 368
    How does one decide whether a Relational or an Object-Oriented Database is better for you? ..... 368
    What are the problems with OODBs? ..... 368
    What are some examples of Object Relational Databases? ..... 368
COMPONENT-BASED DEVELOPMENT ..... 369
    What is an alternative way of making the object available? ..... 369
    What is the other name for an ORB? ..... 369
    What has the OMG (Object Management Group) developed? ..... 369
    What is CORBA? ..... 369
    How do ORB and CORBA compare? ..... 369
    What does CORBA define? ..... 369
    What is required for CORBA at the user end? ..... 369
    What does the IDL file do? ..... 369
    What is a common example of CORBA? ..... 370
    What is COM? ..... 370
    What is the relationship between OLE and COM? ..... 370
    What is OLE (Object Library Embedding)? ..... 370
    What is DCOM? ..... 370
    What is an example of OOP? ..... 370
    What are the advantages of C++? ..... 370
    How do Cohesion and Coupling compare? ..... 370
XML ..... 371
    What is XML? ..... 371
    What are the two common types of XML Implementations? ..... 371
    What is UDDI? ..... 371
PROTOTYPING ..... 372
    What is prototyping? ..... 372
    What are the two approaches to prototyping? ..... 372
    What are the problems with the prototyping approach? ..... 372
RAD ..... 373
    What is RAD? ..... 373
    What techniques are used in RAD? ..... 373
    What does RAD support? ..... 373
    What does RAD not support? ..... 373
    What are the four stages of RAD? ..... 373
    What is Agile Development? ..... 374
    What is Reverse Engineering? ..... 374
    What is Change Control? ..... 374
    What is Configuration Management? ..... 375
Copyright 2004 Pacific Information Security Consulting www.PacificIS.com

27

CISA Study Guide in EasyFAQs


How the production is separated from the test? ................................................................................. 375 On what basses are the program moved from test to production? ..................................................... 375 How many version of source code should be present in the production environment?...................... 375 What is the difference between SLOC and FPA? ............................................................................... 375 How is the Productivity computed in FPA?....................................................................................... 376 How is Quality computed in FPA? ..................................................................................................... 376 How is the cost calculated in FPA?.................................................................................................... 376 What are the two common ways to compute the task efforts? ............................................................ 376 What is scheduling?............................................................................................................................ 376 What are the constraints for Software Cost Estimation?.................................................................... 376 PROJECT MANAGEMENT.......................................................................................................................... 377 What is CPM?..................................................................................................................................... 377 What is the Critical Path? .................................................................................................................. 377 What is Gantt Chart?.......................................................................................................................... 377 What is PERT? 
................................................................................................................................... 377 What are the two-(2) basic components of PERT?............................................................................. 377 What is the first thing to do in PERT?................................................................................................ 378 What are the three kinds of estimates in PERT? ................................................................................ 378 How is the PERT duration Calculated? ............................................................................................. 378 What is the significance of the Critical Path in duration management? ............................................ 378 What is the Timebox Management?.................................................................................................... 378 CASE...................................................................................................................................................... 379 What is CASE? ................................................................................................................................... 379 What are the Three types of CASE? ................................................................................................... 379 ISO - 9126............................................................................................................................................... 380 What is the significance ISO-9126 for software development? .......................................................... 380 CMM/SEI ............................................................................................................................................... 381 What is CMM/SEI?............................................................................................................................. 381 What is the SEI and CMM relationship? 
Is SEI a different model? ................................................... 381 What are the 5 SEI Maturity Levels?.................................................................................................. 381 What are the details of 5 SEI Maturity Levels? .................................................................................. 382 What is CMMI? .................................................................................................................................. 383 Points to Remember: .......................................................................................................................... 384 DOMAIN 7: BUSINESS PROCESS EVALUATION AND RISK MANAGEMENT........................ 395 BPR ........................................................................................................................................................ 395 What is BPR and why it is initiated? .................................................................................................. 395 What goals are achieved through BPR?............................................................................................. 395 What are the six steps of BPR?........................................................................................................... 395 What are the three keywords for understanding BPR? ...................................................................... 395 What are the different steps for BPR? ................................................................................................ 396 What is benchmarking and how it is used in BPR? ............................................................................ 396 RISK MANAGEMENT ................................................................................................................................ 398 Why is Risk Management undertaken?............................................................................................... 
398 What is the Total Risk Formula? ........................................................................................................ 398 What are the four (4) things can be done regarding Risk Assessment?.............................................. 398 How is the Risk Management Process handled? ................................................................................ 398 IT GOVERNANCE ..................................................................................................................................... 401 What does IT governance cover? ....................................................................................................... 401 What is the main objective of IT governance?.................................................................................... 401 What is a balanced IT scorecard? ...................................................................................................... 401 APPLICATION CONTROLS ........................................................................................................................ 402 What is a Batch Control? ................................................................................................................... 402 What are the four (4) ways of processing input errors?..................................................................... 402 What are the seven (7) input control techniques? .............................................................................. 402 Sold as Single Copy Unauthorized Circulation Strictly Prohibited
Copyright 2004 Pacific Information Security Consulting www.PacificIS.com

28

CISA Study Guide in EasyFAQs


What are the six (6) Processing Controls?......................................................................................... 402 DATA VALIDATION EDIT CONTROLS ....................................................................................................... 404 What are the twelve (12) types of Data Validation Edit Controls? .................................................... 404 What are the seven (7) output controls?............................................................................................. 404 What are the eleven (11) Data File Controls? ................................................................................... 405 What are the four (4) Data Integrity controls?................................................................................... 407 What are the four-(4) controls for OTPS?.......................................................................................... 408 What are the five (5) testing computer application controls? ............................................................ 409 SYSTEM DOCUMENTATION ...................................................................................................................... 410 What are the six (6) types of Applications System documentation? ................................................... 410 BUSINESS APPLICATION SYSTEMS ........................................................................................................... 411 What are the six (6) common E-commerce models?........................................................................... 411 What are the five (5) common risks in e-commerce?.......................................................................... 411 EDI ......................................................................................................................................................... 412 What is the Electronic Data Interchange? 
......................................................................................... 412 What are the components of EDI?...................................................................................................... 412 What are the risks for EDI?................................................................................................................ 413 ARTIFICIAL INTELLIGENCE ...................................................................................................................... 414 What are the major AI systems? ......................................................................................................... 414 How do the Conventional and Expert Systems compare? .................................................................. 414 What does the Knowledge Base contain? ........................................................................................... 414 What is Salience? ........................................................................................................................... 414 How does an expert system operate?.................................................................................................. 414 What is the difference between forward and backward chaining? ..................................................... 414 What is Fuzzy Logic?.......................................................................................................................... 414 DATA WAREHOUSING ............................................................................................................................. 415 What is a data warehouse?................................................................................................................. 415 What is Metadata?.............................................................................................................................. 
415 What are the concerns regarding Data Warehouses?........................................................................ 415 Points to Remember: .......................................................................................................................... 416 APPENDIX LAST DAY SUMMARY ................................................................................................. 436 DOMAIN 1: IS AUDIT PROCESS ................................................................................................................ 437 DOMAIN 2: MANAGEMENT PLANNING AND ORGANIZATION OF IS ......................................................... 445 DOMAIN 3: TECHNICAL INFRASTRUCTURE AND OPERATIONS ................................................................ 451 DOMAIN 4: PROTECTION OF INFORMATION ASSETS ................................................................................ 456 DOMAIN 5: DRP...................................................................................................................................... 468 DOMAIN 6: APPLICATION DEVELOPMENT ............................................................................................... 473 DOMAIN 7: BUSINESS PROCESS EVALUATION AND RISK MANAGEMENT ................................................ 486


Introduction
Certified Information Systems Auditor (CISA) is a very well-respected certification. It is considered to be one of the most difficult certificates to obtain in the industry. Besides the official documentation there are not many third-party books and manuals available. This CISA Study Guide in EasyFAQs has been developed as a result of our extensive experience in teaching and years of interaction with students at all levels. We believe that every complex topic can be broken down into simple questions and answers; the proof is this CISA study guide. In this guide, all the major information related to CISA domains is broken down into simple FAQs so that it can be understood easily. Those who use this guide should keep in mind that the actual questions in the CISA exam are followed by multiple-choice answers. The CISA Study Guide in EasyFAQs will help one prepare for the test and get a good grasp on the subject. With a clear understanding of the concepts, it will be easy to exclude those answers that are not relevant and to select the most appropriate choice. Good luck!

Note: To bring the material up-to-date, we asked for help from the experts; this year our communication experts were asked to focus on Wireless communication. They prepared some very good Q&As regarding mobile phones, satellites and wireless communication. Some of the areas, such as those dealing with mobile phones and satellite communication, were NOT very relevant to the CISA exam, but this information was very interesting, even for the layman. We therefore decided not to edit it out.


Domain 1: The Information System Audit Process


Organization of the IS AUDIT function
How will you establish the role of the IS audit function?
The role of the audit function is described in the Audit Charter.

What are the five (5) components of the Audit Charter?
1. Scope of the audit
2. Responsibility of the audit function
3. Management's responsibility
4. Objective and delegation
5. Delegation of authority

Who approves the Audit Charter?
Senior management or the top-level management

IS Resource Management
How should an audit begin?
1. Audit charter
2. Project plan for the audit
3. Availability of the proper skills

What if the proper skills are not available for the audit? Is it acceptable to ask the auditee to help?
Auditors should obtain the appropriate skills. If the auditee provides help during the auditing process, the audit might not be very objective, so it should be avoided.


Audit Planning
What are the two (2) types of Audit Planning?
1. Short term (less than a year)
2. Long term (more than a year)

How often should the Audit Planning be reviewed?
At least once a year.

What are the five (5) factors that should be considered in an Audit Plan?
1. Risk assessment
2. Local and international regulatory requirements
3. Corporate deadlines
4. Future technologies
5. Limitation of information subsystems

What five (5) step strategy should an IS Auditor use to draw up an Audit Plan?
1. In-depth understanding of the business and its
   a. Mission statement
   b. Business objective
   c. Process involved
   d. Technology
2. Risk assessment
3. Internal control
4. Setting the scope and objective of the audit
5. Development of the audit strategy.

What are the six (6) common methods the auditor can use to understand the auditee's business?
1. Acquire domain knowledge
2. Annual reports, reading on web, industry publications
3. Review the short-term and long-term plans
4. Meet the key managers
5. Review the previous audit reports
6. Tour the organization

What is the biggest challenge for the IS auditor in terms of planning the audit?
Matching the available resources with the audit plan.

Effect of laws and regulations on the Audit Plan


What are the four (4) common types of laws and regulations an IS auditor should know about the auditee's business?
1. Federal law regarding the business
2. State law applicable (if any)
3. Industry-specific law; for example, the banking industry has its own set of rules and regulations
4. International law (where applicable)

ISACA IS Auditing Standards


What are the objectives of the ISACA IS auditing standards?
1. Minimum level of acceptable performance, as per the Code of Professional Ethics
2. Should meet the professionals' expectations.


Risk, Risk Analysis and Risk Management


What is risk?
Risk: The possibility of something harmful or damaging occurring is known as risk. In technical terms, risk is the probability of a threat or a threatening agent exploiting the system's vulnerability. The ISO's guidelines for the Management of IT Security define risk as: "The potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat."

What is a Business Risk?
This is a risk that may have an impact on the following:
1. Asset
2. Process
3. Objective of organization or business

What is Risk Management?
Risk Management: The process of identifying, assessing and minimizing the risk to an acceptable level and, later, maintaining that level.

What is the primary role of Risk Management?
1. To identify the threat
2. To estimate how often threats occur

What steps are required in a typical Risk Management project?
1. Identify the business objectives
2. Carry out a Risk Analysis (quantitative or qualitative), which has three components:
   i. Asset-related (includes hardware, software, processes and any resource valuable to the organization)
      1. Asset identification
      2. Valuation of asset
   ii. Threat
      1. Identification of threat
      2. Probability determination of each threat
   iii. Vulnerability
      1. Likelihood and/or
      2. Probability of occurrence
3. Assess the risk
4. Risk Control and Treatment: avoidance or mitigation with the help of
   i. Safeguards
   ii. Counter-measures
5. Delegate or accept risk

Important Note: In the classical methodology, first the critical assets are identified and then the threats. However, some organizations start with identifying the threats rather than the assets, which is perfectly acceptable.

How can an event that may result in loss be identified?
1. Actual threat
2. Threat probability
3. Threat has already materialized and the organization is facing the consequences.


What is the nature of the threat?
It can be one of the following:
1. Financial
2. Regulatory
3. Operational

What are the four (4) basic questions that should be asked during the Risk Analysis?
1. What is the value of the asset?
2. What is the threat?
3. What are the vulnerabilities?
4. What is the likelihood of occurrence?

What are the two (2) main purposes of the Risk Assessment?
1. Quantifying the impact of the threat
2. Putting a price tag or price value on the risk or the impact on the business

What is the end result of the Risk Assessment?
1. Identification of the risk
2. Recommendations regarding safeguards and countermeasures with cost/benefit justifications

What is the difference between Risk Assessment and Risk Analysis?
Sometimes the terms are used interchangeably; however, when they are differentiated, it is on the following terms:

Risk Analysis:
1. Initial stage
2. Initial step
3. The identification of assets, related threats, VA and probability of occurrence

Risk Assessment:
1. More advanced stage
2. In a way, a Risk Analysis is the prerequisite for a Risk Assessment
3. Once the threat is identified, Risk Assessment deals with quantifying the impact and putting a price tag on the risk.

What is the Risk Management Triple?
1. Asset
2. Vulnerability
3. Threat

What are the four (4) key components of Risk Assessment?
1. Asset
2. Vulnerability
3. Threat
4. Safeguards

What types of items are included as assets?
1. Products
2. Resources
3. Processes

How is an asset valued?
An asset is valued on the basis of:
1. Cost incurred in terms of
   a. Creation
   b. Development
   c. Support
2. Plus the cost when it is
   a. Replaced
   b. Refurbished/overhauled
3. Plus the actual market cost
4. Plus the goodwill cost

What is a Threat?
A threat is an event that might cause harm or have an undesirable impact on the system. A threat can be natural or man-made.

What is a Vulnerability (VA)?
A vulnerability can be defined as a security loophole or an open door. It is basically a weakness in the system, or in the infrastructure. Threats exploit vulnerabilities.

What is a Safeguard?
A safeguard is also known as a "counter-measure". The main objective of a safeguard or counter-measure is to overcome the threat, resulting in the reduction of risk.

Rule of Thumb: If you are confused as to whether something is a threat or a vulnerability, put yourself in the situation. For example, you can say to yourself, "I can be a threat to an organization, but I can't be a vulnerability."

What is an Exposure Factor?
The Exposure Factor (EF) provides the percentage of loss if a certain adverse event takes place. Take the case of an electrical surge in the power supply to a key component, for example. If the component burns out, this might represent 25% of the entire exposure. The EF will then be 25%.

What is an ARO?
ARO is the Annual Rate of Occurrence.
1. It is an estimation of the frequency of a threat occurrence in a year.
2. If a hard disk crash occurs once in five years, the ARO will be 1/5 = .20.
3. The ARO can be a whole number or a fraction.


What is an ALE?
ALE is the Annual Loss Expectancy, representing the loss in terms of the dollar value.

What are the key equations for Risk Assessment?
Single Loss Exposure ($) = Asset Value ($) x Exposure Factor (%)
Annual Rate of Occurrence = Number of occurrences / Number of years
Annual Loss Expectancy ($) = SLE ($) x ARO

How is the value of the ALE useful to the organization?
If the ALE is $5000 and the safeguard cost is $100,000 over five years, the per year safeguard cost will be 100,000/5 = $20,000/year. It is obviously not feasible to spend $20,000 per year for an Annual Loss Expectancy of $5000.

Points to remember:
1. The value of all assets should be known
2. The auditor should be aware of the Exposure Factor (EF) percentage.
3. Management concerns itself only with the ALE
4. The EF is always given as a percentage
5. The EF provides the possible degree of destruction to an asset
6. The EF represents the percentage of loss, not the percentage chance of occurrence
7. The EF is the percentage of loss, irrespective of the frequency of occurrence. It might occur once in three years or three times in one year.

What is the Quantitative Risk Assessment?
1. Measurement of the potential loss (EF and SLE)
2. Establish rate of occurrence (ARO)
3. Calculate value (ALE)
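The SLE, ARO and ALE equations and the ALE-versus-safeguard-cost comparison above, carried through in Python as an added worked example (this code is not part of the study guide). The three risk scenarios in it are constructed sample values; the safeguard check reuses the guide's own figures ($5,000 ALE against a $100,000 safeguard spread over five years). Ranking scenarios by ALE goes slightly beyond the text: it is the order in which management would normally consider safeguards.

```python
"""Quantitative risk assessment, following the study guide's equations:
    SLE ($) = Asset Value ($) x Exposure Factor (fraction of the asset lost)
    ARO     = Number of occurrences / Number of years
    ALE ($) = SLE ($) x ARO
plus the guide's cost/benefit rule: a safeguard is not worth buying when its
annualized cost exceeds the ALE it is meant to reduce.
Added example; the scenarios below are constructed sample values."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x EF. EF is the share of the asset destroyed by one
    event (0.25 means 25% loss); it says nothing about how often it happens."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_rate_of_occurrence(occurrences: float, years: float) -> float:
    """ARO = occurrences / years; may be a fraction (once in 5 years = 0.2) or > 1."""
    if years <= 0 or occurrences < 0:
        raise ValueError("years must be positive and occurrences non-negative")
    return occurrences / years


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss per year, the figure management cares about."""
    return sle * aro


def annualized_safeguard_cost(total_cost: float, years: float) -> float:
    """Spread a multi-year safeguard price over its lifetime so it can be
    compared like-for-like with the (annual) ALE."""
    if years <= 0:
        raise ValueError("years must be positive")
    return total_cost / years


def safeguard_is_justified(ale: float, total_cost: float, years: float) -> bool:
    """True only when the safeguard costs less per year than the loss it addresses."""
    return annualized_safeguard_cost(total_cost, years) < ale


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset: the inputs of a quantitative assessment."""
    name: str
    asset_value: float
    exposure_factor: float
    occurrences: float
    years: float

    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    def aro(self) -> float:
        return annual_rate_of_occurrence(self.occurrences, self.years)

    def ale(self) -> float:
        return annual_loss_expectancy(self.sle(), self.aro())


def prioritize(scenarios: list) -> list:
    """Rank scenarios by ALE, highest first: the order in which safeguards
    should be considered."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


# Constructed sample scenarios (not from the guide).
SAMPLE_SCENARIOS = [
    Scenario("Database server power surge", 40_000, 0.25, 1, 2),   # ALE 5,000
    Scenario("File server disk crash", 8_000, 1.0, 1, 5),          # ALE 1,600
    Scenario("Web application defacement", 50_000, 0.10, 2, 1),    # ALE 10,000
]

if __name__ == "__main__":
    for s in prioritize(SAMPLE_SCENARIOS):
        print(f"{s.name:32} SLE={s.sle():>9,.0f} ARO={s.aro():.2f} ALE={s.ale():>9,.0f}")
    # The guide's example: ALE $5,000 against a $100,000 safeguard over 5 years.
    print("Guide's safeguard justified?", safeguard_is_justified(5_000, 100_000, 5))
```

Note that the exposure factor is validated as a fraction of loss and the rate of occurrence is kept separate from it, which is exactly the distinction points 6 and 7 above insist on: an EF of 25% says how much is lost per event, never how often the event happens.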


How is a Qualitative Risk Assessment Analysis performed?
1. No hard and fast rule
2. Scenario-oriented
3. Based on the same assets and threat scenarios as in the Quantitative Analysis

What is the role of the Delphi Technique in Qualitative Risk Analysis?
The Delphi Technique is simply a group discussion method, where each member has a vote.
1. Group members are asked to write down their responses
2. All responses are compiled and distributed to members
3. Their comments are written down, and are again compiled and redistributed
4. The process continues until consensus is reached

How do the Quantitative and Qualitative Risk Assessments compare?

Quantitative:
1. Objective
2. Dollar value is assigned to risk
3. Cost Benefit Analyses
4. Automated (how?) and complex
5. Less guess work
6. Result easy to communicate

Qualitative:
1. Subjective
2. No dollar value is assigned
3. No Cost Benefit Analyses
4. No automation; less complex
5. More guess work
6. Result difficult to communicate

What is a PSE?
PSE stands for Preliminary Security Examination. Top management reviews the PSE prior to launching a Risk Assessment assignment.

What are the components of a PSE?
1. Asset cost/value
2. Listing of threats
3. Documentation of existing security measures.


What is the difference between a Risk Analysis and BIA?

Risk Analysis:
1. More complex
2. Most companies need to perform a Risk Analysis exercise when they start out
3. 3-Step Process

Business Impact Analysis:
1. Less complex
2. Undertaken once the Risk Analysis has been performed. Later, if small magnitude changes are needed, a BIA is performed.
3. Same 3-Step Process

In technical terms, what are the three steps of a Risk Analysis?
1. Estimate possible losses
2. Analyze the threat
3. Define ALE

How is the Risk Analysis carried out?
The Risk Analysis is carried out by a simple three-step process:
Step 1: Estimate Potential Losses
   a. Valuation of the Asset
   b. Calculation of SLE
Step 2: Analyze the threat potential
   a. Probability of threat occurring
   b. Find the asset VA
   c. Estimate ARO
Step 3: Calculate ALE
   a. ALE = SLE x ARO


What is the checklist of threat sources?
1. Internal users
2. Hackers
3. International or regional conflict
4. Badly-defined Operational Procedures
5. Poorly written applications
6. Environmental hazards
7. Weak computer infrastructure
8. Misplaced priorities

What is the checklist for compiling the Risk Analysis?
1. List of critical assets
2. Critical asset costs
3. List of threats
4. Probability that threat will occur
5. Potential losses
6. Remedial measures

How do you estimate Potential Losses?
1. Valuation of assets
2. Calculate SLE

Once the risk is defined, how is it handled?
1. Risk Reduced: With the help of safeguards
2. Risk Transferred: With the help of insurance and other instruments
3. Risk Accepted: Management is aware of the risk, but there are not sufficient funds available to reduce or transfer the risk
4. Risk Rejected: Management does not accept the risk in the first place

What is the most difficult part of Risk Assessment?
Asset Valuation is the most difficult part of RA.

How is the Asset Valuation carried out?
1. Take the initial cost
2. Establish the cost of testing
3. Estimate the cost of roll-out
4. Estimate the cost of maintenance
5. Lastly, establish the value in the open market (external to the company)

Why is Asset Valuation so important?
Asset valuation is a prerequisite for the following activities:
1. Risk Assessment
2. Business Impact Analysis
3. Selecting the correct safeguard
4. Cost Benefit Analysis
5. Security audit
6. Security control

What happens if the Information Asset Valuation is not done properly?
This could result in the following:
1. Improper controls
2. Protection of the incorrect assets
3. Acquisition of the wrong safeguard

What is a prerequisite for applying the security controls?
You must define the value of the information.


What is Risk Mitigation?
1. Selecting a counter-measure / safeguard
2. Accepting the residual risk
3. Implementation of control and monitoring mechanisms

What is the Total Risk?
Total Risk = Threat x Vulnerability x Asset Value

What is the Residual Risk?
It is a well-known fact that it is impossible to ensure 100% security. If you have implemented safeguards against 95% of threats, then the Residual Risk is 5%.
Residual Risk = Total Risk - Safeguards

Safeguards:
What is the next step, once the Risk Assessment has been completed?
Search for the counter-measures and safeguards

How are safeguards selected?
The threats are matched against the appropriate safeguards.

What to look for when selecting a safeguard:
1. Functionality
2. Cost
3. Cost Benefit

What is the most important factor to be considered before a safeguard is implemented?
A Cost Benefit Analysis is essential before a safeguard is implemented.

What should be the default of a safeguard?
The default should be a fail-safe, with the fewest possible privileges

Selection of Safeguards
On what basis are safeguards selected?
The safeguard selection criteria can be divided into two categories:

I. Primary Criteria
i. Cost/Benefit
   a. ALE before safeguard               US$ 20,000
   b. ALE after safeguard                US$  2,000
   c. Reduction in ALE (a - b)           US$ 18,000
   d. Cost of safeguard per year         US$  5,000
   e. Benefit from safeguard (c - d)     US$ 13,000
ii. Minimal Manual Intervention
   a. Operations should be simple
   b. Most operations should be automated
iii. Recovery from Failure
   a. Recovery should be safe
   b. No asset destruction
   c. No rights violation

II. Secondary Criteria
i. Easy to Audit
   a. Must provide an audit log
   b. A viewer for the log is preferred
ii. Vendor Support
   a. Local vendor or local support
   b. Proven solution
iii. Easy to Maintain
   a. An average person should be able to maintain it with formal training
   b. Simple operations and troubleshooting
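The risk formulas and the cost/benefit criterion above, carried through in code. This is an added example and not part of the study guide: the 20,000 / 2,000 / 5,000 figures are the guide's own, while the two other candidate safeguards and the threat, vulnerability and asset values are constructed. It goes one step beyond the guide by screening several candidates at once and dropping any whose yearly cost exceeds the loss it prevents.

```python
"""Safeguard cost/benefit and residual risk: an added worked example, not part of
the study guide. The 20,000 / 2,000 / 5,000 figures are the guide's own; the
other two candidate safeguards and the threat/vulnerability/asset values are
constructed sample data."""
from dataclasses import dataclass


def total_risk(threat, vulnerability, asset_value):
    """Total Risk = Threat x Vulnerability x Asset Value.
    threat and vulnerability are likelihoods in 0..1, asset_value in currency."""
    return threat * vulnerability * asset_value


def residual_risk(total, safeguard_coverage):
    """Residual Risk = Total Risk - Safeguards.
    safeguard_coverage is the fraction of the total risk the safeguards remove
    (0.95 in the guide's example), so the remainder is the residual."""
    if not 0.0 <= safeguard_coverage <= 1.0:
        raise ValueError("coverage must be a fraction between 0 and 1")
    return total * (1.0 - safeguard_coverage)


@dataclass(frozen=True)
class Safeguard:
    """One candidate counter-measure with the figures the guide's
    cost/benefit criterion needs (all per year, same currency)."""
    name: str
    ale_before: float   # (a) ALE before the safeguard
    ale_after: float    # (b) ALE after the safeguard
    annual_cost: float  # (d) cost of the safeguard per year

    @property
    def ale_reduction(self):
        """(c) = (a) - (b): loss expectancy the safeguard removes."""
        return self.ale_before - self.ale_after

    @property
    def net_benefit(self):
        """(e) = (c) - (d): what the safeguard is worth after paying for it."""
        return self.ale_reduction - self.annual_cost


def rank_safeguards(candidates):
    """Cost/benefit screen: keep only safeguards whose yearly benefit exceeds
    their yearly cost, ordered best first. A safeguard that costs more than the
    loss it prevents fails the test, however good its functionality."""
    worthwhile = [s for s in candidates if s.net_benefit > 0]
    return sorted(worthwhile, key=lambda s: s.net_benefit, reverse=True)


# The guide's worked figures plus two constructed alternatives.
GUIDE_EXAMPLE = Safeguard("Guide example", ale_before=20_000, ale_after=2_000, annual_cost=5_000)
CANDIDATES = [
    GUIDE_EXAMPLE,
    Safeguard("Offsite backup", ale_before=20_000, ale_after=5_000, annual_cost=4_000),
    Safeguard("24x7 log monitoring", ale_before=20_000, ale_after=8_000, annual_cost=15_000),
]

if __name__ == "__main__":
    for s in CANDIDATES:
        print(f"{s.name:22s} reduction {s.ale_reduction:>8,.0f}  net benefit {s.net_benefit:>8,.0f}")
    print("Implement, best first:", [s.name for s in rank_safeguards(CANDIDATES)])
    total = total_risk(threat=0.2, vulnerability=0.5, asset_value=100_000)
    print(f"Total risk {total:,.0f}; residual at 95% coverage {residual_risk(total, 0.95):,.0f}")
```

The log-monitoring candidate removes 12,000 of ALE but costs 15,000 a year, so it fails the cost/benefit test and is left out even though it is functionally sound; that is the point of running the cost/benefit analysis before implementation.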


Risk Analysis and Auditing


Why is risk analysis part of Audit Planning?
A risk analysis helps to identify the following:
1. Risk
2. Vulnerability
Once the risk and vulnerability have been defined, it is easier for the auditor to determine the controls.

Internal Controls
What is the purpose of using internal controls?
Internal controls provide the following:
1. Assurance that the organization's objectives are met
2. Prevention or mitigation of the risk of undesired events

What are some examples of internal controls?
1. Policies
2. Standards
3. Procedures and practices

What is the relationship between a control and the control objectives?
A control is the means by which the control objectives are met.

Who has the ultimate responsibility for control?
Senior Management


How is the strength of a control measured?
The strength of a control is measured in the following terms:
1. Design strength
2. Effectiveness

When evaluating the strength of controls, what factors should be considered?
1. Preventive or detective
2. Formal or ad hoc
3. Manual or automated/programmed


Internal Control Objective


What is an Internal Control Objective?
A statement used to implement a particular control procedure for a certain activity; or, a statement of the desired result achieved by implementing certain control procedures for a particular activity.

What are the main objectives of implementing internal control?
1. Protecting and safeguarding assets
2. Assuring the integrity of resources
3. Ensuring the effectiveness and efficiency of operations
4. Complying with corporate policies and procedures
5. Providing business continuity and disaster recovery capability

What are the three (3) major controls in the Internal Control System?
1. Internal accounting controls: related to the accounting function
2. Operational controls: related to day-to-day operations
3. Administrative controls: compliance with management policies and operational efficiency in the functional areas (administrative controls also support the operational controls, to some extent)

What are some examples of Information System control objectives?
To ensure that:
1. Information is up-to-date and secure
2. Data entered in the system is relevant
3. All rejected logins are reported
4. Duplicate records are recorded and reported for scrutiny
5. Data is backed up
6. Changes follow the change control procedures

Information Systems Control Procedures


What do the control procedures include?
1. Policies
2. Practices

What are some examples of control procedures?
1. Strategy and direction
2. System administration and change control management
3. Data processing controls
4. Quality Assurance procedures
5. Physical controls
6. DRP/BCP
7. Database administration controls

What is the relationship between General Control Procedures and IS-specific procedures?
Normally the general control procedures can be mapped to Information System procedures.

What are the six (6) Information System control procedures?
1. General organization control procedures
2. Control of access to data and programs
3. System development controls
4. Data processing operations
5. Technical support controls
6. Quality Assurance control processes

Does the Internal Control Objective apply only to manual systems?
No; it applies to all areas, manual or automated. However, the control implementation features are different.


COBIT
What is COBIT?
COBIT stands for Control Objectives for Information and related Technology.

What does COBIT provide?
1. A framework for Information System control
2. Good practices for IT governance
3. Control and assurance for the effective use of IT

How many high-level and detailed control objectives are there in COBIT?
High-level objectives: 34
Detailed objectives: 300 plus

How many standards does COBIT relate to?
36 plus

What are the six (6) components of COBIT?
1. Executive Summary
2. Framework
3. Control Objectives
4. Management Guidelines
5. Audit Guidelines
6. Implementation Toolset

What are the three (3) major classifications of controls?
1. Preventive
2. Detective
3. Corrective


What are some examples of preventive controls?
1. Employing well-qualified people
2. Segregating duties
3. Well-designed documents
4. Implementing proper procedures
5. Edit checks
6. Controlling access

What are some examples of detective controls?
1. Hash totals
2. Check points
3. Error messages
4. Performance reviews
5. Double-checking of calculations

What are some examples of corrective controls?
1. Recovery procedures
2. Disaster Recovery Planning


Performing an Information System Audit


What is Auditing?
A structured process by which an independent, competent person obtains relevant evidence in order to form an opinion regarding an event or economic entity, and reports on conformance to a pre-defined set of standards.

What does the audit program consist of?
1. Objectives
2. Audit procedures

What is required from an IS auditor during the audit process?
1. Ascertain the objectives
2. Gather evidence
3. Evaluate the control strength
4. Prepare the report
5. Present to management

What are the five (5) types of audits?
1. Financial Audit: focuses on the integrity and reliability of the financial statements
2. Operational Audit: evaluates the internal controls of a given area
3. Integrated Audit: financial audit + operational audit
4. Administrative Audit: evaluates the efficiency of an organization's operational activity
5. Information Systems Audit: evaluates Information Systems and related resources. The main emphasis is on the following:
   a. Safety of assets
   b. Integrity of data
   c. Confidentiality of information
   d. Presence of appropriate internal controls

What is the major difference between an IS audit and other types of audit?
All audits are based on objectives and scope, but the IS auditor looks at the subject from different aspects, such as confidentiality, availability, quality, efficiency, service and reliability.

What are the General Audit Procedures in a typical audit?
1. Understanding of the audit area
2. Risk assessment and audit schedule and plan
3. Preliminary review
4. Evaluations
5. Control tests
6. Further testing, i.e. substantive testing
7. Communication of results and preparation of the report
8. Follow-up

What should the IS auditor be aware of regarding the testing and evaluation of Information System controls?
1. Third-party generalized audit software used to survey contents, e.g. of a data file
2. Flow-charting techniques
3. Specialized software used at the Operating System level in order to understand vulnerabilities
4. Use of previous audit reports


Audit Methodology
What is the Audit Strategy or Methodology?
A documented set of audit procedures used to achieve the audit objective.

What are the components of an Audit Strategy?
1. SOS (Statement of Scope)
2. Statement of Audit Objectives
3. Statement of Work Program

What are the eight (8) steps in a typical audit?
1. Identify the area to be audited
2. Audit objective
3. Audit scope
4. Pre-audit planning
5. Data gathering and audit procedures
6. Review the results
7. Method of communicating the results to senior management
8. Audit report

What is the difference between an Audit Objective and an Audit Scope?
Audit Objective: the purpose of the audit, e.g. in e-banking, whether proper controls are in place or not.
Audit Scope: specifies the function, system or unit to be included in the audit.

What are the two (2) major components needed in pre-audit planning?
1. Identification of technical skills
2. Resources needed


What sources of information can be used in the pre-audit planning phase, in order to get a better understanding of the auditee?
1. Policies and procedures
2. Standards and guidelines
3. Previous audit work

What information is included in a typical audit report?
1. Follow-up procedure of the last audit
2. Process to evaluate
3. Procedure to test the controls
4. Evaluations of policies, procedures and documentation

What is the Audit Program?
It is a product of the audit process.

What does the Audit Program provide?
1. A guide for recording and documenting the steps of the audit
2. The type and extent of the matter reviewed
3. Accountability for the performance


Audit Risk and Materiality


What is the new trend in the auditing approach?
Risk-based auditing

What are the different tests in risk-based auditing?
The auditor decides between two types of testing, i.e.
1. Compliance Testing, or
2. Substantive Testing

What are the five (5) steps in risk-based auditing?
1. Gather the information and do the planning
2. Understand the internal controls
3. Perform the compliance test
4. Perform the substantive test
5. Write the report and recommendations

How can the IS auditor gather information?
1. Review the business's and the industry's products
2. Previous years' audit reports
3. Financial information
4. Web site of the company
5. Web sites of the competition

How can the internal control be understood?
Through an examination of the control environment, carrying out a Risk Assessment, reviewing the control procedures, etc.

What does the compliance test evaluate?
Mainly it tests the policies, procedures and segregation of duties.

What is a substantive test?
This is a detailed test.

What is the audit risk?
The risk of reaching an incorrect conclusion about the subject under audit.

What is the material risk?
Errors, non-compliance or a weakness in the internal control which can be a significant threat to the organization.

How can a threat be identified as significant or not?
Through the use of a risk-based audit report.

Is the significance of non-compliance absolute or relative?
It is relative. Something that is significant at the operations level might not be significant for top management.

How can audit risk be avoided?
If the sample is chosen scientifically, the audit risk is minimized.

What role do inherent risk, detection risk and control risk play in risk-based auditing?
In this approach they are not assessed separately.

On what do IS auditors rely?
IS auditors rely on the risks inherent in:
1. Internal controls
2. External controls


What are the three (3) areas of business risk?
1. Financial
2. Regulatory
3. Operations

Why is it necessary for IS auditors to understand the nature of the business?
If the IS auditor understands the business, he or she is in a better position to identify the risk and categorize it accordingly.

What is a Risk Assessment Model?
It specifies the weights for the different types of risk associated with a particular business.


Risk Assessment Techniques


Which business area should be audited first?
The one with the highest risk.

How are the high-risk areas determined?
Through the use of a Risk Assessment.

How does the risk assessment help to determine which areas should be audited?
1. Limited auditing resources are effectively allocated to auditing the high-risk areas
2. A Risk Assessment helps the auditor focus on the business information that is critical to top management
3. It improves efficiency

What are the different methods for carrying out Risk Assessments?
1. Scoring system
2. Judgmental

What does the scoring system do?
The scoring system uses the risk factors to prioritize the audits.

What variables are considered in the scoring system?
1. Technical complexity
2. Financial loss (if any)
3. Level of control procedures

Are the variables always weighted?
No, they are not always weighted.


How do scoring systems help in auditing?
Audits are scheduled for those areas with the higher risk values.

With regard to selecting the area to be audited, what is the judgmental method?
When the judgmental method is used, decisions are based on the following:
1. Business insight
2. Senior management directives
3. Business goals
4. Results of earlier audits

Will the risk assessment methods remain the same in the future?
No, the methods might change based on the needs of the organization.
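The scoring system described above, as an added example that is not part of the study guide. It scores each auditable area on the guide's three variables, ranks the audit universe, and shows why the weighting question matters: the same scores give a different audit order once one variable is weighted up. The auditable areas, the 1..5 scale and the weights are constructed; "control_weakness" is the guide's "level of control procedures" entered so that a high score means weak controls.

```python
"""Audit-universe risk scoring: an added worked example, not from the study
guide. The auditable areas, the 1..5 scale and the weights are constructed."""

VARIABLES = ("technical_complexity", "financial_loss", "control_weakness")
SCALE = range(1, 6)   # 1 = lowest risk contribution, 5 = highest


def risk_score(scores, weights=None):
    """Risk factor for one auditable area: the sum of its variable scores,
    each multiplied by its weight. With weights=None every variable counts
    equally (the guide notes variables are not always weighted).
    'control_weakness' is the guide's 'level of control procedures' entered so
    that 5 means weak controls, so all three variables push the score upward."""
    weights = weights or {v: 1 for v in VARIABLES}
    missing = set(VARIABLES) - set(scores)
    if missing:
        raise ValueError(f"missing variables: {sorted(missing)}")
    for v in VARIABLES:
        if scores[v] not in SCALE:
            raise ValueError(f"{v}={scores[v]} outside scale 1..5")
    return sum(scores[v] * weights.get(v, 1) for v in VARIABLES)


def rank_audit_universe(universe, weights=None):
    """Return [(area, score), ...] with the highest-risk area first: the order
    in which the scoring system schedules the audits."""
    ranked = [(area, risk_score(scores, weights)) for area, scores in universe.items()]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def schedule(universe, capacity, weights=None):
    """Pick the 'capacity' highest-scoring areas: limited audit resources go to
    the high-risk areas first."""
    return [area for area, _ in rank_audit_universe(universe, weights)[:capacity]]


# Constructed audit universe.
AUDIT_UNIVERSE = {
    "Core banking application": {"technical_complexity": 5, "financial_loss": 5, "control_weakness": 2},
    "Payroll":                  {"technical_complexity": 2, "financial_loss": 4, "control_weakness": 4},
    "Intranet web site":        {"technical_complexity": 3, "financial_loss": 1, "control_weakness": 5},
    "Physical access system":   {"technical_complexity": 2, "financial_loss": 3, "control_weakness": 1},
}
# Management that cares most about weak controls would weight that variable up.
CONTROL_HEAVY_WEIGHTS = {"technical_complexity": 1, "financial_loss": 1, "control_weakness": 3}

if __name__ == "__main__":
    print("Unweighted:", rank_audit_universe(AUDIT_UNIVERSE))
    print("Weighted:  ", rank_audit_universe(AUDIT_UNIVERSE, CONTROL_HEAVY_WEIGHTS))
    print("This year's two audits:", schedule(AUDIT_UNIVERSE, capacity=2))
```

Unweighted, the core banking application tops the list; with control weakness weighted three times, the poorly controlled intranet site moves to the front. Whichever weighting is used should be agreed with senior management and recorded in the audit plan, because it decides where the limited audit hours go.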


Audit Objectives
What is the difference between Control Objectives and Audit Objectives?
Control Objectives: the focus is on the functioning of the internal control.
Audit Objectives: the focus is on the specific goals that the audit should achieve.

With regard to access, what should the audit include?
1. Compliance with regulatory and legal requirements
2. Assessment of the confidentiality, integrity and availability of information

Is it possible that management will give the IS Auditor some general objectives?
Yes, the IS auditor may be given some general objectives. For example, the auditor might be asked to:
1. Audit the internal control of application development
2. Audit the integrity of the core business application

What is the key element in planning the Information System audit?
It is the mapping, or translation, of the basic audit objectives to the Information System control objectives. So the IS auditor should have the skills to understand how the basic objective of an audit maps to the IS control objectives.

What is the basic purpose of an IS Audit?
1. Identify the control objectives
2. Establish the related controls for addressing those objectives


What should the IS auditor identify in the initial review?
Firstly, the IS auditor should identify the initial controls.

What does the IS auditor specify in the initial review?
The key controls

How are the controls tested?
Through the use of the following:
1. Compliance testing
2. Substantive testing

What is the difference between Compliance and Substantive Testing?
Compliance Testing:
1. Done initially to check whether the key controls are working
2. Tests the control (for compliance)
3. Checks compliance against policies and procedures
4. Mostly dependent on the availability of trail documentation
5. Once the documentation is available for a particular issue, the compliance test is positive
Substantive Testing:
1. Usually follows compliance testing
2. Tests integrity
3. Used for monetary transactions or places where there is little structure
4. Not very dependent on the documentation; the availability of documentation is not enough
5. The validity and integrity of the documentation are challenged in the testing

What is the correlation between the level of internal control and the amount of substantive testing required?
1. The more adequate the controls, the fewer substantive tests are needed.
2. The weaker the internal controls, the more substantive tests are needed.


What are the four (4) steps for checking controls in an environment?
1. Preview: the system is previewed so that the controls can be checked
2. Compliance test: confirms the functionality of the controls
3. Control evaluation: determines the scope and size of the substantive test
4. Substantive test: evaluates the validity of the data

What are the two (2) types of substantive test?
1. Tests of balances and transactions (more financially related)
2. Analytical procedure review


Evidence
What is the definition of evidence?
Proof, in the form of information or documents, that the organization is following certain audit criteria or objectives.

What is the importance of evidence?
The auditor's opinion is based on the evidence gathered.

What are the five (5) forms of evidence that the IS Auditor can use?
1. Auditor observation
2. Interview notes
3. Correspondence extracts
4. Internal documentation
5. Results of the audit tests

What are the three (3) factors showing the reliability of the evidence?
1. The provider of the evidence is independent.
2. The provider of the evidence is qualified.
3. The evidence is objective rather than subjective in nature.

Should the IS auditor only look for good evidence?
No, the auditor should focus on evidence that supports the objective, not on whether the evidence is good or bad.

How do the quality and quantity of the evidence map to the IFAC (International Federation of Accountants) terms?
ISACA: Quality of the evidence  -  IFAC: Competency, i.e. validity and relevancy
ISACA: Quantity of the evidence  -  IFAC: Sufficiency; the auditor decides whether the evidence is sufficient


Which ISACA auditing standard number covers evidence?
060.020

What techniques are used to gather evidence?
1. Review of the IS organization structure
2. Review of policies, standards and procedures
3. Baseline documentation for:
   a. Input validity
   b. Information processing
   c. Integrity of the process
   d. Validity of the output
   e. SDLC documentation
   f. User manual
   g. Operations manual
   h. Log files
   i. Quality Assurance reports

Is traditional documentation required for CASE or prototyping?
No, traditional documentation is only required for the SDLC and related methodologies, not for CASE and prototyping.

What documentation is relevant for CASE and prototyping?
1. Initial requirements and justification of the project
2. Database specification
3. File layouts and others

Sampling
When is sampling used?
Sampling is used when time and cost are constraints and verification of the entire population is not possible.

What is the meaning of population with respect to sampling?
Population refers to all the members of a group which need to be examined.

What is a sample?
A sample is a subset of the population.

What is a sample used for?
Often it is used to draw an inference about the characteristics of the population.


Sampling Basics - Confidence Coefficient & Level of Risk


What is the confidence coefficient?
The confidence coefficient is the probability that the sample is truly representative of the population.

How is the confidence coefficient represented?
As a percentage.

At what confidence coefficient level should the IS auditor feel comfortable?
95%

What is the relationship between the confidence coefficient and the sample size?
The higher the confidence coefficient, the greater the sample size. For greater confidence a bigger sample is needed; e.g. if the confidence coefficient were 100% (which it cannot be), 100% of the population would have to be examined.

What is the difference between the "Confidence Coefficient", "Confidence Level" and "Reliability Factor"?
No difference; they all refer to the same thing.

What is the level of risk?
Level of Risk = 1 - Confidence Coefficient


Sampling Basics - Precision


What does the term sampling precision refer to?
Precision is the acceptable range of difference between the actual population and the sample.

What is the difference between Precision and Confidence Level?
1. Precision moves in the opposite direction to the confidence level.
2. When the precision level is low, the confidence level is high.

Which is better: a higher or lower precision level?
1. If the required precision is 0%, there is no difference between the sample and the population, i.e. Sample Size = Population. Even with a precision of 5%, the sample is almost as big as the population.
2. Similarly, if the precision is 100%, a difference of 100% between the population and the sample is acceptable.
3. The precision level should be decided by the IS Auditor.

What is the relationship between Precision and Sample Size?
The relationship is inversely proportional.

What is the difference between "Attribute Sampling" and "Variable Sampling"?
Attribute Sampling: represented as a percentage.
Variable Sampling: represented in numbers, or as a monetary amount.

What is the difference between "Precision Range" and "Precision Mean"?
There is no difference; they mean the same thing (substantive testing).


Sampling Basics - Expected Error Rate & Tolerable Error Rate


What is the Expected Error Rate (EER)?
As the name indicates, this is the rate of errors expected in the population, represented as a percentage.

What is the effect of the EER on sample size?
It is directly proportional: if the EER is high, more errors are foreseen and a larger sample is needed. A sample that is too small may hide a larger error rate than expected.

How is the EER applied to the variable sampling formula?
It is not; the EER is only used with the "Attribute Sampling" formulas.

What is the tolerable error rate?
The number of errors or mis-statements that can exist without the result being materially mis-stated.

How are tolerable error rates used in sampling?
They are used to set the upper limit of the "precision range" for compliance testing.

How is the tolerable error rate represented?
As a percentage.


Sampling Basics - Standard Deviation and Variance


What is the prerequisite of the Standard Deviation?
The sample mean.

What is the sample mean?
Sample Mean = Sum of Sample Values / Sample Size
The mean of a random sample is an unbiased estimate of the mean of the population from which it was drawn. Another way to say this: regardless of the size of the population and the size of the random sample, it can be shown (through the Central Limit Theorem) that if random samples of the same size were repeatedly taken from the same population, the sample means would cluster around the exact value of the population mean.

What does the sample mean indicate?
The average value of the items in the sample.

What is the Standard Deviation?
To calculate the standard deviation of a population it is first necessary to calculate that population's variance. Numerically, the standard deviation is the square root of the variance. Unlike the variance, which is a somewhat abstract measure of variability, the standard deviation can be readily conceptualized as a distance along the scale of measurement.

What is the Variance?
The variance measures the variability (dispersion) among the measures in a population. Numerically, the variance is the average of the squared deviations from the mean. To calculate the variance of a given population:
1. First calculate the mean of the scores
2. Measure how much each score deviates from the mean
3. Square each deviation (multiply it by itself)
4. Average the squared deviations

What is the Sample Standard Deviation?
The dispersion of the sample values around the sample mean (the square root of the sample variance).

What is the Population Standard Deviation?
The dispersion of the whole population around the population mean.

What is the relationship between the standard deviation and the sample size?
The relationship is directly proportional. As with any of the error measures, the higher the standard deviation or EER, the larger the error / deviation that can be expected. In order to minimize these effects, the sample size must be increased.

Can a population's standard deviation be applied to the attribute sampling formula?
No; it can only be applied to the "Variable Sampling" formula.
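The sampling arithmetic from the confidence coefficient, precision, EER and standard deviation sections above, carried through in one added example that is not part of the study guide. The guide states the relationships (a higher confidence coefficient, a higher EER or a larger standard deviation calls for a bigger sample; a wider precision allows a smaller one) but prints no sample-size formula, so this example uses the standard normal-approximation formulas for attribute and variable sampling; the z-values are the usual two-sided constants and the invoice amounts are constructed data.

```python
"""Sampling arithmetic for the audit sampling sections: an added worked example,
not from the study guide. The sample-size formulas are the standard
normal-approximation formulas (the guide itself does not print them); the
z-values are assumed constants and the invoice-amount data is constructed."""
import math
import random

# Two-sided z-values for the usual confidence coefficients (assumed constants).
Z_VALUES = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def level_of_risk(confidence_coefficient):
    """Level of Risk = 1 - Confidence Coefficient."""
    return 1.0 - confidence_coefficient


def attribute_sample_size(confidence, expected_error_rate, precision):
    """Compliance-test sample size for attribute sampling.
    n = z^2 * p * (1 - p) / E^2, with p the expected error rate and E the
    precision (both fractions). Uses the EER, as the guide says attribute
    sampling does."""
    z = Z_VALUES[confidence]
    p = expected_error_rate
    return math.ceil(z * z * p * (1 - p) / (precision ** 2))


def variable_sample_size(confidence, std_dev, precision_amount):
    """Substantive-test sample size for variable sampling.
    n = (z * sigma / E)^2, with sigma the population standard deviation and E
    the precision as an amount (dollars, units). Uses the standard deviation,
    not the EER, as the guide says variable sampling does."""
    z = Z_VALUES[confidence]
    return math.ceil((z * std_dev / precision_amount) ** 2)


def sample_mean(values):
    """Sample Mean = Sum of Sample Values / Sample Size."""
    return sum(values) / len(values)


def population_variance(values):
    """Average of the squared deviations from the mean (the guide's four steps)."""
    m = sample_mean(values)                       # 1. mean
    deviations = [v - m for v in values]          # 2. deviation of each score
    squares = [d * d for d in deviations]         # 3. square each deviation
    return sum(squares) / len(squares)            # 4. average the squares


def sample_variance(values):
    """Variance of a sample used to estimate the population: divide by n - 1."""
    m = sample_mean(values)
    return sum((v - m) ** 2 for v in values) / (len(values) - 1)


def population_std_dev(values):
    """Standard deviation is the square root of the variance."""
    return math.sqrt(population_variance(values))


def sample_std_dev(values):
    return math.sqrt(sample_variance(values))


def select_sample(population, size, seed):
    """Random selection without replacement: every item has an equal chance,
    the guide's 'ideal statistical sample'. The seed makes the draw repeatable
    for the working papers."""
    return random.Random(seed).sample(list(population), size)


# Constructed data: eight invoice amounts.
INVOICE_AMOUNTS = [2, 4, 4, 4, 5, 5, 7, 9]

if __name__ == "__main__":
    print("risk at 95% confidence:", level_of_risk(0.95))
    for conf, eer, prec in [(0.95, 0.05, 0.03), (0.99, 0.05, 0.03), (0.95, 0.10, 0.03), (0.95, 0.05, 0.05)]:
        print(f"attribute n (conf {conf}, EER {eer}, precision {prec}):",
              attribute_sample_size(conf, eer, prec))
    print("variable n (sigma 40, precision 10):", variable_sample_size(0.95, 40, 10))
    print("mean, pop sd, sample sd:", sample_mean(INVOICE_AMOUNTS),
          population_std_dev(INVOICE_AMOUNTS), round(sample_std_dev(INVOICE_AMOUNTS), 3))
    print("sample of 3:", select_sample(range(1, 101), 3, seed=7))
```

Running the four attribute cases side by side makes the guide's relationships concrete: raising the confidence from 95% to 99% or the EER from 5% to 10% pushes the sample from about 200 items to 350 or 385, while loosening the precision from 3% to 5% brings it down to 73. The population standard deviation enters only the variable-sampling formula, exactly as the guide says; doubling it quadruples the substantive sample.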


Other Sampling Issues


What are the two (2) approaches to audit sampling?
1. Statistical Sampling
2. Non-Statistical Sampling (also known as Judgmental Sampling)

What is the difference between Statistical Sampling and Non-Statistical Sampling?
Statistical Sampling:
1. Objective in nature; used to determine the sample size and the selection criteria
2. Quantitative decision
3. Quantifiable result
Non-Statistical Sampling:
1. Subjective; uses the auditor's judgment to determine the sample size and the selection criteria
2. Qualitative decision
3. Non-quantifiable result

In statistical sampling, how is the closeness of the sample to the population determined?
The closeness is represented by the sample's precision.

How does one know that the sample is reliable?
The reliability, or confidence level, is presented as a number between 1 and 100.

How is the final assessment represented in Statistical Sampling?
As a percentage.

What is Sampling Risk?
The risk that the sample is not a true representative of the population, so that the conclusion drawn from the sample is wrong.

What is the confidence coefficient?
It quantifies the probability that the sample is representative; its complement (1 - confidence coefficient) is the probability of error in the sample.

What is the ideal statistical sample?
One in which each item in the population has an equal opportunity of being selected.

What are the two (2) general approaches?
1. Attribute Sampling
2. Variable Sampling

What are the differences between attribute sampling and variable sampling?
Attribute Sampling:
1. Used in compliance testing situations
2. Focuses on whether the attribute is present or absent
3. Output/conclusion is in the form of a rate of incidence
4. A "Yes or No" check
Variable Sampling:
1. More commonly used in substantive testing
2. Focuses on the characteristics of the population, e.g. weight, dollars, etc.
3. Output/conclusion is in the form of deviation from the norm
4. Checks not only for "Yes", but also how much the "Yes" has deviated from the normal


Attribute Sampling
What are the three (3) different methods of proportional attribute sampling?
1. Fixed sample-size attribute sampling
2. Discovery sampling
3. Stop-or-go sampling

What is the difference between Attribute Sampling, Fixed Sample Size Attribute Sampling and Frequency-estimating Sampling?
None; they are all the same.

What are the main features of Fixed Sample Size sampling?
1. Looks for the percentage of occurrence of an attribute
2. Answers questions of the form "how many?"

What are the features of stop-or-go sampling?
1. Avoids excess sampling
2. Useful when the expected occurrences are low

What are the features of Discovery Sampling?
1. Used when the objective is to discover fraud or irregularities
2. Useful when the expected occurrences of events are extremely low


Variable Sampling
What is the difference between variable sampling, mean estimation sampling and dollar estimation sampling?
There is no difference; they are all the same.

What is variable sampling used for?
To estimate a quantitative value, e.g. dollars, weight.

What are the seven (7) items the auditor should consider while evaluating the sample?
1. Determine the objective of the test
2. Define the population
3. Determine the sampling method
4. Determine the sample size
5. Select the sample
6. Evaluate the sample
7. Confirm that the sample is representative of the population


CAAT
What is CAAT?
CAAT stands for Computer-Assisted Audit Technique. These are tools for auditors.

How can CAATs assist auditors?
CAATs assist the IS auditor in the following ways:
1. Access relevant data and information
2. Analyze the data as per the objective of the audit
3. Report findings

Why are CAATs important for the IS auditor?
Today most of the evidence required by IS auditors is not in hard-copy format; rather it is spread over different media across different platforms. The only way of collecting all these pieces of evidence efficiently is by using CAATs.

What are the five (5) functional capabilities of CAATs?
1. The ability to access files across different platforms
2. File manipulation and reorganization, e.g. indexing, sorting, linking and merging
3. Data selection on the basis of criteria and filtering conditions
4. Statistical functions, e.g. sampling, frequency analyses
5. Arithmetical functions

What are some examples of CAAT software?
1. IDEA
2. ACL
3. SQL commands
4. Third-party software
5. Other utility software
Sold as Single Copy Unauthorized Circulation Strictly Prohibited
Copyright 2004 Pacific Information Security Consulting www.PacificIS.com

77

CISA Study Guide in EasyFAQs a. Database auditing software b. Integrity testing software What is GAS? GAS stands for Generalized Audit Software. What are the sources of input for GAS? GAS can read and access the following: 1. Different databases 2. Flat files 3. ASCII files What does GAS do? 1. Collects data 2. Organizes information and sequencing 3. Mathematical computation 4. Stratification 5. Duplicate checks 6. Statistical analysis What are the IS auditors concerns regarding CAAT? Prior to selecting the CAAT software, the IS auditor should check that it does the following: 1. Provides reliable results 2. Does not compromise the integrity of the system 3. Maintain the confidentiality of the client.
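The GAS functions listed above (collecting data from a flat ASCII file, sequencing, duplicate checks, stratification, mathematical and statistical totals) demonstrated on a constructed payments file; this is an added example and not code from the study guide or from any GAS product.

```python
import csv
import io
from collections import defaultdict

# Constructed flat (ASCII, comma-separated) payments file, the kind of input a
# generalized audit software package reads. Two pairs of records share the same
# vendor and amount and are the duplicates the check below should surface.
FLAT_FILE = """payment_id,vendor,amount,pay_date
1001,Acme Supplies,1200.00,2004-03-01
1002,Beta Tools,87.50,2004-03-02
1003,Acme Supplies,1200.00,2004-03-02
1004,Gamma Ltd,15400.00,2004-03-03
1005,Beta Tools,87.50,2004-03-02
1006,Delta Co,4999.99,2004-03-04
1007,Gamma Ltd,250.00,2004-03-05
"""


def load_flat_file(text):
    """Collect data: parse the flat file into records, converting amounts to
    numbers so the arithmetical functions below work on values, not strings."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["amount"] = float(row["amount"])
    return rows


def sequence(rows, key="amount", descending=True):
    """Organize and sequence: sort the file on a chosen field (indexing/sorting)."""
    return sorted(rows, key=lambda r: r[key], reverse=descending)


def duplicate_check(rows, fields=("vendor", "amount")):
    """Duplicate check: group records on the chosen fields and return only the
    groups with more than one member; same vendor + same amount is a classic
    double-payment indicator the auditor follows up on."""
    groups = defaultdict(list)
    for row in rows:
        groups[tuple(row[f] for f in fields)].append(row["payment_id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def stratify(rows, boundaries=(100.0, 1000.0, 10000.0)):
    """Stratification: split the file into amount bands and give count and total
    per band, so the auditor can see where the value sits and, for instance,
    test the top band in full while sampling the rest."""
    edges = [float("-inf"), *boundaries, float("inf")]
    strata = {}
    for lo, hi in zip(edges, edges[1:]):
        members = [r for r in rows if lo <= r["amount"] < hi]
        strata[(lo, hi)] = {
            "count": len(members),
            "total": round(sum(m["amount"] for m in members), 2),
        }
    return strata


def statistics(rows):
    """Mathematical computation / statistical analysis: control totals the
    auditor compares with the totals reported by the auditee's own system."""
    amounts = [r["amount"] for r in rows]
    return {
        "count": len(amounts),
        "total": round(sum(amounts), 2),
        "mean": round(sum(amounts) / len(amounts), 2),
        "max": max(amounts),
    }


if __name__ == "__main__":
    rows = load_flat_file(FLAT_FILE)
    print("largest first:", [r["payment_id"] for r in sequence(rows)[:3]])
    print("duplicates:", duplicate_check(rows))
    print("strata:", stratify(rows))
    print("control totals:", statistics(rows))
```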


What does the CAAT program record and retain?
1. Critical online reports
2. Comments on programs
3. Sample reports
4. Flow charts
5. File layouts
6. Recorded and filed definitions
7. Operating instructions

What type of access is recommended for CAAT programs?
Read-only access.

What are the limitations of CAAT?
1. Might require more resources to install
2. IS auditor may need extensive training on the software
3. Integration with existing applications might be challenging


Evaluating the Audit's Strengths and Weaknesses


What is the next step after the information and evidence for the audit have been gathered?
Develop an audit opinion.

What does the IS auditor do in order to develop an opinion?
1. Uses his/her experience
2. Assesses the results of the evidence
3. With regard to compliance, checks that the controls match the control objectives

How should a control be evaluated?
Controls should match the control objective and should minimize or remove risk or perceived risk.

How is the proper level of control assessed?
Most of the time the Control Matrix is used for this.

How is the Control Matrix constructed?
1. Error types (top axis)
2. Controls (side axis)
3. The matrix is filled in using the ranking method
4. Once completed, the matrix shows the areas where controls are lacking

What are compensating controls?
A strong control in one area can compensate for a weak control in another area. This type of control is known as a compensating control.

What is the difference between a compensating control and an overlapping control?
1. A compensating control is when a strong control takes care of (supports) a weaker control
2. An overlapping control is when two strong controls cover the same area

What should an auditor do regarding a compensating control and overlapping controls?
Prior to reporting the control weakness, the auditor should see whether there are any compensating controls for the weak control area. The auditor should report an overlapping control, as it might not be needed.
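The Control Matrix evaluation described above (error types across the top, controls down the side, cells ranked, then weaknesses, compensating controls and overlapping controls read off per error type), as an added example that is not part of the study guide; the error types, control names and ranks are constructed for illustration.

```python
# Constructed control matrix for the example. Error types run across the top
# axis, controls down the side axis, and each cell holds a rank from 0 (control
# has no effect on that error) to 3 (strong control), filled in by the auditor.
ERROR_TYPES = ["unauthorized program change", "duplicate payment", "loss of data"]

CONTROL_MATRIX = {
    "change approval workflow":
        {"unauthorized program change": 3, "duplicate payment": 0, "loss of data": 0},
    "independent code review":
        {"unauthorized program change": 3, "duplicate payment": 0, "loss of data": 0},
    "invoice number uniqueness check":
        {"unauthorized program change": 0, "duplicate payment": 1, "loss of data": 0},
    "vendor statement reconciliation":
        {"unauthorized program change": 0, "duplicate payment": 3, "loss of data": 0},
    "weekly backup, never restore-tested":
        {"unauthorized program change": 0, "duplicate payment": 0, "loss of data": 1},
}

STRONG = 3   # rank at which a control counts as strong
WEAK = 1     # rank at or below which a control counts as weak


def controls_for(matrix, error_type):
    """Return (control_name, rank) pairs that have any effect on one error type."""
    return [(name, ranks[error_type]) for name, ranks in matrix.items()
            if ranks.get(error_type, 0) > 0]


def classify_error_type(matrix, error_type, strong=STRONG, weak=WEAK):
    """Read one column of the matrix and decide how to report it:
    - 'weakness'     no strong control addresses the error: report it
    - 'compensated'  a weak control exists but a strong one covers the same
                     error, so the weak area is not reported as a weakness
    - 'overlapping'  two or more strong controls cover the same error: report
                     the overlap, since one of them may not be needed
    - 'covered'      exactly one strong control and nothing weak to note"""
    ranked = controls_for(matrix, error_type)
    strong_ctrls = [n for n, r in ranked if r >= strong]
    weak_ctrls = [n for n, r in ranked if r <= weak]
    if not strong_ctrls:
        return "weakness", {"weak": weak_ctrls}
    if len(strong_ctrls) > 1:
        return "overlapping", {"strong": strong_ctrls}
    if weak_ctrls:
        return "compensated", {"weak": weak_ctrls, "compensating": strong_ctrls[0]}
    return "covered", {"strong": strong_ctrls[0]}


def evaluate_matrix(matrix, error_types):
    """Apply the classification to every column and return the findings."""
    return {e: classify_error_type(matrix, e) for e in error_types}


if __name__ == "__main__":
    for error_type, (verdict, detail) in evaluate_matrix(CONTROL_MATRIX, ERROR_TYPES).items():
        print(f"{error_type:30s} {verdict:12s} {detail}")
```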


Materiality of the finding


What is the concept of the materiality of the finding?
This refers to the decision whether to mention a particular finding in an audit report, based on its significance to the audience of the report. If the IS auditor concludes that it is a "material error" and may lead to a larger problem regarding control, it should be reported.

To whom are IS auditors responsible?
1. Senior management
2. The Audit Committee of the Board of Directors

Why should the IS auditor discuss a matter with the management staff before communicating it to senior management?
For two reasons:
1. To get consensus
2. To develop a corrective action plan

What is the end result of the IS audit work?
An Audit Report.

What is the structure of the Audit Report?
1. Introduction
   a. Audit Objective and Scope
   b. Audit Period Coverage
   c. Nature and Extent of the audit
2. Auditor conclusion
3. Auditor reservations
4. Detailed findings and recommendations

Should the audit report only mention the negative points? No; the audit report should report both negative and positive (constructive) points.

Should the IS auditor insist that his/her recommendations be implemented immediately?
No. Immediate implementation might not be possible due to constraints in resources. However, the IS auditor can agree to planned implementation dates, and later the progress of the implementation should be monitored.

Should the IS Auditor mention some of his/her findings in the report, even if modifications are made prior to the report being given to top management?
Yes, the IS auditor should mention all of the findings, as they were at the start of the audit. However, he should mention that the issues are being addressed.

What should the auditor do prior to releasing the report?
1. Discuss the recommendations
2. Establish the planned implementation dates/time of implementation
3. Review and follow up on plans

What is the main spirit behind the audit?
1. Presence of controls based on the risk assessment
2. Where controls are missing, there should be a corrective action plan
3. Once the report has been presented, there should be a follow-up on the corrective action

Do corrective actions resolve all of the problems?
No, the corrective action may result in its own risks and problems.

What happens just prior to the end of the auditing assignment?
An exit interview is conducted.


What is discussed in the Exit Interview?
1. Findings and recommendations
2. Implementation dates
3. Justification of recommendations in terms of realistic approach and cost
4. Discussion of alternative and compensating controls

What is the IS audit documentation?
This refers to the record and evidence of the audit work performed. It contains complete interview questionnaires, notes, system flowcharts, narratives and work papers.


CSA - Control Self-Assessment


What is the CSA?
This is a formal method of examining the existing controls of the system in a professional way.

What are the two methods of self-assessment?
1. Structured questionnaire
2. Automated tools

Is it possible to include outsiders in the CSA?
Yes, if the skills are not available, it can be done.

What is the primary objective of an internal audit?
To shift some of the responsibility from an internal audit to the functional areas.

Does a CSA replace the responsibility of the internal audit?
No, it actually enhances it.

Who is responsible for the controls?
Functional managers, e.g. the line managers.

What are the additional benefits of using a CSA?
1. Education
2. Empowerment of the worker to assess the asset
3. An atmosphere that enhances the control environment


What are the three phases of a CSA?
1. Planning
2. Implementation
3. Monitoring

What is the role of the auditor in a CSA?
1. Assessment facilitator
2. Internal control specialist/professional
3. Leading and guiding the functional people in doing a CSA

How could an auditor understand the business before starting the audit?
1. Preliminary survey
2. Walk-through

What is the first step in a CSA project?
Conduct a meeting with the business unit manager to determine the scope and objective of the CSA.

What are the tools used in a CSA?
1. Management meeting
2. Worksheet
3. Workshops
4. Questionnaire

What development techniques are needed for the CSA program?
1. Information gathering
2. Empowerment
3. Decision-making


What is the main advantage of a workshop-based CSA?
1. Group decision-making
2. Empowerment of the employee

How would you differentiate between the traditional approach and the CSA approach?
1. Traditional Approach: Primary responsibility is on the IS auditor.
   CSA Approach: Primary responsibility is shared between the management and the IS auditor.
2. Traditional Approach: Management and other staff are not directly responsible for the audit.
   CSA Approach: Management and other staff are empowered to have more responsibility.
3. Traditional Approach: Duties are assigned.
   CSA Approach: Empowerment is carried out.
4. Traditional Approach: Rule and policy-driven.
   CSA Approach: Ongoing process of learning and improvement.
5. Traditional Approach: IS auditor involvement is maximum; employee participation is limited.
   CSA Approach: Employee participation is extensive; IS auditor involvement is limited.
6. Traditional Approach: Narrow focus.
   CSA Approach: Broader focus.
7. Traditional Approach: Only auditors and special consultants are involved.
   CSA Approach: Staff members at different levels are involved.


Corporate Governance
What is corporate governance?
This refers to the ethical corporate behavior of top management with regard to supervising, monitoring, controlling and directing the business entity, in order to safeguard the corporate assets and minimize the potential risk. The Organization for Economic Co-operation and Development (OECD) defines it as: "The distribution of rights and responsibilities among different participants in the corporation, such as the Board, managers, shareholders and other stakeholders, and spells out the rules and procedures for making decisions on corporate affairs. By doing this, it also provides the structure through which the company objectives are set and the means of attaining those objectives and monitoring performance".

What are the advantages of proper corporate governance?
1. A framework is formed to manage and report risk.
2. It is an internal method of monitoring, addressing and minimizing risk.


Domain 2: Management, Planning and Organization of the IS


General
What are the five (5) tasks with regard to management, planning and organization?
1. Evaluation of IS Strategy
2. Evaluation of policies and standard procedures
3. Evaluation of management practices
4. Evaluation of organizational structure
5. Evaluation of third party services

Strategic Planning
What is strategic planning all about?
It is concerned with setting objectives, mostly at two levels:
1. Corporate level
2. Departmental level

What is the nature of strategic planning?
1. Time- and project-oriented
2. Determines the priority of the business need

What are the two types of plans?
1. Short-term (i.e. 1 year)
2. Long-term (i.e. 2 years)


Steering Committee
What is the purpose of the steering committee?
To ensure the IS department is in sync with the corporate mission and objectives.

What is the prerequisite for the person who chairs the steering committee?
1. Understanding of the IS
2. Understanding of the risks and issues of the IS

Who should be on the steering committee?
1. The Senior Manager
2. Business Area Representatives

Where are the committee's duties and responsibilities defined?
The committee's duties and responsibilities are defined in the formal charter.

What authority should each member of the committee have?
He/she must have the authority to make a decision in the area that he/she represents on the committee.

What does the committee do?
1. Reviews the short-term and long-term plans
2. Reviews the acquisition of hardware and software regarding substantial investments
3. Monitors the major projects
4. Monitors the IS plans and budget
5. Establishes priorities
6. Approves the policies, standards and procedures
7. Reviews the overall IS performance
8. In some cases provides liaison between the IS and user departments
9. Monitors the availability of the correct resources in terms of time, equipment and staff
10. Monitors and improves the outsourced activities and plans

What are the sources of information for the IS committee?
1. IS department
2. User department
3. Audit department


Policies and Procedures


What is the advantage of having policies and procedures in place?
It shows management's commitment, direction and guidance in developing the IS controls.

How many levels does a policy have?
It differs from organization to organization. However, typically there should be the following levels:
1. Corporate Policy / Policies
2. Department or Division Policies

How can consistency in the policies be developed?
Consistency with regard to policies is achieved by following a top-down approach. The departmental policies should be drawn from the corporate policies. Sometimes there are exceptions at the lower level; policies may be needed to address some immediate issues or as a result of a risk assessment.

What is the difference between the top-down and bottom-up approaches to policy development?
1. Top-Down: Result of a directive from higher management.
   Bottom-up: Result of an immediate issue/risk assessment.
2. Top-Down: Shows the strategic direction.
   Bottom-up: More reactive approach; the operational policies are developed first and corporate policies second, to explain them.
3. Top-Down: Expensive.
   Bottom-up: Less expensive.
4. Top-Down: Sometimes can be a bit abstract.
   Bottom-up: More practical.
5. Top-Down: Consistency is maintained.
   Bottom-up: Inconsistent, and occasionally there may be conflicts.


What are the procedures?
The procedures are the detailed documents containing step-by-step explanations of how to do a particular job.

Are the procedures independent?
No. The procedures are derived from the policy and must implement the intent of the policy. It is preferred that the procedure documents are drawn up on a one-to-one basis.

Which one is more dynamic, policies or procedures?
Procedures are more dynamic, and require frequent reviews and updates.

Why does an IS auditor review the procedure documents?
1. To identify whether the controls exist
2. To evaluate the controls

What if the documented procedures are not relevant?
The procedures are part of the documentation. There is the old cliché: "Document what you do, do what you document". If the operational practice is not what is mentioned in the documented procedures, then there is a discrepancy.

What are the five (5) major types of policies?
1. Business-related policies
2. HR policies
3. Information Security policies
4. Quality management policies
5. Outsourcing policies


What are the six (6) minimum items that HR policies should address?
Hiring policies must address the following, at minimum:
1. Minimum qualification
2. Background checks
3. Confidentiality and Non-Disclosure Agreements
4. Bonding to protect against malicious activity and theft
5. Non-compete agreement (if any)
6. Conflicts of interest

What are the three (3) major risks regarding hiring?
1. Employee is not qualified for the position but is hired.
2. Reference checks were not carried out properly.
3. Lack of awareness of the NDA and Confidentiality Agreement.

What are the minimum ten (10) must-have areas in the Employee Handbook?
1. Security policies and procedures
2. Company mission statement
3. Company culture and expectations
4. Employee benefits
5. Holiday policies
6. Overtime rules (if any)
7. Other employment
8. Evaluation of performance
9. Emergency procedures
10. Disciplinary action in related areas:
    a. Non-compliance with Information Security policies
    b. Excessive absence
    c. Communication of false information

What are the four (4) ways of obtaining promotions, which the promotions policy document should address?
The four ways of obtaining a promotion are as follows:
1. Performance
2. Education
3. Experience
4. Responsibility level

What are the three (3) classifications regarding training?
1. Management training
2. Project handling training
3. Technical training

What are the three (3) ways employees can be rewarded for performance?
1. Salary increment
2. Bonus
3. Promotion

What are the two (2) methods by which management can avoid improper and illegal acts on the part of employees?
1. Mandatory vacation (at least once a year)
2. Job rotation

What are four (4) common reasons for outsourcing work?
1. To take advantage of the outsourcer's core competency
2. To reduce costs and increase profit margins
3. To enhance productivity
4. Flexibility

What should an IS Auditor audit with respect to outsourcing?
1. Outsourcing contract
2. Service Level Agreement or related document
3. Quality of the service
4. Assurance of the continuity of the services
5. Core skill competency and technical knowledge
6. Control procedures
7. Right to audit the facility

What are the five (5) most common areas for outsourcing?
1. Data entry
2. Application development
3. Software maintenance
4. Application migration
5. Call center

What are the seven (7) major disadvantages of outsourcing?
1. Loss of control
2. Loss of internal skills
3. Possibility that skills gained by the vendor can be marketed to the competition (in cases where no agreement is in place)
4. Migrating from one outsourcing company to another is difficult
5. Vendor goes out of business
6. Hidden costs
7. High turnover at the vendor


What are the seven (7) common ways of handling the risks associated with outsourcing?
1. Utilize multiple suppliers who have the scalability to take on more tasks
2. Retain a portion of the money as an incentive
3. Have a cross-functional contract
4. Use quantitative performance measurement with the help of metrics
5. Periodic review
6. Benchmarking
7. Long-term contract broken down into several short-term contracts

Is outsourcing only a cost decision?
No, it isn't; it's more of a strategic decision.

What are the seventeen (17) most common components of the outsourcing contract?
1. Methodology
2. Process
3. Internal structure
4. Quality control
5. Continuity of the business
6. Escalation procedures
7. Audit rights
8. Security clauses for confidentiality, integrity and availability
9. Non-Disclosure Agreement
10. End-to-End Agreement with vendor employees and further outsourcing (if done by the vendor)
11. Security admission
12. Incident reporting and violation reporting
13. Change control
14. Access to the network
15. Performance appraisal
16. Legal clause
17. Exit clause

How can the company ensure that the other party is providing high quality assurance?
Availability of the third party audit report.

What is the US legislation for monitoring the vendor?
SAS 70


Information System Management Practices


What are the five (5) most common key challenges of the IS department?
Below are the five major challenges of the IS Department:
1. People Management: IT staff are highly qualified and in high demand, and hence they switch jobs frequently. One cannot hold an employee longer by means of "normal perks" or managerial titles, so effective people management is important.
2. Management of Change: In large organizations the IS is split into several sub-departments, e.g. Information Security, Technical Support, Help Desk, and so on. Staff might move from one department to another. Managing internal changes such as these can be a challenge.
3. Keeping the process current: Due to the high rate of change in staff, environment and technology, the process needs to be updated.
4. Security: Maintaining the confidentiality, integrity and availability of the ever-changing department.
5. Third Party: Managing third parties is another of the major challenges.


IS Organization Structure and Responsibility


What are the four (4) most common organizational and management controls?
These are the controls that provide the following protections:
1. Tangible or physical environment
2. Proper staffing of the Information Processing Facility (IPF)
3. Proper operation of the IPF
4. Responsibility allocation at the IPF

With special reference to the IPF, what three (3) organizational or management controls can one have?
1. HR-related policies and management practices
2. Separation of duties
3. Controls for efficiency and effectiveness

Why are organizational charts important?
They provide a clear definition of the job responsibility.

Why do the job description and organization structure change quickly?
This is because the nature of Information Technology is very dynamic.

What are the three (3) common components that an IS auditor looks for in the Job Description?
1. Job functions
2. Responsibility
3. Separation of duties

Why is separation of duties important?
To prevent the following:
1. Fraudulent transactions
2. Malicious acts

How can the IS auditor check whether the job description and structure are in place?
1. Observation
2. Spending some time in the auditee's offices


Management Structure
What are the two types of management structure in a typical IT environment?
1. Line Management
2. Project Management

What is the difference between Line Management and Project Management?
1. Line Management: Day-to-day routine job.
   Project Management: One-time effort.
2. Line Management: Might/might not have a specific deliverable.
   Project Management: Specific deliverables or objectives.
3. Line Management: No start and end date.
   Project Management: Start and end date are specified.
4. Line Management: No explicit phases are defined.
   Project Management: Explicit phase definition is a must.
5. Line Management: Headed by a Line Manager.
   Project Management: Headed by a Project Manager.

Who should head the Information Systems Department?
1. Information Technology Director, or
2. Chief Information Officer in a large organization

What are the different positions within the IS department?
1. Control group
2. System Development Manager
3. Help Desk Manager/Supervisor
4. User Service Manager, also known as the End User Support Manager
5. Data Management
6. Database Administrator
7. Technical Support Manager
8. Security Administrator
9. LAN/Network Administrator
10. System Administrator
11. Operations Manager
12. Quality Assurance Manager

What is the difference between a Data Administrator and a Database Administrator?
Data Administrator:
1. Only found in very large organizations
2. Responsible for data architecture
Database Administrator:
1. Found in every organization maintaining a database
2. Responsible for integrity, availability and maintenance of the database

What is the difference between a System Administrator and a Sys Admin?
No difference; they are the same.

From an auditing point of view, which IS functions should be completely separated?
1. Operations
2. Programming

What if no segregation of duties is possible?
In the case where no separation of duties is possible, there should be a very strong compensating control, such as the following:
1. Robust computer security
2. Reconciliation of reports


Project Management
Ideally, who should initiate and prioritize the project?
The IS Steering Committee.

For IS projects, is it necessary that the project manager be a member of the IS staff?
No, there is no such need.

What types of authority and resources does the Project Manager need?
1. Full operational control of the project
2. Appropriate resources regarding IS and user staff

What should be the role of the IS auditor in the project?
1. Control advisor and expert
2. Reviewer

What are the two main areas of the IT Department?
1. Information Processing (IP) and Information Processing Facility (IPF)
2. Application and systems development and enhancement

What does the IP Facility include?
1. Computer operations
2. Telecommunications
3. System programming
4. Librarian functions

What is the difference between Operations and the IPF?
They are the same.


What are the controls of Operations and the IPF?
1. Physical security
2. Data security
3. Processing controls

What is included in the IPF?
1. Computer hardware
2. Software
3. Peripherals
4. Magnetic media
5. Data

What are the controls of the Computer Operations Department?
1. Physical security
2. Data security
3. Processing controls

With respect to the IPF, what area needs the most critical management control?
Data security.


Data Security
What should Data Security encompass?
1. Physical and logical security (logical security relates to access to the computer system and security within the software)
2. Employee education regarding data security as well as privacy

What are the two typical control groups that have processing control?
1. Data Control Group
2. Production Control Group

What are the differences between the Data Control Group and the Production Control Group?
Data Control Group is responsible for:
1. Checking all data
2. Validity of input
3. Accuracy of output
4. Control manual
Production Control Group is responsible for:
1. Job submission
2. Job scheduling
3. Media management

How can the efficiency of the production environment be optimized? Effective scheduling


Data Entry
What are the two types of Data Entry?
1. Batch
2. Online

Who is responsible for the batch data entry?
The Data Control Department.

What tasks does the Data Control Department perform?
1. Receives all source documents, i.e. collection
2. Makes conversions, if any
3. Makes batches and controls input
4. Schedules jobs
5. Verifies the process and output
6. Distributes related information to the respective departments with extreme care

To whom should the Data Control Supervisor report?
The IPF Operations Manager.

What are the advantages of online entry?
1. The end user is more effective
2. More online checks:
   a. Form
   b. Range/Limit
   c. Alphabetic or numeric
   d. Specific values

Who is responsible for the accuracy and completeness of the data entered during online data entry?
The Department Manager is responsible.
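The four kinds of online entry check listed above (form, range/limit, alphabetic or numeric, specific values) applied to one transaction; this is an added example, not code from the study guide, and the order-entry fields and their rules are constructed for illustration.

```python
import re

# Constructed field rules for an online order-entry screen (an assumed layout,
# not one from the study guide). Each rule is one of the check kinds the guide
# lists: form (format), range/limit, alphabetic or numeric, specific values.
FIELD_RULES = {
    "customer_id": {"format": r"C\d{6}"},                     # form: C + 6 digits
    "quantity":    {"numeric": True, "range": (1, 500)},      # numeric + range/limit
    "ship_city":   {"alphabetic": True},                      # alphabetic only
    "priority":    {"values": {"LOW", "NORMAL", "HIGH"}},     # specific values
}


def validate_record(record, rules=FIELD_RULES):
    """Run every online check against one transaction and return a list of
    (field, problem) pairs; an empty list means the transaction may be accepted.
    A re-entered transaction goes through exactly the same checks as a new one."""
    errors = []
    for field, rule in rules.items():
        value = str(record.get(field, "")).strip()
        if "format" in rule and not re.fullmatch(rule["format"], value):
            errors.append((field, f"does not match form {rule['format']}"))
        if rule.get("numeric"):
            if not value.isdigit():
                errors.append((field, "must be numeric"))
            else:
                low, high = rule["range"]
                if not low <= int(value) <= high:
                    errors.append((field, f"outside limit {low}-{high}"))
        if rule.get("alphabetic") and not value.replace(" ", "").isalpha():
            errors.append((field, "must be alphabetic"))
        if "values" in rule and value not in rule["values"]:
            errors.append((field, f"not one of {sorted(rule['values'])}"))
    return errors


def accept_transaction(record, rules=FIELD_RULES):
    """True when the record passes all checks; used identically for first
    entry and for any re-entry after correction."""
    return not validate_record(record, rules)


if __name__ == "__main__":
    good = {"customer_id": "C123456", "quantity": "12",
            "ship_city": "Seattle", "priority": "HIGH"}
    bad = {"customer_id": "123456", "quantity": "0",
           "ship_city": "S3attle", "priority": "urgent"}
    print(validate_record(good))   # []
    for field, problem in validate_record(bad):
        print(f"{field}: {problem}")
```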

What are the controls that should be applied to transactions which are re-entered into the system?
There aren't any special ones; even when a transaction is re-entered, it should be treated as if it is being entered for the first time.

Who is responsible for ensuring the separation of duties in data entry?
Again it is the department manager's responsibility.


Librarian
What is the responsibility of the librarian?
1. Record all the programs
2. Issue programs
3. Receive and safeguard the programs

Should the librarian be full-time or part-time?
It depends upon the size of the organization.

How can a librarian be assisted?
1. Back-up person
2. Library control software


Security Administration
Where should Security Administration begin?
With a commitment from management.

What should be the role of management regarding proper security administration?
Management should do the following:
1. Take due care
2. Understand and evaluate the risk
3. Develop a Security Policy for standards and practices
4. Enforce the Security Policy
5. Ensure the development of proper roles and responsibilities
6. Ensure the proper segregation of duties
7. Ensure compliance with the policy

What if it is only a small shop that cannot dedicate a full-time person?
Rule of thumb: common sense should prevail.

Who should be responsible for day-to-day security monitoring and coordination?
The Security Administrator.

What is the Security Administration supposed to do?
1. Maintain the access rules
2. Ensure confidentiality and integrity regarding the issuance of user IDs and passwords
3. Monitor security incidents and violations
4. Review the Security Policy
5. Conduct and monitor the Security Awareness Program
6. Regularly test the security architecture

Quality Assurance
What are the two (2) major tasks of the Quality Assurance exercise?
1. QA: Quality Assurance
2. QC: Quality Control

What is the difference between Quality Assurance and Quality Control?
Quality Assurance: ensures that quality processes are being followed; ensures that documentation adheres to standards.
Quality Control: performs compliance tests and carries out reviews; tests whether the documentation really adheres to the standards.

What are the four (4) items that the quality assurance person should check?
The QA person should verify that system changes are:
1. Authorized
2. Tested
3. Implemented
4. He/she should also oversee the proper maintenance of the program.

What does the quality assurance program achieve?
1. Active and well-coordinated efforts by the relevant parties
2. Following up on the agreed system development methodology and cycle
3. Stable, controlled enforcement for Operations and Production
4. Review and evaluation of large projects
5. Presence of standards, policies and procedures
6. Proper reporting to management


Is it the responsibility of the QA to check accuracy and authenticity?
Yes!

Can the Quality Group be part of the programming group?
No; either it should be independent, or part of the control group.


Database Administrator
What are the eight (8) most common responsibilities of the DBA?
1. Custodian of the organization's database
2. Design, define and maintain the data structure
3. Optimize performance
4. Educate programmers regarding the database structure
5. Implement access controls, confidentiality controls and integrity controls
6. Make sure the database is available
7. Perform backup and recovery
8. Apply patches when required

To whom does the DBA report?
The Director of IPF/Operations.

What risks are associated with the DBA?
The DBA has access to tools that s/he can use to retrieve all the data.

How can the risk associated with the DBA be addressed?
1. Segregate duties
2. The DBA should only perform management-approved activities
3. A supervisor should review the access log
4. Detection controls for database tools


System Analysts & Application Programmers


What are the responsibilities of System Analysts?
1. Cater to the needs of users
2. Develop requirements
3. Define the functional specifications
4. Design the system

What are Application Programmers responsible for?
Developing the system to run in production.

What risks are related to Application Programmers and what can be done about them?
Application Programmers should only work in test environments and should not have access to production.

What is the difference between application programming and system programming?
Application Programming: develops programs for the business need.
System Programming: develops programs for the system's needs, e.g. the operating system.

What controls should be put in place related to System Programmers?
1. Should have restricted access
2. The activity log must be monitored
3. Should only have access to the libraries they maintain

What are the two (2) types of networks?
1. LAN: Local Area Network
2. WAN: Wide Area Network


Segregation of Duties
What are some of the critical jobs that should be segregated?
1. Access to the computer
2. Production Data Library
3. Production Program
4. Application Development

What are compensating controls?
These are internal controls put in place where there is a potential risk or weakness.
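One way an auditor can test segregation of duties over a duty assignment list, as an added example that is not from the study guide: the conflicting pairs, the user assignments and the compensating-control register are constructed for this illustration, and the function names are assumptions. It flags users holding incompatible duties and treats a recorded compensating control as covering the conflict.

```python
"""Segregation-of-duties review over a constructed duty assignment table.

Added example (not from the study guide).  The conflict pairs, the user
assignments and the compensating-control register are assumptions for this
illustration.
"""
from itertools import combinations

# The four critical duties the guide lists as needing segregation.
ACCESS_TO_COMPUTER = "access to computer"
PRODUCTION_DATA_LIBRARY = "production data library"
PRODUCTION_PROGRAM = "production program"
APPLICATION_DEVELOPMENT = "application development"

# Assumed incompatible combinations: one person who can both develop a program
# and place it (or its data) into production can bypass the change-control path.
CONFLICTING_PAIRS = {
    frozenset({APPLICATION_DEVELOPMENT, PRODUCTION_PROGRAM}),
    frozenset({APPLICATION_DEVELOPMENT, PRODUCTION_DATA_LIBRARY}),
    frozenset({PRODUCTION_PROGRAM, PRODUCTION_DATA_LIBRARY}),
}

# Constructed duty assignments: user -> duties held.
ASSIGNMENTS = {
    "alice": {APPLICATION_DEVELOPMENT, ACCESS_TO_COMPUTER},
    "bob":   {APPLICATION_DEVELOPMENT, PRODUCTION_PROGRAM},
    "carol": {PRODUCTION_PROGRAM, PRODUCTION_DATA_LIBRARY},
}

# Constructed register of compensating controls (for example a supervisory
# review of the audit trail of the user's activity), recorded per user.
COMPENSATING_CONTROLS = {
    "carol": "weekly supervisory review of production change log",
}


def find_conflicts(assignments):
    """Return {user: [(duty_a, duty_b), ...]} for every user holding an incompatible pair."""
    conflicts = {}
    for user, duties in assignments.items():
        pairs = [(a, b) for a, b in combinations(sorted(duties), 2)
                 if frozenset({a, b}) in CONFLICTING_PAIRS]
        if pairs:
            conflicts[user] = pairs
    return conflicts


def review(assignments, compensating_controls):
    """Classify each user as 'ok', 'compensated' (conflict covered by a recorded
    compensating control) or 'exception' (conflict with nothing covering it)."""
    conflicts = find_conflicts(assignments)
    outcome = {}
    for user in assignments:
        if user not in conflicts:
            outcome[user] = "ok"
        elif user in compensating_controls:
            outcome[user] = "compensated"
        else:
            outcome[user] = "exception"
    return outcome


if __name__ == "__main__":
    found = find_conflicts(ASSIGNMENTS)
    for user, status in review(ASSIGNMENTS, COMPENSATING_CONTROLS).items():
        print(user, status, found.get(user, []))
```

With the constructed data, bob is an exception (developer who can change production programs, nothing compensating), carol's conflict is compensated by the recorded review, and alice is clean because holding computer access alongside development is not one of the assumed conflicting pairs.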

Key Responsibilities
Who is responsible for the Transaction Authorization?
Transaction authorization is the responsibility of the User Department.

Who is responsible for reconciliation?
The ultimate responsibility for the reconciliation lies with the user. In some cases, the data control group (if present) can also be responsible.

Who determines the authorization level of the data?
The data owner determines the authorization level.

Who should implement and enforce the security system?
Most of the time the administration group is responsible for implementing security.


Miscellaneous Issues
What are the three (3) ways of implementing data controls?
1. Physical control
2. System control
3. Application control

What controls are provided by the User Department manager?
They are provided with the help of user authorization forms.

What must the authorization forms show?
Evidence of management's approval of the system.

In large organizations, how should an authorization be confirmed as authentic?
Normally, the signature should be compared with the signature in the log register.

How are the "User Authorization Tables" created?
With the help of the authorization forms.

What levels of authorization are provided in a typical authorization table?
1. System authorization
2. Transaction authorization
3. Field-level authorization

What is a typical authorization table called?
Sometimes these tables are also referred to as User Access Control Lists.


What security should be maintained for the Authorization Tables?
1. Secured against unauthorized access
2. Protected by password
3. Preferably encrypted
4. Control log should be reviewed for user activity
5. Any exceptions must be investigated

What are the requirements for reporting exceptions?
1. Handled at the supervisory level
2. Must have evidence

What are the advantages of an audit trail?
1. Tracks the flow of the transaction
2. Acceptable compensatory control if there is no segregation of duties

What information does a typical audit trail contain?
In the case of a typical transaction, the transaction log should contain:
1. The name of the person who initiated the transaction
2. Date
3. Time
4. Transaction type
5. What files changed
6. What fields were affected

Who should perform the proper checks in order to confirm that there is no mismanagement in the system?
1. Management
2. Auditor
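The review of the control log for user activity, with exceptions reported to a supervisor with evidence, can be carried out mechanically by checking each audit trail record against the authorization table. The following is an added example, not from the study guide: the authorization table (with system, transaction and field-level entries), the file-to-system mapping, the log format and the sample log are constructed for this illustration, and the function names are assumptions.

```python
"""Exception review of a transaction audit trail against a user authorization table.

Added example (not from the study guide): a constructed authorization table with
system-, transaction- and field-level entries, and a constructed log in the layout
the guide lists (initiator, date, time, transaction type, file changed, fields affected).
"""

# Constructed authorization table ("User Access Control List"):
# user -> system -> transaction type -> set of fields the user may change.
# "*" means every field of that transaction.
AUTH_TABLE = {
    "jsmith": {"payroll": {"PAY_ADJUST": {"hours", "rate"}, "PAY_VIEW": {"*"}}},
    "rjones": {"payroll": {"PAY_VIEW": {"*"}}},
}

# Constructed mapping from the file names that appear in the log to the system
# (the level at which system authorization is granted) that owns each file.
FILE_SYSTEM = {"PAYMAST": "payroll", "PAYHIST": "payroll", "GLMAST": "ledger"}

# Constructed audit trail: initiator|date|time|transaction type|file changed|fields affected
SAMPLE_LOG = """\
jsmith|2004-03-01|09:12:05|PAY_ADJUST|PAYMAST|hours
jsmith|2004-03-01|09:15:40|PAY_ADJUST|PAYMAST|hours,bonus
rjones|2004-03-01|10:02:11|PAY_ADJUST|PAYMAST|rate
rjones|2004-03-01|10:05:00|PAY_VIEW|GLMAST|
tbrown|2004-03-01|11:30:27|PAY_VIEW|PAYHIST|
rjones|2004-03-01|11:31:02|PAY_VIEW|PAYHIST|
"""


def parse_log(text):
    """Turn the pipe-delimited log into a list of dicts, one per transaction."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, date, time, txn, file_, fields = line.split("|")
        records.append({
            "user": user, "date": date, "time": time, "transaction": txn,
            "file": file_,
            "fields": {f for f in fields.split(",") if f},
        })
    return records


def check_record(rec, auth_table=AUTH_TABLE):
    """Return None if the transaction was authorized, else the reason it is an exception.

    The checks follow the three authorization levels: system, then transaction,
    then field."""
    systems = auth_table.get(rec["user"])
    if systems is None:
        return "user not in authorization table"
    system = FILE_SYSTEM.get(rec["file"])
    if system is None:
        return "file %s not mapped to any system" % rec["file"]
    transactions = systems.get(system)
    if transactions is None:
        return "no system-level authorization for %s" % system
    allowed_fields = transactions.get(rec["transaction"])
    if allowed_fields is None:
        return "transaction %s not authorized" % rec["transaction"]
    if "*" not in allowed_fields:
        bad = rec["fields"] - allowed_fields
        if bad:
            return "field(s) not authorized: %s" % ",".join(sorted(bad))
    return None


def exception_report(text):
    """Exceptions for supervisory review; each carries the original record as evidence."""
    report = []
    for rec in parse_log(text):
        reason = check_record(rec)
        if reason:
            report.append({"reason": reason, "evidence": rec})
    return report


if __name__ == "__main__":
    for item in exception_report(SAMPLE_LOG):
        e = item["evidence"]
        print("%s %s %s %s on %s: %s" % (e["date"], e["time"], e["user"],
                                         e["transaction"], e["file"], item["reason"]))
```

Of the six constructed records, four are exceptions: an unauthorized field (bonus), an unauthorized transaction type, a transaction against a system the user has no authorization for, and an initiator who is not in the table at all. The two records that pass need no follow-up, which is what lets a supervisor concentrate on the exceptions.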

What is the typical checklist for auditing management, planning and the organization?
Checklist for auditing departmental problems in the IPF/Operations:
1. Slow computer response
2. Unfavorable end-user attitude
3. Cost/budget overrun
4. High turnover
5. Too many junior and inexperienced staff
6. Frequent hardware failures
7. Aborted or suspended projects
8. Unsupported hardware
9. Frequent hardware upgrades
10. Generation of many escalation reports
11. Poor motivation and unfavorable end-user attitudes
12. Lack of succession plans
13. Reliance on one or two key people
14. No segregation of duties and compensatory controls

What are the nine (9) most common documents reviewed by IS Auditors while assessing an organization's management and planning?
1. IT Strategy
2. IT plans and budget
3. Security Policy documentation
4. Functional charts
5. Job descriptions
6. Steering Committee reports
7. System development and change procedures
8. Operation procedures
9. HR manuals

Why is Security Policy documentation necessary?
It provides a standard for compliance.

What should a Security Policy identify?
1. Commitment of the organization to implementing security
2. Organization's position regarding security risks
3. Who is responsible for assets
4. Preventive measures
5. Action on violation

What are the three (3) common advantages of job descriptions?
1. Similar jobs are grouped
2. Segregation of duties is identified
3. Possible job duty conflicts are identified

Which document provides information regarding new projects?
The Steering Committee reports/minutes of meetings.

What is the best way to test that individuals are doing what they are supposed to do?
Observation is the best way to ensure that individuals are doing what they are supposed to do.

How can the auditor know if the policies and procedures are understood and practiced?
Observation.

How can the auditor know whether people in a particular area understand the security awareness material?
Observation.

What areas should be looked into when reviewing contractual commitments?
1. Requirement document/contract
2. Bidding document/contract
3. Selection process document/contract
4. Acceptance process document/contract
5. Maintenance process document/contract
6. Compliance document/contract
There should be active management participation in the contract, and the IS auditor should perform an independent compliance review of each.


Domain 3: Technical Infrastructure and Operational Practices


Information System Hardware
What are the five (5) basic components of computer systems?
1. Input devices
2. Central Processing Unit
3. Output devices
4. Primary memory
5. Secondary storage devices

What are the five (5) different types of general-purpose computers?
1. Mainframes: support thousands of users and many applications
2. Mini-computers: support about 200 users
3. Micro-computers: the entire CPU is on a chip
4. Notebooks and laptops: lightweight personal computers, weighing 3 to 10 pounds
5. Personal Digital Assistant (PDA): handheld devices

What are the components of a CPU?
1. ALU (Arithmetic Logic Unit)
2. Control unit
3. Others
   a. Registers, e.g. the Instruction Register
   b. Counter

How do a computer's internal components communicate with each other?
With the help of a high-speed communication line called a bus.

How many types of buses are there?
1. Address bus
2. Data bus
3. Control bus

What is the Address Bus?
A bus that connects the CPU and the main memory. The number of wires indicates how many memory locations are addressable. A PC with an address bus of 36 lines can access a main memory of 64 Gigabytes.

What is the Data Bus?
The data bus carries the actual data that is being processed within the computer.

What is the Control Bus?
The control bus carries signals that report on the status of devices within a computer.

What is a Register?
A register is very high-speed memory within the microprocessor. The two most common forms are:
1. AX: contains the results of arithmetic operations
2. SP: contains the memory address


Memory
What are the seven (7) most common types of computer-related memory?
1. RAM
2. ROM
3. Cache
4. Virtual
5. Real
6. PLD
7. Sequential

What are the characteristics of RAM?
It is susceptible to power loss and is therefore volatile.

What are the two (2) types of RAM?
1. Dynamic RAM: no need to refresh
2. Static RAM: needs to be refreshed

What is a PLD?
Programmable Logic Device: an IC with logic.

What are four (4) common examples of PLDs?
1. Read Only Memory (ROM)
2. Programmable Array Logic (PAL)
3. Computer Programmable Logic Device (CPLD)
4. Field Programmable Gate Array (FPGA)

How is the programming of a PLD carried out?
1. Programming is done through an interface to the chip
2. The circuit is on MOS (Metal Oxide Semiconductor)
3. MOS has transistors
4. Transistors on the MOS are either turned on or off for programming
What is ROM?
ROM, or Read Only Memory, refers to non-volatile memory in which alteration of the content is not possible. It is implemented with the help of one-way fusible links.

What are the types of ROM?
1. EPROM: Erasable Programmable ROM
2. EAROM: Electronically Alterable ROM
3. EEPROM: Electrical EPROM

What are the programs stored in ROM called?
Firmware is the name given to the programs stored in ROM.

What is Real Memory?
It is the portion of the memory where the processed data is stored.

What is Sequential Memory?
This is data stored on a tape.

What is Virtual Memory?
A portion of the hard disk that is treated like memory. It is used to store the least-used data from the primary memory, which can be called back when needed.

What are the characteristics of cache?
1. Very high speed
2. Very limited
3. Managed by cache logic

What is Cache Logic?
It determines which memory contents should be brought into the cache.


Addressing
What are the six (6) most common types of addressing?
1. Register Addressing
   AX Register: contains the results from the microprocessor
   SP Register: contains the memory address
2. Direct Addressing
   This is the actual address in memory. The components that can be called are: memory page, extensions, pages.
3. Absolute Addressing
   Refers to the precise memory location in any program.
4. Indexed Addressing
   Memory addressing is done on the basis of an index register. For referencing memory, the value of the index register is incremented.
5. Implied Addressing
   Some operations may result in a call for memory which is part of the operation. In such a case there is no need to provide the address.
6. Indirect Addressing
   Certain addresses in turn address other addresses.


Instruction Execution Cycle


What are the two (2) basic phases in a machine cycle?
1. Fetch: retrieves the instruction from memory
2. Execute: the instruction is executed

Why are multi-phase clock signals needed?
These signals are needed in order to update the Dynamic RAM.

When are multi-phase signals required?
1. Static RAM: a single-phase clock is needed for static RAM
2. Dynamic RAM: dynamic RAM requires a multi-phase clock

What is a machine cycle?
Machine Cycle = Fetching Instructions + Decoding + Executing

What is the machine cycle matched with?
Machine cycles are matched with clock periods. They are also known as single instructions.

What are the four (4) states in a computer system?
1. Ready State/Run State/Operating State: the system is ready for processing
2. Application Problem-solving State: the system enters this state when it is processing an application problem
3. Supervisory State: executing a privileged instruction
4. Wait State: instructions are waiting to be executed
How can the performance of the system be improved?
It can be improved by overlapping the fetch and execute processes.

What is the difference between a Process and a Thread?
A process is a combination of multiple threads. Processes are normally called by applications. If an application wants to print a document, for example, it will call the printing process.

What are Pipelines?
These are the overlapping steps of fetch, decode and execute.


Input and Output


How does the processor communicate with outside devices?
Interface adapters are used to communicate with the outside world.

What do the interface adapters provide?
1. Data buffering
2. Tunneling
3. Interrupt calls

What is Mapped Memory?
Mapped memory is memory that the adapter claims. The advantage of mapped memory is that the CPU sees no difference between instructions for the memory and for the I/O adapter.

What are the other advantages of memory mapping?
For security reasons, only the CPU can access the memory directly. Application programs access the memory mapper, which in turn addresses the memory.

What is Isolated I/O?
1. A special signal that is sent on the bus
2. Shows that an I/O operation is being executed

What is the significance of isolated I/O and the special signal?
It distinguishes between:
1. I/O operations
2. Memory addresses


What are the advantages of isolated I/O?
1. Does not use address space
2. More memory is available

What is the disadvantage of isolated I/O?
Data access and manipulation is only possible with a small number of I/O instructions.

What are Programmed I/Os?
1. Memory-mapped I/O
2. Isolated I/O

How are multiple interrupts handled?
One of the techniques for handling multiple requests is to nest the interrupts.

What if the CPU does not want to be interrupted?
The CPU can turn off the interrupt.

What are the two (2) ways of moving data in and out of the memory?
1. I/O interface adapters
2. Interrupts

What are Interrupts?
These are electronic signals used to get the attention of the CPU. When they are generated, normal processing stops and the computer responds to the request. The steps are as follows:
1. As soon as the interrupt is received, the computer stops processing
2. Preserves the current state
3. Jumps to the interrupt program
4. Finishes the program
5. Starts the processing again

Basic Languages
What is Machine Language?
It is a language expressed in terms of 0 and 1, i.e. the presence or absence of an electric signal. These are the lowest-level instructions that a computer can understand.

What is Assembly Language?
This refers to a set of mnemonics or abbreviations. Each statement is changed into a single machine-level instruction.

How do you obtain the object code?
Using assembly language as an example:
1. Start with the assembly language program, which is called source code
2. Use an assembler, which is a kind of interpreter
3. The assembler generates code that is understandable to the computer. This code is known as the object code, also known as machine language.

What is the difference between a Resident Assembler and a Cross Assembler?
1. A resident assembler is on the same machine
2. A cross assembler is on another machine

What is a disassembler?
This changes the machine code back into assembly language.

What is a Macro?
This is a group of assembly language statements; also called a sub-routine.

What is the difference between Interpreted and Compiled programs?
Compiled programs are translated into machine language in a single process. Once compiled, they are ready to run. Interpreted programs are processed statement by statement. Sometimes they are kept in the original source code format, and at other times in a somewhat precompiled format. Example: Java is an interpreted language.
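To make the source code, assembler, object code and disassembler relationship concrete, here is an added example that is not from the study guide: a two-pass assembler and matching disassembler for a constructed instruction set. The mnemonics, opcodes, one-byte operands and the sample program are assumptions for this illustration and do not correspond to any real processor; each source statement becomes exactly one machine instruction, as the guide states.

```python
"""Toy assembler and disassembler for a constructed 8-bit instruction set.

Added example (not from the study guide).  The mnemonics, opcodes and the
one-byte operand encoding are assumptions and match no real processor.
"""

# Constructed instruction set: mnemonic -> (opcode, number of operand bytes).
ISA = {
    "LOAD":  (0x01, 1),  # LOAD n  : load constant n into the accumulator
    "ADD":   (0x02, 1),  # ADD n   : add constant n to the accumulator
    "STORE": (0x03, 1),  # STORE a : store the accumulator at address a
    "JMP":   (0x04, 1),  # JMP a   : continue execution at address a
    "HALT":  (0xFF, 0),  # HALT    : stop
}
OPCODES = {code: (name, size) for name, (code, size) in ISA.items()}

# Constructed source program; a label line ends with ':' and ';' starts a comment.
SAMPLE_SOURCE = """
start:
  LOAD 5        ; accumulator = 5
  ADD 0x0A      ; accumulator = 15
  STORE 0x20    ; memory[0x20] = accumulator
  JMP start     ; label resolved by the assembler
  HALT
"""


def assemble(source):
    """Two-pass assembler: pass 1 resolves label addresses, pass 2 emits the object code."""
    statements = [s.split(";")[0].strip() for s in source.splitlines()]
    statements = [s for s in statements if s]
    labels, parsed, addr = {}, [], 0
    for stmt in statements:                      # pass 1: sizes and label addresses
        if stmt.endswith(":"):
            labels[stmt[:-1]] = addr
            continue
        parts = stmt.split()
        mnemonic = parts[0].upper()
        operand = parts[1] if len(parts) > 1 else None
        if mnemonic not in ISA:
            raise ValueError("unknown mnemonic %s" % mnemonic)
        opcode, size = ISA[mnemonic]
        if (operand is None) != (size == 0):
            raise ValueError("operand count wrong for %s" % mnemonic)
        parsed.append((opcode, size, operand))
        addr += 1 + size
    out = bytearray()
    for opcode, size, operand in parsed:         # pass 2: one instruction per statement
        out.append(opcode)
        if size:
            value = labels[operand] if operand in labels else int(operand, 0)
            if not 0 <= value <= 0xFF:
                raise ValueError("operand %s does not fit in one byte" % operand)
            out.append(value)
    return bytes(out)


def disassemble(code):
    """Recover one mnemonic statement per machine instruction from object code."""
    statements, pc = [], 0
    while pc < len(code):
        if code[pc] not in OPCODES:
            raise ValueError("unknown opcode 0x%02X at offset %d" % (code[pc], pc))
        name, size = OPCODES[code[pc]]
        statements.append("%s 0x%02X" % (name, code[pc + 1]) if size else name)
        pc += 1 + size
    return statements


if __name__ == "__main__":
    obj = assemble(SAMPLE_SOURCE)
    print("object code:", obj.hex())
    print("disassembly:", disassemble(obj))
```

Disassembly loses the label name (the JMP target comes back as the numeric address), which is the usual reason object code is harder to review than the source it came from.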
What is better from a security point of view: an interpreter or a compiler?
An interpreter is better, because when a compiler is used a single error might spoil the whole program. It is difficult to debug compiled programs.

What are the different levels or generations of languages?
1. First generation: machine language
2. Second generation: assembly language
3. Third generation: FORTRAN and C
4. Fourth generation: Focus
5. Fifth generation: Prolog and LISP

How does the OS communicate with I/O devices?
With the help of a controller, e.g. the disk controller.

What is the difference between open and closed systems?
An open system is interoperable and vendor-independent; closed systems are not.

What is the major problem in a distributed architecture?
Desktop computers are the main problem.

What are the major problems with desktop computers?
1. Sensitive information
2. Modems
3. Viruses
4. Lack of back-up
5. Games and Trojan horses


What is the difference between multi-tasking, multi-processing and multi-user?
1. Multitasking: two or more programs are run at the same time; each program gets a certain amount of processing time
2. Multiprocessing: more than one processor sharing the same memory
3. Multi-user: more than one user sharing the same computer


Hardware Acquisition
What is an ITT?
Invitation to Tender.

What is contained in an ITT?
1. Description of the organization
2. Requirements
   a. Major application
   b. System type: online/client-server
3. Hardware Specifications
   a. Type of CPU
   b. CPU speed
   c. Peripherals
   d. Additional data entry devices
   e. Additional storage devices
   f. Networking capability
4. System Software
   a. OS type
   b. OS version
   c. Compiler
   d. Program library
   e. DBMS
   f. Networking software
   g. Security and access control software
5. Support Needs Specifications
   a. SLAs for system maintenance
   b. Training
   c. Backup and recovery options
6. Constraints, if any
   a. Availability of the hardware with all options
   b. Delivery date
   c. Staff
   d. Existing capacity
7. Adaptability Requirements
   a. Hardware upgrade
   b. Software upgrade
   c. Openness/compatibility with third-party hardware/software
8. Conversion Requirements
   a. Conversion of existing data and programs
   b. Risk factor of the conversion
   c. Cost/price schedule

What are the typical steps in an acquisition?
Once the ITT has been issued and bids are received, the next steps are as follows:
1. Analysis and comparison of the bids
2. Analysis of the vendor's financial position
3. Analysis of the vendor's technical capability
4. Analysis of the delivery schedule
5. Analysis of the upgrade capability
6. Product security control review
7. Visits to other customers
8. Compiling information on all the vendors
9. Price negotiation
10. Contract review
11. Formal report summarizing the analysis of each alternative and its justification

What criteria should typically be used for the vendor proposal?
1. Response/turn-around time
2. Capacity, workload utilization and throughput

On what should a hardware maintenance program focus?
1. Maintenance should be regular, as per the vendor's specification
2. Deviations from the maintenance contract should be monitored and reported
3. Maintenance cost should not exceed the budgeted cost

What should the hardware monitoring procedures be?
1. Hardware error reports
2. Availability reports
3. Utilization reports

What are the typical criteria for over- and under-utilization?
There is no general rule of thumb; however, if 95 percent or more of the hardware is utilized, it definitely means it is time to free up space or ask for an upgrade. If the utilization is less than 80 to 85%, it means the hardware is under-utilized. Note: in real life, the vendors of the hardware and software should be consulted.

What is Data Management?
The process of controlling file management, I/O operations and data buffering.

What is the difference between Data Management and a Database Management System?
Data Management:
1. Falls under the category of system software
2. Meant for the system
3. Part of the operating system
4. Deals with data buffering, I/O operations and file management
5. Major types of data management regarding files are sequential, indexed sequential and direct random access
6. Commercially available products: ISAM, VSAM from IBM
Database Management System:
1. Falls under the category of application software
2. Meant for the business user
3. Sits on top of the operating system
4. Deals with data definitions and data manipulation in tables
5. Major types of database management are hierarchical, network and relational
6. Commercially available products: Oracle, DB2, SQL Server, Informix

Capacity Management
Who should develop the capacity plan?
It should be based on inputs from user and IS management.

How often should the capacity plan be reviewed?
At least annually.

What are the eight (8) typical components of capacity management?
1. Utilization of CPU
2. I/O channel utilization
3. Storage utilization
4. Bandwidth utilization
5. Terminal utilization
6. Number of users
7. Applications
8. SLAs


Information System Architecture and Software


What are the three (3) main components of hierarchical architectures in computer systems?
1. Hardware
2. Firmware
3. Operating System
All three form the nucleus functions.

What are the basic nucleus functions?
1. Handling interrupts
2. Handling processes
   a. Creation
   b. Destruction
   c. Switching
   d. Synchronization
   e. Inter-process communication
   f. Input process
3. Memory management, allocation and reallocation

How important is the nucleus or kernel?
It is very important, and is a privileged area of critical activity.

What are the seven (7) typical software applications that run on top of the operating system?
1. DBMS
2. Access control software
3. Network and communication software
4. Program library management system
5. Disk management
6. Job scheduling
7. Utility programs

What are the ten (10) common functions provided by the Operating System?
1. User interface
2. Sharing of data and hardware
3. Scheduling
4. Error reporting
5. Communication
6. File management
7. Management of all computer resources and processes
8. I/O management
9. CPU and memory management
10. Network management

How should the performance of the operating system be optimized?
By setting up parameters.

What is the advantage of firmware?
Firmware is located in the hardware and provides a very quick response.

What are four (4) integrity issues related to the operating system?
1. Proper interfacing of the hardware and software
2. Protection of the allocated memory space
3. Process isolation
4. Enforcement of the least security measures


What are the two (2) major operating states of the system?
1. Supervisor state (most privileged state)
2. General user state (most restricted state)

How does IBM OS/390 start?
With an initial program load (IPL), using the file SYS1.PARMLIB.

What are the system configuration files called in the Windows environment?
The registry.


Activity Logging and Reporting Options


What are the four (4) most common areas in a system log?
1. Data file version
2. Access to sensitive data
3. Program schedule log
4. Utility usage

What are the four (4) typical items to check in database monitoring?
1. Error log of the database
2. Access to the database
3. Valid documentation
4. Presence of standards

What items should be checked for access control?
1. Control of access to critical files
2. Control of critical databases and others

What are the three (3) basic data communication transmission standards?
1. Extended Binary Coded Decimal Interchange Code (EBCDIC): uses 8 bits and represents 256 characters
2. American Standard Code for Information Interchange (ASCII): uses 7 bits and represents 128 characters. Some variations do allow 8 bits.
3. Unicode: uses 16 bits and represents 65,000 characters. Standard for representing characters as integers.

CISA Study Guide in EasyFAQs

DBMS
What is a DBMS?
DBMS stands for Database Management System. It is classified as system software that helps to organize, control and distribute data.

What are the ten (10) primary functions of databases?
1. Reduce data redundancy
2. Decrease time of access
3. Data consistency
4. Improve integrity
5. Improve security
6. Data independence
7. Increased interoperability and usability
8. Enforcement of standards
9. Easy maintenance
10. Ad-hoc reporting

What are the different levels at which users can be controlled regarding a DBMS?
1. User level
2. Program level
3. Transaction level
4. File level
5. Record level
6. Field level

CISA Study Guide in EasyFAQs

What are the three (3) different types of DBMS?
1. Hierarchical
   a. Parent-child relationship
   b. A parent can have many children, but each child has one parent
   c. Difficult to express relationships other than parent-child
   d. Easy only if the relationship is hierarchical
2. Network
   a. One-to-many relationship
   b. Children can relate to more than one parent
   c. Good where the inter-relationship is complex but well-defined
   d. Data records are related through a relationship called a SET
   e. A SET can have only one owner but many member records
   f. Allows for the possibility of a reverse pointer
   (Note: in a case where there is a one-to-one relationship with all the nodes in a network, it would be a mesh)
3. Relational
   a. In tabular format, with rows (tuples) and columns (attributes/domains)
   b. Based on set theory and relational calculus
   c. Easy to maintain and modify
   d. Data is independent of the application

What are the five (5) common limitations of a hierarchical DB?
1. May have data redundancy
2. No reverse pointers are allowed
3. Pointers can only be to nodes at lower levels
4. Difficult to relate one child to more than one parent
5. Data is defined by its relationship to the application

What are the three (3) common limitations of the network/mesh DB?
1. Difficult to understand
2. Difficult to modify and maintain
3. Data is defined by its relationship to the application

What are the key issues with DBMS?
1. Aggregation
2. Inference

What is aggregation?
It is the process of combining information from many sources. This may result in new information, which can be very sensitive.

What is inference?
In layman's terms, it means reading between the lines. It means to infer information that is not explicitly mentioned.

What does data normalization mean?
Removing redundancy.

What is the data dictionary?
This is a file that contains the organization of the database. It holds the following:
1. A list of all the files in the database
2. The number of records in each file
3. Field names
4. Type of each field

Do the data dictionaries contain actual data?
No, there is no actual data in the data dictionaries. It is more of a system for managing the database.

Should the data dictionary be shared among the databases?
Yes, the data dictionary can be shared; it results in management having to expend less effort.

What does the data dictionary do?
It interacts with the following:
1. Program library
2. Application
3. Front system

What is the role of the data dictionary in DBMS?
The data dictionary is an integral part of most DBMS, and provides the following functions:
1. Identifies the fields, i.e. data elements
2. Identifies the characteristics of the data fields

What is the difference between an active data dictionary and a passive data dictionary?
Active data dictionary:
1. Repository of data elements
2. Assists in application processing, e.g. validation
Passive data dictionary:
1. Repository of data elements
2. No assistance is provided for application processing

What does the data dictionary contain?
1. Index of the items
2. Description of all items

What are the three (3) types of application controls?
1. Proactive
2. Detective
3. Corrective

What are the eight (8) typical components that the SLA should mention?
1. Basic assumptions and prerequisites
2. Turn-around time
3. Resource utilization
4. Average response time
5. System uptime
6. System set-up time
7. Number of transitions
8. Handling of emergencies

What are the six (6) security concerns regarding distributed systems?
1. Access control
2. Identification
3. Authentication
4. IDS
5. Emergency response
6. Audit trail

What is meta-data?
It is a data element that defines a database. It is most commonly referred to as data about data.

What are the three (3) types of meta-data?
1. Conceptual schema meta-data
2. External schema meta-data
3. Internal schema meta-data

What is data mining?
Finding previously unidentified relationships in the data. Data mining tools can find the following in the data:
1. Trends
2. Anomalies
3. Deviations
4. Correlations

What is normalization?
This is the process of organizing data to minimize redundancy.

How is normalization performed?
1. Normalization is usually performed by dividing a specific table into one or more logical tables
2. Defining relationships between the tables

What are the main objectives of normalization?
1. To isolate data for amendments, additions and deletions
2. Modifications of a particular field are performed on just a single table
3. Modifications are propagated with the help of defined relationships

What are the three (3) major normalization rules?
1. There should be only one value in the attribute
2. There should be an internal structure in the attribute
3. Each row should have a primary key, which should be unique and cannot be empty

How is normalization applicable to the network and hierarchical databases?
Normalization is only applicable to the relational database.

What are the eight (8) typical database controls that an IS auditor should look for?
1. Definition standards
2. Backup and recovery
3. Access controls
4. People authorization
5. Concurrent access
6. Database performance
7. Performance monitoring
8. Response time during peak hours

What is TMS/DMS?
This refers to the Tape Management System/Disk Management System.

What are the six (6) types of information stored in TMS/DMS?
1. Name of the dataset
2. Disk drive name
3. Creation date
4. Expiry date
5. Retention period
6. Effective date
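The two normalization questions above (how it is performed and what its objectives are, and the three rules) can be seen concretely on a small table. The following is an added example written for this guide, not code from the study guide itself: a constructed, denormalized order table in which every order row repeats the customer's name and city is split into a customer table and an order table related through the customer_id column, and a change to one customer attribute is then made once in the parent table instead of once per order row. The table contents, column names and the two helper names are all assumptions made for the example.

```python
# Constructed denormalized order table (not from the study guide): every order row
# repeats the customer's name and city, so those cells are redundant copies.
ORDERS_FLAT = [
    {"order_id": 1, "customer_id": 10, "name": "Acme", "city": "Oslo", "item": "disk"},
    {"order_id": 2, "customer_id": 10, "name": "Acme", "city": "Oslo", "item": "tape"},
    {"order_id": 3, "customer_id": 11, "name": "Beta", "city": "Lima", "item": "disk"},
]


def check_rows(rows, primary_key):
    """Check normalization rules 1 and 3 from the guide: every attribute holds a single
    value, and the primary key is present and unique. Returns a list of violations."""
    problems, seen = [], set()
    for row in rows:
        for attr, value in row.items():
            if isinstance(value, (list, tuple, set, dict)):
                problems.append(f"{attr} holds more than one value in row {row}")
        key = row.get(primary_key)
        if key is None or key == "":
            problems.append(f"empty primary key in row {row}")
        elif key in seen:
            problems.append(f"duplicate primary key {key}")
        seen.add(key)
    return problems


def normalize(flat, key, dependent):
    """Split the attributes that depend only on `key` into their own (parent) table,
    leaving the key column in the remaining (child) rows as the defined relationship."""
    parent, child = {}, []
    for row in flat:
        attrs = {a: row[a] for a in dependent}
        if row[key] in parent and parent[row[key]] != attrs:
            # redundant copies have already drifted apart: an inconsistency, not a design choice
            raise ValueError(f"redundant copies disagree for {key}={row[key]}")
        parent[row[key]] = attrs
        child.append({a: v for a, v in row.items() if a not in dependent})
    return parent, child


def join(parent, child, key):
    """Rebuild the flat view through the relationship (the key column)."""
    return [{**row, **parent[row[key]]} for row in child]


def update_flat(flat, key, key_value, field, new_value):
    """Change a redundant field in the denormalized table; returns the number of rows touched."""
    touched = 0
    for row in flat:
        if row[key] == key_value:
            row[field] = new_value
            touched += 1
    return touched


def update_parent(parent, key_value, field, new_value):
    """The same change on the normalized parent table touches exactly one row;
    every joined order row sees it through the relationship."""
    parent[key_value][field] = new_value
    return 1


if __name__ == "__main__":
    customers, orders = normalize(ORDERS_FLAT, "customer_id", ["name", "city"])
    print("customers:", customers)
    print("orders:   ", orders)
    print("rows touched, flat table:", update_flat([dict(r) for r in ORDERS_FLAT], "customer_id", 10, "city", "Bergen"))
    print("rows touched, parent table:", update_parent(customers, 10, "city", "Bergen"))
    print("joined view after update:", join(customers, orders, "customer_id"))
```

The ValueError in normalize is the practical reason auditors care about redundancy: once two copies of the same fact disagree, the database cannot say which one is correct.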

Job Scheduling
Why is job scheduling used?
For large amounts of batch job processing.

What are the advantages of job scheduling?
1. Job set-up is one-time
2. Job failure will not affect the remaining jobs
3. A log of job success and failure is maintained
4. Operator negligence and errors are reduced

Utility Programs
How are utility programs classified?
Utility programs are classified as system software.

What are the five (5) types of utility program?
1. Logic map for application understanding
   a. Flow chart
   b. Data dictionary
   c. Transaction flow analyzer
2. Data quality tester
   a. Data manipulation program
   b. Comparison and query program
3. Data integrity tester
   a. Online debugging tools
   b. Output analyzer
   c. Network analyzer/simulator
4. Rapid program development tools
   a. Online coding program
   b. Report generator
5. Operation efficiency program
   a. CPU/memory utilization monitor
   b. Telecom analyzer

What should be the auditor's main concern regarding a utility program?
Some utility programs bypass the audit trail, so they can be a security concern.

What are the ten (10) most common concerns when selecting a new "system software solution"?
1. Functional need specifications
2. Technical need specifications
3. Business need specifications
4. Cost/benefits
5. Compatibility
6. Obsolescence
7. Security features
8. Training requirements
9. Scalability
10. Impact on the existing system and environment

Change Control & Software Licensing Issues


What are the needs for a change control procedure?
To ensure that:
1. Changes do not disrupt or interfere with smooth processing
2. Changes are authorized
3. Changes are assessed for negative impacts
4. Proper rollback and recovery procedures are in place
5. No unauthorized changes are being performed

What should an IS auditor do regarding software licensing?
1. Review the policies and procedures for unauthorized software
2. Do random sampling to check that the licenses really exist

How can software license misuse be prevented?
1. Acquire a site license
2. Centralize control, management and distribution of the software
3. Use diskless computers, if possible
4. Scan PCs at regular intervals
5. Use concurrent licenses

Information Systems Network Architecture and Telecom


What are the different types of networks?
1. Local Area Network (LAN): Private switched network
2. Wide Area Network (WAN): Geographically dispersed, connecting nodes across a country or the world
3. Metropolitan Area Network (MAN): Bigger than a LAN, smaller than a WAN
4. Intranet: LAN on the TCP/IP protocol and web services
5. Extranet: Portion of the intranet/special network that is accessible to business partners and others from outside
6. Virtual Private Network (VPN): Secure network communication over a public network

What are the six (6) different types of network services?
1. File sharing
2. Email
3. Remote login
4. Terminal emulation
5. Directory services
6. Network management

What is the communication method that uses unstructured messaging?
Email

What are directory services?
Directory services hold the following information:
1. Network resources
2. Who can access them

What are the functions of network management software?
It provides the following:
1. Status of the network components
2. Live nodes
3. Active nodes
4. Error rate on the communication line
5. Traffic overload
6. Message lengths
7. Others

What is the purpose of standards and protocols?
They provide the following:
1. Open systems
2. Agreed-upon procedures
3. Inter-operability
4. Improved productivity

What are the three major standards organizations?
1. ISO: International Organization for Standardization
2. IEEE: Institute of Electrical and Electronics Engineers. It defines standards for computer manufacture.
3. ITU-T/CCITT: International Telecommunication Union - Telecommunication Standardization Sector. (Previously it was known as the CCITT, Consultative Committee for International Telegraph and Telephone.) It defines standards for public networks.

ISO Layer
What is the ISO/OSI model?
OSI (Open Systems Interconnection model) is a de jure standard. De jure implies a standard accepted as legal by a certain organization. In this case, the standards body is the International Organization for Standardization (ISO).

What is the objective of the ISO/OSI model?
The objectives are as follows:
1. Provide an open standard for equipment manufacturers
2. Provide a benchmark
3. Provide a structured approach for data communication

How many layers are there in the ISO/OSI model?
There are seven layers: three upper layers and four lower layers.

How is data communicated to another system?
Encapsulation in the OSI model occurs at all layers of the source. There are five steps of encapsulation:
1. User information is changed into data
2. Data is changed into segments
3. Segments are changed into packets/datagrams
4. Datagrams are changed into frames
5. Frames are changed into bits (data link, not the physical layer)

Is it correct that there are protocols that correspond to each of the seven layers?
Each of the seven layers does not necessarily describe a protocol. In other words, the seven layers are functions, not protocols. The following points should be noted:
1. Sometimes a protocol communicates with more than one layer
2. Other times more than one protocol is found on a single layer
3. The definition of a layer is logical, not physical

What is the most common phrase used to remember the seven layers?
All People Seem To Need Data Processing

What are the seven layers of the OSI model and what are their functions?
The following are the seven layers of the OSI model and their related functions:

1. Physical Layer
   a. The protocols implemented at this layer are EIA/TIA 232/449/530, V.24, V.34, X.21, G.703, HSSI (High Speed Serial Interface), Token Ring and X.21bis
   b. Keywords: "synchronization of network timing," physical topology-dependent
   c. No addressing schemes at this layer
   d. Moves bits between the devices
   e. Specifies voltage, wire speed and pin-out of cables
   f. Twisted pair, power lines, radio frequency, infrared, fiber optics and co-axial cable
   g. The physical and data link layers are usually implemented together in hardware/software combination solutions
   h. Examples include hubs, switches and network adapters and their applicable software drivers, as well as the media or cables used to connect the network nodes
   i. The remaining layers are usually implemented in software only
   j. Keywords: think of signals and media

2. Data Link Layer
   a. Protocols implemented at this layer are HDLC, SDLC, LAPB, X.25, SLIP, PPP, Token Ring, ISDN, Frame Relay, FDDI and SIP (SMDS Interface Protocol)
   b. Generic (a.k.a. flat) address: the MAC address
   c. Performs physical addressing, determination of network topology, error notification and flow control
   d. Adds four things: MAC address, frame header and CRC, plus changes data into bits
   e. The MAC address is also known as the "physical address", the burned-in address (BIA) or the hardware address
   f. Reliability of data across the physical link
   g. Deals with physical (as opposed to logical) addressing, network topology, network access, error notification, ordered delivery of frames and flow control
   h. The MAC address is 6 bytes long, i.e. 48 bits, represented by 12 hexadecimal digits; the first six digits are the OUI (Organizationally Unique Identifier)
   i. Adds the physical address to the header; the MAC address (limited to the LAN) is also called the physical address
   j. Keywords: flow control, error detection and physical address
   k. Error detection takes place in the data link layer and error correction in the transport layer
   l. Key role: forming the frame; encapsulates the data into the frame (Frame = MAC address + frame header)
   m. Devices are uniquely identified in the data link layer by the MAC address
   n. Combines bits into bytes and bytes into frames; combines packets into bytes and bytes into frames
   o. Frames are sent with appropriate synchronization
   p. Bit error detection/correction and error control
   q. MAC-level encryption is possible
   r. Two sub-layers: Logical Link Control (LLC), more software-related tasks; Media Access Control (MAC), more hardware-related tasks
   s. Keywords: think of frame and MAC; provides access to the media by the MAC sub-layer
   t. Hardware addresses are actually MAC addresses in the data link layer
   u. Performs error detection, not error correction: when frames are rebuilt, the CRC is run and the answer is checked against the FCS field
   v. CDP displays summary information about directly connected devices that operate at the data link layer. The "show cdp neighbors" command displays the ID, local and remote port, holdtime, platform and capability information; "show cdp entry <device id>" displays information including all layer 3 addresses and the IOS version
   w. In the WAN, the encapsulation here is defined as PPP, HDLC, LAPB or Cisco/IETF

3. Network Layer
   a. The protocols implemented at this layer are IP, IPX, ARP, RARP, ICMP, RIP, BGP and OSPF
   b. Generic network address, a.k.a. logical address, protocol address or hierarchical address
   c. The key functions of the network layer are logical addressing and path selection (path selection is accomplished by RIP, OSPF, IPX and DDP)
   d. Keywords: "path determination and packet switching"; routing + logical hierarchy of the address
   e. Responsible for devices not attached locally
   f. If the packet is not for the LAN, it looks in the routing table. If the address is not there either, the packet is dropped
   g. Provides an end-to-end path
   h. Performs network connections, logical channels, segmenting, sequencing and data flow control
   i. Breaks the broadcast domain and breaks the collision domain
   j. Keywords: think of path selection, routing and addressing
   k. Specific: two types of packets are handled: data packets (IP and IPX) and route update packets (RIP, EIGRP, OSPF)
   l. Three basic types of information are found in the routing table:
   m. Network address: the network address table is protocol-specific, one for each protocol if you are running IP and IPX. The router is bilingual; it has signboards in both languages.
   n. Interface: where to send the packet
   o. Metric: how far away is the promised land! It can be determined via hop count, bandwidth, line delay or ticks (1/18th of a second)

4. Transport Layer
   a. Protocols implemented at this layer are TCP, SPX and NBP (Name Binding Protocol)
   b. Generic: flow control + windowing + multiplexing + acknowledgment + connection-oriented management and service (SYN) + parallelization + virtual circuit
   c. Keywords: "connection-oriented service," "end-to-end communication/data transport"
   d. Data going down is segmented at this layer; data going up is reassembled into data streams
   e. End-to-end error recovery, not error reporting
   f. Four functions: segments upper-layer applications; establishes an end-to-end connection; sends segments from one end host to another; ensures reliable data transport
   g. Performs segment/reassemble tasks; segment sequencing (out-of-sequence packets are sequenced here)
   h. Error handling takes place on the transport layer; error notification is on the data link layer
   i. Establishes, maintains and terminates virtual circuits
   j. Fault detection and recovery
   k. Responsible for multiplexing upper-layer applications and establishing sessions
   l. Responsible for flow control; reliability of the data is provided
   m. Flow control (overflow) is controlled at this layer. Regarding flow control, it does the following: segments delivered are acknowledged; any segments not acknowledged are re-transmitted; segments are sequenced on arrival at the destination; the data flow rate is maintained. The example is like a kindergarten teacher managing students on a site visit.
   n. Same three-way SYN connection concept; the same signals are used: buffer, buffer full and ready to send
   o. Three basic functions: flow control (windowing, source-quench, buffering), multiplexing, connection-oriented service
   p. Windowing: the quantity of data segments that the sending machine is allowed to send without waiting for an acknowledgment is known as a window. Windowing is measured in numbers of bytes. A window of size 1 means that one byte is sent before waiting for an acknowledgement; for 3, the sending machine will send 3 and then wait. For example, at an airport check-in counter there are 3 clerks processing passengers. If an acknowledgment is not received, the sending machine will send it out again after the timeout period.
   q. Keywords: think of quality of service and reliability
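The transport layer points above (acknowledgment, retransmission of unacknowledged segments, sequencing on arrival, and the window as the number of segments sent before waiting) can be run as a small simulation. The following is an added example for this guide, not code from the study guide: a sender with a configurable window, a channel that drops chosen sequence numbers once, and a receiver that acknowledges each delivered segment and sequences them. The segment list and the loss pattern are constructed for the example; the window is counted in segments rather than bytes, which is an assumption made to keep the simulation short.

```python
# Constructed sample: six segments to deliver in order (not from the study guide).
SAMPLE_SEGMENTS = [b"s0", b"s1", b"s2", b"s3", b"s4", b"s5"]


def transfer(segments, window, lose_once=()):
    """Simulate sliding-window delivery of `segments`.

    The channel drops each sequence number listed in `lose_once` the first time it is
    sent. The receiver acknowledges every segment it gets and sequences them on arrival;
    after each round (one timeout period) the sender retransmits whatever in its window
    was not acknowledged and slides the window past the acknowledged prefix.
    Returns a summary dict with the in-order data and the transmission counts.
    """
    to_lose = set(lose_once)
    received = {}                 # receiver buffer: sequence number -> segment
    acked = set()                 # sequence numbers acknowledged back to the sender
    sent_once = set()             # sequence numbers that have been on the wire before
    base = 0                      # oldest unacknowledged sequence number (window start)
    transmissions = retransmissions = rounds = 0

    while base < len(segments):
        rounds += 1
        for seq in range(base, min(base + window, len(segments))):
            if seq in acked:
                continue          # already acknowledged: nothing to resend
            transmissions += 1
            if seq in sent_once:
                retransmissions += 1
            sent_once.add(seq)
            if seq in to_lose:
                to_lose.discard(seq)   # lost on the wire this time only
                continue
            received[seq] = segments[seq]
            acked.add(seq)
        # the window slides to the first sequence number still unacknowledged
        while base in acked:
            base += 1

    delivered = [received[i] for i in range(len(segments))]   # sequenced at the destination
    return {"delivered": delivered, "transmissions": transmissions,
            "retransmissions": retransmissions, "rounds": rounds}


if __name__ == "__main__":
    for window in (1, 3, 6):
        print(window, transfer(SAMPLE_SEGMENTS, window, lose_once={1, 4}))
```

Running it with windows of 1, 3 and 6 shows the trade-off the guide describes: a larger window needs fewer round trips, while the losses cost the same number of retransmissions whatever the window size.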

5. Session Layer
   a. Protocols implemented at this layer are NFS, SQL, RPC, X Windows, ASP, ZIP and DNA SCP
   b. Generic: responsible for the session. Establishes, manages, maintains and terminates the "communication session" or dialogue session between applications
   c. Other keywords besides session are "communication between the nodes", "service requests and responses" and "communication"
   d. The session layer keeps the data separate; dialog between devices
   e. The session layer offers: provisions for efficient data transfer; class of service; exception reporting of problems in the session layer, presentation layer and application layer
   f. Keywords: think of dialogues and conversations
   g. Specific examples: NFS, SQL, RPC, X Windows, Zone Information Protocol (ZIP), ASP and DNA SCP (Session Control Protocol)
   h. Offers simplex, half-duplex and full-duplex modes and "creating, maintaining and ending

6. Presentation Layer
   a. Protocols related to this layer are PICT, TIFF, JPEG, MIDI, MPEG, QuickTime, EBCDIC and ASCII
   b. Presents data to the application layer; responsible for data formatting
   c. Keywords: translator for layer 7. Uses ASN.1 (Abstract Syntax Notation One) to negotiate the data transfer syntax. Encrypts data.
   d. Three keywords: data encryption + data presentation + data compression
   e. Generic: ensures the data is readable; formats and structures data; negotiates the data transfer syntax; has a coding and conversion function; compression/decompression; encryption/decryption
   f. Keywords: think of common data format
   g. Specific: graphic image presentation: PICT (Apple image format), TIFF (Tag Image File Format), JPEG (Joint Photographic Experts Group), MIDI (Musical Instrument Digital Interface), MPEG (Motion Picture Experts Group), QuickTime

7. Application Layer
   a. Provides network services to user applications
   b. The application layer establishes the following: availability of the intended communication partners; synchronizes and establishes agreements on the procedures for error recovery; control of data integrity
   c. Verifies the identity of the destination computer
   d. Keywords: think of browser. Acts as a window to the program. Email gateway, EDI, mail gateway
   e. The application layer is different from application software
   f. Protocols: FTP, SMTP, FTAM (File Transfer Access and Management), VTP (Virtual Terminal Protocol), CMIP (Common Management Information Protocol)

What is the most crucial layer when connecting networks?
Layer 3, i.e. the network layer.

How does layer 3 work?
It works on the basis of the network address and the service address.

What is the data called as it travels across the different layers of OSI?
Layer                  Form of data on that layer
Layer 1 Physical       Bits
Layer 2 Data Link      Frame
Layer 3 Network        Packet
Layer 4 Transport      Segment
Layers 5 to 7          Data stream
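The five encapsulation steps, the data link layer points (MAC address, OUI, frame = header + data + CRC, and error detection without correction) and the table of data names above all describe the same journey of one piece of user data down the stack. The following is an added example written for this guide, not code from the study guide: it builds the segment, packet, frame and bit string for a short message, then plays the receiver's data link check by recomputing the CRC and comparing it with the FCS trailer. The MAC and IP addresses are constructed, and the transport and network headers are deliberately simplified (ports and a sequence number; length, TTL, protocol and addresses) rather than the full TCP and IPv4 layouts, which is an assumption of the example.

```python
import struct
import zlib

# Constructed sample addresses for the example (not from the study guide).
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("66778899aabb")
SRC_IP = bytes([10, 0, 0, 1])
DST_IP = bytes([10, 0, 0, 2])

ETH_HDR = 14        # destination MAC (6) + source MAC (6) + EtherType (2)
FCS_LEN = 4         # CRC-32 trailer
IP_HDR = 12         # simplified network header used here (assumption; real IPv4 is 20 bytes)
TCP_HDR = 8         # simplified transport header used here (assumption; real TCP is 20 bytes)


def to_segment(data: bytes, src_port: int, dst_port: int, seq: int) -> bytes:
    """Layer 4: prepend a simplified TCP-style header (ports and sequence number)."""
    return struct.pack("!HHI", src_port, dst_port, seq) + data


def to_packet(segment: bytes, src_ip: bytes, dst_ip: bytes, ttl: int = 64) -> bytes:
    """Layer 3: prepend a simplified IPv4-style header (total length, TTL, protocol 6 = TCP, addresses)."""
    total_len = IP_HDR + len(segment)
    return struct.pack("!HBB4s4s", total_len, ttl, 6, src_ip, dst_ip) + segment


def to_frame(packet: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Layer 2: add destination/source MAC, EtherType 0x0800 (IPv4) and the CRC-32 FCS trailer."""
    body = dst_mac + src_mac + struct.pack("!H", 0x0800) + packet
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


def to_bits(frame: bytes) -> str:
    """Layer 1: the frame as the string of bits placed on the medium."""
    return "".join(f"{byte:08b}" for byte in frame)


def encapsulate(data: bytes, src_port: int, dst_port: int, seq: int) -> dict:
    """Run the encapsulation steps and keep the unit produced at each layer."""
    segment = to_segment(data, src_port, dst_port, seq)
    packet = to_packet(segment, SRC_IP, DST_IP)
    frame = to_frame(packet, SRC_MAC, DST_MAC)
    return {"data": data, "segment": segment, "packet": packet,
            "frame": frame, "bits": to_bits(frame)}


def frame_fcs_ok(frame: bytes) -> bool:
    """Receiver-side data link check: recompute the CRC over the rebuilt frame and compare it with the FCS."""
    body, fcs = frame[:-FCS_LEN], struct.unpack("!I", frame[-FCS_LEN:])[0]
    return (zlib.crc32(body) & 0xFFFFFFFF) == fcs


def decapsulate(frame: bytes):
    """Strip the headers layer by layer; returns None when the FCS does not verify (detect, not correct)."""
    if not frame_fcs_ok(frame):
        return None
    packet = frame[ETH_HDR:-FCS_LEN]
    total_len = struct.unpack("!H", packet[:2])[0]
    segment = packet[IP_HDR:total_len]
    return segment[TCP_HDR:]


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Simulate a single-bit error on the wire."""
    damaged = bytearray(frame)
    damaged[bit_index // 8] ^= 1 << (7 - bit_index % 8)
    return bytes(damaged)


def oui(mac: bytes) -> str:
    """First six hex digits (three bytes) of the MAC address: the Organizationally Unique Identifier."""
    return mac[:3].hex().upper()


if __name__ == "__main__":
    stages = encapsulate(b"hello", 40001, 80, 1)
    for name in ("data", "segment", "packet", "frame"):
        print(f"{name:8s} {len(stages[name]):3d} bytes")
    print("bits    ", len(stages["bits"]))
    print("source OUI:", oui(SRC_MAC))
    print("FCS ok:", frame_fcs_ok(stages["frame"]),
          "after one flipped bit:", frame_fcs_ok(flip_bit(stages["frame"], 100)))
```

The damaged frame is simply discarded; the transport layer, which notices the missing acknowledgment, is where the retransmission happens, exactly the split between detection and recovery that the guide attributes to layers 2 and 4.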

What are some common issues regarding OSI?
1. Authentication: Proper authentication needs to be done at the application level
2. Authorization: Authorization of the operating system and access to the application, as per the rights
3. Log monitoring and auditing: Auditing from Layer 2 to Layer 7, especially on layers 4 and 7
4. Encapsulation: Issue of proper encapsulation at Layer 6
5. Traffic analysis: Traffic analysis at Layer 2 to avoid problems such as ARP poisoning, and at Layer 3 to avoid IP spoofing
6. Routing control: Proper handling of routing management at Layer 4, e.g. route poisoning
7. Other issues: Data integrity and digital signatures

Which layer is responsible for security?
Layer 5, i.e. the session layer, as it manages the sessions and deals with the initiation of new tasks.

What are the differences between Layer 2 and Layer 3 devices?
Layer 2:
1. Cares only about local network segments
2. Cares where hosts are located on the local network
3. Uses the hardware address (the MAC address) to reach a destination
4. Keeps a table of MAC addresses, called a filter table
Layer 3:
1. Also caters to other network segments
2. Cares where networks are located
3. Uses the logical address
4. Keeps a table called a routing table, one for each protocol

What is the difference between a hub and a Layer 2 switch?
Hub:
1. Works on Layer 1
2. Also known as a multi-port repeater
3. Uses a simple hardware address, the MAC address
4. Reads each frame it passes through
5. Amplifies the signal
6. The frame is propagated on the same segment
7. Single collision domain
Layer 2 switch:
1. Works on Layer 2
2. Also known as a multi-port bridge
3. Uses an Application-Specific Integrated Circuit (ASIC)
4. In addition, puts the source hardware address in the filter table
5. Keeps track of the part of the packet that it has received
6. Amplifies the signal as well as acting as a bridge
7. The frame is not propagated on the same segment
8. Each port has its own collision domain

What is the difference between a switch and a router?
Switch:
1. Layer 2 device
2. Faster
3. Single broadcast domain but multiple collision domains
4. Forwards broadcasts to all segments (also called a flat network)
5. A different network (VLAN) is identified by frame tagging
Router:
1. Layer 3 device. The higher the layer, the more intelligent the device
2. Slower than a switch
3. Multiple broadcast domains and multiple collision domains
4. Broadcasts only within the originating network
5. Different networks are identified by the network number, calculated from the default subnet mask

What is the difference between a Layer 2 switch and a Layer 3 switch?
Layer 2 switch: Reads frames; forwards all broadcasts unless on a different VLAN
Layer 3 switch: Looks at the network layer; restricts broadcasts to the required segment
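The network layer description (routing table with network address, interface and metric; the packet is dropped when no entry matches) and the Layer 2 versus Layer 3 comparisons above come down to one decision per packet: is the destination on my own network number, and if not, which routing table entry covers it? The following is an added example for this guide, not code from the study guide, using Python's standard ipaddress module. The routing table, addresses and interface names are constructed; the classful default mask rule (class A /8, class B /16, class C /24) is the one the guide's "default subnet mask" refers to. As a generalization of the guide's single rule, the lookup applies longest-prefix matching so that a more specific entry wins over a broader one.

```python
import ipaddress

# Constructed routing table (not from the study guide): destination network, exit interface, metric.
ROUTING_TABLE = [
    ("10.1.0.0/16", "eth1", 1),
    ("10.1.2.0/24", "eth2", 1),      # more specific entry inside 10.1.0.0/16
    ("192.168.0.0/24", "eth3", 2),
]


def default_mask(ip: str) -> int:
    """Classful default subnet mask as a prefix length: class A /8, class B /16, class C /24."""
    first_octet = int(ip.split(".")[0])
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def network_number(ip: str, mask=None) -> str:
    """Network number = the host address with the host bits cleared by the mask.
    `mask` may be a prefix length (24) or dotted form ("255.255.255.0")."""
    if mask is None:
        mask = default_mask(ip)
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


def same_network(host_a: str, host_b: str, mask=None) -> bool:
    """Layer 2 question: do both hosts carry the same network number?"""
    return network_number(host_a, mask) == network_number(host_b, mask)


def lookup_route(dst: str, table=ROUTING_TABLE):
    """Layer 3 question: longest-prefix match in the routing table.
    Returns (network, interface, metric), or None when no entry matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, metric in table:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface, metric)
    return None if best is None else (str(best[0]), best[1], best[2])


def forward(src: str, dst: str, mask=None, local_iface="eth0"):
    """Decide what happens to a packet from src to dst: switched on the local segment,
    routed out of the interface named in the routing table, or dropped (no route)."""
    if same_network(src, dst, mask):
        return ("switch", local_iface)
    route = lookup_route(dst)
    if route is None:
        return ("drop", None)
    return ("route", route[1])


if __name__ == "__main__":
    for dst in ("192.168.1.20", "10.1.2.7", "10.1.9.7", "172.16.0.1"):
        print(dst, network_number(dst), forward("192.168.1.10", dst, "255.255.255.0"))
```

The "drop" outcome is the one worth remembering from an audit point of view: a packet for which no route exists does not get forwarded anywhere by default, so a missing or wrongly removed route shows up as lost connectivity rather than as traffic leaking to another interface.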

Internet and TCP/IP

What are the different speeds for connecting to the Internet?
1. Dial-up: 56 Kbps
2. T1: 1.544 Mbps
3. T3: 44.749 Mbps

What is a NAP?
1. Network Access Point (NAP) refers to the points between regional networks
2. A NAP routes data to the high-speed BNS (Backbone Network Services), up to 155 Mbps

What are the four layers of the TCP/IP protocol suite?
1. Application layer
2. Host-to-Host layer
3. Internet layer
4. Network layer

What is the difference between the application layer and the process layer?
They are one and the same.

What is the main task of the host-to-host layer?
1. Provides a reliable host-to-host connection
2. Provides a reliable connection
3. Ensures proper sequencing

What is the function of the Internet layer?
1. Assigns the IP address
2. Routing

What are the protocols of the Internet layer?
1. IP
2. ARP
3. RARP
4. ICMP

What does the network layer do?
It handles and monitors the data exchange.

How would you map the 4-layered TCP/IP model to the OSI layers?
TCP/IP layers, with the corresponding OSI layers:
4. Application Layer (OSI 7. Application Layer, 6. Presentation Layer, 5. Session Layer)
   a. Protocol is defined
   b. User interface is maintained
   c. Examples: Telnet, FTP, SMTP, LPD, SNMP, TFTP, NFS, X Windows, DNS
3. Transport (Host-to-Host) Layer (OSI 4. Transport Layer)
   a. Ensures reliable and error-free transmission
   b. Maintains data integrity and sequencing
   c. Examples: TCP/UDP protocols
2. Internet Layer (OSI 3. Network Layer)
   a. Maintains routing
   b. Communication flow between two protocols
   c. Examples: IP, ICMP, BOOTP
1. Network Access Layer (OSI 2. Data Link Layer, 1. Physical Layer)
   a. Monitors the exchange of data between the host and the network layer

What other protocol besides TCP can be used at Layer 4?
UDP is the rival of TCP. Instead of TCP/IP, UDP/IP can be used; it is faster but not as reliable.

Why is TCP so reliable?
1. Connection-oriented
2. Full duplex
3. Creates a virtual circuit

What is the major difference between TCP and UDP?
TCP:
1. Establishes a connection
2. Numbering and sequencing
3. Acknowledgement
4. Windowing
5. Virtual circuit
6. More reliable
7. Similar to a phone connection: a. communication is established, b. conversation, c. occasional "Are you there?", d. goodbye
UDP:
1. Does not establish a connection
2. No sequencing
3. No acknowledgement
4. No windowing
5. No virtual circuit
6. Faster
7. Similar to a postcard: a. write in the address, b. send, c. I have done my job; others will do theirs

Is it only TCP that uses the port number?
No, UDP and TCP both use port numbers.

What is the purpose of the port number?
It is used to keep track of simultaneous traffic from the same IP address. Remember:
1. Originating ports are dynamically assigned and are above 1023
2. The target host's port is the specific (also called the well-known) port
3. UDP has no connection, no error detection and no sequencing
4. With UDP, although no sequencing is performed, numbering is done

What are the four most common types of addresses and port numbers?
Port/address        Used for
Port number         Applications, between the application layer and the transport layer
Protocol number     Between the transport layer and the Internet layer
IP address          Network layer/Internet layer
MAC address         Hardware address, Layer 2

What are some common port numbers of applications?
Port No.   Transport layer   Application
21         TCP               FTP Control
20         TCP               FTP Data
23         TCP               Telnet
53         TCP/UDP           DNS
69         UDP               TFTP
110        UDP               POP3
144        UDP               News

What are some common protocol numbers?
Protocol number   Protocol
1                 ICMP
6                 TCP
9                 IGRP
17                UDP
41                IPv6
46                GRE
111               IPX in IP
115               Layer 2 Tunnel

What is a socket?
With reference to a TCP or UDP packet:
Socket = Source Address + Destination Address + Source Port + Destination Port

What is the role of the IP address and the port number?
IP address: Identifies the computer.
Port number: Identifies the service within a computer.

What is the difference between numbering and sequencing?
Numbering is done at the source host prior to the packets being sent out. Sequencing is done at the target after the packets have been received.
Note: Numbering is done for TCP and UDP, but sequencing is only done for TCP communication.

What are the features of an IP address?
1. The IP address is logical
2. 32 bits
3. IPv6 will be 128 bits
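The socket definition above, the port number rules (originating ports above 1023, the target's well-known port) and the port table come together when a log of connections is turned into a table of conversations. The following is an added example for this guide, not code from the study guide: it parses constructed connection records, extracts the socket (source address, destination address, source port, destination port; the protocol is kept alongside because TCP and UDP number their ports independently), classifies each port as well-known or ephemeral, and counts records per socket. The record format "PROTO src:port -> dst:port" and the sample lines are assumptions made for the example; the service names are the ones in the guide's port table.

```python
import re
from collections import Counter

# Well-known (target) ports as listed in the guide's port table.
WELL_KNOWN = {20: "FTP Data", 21: "FTP Control", 23: "Telnet", 53: "DNS", 69: "TFTP", 110: "POP3"}

# Constructed connection records in an assumed "PROTO src:port -> dst:port" format (not from the guide).
SAMPLE_RECORDS = [
    "TCP 10.0.0.5:40001 -> 10.0.0.9:23",
    "TCP 10.0.0.5:40002 -> 10.0.0.9:23",
    "UDP 10.0.0.5:51000 -> 10.0.0.53:53",
    "UDP 10.0.0.5:51000 -> 10.0.0.53:53",
    "TCP 10.0.0.7:40777 -> 10.0.0.9:21",
]

RECORD = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


def parse_socket(line):
    """Return (protocol, src_addr, src_port, dst_addr, dst_port); the last four fields are the socket."""
    m = RECORD.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    proto, src, sport, dst, dport = m.groups()
    return (proto, src, int(sport), dst, int(dport))


def port_role(port):
    """Ports up to 1023 are the well-known (target) ports; higher ports are dynamically assigned originating ports."""
    return "well-known" if port <= 1023 else "ephemeral"


def service_name(port):
    """Map a well-known port to the application named in the guide's table."""
    return WELL_KNOWN.get(port, "unknown")


def flow_table(lines):
    """Count records per socket: one socket identifies one conversation."""
    return Counter(parse_socket(line) for line in lines)


def sessions_to_service(lines, port):
    """Number of distinct sockets (conversations) whose destination is the given well-known port."""
    return len({sock for sock in flow_table(lines) if sock[4] == port})


if __name__ == "__main__":
    for sock, count in flow_table(SAMPLE_RECORDS).items():
        proto, src, sport, dst, dport = sock
        print(f"{proto} {src}:{sport} ({port_role(sport)}) -> {dst}:{dport} "
              f"({service_name(dport)}): {count} record(s)")
    print("distinct Telnet sessions:", sessions_to_service(SAMPLE_RECORDS, 23))
```

Two records with the same UDP socket collapse into one entry while the two Telnet connections stay separate because their source ports differ: that is exactly why the port number, and not just the IP address, is needed to keep simultaneous traffic from one host apart.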

Network Infrastructure Components


What is a Switch? 1. Layer 2 Switch: A combination of a repeater and a bridge 2. Layer 3 Switch: Switch plus routing function 3. Layer 4 Switch: Additional function of traffic prioritization AND quality of service. What is a Router? Device connecting two networks over layer 3 of the OSI layers. This is different to a bridge, which looks at layer two only. What is the Autonomous System (AS)? AS is never found between a corporation and an ISP. It is almost always part of the backbone component between major service providers. An AS implements its own routing. Routing within AS is performed mostly by OSPF and RIP protocol Routing between AS is performed by BGP protocol. Most of the ISP on Internet communicates with BGP. What is a Brouter? This is a combination of a router and a bridge. First it tries to route the packet. If it is unsuccessful, it will act as a bridge. What is a Gateway? This is more of protocol converter, e.g. a SNA Gateway converts SNA traffic to TCP/IP or NetBIOS What is a Multiplexer? 1. This aggregates multiple communications on a single line. Also know as a MUX. 2. One physical circuit is carrying more than one signal. This happens when the bandwidth of the circuit is more than required by a single circuit. 3. It can also aggregate many low-speed lines into one high speed line.
4. Multiplexing is done according to one of four methods.
What are the four methods of multiplexing?
1. TDM (Time Division Multiplexing): Each channel gets a pre-assigned time slot in a round-robin pattern, whether or not it has data to send; idle slots are wasted.
2. ATDM (Asynchronous Time Division Multiplexing): Time slots are allocated on demand, dynamically, when a channel has data; each slot must therefore carry an identifier of the channel it belongs to.
3. FDM (Frequency Division Multiplexing): Each channel gets its own frequency band; all channels transmit at the same time on different frequencies.
4. Statistical Multiplexing: Bandwidth is allocated to whichever channels have data to transmit, so a line slower than the sum of the inputs can carry the aggregate traffic. It works like ATDM (on demand); the term is normally used for a multiplexer that buffers its inputs and allocates the single output line statistically.
What is a WAN Switch?
Like a LAN switch, the WAN switch works at the data link layer, but for WAN connections such as Frame Relay, X.25 and SMDS. It connects a corporate network, i.e. the private data network, to the public network.
What is an FECP?
FECP stands for Front End Communication Processor. It is a hardware device that frees the mainframe from having to process network (communication) functions.
What is a Protocol Converter?
Protocol converters are types of gateways that convert traffic from one protocol to another, e.g. asynchronous to synchronous.
What are Access Servers?
1. Provide dial-in and dial-out
2. Also work as asynchronous (terminal) servers
3. Make asynchronous connections
4. Connect remote users and serial devices to the LAN
What are CSU and DSU?
Just as modems are a must for analog lines, a CSU/DSU is needed for digital lines.
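The difference between synchronous TDM and statistical (on-demand) multiplexing described above, as an added example that is not from the study guide. The traffic pattern is constructed: one channel bursts, one is silent, one trickles. The point it shows is why TDM wastes slots on bursty traffic and why a statistical multiplexer can feed the same traffic down a slower line, at the cost of tagging every slot with its channel.

```python
"""Added example (not from the study guide): synchronous TDM versus
statistical multiplexing on constructed traffic. Each channel lists how
many units of data it generates per tick; one slot on the line carries
one unit. TDM gives every channel one fixed slot per tick whether it has
data or not; the statistical multiplexer spends slots only on channels
with queued data, at the price of tagging every slot with its channel."""
from typing import Dict, List


def simulate(traffic: Dict[str, List[int]], slots_per_tick: int, statistical: bool) -> Dict[str, int]:
    """Run the multiplexer over the traffic and report line usage and queueing."""
    channels = sorted(traffic)
    ticks = len(traffic[channels[0]])
    if not statistical and slots_per_tick != len(channels):
        raise ValueError("synchronous TDM needs exactly one slot per channel per tick")
    backlog = {c: 0 for c in channels}  # units queued at the MUX input
    idle = tags = max_backlog = 0
    for t in range(ticks):
        for c in channels:
            backlog[c] += traffic[c][t]
        if statistical:
            free = slots_per_tick
            progressed = True
            while free and progressed:  # round-robin over channels that have data
                progressed = False
                for c in channels:
                    if free and backlog[c]:
                        backlog[c] -= 1
                        free -= 1
                        tags += 1  # each slot carries the channel identifier
                        progressed = True
            idle += free
        else:
            for c in channels:  # fixed slot per channel, used or wasted
                if backlog[c]:
                    backlog[c] -= 1
                else:
                    idle += 1
        max_backlog = max(max_backlog, sum(backlog.values()))
    return {"capacity": slots_per_tick * ticks, "idle": idle,
            "max_backlog": max_backlog, "tag_overhead": tags}


# constructed bursty traffic: A sends a burst, B is silent, C trickles
TRAFFIC = {"A": [3, 0, 0, 0], "B": [0, 0, 0, 0], "C": [1, 1, 1, 1]}

if __name__ == "__main__":
    print("TDM ", simulate(TRAFFIC, 3, statistical=False))
    print("STAT", simulate(TRAFFIC, 2, statistical=True))
```

On this traffic the TDM line needs 12 slots and leaves 5 idle, while the statistical multiplexer carries the same 7 units on an 8-slot line with 1 idle slot and the same worst-case queue. The tag overhead is the price: 7 channel identifiers that TDM does not need because its slot position already says which channel it is.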
What is the difference between a CSU and a DSU?
CSU (Channel Service Unit): Terminates the digital line from the local phone company and protects the network from it (line conditioning, loopback testing).
DSU (Data Service Unit): Changes signals from devices like routers into the signals that are transmitted over the digital lines of the local phone company.
Note: Most of the time the CSU and the DSU are the same device (CSU/DSU).
What are some common channels for remote access?
1. Asynchronous (dial-up) line
2. ISDN
3. xDSL
4. Cable modem
5. Wireless
What are the problems with a cable modem?
There is a single, shared coaxial medium, which by itself provides no security, filtering or firewall capability.
1. Links with a speed of up to 50 Mbps
2. All users on the segment share the same medium, so traffic is exposed to the neighbours
3. The connection is always on, so use of a personal firewall is highly recommended
How can remote dial-in access be made secure?
Three common methods are:
1. Restricted IP address (only known addresses are accepted)
2. Caller ID (the calling number is checked against a list)
3. Call back (the server hangs up and calls the user back at a pre-registered number)


Message Transmission Techniques


What are the three types of WAN connection?
1. Leased (dedicated) line
2. Circuit switching
3. Packet switching
How do a dedicated line, circuit switching and packet switching compare?

Criteria | Dedicated line | Circuit switching | Packet switching
Serial type | Synchronous serial | Asynchronous serial | Synchronous serial
Example | Leased line; the hot line between the American and Russian presidents | Typical phone and ISDN; Alice calling Bob; dial-up connection to an ISP | X.25 and Frame Relay; a party line
Connection | Pre-established end-to-end connection; whether or not there is communication, the connection is there | Call-based; the circuit is established prior to communication, and when communication ends there is no connection | Connection is logical and virtual (virtual circuits)
Sharing | Normally not shareable; point-to-point or dedicated path | Not shareable during the call; dedicated path for the duration of the communication | Media are shared; bandwidth is shared
Bandwidth | Up to 45 Mbps (T3) | Low bandwidth; ISDN 128 Kbps | 56 Kbps to 2.048 Mbps
When to use | Constant high-volume traffic | Low-volume data transfer (the "Mom and Pop shop") | Erratic (bursty) traffic

What are the other two switching techniques available besides circuit and packet switching?
1. Line Switching: A temporary connection is established when the number of input channels exceeds the number of output channels.
2. Message Switching: The complete message is sent to a concentration point, which stores it and forwards it (store-and-forward).


Transmission Media
What are the different types of Transmission Media?
Media type | Description
10Base2 | Copper coaxial cable (thinnet), 50-ohm, 185 meters, 30 hosts/segment
10Base5 | Copper coaxial cable (thicknet), 50-ohm, 500 meters, 208 hosts/segment; max 2,500 meters with 1,024 users in total
10BaseT | Cat 3, 4 or 5 UTP, 2 pairs, 100 meters, 1 user/segment, star
100BaseT | Generic name for Fast Ethernet over Cat 5 twisted pair, 100 meters, star
100BaseTX | Cat 5, 6 or 7, 2 pairs UTP, 100 meters, 1 user/segment, star
100BaseT4 | Fast Ethernet over 4 pairs of Cat 3 or better
100BaseFX | Fiber cable 62.5/125 micron, 400 meters (2 km full duplex), 1.3 micrometer (1300 nm) wavelength; uses ST or SC connectors; full duplex; two-strand fiber, point to point
100VGAnyLAN | Incompatible with the Ethernet signaling technique (demand priority instead of CSMA/CD); dead
1000BaseCX | Shielded copper, 25 meters
1000BaseT | Cat 5 (Cat 5e recommended), four pairs, 100 meters
1000BaseSX | Multimode fiber, 62.5 and 50 micron, short-wavelength laser (770 to 860 nm, nominally 850 nm); up to 260 meters on 62.5 micron fiber, 550 meters on 50 micron
1000BaseLX | Single-mode fiber, 9 micron core, 1300 nm; 3 km to 10 km
Radio systems | Broadcast and receive electromagnetic signals; low-powered system at either side
Microwave | Needs line of sight; carries voice and data; affected by atmospheric conditions and solid objects, e.g. sandstorms
Satellite radio link | Operates with a transponder (transponder = receiver + amplifier + transmitter). Each transponder has a different frequency. Bandwidth used by a transponder is 36 MHz. Communication is via a narrow-beam microwave signal. Affected by weather conditions.

What is the limitation of Cat 5 cable?
1. It is not immune to EMI (electromagnetic interference), being unshielded; it also radiates, so it can be tapped without physical contact
2. It was not rated for Gigabit transmission; 1000BaseT in practice needs Cat 5e or better
What is the difference between Baseband and Broadband?
Baseband: One signal at a time on one channel occupying the whole cable (half duplex per channel); the digital signal is put directly on the medium
Broadband: Many signals at a time, each on its own frequency (multi-channel, full duplex); the signals are modulated onto carrier frequencies
What does attenuation mean?
1. When the signal gets weaker with distance, it is known as attenuation
2. Technically speaking, it is a decrease in the amplitude of the wave. To boost the amplitude, amplifiers are used in analog communication (they amplify the noise as well) and repeaters are used in digital communication (they regenerate a clean signal).
What does delay distortion mean?
Different frequency components of a signal travel at slightly different speeds, so parts of the signal arrive late and out of sequence. This leads to delay distortion and intersymbol interference, which result in bits being misinterpreted.
What is Noise?
When there is no signal, the electric current should be zero. When it is not, that current is noise, and it can be mistaken for a signal. Noise also occurs because of crosstalk from neighbouring pairs, e.g. NEXT (Near-End Crosstalk).

Error Detection and Correction Methods


What are the two general methods of controlling transmission errors?
In digital communication it is quite common for a 0 to be changed to a 1 and vice versa. To deal with this, the following controls are recommended:
1. Forward Error Control
  a. Additional (redundant) information is sent with each frame or character
  b. This helps the receiver in two ways:
    i. The receiver knows THAT an error took place
    ii. The receiver knows WHERE the error has taken place, so it may correct it itself
  c. The information sent by the sender must be checked by the receiver, which is extra workload
  d. Used when the network infrastructure is assumed to be poor, or retransmission is expensive or impossible
2. Feedback (Backward) Error Control
  a. Only minimal additional information is sent
  b. The receiver just detects that an error has occurred
  c. Self-correction is not possible; another copy is requested (retransmission)
How are transmission controls implemented?
1. Parity Check
  a. Requires an additional bit per character
  b. The error is detected at the receiving end; an even number of flipped bits in the same character goes undetected
2. Block Sum Check
  a. An extension of parity checking
  b. Checks not only each character but also the block of characters
  c. An additional set of parity bits is computed across the block
  d. A.K.A. block (sum) check character

3. Frame Check Sequence (FCS) or Cyclic Redundancy Check (CRC)
  a. One step more advanced than the parity and block sum implementations
  b. A parity check cannot detect errors at the block level
  c. A block sum check cannot detect errors at the frame level (error patterns spanning several characters can escape both)
  d. To ensure the frame's integrity, a check value (the CRC, typically 16 or 32 bits) computed over the whole frame is appended to the end of the frame; the receiver recomputes it and discards the frame on a mismatch
In summary, errors can be checked at three levels, in ascending order of strength: character (parity check), block (block sum check) and frame (frame check sequence).
Note: None of these is a security control. A CRC detects accidental corruption; an attacker who modifies a frame simply recomputes the CRC. Detecting deliberate tampering needs a keyed integrity check (a MAC), which is what protocols such as IPSEC provide.
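The three levels of error detection above, implemented over constructed data as an added example that is not from the study guide. It shows the weakness the text alludes to: an even number of flipped bits in one character passes the parity check, a rectangular pattern of flips passes the block sum check as well, and only the CRC over the whole frame catches both. The CRC variant chosen is CRC-16/CCITT (polynomial 0x1021, initial value 0xFFFF); any real FCS would do.

```python
"""Added example (not from the study guide): character parity, block sum
check (longitudinal parity) and a CRC over the whole frame, run against
constructed corruption patterns to show what each level can and cannot
detect."""
from typing import Dict


def even_parity_bit(byte: int) -> int:
    """Parity bit that makes the total number of 1 bits in the character even."""
    return bin(byte & 0xFF).count("1") & 1


def parity_check(received: int, parity_bit: int) -> bool:
    return even_parity_bit(received) == parity_bit


def block_sum_check(block: bytes) -> int:
    """Longitudinal parity: XOR of all characters gives the block check character."""
    bcc = 0
    for b in block:
        bcc ^= b
    return bcc


def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """Bit-serial CRC-16/CCITT-FALSE over the frame (the FCS a sender appends)."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ poly) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def detect(original: bytes, received: bytes) -> Dict[str, bool]:
    """Which of the three checks notices that received differs from original?
    The sender's parity bits, block check character and CRC are computed from
    the original; the receiver recomputes them from what actually arrived."""
    parity_ok = all(parity_check(r, even_parity_bit(o)) for o, r in zip(original, received))
    return {
        "parity": not parity_ok,
        "block_sum": block_sum_check(received) != block_sum_check(original),
        "crc": crc16_ccitt(received) != crc16_ccitt(original),
    }


if __name__ == "__main__":
    # constructed corruption: single bit, two bits in one character, 2x2 rectangle
    print("single bit     ", detect(b"A", b"C"))
    print("two bits, 1 char", detect(b"AB", b"BB"))
    print("2x2 rectangle  ", detect(b"AB", b"BA"))
    print(hex(crc16_ccitt(b"123456789")))  # 0x29b1, the standard check value
```

The middle case ('A' to 'B' flips bits 0 and 1, leaving the count of 1 bits unchanged) is exactly the double-bit error parity cannot see; the last case flips the same two bits in two characters, so the XOR of the block is unchanged too, and only the CRC reports it.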

Topology
What are the main topologies?
1. Bus (traditional Ethernet with coaxial cable)
  a. All devices on a single cable
  b. Easy to expand
  c. Heavy traffic degrades the whole network, and a cable fault takes the whole segment down
2. Star
  a. Easy to add more stations
  b. Failure of one station or cable does not affect the others
  c. The central hub or switch is the single point of failure
3. Ring (Token Ring; FDDI)
  a. FDDI uses two rings
  b. One ring is the backup ring
  c. The second ring can alternatively be used for extra bandwidth
4. Mesh
  a. Greatest amount of flexibility and redundancy
  b. Easier to diagnose
  c. High maintenance cost
  d. Not very practical for a full mesh with many nodes
Note: Today most implementations are of the Ethernet type, but the cabling is that of a star. Logically it is an Ethernet bus and physically it is a star.
What are the current trends in LAN technology?
1. 10 Megabit technology (10Base2, 10BaseT and 10Base5) is almost obsolete
2. Fast Ethernet (100 Megabit) networks are used for workstations
3. ATM was once expected to replace 100BaseT, but ATM in the LAN is now a dying breed with the advent of Gigabit Ethernet
4. Cat 5 cabling that was installed earlier with a 15-year warranty to support ATM can no longer be relied on to support the Gigabit network
5. 100VGAnyLAN, once a promising technology to combine Token Ring and Ethernet, is almost dead
6. Servers need Gigabit and clients need 100 Mbps
7. The cost of a typical switch port is about $100/port (2004 figure)
8. SNMP and RMON2 are used for management needs

What is ATM with respect to data communication?
1. Asynchronous Transfer Mode
2. A cell relay standard
3. Cell length is fixed at 53 bytes (5 bytes header + 48 bytes payload)
4. Works at the data link layer
5. Disappearing from the LAN with the advent of the Gigabit network

WAN Wide Area Network


What are the three methods of dataflow?
1. Simplex: one way only
2. Half duplex: either way, but one way at a time
3. Full duplex: either way, at any time
What are the two types of communication line?
1. Switched line
2. Dedicated line
What are the two types of circuit structure?
1. Point-to-point
2. Multi-point

What is the difference between Baseband and Broadband?
Criteria | Baseband | Broadband
Duplex | Half duplex | Full duplex
Channels | Single channel | Multiple channels
Transmissions | Single transmission at a time | Multiple transmissions at a time
Signal | Mostly digital, e.g. a Local Area Network | Mostly analog; the air around you is a medium, and it is broadband (many signals on many frequencies)

What is the difference between a circuit switch and a packet switch?
Criteria | Circuit switching | Packet switching
Connection | Connection-oriented: a circuit is set up end to end before any data flows and held for the duration | No dedicated circuit; packets are routed individually (or over a virtual circuit) and the connection, if any, is logical
Designed for | Originally meant for voice | Meant for data transfer
Traffic | Consistent traffic | Erratic (bursty) traffic
Path | Traffic path is constant and predictable | Traffic path is dynamic
Delay | Fixed delay | Variable delay

What are the six (6) common types of packet switching network?
1. X.25
2. LAPB
3. Frame Relay
4. SMDS (Switched Multimegabit Data Service)
5. ATM
6. VoIP (voice carried over IP packet networks)
What is X.25?
1. Packet switching technology
2. Data is divided into packets (128 bytes by default) and encapsulated in HDLC (LAPB) frames
3. Defines the interface between the user and the network (point-to-point between DTE and DCE)
4. DTE (Data Terminal Equipment) and DCE (Data Circuit-terminating Equipment) are involved
5. Supports SVC (switched virtual circuits) and PVC (permanent virtual circuits)
What is LAPB?
1. Stands for Link Access Procedure, Balanced
2. The layer 2 (HDLC-derived) protocol that supplements X.25
What is Frame Relay?
1. Follow-up to X.25
2. Faster than X.25, with less overhead
3. Works on PVC (Permanent Virtual Circuit) or SVC (Switched Virtual Circuit)
4. Most services use PVC
5. Operates at the data link layer
6. Fast and widely deployed for WAN links
7. Uses the DLCI (Data Link Connection Identifier) to identify each virtual circuit on a link
Limitation: Not ideal for carrying voice or video, as the flow (delay) is not steady.
What are the steps for Frame Relay communication between two sites?
The path of Frame Relay PVC communication between two sites is as follows:
1. PC
2. Router
3. CSU/DSU
4. Demarc (service provider's first point)
5. CO (Central Office, the Frame Relay "cloud")
6. Demarc (service provider's last point)
7. CSU/DSU
8. Router
9. PC
How do Frame Relay and X.25 compare?
Criteria | Frame Relay | X.25
Overhead | Less overhead (no error correction or flow control inside the network) | More overhead (error correction and flow control at every hop)
Assumption | Assumes the infrastructure is less prone to errors | Assumes the infrastructure is not good
Speed | 64 Kbps to 1.544 Mbps (and above) | 64 Kbps
Addressing | Relies on DLCI for multiple circuits | Relies on X.121 addresses
Performance | Fast | Slow

What is SMDS?
Used for public switched networks.
1. Switched Multimegabit Data Service
2. Packet switching technology
3. Connectionless
4. Provides bandwidth on demand
What are the key features of ATM?
1. Used for switching and multiplexing
2. The technology is cell switching rather than packet switching
3. 53-byte fixed-length cells are used
4. Sets up virtual circuits
5. Can provide guaranteed bandwidth and quality of service per virtual circuit
6. Has the ability to allocate bandwidth as and when required (on demand)
7. Can be used in the LAN and the WAN
How is ATM better than Frame Relay?
ATM can guarantee bandwidth and delay (quality of service) for each virtual circuit, which Frame Relay cannot; this is what makes ATM usable for voice and video. Neither of them guarantees delivery: both detect errors (corrupt frames or cells are discarded) but neither retransmits, so recovery is left to the higher layers, e.g. TCP. Frame Relay signals congestion (FECN/BECN) rather than performing flow control.

Other WAN Technologies


What are the features of VoIP?
1. Voice over IP: voice carried as packets over an IP network
2. Follows the H.323 standard; supports data + voice
What is H.323?
1. H.323 can connect a wide variety of systems
2. Supports audiovisual conferencing
3. Interoperability standard for different video-conferencing applications
4. Make sure the video-conferencing solution is H.323 compliant
What is SDLC?
1. An IBM protocol (Synchronous Data Link Control)
2. Successor of the BSC (Binary Synchronous) protocol
3. Concept of a primary station (which gives permission to transmit); all others are secondary
4. Each station has its own address
5. A single line that goes to multiple stations is called a multi-point or multi-drop arrangement
6. Uses polling for media access
7. Can be implemented on any of the following:
  a. Dedicated line
  b. Leased line
  c. Permanent connection
8. SDLC was the basis for HDLC, of which LAPB is a subset
What is HDLC?
High-level Data Link Control

What are the salient features of HDLC?
1. Layer 2 protocol
2. A group of inter-related protocols
3. Data is organized in units called frames
4. Bit-oriented protocol
5. Encapsulation method for synchronous lines
6. It supports
  a. Point-to-point connections
  b. Multi-point connections
7. For each kind of communication line there is a different variation
What are the different HDLC modes?
Implementation | HDLC mode
SDLC (multi-point network) | NRM (Normal Response Mode)
X.25 (old implementation) | LAP (Link Access Procedure)
X.25 (new) | LAPB (Link Access Procedure, Balanced)
ISDN / Frame Relay | LAPD (LAP for the ISDN D channel)
Modem (V.42) | LAPM (LAP for Modem)
How do SDLC and HDLC compare?
SDLC | HDLC
IBM standard | ISO standard
Private, closed network | Open network
Works on dedicated lines | Works on a wide variety of lines
Mainframe environment | Almost all environments
What is HSSI?
1. High Speed Serial Interface
What are the salient features of HSSI?
1. Developed by Cisco and T3plus
2. The serial interface between devices such as a router and an ATM or Frame Relay DSU
3. Plays the same role as RS-232 or V.35 (the DTE/DCE interface) but at T3/E3 speeds, up to 52 Mbps

What is SONET?
1. Stands for Synchronous Optical Network
2. It is the standard for transmission over fiber optic lines
3. When there is a problem on a ring, it automatically switches to an alternative path; that's why it is referred to as "self-healing"
4. Forms an information highway for traffic from ATM switches and other such devices

ISDN
What is ISDN?
Stands for Integrated Services Digital Network. It is a standard for providing a digital service from the customer's premises to the dial-up telephone network. ISDN deals only with digital transmission.
What is ISDN used for?
ISDN can be used for:
1. Adding bandwidth for telecommuting
2. Improving Internet response times
3. Carrying multiple network layer protocols
4. Encapsulating other WAN services
Can analog phones and fax machines be used over ISDN lines?
Analog telephones and fax machines can be used over ISDN lines, but their signals are converted into digital signals by the ISDN terminal adapter (often called an "ISDN modem").
What are the two channels of ISDN?
ISDN uses 64 Kbps circuit-switched channels, called "B channels" (bearer channels), to carry voice and data. It uses a separate D channel (delta channel) for control signals.
1. The D channel signals the carrier's voice switch to make calls, put them on hold and activate features such as conference calling and call forwarding.
2. It also receives information about incoming calls, such as the identity of the caller.
3. As the D channel connects directly to the telephone system's SS7 signaling network, ISDN calls are set up much faster than regular telephone calls.
4. Bonding means adding two B channels together to get 128 Kbps.

What encapsulation method is used for ISDN?
1. Normally, PPP is used to provide encapsulation.
2. For bonding, MPPP (Multilink PPP) is used.
ISDN supports the usual link-layer protocols, such as PPP, HDLC and LAPD (on the D channel).
What are the two types of ISDN?
BRI (Basic Rate Interface) | PRI (Primary Rate Interface)
Two 64 Kbps B channels for data (128 Kbps bonded) | Twenty-three (23) 64 Kbps B channels for data (T1, North America); in Europe there are thirty (30) 64 Kbps B channels (E1)
One 16 Kbps D channel for control | One 64 Kbps D channel for control

What are the private options for connecting a network?
1. Dial-up
  a. SLIP, PPP, ISDN, xDSL
2. Dedicated
  a. Leased line, American standard
    i. DS0: 64 Kbps
    ii. DS1 for T1: 1.544 Mbps (24 DS0s)
    iii. DS3 for T3: 44.736 Mbps
  b. Leased line, European
    i. E1: 2.048 Mbps (32 timeslots)
    ii. E3: 34.368 Mbps
What does PPP provide?
PPP (Point-to-Point Protocol) provides the following:
1. A data link protocol
2. Full duplex, bi-directional
3. Supports PAP and CHAP
4. Implements compression
5. Supports different authentication methods (PAP sends the password in the clear; CHAP uses a challenge-response so the secret never crosses the link)
6. Supports many network protocols besides IP
7. Login and password (authentication before any network traffic is passed)
8. Error detection (an HDLC-style frame check sequence on every frame)
9. Supports synchronous and asynchronous lines, ISDN, Frame Relay and SONET
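PPP's two authentication methods, PAP (RFC 1334) and CHAP (RFC 1994), as an added example that is not from the study guide. The exchange is constructed: the user name, shared secret, identifier and challenge bytes are made up, and the functions stand for the two sides of the dial-up link rather than for any real PPP implementation. It shows why an auditor prefers CHAP: the PAP request carries the password itself, while the CHAP response is a hash over a fresh challenge that is useless once the challenge changes.

```python
"""Added example (not from the study guide): the two PPP authentication
methods, PAP (RFC 1334) and CHAP (RFC 1994), as a constructed exchange
between a dial-in client and an access server. The shared secret, user
name, identifiers and challenge bytes are made up for the demonstration."""
import hashlib
import hmac
import os

SECRET = b"s3cret-dialup"  # constructed shared secret, provisioned on both sides


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request body: the password crosses the link in cleartext,
    so anyone who can tap the line can read it and replay it."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_challenge(size: int = 16) -> bytes:
    """Authenticator side: a fresh, unpredictable challenge for each attempt."""
    return os.urandom(size)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: MD5(identifier || secret || challenge); the secret itself is never sent."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the expected response and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(secret_on_client: bytes, secret_on_server: bytes = SECRET) -> bool:
    """One full CHAP round trip: challenge out, response back, success or failure."""
    identifier = 7  # constructed; in PPP it changes with every challenge
    challenge = chap_challenge()
    response = chap_response(identifier, secret_on_client, challenge)
    return chap_verify(identifier, secret_on_server, challenge, response)


if __name__ == "__main__":
    print(pap_authenticate_request(b"alice", b"hunter2"))  # the password is visible in the bytes
    print(chap_exchange(SECRET))           # True
    print(chap_exchange(b"wrong-secret"))  # False
```

CHAP is still a weak control by today's standards: the server must keep the secret in recoverable form, MD5 is used unkeyed, and a captured challenge/response pair allows an offline dictionary attack on the secret. What it removes is the cleartext password and the trivial replay that PAP allows.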

xDSL (Digital Subscriber Line)


What are the four major xDSLs?
Criteria | ADSL | SDSL | HDSL | VDSL
Downlink | 1.5 to 9 Mbps | 1.544 Mbps | 1.544 Mbps | 13 to 52 Mbps
Uplink | 16 to 640 Kbps | 1.544 Mbps | 1.544 Mbps | 1.5 to 2.3 Mbps
Distance | 18,000 feet | 10,000 feet | 12,000 feet | 1,000 to 4,500 feet
What is the advantage of DSL lines?
The user is always connected (no dial-up), usually with a fixed IP address. The flip side is that an always-on host with a stable address is a permanent target, so a firewall in front of it is a must.

VPN
What exactly is a VPN?
It is a secure (authenticated and encrypted) channel between two nodes or two networks over an untrusted network.
What are the three (3) most common protocols for VPN?
1. PPTP
2. L2TP
3. IPSEC
What is PPTP?
This stands for the Point-to-Point Tunneling Protocol. Its key features are as follows:
1. Works at the data link layer
2. Provides a point-to-point connection
3. Can use an asynchronous (dial-up) link
4. Uses PPP for authentication and encapsulation
5. Runs only over IP networks (the PPP payload it carries can be IP or another protocol)
What is L2F?
1. Layer 2 Forwarding protocol (Cisco)
2. Has limited capability
3. No encryption of its own
What is L2TP?
L2TP is the Layer 2 Tunneling Protocol: L2TP = PPTP + L2F
1. Point-to-point connection
2. Works over IP and other networks (Frame Relay, ATM)
3. Data link protocol
4. L2TP is normally used to support dial-up (remote access) VPNs
5. L2TP has no encryption of its own; in practice it is run over IPSEC (L2TP/IPSEC)
What is IPSEC?
This refers to Internet Protocol Security, which specifies the security architecture and the set of protocols that provide security services (authentication, integrity, confidentiality, anti-replay) for Internet traffic. One of the services it provides is the VPN, i.e. Virtual Private Network.
How is IPSEC unique?
1. IPSEC is a layer 3 protocol; the others are layer 2 protocols
2. Provides the option for multiple tunnels
3. IPv6-ready (IPSEC was designed into IPv6 from the start)
4. Used for network-to-network tunneling
How many types of VPN devices are there?
1. IPSEC-compliant
  a. Tunnel mode
    i. The entire original IP packet (header and payload) is encrypted and a new outer IP header is added, so an observer sees only the gateway addresses
  b. Transport mode
    i. Only the payload is encrypted; the original IP header is not, so the endpoint addresses are visible
  Note: The encryption comes from ESP (IP protocol 50). AH (IP protocol 51) provides integrity and authentication only, with no encryption, in either mode.
2. Non-IPSEC compatible
  a. Firewall-based VPN
    i. Part of the firewall or provided as an add-on
    ii. Available from third-generation firewalls onwards
    iii. Operates at the application level, mostly in tunnel mode
    iv. The performance of the firewall is a major issue
  b. SOCKS-based
    i. Used for VPN and firewall purposes
    ii. Enables connections from the outside to the inside network through a proxy
    iii. Strictly speaking not a VPN protocol, but provides almost the same functionality
    iv. Provides encryption and authentication (SOCKS v5 with the appropriate extensions)
    v. Operates at layer 7 (session/application proxy)
  c. PPTP
    i. Used more with Windows 9x and NT servers
    ii. Supports multiple protocols inside the tunnel
    iii. Uses PAP and CHAP (MS-CHAP) for authentication and MPPE for encryption
  d. SSH
    i. Although not classified as a true VPN, it performs almost the same function for the traffic it carries (port forwarding)
    ii. Gives an encrypted shell at the command line
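The tunnel mode versus transport mode distinction from the IPSEC entry above, as an added example that is not from the study guide. The packets are constructed, the addresses come from the RFC 5737 documentation ranges, and the "encryption" is a placeholder XOR standing in for ESP's real cipher (it shows the layout and nothing more). The question it answers is the one an auditor asks of a site-to-site VPN: what can a sniffer on the path still read?

```python
"""Added example (not from the study guide): what an on-path observer can
read from an IPSEC packet in transport mode versus tunnel mode. Packets
are constructed; addresses come from the RFC 5737 documentation ranges.
The "encryption" is a placeholder XOR standing in for ESP's real cipher,
which is enough to show the header layout; it is not a cipher to reuse."""
import socket
import struct
from typing import Tuple

ESP = 50   # IP protocol number of ESP (AH is 51 and provides no encryption at all)
PLACEHOLDER_KEY = 0x5A


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; the checksum is left zero, it is not the point here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def placeholder_encrypt(data: bytes) -> bytes:
    """Stand-in for the ESP cipher (NOT real encryption)."""
    return bytes(b ^ PLACEHOLDER_KEY for b in data)


def esp_transport(src: str, dst: str, inner_proto: int, payload: bytes) -> bytes:
    """Transport mode: the original IP header stays in clear; only the payload
    (plus the ESP trailer naming the next header) is encrypted."""
    esp_header = struct.pack("!II", 0x1001, 1)          # SPI, sequence number (constructed)
    body = placeholder_encrypt(payload + bytes([inner_proto]))
    return ipv4_header(src, dst, ESP, len(esp_header) + len(body)) + esp_header + body


def esp_tunnel(gw_src: str, gw_dst: str, src: str, dst: str, inner_proto: int, payload: bytes) -> bytes:
    """Tunnel mode: the whole original packet, header included, is encrypted and
    a new outer header carrying the gateway addresses is prepended."""
    inner = ipv4_header(src, dst, inner_proto, len(payload)) + payload
    esp_header = struct.pack("!II", 0x2002, 1)
    body = placeholder_encrypt(inner + bytes([4]))       # next header 4 = IP-in-IP
    return ipv4_header(gw_src, gw_dst, ESP, len(esp_header) + len(body)) + esp_header + body


def observed(packet: bytes) -> Tuple[str, str, int]:
    """What a sniffer on the path reads from the cleartext outer header."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), packet[9]


def leaks_inner_address(packet: bytes, inner_addr: str) -> bool:
    """Does the endpoint address appear anywhere in the packet in cleartext?"""
    return socket.inet_aton(inner_addr) in packet


if __name__ == "__main__":
    data = b"GET / HTTP/1.0\r\n\r\n"
    t = esp_transport("192.0.2.10", "198.51.100.20", 6, data)
    u = esp_tunnel("203.0.113.1", "203.0.113.2", "192.0.2.10", "198.51.100.20", 6, data)
    print("transport:", observed(t), leaks_inner_address(t, "192.0.2.10"))
    print("tunnel:   ", observed(u), leaks_inner_address(u, "192.0.2.10"))
```

In transport mode the observer learns the two hosts talking (and, from the lengths and timing, a fair amount about what they do); in tunnel mode only the two gateways are visible, which is why network-to-network VPNs use tunnel mode. Both modes still expose the SPI and sequence number, which is enough to count and correlate flows.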

Communication Basics - Wireless


What are the carriers for wireless communications?
1. Radio waves
2. Light waves
How fast does a wireless carrier travel?
1. 186,000 miles per second (300,000 km/sec), the speed of light
2. It could travel around the world in about 1/7th of a second
What is the difference between wireless and cordless (as the terms are used here)?
Wireless: Radio-based devices, using technologies such as WiFi and Bluetooth, which do not require LOS (line of sight). Their signals also pass through walls, which is why they need encryption and authentication.
Cordless (infrared): Devices such as the infrared ports on notebooks and TV remote controls, which do require LOS.
What is the EMS?
EMS: Electromagnetic Spectrum (the range of electromagnetic waves). It includes the following:
1. Radio waves
2. Ultraviolet rays
3. Infrared rays
4. X-rays
5. Gamma rays
The parts of the EMS differ in wavelength (and hence frequency).
What are the ten (10) common categories of waves?
1. Sound waves: Audible waves (pressure waves in air, not electromagnetic)
2. Radio waves: Used for radio, television, aircraft radar, space communication with earth, mobile and cordless phones, walkie-talkies and CB (Citizens Band)
3. Microwaves: Used for cooking and communication. Waves range from 1 to 100 centimeters long
4. Infrared waves: Heating effect used in medical equipment. Weak infrared waves are used in TV and hi-fi remote controls. Wavelengths are slightly longer than those of visible red light.
5. Light waves: Waves that can be seen. Have seven colors
6. Ultraviolet rays: Used for killing germs and sterilizing food. Skin tans in summer because of ultraviolet rays.
7. X-rays: Used in medical science for taking X-ray images and also for killing cancer cells. They pass easily through soft substances, e.g. flesh, but much less through dense substances such as bone and metals.
8. Laser rays: One pure color; all waves are of exactly the same length (and in phase)
9. Gamma rays: Produced when atoms break up. The presence of gamma rays shows the presence of radioactive elements or a nuclear reaction.
10. Cosmic rays: Rays from outer space. They may come from massive exploding stars.
What are the three methods of measuring EMS?
1. Amplitude: Height of the wave
2. Wavelength: Distance from a certain position on one wave to the same position on the next wave
3. Frequency: Number of waves passing a fixed point each second, measured in Hertz (Hz)
Note: Most of the spectrum is referred to by frequency, i.e. in terms of Hz.
What is the difference between FM and AM?
1. FM: Frequency Modulation
  a. Measured in Megahertz (MHz)
  b. FM 100 means it is sending 100 million radio waves each second
  c. Higher quality of sound
  d. Stereo sound
  e. Less prone to weather conditions
  f. Fades quickly (shorter range)
  g. Because of the short range, each city can have its own "FM 100" on the same frequency
2. AM: Amplitude Modulation
  a. Provides greater range
  b. More susceptible to bad weather
Where are KHz, MHz and GHz used?
Audible range: measured in Kilohertz (KHz)
Radio waves: measured in Megahertz (MHz)
Radio waves for wireless LAN and microwave: measured in Gigahertz (GHz)
What are the different Electromagnetic Spectrum frequencies?
Frequency | Explanation
20 Hz to 20 KHz | Audible range
3 KHz to 300 GHz | Radio waves
900 MHz, 2.4 GHz, 5 GHz | Wireless LAN and cordless range
2.45 GHz | Microwave oven
1 THz to 10^14 Hz | Infrared
10^15 Hz | Visible light
10^18 Hz | X-rays
10^21 Hz | Gamma rays
10^24 Hz | Cosmic rays

Why do wireless devices have problems working near a microwave oven?
802.11b (and 802.11g) shares the same band of the EMS as the oven, i.e. 2.4 GHz (ovens operate at about 2.45 GHz), so the oven's leakage is interference for the wireless LAN.

Mobile Phone Communication AMPS (1G)


What is AMPS?
a. AMPS: Advanced Mobile Phone Service
b. Analog mobile phone system for non-digital cellular phones
c. A 1G (first generation) standard which operates in the 800 to 900 MHz frequency band of the radio spectrum
d. Mainly in the US, and also Latin America, Australia, New Zealand, certain parts of Russia and Asia-Pacific
e. Uses frequency-modulated transmission
f. Uses frequency spacing to separate user transmissions, i.e. the FDMA (Frequency Division Multiple Access) transmission technology
g. One of the original cellular phone services, relying on frequency division multiplexing. Being analog and unencrypted, its calls can be picked up with a radio scanner.
What are the disadvantages of AMPS?
1. More energy is needed to make calls and to monitor for calls
2. Sound quality is not good
What is NAMPS?
1. NAMPS stands for Narrowband Advanced Mobile Phone Service
2. Considered to be the "next generation" analog version of the AMPS system
3. It uses some digital technology (for signaling)
4. Allows the network to carry three times the number of conversations
5. Provides enhanced user features such as Short Message Service (SMS) and voice mail notification
6. It automatically switches to AMPS mode when the user moves to an area where NAMPS is not available

Mobile Phone Communication GSM (2G)


What is GSM?
i. GSM: Global System for Mobile Communications (originally "Groupe Spécial Mobile")
ii. GSM is a digital cellular radio communications system
iii. The standard used by second generation (2G) mobile phones (including WAP phones)
iv. Developed in the 1980s
v. GSM was first deployed in seven European countries in 1992; now adopted by over 85 countries
vi. The GSM standard is currently used in the 900 MHz and 1800 MHz bands (1900 MHz in North America)
vii. GSM networks are being built as an alternative to current AMPS systems
viii. The SIM (Subscriber Identity Module) card is a vital component in GSM operation: the SIM holds the subscriber's identity and key, so it can be plugged into any GSM-compatible phone to personalize that phone to the user. GSM uses narrowband TDMA, which allows eight simultaneous calls on the same radio frequency.
ix. It provides digital voice and low-speed (c. 9.6 Kbps) data services
x. It is not mainstream in the USA
What are the advantages of GSM?
i. Narrowband TDMA allows eight simultaneous communications per frequency
ii. GSM provides both incoming and outgoing data services, such as email, fax and Internet surfing
iii. Digital transmission with encryption over the air link, so the casual scanner eavesdropping possible with analog AMPS does not apply

Mobile Phone Communication CDMA/PCS (2G)


What is CDMA?
1. CDMA: Code Division Multiple Access
2. It is one of several digital wireless transmission methods
3. Originally developed for military use over 30 years ago
4. A 2G digital wireless standard; the current implementation was developed by Qualcomm to compete with GSM
5. CDMA offers data speeds of about 14.4 Kbps
6. Available in either the 800 or the 1900 MHz frequency band
7. In CDMA, signals are encoded using a pseudo-random sequence; each sequence corresponds to a different communication channel
8. CDMA is a "spread spectrum" technique
9. The CDMA standards used for second-generation mobile telephony are the IS-95 standards

What are the advantages of CDMA?
1. CDMA offers improvements over analog transmission
2. Reduced call dropping
3. Battery power conservation
4. More secure transmission (the spreading code makes casual interception harder)
5. More service options

How is CDMA different from GSM?
1. GSM uses time division multiplexing (TDMA)
2. CDMA does not assign any specific frequency or time slot to each user
3. Every channel in CDMA uses the full available spectrum
Where is CDMA used?
1. CDMA is mostly used in the United States, while Europe and Asia prefer GSM
2. Also used in Canada, Australia and some Asian markets, e.g. South Korea and Hong Kong
What is the difference between CDMA and TDMA?
CDMA: Code Division Multiple Access is a digital technology that works on spread spectrum by digitizing multiple conversations, attaching a code known only to the sender and receiver, and then dicing the signals into bits and re-assembling them. Most commonly used in PCS.
TDMA: Time Division Multiple Access is also a digital technology; it works on time
division multiplexing to allow multiple users to share the same voice channel. Each conversation is transmitted alternately over short slices of time. Most commonly used in GSM.
What is PCS?
PCS stands for Personal Communications Service. It is more of a US generic term for a mass-market mobile phone service; in other words, it is American mobile telephone service in the 1900 MHz frequency band.
What is the difference between PCS and CDMA?
In a way, PCS is a service which uses CDMA 1900 technology.
Is the PCS standard only related to CDMA?
In most implementations CDMA 1900 = PCS. However, PCS also supports digital cellular technologies such as GSM 1900 and North American TDMA (also called IS-136) air interfaces.
Does PCS mean digital cellular?
Strictly speaking, "PCS" is often used in place of "digital cellular", but actually PCS means that other services like caller ID, paging and email are ALL bundled into the service.
Rule of thumb:
1. PCS is digital
2. PCS works at 1900 MHz
Does a frequency of 800 MHz mean an analog phone?
No, 800 MHz is used for analog, i.e. AMPS, as well as for CDMA.
Are analog phones obsolete after CDMA/PCS?
No, they are not, for the following reasons:
1. The higher frequencies of PCS do not allow signals to travel as far as cellular signals at 800 MHz. Cells are smaller and more relay stations are required.
2. In mountain areas analog phones have better service.
However, the quality of sound in PCS and digital cellular networks is better.
Rule of thumb:
Sold as Single Copy Unauthorized Circulation Strictly Prohibited
Copyright 2004 Pacific Information Security Consulting www.PacificIS.com

198

CISA Study Guide in EasyFAQs

1. If you live in Metropolitan areas CDMA/PCS is better choice 2. If you frequently travel to mountain areas, PCS might give you better service. Note: Check with your local service provider for more details before making final decision. Why to choose PCS? 1. Greater data throughput, 2. Greater reliability 3. Better clarity of voice


Mobile Phone Communication Basics GPRS (2.5G)


What is GPRS?
GPRS, which stands for General Packet Radio Service, creates wireless connections to data networks over an IP (Internet Protocol) based network. The user must have GPRS-capable equipment, e.g. a mobile phone, and the service provider must support the service. GPRS users are always connected. It is considered 2.5G (2.5 Generation), a stepping stone to 3G.

How does GPRS work?
1. GPRS uses the existing GSM network.
2. It overlays additional information on the GSM network.

What are the prerequisites for GPRS?
On the service provider side: The service provider needs to add additional resources to the infrastructure nodes and perform a software upgrade to an enhanced network that supports packet switching as well as circuit switching.
On the user side:
1. A GPRS-enabled device is required.
2. The service must be registered and configured with the service provider.

What is the theoretical maximum speed of the GPRS network?
The maximum speed is up to 171.2 kbps using all 8 time slots.

How fast is the GPRS network compared to other technologies?
1. It is three times faster than the traditional data transmission speed available in fixed telecom networks.
2. It is ten times faster than the circuit-switched data service on a GSM network.
3. GSM circuit-switched data is limited to 9.6 kbps, and an SMS message is limited to 160 characters. GPRS provides fully enabled Internet applications, from web browsing to chat.
How does GPRS compare to the SMS service?
GPRS is relatively less expensive than SMS.

What services are supported by GPRS?
1. File transfer
2. Remote home management
3. Later, it can be used to provide full Internet access on a mobile. Some service providers will even become Wireless Internet Service Providers.

SMS and MMS
1. SMS is part of the GSM Phase 1 network. It can send up to 160 Latin characters or up to 70 Chinese or Arabic characters.
   a. Does not allow the sending of color pictures
2. MMS: Multimedia Messaging Service. MMS messages can be sent to devices or to e-mail addresses.
   a. MMS messages wait in a queue even if the mobile is switched off.
   b. An MMS message has multiple pages, similar to a PowerPoint slide show.


Mobile Phone Communication Basics EDGE (2.5G)


What is EDGE?
1. EDGE stands for Enhanced Data for GSM Evolution.
2. It is built on the existing GSM standard: a faster version of GSM.
3. It promises faster data speeds than GPRS, i.e. 384 kbps.

What are the advantages of EDGE?
1. It enables the delivery of multimedia and broadband applications to mobile users, i.e. phone and computer users.
2. It is regarded as an evolutionary standard on the way to the Universal Mobile Telecommunications Service (UMTS).


Mobile Phones Communication Basics 3G


What does 3G refer to?
1. 3G: Third Generation wireless technology.
2. It deals with voice, video and data.

What bandwidth is allocated for 3G?
The World Administrative Conference assigned 230 megahertz of spectrum at 2 GHz for multimedia 3G networks.

What data rates are supported by 3G?
1. For a user moving at 120 km/h, the speed may be 144 kbps.
2. For pedestrian users, the speed can reach 384 kbps.
3. 2 Mbps is possible in fixed locations.

What types of backbone network are supported?
1. ATM/IP
2. IP only
3. IP over SONET/SDH (fiber)

What types of applications are supported?
1. Audio
2. Video
3. MP3 files
4. VoIP (Voice over IP)


Beyond 3G
What would be the characteristics of 4G?
Proposed features include:
1. 20 to 100 Mbps speed
2. Location sensing
3. Self-tailoring to user needs
4. High-resolution movies and television

When would development on 4G start?
Initial deployments are anticipated in 2006-2010.

When is 4G expected to come to the market?
4G is supposed to appear around 2011.


HSCSD
What is HSCSD?
1. HSCSD refers to the High Speed Circuit Switched Service.
2. It is offered over the existing GSM network.
3. It helps to access non-voice services at a speed three times faster than existing networks.

What data rate is supported on HSCSD?
The data rate can vary from 28.8 kbps to 43.2 kbps.

How popular is HSCSD?
It is used by 90 million subscribers in 25 countries around the world. An international roaming agreement between all HSCSD operators will make life easier for roaming users.

How is the HSCSD service used?
1. The device must support HSCSD.
2. A PC Card is built into the GSM phone.


Bluetooth
What is Bluetooth?
1. Bluetooth is a short-range radio technology for wireless communication.
2. It connects devices using radio waves, so no line of sight is required.
3. Version 1.2 is a newer, better version.

What is new in Bluetooth version 1.2?
1. Compatible with version 1.1
2. Allows multiple devices to connect to a single device
3. Provides improved frequency sharing with 802.11 technologies
4. Better security through an anonymity mode

What speeds does Bluetooth support?
1. Currently 720 kbps, which is 10 to 12 times faster than a modem connection but over 100 times slower than a typical LAN connection.
2. The MDR (Medium Data Rate) standard may double or even triple Bluetooth's data speed.

What are the uses of Bluetooth?
1. Mobile handset to PDA
2. PC to printer
3. Exchanging images between handset and computer
4. Numbers on the handset can be backed up onto the hard disk of a computer
5. Diaries can be exchanged between two compatible Bluetooth handsets
6. A mobile phone can be used as a wireless modem for a PDA. The connection can be GPRS or standard (9.6 kbps). Handset and PDA must have the correct settings for GPRS/HSCSD.

What is the limitation of Bluetooth?
Devices have to be within a radius of 10 meters of the modem (the device that connects to the phone network).


RFID
What is RFID?
1. RFID: Radio Frequency Identification (RFID) tags.
2. A wireless version of UPC bar code stickers.
3. Tags transmit data to an RFID receiver.
4. The tag and the RFID receiver (reader) communicate over an RF channel.

What are the advantages of RFID over bar codes?
1. The ability to hold more data
2. The ability to change the stored data as processing occurs
3. No requirement for line of sight to transfer data

How does RFID work?
1. RFID tags are scanned at close range by an electronic reader.
2. They do not need batteries.
3. RFID units make inventory easier.
4. The Italian appliance maker Merloni has built a prototype refrigerator that scans any RFID tags on the packages inside it.


Satellite Communications
Satellite Basics
What is the role of the satellite in communication?
More than 2000 satellites are orbiting the earth, and more than 500 are involved in communication. Since 1962, with the launch of Telstar, more than 4000 satellites have been launched. (Around 15,000 objects are orbiting the earth, including old satellites, bits of old rockets and meteorites.) The typical cost of a satellite is more than $100 million.

How are satellites controlled?
Satellites are controlled by radio waves from a ground station; this is called an up-link. When a satellite contacts an earth station, it is referred to as a downlink.

What are transponders?
When a satellite acts as a repeater, it is known as a transponder. It receives signals from the uplink, makes the signal stronger and sends it to another ground station as a downlink.

What is a COMSAT?
500 of the satellites orbiting the earth are involved in communication and are known as COMSATs. Modern COMSATs can handle more than 30,000 calls at a time. Famous COMSATs include Eutelsat, AsiaSat, INSAT and Hot Bird.

What is DBS?
Direct Broadcast by Satellite. This is a TV program that you receive on your dish as a downlink connection.


How are the five (5) basic satellite types classified with respect to their orbits?
1. LEO
   a. Low Earth Orbit
   b. Orbit varies from 400 to 1,000 km
   c. Orbit is almost circular
   d. Used for scientific and weather data and manned spacecraft
2. HEO
   a. High Earth Orbit
   b. Varies from 10,000 to 20,000 km
   c. Orbit is almost circular
   d. Used for navigational purposes
3. GEO
   a. Geostationary Orbit
   b. 35,787 km above the Equator
   c. Speed is 11,700 km/hour
   d. Takes 24 hours to go round the earth
   e. Most of the COMSATs are GEOs
   f. Seems to be in the same place all the time, i.e. seems to hang or hover
   g. Most of the TV channels go through GEO
4. PEO
   a. Polar Earth Orbit (also known as PO, Polar Orbit)
   b. Over the North and South Poles
   c. Orbit is low
   d. Used for navigation and surveillance
5. EEO
   a. Elliptical Earth Orbit (a.k.a. EO)
   b. Altitude ranges between 200 and 40,000 km
   c. Goes the farthest from and comes the closest to the earth
   d. Used for military and surveillance purposes

What happens at the outer edge of the footprint?
On the outer edge of the footprint the signals are weak. A bigger dish is required.


GPS
What is GPS?
GPS stands for Global Positioning System. It provides map references on earth regarding position, with an accuracy of +/- 50 meters. GPS devices depend upon NAVSTARs.

What are NAVSTARs?
1. NAVSTAR stands for NAVigation Satellites for Time And Ranging.
2. There are six groups, with four satellites in each group, i.e. 6 x 4 = 24 satellites.
3. The four members of each group follow each other in one orbit.
4. The six groups are at an angle to each other, covering the whole world.
5. The orbit is 20,180 km high, therefore classifying it as an HEO.

How does the GPS system work?
1. At any time there are 6 to 11 satellites overhead.
2. The GPS receiver detects the signals.
3. The receiver decrypts each signal to ascertain:
   a. the satellite code name
   b. the exact time (to the millionth of a second)
4. The signal from the furthest satellite arrives last.
5. The device computes this information and tells the user exactly where he/she is on the map.
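The position computation in the answer above, worked through in code as an added example that is not part of the study guide: each time-stamped signal's arrival time becomes a pseudorange, and the receiver solves for its three position coordinates plus its own clock error, which is why at least four satellites are needed. The satellite positions, the receiver's true position and its clock error are constructed values.

```python
"""GPS-style position fix from satellite time-of-arrival (constructed data).

Added example: every satellite position, the receiver's true position and
its clock error below are constructed for illustration.
"""
import math

C_KM_PER_S = 299_792.458  # speed of light, km/s (1 microsecond ~ 0.3 km)

# Constructed satellite positions, km, in an Earth-centred frame; roughly
# 20,000 km above the surface, as for an HEO navigation constellation.
SATELLITES = [
    (15600.0, 7540.0, 20140.0),
    (18760.0, 2750.0, 18610.0),
    (17610.0, 14630.0, 13480.0),
    (19170.0, 610.0, 18390.0),
    (10000.0, -15000.0, 14000.0),
]


def distance(a, b):
    """Euclidean distance between two 3-D points."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def simulate_arrivals(sats, receiver, t_tx_s, clock_bias_s):
    """What the receiver observes: each signal stamped with the common transmit
    time t_tx_s, arriving later the farther the satellite is, and timed by a
    receiver clock that is off by clock_bias_s (constructed)."""
    return [t_tx_s + distance(s, receiver) / C_KM_PER_S + clock_bias_s for s in sats]


def pseudoranges(t_tx_s, arrivals_s):
    """Measured range = c * (arrival - transmit). Each value is the true range
    plus c * clock bias, which is why it is called a pseudorange."""
    return [C_KM_PER_S * (t_rx - t_tx_s) for t_rx in arrivals_s]


def solve_linear(a, b):
    """Solve a*x = b for a small square system (Gauss-Jordan, partial pivoting)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("degenerate satellite geometry")
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for k in range(col, n + 1):
                    m[r][k] -= f * m[col][k]
    return [m[i][n] / m[i][i] for i in range(n)]


def solve_fix(sats, rho, guess=(0.0, 0.0, 6371.0), max_iter=20):
    """Gauss-Newton least squares for (x, y, z, clock bias in km).

    Four unknowns, so at least four satellites are required; any extra
    satellites over-determine the system and are used in the least-squares sense.
    """
    if len(sats) < 4 or len(sats) != len(rho):
        raise ValueError("need at least four satellites with matching pseudoranges")
    x = [guess[0], guess[1], guess[2], 0.0]
    for _ in range(max_iter):
        jac, res = [], []
        for s, r in zip(sats, rho):
            d = distance(s, x[:3])
            # d(range)/d(position) is the unit vector from satellite to receiver
            jac.append([(x[i] - s[i]) / d for i in range(3)] + [1.0])
            res.append(d + x[3] - r)
        # Normal equations: (J^T J) dx = -J^T r
        jtj = [[sum(row[i] * row[j] for row in jac) for j in range(4)] for i in range(4)]
        jtr = [sum(row[i] * r for row, r in zip(jac, res)) for i in range(4)]
        dx = solve_linear(jtj, [-v for v in jtr])
        x = [xi + di for xi, di in zip(x, dx)]
        if math.sqrt(sum(d * d for d in dx)) < 1e-9:
            break
    return {
        "position_km": tuple(x[:3]),
        "clock_bias_km": x[3],
        "clock_bias_us": x[3] / C_KM_PER_S * 1e6,
    }


def demo():
    """Constructed scenario: receiver on the surface, clock 1 microsecond off."""
    true_pos = (-41.8, -16.8, 6370.0)
    true_bias_s = 1e-6
    t_tx = 1000.0  # constructed common transmit time, s
    arrivals = simulate_arrivals(SATELLITES, true_pos, t_tx, true_bias_s)
    fix = solve_fix(SATELLITES, pseudoranges(t_tx, arrivals))
    return true_pos, fix


if __name__ == "__main__":
    truth, fix = demo()
    print("true position (km):", truth)
    print("computed position (km):", fix["position_km"])
    print("clock error (us):", round(fix["clock_bias_us"], 3))
```

With noise-free constructed data the solver recovers the position to sub-metre precision and the clock error to the microsecond, and it refuses to run with fewer than four satellites.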


How does the GPS project compare with the Iridium project?
GPS Project:
1. Main focus is on navigation.
2. It has 24 satellites in 6 orbits, 4 satellites in each orbit.
3. HEO (High Orbit) satellites; one of the reasons why 24 satellites cover the whole earth.
4. An HEO orbit is practical, as the ground instrument only has to receive the signal from the satellite.
Iridium Project:
1. Main focus is on communication.
2. Has 66 satellites.
3. LEO (Low Orbit), so more satellites are needed.
4. LEO is practical because the ground equipment, e.g. a satellite phone, not only has to receive the signal but also has to transmit to a satellite. An HEO would require an even stronger signal.
The trade-off is between needing more satellites (LEO) with smaller ground receiver/transmitters, or fewer satellites (HEO) with bigger and stronger ground receiver/transmitters.

Why are satellite phones bulkier than cell phones? A cell phone only has to transmit a signal to a nearby pole in its cell. A satellite phone has to transmit a signal to reach a low-orbiting satellite above the earth.


Major Satellite Projects


What are some of the major satellite projects?
SARSAT
1. Planes and boats carry SARSAT transmitters.
2. In case of emergency, they can send radio signals to SARSATs.
LANDSAT
1. This project started in 1972 with LANDSAT 1.
2. Today LANDSATs 4 and 5 are in orbit.
3. Has a path of 186 km.
4. Picks up an object of 33 meters width.
5. Buildings and ships are visible.
6. Detects light rays and infra-red rays.
7. Orbits the earth 15 times a day.
SPOT
1. These are European survey satellites.
2. Altitude is 830 km.
3. Orbits the earth in 26 days.

TIROS
1. Famous weather satellite project in the 1960s
2. Television and Infra-Red Observation Satellite
3. Records cloud cover and gives early warnings of storms

TOMS-Meteor-3
1. Satellite launched to monitor the hole in the ozone layer
2. Measures the effect of ultraviolet rays
NOAA Satellites
1. NOAA (National Oceanographic and Atmospheric Administration) sends satellites to monitor the North and South Poles
2. Monitors clouds, snow and icebergs
3. Orbits the earth twice every day
COBE
1. Stands for Cosmic Background Explorer.
2. Launched in 1989 to detect the leftover waves (microwave rays) of the Big Bang (the Big Bang occurred 14 billion years ago).
Hubble Telescope
1. Launched in 1990 by the space shuttle Discovery
2. 13 meters long
3. 4.3 meters wide
4. Orbit is 813 km high

Compton GRO
1. Compton GRO stands for Gamma Ray Observatory
2. Found nurseries of baby stars
3. Measures clouds of interstellar dust that are forming stars
EUE
1. EUE: Extreme Ultraviolet Explorer
2. Observes hot stars (hot stars can explode as supernovas: stars which become big and bright like giant fireballs; they may or may not explode) and quasars (bright, huge, powerful objects in space, the centers of newly forming galaxies)
ISS
1. International Space Station
2. Will be the biggest satellite
3. Covers an area as large as 14 tennis courts
4. 30 to 40 rockets will send it into space, where it will be re-assembled

Special Purpose Satellites
1. Military satellites: Not much is known about them. They are mostly believed to be in LEO, to observe and listen, or in EEO. Equipped with powerful telescopes.
2. Satellites that send signals for SETI (Search for Extra-Terrestrial Intelligence).

What is the function of IRAS?
1. Infrared Astronomy Satellites map infrared levels from space.
2. Stars that have formed but are not very bright emit infrared rays, but are not warm enough to send visible light.

How are infrared pictures seen?
1. Infra-red shows the warmth of an object
2. Plants show as red
3. Seas are almost black

What are the limitations of satellites?
They cannot see properly below the water surface.


Wireless Basics
What are the three major terms used for groups of wireless technologies?
1. Narrowband: A license is required and it operates at a low data rate. The unlicensed frequencies available are 900 MHz, 2.4 GHz or 5 GHz. Provides a low data rate over a shorter distance.
2. Broadband: Falls under the heading of PCS (Personal Communication Service). Companies like Sprint can provide solutions. Provides low data rates but a large coverage area.
3. Circuit/Packet Data: Based on cellular technology.

What are the five major wireless technologies?
1. Wi-Fi (Wireless Fidelity)
   a. Generally referred to as 802.11
   b. Preferred technology
   c. Used to network computers
2. Bluetooth
   a. Allows individuals to communicate with each other
   b. Not generally used to network computers
3. Infrared
   a. Allows computers to communicate using infrared light
   b. Requires line of sight
   c. More reliable at shorter distances
4. Cellular
   a. Normally used with mobile phones
   b. A laptop can use a cellular phone as a modem to provide dial-up access
5. Microwave
   a. A microwave dish is used
   b. Can connect the networks of two buildings
   c. A bit expensive
What are the different wireless frequencies?
Wireless frequencies range from 2 to 24 GHz. This covers microwave, radar, satellites and others. Wireless WAN ranges from 2.4 to 5 GHz. These frequencies are unlicensed.

What are the different wireless standards?
1. IEEE 802.16 is the standard for the Wireless MAN.
2. IEEE 802.11 is for Wireless WAN, or Wi-Fi.
3. IEEE 802.11 operates on 2.4 GHz at speeds of 1 to 2 Mbps.
4. IEEE 802.11a
   a. Operates on 5 GHz
   b. Speed of 54 Mbps
   c. Typical range is 25 to 75 feet (theoretically up to 255 feet)
   d. Less popular
   e. Good for a high bandwidth network in close proximity, such as in a room
   f. 802.11a is incompatible with 802.11b
5. IEEE 802.11b
   a. Operates on 2.4 GHz
   b. Speed of 11 Mbps
   c. Typical range is 100 to 150 feet (theoretically up to 300 feet)
   d. Most popular Wi-Fi standard
   e. Can penetrate walls to a reasonable extent, as the wavelength is smaller
   f. Susceptible to interference from the following:
      i. Cordless phones
      ii. Microwave ovens
      iii. Baby monitors
6. IEEE 802.11g
   a. 2.4 GHz
   b. Speed of 54 Mbps
   c. Newest Wi-Fi standard
   d. Range is the same as 802.11b
   e. Interoperable with 802.11b
   f. Interference problems are the same as 802.11b
7. IEEE 802.11i
   a. Emerging standard
   b. Needs time to mature
8. IEEE 802.15.3a (UWB, Ultra Wide Band)
   a. Provides instant connection between similar wireless devices
   b. Speed is up to 480 Mbps (i.e. an entire CD can be transferred in less than 2 seconds)
   c. Again, needs time to mature

How can 802.11a interoperate with an 802.11b device?
They are not compatible. A dual-band router is required to connect them together.

What is the difference between 802.11g and 54g?
802.11g is nicknamed 54g.

What are dual-band and triple-band APs?
A dual-band Access Point supports 802.11a and 802.11b.
A triple-band Access Point supports 802.11a, 802.11b and 802.11g.

Why are 900 MHz, 2.5 GHz and 5 GHz used most of the time?
Because they are unlicensed frequencies; anyone can use them.

What is a Network Stumbler?
1. A network stumbler measures the wireless signal strength-to-noise ratio.
2. The ratio is measured in decibels.
3. The higher the decibels, the stronger the signal.
4. It can be used to secure the system by checking the reach of a wireless network.
5. It can be downloaded from www.Netstumbler.com.


802.11 Wireless
What does 802.11 specify?
802.11 is a solution for communication between a wireless client and a base station, or between two wireless clients.

What does the 802.11 standard define?
1. PHY (Physical layer)
2. MAC (MAC layer)

What are the physical layer options?
1. DS: Direct Spread Spectrum
2. FH: Frequency Spread Spectrum
3. IR: Infra-red

What is the speed supported by 802.11?
1 Mbps to 2 Mbps

What is the frequency range?
2.4 to 2.4835 GHz for spread spectrum transmission
300 to 428,000 GHz for infrared

Why is infra-red more secure?
It requires a line of sight. Anyone who is not in the line of sight cannot receive the signal.

What does the PHY MAC address resemble?
It resembles CSMA/CD.

What is the data transfer mode for WEP?
CSMA/CD

What is the association?
It links the WAP client and server.

What does re-association refer to?
When a mobile client moves from one cell to another.

What is the relationship between 802.11 and WEP?
802.11 authenticates WEP, "Wired Equipment Privacy".


WAP
What is WAP?
1. WAP: Wireless Application Protocol
2. Developed by Nokia, Ericsson and Motorola
3. Helps to develop applications for mobile phones

What are the limitations of WAP?
1. Difficult to configure a new service
2. 20 or so parameters are configured for a typical application
3. In future it might be replaced by the SIM Application Toolkit
4. MExE (Mobile Station Application Execution Environment) may supersede WAP
5. Using WAP services is expensive

How do WAP applications work?
1. WAP is a client/server application.
2. There is a simple micro-browser in the phone system, requiring limited resources.
3. The intelligence is built into the WAP gateway.
4. Micro-browser services and applications reside temporarily on servers.
5. Once processed, the results are shown on the micro-browser.


WEP
What is WEP?
1. WEP stands for Wired Equivalent Privacy.
2. Protocol for Wireless Local Area Networks (WLANs), as per the 802.11b standard.
3. Available in 64-bit and 128-bit encryption modes.
4. It is supposed to provide the same security as LANs.
5. Presently considered weak and will probably be replaced by WPA.

How does WEP work?
WLANs, which work on radio waves, are vulnerable. WEP encrypts the radio transmission. It works on the data link and physical layers of the OSI model.

How do the key components of WEP compare with those of the legacy world?
1. Link (legacy world) corresponds to Association (WEP world).
2. Authentication (legacy) corresponds to WEP, RC4 with 40 bits of encryption.
3. Encryption (legacy) corresponds to WTLS.


WPA
What is WPA?
1. WPA stands for Wi-Fi Protected Access.
2. It is replacing WEP.
3. Developed by the Wi-Fi Alliance.
4. Provides:
   a. Better encryption
   b. User authentication
5. Supports a special home network mode called Pre-Shared Key.
6. A computer with the matching password can join the wireless network.
7. Windows XP can be upgraded for WPA.

What are the differences between WEP, WPA and WAP?
WEP: Wired Equivalent Privacy; a security protocol.
WAP: Wireless Access Protocol; a language used to write web pages with lower overhead.
WPA: Wi-Fi Protected Access; the new protocol replacing WEP.
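The mechanism behind the Pre-Shared Key mode in items 5 and 6 above, as an added example that is not from the study guide and goes one step further than its text: the passphrase is never used directly as the key. The 256-bit PSK is derived with PBKDF2-HMAC-SHA1 over the passphrase, salted with the network's SSID for 4096 iterations, and a station joins only if its derived PSK matches the access point's. The SSID and passphrases are constructed values; the 8 to 63 character passphrase rule is checked before any key is derived.

```python
"""WPA Pre-Shared Key (PSK) derivation and matching check.

Added example: the SSIDs and passphrases below are constructed values.
"""
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096  # fixed by the WPA/802.11i PSK definition
PSK_LENGTH_BYTES = 32     # the PSK is 256 bits
MIN_PASSPHRASE_LEN = 8
MAX_PASSPHRASE_LEN = 63   # 64 hex characters would be a raw key, not a passphrase


def validate_passphrase(passphrase: str) -> None:
    """Reject passphrases the standard does not allow: 8-63 printable ASCII chars."""
    if not MIN_PASSPHRASE_LEN <= len(passphrase) <= MAX_PASSPHRASE_LEN:
        raise ValueError(
            f"passphrase must be {MIN_PASSPHRASE_LEN}-{MAX_PASSPHRASE_LEN} characters"
        )
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must contain only printable ASCII")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits).

    Because the SSID is the salt, the same passphrase yields a different PSK
    on every differently named network.
    """
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PSK_LENGTH_BYTES,
    )


def station_may_join(ap_psk: bytes, station_passphrase: str, ssid: str) -> bool:
    """Item 6 above: the station joins only if its passphrase derives the AP's PSK.

    A constant-time comparison avoids leaking how many leading bytes matched,
    and a passphrase that breaks the length rule simply fails to join.
    """
    try:
        station_psk = derive_psk(station_passphrase, ssid)
    except ValueError:
        return False
    return hmac.compare_digest(ap_psk, station_psk)


def demo():
    """Constructed network: AP configured with a passphrase, three stations try to join."""
    ssid = "ExampleOfficeWLAN"                              # constructed SSID
    ap_psk = derive_psk("c0rrect-h0rse-battery", ssid)      # constructed passphrase
    attempts = {
        "c0rrect-h0rse-battery": station_may_join(ap_psk, "c0rrect-h0rse-battery", ssid),
        "wrong-passphrase-1234": station_may_join(ap_psk, "wrong-passphrase-1234", ssid),
        "short": station_may_join(ap_psk, "short", ssid),
    }
    return ap_psk.hex(), attempts


if __name__ == "__main__":
    psk_hex, results = demo()
    print("AP PSK:", psk_hex)
    for passphrase, joined in results.items():
        print(f"{passphrase!r:>26}: {'joined' if joined else 'rejected'}")
```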


Other Wireless Technologies


What is 802.1x?
802.1X is a protocol that defines the Extensible Authentication Protocol (EAP) over LANs (EAPOL). It encapsulates EAP, which was originally defined for dial-up authentication with the Point-to-Point Protocol (PPP).

What is the difference between WEP and 802.1x?
WEP:
1. Old standard
2. Wireless only
3. A separate, stand-alone protocol
802.1x:
1. New standard
2. Wireless and wired networks
3. A modification of PPP's EAP for wireless and wired networks

What is EAP's role in 802.1x? How does EAP link to PPP?
EAP (Extensible Authentication Protocol) was originally part of PPP. 802.1x is simply a standard for wired and wireless LANs to pass EAP for authentication.

What is the difference between legacy EAP and 802.1x EAP?
Legacy EAP uses PPP, while 802.1x EAP uses Ethernet frames.

What are the three components of EAP authentication?
1. Supplicant: The user or client that needs to be authenticated.
2. Authentication server: This may be any server, e.g. a RADIUS server.
3. Authenticator: The device in between the above two, e.g. a wireless access point.
The main logic of the authentication is either in the supplicant or in the authentication server. The authenticator acts as a dumb relay.

What is the recommended method of providing authentication?
802.1x/EAP

What is EAPOL?
It stands for 802.1x with EAP encapsulation Over LANs.

What is LEAP?
1. LEAP: Lightweight EAP. A standard developed by Cisco.
2. Centralizes both authentication and key distribution for encryption.
3. Provides scalability for large networks.


Wireless Security
What are the two devices that have problems with wireless security implementation?
1. PDAs
2. Cellular phones

What exactly is the problem?
Information is broadcast just like a radio transmission.

What are the issues related to wireless security?
1. Multi-platform
2. Many OSs
3. Physical security
4. Limited memory
5. Limited CPU capability
6. Lack of security standards

What is WAP?
WAP stands for Wireless Application Protocol.

What are the limitations of WAP?
1. Runs on mobile devices
2. Small display
3. Limited bandwidth

What are the applications of WAP?
1. Limited bandwidth devices
2. TV display
3. Cellular phones

Where does WAP map to the OSI layers?
Layer 3 to Layer 7.

How would you compare the components of WAP with the conventional world?
Wireless world component, followed by its conventional world equivalent:
1. Wireless Mark-up Language (WML): XML
2. WAE Wireless Environment: Layer 7
3. Wireless Session Protocol: Session layer
4. Wireless Transport Protocol: Layer 4
5. Wireless Transport Layer Security Protocol (WTLS): SSL
6. Wireless Datagram Protocol: Layer 2

What is the security protocol for WAP?
WTLS (Wireless Transport Layer Security)

What are the three classes of WTLS?
Class 1
1. Anonymous authentication
   a. Client logs on to server
   b. No-one knows who is who
Class 2
1. Server authentication
   a. Server is authenticated
   b. Client is not
Class 3
1. Server is authenticated
2. Client is authenticated

How is the authentication performed?
Authentication is performed in a number of ways. One method is to use a smart card with a PKI implementation.

What is the WAP gateway?
This is the place where WTLS is changed to SSL or TLS, and where the data is temporarily in clear text.

What are the solutions for fixing the WAP gateway?
1. The WAP gateway should be physically and logically secure.
2. All of the data should be encrypted at the application layer.

What is the problem at the WAP gateway?
1. Clear text
2. Inclusion of applets and scripts

What are the alternatives to WML?
1. HDML (Hand Held Mobile Language)
2. C-HTML (Compact HTML)

What is the problem with C-HTML?
There is minimal security.

What is the issue with "Mobile PKI"?
There is a lag time between the expiry of the public key and the reissuing of the key.

What is "Dead Time"?
There is a one-time key for each transmission.


Voice Protection
What is a PBX and what does it stand for?
PBX stands for Private Branch Exchange. It is a phone switch on the company premises. Newer PBXs have interfaces to different devices, such as analog voice, digital voice and data interfaces.

How old are PBXs?
They have been in use since the 1920s.

How is a PBX secured?
Most PBXs have a default system password, which is rarely changed. Phreakers (phone hackers) can access the PBX with the default password. Once a phreaker has entered the system, he or she can reconfigure or reroute calls.

How can a fax transmission be secured?
Preventive measure: a fax can be secured by fax encryption.
Detective measure: an audit log of all communications can be maintained.

What are the ISO-defined five (5) major tasks related to network management?
1. Fault management
2. Configuration management
3. Accounting resources
4. Performance management
5. Security management

How are WAN communications monitored?
1. Response time reports
2. Down-time reports
3. Online monitors
4. Protocol analysis
5. Help desk reports
6. SNMP (Simple Network Management Protocol) traffic
Recap: Major Points to remember regarding WANs
1. Frame relay handles multiple virtual circuits.
2. Frame relay encapsulation method: HDLC for synchronous serial links.
3. ATM makes time slots available on demand.
4. The most commonly used serial encapsulation is PPP.
5. PPP uses two protocols, LCP and NCP.
6. NSP is the local service provider to which the WAN is connected.
7. The 3 categories of VPN are:
   a. Remote Access VPN
   b. Intranet VPN
   c. Extranet VPN
8. WML is XML for wireless.
9. WMLScript is JavaScript for wireless.
10. Storage capacity for mobile devices is 2 MB to 64 MB.
11. The major limitation of WEP is that all clients have to use the same encryption key.
12. 64-bit keys can be broken for mobile units, while 128-bit keys can have a 20% effect on performance.
13. VLANs can be created for wireless LANs for extra security.
14. The translation point is the point where SSL changes to WTLS.
15. In metropolitan area networks, IEEE 802.6 is used, which might be the network for cable television.
16. When a PBX is used, the following NEED to be controlled:
   a. DID (Direct Inward Dial)
   b. Long distance calls
   c. 800 and 900 numbers should be blocked
   d. Phone calls should be logged


Client/Server Environment
What is the client/server environment?
Client/server is a distributed environment where the workload is distributed among separate, intelligent workstations, called clients.

What are two- and three-tier architectures?
A two-tier architecture is as follows:
1. Client
2. Database server
A three-tier architecture has the following components:
1. A thin client, usually a browser
2. An application server with the application logic
3. A database server

What are the major differences between two-tier and three-tier architectures?
Two-tier architecture: fat client; business logic is at the client side; less scalable.
Three-tier architecture: thin client; business logic is in the application server; more scalable.


Middleware
What is the role of middleware in the client/server environment?
Middleware is normally associated with client/server. It is a bridge between two distinct applications.

What are the functions of middleware?
1. Identification/Authentication
2. Authorization
3. Directory services
4. Security services

Where can middleware be used?
1. TP (Transaction Processing)
2. RPC (Remote Procedure Calls)
3. ORB (Object Request Broker)
4. Messaging server

What are the risks of middleware?
1. Difficulty in maintenance
2. Change control management


Information Systems Operations


What are lights-out operations?
These are unattended, automated operations.

What are the major types of lights-out operations?
1. Console operation
2. Report generation
3. Job scheduling
4. System run and rerun facilities

Data Verifications
What are the major data entry controls?
1. Key verification: one-to-one verification
2. Segregation of duties
3. Log and record of time

What are the two major IS management responsibilities regarding IS department operations?
1. Resource allocation
2. Standards and procedures

What are the typical control functions for managing operations?
1. Review of the detailed schedule
2. Efficient use of resources
3. Monitoring compliance
4. Reviewing the console log
5. Operator log review
6. System performance review
7. Audit of job accounting
8. Abnormal job termination report
9. Operational work schedule review

What does job accounting refer to?
Applications that do the following:
1. Monitor IS resource usage
2. Record and log the activities

What are the major steps in problem management?
1. Detect
2. Document
3. Control
4. Resolve
5. Report
6. Review

What are the five (5) major types of error log?
1. System error log
2. Program error log
3. Operator error log
4. Telecom error log
5. Hardware error log

What are the ten (10) common items contained in the error log report?
1. Error date
2. Error resolution date
3. Error code
4. Error description
5. Source of error
6. Reporting time
7. Escalation time
8. Who initiated it
9. Status code
10. How it can be resolved in the future

What is the segregation of duties regarding the error log?
The person who records the error and the person who closes the issue should be different.

What is PCC?
PCC stands for Program Change Control, which is part of change management. It defines all of the steps required to move from the testing environment to the production environment, with the related responsibilities.


Domain 4: Protection of Information Assets


Basics
What is the most important factor in Information Security Protection?
Effective information security management.

What is a must for the basic protection of information assets?
1. Confidentiality
2. Integrity
3. Availability
4. Compliance with local and international law

What are the key elements of security management?
1. Management's commitment
2. Policies and procedures
3. Organizational roles and responsibilities

What are the various classifications of responsibility, from top to bottom?
1. Executive Management: Overall responsibility.
2. Security Committee: Representatives from different departments look at the security guidelines and implement them at a higher level.
3. Data Owner: Also referred to as "Business Owners" in most cases. They determine what level of data classification is required to maintain confidentiality, integrity, availability and compliance with the law. Key responsibilities include authorizing access and ensuring that access rules are correct and updated regularly.
4. Process Owner/System Custodian/Data Custodian: Also referred to as "Process or System Custodian". They make sure that the policy is being implemented. When it is related to data, the person is a "Data Custodian". Typically they are IS personnel.
5. Security Administrator: Responsible for physical and logical control of equipment, programs and data. Works as per the guidelines in the Information Security Policy.
6. Users/Data Users/End Users: These are the people for whom most of the policies and procedures are written. The level of access to the data is granted by the "Data Owner" and implemented and monitored by the "Security Administrator". They are also expected to be watchful and vigilant regarding unauthorized persons in their work areas.
Other Roles: The above shows the hierarchy of the roles. However, there are other roles as well:
7. IT Developers: They design and implement the system as per the guidelines of the Process Owner.
8. Security Specialist and Advisor: Expert in the field. Assists with design, implementation, management and review.
9. IS Auditor: Provides independent assurance that data is being properly protected.


Data Classification
How is data classified?
Data is classified into classes or levels, based on its sensitivity and importance.

Why is data classification performed?
1. Reduces the risk
2. Due diligence
3. Reduces the cost of protection
4. Minimizes the cost of overprotection

What type of information should be classified?
The following types of information should be classified:
1. Received information
2. Produced information
3. Processed information
4. Recovered information

What are the common information classifications in business?
1. Public
2. Internal use/sensitive
3. Private
4. Confidential

What are the common military classifications?
1. Unclassified
2. Sensitive but Unclassified (SBU)
3. Confidential
4. Secret
5. Top Secret

Note: Many companies have their own classification systems. One can mix and match between business and military classifications, as per the need.

What is the difference between military and commercial applications?
For military applications, confidentiality is the most important of the CIA triad (Confidentiality, Integrity and Availability).
For business applications, availability and integrity are the primary concerns. Though confidentiality has its importance, it cannot be compared with the level of confidentiality required by the military.

What is the rule of thumb for the security acronym?
For the military it is CIA.
For business it is AIC.

What are the five (5) bases of information classification?
1. Information value: valuable to the business, the business domain or the competition
2. Useful life/age: how long the information should be protected
3. Relevancy: due to changes in circumstances or the availability of new information, the information in question may no longer be relevant
4. Relationship: if the information relates to a relationship or personal association, e.g. a medical record, it should be protected
5. Time-association: as time passes, old information is no longer useful

Who has the power to enforce information disclosure?
1. International treaty
2. Government contracts
3. Court order
4. Agreement with a third party

What are the basic controls for data classification?
1. Who has the access rights
2. Who determines the access rights/levels
3. What kind of approval is required for access


System Access
What are the two types of system access?
1. Logical: the technical aspect, mostly related to the operating system, database and network.
2. Physical: related to placing critical machines in a safe place, with the entry and exit of authorized personnel controlled.

What is the checklist for the controls?
1. Access control should be documented
2. Need-to-know basis
3. Least privilege
4. Segregation of duties

What is the "Access Path"?
This is the logical path/route which a user takes to access information resources. Typically it starts at a PC and ends with the data that needs to be accessed.

What are the four (4) IT layers of security to be taken care of for system access control?
1. Networks
2. Platforms (OS)
3. Databases
4. Applications

How should authorization be delivered?
Authorization should always be written, or part of an approved automated workflow program.

Who should implement the access capability?
The system administrator.

Who should review the access controls?
The information owner.

Security Awareness
What are the three main channels for security awareness?
1. General awareness
2. Education
3. Training

What does the term "securityware" refer to?
People are considered to be securityware.

What are the objectives of security awareness?
To communicate the following:
1. Security requirements
2. Legal responsibility
3. Business controls

What are some of the key components of security programs?
1. Presentations
2. Publications
3. Incentives
4. Reminders

Who should the security training be aimed at?
General security training:
1. Operations
2. IT support staff
3. Senior managers
In-depth security training:
1. Systems personnel
2. Security professionals
3. Auditors

What is the purpose of an awareness program?
To educate users about the security policy.

What is the weakness of an awareness program?
An awareness program by itself cannot enforce security policies.

Incident Handling and Response


What is the difference between a security problem and a security incident?
Security problem: a security issue that occurs repeatedly.
Security incident: unique and one-of-a-kind. Once handled, the issue is closed.

What is a computer security incident?
An adverse event that affects some aspect of the organization's security.

What are the phases of a security incident?
1. Planning and preparation
2. Detection
3. Initiation
4. Response
5. Recovery
6. Closure
7. Normalization of operations

What are the roles and responsibilities regarding incident response?
1. Director: responsible for overall incident-handling operations
2. Coordinator: acts as liaison between IT and the business owner
3. Manager: handles all of the incidents
4. Security Specialist: handles the technical side of the incident
5. Others: non-security technical staff for assistance; business unit liaison officer

Information Security Management Standard


What is a Privacy Impact Analysis (PIA)?
Information on individuals needs to be protected within the company. If personal information is disclosed it may lead to legal problems. A PIA is performed by people who are experts in law, operations and risk. A PIA ensures that privacy is maintained throughout the business cycle.

What are the five (5) key elements of a PIA?
1. Identify the personal information in the business process
2. Document the handling procedure:
   a. Collection
   b. Use
   c. Disclosure
   d. Destruction
3. Review operations
4. Employee awareness
5. Generate reports for compliance

In what situations should a PIA be given special consideration?
1. Major change or upgrade in the program
2. Change in the platform or technology
3. Enhanced services
4. Data warehousing
5. Process re-engineering
6. Initiation of a new delivery channel
7. New system linkages

What are the critical factors in implementing an information security management program?
1. Support and commitment of top-level management
2. Development and implementation of policies and procedures
Computer Crime
What is so unique about computer crime?
Computer crime can be committed without anything being stolen physically.

What are the issues resulting from computer crime?
1. Financial loss
2. Legal repercussions
3. Sabotage
4. Loss of competitive advantage
5. Blackmail
6. Espionage
7. Disclosure of sensitive information

Who commonly commits computer crimes?
1. Hackers
2. Employees
3. IS personnel
4. End users
5. Former employees
6. Educated outsiders

Logical Access Exposure and Controls


What is the primary means of managing and protecting information resources?
Logical access control.

What should the IS auditor do first when auditing logical access control?
He/she should understand how logical access is mapped to the policies and procedures, and what the relationship between them is.

How will the mapping of logical access control to policies and procedures help the IS auditor?
He/she will be in a better position to do the following regarding logical access:
1. Analyze
2. Evaluate
3. Assess the effectiveness

What is the difference between rounding-down and the Salami technique?
Rounding Down: the culprit rounds a valid transaction amount down and transfers the small difference into his/her own account. Example: $1000.39 is rounded down to $1000.35; the culprit gets $0.04.
Salami: the same idea, but the amount is truncated rather than rounded. Example: $1000.39 is truncated to $1000.30; the culprit gets $0.09 (the truncated digit).
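Below is an added worked example, written by the editor for this guide and not part of the original text or any ISACA material. It simulates both schemes on a constructed list of transaction amounts and shows the audit check that catches them: the control total of the source amounts no longer equals the posted total. The transaction values, the 5-cent rounding unit and the function names are all assumptions made for the illustration.

```python
from decimal import Decimal, ROUND_DOWN

# Constructed sample transaction amounts (assumption: not real data).
TRANSACTIONS = [Decimal("1000.39"), Decimal("250.07"),
                Decimal("19.99"), Decimal("75.42")]


def round_down_to_nickel(amount):
    """Rounding-down: post the amount rounded down to the nearest $0.05 and
    skim the difference (the guide's example: $1000.39 -> $1000.35, $0.04 skimmed).
    Returns (posted_amount, skimmed_amount)."""
    units = (amount / Decimal("0.05")).to_integral_value(rounding=ROUND_DOWN)
    posted = units * Decimal("0.05")
    return posted, amount - posted


def salami_truncate(amount):
    """Salami: truncate the last cent digit and skim it
    (the guide's example: $1000.39 -> $1000.30, $0.09 skimmed)."""
    posted = amount.quantize(Decimal("0.1"), rounding=ROUND_DOWN)
    return posted, amount - posted


def run_skim(transactions, method):
    """Apply one skimming method to every transaction.
    Returns (total_posted, total_skimmed)."""
    posted_total = Decimal("0")
    skimmed_total = Decimal("0")
    for amount in transactions:
        posted, skimmed = method(amount)
        posted_total += posted
        skimmed_total += skimmed
    return posted_total, skimmed_total


def reconcile(transactions, method):
    """Audit check: the control total of the source documents must equal the
    total actually posted. Returns the unexplained difference, which is zero
    when nothing was skimmed and equals the skimmed total otherwise."""
    source_total = sum(transactions, Decimal("0"))
    posted_total, _ = run_skim(transactions, method)
    return source_total - posted_total


if __name__ == "__main__":
    for name, method in (("rounding down", round_down_to_nickel),
                         ("salami", salami_truncate)):
        posted, skimmed = run_skim(TRANSACTIONS, method)
        print(f"{name}: posted {posted}, skimmed {skimmed}, "
              f"reconciliation difference {reconcile(TRANSACTIONS, method)}")
```

The point for the auditor is the last function: the skim is invisible transaction by transaction, but a control total over the batch exposes it, which is why batch totals and reconciliation of source documents to posted amounts are standard input and processing controls.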

Other Logical Exposures


How is integrity compromised and how can it be protected?
Some of the common ways in which integrity is compromised are:
1. Back doors to a corporate network
2. Viruses
3. Worms
4. Logic bombs
5. Trap doors
6. Negligence during updating or data entry
7. Malicious programs
8. Asynchronous attacks
9. Data leakage
10. Wire tapping
Prevention: Breaches of integrity can be prevented by proper access control, implementation of policies and procedures, quality assurance of the production system, encryption and intrusion detection.

What is the difference between a virus and a Trojan horse?
Virus: self-replicates; infects other programs and files; depends on a host program; hidden.
Trojan horse: does not replicate; does not infect other files; an independent program; not hidden, but disguised as a useful utility, game or application, and does something harmful when executed.

How do a virus and a worm compare?
Virus: self-replicates by attaching to a host program; dependent on other programs; infects other programs; normally does not carry another payload.
Worm: also self-replicates, but as a stand-alone program that travels from one machine to another over the network without needing a host program; may infect other programs; may carry a payload.

What are the four parts of a computer generally attacked by viruses?
1. Executable program files
2. File directory system and allocation table
3. System and boot areas
4. Data files

What are asynchronous attacks?
1. These are operating system-based attacks.
2. They violate the "job isolation" principle of operating systems.
3. In a multi-tasking environment, each program has to stop at a certain point, called a "checkpoint", give a turn to another program, and then restart.
4. The intruder takes control at the checkpoint (for example by altering the saved checkpoint data) and can run the program at a higher privilege level, to access more resources.
5. In this way the intruder takes advantage of the asynchronous switching between tasks.

What are the two major ways of controlling a virus?
1. Management control: policies and procedures
2. Technical control: anti-virus software and scanners

What is the problem with integrity (CRC) checker programs?
1. They are detective tools, not preventive tools.
2. They assume that the first time they check a file it is clean, which is not necessarily the case.

What is the problem with immunization?
Immunization adds a small segment that tells the virus the file is already infected; in practice you cannot immunize all of the files.
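Added example (not from the study guide): a minimal CRC-based integrity checker over constructed in-memory "files", showing the two weaknesses just listed, that it only detects a change after the fact and that it trusts whatever state the baseline was taken in. File names, contents and the use of zlib.crc32 are assumptions for the illustration.

```python
import zlib

# Constructed in-memory "files" (assumption): path -> contents.
CLEAN_FILES = {
    "/bin/ls": b"\x7fELF ... ls program bytes",
    "/bin/sh": b"\x7fELF ... sh program bytes",
}


def baseline(files):
    """Record a CRC-32 for every file. The checker trusts this snapshot, so a
    file that is already infected when the baseline is taken is recorded as
    'clean' and later checks will not flag it."""
    return {path: zlib.crc32(content) for path, content in files.items()}


def check(files, snapshot):
    """Detective control: compare current CRCs with the baseline and report
    modified, new and missing files. It cannot stop a modification, only
    report it after the fact."""
    changed = [p for p, c in files.items()
               if p in snapshot and zlib.crc32(c) != snapshot[p]]
    added = [p for p in files if p not in snapshot]
    removed = [p for p in snapshot if p not in files]
    return {"changed": sorted(changed), "added": sorted(added),
            "removed": sorted(removed)}


if __name__ == "__main__":
    snap = baseline(CLEAN_FILES)
    files = dict(CLEAN_FILES)
    files["/bin/ls"] += b" + appended virus body"   # constructed infection
    files["/tmp/dropper"] = b"constructed new file"
    print(check(files, snap))
```

A production checker would use a keyed or cryptographic hash rather than CRC-32, since a CRC can be made to match by an attacker who controls the file contents; the baseline-trust problem is the same either way.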

What is the "Virus Wall"?
1. When the anti-virus software is part of the firewall, it is called a virus wall.
2. It prevents viruses coming in from the Internet.
3. Most of the time it is automatically updated.

What is the checklist of items to be reviewed for Information Security management?
1. Review of written policies, procedures and standards
2. Logical access security policies: all access is on a need-to-know basis
3. Formal security awareness and training
4. Classification of assets
5. Ownership of the data: roles and responsibilities

What is the first step in controlling logical security?
Know the access points of the system.

What is the general division of the access points?
1. Network
2. Platform or operating system
3. Database
4. Application program

What are the logical entry points for the system?
1. Network connectivity
   a. Network domain controller
   b. Routers and firewall
2. Remote access
   a. VPN
   b. Dial-in
3. Operator console (in a mainframe environment)
4. Online workstation or terminal (client/server environment)
5. Non-traditional: web access and kiosks

Which layers provide the greatest degree of protection?
Access control in the network, and platform/operating system controls.

What is the checklist for operating system controls?
1. Identification and authentication
2. Terminal restriction
3. Time restriction
4. Access restrictions for a particular area
5. Enable accounting information
6. Log of event generation
7. Log of user activity

What is the checklist for database and application-level access control?
1. Database profile
2. Authorization depending upon the sensitivity, for the following:
   a. Applications
   b. File
   c. Database
   d. Transaction
   e. Record
   f. Field
3. Log maintenance and monitoring

Which layer provides the granularity of protection and segregation of duties?
The application layer.

What is the first line of defense for access control?
Identification and authentication.

What are the major vulnerabilities for system access?
1. A less robust authentication method
2. Bypassing of the authentication mechanism
3. Disclosure or compromise of the stored authenticator information
4. Unencrypted transmission of sensitive authentication information

What are the three (3) types of Authentication?
Type I: Something that you know
Type II: Something that you have
Type III: Something that you are
Note: Some authors recommend a Type IV, although it is not yet fully developed.
Type IV: Something that you do, e.g. the way you write; your pen strokes are unique.

What is two-factor authentication?
This requires two factors of different types for authentication. An excellent example is an ATM card.
Factor 1: Type I, i.e. something you know: the PIN
Factor 2: Type II, i.e. something you have: the ATM card

What is the ideal password?
A one-time password is the ideal password. It is classified as a dynamic password.

What is a cognitive password?
This type of password is related to a person's identity or opinions, e.g. what is your mother's maiden name, or what colour do you like most?

How many types of passwords are there?
1. Static password: remains the same until manually changed.
2. Dynamic password: keeps changing at regular intervals.

What is a passphrase?
A passphrase is a collection of meaningful words, which the system converts into a meaningless password (e.g. by hashing). It is easy to remember but difficult to crack.

How many common types of cards are there?
1. Memory card
2. Token
3. Smart card

Smart Cards
What is the difference between a Memory Card and a Smart Card?
Memory Card: merely stores information. Might consist of just a magnetic strip.
Smart Card: not only stores information but also processes it.

What are the four types of smart card?
1. Smart card with token generation option
   i. You authenticate to the token
   ii. The token authenticates to the system
2. Smart card with synchronous dynamic password token. It has three components:
   a. Token
   b. Workstation
   c. Server
   The process is carried out in the following steps:
   i. The token generates a unique string
   ii. The string is entered into a specific workstation
   iii. The workstation generates the following:
      a. Output value
      b. PIN
      c. Time stamp
   All of the above values are sent to the server, which checks their validity. If they are accepted by the server, access is granted.
3. Smart card with asynchronous password token. This is similar to the synchronous password token, the only difference being that there is no time stamp; instead it relies on a challenge-response exchange.
4. Smart card with challenge response
   i. Based on the same three components:
      a. Server
      b. Workstation
      c. Token
   ii. The server sends a challenge string to the workstation
   iii. The string is entered into the token, which generates a response
   iv. The response is entered into the workstation
   v. The response is sent to the server

What is the difference between a smart synchronous dynamic password and one with a challenge response?
Smart synchronous dynamic password: the token itself generates the password (typically from a shared secret and the current time).
Challenge response: the token generates the password based on the challenge string sent by the server.

What is an alternative to password authentication?
Biometrics: Type III, i.e. something you are.

Biometrics key numbers:
256 KB is the size of a biometric fingerprint image
0.5 KB is the extract of the print that is saved
A throughput of 10 persons per minute is acceptable
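Added example (not part of the guide): a simplified model of the synchronous (time-stamped) token and the challenge-response token described above, with the server side of each. The shared secret, the 30-second time step, the HMAC construction with HOTP-style truncation and the single-use handling of challenges are assumptions made for the illustration; real tokens implement their vendor's own scheme.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed shared secret provisioned into both the token and the server (assumption).
SECRET = b"constructed-shared-secret-0001"
TIME_STEP = 30  # seconds per time slot for the synchronous token (assumption)


def _truncate(digest, digits):
    """Derive a short numeric one-time value from an HMAC digest (HOTP-style
    dynamic truncation: take 4 bytes at an offset given by the last nibble)."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def synchronous_code(secret, now, step=TIME_STEP):
    """Synchronous dynamic password token: the token and the server both
    derive the same value from the shared secret and the current time slot."""
    slot = int(now // step)
    return _truncate(hmac.new(secret, struct.pack(">Q", slot), hashlib.sha1).digest(), 6)


def verify_synchronous(secret, code, now, step=TIME_STEP, drift=1):
    """Server side: recompute the value for the current slot and `drift`
    slots either side, to tolerate clock skew between token and server."""
    for d in range(-drift, drift + 1):
        if hmac.compare_digest(synchronous_code(secret, now + d * step, step), code):
            return True
    return False


def challenge_response(secret, challenge):
    """Challenge-response token: the response depends on the server's
    challenge, so there is no time stamp and no clock to keep in sync."""
    return _truncate(hmac.new(secret, challenge.encode(), hashlib.sha256).digest(), 8)


class ChallengeServer:
    """Server side of the challenge-response exchange."""

    def __init__(self, secret):
        self.secret = secret
        self.pending = set()

    def issue_challenge(self):
        challenge = os.urandom(8).hex()
        self.pending.add(challenge)
        return challenge

    def verify_response(self, challenge, response):
        # A challenge is valid once only, so a captured response cannot be replayed.
        if challenge not in self.pending:
            return False
        self.pending.discard(challenge)
        expected = challenge_response(self.secret, challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    now = time.time()
    code = synchronous_code(SECRET, now)
    print("synchronous code", code, "accepted:", verify_synchronous(SECRET, code, now))
    server = ChallengeServer(SECRET)
    c = server.issue_challenge()
    r = challenge_response(SECRET, c)            # computed on the token
    print("challenge", c, "response", r, "accepted:", server.verify_response(c, r))
    print("replay accepted:", server.verify_response(c, r))
```

The drift window is the operational price of the synchronous design: too narrow and tokens whose clocks have wandered are rejected, too wide and a captured code stays usable for longer. The challenge-response design avoids the clock but needs the server to remember which challenges it issued and to retire each one after use.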

In terms of effectiveness and low EER (equal error rate), how are the six types of biometric technique ranked?
1. Palm scan (most effective)
2. Hand geometry
3. Iris scan
4. Retina scan
5. Fingerprint
6. Voice (least effective)

Biometrics options summary

Palm: Analyses ridges, valleys and minutiae.
Response time: 2 to 3 seconds
EER: 0

Hand Geometry: 3-dimensional analysis. The hand is placed with the five fingers spread against guidance pegs.
Typical characteristics recorded: 90 plus
Storage required: 10-20 bytes
Limitation: Hand injury
EER: 0.1%

Iris: The user is asked to centre his or her eye so the iris can be seen by the device and photographed.
Typical characteristics recorded: 400; 260 are used for the template
Storage required: 512 bytes
Response time: 3 to 5 seconds
Limitation: High cost and high amount of storage
EER: 0.5%

Retina: An image of the blood-vessel pattern of the retina (at the back of the eye) is taken; one of the lowest false-acceptance rates.
Typical characteristics recorded: 400
Storage required: 96 bytes
Response time: 3 to 5 seconds
Limitation: High cost and high amount of storage
EER: 1.5%

Fingerprint: The features extracted from the fingerprint image are called "minutiae" (ridge endings and bifurcations); the template contains only this subset of the image data.
Typical characteristics recorded: 400
Storage required: 250 to 1,000 bytes (the more that is used, the fewer errors are made)
Response time: 5 to 7 seconds
Limitation: Injured finger
EER: 1.5%

What are the other behaviour-oriented systems for authentication?

Signature Recognition: also known as signature dynamics.
Typical characteristics recorded: pen speed, pressure, stroke length and angle
Storage required: 256 bytes
Response time: 4 to 6 seconds
Limitation: Poor accuracy; not reliable.

Voice Recognition: a "passphrase" is spoken.
Typical characteristics recorded: pitch, dynamics, wave forms
Storage required: 1,500 to 3,500 bytes
Response time: 4 to 6 seconds
Limitation: Poor accuracy; not reliable. The phrase might be mis-spoken if the person has a cold, etc.

What are the major limitations of biometric techniques?
1. A cut on the finger might change the fingerprint. However, there are options for multiple finger scans.
2. A diabetic user might have problems with a retina scan, as the eyesight and retinal structure may be altered.
3. Some biometric techniques may violate personal privacy by revealing a medical condition that might otherwise have remained unknown.

What are the two types of errors related to biometric applications?
Type I Error: A valid user is rejected. Measured as the False Rejection Rate (FRR).
Type II Error: An invalid user is accepted. Measured as the False Acceptance Rate (FAR).
Tip: At airport metal detector security checks, false rejections are what you experience. From the point of view of strict security, a false rejection is acceptable, but a false acceptance is not. However, a high FRR leads to the "boy who cried wolf" problem: so many false alarms that real ones are ignored.

Tips to remember regarding Type I & II Error:


Type I: Saint is rejected.
Type II: Devil is welcomed.

What is the crossover rate?
The point at which FRR = FAR, also called the crossover error rate (CER) or equal error rate (EER).

What is the yardstick for checking the performance of an authentication system?
The crossover rate: the performance of a biometric technique is compared with reference to its crossover rate, and the lower the crossover rate, the more accurate the system. Tightening the acceptance threshold lowers the FAR but raises the FRR, and vice versa.
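Added example (not from the guide): computing FRR, FAR and the crossover rate from a constructed set of matcher scores, which shows how the two error rates move in opposite directions as the threshold changes and where they meet. The 0-100 score scale, the two score lists and the threshold sweep are assumptions made for the illustration.

```python
# Constructed matcher scores on a 0-100 scale, higher = better match (assumption).
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 70, 66, 60]   # enrolled users
IMPOSTOR_SCORES = [15, 22, 28, 33, 40, 47, 55, 62, 68, 73]  # other people


def frr(threshold, genuine=GENUINE_SCORES):
    """Type I error, False Rejection Rate: share of genuine attempts whose
    score falls below the acceptance threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(threshold, impostor=IMPOSTOR_SCORES):
    """Type II error, False Acceptance Rate: share of impostor attempts whose
    score reaches the acceptance threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep the threshold and return (threshold, rate) at the point where
    FRR and FAR are closest: the crossover (equal) error rate."""
    best = None
    for t in range(0, 101):
        gap = abs(frr(t, genuine) - far(t, impostor))
        if best is None or gap < best[0]:
            best = (gap, t, (frr(t, genuine) + far(t, impostor)) / 2)
    return best[1], best[2]


def trade_off_table(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """FRR and FAR for each candidate threshold: raising the threshold lowers
    FAR (tighter security) but raises FRR (more valid users turned away)."""
    return [(t, frr(t, genuine), far(t, impostor)) for t in thresholds]


if __name__ == "__main__":
    for t, r, a in trade_off_table([50, 60, 67, 75, 85]):
        print(f"threshold {t:3d}: FRR {r:.1f}  FAR {a:.1f}")
    print("crossover (EER):", crossover())
```

A system is tuned by picking a threshold on this curve, not by taking the crossover point itself: a high-security door is run to the right of the crossover (low FAR, higher FRR), a convenience application to the left.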

Points to remember regarding authentication and authorization
1. A token card is two-factor authentication.
2. The minimum level is a login ID and password.
3. The initial password should be randomly generated and safely communicated to the user.
4. A group password should never be used.
5. Before resetting a password on request, the user's identity should be verified, depending on the sensitivity of the operations, e.g. by:
   i. Mother's maiden name
   ii. Returning the phone call on the user's extension
   iii. Calling the supervisor for verification
6. Passwords should be one-way encrypted, i.e. hashed.
7. Passwords should be changed by the user at regular intervals.
8. A password should consist of 5 to 8 characters (the 2004 guidance; current practice favours longer passwords).
9. No previously used password should be re-used.
10. Privileged users should be more closely monitored.
11. A token generates a one-time password.
12. Access rules are part of authorization.
13. Access should be on a need-to-know and need-to-do basis.
14. The least dangerous access is inquiry, i.e. reading non-sensitive information.
15. The IS auditor should have access to these lists:
   i. List of the critical assets
   ii. List of the remote access points
   iii. List of the communication links to the outside world
16. Logs should be maintained on a write-once device.
17. The audit trail should be analyzed with the help of tools.
18. Contacting law enforcement officials should be done through, and with the knowledge of, executive management.
19. Three major problems regarding system access are:
   i. Bypass Label Processing (BLP)
   ii. System exits
   iii. Special system IDs
20. If controls are inadequate, look for compensating controls.
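Added example (not from the guide): a small password store that applies points 3, 6, 8 and 9 above, i.e. a randomly generated initial password, one-way salted hashing, a length rule and a reuse check against the password history. The PBKDF2 parameters, the 8-character minimum and the history depth are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import string

# Policy parameters chosen for the illustration (assumptions).
MIN_LENGTH, MAX_LENGTH = 8, 64     # the guide's 5-8 is an older minimum
HISTORY_DEPTH = 5                  # how many previous passwords may not be reused
ITERATIONS = 100_000               # PBKDF2 work factor


def hash_password(password, salt=None):
    """One-way storage: a random per-user salt and PBKDF2-HMAC-SHA256.
    The clear-text password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def generate_initial_password(length=12):
    """Point 3: the first password is random, not chosen by the administrator."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class Account:
    def __init__(self, username):
        self.username = username
        self.history = []            # hashes, oldest first; the last is current
        self.must_change = True      # the initial password is single-use
        initial = generate_initial_password()
        self.history.append(hash_password(initial))
        # In practice the initial password is handed to the user out of band
        # and not kept; it is returned here only so the example can use it.
        self.initial_password = initial

    def change_password(self, old, new):
        """Points 6, 8 and 9: hashed storage, length rule, no reuse."""
        if not verify_password(old, self.history[-1]):
            return "old password incorrect"
        if not MIN_LENGTH <= len(new) <= MAX_LENGTH:
            return "length policy violated"
        if any(verify_password(new, h) for h in self.history[-HISTORY_DEPTH:]):
            return "password reuse not allowed"
        self.history.append(hash_password(new))
        self.must_change = False
        return "ok"


if __name__ == "__main__":
    acct = Account("jdoe")
    print(acct.change_password(acct.initial_password, "Correct-Horse-42"))   # ok
    print(acct.change_password("Correct-Horse-42", "Correct-Horse-42"))     # reuse
```

Because the history holds only salted hashes, the reuse check has to re-hash the candidate against each stored salt; that is the cost of never keeping a recoverable copy of old passwords.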

MISCELLANEOUS
Who implements the system access capabilities?
The implementation of system access capabilities is done by the security administrator.

What is the role of naming conventions in access control?
A naming convention provides structure and effective management.

Who sets up the naming convention?
The owner of the data, with the help of the security officer.

Why are naming conventions important?
They are a prerequisite for security controls.

Single Sign-On
What is Single Sign-On (SSO)?
Single Sign-On provides a single login for multiple servers. An SSO has the following three criteria:
a. Single user
b. Single account name
c. Single password

What are the security concerns regarding Single Sign-On?
If the single sign-on credential is compromised, the attacker has access to all of the systems.

How can the concerns about SSO be addressed?
Preferably, biometric devices (or another second factor) are used, so that one is not dependent only on the password.

What is the concept of Primary Domain and Secondary Domain with respect to SSO?
Primary Domain: where the user first enters his or her credentials.
Secondary Domain: all other platforms or applications that rely on the authentication performed in the primary domain.

What are the disadvantages of SSO?
1. Single point of failure
2. Interface development
3. Need for SSO-compatible software

What are some examples of SSO?
Kerberos is one example.


Encryption
What is encryption?
Encryption is the process of transforming plain text into CryptoText. CryptoText is also known as Ciphertext.

Is it true that cipher text cannot be decrypted?
This is false. Theoretically all messages can be decrypted, provided there is no restriction on time and resources.

What is Clustering?
When two different keys encrypt the same message and give the same cipher text.

What is the ESP?
Encapsulated Secure Payload.

What are codes?
When cryptographic transformation works at a higher level, i.e. at the word or phrase level, it is called a code.

What are the two branches of cryptology?
1. Cryptography
   a. Encryption and decryption of the message.
2. Cryptanalysis
   a. Trying to decipher or break the encryption.


Basics of Cryptographic Mathematical Operations


What is XOR?
This is a mathematical function. Many of the cryptography algorithms use Exclusive OR or XOR. The basic XOR operations are as follows:

Basic XOR Operations
0 XOR 0 = 0
0 XOR 1 = 1
1 XOR 0 = 1
1 XOR 1 = 0

Rule of Thumb: In XOR operations, if the bits are the same (0,0 or 1,1), the result is 0. When the bits are different (i.e. 1,0 or 0,1), the result is 1.

Example: Suppose there are two inputs: Input A is the Plain Text, Input B is the Key, and Output C is the Result. The table below shows the XOR of two bits.

Input A (Data)   Input B (Key)   Result (Cipher Text)
0                0               0
0                1               1
1                0               1
1                1               0

If you are given any two columns you can find the third column on the basis of an XOR operation. Therefore, if you have the key, you can go from data (plain text) to the result (cipher text), and vice versa.

Suppose a Message "M" travels from location A to B and then to C:
1. At location A, encryption takes place using key K1.
2. At hop B, decryption takes place using the same key K1.
3. At the same location, re-encryption is performed with a new key, K2, prior to forwarding.
4. The process continues until the data reaches its destination.

What is a One-Time Pad?
The key used in a One-Time Pad is a truly random bit sequence. It is of the same length as the message itself. Normally the message is XORed with the key. It is almost impossible to break this message. The salient features of a one-time pad are as follows:
1. One key character per message character
2. Key is used only once
3. Implemented as a stream cipher
4. XOR function is used
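Added example (not part of the guide): the XOR table on the previous page and the one-time pad built on it, in Python, including the A-B-C hop re-encryption and why feature 2 (key used only once) matters. The Vernam cipher described later is the same construction; the random key comes from Python's secrets module and the messages are constructed samples.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings: the truth table above, applied bit by bit."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def xor_truth_table() -> dict:
    """The four single-bit cases: same bits give 0, different bits give 1."""
    return {(a, b): a ^ b for a in (0, 1) for b in (0, 1)}

def otp_keygen(length: int) -> bytes:
    """One-time pad key: truly random (OS CSPRNG), as long as the message, used once."""
    return secrets.token_bytes(length)

def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    return xor_bytes(plaintext, key)

def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    # XOR is its own inverse: (P XOR K) XOR K = P
    return xor_bytes(ciphertext, key)

def recover_key(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Any two columns of the XOR table give the third: P XOR C = K.
    Knowing one plaintext/ciphertext pair therefore reveals the pad used for it."""
    return xor_bytes(plaintext, ciphertext)

def relay_hops(message: bytes, hop_keys: list) -> bytes:
    """The A -> B -> C example: location A encrypts under K1; each hop decrypts with the
    incoming key and re-encrypts under the next one; the destination decrypts the last."""
    current = otp_encrypt(message, hop_keys[0])
    for k_in, k_out in zip(hop_keys, hop_keys[1:]):
        current = otp_encrypt(otp_decrypt(current, k_in), k_out)
    return otp_decrypt(current, hop_keys[-1])

def two_time_pad_leak(p1: bytes, p2: bytes, key: bytes) -> bytes:
    """Why the key is used only once: encrypting two messages under the same pad gives
    C1 XOR C2 = P1 XOR P2, so the key cancels and the plaintexts' relationship leaks."""
    return xor_bytes(otp_encrypt(p1, key), otp_encrypt(p2, key))

if __name__ == "__main__":
    message = b"audit trail"                  # constructed sample message
    key = otp_keygen(len(message))
    ciphertext = otp_encrypt(message, key)
    print(xor_truth_table())
    print(otp_decrypt(ciphertext, key) == message, recover_key(message, ciphertext) == key)
    hops = [otp_keygen(len(message)) for _ in range(3)]   # K1, K2, K3 for three links
    print(relay_hops(message, hops) == message)
```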

What is Steganography?
This is a technique where the message is hidden in such a way that it looks like something else. For example, a picture is sent that seems to be simply a picture but has a hidden message.

What is a Work Function?
A Work Function is the length of time required to break the encrypted message.


History of Cryptography
What is a brief history of Cryptography?
1. The Egyptians first used cryptography in hieroglyphics, in 3000 BC.
2. Julius Caesar made use of simple substitution.
3. In 815 AD, Caliph Al-Mamun Al-Khandi made a contribution called "Manuscript on Deciphering the Cryptographic Message," which was rediscovered in 1987.
4. In 1790, Thomas Jefferson introduced the 26 Rotation Disks.
5. Boris Hagelin invented a machine called the Hagelin U.K. M-209 in 1920.
6. Also in 1920, Herbert Yardley used a machine called the "Black Chamber" for MI-8.

What was a Purple Machine?
A Japanese machine used for encoding during WW-II.

What was Enigma?
A German machine which used poly-alphabetic substitution.

What was Bombe?
A French machine used to break the Enigma code.

What is Simba?
It is the American Rotor Machine.

What is the difference between Caesar Cipher and Substitution?
They are the same. Normally letters are moved 3 positions to the right.

What is a Scytale Cipher?
A paper tape is wrapped spirally around a cylinder and the message is written on it. Later the tape is unwrapped and sent. To decipher the tape, it is again wrapped around a cylinder of the same diameter.

What is the "Key Space"?
This refers to the range of values from which the key is constructed.


Example of Encryption and Decryption


Give a simple example of encryption and decryption.

Steps for Encryption
Step 1: Write the number corresponding to each letter of the message.
Step 2: Write the number corresponding to each letter of the key.
Step 3: Add the numbers.
Step 4: Apply MOD 26.
Step 5: You have the Ciphertext.

Steps for Decryption
Step 1: Write the Ciphertext.
Step 2: Add MOD 26.
Step 3: Write the key.
Step 4: Subtract the numbers.
Step 5: You've got the original text.

Plain Text "CISA": C = 3, I = 9, S = 19, S = 19, P = 16
The word "FUNNY" is the key: F = 6, U = 21, N = 14, N = 14, Y = 25

Components for the Encryption
Plain Text corresponding numbers            3     9    19    19    16
Key "FUNNY" corresponding numbers           6    21    14    14    25
Add                                         9    30    33    33    41
MOD 26 (Subtract)                          26    26    26    26    26
Cipher Text                               -17     4     7     7    15

Components for the Decryption
Cipher Text                               -17     4     7     7    15
MOD 26 (Add)                               26    26    26    26    26
Result                                      9    30    33    33    41
Key "FUNNY" corresponding numbers           6    21    14    14    25
Plain Text numbers corresponding to "CISA"  3     9    19    19    16

C = (P + f) MOD N, where
C = Cipher Text
P = Plain Text
f = Fixed Integer (in the example, the value of the key "FUNNY")
N = 26
What is MOD 26 and MOD 256?
MOD 26: MOD is just a mathematical function used in encryption. MOD 26 means that the manipulation is limited to the 26 alphabet characters.
MOD 256: means that it is not limited to only the alphabet or the numbers, but also includes all the special characters. In the computer field, the complete list of characters is 256.

What is the Poly-alphabetic Cipher?
In a mono-alphabetic cipher, one character corresponds to one cipher character. In this way, to produce cipher text, you need twenty-six characters. This can easily be decrypted by an attacker with the help of frequency analysis. In a poly-alphabetic cipher, one character may correspond to more than one cipher character. This makes frequency analysis more difficult.

What is transposition?
1. This is a kind of permutation
2. It has a columnar disposition
3. Written top to bottom
4. Read left to right

To Encrypt using Transposition
1. Write the letters of the words in columns, as is written in Chinese (top to bottom)
2. Send it by reading left to right

To Decrypt a Transposed Message
1. Write it left to right
2. Read it top to bottom

What is the problem with transposition?
Frequency analysis is possible.
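Added example (not the guide's own code) of the two constructions on this page and the preceding one: the letter addition C = (P + f) MOD 26 applied letter by letter with a repeating key (the Vigenère construction, a poly-alphabetic cipher), beside columnar transposition, with a letter-frequency check that shows why transposition still yields to frequency analysis. It assumes the guide's A=1..Z=26 numbering and pairs the guide's letter values 3, 9, 19, 19, 16 (the five letters CISSP) with the five-letter key FUNNY to reproduce the Add and MOD 26 rows; the other sample texts are constructed.

```python
from collections import Counter

def letter_value(ch: str) -> int:
    """A=1 ... Z=26, the numbering the worked example uses (C=3, I=9, S=19, P=16)."""
    return ord(ch.upper()) - ord("A") + 1

def value_letter(n: int) -> str:
    """Inverse of letter_value; under MOD 26 the values 0 and 26 both mean Z."""
    return chr((n - 1) % 26 + ord("A"))

def key_add_encrypt(plaintext: str, key: str) -> str:
    """C = (P + f) MOD 26, with f taken letter by letter from the repeating key.
    With a one-letter key this is the Caesar cipher; with a longer key the same
    plaintext letter can map to several cipher letters (poly-alphabetic)."""
    return "".join(value_letter((letter_value(p) + letter_value(key[i % len(key)])) % 26)
                   for i, p in enumerate(plaintext))

def key_add_decrypt(ciphertext: str, key: str) -> str:
    """P = (C - f) MOD 26; the MOD 26 keeps the result inside the alphabet."""
    return "".join(value_letter((letter_value(c) - letter_value(key[i % len(key)])) % 26)
                   for i, c in enumerate(ciphertext))

def worked_rows(plaintext: str, key: str) -> list:
    """The Add and MOD 26 rows of the worked table as (P, f, P + f, (P + f) MOD 26).
    The guide's table writes the first column's 9 - 26 as -17; reduced into 1..26 that is 9."""
    rows = []
    for i, p in enumerate(plaintext):
        pv, fv = letter_value(p), letter_value(key[i % len(key)])
        rows.append((pv, fv, pv + fv, (pv + fv) % 26))
    return rows

def transpose_encrypt(plaintext: str, columns: int) -> str:
    """Columnar transposition: write the text top to bottom in `columns` columns, then
    read it left to right, row by row.  The last column is padded with X so the grid
    is rectangular and decryption is unambiguous."""
    text = plaintext.upper().replace(" ", "")
    rows = -(-len(text) // columns)                       # ceiling division
    text = text.ljust(rows * columns, "X")
    cols = [text[c * rows:(c + 1) * rows] for c in range(columns)]
    return "".join(cols[c][r] for r in range(rows) for c in range(columns))

def transpose_decrypt(ciphertext: str, columns: int) -> str:
    """Write the ciphertext left to right in rows, then read it top to bottom."""
    rows = len(ciphertext) // columns
    grid = [ciphertext[r * columns:(r + 1) * columns] for r in range(rows)]
    return "".join(grid[r][c] for c in range(columns) for r in range(rows))

def letter_frequencies(text: str) -> Counter:
    return Counter(ch for ch in text.upper() if ch.isalpha())

def same_letter_counts(a: str, b: str) -> bool:
    """True when b has exactly a's letter histogram: transposition only moves letters,
    so frequency analysis reads the language straight off the ciphertext."""
    return letter_frequencies(a) == letter_frequencies(b)

def same_frequency_profile(a: str, b: str) -> bool:
    """True when the sorted counts match: a mono-alphabetic substitution (e.g. Caesar)
    renames letters but keeps the profile; a longer key flattens it."""
    return sorted(letter_frequencies(a).values()) == sorted(letter_frequencies(b).values())

if __name__ == "__main__":
    print(worked_rows("CISSP", "FUNNY"))        # [(3, 6, 9, 9), (9, 21, 30, 4), (19, 14, 33, 7), ...]
    print(key_add_encrypt("CISSP", "FUNNY"))    # IDGGO
    sample = "SECUREAUDITTRAIL"                 # constructed sample text
    ct = transpose_encrypt(sample, 4)
    print(ct, transpose_decrypt(ct, 4), same_letter_counts(sample, ct))
```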

What is the Vernam Cipher?
1. A type of one-time pad
2. Key is used only once
3. Length of the key = Length of the message
4. Uses XOR operations

What is the Book Cipher? Any book is selected as a reference for the cipher. Encrypting and decrypting parties have the same book. Frequency analysis is not possible.

What are codes?
Certain numbers mean something, for example:
666: Take Immediate Action
725: Save our life

What is the secret key?
The key that is used for encryption and decryption.

How do Link and End-to-End Encryption compare?

Link Encryption                                     End-to-End Encryption
Data is encrypted at every hop                      Done at sending and receiving end
All data is encrypted, including header,            Header, trailer and routing information
trailer and routing information                     are not encrypted
More processing power is required                   Less processing power is required
Encryption is at a lower layer in the OSI model     Encryption is at a higher layer in the OSI model
Transparent to user; less choice for user           User has more choice; user can choose his own key
More secure                                         Less secure

How do hardware and software encryption compare?

Hardware Encryption     Software Encryption
Fast                    Slow
More expensive          Less expensive
More secure             Less secure
Less flexible           More flexible
What is a Public Key?
1. Key generated for asymmetric cryptography
2. Known to everyone
3. Plain text
4. Has a corresponding Private Key
5. Used for the following:
   a. To encrypt outgoing messages
   b. To read incoming digitally-signed messages

What is a Private Key?
1. Key generated for asymmetric cryptography
2. Not known to anyone except the owner
3. Has a corresponding Public Key
4. Used for the following:
   a. To decrypt incoming messages
   b. To digitally sign outgoing messages

Things to remember:
1. For encryption, use the other party's Public Key.
2. For signing, use your own Private Key.
3. You have a number of Public Keys, just as you have other people's mailing addresses.

How many Private Keys does a person have?
Normally a person has only one Private Key, just as he has one corporate email address.

What is the biggest challenge with a Private Key?
Keeping the Private Key private and secure.

What is a secret key?
1. Symmetric key
2. Used to encrypt a volume of data

When is an asymmetric key used and when is a symmetric key used?
If you want to transfer a volume of data, use the symmetric key. However, if communicating the symmetric key is a problem, the asymmetric key can be used.

What are the limitations of symmetric keys?
1. No authentication
2. Does not help in non-repudiation
3. Key distribution is a problem
4. Scalability: two users need a pair of unique keys. It becomes difficult if the number of users is very large.

How do symmetric and asymmetric keys compare?

Symmetric                                        Asymmetric
Sender and receiver have the same key,           Two keys are used; one is a public key,
called the Secret Key                            and the other is a private key
Processing is fast                               Processing is slow
Key length is fixed                              Key length may be variable
Used in bulk data encryption                     Used for e-mail, key distribution
Addresses confidentiality and integrity          Addresses confidentiality, integrity and non-repudiation

What is the nature of a Session Key?
A Session Key is symmetric. A Session Key will normally use an algorithm such as DES, 3DES or AES.

What type of encryption method does UNIX use?
ROT 13: the alphabet is rotated by 13 positions.

What is a Digital Envelope?
A Digital Envelope is a message encrypted with a Secret Key; the Secret Key is encrypted with a Public Key. The following are the steps:
1. The plain message is encrypted with a Secret Key.
2. The same "Secret" Key is encrypted with the sender's Public Key.
3. The resulting message is called a Digital Envelope.
In short, a Digital Envelope = Encrypted Data + Corresponding Encrypted Key.

What is the difference between a Digital Envelope and a Cryptolope?
They are the same. In most of its documentation, IBM refers to a Cryptolope.

How do a Block Cipher and a Stream Cipher compare?

Block Cipher                                     Stream Cipher
Implemented at software level                    Implemented at hardware level
Message is divided into blocks of bits;          Message is not divided into blocks,
processing is done in blocks                     but treated as bits or bytes


DES
What is DES?
1. Developed by IBM in 1972
2. Endorsed by the U.S. Government in 1977
3. DES is a secret-key, symmetric cryptosystem
4. Based on FIPS 46-1
5. Uses DEA (Data Encryption Algorithm)
6. Sender and receiver should have the same secret key
7. There must be a secure way of exchanging the Secret Key
8. Designed to be implemented in hardware
9. Operates relatively quickly
10. Works on 64-bit blocks with 56-bit keys
11. 56-bit key (also known as the Active Key)
12. 16 rounds of cryptosystem
13. More efficient in bulk encryption
14. In case of a brute force attack, the number of options needed is 2^56
15. Certified for 5 years by the USA Government
16. Last re-certified in 1993. Stated to be the last re-certification
17. Followed by Triple DES

What are the sixteen (16) rounds of DES?
1. Transposition
2. Substitution

Who is Shannon and what is his role in encryption?
1. Father of Information Security
2. His techniques are known as confusion and diffusion

What is confusion?
It is the concealment of the statistical relationship between plain and cipher text.

What is the S-Box?
This is a substitution algorithm that provides the following:
1. Non-linear substitution
2. Input is 6 bits
3. Output is 4 bits
4. Used to implement concealment

What is Diffusion?
This means dispersing the influence of the plain text, so it is difficult to guess.

How do confusion and diffusion compare?

Confusion                                 Diffusion
Inputting different unknown values.       Values are dispersed.
Values are injected.                      Their location is changed.

What is a Key Schedule?
A Key Schedule is a process that mixes up 48 bits out of a 56-bit key so that each one of the rounds forms a unique and different key of 48 bits.

How is diffusion implemented?
Diffusion is implemented using a P-Box, which is permutation.

Remember:
S-Box is Substitution - confusion
P-Box is Permutation - diffusion

What are the 4 modes of DES?
1. ECB Electronic Code Book Mode (Native Mode)
2. CBC Cipher Block Chaining
3. CFB Cipher Feed Back
4. OFB Output Feed Back

What is ECB? (Taken from another book)
1. Native mode of DES; this is a block cipher
2. Works well with small amounts of data
3. Encrypts 64 bits of plain text under 56 bits of DES key
4. Least secure
5. Works by means of a Code Book: the code book contains a set of instructions for permutation or substitution for each plain text block.
6. Every key has its own code book
7. Used to encrypt the initial vector or Encryption Key
8. Given that the Key and Plain text are the same, the same cipher code will be produced
9. Input is in the form of a 64-bit plain text
10. Output is again in 64 bits; if less, it is padded to make it 64 bits
11. 64 bits of input are divided into two portions
12. 32-bit right block
13. 32-bit left block
14. Later, bits are re-copied to form two 48-bit blocks
15. 48 bits are XORed with the 48-bit encryption key
16. Resultant number is taken from the Code Book
17. The only mode of DES that is independent of prior text block encryption.
18. Ideal for database encryption.

What is the objective of CBC?
1. Unlike ECB, CBC never reveals a pattern
2. 64 bits of a plain text block are XORed with the previous cipher text block
3. A part of the result of one block is fed into the next block
4. Any block in encryption is dependent not only on the last block, but on all of the blocks before it. That is why it is called chaining.
5. Block cipher

What is CFB (Cipher Feed Back) mode?
1. Stream cipher
2. Dependent on the last block
3. Allows DES with block lengths less than 64 bits. Uses previously generated cipher text.
4. A part of the cipher text of each round is fed into the next round.
5. However, it takes just 8 bits out of the 64 bits:
   a) Phase I
      i) Take plain text
      ii) Perform the encryption processing
   b) Phase II
      i) Take 8 bits of cipher text
      ii) Add to 64 bits
      iii) Perform the Key processing
      iv) Discard 64 bits
      v) Insert 8 bits into the new Key
      vi) Ready to go to the next round with new text.

What is Output Feedback (OFB) Mode?
1. This is the only DES mode that works on a stream of data rather than a block.
2. Same as CFB, except that it does not re-encrypt the cipher block before using it as a randomizer.
3. OFB is not as secure as CFB
4. Dependent on the previous bits.
Phase I
   Take the plain text
   Perform the processing to get the cipher text
   Take the 8-bit key
   Add to 64 bits
Phase II
   Perform the processing
   Discard 64 bits
   Insert the 8 bits into the new key
   Ready for processing for the next round with new text
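Added example (not the guide's code) of the four DES modes described on this page and the previous one, run on a toy 16-round Feistel block cipher with 64-bit blocks standing in for DES itself: ECB shows repeated ciphertext blocks for repeated plaintext, CBC hides them, and 8-bit CFB and OFB turn the block cipher into a stream cipher that needs only the encryption direction. The round function and key schedule are constructed from SHA-256 and are not DES; key, IV and the sample record are constructed.

```python
import hashlib
import os
BLOCK = 8  # 64-bit blocks, as in DES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _subkeys(key: bytes, rounds: int = 16) -> list:
    """Toy key schedule: one 32-bit subkey per round, derived from the key with SHA-256."""
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(rounds)]

def _round_function(right: bytes, subkey: bytes) -> bytes:
    """Toy round function in place of DES's expansion / S-box / P-box step: a keyed hash
    truncated to 32 bits.  This is not DES; only the mode behaviour is the point here."""
    return hashlib.sha256(subkey + right).digest()[:4]

def block_encrypt(block: bytes, key: bytes) -> bytes:
    """16-round Feistel network on a 64-bit block: new L = R, new R = L xor F(R, k)."""
    L, R = block[:4], block[4:]
    for k in _subkeys(key):
        L, R = R, _xor(L, _round_function(R, k))
    return R + L  # undo the last swap so decryption is the same network with reversed subkeys

def block_decrypt(block: bytes, key: bytes) -> bytes:
    L, R = block[:4], block[4:]
    for k in reversed(_subkeys(key)):
        L, R = R, _xor(L, _round_function(R, k))
    return R + L

def pad(data: bytes) -> bytes:
    """Pad to whole 64-bit blocks (PKCS#7 style; always adds at least one byte)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]

def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """ECB: each block is encrypted independently, so equal plaintext blocks give equal
    ciphertext blocks (the same 'code book' entry is used wherever the block appears)."""
    return b"".join(block_encrypt(b, key) for b in _blocks(pad(plaintext)))

def ecb_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return unpad(b"".join(block_decrypt(b, key) for b in _blocks(ciphertext)))

def cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block (the IV for the
    first one) before encryption, so every block depends on all the blocks before it."""
    out, prev = [], iv
    for b in _blocks(pad(plaintext)):
        prev = block_encrypt(_xor(b, prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(block_decrypt(c, key), prev))
        prev = c
    return unpad(b"".join(out))

def cfb_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    """8-bit CFB: encrypt the 64-bit register, XOR its first byte with one plaintext byte,
    then shift the resulting ciphertext byte into the register for the next step."""
    out, reg = bytearray(), iv
    for p in plaintext:
        c = block_encrypt(reg, key)[0] ^ p
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)

def cfb_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    out, reg = bytearray(), iv   # decryption also uses block_encrypt; the register takes ciphertext bytes
    for c in ciphertext:
        out.append(block_encrypt(reg, key)[0] ^ c)
        reg = reg[1:] + bytes([c])
    return bytes(out)

def ofb_crypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    """8-bit OFB: like CFB, but the register is fed with the keystream byte instead of the
    ciphertext byte, so the keystream is independent of the data and one call encrypts or decrypts."""
    out, reg = bytearray(), iv
    for d in data:
        k = block_encrypt(reg, key)[0]
        out.append(k ^ d)
        reg = reg[1:] + bytes([k])
    return bytes(out)

def repeated_block_count(ciphertext: bytes) -> int:
    """Ciphertext blocks that repeat an earlier one: the pattern ECB reveals and CBC hides."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))

if __name__ == "__main__":
    key, iv = os.urandom(8), os.urandom(8)
    record = b"ACCOUNT=" * 4  # constructed: four identical 64-bit blocks
    print("ECB repeated blocks:", repeated_block_count(ecb_encrypt(record, key)))      # 3
    print("CBC repeated blocks:", repeated_block_count(cbc_encrypt(record, key, iv)))  # 0
```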

Triple DES
What is Triple DES?
This is a block cipher based on DES. It applies the algorithm three times in succession.

What is the need for Triple DES?
The need for Triple DES arises because double DES is no different from single DES. If it takes 2^n to decrypt single DES, it will take 2^(n+1) to decrypt double DES.

How is Triple DES performed?
1. Uses 48 rounds
2. 2^256 times stronger than DES
3. Encryption is performed from one end
4. Decrypted from the other end
5. Result is compared to the result in the middle

How are the keys used in Triple DES?

Two-Key method: There are just two keys, K1 and K2.
Method 1 (start with the inner bracket), EDE2 Method: two encryptions and one decryption, all with two keys
   Encrypt with Key1(Decrypt with Key2(Encrypt with Key1(Message)))
Method 2, EE2 Method: three encryptions with two keys
   Encrypt with Key1(Encrypt with Key2(Encrypt with Key1(Message)))

Three-Key method: There are three keys, K1, K2 and K3.
EEE3 Method: three encryptions with three keys
   Encrypt with Key3(Encrypt with Key2(Encrypt with Key1(Message)))

AES
What is AES?
AES is the Advanced Encryption Standard. It is based on the Rijndael Block Cipher.

What are the features of the Rijndael Cipher?
1. Difficult to attack
2. Compact in size

Rijndael Algorithm
Why is the Rijndael Algorithm so important?
Most of the hardware encryptions are DES or Triple DES. AES is soon going to replace DES and Triple DES. AES uses the Rijndael algorithm.

What are the key lengths for the Rijndael Block Cipher?
128, 192 and 256 bits

What is the concept of State in a Rijndael Block?
It is the intermediate cipher result that is transformed into another form.

What are the 3-layered Round Transformation steps of a Rijndael Block Cipher (RBC)?
1. Non-Linear Layer: an S-Box operation
2. Linear Layer: the P-Box diffusion operation
3. Key Addition Layer: provides the Round Key

What is the Round Key?
This is the key that is derived from the Cipher Key through a Key Schedule. Round Key = Key Expansion + Round Key Selection.

Solve the following problem
Given: Block Length = 128 bits, Rounds = 10. Round Key = ?
Round Key = Block Length x (Rounds + 1)
Round Key = 128 x (10 + 1)
Round Key = 1408
What are the applications of the Rijndael Block?
1. ATM cards
2. HDTV (High Definition TV)
3. Smart cards
4. Super speed chips
5. ISDN lines

Two Fish Algorithm


What is the Two Fish algorithm?
1. It is symmetric
2. Block Cipher of 128 bits
3. Operates on 128 bits
4. Works on 16 rounds
5. Key Length is 256

What algorithm does Two Fish use?
It uses the Feistel Network; F-Functions.

What do Pre-Whitening and Post-Whitening refer to in the Two Fish method?
This is a process where text is XORed with the addition of a sub-key:
Pre-Whitening is the process prior to the 1st round.
Post-Whitening is the process after the 16th round.

What is the purpose of Pre- and Post-Whitening?
It makes cryptanalysis more difficult.

What are the three ways of providing diffusion in the Two Fish algorithm?
1. MDS Matrix
2. PHT
3. Additional Key

IDEA
What is IDEA?
This stands for International Data Encryption Algorithm.
1. Based on the Secret Key
2. Block Encryption Algorithm
3. Operates on 64-bit plain text
4. 128-bit key
5. Uses both confusion and diffusion
6. Performs 8 rounds on 16-bit sub-blocks
7. Uses algebraic calculations for each sub-block

Why is IDEA considered to be more secure?
IDEA uses 128-bit encryption.

What is the most common implementation of IDEA?
PGP (Pretty Good Privacy)

RC5
What are the important features of RC5?
1. Invented by Ronald Rivest in 1996
2. Block cipher
3. Variable length
4. Encryption is done through
   a. Integer Addition
   b. Bit-wise XOR
   c. Variable Rotation
   d. Block size varies
      i) 32
      ii) 64
      iii) 128
   e. Rounds are variable from 0 to 255
   f. Key size is variable from 0 to 2048
   g. Patented by RSA in 1997

Asymmetric Key
What is an Asymmetric Key?
1. Comprised of a pair of keys: a Public and a Private Key
2. It is difficult to decipher unless you know a trap door.
3. Y = f(X): if you know X, you can compute Y, but you cannot compute X from Y. (If you have grass you can get milk. From milk you cannot get the grass.)

Why is the Public Key slower?
It is 800 to 8,000 times slower than Symmetric Encryption because it has to attempt to compute the factors of huge prime numbers.

What is a hybrid system?
1. Uses a Public Key for distribution
2. Symmetric Key for encryption

Be Careful: Whenever you read about a Private Key, try to find out which Private Key is being referred to. Symmetric Key Encryption is sometimes referred to as a Private Key! An Asymmetric Key, which has a pair of keys, has one Public and one Private Key.

To what do the following terms refer? Secure Message Format, Open Message Format, Secure Signed Format and Digital Signature
Secure Message Format: File is encrypted with the receiver's Public Key.
Open Message Format: File is encrypted with the sender's Private Key.
Secure Signed Format: Sender encrypts the message with his/her own Private Key, then with the receiver's Public Key.
Digital Signature: Hash of the message is calculated, which is encrypted with the sender's Private Key.

What are the top five public key encryption algorithms?
1. RSA
2. Diffie-Hellman
3. El-Gamal
4. Merkle-Hellman Knapsack
5. Elliptic Curve

RSA
What is RSA?
1. RSA stands for Rivest, Shamir and Adleman
2. RSA is a public-key cryptosystem
3. Private Key and Public Key are huge numbers that are mathematically related
4. Based on a trap-door, one-way function
   a. Easy to perform in one direction: Encrypt
   b. Difficult to perform in the reverse direction: Decrypt
   c. Unless you have the Trap Door or the Second Key
5. Key size varies from 768 to 2048 bits
6. Based on the factors of a logical number
7. Underlying assumption is that it is impossible to factorize the product of two very large prime numbers
8. Number may be as big as 300 digits

What are the applications of RSA?
1. Encryption
2. Key exchange
3. Digital signature

Diffie-Hellman Key Exchange


What is the Diffie-Hellman method used for?
It is a method used where the secret key of the user (subject) is exchanged over a non-secure medium. It is based on a simple equation:
K^(ba) mod p = K^(ab) mod p
The values "a" and "b" are known only to parties X and Y. They substitute the values and get the key. No one else can obtain the key, because they would have to find two variables.

What are the limitations of the Diffie-Hellman System?
1. Diffie-Hellman is only for key distribution; it cannot be used for encryption and decryption.
2. Vulnerable to man-in-the-middle attack: an attacker can get someone's value and send it as their own public value to the recipient. The solution might be to use a digital signature.

El-Gamal
What is the El-Gamal Algorithm?
1. It is based on the discrete logarithm
2. Used for both Encryption and Digital Signature
3. It is the only non-patented public key cryptography
Given:
p = Prime Number
x = Any Integer for the Private Key
a = Used to compute the Public Key
y = x^a mod p

What would be a simple example of El-Gamal?
The following example shows the simple steps of this algorithm:
1. Alice writes a message M
2. Alice generates a random number "b", so that "b" is less than the prime number "p"
3. Compute y_b = x^b mod p
4. Alice computes y_alice = M mod y_b
5. Alice sends the message to Bob
6. Bob computes the following: y_b_alice = x^(ab) mod p
Note: El-Gamal is a prime number and MOD function calculation.
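Added example (not from the guide) covering the Diffie-Hellman exchange on the previous page and the El-Gamal steps above: both parties derive the same g^(ab) mod p from each other's public values, and El-Gamal reuses that construction to encrypt an integer message under a long-term public key. It assumes a constructed toy group (the safe prime p = 10007, with a generator found at run time) and uses g for the generator, x or a, b for private exponents and y = g^x mod p for a public key; the range check on received public values is the receiver-side sanity test a defender adds.

```python
import secrets

def is_prime(n: int) -> bool:
    """Trial division; adequate for the small constructed parameters below."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

# Constructed toy group: a safe prime p (q = (p - 1) / 2 is also prime) and a generator g
# of the whole group.  Real deployments use 2048-bit or larger standardized groups.
P = 10007
Q = (P - 1) // 2
assert is_prime(P) and is_prime(Q)
G = next(g for g in range(2, P) if pow(g, 2, P) != 1 and pow(g, Q, P) != 1)

def validate_public_value(y: int, p: int = P) -> int:
    """Check a receiver should make before using a peer's value: 1 < y < p - 1.
    The values 1 and p - 1 would force the shared secret into a two-element set."""
    if not 1 < y < p - 1:
        raise ValueError("invalid public value")
    return y

def dh_keypair(p: int = P, g: int = G) -> tuple:
    """Secret exponent (the 'a' or 'b' of the text) and the public value g^a mod p."""
    while True:
        a = secrets.randbelow(p - 3) + 2
        public = pow(g, a, p)
        if 1 < public < p - 1:
            return a, public

def dh_shared_secret(own_secret: int, peer_public: int, p: int = P) -> int:
    """K = peer_public^own_secret mod p.  Both sides reach g^(ab) mod p because
    (g^b)^a = (g^a)^b; an eavesdropper sees only g^a and g^b."""
    return pow(validate_public_value(peer_public, p), own_secret, p)

# El-Gamal turns the same exchange into an encryption scheme.
def elgamal_keypair(p: int = P, g: int = G) -> tuple:
    """Private x and public y = g^x mod p (long-term, unlike the per-session DH values)."""
    return dh_keypair(p, g)

def elgamal_encrypt(message: int, recipient_public: int, p: int = P, g: int = G) -> tuple:
    """Sender draws a fresh b per message and sends (g^b mod p, M * y^b mod p):
    y^b is a one-time DH secret that masks M."""
    if not 0 < message < p:
        raise ValueError("message must be an integer in 1..p-1")
    y = validate_public_value(recipient_public, p)
    while True:
        b = secrets.randbelow(p - 3) + 2
        c1 = pow(g, b, p)
        if 1 < c1 < p - 1:
            break
    return c1, (message * pow(y, b, p)) % p

def elgamal_decrypt(ciphertext: tuple, private_x: int, p: int = P) -> int:
    """Recipient recomputes the mask as c1^x = g^(bx) mod p and divides it out."""
    c1, c2 = ciphertext
    mask = pow(validate_public_value(c1, p), private_x, p)
    return (c2 * pow(mask, -1, p)) % p          # modular inverse needs Python 3.8+

if __name__ == "__main__":
    a, A = dh_keypair()          # party X
    b, B = dh_keypair()          # party Y
    print("shared secrets agree:", dh_shared_secret(a, B) == dh_shared_secret(b, A))
    x, y = elgamal_keypair()
    ct = elgamal_encrypt(4242, y)        # constructed numeric message
    print("El-Gamal round trip:", elgamal_decrypt(ct, x))    # 4242
```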

Merkle-Hellman Knapsack
What is the Merkle-Hellman Knapsack Algorithm?
1. It deals with items of a fixed weight
2. Based on a super-exceeding number
3. Number is given and its factors are obtained

What is a super-exceeding number?
Each succeeding number is greater than the sum of the previous numbers.

Elliptic Curve Crypto system


What is the Elliptic Curve Crypto System?
1. This is the area under the curve, based on an equation
2. Used for Digital Signature, Encryption and Key management
3. Very difficult to compute elliptic curves
4. Reasonably high security is obtained with a smaller key
5. 160-bit Elliptic Curve = 1024-bit RSA
6. Requires fewer resources in terms of memory and processing power
7. y^2 = x^3 + ax + b
8. Curve is based on P = CR
   a. Where P and R are two points on a curve
   b. C is a very-hard-to-find algorithm

What are the applications of the Elliptic Curve Crypto System?
1. Smart Cards
2. Wireless Devices

Public Key Algorithm


What are the two ways of carrying out the Public Key Algorithm?
1. Factoring a Large Prime Number
   RSA
2. Discrete Logarithm
   El Gamal
   Elliptic Curve
   Diffie-Hellman

What is a Digital Signature?
A Digital Signature is a result obtained in the following way:
1. The message that needs to be sent is input in Plain Text
2. A one-way hash is applied to get a "message digest"
3. The "message digest" is encrypted using the sender's Private Key
4. The result is a smaller, scrambled text, called a Digital Signature
5. This is sent as an attachment to the original message
6. On receiving it, the sender's Public Key decrypts it

What are the advantages of a Digital Signature?
1. Authentication, i.e. the message is not tampered with (or the message digest will change)
2. Sender cannot say he wasn't the one who sent it
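Added example (not the guide's code) of the digital signature steps above together with the RSA and Digital Envelope pages earlier: textbook RSA keys, a SHA-256 message digest signed with the sender's private key and checked with the sender's public key, and an envelope whose fresh secret key is wrapped under the recipient's public key so only the recipient's private key opens it. Keys are generated with a Miller-Rabin test written here, the envelope body uses a constructed SHA-256 keystream in place of DES/AES, and the messages are constructed samples.

```python
import hashlib
import os
import secrets

def _probably_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (error probability at most 4^-rounds)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if _probably_prime(candidate):
            return candidate

def rsa_keypair(bits: int = 1024) -> tuple:
    """Textbook RSA: n = p*q, public e, private d = e^-1 mod (p-1)(q-1).
    Returns ((n, e), (n, d)).  No padding scheme: real systems use RSA-PSS / RSA-OAEP."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))

def message_digest(message: bytes) -> bytes:
    """Step 2: a one-way hash (SHA-256 here) gives the fixed-length 'message digest'."""
    return hashlib.sha256(message).digest()

def sign(message: bytes, private_key: tuple) -> int:
    """Step 3: the digest, not the message, is transformed with the sender's private key."""
    n, d = private_key
    return pow(int.from_bytes(message_digest(message), "big"), d, n)

def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """Step 6: the sender's public key reverses the signature; the result must equal the
    digest the receiver computes over the message it actually received."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(message_digest(message), "big")

def _keystream_xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Toy symmetric cipher for the envelope body: SHA-256 in counter mode XORed with the data.
    It stands in for DES/AES; a real design would use an authenticated cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

def seal_envelope(message: bytes, recipient_public: tuple) -> dict:
    """Digital envelope = data encrypted under a fresh secret key + that secret key encrypted
    under the recipient's public key, so only the recipient's private key can open it."""
    n, e = recipient_public
    secret_key, nonce = os.urandom(32), os.urandom(16)
    return {"data": _keystream_xor(message, secret_key, nonce),
            "nonce": nonce,
            "wrapped_key": pow(int.from_bytes(secret_key, "big"), e, n)}

def open_envelope(envelope: dict, recipient_private: tuple) -> bytes:
    n, d = recipient_private
    secret_key = pow(envelope["wrapped_key"], d, n).to_bytes(32, "big")
    return _keystream_xor(envelope["data"], secret_key, envelope["nonce"])

if __name__ == "__main__":
    sender_pub, sender_priv = rsa_keypair()
    recipient_pub, recipient_priv = rsa_keypair()
    report = b"Quarterly audit report v3"          # constructed sample message
    sig = sign(report, sender_priv)
    print("signature valid:", verify(report, sig, sender_pub))
    print("after tampering:", verify(report + b" (amended)", sig, sender_pub))
    print("envelope opens:", open_envelope(seal_envelope(report, recipient_pub), recipient_priv) == report)
```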

What is the difference between a Session Key and a Secret Key? Both are used for Symmetric encryption. A Session key is just like a Secret key, but is only valid for a single session.

Points to remember:
Encryption is for confidentiality
Hashing is for integrity
Digital Signature is for integrity and authentication

One Way Hash


What is a One-way Hash?
This is a mathematical function that is applied to a message. It is easy to compute in one direction and almost impossible to compute in the reverse direction.
Example: You can say milk is the hash of grass! You cannot get back to the grassy state, no matter what you do with the milk.

What are Fingerprints and Cryptographic Checksums?
The fixed string that is the output of a hash function is sometimes referred to as the "fingerprint" of the message, or the "cryptographic checksum" of the message.

What is the hash function used for?
1. To condense a message which is of arbitrary length to a message digest of fixed length.
2. Hash is calculated for the complete message.
3. Two messages with the same hash are called a birthday attack. The hash function should not produce two messages with the same hash value.

Message Digest
What is a Message Digest?
It is a unique pattern of bits for any given input. It uses the one-way hash function to convert a message of any length into a fixed-length digest.

How is the Message Digest interpreted?
If the message is sent over an unsecured medium and the value of the hash is the same before and after transmission, it means that the message has not been tampered with.

What are the common Hash functions available?
1. SHA
2. MD2, MD4, MD5

What is the Message Digest used for?
It is used to create a Digital Signature.

What is SHA-1?
It is a Secure Hash Algorithm. It does the following:
1. Takes the plain text
2. Creates 512-bit blocks (padding is performed if the block size is less than 512 bits)
3. Creates a 160-bit message digest
4. DSA is applied to the "Message Digest"
5. A Digital Signature is created from the message digest

What are the properties of SHA-1?
1. It is almost impossible to find the original message from the message digest
2. No two messages will have the same digest


MD2
What are the salient features of MD2? 1. Designed by Ron Rivest of RSA 2. Initially used for PEM (Privacy Enhanced Mail) 3. Produces a 128-bit hash value 4. Byte-oriented; a 16-byte checksum is appended to the message before hashing 5. Processes input in multiples of 16 bytes 6. Pads the input message if it is not of the required length.
What are the limitations of MD2? Collision and preimage attacks have been published against it; it is considered broken and has little value beyond its historical and academic interest.


MD4
What are the prominent features of MD4? 1. Developed by Rivest in 1990 2. Produces a 128-bit hash value 3. Calculations are optimized for 32-bit registers 4. Requires padding to a multiple of 512 bits 5. The padding always ends with a 64-bit value giving the length of the unpadded message 6. Designed so that it is difficult to produce two messages with the same 128-bit hash value 7. Faster than MD2
What are the limitations of MD4? It has been completely broken: practical collisions were published in 1996 and can now be found in a fraction of a second, so MD4 must not be used for anything security-related.


MD5
What are the prominent features of MD5? 1. Replacement for MD4 2. Takes as input a message of arbitrary length 3. Produces a 128-bit "fingerprint" or "message digest" of the input 4. Designed so that it is infeasible to produce two messages that have the same message digest, or 5. To produce any message with a given, pre-specified target message digest 6. Intended for Digital Signature applications, where a large file must be "compressed" in a secure manner before being signed with a Private Key under a public-key cryptosystem such as RSA 7. Addresses specific weaknesses of MD4 8. Slightly slower than MD4
What is the length of the message digest? 128 bits. What is the block size? 512 bits.
Caveat: practical MD5 collisions were demonstrated in 2004 and have since been used to forge certificates, so MD5 is no longer acceptable for signatures or for integrity checks where an attacker can choose the input.
What is a MAC? A MAC (Message Authentication Code) is a function that processes a variable-length input into a fixed-length output under a secret key. It is a keyed checksum for the message: without the key nobody can compute or forge it.
What is HMAC? It is a MAC built from a hash function and a secret key (RFC 2104), for example HMAC-SHA256.
How does HMAC work? 1. The sender writes the message 2. The sender computes the MAC over the message with the shared secret key 3. The MAC is appended to the message 4. Message and MAC are sent together 5. The receiver recomputes the MAC over the received message with the same key 6. The receiver compares the computed MAC with the received MAC 7. If they match, the message is accepted as authentic and unmodified; otherwise it is rejected. The comparison should be done in constant time so that the verifier does not leak how many bytes of a forged MAC were correct.
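The seven steps above, and the difference between a plain message digest and a keyed MAC, as an added example that is not part of the study guide. It uses only the Python standard library (`hashlib`, `hmac`); the key, messages and the attacker's moves are constructed for the demonstration. The unkeyed digest check passes after an attacker rewrites both message and digest; the HMAC check does not, because the attacker lacks the key.

```python
import hashlib
import hmac

# Constructed example key; in practice it is shared out of band and kept secret.
KEY = b"shared-secret-key-for-example"
TAG_LEN = 32  # SHA-256 output size in bytes


def plain_digest(message: bytes) -> bytes:
    """Unkeyed fingerprint, as in the 'message digest' check described earlier."""
    return hashlib.sha256(message).digest()


def check_plain_digest(message: bytes, tag: bytes) -> bool:
    """Receiver recomputes the digest and compares. Anyone can do this, including the attacker."""
    return plain_digest(message) == tag


def make_mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 (RFC 2104): the tag depends on the key, not only on the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def send(key: bytes, message: bytes) -> bytes:
    """Sender: compute the MAC and append it to the message (steps 1-4)."""
    return message + make_mac(key, message)


def receive(key: bytes, packet: bytes):
    """Receiver: split, recompute, compare (steps 5-7).
    Returns the message if it is authentic, otherwise None."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    # compare_digest runs in constant time, so an attacker cannot learn
    # byte by byte how close a forged tag is to the right one.
    if hmac.compare_digest(make_mac(key, message), tag):
        return message
    return None


def forge_plain_digest(new_message: bytes):
    """Attacker against the unkeyed digest: replace the message and simply
    recompute the digest. The receiver's check still passes."""
    return new_message, plain_digest(new_message)


def forge_mac(packet: bytes, new_message: bytes) -> bytes:
    """Attacker against HMAC without the key: the best he can do is reuse the
    old tag with a new message, which the receiver rejects."""
    return new_message + packet[-TAG_LEN:]


if __name__ == "__main__":
    packet = send(KEY, b"PAY 100 TO BOB")
    print("genuine packet accepted:", receive(KEY, packet))
    print("forged packet accepted:", receive(KEY, forge_mac(packet, b"PAY 999 TO MALLORY")))
    print("plain digest fooled:", check_plain_digest(*forge_plain_digest(b"PAY 999 TO MALLORY")))
```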

What is HAVAL? 1. A one-way hash function 2. Variable-length output (128, 160, 192, 224 or 256 bits) and a variable number of passes 3. Processing block size is 1024 bits (double that of MD5)


DSS
What is DSS? 1. Digital Signature Standard (FIPS 186) 2. Based on DSA (Digital Signature Algorithm) 3. DSA is a variant of the ElGamal signature scheme 4. DSA uses SHA-1 (later revisions of the standard also allow SHA-2) a. SHA-1 does the pre-processing for DSA by creating a message digest b. The SHA-1 message digest is 160 bits c. DSA takes the message digest and signs it with the signer's private key d. The end result is the digital signature (the pair r, s), which anyone can verify with the signer's public key.


Types of Cryptographic Attack


Remember: the main objective of a cryptographic attack is to find the key. If the key is known, there is no need to launch any attack. The main components are the Key, the Plain Text and the Cipher Text.
What is a Known Plain Text attack? Plain text is available; the corresponding cipher text is available; the key is unknown.
What is a Chosen Plain Text attack? The attacker can choose any plain text and obtain the corresponding cipher text; the key is unknown.
What is an Adaptive Chosen Plain Text attack? As above, but the attacker chooses each plain text after seeing the results of the previous ones (try, learn, try again); the corresponding cipher text is available; the key is unknown.

What is a Cipher Text Only attack? Plain text is not available; cipher text (of many messages) is available; the key is not available. Cracking an encrypted password file is commonly given as an example. It is the most common situation an attacker finds himself in, and the hardest attack to carry out.
What is a Chosen Cipher Text attack? The attacker can choose cipher texts and obtain the corresponding plain texts (he has access to a decryption oracle); the key is not available.
What is an Adaptive Chosen Cipher Text attack? As above, but each cipher text is chosen after seeing the decryption of the previous ones; the key is not available.

What is a 'Meet in the Middle' attack? 1. Double encryption with two independent keys (for example double DES) is susceptible to this attack. 2. Given a known plain text/cipher text pair, the attacker encrypts the plain text under every possible first key and stores the results. 3. He then decrypts the cipher text under every possible second key and looks for a value that appears in the stored table; a match in the middle gives a candidate key pair, which is confirmed against a second known pair. 4. The work is about twice a single-key exhaustive search (plus memory for the table), not the square of it, which is why double DES gives roughly 57 bits of security rather than 112 and why triple DES is used instead.
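The attack carried out against a toy cipher, as an added example that is not from the study guide. The 16-bit block cipher with 12-bit keys below is an invented stand-in (it is not DES and not secure; it only needs to be invertible), so that the forward table of 2^12 entries fits in memory and the whole attack runs in milliseconds. The same code shape applies to double DES with 2^56 entries, which is the point: naive exhaustive search costs 2^24 key pairs here, the meet-in-the-middle costs 2 x 2^12 cipher operations.

```python
"""Meet-in-the-middle against double encryption with a toy 16-bit block cipher."""

MASK = 0xFFFF
KEY_BITS = 12            # toy key size so that 2**KEY_BITS fits in a table
KEYSPACE = 1 << KEY_BITS
ROUNDS = 4


def rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK


def rotr(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK


def toy_encrypt(block, key):
    """Invertible toy cipher: XOR, rotate, add, repeated. Not secure, just a stand-in."""
    x = block
    for _ in range(ROUNDS):
        x ^= key
        x = rotl(x, 5)
        x = (x + key) & MASK
    return x


def toy_decrypt(block, key):
    """Exact inverse of toy_encrypt: undo each round in reverse order."""
    x = block
    for _ in range(ROUNDS):
        x = (x - key) & MASK
        x = rotr(x, 5)
        x ^= key
    return x


def double_encrypt(block, k1, k2):
    """'Double DES' style: C = E_k2(E_k1(P)). Naive search is 2**(2*KEY_BITS) pairs."""
    return toy_encrypt(toy_encrypt(block, k1), k2)


def known_pairs(k1, k2, plaintexts):
    """What the attacker is assumed to have: known plaintext/ciphertext pairs."""
    return [(p, double_encrypt(p, k1, k2)) for p in plaintexts]


def meet_in_the_middle(pairs):
    """Recover candidate (k1, k2) from known pairs.
    Forward: encrypt P under every k1 and store the middle value.
    Backward: decrypt C under every k2 and look the middle value up.
    Cost: 2 * 2**KEY_BITS cipher operations plus a table, not 2**(2*KEY_BITS).
    The remaining pairs weed out false matches in the middle."""
    p0, c0 = pairs[0]
    middle = {}
    for k1 in range(KEYSPACE):
        middle.setdefault(toy_encrypt(p0, k1), []).append(k1)
    candidates = []
    for k2 in range(KEYSPACE):
        for k1 in middle.get(toy_decrypt(c0, k2), []):
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates


if __name__ == "__main__":
    secret_k1, secret_k2 = 0x3A7, 0xC15           # constructed secret keys
    pairs = known_pairs(secret_k1, secret_k2, [0x1234, 0xBEEF, 0x0042])
    print("recovered:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
```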

What is a 'Man in the Middle' attack? 1. Someone sitting between the correspondents intercepts the messages. 2. What is forwarded may have been read or modified. 3. Unauthenticated Public Key exchanges are especially vulnerable to this attack. 4. The person in the middle sends his own public key to each party in place of the other party's real public key, so each side unknowingly encrypts to the attacker. Certificates from a trusted CA, or out-of-band verification of key fingerprints, are the countermeasure.
What is a Replay attack? The attacker captures login names, passwords and other information as a stream of bits. Later, he replays the same stream of bits from his own computer, and the server believes it is communicating with the legitimate client. Kerberos authenticators, for example, could be replayed within the permitted clock-skew window, which is why Kerberos includes time stamps and a replay cache. Time stamps, nonces and sequence numbers are the usual countermeasures.
What is a Dictionary attack? A kind of brute-force attack in which a list of likely words is hashed (or encrypted) and compared against an encrypted or hashed password file. If the password is in the dictionary, it is recovered. Long random passwords, salting and slow password hashes are the countermeasures.

Cryptanalysis
What is Differential Cryptanalysis? 1. Used against symmetric (private key) block ciphers such as DES 2. Pairs of plain texts with a chosen difference are encrypted and the resulting cipher texts are compared 3. Differences that propagate through the cipher with high probability are identified 4. Those differences leak information about the key. It is a chosen plain text attack.
What is Linear Cryptanalysis? 1. Uses known plain text and cipher text 2. Linear approximations relating plain text bits, cipher text bits and key bits are worked out 3. The result is inferred statistically over many pairs 4. Key bits are recovered through this linear analysis. It is a known plain text attack.
What is Differential-Linear Cryptanalysis? A combination of the above two.

PKI
What are the components of PKI? 1. Digital Certificate 2. CA (Certification Authority) 3. RA (Registration Authority) 4. Cross Certification
Why do we need a CA? For the issuance, management and distribution of Digital Certificates.
How does a CA work? 1. Mr. Right asks for a Certificate. 2. The CA (or its RA) does the necessary homework to be sure that Mr. Right is really Mr. Right and controls the corresponding private key 3. Once that is done, a certificate is issued to Mr. Right, signed with the CA's Private Key 4. Mr. Friend wants to send a message to Mr. Right 5. Mr. Friend wants to know that the public key he has is really Mr. Right's 6. Mr. Friend obtains Mr. Right's certificate (from Mr. Right himself or from the CA's directory) 7. Mr. Friend verifies the CA's signature on the certificate with the CA's Public Key; the certificate is signed, not encrypted, so anyone can check it but nobody can alter it 8. The Certificate will have at a minimum the following information: a. Mr. Right's Name b. Mr. Right's Public Key c. CA Name d. Validity period of the Certificate e. The CA's signature over all of the above.

What is the Problem with a CA? Before you can trust a CA you must have an authentic copy of the CA's Public Key, and you cannot use the CA itself to verify its own key. This is resolved by distributing root CA public keys out of band as trust anchors (for example, pre-installed in the operating system or browser) and by having one CA certify another (cross-certification and certificate chains).
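A toy certification authority, as an added example that is not from the study guide, to make steps 3 and 7 above concrete: the CA signs the binding between a name and a public key, and the relying party verifies that signature with the CA's public key, which it must already hold as a trust anchor. The RSA here is textbook RSA with small fixed primes and a hash reduced modulo n (an assumption made to keep the code dependency-free; real certificates use PKCS#1 padding, 2048-bit random keys and X.509 encoding), and the names and dates are constructed. It also shows why a man-in-the-middle who swaps in his own key is caught.

```python
"""Toy CA: a certificate is (subject, public key, issuer, validity) plus the CA's signature."""
import hashlib
import json

E = 65537


def rsa_keypair(p, q):
    """Textbook RSA from two primes. Toy: no padding, fixed primes, no size checks."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))        # (public, private)


def digest_int(data: bytes, n: int) -> int:
    # Reduce SHA-256 of the data into the modulus range (toy stand-in for PKCS#1 padding).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(digest_int(data, n), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest_int(data, n)


def to_be_signed(cert: dict) -> bytes:
    """Canonical encoding of exactly the fields the CA vouches for."""
    fields = {k: cert[k] for k in ("subject", "subject_public_key", "issuer", "not_after")}
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(ca_name, ca_private, subject, subject_public, not_after):
    """CA step 3: after checking that `subject` really owns `subject_public`, sign the binding."""
    cert = {"subject": subject, "subject_public_key": list(subject_public),
            "issuer": ca_name, "not_after": not_after}
    cert["signature"] = sign(ca_private, to_be_signed(cert))
    return cert


def verify_certificate(cert, trust_anchors, today):
    """Relying party (step 7): issuer must be a trust anchor we already hold,
    the certificate must be unexpired, and the CA signature must verify."""
    ca_public = trust_anchors.get(cert["issuer"])
    if ca_public is None:
        return False                               # no trust anchor: cannot be verified
    if cert["not_after"] < today:                  # ISO dates compare as strings
        return False
    return verify(ca_public, to_be_signed(cert), cert["signature"])


# Constructed keys from fixed primes (toy; real keys are 2048+ bits and random).
CA_PUBLIC, CA_PRIVATE = rsa_keypair(1000000007, 998244353)
RIGHT_PUBLIC, RIGHT_PRIVATE = rsa_keypair(999999937, 999999929)
MALLORY_PUBLIC, _ = rsa_keypair(1000000007, 999999937)

if __name__ == "__main__":
    anchors = {"ExampleCA": CA_PUBLIC}             # what Mr. Friend holds out of band
    cert = issue_certificate("ExampleCA", CA_PRIVATE, "Mr. Right", RIGHT_PUBLIC, "2030-12-31")
    print("genuine certificate:", verify_certificate(cert, anchors, "2025-01-01"))
    swapped = dict(cert, subject_public_key=list(MALLORY_PUBLIC))   # man in the middle
    print("key swapped by MITM:", verify_certificate(swapped, anchors, "2025-01-01"))
```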

What infrastructure is recommended for PKI? 1. Highly secure site 2. Trained people 3. LDAP directory server for publishing certificates and revocation lists 4. Secured application 5. Support for non-repudiation (time stamping, secure audit trail)

What are the maintenance components of PKI? 1. Policies and Procedures (Certificate Policy and Certification Practice Statement) 2. Certificate issuance 3. Certificate revocation 4. Time stamping 5. Security of the site
What is the role of LDAP in a CA? It gives applications a standard way to retrieve X.509 certificates and CRLs from the CA's directory.
How do the X.500 and X.509 standards differ? X.500 is the directory standard; LDAP is the lightweight protocol for accessing X.500-style directories. X.509 is the standard for the Certificate (and CRL) format.
What are the security concerns relating to LDAP servers? 1. Availability 2. Integrity. For example, what happens if the LDAP server is compromised or comes under a DoS attack? A newly issued certificate might not be published, and revocation information might not be available to the requester. If clients treat "no answer" as "not revoked", a revoked certificate may go on being used; revocation checking should therefore fail closed.

Escrow Arrangements
What are the escrow arrangements for Cryptography? Key escrow means that a copy of a decryption key, or the means to reconstruct it, is held by one or more trusted third parties, so that when a government, acting under proper legal authority, needs to read an encrypted message it is technically able to do so.
How is the escrow arrangement for Cryptography addressed? With the help of the following: 1. Hardware-based solution: the Clipper chip with the Skipjack algorithm 2. Software-based solution: the Fair Cryptosystem

What is the Clipper chip method? The following are the salient features of the Clipper Chip: 1. Uses a symmetric key algorithm (Skipjack, 80-bit key) 2. Each chip holds the following: a. A unique serial number (unit ID) b. A unit key, split into two halves held by Escrow Agent 1 and Escrow Agent 2 c. An 80-bit family key shared by all chips d. The Skipjack algorithm
How does the Clipper chip method work? 1. With every communication the chip sends a LEAF (Law Enforcement Access Field), which carries the chip serial number and the session key encrypted under the unit key, the whole field being encrypted under the family key. 2. If the Government wants to decrypt a particular message, it obtains a court order, collects the two halves of that chip's unit key from the two escrow agents, recovers the session key from the LEAF and decodes the message.

Fair Crypto-System
What is the Fair Cryptosystem? 1. It is a software-based solution 2. The user's Private Key is split into several pieces (shares) 3. Each piece is given to a different trustee 4. The key can only be reconstructed by combining the pieces held by the trustees, either all of them or a majority of them (a threshold scheme) 5. Each trustee can check that its piece is genuine without learning the whole key 6. Less relevant to government; more relevant to business (recovery of encrypted data when an employee leaves).
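Points 2 to 4 describe threshold secret sharing. The example below is added here and is not the study guide's or Micali's code: it implements Shamir's scheme, the standard way to split a key so that any k of n trustees can rebuild it while k-1 learn nothing. The prime field, the 128-bit sample key and the 3-of-5 split are constructed assumptions; the verifiability of individual shares (point 5) is not implemented.

```python
"""Threshold key escrow with Shamir secret sharing over a prime field."""
import secrets

PRIME = (1 << 127) - 1    # Mersenne prime; shares and secrets are integers below it


def split_secret(secret: int, k: int, n: int):
    """Hide `secret` as the constant term of a random polynomial of degree k-1
    and hand trustee i the point (i, f(i)). Any k points fix the polynomial."""
    if not 0 <= secret < PRIME or not 1 <= k <= n < PRIME:
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]

    def f(x):
        return sum(c * pow(x, j, PRIME) for j, c in enumerate(coeffs)) % PRIME

    return [(i, f(i)) for i in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME). With k genuine shares this
    returns the secret; with fewer, every secret is equally likely, so the value
    obtained is unrelated to the real one."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def key_to_int(key: bytes) -> int:
    return int.from_bytes(key, "big")


def int_to_key(value: int, length: int) -> bytes:
    return value.to_bytes(length, "big")


if __name__ == "__main__":
    key = bytes(range(16))                        # constructed 128-bit key
    shares = split_secret(key_to_int(key), 3, 5)  # 5 trustees, any 3 can recover
    for share in shares:
        print("trustee %d holds %x" % share)
    print("from 3 shares:", int_to_key(reconstruct(shares[:3]), 16) == key)
    print("from 2 shares:", int_to_key(reconstruct(shares[:2]), 16) == key)
```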

Key Management
What measures should be adopted in order to manage keys? 1. Key generation 2. Key maintenance 3. Key storage 4. Key revocation 5. Key change (rotation) 6. Key compromise (theft) and the response to it

Email Security
What are the issues regarding e-mail security? 1. Confidentiality 2. Integrity 3. Non-repudiation 4. Authentication 5. Verification
What is S/MIME? Secure/Multipurpose Internet Mail Extensions. MIME is a way of sending multimedia and other non-text content through e-mail; it dictates how such non-e-mail files are handled. S/MIME adds the following two features: 1. Encryption 2. Digital Signature
What standards does S/MIME follow? 1. PKCS (the Public-Key Cryptography Standards, in particular the PKCS #7 message syntax) 2. X.509 Digital Certificates

MOSS
What is MOSS? 1. MOSS stands for MIME Object Security Services (RFC 1848) 2. Helps to provide confidentiality, integrity, authentication and non-repudiation for MIME messages
What technology does MOSS use? 1. MD2/MD5 for hashing 2. RSA Public Key 3. DES
How does MOSS differ from S/MIME? MOSS is more flexible: 1. It does not require X.509 certificates; public keys can be distributed and identified in other ways 2. More function and support than just X.509. In practice S/MIME, not MOSS, is what mail clients implement.

PEM
What is PEM? Privacy Enhanced Mail. It uses the following: 1. PKCS 2. DES (in CBC mode) for message encryption 3. RSA for Key Management 4. MD5 for the message integrity check (authentication) 5. A hierarchical certification framework compatible with X.509
What does PEM support? Encryption and authentication
What does PEM use for encryption? DES-CBC for the message body; the per-message key is itself protected with DES-EDE (Triple DES) or RSA.
What does PEM use for Digital Signature? 1. MD5 to create a Message Digest 2. RSA to sign it
What is MSP? This stands for Message Security Protocol, usually referred to as Military PEM. It can sign, hash and encrypt. It is X.400 compatible.
What is PKCS? The Public-Key Cryptography Standards, a series of specifications published by RSA Laboratories and developed with industry partners including Apple, Microsoft, DEC, Lotus, Sun and MIT; for example PKCS #1 (RSA), PKCS #7 (message syntax) and PKCS #12 (key storage).
PGP
What is PGP? PGP - Pretty Good Privacy
What does PGP use? 1. A hybrid scheme: a random symmetric session key encrypts the message, and the session key is encrypted with the recipient's public key 2. A passphrase (protecting the private key ring) instead of a password 3. RSA for key management 4. IDEA for encryption (confidentiality) in classic PGP; later versions add CAST5, Triple DES and AES 5. MD5 for hashing in classic PGP (later SHA-1 and SHA-2) to ensure integrity 6. A signed message supports non-repudiation 7. A "Web of Trust", in which users sign each other's keys, rather than a CA to authenticate users.

Internet Security Applications


What is a MAC? A MAC is a Message Authentication Code; the banking standard ANSI X9.9 defines one based on DES in CBC mode. It is derived from the message and a secret key. In simple terms it can be understood as a keyed CRC of the message. Normally it is appended to the end of the message.
What is the problem with a MAC? It is based on a secret key that must be distributed secretly and is shared by sender and receiver. A MAC therefore proves integrity and origin only to the other key holder and cannot provide non-repudiation: either party could have produced it.

SET: Secure Electronic Transaction


What is SET? It is the electronic payment standard developed by MasterCard and Visa to protect card transactions end to end between cardholder, merchant and payment gateway. It uses the following: 1. DES for encryption of the message 2. RSA to encrypt the DES session key (the "digital envelope") and for Digital Signatures, including a dual signature so that the merchant does not see the card details and the bank does not see the order.

Why is SET not used very often? Due to the popularity of SSL, acceptance of SET has been slow. However, it is a robust protocol for handling secure transactions.
Rule of Thumb:
Symmetric Algorithm: DES and Triple DES
Public Key: RSA (for key exchange and Digital Signatures)
Hash Function: MD5

SSL
What is SSL? SSL stands for Secure Sockets Layer. It was developed by Netscape in 1994. It sits between the transport layer (TCP) and the application, which is why it is often described as working at the Session Layer, and it authenticates the server to the client (and optionally the client to the server). It supports Public Key cryptography and Digital Certificates. HTTPS runs it on port number 443.
What are the two types of authentication supported by SSL? 1. Server authentication, through a certificate issued by a trusted third party (the CA) 2. Optional client authentication with a client certificate (mutual client/server authentication)
What algorithms are supported by SSL? A "cipher suite" negotiated from, for example: 1. RSA Public Key algorithm (key exchange and signatures) 2. IDEA 3. DES 4. Triple DES 5. RC4, with MD5 or SHA-1 for integrity
How would you know if a web page uses SSL? The URL starts with https:// and the browser shows a padlock or key icon.
How does SSL function? 1. The client connects to a server requiring SSL and sends a "hello" listing the cipher suites it supports, together with a random value 2. The server replies with the cipher suite it has chosen and its own random value 3. The server sends its Digital Certificate (containing its Public Key) to the client 4. The client validates the certificate: trusted CA signature, name matching the server, not expired or revoked 5. If the client trusts the server on the basis of the Digital Certificate, it generates a "pre-master secret" and sends it encrypted with the server's Public Key.
6. Both sides derive the session keys from the pre-master secret and the two random values. 7. Communication continues under these symmetric session keys, each record being protected by a MAC. 8. The session remains open until one of the parties closes it.
What is the limitation of SSL? SSL secures the communication channel between its two endpoints. If a client is working on a compromised PC, SSL provides no security. It is also exposed to a man-in-the-middle attack when the client does not properly validate the server certificate: an attacker present at the initial handshake can present his own certificate and key, terminate the connection on his own machine and read the messages.
What is the difference between HTTPS (SSL) and S-HTTP?
HTTPS: not a separate application protocol; it means HTTP carried over SSL/TLS. Works at the session/transport level, creating a secure channel between two computers. Supports confidentiality, integrity and authentication (non-repudiation only when client certificates and signed content are used). Supports a variety of encryption algorithms.
S-HTTP: a protocol in its own right (Secure HTTP), an extension of HTTP. Works on the individual document or message that needs to be protected. Supports the same security services. Supports the same variety of algorithms. S-HTTP was never widely adopted.

TLS
What is TLS? This is the successor of SSL, standardized by the IETF as Transport Layer Security (TLS 1.0, RFC 2246, is essentially SSL 3.1).
What are the limitations of TLS? 1. It does not provide end-to-end protection where a proxy or gateway terminates the TLS connection: the data is in the clear at that intermediary 2. Confidentiality, integrity and authentication are provided only for the data above the transport layer; IP and TCP headers are not protected
Where does TLS reside? 1. Above the Transport Layer 2. Below the Application Layer
What is the similarity between SSL and TLS? Both use X.509 certificates for public-key authentication, and both are used by IOTP.
What is IOTP? This stands for Internet Open Trading Protocol. It has the following features: 1. Aimed at consumer-to-business (B2C) trading 2. The user is offered a choice of payment options 3. Uses Digital Certificates 4. Supports various payment methods.
What is MONDEX? This is the payment method supported by Mondex Corp. 1. More like cash 2. Smart cards 3. Proprietary encryption method 4. Mondex Smart Card = Cash

What is the limitation of MONDEX? Although the smart card itself is secure, if you lose the card anyone who finds it can spend the stored value as cash.

IPSEC
What is IPSEC? IPSEC is a network-layer (Layer 3) security framework that protects IP packets and is used to build VPNs between sites, and between remote hosts and a gateway. It provides the following functions: 1. Encryption (confidentiality) 2. Access Control (through the security policy) 3. Data-origin authentication and integrity 4. Anti-replay protection. It does not by itself provide non-repudiation, because its integrity protection uses symmetric keys shared by both peers.
What are the two main protocols for IPSEC? 1. Authentication Header (AH) 2. Encapsulating Security Payload (ESP)
What does AH provide? 1. Integrity 2. Data-origin authentication (covering the IP header as well) 3. Anti-replay
What does ESP provide? 1. Encryption 2. Integrity and authentication of the encapsulated payload (optional, and limited: the outer IP header is not covered) 3. Anti-replay
What is an SA? SA stands for Security Association. It is considered the heart of IPSEC: the agreed set of keys and algorithms that protects traffic in one direction between two peers. It is simplex, i.e. one-way. An SA can provide the following services: 1. Authentication 2. Confidentiality 3. Layered protection, when SAs are bundled
What does an SA contain? Encryption and authentication keys; the algorithms for communication; the SA lifetime; the sequence-number counter and anti-replay window; the mode (transport or tunnel); the source and destination addresses

What are the components that identify an SA? 1. SPI 2. Destination IP address 3. Identification of the security protocol a. AH b. ESP
What are the limitations of an SA? 1. An SA protects one direction only, so 2 SAs are required in order to establish bi-directional communication 2. Two SAs are needed per protocol 3. If AH and ESP are both used, 4 SAs are needed
What are the additional benefits of IPSEC? IPSEC is algorithm-independent and can use many symmetric key algorithms (DES, Triple DES, AES).
What is the SPI? SPI is the Security Parameter Index. It is a 32-bit number carried in the AH or ESP header; together with the destination address and the protocol it lets the receiving station distinguish between the various SAs that terminate there.
Rule of Thumb 1. IP address identifies a unique computer 2. DLCI identifies a unique Frame Relay connection 3. SPID identifies a unique ISDN line 4. SPI identifies a unique IPSEC Security Association
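The SA identification and the one-direction limitation, as an added example that is not from the study guide: a minimal inbound security association database keyed by (SPI, destination, protocol), with two SAs for the two directions of one tunnel, and the anti-replay sliding window that every SA carries (the 64-packet window is the RFC 4303 minimum). Packet processing is reduced to the lookup and the replay check; the algorithm names, keys and addresses are constructed, and no real encryption is performed.

```python
"""IPsec inbound SA database lookup and the AH/ESP anti-replay window."""
from dataclasses import dataclass

WINDOW = 64   # RFC 4303 minimum anti-replay window


@dataclass
class SecurityAssociation:
    spi: int            # 32-bit Security Parameter Index chosen by the receiver
    dst: str            # destination address of the protected packets
    proto: str          # "AH" or "ESP"
    cipher: str         # algorithms negotiated by IKE; constructed names here
    auth: str
    key: bytes
    highest_seq: int = 0
    seen: int = 0       # bitmap: bit k set = sequence number (highest_seq - k) received

    def check_replay(self, seq: int) -> bool:
        """Accept each sequence number once inside a sliding window.
        Returns False for a duplicate or for a packet older than the window."""
        if seq == 0:
            return False                      # sequence numbers start at 1
        if seq > self.highest_seq:            # new high-water mark: slide the window
            shift = seq - self.highest_seq
            mask = (1 << WINDOW) - 1
            self.seen = ((self.seen << shift) | 1) & mask if shift < WINDOW else 1
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= WINDOW:
            return False                      # too old to track: drop
        if (self.seen >> offset) & 1:
            return False                      # already received: replay
        self.seen |= 1 << offset              # late but genuine: mark and accept
        return True


class SAD:
    """Inbound SAs are identified by the triple (SPI, destination, protocol)."""

    def __init__(self):
        self._sas = {}

    def add(self, sa: SecurityAssociation):
        self._sas[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi, dst, proto):
        return self._sas.get((spi, dst, proto))


def process_inbound(sad: SAD, packet: dict):
    """packet: dict with spi, dst, proto, seq (the AH/ESP header fields).
    Returns (accepted, reason). The real implementation would go on to verify
    the MAC and decrypt using the SA's keys."""
    sa = sad.lookup(packet["spi"], packet["dst"], packet["proto"])
    if sa is None:
        return False, "no SA"
    if not sa.check_replay(packet["seq"]):
        return False, "replay"
    return True, "ok"


def example_sad() -> SAD:
    """One tunnel between 10.0.0.1 and 10.0.0.2 needs two SAs, one per direction."""
    sad = SAD()
    sad.add(SecurityAssociation(0x1001, "10.0.0.2", "ESP", "AES-CBC", "HMAC-SHA1", b"k" * 16))
    sad.add(SecurityAssociation(0x2002, "10.0.0.1", "ESP", "AES-CBC", "HMAC-SHA1", b"j" * 16))
    return sad


if __name__ == "__main__":
    sad = example_sad()
    pkt = {"spi": 0x1001, "dst": "10.0.0.2", "proto": "ESP", "seq": 1}
    print(process_inbound(sad, pkt))           # (True, 'ok')
    print(process_inbound(sad, pkt))           # (False, 'replay')
```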

What are the two modes of IPSEC? 1. Transport mode: protects the payload of the original IP packet; used host to host 2. Tunnel mode: encapsulates the whole original IP packet inside a new IP packet; used gateway to gateway
What is the additional overhead of the tunnel? A new outer IP header carrying the addresses of the VPN gateways, not of the internal hosts, plus the AH/ESP header.
What hashing algorithms are used in VPNs? HMAC-MD5 and HMAC-SHA-1 (and now HMAC-SHA-2)
Rule of thumb: eighty percent of the time, when you see "hash", it has to do with a Digital Signature or an HMAC.
What is the role of the SA? 1. Provides authentication and confidentiality 2. When a packet is received, the SA acts like a "front desk receptionist" and tells the packet what to do
How is an SA bundle used? 1. Transport Adjacency: applying more than one security protocol (e.g. AH and ESP) in transport mode to the same packet 2. Iterated Tunnelling: tunnelling within tunnelling, i.e. protection at multiple levels
Who sets up and manages SAs on the Internet? IKE, built on the ISAKMP framework, manages SAs by providing 1. Secure Key Exchange 2. Negotiation of the algorithms and keys used for encryption and authentication
What is ISAKMP? The Internet Security Association and Key Management Protocol. It provides a framework for SA negotiation, key exchange and authentication.

Which components does ISAKMP negotiate? 1. Authentication method 2. Security protocol (AH or ESP) 3. Encryption and hash algorithms
How does the key management of IPSEC take place? Key management is done by IKE (Internet Key Exchange protocol), which combines the following: 1. ISAKMP (Internet Security Association and Key Management Protocol): defines the relationship between the peers, describes the security mechanisms, and addresses the modes of operation (main, aggressive and quick mode) used to establish the connection 2. SKEME (Secure Key Exchange Mechanism) 3. Oakley (Diffie-Hellman based key determination)

What is S/WAN? Secure Wide Area Network, an industry initiative led by RSA Data Security to ensure that IPSEC-based VPN products from different vendors interoperate over the Internet.

Other Applications
What is SSH-2? This is a secure shell that provides the following: 1. Remote Client /server 2. Encrypted Tunnel

What is SSH2 composed of? 1. Transport layer protocol 2. User Authentication 3. Connection Protocol

Remember: encryption and MAC algorithms on their own provide only: 1. Authentication 2. Confidentiality 3. Integrity. Non-repudiation additionally needs a digital signature made with the sender's private key and a trusted third party: a CA vouching for the key and, where required, a time-stamping service.

SET
What is SET? SET stands for Secure Electronic Transaction, and was developed by VISA and MasterCard.
What does SET do? Authenticates the cardholder, the merchant and the payment gateway to one another and protects the payment data.
What is the future of SET? Not clear. At present most transactions are done through SSL (Secure Sockets Layer).
Remember: today the trend is towards SSL/TLS and SSH (Secure Shell).
What is the difference between S-HTTP and HTTPS?
S-HTTP: Secure HTTP; an early standard; applied to the individual document; an application-level protocol
HTTPS: HTTP over SSL/TLS; today's standard; applied to the whole session; protection at the transport level

What are the two protocols inside SSL? 1. SSL Record Protocol 2. SSL Handshake Protocol
What type of encryption is done by SSL? 1. Peer authentication and key exchange: asymmetric 2. Data encryption: symmetric, under the session key
What is SKIP? SKIP is Simple Key-management for Internet Protocols, a sessionless key-management scheme for IPSEC proposed by Sun.
What does SKIP do? It derives the packet encryption key from the peers' long-term Diffie-Hellman public values, so there is no per-session handshake and each packet can be decrypted independently; this suits high-availability and stateless environments.
How does the authentication of SKIP differ from that of SSL? In SSL there is a prior handshake to establish a connection and exchange a key. In SKIP there is no such handshake; the key information travels with each packet. Loosely, SSL is to TCP (connection-oriented) what SKIP is to UDP (connectionless).
What is SSH-2? Secure Shell version 2
What does SSH-2 provide? 1. Confidentiality 2. Integrity 3. Authentication 4. Compression
What are the two cryptographic stages of SSH? 1. Public-key (e.g. RSA or DSA) host and user authentication, together with a Diffie-Hellman exchange that produces the session key: asymmetric 2. A symmetric cipher such as Triple DES or AES under the session key: used for the bulk encryption of the session

Encryption - Points to Remember! 1. The encryption and decryption passwords are known as Keys. 2. Most encryption processes use one of the following: a. Private key / Public Key b. Secret Key c. Hash Function d. Digital Certificates e. Private Key encryption is a symmetric encryption and should not be confused with the Private Key of PKI f. The most common private key encryption is DES i. DES uses 64 bits, 56 bits for encryptions and 8 for parity ii. DES operates on 64 bits block of data 1. First, it performs the transposing, i.e. scrambling of data 2. Second, it splits the block into two 32-bit blocks 3. Third, it iterates the result 16 times using substitution, transposition and exclusive OR (XOR) 4. Fourth, the two halves are rejoined after the 16th iteration 5. Fifth, there is a final transposition (which is the inverse of the initial transposition) g. DES is not reliable. 56-bit can already be cracked within 56 hours by checking only 24.8 percent of the Key space. 3. Moore's Law of 1965: The number of transistors per square inch doubles every 18 months 4. Key space is decreased by a factor of ten every five years. 5. DES is replaced by AES, which supports from 128 to 256 bits 6. PKI Keys are larger than 1024 bits. 7. A common form of encryption is RSA 8. The result of two large prime numbers is called a modulus 9. Non-repudiation and authentication is achieved by the senders Private Key 10. Confidentiality is archived by encrypting using the receivers public key.
11. ECC is for Public Key cryptography.
 a. Public key cryptography is slow not because the encryption itself is complex but because it works with very large numbers
 b. ECC gives the same strength with much smaller numbers and so solves the processing-power problem (useful for smart cards and mobile devices)
 c. 160-bit ECC is roughly equivalent to 1024-bit RSA
 d. ECC is based on the discrete logarithm problem on an elliptic curve.
12. Quantum Cryptography (quantum key distribution) is the next generation
 a. Works on the quantum uncertainty principle: measuring a photon disturbs it, so eavesdropping can be detected
 b. Key generation is based on photon polarization
 c. The sender emits photons with randomly chosen polarizations
 d. The receiver measures each photon in a randomly chosen basis, recording i. Horizontal ii. Vertical iii. Left Diagonal iv. Right Diagonal
 e. As per the prearranged code, polarizations are turned into bits, e.g. i. Vertical and Right Diagonal = 1 ii. Horizontal and Left Diagonal = 0
 f. Since the receiver has to guess the basis, his measurement is reliable only about 50% of the time; the two sides then compare the bases they used over a public channel and keep only the bits where they agreed.
13. A hash is normally 128 bits (MD5) or 160 bits (SHA-1); SHA-256 is now common.
14. Normally MD5 and SHA-1 are used; MD2 and MD4 are historical.
15. MD2 is very different and was designed for 8-bit machines.
16. MD4 and MD5 are designed for 32-bit machines.
17. Digital signature = sender authentication + non-repudiation.
18. Public Key exchanges are vulnerable to man-in-the-middle attacks.
19. A CA is required to protect the Public Key from a man-in-the-middle attack.
20. How do you know that a Public Key is coming from who it says it is coming from? With a Digital Certificate.
21. Why is a digital certificate secure? Because it is signed by the Certification Authority (CA), and any change to its contents invalidates the signature.
22. How do you know that a certificate claiming to come from a CA really comes from it? Because the CA's own public key is pre-installed as a trust anchor (e.g. in the browser or operating system), or was delivered to you through an out-of-band channel.
23. Working with Digital Certificates:
 a. When a person signs a document, the signature (and usually his certificate) is attached to the document
 b. The certificate carries his Public Key, signed by a third party, for example Verisign
 c. The receiver must not simply assume that the certificate is valid
 d. The receiver checks whether the certificate is valid:
  i. The receiver uses the Public Key of the third party (e.g. Verisign) to verify the CA's signature on the certificate, and checks its validity period and revocation status
  ii. The sender's Public Key taken from the certificate is then used to verify the signature on the document (or to encrypt a message to him)
24. Kerberos:
 a. Authenticates both client and server (mutual authentication) through a trusted Key Distribution Center
 b. Used in distributed environments.
25. First the message is signed and then it is encrypted.
26. Signed with the sender's Private Key, encrypted with the other person's Public Key.
27. Before using anyone's Public Key, you must confirm it through the CA's certificate.
28. It is usual to encrypt the message with a session key and send the session key encrypted with the receiver's Public Key (a digital envelope).
29. The bulk encryption is done with the session (secret) key, not with a Public Key, because public-key operations are slow; the Public Key is used only to transport the short secret key.
30. CA
 a. The CA binds a Public Key to its owner (the key pair is normally generated by the owner, who proves possession of the private key)
 b. It issues a certificate after due diligence
 c. It signs the certificate with its private key.
 i. Two types of CA:
  1. Organization-empowered, closed CA (internal to an enterprise)
  2. Liability-empowered, open (public) CA, e.g. Verisign, Certco and Cybertrust
 d. When a sender presents a digital certificate, it is like any other certificate: issued in the sender's name by some authority and signed by that authority. It can be checked even when no message is sent, just by verifying it with the authority's Public Key.
 e. My Digital Certificate tells the other party that my Public Key is valid because it has been verified by the certifying body.
 f. Digital Certificate = My Public Key + identity information + CA Signature (made with the CA's private key)
 g. The two most important parts of PKI are the CA (Certification Authority) and the RA (Registration Authority)
31. RA
 a. The RA verifies the identity of the applicant and approves (registers) the request; it does not sign certificates
 b. The CA issues the certificate, maintains its life cycle and publishes the Certificate Revocation List (CRL)
 c. In short: the RA is concerned with registration (identity vetting); the CA is concerned with issuance and revocation
 d. Registration is a one-time job per certificate, whereas the CA's work is ongoing (issuance, renewal, revocation, CRL publication)
 e. A separate RA is optional, whereas a CA is a must
 f. The CRL is produced and signed by the CA
32. Use of encryption in the OSI Model
 a. All layers can be encrypted except the physical layer
 b. The scope of the encryption can be tailored most precisely at the application layer
 c. If you want to make the encryption transparent to the user, it should be at the Network Layer (e.g. IPSEC) or the Transport Layer (e.g. SSL/TLS)
 d. Network and transport layer encryption protects everything above it, but all peers at that layer must support the same encryption, which adds cost and configuration effort
 e. Data-link encryption is the encryption of traffic on a single link (hop by hop)
33. SSH
 a. Similar in purpose to IPSEC (a protected tunnel)
 b. IPSEC works at the Network Layer (Layer 3), while SSH works at the application layer
34. SSL
 a. Uses both symmetric and asymmetric keys
35. S-HTTP is for individual messages, not for the session.
36. IPSEC
 a. More of a framework than a single protocol
 b. Three components: authentication header, encrypted payload, key management
 c. These map to AH, ESP and IKE
 d. In order to run IKE with certificate-based authentication, the peers' public keys must be exchanged
 e. ISAKMP (Internet Security Association and Key Management Protocol) provides the framework for that exchange and for SA negotiation
 f. The public key is obtained from a digital certificate (pre-shared keys are the alternative)
 g. IPSEC is independent of the security algorithms used
 h. Two main concepts: i. Security Association ii. Tunnelling
 i. Security Association: see above
 j. AH is responsible for integrity and authentication of the IP datagram, including the immutable fields of the IP header
 k. ESP provides integrity, authentication and confidentiality (encryption) of the payload
 l. AH can be used in transport mode and in tunnel mode
 m. In tunnel mode AH authenticates the entire original packet plus the outer header; AH never encrypts
 n. Encryption in IPSEC is optional; integrity and authentication go together.


Traditional Connection vs IPSEC

Traditional Connection                                  | IPSEC
--------------------------------------------------------|-----------------------------------------------------------------
Connection is on IP                                     | IPSEC sits on top of IP
IP operates at layer 3                                  | IPSEC operates at layer 3
Traffic has two components: the header and the payload  | Traffic has three components: header, encrypted payload and IKE
IP connections                                          | Security associations
IP connection needs one IP address for bidirection      | Two security associations are needed for a bi-directional setup
Application is identified by IP and port number         | Application is identified by SPI (Security Index Parameter)
IP is 32 bit                                            | SPI is 32-bit
Address is address                                      | In tunneling, the address becomes the payload
Payload is payload                                      |

How strong is a 40-bit key?
If we use the Key Exhaustion method, using a Pentium III 400 MHz and a 40-bit key:
o All alphanumeric passwords can be exhausted in 5.5 hours
o Plus some common symbols: 45 hours
o Every possible keyboard password: 480 hours


Firewalls
What are the different kinds of firewall?
1. First Generation: Packet Filtering
2. Second Generation: Application Level
3. Third Generation: Stateful Inspection
4. Fourth Generation: Dynamic Packet Filtering Firewall
5. Fifth Generation: Kernel Level

What is the difference between a packet-filtering firewall and a screening router?
Nothing; they are the same thing.

What are the main features of a packet-filtering firewall?
1. Based on the following components:
     Source IP address
     Destination IP address
     Protocol (e.g. TCP, UDP or ICMP)
2. Operates on the Network and Transport layers
3. Screening is done by the access control list
4. Pretty fast
5. A CISCO Extended ACL is more like a Packet Filtering Firewall implementation

What are the limitations of a packet-filtering firewall?
1. Looks at header information only
2. It does not know whether the packet passing through has a malicious intention
3. No tracking of the state of the inspection
4. It does not differentiate between a good user and a bad user.


Application Level Firewall


What is an application level firewall?
1. Also called a Proxy server or an Application Layer Gateway
2. Operates on Layer 7, the application layer
3. Most of the time it requires a separate proxy for each service, e.g. for HTTP it will require a phttp (proxy HTTP) service to be running
4. Sometimes supplemented with a circuit-level firewall.

What are the limitations of an Application Level Firewall?
1. Slow
2. A new service requires much more effort to implement

Stateful Inspection
What is stateful inspection?
1. Works between the Datalink layer and the Network layer
2. Maintains a state table and analyzes every communication channel
3. Packet states and contexts are stored and maintained.
4. Packets are queued and analyzed by the proprietary "Inspection Engine"
5. It is said that the "inspection engine" checks the security of all of the layers prior to sending the packet to the network layer
6. It is faster than the application layer firewall as it is performing at a lower layer
7. Can track connectionless protocols, e.g. UDP and TCP

What is a Dynamic Packet-filtering Firewall?
1. It is a fourth generation firewall
2. Remembers UDP packets for a reasonable period of time
3. Much more efficient


Kernel Level Firewall


What is a Kernel Level Firewall?
 These are based on the kernel of NT or Linux
 More secure
 Has a special TCP/IP stack which has inspection capabilities

What is a Screened Host?
Screened Host = Packet filtering router + Bastion Host
It provides the following:
1. Network Filters
2. Proxy Service

Circuit Level Firewall


What is a Circuit-Level Firewall and how is it positioned?
A circuit-level firewall is an extension of a packet-filtering firewall. Some say it is an extension of the application level firewall, as it performs a proxy function. A packet-filtering firewall does not provide the additional things provided by a circuit-level firewall:
1. Think of a circuit-level firewall as a tunneling mechanism between two computer systems across the firewall.
2. Supports more protocols and services than an application layer firewall
3. User authentication
4. Channel between the user and systems across the firewall
5. Prerequisite for SOCKS: implemented on a client (i.e. Socksified Clients)

What are the limitations of firewalls?
1. Often the source of a single point of failure; bottleneck for traffic
2. No help for a connection not going through the firewall
3. If a packet is fragmented, the firewall sees just part of the picture. Firewalls must make decisions based on the complete packet, not just part of it. (New firewalls assemble and then analyze the packet. Make sure your firewall does this.)

What are the most transparent and most annoying firewall implementations for users?
Most transparent firewall implementation: Packet filtering is the most transparent. The user does not know that the firewall is present.
Most annoying firewall implementation: An application-level gateway firewall is the most annoying. Many of them ask the user to sign on to the firewall prior to forwarding the connection.

What is the Bastion Host?
This is the host that is at the perimeter of the network. The highly exposed area is called the Bastion Host (BH). The BH is usually hardened. It may or may not be protected by a firewall. It is also known as the Sacrificial Host or Sacrificial Lamb.

What is a dual-homed device/firewall?
A device with two interfaces. Typically a PC running a firewall that has two network adapter cards and connects to two networks.

What is the SOCKS server?
1. A circuit-level proxy
2. Requires a SOCKS client on each workstation

What is the difference between a Screened Host and a Screened Subnet?
Screened host: Might be a device like a firewall sitting behind a screening router.
Screened subnet: There are different implementation possibilities. The simplest to understand is the case where there are two routers: an exterior router and an interior router. The public access server is placed between the exterior and interior routers. This area is known as the screened subnet.

What is the difference between a NAT (Network Address Translation) and a Proxy?

Proxy                                        | NAT
---------------------------------------------|------
Hides Internal Address                       | Same
Limited ability to check and filter traffic  | None
Performs a caching function                  | None

What are the five (5) types of firewall?
1. Packet Filtering Firewall
    a. The first kind of firewall is the packet filtering router
    b. Examines the header: IP and Port number
    c. Filtering rules are at the network layer
    d. Hacker can tunnel for an allowed service, e.g. Port 80
    e. If the router is compromised, the network is compromised.
    f. Problems with packet filtering:
        i. IP spoofing
        ii. Source routing specifications
        iii. Miniature fragment attack: IP is fragmented. The first one is stopped but later ones may go through.
2. Application Firewall
    Divided into two: application- and circuit-level
    a. Packet filtering router works on packets; application firewall works on information.
        i. Application-level firewall analyzes the system with the help of proxies
        ii. May affect performance
        iii. Requires a separate proxy for each application
    b. Circuit-level firewall operates at the application level
        i. Validates TCP and UDP session prior to establishing connection
        ii. Very few commercially available circuit-level firewalls on the market.
        iii. Does not require a special proxy for each application.
3. Stateful Inspection
    a. Keeps track of inside requests and only allows those packets to come inside which are responding to an inside network request
    b. Works at the transport layer and applies the rule there.
4. Screened Host
    a. Combination of the screening router (router screening the traffic based on predefined criteria) and the Bastion host. The Bastion host is a hardened server, which is not in a fully secure area. A bastion host is also referred to as a sacrificial lamb
    b. Screened Host = Screening Router + Bastion Host
5. Screened Subnet Firewall (DMZ)
    a. Can be two packet-filtering routers or one firewall with a different DMZ card
    b. Considered to be more secure
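The difference between packet filtering (header fields only, no memory) and stateful inspection (inbound traffic admitted only as the answer to an inside request) is easiest to see side by side. The following is an added example, not code from the study guide; the 10.0.0.x inside network, the two ACL rules and the three-packet trace are all constructed for illustration.

```python
"""Added example, not from the study guide: a stateless packet filter (ACL on header
fields only) beside a stateful-inspection firewall that remembers inside requests.
All networks, addresses, ports and rules are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Tuple

INSIDE_NET = "10.0.0."   # constructed inside network: every 10.0.0.x host


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str       # "TCP" or "UDP"
    src_port: int
    dst_port: int


# Stateless ACL: the only things a packet-filtering router can look at are the header
# fields. First matching rule wins; a packet that matches no rule is dropped.
# Rule 2 is the price of statelessness: to let web replies back in, the ACL has to
# admit *any* outside TCP packet whose source port is 80, solicited or not.
ACL = [
    {"src": INSIDE_NET, "proto": "TCP", "dport": 80, "action": "allow"},   # inside -> web
    {"dst": INSIDE_NET, "proto": "TCP", "sport": 80, "action": "allow"},   # web -> inside
]


def acl_decision(p: Packet) -> str:
    """Packet-filtering decision: header fields against the ACL, nothing else."""
    for rule in ACL:
        if "src" in rule and not p.src_ip.startswith(rule["src"]):
            continue
        if "dst" in rule and not p.dst_ip.startswith(rule["dst"]):
            continue
        if "proto" in rule and p.proto != rule["proto"]:
            continue
        if "sport" in rule and p.src_port != rule["sport"]:
            continue
        if "dport" in rule and p.dst_port != rule["dport"]:
            continue
        return rule["action"]
    return "drop"


class StatefulFirewall:
    """Keeps a state table of outbound requests and only admits inbound packets that
    answer one of them (the guide's description of stateful inspection)."""

    def __init__(self) -> None:
        # entries: (inside_ip, inside_port, outside_ip, outside_port, proto)
        self.state: set = set()

    def decision(self, p: Packet) -> str:
        if p.src_ip.startswith(INSIDE_NET):
            # Outbound: same policy as the ACL (web only), but record the flow.
            if p.proto == "TCP" and p.dst_port == 80:
                self.state.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto))
                return "allow"
            return "drop"
        # Inbound: allowed only as the reply to a recorded inside request.
        key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)
        return "allow" if key in self.state else "drop"


def run_trace(trace: List[Packet]) -> List[Tuple[str, str]]:
    """Return (packet-filter decision, stateful decision) for each packet in order."""
    fw = StatefulFirewall()
    return [(acl_decision(p), fw.decision(p)) for p in trace]


# Constructed trace: a web request from inside, its reply, and then an unsolicited
# inbound packet that merely carries source port 80 and is aimed at another inside host.
TRACE = [
    Packet("10.0.0.5", "203.0.113.10", "TCP", 51000, 80),
    Packet("203.0.113.10", "10.0.0.5", "TCP", 80, 51000),
    Packet("198.51.100.7", "10.0.0.9", "TCP", 80, 3389),
]

if __name__ == "__main__":
    for p, (stateless, stateful) in zip(TRACE, run_trace(TRACE)):
        print(f"{p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}  "
              f"packet filter: {stateless:5}  stateful: {stateful}")
```

The third packet is the guide's "does not differentiate between a good user and a bad user" point in miniature: the ACL passes it because the header fits rule 2, while the state table has no matching inside request and drops it.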


Intrusion Detection Systems


What is an Intrusion Detection System (IDS)?
A typical IDS listens passively for an attack. It is used for monitoring network traffic, and in some cases also monitors the host log. Its main purpose is to report any violation of the implemented security policy, initiate alerts and take pre-defined appropriate actions.

What are the four (4) types of IDS Implementation?
1. Network-based, a.k.a. passive IDS
2. Host-based
3. Database
4. Application-based (in trial)

Network-based IDSs
What do Network-based IDSs do?
The adapter card of a machine running an IDS is in promiscuous mode, i.e. it listens to all of the traffic. It performs the following tasks:
1. Reviews the packet (most commonly the header)
2. Checks for attacks/irregularities (e.g. denial of service)
3. Takes predefined appropriate action in real time

What are the limitations of a network-based IDS?
If a hacker has a legitimate host connection, the Network IDS cannot take any action.


Host-based IDSs
What is a host-based IDS?
Host-based IDS agents run on each of the critical hosts. A host-based IDS performs the following tasks:
1. Checks the configuration of the Operating System
2. Reviews the event logs
3. Reviews the system logs
4. Takes pre-defined, appropriate action

What are the limitations of a host-based IDS?
Most host-based IDSs depend on the OS-level system logs. If the OS logs are good, the IDSs are good. Unix is one of the systems with a rather poor logging facility.

Database-based IDSs
What is a Database-based IDS?
Database-specific agents are installed on the server that is running the database. These agents monitor the database and report any abnormalities to the console.

What are the limitations of database-level IDSs?
1. Database-specific agents are needed for each database.
2. Agents are available for only a limited number of databases.
3. Not all IDS vendors support database-level agents.


Types of Implementation of IDSs


How many types of IDSs are there?
1. Signature-based/Knowledge-based
2. Statistical Anomaly/Behavior-based
3. Neural-Based (in initial stages)

What is signature-based intrusion detection?
In a typical signature-based system,
1. Signatures are stored
2. Data is compared against the signatures
3. In the case of a match, an appropriate response is generated.

What are the problems with signature-based detection?
1. Only those attacks that are known can be identified
2. There is a time lag between new attacks and the updating of the signature file. Most organizations remain vulnerable, even if only for a short period, until they have updated the signature file.

What is a statistical anomaly-based IDS?
There is an "acceptable usage pattern" for the hosts and the network that is considered to be normal. It may be the profile for the memory, the CPU and other component utilizations. Any deviation from this is reported by the IDS.

What are the limitations of an anomaly-based IDS?
1. If the attack is well planned, using minimum resources, the attack will go undetected.
2. There is quite a high rate of false alarms.
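Both detection methods, and both sets of limitations, can be shown on a few lines of constructed data. This is an added example, not code from the study guide; the signature strings, the web-server events and the CPU baseline are all made up, and the three-sigma threshold is one common choice for the "acceptable usage pattern", not something the guide prescribes.

```python
"""Added example, not from the study guide: signature matching against a stored
signature file, and a statistical anomaly profile of host CPU utilization, run
over constructed data so that the limitations listed above are visible."""
import statistics
from typing import Dict, List, Tuple

# Constructed signature file: id -> pattern. Real signature files hold thousands.
SIGNATURES: Dict[str, str] = {
    "SIG-001": "client=known-bad-tool/1.0",       # client string of a known attack tool
    "SIG-002": "GET /cgi-bin/known-bad-script",   # request made by a known worm
}


def signature_detect(events: List[str]) -> List[Tuple[str, str]]:
    """Compare each event against every stored signature; report (event, id) on a
    match. An event using a technique not yet in the file produces nothing at all,
    which is the time-lag problem described above."""
    hits = []
    for event in events:
        for sig_id, pattern in SIGNATURES.items():
            if pattern in event:
                hits.append((event, sig_id))
    return hits


class AnomalyDetector:
    """Builds the 'acceptable usage pattern' from baseline samples and flags any
    sample that lies more than `sigmas` standard deviations above the mean."""

    def __init__(self, baseline: List[float], sigmas: float = 3.0) -> None:
        self.mean = statistics.fmean(baseline)
        self.stdev = statistics.pstdev(baseline)
        self.threshold = self.mean + sigmas * self.stdev

    def is_anomalous(self, sample: float) -> bool:
        return sample > self.threshold


# Constructed web-server events; the last one uses a technique with no signature yet.
EVENTS = [
    "GET /index.html client=browser/9",
    "GET /cgi-bin/known-bad-script client=browser/9",
    "GET /robots.txt client=known-bad-tool/1.0",
    "GET /new-technique-not-in-signature-file client=browser/9",
]

# Constructed baseline of normal CPU utilization (%) sampled over a quiet week.
CPU_BASELINE = [20, 22, 25, 19, 21, 24, 23, 20]

if __name__ == "__main__":
    for event, sig_id in signature_detect(EVENTS):
        print(f"signature {sig_id} matched: {event}")
    det = AnomalyDetector(CPU_BASELINE)
    print(f"anomaly threshold: {det.threshold:.1f}% CPU")
    # A noisy attack is caught, a well-planned low-resource attack stays under the
    # threshold, and a legitimate month-end batch job raises a false alarm.
    for label, sample in [("noisy attack", 95), ("quiet attack", 26), ("month-end batch job", 29)]:
        print(f"{label:20} {sample:3}% -> {'ALERT' if det.is_anomalous(sample) else 'ok'}")
```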


CIRT/CERT
What is a CIRT and why is it considered to be a follow-up for the IDS system?
CIRT stands for Computer Incident Response Team, and is a vital supplement to the IDS. Without a CIRT, an IDS is not of much use.
Note: CERT, Computer Emergency Response Team, is a registered name, so CIRT should be used when referring to your organization's team.

What is the main responsibility of the CIRT team?
1. Preparation, i.e. to have the resources ready to fight any threat.
2. In case of a threat:
    a. Detect
    b. Evaluate
    c. Notify, co-ordinate and delegate
    d. Contain
    e. Mitigate and eradicate
    f. Restore
3. Later, to plan how to handle future threats, it should:
    a. Collect
    b. Review
    c. Analyze the log
4. To prevent future threats, it should:
    a. Redefine the safeguards
    b. Put counter-measures in place.


Common Controls to be audited by the Auditor


What are the ten (10) common Technical Controls that the IS auditor should audit?
1. Review of network diagram
2. Remote connectivity
3. Infrastructure management review
4. Change control for network and perimeter
5. Logical security
6. Environmental exposures
7. Blackout (total failure)
8. Brownout
9. Sags
10. Spikes

What are the fifteen (15) common physical access controls that the IS auditor should audit?
1. Traditional locks
2. Cipher locks
3. Biometric locks
4. Electronic door locks
5. Manual logging
6. Triple Gs: Gates, Guards & Guns
7. Identification photo ID badges
8. Video cameras
9. Visitor access control
10. Bonded special service contract personnel
11. Deadman doors
12. Non-advertised locations
13. Workstation locks
14. Single point of entry
15. Alarm system

What are the four (4) common laptop security controls?
1. Engraved company name and serial number
2. Cable locks
3. Encryption of data
4. Theft response team


Domain 5: Disaster Recovery Planning/Business Continuity Planning


General
What is the focus of BCP?
1. Time-critical business processes
2. Related and supporting resources

How far away should the recovery site be?
There is no hard and fast rule. The rule-of-thumb is that it should not be so close as to be affected by the same disaster, but close enough to become operational as soon as possible. For example, one of the companies in the World Trade Center in New York had its DRP site in the other tower; on Sept 11, you know what happened!

What are the two priorities in the case of a disaster?
1. Save human life first. No compromise. Life is the most important.
2. Save the business system.

What are the components of a BCP?
1. Scope and Plan
    a. Scope needs to be identified
    b. Elements of the system need to be defined
    c. Roles and responsibility assignment
        i. BCP Control: does the following:
            1. Creates
            2. Implements
            3. Tests the plan
        ii. Senior Manager
            1. Ultimate responsibility
            2. Provides resources
            3. Due diligence
2. Business Impact Analysis
    a. Gathering information
    b. Vulnerability assessment
    c. Analyses
    d. Documentation
3. Recovery Strategy Development
    a. Define and document continuity strategy
        i. Composition HW
        ii. Facility
        iii. People
        iv. Supply
4. Recovery Plan Development
5. Recovery Plan Testing, Maintenance and Review
Note: Remember, a BCP plan is useless unless management approves it.

What is the difference between a Disaster Recovery Plan and a Contingency Plan?

Disaster Recovery Plan                       | Contingency Plan
---------------------------------------------|---------------------------------------------------------------
Starts immediately after the disaster        | Starts a bit later and continues longer
Disaster might be in progress - panic mode   | Panic might have subsided
Example: "Oh, no! It's Doomsday!"            | Example: "Well, Doomsday is over; let's get back to business."


Disaster Recovery Planning


What does the DRP document contain?
1. IT DRP scope, approach and assumptions
2. DRP team structure
3. Detailed activities
    a. Recovery tasks
    b. Network operations
4. EOC location
5. Structure of reporting
6. Information asset inventory
7. Vital record program

What is included in the DRP Planning Process?
1. DRP Process
    a. Data Process Continuity Plan
        i. Planning
            1. Mutual Aid
            2. Subscription service
                a. Hot
                b. Warm
                c. Cold
            3. Multiple sites
            4. Service bureau
            5. Others
        ii. Redundancy
            1. Electronic vaulting
            2. Remote journaling
            3. Database shadowing
    b. Data Recovery Planning
2. Testing
    a. Creating the test document
    b. Testing
        i. Checklist
        ii. Structured walk-through
        iii. Simulation test
        iv. Parallel test
        v. Full interruption
3. DRP Procedure
    a. Team members
        i. Recovery team
        ii. Salvage team
        iii. Operation team
    b. Others
        i. Employee relationship
        ii. Fraud and crime
        iii. Media relationship.

What do the DRP and BCP involve?
1. Preparation
2. Testing
3. Updating the action plan

What items are included in the Recovery Plan Document?
1. Plan scope, assumptions and approach
2. Recovery team structure
3. Recovery team's roles and responsibilities
4. Task of each member
5. Identification and establishment of WAR/EOC (WAR: Work Area Recovery; EOC: Emergency Operation Center)
6. Identification of business- and time-critical components of operations
7. Inventory requirements
8. Action plan

What does the vital record program address?
This includes the identification, back-up, storage and maintenance of critical information.

What is the difference between the BCP and the DRP?
Most of the time there is not any difference. Many authors use these terms interchangeably. It is a very controversial topic. However, some who do differentiate between them make the following divisions:

DRP:
 Major focus is on IT and communication
 Very high impact
 Plan is normally tested
 Old term - still in use.

BCP:
 Superset of DRP
 Major focus on business operations
 Low to high impact on business
 Relies on BIA
 New term - very much in use
 You don't need a disaster to happen for a BCP to be active.

What is the purpose of the BCP?
1. Reduces risk
2. Places the company in a better position to handle the situation.

What does the BCP look for?
1. LAN and WAN connections
2. Workstations
3. Application software
4. Media
5. Records
6. Staff duties

What are the five phases for BCP?
1. BIA
2. Development of the BCP strategy
3. Detailed plan
4. Implementation plan
5. Test plan


Business Impact Analysis


What is a BIA?
1. Identifies various events that can affect the continuity of operations
2. Understanding of the organization is required.
3. Management support is required
4. Requires co-operation of IT and end-user personnel.

What are the two approaches for BIA?
1. Questionnaire approach
    a. Questionnaire developed
    b. Asked
    c. Results tabulated and analyzed.
2. Interviews with the key personnel.

Points to Remember
1. BIA is just the starting point
2. It is for the critical support area

What are the objectives of BIA?
1. Identify the mission-critical processes
2. Prioritize them
3. Ascertain the recovery-time objectives

What is the relationship between a Business Impact Analysis and a Risk Assessment?
Most of the time the BIA has a bigger focus. It is the first thing that is carried out for a DRP/BCP. Risk assessment is part of the BIA.


Testing of Plan
How is the DRP/BCP tested?
 Checklist
    o Review by Senior Manager
    o For Senior Manager
 Structured walk-through
    o Review by business unit
 Simulation
    o Private session
 Parallel session/preparedness test
    o Alternate site runs critical system
 Full interruption test
    o System is shut down and moves to alternate site

What is a critical survey?
A critical survey is used for sites:
 Hot site: 100% ready; full equipment in place
 Warm site: 40% ready; hardware, yes; software, no
 Cold site: 20% ready; only the location, electrical cabling and HVAC installed


Recovery Time Calculation


How is the acceptable recovery time calculated?
Recovery time is the break-even spot, where "Cost of Impact" = "Cost of Recovery".
Assumption: Example, an online bookstore
 X-Axis: Recovery time
 Y-Axis: "Cost of impact" & "Cost of Recovery"

"Cost of Recovery" with respect to "Recovery Time"
1. It decreases as the "Business" allows more time to recover
2. If the business asks for a recovery time of 00:00:30, it will be highest
3. If the business can live with a recovery time of 48:00:00, it will be substantially less
4. Cost of recovery curve: starts pretty high and slides down at a decreasing rate

"Cost of Impact" with respect to "Recovery Time"
1. It drastically increases as the business takes more time to recover
2. If the business asks for a recovery time of 00:00:30, it will be lowest
3. If an entity is out of business for 48:00:00, it will be substantially higher, depending on the nature of the business
4. Cost of impact curve: starts pretty low and climbs at an increasing rate

Therefore the "Recovery Time" is the place where "Cost of Impact" = "Cost of Recovery".

What back-up recovery site option is the best with respect to recovery time?
It depends on the needs of the business. There is no hard and fast rule. However, based on experience, we can say:

Recovery Time              | Options
---------------------------|----------------------
Less than 24 hours         | Hot site
Up to 72 hours             | Reciprocal agreement
Up to 120 hours or more    | Warm site
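The break-even point can be found numerically once the two curves are written down. The following is an added example, not a calculation from the study guide: the two cost formulas and every dollar figure are constructed for the online-bookstore scenario (only their shapes, recovery cost falling at a decreasing rate and impact cost rising at an increasing rate, follow the text), and the closing lookup uses the site-option table above.

```python
"""Added example, not from the study guide: locating the break-even recovery time
where "Cost of Impact" = "Cost of Recovery" for the guide's online-bookstore
scenario, then mapping it to the guide's site options. The two curve formulas and
all dollar figures are constructed; only their shapes follow the text."""


def cost_of_recovery(hours: float) -> float:
    """Constructed: starts very high for a near-instant recovery and slides down
    at a decreasing rate as the business allows more time."""
    return 40_000.0 + 500_000.0 / (1.0 + hours)


def cost_of_impact(hours: float) -> float:
    """Constructed: starts near zero and climbs at an increasing rate, as lost
    sales and customer defection compound with the length of the outage."""
    return 2_000.0 * hours + 150.0 * hours ** 2


def break_even_recovery_time(lo: float = 0.0, hi: float = 168.0, tol: float = 1e-6) -> float:
    """Bisection on f(t) = impact(t) - recovery(t). Because impact rises and recovery
    falls, f crosses zero once; the bracket must start negative and end positive."""
    f = lambda t: cost_of_impact(t) - cost_of_recovery(t)
    if f(lo) > 0 or f(hi) < 0:
        raise ValueError("curves do not cross within the bracket")
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if f(mid) < 0:
            lo = mid       # impact still below recovery cost: crossing is later
        else:
            hi = mid
    return (lo + hi) / 2.0


def site_option(recovery_hours: float) -> str:
    """The guide's rule-of-thumb table: less than 24 h hot site, up to 72 h
    reciprocal agreement, up to 120 h or more warm site."""
    if recovery_hours < 24:
        return "Hot site"
    if recovery_hours <= 72:
        return "Reciprocal agreement"
    return "Warm site"


if __name__ == "__main__":
    t = break_even_recovery_time()
    print(f"break-even recovery time: {t:.2f} h "
          f"(impact ${cost_of_impact(t):,.0f} ~ recovery ${cost_of_recovery(t):,.0f})")
    print(f"recommended option: {site_option(t)}")
```

With these constructed curves the crossing lands just under 16 hours, so the table above points at a hot site; changing either curve (a slower-growing impact, a cheaper recovery) moves the crossing and possibly the option.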


System Classification
What are the four classifications of systems?
1. Critical System
    a. Necessity: Absolute must to perform the function
    b. Alternate manual process: Not possible
    c. Tolerance to interruptions: Low
    d. Cost of interruptions: High
2. Vital System
    a. Necessity: Required, but a brief interruption is acceptable
    b. Alternate manual process: Possible for a short period
    c. Tolerance to interruptions: Medium (5 days or less)
    d. Cost of interruptions: High/medium
3. Sensitive
    a. Necessity: Important; business can survive with a manual process
    b. Alternate manual process: Possible for an extended period (more staff)
    c. Tolerance to interruptions: Medium/high
    d. Cost of interruptions: Medium/low
4. Non-Critical
    a. Necessity: Less important; no catch-up required when restored
    b. Alternate manual process: Not necessary
    c. Tolerance to interruptions: High; an extended period is acceptable
    d. Cost of interruptions: Low or no cost


RAID
What does RAID stand for?
Redundant Array of Inexpensive Disks

When data is distributed across disks, what is this process called?
Striping

What are the three classes of RAID?
1. Failure Resistant Disk System (FRDS)
2. Failure Tolerant Disk System (FTDS)
3. Disaster Tolerant Disk System (DTDS)
Note: At the time of writing this book, only FRDS was implemented. The rest are pending.

What does FRDS actually provide?
It provides protection against:
1. Data loss
2. Loss of availability of disks

What are the additional features in FRDS Plus?
FRDS Plus is a newer version that provides:
1. Protection against the environment
2. A hot-swap feature
3. Alert alarms

How many levels of RAID are defined?
Seven levels are defined - 0 to 7 (six is missing)

RAID 0: Features
a. Makes one large disk out of several disks
b. Provides striping only
c. Maximizes the space
d. Best performance for read and write, as multiple heads fetch the data
RAID 0 Problem: If one disk fails, all of the disks fail. No redundancy.

RAID 1: Features
a. Provides mirroring only
b. Data is written to two drives simultaneously
c. 2 x 20 GB hard disks; you have only 20 GB instead of 40 GB.
d. Disk ratio is one-to-one
RAID 1 Problem: Too expensive to implement

RAID 2: Features
a. Bit-interleaved data
b. Parity-based
c. Hamming code is used for parity information
Q. What is a Hamming code?
a. It is an error-detecting algorithm for the hard drive.
b. It defines a unique ratio of disks, 39:32
c. The seventh disk is for error recovery
RAID 2 Problems: Hamming code implementation is not really practical, so it is not widely implemented.

RAID 3 and 4: Features
a. Normally RAID 3 and 4 are described together as they are closely related
b. Dedicated hard disk for parity
c. Need for one extra hard disk
Problems with RAID 3 and RAID 4:
a. Performance is the issue in each case. Parity has to be written to a hard disk that is physically separate
b. The parity hard disk also has a 'single point of failure' problem
Q. What is the level difference between 3 and 4?
RAID 3 is implemented at the byte level while RAID 4 is implemented at the block level.

RAID 5: Features
a. Block-level implementation like RAID 4
b. Most widely used
c. No dedicated parity disk
d. Parity information is written on the very next disk
e. XOR algorithm is used to calculate parity.
f. Works on "interleaved" parity
g. No 'single point of failure', as parity is spread across the drives
h. Relatively fast
i. Most vendors provide the hot-swappable feature (FRDS Plus)

RAID 6: Features
a. RAID 5 plus the additional feature of a second set of parity data

RAID 7: Features
Combination of RAID 5 and RAID 0 (author's view)

RAID 10: Features
Combination of RAID 0 and RAID 1

RAID 15: Combination of RAID 1 and RAID 5

What are the two types of RAID implementation?
1. Software-based
2. Hardware-based

Software-Based                  | Hardware-Based
--------------------------------|-----------------------
Part of the Operating System    | Part of the hardware
Better for RAID 0, 1 & 10       | RAID 3 and 5

Why do RAID 0 and RAID 1 run faster on software?
RAID 0 and RAID 1 run faster on software because they use striping technology. Running striping on hardware has no advantages.
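The RAID 5 properties listed above (block-level striping, XOR parity, parity "interleaved" across all drives so that no drive is a single point of failure, and survival of one failed disk) can be exercised on a few bytes. This is an added example, not code from the study guide; the 4-byte block size, the rotation rule and the payload are constructed, and a disk passed as None stands in for a failed drive.

```python
"""Added example, not from the study guide: a RAID 5 layout with block-level
striping, parity rotated across the disks so no disk is a single point of failure,
and XOR reconstruction of one failed disk. Block size and data are constructed."""
from typing import List, Optional

BLOCK = 4   # constructed block size in bytes (real arrays use kilobytes)


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together; this is how RAID 5 parity is computed."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe: int, n_disks: int) -> int:
    """Interleaved parity: the parity block moves one disk to the left each stripe."""
    return (n_disks - 1 - stripe) % n_disks


def raid5_write(data: bytes, n_disks: int) -> List[List[bytes]]:
    """Return per-disk block lists. Each stripe holds n_disks-1 data blocks plus one
    parity block (the XOR of those data blocks) on the rotating parity disk."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = (n_disks - 1) * BLOCK
    data += b"\x00" * (-len(data) % per_stripe)          # pad to whole stripes
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i * BLOCK:(i + 1) * BLOCK] for i in range(n_disks - 1)]
        parity = xor_blocks(blocks)
        remaining = iter(blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk_for(s, n_disks) else next(remaining))
    return disks


def raid5_read(disks: List[Optional[List[bytes]]]) -> bytes:
    """Reassemble the data. A disk passed as None is treated as failed and each of
    its blocks is rebuilt as the XOR of the surviving blocks in the same stripe,
    because the XOR of every block in a stripe (data and parity) is zero."""
    n_disks = len(disks)
    failed = [d for d, disk in enumerate(disks) if disk is None]
    if len(failed) > 1:
        raise RuntimeError("RAID 5 survives only one failed disk")
    n_stripes = len(next(disk for disk in disks if disk is not None))
    out = bytearray()
    for s in range(n_stripes):
        row = [None if disk is None else disk[s] for disk in disks]
        if failed:
            row[failed[0]] = xor_blocks([b for b in row if b is not None])
        p = parity_disk_for(s, n_disks)
        out += b"".join(row[d] for d in range(n_disks) if d != p)
    return bytes(out)


DATA = b"RAID 5 spreads parity across every drive"   # constructed payload, 40 bytes

if __name__ == "__main__":
    array = raid5_write(DATA, 4)
    for s in range(len(array[0])):
        print(f"stripe {s}: parity on disk {parity_disk_for(s, 4)}")
    degraded = list(array)
    degraded[1] = None                                  # simulate losing disk 1
    print(raid5_read(degraded).rstrip(b"\x00").decode())
```

Passing two None disks raises, which is the RAID 5 limit that RAID 6's second parity set above is meant to lift.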


MISC
What are the different types of tests that are performed?
1. Pretest: Transporting and installing the backup
2. Test: Real action for business continuity
3. Post-test: Clean-up activity, disconnecting equipment, deleting data, evaluating the plan

What are the three types of tests?
1. Paper Test: Walk-through of the entire plan or a section
2. Preparedness Test: Localized full test. Before full-blown operations begin, a preparedness test should be performed.
3. Full Operational Test: Completely shut down operations

What is the electronic vault? Is it something related to e-payment?
The electronic vault refers to the off-site back-up.

What is a Remote Journal?
Remote Journal: Parallel processing of transactions at multiple sites through high-speed links

What is database shadowing?
Remote Journaling + Multiple Sites


Summary of DRP/BCP 1. BCP is designed to reduce the risk. 2. Planning is the responsibility of senior management 3. BCP = DRP + Plan of Continuity of Business Operations 4. Short-term and long-term strategies are required. 5. Hot site becomes operational within a few hours 6. Hot site is intended as an emergency option for a limited time period 7. Hot site is designed for several weeks, not several months 8. Warm site are partially ready, without the mainframe. 9. The assumption with a warm site is that it is possible to have an emergency installation. 10. Cold Site - Site with HVAC takes several weeks to get ready 11. Ideal Site is "Duplicate Information Processing Facilities" a. Dedicated b. Self-developed recovery c. Standby sites (some of the cases reciprocal) 12. Problems with reciprocal: a. Subject to same disaster b. Resource availability c. Not enforceable d. Staff assistance e. Confidentiality 13. Detailed disaster recovery plan is based on recovery strategy 14. Checklist of the team: a. Emergency Action Team First response: Evacuation of personnel. b. Damage Assessment Team c. Emergency Management Team d. Offsite Storage Team e. Software Team f. Application Team
Sold as Single Copy Unauthorized Circulation Strictly Prohibited
Copyright 2004 Pacific Information Security Consulting www.PacificIS.com

360

CISA Study Guide in EasyFAQs g. Security Team h. Emergency Operation Team i. Network Recovery Team j. Communication Team k. Transport Team l. User Hardware Team m. Data Preparation and Record Team n. Administrative Support Team o. Supplies Team p. Salvage Team q. Relation Team. 15. Major services which are required are as follows: a. Support services b. Business operations c. Information processing 16. Infrastructure management. 17. Copies of the business plan would be offsite possibly at the home of the decision-maker. 18. Notification directory of key decision-maker is a must 19. All necessary supplies should be there 20. List of printed and pre-printed forms. 21. Telephone line safe from hackers and phreakers 22. Who will bring data? 23. Multiple access to the site 24. Difference between alternate routing and diverse routing: a. Alternate routing: Media is different, e.g. dial-up line for a leased line; cellular phone for a normal phone. b. Diverse routing is done via a duplicate cable facility. Media is the same and can go with the same cable 25. Long-haul network diversity: long distance network availability 26. Separate or redundant last-mile circuit protection
27. Voice recovery.
28. RAID levels:
   a. Level 0 = Disk striping; no redundancy, better performance; can be implemented in software
   b. Level 1 = Mirroring; full redundancy at the cost of half the raw capacity; can be implemented in software
   c. Level 2 = Hamming-code error correction (an error-correcting code, not a hash); requires several dedicated check disks and is rarely used in practice
   d. Level 3 = Striping with byte-level parity on a dedicated parity drive
      i. Enhanced form of Level 0
      ii. Dedicated parity drive
      iii. Better performance with a hardware-based solution
   e. Level 4 = Same as Level 3 but with block-level parity; a specific disk is dedicated to parity information
   f. Level 5 = Striping with block-level parity distributed across all disks; survives the loss of one disk; better performance with a hardware-based solution
   g. Level 6 = Striping with two independent, distributed parity blocks per stripe; survives the loss of two disks
29. Responsibility for maintaining the BCP falls on the BCP coordinator.
30. You must have an off-site library for media and a rotation schedule for the media.
31. Automation of backups prevents erroneous or missed backups.
32. Real-time files require special backup procedures.
33. Backup is needed of the object code as well as the source code.
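The XOR parity behind RAID levels 3 to 5 in item 28 above, worked through as an added Python example (this is not code from the study guide). The four-byte blocks "AAAA", "BBBB" and "CCCC" are constructed sample data; the block computes a stripe's parity, verifies it, rebuilds one lost block, and refuses two lost blocks, which is exactly the gap RAID 6's second parity closes.

```python
"""RAID 5-style single parity: compute, verify and rebuild one stripe."""
from typing import List, Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_stripe(data_blocks: List[bytes]) -> List[bytes]:
    """Return the data blocks followed by their XOR parity block.

    Real RAID 5 rotates the parity block's position from stripe to stripe
    (RAID 3/4 keep it on a dedicated disk); the arithmetic is the same.
    """
    size = len(data_blocks[0])
    if any(len(b) != size for b in data_blocks):
        raise ValueError("all blocks in a stripe must have equal size")
    parity = bytes(size)
    for block in data_blocks:
        parity = _xor(parity, block)
    return list(data_blocks) + [parity]


def verify(stripe: List[bytes]) -> bool:
    """Parity check: the XOR of every block in a consistent stripe is all zeros."""
    acc = bytes(len(stripe[0]))
    for block in stripe:
        acc = _xor(acc, block)
    return not any(acc)


def can_rebuild(stripe: List[Optional[bytes]]) -> bool:
    """Single parity tolerates exactly one lost block (None) per stripe."""
    return sum(1 for b in stripe if b is None) <= 1


def rebuild(stripe: List[Optional[bytes]]) -> List[bytes]:
    """Reconstruct the one missing block (data or parity) from the survivors.

    Because P = D0 ^ D1 ^ ... ^ Dn-1, any single block equals the XOR of all
    the others. Two missing blocks are unrecoverable: that is the failure mode
    RAID 6 addresses with a second, independently computed parity block.
    """
    missing = [i for i, b in enumerate(stripe) if b is None]
    if len(missing) > 1:
        raise ValueError("single parity cannot recover %d lost blocks" % len(missing))
    survivors = [b for b in stripe if b is not None]
    if not missing:
        return survivors
    acc = bytes(len(survivors[0]))
    for block in survivors:
        acc = _xor(acc, block)
    rebuilt = list(survivors)
    rebuilt.insert(missing[0], acc)
    return rebuilt


if __name__ == "__main__":
    # Constructed data blocks; 'A' ^ 'B' ^ 'C' = 0x40 = '@', so parity is b"@@@@".
    stripe = make_stripe([b"AAAA", b"BBBB", b"CCCC"])
    print("parity block:", stripe[-1], "consistent:", verify(stripe))
    damaged = [stripe[0], None, stripe[2], stripe[3]]   # one disk lost
    print("rebuilt:", rebuild(damaged)[1])
    print("two disks lost recoverable?", can_rebuild([stripe[0], None, None, stripe[3]]))
```

The same XOR relation is why a RAID 5 array is exposed during a rebuild: with one disk already gone, a second failure or an unreadable sector on any surviving disk leaves that stripe unrecoverable.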


Domain 6: Business Application Development


Basics
What is SDLC?
The System Development Life Cycle (SDLC) consists of the following phases:
1. Feasibility: the strategic benefits and costs of the system are analyzed.
2. Requirements investigation: different techniques are used, from interviews to questionnaires. The end result is the requirements specification.
3. Requirements analysis: once the investigation is complete, the requirements specification is analyzed.
4. General design: the high-level design.
5. Detailed design: the design is worked out in depth.
6. Implementation: software development and code review.
7. Installation: prototyping and experimentation; start of the certification process.
8. Review: the last phase, followed by maintenance.

What is the Spiral Model?
A combination of several software models. It is drawn as a logical spiral that expands as the project progresses; as each loop is completed, the corresponding software model is applied. The spiral is divided into four quadrants and starts in the top-left quadrant.

What is the Simplistic Model?
Before a new step can begin, the previous step must be completed.

What is the checklist for testing a system?
1. A proper test plan should be developed.
2. Testing staff should not overlap with the developers.
3. The security controls of the program should be listed and checked.
4. The system design should be checked.
5. Data handling is checked using representative normal inputs.
What are the different roles in Application Development?
1. Senior Management: commitment and resources.
2. User Management:
   a. Ownership of the project (ownership rests with user management, not senior management)
   b. Ownership of the resulting system
   c. Allocation of qualified people
   d. Participation in the definition of requirements
   e. Acceptance testing
   f. Training of users
   g. Functionality, effectiveness, efficiency and ease of use are the concern of user management
   h. Most important, key role.
3. Project Steering Committee:
   a. Ultimately responsible for all costs and timetables
   b. Senior representative from each of the functional areas
   c. The Project Manager is a member of the committee
   d. The committee has the authority to stop the project.
4. Project Sponsor:
   a. Provides the funds
   b. Data and application ownership are assigned to the Project Sponsor
   c. A senior person who heads the business function for which the application is written
5. Project Manager:
   a. Day-to-day management
   b. Makes sure the project adheres to local standards
6. System Development Manager:
   a. Makes sure the system follows corporate strategic direction
   b. Meets local standards
   c. Quality is ensured
7. System Development Project Team:
   a. Performs the system development and programming tasks
   b. Completes assigned tasks
   c. Communicates with the users
8. User Project Team:
   a. Communicates with the system developers
   b. Works to local standards
9. Security Officer:
   a. Ensures controls over systems and processes
   b. Ensures proper data classification as per the security policy
   c. Oversees the implementation of security
   d. Monitors the system's security throughout its lifecycle
10. Quality Assurance:
   a. Ensures compliance with standards and requirements
   b. Monitors progress

What are the different types of testing?
Unit Testing:
   a. Focus is on an individual program or module
   b. Uses sets of test cases
Interface or Integration Testing:
   a. Can be hardware or software
   b. Evaluates the interfaces between components
System Testing:
   a. Focuses on the MODIFIED programs, database schema and objects
   b. Ensures that the MODIFIED programs work properly together
   c. Can be divided into the following:
      i. Recovery testing
      ii. Security testing
      iii. Stress/volume testing
      iv. Performance testing
Final Acceptance Test:
   a. Only carried out after unit and system tests have been performed
   b. QA methodology can be used in this testing

What are the three common tools to debug applications?
   a. Logic Path Monitor: reports the sequence followed by the program and helps to trace errors
   b. Output Analyzer: checks actual results against expected results
   c. Memory Dump: gives a picture of internal memory at the point of failure

What are the other terminologies for testing?
Alpha Test: performed by users within the organization.
Beta Test: a type of user acceptance test involving external users.
Pilot Test: a preliminary test of some specific aspects; it does not replace any other test.
White Box: looks at the procedural details of the program; the logical paths are tested.
Black Box: looks only at the outputs of the system; internal logic paths are ignored. Used in UAT; some aspects are tested, most of the time at the interface.
Validation/Function Test: like system testing; checks the system against its functional requirements.
Regression Testing: the original test data is re-run against the modified programs to ensure that no new errors have been introduced.
Sociability Testing: not related to "social engineering". Ensures the new system can operate in its target environment and platforms; multiple applications are run on the same PC to ensure they do not have a negative impact on each other.


What is the difference between the Bottom-up and Top-down approaches?
a. Bottom-up: begins with the smallest possible unit, called an "atomic unit"
   i. No need for stubs and drivers
   ii. Critical errors in the modules are identified early
b. Top-down:
   i. Focus is on either of the following:
      1. Major functions are verified first
      2. Major interface errors are detected early
   ii. The top-down approach may proceed either:
      1. Breadth-first
      2. Depth-first
Rule of thumb: if you suspect the problem lies in the interfaces between modules, use the top-down approach, which exercises those interfaces first. If you suspect the problem lies in the functionality of individual (critical) modules, use the bottom-up approach. Stubs (place-holders for lower-level modules that are not yet written) are required only in the top-down approach. Large systems are typically tested bottom-up.
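The stub-versus-driver distinction above, as an added Python example that is not part of the study guide. It uses a constructed three-layer invoice module (the names, the cents-based arithmetic and the amounts are all assumptions): `checkout` is tested top-down with a stub standing in for the subtotal module before that module is integrated, and the atomic unit `parse_amount` is driven bottom-up with normal and boundary inputs.

```python
"""Top-down (stub) versus bottom-up (driver) integration testing."""
from typing import Callable, Dict, List


# --- atomic unit (lowest level) -----------------------------------------------
def parse_amount(text: str) -> int:
    """Parse a decimal money string such as '12.30' into whole cents.

    Rejects negatives and more than two decimal places; this boundary
    behaviour is what a bottom-up driver checks before integration.
    """
    text = text.strip()
    if text.startswith("-"):
        raise ValueError("negative amount")
    whole, _, frac = text.partition(".")
    if not whole.isdigit() or (frac and not frac.isdigit()) or len(frac) > 2:
        raise ValueError("malformed amount: %r" % text)
    return int(whole) * 100 + int(frac.ljust(2, "0") or 0)


# --- middle module --------------------------------------------------------------
def compute_subtotal(lines: List[str]) -> int:
    """Sum the line amounts of an invoice, in cents."""
    return sum(parse_amount(line) for line in lines)


# --- top-level module -----------------------------------------------------------
def checkout(lines: List[str], tax_permille: int,
             subtotal_fn: Callable[[List[str]], int] = compute_subtotal) -> Dict[str, int]:
    """Return subtotal, tax and total in cents; tax is rounded half-up.

    `subtotal_fn` is injectable so a top-down test can substitute a stub for
    compute_subtotal while that module is still being written.
    """
    subtotal = subtotal_fn(lines)
    tax = (subtotal * tax_permille + 500) // 1000
    return {"subtotal": subtotal, "tax": tax, "total": subtotal + tax}


# --- top-down: stub the lower module --------------------------------------------
def stub_subtotal(lines: List[str]) -> int:
    """Stub: canned value regardless of input (constructed: 100.00)."""
    return 10_000


def top_down_check() -> bool:
    """Verify checkout's own logic (7.5% tax, total) against the stub."""
    result = checkout(["ignored"], tax_permille=75, subtotal_fn=stub_subtotal)
    return result == {"subtotal": 10_000, "tax": 750, "total": 10_750}


# --- bottom-up: drive the atomic unit directly ----------------------------------
def bottom_up_driver() -> Dict[str, object]:
    """Driver: exercises parse_amount with normal and boundary inputs."""
    results: Dict[str, object] = {}
    for case in ["12.30", "5", "0.07", "1.234", "-3.00", "abc"]:
        try:
            results[case] = parse_amount(case)
        except ValueError:
            results[case] = "rejected"
    return results


if __name__ == "__main__":
    print("top-down (stubbed subtotal) passes:", top_down_check())
    print("bottom-up driver results:", bottom_up_driver())
    print("integrated:", checkout(["12.30", "5"], tax_permille=75))
```

The stub isolates the top module's logic (tax rounding, totals) from defects in modules below it; the driver exercises the atomic unit with inputs the real caller might never send, which is where parsing and validation bugs are found early.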


Object-Oriented Database
When most people are using Relational Databases, what is the need for Object-Oriented Databases (OODB)?
An OODB is used for the following reasons:
1. It has no restriction on:
   a. The type of object stored
   b. The size of the data elements
2. It provides the convenience of code re-use
3. It requires less maintenance
4. Easier transition from an object-oriented application design

How does one decide whether a Relational or an Object-Oriented Database is better?
Remember the following rule of thumb:
Relational database: best for typical business (transaction-oriented) applications.
Object-oriented database: more suited to expert systems or multimedia-type applications.

What are the problems with OODBs?
1. Difficult to understand
2. Resource-intensive in terms of software and hardware

What are some examples of Object-Relational Databases?
1. AllBase
2. OpenODB
3. UniSQL/X


Component-Based Development
What is an alternative way of making an object available?
An Object Request Broker (ORB), which is platform-independent.

What is the other name for an ORB?
Middleware.

What has the OMG (Object Management Group) developed?
CORBA.

What is CORBA?
Common Object Request Broker Architecture.

How do ORB and CORBA compare?
ORB: system-oriented component; enables systems to communicate.
CORBA: application-oriented component; enables applications to communicate.

What does CORBA define?
It is an industry standard that supports:
1. Multiple languages
2. Different platforms
3. Multiple OS interfaces

What is required for CORBA at the user end?
An IDL (Interface Definition Language) file.

What does the IDL file do?
It identifies the following:
1. Methods
2. Classes
3. Objects
What is a common example of CORBA?
Java code (the Java platform includes an ORB and IDL bindings).

What is COM?
1. Component Object Model
2. Supports object management and the exchange of objects between applications

What is the relationship between OLE and COM?
OLE makes it possible to share objects between applications; COM is the foundation on which OLE is built.

What is OLE (Object Linking and Embedding)?
It allows one program to call another program, and allows objects created by one application to be linked or embedded in another application's document.

What is DCOM?
Distributed COM: the extension of COM across a network. Mainly supported by Microsoft.

What are examples of OOP languages?
1. C++
2. Smalltalk

What are the advantages of C++?
1. Supports multiple platforms
2. Supports multiple classes (inheritance)

How do Cohesion and Coupling compare?
Cohesion (how self-contained a module is):
   a. The module works with very little help from other modules
   b. Performs a single, well-defined function
   c. Easier to manage and modify
   d. The more cohesive the modules, the better the application
Coupling (how interdependent modules are):
   a. Interconnection among modules; a highly coupled module relies on many others and often performs multiple functions
   b. Difficult to manage and modify
   c. The less the coupling, the better the application

XML
What is XML?
XML, the Extensible Markup Language, is a platform-independent markup language for describing structured data (it is not a programming language).

What are the two common XML-based web service standards?
a. SOAP stands for Simple Object Access Protocol.
   i. SOAP = XML + API: method calls and their parameters are carried inside an XML envelope
   ii. SOAP can be compared to RPC
b. WSDL stands for Web Services Description Language.
   i. Describes the operations a SOAP service exposes and how to call them
   ii. Defines the format of the SOAP messages

What is UDDI?
UDDI stands for Universal Description, Discovery and Integration.
   i. Used as the "yellow pages" of web services
   ii. A service provider publishes an entry in a UDDI directory
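The SOAP-as-RPC idea above, shown as an added Python example that is not from the study guide: a client builds an RPC-style SOAP 1.1 request, a constructed stand-in for the server answers with either a response element or a SOAP Fault, and the client parses both. The envelope namespace is the real SOAP 1.1 one; the service namespace `urn:example:ledger`, the `GetBalance` operation and the account data are assumptions made up for this example.

```python
"""Constructed SOAP 1.1 request/response exchange, built and parsed with the stdlib."""
import xml.etree.ElementTree as ET
from typing import Dict

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # real SOAP 1.1 namespace
SERVICE_NS = "urn:example:ledger"                         # assumption: hypothetical service
ET.register_namespace("soap", SOAP_ENV)
ET.register_namespace("m", SERVICE_NS)


def _envelope():
    envelope = ET.Element("{%s}Envelope" % SOAP_ENV)
    body = ET.SubElement(envelope, "{%s}Body" % SOAP_ENV)
    return envelope, body


def build_request(operation: str, params: Dict[str, str]) -> bytes:
    """RPC-style request: Envelope/Body/<operation>/<param>value</param>..."""
    envelope, body = _envelope()
    call = ET.SubElement(body, "{%s}%s" % (SERVICE_NS, operation))
    for name, value in params.items():
        ET.SubElement(call, "{%s}%s" % (SERVICE_NS, name)).text = value
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def build_fault(code: str, reason: str) -> bytes:
    """SOAP 1.1 Fault; faultcode/faultstring are unqualified per the spec."""
    envelope, body = _envelope()
    fault = ET.SubElement(body, "{%s}Fault" % SOAP_ENV)
    ET.SubElement(fault, "faultcode").text = "soap:" + code
    ET.SubElement(fault, "faultstring").text = reason
    return ET.tostring(envelope, encoding="utf-8")


def parse_response(raw: bytes, operation: str) -> Dict[str, str]:
    """Return the <operation>Response children as a dict, or raise on a Fault.

    The stdlib parser does not fetch external entities, but untrusted SOAP
    should still be size-limited before parsing and, in production, parsed
    with a hardened parser (e.g. defusedxml) to block entity-expansion bombs.
    """
    root = ET.fromstring(raw)
    body = root.find("{%s}Body" % SOAP_ENV)
    if body is None:
        raise ValueError("no SOAP Body")
    fault = body.find("{%s}Fault" % SOAP_ENV)
    if fault is not None:
        raise RuntimeError("SOAP Fault %s: %s" % (
            fault.findtext("faultcode", ""), fault.findtext("faultstring", "")))
    result = body.find("{%s}%sResponse" % (SERVICE_NS, operation))
    if result is None:
        raise ValueError("unexpected response element")
    return {child.tag.split("}", 1)[1]: (child.text or "") for child in result}


# --- constructed server side ------------------------------------------------------
_BALANCES = {"ACC-1001": "250.00"}  # constructed data


def constructed_server(request: bytes) -> bytes:
    """Stand-in for the remote endpoint; implements GetBalance only."""
    call = ET.fromstring(request).find(".//{%s}GetBalance" % SERVICE_NS)
    if call is None:
        return build_fault("Client", "unknown operation")
    account = call.findtext("{%s}account" % SERVICE_NS)
    if account not in _BALANCES:
        return build_fault("Client", "no such account")
    envelope, body = _envelope()
    resp = ET.SubElement(body, "{%s}GetBalanceResponse" % SERVICE_NS)
    ET.SubElement(resp, "{%s}balance" % SERVICE_NS).text = _BALANCES[account]
    ET.SubElement(resp, "{%s}currency" % SERVICE_NS).text = "USD"
    return ET.tostring(envelope, encoding="utf-8")


def get_balance(account: str) -> Dict[str, str]:
    """Client side, end to end: build -> (constructed) server -> parse."""
    reply = constructed_server(build_request("GetBalance", {"account": account}))
    try:
        return parse_response(reply, "GetBalance")
    except RuntimeError as exc:
        return {"fault": str(exc)}


if __name__ == "__main__":
    print(build_request("GetBalance", {"account": "ACC-1001"}).decode())
    print(get_balance("ACC-1001"))
    print(get_balance("ACC-9999"))
```

A WSDL document for this service would declare the `GetBalance` operation, its `account` input and `balance`/`currency` output parts, and the namespaces used here, which is what lets a client generate `build_request` and `parse_response` automatically.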


Prototyping
What is prototyping?
a. Prototyping is also known as heuristic or evolutionary development.
b. Prototyping is a controlled trial-and-error method for developing programs.
c. Prototyping is a kind of risk-reduction mechanism.
d. Prototyping = classic SDLC + iterative framework.
e. In most cases users are provided with input and report screens.
f. Good for users: the developer focuses on what the user wants and what the user sees.
g. Cost-efficient.

What are the two approaches to prototyping?
1. Develop the model first, then the system
   a. User expectations are high: they think the system is already there
   b. What still needs to be added:
      i. Checks and controls
      ii. Handling of production transaction volumes
      iii. Connectivity routines
      iv. Adaptability
2. Build the actual system directly
   a. Use of a 4GL
   b. Quick and dirty approach

What are the problems with the prototyping approach?
a. Not efficient (many "goodies" and extras)
b. Poor controls
c. Poor change controls
d. Changes are so quick and easy that they are hardly documented.

RAD
What is RAD?
Rapid Application Development. RAD reduces cost and increases quality; the main emphasis is on reusing existing components.

What techniques are used in RAD?
   i. Evolutionary prototyping
   ii. Central repository
   iii. Interactive requirements and design workshops
   iv. Powerful tools for:
      1. Modeling
      2. Prototyping
      3. Component reusability

What does RAD support?
   i. Analysis
   ii. Design
   iii. Development
   iv. Implementation

What does RAD not support?
Analysis and planning for the organization as a whole.

What are the four stages of RAD?
   i. Definition: business functions and relevant data
   ii. Functional Design: workshops to model procedures and data; prototypes of the critical components
   iii. Development: everything in the traditional model, i.e. building the database, the application programs and the conversion routines
   iv. Deployment: UAT, training and data conversion

What is Agile Development?
a. A method for quickly delivering complex systems in a way flexible enough to handle change.
b. Small timeframes (short iterations)
c. The project is re-planned after each iteration
d. Small, qualified team drawn from business and technical staff
e. Strict time limits for meetings
f. Pair programming: two people, one program; provides QA and knowledge sharing
g. Only the next phase is planned in detail
h. No fixed baseline to focus on; plans adapt as the project proceeds
i. No repeatable process as such; rather, adjustment after frequent reviews and inspections

What is Reverse Engineering?
a. Decomposing executable or object code back into design or source
b. Largely black-box analysis of the program's behaviour
c. Faster development and an improved product; shortens the SDLC
d. Sometimes considered unethical
e. Risk of litigation if the software licence agreement prohibits reverse engineering

What is Change Control?
a. The change request should carry all relevant information.
b. Programmers should not have any access to the production machine, not even read access.
c. Approval of the change request comes from User Management.
d. Items that should be under change management:
   i. Access to the program library
   ii. Supervisory review
   iii. Change request approval
e. The auditor should select an implemented change and trace it back to a valid, approved change request, or follow a valid request forward into production.
f. Emergency IDs are an area of concern; their use should be logged and reviewed afterwards.
g. Who should move the system from test to production? Operations, QA or another independent control group, never the programmer who made the change.
h. Special care should be taken with emergency passwords.

What is Configuration Management?
a. Maintenance requests are monitored by the change control group
b. Controls are reviews, checkpoints, and sign-off practices and procedures

How is production separated from test?
With the help of library control software.

On what basis are programs moved from test to production?
Only on the basis of documented authorization.

How many versions of source code should be present in the production environment?
Production should hold exactly one source version corresponding to each executable. Once a program has been modified and approved, its source is moved to the "Production Source Code Library".

What is the difference between SLOC and FPA?
a. Earlier projects were estimated on the basis of SLOC (Source Lines of Code) counts.
b. Later they were estimated with FPA (Function Point Analysis).
   i. FPA depends upon the number and complexity of:
      1. Inputs
      2. Outputs
      3. Files
      4. Inquiries
      5. External interfaces (to other systems)

How is Productivity computed in FPA?
Productivity = FP / person-month
Note: FP is the function point count.

How is Quality computed in FPA?
Quality = Defects / FP

How is Cost calculated in FPA?
Cost = $ amount / FP

What are the two common ways to compute task effort?
Tasks can be estimated in people-hours or machine-hours.

What is scheduling?
The sequential relationships among the tasks.

What are the constraints for Software Cost Estimation?
a. Language to be used
b. Main storage
c. Data storage
d. Execution time
e. Computer access
f. Security environment
g. Target machine
h. Staff practices


Project Management
What is CPM?
CPM stands for Critical Path Method. CPM is a project management technique used to sequence the activities and to calculate the time required to complete the project.

What is the Critical Path?
a. The critical path is the path through the activity network where the sum of activity times is longest
b. On the critical path, slack time = 0
c. Activities with slack time 0 are on the critical path

What is a Gantt Chart?
a. Shows, for each activity or task, when it should begin and when it should end
b. Shows which activities should progress concurrently

What is PERT?
PERT: Program Evaluation and Review Technique.
a. Used in the construction industry and the military
b. Can be used for project planning and control
c. Assumes a project is a collection of tasks/activities
   i. Activities can be started and stopped independently of each other
   ii. Activities may have precedence constraints or relationships

What are the two basic components of PERT?
The components of a PERT chart are as follows:
   i. Circles represent events. All of the activities before the event are assumed to be completed:
      1. End point of an activity (a milestone, in Gantt terms)
      2. Takes no time
      3. Consumes no resources
   ii. Lines and arrows represent activities.
      1. Process = activity
      2. An activity requires time and resources
      3. Each activity begins and ends with an event

What is the first thing to do in PERT?
Identify the activities and the sequence of each. Be careful not to overlook any activity.

What are the three kinds of estimates in PERT?
To estimate task completion, three estimates are used:
1. Optimistic
2. Pessimistic
3. Most likely

How is the PERT duration calculated?
Each activity's expected duration is a weighted average of its three estimates:
Expected duration = (Optimistic + 4 x Most Likely + Pessimistic) / 6
Once the critical path has been identified, the project duration is the sum of the expected durations of the activities on it.

What is the significance of the Critical Path in duration management?
If you want to complete a project early, shorten the critical path, i.e. accelerate the activities on the CP. Shortening activities that are not on the CP does not shorten the project. Conversely, if any activity on the CP is delayed, the project is delayed.

What is Timebox Management?
a. Used for the definition and deployment of software deliverables
b. A fixed amount of time is allocated to each deliverable
c. Provides a balance between software quality and the timebox
d. Flexibility in scoping the requirements
e. No flexibility in quality
f. Good for prototyping and RAD
g. Not recommended for the traditional SDLC
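The PERT and CPM calculations above, carried through on a small constructed network as an added Python example (not from the study guide). The six activities and their (Optimistic, Most Likely, Pessimistic) estimates in days are made up; the block computes each activity's PERT expected duration, runs the CPM forward and backward passes to get slack, lists the zero-slack (critical) activities, and shows that shortening a critical activity shortens the project while shortening a non-critical one does not.

```python
"""PERT expected durations and CPM critical path on a constructed activity network."""
from typing import Dict, List, Tuple

Network = Dict[str, Tuple[List[str], Tuple[float, float, float]]]

# activity -> (predecessors, (Optimistic, Most Likely, Pessimistic)) in days; constructed
ACTIVITIES: Network = {
    "A": ([],         (2, 4, 6)),    # requirements
    "B": (["A"],      (3, 6, 15)),   # design
    "C": (["A"],      (1, 2, 3)),    # environment set-up
    "D": (["B"],      (4, 8, 12)),   # build
    "E": (["C"],      (2, 3, 4)),    # test data preparation
    "F": (["D", "E"], (1, 2, 9)),    # user acceptance test
}


def pert_expected(o: float, m: float, p: float) -> float:
    """PERT weighted average: (O + 4M + P) / 6."""
    return (o + 4 * m + p) / 6


def topological_order(acts: Network) -> List[str]:
    """Order activities so every predecessor comes before its successors."""
    order: List[str] = []
    seen = set()

    def visit(name: str) -> None:
        if name in seen:
            return
        for pred in acts[name][0]:
            visit(pred)
        seen.add(name)
        order.append(name)

    for name in acts:
        visit(name)
    return order


def critical_path(acts: Network) -> Tuple[float, Dict[str, float], List[str]]:
    """CPM forward/backward pass.

    Returns (project duration, slack per activity, critical activities in order).
    Slack = latest start - earliest start; zero slack means critical.
    """
    dur = {n: pert_expected(*acts[n][1]) for n in acts}
    order = topological_order(acts)
    es: Dict[str, float] = {}
    ef: Dict[str, float] = {}
    for n in order:                       # forward pass: earliest start / finish
        es[n] = max((ef[p] for p in acts[n][0]), default=0.0)
        ef[n] = es[n] + dur[n]
    project = max(ef.values())
    successors = {n: [s for s in acts if n in acts[s][0]] for n in acts}
    lf: Dict[str, float] = {}
    ls: Dict[str, float] = {}
    for n in reversed(order):             # backward pass: latest finish / start
        lf[n] = min((ls[s] for s in successors[n]), default=project)
        ls[n] = lf[n] - dur[n]
    slack = {n: round(ls[n] - es[n], 6) for n in acts}
    critical = [n for n in order if slack[n] == 0]
    return project, slack, critical


def crash(acts: Network, name: str, days: float) -> float:
    """Project duration if `name` is shortened by `days` (all three estimates)."""
    o, m, p = acts[name][1]
    shortened = dict(acts)
    shortened[name] = (acts[name][0], (max(o - days, 0), max(m - days, 0), max(p - days, 0)))
    return critical_path(shortened)[0]


if __name__ == "__main__":
    duration, slack, critical = critical_path(ACTIVITIES)
    print("project duration (days):", duration)
    print("slack:", slack)
    print("critical path:", " -> ".join(critical))
    print("shorten D (critical) by 2 days:", crash(ACTIVITIES, "D", 2))
    print("shorten C (non-critical) by 1 day:", crash(ACTIVITIES, "C", 1))
```

On this network the expected durations are A=4, B=7, C=2, D=8, E=3, F=3; the critical path is A, B, D, F (22 days) and C and E each carry 10 days of slack.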

CASE
What is CASE?
CASE stands for Computer-Aided Software Engineering: automated tools for software development.
a. Provide a uniform approach to development
b. Produce DFDs (data flow diagrams) as well as data element definitions
c. Even with CASE, an application design is still required
d. CASE maintains a repository of design items

What are the three types of CASE?
1. Upper CASE: used for business and application requirements definition. It covers:
   a. Data objects: definition and relationships
   b. Processes: definition and relationships
2. Middle CASE: used for detailed design. It covers:
   a. Screen layouts
   b. Report layouts
   c. Process flow
   d. Object organization
   e. Editing criteria
3. Lower CASE: used to aid or replace programming
   a. Generates program code
   b. Generates database definitions
   c. Uses the following:
      i. Design information
      ii. Database rules for the system
      iii. Programming rules, etc.


ISO - 9126
What is the significance of ISO 9126 for software development?
1. Standard for evaluating software quality
2. Looks at the following characteristics:
   a. Functionality
   b. Reliability
   c. Usability
   d. Efficiency
   e. Maintainability
   f. Portability


CMM/SEI
What is CMM/SEI?
CMM stands for (Software) Capability Maturity Model. It provides a structure for the following:
1. Quality software development
2. Quality software maintenance

What is the SEI and CMM relationship? Is SEI a different model?
This is often misunderstood. SEI is the Software Engineering Institute of Carnegie Mellon University; CMM is the model it developed, not a separate one. In connection with CMM, SEI has defined a set of:
1. Activities
2. Policies
3. Methods
4. Transformations
(For more information, see "The Capability Maturity Model: Guidelines for Improving the Software Process", Addison-Wesley, 1995.)

What are the 5 SEI Maturity Levels?
Level 1: Initial: the process is not structured; everything is ad hoc. However, the people involved are very competent.
Level 2: Repeatable: project processes are more formalized.
Level 3: Defined: the process is standardized (re-engineered) across the organization.
Level 4: Managed: processes are measured and managed quantitatively.
Level 5: Optimizing: ongoing improvement of the processes.


What are the details of the 5 SEI Maturity Levels?
1. Level 1: Initial: the process is not structured.
   i. Everything is ad hoc
   ii. However, the people involved are really competent
   iii. Poor system, excellent people
2. Level 2: Repeatable: the project processes are more mature.
   i. Disciplined management of the process
   ii. Planning and tracking of functionality, cost and schedule is done
   iii. A learning environment is present
   iv. The process can be repeated on other projects of similar nature and size
3. Level 3: Defined: a re-engineering of the process is done.
   i. Standard process across the organization for:
      1. Software management
      2. Software engineering
      3. Software integration
      4. Documentation
   ii. Almost everything is institutionalized
4. Level 4: Managed: processes are being managed quantitatively.
   i. Everything is already well-defined and institutionalized
   ii. This is the time for quantitative management and control
   iii. Greater degree of precision
   iv. Better control
   v. The organization works towards a zero-defect goal
5. Level 5: Optimizing: ongoing improvement of the processes.
   i. Everything is already controlled quantitatively
   ii. Continuous process improvement


What is CMMI?
CMMI (Capability Maturity Model Integration)
a. CMMI is the integration of the CMMs for:
   i. Software
   ii. Systems engineering
   iii. Integrated product and process development
b. All of the CMMs combined into one model
c. Describes five maturity levels, which differ in detail from those of the original software CMM
d. Considered less aligned with the traditional waterfall approach and better aligned with contemporary (iterative, component-based) software development


Points to Remember:
2. SDLC is also referred to as the waterfall technique.
3. SDLC is the oldest technique.
4. The payback of the project is assessed in its feasibility study.
5. A security plan is drawn up in the design phase of the SDLC.
6. The change control process is established in the design phase.
7. Certification and accreditation of the system take place in the implementation phase.
8. The phases of the SDLC vary according to the situation, i.e. whether a developed or an acquired solution is chosen.
   a. ROI is computed in the feasibility study.
9. The IS Auditor must make sure that adequate requirements are defined.
10. Software acquisition is not a phase in the SDLC.
11. Users are not normally involved in the (detailed) design phase.
12. Test plans are developed in the design phase.
13. Test plans cover the following:
   a. Unit: program
   b. Subsystem: module
   c. Integration: system
14. A software baseline is the cut-off point in design and development beyond which further requirement changes must go through formal change control.
15. The end of the design phase is the last point at which the software should be baselined.
16. A typical project ends up costing about 25% more than estimated.
17. IS Auditor involvement in business system development:
   a. Proper controls
   b. Test plans
   c. Checking the effectiveness of the design
18. Program coding standards are a must for any organization.
19. IDE (Integrated Development Environment) = online programming facility.
20. Programs can be edited and compiled online in an IDE; this saves time.
21. Tools to debug:
   a. Logic Path Monitor: reports the sequence followed by the program and helps to trace errors
   b. Output Analyzer: checks actual results against expected results
   c. Memory Dump: gives a picture of internal memory
22. Two approaches to integration testing:
   a. Bottom-up: begins with the smallest possible unit, called an "atomic unit"
      i. No need for stubs and drivers
      ii. Critical errors in the modules are identified early
   b. Top-down:
      i. Focus is on either of the following:
         1. Major functions are verified first
         2. Major interface errors are detected early
      ii. The top-down approach may proceed either:
         1. Breadth-first
         2. Depth-first
23. Rule of thumb: if you suspect the problem lies in the interfaces between modules, use the top-down approach, which exercises those interfaces first; if you suspect the problem lies in the functionality of individual modules, use the bottom-up approach.
24. Stubs (place-holders for lower-level modules not yet written) are only required for the top-down approach.
25. Large systems are typically tested bottom-up.
26. Remember, the final UAT and the accreditation and certification take place in the implementation phase.
27. UAT should be performed in a secured testing or staging library.
28. Accreditation and certification follow once UAT is complete.
29. 1967: first object-oriented language, Simula 67
30. 1970s: Smalltalk
31. 1990s: Java
32. OOSD treats data and procedures together; in the traditional method data is data and procedures are the programs, and the two are treated separately.
33. OOSD claims it mirrors real life: people look at objects, which are data and functionality combined.
34. Key words in OOSD are object, attribute, method, class and template.
35. Classes are the basis for most object design work.
36. A class is either a superclass or a subclass of another class (class hierarchy).
37. A class may inherit an attribute or method from its superclass.
38. A class can aggregate or share data.
39. OOSD can be used in web applications, e-business, CASE tools, AI and CAM.
40. OOSD equations:
   a. Object = Data + Procedures
   b. Attribute = Object's data
   c. Method = Object's functionality
   d. Class = Template used to create objects
   e. Template = Collection of the characteristics of a class
   f. Object = Template + Data
   g. Message = Request for a service / interaction between objects
   h. Polymorphism = The same message produces different behaviour depending on the class of the receiving object and what it inherits.
41. COM/DCOM are standards, not products.
42. CORBA and COM use RPC-style invocation.
43. XML
   a. XML, Extensible Markup Language: platform-independent markup for structured data
   b. Two common XML-based web service standards: SOAP and WSDL
   c. SOAP stands for Simple Object Access Protocol.
      i. SOAP = XML + API
      ii. SOAP can be compared to RPC
   d. WSDL stands for Web Services Description Language.
      i. Describes the operations a SOAP service exposes and how to call them
      ii. Defines the format of the SOAP messages
   e. UDDI stands for Universal Description, Discovery and Integration
      i. Used as the "yellow pages" of web services
      ii. A service provider publishes an entry in a UDDI directory
44. Prototyping
   a. Prototyping is also known as heuristic or evolutionary development.
   b. Prototyping is a controlled trial-and-error method for developing programs.
   c. Prototyping is a kind of risk-reduction mechanism.
   d. Prototyping = classic SDLC + iterative framework.
   e. In most cases users are provided with input and report screens.
   f. Two approaches to prototyping:
      i. Develop the model first, then the system
         1. User expectations are high: they think the system is already there
         2. What still needs to be added:
            a. Checks and controls
            b. Handling of production transaction volumes
            c. Connectivity routines
            d. Adaptability
      ii. Build the actual system directly
         1. Use of a 4GL
         2. Quick and dirty approach
   g. Problem with prototyping: many "goodies" and extras, but not efficient
   h. Potential risks of a prototyped system: poor controls; poor change controls; changes are so quick and easy that they are hardly documented.
   i. Good for users: the developer focuses on what the user wants and what the user sees
   j. Cost-efficient.


45. RAD (Rapid Application Development)
   a. Techniques used in RAD:
      i. Evolutionary prototyping
      ii. Central repository
      iii. Interactive requirements and design workshops
      iv. Powerful tools for:
         1. Modeling
         2. Prototyping
         3. Component reusability
   b. What RAD supports:
      i. Analysis
      ii. Design
      iii. Development
      iv. Implementation
   c. What RAD does not support:
      i. Analysis and planning for the organization as a whole
   d. RAD reduces cost and increases quality
   e. The main emphasis is on reusing existing components
   f. Four major stages of RAD:
      i. Definition: business functions and relevant data
      ii. Functional Design: workshops to model procedures and data; prototypes of the critical components
      iii. Development: everything in the traditional model, i.e. building the database, application programs and conversion routines
      iv. Deployment: UAT, training and data conversion
46. Agile Development
   a. A method for quickly delivering complex systems in a way flexible enough to handle change.
   b. Small timeframes (short iterations)
   c. The project is re-planned after each iteration
    d. Small and qualified team from the business and technical sides
    e. Strict time limit for meetings
    f. Pair-wise programming: 2 people and 1 program; QA and knowledge sharing
    g. Only look at planning the next phase
    h. No need to focus on an adaptive baseline.
    i. No repeatable process; rather adjustment after frequent reviews and inspections.
47. Reverse Engineering
    a. Decomposing executable code or object code
    b. More black-box testing
    c. Faster development and improved product; reduces the SDLC
    d. Sometimes considered to be unethical
    e. Risk of being taken to court if the software agreement prohibits reverse engineering.
48. Change Control
    a. Should have all relevant information
    b. Programmer should not have any access to the production machine, not even Read Access.
    c. Approval for the change request comes from User Management
    d. Things that should be under change management:
        i. Access to the program library
        ii. Supervisory review
        iii. Change request approval
    e. Auditor should select a change and follow its audit trail, or should follow a valid change request
    f. Emergency IDs are an area of concern.
    g. Who should move the system from test to production? Operations, QA or some other control group.
    h. Special care should be taken of emergency passwords
49. Configuration management
    a. Maintenance requests are monitored by the change control group
    b. Controls are reviews, checkpoints and sign-off practices and procedures
50. How production is separated from test: library control software
51. On the basis of authorization the program can be moved from test to production
52. Production should have one corresponding source code
53. Once the program has been modified, it should be moved to the "Production Source Code Library"
54. Manual review of the source code is not effective
55. Project management practices
    a. Earlier projects were evaluated on the basis of SLOC (Single Line of Control)
    b. Later became known as Function Point Analysis
        i. Depends upon the number and complexity of
            1. Inputs
            2. Outputs
            3. Files
            4. Inquiries
            5. Total Count
        ii. Productivity is computed as FP/Person-month
        iii. Quality is computed as Defects/FP, and cost.
56. Tasks can be computed in people hours or machine hours
57. Budgeting = Estimation of Human Effort + Estimation of Machine Effort
58. Scheduling = Sequential relationships among the tasks
59. Software Cost Estimation Constraints:
    a. Language to be used
    b. Main storage
    c. Data storage
    d. Execution time
    e. Computer access
    f. Security environment
    g. Target machine
    h. Staff practices
60. Critical Path Method
    a. The critical path is the path where the sum of activity times is longest
    b. On the critical path, Slack Time = 0
    c. Activities with Slack Time = 0 are on the critical path
61. Gantt Chart
    a. Shows when an activity or task should begin and when it should end
    b. Shows which activities should progress concurrently
62. PERT: Program Evaluation Review Technique
    a. Used in the construction industry and the army
    b. Can be used for project planning and control
    c. Assumes a project is a collection of tasks/activities
        i. Activities can be started and stopped independently of each other
        ii. Activities might have precedence constraints or relationships
    d. Components of a PERT chart are as follows:
        i. Events are represented by circles. All of the activities before the event are assumed to be completed:
            1. End point of an activity (milestone, in Gantt terms)
            2. Spend no time
            3. Consume no resources
        ii. Activities are represented by lines and arrows.
            1. Process = Activity
            2. An activity requires time and resources
            3. Each activity begins and ends with an event
    e. First thing to do is to "identify activities" and the sequence of each
    f. Be careful not to overlook any activity
    g. There is an inherent uncertainty in PERT
    h. To determine task completion, three estimates are used:
        i. Optimistic
        ii. Pessimistic
        iii. Most likely
    i. Once the critical path has been defined, the PERT duration can be calculated
    j. Critical Path = (Optimistic + 4 x Most Likely + Pessimistic) / 6
    k. If you want to complete a project early, shorten the critical path, i.e. accelerate the activities on the CP. However, if any activity on the CP is delayed, the project will be delayed.
63. Time Box Management
    a. Used for definition and deployment of software deliverables
    b. Absolute time is allocated for each deliverable
    c. Provides a balance between software quality and the time box
    d. Flexibility in scoping requirements
    e. No flexibility in quality
    f. Good for prototyping and RAD
    g. Not recommended for SDLC
64. CASE: Automated tools for software development
    a. Provide a uniform approach to development
    b. Produce DFDs (Dataflow diagrams) as well as data elements
    c. Even CASE requires an application design
    d. CASE maintains the repository of items
    e. Three types of CASE:
        i. Upper CASE: Used for business and application requirement definition
            1. Data object definitions and relationships
            2. Process definitions and relationships
        ii. Middle CASE: Used for detailed design
            1. Screen layout
            2. Report layout
            3. Process flow
            4. Object organization
            5. Editing criteria
        iii. Lower CASE: Used to aid/replace programming
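The following is an added worked example, not part of the study guide: it applies the weighted estimate from item 62.j to each activity of a small constructed network, then does the forward and backward pass that items 60.a-c describe, so that slack can be read off and the zero-slack activities identified as the critical path. The activity names, estimates and precedence relationships are constructed for illustration.

```python
"""Added example (not from the study guide): PERT expected durations and the
critical path (zero-slack activities) over a constructed activity network."""


def pert_expected(optimistic, most_likely, pessimistic):
    """Weighted estimate from the guide: (O + 4M + P) / 6."""
    return (optimistic + 4 * most_likely + pessimistic) / 6


# Constructed sample network: name -> (optimistic, most likely, pessimistic, predecessors)
SAMPLE_NETWORK = {
    "A": (2, 4, 6, []),
    "B": (1, 2, 9, ["A"]),
    "C": (3, 5, 7, ["A"]),
    "D": (2, 3, 4, ["B", "C"]),
}


def _topo_order(network):
    """Kahn's algorithm over the precedence relationships; rejects cycles."""
    indeg = {n: len(network[n][3]) for n in network}
    ready = [n for n in network if indeg[n] == 0]
    order = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for s in network:
            if n in network[s][3]:
                indeg[s] -= 1
                if indeg[s] == 0:
                    ready.append(s)
    if len(order) != len(network):
        raise ValueError("cycle in precedence relationships")
    return order


def schedule(network):
    """Forward pass (earliest start/finish), backward pass (latest start/finish)
    and slack for every activity, keyed by activity name."""
    te = {n: pert_expected(o, m, p) for n, (o, m, p, _) in network.items()}
    order = _topo_order(network)
    es, ef = {}, {}
    for n in order:                                   # forward pass
        es[n] = max((ef[p] for p in network[n][3]), default=0.0)
        ef[n] = es[n] + te[n]
    project_end = max(ef.values())
    ls, lf = {}, {}
    for n in reversed(order):                         # backward pass
        succs = [s for s in network if n in network[s][3]]
        lf[n] = min((ls[s] for s in succs), default=project_end)
        ls[n] = lf[n] - te[n]
    return {n: {"te": te[n], "es": es[n], "ef": ef[n], "ls": ls[n], "lf": lf[n],
                "slack": round(ls[n] - es[n], 6)} for n in order}


def critical_path(network):
    """Activities with zero slack, in schedule order (guide items 60.b and 60.c)."""
    return [n for n, v in schedule(network).items() if abs(v["slack"]) < 1e-9]


def project_duration(network):
    """Length of the longest path, i.e. the sum of critical-path durations (60.a)."""
    return max(v["ef"] for v in schedule(network).values())


if __name__ == "__main__":
    for name, v in schedule(SAMPLE_NETWORK).items():
        print(name, v)
    print("critical path:", critical_path(SAMPLE_NETWORK),
          "duration:", project_duration(SAMPLE_NETWORK))
```

On the sample network A-B-D has slack of 2 on B, while A-C-D has none, so shortening B alone would not finish the project earlier; only accelerating A, C or D would, which is the point of item 62.k.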
            1. Generate program code
            2. Generate database definitions
            3. Uses the following:
                a. Design information
                b. Database rules for the system
                c. Programming rules, etc.
65. ISO-9126
    a. Standard for quality software
    b. Looks at the following:
        i. Functionality
        ii. Reliability
        iii. Usability
        iv. Efficiency
        v. Maintainability
        vi. Portability
66. CMM
    a. Developed by Carnegie Mellon's Software Engineering Institute
    b. Maturity model means a framework
    c. Improves and enhances the software life cycle
    d. Reduces delay
    e. Minimizes cost over-runs
    f. Five (5) Levels
    g. Level 1: Initiation: Initially the process is not very structured.
        i. Everything is ad-hoc.
        ii. However, the people who are involved are really competent.
        iii. Poor system, excellent people
    h. Level 2: Repeatable: At this level the project processes are more mature.
        i. Disciplined management of the process
        ii. Planning and tracking of functionality, cost and scheduling is done
        iii. A learning environment is present
        iv. Process can be repeated in other projects of similar nature and size
    i. Level 3: Defined: A type of re-engineering of the process is done.
        i. Standard process across the organization for
            1. Software management
            2. Software engineering
            3. Software integration
            4. Documentation
        ii. Almost everything is institutionalized
    j. Level 4: Managed: Processes are being managed properly
        i. Everything is already well-defined and institutionalized
        ii. This is the time for Quantitative Managed Control
        iii. Greater degree of precision
        iv. Better control
        v. Organization reaches the zero-defect goal
    k. Level 5: Optimized: Ongoing improvement of the processes.
        i. Everything is already controlled quantitatively
        ii. Continued process of improvement
67. CMMI (Capability Maturity Model Integration)
    a. CMMI is the integration of CMM for
        i. Software
        ii. System engineering
        iii. Integrated product development
    b. All CMMs combined in one
    c. Describes five maturity models which are different from the original CMM
    d. Not allied with the waterfall approach to any great extent
        i. Iterative development
        ii. Early architecture definition
        iii. Model-based design
        iv. Component-based development
        v. Assessment of intermediate

Domain 7: Business Process Evaluation and Risk Management


BPR
What is BPR and why is it initiated?
1. BPR is Business Process Re-Engineering
    a. Initiated because of
        i. Economic pressures
        ii. Competitive factors
        iii. Customer demands
    b. Most of the time it is automated, with minimal manual control interventions

What goals are achieved through BPR?
Goals achieved through BPR:
    a. Cost-saving
    b. Streamlining of operations

What are the six steps of BPR?
Six steps of BPR:
    i. Define the areas to be reviewed
    ii. Project plan
    iii. Process understanding and review
    iv. Redesign and streamline the process
    v. Implement and monitor the new process
    vi. Continuous improvement

What are the three keywords for understanding BPR?
The three keywords for BPR are: Process, Process, Process


What are the different steps for BPR?
    o First step is to identify the process
    o Then identify
        - The process customer
        - The process-based manager/owner
    o The baseline process should be documented
    o The key concern in BPR is that major controls can be dropped during the re-engineering process
    o Role of benchmarking in BPR:
        - Improve the business process
        - Continuous improvement of
            - Products
            - Services
            - Process

What is benchmarking and how is it used in BPR?
Steps for benchmarking:
1. Plan:
    a. Identification of the critical processes to be benchmarked
    b. Identify the measurement criteria
    c. Identify what data is to be collected
    d. Identify how the data will be collected
2. Research
    a. Collection of baseline data about own processes
    b. Collect the same relevant data on others, from Quality Award winners, magazines and newspapers
3. Observe
    a. Collect data on other parties through
        i. Visits
        ii. Observation
    b. Sharing documented resources
4. Analyze
    a. Summarize and interpret the collected data
    b. Analyze the gaps between your benchmark and others
    c. Change the findings into operational goals
5. Adapt
    a. Translate the findings into some core rules and principles
    b. Change high-level objectives and strategies into an action plan
6. Improve
    a. Continuous process
    b. The process is linked to an improvement strategy for the company's goals and risk management


Risk Management
Why is Risk Management undertaken?
1. RM is the process of making decisions
2. Basic policy decisions in RM are:
    a. Impact of the negative effect/successful attack
    b. Level of acceptable risk
    c. The challenge of risk management is balancing impact against countermeasures
4. RM starts with risk analysis
5. Risk Analysis means identifying threat, vulnerability, and impact
6. RM = RA + Discussion about the Acceptable Risk Level + Risk Treatment

What is the Total Risk Formula?
Total Risk = Threat x Vulnerability x Asset Value

What are the four (4) things that can be done regarding Risk Assessment?
Four (4) things can be done regarding risk:
1. Transferred
2. Rejected, ignored (dangerous)
3. Reduced by counter-measures
4. Accepted (if the cost of control exceeds the benefits)

How is the Risk Management Process handled?
Risk Management Process
1. Identification of Assets
    a. Examples of assets
        i. Information
        ii. Services
        iii. Hardware/Software
        iv. Personnel
2. Identification of Threats
    i. Errors
    ii. Fraud
    iii. Theft
    iv. Software failure
    v. Equipment failure
    vi. Malicious attacks
3. Identifying Vulnerabilities: A poorly designed system/process may have a lot of vulnerabilities. Some examples are as follows:
    i. Poor passwords
    ii. Un-patched systems
    iii. Poorly trained staff
    iv. New, beta technology
    v. Communication over un-trusted lines
    vi. Lack of security functionality
4. Calculate the Impact in situations where the threat has exploited the vulnerability. Impacts may be the following:
    i. Loss of money
    ii. Loss of goodwill/reputation
    iii. Legal breach
    iv. Loss of business
    v. Business interruption
    vi. Exposure of customers
5. Countermeasures: Once the risk has been identified it can be controlled
    i. Controls for risk are known as counter-measures/safeguards
    ii. Controls can take the form of one of the following:
        1. Devices
        2. Actions
        3. Procedures
        4. Techniques
    iii. Controls can take any form:
        1. Detective
        2. Preventative
        3. Automated
        4. Manual
        5. Formal
        6. Ad-hoc
6. Residual Risk: Even if the controls are applied, the risk will not be zero. The remaining risk is known as residual risk
    i. Further controls might be required in this area
    ii. The process should go on until acceptable risk is reached
7. Acceptable Risk: Management should define the level of acceptable risk.
    i. If the ratio Residual Risk : Acceptable Risk is
        1. More than 1, then further controls should be applied to reduce the risk
        2. Less than 1, then some controls should be removed, as excessive controls are being applied
    ii. Factors affecting the acceptable risk level are as follows:
        1. Corporate policy
        2. Risk identification and measurement methods
        3. Methodology of risk assessment
        4. Cost of the controls
        5. Effectiveness of controls
        6. Nature of business
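An added worked example, not part of the study guide, that puts the Total Risk formula, the residual-risk loop of item 6 and the residual : acceptable ratio rule of item 7 together on constructed figures. The guide gives no scale for threat and vulnerability, so the example assumes both are likelihoods between 0 and 1; the multiplicative effect of each control and the cheapest-first selection heuristic are also the example's own assumptions, as are the asset value and the control list.

```python
"""Added example (not from the study guide): Total Risk = Threat x
Vulnerability x Asset Value, residual risk after controls, and the
residual : acceptable ratio decision.  All figures are constructed."""


def total_risk(threat, vulnerability, asset_value):
    """Guide formula.  Assumption: threat and vulnerability are likelihoods on
    0..1, asset value is in currency units, so the result is an expected loss."""
    for name, v in (("threat", threat), ("vulnerability", vulnerability)):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must be a likelihood between 0 and 1")
    return threat * vulnerability * asset_value


def residual_risk(risk, controls):
    """Each control is (name, effectiveness on 0..1, annual cost).  Assumption:
    every control removes its effectiveness share of whatever risk remains."""
    remaining = risk
    for _name, effectiveness, _cost in controls:
        remaining *= 1.0 - effectiveness
    return remaining


def treatment_decision(residual, acceptable):
    """Guide item 7.i: compare the residual : acceptable ratio with 1."""
    ratio = residual / acceptable
    if ratio > 1.0:
        return "add controls"
    if ratio < 1.0:
        return "remove excessive controls"
    return "at acceptable level"


def select_controls(risk, acceptable, candidates):
    """Guide item 6.ii: keep applying controls until acceptable risk is reached.
    Constructed heuristic: try candidates in order of cost per unit of
    effectiveness, and skip any control whose cost exceeds the risk it removes
    (the guide's 'accept if the cost of control exceeds the benefits')."""
    chosen, remaining = [], risk
    for ctrl in sorted(candidates, key=lambda c: c[2] / c[1]):
        if remaining <= acceptable:
            break
        benefit = remaining * ctrl[1]
        if ctrl[2] > benefit:
            continue
        chosen.append(ctrl)
        remaining -= benefit
    return chosen, remaining


# Constructed scenario: a customer database worth 500,000, threat likelihood
# 0.5, vulnerability likelihood 0.8, and three candidate controls.
SAMPLE_RISK = total_risk(0.5, 0.8, 500_000)
SAMPLE_CONTROLS = [
    ("patch management", 0.6, 20_000),
    ("MFA on admin access", 0.5, 15_000),
    ("DLP gateway", 0.3, 90_000),
]
SAMPLE_ACCEPTABLE = 40_000

if __name__ == "__main__":
    chosen, remaining = select_controls(SAMPLE_RISK, SAMPLE_ACCEPTABLE, SAMPLE_CONTROLS)
    print("total risk:", SAMPLE_RISK)
    print("controls applied:", [c[0] for c in chosen], "residual:", remaining)
    print("decision:", treatment_decision(remaining, SAMPLE_ACCEPTABLE))
    print("residual if all three applied:", residual_risk(SAMPLE_RISK, SAMPLE_CONTROLS))
```

In the scenario the two cheaper controls bring the residual down to exactly the acceptable level, so the DLP gateway is never applied; had it been applied anyway, the ratio would drop below 1 and item 7.i.2 would call the control set excessive.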


IT Governance
What does IT governance cover?
IT Governance = Information Systems + Communication Technology + Business + Directors + Stockholders + Process owners + Senior Management

What is the main objective of IT governance?
1. Main objective of governance: IT alignment with the enterprise's strategies and objectives
2. Controls in organizations are guaranteed by following best practices
3. Good IT governance will ensure:
    a. IT is supporting the business objectives
    b. Resources of the organization are being used responsibly
    c. Due care is taken to manage the risk appropriately
4. IT is no longer an enabler of the company strategy; it is part of it.
5. Proper coordination is required between senior management and IT Management/the IT Specialists

What is a balanced IT scorecard?
Balanced IT scorecard
1. Can be applied to IT Governance
2. Scorecard focuses on:
    a. User satisfaction (Customer)
    b. Operational/internal processes
    c. Innovation for improvement
3. Typical 4 perspectives of a scorecard:
    a. To become/remain the preferred supplier of IT services and applications
    b. To be efficient and effective in Information Systems
    c. To give a proper business contribution for the IT investment
    d. Get ready for future business and technological challenges.

Application Controls
What is a Batch Control?
A Batch Control is used for offline processing of applications

What are the four (4) ways of processing input errors?
There are four (4) ways of handling input errors:
1. Reject the faulty transaction
2. Reject the whole batch if it has even a single faulty transaction
3. Batch is accepted but suspended
4. Batch is accepted and processed, but the faulty transactions are flagged

What are the seven (7) input control techniques?
There are seven ways of controlling inputs:
1. Logging all Transactions: The log is reconciled to the source documents
2. Log + Reconciliation Routine: Data is only processed when reconciled
3. Error Correction Routines and Procedures: Most of it is automated
4. Log of Transmission: Logs all transactions
5. Anticipation: Proactive measures
6. Documentation: Written procedures for handling different situations
7. Marking Source Documents: Marking the source document as it is processed
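The following added example is not from the study guide: it shows a batch input control in code. A constructed batch header carries the control totals keyed by the clerk (record count, amount total and a hash total of account numbers); the batch is processed only once those totals reconcile (input control 2), and a faulty transaction inside a reconciled batch is then handled under one of the four error-handling policies above. The record layout, the per-transaction edit rules and the sample batch are all constructed for illustration.

```python
"""Added example (not from the study guide): control-total reconciliation for
a batch plus the guide's four input-error handling policies.  Record layout,
edit rules and sample data are constructed."""
from enum import Enum


class ErrorPolicy(Enum):
    REJECT_TRANSACTION = 1   # 1. reject only the faulty transaction
    REJECT_BATCH = 2         # 2. reject the whole batch on any fault
    SUSPEND_BATCH = 3        # 3. accept the batch but hold it for correction
    FLAG_AND_PROCESS = 4     # 4. process the batch, flag the faulty items


# Constructed batch: the header holds the control totals keyed from the
# source documents; the hash total is the (meaningless) sum of account numbers.
SAMPLE_HEADER = {"record_count": 4, "amount_total": 1250.00, "hash_total": 4710}
SAMPLE_BATCH = [
    {"seq": 1, "account": 1001, "amount": 500.00},
    {"seq": 2, "account": 1207, "amount": -50.00},   # faulty: negative amount
    {"seq": 3, "account": 1302, "amount": 400.00},
    {"seq": 4, "account": 1200, "amount": 400.00},
]


def reconcile(header, batch):
    """Compare the batch against the keyed control totals; list any mismatches."""
    problems = []
    if len(batch) != header["record_count"]:
        problems.append("record count")
    if round(sum(r["amount"] for r in batch), 2) != header["amount_total"]:
        problems.append("amount total")
    if sum(r["account"] for r in batch) != header["hash_total"]:
        problems.append("hash total")
    return problems


def validate_record(rec):
    """Per-transaction edit (constructed rules: positive amount, 4-digit account)."""
    errors = []
    if rec["amount"] <= 0:
        errors.append("amount must be positive")
    if not 1000 <= rec["account"] <= 9999:
        errors.append("account outside valid range")
    return errors


def process_batch(header, batch, policy):
    """Return (status, sequence numbers processed, sequence numbers flagged).
    A batch whose totals do not reconcile is rejected before any edit runs."""
    mismatches = reconcile(header, batch)
    if mismatches:
        return ("rejected: control totals " + ", ".join(mismatches), [], [])
    faulty = [r["seq"] for r in batch if validate_record(r)]
    if not faulty:
        return ("processed", [r["seq"] for r in batch], [])
    if policy is ErrorPolicy.REJECT_BATCH:
        return ("rejected: faulty transactions", [], faulty)
    if policy is ErrorPolicy.SUSPEND_BATCH:
        return ("suspended pending correction", [], faulty)
    if policy is ErrorPolicy.REJECT_TRANSACTION:
        good = [r["seq"] for r in batch if r["seq"] not in faulty]
        return ("processed with rejections", good, faulty)
    return ("processed with flags", [r["seq"] for r in batch], faulty)


if __name__ == "__main__":
    for policy in ErrorPolicy:
        print(policy.name, process_batch(SAMPLE_HEADER, SAMPLE_BATCH, policy))
    print(process_batch(dict(SAMPLE_HEADER, record_count=5), SAMPLE_BATCH,
                        ErrorPolicy.FLAG_AND_PROCESS))
```

Whichever policy is chosen, the flagged sequence numbers are the input to the error-correction routine (input control 3), and the record of which transactions were held back is what lets the output later be balanced to the controls.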

What are the six (6) Processing Controls?
1. Total of six Processing Controls:
    a. Recalculations (Manual): Recalculations are done on sample transactions only
    b. Editing: Routine or plug to ensure the data is valid
    c. Run-to-run totals: The keyword to remember is "Stages". Application controls are applied to all stages of the application. Where controls are applied, they tell us two things:
        i. Data was accepted
        ii. Data was applied
    d. Automated controls/programmed controls: These are the programmed controls, which not only detect but also initiate the corrective actions.
    e. Reasonableness checks of calculated amounts: e.g. salary can't be 1,000,000
        i. Limit checks: To check pre-determined limits.


Data Validation Edit Controls


What are the twelve (12) types of Data Validation Edit Controls?
1. Total of 12 Data Validation Edit Controls
    a. Sequence/Serial Number Check: Out-of-sequence or duplicate numbers are rejected
    b. Limit Checks: Predetermined limits are checked
    c. Range Checks: Values should be between two limits
    d. Validity Check: Sex code can only be M or F
    e. Reasonableness Check: Salary can't be 1 million dollars
    f. Existence Check: The check-printing program should check that the invoices against which checks are prepared exist
    g. Table Check/Lookup: Zip code is checked against the table for validity
    h. Key Check/Verification: The same data is entered by another employee, and the two keyings verify whether the data entered was correct
    i. Completeness Check: Check for a null value in the primary field, or check for the minimum characters required for a password
    j. Duplicate Checks: No duplicates in fields such as check number and invoice number
    k. Logical Checks: Date of marriage should be at least 18 years after date of birth
    l. Check Digits: The following should be noted regarding check digits:
        a. Numeric value
        b. Valid for TRANSPOSITION AND TRANSCRIPTION errors
        c. Normally in a bank account number the last digit is the check digit
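An added worked example, not part of the study guide: an edit routine that runs several of the twelve controls above (sequence, validity, reasonableness, table lookup, completeness, logical and check digit) over constructed employee records. For the check digit the example uses a weighted modulus-11 scheme (the same one ISBN-10 uses); the guide names no particular algorithm, so that choice, the field names, the limits and the sample records are all the example's own. It shows the property item l.b states: the check digit catches both a transposition of two adjacent digits and a transcription error in one digit.

```python
"""Added example (not from the study guide): data validation edit controls
with a weighted modulus-11 check digit.  Field names, limits and records are
constructed for illustration."""
from datetime import date

VALID_SEX_CODES = {"M", "F"}               # validity check
SALARY_LIMIT = 1_000_000                   # reasonableness / limit check
ZIP_TABLE = {"10001", "94105", "60601"}     # table check / lookup
MIN_PASSWORD_CHARS = 8                     # completeness check


def check_digit(body):
    """Weighted modulus-11 check digit for a digit string.  Weights 2, 3, 4, ...
    run from the rightmost digit; the result makes the weighted sum divisible
    by 11.  'X' stands for the value 10, as in ISBN-10."""
    weighted = sum(int(d) * w for d, w in zip(reversed(body), range(2, 2 + len(body))))
    remainder = (11 - weighted % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def has_valid_check_digit(number):
    """True when the last character is the correct check digit for the rest."""
    return len(number) >= 2 and check_digit(number[:-1]) == number[-1].upper()


def _plus_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:                     # 29 February in a non-leap year
        return d.replace(year=d.year + years, day=28)


def validate(rec, previous_seq):
    """Run the edit controls over one record; return the names of the failed ones."""
    errors = []
    if rec["seq"] != previous_seq + 1:                       # sequence check
        errors.append("sequence")
    if rec["sex"] not in VALID_SEX_CODES:                    # validity check
        errors.append("validity")
    if not 0 < rec["salary"] <= SALARY_LIMIT:                # reasonableness check
        errors.append("reasonableness")
    if rec["zip"] not in ZIP_TABLE:                          # table lookup
        errors.append("table lookup")
    if not rec["name"]:                                      # completeness check
        errors.append("completeness")
    if len(rec["password"]) < MIN_PASSWORD_CHARS:
        errors.append("completeness (password)")
    married = rec["married"]                                 # logical check
    if married is not None and married < _plus_years(rec["birth"], 18):
        errors.append("logical")
    if not has_valid_check_digit(rec["account"]):            # check digit
        errors.append("check digit")
    return errors


# Constructed records: GOOD passes every control, BAD fails several.
GOOD = {"seq": 1, "name": "A. Clerk", "sex": "F", "salary": 52_000, "zip": "94105",
        "password": "correcthorse", "birth": date(1980, 5, 1),
        "married": date(2005, 6, 1), "account": "123455"}
BAD = dict(GOOD, seq=3, sex="X", salary=5_000_000, married=date(1990, 1, 1),
           account="213455")   # 12 and 21 transposed in the account number

if __name__ == "__main__":
    print("GOOD:", validate(GOOD, 0))
    print("BAD: ", validate(BAD, 1))
    print("transposition 213455 valid?", has_valid_check_digit("213455"))
    print("transcription 123445 valid?", has_valid_check_digit("123445"))
```

A plain modulus-10 sum would miss the transposition case entirely, because swapping two digits does not change their sum; the position-dependent weights are what make the check digit sensitive to order.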

What are the seven (7) output controls?
Total of seven (7) output controls:
1. Logging of sensitive information
    a. Sensitive output should be logged and traced until it can be filed properly or shredded.
    b. Reconciliation of the logs at regular intervals should be carried out
2. Critical Forms Generation
    a. Critical forms, such as checks and others, should be logged
    b. An inventory should be kept
    c. All exceptions should be recorded and accounted for (as with check printing, for example)
3. Report Distribution
    a. Authorized, controlled distribution is a must
    b. Reports must be delivered as per the schedule
    c. The printer spool must be protected against accidental deletion
    d. Reports distributed electronically should be controlled as well
4. Reconciling and Balancing
    a. A proper audit trail should provide the reconciliation of the data
    b. Output should be balanced to controls
5. Retention Period
    a. Reports should be retained as per the legal requirements
    b. After the retention period they should be destroyed as per the policy of the company
6. Error Handling in Reports
    a. Error reports should be promptly delivered to the department concerned
    b. Error reports should be reviewed and the errors corrected
7. Receipt Report Verification
    a. Sensitive reports should be signed for on delivery
    b. Receipts should be kept on record

What are the eleven (11) Data File Controls?
Total of 11 Data File Controls
1. Prior and Later Image Reporting
    a. Also known as before-and-after image reporting
    b. The word "image" is pretty misleading. Here it only means a snapshot of the data before and after any transaction
2. Error Reporting Follow-up and Handling
    a. All of the error reports should be followed up properly
    b. Segregation of duties is a must, or error reports might be ignored.
    c. Error correction should be reviewed by a person other than the one who initiated the process
3. Media Labeling (Internal/External)
    a. External labeling is a must to ensure the proper media are used
    b. Internal labeling, like tape headers, reconfirms that the media used are correct
4. Source Documentation Preservation and Retention
    a. Preservation and retention are required for
        i. Verification
        ii. Troubleshooting
        iii. Restructuring of the data
    b. Source documentation should be maintained as per the policy of the organization
5. One-for-One Checking
    a. Each and every source document must agree with the computer-processed document
    b. Follow-ups should be maintained
6. Security of Data Files
    a. Ensure that unauthorized people don't have access
        i. Data file access must be as per the authorization level
7. Preprinted/Pre-recorded Inputs
    a. Certain information, e.g. company name and branch name, can be preprinted
    b. Avoids input errors
8. Version Control
    a. Proper versions of the files should be controlled
    b. Critical for correct file processing
9. Transaction Logging
    a. A transaction log is a must for an audit trail
    b. Posting and processing of the transaction can be traced
    c. Helps in troubleshooting
10. Proper Authorization for Updating and Maintenance
    a. Proper authentication and authorization is a must
        i. Most systems just rely on operating system authentication
        ii. The application should have its own authorization and authentication mechanism
        iii. File and data integrity is a must, as well as making sure that authorized updating and maintenance is done
11. Check Digit/Parity Check
    a. The concepts of check digit and parity check are often confused
        i. Check Digit: A digit added to the end of an account number or critical field. Can be seen, can be manual
        ii. Parity Check: Internal to the computer. Applied to the data stored or transmitted by the computer.
    b. Parity checks are commonly divided into the following:
        i. Vertical Check/Column Check: Applied to a single character
        ii. Horizontal/Row/Longitudinal Check: Applied to multiple characters, on all the equivalent bits.

What are the four (4) Data Integrity controls?
Four (4) Data Integrity Tests
1. Domain Integrity
    a. Objective: Data validation and check edit routines are working
    b. Test Level: Field level
    c. Ensure:
        i. Data is as per the definitions
        ii. The field has a legitimate value
2. Relational Integrity
    a. Objective: Data validation through routines and programs
    b. Test Level: Record-based
    c. Ensure the data is correct using either of the following:
        i. Data validation program inside the application
        ii. Cross-checking data legitimacy as per the table definition
3. Entity Integrity
    a. No null value in the primary key
    b. The value in the primary key must be unique
4. Referential Integrity
    a. Relationship between items (entities) in the database
    b. Consistent relationship between the primary key and the foreign key
    c. You cannot delete the primary key if there is a foreign key referencing it
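The parity checks of data file control 11 above, as an added example that is not from the study guide: a constructed 7-bit ASCII message is given a vertical (per-character) parity bit, and a longitudinal check byte is computed across all characters bit position by bit position. Even parity and the block layout are the example's own choices. Injected bit flips then show what each check catches on its own and why the two are used together.

```python
"""Added example (not from the study guide): vertical (per-character) and
longitudinal (per-bit-position) parity over a constructed 7-bit message."""


def vertical_parity_bit(byte7):
    """Even-parity bit for one 7-bit character: 1 when the data has an odd
    number of 1 bits, so that the whole 8-bit character has an even count."""
    return bin(byte7 & 0x7F).count("1") % 2


def encode_block(text):
    """Return (characters with the parity bit in bit 7, longitudinal check byte).
    The LRC holds the even parity of each bit position across all characters,
    which is simply the XOR of the characters."""
    chars, lrc = [], 0
    for ch in text.encode("ascii"):
        with_parity = ch | (vertical_parity_bit(ch) << 7)
        chars.append(with_parity)
        lrc ^= with_parity
    return chars, lrc


def check_block(chars, lrc):
    """Return (indexes of characters failing the vertical check,
               bit positions failing the longitudinal check)."""
    bad_chars = [i for i, c in enumerate(chars) if bin(c).count("1") % 2 != 0]
    running = 0
    for c in chars:
        running ^= c
    diff = running ^ lrc
    bad_bits = [b for b in range(8) if diff >> b & 1]
    return bad_chars, bad_bits


def flip_bit(chars, index, bit):
    """Simulate a transmission error in one bit of one character (constructed)."""
    out = list(chars)
    out[index] ^= 1 << bit
    return out


def check_after_errors(text, flips):
    """Encode text, apply the (index, bit) flips, and re-check the block."""
    chars, lrc = encode_block(text)
    for index, bit in flips:
        chars = flip_bit(chars, index, bit)
    return check_block(chars, lrc)


if __name__ == "__main__":
    print("clean:              ", check_after_errors("AUDIT", []))
    print("one bit flipped:    ", check_after_errors("AUDIT", [(2, 3)]))
    print("two bits, same char:", check_after_errors("AUDIT", [(2, 3), (2, 5)]))
    print("same bit, two chars:", check_after_errors("AUDIT", [(0, 3), (1, 3)]))
```

Two flipped bits inside one character leave its parity even, so only the longitudinal check notices; the same bit flipped in two different characters cancels out in the longitudinal check, so only the vertical check notices. Neither check corrects anything, and neither is a substitute for the visible, manually verifiable check digit the guide contrasts them with.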

What are the four (4) controls for OLTP?
Four (4) Data Integrity Tests for OLTP (Online Transaction Processing): ACID (Atomicity, Consistency, Isolation, Durability)
1. Atomicity:
    a. Either the transaction is complete or it is not
    b. More like all-or-nothing: either it is there, complete, or not at all
2. Consistency:
    a. The database is always consistent
    b. Moves from one consistent state to another
    c. Whatever state it is in, it is consistent
3. Isolation:
    a. Each and every transaction is isolated from the others
    b. There is no dependency between transactions
4. Durability:
    a. If the transaction is communicated as complete, then it is complete, no matter what disasters happen to the hardware or software.
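Entity integrity, referential integrity and atomicity from the two lists above, as an added example that is not from the study guide. It uses Python's built-in sqlite3 module on an in-memory database: the primary key enforces uniqueness and non-null values, the foreign key refuses an orphan row and refuses deletion of a referenced parent, and a two-statement transaction whose second statement violates a CHECK constraint is rolled back as a whole. The table names, columns and sample rows are constructed; note that sqlite3 enforces foreign keys only after `PRAGMA foreign_keys = ON`.

```python
"""Added example (not from the study guide): entity integrity, referential
integrity and atomicity shown with sqlite3 on a constructed schema."""
import sqlite3

SCHEMA = """
CREATE TABLE customer (
    id   INTEGER PRIMARY KEY NOT NULL,      -- entity integrity: unique and not null
    name TEXT NOT NULL
);
CREATE TABLE invoice (
    id          INTEGER PRIMARY KEY NOT NULL,
    customer_id INTEGER NOT NULL REFERENCES customer(id),   -- referential integrity
    amount      REAL NOT NULL CHECK (amount > 0)            -- domain check on the field
);
"""


def open_db():
    """Fresh in-memory database with one customer and one invoice (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")      # off by default in SQLite
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customer VALUES (1, 'Acme')")
    conn.execute("INSERT INTO invoice VALUES (10, 1, 250.0)")
    conn.commit()
    return conn


def attempt(conn, sql, params=()):
    """Run one statement in its own transaction; return None on success or the
    constraint error text when the database refused it."""
    try:
        with conn:                       # commits on success, rolls back on error
            conn.execute(sql, params)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)


def duplicate_primary_key(conn):
    return attempt(conn, "INSERT INTO customer VALUES (1, 'Duplicate')")


def orphan_foreign_key(conn):
    return attempt(conn, "INSERT INTO invoice VALUES (11, 99, 10.0)")


def delete_referenced_parent(conn):
    return attempt(conn, "DELETE FROM customer WHERE id = 1")


def atomic_transfer(conn):
    """All-or-nothing: two inserts in one transaction.  The second violates the
    CHECK constraint, so the first must not survive either.  Returns how many
    of the two rows ended up in the table (0 when atomicity holds)."""
    try:
        with conn:
            conn.execute("INSERT INTO invoice VALUES (12, 1, 75.0)")
            conn.execute("INSERT INTO invoice VALUES (13, 1, -5.0)")
    except sqlite3.IntegrityError:
        pass
    return conn.execute("SELECT COUNT(*) FROM invoice WHERE id IN (12, 13)").fetchone()[0]


def run_integrity_demo():
    """Exercise every case on a fresh database and return the outcomes."""
    conn = open_db()
    return {
        "duplicate_pk": duplicate_primary_key(conn),
        "orphan_fk": orphan_foreign_key(conn),
        "delete_parent": delete_referenced_parent(conn),
        "atomic_leftovers": atomic_transfer(conn),
        "valid_insert": attempt(conn, "INSERT INTO invoice VALUES (14, 1, 5.0)"),
    }


if __name__ == "__main__":
    for case, outcome in run_integrity_demo().items():
        print(f"{case:18} -> {outcome}")
```

The audit point is that these are application-independent controls enforced by the database engine itself; when a review finds the constraints absent (or, as with SQLite's foreign keys, present but switched off), the application code has to be relied on for the same guarantees.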


What are the five (5) ways of testing computer application controls?
Five ways to test Computer Application Controls:
1. Test Data/Test Check
    a. A dummy/simulated transaction is placed, which is run through the real program
    b. Used for a specific program
    c. Not many resources are required.
    d. Limitations:
        i. Might not check all transactions
        ii. Permanent files, master files or history files cannot be checked.
2. Base Case System Evaluation
    a. Uses data-sets (developed as the Base Case)
    b. Data-sets come as part of the testing program
    c. Mostly used for periodic validations
    d. Difficult to maintain the dataset
3. Parallel Operations
    a. First: Actual production data is scrambled
    b. Second: Processed by both the new and the existing system
    c. Problem is scrambling the data, and cost
4. Parallel Simulation
    a. First: Actual production data is scrambled
    b. Second: It is processed using a simulation program
    c. Different from parallel operations, as a simulation program is used
5. Integrated Testing Facility
    a. Create a dummy/fictitious file using test data
    b. Transactions proceed with the live data
    c. Cost-effective
    d. Effort should be well planned and management should accept the risk


System Documentation
What are the six (6) types of Application System documentation?
1. Feasibility study document
2. System Development Methodology Document
    a. Overall methodology
    b. User requirements
3. Functional Design Detail and Specification Document
    a. Explains the application in detail
    b. Key controls of the application
4. Program Changes Document
    a. Changes or modifications to the program
    b. Authorization of changes
5. User Manual
    a. Helps to understand the system from the user's perspective
    b. Weaknesses in the program can usually be noted from this document
6. Technical Reference
    a. Vendor-supplied manual
    b. Necessary for in-depth understanding and troubleshooting


Business Application Systems


What are the six (6) common e-commerce models?
The six models of e-commerce are:
1. B-to-C: Business to Customer
2. B-to-B: Business to Business
3. B-to-E: Business to Employee
4. B-to-G: Business to Government (emerging)
5. C-to-G: Consumer to Government (emerging)
6. X-to-X: Exchange to Exchange (multiple B-to-B)

What are the five (5) common risks in e-commerce?
The main risks in e-commerce are CIA + NA:
1. Confidentiality
2. Integrity
3. Availability
4. Non-Repudiation
5. Authentication


EDI
What is Electronic Data Interchange?
This is the traditional way of carrying out e-commerce, through a Value Added Network (VAN)

What are the components of EDI?
EDI components:
1. System Software
    a. Transmission/Communication Handler
        i. Connections between organizations could be via one of the following:
            1. Dial-up
            2. Public Switched Network
            3. VAN
        ii. VAN (Value Added Network)
            1. The VAN receives and forwards all messages
            2. Provides the following:
                a. Switching and storage
                b. Electronic mailboxes
                c. Sorting of messages
                d. Delivery to recipients
    b. EDI Interface: Routes data between the application and the interface
        i. EDI Translator
            1. Translates between
                a. EDI Format: X12
                b. Vendor Format: Proprietary
        ii. Application Interface
            1. Performs data mapping
            2. Extracts data from EDI
            3. Sends it to company applications
            4. Sends and receives functional acknowledgments
    c. Storage of the Messages/Transactions
2. Application Systems
    a. Processes and sends data to the partner
    b. New controls may be required beside what is offered by EDI

What are the risks for EDI?
Major risks in an EDI system are:
1. Web interface to EDI
2. Transaction authorization
3. Manipulation of transactions before or after the application controls
4. Deletion or duplication of messages


Artificial Intelligence
What are the major AI systems?
1. Expert System
2. Neural Network

How do Conventional and Expert Systems compare?
Conventional System: Algorithm + Structure of Data = Program
Expert System: Inference System + Knowledge Base = Expert System

What does the Knowledge Base contain?
It contains the following:
1. Facts and figures
2. Rules of thumb
3. If/then/else statements
4. Inference engine

What is Salience?
Salience = Priority. Certain rules have a higher priority than others. In the case of a match, items with higher salience will be executed first.

How does an expert system operate?
Forward and backward chaining

What is the difference between forward and backward chaining?
Forward Chaining: The system reaches a conclusion from the known facts
Backward Chaining: The system tests whether certain hypotheses are true.

What is Fuzzy Logic?
This is used when there is uncertainty about an event. It uses probability on a scale from 0 to 1. Good for insurance and financial risk assessment.
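Salience and the two chaining modes, as an added example that is not from the study guide: a minimal rule engine whose forward chainer repeatedly fires the highest-salience rule that matches the working memory, and whose backward chainer tests a hypothesis by recursing into the rules that could conclude it. The rules and facts are constructed around a small access-review scenario and are not from any real expert system.

```python
"""Added example (not from the study guide): a tiny rule engine showing
salience-ordered forward chaining and goal-driven backward chaining.
Rules and facts are constructed."""


class Rule:
    def __init__(self, name, salience, conditions, conclusion):
        self.name = name
        self.salience = salience            # higher salience fires first
        self.conditions = set(conditions)   # facts that must all be present
        self.conclusion = conclusion        # fact added when the rule fires


def forward_chain(facts, rules):
    """Data-driven: fire the highest-salience rule whose conditions are all
    present and whose conclusion is new; stop when no rule can add anything.
    Returns (final facts, names of rules in firing order)."""
    facts = set(facts)
    fired = []
    while True:
        ready = [r for r in rules
                 if r.conditions <= facts and r.conclusion not in facts]
        if not ready:
            return facts, fired
        rule = max(ready, key=lambda r: r.salience)   # conflict resolution
        facts.add(rule.conclusion)
        fired.append(rule.name)


def backward_chain(goal, facts, rules, _seen=frozenset()):
    """Goal-driven: the hypothesis holds if it is a known fact, or if some rule
    concludes it and every condition of that rule can itself be established."""
    if goal in facts:
        return True
    if goal in _seen:                        # guard against circular rules
        return False
    for r in rules:
        if r.conclusion == goal and all(
                backward_chain(c, facts, rules, _seen | {goal}) for c in r.conditions):
            return True
    return False


# Constructed knowledge base for reviewing user accounts.
SAMPLE_RULES = [
    Rule("privileged-and-stale", 10, {"admin role", "no login 90 days"},
         "dormant privileged account"),
    Rule("stale-account", 5, {"no login 90 days"}, "dormant account"),
    Rule("escalate", 20, {"dormant privileged account"}, "escalate to security"),
    Rule("disable", 1, {"dormant account"}, "disable account"),
]
SAMPLE_FACTS = {"admin role", "no login 90 days"}

if __name__ == "__main__":
    final, order = forward_chain(SAMPLE_FACTS, SAMPLE_RULES)
    print("fired:", order)
    print("concluded:", sorted(final - SAMPLE_FACTS))
    print("hypothesis 'escalate to security':",
          backward_chain("escalate to security", SAMPLE_FACTS, SAMPLE_RULES))
```

With both starting facts present, two rules match at once; salience makes the privileged-account rule fire before the generic stale-account rule, and the newly concluded fact immediately enables the higher-salience escalation rule, which is why it fires second even though the generic rule was matching all along.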

Data Warehousing
What is a data warehouse?
This term refers to finding relationships in the data that were not previously identified. It can find the following in data:
1. Trends
2. Anomalies
3. Deviations
4. Correlations
It can be used in decision support systems.

What is Metadata?
Metadata means data about the data in a warehouse. This facilitates data mining.

What are the concerns regarding Data Warehouses?
1. Data quality
2. Access to data
3. Confidentiality of the data


Points to Remember:
1. BPR stands for Business Process Re-Engineering
    a. Initiated because of
        i. Economic pressure
        ii. Competitive factors
        iii. Customer demands
    b. Most of the time it is automated, with minimal manual controls as interventions
    c. Goals achieved through BPR
        i. Cost saving
        ii. Streamlined operations
    d. Six steps of BPR:
        i. Definition of areas to be reviewed
        ii. Project plan
        iii. Process understanding and review
        iv. Re-design and streamlining of the process
        v. Implementation and monitoring of new processes
        vi. Continuous improvement
    e. Three keywords for BPR: Process, Process, Process
    f. First step is to identify the process
    g. Then identify
        i. The process customer
        ii. The process-based manager/owner
    h. The baseline process should be documented
    i. The key concern with BPR is that major controls can be dropped during the re-engineering process
    j. Role of benchmarking in BPR
        i. Improve the business process
        ii. Continuous improvement of
            1. Products
         2. Services
         3. Processes
      iii. Steps for benchmarking
         1. Plan:
            a. Identify the critical process to be benchmarked
            b. Identify the measurement criteria
            c. Identify what data needs to be collected
            d. Identify how the data will be collected
         2. Research
            a. Collect baseline data about your own processes
            b. Collect the same data for other organizations (e.g. quality award winners) from magazines, newspapers and other published sources
         3. Observe
            a. Collect data on the other parties through
               i. Visits
               ii. Observation
            b. Sharing of documented resources
         4. Analyze
            a. Summarize and interpret the collected data
            b. Analyze the gaps between your company and the others
            c. Turn the findings into operational goals
         5. Adapt
            a. Translate the findings into core rules and principles
            b. Convert the high-level objectives and strategies into an action plan
         6. Improve
            a. Continuous process
            b. The process is linked to the improvement strategy in the company's goals

2. Risk Management
   a. RM is the process used for making decisions about risk
   b. Basic policy decisions in RM are
      i. The impact of negative effects/successful attacks
      ii. The level of acceptable risk
      iii. The challenge of risk management is finding the balance between impact and counter-measures
   c. RM starts with Risk Analysis
   d. Risk Analysis identifies threats, vulnerabilities and impact
   e. RM = RA + decisions concerning the Acceptable Risk Level + Risk Treatment
   f. Total Risk = Threat x Vulnerability x Asset Value
   g. Four (4) things can be done regarding risk:
      i. Transfer it (e.g. insurance)
      ii. Reject/ignore it (dangerous)
      iii. Reduce it by counter-measures
      iv. Accept it (if the cost of control exceeds the benefit)
   h. Two things are needed for the risk management program:
      i. Purpose of the Risk Management Program
         1. The "purpose" sets the tone of risk management, e.g.
            a. Reduce the risk from hackers
            b. Reduce the cost of insurance
      ii. Assignment of responsibility for Risk Management
         1. People are assigned responsibility to
            a. Manage
            b. Implement the Risk Management Program
         2. The team sets up the Risk Management Plan
   i. Risk Management Process:
      1. Identification of assets. Examples of assets:
         a. Information
         b. Services
         c. Hardware/software
         d. Personnel
      2. Identification of threats:
         a. Errors
         b. Fraud
         c. Theft
         d. Software failure
         e. Equipment failure
         f. Malicious attacks
      3. Identification of vulnerabilities: a poorly designed system/process may have many vulnerabilities. Some examples:
         a. Poor passwords
         b. Unpatched systems
         c. Badly trained staff
         d. New, beta technology
         e. Communication over untrusted lines
         f. Lack of security functionality
      4. Calculate the impact where a threat has exploited a vulnerability. Impact may be:
         a. Loss of money
         b. Loss of goodwill/reputation
         c. Legal breach
         d. Loss of business
         e. Business interruption
         f. Customer exposure
      5. Counter-measures: once the risk is identified it can be controlled
         a. Risk controls are known as counter-measures/safeguards
         b. Controls can be one of the following:
            i. Devices
            ii. Actions
            iii. Procedures
            iv. Techniques
         c. Controls can take several forms:
            i. Detective
            ii. Preventive
            iii. Automated
            iv. Manual
            v. Formal
            vi. Ad hoc
      6. Residual Risk: even after the controls are applied the risk will not be zero. The remaining risk is called residual risk.
         a. Further controls might be required in this area
         b. The process should go on until the level of acceptable risk is reached
      7. Acceptable Risk: management should define the level of acceptable risk.
         a. If the ratio of residual risk to acceptable risk is
            i. Greater than 1: further controls should be applied in order to reduce the risk
            ii. Less than 1: some controls could be removed, because excessive controls are being applied
         b. Factors affecting the acceptable risk level are as follows:
            i. Corporate policy
            ii. Risk identification and measurement methods
            iii. Methodology of risk assessment
            iv. Cost of the controls
            v. Effectiveness of the controls
            vi. Nature of the business

3. IT Governance
   a. IT Governance = Information Systems + Communication Technology + Business + Directors + Stakeholders + Process Owners + Senior Management
   b. Main objective of governance: IT alignment with the enterprise strategies and objectives
   c. Controls in the organization are assured by following best practices
   d. Good IT Governance will ensure:
      i. IT is supporting the business objectives
      ii. The resources of the organization are used responsibly
      iii. Due care is taken to manage risk appropriately
   e. IT is no longer just an enabler of the company strategy; it is part of it
   f. Proper coordination is required between senior management and IT management/IT specialists
   g. Balanced IT Scorecard
      i. Can be applied to IT Governance
      ii. The scorecard focuses on:
         1. User satisfaction (customer)
         2. Operational/internal processes
         3. Innovation for improvement
      iii. Typical 4 perspectives of the scorecard:
         1. To become/remain the preferred supplier of IT services and applications
         2. To be efficient and effective in information systems
         3. To give a proper business contribution from the IT investment
         4. To get ready for future business and technological challenges

4. Application Controls
   a. Pre-printed forms provide
      i. Consistency
      ii. Accuracy
      iii. Legibility
   b. Batch control groups
      i. Batch controls can be based on:
         1. Total monetary amount: the sum of the monetary values of all items processed = total value of the batch
         2. Total items (item count)
         3. Total documents (document count)
         4. Hash total: the sum of a non-financial field (e.g. account numbers) that has no meaning as a number but detects a dropped, duplicated or altered record
   c. The batch header is the preparatory control
   d. Batch balancing can be manual or automated
   e. Batch totaling should be followed by a follow-up procedure for any differences
   f. There are three types of batch balancing:
      i. Batch Register: used for manual recording
      ii. Computer Agreement: the computer compares the batch totals with the header slips
      iii. Control Accounts: initial (edit) file vs. master file
   g. There are four (4) ways of handling input errors
      i. Reject the faulty transaction
      ii. Reject the whole batch if there is even a single faulty transaction
      iii. Accept the batch, but hold it in suspense
      iv. Accept and process the batch, but flag the faulty transactions
   h. There are seven ways to control inputs:
      i. Logging all transactions: the log is reconciled to the source documents
      ii. Log + Reconciliation Routine: data is only processed when reconciled
      iii. Error Correction Routines and Procedures: mostly automated
      iv. Log of Transmission: logs all of the transmitted transactions
      v. Anticipation: proactive measures
      vi. Documentation: written procedures to handle different situations
      vii. Marking the Source Document: the source document is marked when it is processed
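Batch balancing as described above, as an added worked example (not code from the study guide): a batch header carrying document count, item count, monetary total and hash total is agreed by the computer against the keyed batch. The invoice numbers, account numbers and amounts are constructed, and the header is computed from the clean batch to stand in for the manually prepared slip.

```python
"""Batch input controls: document count, item count, monetary total and hash total,
with computer agreement against the batch header. Added example; batch data constructed."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class BatchHeader:
    """The preparatory control: totals prepared by the user department before keying."""
    doc_count: int         # number of documents in the batch
    item_count: int        # number of line items across all documents
    amount_total: Decimal  # sum of all monetary amounts
    hash_total: int        # sum of a non-financial field (account numbers); meaningless as a value


def compute_totals(batch):
    """batch: list of (document_id, account_number, [line amounts as Decimal])."""
    return BatchHeader(
        doc_count=len(batch),
        item_count=sum(len(lines) for _, _, lines in batch),
        amount_total=sum((sum(lines, Decimal("0")) for _, _, lines in batch), Decimal("0")),
        hash_total=sum(acct for _, acct, _ in batch),
    )


def balance_batch(header, batch):
    """Computer agreement: compare each header total with the totals recomputed from the
    keyed batch. Returns a list of discrepancies (empty list = the batch balances)."""
    actual = compute_totals(batch)
    problems = []
    for field in ("doc_count", "item_count", "amount_total", "hash_total"):
        expected, got = getattr(header, field), getattr(actual, field)
        if expected != got:
            problems.append(f"{field}: header {expected} vs computed {got}")
    return problems


# Constructed batch of three invoices: (document id, account number, line amounts).
BATCH = [
    ("INV-1001", 40012, [Decimal("120.00"), Decimal("30.50")]),
    ("INV-1002", 40027, [Decimal("999.99")]),
    ("INV-1003", 40031, [Decimal("15.00"), Decimal("15.00"), Decimal("5.25")]),
]
HEADER = compute_totals(BATCH)   # stands in for the manually prepared header slip


def dropped_document():
    """Last document lost between keying and processing: all four totals disagree."""
    return balance_batch(HEADER, BATCH[:-1])


def transposed_account():
    """Account 40027 keyed as 40072: amounts unchanged, only the hash total catches it."""
    keyed = [BATCH[0], ("INV-1002", 40072, [Decimal("999.99")]), BATCH[2]]
    return balance_batch(HEADER, keyed)


def compensating_errors():
    """Two keying errors that cancel out (999.99 -> 1000.00 and 5.25 -> 5.24):
    every batch total still agrees, so batch balancing alone cannot detect this;
    one-for-one checking or field-level edits are needed as well."""
    keyed = [BATCH[0],
             ("INV-1002", 40027, [Decimal("1000.00")]),
             ("INV-1003", 40031, [Decimal("15.00"), Decimal("15.00"), Decimal("5.24")])]
    return balance_batch(HEADER, keyed)


if __name__ == "__main__":
    print("header:", HEADER)
    print("clean batch:", balance_batch(HEADER, BATCH))
    print("dropped document:", dropped_document())
    print("transposed account:", transposed_account())
    print("compensating errors:", compensating_errors())
```

The three failure scenarios show what each total buys you: a lost document breaks every total, a mis-keyed account number is caught only by the hash total, and compensating amount errors pass all four totals, which is why batch balancing is paired with one-for-one checking and the data validation edits that follow.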
   i. Total of 12 Data Validation Edits and Controls:
      i. Sequence/Serial Number Check: out-of-sequence or duplicate numbers are rejected
      ii. Limit Check: the value is checked against a predetermined limit (e.g. a maximum)
      iii. Range Check: the value must lie between two limits
      iv. Validity Check: e.g. a sex code can only be M or F
      v. Reasonableness Check: e.g. a clerk's salary can't be 1 million dollars
      vi. Existence Check: e.g. the check-printing program should check that the invoices against which checks are prepared actually exist
      vii. Table Check/Lookup: e.g. a zip code is checked against the table of valid codes
      viii. Key Verification: the same data is keyed again by another employee and the two entries are compared
      ix. Completeness Check: no null value in a primary field; minimum number of characters required for a password
      x. Duplicate Check: no duplicates in fields like check numbers and invoice numbers
      xi. Logical Check: e.g. the date of marriage should be at least 18 years after the date of birth
      xii. Check Digits: the following should be noted regarding check digits:
         a. Numeric value, calculated from the other digits of the field
         b. Detects TRANSPOSITION AND TRANSCRIPTION errors
         c. Normally, in a bank account number, the last digit is the check digit
   j. Total of six (6) Processing Controls
      i. Manual Recalculations: recalculations are done only for a sample of transactions
      ii. Editing: a routine or "plug" to ensure the data is valid
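The edit checks above, applied by one input-validation routine, as an added worked example (not code from the study guide). The field names, limits, lookup tables and the three sample records are constructed. Check digits are left out here because they are a calculation on a single field rather than a comparison against other data.

```python
"""Data validation edits at input: sequence, completeness, validity, table lookup, existence,
limit, range, reasonableness, logical and duplicate checks. Added example; field names,
limits, lookup tables and sample records are constructed."""
from datetime import date

VALID_SEX = {"M", "F"}                       # validity: the permitted code set
ZIP_TABLE = {"94105", "10001", "60601"}      # table lookup: reference table (constructed)
OPEN_INVOICES = {"INV-1001", "INV-1002"}     # existence: invoices that may be paid
SALARY_LIMIT = 250_000                       # limit: hard ceiling, never exceeded
SALARY_RANGE = (20_000, 200_000)             # range: the expected band


def new_state():
    """Cross-record state the sequence, duplicate and reasonableness checks depend on."""
    return {"last_seq": 0, "seen_checks": set(), "prior_salary": {}}


def add_years(d, n):
    """Same calendar date n years later (29 Feb falls back to 28 Feb)."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def validate(rec, state):
    """Apply every edit; return the list of failed checks. Only a clean record updates the
    running state, so a rejected record cannot poison later sequence/duplicate checks."""
    errors = []
    if rec["seq"] <= state["last_seq"]:                        # sequence: out of order or repeated
        errors.append("sequence")
    if not rec.get("emp_id"):                                  # completeness: key field present
        errors.append("completeness")
    if rec["sex"] not in VALID_SEX:                            # validity
        errors.append("validity")
    if rec["zip"] not in ZIP_TABLE:                            # table lookup
        errors.append("table_lookup")
    if rec["invoice"] not in OPEN_INVOICES:                    # existence
        errors.append("existence")
    if rec["salary"] > SALARY_LIMIT:                           # limit (checked before range)
        errors.append("limit")
    elif not SALARY_RANGE[0] <= rec["salary"] <= SALARY_RANGE[1]:  # range
        errors.append("range")
    prior = state["prior_salary"].get(rec["emp_id"])
    if prior is not None and rec["salary"] > 2 * prior:        # reasonableness vs. history
        errors.append("reasonableness")
    if rec["marriage_date"] < add_years(rec["dob"], 18):       # logical relationship
        errors.append("logical")
    if rec["check_no"] in state["seen_checks"]:                # duplicate
        errors.append("duplicate")
    if not errors:
        state["last_seq"] = rec["seq"]
        state["seen_checks"].add(rec["check_no"])
        state["prior_salary"][rec["emp_id"]] = rec["salary"]
    return errors


# Constructed records: one clean, one with many defects, one failing only reasonableness.
GOOD = dict(seq=101, emp_id="E001", sex="F", zip="94105", invoice="INV-1001", salary=85_000,
            dob=date(1980, 5, 1), marriage_date=date(2005, 6, 15), check_no=5001)
BAD = dict(seq=100, emp_id="", sex="X", zip="99999", invoice="INV-9999", salary=300_000,
           dob=date(2000, 1, 1), marriage_date=date(2010, 1, 1), check_no=5001)
JUMP = dict(GOOD, seq=102, invoice="INV-1002", salary=180_000, check_no=5002)


def run_batch(records):
    """Validate records in order with shared state; return {seq: list of failed checks}."""
    state = new_state()
    return {r["seq"]: validate(r, state) for r in records}


if __name__ == "__main__":
    for seq, errs in run_batch([GOOD, BAD, JUMP]).items():
        print(seq, "ACCEPTED" if not errs else "REJECTED: " + ", ".join(errs))
```

Two details matter to an auditor reviewing such a routine: the limit check runs before the range check so a value over the hard ceiling is reported once, and the reasonableness check compares against history (the prior salary for the same employee), which is why the third record fails even though it is inside the range.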

      iii. Run-to-Run Totals: the keyword to remember is "stages". Control totals are carried from one stage of processing to the next and agreed at each stage. Agreement of the totals at a stage indicates two things:
         1. The data was accepted
         2. The data was applied
      iv. Automated/Programmed Controls: programmed controls that not only detect errors but also initiate corrective action
      v. Reasonableness checks of calculated amounts: e.g. a salary can't be 1,000,000
      vi. Limit checks: to check predetermined limits
   k. Total of seven (7) Output Controls
      i. Logging of sensitive information
         1. Sensitive output should be logged and traced until it is filed properly or shredded
         2. The log should be reconciled at regular intervals
      ii. Critical forms generation
         1. Critical forms, such as checks, should be logged
         2. An inventory should be kept
         3. Using the example of check printing, all exceptions should be recorded and accounted for
      iii. Report distribution
         1. Authorized, controlled distribution is a must
         2. Reports must be delivered as per the schedule
         3. The print spool should be protected against accidental deletion
         4. Reports distributed electronically should be controlled as well
      iv. Reconciling and balancing
         1. A proper audit trail should provide for the reconciliation of the data
         2. Output should be balanced to the control totals
      v. Retention period
         1. Reports should be retained as per the legal requirements
         2. After the retention period they should be destroyed as per company policy
      vi. Error handling in reports
         1. Error reports should be delivered promptly to the department concerned
         2. Error reports should be reviewed and the errors corrected
      vii. Receipt/report verification
         1. Sensitive reports should be signed for on delivery
         2. Receipts should be kept on record
   l. Total of 11 Data File Controls
      i. Prior and later image reporting
         1. Also known as before-and-after image reporting
         2. The word "image" is misleading: here it simply means a snapshot of the data before and after a transaction
      ii. Error reporting, follow-up and handling
         1. All error reports should be followed up properly
         2. Segregation of duties is a must, or error reports might be ignored
         3. Error corrections should be reviewed by a person other than the one who initiated the process
      iii. Media labeling (internal/external)
         1. External labeling is a must to ensure the proper media is used
         2. Internal labeling, such as tape headers, reconfirms that the media used is correct
      iv. Source documentation preservation and retention
         1. Preservation and retention are required for
            a. Verification
            b. Troubleshooting
            c. Reconstruction of the data
         2. Source documentation should be maintained as per the policy of the organization
      v. One-for-one checking
         1. Each and every source document must agree with the computer-processed document
         2. Follow-ups should be maintained
      vi. Security of data files
         1. Ensure that unauthorized people don't have access
         2. Data file access must be as per the authorization level
      vii. Pre-printed/pre-recorded inputs
         1. Certain information, e.g. company name and branch name, can be pre-printed
         2. Avoids input errors
      viii. Version control
         1. The proper versions of the files should be controlled
         2. Critical for correct file processing
      ix. Transaction logging
         1. A transaction log is a must for the audit trail
         2. Posting and processing of the transactions can be traced
         3. Helps in troubleshooting
      x. Proper authorization for updating and maintenance
         1. Proper authentication and authorization are a must
         2. Most systems rely just on operating system authentication
         3. The application should have its own authorization and authentication mechanism
         4. Also a must for file and data integrity, and to make sure only authorized updating and maintenance is done
      xi. Check digit/parity check
         1. The check digit and parity check concepts are often confused
            a. Check digit: a digit added to the end of the account number or critical field; it is visible and can be calculated and verified manually
            b. Parity check: internal to the computer; applied to the data stored or transmitted by the computer
         2. Most commonly, a parity check is divided into the following:
            a. Vertical/Column Check (VRC): applied to a single character
            b. Horizontal/Row/Longitudinal Check (LRC): applied across multiple characters, on all the equivalent bit positions
   m. A minimum of six (6) pieces of documentation are required to review the system development. These are as follows:
      1. Feasibility study document
      2. System development methodology document
         a. Overall methodology
         b. User requirements
      3. Functional design detail and specification document
         a. Explains the application in detail
         b. Key controls of the application
      4. Program changes document
         a. Changes or modifications to the program
         b. Authorization of the changes
      5. User manual
         a. Helps to understand the system from the user's perspective
         b. Weaknesses in the program can be picked up from this document
      6. Technical reference
         a. Vendor-supplied manual
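The two concepts contrasted above (check digit vs. parity check), as an added worked example (not code from the study guide): a mod-10 (Luhn) check digit computed and verified on an account number, showing which keying errors it catches and the one it misses, and vertical (per-character) versus longitudinal parity over a block of bytes. Luhn is used as the representative check-digit scheme because the guide does not name one; the account numbers and the byte block are constructed.

```python
"""Check digit (Luhn, mod 10) versus parity checks (VRC per byte, LRC across the block).
Added example; account numbers and the data block are constructed."""


def luhn_check_digit(base: str) -> str:
    """Check digit for the digit string `base`: double every second digit from the right
    (subtract 9 if the result exceeds 9), sum, and take the digit that makes the total a
    multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Verify a number whose last digit is the check digit."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def vrc_bit(byte: int) -> int:
    """Vertical redundancy check: even parity bit for one character (1 if odd number of 1s)."""
    return bin(byte).count("1") % 2


def lrc(block: bytes) -> int:
    """Longitudinal redundancy check: even parity over each bit position across all
    characters, which is the XOR of all bytes."""
    out = 0
    for b in block:
        out ^= b
    return out


def frame(block: bytes):
    """What is stored/transmitted alongside the data: one VRC bit per byte plus the LRC."""
    return [vrc_bit(b) for b in block], lrc(block)


def check_frame(block: bytes, vrc_bits, lrc_value):
    """Recompute both parities on the received block; return the detected problems."""
    problems = [f"byte {i}: VRC mismatch"
                for i, (b, p) in enumerate(zip(block, vrc_bits)) if vrc_bit(b) != p]
    if lrc(block) != lrc_value:
        problems.append("LRC mismatch")
    return problems


def corrupt(block: bytes, flips):
    """Flip the listed (byte_index, bit_number) positions to simulate line/storage errors."""
    data = bytearray(block)
    for i, bit in flips:
        data[i] ^= 1 << bit
    return bytes(data)


if __name__ == "__main__":
    acct = "7992739871" + luhn_check_digit("7992739871")        # -> 79927398713
    print(acct, luhn_valid(acct))
    print("transcription 1->8:", luhn_valid("79927398783"))     # caught
    print("transposition 27->72:", luhn_valid("79972398713"))   # caught
    print("blind spot 09<->90:", luhn_valid("12096"), luhn_valid("12906"))  # both pass
    block = b"AUDIT"
    vrc, l = frame(block)
    print("1 bit flipped:", check_frame(corrupt(block, [(2, 0)]), vrc, l))
    print("2 bits in one byte:", check_frame(corrupt(block, [(2, 0), (2, 3)]), vrc, l))
    print("same bit in two bytes:", check_frame(corrupt(block, [(1, 5), (3, 5)]), vrc, l))
    print("2x2 rectangle:", check_frame(corrupt(block, [(1, 5), (1, 6), (3, 5), (3, 6)]), vrc, l))
```

The check digit is a human-scale control on a field: every single-digit transcription error and every adjacent transposition is caught, except 09 and 90, which Luhn cannot tell apart. The parity checks are machine-scale: VRC catches any odd number of bit flips inside a character, LRC catches an even number spread across bit positions, and the two together still miss a rectangle of four flips, which is why stored and transmitted data normally also carries a CRC or cryptographic checksum.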
         b. Necessary for in-depth understanding and troubleshooting
   Major risks for applications:
      a. Frequency of audit
      b. Operational complexity
      c. Change management
      d. Staff turnover
      e. Impact of the environment
   n. Key processes to check for "Separation of Duties" compliance
      a. Origination
      b. Authorization
      c. Verification
      d. Distribution
      e. Usage
      f. Destruction
   o. Four (4) Data Integrity Tests
      i. Domain Integrity
         1. Objective: the data validation and edit routines are working
         2. Test level: field level
         3. Ensures
            a. Data conforms to the field definitions
            b. The field has a legitimate value
      ii. Relational Integrity
         1. Objective: data validation through routines and programs
         2. Test level: record-based
         3. Ensures the data is correct using either of the following:
            a. Data validation programs inside the applications
            b. Cross-checking data legitimacy as per the table definition
      iii. Entity Integrity
         1. No null value in the primary key
         2. The value in the primary key must be unique
      iv. Referential Integrity
         1. Relationship between items (entities) in the database
         2. Consistent relationship between primary key and foreign key
         3. A primary key row cannot be deleted while a foreign key still refers to it
   p. Four (4) Data Integrity Tests for OLTP (Online Transaction Processing)
      i. ACID (Atomicity, Consistency, Isolation, Durability)
         1. Atomicity:
            a. Either the transaction completes or it does not
            b. All-or-nothing: either the whole transaction is there or none of it
         2. Consistency:
            a. The database is always consistent
            b. A transaction moves it from one consistent state to another
            c. Whatever state it is in, it is consistent (all integrity rules hold)
         3. Isolation:
            a. Each and every transaction is isolated from the others
            b. Concurrent transactions do not see each other's intermediate results
         4. Durability:
            a. Once the transaction is reported as complete, it stays complete no matter what happens to the hardware or software afterwards
   q. Three (3) ways to analyze a computer application program:
      i. Snapshot
         1. Good for verifying program logic
         2. Dependent upon the flow of the transaction
         3. Good knowledge of the system is a prerequisite
      ii. Mapping
         1. First, identify which program logic has been checked
         2. Second, execute the program and check that it follows the logic
         3. Used to enhance efficiency and control by
            a. Identifying unused code
            b. Identifying potential exposures, if any
            c. However, this process is very costly
      iii. Tagging and Tracing
         1. First, tags are placed within the program
         2. Second, the program is run and traced; tracing means recording (a trail of) the instructions executed
         3. Gives the details of the logic that is being executed
         4. Drawback: this is a resource-hungry exercise
   r. Five ways of testing computer application controls:
      i. Test Data/Test Deck
         1. Dummy/simulated transactions are run through the real program
         2. Used for a specific program
         3. Not many resources are required
         4. Limitations
            a. Might not check all of the transaction types
            b. Permanent files, master files or history files cannot be checked
      ii. Base Case System Evaluation
         1. Uses datasets developed as the base case
         2. The datasets come as part of the testing program
         3. Mostly used for periodic validation
         4. Difficult to maintain the datasets
      iii. Parallel Operation
         1. First, actual production data is scrambled
         2. Second, it is processed on both the new and the existing system and the results are compared
         3. Problems are scrambling the data, and cost
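The ACID properties listed above under the OLTP data integrity tests, as an added worked example (not code from the study guide) using Python's built-in SQLite: a two-step funds transfer that either commits both updates or neither (atomicity), a CHECK constraint that keeps every committed state consistent, and a commit that survives closing and reopening the database file (durability). Isolation between concurrent connections is not shown. The accounts and balances are constructed.

```python
"""ACID in practice with SQLite (standard library). Added example; accounts are constructed."""
import os
import sqlite3
import tempfile


def make_db(path=":memory:"):
    """Accounts table whose CHECK constraint is the consistency rule: no negative balance."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE IF NOT EXISTS account ("
                "id TEXT PRIMARY KEY, cents INTEGER NOT NULL CHECK (cents >= 0))")
    if con.execute("SELECT COUNT(*) FROM account").fetchone()[0] == 0:
        con.executemany("INSERT INTO account VALUES (?, ?)", [("A", 10_000), ("B", 500)])
        con.commit()
    return con


def transfer(con, src, dst, cents):
    """Atomic transfer: the debit and the credit are one transaction. Returns True on
    commit, False if the transaction was rolled back (overdraft or unknown account)."""
    try:
        with con:   # sqlite3 connection as context manager: commit on success, rollback on exception
            con.execute("UPDATE account SET cents = cents - ? WHERE id = ?", (cents, src))
            # The debit is now applied inside the open transaction. If the credit fails,
            # the rollback undoes the debit as well: all or nothing.
            cur = con.execute("UPDATE account SET cents = cents + ? WHERE id = ?", (cents, dst))
            if cur.rowcount != 1:
                raise ValueError(f"unknown destination account {dst!r}")
        return True
    except (sqlite3.IntegrityError, ValueError):
        return False


def balances(con):
    return dict(con.execute("SELECT id, cents FROM account ORDER BY id"))


def total(con):
    """Invariant every consistent state must satisfy: money is neither created nor destroyed."""
    return con.execute("SELECT SUM(cents) FROM account").fetchone()[0]


def durability_roundtrip():
    """Commit a transfer, close the connection, reopen the file: the committed state persists."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        con = make_db(path)
        transfer(con, "A", "B", 2_500)
        con.close()                      # simulates the process going away after the commit
        con = make_db(path)
        result = balances(con)
        con.close()
        return result
    finally:
        os.remove(path)


if __name__ == "__main__":
    con = make_db()
    print(transfer(con, "A", "B", 2_500), balances(con))     # True, A 7500 / B 3000
    print(transfer(con, "A", "B", 20_000), balances(con))    # False, overdraft rejected by CHECK
    print(transfer(con, "A", "Z", 100), balances(con))       # False, debit rolled back
    print("total constant:", total(con))
    print("after reopen:", durability_roundtrip())
```

The unknown-destination case is the one worth studying: the debit has already been applied when the credit fails, and it is the rollback, not the application code, that puts the money back. An auditor testing an OLTP system looks for exactly this behaviour (and for the sum of balances staying constant) rather than trusting that the application "handles errors".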
      iv. Parallel Simulation
         1. First, actual production data is scrambled
         2. Second, it is processed using a simulation program
         3. Different from parallel operation, as a simulation program (written to the auditor's understanding of the logic) is used instead of a second real system
      v. Integrated Test Facility (ITF)
         1. Create a dummy/fictitious entity (file) containing test data
         2. The test transactions are processed together with the live data
         3. Cost-effective
         4. The effort should be well planned, and management should accept the risk of test data contaminating live files
   s. Three ways of selecting and monitoring data processing:
      i. Transaction selection
         1. A program filters transactions to another program
         2. The production system is untouched
         3. Difficult and costly to maintain
      ii. Hard-coded (embedded) audit data collection
         1. Audit software is hard-coded into the computer applications
         2. There are two types
            a. SCARF (System Control Audit Review File)
               i. Relatively comprehensive
               ii. The auditor selects what to test
            b. SARF (Sample Audit Review File)
               i. Not as comprehensive as SCARF
               ii. Transactions are selected randomly
               iii. The sample is assumed to be a true representative of the population
         3. Costly to maintain
      iii. Extended Records
         1. Original record + test record
         2. Data is gathered and put into one file
         3. Storage-hungry

5. Continuous Online Auditing
   a. Transactions are processed online, so there is less paper to audit
   b. The system does monitoring on a continuous basis
   c. Selected data is collected into an audit file
   d. No disruption of the organization's work
   e. No paperwork
   f. Less costly
   g. Online alerts for violations and suspicious transactions

6. Online Auditing Techniques
   a. EAM/SCARF (Embedded Audit Module/System Control Audit Review File): as described earlier
   b. Audit Hooks:
      i. Similar to maintenance hooks
      ii. Auditors are alerted to suspicious transactions
   c. Integrated Test Facility (ITF)
      1. Create a dummy/fictitious entity containing test data
      2. The test transactions are processed together with the live data
      3. The result is compared to independently calculated results
      4. Cost-effective
      5. The effort should be well planned, and management should accept the risk
   d. Snapshots
      i. A snapshot is taken at each step from input to output
      ii. Input transactions are tagged and monitored throughout the processing
   e. Continuous and Intermittent Simulation (CIS)
      i. The simulator is a program that continuously looks for transactions meeting certain criteria
      ii. If the criteria are met, the transaction is taken for auditing

7. Audit Tools - rules of thumb
   a. The most complex audit tool is SCARF/EAM
   b. The least complex audit tool is audit hooks
   c. ITF is not beneficial for test data
   d. If regular processing cannot be interrupted, the best choice is SCARF/EAM
   e. If a comprehensive audit trail is required, the best choice is snapshot
   f. If transactions must be audited based on criteria, the best choice is CIS
   g. If the auditor only wants to select suspicious transactions, audit hooks should be used

8. Business Application Review
   a. Six models of e-commerce are
      i. B-to-C: Business to Consumer
      ii. B-to-B: Business to Business
      iii. B-to-E: Business to Employee
      iv. B-to-G: Business to Government (emerging)
      v. C-to-G: Consumer to Government (emerging)
      vi. X-to-X: Exchange to Exchange (multiple B-to-B)

9. Some commercially available component models are:
   a. Microsoft COM
   b. Sun Enterprise JavaBeans

10. The three-tier model has the following components
   a. Browser
   b. Application Server, e.g. Microsoft Transaction Server
   c. Database Server

11. Main risks for e-commerce are CIA + NA
   a. Confidentiality
   b. Integrity
   c. Availability
   d. Non-Repudiation
   e. Authentication

12. The challenge of connecting legacy applications is mostly solved by either
   a. Middleware, e.g. MQSeries
   b. XML interfaces, e.g. SOAP

13. EDI (Electronic Data Interchange)
   a. Used for standard documents like
      i. Invoices
      ii. Purchase Orders
   b. EDI components
      i. System Software
         1. Transmission/Communication Handler
            a. The connection between organizations could be via one of the following:
               i. Dial-up
               ii. Public switched network
               iii. VAN
            b. VAN (Value Added Network)
               i. The VAN receives and forwards all messages
               ii. Provides the following:
                  1. Switching and storage
                  2. Electronic mailboxes
                  3. Sorting of messages
                  4. Delivery to recipients
         2. EDI Interface: routes data between the application and the communication handler
            a. EDI Translator
               i. Translates between
                  1. EDI format (e.g. ANSI X12)
                  2. Vendor/proprietary application format
            b. Application Interface
               i. Performs data mapping
                  1. Extracts data from the EDI messages
                  2. Sends it to the company applications
               ii. Sends and receives functional acknowledgments
         3. Storage of messages/transactions
      ii. Application Systems
         1. Process and send data to the trading partner
         2. New controls may be required in addition to what is offered by EDI
   c. Major risks with EDI systems are
      i. Web interface to EDI
      ii. Transaction authorization
      iii. Manipulation of transactions before or after the application controls
      iv. Deletion or duplication of messages
   d. To control the risks of EDI, proper authentication, encryption, batch total checking, run-to-run totals, record counts and other controls should be applied
   e. Establishment of a Trading Partner Agreement among the EDI parties

Appendix Last Day Summary

Last Day - CISA Notes Summary


Domain 1: IS Audit Process
1. The audit starts with the audit charter
2. The auditor should first understand the business
3. The auditor should have the appropriate skills; if not, they should be asked for
4. The auditor starts the audit by first coming to an understanding of the business
5. Audit Charter = Audit Objectives + Delegation of Authority + Responsibility + Accountability + Internal Control Review
6. Audit Program = Step-by-step audit instructions + procedures
7. When planning an audit, there should be assurance that the audit will cover the material items
8. The biggest challenge for the auditor is matching the available resources with the audit plan
9. Risk assessment starts with an identification of the assets, but it could start with an identification of the threats as well
10. Total Risk = Threat x Vulnerability x Asset Value
11. Residual Risk = Total Risk - Safeguards
12. A risk-based audit considers risks, internal controls and operational controls
13. A risk-based audit focuses on the business process first, rather than jumping to an application audit that the operator says is a high-risk application
14. Audit Risk: the auditor giving an incorrect opinion, or being unable to find and report material errors
15. Inherent Risk: risk that exists because of the technology or the nature of the business/industry, e.g. a trapdoor
16. Detection Risk: inadequate test procedures are used and errors are not found. The solution is to use statistical sampling
17. Sampling Risk: the sample is not a true representative of the population
18. Statistical sampling can do nothing regarding control risk or inherent risk
19. Management structure and job responsibilities do not affect risk-based auditing
20. The key element in risk analysis is vulnerability, not control; control is for risk management
21. Control Objective: the reason for implementing certain controls
22. Control objectives provide a minimum set of controls to make sure efficiency and effectiveness are achieved
23. Control procedures are for due care: they provide reasonable proof and assurance that the control objectives can be achieved
24. Three major controls:
    a. Internal Accounting Control
    b. Operational Control
    c. Administrative Control
25. Control procedures: policies, practices, strategic direction, QA, DRP, sysadmin controls
26. COBIT has 34 high-level objectives and about 300 detailed objectives
27. Preventive Controls: qualified people, separation of duties, edit checks and access control
28. Detective Controls: hash totals, checkpoints, double-checking, error messages
29. Detective Control: detection + reporting (of errors, violations, omissions)
30. Corrective Controls: minimize the threat or remedy the problem, provided the threat has already materialized
31. Corrective Controls: recovery procedures, DRP
32. Operational Controls focus on day-to-day operations
33. The auditor should track the controls along the flow of data into the computer system
34. Audit Program = Audit Objectives + Audit Procedures
35. The difference between other types of audit and an IS audit is that an IS audit looks at different things, e.g. confidentiality, availability, quality, efficiency, service and reliability
36. The first step in a typical audit is understanding the business
37. The last step is following up the results
38. Audit Strategy = the set of audit procedures to achieve the audit objective
39. Audit Objectives: the purpose of the audit, e.g. in e-banking, whether proper controls are there or not
40. Audit Scope: specifies the function, system or unit to be included in the audit
41. Risk-based auditing can use two tests:
    a. Compliance testing
    b. Substantive testing
42. Risk-based auditing: first the inherent risk is evaluated, then the control risk
43. Compliance testing is performed before substantive testing
44. The key to understanding internal control is to see the control environment, review the risk assessment report and see the control procedures
45. Compliance testing means testing the policies, procedures and separation of duties
46. Substantive testing is detailed testing of the data
47. "Test of controls" means compliance testing
48. Inherent risk cannot be detected via the "test of controls"
49. Audit Risk: incorrect assumptions made about the subject
50. Audit risk can be minimized if the sample is scientifically chosen
51. Material risk: non-compliance with the internal controls which is a significant threat to the organization
52. The three areas of business risk are financial, regulatory and operations
53. The area audited first is the area with the highest risk
54. The two methods mostly used for risk assessment: scoring and judgmental
55. A scoring system uses risk factors to prioritize the audit
56. The judgmental method uses experience and business insight
57. Difference between Control Objectives and Audit Objectives:
    a. Control Objectives focus on the functioning of the internal controls
    b. The Audit Objective focuses on the specific goals for which the audit is initiated
58. The objective of the audit is to
    a. Identify the control objectives
    b. See if the controls are in place
59. The more comprehensive the internal control, the less substantive testing is required
CISA Study Guide in EasyFAQs 60. The weaker the internal control, the more comprehensive the substantive testing 61. Four steps for checking the controls: i. Preview: of the system to ascertain the controls ii. Compliance test: to confirm the functionality of the controls iii. Control Evaluation: to ascertain the scope and size of the substantive testing iv. Substantive test: to evaluate the datas validity 62. The three key things to remember about the evidence is it should be independent, qualified and objective 63. The auditor should focus on evidence that supports the objective, not on what evidence is good or bad 64. The confidence coefficient is the percentage representing the probability that the sample is truly representative of the population 65. If internal controls are strong, the confidence coefficient may be lowered 66. The higher the confidence coefficient, the greater the sample size. For greater confidence a bigger sample size is needed; e.g. if the confidence coefficient is 100% (which it can't be), the auditor will have to take a sample size of 100% of the population 67. The terms confidence coefficient", "confidence level" and "reliability factor" all refer to the same thing. 68. Level of Risk = 1 - Confidence Coefficient 69. Precision is the acceptable range of difference between the actual population and the sample. 70. Precision and sample size are inversely proportional 71. The higher the precision, the lower the sample size; the lower the precision, the higher the sample size If the precision needs to be 0%, this means that there will be no difference between the sample and the population: i.e. Sample Size = Population. Even with 5% precision the sample is almost as big as the population. Similarly, if the precision is set at 100%, this means that the Actual - Sample = an acceptable difference of 100%
In practice the precision level is set somewhere between these extremes, as decided by the IS auditor.

72. Attribute Sampling: the result is expressed as a percentage (rate of occurrence).
73. Variable Sampling: the result is expressed in numbers or as a monetary amount.
74. Discovery Sampling: a type of attribute sampling; "tell me if there is even one occurrence".
75. "Precision range" and "precision mean" refer to the same thing.
76. If the ERR (Expected Error Rate) is higher, more errors are foreseen in the population; to keep the same precision and confidence, the sample size must be larger.
77. ERR is not used in the variable sampling formulas; it applies only to the attribute sampling formulas.
78. Sample Mean is the prerequisite for Variance. Sample Mean = Sum of Sample Values / Sample Size
79. Variance is the prerequisite for Standard Deviation.
80. Standard Deviation is the square root of Variance.
81. Standard Deviation measures how far the sample values are spread around the Sample Mean.
82. A population standard deviation is applied only in the variable sampling formula.
83. Sampling Error: the sample is not truly representative of the population, so conclusions drawn from the sample are wrong.
84. CAAT stands for Computer-Assisted Audit Technique.
85. CAATs should have read-only access to the data.
86. GAS is Generalized Audit Software.
87. GAS is a type of CAAT.
88. GAS can perform statistical sampling.
89. The auditor can use GAS to find duplicate names or IDs.
90. Controls in the organization should match the control objectives.
91. Controls are assessed with a control matrix: error types on the top axis, controls on the side axis.
92. A compensating control is a strong control that makes up for (compensates for) a weaker one.
93. An overlapping control is when two strong controls cover the same area.
94. The auditor should not insist on immediate implementation of recommendations, but should ask for an action plan.
95. If something is fixed during the audit, the IS auditor should still report all of the findings as they were at the start of the audit, noting that they are being addressed.
96. CSA stands for Control Self-Assessment. It can be done through a questionnaire or an automated tool.
97. Functional-area (business) people are the ones most involved in CSA.
98. CSA can identify high-risk areas.
99. CSA cannot replace a traditional audit.
100. In CSA, functional-area managers or line managers are responsible for control.
101. The role of the internal auditor in CSA is that of a facilitator and internal control specialist.
102. The best time for CSA is during compliance testing.
103. The involvement of the IS auditor in acquisition, design, development, implementation, operational responsibilities and decision-making can impair the auditor's independence. The auditor should not report to the head of the department being audited; ideally the reporting line is at least one level above the auditee department.
104. Review and recommendations, consulting advice, membership of an application team, and designing the audit module for an application (but not the application itself) do not impair independence.
105. Exam tip: answer options containing "independent", such as "independent review" or "independent opinion", are usually the best.
106. Controls that remove or reduce the effect of an error are compensating controls.
107. Segregation of duties can be evaluated by interview and observation.
108. Observation is the best way to evaluate segregation of duties.
109. An audit trail provides responsibility and accountability.
110. An Integrated Test Facility (ITF) compares the system's output with independently calculated results.
111. ITF allows the auditor to test transactions through the production system, NOT the test system.
112. ITF uses fictitious data (a dummy entity) in production.
113. If the auditor wants to confirm a finding, s/he will not rely on test data; s/he will use GAS or substantive testing.
114. Prior audit reports are useful but of least importance, because they are historical.
115. The auditor's responsibility is not only to review but also to give recommendations within the scope of the audit. However, the auditor is not supposed to go into details beyond the scope.

Comparison Charts

Compliance Testing
a. The initial testing is compliance testing, to see if the key controls are working.
b. Testing of the control itself (for compliance).
c. Checks compliance against policies and procedures.
d. Mostly dependent on the availability of audit-trail documentation; once the documentation is available for a particular issue, the compliance test is positive.
e. The result is a "rate of occurrence".
f. Questions such as "does it exist or not?", "are these two the same?", "does it work as intended?", "if the controls exist, are they applied as per the documentation and management's intent?" Mostly yes or no.
g. The attribute sampling method is normally used.

Substantive Testing
a. Usually follows compliance testing.
b. Testing of integrity; more of a quantitative review.
c. More used for monetary transactions or areas where things are not structured.
d. Not very dependent on documentation. Availability of the documentation is not enough; the validity and integrity of the documentation are challenged during substantive testing.
e. "Detailed testing of transactions and procedures".
f. Various methods can be used.
Attribute Sampling
a. Used for compliance testing situations.
b. Focus is on whether the attribute is present or absent.
c. Output/conclusion is a rate of incidence.
d. A "yes or no" check; a question of "compliance" or "rate of occurrence".

Variable Sampling
a. More commonly used in substantive testing.
b. Focuses on characteristics of the population, e.g. weight, dollar value.
c. Output/conclusion is in the form of deviation from the norm.
d. Assumes "yes", then asks "how much has 'yes' deviated from the norm, or how much does it vary?"
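The sampling arithmetic behind items 64-71 and 76-84 (confidence coefficient, precision, expected error rate, sample mean, variance and standard deviation), worked through in code. This is an added example and not part of the study guide; the attribute-sampling formula it uses, n = z^2 * p(1 - p) / E^2 with a finite-population correction, is the standard normal-approximation formula and is an assumption on my part, since the guide states the relationships but gives no formula. The invoice values are constructed.

```python
"""Audit sampling arithmetic: confidence coefficient, precision, expected
error rate and sample size (attribute sampling), plus sample mean, variance
and standard deviation (variable sampling).

Added example for the study guide; it is not the guide's own code.  The
attribute-sampling formula is the standard normal-approximation one,
n = z^2 * p * (1 - p) / E^2, with a finite-population correction when the
population size is given (an assumption: the guide states the relationships
but gives no formula).  The sample values below are constructed.
"""
import math
from statistics import NormalDist


def z_for_confidence(confidence: float) -> float:
    """Two-sided standard-normal multiplier, e.g. 0.95 -> 1.96, 0.99 -> 2.58."""
    return NormalDist().inv_cdf(1 - (1 - confidence) / 2)


def attribute_sample_size(confidence, expected_error_rate, precision,
                          population=None) -> int:
    """Sample size for attribute (compliance) sampling.

    confidence          confidence coefficient; level of risk = 1 - confidence
    expected_error_rate ERR, the deviation rate the auditor expects to find
    precision           acceptable difference between sample and population
                        rates; 0 means no difference is tolerated, i.e. test
                        the whole population
    population          optional population size (finite-population correction)
    """
    if precision <= 0:
        if population is None:
            raise ValueError("precision 0 means a 100% test; give the population size")
        return population
    z = z_for_confidence(confidence)
    p = expected_error_rate
    n = z * z * p * (1 - p) / (precision ** 2)
    if population is not None:
        n = min(n / (1 + (n - 1) / population), population)
    return math.ceil(n)


def sample_mean(values) -> float:
    """Sample Mean = Sum of Sample Values / Sample Size (prerequisite for variance)."""
    return sum(values) / len(values)


def variance(values, ddof=1) -> float:
    """Mean squared distance from the sample mean (ddof=1: sample variance,
    ddof=0: population variance); prerequisite for standard deviation."""
    m = sample_mean(values)
    return sum((v - m) ** 2 for v in values) / (len(values) - ddof)


def std_dev(values, ddof=1) -> float:
    """Standard deviation is the square root of variance."""
    return math.sqrt(variance(values, ddof))


def achieved_precision(values, confidence) -> float:
    """Variable sampling: half-width of the confidence interval for the mean,
    z * s / sqrt(n).  A wider spread or a smaller sample widens it."""
    return z_for_confidence(confidence) * std_dev(values) / math.sqrt(len(values))


if __name__ == "__main__":
    # Constructed case: 95% confidence, 5% expected error rate, 3% precision.
    base = attribute_sample_size(0.95, 0.05, 0.03)
    print("base sample size      :", base)
    print("99% confidence        :", attribute_sample_size(0.99, 0.05, 0.03), "(larger)")
    print("5% precision          :", attribute_sample_size(0.95, 0.05, 0.05), "(smaller)")
    print("10% ERR               :", attribute_sample_size(0.95, 0.10, 0.03), "(larger)")
    print("0% precision, N=1000  :", attribute_sample_size(0.95, 0.05, 0, 1000))
    invoices = [120.0, 98.5, 143.0, 101.0, 99.5, 130.0, 115.0, 93.0]  # constructed
    print("mean / sd             :", sample_mean(invoices), round(std_dev(invoices), 2))
    print("achieved precision 95%:", round(achieved_precision(invoices, 0.95), 2))
```

Running it shows the three relationships from the text directly: raising the confidence coefficient or the expected error rate enlarges the sample, widening the precision shrinks it, and a precision of 0% collapses to testing the whole population.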

Domain 2: Management Planning and Organization of IS


Management Planning
1. Direction for the company comes from strategic planning.
2. A strategic plan is future- and business-oriented. Planning for hardware project dates and budgetary targets for IS is not strategic.
3. The IT strategic plan should focus on three things: goals, technological advancement, and regulatory controls.
4. The steering committee consists of senior management and representatives of the business areas.
5. The steering committee is the liaison between users and IS.
6. The committee's duties and responsibilities are set out in a formal charter.
7. The committee reviews, monitors and approves projects, but does not go into the details.
8. The committee's meeting minutes give an idea of the effectiveness of its oversight of controls.
9. The ultimate responsibility for policy development lies with the Board of Directors.
10. An IS assessment method checks for deviations of actual from planned.
11. Project initiation and prioritization are done by the steering committee.
12. Quality management controls and improves the process.
13. Before reviewing the IT plan, the business plan should be reviewed.
14. Benchmarking is used for assessing the level of performance, not for assessing deviation of planned vs. actual.
15. The data or system owner takes responsibility for classification and for deciding who may access what.
16. Two management structures: line management and project management.
17. Regarding violations, the IS auditor should inform top management.

Policies and Procedures
18. Policies are management directions.
19. Security policies do not state which individual may access which resource; they specify who is authorized to grant access and on what basis access will be granted.
20. Policies should be written by the business unit manager with the help of IS.
21. A top-down approach is strategic, sometimes abstract, and expensive.
22. A bottom-up approach is more practical and less expensive, but reactive: the result of some incident or issue.
23. Five major policies: business-related policies, HR policies, information security policies, quality management policies, outsourcing policies.
24. The most important thing about the information security policy: once it is written, it has to be circulated.
25. If there are no formal procedures for accepting a project, the first thing is to establish the procedures rather than change the job description of whoever takes the decision.

Job Description and Segregation of Duties
26. Three items to be looked at regarding a job description: job function, responsibility and segregation of duties.
27. To deter and detect illegal acts, mandatory vacation or job rotation is a must.
28. Job descriptions help to group similar jobs and identify the segregation of duties.
29. The organizational chart helps to establish responsibility and authority.
30. If the organization is small and cannot separate duties, it should have robust security, and reports and other records should be reconciled exhaustively.
31. The compensating controls, if duties cannot be segregated, are as follows:
a. Batch control reconciliation
b. Transaction log
c. Independent review
d. Reasonableness checks
e. Audit trail of the console
f. Library audit log
32. Remember that the following are NOT compensating controls for segregation of duties (all three are data validation/file controls):
a. Check digit
b. Sequence check
c. Retention of documents
33. An audit trail is the acceptable compensating control if segregation of duties cannot be implemented.
34. Database definition control is the responsibility of the Database Administrator, not the Data Administrator.
35. Granting access rights and securing data are the responsibility of the Data Owner and the Security Administrator.
36. The Security Administrator, not the Security Officer, is responsible for day-to-day security operations.
37. Responsibility is difficult to establish if there are shared resources.
38. Application programmers should never have access to production data, production programs or the system program library.
39. It is the Security Administrator's responsibility to ensure that policies and procedures are executed. The ultimate responsibility for their development may reside with top management, but execution is the responsibility of the Security Administrator.
40. The rules of integrity and security are the responsibility of the Security Administrator, not of the Data Administrator or the Database Administrator.
41. The DBA should not report to the Operations Manager or the Systems Development Manager, but to the IS Manager.
42. A developer joining the internal audit department might impair its independence.
43. A Systems Analyst cannot also perform the QA role.

IPF and Authorizations
44. The IPF (Information Processing Facility) is distinct from the computer operations, telecom, system programming and librarian functions.
45. The Data Control Department is responsible for data entry.
46. If the business is very small and cannot have a dedicated person, the rule of thumb is "common sense should prevail".
47. Transaction authorization is the responsibility of the user department.
48. Authorization forms should have management's approval.
49. The ultimate responsibility for reconciliation lies with the user. In some cases, the data control group can also be responsible.
50. The data owner determines the authorization level.
51. The security administration group is responsible for implementing security most of the time.
52. A typical authorization table is called the User Access Control List.
53. The Security Administration and QA jobs can be combined.

Outsourcing
54. The most important thing with outsourcing is to monitor the vendor's performance.
55. Before awarding the outsourcing contract, make sure the service meets the business requirements of the company.
56. Outsourcing is not done only to save costs; it should also be a strategic decision.
57. Review the business continuity plan of the outsourcing company before you outsource.
58. Ownership of intellectual property must be finalized.
59. Outsourcing is not a technological issue.

Others
60. ISO 9126 is the standard for software product quality, used in software development.
61. Key verification = one-to-one verification.
62. The best data entry control is key verification.
63. For information on the service level, consult the availability reports.
64. The first thing that should be done when an employee is terminated is to disable his logical access.
65. Benchmarking: to evaluate performance, compare with the performance of other systems.

66. Control Group: part of operations. Collects input from the various user departments; collects, logs and submits the forms and other inputs.
67. IPF = Computer Room + Support Area
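A segregation-of-duties check of the kind items 26-33 and 38 describe, run as an auditor would run it with GAS or another CAAT over an access-list extract, and combined with the duplicate-name check from Domain 1 item 89. This is an added example, not the study guide's own code: the conflict matrix, the role names and the access-list rows are all constructed, and a real engagement would take the matrix from the organization's own policy and the extract from its access-control system.

```python
"""Segregation-of-duties (SoD) check over a user access-list extract.

Added example; it is not the study guide's own code.  It does what an
auditor would do with GAS/CAAT tooling: list the roles each user ID holds,
flag users holding two duties the policy says must be separated (e.g. an
application programmer with production library access), and find the same
person under more than one user ID, since a conflict can be hidden by
splitting it across accounts.  The conflict matrix, role names and the
access-list rows are all constructed for the example.
"""
from collections import defaultdict

# Assumed policy: pairs of duties one individual must not hold together.
CONFLICTS = {
    frozenset({"application_programmer", "production_library_access"}),
    frozenset({"transaction_authorization", "reconciliation"}),
    frozenset({"data_entry", "transaction_authorization"}),
    frozenset({"security_administration", "application_programmer"}),
}

# Constructed extract from the access-control list: (user_id, name, role).
ACCESS_LIST = [
    ("u1001", "A. Smith", "application_programmer"),
    ("u1001", "A. Smith", "production_library_access"),
    ("u1002", "B. Jones", "transaction_authorization"),
    ("u1003", "C. Lee", "reconciliation"),
    ("u1004", "D. Patel", "data_entry"),
    ("u1004", "D. Patel", "transaction_authorization"),
    ("u1005", "E. Kim", "security_administration"),
    ("u1006", "E. Kim", "application_programmer"),   # second ID, same person
]


def roles_by_key(access_list, key_index=0):
    """Group roles by user ID (key_index=0) or by name (key_index=1)."""
    roles = defaultdict(set)
    for row in access_list:
        roles[row[key_index]].add(row[2])
    return roles


def sod_violations(access_list, conflicts=CONFLICTS, by_name=False):
    """Map each offending user (ID, or name when by_name=True) to the
    sorted list of conflicting duty pairs it holds."""
    grouped = roles_by_key(access_list, 1 if by_name else 0)
    findings = {}
    for who, roles in grouped.items():
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= roles)
        if hits:
            findings[who] = hits
    return findings


def duplicate_names(access_list):
    """Names that appear under more than one user ID: the GAS duplicate check."""
    ids = defaultdict(set)
    for uid, name, _ in access_list:
        ids[name].add(uid)
    return {name: sorted(uids) for name, uids in ids.items() if len(uids) > 1}


if __name__ == "__main__":
    print("per user ID    :", sod_violations(ACCESS_LIST))
    print("duplicate names:", duplicate_names(ACCESS_LIST))
    # Merging the duplicate IDs exposes E. Kim's hidden conflict.
    print("per person     :", sod_violations(ACCESS_LIST, by_name=True))
```

The per-ID pass alone would report two users and miss the third; only after the duplicate-name check merges the two IDs does the security administrator who also holds a programmer role appear, which is why the two checks belong together in the audit program.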

Important Comparison Charts


Data Administrator
a. Found only in very large organizations.
b. Responsible for data architecture: defining data elements, data names and relationships.
c. Sets operational standards for the data dictionary (with IS management).

Database Administrator
a. Found in every organization maintaining a database.
b. Responsible for integrity, availability and maintenance of the database; maintains the database system; develops the physical and logical database structure (but not the architecture).
c. Develops the data dictionary as per the standard set by the Data Administrator.

Data Control Group
Responsible for:
1. Checking all data
2. Validity of input
3. Accuracy of output
4. Control manual

Production Control Group
Responsible for:
1. Job submission
2. Job scheduling
3. Media management

Quality Assurance
a. Ensures that quality processes are being followed.
b. Ensures that documentation adheres to standards.

Quality Control
a. Performs compliance tests and carries out reviews.
b. Tests whether the documentation really adheres to standards.

Application Programming
Develops programs for the business need.

System Programming
Develops programs for system needs, e.g. the operating system.

Domain 3: Technical Infrastructure and Operations


1. ITT stands for Invitation to Tender.
2. Under-utilization refers to less than 80 to 85% of resources being used.
3. Aggregation w.r.t. databases: the process of combining information from many sources. This may produce new information that is far more sensitive than any of its parts.
4. Inference w.r.t. databases: in layman's terms, "reading between the lines", i.e. deducing information that is not explicitly stored.
5. Frame relay handles multiple virtual circuits.
6. Frame relay has variable frame length.
7. ATM makes time slots available on demand.
8. The most commonly used serial encapsulation is PPP.
9. PPP uses two protocols: LCP and NCP.
10. The NSP (Network Service Provider) is the local service provider to which you connect for a WAN.
11. The three categories of VPN are:
a. Remote Access VPN
b. Intranet VPN
c. Extranet VPN
12. WML is XML for wireless.
13. WMLScript is JavaScript for wireless.
14. The storage capacity of mobile devices (at the time of writing) is 2 MB to 64 MB.
15. A major limitation of WEP is that all clients use the same encryption key. (WEP is now considered broken regardless of key length; WPA2 or later should be used.)
16. A 64-bit WEP key can be broken; a 128-bit key can have a 20% detrimental effect on the performance of mobile units.
17. A VLAN can be created for the wireless LAN for extra security.
18. A translation point is the point where SSL changes to WTLS (the WAP gateway).
19. In metropolitan area networks, IEEE 802.6 is used, which might also be the network for cable television.
20. PBX controls must cover:
a. DID (Direct Inward Dial)
b. Long-distance calls
c. Blocking of 800 and 900 numbers
d. Logging of phone calls
21. Lights-out operations:
a. Console operation
b. Report generation
c. Job scheduling
d. System run and re-run facility
22. Data entry controls:
a. Key verification (one-to-one verification)
b. Segregation of duties
23. Job accounting applications do the following:
a. Monitor IS resource usage
b. Record and log the activities
24. To judge the effectiveness of the SLA, look at the downtime or availability reports.
25. ISACA treats the ring topology as the most available. However, other sources may consider star more applicable.
26. Data reliability is handled at the Transport layer.
27. Congestion control is also at the Transport layer.
28. Routing (network-layer) functionality is not found at the Session or Data Link layer.
29. Capacity monitoring helps to support large numbers of concurrent users on the system.
30. The most critical component of network management is configuration management.
31. A retention-date control prevents data (e.g. a parent backup generation) from being overwritten before its expiry.
32. Network diagnostic tools: protocol analyzers.
33. TCP handles network congestion and error handling.
34. E-cash, once used, cannot be reused.
35. A firewall is recommended at the connection to the Internet and at remote connections.
36. An intelligent hub should be used to close (disable) inactive connections.
37. A hub itself poses little risk from an outside hacker, although every host on a hub can see all of the hub's traffic.
38. A hub decreases network performance.
39. Batch balancing verifies the outgoing result against control totals.
40. System errors can be found in the console log.
41. Whenever there is a question of "finding a pattern", look for neural networks or AI.
42. To check security, observation is the best test.
43. A screened subnet firewall is the best firewall architecture.
44. The most common error w.r.t. firewalls is misconfiguring the interface.
45. An application gateway firewall has the greatest degree of granularity.
46. The port is checked at layer 4 (TCP/UDP port).
47. An application gateway is even better than a circuit-level gateway.
48. A frame can be stored in a bridge (store-and-forward implementation).
49. Try to put error logs on write-once media (e.g. CD-R).
50. Satellite communication and microwaves both use electromagnetic radiation.
51. Users with supervisory privileges can be identified via the system control configuration (control options).
52. With respect to services, if the question asks about performance, the answer has to do with performance management. If it asks about user management, it is the user manual.
53. If a LAN cable has to extend a great distance, there may be a problem with attenuation.
54. Twisting in UTP cable reduces crosstalk; only fibre-optic cable is free of crosstalk and EMI.
55. PING is used to see latency, not delay distortion.
56. Use capacity planning for efficient use of resources.
57. Parity check, a.k.a. vertical redundancy check:
a. An additional bit per character
b. The problem is identified at the receiving end
58. Block sum check:
a. An extension of parity checking
b. Checks not only the character but also the block of characters
c. An additional set of parity bits for the block
d. A.k.a. block (sum) check character
59. Frame Check Sequence (FCS) or Cyclic Redundancy Check (CRC):
a. One step more advanced than parity and block checks
b. Parity checks cannot detect errors at the block level
c. Block sum checks cannot detect errors at the frame level
d. To ensure frame integrity, a check value (the CRC, typically 16 or 32 bits) is appended at the end of the frame
60. Echo check:
a. Transmits all of the data back to the source for comparison
b. Very high load on the network
c. Not practical
61. In summary, errors can be checked at three levels, in ascending order: character (parity check), block (block sum check) and frame (frame check sequence, i.e. CRC).
62. The most effective check is CRC.
63. A checksum is for errors during transmission.
64. Conduits for data and electricity should be separate.
65. BLP (Bypass Label Processing): used while reading a file; it could compromise security because it skips the label checks.
66. Line-of-sight transmission = microwave transmission.
67. RJE (Remote Job Entry): transmission of JCL (Job Control Language) and transaction batches from a remote terminal.
68. SPOOL (Simultaneous Peripheral Operation Online): an automated function providing storage areas for communication; normally used with printers.
69. A database is normalized to ensure integrity, avoid duplicate records and save storage space.
70. A database is de-normalized to increase efficiency (performance).
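The three levels of error checking in items 57-62 (character parity, block sum check, CRC) implemented and run against a constructed frame, so the "ascending order" claim can be seen rather than memorized: an error pattern is chosen that parity misses, one that the block check misses, and one that only the CRC catches. This is an added example, not the guide's own code; the frame contents and error patterns are made up, while the CRC-32 polynomial and its check value for "123456789" are the standard ones.

```python
"""Character parity (VRC), block sum check character (LRC) and CRC-32 over a
constructed frame, showing why the guide ranks them in ascending order.

Added example, not the study guide's own code.  The frame contents and the
error patterns are made up; the CRC-32 polynomial (reflected 0xEDB88320,
IEEE 802.3) and its check value for b"123456789" (0xCBF43926) are standard.
"""


def parity_bit(byte: int) -> int:
    """Even parity: 1 if the byte has an odd number of 1 bits, else 0."""
    return bin(byte).count("1") & 1


def parity_bits(data: bytes) -> list:
    """One parity bit per character: the vertical redundancy check."""
    return [parity_bit(b) for b in data]


def block_check_character(data: bytes) -> int:
    """Block sum check: XOR of every byte, i.e. a parity bit for each bit
    position across the whole block (a.k.a. longitudinal redundancy check)."""
    bcc = 0
    for b in data:
        bcc ^= b
    return bcc


def crc32(data: bytes) -> int:
    """Bitwise CRC-32 as appended in an Ethernet frame check sequence."""
    crc = 0xFFFFFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def flip_bits(data: bytes, positions) -> bytes:
    """Simulate line noise: flip each (byte_index, bit_index) given."""
    buf = bytearray(data)
    for byte_idx, bit_idx in positions:
        buf[byte_idx] ^= 1 << bit_idx
    return bytes(buf)


def detected_by(sent: bytes, received: bytes) -> dict:
    """Which check values, computed by the sender and recomputed by the
    receiver, disagree?  True means the corruption was detected."""
    return {
        "parity": parity_bits(sent) != parity_bits(received),
        "block_sum": block_check_character(sent) != block_check_character(received),
        "crc32": crc32(sent) != crc32(received),
    }


FRAME = b"AUDIT LOG 0001"          # constructed 14-byte (112-bit) frame

# Constructed error patterns, from the one every check catches to the one
# only CRC catches: two flipped bits in a byte keep that byte's parity, and
# the same bit position flipped in two bytes cancels out in the XOR block check.
CASES = {
    "one bit in one byte": [(2, 0)],
    "same bit in two bytes": [(2, 0), (5, 0)],
    "two bits in each of two bytes": [(2, 0), (2, 1), (5, 0), (5, 1)],
}

if __name__ == "__main__":
    for name, flips in CASES.items():
        print(f"{name:32}", detected_by(FRAME, flip_bits(FRAME, flips)))
```

The last case is the one that matters for the exam point: four flipped bits that leave every character's parity and the block check character unchanged are still caught by the CRC, which for a frame this short detects any error of up to five bits.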

Important Comparison Charts


Data Management
a. Category: system software; part of the operating system.
b. Meant for the system.
c. Deals with data buffering, I/O operations and file management.
d. Major types of file organization: sequential, indexed sequential and direct (random) access.
e. Commercially available products: ISAM, VSAM from IBM.

Database Management System
a. Category: application software; sits on top of the operating system.
b. Meant for the business user.
c. Deals with data definition and data manipulation in tables.
d. Major types of database management: hierarchical, network and relational.
e. Commercially available products: Oracle, DB2, SQL Server, Informix.

Active Data Dictionary
a. Repository of data elements.
b. Assists application processing, e.g. validation.

Passive Data Dictionary
a. Repository of data elements (same as the active dictionary).
b. No assistance is provided for application processing.

Domain 4: Protection of Information Assets


1. The secret used for encryption and decryption is known as a KEY.
2. Most encryption processes use one of the following:
a. Private Key/Public Key (asymmetric)
b. Secret Key (symmetric)
c. Hash Function
d. Digital Certificates
e. "Private key encryption" means symmetric (secret-key) encryption and should not be confused with the private key of a PKI key pair.
f. The most common type of secret-key encryption (when this guide was written) is DES:
i. DES uses a 64-bit key: 56 bits for encryption and 8 for parity
ii. DES operates on 64-bit blocks of data:
1. First, an initial permutation (transposition) scrambles the data
2. Second, the block is split into two 32-bit halves
3. Third, the result goes through 16 rounds of substitution, transposition and exclusive OR (XOR)
4. Fourth, the two halves are rejoined after the 16th round
5. Fifth, a final permutation (the inverse of the initial permutation) is applied
g. DES is not reliable: a 56-bit key has been cracked in 56 hours after checking only 24.8 percent of the key space.
3. Moore's Law (1965): the number of transistors per square inch doubles every 18 months.
4. Effective key space shrinks by a factor of ten every five years as computing power grows.
5. DES has been replaced by AES, which supports key sizes of 128, 192 and 256 bits.
6. PKI (RSA) keys are 1024 bits or larger; 1024-bit RSA is no longer considered adequate, and 2048 bits is the current minimum.
7. A common form of public-key encryption is RSA.
8. The product of two large prime numbers is called the modulus.
9. Non-repudiation and authentication are achieved by signing with the sender's Private Key.
10. Confidentiality is achieved by encrypting with the receiver's Public Key.
11. ECC is used for public-key cryptography:
a. Public-key cryptography is expensive not because of the encryption step itself but because of the computation needed to generate and use very large keys
b. ECC reduces the processing power required
c. 160 bits of ECC give roughly the strength of 1024 bits of RSA
d. ECC is based on the discrete logarithm problem (over elliptic curves)
12. Quantum cryptography (quantum key distribution) is the next generation:
a. Works on the quantum uncertainty principle
b. Key generation is based on photon polarization states
c. The sender emits photons with randomly chosen polarization
d. The receiver records the polarization of each photon:
i. Horizontal
ii. Vertical
iii. Left diagonal
iv. Right diagonal
e. As per a prearranged code, polarization states are mapped to bits, e.g.
i. Vertical and right diagonal = 1
ii. Horizontal and left diagonal = 0
13. An MD5 hash is 128 bits (SHA-1 gives 160 bits; the SHA-2 family 224 to 512 bits).
14. Normally MD2, MD4 or MD5 is used. (MD4 and MD5 are no longer considered secure for signatures; SHA-2 should be used.)
15. MD2 is very different; it is for 8-bit machines.
16. MD4 and MD5 are meant for 32-bit machines.
17. Sender authentication = non-repudiation.
18. Public-key encryption is vulnerable to man-in-the-middle attacks (an attacker substitutes his own public key).
19. A CA is required to protect the Public Key against man-in-the-middle attacks.

PKI and CA
20. A Digital Certificate confirms that the Public Key really belongs to whom it claims to belong.
21. How is the Digital Certificate made secure? It is signed by a Certificate Authority (CA).
22. How does the receiver know that the certificate really comes from the CA? The CA's own (root) certificate is already trusted, e.g. pre-installed or obtained through an out-of-band channel.
23. Working with Digital Certificates:
a. The sender signs the document with his Private Key and attaches the signature to the document
b. He sends his Public Key in a certificate signed by a trusted third party, such as Verisign
c. The receiver must not simply assume the certificate is valid; an unverified certificate can be dismissed
d. The receiver checks whether the certificate is valid:
i. Uses the Public Key of the third party to verify the CA's signature, and cross-checks with the third party (e.g. Verisign) that the certificate has not been revoked
ii. The sender's Public Key from the certificate is then used to verify the signature (and the receiver's own Private Key to decrypt anything encrypted to him)
24. Kerberos:
a. Authenticates both server and client
b. Used in a distributed environment
25. First the message is signed, then it is encrypted.
26. Signed with the sender's Private Key, and encrypted with the other person's Public Key.
27. These days the trend is to sign with the sender's Private Key, encrypt the message with a Secret (session) Key, and encrypt that Secret Key with the receiver's Public Key. This way the public-key operation touches only a small amount of data.
28. Before using anyone's Public Key, it should be confirmed by the CA.
29. It is possible to encrypt the message with a Session Key and send the Session Key encrypted with the Public Key of the receiver.
30. Encryption of the message body is done with the Secret Key, not with a Public Key. The Public Key is used only to send the Secret Key, as public-key operations are slow and the keys long, whereas the Secret Key is small and symmetric encryption is fast.

PKI Components
31. CA
a. The CA binds a public/private key pair to its owner (the key pair itself is usually generated by the owner)
b. Issues a certificate after due diligence
c. Signs the certificate with its Private Key
i. Two types of CA:
1. Organization-empowered (closed) CA
2. Liability-empowered (open) CA, such as Verisign, Certco and Cybertrust
d. When a sender sends a Digital Certificate, it is like any other certificate: issued in the sender's name by some authority and signed by that authority. It can be re-confirmed: the certificate just needs to be checked with the authority's Public Key.
e. The sender's Digital Certificate tells the other party that the Public Key is valid because it has been verified by the certifying body.
f. Digital Certificate = Sender's Public Key + CA Signature (made with the CA's Private Key)
32. RA
a. Manages the directory of certificates
b. Maintains the certificate lifecycle
c. Certificate Revocation List (CRL)
d. The RA is concerned with authorizing (registering) the applicant; the CA deals with issuing and signing the certificate
e. Registration is a one-time job; the CA is more transaction-oriented
f. The RA is optional; the CA is a must
g. The CRL is closely related to the RA
33. Use of encryption in the OSI model:
a. All layers can be encrypted, except the physical layer
b. The scope of the encryption can be tailored at the application layer
c. If encryption is to be transparent to the user, it should be at the Network layer or Transport layer
d. When this guide was written, encryption at the Network and Transport layers was not generally used because of its cost, and all components at the same peer level must support the same encryption. (IPsec and TLS have since made these the most common layers for encryption.)
e. Data link layer encryption is encryption of the local (link) traffic
34. SSH:
a. Similar to IPsec in purpose
b. IPsec works at the Network layer (layer 3); SSH works at the application layer
35. SSL:
a. Uses both symmetric and asymmetric keys
36. S-HTTP is for individual messages, not for the session.
37. IPsec:
a. More of a framework than a single protocol
b. Three components: header, payload, encryption key
c. These map to AH, ESP and IKE
d. In implementing IKE, the public keys have to be exchanged
e. To exchange keys securely, ISAKMP (Internet Security Association and Key Management Protocol) is used
f. The key can be obtained from a Digital Certificate
g. IPsec is independent of the security algorithms used
h. Two main concepts:
i. Security Association
ii. Tunneling
i. Security Association: the agreed parameters (algorithms, keys, lifetimes) for one direction of traffic
j. AH is responsible for the integrity and authentication of the IP datagram
k. ESP provides integrity, authentication AND confidentiality (encryption)
l. AH can be used in transport mode and tunnel mode
m. In tunnel mode the entire original IP packet, including its header, is encapsulated (and, with ESP, encrypted)
n. Encryption in IPsec is optional; however, integrity and authentication go together

Firewall Summary of Points
38. Packet Filtering Firewall:
a. The first kind of firewall is the packet filtering router
b. Examines the header: IP addresses and port numbers
c. Filtering rules are applied at the network layer
d. A hacker can tunnel through an allowed service, e.g. port 80
e. If the router is compromised, the network is compromised
f. Problems with packet filtering:
i. IP spoofing
ii. Source routing specifications
iii. Tiny (miniature) fragment attack: the IP packet is fragmented; the first fragment is stopped, but later ones may go through
39. Application Firewall: divided into two kinds, application-level and circuit-level:
a. A packet filtering router works on packets
b. An application firewall works on information:
i. An application-level firewall analyzes traffic with the help of proxies
ii. May affect performance
iii. Requires a separate proxy for each application
c. Circuit-level firewall (a proxy that validates sessions rather than inspecting application content):
i. Validates TCP and UDP sessions prior to establishing a connection
ii. Very few circuit-level firewalls are available commercially
iii. Does not require a special proxy for each application
40. Stateful Inspection:
a. Keeps track of inside requests and only allows in those packets that are in response to inside network requests
b. Works at the transport layer and applies the rules there
41. Screened Host = Screening Router + Bastion Host
42. DMZ = Screened Subnet Firewall
43. Can be built with two packet-filtering routers or one firewall with separate DMZ network cards.

MISC
44. Data owner = Business owner
45. Process Owner/System Owner = Custodian
46. Confidentiality = Encryption
47. With regard to controlling viruses, the software comes first, then the policy
48. The strongest authentication method is biometrics
49. The most effective method of stopping unauthorized use of data is access control software
50. The best way to ensure that the master file was updated correctly is a before-and-after maintenance report
51. For small businesses: "Supervision is the best" (it compensates for limited segregation of duties)
52. Data diddling means manipulating data before it enters the computer
53. The primary safeguard for protecting online data is logical access control
54. In an online system, the sequence is:
   a. Authentication
   b. Verification
   c. Authorization
55. The security established FIRST in the OSI model is at the Session Layer
56. Encryption is normally at the presentation layer
57. The Security Administrator should assign the initial password
58. A Digital Certificate binds the holder's name (the subject) to the public key; the CA vouches for that binding and keeps the registration records
59. The biggest concerns with remote access are authentication and authorization
60. The most important data protection objective for a business organization is INTEGRITY
61. Naming conventions reduce the number of access rules required
62. In telecommunication monitoring, the most important report is the Online Monitor Report, which tracks the availability of the circuits.
63. The most effective type of virus check is an integrity checker
64. A VPN is created by encapsulation (tunneling), not by encryption; encryption is applied on top of the tunnel
65. Availability is the first casualty of network monitoring
66. The greatest assurance regarding database integrity comes from table link/referential-integrity checks.
67. The best way to protect data on a PC is ENCRYPTION.
68. The most environmentally friendly fire suppression is a dry-pipe sprinkler
69. Identification tags (badges) provide the least control
70. The security log file should be read-only
71. The greatest security for Internet communication is provided by a VPN in tunnel mode
72. Digital Certificates issued by trusted third parties are the most reliable
73. The first step in data classification is establishing DATA OWNERSHIP
74. Unmanned computer centres can use carbon dioxide (CO2) against fire; it is unsafe where people are present.
75. Information security provides the framework for logical access
76. An effective Security Policy requires a framework
77. In a network audit the auditor reviews the network diagram and focuses on the entry points.
78. For biometrics, the lower the EER (equal error rate: the point where the false-acceptance and false-rejection rates cross) the better
79. Penetration tests exploit vulnerabilities
80. A smart card (card plus PIN) is considered two-factor authentication; some consider it three-factor when a biometric is added
81. A time stamp is required to avoid duplicate (replayed) online transactions
82. A Registration Authority (RA) verifies the identity of applicants and handles registration on behalf of the CA.
83. The CA issues the certificates and the Certificate Revocation List (CRL); the CRL is a critical point, since relying parties must be able to check it.
84. The CA attests to (signs) the certificate.
85. To defend against DoS, both inbound and outbound filters are needed (outbound filtering stops the organization's own hosts from being used to attack others)
86. Capturing a data stream and re-sending it later is called a replay attack
87. A sensor collects data for an IDS
88. A Privacy Impact Analysis (PIA) is performed by people who are expert in the law, operations and risk. A PIA ensures that privacy is maintained throughout the business cycle.
89. The effectiveness or proper utilization of the asset is not included in the audit
90. Applets that record keystrokes pose the greatest risk to the organization
91. A token card is two-factor authentication (something you have plus a PIN)
92. The minimum level of authentication is login ID and password

93. The initial password should be randomly generated and safely communicated to the user
94. A group (shared) password should never be used.
95. Before resetting a password, the caller's identity should be verified; the checks depend on the sensitivity of the operation:
   a. Mother's maiden name (or a similar challenge question)
   b. Returning the phone call on the user's extension
   c. Calling the supervisor for verification
   The password itself:
   d. Should be one-way encrypted, i.e. hashed
   e. Should be changed by the user to a password of his own
   f. Should be 5 to 8 characters long
   g. No previous password should be reused
   h. Privileged users should be more closely monitored
96. A token generates a one-time password
97. Access rules are part of authorization
98. Access should be granted on a need-to-know and need-to-do basis
99. The least dangerous access is inquiry (reading) of non-sensitive information.
100. The IS auditor should have three lists:
   a. List of the critical assets
   b. List of the remote access points
   c. List of the communication links to the outside world
101. Logs should be maintained on write-once devices
102. An audit trail should be analyzed with the help of tools
103. Executive management should be notified and should decide when to contact law enforcement officials.
104. Three major problems regarding system access are:
   a. Bypass Label Processing (BLP)
   b. System exits
   c. Special system IDs
105. If controls are inadequate, look for compensating controls
106. MOSS stands for MIME Object Security Services
107. MOSS helps to provide confidentiality, integrity, authentication and non-repudiation for MIME messages
108. SSL stands for Secure Sockets Layer. It was introduced in 1994. It sits between the transport and application layers (conventionally placed at the Session Layer) and authenticates the server to the client. It supports public-key cryptography and digital certificates. HTTPS uses port 443.
109. Asynchronous Attacks
   a. Operating-system-based attacks
   b. Violate the "job isolation" principle of the operating system
   c. In a multitasking environment, each program stops at a certain point, the "checkpoint", gives a turn to other programs and then restarts.
   d. The intruder takes control at the checkpoint and runs the program at a higher privilege level to access more resources.
   e. The intruder thus takes advantage of the asynchronous switching between tasks.
110. CRC (integrity-checking) tools are detective, not preventive. They assume the file was clean when it was first baselined, which is not necessarily the case.
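Items 93 to 96 describe password handling as a set of rules: a random initial password that the user must replace, one-way hashing, a length rule and no reuse of previous passwords. The following is an added example, not code from the study guide, showing those rules enforced in one place. The PBKDF2 work factor, the minimum length of 8 (the guide says 5 to 8 characters) and the history depth of 5 are assumptions; the account and passwords are constructed.

```python
"""Added example (not from the study guide): password storage and change
rules from items 93 to 96 enforced in code.  Work factor, minimum length
and history depth are assumed values."""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000          # PBKDF2 work factor (assumed)
MIN_LENGTH = 8                # assumed policy; the guide says 5 to 8 characters
HISTORY_DEPTH = 5             # how many previous hashes to keep for the reuse check


def hash_password(password, salt):
    """One-way salted hash: this is what gets stored, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password, salt, digest):
    """Constant-time comparison of a candidate against a stored hash."""
    return hmac.compare_digest(hash_password(password, salt), digest)


def generate_initial_password():
    """Random initial password, to be communicated to the user out of band
    (item 93); it is only ever valid until the user's first change."""
    return secrets.token_urlsafe(9)


class Account:
    def __init__(self, username, initial_password):
        self.username = username
        self.history = []          # (salt, digest) pairs, oldest first
        self.must_change = True    # forces the user to pick a password of his own
        self._store(initial_password)

    def _store(self, password):
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]

    def login(self, password):
        """Check against the current (most recent) hash only."""
        salt, digest = self.history[-1]
        return verify(password, salt, digest)

    def change_password(self, old, new):
        """Return 'ok' or the reason the change was refused."""
        if not self.login(old):
            return "current password incorrect"
        if len(new) < MIN_LENGTH:
            return "too short"
        # No previous password may be reused: test the candidate against every
        # retained hash.  Each has its own salt, so each must be recomputed.
        if any(verify(new, salt, digest) for salt, digest in self.history):
            return "previous password reused"
        self._store(new)
        self.must_change = False
        return "ok"


if __name__ == "__main__":
    acct = Account("alice", generate_initial_password())
    print(acct.must_change, len(acct.history))
```

Because only salted hashes are retained, the reuse check cannot compare strings; it has to hash the candidate under each stored salt, which is why a long history has a real cost at the chosen work factor.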

Biometrics Options Summary


Palm
   Analyses ridges, valleys and minutiae
   Response time: 2 to 3 seconds
   EER: 0

Hand Geometry
   Three-dimensional analysis; the hand is placed with the five fingers spread inside guidance pegs
   Typical characteristics recorded: 90 plus
   Storage required: 10 to 20 bytes
   Limitation: hand injury
   EER: 0.1%

Iris
   The user is asked to centre the eye so the iris can be seen by the device and photographed
   Typical characteristics recorded: 400; 260 are used for the template
   Storage required: 512 bytes
   Response time: 3 to 5 seconds
   Limitation: high cost and high amount of storage
   EER: 0.5%

Retina
   An image of the blood-vessel pattern of the retina is taken; one of the lowest false-acceptance rates
   Typical characteristics recorded: 400
   Storage required: 96 bytes
   Response time: 3 to 5 seconds
   Limitation: high cost and high amount of storage
   EER: 1.5%

Fingerprint
   The features extracted from the fingerprint image are called "minutiae"; the template contains a subset of the image data
   Typical characteristics recorded: 400
   Storage required: 250 to 1,000 bytes (the more storage, the fewer errors)
   Response time: 5 to 7 seconds
   Limitation: injured finger
   EER: 1.5%

Other Behavior-Oriented Systems


Signature Recognition
   Also known as signature dynamics
   Typical characteristics recorded: pen speed, pressure, stroke length and angle
   Storage required: 256 bytes
   Response time: 4 to 6 seconds
   Limitation: poor accuracy, not reliable

Voice Recognition
   Depends on the user saying a "passphrase"
   Typical characteristics recorded: pitch, dynamics, waveforms
   Storage required: 1,500 to 3,500 bytes
   Response time: 4 to 6 seconds
   Limitation: poor accuracy, not reliable; mis-spoken phrases, a person with a cold, etc.
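The EER figures quoted in the summary above (and item 78, "the lower the EER the better") are the crossover of two curves that move in opposite directions as the matching threshold changes. The following is an added example, not from the study guide, that computes the false acceptance rate, the false rejection rate and the equal error rate from a constructed set of matcher scores; the scores, the 0 to 100 scale and the linear threshold sweep are assumptions for the illustration.

```python
"""Added example (not from the study guide): false acceptance rate (FAR),
false rejection rate (FRR) and equal error rate (EER) of a biometric
matcher, computed from constructed scores."""

# Constructed matcher scores on a 0..100 similarity scale (higher = closer
# to the enrolled template).  Genuine = the legitimate user presenting,
# impostor = someone else presenting against that template.
GENUINE_SCORES = [91, 88, 85, 84, 80, 78, 76, 72, 70, 65, 60, 55]
IMPOSTOR_SCORES = [20, 25, 30, 35, 40, 45, 50, 55, 58, 62, 66, 70]


def far(threshold, impostor=IMPOSTOR_SCORES):
    """Fraction of impostor attempts wrongly accepted (score >= threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(threshold, genuine=GENUINE_SCORES):
    """Fraction of genuine attempts wrongly rejected (score < threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def equal_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every integer threshold and return (threshold, eer) at the
    crossover, the threshold where FAR and FRR are closest.  A lower EER
    means the system discriminates better; raising the threshold trades
    false acceptances for false rejections."""
    best_t, best_eer, best_gap = None, None, None
    for t in range(0, 101):
        a, r = far(t, impostor), frr(t, genuine)
        gap = abs(a - r)
        if best_gap is None or gap < best_gap:
            best_t, best_eer, best_gap = t, (a + r) / 2, gap
    return best_t, best_eer


def tradeoff_table(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES, step=10):
    """(threshold, FAR, FRR) rows: the trade-off an administrator tunes.
    A high-security setting sits right of the crossover (low FAR, high FRR)."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in range(0, 101, step)]


if __name__ == "__main__":
    for row in tradeoff_table():
        print("threshold %3d  FAR %.2f  FRR %.2f" % row)
    print("EER at threshold %d: %.3f" % equal_error_rate())
```

With the constructed scores the curves cross at threshold 63 with an EER of about 16.7%; a matcher whose genuine and impostor scores do not overlap at all reaches an EER of 0, which is what the summary's "EER: 0" entries claim for palm recognition.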

Domain 5: DRP
1. The objective of BCP is to reduce the risk.
2. Planning is the responsibility of senior management
3. BCP = DRP + plan for the continuity of business operations
4. Short-term and long-term strategies are required.
5. Hot sites become operational within a few hours
6. Hot sites are intended as an emergency option over a limited period
7. A hot site is intended for several weeks, not months
8. Warm sites are partially ready, without the mainframe (the main processing equipment).
9. The assumption with a warm site is that the missing equipment can be installed on an emergency basis.
10. Cold site: a site with the basic environment (HVAC, power, space) only. Takes several weeks to set up.
11. The ideal site is a "Duplicate Information Processing Facility"
   a. Dedicated
   b. Self-developed recovery
   c. Standby sites (in some cases reciprocal)
12. Problems with reciprocal agreements:
   a. Both parties may be subject to the same disaster
   b. Availability of resources
   c. Not enforceable
   d. Staff assistance
   e. Confidentiality
13. The detailed disaster recovery plan is based on the recovery strategy
14. Checklist of teams:
   a. Emergency Action Team: first response; evacuation of personnel
   b. Damage Assessment Team
   c. Emergency Management Team
   d. Offsite Storage Team
   e. Software Team
   f. Application Team
   g. Security Team
   h. Emergency Operation Team
   i. Network Recovery Team
   j. Communication Team
   k. Transport Team
   l. User Hardware Team
   m. Data Preparation and Record Team
   n. Administrative Support Team
   o. Supplies Team
   p. Salvage Team
   q. Relocation Team
15. Major services required are as follows:
   a. Support services
   b. Business operations
   c. Information processing
16. Copies of the business continuity plan must be held offsite, possibly at the home of the decision-maker.
17. A notification directory of the key decision-makers is a must
18. All necessary supplies should be there
19. A list of printed and pre-printed forms.
20. Telephone lines safe from hackers and phreakers
21. Who will bring the data
22. Multiple access routes to the site
23. Difference between alternate routing and diverse routing:
   a. Alternate routing: the medium is different, e.g. a dial-up line for a leased line, a cellular phone for a normal phone.
   b. Diverse routing: traffic is routed through split or duplicate cable facilities. The medium is the same; the cables may run in the same conduit or, better, along different physical paths.
24. Long-haul network diversity: availability of the long-distance network through more than one route or carrier
25. Separate or redundant last-mile circuit protection
26. Voice recovery
27. RAID levels:
   a. Level 0 = disk striping; better performance, no redundancy
   b. Level 1 = mirroring; redundancy through a duplicate copy of every disk
   c. Level 2 = Hamming-code error correction
      i. Requires several dedicated ECC disks; rarely used
   d. Level 3 = dedicated parity drive with byte-level parity; stripes the data
      i. Enhanced form of Level 0
      ii. Dedicated parity drive
      iii. Better performance with a hardware-based solution
   e. Level 4 = same as 3 but with block-level parity; a specific disk is dedicated to the parity information
   f. Level 5 = stripes the data with the parity distributed across all the disks; better performance with a hardware-based solution
   g. Level 6 = like Level 5 but with two independent parity blocks per stripe; survives the failure of two disks
28. Responsibility for maintaining the BCP falls on the BCP Coordinator
29. There must be an off-site library for media and a rotation of media
30. Automation of backups prevents erroneous or missed backups
31. Real-time files require special backup procedures
32. Backup is needed of the object code as well as the source code.
33. If a "before-image" dump is taken, restoration is to the state before the last image (update).
34. The problem with a reciprocal arrangement is that it is difficult to maintain if either party upgrades its hardware or software.
35. The back-up site should have the same controls as the production site
36. Hot sites are up within hours
37. The back-up site should have the object code, the source code and the patches
38. Insurance is a secondary consideration; it does not replace a workable plan.
39. The main objective is a workable plan, FAST!
40. A similar, but not necessarily identical, hardware configuration is needed
41. Diverse routing is via split cable
42. Alternate routing is done using different media
43. Long-haul network diversity uses an alternate long-distance line
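Item 27 lists the RAID levels by where their parity lives; the parity itself is a plain XOR, which is why any single lost block in a stripe can be rebuilt from the rest. The following is an added example, not from the study guide, that writes constructed data across a small RAID 5 style array with rotating parity, removes one disk and rebuilds it. The array size, block size, parity rotation rule and sample data are assumptions; a real controller does the same arithmetic per block.

```python
"""Added example (not from the study guide): XOR parity as used by RAID 3/4/5,
with RAID 5 style rotating parity and a rebuild of a failed disk.
Array geometry and data are constructed for illustration."""


def xor_blocks(blocks):
    """XOR of equal-length byte strings: the parity block of a stripe."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe_index, ndisks):
    """RAID 5 rotates the parity block across the disks stripe by stripe;
    RAID 3/4 would return one fixed disk instead (a write bottleneck)."""
    return (ndisks - 1 - stripe_index) % ndisks


def raid5_write(data, ndisks, block_size):
    """Return a list of ndisks block lists: each stripe holds ndisks-1 data
    blocks plus one parity block.  Data is zero-padded to whole stripes."""
    per_stripe = block_size * (ndisks - 1)
    data = data + b"\x00" * (-len(data) % per_stripe)
    disks = [[] for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(ndisks - 1)]
        blocks.insert(parity_disk_for(s, ndisks), xor_blocks(blocks))
        for d in range(ndisks):
            disks[d].append(blocks[d])
    return disks


def raid5_read(disks, length):
    """Reassemble the data, skipping the parity block of each stripe."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity = parity_disk_for(s, ndisks)
        for d in range(ndisks):
            if d != parity:
                out += disks[d][s]
    return bytes(out[:length])


def rebuild_disk(disks, failed):
    """With one disk lost (disks[failed] is None), every block on it, data or
    parity alike, is the XOR of the surviving blocks in its stripe."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    rebuilt = [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]
    return [rebuilt if i == failed else d for i, d in enumerate(disks)]


def demo():
    """Lose disk 2 of a 4-disk array, rebuild it, and report whether the data
    and the rebuilt disk match the originals."""
    data = b"Backup is needed of the object code as well as the source code."
    disks = raid5_write(data, ndisks=4, block_size=8)
    degraded = [None if i == 2 else d for i, d in enumerate(disks)]
    repaired = rebuild_disk(degraded, failed=2)
    return raid5_read(repaired, len(data)) == data, repaired[2] == disks[2]


if __name__ == "__main__":
    print(demo())   # (True, True): one lost disk is fully recoverable
```

A second simultaneous disk loss leaves two unknowns per stripe and one equation, which is exactly the gap RAID 6 closes with its second, independent parity block.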
44. In short, what is needed is an offsite media back-up site, with a workable, tested plan and resource availability
45. Simulating a crash in a cost-effective way: the preparedness test
46. Methods of recovery:
   a. Shadow file processing (e.g. airlines)
   b. Electronic vaulting and hot site (e.g. banks)
47. First the Recovery Manager takes an asset inventory
48. The threat of a sudden halt in banking updates is addressed by database commitment and rollback.
49. ISACA recognizes three tests: the paper test, the preparedness test and the full operational test.
50. Critical system
   a. Necessity: absolute must that the function be performed
   b. Alternate manual process: not possible
   c. Tolerance to interruptions: low
   d. Cost of interruptions: high
51. Vital system
   a. Necessity: required, but a brief interruption is acceptable
   b. Alternate manual process: possible for a short period
   c. Tolerance to interruptions: medium (5 days or less)
   d. Cost of interruptions: high/medium
52. Sensitive system
   a. Necessity: important, but the business can live with a manual process
   b. Alternate manual process: possible for an extended period (with more staff)
   c. Tolerance to interruptions: medium/high
   d. Cost of interruptions: medium/low
53. Non-critical system
   a. Necessity: less important; no catch-up required when restored
   b. Alternate manual process: not necessary
   c. Tolerance to interruptions: high; an extended period is acceptable
   d. Cost of interruptions: low or no cost
54. Remote journaling = parallel processing of transactions at an alternate site through high-speed links (as opposed to a batch dump such as electronic vaulting)
55. Database shadowing = remote journaling applied at multiple sites to maintain duplicate databases
56. Paper test: walk-through of the entire plan or a section of it
57. Preparedness test: a localized full test of one part of the plan; performed before the full operational test.
58. Full operational test: complete shut-down of operations

Domain 6: Application Development


1. The SDLC is also referred to as the waterfall technique
2. The SDLC is the oldest technique
3. Payback of the project is assessed in the feasibility study
4. The security plan is drawn up during the design phase of the SDLC
5. The change control process is established during the design phase
6. Certification and accreditation of the system take place in the implementation phase
7. The phases of the SDLC vary with the situation, e.g. whether a developed or an acquired solution is chosen
   a. ROI is in the feasibility study
8. The IS auditor makes sure that adequate requirements are defined
9. Software acquisition is not a phase in the SDLC
10. Users are not normally involved in the design phase
11. Test plans are developed in the design phase
12. Test plans cover the following:
   a. Unit (program)
   b. Subsystem (module)
   c. Integration (system)
13. Design is the last point at which the software baseline can be set
14. A typical project has about 25% of increased cost.
15. IS auditor involvement in business system development:
   a. Proper controls
   b. Test plans
   c. Effectiveness of design
16. Program coding standards are a must for any organization
17. IDE (Integrated Development Environment) = online programming facility
18. Programs can be compiled and edited online with an IDE, which saves time.
19. Debugging tools:
   a. Logic path monitor: reports the sequence followed by the program and helps to trace errors
   b. Output analyzer: compares the actual result with the expected result
   c. Memory dump: gives a picture of internal memory
20. Two testing approaches:
   a. Bottom-up: begins with the smallest possible unit, called an "atomic unit"
      i. No need for stubs (test drivers exercise the lower-level modules)
      ii. Critical errors in the modules are identified early
   b. Top-down:
      i. Focuses on either of the following:
         1. Major functions are verified first
         2. Major interface errors are found early
      ii. The top-down approach can take either of the following paths:
         1. Breadth-first
         2. Depth-first
21. Rule of thumb: if the problem is expected in the individual modules, use the bottom-up approach; if it is expected in the overall functionality or the interfaces, use the top-down approach.
22. There is no need for stubs in the bottom-up approach; they are only required for top-down
23. Large systems are usually tested bottom-up
24. Remember: it is in the implementation phase that the final UAT and the certification and accreditation take place.
25. UAT should be performed in a secured test (staging) environment.
26. Certification and accreditation are pursued once UAT is complete.
27. 1967: the first object-oriented language, Simula 67
28. 1970s: Smalltalk
29. 1990s: Java
30. OOSD treats data and procedures together; in the traditional method data is data and procedures are the programs, and they are treated separately.
31. OOSD claims to mirror real life: in real life people look at objects as data and functionality combined.
32. Keywords regarding OOSD: object, attribute, method, class, template
33. Classes form the basis for most of the design work on objects
34. Classes form a hierarchy of super-classes and sub-classes
35. Sub-classes inherit attributes and methods from their super-class.
36. Classes can aggregate or share data
37. OOSD can be used in Web applications, e-business, CASE, AI and CAM
38. OOSD equations
   a. Object = Data + Procedures
   b. Attribute = the object's data
   c. Method = the object's functionality
   d. Class = template used to create objects
   e. Template = the collection of characteristics (data and methods) of a class
   f. Object = Template + Data
   g. Message = request for service / interaction between objects
   h. Polymorphism = the same message, but a different interpretation or execution (depends on the class of the receiving object and its inheritance)
39. COM/DCOM are standards, not products
40. CORBA and COM use RPC
42. XML
   a. XML = Extensible Markup Language
   b. Two XML-based web-service standards: SOAP and WSDL (UDDI handles discovery)
   c. SOAP stands for Simple Object Access Protocol
      i. SOAP = XML + API
      ii. SOAP can be compared to RPC
   d. WSDL stands for Web Services Description Language
      i. Used to describe the SOAP interface to be used by the API
      ii. Defines the format of SOAP messages
   e. UDDI stands for Universal Description, Discovery and Integration
      i. Used as the Web "yellow pages"
      ii. An entry is made in the UDDI directory
41. Prototyping
   a. Prototyping is also known as heuristic/evolutionary development.
   b. Prototyping is a controlled trial-and-error method for developing programs
   c. Prototyping is a kind of risk-reduction mechanism
   d. Prototyping = classic SDLC + iterative framework
   e. Built with fourth-generation (4GL) tools
   f. In most cases the user is provided with input and report screens
   g. Two approaches to prototyping:
      i. Develop the model first, then the system
         1. User expectations are high; they think the system is already there
         2. What must still be added:
            a. Checks and controls
            b. Transaction volume
            c. Connectivity routines
            d. Adaptability
      ii. Build the actual system:
         1. Using a 4GL
         2. "Quick and dirty" approach
   h. Problem with prototyping: many goodies and extras, but not efficient
   i. Potential risks of a prototyped system: poor controls; poor change control; changes are so quick and easy that they are hardly documented.
   j. Good for the user: developers focus on what the user wants and what the user sees
   k. Cost-efficient.
43. RAD (Rapid Application Development)
   l. Techniques used in RAD:
      i. Evolutionary prototyping
      ii. Central repository
      iii. Interactive requirements and design workshops
      iv. Powerful tools for
         1. Modelling
         2. Prototyping
         3. Component reusability
   m. What RAD supports:
      i. Analysis
      ii. Design
      iii. Development
      iv. Implementation
   n. What RAD does not support:
      i. Analysis and planning for the organization as a whole
   o. RAD reduces cost and increases quality
   p. The main emphasis is on re-using existing components
   q. Four major stages of RAD:
      i. Definition: business functions and the relevant data
      ii. Functional design: workshops to model processes and data; prototype of the critical components
      iii. Development: everything in the traditional model; building databases, application programs, conversion
      iv. Deployment: UAT, training and data conversion
42. Agile Development
   a. A method for quickly deploying complex systems in a way flexible enough to handle change.
   b. Short time frames (iterations)
   c. The project is re-planned after each iteration
   d. Small, qualified team from the business and technical sides
   e. Strict time limit for meetings
   f. Pair programming: two people, one program; QA and knowledge sharing
   g. Only the next phase is planned in detail
   h. No fixed baseline to hold to; the plan adapts.
   i. No rigid repeatable process; rather, adjustment after frequent reviews and inspections.
43. Reverse Engineering
   a. Decomposing executable code or objects
   b. More of a black-box process
   c. Faster development and an improved product with a reduced SDLC
   d. Sometimes considered unethical
   e. Risk of litigation if the software licence prohibits reverse engineering.
44. Change Control
   a. Each change request should carry all relevant information
   b. Programmers should not have any access to the production machine, not even read-only access.
   c. Approval of change requests comes from user management
   d. Items that fall under change management:
      i. Access to the program library
      ii. Supervisory review
      iii. Change request approval
   e. Emergency IDs are an area of concern.
   f. Who should move the system from test to production? Operations, QA or some other control group, never the programmer.
   g. Special care should be taken with emergency passwords
45. Configuration Management
   a. Maintenance requests are monitored by the change control group
   b. Controls are reviews, checkpoints, and sign-off practices and procedures
46. How is production separated from test? With library control software
47. Programs move from test to production mode on the basis of authorization
48. Each production (object) program should have exactly one corresponding source program
49. Once the program has been modified and approved, it is moved to the production source code library
50. A manual review of the source code is not effective
51. Project management practices:
   a. Earlier projects were estimated on the basis of SLOC (Source Lines of Code)
   b. Later it was Function Point Analysis (FPA):
      i. Depends upon the number and complexity of
         1. Inputs
         2. Outputs
         3. Files
         4. Inquiries
         5. Interfaces (external files)
      ii. Productivity = FP / person-month
      iii. Quality = defects / FP, and cost per FP
52. Tasks can be computed in people-hours or machine-hours
53. Budgeting = estimate of human effort + estimate of machine effort
54. Scheduling = sequential relationships among the tasks
55. Software cost estimation constraints:
   a. Language to be used
   b. Main storage
   c. Data storage
   d. Execution time
   e. Computer access
   f. Security environment
   g. Target machine
   h. Staff practices
56. Critical Path Method (CPM):
   a. The critical path is the path whose sum of activity times is the longest
   b. On the critical path, slack time = 0
   c. Activities with zero slack time are on the critical path
57. Gantt chart
   a. Shows when each activity or task begins and when it should end
   b. Shows which activities run concurrently
58. PERT (Program Evaluation Review Technique)
   a. Used in the construction industry and the military
   b. Can be used for planning and control of the project
   c. Assumes the project is a collection of tasks/activities:
      i. Activities can be started and stopped independently of each other
      ii. Activities may have precedence constraints or relationships
   d. Components of PERT charts:
      i. Events are represented by circles. All activities before the event are assumed to be completed.
         1. End point of an activity (a milestone in Gantt terms)
         2. Take no time
         3. Consume no resources
      ii. Activities are represented by lines and arrows.
         1. Process = activity
         2. An activity requires time and resources
         3. Each activity begins and ends with an event
   e. The first thing to do is to identify the activities and the sequence of each
   f. Be careful not to overlook any activity
   g. There is inherent uncertainty in PERT
   h. To estimate the duration of a task, three estimates are used:
      i. Optimistic
      ii. Pessimistic
      iii. Most likely
   i. Once the critical path has been identified, the project duration can be calculated
   j. Expected duration of an activity = (Optimistic + 4 x Most Likely + Pessimistic) / 6; the critical path is the longest chain of these expected durations
   k. To complete the project early, shorten the critical path, i.e. accelerate the activities on it. Conversely, if any activity on the critical path is delayed, the project is delayed.
59. Time-box Management
   a. Used for defining and deploying software deliverables
   b. An absolute time is allocated to each deliverable
   c. Provides a balance between software quality and the time box
   d. Flexibility in scoping the requirements
   e. No flexibility in quality
   f. Good for prototyping and RAD
   g. Not recommended for the classic SDLC
60. CASE: automated tools for software development
   a. Provides a uniform approach to development
   b. Produces Data Flow Diagrams (DFDs) as well as data elements
   c. Even CASE requires an application design
   d. CASE maintains a repository of the items
   e. Three types of CASE:
      i. Upper CASE: used for defining business and application requirements
         1. Data objects: definition and relationships
         2. Processes: definition and relationships
      ii. Middle CASE: used for detailed design
         1. Screen layout
         2. Report layout
         3. Process flow
         4. Object organization
         5. Editing criteria
      iii. Lower CASE: used to aid or replace programming
         1. Generates program code
         2. Generates database definitions
         3. Uses the following:
            a. Design information
            b. Database rules for the system
            c. Programming rules, etc.
61. ISO 9126
   a. Standard for software quality
   b. Looks at the following characteristics:
      i. Functionality
      ii. Reliability
      iii. Usability
      iv. Efficiency
      v. Maintainability
      vi. Portability
62. CMM
   a. Developed by Carnegie Mellon's Software Engineering Institute
   b. A maturity model is a framework
   c. Improves and enhances the software life cycle
   d. Reduces delays
   e. Minimizes cost overruns
   f. Five (5) levels
   g. Level 1, Initial: the process is not structured.
      i. Everything is ad hoc.
      ii. However, the people involved are competent.
      iii. Poor system, excellent people
   h. Level 2, Repeatable: at this level the project processes are more mature.
      i. Disciplined management of the process
      ii. Planning and tracking of functionality, cost and schedule
      iii. A learning environment is present
      iv. The process can be repeated in other projects of similar nature and size
   i. Level 3, Defined: a kind of re-engineering of the process is done
      i. A standard process across the organization for
         1. Software management
         2. Software engineering
         3. Software integration
         4. Documentation
      ii. Almost everything is institutionalized
   j. Level 4, Managed: the processes are being managed properly
      i. Everything is already well defined and institutionalized
      ii. This is the stage of quantitative, managed control
      iii. A greater degree of precision
      iv. Better control
      v. The organization works toward the goal of zero defects
   k. Level 5, Optimized: ongoing improvement of the processes.
      i. Everything is already controlled quantitatively
      ii. Continued process improvement
63. CMMI (Capability Maturity Model Integration)
   a. CMMI integrates the CMMs for
      i. Software
      ii. Systems engineering
      iii. Integrated product development
   b. All CMMs combined in one
   c. Describes five maturity levels that differ from the original CMM
   d. Not tied to the waterfall approach to any great extent; supports
      i. Iterative development
      ii. Early architecture definition
      iii. Model-based design
      iv. Component-based development
      v. Assessment of intermediate products

MISC

64. If there is a backlog of applications, move to prototyping. The only things left untouched are the user requirements and the system analysis.
65. Stress testing is done in a test environment using live data
66. Prototype = screens + reports + interactive edits
67. Object-oriented security -> encapsulation
68. Dynamic analysis tools perform black-box testing of the running program
69. The owner of the project is user management
70. If the IS auditor is part of the SDLC, s/he should make sure that proper documentation of the system is done
71. The initial phase of the SDLC is to define the deliverables
72. RAD is a management technique
73. Incorrectly set parameters are a major risk with application software
74. If the auditor fast-tracks some of the processes, it is OK to inform the Steering Committee or the Project Owner
75. Correct sequence of testing: unit, module (integration) and regression testing
76. To size a project or task, use function point analysis
77. System testing is not OS testing
78. System testing is an interface test
79. Comparing the date and time stamps verifies that the production object code was compiled from the production source code
80. The Project Steering Committee is responsible for the cost and timetable of the project
81. The most challenging aspect of a project is estimating how much time each task will take. Different approaches have been taken, such as SLOC, function point analysis and others
82. Post-implementation review: the IS auditor checks the controls
83. The greatest risk if the requirements are not managed -> scope creep
84. Peer review = structured walk-through
85. The functional specification comes before design
86. The IS auditor should raise issues during the functional design
87. Acceptance testing is conducted by the user before signing off
88. The best technique for estimating the size of a project is function point analysis.
89. The best technique for estimating the duration of a project is PERT.
90. Coding standards make maintenance easy
91. User acceptance plans are prepared during the requirements phase
92. If ever-changing user needs are the concern, go for RAD!
93. If there are no formal standards, the IS auditor documents the undocumented (de facto) standards and then tests against them
94. Prototyping is a top-down approach
95. Applets improve the performance of browsers and servers
96. The requirements phase takes place even before the feasibility phase!
97. You must ask for user approval before changing an application!
98. The log is checked for authorization
99. Ideally you need more cohesive and loosely coupled modules
100. Cohesive -> single-function program
101. Coupling -> interconnectivity between software modules
102. Unit testing = white box testing
103. Functional requirement testing = black box testing
104. An important component of a data warehouse is metadata
105. The change control procedure is the main concern regarding outsourcing
106. Data-oriented development is for ad hoc reporting
107. Incremental testing is the testing of added functions only
108. Coding standards start with file naming conventions, which help with program maintenance.


Domain 7: Business Process Evaluation and Risk Management


1. BPR stands for Business Process Re-engineering
   a. Initiated because of
      i. Economic pressure
      ii. Competitive enforcement
      iii. Customer demands
   b. Most of the time it is automated, with minimal manual controls and interventions
   c. Goals achieved through BPR:
      i. Cost saving
      ii. Operations streamlined
   d. Six steps of BPR
      i. Definition of areas to be reviewed
      ii. Project plan
      iii. Understanding and review of the process
      iv. Redesign and streamline the process
      v. Implement and monitor the new process
      vi. Continuous improvement
   e. Three keywords for BPR: Process, Process, Process
   f. First step is to identify the process
   g. Then
      i. The process customer
      ii. The process-based Manager/Owner
   h. Baseline process should be documented
   i. The key concern in BPR is that major controls can be dropped during the re-engineering process
   j. Role of benchmarking in BPR
      i. Improve the business process
      ii. Continuous improvement of
         1. Products
         2. Services
         3. Process
      iii. Steps for benchmarking:
         1. Plan:
            a. Identify critical processes to be benchmarked
            b. Identify the measurement criteria
            c. Identify what data is to be collected
            d. Identify how data will be collected
         2. Research
            a. Collection of baseline data about own processes
            b. Collect the same relevant data for other firms from Quality Award winners, magazines and newspapers
         3. Observe
            a. Collect the data of the other party
               i. Visit
               ii. Observation
            b. Sharing the documented resources
         4. Analyze
            a. Summarize and interpret the collected data
            b. Analyze the gaps between your company and others
            c. Change the findings into operational goals
         5. Adapt
            a. Translate the findings into some core rules and principles
            b. Change high-level objectives and strategies into action plans
         6. Improve
            a. Continuous process
            b. Process is linked to the company's improvement strategy
2. Risk Management
   a. RM refers to the process of making decisions
   b. Basic policy decisions in RM are
      i. Impact of the negative effect/successful attack
      ii. Level of acceptable risk
      iii. Challenge of risk management is balancing impact with countermeasures
   c. RM starts with Risk Analysis
   d. Risk Analysis is done to identify Threat, Vulnerability and Threat Impact
   e. RM = RA + Decisions concerning the acceptable risk level + Risk treatment
   f. Total Risk = Threat x Vulnerability x Asset Value
   g. Four (4) actions related to risk:
      i. Transferred
      ii. Rejected, ignored (dangerous)
      iii. Reduced using countermeasures
      iv. Accepted (if the cost of control exceeds the benefits)
   h. For the Risk Management program, two things are needed:
      i. Purpose of the Risk Management Program
         1. "Purpose" sets the tone for the Risk Management
            a. Reduces the risk from hackers
            b. Reduces the cost of insurance
      ii. Assignment of responsibility for Risk Management
         1. People are assigned responsibility to
            a. Manage
            b. Implement the Risk Management Program
         2. Team draws up a Risk Management Plan
   i. Risk Management Process
      i. Identification of assets
         1. Examples of assets:
            a. Information
            b. Services
            c. Hardware/Software
            d. Personnel
         2. Identification of threats:
            a. Errors
            b. Fraud
            c. Theft
            d. Software failure
            e. Equipment failure
            f. Malicious attacks
         3. Identifying vulnerability: Poorly designed systems/processes may have a lot of vulnerabilities. Some examples are as follows:
            a. Poor passwords
            b. Un-patched systems
            c. Poorly trained staff
            d. New, beta technology
            e. Communication over an un-trusted line
            f. Lack of security functionality
         4. Calculate the impact in situations where the threat has made use of a vulnerability. Impact may be on the following:
            a. Loss of money
            b. Loss of goodwill/reputation
            c. Legal breach
            d. Loss of business
            e. Business interruption
            f. Exposure of customer
         5. Countermeasures: once the risk has been identified, it can be controlled
            a. Controls for risk are known as countermeasures/safeguards
            b. A control can be one of the following:
               i. Device
               ii. Action
               iii. Procedure
               iv. Technique
            c. Control can take one of the following forms:
               i. Detective
               ii. Preventative
               iii. Automated
               iv. Manual
               v. Formal
               vi. Ad-hoc
         6. Residual Risk: Even if the controls are applied, the risk will not be zero. The remaining risk is known as residual risk
            a. Further controls might be required in this area
            b. Process should go on until an acceptable level of risk is reached
         7. Acceptable Risk: Management should define the level of acceptable risk.
            a. If the ratio of Residual Risk to Acceptable Risk is
               i. More, then further controls should be applied to reduce the risk
               ii. Less, then some controls should be removed, as excessive controls are being applied
            b. Factors affecting the acceptable risk level are as follows:
               i. Corporate policy
               ii. Risk identification and measurement methods
               iii. Methodology of Risk Assessment
               iv. Cost of the controls
               v. Effectiveness of controls
               vi. Nature of business
3. IT Governance
   a. IT Governance = Information Systems + Communication Technology + Business + Directors + Stakeholders + Process Owner + Senior Manager
   b. Main objective of Governance: IT alignment with the enterprise's strategies and objectives
   c. Controls in organizations are guaranteed by following best practices
   d. Good IT governance will ensure:
      i. IT is supporting the business objectives
      ii. Resources of the organization are being used responsibly
      iii. Due care is taken to manage the risk appropriately
   e. IT is no longer just an enabler of the company strategy; it is part of it.
   f. Proper coordination is required between senior management and the IT management/IT specialists
   g. Balanced IT Scorecard
      i. Can be applied to IT Governance
      ii. Scorecard focuses on:
         1. User Satisfaction (Customer)
         2. Operational/Internal Processes
         3. Innovation for improvement
      iii. Typical four perspectives of the scorecard:
         1. To become/remain the preferred supplier of IT services and applications
         2. To be efficient and effective in information systems
         3. To give proper business contributions to IT investment
         4. Get ready for future business and technological challenges.
4. Application controls
   a. Pre-printed forms provide
      i. Consistency
      ii. Accuracy
      iii. Liability
   b. Batch control groups
      i. Batch controls can be
         1. Total monetary amount: total of the items processed = total value of the batch
         2. Items
         3. Document
         4. Hash
   c. Batch Header is a preparatory control
   d. Batch balancing can be manual or automated
   e. Batch totaling should be followed by a follow-up procedure
   f. There are three types of batch balancing:
      i. Batch Register: Used for manual recording
      ii. Computer Agreement: For batch totals, uses header slips
      iii. Control Accounts: Initial (edit) file vs. master file
   g. There are four (4) ways of handling input errors:
      i. Reject the faulty transaction
      ii. Reject the whole batch if there is even a single faulty transaction
      iii. Accept the batch, but put it in suspense
      iv. Accept and process the batch, but flag the faulty transactions
   h. There are seven ways to control inputs:
      i. Log all transactions: Log is reconciled to source documents
      ii. Log + Reconciliation Routine: Data is only processed when reconciled
      iii. Error Correction Routines and Procedures: Most of it is automated
      iv. Transmission log: Logs all transactions
      v. Anticipation: Proactive measures
      vi. Documentation: Written procedures to handle different situations
      vii. Marking Source Document: Marking the source document when it is processed
   i. Total of 12 Data Validation Edits and Controls:
      i. Sequence/Serial Number Check: Out-of-sequence or duplicate numbers are rejected
      ii. Limit Checks: Predetermined limits are checked
      iii. Range Checks: Values should be between two limits
      iv. Validity Check: Sex Code can only be M or F
      v. Reasonableness check: Salary can't be 1 million dollars
      vi. Existence Check: Check-printing program should check that the invoices against which the check is prepared exist
      vii. Table Check/Lookup: Zip code is checked against a table for validity
      viii. Key Check/Verification: Same data is entered by another employee and the keystrokes are compared to verify whether the data entered was correct
      ix. Completeness Check: Check for a null value in a primary field, or check for the minimum characters required for a password
      x. Duplicate Checks: No duplicates in fields like check numbers and invoice numbers
      xi. Logical Checks: Date of marriage should be at least 18 years after date of birth
      xii. Check Digits: The following should be noted in relation to check digits:
         a. Numeric value
         b. Valid for transposition and transcription errors
         c. Normally, in a bank account number, the last digit is the check digit
   j. Total of six Processing Controls:
      i. Recalculations (manual): Recalculations are done of sample transactions only
      ii. Editing: Routine or plug to ensure the data is valid
      iii. Run-to-Run Totals: Keyword to remember is stages of application. Controls are applied to all stages of the application. In the case where the control is applied, it tells us two things:
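Added example, not from the study guide: a small batch validator that applies the sequence, completeness, check digit, duplicate, validity, reasonableness, range, table lookup and logical edits listed above to constructed payroll records. The check digit uses the Luhn (mod 10) algorithm as an assumed scheme; the guide only says the digit is numeric, sits last, and catches transcription and transposition errors.

```python
"""Input validation edits over a constructed payroll batch (added example).
The Luhn mod-10 check digit is an ASSUMPTION; the guide names no scheme."""
from datetime import date

VALID_SEX_CODES = {"M", "F"}                     # validity check
SALARY_RANGE = (10_000, 500_000)                 # range check: between two limits
SALARY_LIMIT = 1_000_000                         # reasonableness check
KNOWN_ZIP_CODES = {"94105", "10001", "60601"}    # table lookup (constructed table)


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a numeric string (assumed scheme).  Doubling every
    second digit from the right is what makes an adjacent transposition or a
    single wrong digit change the result."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:            # digits that will sit next to the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """The check digit is the last character of the account number."""
    return len(number) > 1 and number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def at_least_18_years_later(birth: date, later: date) -> bool:
    """Logical check helper; handles a 29 February birth date."""
    try:
        threshold = birth.replace(year=birth.year + 18)
    except ValueError:
        threshold = birth.replace(year=birth.year + 18, day=28)
    return later >= threshold


def validate_record(rec: dict, expected_seq: int, seen_accounts: set) -> list:
    """Return the names of the edits the record fails (empty list = clean)."""
    errors = []
    if rec["seq"] != expected_seq:                          # sequence check
        errors.append("sequence")
    if not rec.get("employee_id"):                          # completeness check
        errors.append("completeness")
    if not luhn_valid(rec["account"]):                      # check digit
        errors.append("check_digit")
    if rec["account"] in seen_accounts:                     # duplicate check
        errors.append("duplicate")
    if rec["sex"] not in VALID_SEX_CODES:                   # validity check
        errors.append("validity")
    if rec["salary"] >= SALARY_LIMIT:                       # reasonableness check
        errors.append("reasonableness")
    elif not SALARY_RANGE[0] <= rec["salary"] <= SALARY_RANGE[1]:   # range check
        errors.append("range")
    if rec["zip"] not in KNOWN_ZIP_CODES:                   # table lookup
        errors.append("table_lookup")
    if not at_least_18_years_later(rec["birth"], rec["marriage"]):  # logical check
        errors.append("logical")
    return errors


def validate_batch(records: list) -> list:
    """Apply validate_record to a batch in order; one error list per record."""
    results, seen, expected = [], set(), 1
    for rec in records:
        results.append(validate_record(rec, expected, seen))
        seen.add(rec["account"])
        expected = rec["seq"] + 1   # resynchronise on the number actually seen
    return results


# Constructed sample batch: record 1 is clean, record 2 fails almost every
# edit (its account number is 123456782 with the first two digits swapped),
# record 3 duplicates record 1's account and has a salary below the range.
SAMPLE_RECORDS = [
    {"seq": 1, "employee_id": "E100", "account": "123456782", "sex": "M",
     "salary": 85_000, "zip": "94105",
     "birth": date(1980, 5, 10), "marriage": date(2005, 6, 1)},
    {"seq": 3, "employee_id": "", "account": "213456782", "sex": "X",
     "salary": 1_500_000, "zip": "00000",
     "birth": date(2000, 1, 1), "marriage": date(2015, 1, 1)},
    {"seq": 4, "employee_id": "E101", "account": "123456782", "sex": "F",
     "salary": 5_000, "zip": "10001",
     "birth": date(1975, 3, 3), "marriage": date(2000, 3, 3)},
]

if __name__ == "__main__":
    for rec, errs in zip(SAMPLE_RECORDS, validate_batch(SAMPLE_RECORDS)):
        print(rec["seq"], errs or "OK")
```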
         1. Data was accepted
         2. Data was applied
      iv. Automated controls/programmed controls: These are the programmed controls that not only detect but also initiate corrective actions.
      v. Reasonableness checks of calculated amounts: E.g. Salary can't be $1,000,000
      vi. Limit checks: To check pre-determined limits.
   k. Total of five (5) output controls:
      i. Logging of sensitive information
         1. Sensitive output should be logged and traced, until it can be properly filed or shredded.
         2. Log should be reconciled at regular intervals
      ii. Critical Forms Generation
         1. Critical forms, like checks and others, should be logged
         2. An inventory should be kept
         3. Using the example of check printing, all exceptions should be recorded and accounted for
      iii. Report Distribution
         1. Authorized, controlled distribution is a must
         2. Reports must be delivered as per the schedule
         3. Print spool should be protected from accidental deletion
         4. Reports distributed electronically should be controlled as well
      iv. Reconciling and Balancing
         1. A proper audit trail should provide a reconciliation of the data
         2. Output should be balanced to controls
      v. Retention Period
         1. Reports should be retained as per the legal requirements
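Added example, not from the study guide, serving both the batch control totals above (record count, monetary total, hash total) and the run-to-run totals just described: the header totals are carried through each processing stage and re-balanced after it, so the stage that dropped, duplicated or altered a record is identified. The payments, the stage functions and the injected defects are all constructed for illustration.

```python
"""Batch header totals carried as run-to-run totals (added example; the batch,
stages and defects are constructed)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Payment:
    account: int        # account number; summed only for the hash total
    amount_cents: int   # monetary amount


@dataclass(frozen=True)
class ControlTotals:
    record_count: int     # item count
    monetary_total: int   # total value of the batch
    hash_total: int       # sum of a field with no business meaning (account numbers)


def compute_totals(batch: List[Payment]) -> ControlTotals:
    """Derive the three batch totals from the records themselves."""
    return ControlTotals(
        record_count=len(batch),
        monetary_total=sum(p.amount_cents for p in batch),
        hash_total=sum(p.account for p in batch),
    )


def balances(header: ControlTotals, batch: List[Payment]) -> bool:
    """Batch balancing: recomputed totals must agree with the batch header."""
    return compute_totals(batch) == header


Stage = Tuple[str, Callable[[List[Payment]], List[Payment]]]


def run_to_run(header: ControlTotals, batch: List[Payment],
               stages: List[Stage]) -> List[Tuple[str, bool]]:
    """Carry the header totals through every stage and re-balance after each;
    the first stage reporting False is where the batch lost its integrity."""
    outcome = []
    current = batch
    for name, step in stages:
        current = step(current)
        outcome.append((name, balances(header, current)))
    return outcome


def first_failing_stage(outcome: List[Tuple[str, bool]]) -> Optional[str]:
    return next((name for name, ok in outcome if not ok), None)


# Stage behaviours (constructed).  A real edit/post/report pipeline does much
# more; these only model what the control totals can and cannot see.
def pass_through(batch):                 # stage that processes every record
    return list(batch)

def drop_last_record(batch):             # defect: a record is lost during posting
    return list(batch[:-1])

def duplicate_first_record(batch):       # defect: a record is posted twice
    return list(batch) + [batch[0]]

def mispost_account(batch):              # defect: amount kept, account number wrong
    first = batch[0]                     # count and monetary total still agree;
    return [Payment(first.account + 1, first.amount_cents)] + list(batch[1:])   # only the hash total sees it

def swap_amounts(batch):                 # compensating error: two amounts exchanged
    a, b = batch[0], batch[1]            # every total still agrees; only
    return [Payment(a.account, b.amount_cents),        # one-for-one checking finds this
            Payment(b.account, a.amount_cents)] + list(batch[2:])


# Constructed batch of three payments; the header is prepared from it.
SAMPLE_BATCH = [Payment(1001, 12_500), Payment(2002, 4_300), Payment(3003, 99_000)]
SAMPLE_HEADER = compute_totals(SAMPLE_BATCH)

if __name__ == "__main__":
    outcome = run_to_run(SAMPLE_HEADER, SAMPLE_BATCH,
                         [("edit", pass_through), ("post", drop_last_record),
                          ("report", pass_through)])
    print(outcome, "->", first_failing_stage(outcome))
    print("swapped amounts still balance:", balances(SAMPLE_HEADER, swap_amounts(SAMPLE_BATCH)))
```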
         2. After the retention period, they should be destroyed as per the policy of the company
      vi. Error Handling in Reports
         1. Error reports should be promptly delivered to the department concerned
         2. Error reports should be reviewed and the errors corrected
      vii. Receipt Report Verification
         1. Sensitive reports should be signed for on delivery
         2. Receipts should be kept on record
   l. Total of 11 data file controls
      i. Earlier and later image reporting
         1. Also known as before-and-after image reporting
         2. The word "image" is pretty misleading. Here it only means a snapshot of the data before and after any transaction
      ii. Error Reporting Follow-up and Handling
         1. All of the error reports should be followed up on properly
         2. Segregation of duties is a must, or else error reports might be ignored.
         3. Error corrections should be reviewed by a person other than the one who initiated the process
      iii. Media Labeling (Internal/External)
         1. External labeling is a must to ensure the proper media is used
         2. Internal labeling, like tape headers, reconfirms that the media used is correct
      iv. Source Documentation Preservation and Retention
         1. Preservation and retention are required for
            a. Verification
            b. Troubleshooting
            c. Restructuring of the data
         2. Source documentation should be maintained as per the policy of the organization
      v. One-for-One Checking
         1. Each and every source document must agree with the computer-processed document
         2. Follow-ups should be maintained
      vi. Security of Data File
         1. Ensures that unauthorized people don't have access
         2. Data file access must be as per the authorization level
      vii. Preprinted/Pre-recorded inputs
         1. Certain information, e.g. company name and branch name, can be preprinted
         2. Avoids input errors
      viii. Version control
         1. Proper versions of the files should be controlled
         2. Critical for correct file processing
      ix. Transaction Logging
         1. A transaction log is a must for an audit trail
         2. Posting and processing of transactions can be traced
         3. Helps in troubleshooting
      x. Proper authorization for updating and maintenance
         1. Proper authentication and authorization is a must
         2. Most systems rely just on operating system authentication
         3. Applications should have their own authorization and authentication mechanisms
         4. A must for file and data integrity and to make sure that authorized updating and maintenance is done
      xi. Check Digit/Parity Check
         1. Check Digit and Parity Check concepts are often confused
            a. Check Digit is a digit added to the end of an account number or critical field. Can be seen; can be manual
            b. Parity Check: Internal to the computer. Applied to the data stored or transmitted by the computer
         2. Most commonly, a parity check is divided into the following:
            a. Vertical Check/Column Check: Applied on a single character
            b. Horizontal/Row/Longitudinal Check: Applied on multiple characters, on all the equivalent bits.
   m. A minimum of six (6) pieces of documentation is required to review the system development. These are as follows:
      1. Feasibility Study document
      2. System Development Methodology document
         a. Overall methodology
         b. User Requirements
      3. Functional Design Detail and Specification document
         a. Explains the application in detail
         b. Key controls of the application
      4. Program Changes document
         a. Changes or modifications to programs
         b. Authorization of changes
      5. User Manual
         a. Helps to understand the system from the user's perspective
         b. Most weaknesses in the program can be ascertained from this document
      6. Technical Reference
         a. Vendor-supplied manual
         b. Necessary for in-depth understanding and troubleshooting
      7. Major risks for Applications:
         a. Frequency of audit
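Added example, not from the study guide, for the vertical and horizontal (longitudinal) parity checks described above: a constructed 7-bit ASCII block gets a vertical parity bit per character and a longitudinal parity trailer across all the equivalent bits, and the code shows which errors each check sees on its own and how the two together locate, and so correct, a single-bit error. Even parity is assumed.

```python
"""Vertical (per-character) and longitudinal (per-bit-column) parity over a
constructed block (added example; even parity assumed)."""
from typing import List, Optional, Tuple

DATA_MASK = 0x7F      # low 7 bits carry the character, bit 7 carries its VRC


def vertical_parity(char: int) -> int:
    """VRC: even parity of one character's 7 data bits (1 if the 1-count is odd)."""
    return bin(char & DATA_MASK).count("1") & 1


def longitudinal_parity(block: List[int]) -> int:
    """LRC: XOR of all characters; each bit is the even parity of that bit column."""
    lrc = 0
    for ch in block:
        lrc ^= ch & DATA_MASK
    return lrc


def frame(block: List[int]) -> List[int]:
    """Attach a VRC bit to every character and an LRC trailer (with its own VRC)."""
    framed = [(ch & DATA_MASK) | (vertical_parity(ch) << 7) for ch in block]
    lrc = longitudinal_parity(block)
    framed.append(lrc | (vertical_parity(lrc) << 7))
    return framed


def check(framed: List[int]) -> Tuple[List[int], int]:
    """Return (rows failing VRC, bitmask of columns failing LRC).
    The trailer is reported as row len(framed) - 1 if its own parity bit is wrong."""
    bad_rows = [i for i, ch in enumerate(framed) if vertical_parity(ch) != ch >> 7]
    data, trailer = framed[:-1], framed[-1]
    bad_cols = longitudinal_parity(data) ^ (trailer & DATA_MASK)
    return bad_rows, bad_cols


def locate_single_error(framed: List[int]) -> Optional[Tuple[int, int]]:
    """(row, bit) when exactly one row and one column fail, else None."""
    bad_rows, bad_cols = check(framed)
    one_column = bad_cols != 0 and bad_cols & (bad_cols - 1) == 0
    if len(bad_rows) == 1 and one_column:
        return bad_rows[0], bad_cols.bit_length() - 1
    return None


def correct_single_error(framed: List[int]) -> List[int]:
    """Flip the located bit; returns a copy unchanged when the error is not locatable."""
    hit = locate_single_error(framed)
    fixed = list(framed)
    if hit is not None:
        row, bit = hit
        fixed[row] ^= 1 << bit
    return fixed


def flip(framed: List[int], row: int, bit: int) -> List[int]:
    """Inject a bit error (constructed fault) into a framed block."""
    damaged = list(framed)
    damaged[row] ^= 1 << bit
    return damaged


SAMPLE_BLOCK = [0x43, 0x49, 0x53, 0x41]     # "CISA" in 7-bit ASCII (constructed)

if __name__ == "__main__":
    good = frame(SAMPLE_BLOCK)
    one_bit = flip(good, 1, 3)
    print("single bit:", check(one_bit), "located at", locate_single_error(one_bit))
    same_char = flip(flip(good, 0, 1), 0, 2)
    print("two bits, one char:", check(same_char))     # VRC blind, LRC sees two columns
    same_col = flip(flip(good, 2, 0), 3, 0)
    print("two bits, one column:", check(same_col))    # LRC blind, VRC sees two rows
```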
         b. Operation complexity
         c. Change management
         d. Staff turnover
         e. Impact of the environment
   n. Key processes during Separation of Duties compliance checks:
      a. Organization
      b. Authorization
      c. Verification
      d. Distribution
      e. Usage
      f. Destruction
   o. Four (4) types of data integrity testing:
      i. Domain Integrity
         1. Objective: Data validation and edit routines are working
         2. Test Level: Field level
         3. Ensure
            a. Data is as per the definitions
            b. Field has a legitimate value
      ii. Relational Integrity
         1. Objective is data validation through routines and programs
         2. Test Level: Record-based
         3. Ensure the data is correct via either of the following:
            a. Data validation program inside the application
            b. Cross-checking data legitimacy, as per the table definitions
      iii. Entity Integrity
         1. No null value in the primary key
         2. Value in the primary key must be unique
      iv. Referential Integrity
         1. Relationship between items (entities) in the database
         2. Consistent relationship between primary key and foreign key
         3. You cannot delete a primary key if there is a foreign key referencing it
   p. Four (4) Data Integrity Tests for OLTP (Online Transaction Processing) systems:
      i. ACID (Atomicity, Consistency, Isolation, Durability)
         1. Atomicity:
            a. Either the transaction is complete or not
            b. More like all-or-none; either it is there complete or not at all
         2. Consistency:
            a. Database is always consistent
            b. Moves from one consistent state to another
            c. Whatever state it is in, it is consistent
         3. Isolation
            a. Each and every transaction is isolated from the others
            b. There is no dependency between transactions
         4. Durability:
            a. If the transaction is communicated as being complete, then it is complete, no matter what disaster happens to the hardware or software.
   q. Three (3) ways to analyze a computer application program:
      i. Snapshot
         1. Good for verifying a program's logic
         2. Dependent upon the flow of transactions
         3. Good knowledge of the system is a pre-requisite
      ii. Mapping
         1. First: The program logic is identified and checked
         2. Second: Execute the program and check if it follows the logic
         3. Used to enhance efficiency and control by
            a. Identifying unused code
            b. Identifying potential exposure, if any
            c. However, this process is very costly
      iii. Tagging & Tracing
         1. First: Tags are placed within the program
         2. Second: Program is run and traced. Tracing means recording (a trail of) the instructions executed
         3. Gives the details of the logic that is being executed.
         4. Drawback is that this is a resource-hungry exercise
   r. Five ways to test computer application controls:
      i. Test Data / Test Check
         1. A dummy/simulated transaction is placed, which runs through the real program
         2. Used for a specific program
         3. Not many resources are required.
         4. Limitations
            a. Might not check all of the transactions
            b. Permanent files, master files or history files cannot be checked.
      ii. Base Case System Evaluation
         1. Uses datasets (developed as base case)
         2. Datasets come as part of the testing program
         3. Mostly used for periodic validations
         4. Difficult to maintain datasets
      iii. Parallel Operations
         1. First: Actual production data is scrambled
         2. Second: It is processed in the new and existing systems
         3. Problem is scrambling the data and the cost
      iv. Parallel Simulation
         1. First: Actual production data is scrambled
         2. Second: It is processed using a simulation program
         3. Different from Parallel Operations, as a simulation program is used
      v. Integrated Test Facility
         1. Create a dummy/fictitious file containing test data
         2. Transactions proceed with the live data
         3. Cost-effective
         4. Effort should be well-planned and management should accept the risk
   s. Three ways to select and monitor data processing
      i. Transaction selection
         1. Program filters transactions to another program
         2. Production system is untouched
         3. Difficult and costly to maintain
      ii. Hard-coded (embedded) audit data collection
         1. Audit software is hard-coded into computer applications
         2. There are two types
            a. SCARF: System Control Audit Review File
               i. Relatively comprehensive
               ii. Auditor selects what to test
            b. SARF: Sample Audit Review File
               i. Not as comprehensive as SCARF
               ii. Transactions are selected randomly
               iii. Sample is assumed to be truly representative of the population
         3. Costly to maintain.
      iii. Extended Records
         1. Original Record + Test Record
         2. Data is gathered and put into one file
         3. Storage-hungry
5. Continuous Online Auditing
   a. More online transactions, less paper to be audited
   b. This system does the monitoring on a continuous basis
   c. Selective data is collected for the audit file
   d. No disruption of the organization's work
   e. No paperwork
   f. Less costly
   g. Online alerts regarding violations and suspicious transactions
6. Online auditing techniques
   a. EAM/SCARF (Embedded Audit Module/System Control Audit Review File): As described earlier
   b. Audit Hooks:
      i. Like maintenance hooks
      ii. Auditors are alerted to suspicious transactions
   c. Integrated Test Facilities
      1. Creates a dummy/fictitious file containing test data
      2. Transactions proceed with the live data
      3. Result is compared with independent calculations
      4. Cost-effective
      5. Effort should be well-planned and management should accept the risk
   d. Snapshots
      i. A snapshot is taken from input to output
      ii. Inputs are tagged and monitored through the processing
   e. Continuous and Intermittent Simulation (CIS)
      i. A simulator is a program that continuously looks for transactions meeting certain criteria
      ii. If the criteria are met, the transaction is used for auditing
7. Audit Tools - Rules of thumb:
   a. The most complex audit tools are SCARF/EAM
   b. The least complex audit tools are audit hooks
   c. ITF is not beneficial for test data
   d. If regular processing cannot be interrupted, the best choice is to use SCARF/EAM
   e. If a comprehensive audit trail is required, the best choice is snapshot
   f. If auditing transactions based on criteria is required, the best choice is CIS
   g. If the auditor wants to select only suspicious transactions, s/he should go for audit hooks
8. Business Application Review
   a. Six models of e-commerce are
      i. B-to-C: Business to Customer
      ii. B-to-B: Business to Business
      iii. B-to-E: Business to Employee
      iv. B-to-G: Business to Government (Emerging)
      v. C-to-G: Consumer to Government (Emerging)
      vi. X-to-X: Exchange to Exchange (Multiple B-to-B)
9. Commercially available component models are
   a. Microsoft COM
   b. Sun Enterprise JavaBeans
10. The three-tier model has the following components:
   a. Browser
   b. Application Server, e.g. Microsoft Transaction Server
   c. Database Server
11. Main risks for e-commerce are CIA + NA:
   a. Confidentiality
   b. Integrity
   c. Availability
   d. Non-Repudiation
   e. Authentication
12. The challenge of connecting to legacy applications is mostly solved either by
   a. Middleware, e.g. MQSeries
   b. XML interfaces, e.g. SOAP
13. EDI (Electronic Data Interchange)
   a. Used for standard documents like
      i. Invoices
      ii. Purchase Orders
   b. EDI components
      i. System Software
         1. Transmission/communication handler
            a. Connection between organizations could be via one of the following:
               i. Dial-up
               ii. Public Switched Network
               iii. VAN
            b. VAN (Value Added Network)
               i. VAN receives and forwards all messages
               ii. Provides the following
                  1. Switching and storage
                  2. Electronic mailboxes
                  3. Sorting of messages
                  4. Delivery to recipients
         2. EDI Interface: Routes data between applications and the interface
            a. EDI Translator
               i. Translates between
                  1. EDI Format (X12)
                  2. Vendor Format (Proprietary)
            b. Application interface
               i. Performs data mapping
                  1. Extracts data from EDI
                  2. Sends to company applications
               ii. Sends and receives functional acknowledgments
         3. Storage of Messages/Transactions
      ii. Application Systems
         1. Process and send data to the partner
         2. New controls may be required in addition to what is offered by EDI
   c. Major risks in the EDI system are
      i. Web Interface to EDI
      ii. Transaction authorization
      iii. Manipulation of transactions before or after the application controls
      iv. Deletions or duplications of messages
   d. To control the risks of EDI, proper authentication, encryption, batch total checking, run-to-run totals, record counts and others should be applied
   e. Trading Partner Agreement should be established among EDI parties

MISC

BPR
1. FIRST step in BPR is identifying which areas need to be reviewed
2. BPR lets more people use the technology
3. BPR increases the complexity
4. Most important thing in BPR is the effect of the removed controls
5. Once BPR is finished, the Auditor checks the post-BPR process flow

Communication Checks
6. Parity bit is for communication at the bit level
7. Block sum is for communication at the block level
8. CRC is for communication at the frame level
9. Hash is used at the field level
10. Hash total is for accurate order transfer
11. Loss of data or duplication during transaction -> Hash total
12. All the above are added by the computer itself but, if you add something through your own program, it will be a redundancy check

Editing Checks
13. Check Digits are not a control for communication, but to check if the data is entered correctly or not.
14. Checking for a null value is known as a completeness test
15. Check that data is as per criteria -> validation check
16. Trace change -> Before and after image
17. Table lookup is for validation
18. Two people entering the same data is referred to as Key Verification

Input Controls
19. To track the input from the terminal you're using -> Transaction Journal
20. Data Edit is a Preventative Control
21. If incorrect data is entered, it should be neither accepted nor processed.
22. Data entered at the remote site should be edited and validated prior to transmission.
23. The first point of data controls is far before the inputting stage; it is when data is being prepared.
24. Self-verification by individuals is one of the biggest flaws
25. For after-office-hours changes, the transaction log should be reviewed
26. Once a credit card number is entered, check if the number is valid and check the database

Processing Controls
27. The objective of the processing controls is checking that the data is accurate and complete with the help of the authorized controls
28. If there is any problem in the calculation, further investigation is needed to confirm
29. Data is valid through stages -> Run-to-run checks
30. If data is deleted accidentally during the process, go for Run-to-Run
31. Unaltered total during posting -> Run-to-run
32. One-for-one is the best way, but not practical.
33. The best thing to check the processing is to enter a simulated transaction and check the result against manually calculated results.
34. Real-time online applications have transaction logs
35. To prevent lost transactions, an automated balancing system is needed
36. To review unauthorized changes, see the transaction log
37. Checks should be matched with invoices
38. For a price change, a second-level password is needed

Data File Control
39. Internal and external labeling

Output Controls
40. The best way to ensure payroll is correct is to compare the output report with the input forms.

EDI
41. Functional acknowledgements are related to EDI
42. The communication handler recovers and sends the document
43. If there is an unauthorized transaction in EDI, revise the authentication controls and techniques.
44. An audit trail for EDI is the functional acknowledgement
45. The greatest risk to EDI is the transaction processing
46. Inbound transactions are OK: the segment count is built into the transaction set trailer

Others
47. The first thing to do regarding response to an incident is to stop people from causing more harm
48. Strongest protection/confirmation that a specific transaction has occurred is non-repudiation: proof that the transaction has already taken place
49. Digital signatures are for non-repudiation
50. A data warehouse is subject-oriented
51. Scheduling project tasks -> GANTT Charts
52. Best way to effect change control is first to identify the change which has taken place and then look for approval.
53. A DSS would be a disaster if you don't know what you are looking for
54. Base Case System Evaluation uses test data as part of the comprehensive testing program
55. Parallel simulation uses production data but a different program
56. Audit trail -> Snapshot
57. Access control is in the technical documentation
58. Data warehouse source accuracy is more important than credibility.
59. The first step in Risk Management is an inventory of assets
60. Statistical Sampling refers to minimizing the detection risk, not the sampling risk.
