Information Management and CISA Auditing - Information Technology Auditing (2025)

Engineering

Pablito Hager 10/10/2024

Preview of the material in text form

<p>Information Management and Auditing CISA 2019</p><p>Prepared by: madunix CCNA, CCNP, CCIP, CISA, CISSP, CFR, CSC, CIoTSP, CISM, eJPT, SCSC, KCSP, KCTP and ICATE</p><p>CISA NOTES</p><p>Powered by madunix</p><p>V1.0</p><p>https://www.experts-exchange.com/members/madunix</p><p>https://www.linkedin.com/in/madunix</p><p>The best control is to have the production control group copy the source program to the production libraries and then compile the program there.</p><p>Decision support is enhanced by using a data warehouse and data marts.</p><p>The primary objective of value delivery is to optimize security investments in support of business objectives.</p><p>The MOST robust method for disposing of magnetic media is physical destruction.</p><p>Data warehousing involves data cleaning, data integration and data consolidation.</p><p>When drawing up a contract with a cloud service provider, the ideal practice is to remove the customer lock-in clause. 
It may be important for the client to secure portability of its system assets, i.e., the right to transfer from one vendor to another.</p><p>Power anomalies: fault = short-term loss of power; spike = short-term high voltage; sag = short-term low voltage; brownout = long-term low voltage; surge = long-term high voltage; blackout = long-term loss of power.</p><p>The GREATEST challenge in performing a quantitative risk analysis is obtaining accurate figures on the frequency of specific threats.</p><p>An IDS cannot detect attacks within encrypted traffic; it would be a concern if someone were misinformed and believed that it could.</p><p>A standard establishes mandatory rules, specifications and metrics used to measure compliance against quality, value, etc. Standards are usually intended for compliance purposes and to provide assurance to others who interact with a process or with its outputs.</p><p>The board of directors and executive officers are accountable for the functionality, reliability and security within IT governance.</p><p>The web application attack that facilitates unauthorized access to a database is SQL injection (SQLi).</p><p>Regression testing is undertaken PRIMARILY to ensure that applied changes have not introduced new errors.</p><p>The primary objective of capacity monitoring is to ensure compliance with the internal SLA between the business and IT; it also helps in projecting expected future capacity from usage patterns and in initiating procurement based on current usage and expected future capacity.</p><p>A cryptographic hash is a primary defense against alteration attacks.</p><p>Variable sampling would be the best sampling technique to review an organization's balance sheet for material transactions. 
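</p><p>Worked illustration of the SQLi note above, added here as an example and not part of madunix's notes: a login query built by string concatenation beside the same query with bound parameters, run against an in-memory SQLite table. The table, column and function names and the two sample users are constructed for the demonstration.</p>

```python
"""SQL injection: string-built query vs. parameterised query (added example).

Runs entirely in-memory with constructed sample rows; the schema and the
login functions are illustrative, not taken from any real application.
"""
import sqlite3


def build_db():
    """Constructed sample data: two users, one of them an administrator."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "clerk")],
    )
    return db


def login_vulnerable(db, username, password):
    """Input is spliced into the SQL text, so it can change the query's grammar."""
    sql = (
        "SELECT role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(db, username, password):
    """Bound parameters: the driver passes input as data, never as SQL tokens."""
    row = db.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    db = build_db()
    comment_payload = "alice' --"        # SQLite treats '--' as a comment to end of line
    tautology_payload = "' OR 1=1 --"    # matches every row, password check commented out
    return {
        "vulnerable_with_valid_creds": login_vulnerable(db, "alice", "s3cret"),
        "vulnerable_with_comment_payload": login_vulnerable(db, comment_payload, "wrong"),
        "vulnerable_with_tautology": login_vulnerable(db, tautology_payload, "wrong"),
        "hardened_with_comment_payload": login_hardened(db, comment_payload, "wrong"),
        "hardened_with_tautology": login_hardened(db, tautology_payload, "wrong"),
        "hardened_with_valid_creds": login_hardened(db, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

<p>With the payloads, the vulnerable function returns the administrator's role without a valid password, while the parameterised function looks for a literal user named "alice' --" and finds nothing. An auditor reviewing application code should expect the second pattern (or an ORM/stored procedure that produces it) wherever user input reaches the database.</p><p>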
It is also known as dollar estimation.</p><p>Integrity of data: information is changed only in a specified and authorized manner.</p><p>A control self-assessment (CSA) highlights noncompliance with the current policy.</p><p>Batch control reconciliation is a compensating control for mitigating the risk of inadequate segregation of duties.</p><p>RFID: any RFID signal you can read can be duplicated, which raises privacy issues.</p><p>Concurrency control manages simultaneous access to a database. It prevents two users from editing the same record at the same time and also serializes transactions for backup and recovery.</p><p>The first criterion must be to ensure that there is no ambiguity in the procedures and that, from a security perspective, they meet the applicable standards and therefore comply with policy.</p><p>The information security manager is responsible for developing a security strategy based on business objectives, with the help of business process owners.</p><p>Load balancing best ensures uninterrupted system availability by distributing traffic across multiple servers. 
Load balancing also helps ensure consistent response times for web applications.</p><p>The IS auditor's main responsibility during a test of the plan is to act as an observer of whether timely business processing can be resumed. The IS auditor's observations should be documented and analyzed, with appropriate recommendations brought forward to management.</p><p>The level of effectiveness of employees will be determined by their existing knowledge and capabilities, in other words, their proficiencies.</p><p>During a post-implementation review, reviewing the access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system.</p><p>Investment portfolio analysis supports the prioritization of new IT projects.</p><p>Information security is not only a technical issue but also a business and governance challenge that involves risk management, reporting and accountability. Effective security requires the active engagement of executive management.</p><p>A warm site is acceptable to the business when the downtime it implies is acceptable without breaching any legal requirements. 
Making a profit is not the reason for using a warm site.</p><p>The main function of QoS is to optimize network performance by assigning priority to business applications and end users, through the allocation of dedicated parts of the bandwidth to specific traffic.</p><p>One feature of referential integrity checking is that when a record is deleted, all other records that reference it are automatically deleted (a cascading delete).</p><p>RFID risks: business process risk, business intelligence risk, privacy risk and externality risk.</p><p>Reengineering: reusing design and program components.</p><p>Real-time application system: transaction log.</p><p>RACI chart: responsibility assignment matrix.</p><p>Information systems security policies are used as the framework for developing logical access controls.</p><p>One way to remove data remanence from magnetic media is with a degausser.</p><p>Proactive management means anticipating problems in advance, having solutions ready and providing automation plans for the help desk.</p><p>Audit program: a step-by-step set of audit procedures and instructions that should be performed to complete an audit.</p><p>Cloud bursting is an application deployment model in which an application runs in a private cloud or data center and bursts into a public cloud when the demand for computing capacity spikes.</p><p>The ordering of biometric devices from best response time and lowest EER downward is palm, hand, iris, retina, fingerprint and voice, respectively. 
(Mnemonic: PH-I-RF-V.)</p><p>Cloud bursting can be used for load balancing between clouds.</p><p>To detect lost transactions, automated systems balancing can be used.</p><p>Relative humidity (RH) is defined as the amount of moisture in the air at a given temperature in relation to the maximum amount of moisture the air could hold at the same temperature. In a data center or computer room, maintaining ambient relative humidity between 45% and 55% is recommended for optimal performance and reliability; this is a generally agreed-upon standard in the computer industry.</p><p>Digital signature (DS): the signature on the digest can be used to authenticate the sender. Digitally signing an email message does not prevent access to its content and therefore does not assure confidentiality.</p><p>A matrix organizational structure combines functional and product departmentalization, creates a dual reporting structure and is optimal where product groups are necessary.</p><p>Commitment and rollback controls support integrity.</p><p>A compliance test is done to check whether an organization is complying with its control procedures. It helps determine whether the applied controls are aligned with the organization's policies and procedures and are operating as they should. Compliance tests confirm that the controls exist and that the processes are effective. An example of a compliance test is checking whether changes to production programs are being properly authorized.</p><p>A substantive test checks the integrity and validity of processing, such as transactions in financial statements. An auditor can use this test to find monetary errors or other errors in the data. 
It can also be used to verify the accuracy of an inventory.</p><p>If a database is restored using before-image dumps, where should the process begin following an interruption? Before the last transaction.</p><p>All performance by a third party under a service-level agreement should be compared to the service levels that the provider and the user of the service agreed on, and reviewed by management.</p><p>Without an information classification scheme, users and custodians will not know how to handle information. It would be impossible to control leaks, prevent inappropriate destruction, sanction personnel or survive investigations. Both privileged and public information would become a confused mess, resulting in the wrong information being lost or breached via accidental disclosure.</p><p>Which of the following is the MOST efficient way to test the design effectiveness of a change control process? Perform an end-to-end walk-through of the process.</p><p>Table lookups are preventive controls: data are checked against predefined tables, which prevents any undefined data from being entered.</p><p>An integrated test facility (ITF) creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. 
Careful planning is necessary, and test data must be isolated from production data.</p><p>In a risk-based audit, the inherent risk assessment is completed first.</p><p>BPR is the thorough analysis and significant redesign of business processes and management systems to establish a better-performing structure that is more responsive to the customer base and market conditions, while yielding material cost savings.</p><p>A KPI is a measure that determines how well a process is performing in enabling the goal to be reached.</p><p>Business process improvement (BPI) techniques:</p><p>• Six Sigma</p><p>• IT balanced scorecard (BSC)</p><p>• Key performance indicators (KPIs)</p><p>• Benchmarking</p><p>• Business process reengineering (BPR)</p><p>• Root cause analysis</p><p>• Life cycle cost-benefit analysis</p><p>The transport layer implements congestion control using the TCP window flow-control mechanism and congestion avoidance.</p><p>Turnaround time: the time that the help desk or vendor takes to fix a problem from the moment it is logged.</p><p>Implementation of a BCP will be effective only if appropriate personnel are informed of and aware of all aspects of the BCP (it must be communicated to appropriate personnel).</p><p>A warm site has the basic infrastructure facilities implemented, such as power, air conditioning and networking, but normally lacks computing equipment. Therefore, the availability of hardware becomes a primary concern.</p><p>Formal inspections are a primary bug prevention method.</p><p>A logic bomb is hidden code that activates when certain conditions are met, for example after a certain period of time.</p><p>Programming languages, software compilers and software testing are error detection methods, because they discover problems.</p><p>Compensating controls may be used when segregation of duties is not practical for a small staff. 
Procedures must exist to verify that only approved program changes are implemented.</p><p>The GREATEST risk in EDI is a lack of transaction authorization.</p><p>During post-implementation review, a cost-benefit analysis or return on investment (ROI) calculation should be re-performed to verify that the original business case benefits have been delivered.</p><p>Financial controls and financial audits are based on following the COSO controls.</p><p>An SOA relies on the principles of a distributed environment in which services encapsulate business logic as a black box and can be deliberately combined to depict real-world business processes.</p><p>Generalized audit software (GAS) cannot be used to identify unauthorized access to data if that information is not stored in the audit log file.</p><p>SOAP is used in XML programming to define the application programming interface (API) being used; it was originally known as Simple Object Access Protocol.</p><p>Auditing is the accumulation and evaluation of evidence about information to determine and report on the degree of correspondence between the information and established criteria. Auditing should be done by a competent, independent person.</p><p>Extensible Business Reporting Language (XBRL) is a language for the electronic communication of business and financial data, developed by a non-profit consortium of companies and government agencies to enhance the usability of financial information. 
XBRL is used to encode financial statements using data tags so that the financial information can be read automatically by XBRL-enabled software and more easily sorted and compared.</p><p>Emergency changes should still undergo the formal change management process after the fact.</p><p>Protocol analyzers are network diagnostic tools that monitor and record network information from packets traveling on the link.</p><p>A digital signature is an electronic identification of a person, created by using a public key algorithm, that verifies to a recipient the identity of the source of a transaction and the integrity of its content. Since they are a "shared secret" between the user and the system itself, passwords are considered a weaker means of authentication.</p><p>Encrypting the transaction with the recipient's public key provides confidentiality for the information.</p><p>Using a PDF will prove the integrity of the content but not necessarily its authorship.</p><p>The risk level or exposure without taking into account the actions that management has taken or might take is inherent risk.</p><p>A risk-based audit approach focuses on understanding the nature of the business and being able to identify and categorize risk. Business risks impact the long-term viability of a specific business.</p><p>Information risk reflects the possibility that the information upon which the business risk decision was made was inaccurate. A likely cause of information risk is the possibility of inaccurate financial statements.</p><p>Assessing risk means considering both the monetary value and the likelihood of loss.</p><p>Risk analysis should take into account the potential financial impact and likelihood of a loss. 
It should not weigh all potential losses evenly, nor should it focus primarily on recent losses or losses experienced by similar firms. Although this is important supplementary information, it does not reflect the organization's real situation.</p><p>Once the business process is identified, the IS auditor should first identify the control objectives and activities that should be validated in the audit.</p><p>Standing data should be purged from equipment prior to disposal.</p><p>An SLA is a guarantee that the provider will deliver the services according to the contract.</p><p>Latency, which can be measured using a ping command, represents the delay that a message or packet experiences in traveling from source to destination. A decrease in amplitude as a signal propagates through a transmission medium is called attenuation. Throughput, which is the quantity of work per unit of time, is measured in bits or bytes per second. Delay distortion represents delay in transmission because the rate of propagation of a signal along a transmission line varies with frequency.</p><p>The audit charter should state management's objectives for the delegation of authority to IS audit.</p><p>The use of continuous auditing techniques can improve system security when used in time-sharing environments that process a large number of transactions.</p><p>To assess IT risk, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches.</p><p>Enabling audit trails helps in establishing the accountability and responsibility of processed transactions by tracing transactions through the system.</p><p>Mirroring of critical elements is a tool that facilitates immediate recoverability. Daily backup implies that it is reasonable for restoration to take place within a number of hours but not immediately. 
Offsite storage and periodic testing of systems do not, of themselves, support continuous availability.</p><p>When designing an audit plan, it is important to identify the areas of highest risk to determine the areas to be audited.</p><p>Preventive controls: designed to lower the amount and impact of unintentional errors entering the system and to prevent unauthorized intruders from accessing the system internally or externally; actions that reduce risk. Examples: data validation, pre-numbered forms and review for duplicates.</p><p>Detective controls: identify and react to security violations; track unauthorized transactions and lessen errors by detecting them quickly.</p><p>Corrective controls: react to an attack and take corrective action. Example: data recovery.</p><p>Recovery controls: restore the operating state to normal after an attack or system failure.</p><p>Segmenting a highly sensitive database results in reduced exposure.</p><p>The primary objective of the initiation meeting with an audit client is to help define the scope of the audit.</p><p>Control self-assessment (CSA) is predicated on the review of high-risk areas that either need immediate attention or a more thorough review at a later date. CSA is the review of business objectives and internal controls in a formal and documented collaborative process. The primary objective of a CSA program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional-area line manager. 
The success of a CSA program depends on the degree to which line managers assume responsibility for controls.</p><p>The attributes of CSA include empowered employees, continuous improvement, extensive employee participation and training.</p><p>The scope of an IS audit should not be constrained by the ease of obtaining the information or by the auditor's familiarity with the area being audited.</p><p>An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work.</p><p>Audit risk is the combination of detection, control and inherent risk for a given audit assignment.</p><p>Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls.</p><p>Inherent risk is the risk that an error exists in the absence of any compensating controls.</p><p>The primary objective of forensic software is to preserve electronic evidence so that it meets the rules of evidence.</p><p>Process owner involvement is a critical part of the business impact analysis (BIA), which is used to create the DRP.</p><p>Generalized audit software (GAS) features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations.</p><p>The goal of the exit (closing) meeting is to confirm the factual accuracy of the audit findings and to present an opportunity for management to agree on corrective action.</p><p>Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origin to its destination, highlighting the paths and storage of data. 
An independent test performed by an IS auditor should always be considered a more reliable source of evidence than a confirmation letter from a third party, since a letter does not conform to audit standards and is subjective.</p><p>In many instances, the reasons given for the failure of CASE technology include organizational issues, cultural factors and poor implementation efforts, not the tools, financial investment, training, lower return on investment, inadequate testing or lack of ongoing support.</p><p>Hash totals are an effective method for reliably detecting errors in data processing.</p><p>Firmware: memory chips with embedded program code that hold their content when power is turned off.</p><p>Foreign key: a value that represents a reference to a tuple (a row in a table) containing the matching candidate key value.</p><p>The only way to ensure the availability of all transactions in the event of a disaster is to perform real-time transmission to an offsite facility.</p><p>Frame relay: a packet-switched wide area network (WAN) technology that provides faster performance than older packet-switched WAN technologies.</p><p>An IDS warns you of suspicious activity taking place; it does not prevent it.</p><p>Advanced persistent threat (APT) refers to stealthy attacks that are not easily discovered without detailed analysis of behavior and traffic flows. 
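</p><p>The notes mention batch control reconciliation, automated systems balancing, hash totals and the cryptographic hash as an alteration defense in several places. The following added example (not from madunix's notes) puts them side by side over a constructed four-record transaction batch: the sender computes a record count, an amount total, a hash total over the account-number field and a SHA-256 over the canonical batch, and the receiver re-computes and reconciles them. The record layout and the amounts are invented for the demonstration.</p>

```python
"""Batch balancing controls over a constructed transaction batch (added example).

count / amount_total / hash_total are the classical batch controls; sha256 is the
cryptographic alteration check. Each scenario below shows which of them fires.
"""
import hashlib
from decimal import Decimal

# Constructed sample batch as released by the sender: (txn id, account number, amount)
SENT_BATCH = [
    ("T001", 10045, Decimal("125.00")),
    ("T002", 20871, Decimal("980.50")),
    ("T003", 10045, Decimal("-40.25")),
    ("T004", 33310, Decimal("312.00")),
]


def control_totals(batch):
    """Compute the batch header/trailer values.

    hash_total sums a non-financial field (account numbers); the sum is meaningless
    as a number and exists only so the receiver can reconcile it. sha256 covers the
    canonical serialisation of every field, so any change at all alters it."""
    canonical = "\n".join(f"{tid},{acct},{amt}" for tid, acct, amt in batch).encode()
    return {
        "count": len(batch),
        "amount_total": sum(amt for _, _, amt in batch),
        "hash_total": sum(acct for _, acct, _ in batch),
        "sha256": hashlib.sha256(canonical).hexdigest(),
    }


def reconcile(expected, received_batch):
    """Names of the controls that disagree; an empty list means the batch balances."""
    actual = control_totals(received_batch)
    return [name for name, value in expected.items() if actual[name] != value]


def demo():
    header = control_totals(SENT_BATCH)  # travels with the batch to the receiver
    results = {"intact": reconcile(header, SENT_BATCH)}

    # Lost transaction: every control fires, count being the simplest signal.
    results["dropped_record"] = reconcile(header, SENT_BATCH[:3])

    # Amounts of T002 and T004 swapped: count, amount and hash totals all still
    # balance; only the cryptographic hash exposes the alteration.
    t1, t2, t3, t4 = SENT_BATCH
    swapped = [t1, (t2[0], t2[1], t4[2]), t3, (t4[0], t4[1], t2[2])]
    results["amounts_swapped"] = reconcile(header, swapped)

    # Account number transposed on T004 (33310 -> 33301): amounts still balance,
    # the hash total over account numbers catches the misposting.
    misposted = [t1, t2, t3, ("T004", 33301, t4[2])]
    results["account_transposed"] = reconcile(header, misposted)
    return results


if __name__ == "__main__":
    for scenario, failed in demo().items():
        print(f"{scenario}: {'in balance' if not failed else 'out of balance on ' + ', '.join(failed)}")
```

<p>The point for an auditor is the ordering of the scenarios: count and amount totals detect lost or duplicated records, a hash total additionally detects a field that was changed without disturbing the financial total, and only the cryptographic hash detects an alteration that preserves every arithmetic total. Batch controls are a compensating control; they do not replace the authorization and segregation the notes discuss elsewhere.</p><p>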
Security information and event management (SIEM) solutions analyze network traffic over long periods of time to identify variances in behavior that may reveal APTs.</p><p>Stateful inspection is a function of some firewalls, but it is not part of a SIEM solution. A stateful inspection firewall keeps track of the destination IP address of each packet that leaves the organization's internal network. Whenever the response to a packet is received, its record is referenced to ensure that the incoming message is in response to a request that went out from the organization.</p><p>Zero-day attacks are not, by themselves, advanced persistent threats (APTs): they are unknown until they manifest for the first time and cannot be proactively detected by SIEM solutions.</p><p>A vulnerability assessment identifies areas that may potentially be exploited, but does not detect attempts at exploitation, so it is not a means of detecting APTs.</p><p>In developing a risk-based audit strategy, it is critical that the risks and vulnerabilities be understood. 
This will determine the areas to be audited and the extent of coverage.</p><p>Understanding the business process is the first step an IS auditor needs to perform.</p><p>Operational audit: a review of any part of an organization's operating procedures and methods for the purpose of evaluating efficiency and effectiveness.</p><p>A misstatement in the financial statements can be considered material if knowledge of the misstatement would affect a decision of a reasonable user of the statements.</p><p>IT governance is concerned with two issues: that IT delivers value to the business and that IT risks are managed. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise.</p><p>ISDN is basically a telephone-based network service that operates over a circuit switch or dedicated line.</p><p>An exception report is a processing control that should be generated when transactions appear to be incorrect.</p><p>An audit committee is a selected number of members of a company's board of directors whose responsibilities include helping auditors remain independent of management. 
Most audit committees are made up of three to five, or sometimes as many as seven, directors who are not part of company management.</p><p>IT governance is the management system used by directors; it is the responsibility of the board of directors and executive management. IT resources should be used responsibly, and IT-related risks should be managed appropriately. This high-value goal can be achieved by aligning the IT governance framework with best practices.</p><p>Unapproved policies may present a potential risk to the organization; the IS auditor must report the finding.</p><p>IT governance focus areas: strategic alignment, value delivery, risk management, resource management and performance measurement.</p><p>The board of directors and executive management can use the information security governance maturity model to establish rankings for security in their organizations. The ranks are nonexistent, initial, repeatable, defined, managed and optimized. When responsibilities for IT security in an organization are clearly assigned and enforced, and an IT security risk and impact analysis is consistently performed, it is said to be "managed and measurable".</p><p>Compensating controls are internal controls intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated.</p><p>Overlapping controls are two controls addressing the same control objective or exposure. 
Since primary controls cannot be achieved when duties cannot be, or are not, appropriately segregated, it is difficult to install overlapping controls.</p><p>Boundary controls establish the interface between the would-be user of a computer system and the computer system itself; they are individual-based, not role-based, controls.</p><p>In the influence project management style, the project manager has no real authority and the functional manager remains in charge.</p><p>Access controls for resources are based on individuals and not on roles.</p><p>Firewall policy: the applications required across the network should be identified first.</p><p>IT Baseline Protection catalogs: detecting and combating security weak points in the IT environment.</p><p>Substantive testing is used to substantiate the integrity of the actual processing. It is used to ensure that processes, not controls, are working as designed and give reliable results.</p><p>Compliance testing determines whether controls are working as designed; as policies and procedures are created and documented, compliance testing looks for compliance with these management directives.</p><p>Audit classification: financial, operational, integrated, administrative, information systems, specialized (e.g., SAS 70) and forensic auditing.</p><p>The IT balanced scorecard (BSC) is a process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes. The BSC provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures such as customer satisfaction.</p><p>Exception reporting is a processing control used to capture input errors before processing occurs. 
The exception may be held in suspense until the errors are corrected or the transaction is rejected.</p><p>Mitigation is the risk response strategy that provides for the definition and implementation of controls to address the risk described.</p><p>Avoidance is the strategy that provides for not implementing certain activities or processes that would incur risk.</p><p>Transference is the strategy that provides for sharing risk with partners or taking out insurance coverage.</p><p>Acceptance is the strategy that provides for formal acknowledgement of the existence of a risk and the monitoring of that risk.</p><p>Vulnerabilities represent characteristics of information resources that may be exploited by a threat. Threats are circumstances or events with the potential to cause harm to information resources. Probabilities represent the likelihood of the occurrence of a threat. Impacts represent the outcome or result of a threat exploiting a vulnerability.</p><p>Nonce: a value used in security protocols that is never repeated with the same key. For example, challenges used in challenge-response authentication protocols generally must not be repeated until the authentication keys are changed, or there is a possibility of a replay attack. Using a nonce as a challenge is a different requirement than a random challenge, because a nonce is not necessarily unpredictable.</p><p>Enterprise architecture (EA) involves documenting the organization's IT assets and processes in a structured manner to facilitate understanding, management and planning for IT investments. It involves both a current state and a representation of an optimized future state. 
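</p><p>The nonce definition above is illustrated by the following added example (not part of madunix's notes): a shared-key challenge-response exchange in which the server issues a challenge and the client answers with HMAC-SHA256(key, challenge), played three times with different challenge generators. A random nonce and a plain counter (predictable, but never repeated) both defeat an eavesdropper who replays a captured answer; a challenge value that repeats lets the replay through. The shared key, the Server class and the message format are constructed for the demonstration.</p>

```python
"""Challenge-response with a nonce, and the replay that a repeated nonce allows (added example).

Both sides hold SHARED_KEY. The server remembers which challenges are outstanding so
each is answerable once; the client proves key possession with an HMAC over the challenge.
"""
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-demo-key-not-for-real-use"  # constructed, illustrative only


class Server:
    def __init__(self, key, next_challenge):
        self._key = key
        self._next_challenge = next_challenge  # callable producing the next challenge
        self._pending = set()                  # challenges issued but not yet answered

    def challenge(self):
        n = self._next_challenge()
        self._pending.add(n)
        return n

    def check(self, challenge, response):
        if challenge not in self._pending:     # never issued, or already consumed
            return False
        self._pending.discard(challenge)       # one answer per challenge
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_answer(key, challenge):
    return hmac.new(key, challenge, hashlib.sha256).digest()


def random_nonces():
    """Unpredictable and, for 128 bits, never repeating in practice."""
    return lambda: secrets.token_bytes(16)


def counter_nonces():
    """Predictable yet never repeated with this key: still a valid nonce.
    (A real deployment must persist the counter across restarts.)"""
    state = {"c": 0}

    def nxt():
        state["c"] += 1
        return state["c"].to_bytes(8, "big")
    return nxt


def fixed_challenge(value=b"\x00" * 16):
    """The broken case: the 'nonce' repeats, so a captured answer stays valid."""
    return lambda: value


def run(next_challenge):
    srv = Server(SHARED_KEY, next_challenge)
    # Legitimate client authenticates; Eve records (n1, r1) from the wire.
    n1 = srv.challenge()
    r1 = client_answer(SHARED_KEY, n1)
    legit = srv.check(n1, r1)
    # Eve opens her own session and replays the recorded answer to the new challenge.
    n2 = srv.challenge()
    replay_accepted = srv.check(n2, r1)
    # Replaying against the already-consumed challenge is refused by the pending set.
    stale_rejected = not srv.check(n1, r1)
    return {"legit": legit, "replay_accepted": replay_accepted, "stale_rejected": stale_rejected}


if __name__ == "__main__":
    for label, gen in [("random", random_nonces()), ("counter", counter_nonces()), ("fixed", fixed_challenge())]:
        print(label, run(gen))
```

<p>The replay succeeds only in the fixed case, where Eve's new challenge equals the one she recorded, so the recorded HMAC is still the correct answer. The counter case is the notes' distinction in action: the challenge is entirely predictable, but because it never repeats under the same key, the recorded answer is useless against the next one. Unpredictability matters for other attacks (an attacker who can predict the next challenge can pre-compute answers against a weak key), which is why protocols usually want a nonce that is also random.</p><p>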
In attempting to complete an EA, organizations can address the problem either from a technology perspective or from a business process perspective.</p><p>Nonrepudiation: the assurance that a party cannot later deny originating data; that is, the provision of proof of the integrity and origin of the data that can be verified by a third party. Digital signatures provide nonrepudiation.</p><p>In a public key infrastructure (PKI), proving that an online transaction was authorized by a specific customer is nonrepudiation.</p><p>The goal of service level management (SLM) is to maintain and improve customer satisfaction and to improve the service delivered to the customer.</p><p>To mitigate the risk of internal fraud in an Internet banking application, transactions should be processed only if they are signed with the customer's private key, whose certificate was issued by a third-party certificate authority.</p><p>The goals of IT governance are to improve IT performance, to deliver optimum business value and to ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business.</p><p>IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise; reducing IT costs may not be the best IT governance outcome for an enterprise.</p><p>The IS auditor should first check the configuration settings for the current network layout and connectivity and then, based on this, decide whether the security requirements are adequate.</p><p>Corporate governance is a set of management practices to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized. Hence the primary objective of corporate governance is to provide strategic direction. 
Based on the strategic direction, business operations are directed and controlled.</p>
<p>The risk most likely encountered in a SaaS environment is speed and availability issues, because SaaS relies on the Internet for connectivity.</p>
<p>Validated digital signatures on email help detect spam, since a forged sender cannot produce a valid signature.</p>
<p>A sender encrypting a message with his or her private key provides nonrepudiation but not confidentiality (anyone holding the public key can read it).</p>
<p>A sender encrypting a message with the receiver's public key provides confidentiality but not nonrepudiation (anyone holding that public key could have produced it).</p>
<p>Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance).</p>
<p>Strategic alignment primarily focuses on ensuring linkage of business and IT plans. Value delivery is about executing the value proposition throughout the delivery cycle.</p>
<p>Resource management is about the optimal investment in and proper management of critical IT resources.</p>
<p>Waterfall life cycle: suitable when requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate.</p>
<p>Through-the-computer auditing refers to the whole information processing cycle, from input through output of information. 
It usually includes the manual procedures associated with the processing of input and the verification of the output.</p>
<p>Critical path diagrams are used to determine the project's critical path, the longest chain of dependent activities, which represents the shortest possible time required for completing the project.</p>
<p>PERT diagrams are a critical path method (CPM) technique in which three estimates (as opposed to one) of the time required to complete each activity are used to determine the critical path.</p>
<p>Attribute sampling: a sampling plan enabling the auditors to estimate the rate of deviation (occurrence) in a population.</p>
<p>Deviation rate: a defined rate of departure from prescribed controls; also referred to as occurrence rate or exception rate.</p>
<p>Difference estimation: a sampling plan that uses the difference between the audited (correct) values and the book values of items in a sample to calculate the estimated total audited value of the population. Difference estimation is used in lieu of ratio estimation when the differences are not nearly proportional to book values.</p>
<p>An IS auditor performing an independent classification of systems should classify a system whose functions could be performed manually at a tolerable cost for an extended period of time as SENSITIVE.</p>
<p>Discovery sampling: a sampling plan for locating at least one deviation, provided that the deviation occurs in the population with a specified frequency.</p>
<p>Dual-purpose test: a test designed to test a control and to substantiate the dollar amount of an account using the same sample.</p>
<p>Function point analysis (FPA) is a technique used to determine the size of a development task, based on the number of function points.</p>
<p>Gantt charts help to identify activities that have been completed early or late through comparison to a 
baseline. Progress of the entire project can be read from the Gantt chart to determine whether the project is behind, ahead of or on schedule.</p>
<p>SLAs are binding legal agreements between the service provider and the client. To guard the interests of the two parties involved, they must be reviewed by legal experts.</p>
<p>The shorter the RPO and RTO, the more costly a continuous data protection (CDP) implementation.</p>
<p>A characteristic of structured programming is smaller, workable units. Structured programming evolved because smaller, workable units are easier to maintain. It is a style of programming that restricts the kinds of control structures used.</p>
<p>When an application shows performance issues, the appropriate recommendation is to review the results of the stress tests performed during user acceptance testing (UAT) that demonstrated those performance issues.</p>
<p>Hash totals are an effective method to reliably detect errors in data processing; a mismatch indicates an error in data integrity.</p>
<p>PERT expected duration = (O + 4M + P) / 6, where O, M and P are the optimistic, most likely and pessimistic estimates.</p>
<p>Transparency is primarily achieved through performance measurement, as it provides information to the stakeholders on how well the enterprise is performing compared to objectives.</p>
<p>The project manager cannot be the lead negotiator.</p>
<p>Work performance measurements will ALWAYS compare actual progress against planned progress. 
Work performance information is information and data without any benchmark comparison.</p>
<p>The sponsor provides resources and support for the project and is accountable for enabling success.</p>
<p>Business partners are ALWAYS external organizations.</p>
<p>Brainstorming is also a meeting.</p>
<p>Hardening a system means configuring it in the most secure manner (install the latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and thus take control of the entire machine, jeopardizing the integrity of the OS.</p>
<p>Authenticity: encrypt with the sender's private key and decrypt with the sender's public key.</p>
<p>Confidentiality: encrypt with the receiver's public key and decrypt with the receiver's private key.</p>
<p>Certification authority (CA) = responsible for the maintenance of certificates in a PKI.</p>
<p>PKI: used by web-based applications that need authentication, e.g., banks.</p>
<p>Generic scenario: A and B do not know each other and do not trust each other, but both trust C. Using PKI, A and B can do business if C validates their identities to each other.</p>
<p>SSL/TLS uses symmetric encryption to encrypt the session data and asymmetric encryption to share the session key.</p>
<p>Hashes cannot be worked backward to recover their input.</p>
<p>To ensure both authenticity and confidentiality, a message must be encrypted twice: first with the sender's private key, then with the receiver's public key. The receiver decrypts with his or her own private key, ensuring confidentiality; the result is then decrypted with the sender's public key, ensuring authenticity. 
Encrypting the message with the sender's private key alone enables anyone holding the public key to decrypt it, so on its own it gives no confidentiality.</p>
<p>Email confidentiality with authenticity: encrypt the hash of the message with the sender's private key (the digital signature) and then encrypt the message with the receiver's public key. The message is encrypted with the recipient's public key and decrypted with the recipient's private key.</p>
<p>WSDL (Web Services Description Language): an XML-based language used to describe the capabilities of a web service as a collection of communication endpoints capable of exchanging messages. WSDL is the language used by Universal Description, Discovery and Integration (UDDI).</p>
<p>Mapping: diagramming the data that are to be exchanged electronically, including how they are to be used and which business management systems need them.</p>
<p>Unit testing: a testing technique used to test program logic within a particular program or module.</p>
<p>It is corporate management's responsibility to safeguard the company's assets. 
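</p><p>The three notes above on private-key versus public-key encryption, and the email pattern of signing the digest with the sender's private key before encrypting the message to the receiver's public key, as an added worked example. This is example code written for these notes, not code from the original page: it uses textbook RSA with constructed toy primes (61, 53, 89, 97), no padding and byte-at-a-time blocks, which is fine for seeing the key roles but must never be used for real data.</p><p>
```python
import hashlib
from typing import List, Tuple

Key = Tuple[int, int]  # (modulus n, exponent)


def make_keypair(p: int, q: int, e: int) -> Tuple[Key, Key]:
    """Textbook RSA from two small primes: returns (public, private).

    Educational only: real keys are 2048-bit or larger and are always used
    with padding (OAEP for encryption, PSS for signatures).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_apply(key: Key, blocks: List[int]) -> List[int]:
    """Apply the key to each block (block^exp mod n); blocks must be < n."""
    n, exp = key
    return [pow(b, exp, n) for b in blocks]


def encrypt(receiver_pub: Key, message: bytes) -> List[int]:
    """Confidentiality: only the receiver's private key can recover this."""
    return rsa_apply(receiver_pub, list(message))


def decrypt(receiver_priv: Key, ciphertext: List[int]) -> bytes:
    return bytes(rsa_apply(receiver_priv, ciphertext))


def sign(sender_priv: Key, message: bytes) -> List[int]:
    """Authenticity and nonrepudiation: the sender's private key is applied
    to the SHA-256 digest of the message, not to the message itself."""
    return rsa_apply(sender_priv, list(hashlib.sha256(message).digest()))


def verify(sender_pub: Key, message: bytes, signature: List[int]) -> bool:
    """Anyone with the sender's public key can check the signature: the
    digest recovered from it must equal the digest recomputed locally."""
    recovered = rsa_apply(sender_pub, signature)
    if any(v > 255 for v in recovered):  # garbage signature, not even bytes
        return False
    return bytes(recovered) == hashlib.sha256(message).digest()


def seal_email(sender_priv: Key, receiver_pub: Key, message: bytes):
    """Sign with the sender's private key, then encrypt to the receiver."""
    return encrypt(receiver_pub, message), sign(sender_priv, message)


def open_email(receiver_priv: Key, sender_pub: Key, ciphertext, signature):
    """Decrypt with the receiver's private key, then verify the signature."""
    message = decrypt(receiver_priv, ciphertext)
    return message, verify(sender_pub, message, signature)


def demo() -> dict:
    # Constructed toy key pairs; the primes are deliberately tiny.
    sender_pub, sender_priv = make_keypair(61, 53, 17)
    receiver_pub, receiver_priv = make_keypair(89, 97, 7)
    msg = b"Pay 100 to account 42"

    ciphertext, signature = seal_email(sender_priv, receiver_pub, msg)
    plaintext, authentic = open_email(receiver_priv, sender_pub, ciphertext, signature)

    # A modified message no longer matches the signed digest.
    tampered_ok = verify(sender_pub, b"Pay 900 to account 42", signature)

    # "Encrypting" with the sender's private key gives no confidentiality:
    # anyone holding the public key recovers the message.
    exposed = bytes(rsa_apply(sender_pub, rsa_apply(sender_priv, list(msg))))

    return {
        "plaintext": plaintext,
        "authentic": authentic,
        "tampered_verifies": tampered_ok,
        "private_key_encryption_is_readable_by_anyone": exposed == msg,
        "ciphertext_differs_from_message": ciphertext != list(msg),
    }


if __name__ == "__main__":
    print(demo())
```
</p><p>Running demo() recovers the plaintext, verifies the signature, rejects the altered message, and shows that a message "encrypted" with the sender's private key is readable by anyone with the matching public key. In production the same roles are filled by RSA-OAEP or ECDH for confidentiality and RSA-PSS or ECDSA for signatures, with keys and certificates managed by a CA.</p><p>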
This includes providing for contingency operations. Therefore, corporate management should supply the manpower and financial resources to develop and maintain the plan.</p>
<p>Performing an exhaustive review of the recovery tasks would be appropriate to identify the way these tasks were performed, identify the time allocated to each of the steps required to accomplish recovery, and determine where adjustments can be made.</p>
<p>Trend analysis examines project performance over time to determine whether performance is improving or deteriorating.</p>
<p>Encrypting the client-server communication will not prevent internal fraud, because insiders act at the application level, where the data are already decrypted.</p>
<p>The primary purpose of meeting with auditees prior to formally closing a review is to gain agreement on the findings.</p>
<p>Electromagnetic emissions can be detected by sophisticated equipment and displayed, thus giving unauthorized persons access to data.</p>
<p>A retina scan uses optical technology to map the capillary pattern of an eye's retina. It is highly reliable and has the lowest false-acceptance rate (FAR) among current biometric methods.</p>
<p>The certificate authority maintains a directory of digital certificates for the reference of those receiving them. It manages the certificate life cycle, including certificate directory maintenance and certificate revocation list (CRL) maintenance and publication.</p>
<p>When transmitting data, a sequence number and/or time stamp built into the message to make it unique can be checked by the recipient to ensure that the message was not intercepted and replayed.</p>
<p>The primary activity of a CA is to issue certificates. The primary role of the CA is to check the identity of the entity owning a certificate and to confirm the integrity of any certificate it issued. Providing a communication infrastructure is not a CA activity. The secret keys belonging to the certificates are not archived at the CA. 
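</p><p>The nonce definition earlier in this section and the sequence-number/time-stamp note just above describe the same control, replay prevention, from two angles. The following added example (written for these notes, not taken from the original page) puts both into code: a challenge-response server that retires each nonce after one use, with either an unpredictable random nonce or a predictable counter nonce, and a message receiver that enforces a per-sender increasing sequence number and a freshness window. The shared key, message bodies and time stamps are constructed values.</p><p>
```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Set

# Constructed shared secret for the example; real deployments provision a
# per-client key rather than a constant in source.
SHARED_KEY = b"example-shared-key-for-demo-only"


def make_response(key: bytes, challenge: bytes) -> bytes:
    """Prover's answer: HMAC-SHA256 of the challenge under the shared key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class ChallengeServer:
    """Verifier side of challenge-response. Every challenge is a nonce: issued
    once, answered once, then retired, so a captured (challenge, response)
    pair is useless to a replaying attacker. unpredictable=False uses a
    counter, which is still a valid nonce even though it can be guessed."""

    def __init__(self, key: bytes, unpredictable: bool = True) -> None:
        self._key = key
        self._unpredictable = unpredictable
        self._counter = 0
        self._outstanding: Set[bytes] = set()
        self._retired: Set[bytes] = set()

    def issue_challenge(self) -> bytes:
        if self._unpredictable:
            nonce = os.urandom(16)
        else:
            self._counter += 1
            nonce = self._counter.to_bytes(16, "big")
        if nonce in self._retired or nonce in self._outstanding:
            raise RuntimeError("nonce repeated under the same key; rotate the key")
        self._outstanding.add(nonce)
        return nonce

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:   # never issued, or already used
            return False
        self._outstanding.discard(challenge)      # consumed on first use, right or wrong
        self._retired.add(challenge)
        return hmac.compare_digest(make_response(self._key, challenge), response)


def tag_message(key: bytes, sender: str, seq: int, ts: int, body: bytes) -> bytes:
    """MAC over sender, sequence number, time stamp and body, so none can be changed."""
    return make_response(key, f"{sender}|{seq}|{ts}|".encode() + body)


class SequencedReceiver:
    """Recipient-side check from the note above: a per-sender, strictly
    increasing sequence number plus a time-stamp freshness window."""

    def __init__(self, key: bytes, window_seconds: int = 300) -> None:
        self._key = key
        self._window = window_seconds
        self._last_seq: Dict[str, int] = {}

    def accept(self, sender: str, seq: int, ts: int, body: bytes, tag: bytes,
               now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        if abs(now - ts) > self._window:           # stale or future-dated
            return False
        if seq <= self._last_seq.get(sender, 0):   # replayed or reordered
            return False
        if not hmac.compare_digest(tag_message(self._key, sender, seq, ts, body), tag):
            return False
        self._last_seq[sender] = seq
        return True


def demo() -> dict:
    r = {}
    srv = ChallengeServer(SHARED_KEY)
    ch = srv.issue_challenge()
    resp = make_response(SHARED_KEY, ch)
    r["first_auth"] = srv.verify(ch, resp)
    r["replayed_auth"] = srv.verify(ch, resp)   # identical pair, second time

    counter_srv = ChallengeServer(SHARED_KEY, unpredictable=False)
    r["counter_nonces_distinct"] = counter_srv.issue_challenge() != counter_srv.issue_challenge()

    rx = SequencedReceiver(SHARED_KEY)
    now, body = 1_700_000_000, b"transfer 100"
    tag = tag_message(SHARED_KEY, "alice", 1, now, body)
    r["msg_accepted"] = rx.accept("alice", 1, now, body, tag, now=now)
    r["msg_replayed"] = rx.accept("alice", 1, now, body, tag, now=now)
    old = tag_message(SHARED_KEY, "alice", 2, now - 3600, body)
    r["msg_stale"] = rx.accept("alice", 2, now - 3600, body, old, now=now)
    return r


if __name__ == "__main__":
    print(demo())
```
</p><p>The first authentication succeeds and the replay of the identical pair fails; the counter server still produces distinct nonces. On the message side, the same tagged message is accepted once and rejected on replay, and a message stamped an hour ago is rejected even though its tag is valid. Note that the receiver's sequence state must survive restarts, or a replay after a reboot would be accepted.</p><p>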
The CA can contribute to authenticating the communicating partners to each other, but the CA is not involved in the communication stream itself.</p>
<p>Online monitors measure telecommunications transmissions and their accuracy.</p>
<p>Protocol analyzer: a network diagnostic tool that monitors and records network information.</p>
<p>Access control software: designed to prevent unauthorized access to data and objects, unauthorized use of system functions or programs, unauthorized modification of data or unauthorized attempts to access computer resources.</p>
<p>An internal control self-assessment (CSA) may highlight noncompliance with the current policy, but is not necessarily the best source for driving the prioritization of IT projects.</p>
<p>It is critical that an independent security review of an outsourcing vendor be obtained.</p>
<p>Performance indicators must be defined before implementing an IT balanced scorecard (BSC).</p>
<p>Accountability cannot be transferred to external parties.</p>
<p>Why is a self-signed digital certificate a security concern? Because the essence of PKI is for an independent third party to sign the certificate, so that the party dealing with the website can have reasonable assurance that it is dealing with a genuine entity.</p>
<p>The security policy provides the broad framework of security, as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access.</p>
<p>Risks are mitigated by implementing appropriate security and control practices.</p>
<p>To ensure that noncompliance with information security standards is resolved = regular reports to executive management.</p>
<p>Insurance is a mechanism for transferring risk. 
Audit and certification are mechanisms of risk assurance, and contracts and SLAs are mechanisms of risk allocation.</p>
<p>Internal accounting controls are used to safeguard financial records.</p>
<p>Strategic planning sets corporate or departmental objectives into motion.</p>
<p>Audit risk represents the possibility that the auditor concludes, after conducting an adequate audit, that the financial statements were fairly stated when, in fact, they were materially misstated. Audit risk is unavoidable, because auditors gather evidence only on a test basis and because well-concealed frauds are extremely difficult to detect. An auditor may fully comply with auditing standards and still fail to uncover a material misstatement due to fraud.</p>
<p>Audit failure occurs when the auditor issues an incorrect audit opinion because it failed to comply with the requirements of auditing standards. An example is a firm assigning unqualified assistants to perform certain audit tasks, where they fail to notice material misstatements in the client's records that a qualified auditor would have found.</p>
<p>Legal liability: the professional's obligation under the law to provide a reasonable level of care while performing work for those served.</p>
<p>Code signing = assurance that the software has not been subsequently modified.</p>
<p>Errors versus fraud: auditing standards distinguish between two types of misstatements, errors and fraud. Either type of misstatement can be material or immaterial. An error is an unintentional misstatement of the financial statements, whereas fraud is intentional. 
Two examples of errors are a mistake in extending price times quantity on a sales invoice, and overlooking older raw materials when determining the lower of cost or market for inventory.</p>
<p>Strategies are approaches followed by the entity to achieve organizational objectives. Auditors should understand client objectives related to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with laws and regulations.</p>
<p>Equal error rate or crossover error rate (EER or CER): the rate at which acceptance errors and rejection errors are equal. The value of the EER can be read directly from the ROC curve. The EER is a quick way to compare the accuracy of devices with different ROC curves; in general, the device with the lowest EER is the most accurate.</p>
<p>Comprehensive planning helps ensure an effective and efficient organization. Strategic planning is time- and project-oriented, but must also address and help determine priorities to meet business needs. Long- and short-range plans should be consistent with the organization's broader plans for attaining its goals.</p>
<p>Parameters that are not set correctly would be the greatest concern when implementing an application software package.</p>
<p>Risk assessment and business impact analysis (BIA) are tools for understanding the business for business continuity planning.</p>
<p>A business continuity self-audit is a tool for evaluating the adequacy of the BCP; resource recovery analysis is a tool for identifying a business resumption strategy.</p>
<p>The role gap analysis plays in business continuity planning is to identify deficiencies in a plan. 
Neither of these is used for gaining an understanding of the business.</p>
<p>Abrupt changeover: a changeover approach in which the new system replaces the old system on a cutoff date and time, and the old system is discontinued once the changeover to the new system takes place.</p>
<p>DAC: logical access protection that may be activated or modified by the data owner at his or her discretion; it acts as an additional filter but cannot override mandatory access controls (MAC).</p>
<p>Lack of sufficient security controls is a vulnerability, not a threat.</p>
<p>Code signing ensures that the executable code came from a reputable source and has not been modified after being signed.</p>
<p>CMM has five maturity levels. Maturity level 3 (defined) is the lowest level at which a balanced scorecard (BSC) exists.</p>
<p>Depending on the complexity of an organization, there could be more than one plan to address various aspects of business continuity and disaster recovery. These do not necessarily have to be integrated into one single plan.</p>
<p>In BCP, each plan has to be consistent with the other plans to have a viable business continuity strategy. It may not be possible to define a sequence in which plans have to be implemented, as this may depend on the nature of the disaster, criticality, recovery time, etc.</p>
<p>Obtaining sufficient and appropriate evidence assists the auditor in not only identifying control weaknesses but also documenting and validating them. 
Complying with regulatory requirements, ensuring coverage and the execution of the audit are all relevant to an audit, but they are not the reason why sufficient and relevant evidence is required.</p>
<p>Initiating and subsequently approving a change request violates the principle of segregation of duties.</p>
<p>One of the strong compensating controls for DBA activity is to ensure that the DBA cannot delete activity logs. The activity log is a strong detective control for DBA activities.</p>
<p>The MOST efficient way to test the design effectiveness of a change control process => perform an end-to-end walk-through of the process.</p>
<p>Detect errors in data processing = hash totals.</p>
<p>Table-top testing in BCP: a walk-through test on paper by major staff across the company, with no simulation; it ensures that all functional departments are aware of their roles and responsibilities, and that the plan is read and reviewed.</p>
<p>Mandatory one-week vacation in financial institutions is a detective control to uncover illegal acts or improprieties, if any.</p>
<p>Control risk in manual reviews of computer logs can be high, because activities requiring investigation are often easily missed due to the volume of logged information.</p>
<p>Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation and reperformance of controls. 
A walk-through of the manual log review process follows it from start to finish, gaining a thorough understanding of the overall process and identifying potential control weaknesses.</p>
<p>Audit risk: the risk that information may contain a material error that goes undetected during the course of the audit.</p>
<p>One of the first steps in creating a firewall policy is to identify the network applications which need to be externally accessed.</p>
<p>Risk management is all about protecting assets. Therefore, the first step in a risk management program is to take an inventory of assets.</p>
<p>The IT strategy committee takes into account future business direction, future technological innovations and regulatory compliance considerations.</p>
<p>The risk of not using the results of the business impact analysis for disaster recovery planning is that the DRP may not be designed to recover the most critical assets in the correct order. As a result, the plan may not be adequate to allow the organization to recover from a disaster.</p>
<p>Minimize decisions during a crisis = BCP.</p>
<p>The concerns in BCP include natural disasters, missed targets and loss of profit. The goal of continuity is to ensure that important targets are not missed and revenue is not interrupted.</p>
<p>The BCP should be reviewed after the risk assessment is completed.</p>
<p>System usability is measured by the end-user perception of the system.</p>
<p>IT risk is managed by embedding accountability into the enterprise. 
The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. Performing more frequent IS audits or recommending the creation of a new role (CRO) is not helpful if the accountability rules are not clearly defined and implemented.</p>
<p>IT steering committee: approving IT project plans and budgets.</p>
<p>Nonrepudiation is only possible with asymmetric cryptography, where the signature is created with a private key held solely by the signer.</p>
<p>System owners are responsible for access rights and access levels.</p>
<p>People are the weakest link in the information security chain.</p>
<p>The main benefit of integrating total quality management (TQM) into a software development project is end-user satisfaction, not cost control, meeting delivery dates or proper documentation.</p>
<p>The steering committee performs the financial evaluation of a project.</p>
<p>The waterfall life cycle model is best suited when the application system development requirements are well understood and expected to remain stable. If the requirements baseline is not known, the best development method is agile, because agile development follows an adaptive approach.</p>
<p>Senior management approves the project and the resources it needs. The project steering committee monitors costs and timelines and provides overall direction. The technical project manager provides technical support.</p>
<p>Quality of metadata = an important factor in the design of a data warehouse.</p>
<p>When donating or disposing of used computers, the organization must ensure that confidentiality is not compromised: tapes and magnetic disks must be degaussed (demagnetized). 
This is also known as media sanitization.</p>
<p>Run-to-run totals provide assurance that data converted from an old system to a new file system contain all the important elements.</p>
<p>Bottom-up software development and testing ensures that errors in critical modules are detected early in the process.</p>
<p>A top-down software development and testing approach ensures that interface errors are detected and that critical functions are tested early.</p>
<p>Media sanitization methods = disposal + clearing + purging + destroying.</p>
<p>While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Since the work involves confidential information, the IS auditor's PRIMARY concern should be that the requirement for protecting confidentiality of information could be compromised.</p>
<p>The incident location may be a technical crime scene. The response should be preplanned and structured to ensure that the value of evidence is not diminished and confidentiality is maintained.</p>
<p>Regression testing is used to ensure that an application change has not altered system functionality in unintended ways. The data used in a regression test are the same as those used to perform the test before the change was made.</p>
<p>An auditor assigned to audit a reorganized BPR project should obtain the old process flow and the new process flow and ensure adequate controls in the new process.</p>
<p>Encryption of data is the most secure method of protecting confidential data from exposure.</p>
<p>Program reverse engineering usually involves reversing machine code into source code to understand its logic. It is usually done to understand a program whose source code has been lost.</p>
<p>Earned value analysis (EVA) is an industry standard for measuring the progress of a project at any stage. 
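</p><p>The earlier note on hash totals detecting processing errors and the run-to-run totals note above are the same control applied at different points: totals computed on one run are carried forward and compared with totals recomputed on the next. The following added example (written for these notes, not code from the original page) implements it for a data conversion, using a constructed three-record extract and two simulated conversion faults. The record layout and account numbers are invented for illustration.</p><p>
```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Record:
    account: int       # identifier: summing it is meaningless except as a hash total
    amount_cents: int  # financial field: summing it gives a meaningful financial total


@dataclass(frozen=True)
class ControlTotals:
    count: int
    hash_total: int    # sum of account numbers
    amount_total: int  # sum of amounts

    @classmethod
    def of(cls, records: Iterable[Record]) -> "ControlTotals":
        recs = list(records)
        return cls(len(recs),
                   sum(r.account for r in recs),
                   sum(r.amount_cents for r in recs))


def reconcile(stage: str, expected: ControlTotals, actual: ControlTotals) -> List[str]:
    """Run-to-run check: compare the totals carried forward from the previous
    run with those recomputed from this run's output. An empty list means the
    runs agree."""
    problems = []
    if actual.count != expected.count:
        problems.append(f"{stage}: record count {actual.count} != {expected.count}")
    if actual.hash_total != expected.hash_total:
        problems.append(f"{stage}: hash total {actual.hash_total} != {expected.hash_total}")
    if actual.amount_total != expected.amount_total:
        problems.append(f"{stage}: amount total {actual.amount_total} != {expected.amount_total}")
    return problems


# Constructed extract from the old system.
OLD_SYSTEM = [Record(100234, 5000), Record(100243, 2500), Record(200991, 12000)]


def convert_clean(records: List[Record]) -> List[Record]:
    return [Record(r.account, r.amount_cents) for r in records]


def convert_transposed(records: List[Record]) -> List[Record]:
    """Simulated mapping bug: the last two digits of the first account number
    are swapped. Count and amounts are unchanged, so only the hash total
    can catch it."""
    out = list(records)
    digits = str(out[0].account)
    out[0] = Record(int(digits[:-2] + digits[-1] + digits[-2]), out[0].amount_cents)
    return out


def convert_dropped(records: List[Record]) -> List[Record]:
    """Simulated load failure: the last record never reaches the new system."""
    return list(records)[:-1]


def demo() -> dict:
    baseline = ControlTotals.of(OLD_SYSTEM)
    return {
        "clean": reconcile("conversion", baseline, ControlTotals.of(convert_clean(OLD_SYSTEM))),
        "transposed": reconcile("conversion", baseline, ControlTotals.of(convert_transposed(OLD_SYSTEM))),
        "dropped": reconcile("conversion", baseline, ControlTotals.of(convert_dropped(OLD_SYSTEM))),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "totals agree")
```
</p><p>The clean conversion reconciles with no findings; the transposed account number is caught only by the hash total, which is exactly why a total over a non-financial field is carried alongside the count and the amount total; the dropped record trips all three. In an audit, the auditor asks for the totals recorded at each run and reperforms the comparison rather than trusting the conversion log.</p><p>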
It compares the planned amount of work with the completed amount of work.</p>
<p>Prototyping always starts with high-level functions first, so effective testing of such functions is top-down. RAD uses prototyping as its core strategy.</p>
<p>Detection risk is the risk that the auditor will not detect a misstatement that exists in an assertion and that could be material, either individually or when aggregated with other misstatements.</p>
<p>RAP = risk assessment process = BO – IA – RA – RM – RT => periodic reevaluation.</p>
<p>Controls development life cycle (CDLC): design - implementation - operational effectiveness - monitoring.</p>
<p>The first person on the scene is the incident commander, regardless of rank or position. The incident commander may be relieved by a person with more or less experience, according to the situation; the incident commander will change throughout the crisis.</p>
<p>Inspection of policies and procedures can provide some information as to whether monitoring exists. The IT auditor needs to make inquiries of management and/or key employees to determine whether this piece of the CDLC is in place.</p>
<p>Benchmarking: determining the level of performance provided by similar information-processing-facility environments.</p>
<p>Two-factor authentication is a security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other of which is typically something memorized, such as a security code.</p>
<p>Population value (PV): the book value or monetary value of the population.</p>
<p>Tolerable misstatement (TM): the tolerable margin of error, or precision, of the sample estimate of the population value (i.e., the precision limit).</p>
<p>Expected misstatement (EM): the expected amount of misstatement in the population value.</p>
<p>Confidence level (CL): the level of reliability or assurance required (i.e., 
the complement of the risk of incorrect acceptance).</p>
<p>Internal or external auditors should be able to work independently and report to the highest management level, the audit committee or the board of directors.</p>
<p>The audit committee or IS audit management should ensure the skill enhancement of the audit staff and also provide tools, methodologies and work programs to help auditors conduct audits of a specialized nature.</p>
<p>Short-term audit planning covers audit issues on an annual basis.</p>
<p>The audit planning process should be reviewed periodically, typically at least annually, to evaluate new control requirements based on changes in the risk environment, technologies and business processes, and enhanced audit evaluation techniques.</p>
<p>Corrective controls modify processing systems to minimize the repeat occurrence of the problem.</p>
<p>Detective controls help in the detection and reporting of problems as they occur during a business process.</p>
<p>Patches, antivirus, badges/IDs and smart cards are preventive controls (they help to prevent problems before they happen).</p>
<p>Backups are a corrective control (they help to minimize the impact of a problem or risk).</p>
<p>A website certificate is used to provide authentication of the website and can also be used to authenticate the keys used for data encryption.</p>
<p>The strength of a secret key within a symmetric key cryptosystem is determined by a combination of key length, initialization vectors and the complexity of the data-encryption algorithm that uses the key.</p>
<p>IS auditors should review access control lists (ACLs) to determine the user permissions that have been granted for a particular resource.</p>
<p>A major IS audit concern is users' ability to directly modify the database.</p>
<p>The primary purpose of 
business continuity planning and disaster recovery planning is to mitigate, or reduce, the risk and impact of a business interruption or disaster. Total elimination of risk is impossible.</p>
<p>If a database is restored from a backup taken before the last system image, the system should be restarted before the last transaction, because that final transaction must be reprocessed.</p>
<p>Is IS audit proactive or reactive? It depends. If the IS audit is done proactively to identify potential risks and address security early on, it is proactive; if it is done because of a major incident or some other business trigger, to react to an event and find specific weaknesses, it is reactive.</p>
<p>During BCP testing, the IS auditor should act as an observer.</p>
<p>BCP phases: project initiation – BIA – recovery strategies – plan design – testing and training.</p>
<p>Although the primary business objective of BCP and DRP is to mitigate the risk and impact of a business interruption, the dominating objective remains the protection of human life.</p>
<p>Financial results have traditionally been the sole overall performance metric.</p>
<p>Configuration management accounts for all IT components, including software. Project management is about scheduling, resource management and progress tracking of software development. Problem management records and monitors incidents. Risk management involves risk identification, impact analysis, an action plan, etc.</p>
<p>The IT balanced scorecard (BSC) is an IT business governance tool aimed at monitoring IT performance evaluation indicators other than financial results. The IT BSC considers other key success factors, such as customer satisfaction, innovation capacity and processing.</p>
<p>Often, mail filters will quarantine zip files that are password-protected, since the filter (or the firewall) is unable to determine whether the file contains malicious code. 
Many zip file products are capable of using strong encryption. Such files are not normally corrupted by the sending mail server.</p>
<p>The WEP design has been broken and is considered insecure under all conditions.</p>
<p>Prototype systems can provide significant time and cost savings; however, they also have several disadvantages. They often have poor internal controls, change control becomes much more complicated, and they often lead to functions or extras being added to the system that were not originally intended.</p>
<p>Credit card transaction: verify the format of the number entered, then locate it in the database.</p>
<p>The data owner formally authorizes access, and an administrator implements the user authorization tables.</p>
<p>Consistency: transactions are processed only if they meet system-defined integrity constraints, so the database is in a legal state when the transaction begins and when it ends.</p>
<p>Isolation: the results of a transaction are invisible to all other transactions until the original transaction is complete.</p>
<p>Durability: once complete, the results of the transaction are permanent and cannot be undone by a failure.</p>
<p>Preventive controls are controls that prevent the loss or harm from occurring. 
For example, a control that enforces segregation of responsibilities (one person can submit a payment request, but a second person must authorize it) minimizes the chance that an employee can issue fraudulent payments.</p>
<p>Atomicity guarantees that either the entire transaction is processed or none of it is.</p>
<p>COMPENSATING controls are internal controls intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated.</p>
<p>Discovery sampling: its purpose is to detect at least one deviation, with a predetermined risk of assessing control risk too low if the deviation rate in the population is greater than the specified tolerable deviation rate. Useful where fraud is suspected.</p>
<p>Sequential (stop-or-go) sampling: an audit sample taken in several stages.</p>
<p>Sampling risk: the risk that the auditors' conclusions based on a sample may differ from the conclusion they would reach if they examined every item in the population.</p>
<p>Nonsampling risk: risk pertaining to non-sampling errors; it can be reduced to low levels through effective planning and supervision of audit engagements.</p>
<p>Stratification: the technique of dividing a population into relatively homogeneous subgroups.</p>
<p>Role-based access control defines roles for a group of users. 
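</p><p>The atomicity and consistency properties above, as an added worked example on an in-memory SQLite ledger (example code written for these notes, not taken from the original page; the account names and balances are constructed). A CHECK constraint supplies the integrity rule, a transfer inside an explicit transaction shows the partial update being rolled back when the rule is violated, and the same two statements without a transaction show the inconsistent state that atomicity prevents. Isolation and durability are not demonstrated here; the first needs concurrent connections and the second a database on disk.</p><p>
```python
import sqlite3
from typing import Dict


def open_ledger() -> sqlite3.Connection:
    """In-memory ledger with the integrity constraint 'balance >= 0'.

    isolation_level=None puts the connection in autocommit mode so that
    transactions are opened and closed explicitly below.
    """
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE accounts ("
        " name TEXT PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    # Constructed sample data.
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 20)])
    return conn


def balances(conn: sqlite3.Connection) -> Dict[str, int]:
    return dict(conn.execute("SELECT name, balance FROM accounts ORDER BY name"))


def transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Atomic transfer: the credit and the debit commit together or not at all.

    The credit is deliberately issued first so that, when the debit violates
    the CHECK constraint, there is a partial update for ROLLBACK to undo.
    """
    try:
        conn.execute("BEGIN")
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?",
                     (amount, dst))
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?",
                     (amount, src))
        conn.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        conn.execute("ROLLBACK")  # atomicity: the credit is undone as well
        return False


def transfer_no_transaction(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Anti-pattern: the same two statements in autocommit mode. The credit
    survives the failed debit, leaving the ledger inconsistent."""
    try:
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?",
                     (amount, dst))
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?",
                     (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False


def demo() -> dict:
    conn = open_ledger()
    ok = transfer(conn, "alice", "bob", 30)          # within constraints
    after_ok = balances(conn)
    rejected = transfer(conn, "bob", "alice", 500)   # bob would go negative
    after_rejected = balances(conn)

    conn2 = open_ledger()
    partial = transfer_no_transaction(conn2, "bob", "alice", 500)
    after_partial = balances(conn2)
    return {
        "ok": ok, "after_ok": after_ok,
        "rejected": rejected, "after_rejected": after_rejected,
        "partial": partial, "after_partial": after_partial,
    }


if __name__ == "__main__":
    print(demo())
```
</p><p>The valid transfer leaves alice at 70 and bob at 50; the oversized transfer is rejected and the balances are unchanged. Without the transaction, the debit still fails but alice keeps the 500 credit, which is the kind of state an auditor's hash totals or run-to-run balances would later flag.</p><p>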
Users are assigned to roles and access is granted based on the user's role.</p><p>Load testing evaluates the performance of the software under normal and peak conditions.</p><p>Stress testing determines the capacity of the software to cope with an abnormal number of users or simultaneous operations.</p><p>Because the number of concurrent users in the question referred to here is within normal limits, the answer is load testing, not stress testing.</p><p>Recovery testing evaluates the ability of a system to recover after a failure.</p><p>Volume testing evaluates the impact of an incremental volume of records (not users) on a system.</p><p>IS control objectives: safeguarding assets; ensuring the integrity of operating systems, applications and data; ensuring appropriate identification and authentication; ensuring availability of services.</p><p>Integrity checkers compute a number over a known virus-free program and store it in a database file. In the classic design this number is a cyclic redundancy check (CRC). When the program is called to execute, the checker recomputes the CRC on the program about to run and compares it with the stored value: a match means no infection; a mismatch means the program has changed. A CRC detects accidental corruption only; malware that modifies a file can recompute the CRC or patch the file so the CRC is preserved, so a checker that must resist deliberate tampering uses a cryptographic hash, with the stored values protected by a MAC or signature.</p><p>Risk should be addressed as early as possible in the development cycle. Risk should also be considered in the specification phase, where the controls are designed, but this would still be based on the assessment carried out in the feasibility study.</p><p>Nonrepudiation, achieved through the use of digital signatures, prevents the claimed sender from later denying that they generated and sent the message. Encryption may protect the data transmitted over the Internet, but it does not prove that the transactions were made.</p><p>The recovery time objective (RTO) is the requirement for how quickly a business process or an IT service must be restored after a disaster. 
This affects the disaster recovery plan (DRP), but it depends on the business impact analysis (BIA).</p><p>The BIA identifies the financial, operational and service impacts that may result from a disruption of a business process or IT service, and is therefore the primary driver for all recovery plans, including the technology recovery strategy.</p><p>The message digest (hash) is calculated over the message and included in the digital signature to prove that the message has not been altered. The recipient recomputes the digest of the received message and compares it with the digest recovered by verifying the signature; the two must be equal. The digest itself must be covered by the signature, since an unsigned digest sent alongside the message could simply be replaced together with the message.</p><p>Audit risk is the combination of inherent risk, control risk and detection risk.</p><p>Standard methodologies provide consistency across all systems used in the company.</p><p>In a small organization, developers may release emergency changes directly to production. The BEST way to control the risk in this situation: approve and document the change the next business day.</p><p>An information security policy is management's formal declaration of security goals and objectives. It is also the basis for access control authorization.</p><p>Atomicity requires that a transaction be completed in its entirety or not at all (data integrity).</p><p>Escorting visitors provides the best assurance that visitors have permission to access defined areas within the data processing facility.</p><p>Tape backup = preventive control.</p><p>ITAF = general standards + performance standards + reporting standards.</p><p>The verify function of a backup is a detective control intended to detect any discrepancies between the tape and the hard disk. 
It is a detective control because it still requires the operator to fix the problem manually after it is found.</p><p>An audit module collects data on transactions that may help identify fraudulent transactions, but it does not identify fraudulent transactions by itself.</p><p>Process owner involvement is a critical part of the business impact analysis (BIA), which is used to create the disaster recovery plan (DRP). If the IS auditor determines that process owners were not involved, this is a significant concern.</p><p>Suspense file: a computer file used to hold information (transactions, payments or other events) until the proper disposition of that information can be determined.</p><p>Switches reduce collision domains (each switch port is its own collision domain).</p><p>Synchronous transmission: block-at-a-time data transmission.</p><p>System exits: special system software features and utilities that allow a user to perform complex system maintenance. Because they can bypass the normal application and operating system controls, their use must be restricted to authorized staff and logged.</p><p>System flowchart: a graphic representation of the sequence of operations in an information system or program.</p><p>It is not possible to create business continuity plans (BCP) without a current business impact analysis (BIA). The BIA identifies critical processes and their dependencies.</p><p>Consistency ensures that all integrity conditions in the database are maintained with each transaction.</p><p>Data center consolidation is the process of reducing the volume of physical IT assets through highly efficient and scalable technologies (reducing operating costs).</p><p>Block data compression reduces the size of data on disk, increasing available capacity by up to 50 percent for compressible data. Compression can be enabled automatically and operates in the background to avoid performance degradation.</p><p>Prototyping: creating a system through controlled trial and error. It can lead to poor controls in the finished system because the focus is on what the user wants and what the user sees. 
Change control is also complicated: changes happen so quickly that they are rarely documented or approved. Prototyping is also called evolutionary development. It reduces the risk associated with not understanding user requirements. A prototype typically includes only screens, interactive edits and reports (no real processing programs).</p><p>Pooling compute resources allows simplified management, increased visibility of application workloads and cost transparency, ultimately accelerating business processes and cutting costs.</p><p>Infrastructure as a Service (IaaS) is a complete IT infrastructure consumed as a service. Each user or tenant accesses a portion of a consolidated pool of federated resources to create and use their own compute infrastructure as needed, when needed and how needed.</p><p>PaaS is used to develop and run software as an alternative to designing, building and installing an in-house development and production environment.</p><p>Replication is the process of copying data within an array to another space within the same array, to a separate local array, or to a distant array. The purpose may be to relocate the data, to safeguard the data at a second location, or to locate the data at a secondary processing site so that operations may resume from there. Replication copies deletions and corruption as faithfully as good data, so it complements rather than replaces backups.</p><p>Deduplication breaks a file system into sub-file, variable-length data segments and identifies which segments are unique and which are repeated.</p><p>
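Content-defined chunking is what makes the variable-length segmentation just described pay off: the chunk boundaries are chosen from the data itself, so inserting a few bytes does not shift every later boundary the way fixed-size blocks do. The following is an added example, not from the original notes; the rolling hash parameters, the chunk store and the 2 KiB sample file are all constructed for the demonstration.

```python
import hashlib

WINDOW = 16                 # bytes covered by the rolling hash
BASE = 257
MASK = 0xFFFFFFFF
MIN_CHUNK, MAX_CHUNK = 32, 256
BOUNDARY_BITS = 6           # about 1 position in 2**6 = 64 qualifies as a cut


def is_boundary(h: int) -> bool:
    # Mix the rolling hash and test its top bits, so the cut decision does not
    # depend on the weak low bits of the polynomial hash.
    return ((h * 0x9E3779B1) & MASK) >> (32 - BOUNDARY_BITS) == 0


def content_defined_chunks(data: bytes) -> list:
    """Split data into variable-length chunks whose boundaries depend only on
    the bytes inside a rolling window, so an insertion moves the boundaries
    with the content instead of shifting every later boundary."""
    chunks, start, h = [], 0, 0
    pow_out = pow(BASE, WINDOW - 1, 1 << 32)   # weight of the byte leaving the window
    for i, b in enumerate(data):
        if i >= WINDOW:
            h = (h - data[i - WINDOW] * pow_out) & MASK
        h = (h * BASE + b) & MASK
        size = i - start + 1
        if size >= MIN_CHUNK and (is_boundary(h) or size >= MAX_CHUNK):
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def fixed_chunks(data: bytes, size: int = 64) -> list:
    return [data[i:i + size] for i in range(0, len(data), size)]


class ChunkStore:
    """Content-addressed store: a chunk is written once and shared afterwards."""

    def __init__(self):
        self.blobs = {}

    def put_file(self, chunks) -> int:
        """Store a file's chunks; return the number of bytes actually written."""
        written = 0
        for chunk in chunks:
            key = hashlib.sha256(chunk).hexdigest()
            if key not in self.blobs:
                self.blobs[key] = chunk
                written += len(chunk)
        return written


def demo() -> dict:
    # Constructed, deterministic "file": 2 KiB of pseudo-random bytes.
    original = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    edited = original[:100] + b"<10 bytes>" + original[100:]   # 10-byte insertion

    fixed_store, cdc_store = ChunkStore(), ChunkStore()
    fixed_store.put_file(fixed_chunks(original))
    cdc_store.put_file(content_defined_chunks(original))
    return {
        "file_size": len(edited),
        "fixed_new_bytes": fixed_store.put_file(fixed_chunks(edited)),
        "cdc_new_bytes": cdc_store.put_file(content_defined_chunks(edited)),
        "cdc_chunks": len(content_defined_chunks(original)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The fixed-size store has to write almost the whole edited file again (every block after the insertion is shifted), while the content-defined store writes only the chunk or two that actually contain the inserted bytes. The same property is what lets a deduplicating backup target hold daily full backups of a large file at close to incremental cost.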
This dramatically reduces backup storage during the backup and recovery process.</p><p>Durability ensures that, when a transaction has been reported back to the user as complete, the resulting changes to the database will survive subsequent hardware or software failures.</p><p>Creating a provision that allows local policies to take precedence where required by local authorities lets the organization implement the optimal level of control subject to legal limitations.</p><p>The RBAC model, if implemented in the health care industry, for example, helps protect individuals' private health records because each role sees only the records its duties require.</p><p>Protecting people's lives should always be the highest priority in fire suppression. CO2 suppresses fire by displacing oxygen, and halon by chemically interrupting combustion; at suppression concentrations both are hazardous to anyone still in the room, so discharge must be preceded by an alarm and an evacuation delay.</p><p>Verification will ensure that production orders match customer orders.</p><p>Logging can be used to detect inaccuracies, but does not in itself guarantee accurate processing.</p><p>Hash totals will ensure accurate order transmission, but not accurate processing centrally.</p><p>Mirroring of critical elements is a tool that facilitates immediate recoverability.</p><p>Daily backup implies that it is reasonable for restoration to take place within a number of hours, but not immediately.</p><p>Risk is the combination of the probability of an event and its consequence.</p><p>Risk analysis is part of audit planning: identify risks and vulnerabilities in order to determine the controls that mitigate those risks.</p><p>Secure WLAN: disabling SSID broadcast makes the network harder for casual users to find, but it is obscurity rather than a security control; the SSID is still sent in probe and association frames and is captured by any wireless sniffer. Real protection comes from WPA2/WPA3 with strong authentication.</p><p>The risk of not using the results of the BIA for disaster recovery planning means that the DRP may 
not be designed to recover the most critical assets in the correct order.</p><p>The initiation of input transactions is always the function of the particular user area. The database administrator (DBA) is responsible for the database management system environment and the data that reside in it.</p><p>Security procedures are usually detailed as step-by-step actions to ensure that activities meet a given standard.</p><p>The recovery time objective (RTO) is based on the acceptable downtime in case of a disruption of operations. The lower the RTO, the higher the cost of the recovery strategy.</p><p>IS audit and assurance standards require that an IS auditor gather sufficient and appropriate audit evidence. When the IS auditor has found a potential problem and needs to determine whether it is an isolated incident or a systematic control failure, the answer is to expand the sample of logs reviewed.</p><p>Discretionary access control (DAC) is the access control model in which the system (or resource) owner establishes the access privileges to the system.</p><p>Crossover error rate (CER): also called the equal error rate, it is the point, generally stated as a percentage, at which the false rejection rate and the false acceptance rate are equal. It has become the most important single measure of biometric system accuracy; the lower the CER, the better the system.</p><p>The accuracy of block data transfers, such as data transferred from hard disks, is validated by a CRC.</p><p>The DBA administers the DBMS but does not control the data elements; that is the role of the data owner.</p><p>Contradictory evidence: let the evidence tell the story. Contradictory evidence suggests either that the auditor is doing something wrong or that evidence has been discovered proving a problem actually exists (a nonconformity). 
The auditor needs to perform additional quality assurance checks and recheck the test results to determine why this nonconformity was detected.</p><p>Rapid elasticity is the cloud computing term for scalable provisioning, the ability to scale services up and down on demand. It is one of the five essential characteristics of cloud computing in the NIST definition (on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service).</p><p>GRC is an effort to integrate assurance activities across an organization to achieve greater efficiency and effectiveness, aligning the organization's assurance functions.</p><p>Scope creep may indicate a lack of focus, poor communication, lack of discipline, or an attempt to distract the user from the project team's inability to deliver the original project requirements.</p><p>Uncontrolled changes are often referred to as project scope creep; the risk should be considered in the design phase.</p><p>PERT chart: helps determine project duration once all the activities and the work involved in them are known. PERT = task interdependencies.</p><p>BEST backup strategy for a large database with data supporting online sales: mirrored hard disks ensure that all data are written to more than one disk, so that a failure of one disk does not result in loss of data. Mirroring protects against disk failure only: a deletion, a corrupt write or ransomware encryption is mirrored instantly, so a separate point-in-time backup is still required.</p><p>Function point analysis is a technique for determining the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries and logical internal files.</p><p>The critical path method calculates the theoretical early start and finish dates, and late start and finish dates, for all activities without regard to resource limitations, by performing a forward and backward pass through the schedule network.</p><p>Rapid application development (RAD) is a methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining 
quality.</p><p>Completeness check: determines whether a field contains data rather than zeros or blanks.</p><p>If the answers provided to an IS auditor's questions are not confirmed by documented procedures or job descriptions, the IS auditor should expand the scope of testing of the controls and include additional substantive tests.</p><p>Ensuring that the project meets the intended business requirements is the primary objective of a post-implementation review (PIR).</p><p>A PIR should be scheduled some time after the solution has been deployed. Typical periods range from 6 weeks to 6 months, depending on the type of solution and its environment.</p><p>The PIR is intended to be an assessment and review of the final working solution. At least one full processing and reporting cycle should have been completed.</p><p>Quality management basics: the 80/20 (Pareto) rule; quality is fitness for use; top management involvement is required.</p><p>Check digit: a digit calculated mathematically from the other digits of a value to verify that the original data were not altered (transcription or transposition).</p><p>Existence check: checks entered data for agreement with predetermined criteria (for example, that a code exists in a reference table).</p><p>Reasonableness check: matches input against predetermined reasonable limits or occurrence rates.</p><p>Functional acknowledgements are standard electronic data interchange (EDI) transactions that tell trading partners that their electronic documents have been received.</p><p>Base case system evaluation uses test data sets developed as part of a comprehensive testing program.</p><p>
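The PERT and critical path notes above can be turned into a short scheduler: three-point estimates give each activity an expected duration, a forward pass gives early start and finish, a backward pass gives late start and finish, and the activities with zero slack form the critical path. The following is an added example, not from the original notes; the five cut-over activities and their estimates are constructed.

```python
from collections import deque


def pert_expected(optimistic, most_likely, pessimistic):
    """PERT three-point estimate of an activity's duration: (O + 4M + P) / 6."""
    return (optimistic + 4 * most_likely + pessimistic) / 6


def topological_order(tasks):
    """Kahn's algorithm over tasks = {name: (duration, [predecessor names])}.
    Returns the order plus a successor map used by the backward pass."""
    indegree = {name: len(preds) for name, (_, preds) in tasks.items()}
    successors = {name: [] for name in tasks}
    for name, (_, preds) in tasks.items():
        for pred in preds:
            successors[pred].append(name)
    ready = deque(name for name, count in indegree.items() if count == 0)
    order = []
    while ready:
        name = ready.popleft()
        order.append(name)
        for succ in successors[name]:
            indegree[succ] -= 1
            if indegree[succ] == 0:
                ready.append(succ)
    if len(order) != len(tasks):
        raise ValueError("dependency graph contains a cycle")
    return order, successors


def critical_path(tasks):
    """Forward pass (ES, EF), backward pass (LS, LF), slack = LS - ES.
    Returns (project duration, per-activity schedule, zero-slack activities)."""
    order, successors = topological_order(tasks)
    es, ef, ls, lf = {}, {}, {}, {}
    for name in order:                                  # forward pass
        duration, preds = tasks[name]
        es[name] = max((ef[p] for p in preds), default=0.0)
        ef[name] = es[name] + duration
    finish = max(ef.values())
    for name in reversed(order):                        # backward pass
        duration = tasks[name][0]
        lf[name] = min((ls[s] for s in successors[name]), default=finish)
        ls[name] = lf[name] - duration
    schedule = {
        name: {"ES": es[name], "EF": ef[name], "LS": ls[name], "LF": lf[name],
               "slack": ls[name] - es[name]}
        for name in order
    }
    critical = [name for name in order if schedule[name]["slack"] == 0]
    return finish, schedule, critical


# Constructed cut-over plan: (optimistic, most likely, pessimistic) in weeks.
#   A build test environment   B write conversion scripts   C migrate and verify data
#   D user acceptance testing  E go-live decision
ESTIMATES = {
    "A": ((2, 4, 6), []),
    "B": ((1, 2, 3), []),
    "C": ((3, 5, 7), ["A"]),
    "D": ((2, 3, 10), ["A", "B"]),
    "E": ((1, 1, 1), ["C", "D"]),
}
TASKS = {name: (pert_expected(*three_point), preds)
         for name, (three_point, preds) in ESTIMATES.items()}


if __name__ == "__main__":
    finish, schedule, critical = critical_path(TASKS)
    for name, row in schedule.items():
        print(name, row)
    print("duration:", finish, "critical path:", " -> ".join(critical))
```

Shortening an activity that is not on the critical path (B or D here, with 3 and 1 weeks of slack) does not shorten the project at all, which is why a reviewer of a recovery plan for a late project checks whether the proposed actions actually touch the critical path.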
It is used to verify</p><p>correct systems operations before acceptance as well as periodic validation.</p><p>Redundancy check: detects transmission errors by appending calculated bits onto the end of each segment of data.</p><p>Reasonableness check : compare data to predefined reasonability limits or occurrence rates established for the data.</p><p>The PMO provides governance to coordinate and oversee all projects across the organization. This provides historical data for</p><p>estimating, and success and failure criteria. PMO provides maturity to the process of</p><p>managing projects</p><p>BEST help an IS auditor gain reasonable assurance that a project can meet its target date; Extrapolation of the overall end date</p><p>based on completed work packages and current resources</p><p>Parity check: hardware control that detects data errors when data are read from one computer to another.</p><p>Check digits: detect transposition and transcription errors.</p><p>Business continuity plans span department boundaries.</p><p>Change management: Process of controlling changes to the infrastructure or any aspect of services, in a controlled manner,</p><p>enabling approved changes with minimum disruption; ensure that a good change management process is in place.</p><p>During audit, if there are material issues that are of concern, they need to be reported immediately.</p><p>Prototype system : provide significant time and cost savings. Also have several disadvantages like poor internal controls, change</p><p>control becomes much more complicated and it often leads to functions or extras being added.</p><p>Decision support system (DSS): emphasizes flexibility in the decision making approach of users. 
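The check digit, parity, redundancy check and CRC notes above (and the integrity-checker note earlier) describe error-detecting codes with different strengths, and none of them is a defense against a deliberate change. The following is an added example, not from the original notes: it shows a Luhn check digit catching a transcription error and a transposition (and missing the 09/90 swap it is known to miss), even parity missing a two-bit error that a CRC catches, and a CRC being recomputed by an attacker where an HMAC cannot be. The card number, record and key are constructed.

```python
import hashlib
import hmac
import zlib


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    # Walk from the right: the digit nearest the (future) check digit gets
    # weight 2, the next weight 1, alternating; doubled values above 9 lose 9.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    digits = number.replace(" ", "")
    return (digits.isdigit() and len(digits) > 1
            and luhn_check_digit(digits[:-1]) == digits[-1])


def parity_bits(data: bytes) -> list:
    """Even-parity bit per byte, as a serial line or memory bus would add."""
    return [bin(b).count("1") & 1 for b in data]


def flip_bits(data: bytes, flips) -> bytes:
    """Corrupt a copy of data; flips is an iterable of (byte_index, bit) pairs."""
    buf = bytearray(data)
    for index, bit in flips:
        buf[index] ^= 1 << bit
    return bytes(buf)


def crc_frame(msg: bytes) -> bytes:
    return msg + zlib.crc32(msg).to_bytes(4, "big")


def crc_frame_ok(frame: bytes) -> bool:
    body, tag = frame[:-4], frame[-4:]
    return zlib.crc32(body).to_bytes(4, "big") == tag


def mac_frame(msg: bytes, key: bytes) -> bytes:
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def mac_frame_ok(frame: bytes, key: bytes) -> bool:
    body, tag = frame[:-32], frame[-32:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)


def demo() -> dict:
    # Check digits: every single-digit error and almost every adjacent
    # transposition is caught; the 09 <-> 90 swap is the known Luhn blind spot.
    card = "4539148803436467"                      # constructed, Luhn-valid
    blind_a = "1234509" + luhn_check_digit("1234509")
    blind_b = "1234590" + luhn_check_digit("1234590")
    checks = {
        "card_valid": luhn_valid(card),
        "transcription_caught": not luhn_valid("4539148803436567"),
        "transposition_caught": not luhn_valid("4593148803436467"),
        "09_90_swap_caught": not (luhn_valid(blind_a) and luhn_valid(blind_b)),
    }

    # Parity vs CRC on a block: two flipped bits in one byte keep parity even.
    block = b"PAY 00100.00 TO ACCT 4539148803436467"   # constructed record
    damaged = flip_bits(block, [(4, 0), (4, 1)])
    codes = {
        "parity_caught": parity_bits(block) != parity_bits(damaged),
        "crc_caught": zlib.crc32(block) != zlib.crc32(damaged),
    }

    # Adversarial change: the attacker edits the amount and recomputes the CRC,
    # which needs no secret; the HMAC tag cannot be recomputed without the key.
    key = b"constructed-demo-key"
    tampered = block.replace(b"00100.00", b"99100.00")
    forged_crc = crc_frame(tampered)                      # fresh CRC, accepted
    forged_mac = tampered + mac_frame(block, key)[-32:]   # stale tag, rejected
    adversary = {
        "crc_accepts_forgery": crc_frame_ok(forged_crc),
        "hmac_accepts_forgery": mac_frame_ok(forged_mac, key),
    }
    return {**checks, **codes, **adversary}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two results are the security point: a CRC or a plain hash tells you the data changed only if the attacker could not also update the check value. Where alteration by an adversary is in scope, the check value must be keyed (HMAC) or signed; the codes above are for detecting accidental errors at entry and in transmission.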
Advancements in computer programming technology and databases have led to the creation of decision support systems.</p><p>RTO is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; it does not determine acceptable data loss. It has the greatest influence on the recovery strategy for the information processing facility.</p><p>RPO has the greatest influence on the recovery strategy for given data. It is determined by the acceptable data loss in case of a disruption of operations; the RPO effectively quantifies the permissible amount of data loss in case of interruption.</p><p>MTO (maximum tolerable outage) is, like the RTO, a time-based measure; it does not have a direct influence on how much data must be recoverable, which is driven by the RPO.</p><p>Authorization should be separated from all</p><p>Reconciliation is ultimately the responsibility of the user department. In some organizations limited reconciliation of applications may be performed by the data control group using control totals and balance sheets.</p><p>EOC is the emergency operations center, staffed by the emergency management team during a crisis.</p><p>For segregation-of-duties purposes, system development and system maintenance are the same task (both are programming functions and must be kept separate from operations).</p><p>The data security officer's role is recommending and monitoring data security policies.</p><p>Biometric effectiveness is summarized by the point at which FAR and FRR are equal (the CER/EER); the lower it is, the better.</p><p>COMPENSATING CONTROLS FOR LACK OF SEGREGATION OF DUTIES: reconciliation, audit trails, exception reporting, transaction logs, supervisory reviews, independent reviews.</p><p>Noise: data or interference that can trigger a false positive.</p><p>Attacker or intruder: an entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious 
activities.</p><p>Residual biometric characteristics, such as fingerprints left on a biometric capture device, may be reused by an attacker to gain unauthorized access.</p><p>A brute force attack involves feeding the biometric capture device numerous different biometric samples.</p><p>A cryptographic attack targets the algorithm or the encrypted data.</p><p>Masquerader: a user who does not have authority to a system but tries to access information as an authorized user; generally an outside user.</p><p>Misfeasor: commonly an internal user, of two types: an authorized user with limited permissions who accesses what they are not entitled to, or a user with full permissions who misuses those powers.</p><p>Clandestine user: one who seizes supervisory (administrative) control of the system and uses it to evade auditing and access controls, for example by suppressing audit collection.</p><p>Black-box testing tests the functionality of software by comparing input and output, without understanding the internal process that creates the output; the internal logic is hidden from the tester.</p><p>SoD: ensure that no person can assume two of the roles origination, authorization, distribution and verification.</p><p>A variance report is the best example of a detective control. Detective controls attempt to detect problems after they occur.</p><p>Privacy: personal/private information is retained only when a true business need exists; retained personal data is a liability.</p><p>Sanitized live transactions: test data will be representative of live processing.</p><p>Timebox management, by its nature, sets specific time and cost boundaries. It is very suitable for prototyping and rapid application development (RAD) and integrates system and user acceptance testing.</p><p>Activities and roles that must be segregated: authorization, custody of assets, reconciliation, record keeping.</p><p>Balanced scorecard: a management tool that aligns individual activities to higher-level business objectives.</p><p>Residual risks comprise: 1. 
risks that remain after risk response strategies have been applied, and 2. risks that are simply accepted: if it happens, it happens, and there is a plan to deal with it.</p><p>Contingency plans deal with the outcome of residual risks on the project.</p><p>Table-top testing practices coordination: it involves all or some of the crisis team members and focuses on coordination and communication issues rather than on technical process details.</p><p>Functional testing involves mobilizing personnel and resources at various geographic sites. Full-scale testing involves enterprise-wide participation and full involvement of external organizations.</p><p>Walk-through testing requires the least effort of these options; its aim is to familiarize critical personnel from all areas with the BCP.</p><p>A contingency reserve covers the outcome of residual risk and accounts for the "known unknowns".</p><p>Fallback plans are employed for residual risks when the contingency plans fail.</p><p>Secondary risks are new risks that emerge as a result of the risk response plan.</p><p>Throughput: the volume of work or information flowing through a system. 
Particularly meaningful in information storage and retrieval systems, in which throughput is measured in units such as accesses per hour.</p><p>Causes of scope creep: poor initial requirements definition, failure to involve users in early stages, missing scope baseline, poor change control, weak management, failure to manage user expectations.</p><p>A flowchart shows how processes interrelate.</p><p>Statistical sampling is a powerful tool in which a RANDOM sample is selected instead of measuring the entire population.</p><p>Attribute sampling is binary: an item either conforms to the requirement or it does not (YES or NO).</p><p>Variable sampling measures how well something conforms (RANGES of values).</p><p>Waterfall life cycle model: best suited to stable conditions where requirements are well understood and expected to remain stable, as is the business environment in which the system will operate.</p><p>The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early.</p><p>The bottom-up approach to testing begins with atomic units, such as programs and modules, and works upward until a complete system test has taken place.</p><p>A database view allows the database administrator to control what a specific user at a specific level of access can see. For example, an HR employee may be able to see department payroll totals but not individual employee salaries. A view is only a control if the user is granted access to the view and not to the underlying base tables; otherwise it can be bypassed with a direct query.</p><p>Sociability testing confirms that the new or modified system can operate in its target environment without adversely affecting existing systems; system testing exercises the complete integrated system.</p><p>Expensive IT equipment should not be operated in a computer room or data center where the ambient room temperature has exceeded 85°F (30°C).</p><p>Information gathering techniques: brainstorming, Delphi technique, interviewing, root cause analysis.</p><p>Quality assurance is also a root-cause analysis process.</p><p>
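The discovery sampling, stratification and statistical sampling notes above can be made concrete: if deviations occur at tolerable rate p and the auditor wants probability C of seeing at least one, the required sample size follows from (1 - p)^n being the chance of seeing none. The following is an added example, not from the original notes; the population of 5,000 change tickets with a 1% approval-deviation rate is constructed.

```python
import math
import random


def discovery_sample_size(confidence: float, tolerable_rate: float) -> int:
    """Smallest n such that, if deviations really occur at tolerable_rate, a
    random sample of n contains at least one with probability >= confidence.
    P(no deviation in n items) = (1 - rate)^n, so n >= ln(1 - C) / ln(1 - rate).
    Draws are treated as with replacement, which is conservative when the
    population is large relative to the sample."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))


def detection_probability(n: int, rate: float) -> float:
    """Probability that n random items include at least one deviation."""
    return 1 - (1 - rate) ** n


def attribute_result(sample, is_deviation) -> dict:
    """Attribute sampling: each item either conforms or does not."""
    deviations = sum(1 for item in sample if is_deviation(item))
    return {"n": len(sample), "deviations": deviations,
            "observed_rate": deviations / len(sample)}


def stratified_sample(population, stratum_of, per_stratum: int, seed: int) -> dict:
    """Divide the population into homogeneous subgroups, then sample within each,
    so a small but high-risk stratum is not drowned out by the large one."""
    rng = random.Random(seed)
    strata = {}
    for item in population:
        strata.setdefault(stratum_of(item), []).append(item)
    return {name: rng.sample(items, min(per_stratum, len(items)))
            for name, items in strata.items()}


# Constructed population: 5,000 change tickets. Every 100th lacks the required
# approval (true deviation rate 1%); every 20th is an emergency change.
TICKETS = [{"id": i, "type": "emergency" if i % 20 == 0 else "standard",
            "approved": i % 100 != 0} for i in range(1, 5001)]


def demo(seed: int = 1) -> dict:
    n = discovery_sample_size(0.95, 0.01)
    discovery = random.Random(seed).sample(TICKETS, n)
    found = attribute_result(discovery, lambda t: not t["approved"])
    strata = stratified_sample(TICKETS, lambda t: t["type"], 25, seed)
    return {
        "discovery_n": n,
        "p_detect_at_n": detection_probability(n, 0.01),
        "p_detect_at_n_minus_1": detection_probability(n - 1, 0.01),
        "discovery_found_deviation": found["deviations"] > 0,
        "stratum_sizes": {name: len(items) for name, items in strata.items()},
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With a 1% rate, 299 items are needed for 95% confidence and 298 are not quite enough; doubling the tolerable rate or relaxing the confidence cuts the sample sharply, which is why discovery sampling is a tool for suspected fraud rather than for routine rate estimation. Whether a given random sample actually contains a deviation is the sampling risk the notes describe: the 5% of runs that miss are not an auditor error.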
Fishbone (Ishikawa) diagram: shows how various factors are linked to a potential problem or effect; it is the usual tool for "root cause" analysis.</p><p>Network slow: use a protocol analyzer to perform network analysis and review the error logs of local area network (LAN) equipment.</p><p>A threat is not a vulnerability. A threat exploits a vulnerability, e.g. a weak password (vulnerability) is exploited by a dishonest employee (threat) to commit fraud, leading to financial losses.</p><p>Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.</p><p>Batch controls: total monetary amount, total items, total documents, hash totals.</p><p>A matrix organizational structure combines functional and product departmentalization, creates a dual reporting structure, and is optimal where product groups are necessary.</p><p>Corporate governance consists of the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed. Information security governance is a subset of an organization's overall governance program. 
Risk management, reporting and accountability are central features of these policies and internal controls.</p><p>Prototyping: the process of quickly putting together a working model (a prototype) in order to test various aspects of a design, illustrate ideas or features and gather early user feedback.</p><p>Unsuccessful logons are monitored by the security administrator.</p><p>The majority of project risk can typically be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with it.</p><p>Frame Relay is more efficient than X.25 because it drops X.25's hop-by-hop error correction and relies on reliable links and end-to-end recovery.</p><p>ATM is asynchronous: time slots are available on demand, with information identifying the source of the transmission contained in the header of each ATM cell.</p><p>Hash totals: verification that the total in a batch agrees with the total calculated by the system. A hash total is the arithmetic sum of a field that has no business meaning (account numbers, for instance) and exists only so that the sent and received batches can be compared.</p><p>The IS auditor has an obligation to the project sponsor and the organization to advise on appropriate project management practices. Waiting for the possible appointment of a risk manager represents an unnecessary and dangerous delay to implementing risk management.</p><p>Race conditions occur because of interference caused by sequence or non-atomic operations (check-then-act without a lock) and by deadlock, livelock or locking failure.</p><p>Prior to implementing new technology, an organization should perform a risk assessment, which is then presented to business unit management for review and acceptance.</p><p>Configuration management accounts for all IT components, including software. Project management is about scheduling, resource management and progress tracking of software development. Problem management records and monitors incidents.</p><p>
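The batch control and hash total notes above are easiest to compare by running the four controls over one batch with different errors injected. The following is an added example, not from the original notes; the three payment records and the four error scenarios are constructed.

```python
from decimal import Decimal


def batch_totals(records) -> dict:
    """Control totals the sender computes before transmission and the receiver
    recomputes on arrival. records: list of dicts with 'account' (digit string),
    'amount' (Decimal) and 'lines' (number of line items)."""
    return {
        "documents": len(records),
        "items": sum(r["lines"] for r in records),
        "monetary": sum((r["amount"] for r in records), Decimal("0")),
        # Hash total: arithmetic sum of a field with no monetary meaning,
        # kept only to detect altered or missing account numbers.
        "hash": sum(int(r["account"]) for r in records),
    }


def reconcile(sent: dict, received: dict) -> dict:
    """True where the received batch agrees with the control total that was sent."""
    return {name: sent[name] == received[name] for name in sent}


def detected(result: dict) -> bool:
    return not all(result.values())


# Constructed batch of payment records
BATCH = [
    {"account": "1001", "amount": Decimal("250.00"), "lines": 2},
    {"account": "2002", "amount": Decimal("100.00"), "lines": 1},
    {"account": "3003", "amount": Decimal("75.50"), "lines": 3},
]


def demo() -> dict:
    sent = batch_totals(BATCH)

    # 1. Account number mistyped at re-keying: only the hash total moves.
    mistyped = [dict(BATCH[0], account="1010")] + BATCH[1:]
    # 2. A record lost in transmission: documents, items, money and hash all move.
    dropped = BATCH[1:]
    # 3. Offsetting amount errors: every batch total still balances.
    offset = [dict(BATCH[0], amount=Decimal("260.00")),
              dict(BATCH[1], amount=Decimal("90.00")), BATCH[2]]
    # 4. Two account numbers swapped between records: the hash total is unchanged.
    swapped = [dict(BATCH[0], account="2002"),
               dict(BATCH[1], account="1001"), BATCH[2]]

    scenarios = [("mistyped_account", mistyped), ("dropped_record", dropped),
                 ("offsetting_amounts", offset), ("swapped_accounts", swapped)]
    return {name: reconcile(sent, batch_totals(records)) for name, records in scenarios}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: detected={detected(result)} {result}")
```

Only the hash total catches a mistyped account number, while a dropped record trips every total. The last two scenarios show the limit of batch-level controls: offsetting amount errors and account numbers swapped between records leave every total unchanged, so they need record-level controls (check digits, line-item totals, reconciliation to source documents).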
Risk management involves risk identification, impact analysis, an action plan, etc.</p><p>A penetration test is normally the only security assessment that can link vulnerabilities together by exploiting them in sequence.</p><p>What is the difference between the false acceptance rate and the false rejection rate? False acceptance means an unauthorized user is permitted access (FAR; a type II error). False rejection means an authorized person is denied access (FRR; a type I error).</p><p>IaaS example: a company wants to reduce its server footprint, so its in-house application servers are moved to virtual machines hosted by a third party. The provider supplies and operates the compute, storage and network; the customer remains responsible for configuring and patching the operating system, the application software and its data.</p><p>Having access to the database could provide access to database utilities, which can update the database without an audit trail and without using the application. Direct SQL access is not inherently read-only either: an account with UPDATE or DELETE privileges can change data outside the application's controls, so query access must be restricted to SELECT on the specific tables or views needed, and still logged.</p><p>VPN = data confidentiality (and integrity) for data in transit.</p><p>An audit charter should state management's objectives for, and delegation of authority to, IS auditors.</p><p>Provisioning access to data on a need-to-know basis PRIMARILY ensures data confidentiality.</p><p>Face-to-face communications are an example of an informal method of monitoring and controlling a system development life cycle project, since it is hard to document the communication all the time. Evidence is scarce with informal methods.</p><p>A LOG can be maintained in manual or automated form, where activities are logged with a sequential control number for tracking purposes; a gap in the sequence indicates a missing or deleted entry.</p><p>ESCROW: the client is entitled only to use the software, not to own it, unless it pays more.</p><p>
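The FAR/FRR definitions above and the crossover error rate note earlier describe a threshold trade-off that can be computed from a matcher's score distributions. The following is an added example, not from the original notes; the genuine and impostor match scores are constructed.

```python
def error_rates(genuine, impostor, threshold):
    """FAR: share of impostor scores accepted (>= threshold).
    FRR: share of genuine scores rejected (< threshold)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover(genuine, impostor):
    """Sweep every candidate threshold and return the one where |FAR - FRR| is
    smallest; the CER/EER is the average of the two rates at that point."""
    best = None
    candidates = sorted(set(genuine) | set(impostor) | {max(genuine + impostor) + 1})
    for t in candidates:
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best["gap"]:
            best = {"threshold": t, "FAR": far, "FRR": frr,
                    "gap": gap, "CER": (far + frr) / 2}
    return best


# Constructed matcher scores on a 0-100 scale: genuine users should score high,
# impostors low, but the two distributions overlap.
GENUINE = [30, 50, 60, 70, 75, 80, 85, 90, 95, 99]
IMPOSTOR = [5, 10, 15, 20, 25, 35, 45, 65, 70, 80]


def demo() -> dict:
    return {
        "cer": crossover(GENUINE, IMPOSTOR),
        "strict_80": error_rates(GENUINE, IMPOSTOR, 80),
        "lenient_40": error_rates(GENUINE, IMPOSTOR, 40),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Raising the threshold to 80 drives FAR down to 0.1 at the cost of FRR 0.5; lowering it to 40 reverses the trade-off. The CER (0.3 at threshold 65 here) is the single number used to compare devices, but the operating threshold is chosen from the FAR or FRR the application can tolerate, not from the CER itself: a data center door is tuned for low FAR, a consumer device for low FRR.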
Escrow may provide some protection if the vendor goes out of business (the source code can be released to the client), but it does not prevent the software from being discontinued.</p><p>4GLs provide screen-authoring and report-writing utilities that automate database access.</p><p>4GL tools do not create the business logic necessary for data transformation.</p><p>A flowchart is used to document internal program logic.</p><p>The feasibility study should be the basis for management's decision to buy available software or to build a custom software application.</p><p>Recovery managers should be rotated to ensure that experience of the recovery plan (DRP) is spread among the managers.</p><p>An entity-relationship diagram (ERD) is used to help define the database schema.</p><p>Function point analysis is used to estimate work during the feasibility study.</p><p>Parallel migration increases support requirements but lowers the overall risk. The old and new systems are run in parallel to verify integrity while building user familiarity with the new system.</p><p>Phased changeover: in larger systems, converting to the new system in small steps or phases may be possible. This may take an extended period of time. The concept is best suited to either an upgrade of an existing system or the conversion of one department at a time. The phased approach creates a support burden similar to that of parallel operation. A well-managed phased changeover presents a moderate level of risk.</p><p>Data-oriented databases (DODBs) are designed for predictable data that have a consistent structure and a known or fixed length.</p><p>Object-oriented databases (OODBs) are designed for data that have a variety of possible formats.</p><p>Hard changeover: in certain environments, executing an abrupt change to the new system may be necessary. 
This is known as a hard changeover, a full change occurring at a particular cutoff date and time. The purpose is to force migration of all users at once. A hard changeover may be used after successful parallel operation or in times of emergency.</p><p>Checklists are an example of a formal method of communication between the affected parties. A checklist provides guidelines for reviewing functions and activities for assurance and evaluative purposes. Checklists can detect whether activities were performed according to plans, policies and procedures.</p><p>The agile method places greater reliance on the undocumented knowledge in team members' heads than on capturing knowledge through project documentation.</p><p>In the SDLC, approval by management takes place at a later stage of the development process.</p><p>Utilization: the use of computer equipment; management can use it to predict how, where and when resources are required.</p><p>Alternatives to SoD: mandatory rotation of duties, mandatory vacation, analytical review.</p><p>Segregation of duties is a preventive control. In its absence, compensating controls need to be identified to reduce or eliminate the business risk. Compensating controls for lack of segregation of duties include audit trails, reconciliation, exception reporting, transaction logs, supervisory reviews and independent reviews.</p><p>Hardware error report: provides information to aid in detecting hardware failures and initiating corrective action.</p><p>Availability report: the time periods during which the computer was available for use by users or other processes.</p><p>Unlicensed or unauthorized software loaded on the network is identified by scanning the hard drives of the attached machines.</p><p>Warm site: a facility with basic utility services installed and some computer equipment, but lacking all of the computer equipment necessary for recovery. 
The site will need to be built out before it can be used. This site can be ready in days or weeks.
Hot site: an alternate processing facility that is fully equipped with all the necessary computer equipment and capable of commencing operation as soon as the latest data files have been loaded. Capable of being in full operation within minutes or hours.
Keyboard remapping: changing the normal function of keys to execute different commands.
Line grabbing will enable eavesdropping, thus allowing unauthorized data access. It will not necessarily cause attacking machine dysfunction, excessive CPU usage or lockout of terminal polling.
PKI is a framework used to ensure the CIA concept; an efficient use of public key infrastructure (PKI) should encrypt the symmetric session key.
Eavesdropping is the act of secretly listening to the private conversation of others without their consent.
Network eavesdropping or network sniffing is a network layer attack consisting of capturing packets transmitted on the network by other computers and reading the data content in search of sensitive information like passwords, session tokens, or any kind of confidential information.
Agile is an iterative process where each iteration or "sprint" produces functional code. If a development team were producing code for demonstration purposes only, this would be an issue because the following iterations of the project build on the code developed in the prior sprint.
Corrective action: when an intervention is required to stop, modify or fix failures as they occur; solving the problem rather than covering it by hiding the truth.
The business process owner should be consulted for any changes to the application.
The head of operations is ultimately accountable; in a privately owned enterprise, that would include the enterprise owner.
Corrective controls may also be relevant because they allow an error or problem to be corrected. Corrective controls remove or reduce the effects of errors or irregularities and are not exclusively regarded as compensating controls.
When contracting with a service provider, it is a best practice to enter into an SLA with the provider. An SLA is a guarantee that the provider will deliver the services according to the contract. The IS auditor will want to ensure that performance and security requirements are clearly stated in the SLA.
PPP provides user authentication through PAP, CHAP, or EAP-TLS, whereas IPSec provides system authentication.
Due diligence = do check = investigate.
Due care = do act.
Managing risk does not deal with future decisions, but with the future of present decisions.
Object-oriented database (OODB): a database designed so that knowledge of the format and structure of the data is not required; very flexible and may be quite complex.
Data diddling is the changing of data before or during entry into the computer system.
Examples include forging or counterfeiting documents used for data entry and exchanging valid disks and tapes with modified replacements.
Database denormalizing: increased redundancy.
Normalization is an optimization process for a relational database that minimizes redundancy.
Control group: members of the operations area that are responsible for the collection, logging and submission of input for the various user groups.
MTTR (mean time to repair) is a basic measure of the maintainability of repairable items. It represents the average time required to repair a failed component or device. (Desirable: a higher MTBF and a lower MTTR.)
Software flaws that are first reported by users in the production environment: this information helps the IS auditor in evaluating the quality of the software that is developed and implemented. (Desirable: a higher MTBF and a lower MTTR.)
SYN flood: sends a flood of TCP SYN packets with forged sender addresses, causing half-open connections and saturating the available connection capacity of the target machine.
Referential integrity: ensures that a foreign key in one table will either be null or equal the value of a primary key in the other table.
Cyclical checking: the control technique for the regular checking of accumulated data on a file against authorized source documentation.
Domain integrity: a data item has a legitimate value in the correct range or set.
Relational integrity: performed at the record level and ensured by calculating and verifying specific fields.
Concurrency controls prevent data integrity problems.
Access controls: restrict updating of the database to authorized users.
Quality controls, such as edits, ensure the accuracy, completeness and consistency of data maintained in the database.
Database integrity: table link/reference checks.
Audit logs: enable recording of all events that have been identified and
help in tracing the events.
Querying/monitoring: access time checks help designers improve database performance.
Rollback and roll forward: ensure recovery from an abnormal disruption.
Kiting: using float to create cash by using multiple sources of funds and taking advantage of check clearing times; detected by a proof of cash.
Configuration management is widely accepted as one of the key components of any network.
CRC: a check computed over a block of transmitted data. A CRC can detect all single-bit and double-bit errors.
Parity check: vertical redundancy check.
Echo checks: detect line errors.
Screening router / packet filter: works at the protocol, service and port level; it analyzes layers 3 and 4.
DAC: the creator of a file is the "owner" and can grant ownership to others. Access control is at the discretion of the owner. The most common implementation is through access control lists.
Mandatory access control (MAC): much more structured; based on security labels and categories. Access decisions are based on the clearance level of the user and the classification of the object. Rules are made by management, configured by the administrators and enforced by the operating system. Mandatory access control is required for the Orange Book "B" level.
Role-based access control (RBAC) (nondiscretionary access control): a continually administered set of controls by role within the organization. Roles are more tightly controlled than groups. A user can only have one role. RBAC is best suited for companies with a high turnover rate.
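The parity check and CRC notes above say what each check catches but not why the CRC is the stronger control. The following added example (not from the original notes) implements a per-character vertical redundancy check beside the standard CRC-32 from Python's zlib, corrupts a constructed data block with a single-bit and then a double-bit error, and reports which check notices. The block length and bit positions are constructed for illustration; the "all double-bit errors" guarantee holds for blocks far shorter than the polynomial's detection bound, which is the case here.

```python
"""Parity (VRC) versus CRC error detection, as an added illustration of the
notes; the sample block and bit positions are constructed."""
import zlib


def vrc_parity(data: bytes) -> list:
    """Vertical redundancy check: one even-parity bit per character."""
    return [bin(b).count("1") & 1 for b in data]


def crc32(data: bytes) -> int:
    """Standard CRC-32 (IEEE 802.3), as used by Ethernet frames, zip and PNG."""
    return zlib.crc32(data) & 0xFFFFFFFF


def flip_bits(data: bytes, positions) -> bytes:
    """Return a copy of data with the given absolute bit positions inverted
    (constructed transmission corruption)."""
    out = bytearray(data)
    for pos in positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def detected_by_parity(original: bytes, received: bytes) -> bool:
    return vrc_parity(original) != vrc_parity(received)


def detected_by_crc(original: bytes, received: bytes) -> bool:
    return crc32(original) != crc32(received)


def compare_checks(block: bytes) -> dict:
    """Run both checks against a single-bit error and a double-bit error that
    falls inside the same character (the case a per-character parity bit misses)."""
    single = flip_bits(block, [3])
    double = flip_bits(block, [3, 5])
    return {
        "single_bit": {
            "parity": detected_by_parity(block, single),
            "crc": detected_by_crc(block, single),
        },
        "double_bit": {
            "parity": detected_by_parity(block, double),
            "crc": detected_by_crc(block, double),
        },
    }


if __name__ == "__main__":
    sample = b"CISA notes: batch 0042, total 1234.56"  # constructed block
    for case, result in compare_checks(sample).items():
        print(case, result)
```

Neither check offers protection against deliberate tampering: an attacker who can alter the data can recompute the CRC too, which is why the notes reserve integrity assurance for cryptographic hashes and digital signatures.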
Used to handle inappropriate access to private and sensitive information through a business application.
Automatic logoff is a method of preventing access on inactive terminals; it is not a detective control.
Limiting unsuccessful attempts to log on is a method for preventing intrusion, not detecting it.
Circuit gateway: a program that acts as an intermediary between external and internal accesses.
Managing risk steps: identification and classification of critical information > identification of threats and vulnerabilities > calculation of potential damages.
Screened-subnet firewall: used as a demilitarized zone; utilizes two packet-filtering routers and a bastion host.
Screened-host firewall: utilizes a packet-filtering router and a bastion host.
Atomicity: guarantees that either the entire transaction is processed or none of it is.
Consistency: ensures that the database is in a legal state when the transaction begins and ends.
Normalization: the elimination of redundant data.
Isolation: means that, while in an intermediate state, the transaction data are invisible to external operations.
Durability: guarantees that a successful transaction will persist and cannot be undone.
A hardware maintenance program should be validated against vendor specifications.
Maintenance schedules normally are not approved by the steering committee. Unplanned maintenance can't be scheduled.
Audit committee: a committee of the board of directors composed of financially literate executives. The purpose of the committee is to challenge the assertions of management by using internal and external auditors.
Library control software should be used to separate test from production libraries in mainframe and/or client-server environments.
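The integrity definitions in the notes (referential integrity, domain integrity, access/quality controls) and the ACID properties above are easiest to see enforced by a database engine. This added example, which is not part of the original notes, uses Python's built-in sqlite3 with a constructed two-table schema: a foreign key for referential integrity (null or a matching primary key), a CHECK constraint for domain integrity, and a rolled-back batch insert for atomicity. Table and column names are made up for the illustration.

```python
"""Referential integrity, domain integrity and atomicity demonstrated with
SQLite; added example with a constructed schema."""
import sqlite3

SCHEMA = """
CREATE TABLE department (
    dept_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL
);
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    -- domain integrity: salary must lie in the legitimate range
    salary  INTEGER NOT NULL CHECK (salary BETWEEN 1 AND 1000000),
    -- referential integrity: null, or a department that exists
    dept_id INTEGER REFERENCES department(dept_id)
);
"""


def open_db() -> sqlite3.Connection:
    """In-memory database with the constructed schema and one department."""
    conn = sqlite3.connect(":memory:")
    # SQLite only enforces foreign keys when this pragma is on for the connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO department VALUES (10, 'Audit')")
    conn.commit()
    return conn


def insert_employee(conn, emp_id, name, salary, dept_id) -> bool:
    """True if the row was accepted, False if an integrity constraint rejected it."""
    try:
        with conn:  # commit on success, roll back on exception
            conn.execute(
                "INSERT INTO employee VALUES (?, ?, ?, ?)",
                (emp_id, name, salary, dept_id),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def load_batch(conn, rows) -> bool:
    """Atomicity: either every row of the batch is stored or none of it is."""
    try:
        with conn:
            conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", rows)
        return True
    except sqlite3.IntegrityError:
        return False


def employee_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM employee").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print(insert_employee(db, 1, "Ana", 5000, 10))    # accepted
    print(insert_employee(db, 2, "Ben", 5000, 99))    # no such department
    print(insert_employee(db, 3, "Cy", -1, 10))       # salary out of domain
    print(load_batch(db, [(4, "Di", 100, 10), (5, "Ed", 100, 77)]))  # rolled back
    print(employee_count(db))
```

An auditor reviewing a schema would look for exactly these declared constraints rather than relying on application code to keep the data consistent; note also that the foreign-key pragma is per connection, so an application that forgets it silently loses referential integrity in SQLite.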
The main objective of library control software is to provide assurance that program changes have been authorized.
White hat: an honest software tester working in the software development or audit department under a formal, structured test procedure to determine system vulnerabilities by using known hacker techniques.
Library control software is concerned with authorized program changes; it would not automatically move modified programs into production and can't determine whether programs have been thoroughly tested.
Referential integrity is provided by foreign keys.
Post-incident review (PIR): improves internal control procedures.
Cryptography: the science of codes.
Cryptanalysis: the science of breaking codes.
Capacity management is the planning and monitoring of computer resources to ensure that available IT resources are used efficiently and effectively.
To determine unauthorized changes made to production code, the auditor examines object code to find instances of changes and traces them back to change control records.
Normalization: the removal of redundant data elements from the database structure.
Disabling normalization in relational databases will create redundancy and the risk of not maintaining consistency of data, with the consequent loss of data integrity.
Coordinated release management across projects and systems is a suitable strategy to employ in a complicated, dynamic system environment.
Attribute sampling is used to test compliance of transactions with controls; in this instance, the existence of appropriate approval.
Variable sampling is used in substantive testing situations and deals with population characteristics that vary, such as monetary values and weights.
Continuous auditing techniques SCARF/EAM: a very complex method; the application must contain embedded audit software to act as a monitoring agent; cannot be used to interrupt regular processing.
Stop-or-go sampling is used when the expected occurrence rate is extremely low.
Judgment sampling refers to a subjective approach to determining the sample size and the selection criteria of elements of the sample.
Certification authority (CA): a trusted third party that issues digital certificates and validates the identity of the holder of a digital certificate.
Certificate policy (CP): a description of the rules governing the use of a public key certificate in a particular environment.
Certificate revocation list (CRL): a list of revoked certificates that is created and signed by the same CA that issued the certificates. A certificate is added to the list if it is revoked (e.g.
because of suspected key compromise or a DN change) and then removed from it when it reaches the end of the certificate's validity period.
Mandatory access controls (MAC) are filters that cannot be altered by normal users and data owners, and they act by default to enforce a base level of security.
A digital signature is a mathematical technique used to validate authenticity.
A digital certificate is an electronic "passport" allowing people, computers or organizations to exchange secure information over a network.
DAC will provide full access to a subject for an object, so it does not help to ensure 100% confidentiality.
To ensure confidentiality, authentication, and integrity of a message, the sender should encrypt the hash of the message with the sender's private key and then encrypt the message with the receiver's public key.
One sample system-generated exception report for the review period, with follow-up actions noted by the reviewer, is the best possible evidence, as the effectiveness of the control can be evaluated.
FPA (function point analysis) does not examine the number of expected users.
In order to accept the risk, management must first be made aware of the risk and its consequences. This includes a formal acceptance of the risk, which is usually evidenced by a sign-off.
Discretionary access controls (DAC) are filters that can be altered or modified by users or data owners and are used to further restrict access.
Discretionary access controls cannot override mandatory access controls.
Least privilege access control: violated when several individuals have local administrator rights on specific servers.
Role-based access controls are filters created within an application to allow only certain functionality and processing abilities to specific roles.
Cryptography: transforming clear, meaningful information into an enciphered, unintelligible form using an algorithm and a key.
Decryption: the act of restoring an encrypted file to its original state through the use of a key.
Encryption: the act of disguising information through the use of a key so that it cannot be understood by an unauthorized person.
Migrating from a legacy system to an enterprise resource planning (ERP) system: the key concern is the correlation of semantic characteristics of the data migrated between the two systems.
IPSec: a developing standard for security at the network or packet processing layer of network communication; especially useful for implementing virtual private networks and remote user access through dial-up connections.
Attribute: in computer programming, equivalent to a column in a database table; refers to a specific characteristic of a database entry.
Phishing: a social engineering technique that utilizes fake emails sent to unsuspecting victims, which contain a link to the criminal's counterfeit website. Anyone can copy the images and format of a legitimate website by using their Internet browser.
Screened subnet: a subnet of multiple computer hosts protected by a firewall and accessible by both internal and external users. A screened subnet is also known as a demilitarized zone (DMZ).
War veterans will tell you that you can still get killed in a demilitarized zone.
Digital signatures provide integrity because the digital signature of a signed message (file, mail, document, etc.) changes every time a single bit of the document changes; thus, a signed document cannot be altered undetected. Depending on the mechanism chosen to implement a digital signature, the mechanism might be able to ensure data confidentiality or even timeliness, but this is not assured. Availability is not related to digital signatures.
To secure email communication: establish public key/private key pairs with clients to encrypt email.
Firewall: the best method is the screened subnet, or DMZ, design.
Mapping identifies specific program logic that has not been tested and analyzes programs during execution to indicate whether program statements have been executed.
A snapshot records the flow of designated transactions through logic paths within programs.
Tracing and tagging shows the trail of instructions executed during an application.
Logging is the activity of recording specific tasks for future review.
The MOST effective way to ensure that outsourced service providers comply with the organization's information security policy is a regular audit exercise.
The data owner holds the privilege and responsibility for formally establishing the access rights.
Control risk can be high, but it would be due to internal controls not being identified, evaluated or tested, and would not be due to the number of users or business areas affected.
Compliance risk is the penalty applied to current and future earnings for nonconformance to laws and regulations, and may not be impacted by the number of users and business areas affected.
A substantive test includes gathering evidence to evaluate the integrity (i.e., the completeness, accuracy or validity) of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test.
Checking whether receipts and issues of tapes are accurately recorded is a compliance test.
Sniffing is an attack that can be illegally applied to capture sensitive pieces of information (passwords) passing through the network.
Encryption is a method of scrambling information to prevent unauthorized individuals from understanding the transmission.
Spoofing is forging an address and inserting it into a packet to disguise the origin of the communication.
Inherent risk is normally high due to the number of users and business areas that may be affected.
Inherent risk is the risk level or exposure without taking into account the actions that management has taken or might take.
Residual risk is the remaining risk after management has implemented a risk response, and is not based on the number of users or business areas affected.
Computer logs will record the activities of individuals during their access to a computer system or data file and will record any abnormal activities, such as the modification or deletion of financial data.
When developing a risk-based audit program, focus on business processes.
A perpetrator looking to gain access to and gather information about encrypted data being transmitted over the network would use traffic analysis.
Neural network based IDS: monitors the general patterns of activity and traffic on the network and creates a database.
A tornado diagram is a special type of bar chart used in sensitivity analysis (analyzing risk-taking scenarios).
When conducting a penetration test of an IT system, the most important task is to be able to restore all systems to their original state.
Signature-based IDS: the intrusive patterns identified are stored in the form of signatures.
Lack of performance measures will make it difficult to gauge the efficiency and effectiveness of the IT services being provided; performance measures should be included in the SLA.
The need-to-know basis is the best approach to assigning privileges during the authorization process.
A service-level agreement (SLA) is a part of a service contract where a service is formally defined. In practice, the term SLA is sometimes used to refer to the contracted delivery time (of the service or performance).
An IS auditor should expect references from other customers to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP).
Steganography: used in digital rights management (DRM).
Physiological biometrics: fingerprint, hand, iris, face, DNA.
Behavioral biometrics: keystroke, signature, voice.
The main objective of an audit is to identify potential risk; the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization.
Remote booting is a method of preventing viruses and can be implemented through hardware.
Hashing is irreversible.
Encryption is reversible.
A Gantt chart is a visual representation of a project where individual tasks occupy rows on a worksheet, and horizontal time bars depict the time required to complete each task relative to other tasks in the project.
A Gantt chart can also show schedule dependencies and percent completion of each task.
Not used in the quality control process: control charts; Pareto charts; statistical sampling.
Hashing creates an output that is smaller than the original message, and encryption creates an output of the same length as the original message.
Asymmetric algorithms require more processing time than symmetric algorithms.
Neural network: a type of decision-making system built from a large number of interconnected nodes; used in IDS.
Immunizers defend against viruses by appending sections of themselves to files.
Accounting policy should be kept in the organization; no outsourcing.
Outsourcing: the contractual arrangement to transfer ongoing operations to an external service provider.
Behavior blockers focus on detecting potentially abnormal behavior, such as writing to the boot sector or the master boot record.
A Gantt chart illustrates task duration, schedule dependencies, and percent completion. Gantt charts are basically bar charts that show the team the progress of the project work.
Cyclical redundancy checkers (CRC) compute a binary number on a known virus-free program that is then stored in a database file.
Computation speed: elliptic curve encryption is faster than RSA encryption.
Both methods support digital signatures, are used for public key encryption and key distribution, and are of similar strength; elliptic curve cryptography has the advantage on mobile devices.
PKI: cryptography provides encryption, digital signatures and nonrepudiation controls for confidentiality and reliability.
SSL: confidentiality.
IDS: detective control.
VPN: confidentiality and authentication (reliability), based on encapsulation.
Passive attack: traffic analysis.
Active attacks: brute force, masquerading, packet replay, message modification, unauthorized access through the Internet or web-based services, denial-of-service attacks, dial-in penetration attacks, email bombing and spamming, and email spoofing.
Critical success factor (CSF): also known as a showstopper. Critical success factors must go right every time in order for recovery to be successful.
KPI is a numerical score.
Hashing is a method used for index partitioning.
The system downtime log provides information regarding the effectiveness and adequacy of computer preventive maintenance programs.
The steering committee provides direction and control over projects to ensure that the company is making appropriate investments. Without approval, the project may or may not be working toward the company's goals.
Key: when used in the context of cryptography, a series of random numbers used by a cryptographic algorithm to transform plaintext data into encrypted data, and vice versa.
Private key: a cryptographic key known only to the user, employed in public key cryptography in decrypting or signing information; one half of a key pair.
Supervisor state allows the execution of all instructions, including privileged instructions.
DES: block cipher; symmetric key;
56-bit key plus 8 parity bits; 16 rounds of transpositions and substitutions.
End-to-end encryption: encryption of data from the source system to the end system.
Authorization for changes should be separated from other work if full separation of duties cannot be achieved. Additional compensating controls would be required.
A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it can identify high-risk areas that might need a detailed review later.
Qualified certificate: high-level personal/professional digital identity assurance supporting legally valid digital signatures.
Registration authority (RA): a person or organization responsible for the identification and authentication of an applicant for a digital certificate. An RA does not issue or sign certificates.
Smart card: a device that is often the same size as a credit card but that is "smart" enough to hold its own data and applications and do its own processing. Smart cards can be used to store personal information, hold digital cash or prove identity.
Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for confirming the accuracy of a tax calculation.
Detailed visual review, flowcharting and analysis of source code are not effective methods, and monthly totals would not address the accuracy of individual tax calculations.
Advanced Encryption Standard (AES): symmetric; variable block and key length (128, 192, 256 bits).
Block sum check: error detection only.
CRC: error detection only.
Evidence: identify, preserve, analyze, present.
Forward error control involves transmitting additional redundant information with each character.
UPS: provides short-term backup power from batteries for a computer system when the electrical power fails or drops to an unacceptable voltage level.
Vaccine: a program designed to detect computer viruses.
Write access to audit logs should be disabled.
A data center should be at positive pressure: air flows out.
Humidity: too much and you get corrosion/condensation; too little and you get static electricity.
Microwave transmission: a high-capacity line-of-sight transmission of data signals.
Post project review (PPR): to review the completed project and find lessons learned on what went well and what could be done better.
The purpose of the post-implementation review (PIR) is to ensure that the project meets the intended business requirements.
The PIR should be scheduled some time after the solution has been deployed; typical periods are 6 weeks to 6 months depending on the type of solution and its environment.
Weekly full backup and daily incremental backup is the best backup strategy; it ensures the ability to recover the database and yet reduces the daily backup time requirements. A full backup normally requires a couple of hours, and therefore it can be impractical to conduct a full backup every day.
Clustered servers provide a redundant processing capability, but are not a backup.
Mirrored hard disks will not help in case of disaster.
The data custodian is responsible for maintaining the data in proper condition.
User security awareness: the best control to mitigate the risk of pharming attacks against an Internet banking application.
Pharming (pronounced "farming") is a form of online fraud very similar to phishing, as pharmers rely upon the same bogus websites and theft of confidential information.
Systems control audit review file (SCARF): the MOST effective tool for monitoring transactions that exceed predetermined thresholds.
Understand the continuous auditing methods. Continuous audit methods such as audit hooks or SCARF with embedded audit modules (SCARF/EAM) are used in environments where it is not possible to interrupt production.
Matching of hash keys over time would allow detection of changes to files.
Having a log is not a control; reviewing the log is a control.
Tracing: an audit procedure in which the auditor selects a basic source document and follows its processing path FORWARD to find its final recording in a summary journal or ledger, or BACKWARD to find its origin.
Vouching: an audit procedure in which an auditor selects an item of financial information, usually from a journal or ledger, and follows its path back through the processing steps to its origin (the source documents).
In BCP, resumption of critical processes has the highest priority because it enables business processes to begin immediately after the interruption and not later than the maximum tolerable period of disruption (MTPD) or maximum tolerable downtime (MTD).
Combining real and test data during an audit is known as an integrated test facility (ITF).
Logical access controls: securing
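"Matching of hash keys over time" is the principle behind file-integrity monitoring. The added example below (not from the original notes) takes a SHA-256 baseline of a directory, repeats the snapshot later, and classifies files as added, removed or modified. The directory and its contents are constructed in a temporary folder so the code runs offline; file names are made up.

```python
"""File-integrity monitoring by comparing hash baselines over time; added
example with a constructed temporary directory."""
import hashlib
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each file path (relative to root) to its digest: the baseline."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return out


def compare(baseline: dict, current: dict) -> dict:
    """Classify changes since the baseline. A modified file has the same path
    but a different digest, which is the 'hash keys no longer match' case."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Build a constructed directory, baseline it, alter it, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)

        write("app.bin", b"\x7fELF constructed binary v1")
        write("config.ini", b"[audit]\nlog_review=weekly\n")
        write("old.log", b"rotated log\n")
        baseline = snapshot(root)

        # Simulated changes between two review cycles.
        write("app.bin", b"\x7fELF constructed binary v2")   # modified
        os.remove(os.path.join(root, "old.log"))               # removed
        write("extra.cfg", b"unexpected file\n")               # added
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored where the monitored system cannot rewrite it (the notes' "write access to audit logs should be disabled" applies equally here); otherwise whoever changes a file can refresh its hash and the comparison proves nothing.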
software and data within an information processing facility.
Callback features: hook into the access control software and log all authorized and unauthorized access attempts, permitting the follow-up and further review of potential breaches.
Call forwarding: a way of bypassing callback control.
Logical access security: an unencrypted password is the greatest concern.
Logical access control review: to determine whether access is granted per the organization's authorizations.
The first step of data classification is to establish ownership of the data.
CSA is a management technique that can be used to assure key stakeholders, both internal and external, that an organization's internal control system is reliable.
The role of internal audit is to evaluate risk, control and governance.
When developing a security architecture, the step that should be executed FIRST is defining a security policy.
Batch balancing is used to verify output results and control totals by matching them against the input data and control totals.
Batch header forms control data preparation; data conversion error corrections correct errors that occur due to duplication of transactions and inaccurate data entry; and access controls over print spools prevent reports from being accidentally deleted from print spools or directed to a different printer.
(Batch register, control account, computer agreement.)
System generation parameters determine how a system runs, the physical configuration and its interaction with the workload.
A proxy server does not normally perform controls relating to data integrity.
If the IS auditor is granted direct access to the data, there is greater assurance of data validity.
Special or unusual flags are input controls.
The use of automated tools to support real-time and after-the-fact monitoring: these are the best tools to achieve timeliness from the information security point of view.
CSA is the review of business objectives and internal controls in a formal and documented collaborative process. It includes testing the design of automated application controls. Exception reporting only looks at what has not been achieved. Manager involvement is important, but may not be a consistent or well-defined process compared to CSA. CSA is MOST important to ensure that effective application controls are maintained.
Critical (functions): can't be performed unless they are replaced by identical capabilities and cannot be replaced by manual methods.
When developing a large and complex IT infrastructure, the best practice is to use a phased approach to fitting the entire system together. This will provide greater assurance of quality results. The other choices are riskier approaches.
A hash is used for establishing integrity.
Hashing is an algorithm; it is irreversible (e.g., credit card transactions).
Vital (functions): can be performed manually, but only for a brief period of time.
Non-critical (functions): may be interrupted for an extended period of time at little or no cost to the company; require little time or cost to restore.
Physical security can meet the needs of data owners by making the information available for viewing and keeping it confidential by not allowing unauthorized access.
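Batch balancing, batch header forms and the batch register in the notes all rest on recomputing control totals and comparing them to what was declared at data preparation. This added example (not from the original notes) constructs a small payment batch with a header carrying a record count, a financial total and a hash total over account numbers, then shows which total catches a dropped record and which catches a transposition that leaves the amounts untouched. Field names and values are constructed.

```python
"""Batch balancing with record count, financial total and hash total;
added example over a constructed input batch."""
from dataclasses import dataclass

CONTROL_FIELDS = ("record_count", "financial_total", "hash_total")


@dataclass(frozen=True)
class BatchHeader:
    record_count: int
    financial_total: int   # amounts in cents, so totals stay exact
    hash_total: int        # sum of account numbers; meaningless as a value,
                           # useful only as a control over identifiers


def compute_totals(records) -> BatchHeader:
    """Recompute the control totals from the records actually received."""
    return BatchHeader(
        record_count=len(records),
        financial_total=sum(r["amount_cents"] for r in records),
        hash_total=sum(r["account"] for r in records),
    )


def balance_batch(header: BatchHeader, records) -> list:
    """Names of the control totals that disagree; an empty list means the batch balances."""
    actual = compute_totals(records)
    return [f for f in CONTROL_FIELDS if getattr(actual, f) != getattr(header, f)]


# Constructed batch as prepared by the control group, with its header.
BATCH = [
    {"account": 100234, "amount_cents": 12_500},
    {"account": 100876, "amount_cents": 3_999},
    {"account": 100511, "amount_cents": 48_000},
]
HEADER = compute_totals(BATCH)   # what the batch header form would carry


def dropped_record_case() -> list:
    """A record lost between preparation and input: every total moves."""
    return balance_batch(HEADER, BATCH[:-1])


def transposed_account_case() -> list:
    """Two digits of one account number swapped (100234 -> 100324), amount
    unchanged: only the hash total notices."""
    altered = [dict(BATCH[0], account=100324)] + BATCH[1:]
    return balance_batch(HEADER, altered)


if __name__ == "__main__":
    print(balance_batch(HEADER, BATCH))
    print(dropped_record_case())
    print(transposed_account_case())
```

The transposition case is why a hash total is carried alongside the financial total: a control that only sums amounts cannot see an error in the identifiers the amounts are posted to.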
The candidate must realize that in this answer the information is in hardcopy format and not softcopy.</p><p>Information Management and Auditing CISA 2019</p><p>42 Prepared by: madunix CCNA, CCNP, CCIP, CISA, CISSP, CFR, CSC, CIoTSP, CISM, eJPT, SCSC, KCSP, KCTP and ICATE</p><p>The IT strategic plan exists to support the organization's business plan. To evaluate the IT strategic plan, an IS auditor would first</p><p>need to familiarize themselves with the business plan.</p><p>Defense-in-depth: Firewall as well as logical access control on the hosts to control incoming network traffic.</p><p>DIGITAL CERTIFICATE => DIGITAL SIGNATURE</p><p>Functions of digital signature (Integrity, Non repudiation)</p><p>PKI uses a combination of public-key cryptography and digital certificates to provide some of the strongest overall control over data</p><p>confidentiality, reliability, and integrity for Internet transactions.</p><p>The primary purpose of digital signatures is to provide authentication and integrity of data.</p><p>UAT plans normally be prepared=> Requirements definition</p><p>FIRST generation DES - data encryption standard - 64 bits (56 bits are used for encryption and 8 bits parity check)</p><p>SECOND Generation 3DES - 3* 64 bits - 192 bits (56*3 = 168 bits for encryption)</p><p>Third generation AES - 128 BITS/ 192/ 256 BITS</p><p>Web application system displays specific database error messages = hijacking an administrator session</p><p>DSS: emphasizes flexibility in the decision making approach of users.</p><p>Sanitized live transaction: test data will be representative of live processing.</p><p>IS audit charter establishes the role of the information systems audit function. 
The charter should describe the overall authority,</p><p>scope, and responsibilities of the audit function</p><p>CSA approach emphasizes management and accountability over developing and monitoring internal controls of an organization’s</p><p>sensitive and critical business processes.</p><p>CIA: to ensure confidentiality, authentication, and integrity of a message, the sender should encrypt the hash of the message with</p><p>the sender's: Private key and then encrypt the message with the receiver's public key..</p><p>Timebox management: by its nature, sets specific time and cost boundaries. It is very suitable for prototyping and rapid</p><p>application development (RAD) and integrates system and user acceptance testing.</p><p>The CSA process can generate benefits by empowering the staff to take ownership and accountability.</p><p>GAP analysis is used to determine the difference between the current environment and the proposed system; notice annual GAP</p><p>analysis focus attention on areas in need of improvement</p><p>Digital signature is created by the sender to prove message integrity by initially using a hashing algorithm to produce a hash</p><p>value, or message digest, from the entire message contents. Upon receiving the data, the recipient can independently create its own</p><p>message digest from the data for comparison and data integrity validation. Public and private keys are used to enforce</p><p>confidentiality. Hashing algorithms are used to enforce integrity.</p><p>Manual controls include separation of duties or responsibilities, which force collusion among employees to perpetrate fraudulent</p><p>acts. 
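The notes above give the exam recipe (hash the message, sign the hash with the sender's private key, encrypt for the receiver with the receiver's public key) without showing it working end to end. The following Python is an added example and not part of madunix's notes: it models the recipe with textbook RSA. The moduli are built from well-known Mersenne primes (an assumption made only so the numbers are large enough to hold a SHA-224 digest) and there is no padding, so it is deliberately insecure and illustrates mechanics only; a practitioner would use RSA-PSS or Ed25519 from a vetted library.

```python
"""Hash-then-sign and encrypt-for-the-receiver with textbook RSA.

Added illustration for the CISA notes above; NOT secure: the moduli are
products of well-known Mersenne primes (chosen only so the numbers are big
enough to hold a SHA-224 digest) and there is no padding.
"""
import hashlib
from math import gcd

E = 65537  # the usual public exponent


def make_keypair(p: int, q: int, e: int = E):
    """Textbook RSA: returns ((n, e), (n, d)). The caller supplies the primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse; Python 3.8+
    return (n, e), (n, d)


def digest(message: bytes) -> int:
    """Message digest as an integer. SHA-224 (224 bits) is used so that the
    digest is always smaller than the ~234-bit signing modulus below."""
    return int.from_bytes(hashlib.sha224(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Sender: 'encrypt' the hash with the private key (the digital signature)."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver: recover the digest with the sender's public key and compare it
    with a freshly computed digest. Any change to the message breaks the match,
    and only the holder of the private key could have produced the signature."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def encrypt(message: bytes, public_key) -> int:
    """Confidentiality: encrypt with the RECEIVER's public key. Textbook RSA can
    only carry an integer smaller than n, which is why real systems encrypt a
    symmetric session key here rather than the message itself."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too large for textbook RSA; wrap a session key instead")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key) -> bytes:
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")  # assumes no leading zero byte


def send(message: bytes, sender_private, receiver_public):
    """Sender side of 'sign the hash with your own private key, encrypt the
    message with the receiver's public key'. Returns (ciphertext, signature)."""
    return encrypt(message, receiver_public), sign(message, sender_private)


def receive(ciphertext: int, signature: int, receiver_private, sender_public):
    """Receiver side: decrypt with own private key, then verify the signature
    with the sender's public key. Returns (plaintext, signature_is_valid)."""
    plaintext = decrypt(ciphertext, receiver_private)
    return plaintext, verify(plaintext, signature, sender_public)


# Sender and receiver keys from distinct Mersenne primes (constructed, toy-sized).
SENDER_PUB, SENDER_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
RECEIVER_PUB, RECEIVER_PRIV = make_keypair(2**89 - 1, 2**107 - 1)

if __name__ == "__main__":
    msg = b"PAY 100 TO ACCT 4711"  # constructed sample message
    c, s = send(msg, SENDER_PRIV, RECEIVER_PUB)
    print(receive(c, s, RECEIVER_PRIV, SENDER_PUB))
    # An attacker who changes the amount cannot produce a matching signature:
    print(verify(b"PAY 900 TO ACCT 4711", s, SENDER_PUB))
```

Running it shows the receiver recovering the plaintext with the signature verifying, while a changed amount fails verification: that is the integrity and nonrepudiation property the notes describe. The size check in `encrypt` is also why real systems encrypt a session key rather than the message.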
In addition, batch control totals can be manually calculated and compared with matching computer-produced batch control totals.</p>
Sequence numbers and time of arrival can be associated with data and checked to ensure that data has not been lost or reordered.
Large volumes of data can be checked with utility or special-purpose programs.
Unit testing is the testing of individual subprograms, subroutines or procedures in a program. Its purpose is to check whether the module code complies with the system's internal specifications.
Integration testing (also called interface, incremental or string testing) is the testing of program modules to see whether they work correctly as a whole without contradicting the system's internal and external specifications.
The waterfall life cycle model is best suited to stable conditions, where requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate.
The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early.
The bottom-up approach to testing begins with atomic units, such as programs and modules, and works upward until a complete system test has taken place.
Periodic review of policies by personnel with specific knowledge of regulatory and legal requirements best ensures that organizational policies are aligned with legal requirements.
System internal specifications define processing logic, file structures, module interfaces and system architecture, which is most useful in unit and integration testing.
The rapid application development (RAD) approach is an incremental and iterative development approach.
Sociability testing and system tests take place at a later stage in the development process.
Diversity in defense: using two firewalls from different vendors to consecutively check the incoming network traffic, so that a flaw in one vendor's product does not defeat both layers.
Piggybacking: unauthorized persons following, either physically or virtually, authorized persons into restricted areas.
Impersonation: someone acting as an employee in an attempt to retrieve desired information.
Dumpster diving: looking through an organization's trash for valuable information.
Data diddling: changing data before they are entered into the computer.
Software quality can be expressed in two ways: defect rate and reliability. Software quality means conformance to requirements; if the software contains too many functional defects, the basic requirement of providing the desired function is not met. Defect rate is the number of defects per million lines of source code or per function point. Reliability is expressed as the number of failures per n hours of operation, mean time to failure, or the probability of failure-free operation in a specified time.
Alternative routing is the method of routing information via an alternative medium, such as copper cable or fiber optics; in telecom terms it provides two different cables from the local exchange to your site, so service is maintained on the alternative route if one cable fails.
Diverse routing is the method of routing traffic through split-cable or duplicate-cable facilities, which can be accomplished with different or duplicate cable sheaths; with two separate routes from two exchanges to your site, it protects not only against cable failure but also against local exchange failure.
A software quality program should reduce defects, cut service costs, increase customer satisfaction, and increase productivity and revenues. To achieve these goals, commitment by all parties involved is the most important factor.
Circular routing is the logical path of a message in a communication network, based on a series of gates at the physical network layer of the OSI model.
The incremental approach: a service is designed bit by bit; parts are developed separately and delivered individually, each supporting one of the business functions the entire service needs. The big advantage is the sh
orter delivery time; the development of each part, however, requires that all phases of the life cycle are traversed.
The iterative approach: the development life cycle is repeated several times; techniques like prototyping are used to understand the customer-specific requirements better.
An application gateway is similar to a circuit gateway, but it has a specific proxy for each service (OSI layer 7).
Screening routers and packet filters work at the protocol, service and/or port level, i.e., they analyze packets from layers 3 and 4 only (not higher layers).
When reviewing network security devices, consider the importance of each device in the network topology.
Reasonableness checks: a type of programmed edit check that tests whether the contents (e.g., values) of the data entered fall within predetermined limits.
A circuit gateway is based on a proxy or program that acts as an intermediary between external and internal accesses. During an external access, instead of opening a single connection to the internal server, two connections are established: one from the external client to the proxy (which forms the circuit gateway) and one from the proxy to the internal server. Layers 3 and 4 (IP and TCP) and some general features from higher protocols are used to perform these tasks.
<p>Initiating and subsequently approving a change request violates the principle of segregation of duties.
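As an added example (mine, not from the notes) covering the batch-balancing, sequence-number and reasonableness-check notes above, the Python below validates a constructed pipe-delimited batch file against the control totals carried in its header. The file layout, the field order and the 10,000.00 amount limit are assumptions made for the illustration, not a standard format.

```python
"""Batch balancing, sequence checking and reasonableness checks over a
constructed batch file.

Added example for the batch-control notes; the pipe-delimited layout, the
header fields and the amount limit are assumptions, not a standard format.
  H|<batch id>|<record count>|<amount total>|<hash total of account numbers>
  D|<sequence no>|<account no>|<amount>
"""
from decimal import Decimal

GOOD_BATCH = """\
H|BATCH-0042|3|1500.00|14136
D|1|4711|500.00
D|2|4712|700.00
D|3|4713|300.00
"""

BAD_BATCH = """\
H|BATCH-0043|3|1500.00|14136
D|1|4711|500.00
D|3|4713|300.00
D|3|4712|70000.00
"""


def parse_batch(text: str):
    header, records = None, []
    for line in text.splitlines():
        fields = line.split("|")
        if fields[0] == "H":
            header = {"batch_id": fields[1], "count": int(fields[2]),
                      "amount_total": Decimal(fields[3]), "hash_total": int(fields[4])}
        elif fields[0] == "D":
            records.append({"seq": int(fields[1]), "account": int(fields[2]),
                            "amount": Decimal(fields[3])})
    if header is None:
        raise ValueError("missing batch header")
    return header, records


def validate_batch(text: str, amount_limit=Decimal("10000.00")):
    """Return a list of (code, detail) exceptions; an empty list means the
    batch balances. The header carries the control totals established at data
    preparation; the program recomputes them from the detail records."""
    header, records = parse_batch(text)
    exceptions = []
    # Batch balancing: record count, amount total and hash total must agree.
    if len(records) != header["count"]:
        exceptions.append(("RECORD_COUNT", f"expected {header['count']}, got {len(records)}"))
    amount_total = sum((r["amount"] for r in records), Decimal("0"))
    if amount_total != header["amount_total"]:
        exceptions.append(("AMOUNT_TOTAL", f"expected {header['amount_total']}, got {amount_total}"))
    hash_total = sum(r["account"] for r in records)
    if hash_total != header["hash_total"]:
        exceptions.append(("HASH_TOTAL", f"expected {header['hash_total']}, got {hash_total}"))
    # Sequence check: detects lost, duplicated or reordered records.
    seqs = [r["seq"] for r in records]
    if seqs != list(range(1, len(records) + 1)):
        exceptions.append(("SEQUENCE", f"expected 1..{len(records)}, got {seqs}"))
    # Reasonableness check: each amount must fall within predetermined limits.
    for r in records:
        if not (Decimal("0.01") <= r["amount"] <= amount_limit):
            exceptions.append(("REASONABLENESS",
                               f"seq {r['seq']}: amount {r['amount']} outside limits"))
    return exceptions


if __name__ == "__main__":
    print("good:", validate_batch(GOOD_BATCH))
    for code, detail in validate_batch(BAD_BATCH):
        print(f"bad: {code}: {detail}")
```

The bad batch still passes the record count and hash total, which is exactly why a single control total is not enough: the amount total, the sequence check and the reasonableness check each catch a different kind of error.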
A person should not be able to approve their own requests.</p>
Ineffective accounting of production tape volumes could have serious implications, such as loss of tape volumes containing critical information, improper disclosure of confidential data, and destruction of data caused by the improper use of tapes as scratch tapes.
Evidence must support the stated objectives of the organization. Software that is built or purchased should be carefully researched to ensure that it fulfills the organization's objectives, and each phase of the life cycle should be reviewed and approved by management before progressing to the next phase.
Operations documentation should contain recovery/restart procedures so that operations can return to normal processing in a timely manner.
Forward error control: additional redundant information is transmitted with each character or frame so that the receiver can both detect and correct errors without a retransmission.
Feedback error control: only enough additional information is transmitted for the receiver to detect that an error has occurred; correction requires requesting a retransmission.
CRC (cyclic redundancy check): a single set of check digits is generated from the contents of each frame and transmitted with it; it detects transmission errors but cannot correct them.
User management assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirements definition, test case development, acceptance testing and user training.
Bayesian filtering applies statistical modeling to messages by performing a frequency analysis of each word within the message and then evaluating the message as a whole. It can therefore ignore a suspicious keyword if the entire message is within normal bounds: the filter scores spam on the combined word probabilities rather than on any single keyword.
Which antispam filtering technique would BEST prevent a valid, variable-length email message containing a heavily weighted spam keyword from being labeled as spam? Bayesian (statistical) filtering.
Use of audit software is merely a technique that can be used in performing an audit; it has no relevance to the development of the annual audit plan.
Biometric accuracy measures: False Acceptance Rate (FAR), accepting an unauthorized person as authorized; False Rejection Rate (FRR), denying access to an authorized individual; Crossover Error Rate (CER), also called Equal Error Rate (EER), the point at which FAR equals FRR; False Identification Rate (FIR), the probability that an authorized person is identified but assigned a false ID.
A common weakness in microcomputers is the default boot from removable media (floppy, CD or USB), which may bypass installed security features.
A quality plan is an essential element of all projects.
Segregating Voice-over-IP (VoIP) traffic using virtual LANs (VLANs) best protects the VoIP infrastructure from network-based attacks, potential eavesdropping and network traffic issues (which also helps to ensure uptime).
Code correction is a responsibility of the programming staff, not of scheduling and operations personnel.
Ensuring that individual data elements are accurate is the responsibility of the originating department (the data owner), not of the DBA.
<p>Data may be permanently destroyed on a hard disk by a wiping utility, which overwrites the media with random values. Security professionals use wiping utilities to clear hard disks for redeployment.
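An added example, not from the original notes, of the Bayesian note and the anti-spam exam question above: a naive Bayes filter trained on a constructed six-message corpus, beside the keyword rule it replaces. The corpus, the keyword list and the test messages are invented for the illustration.

```python
"""Naive Bayes spam scoring versus a keyword rule.

Added example for the Bayesian-filtering notes; the training corpus is
constructed for illustration.
"""
import math
import re
from collections import Counter

SPAM = [  # constructed training messages
    "free money now click here",
    "win free prize click now",
    "free free free offer now",
]
HAM = [
    "meeting tomorrow about the budget report",
    "please review the audit report before the meeting",
    "lunch tomorrow after the budget review",
]


def tokens(text: str):
    return re.findall(r"[a-z0-9]+", text.lower())


class BayesFilter:
    """Multinomial naive Bayes with Laplace (add-one) smoothing."""

    def __init__(self, spam, ham):
        self.spam_counts = Counter(t for m in spam for t in tokens(m))
        self.ham_counts = Counter(t for m in ham for t in tokens(m))
        self.spam_total = sum(self.spam_counts.values())
        self.ham_total = sum(self.ham_counts.values())
        self.vocab = len(set(self.spam_counts) | set(self.ham_counts))
        # class priors from document counts
        self.log_prior_spam = math.log(len(spam) / (len(spam) + len(ham)))
        self.log_prior_ham = math.log(len(ham) / (len(spam) + len(ham)))

    def word_log_odds(self, word: str) -> float:
        """log P(word|spam) - log P(word|ham); positive means spam-leaning."""
        p_spam = (self.spam_counts[word] + 1) / (self.spam_total + self.vocab)
        p_ham = (self.ham_counts[word] + 1) / (self.ham_total + self.vocab)
        return math.log(p_spam) - math.log(p_ham)

    def score(self, text: str) -> float:
        """Log-odds of spam for the whole message: every word contributes, so a
        single heavy keyword is outweighed by many ordinary words."""
        return (self.log_prior_spam - self.log_prior_ham
                + sum(self.word_log_odds(w) for w in tokens(text)))

    def classify(self, text: str, threshold: float = 0.0) -> str:
        return "spam" if self.score(text) > threshold else "ham"


def keyword_flag(text: str, keywords=("free", "prize", "click")) -> bool:
    """The naive rule the Bayesian filter improves on: any hit means spam."""
    return any(w in keywords for w in tokens(text))


FILTER = BayesFilter(SPAM, HAM)

if __name__ == "__main__":
    for msg in ("free lunch tomorrow after the audit meeting", "free prize click now"):
        print(f"{msg!r}: keyword={keyword_flag(msg)} bayes={FILTER.classify(msg)} "
              f"score={FILTER.score(msg):+.2f}")
```

"free" alone carries a strongly positive log-odds, so the keyword rule flags the lunch invitation; the six ordinary words around it pull the message score well below zero and the Bayesian filter lets it through, while the all-keyword message is still scored as spam.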
Hackers use wiping utilities to destroy evidence, thereby covering their tracks.</p>
Reviewing system log files is the only trail that may provide information about unauthorized activities in the production library.
In EDI, the communications interface stage requires routing verification procedures.
The EER is the measure used to compare biometric devices: the lower the EER, the more effective the control. The CER/EER is reached by adjusting the sensitivity (threshold) of the system, which trades FAR against FRR.
Data classification is the process of organizing data into categories for its most effective and efficient use. A well-planned data classification system makes essential data easy to find and retrieve and reduces the risk of inappropriate system access.
Degaussing is a popular technique for destroying data on magnetic storage tapes: a box-like device known as a degausser changes the magnetic field on the tape, effectively destroying the data. Degaussing is the accepted process for magnetic tape disposal.
Message digests in a digital signature show whether the message has been altered after transmission.
<p>The certificate authority (CA) maintains a directory of digital certificates for the reference of those receiving them.
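The FAR, FRR and EER definitions in the biometric notes above are easiest to see as a threshold sweep. The following Python is an added example (not from the notes) over constructed genuine and impostor match scores; it finds the sensitivity setting at which the two error rates cross and shows how moving the threshold trades one against the other.

```python
"""FAR, FRR and the crossover (equal) error rate from a threshold sweep.

Added example for the biometric-accuracy notes; the score samples are
constructed (higher score = stronger match to the enrolled template).
"""

GENUINE = [62, 70, 75, 78, 80, 83, 85, 88, 90, 95]   # enrolled user's own attempts
IMPOSTOR = [20, 25, 30, 35, 40, 45, 55, 60, 65, 72]  # other people's attempts


def rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when a score >= threshold is accepted.

    FAR: impostor attempts accepted / impostor attempts.
    FRR: genuine attempts rejected / genuine attempts.
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine, impostor, thresholds=range(0, 101)):
    """Sweep the sensitivity setting and return (threshold, EER): the point
    where FAR and FRR are closest. A lower EER means a more accurate device."""
    best_t, best_gap, best_eer = None, None, None
    for t in thresholds:
        far, frr = rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_t, best_gap, best_eer = t, gap, (far + frr) / 2
    return best_t, best_eer


if __name__ == "__main__":
    for t in (30, 66, 90):
        far, frr = rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:3d}: FAR={far:.1f} FRR={frr:.1f}")
    t, eer = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"crossover at threshold {t}: EER={eer:.2f}")
```

A strict threshold (90) rejects no impostors but turns away most legitimate users; a loose one (30) does the opposite. The crossover is where an auditor should look when comparing two devices, because it removes the vendor's choice of threshold from the comparison.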
It manages the certificate life cycle, including certificate directory maintenance and certificate revocation list maintenance and publication.</p>
Registration authority (RA): responsible for the administrative tasks associated with registering the end entity that is the subject of the certificate issued by the CA.
Certificate revocation list (CRL): the instrument for checking the continued validity of certificates; a relying party must consult it (or an OCSP responder) before trusting a certificate.
Certification practice statement (CPS): a detailed set of rules governing the certificate authority's operations.
Evaluating logical access controls should FIRST obtain an understanding of the security risk to information processing.
A digital signature provides integrity, authentication and nonrepudiation; it does not provide confidentiality. Confidentiality requires encrypting the message (with the receiver's public key or a symmetric session key), not hashing it.
Digital signature features: data integrity, authentication, nonrepudiation, replay protection. Nonrepudiation: the claimed sender cannot later deny generating and sending the message. Data integrity: any change in the plaintext message results in the recipient failing to compute the same message hash. Authentication: ensures that the message has been sent by the claimed sender. Replay protection: a method (such as a timestamp or sequence number included in the signed data) that a recipient can use to check that the message was not intercepted and replayed.
Spoofing: enables one party to act as if they are another party.
Repudiation of transactions: causes major problems with billing systems and transaction processing agreements.
Digital certificates are the sender authentication method: a signature proves that the message came from the holder of a private key, but the identity behind that key is confirmed by the digital certificate that binds it to the sender.
Embezzlement: a type of fraud in which employees or non-employees wrongfully take money or property entrusted to their care, custody and control, often accompanied by false accounting entries and other forms of lying and cover-up.
RAID levels:
RAID 0 = striping, no parity or mirroring (no redundancy).
RAID 1 = mirroring.
RAID 5 = striping with distributed parity; tolerates one drive failure; access speed depends on the controller cache.
RAID 6 = striping with double parity; tolerates two simultaneous drive failures at the cost of a higher write penalty than RAID 5 (a good price point for redundancy).
RAID 10 = a hybrid, nested RAID configuration (mirrored stripes) with the fastest speeds and best redundancy, but it requires more drives.
A read-only restriction protects the integrity of stored data.
An SLA provides the basis for an adequate assessment of the degree to which the provider is meeting the agreed-on level of service.
Message authentication is used for message integrity verification.
Authenticity: encrypting the pre-hash code (message digest) with the sender's private key. Integrity: mathematically deriving the pre-hash code from the message. Confidentiality: encrypting the pre-hash code and message with the secret key.
Asset classification determines the appropriate levels of information resource protection.
SSL/TLS provides data encryption, server authentication, message integrity and optional client authentication. It uses a symmetric key for message encryption, a message authentication code for data integrity, a hash function for generating the message digest, and digital signature certificates for server authentication.
<p>Compensating controls are an important part of a control structure. They are considered adequate if they help to achieve the control objective and are cost-effective.
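An added example, not from the original notes, showing what "striping with parity" in the RAID notes above actually computes: one XOR parity block per stripe, rotated across four constructed drives, and the rebuild of a failed drive from the survivors. The block contents and the 4-drive layout are constructed; RAID 6 would add a second, independently computed parity block per stripe.

```python
"""RAID 5 parity: rebuilding a lost drive by XOR, and why RAID 5 cannot
survive two failures.

Added example for the RAID notes; the block contents and the 4-drive layout
are constructed. Parity rotates across drives as in RAID 5.
"""


def xor_blocks(blocks):
    """Bytewise XOR of equal-length blocks; this is the RAID 5 parity function."""
    size = len(blocks[0])
    if any(len(b) != size for b in blocks):
        raise ValueError("blocks must have equal length")
    out = bytearray(size)
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_drive(stripe: int, n_drives: int) -> int:
    """Drive holding parity for a given stripe; rotated so that no single
    drive becomes the parity hot spot (unlike RAID 4)."""
    return (n_drives - 1 - stripe) % n_drives


def build_array(stripes, n_drives):
    """stripes: list of stripes, each a list of n_drives-1 data blocks.
    Returns a list of drives, each a list of blocks (data or parity)."""
    drives = [[] for _ in range(n_drives)]
    for s, data in enumerate(stripes):
        if len(data) != n_drives - 1:
            raise ValueError("each stripe needs n_drives-1 data blocks")
        blocks = list(data)
        blocks.insert(parity_drive(s, n_drives), xor_blocks(data))
        for d, block in enumerate(blocks):
            drives[d].append(block)
    return drives


def rebuild_drive(drives, failed: int):
    """Reconstruct the failed drive (marked None) from the survivors: the XOR
    of the other blocks in each stripe gives back data and parity alike.
    Raises if a second drive is also gone, which is the RAID 6 use case."""
    survivors = [d for i, d in enumerate(drives) if i != failed]
    if any(d is None for d in survivors):
        raise ValueError("RAID 5 tolerates a single drive failure; use RAID 6 for two")
    n_stripes = len(survivors[0])
    return [xor_blocks([d[s] for d in survivors]) for s in range(n_stripes)]


def read_stripes(drives):
    """Return the user data in stripe order, skipping the parity block."""
    n_drives = len(drives)
    out = []
    for s in range(len(drives[0])):
        p = parity_drive(s, n_drives)
        out.append([drives[d][s] for d in range(n_drives) if d != p])
    return out


if __name__ == "__main__":
    data = [[b"AAAA", b"BBBB", b"CCCC"], [b"DDDD", b"EEEE", b"FFFF"]]  # constructed
    array = build_array(data, n_drives=4)
    lost = array[1]
    array[1] = None                      # drive 1 fails
    array[1] = rebuild_drive(array, 1)   # hot-spare rebuild
    print("rebuilt matches:", array[1] == lost, "data:", read_stripes(array) == data)
```

The write penalty the notes mention comes from the same arithmetic: every data write must also update the parity block of its stripe, and RAID 6 must update two.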
In this situation the IS auditor is most likely to conclude that staging and job setup procedures compensate for the tape label control weakness.</p>
Double-blind testing: the users and the internal security team are not aware that penetration testing is taking place.
Targeted testing: the IT team is aware of the testing, and the penetration testers are provided with information about the target and the network design.
Asymmetric algorithms and the hard problem each relies on:
• RSA: factoring the product of two large prime numbers.
• Diffie-Hellman: the discrete logarithm problem in a group generated by a primitive root of a prime; used for key agreement rather than encryption.
• ElGamal: discrete logarithms.
• Elliptic curve cryptography (ECC): the elliptic-curve discrete logarithm problem; ECC implementations provide savings on computational power and bandwidth for the same security level.
The ISACA Code of Professional Ethics calls for informing appropriate parties of audit results, not "interested" parties.
RAID level 7 (a proprietary level) configures several high-speed disks (a disk array) as one large virtual drive partition with asynchronous, cached I/O.
A termination checklist is critical to ensure the logical and physical security of an enterprise. In addition to preventing the loss of company property issued to the employee, there is the risk of unauthorized access, intellectual property theft and even sabotage by a disgruntled former employee. The other choices are best practices, but they do not present a significant risk to the organization.
The IS auditor should perform additional testing to ensure that an observation is a finding; an auditor can lose credibility if it is later discovered that the finding was not justified.
A gateway operates at layer 7 (application) of the OSI model. Its function is to convert data contained in one protocol into data used by a different protocol; an example is a PC-to-mainframe gateway converting ASCII to mainframe EBCDIC (Extended Binary Coded Decimal Interchange Code).
Timebox management, by its nature, sets specific time and cost boundaries. It is very suitable for prototyping and RAD and integrates system and user acceptance testing, but it does not eliminate the need for a quality process (it prevents cost overruns and delivery delays).
Confidentiality: assurance that only owners of a shared secret key can decrypt a computer file that has been encrypted with that shared secret key.
Data flow diagrams (DFDs) are a product of upper and middle CASE tools.
PBX risks: theft of service, disclosure of information, data modification, unauthorized access, denial of service, traffic analysis.
Unless updated periodically, anti-malware software will not be an effective tool against malware.
The GREATEST risk of an application software package is incorrectly set parameters.
The RA is an authority in a network that verifies user requests for a digital certificate and tells the certificate authority (CA) to issue it.
The purpose of TQM is end-user satisfaction.
A BCP takes into consideration the critical operations that are necessary to the survival of the organization and the human/material resources supporting them.
A data warehouse is a repository of information from heterogeneous databases.
BPR phases: envision, initiate, diagnose, redesign, reconstruct, evaluate.
System migrations should include a phase of parallel operation or a phased cut-over to reduce implementation risk.
The primary risk of BPR is that controls are eliminated as part of the reengineering effort.
An application-level edit check to verify availability of funds should be completed at the electronic funds transfer (EFT) interface before an EFT is initiated.
The recovery point objective (RPO) is the point in time to which data must be recovered, i.e., the amount of data loss (measured in time) the business can tolerate. A valid RPO example is recovering from last night's backup tape, meaning that the more recent transactions would be lost. The recovery time objective (RTO) is the time within which the restored system and data must be available for users to access.
Understanding complexity and risk, and actively managing these throughout a project, are critical to a successful outcome and are the main concern for the IS auditor.
Total power failure = blackout.
Database views are used to implement least privilege and restrict the data that can be viewed by the user.
The manual log will most likely contain information on authorized changes to a program; deliberate, unauthorized changes will not be documented by the responsible party. An automated log, usually found in library management products (not a change log), would most likely contain date information for the source and executable modules.
Accreditation: a formal approval by management based on perceived fitness for use. Approval may be granted for a system, site location or function. Accreditation occurs after system certification, for a period of 90 days, 180 days or one year; systems must be reaccredited before their current accreditation period expires.
Foreign key: data in a database is stored in separate, normalized tables. A foreign key is the link between data in different database tables; when all the links are valid, the database has referential integrity.
Referential integrity: the information contained in two or more data tables is valid across the links inside the database (foreign-key relationships). A failure of referential integrity indicates a failed program or a corrupt database.
Social engineering is based on the divulgence of private information through dialogues, interviews, inquiries, etc., in which a user may be indiscreet regarding their own or someone else's personal data.
DAC allows data owners to modify access; this is a normal procedure and a characteristic of discretionary access control.
Best DRP option: daily data backups stored offsite and a hot site located 140 kilometers from the main data center.
Post-implementation review (PIR): an assessment and review of the completed working solution, performed after a period of live running, some time after the project is completed. Its purpose is to examine the efficacy of all elements of the working business solution to see whether further improvements can be made to optimize the benefit delivered, and to learn lessons that team members and the organization can use to improve future project work and solutions. The PIR should be scheduled some time after the solution has been deployed; typical periods range from 6 weeks to 6 months, depending on the type of solution and its environment, and at least one full processing and reporting cycle should have completed. It should be timed to allow the final improvements to be made in order to generate optimum benefit from the solution; there is no point in waiting too long, as the results are intended to generate that final benefit for the organization and the team.
Script-based software is human-readable and therefore can be crystal-box (white-box) tested.
<p>Black-box testing is intended to test the basic integrity of system processing. This is the most common type of test: the process is to put data through the system to see whether the results come out as expected.
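The foreign-key, referential-integrity and database-view notes above can be demonstrated together with SQLite. The following Python is an added example (not from the notes) using a constructed two-table schema; it shows integrity enforcement being silently lost when the foreign-key pragma is off, the orphan-row query an auditor can run to detect that, and a view that exposes only the non-sensitive columns and cannot be written through. SQLite has no GRANT, so the least-privilege point is shown through the view's shape; in a server RDBMS you would additionally GRANT SELECT on the view only.

```python
"""Referential integrity enforcement and least-privilege views in SQLite.

Added example for the foreign-key, referential-integrity and database-view
notes. Schema and rows are constructed for the illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE customer (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    ssn  TEXT NOT NULL            -- sensitive column the view must not expose
);
CREATE TABLE invoice (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(id),
    amount      REAL NOT NULL
);
-- The view is the least-privilege surface: no ssn, no raw customer_id.
CREATE VIEW invoice_summary AS
    SELECT invoice.id AS invoice_id, customer.name, invoice.amount
    FROM invoice JOIN customer ON customer.id = invoice.customer_id;
INSERT INTO customer VALUES (1, 'Ada', '123-45-6789');
INSERT INTO invoice VALUES (10, 1, 99.50);
"""


def open_db(enforce_fk: bool = True) -> sqlite3.Connection:
    """SQLite only checks foreign keys when the pragma is on for the connection;
    a program that forgets it can silently break referential integrity."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"PRAGMA foreign_keys = {'ON' if enforce_fk else 'OFF'}")
    conn.executescript(SCHEMA)
    return conn


def insert_orphan(conn) -> bool:
    """Try to insert an invoice for a customer that does not exist.
    Returns True if the database rejected it (integrity enforced)."""
    try:
        with conn:
            conn.execute("INSERT INTO invoice (customer_id, amount) VALUES (999, 10.0)")
    except sqlite3.IntegrityError:
        return True
    return False


def orphan_rows(conn) -> int:
    """Referential-integrity check an auditor can run: invoices whose customer
    link is dangling. Anything above zero means a failed program or a corrupt
    database, exactly as the note says."""
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM invoice LEFT JOIN customer ON customer.id = invoice.customer_id "
        "WHERE customer.id IS NULL"
    ).fetchone()
    return count


def view_columns(conn) -> list:
    """What a user restricted to the view can see."""
    cur = conn.execute("SELECT * FROM invoice_summary")
    return [col[0] for col in cur.description]


def view_is_read_only(conn) -> bool:
    """A plain view cannot be written through, so users limited to the view
    cannot alter the underlying invoice rows."""
    try:
        conn.execute("UPDATE invoice_summary SET amount = 0")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    strict = open_db(enforce_fk=True)
    print("orphan rejected:", insert_orphan(strict), "orphans:", orphan_rows(strict))
    lax = open_db(enforce_fk=False)
    print("orphan rejected:", insert_orphan(lax), "orphans:", orphan_rows(lax))
    print("view exposes:", view_columns(strict), "read-only:", view_is_read_only(strict))
```

The second connection is the failure mode worth remembering: the schema declares the foreign key, but with enforcement off the orphan insert succeeds and only the LEFT JOIN query reveals the damage.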
You do not get to see the internal logic structures;</p><p>all you get is the output. Commercial software is compiled into a form that is nonreadable by humans.</p><p>Black-box testing is the standard test process to run when you buy commercial software. Black-box testing is often used for user</p><p>acceptance tests.</p><p>File layout: Specifies the length of the file record and the sequence and size of its fields.</p><p>White = Crystal = Scripting</p><p>Black = Pre-Compiled</p><p>SM = Senior Management = ultimately responsible for information security within an organization</p><p>Black Box is to put data through the system to see whether the results come out as expected</p><p>Guideline: These are intended to provide advice pertaining to how organizational objectives might be obtained in the absence of a</p><p>standard.</p><p>The IDE integrated development environment automates program code generation and provides online debugging for certain</p><p>types of errors. It does not replace the traditional planning process. IDE does not alter the testing requirements in SDLC phase 4.</p><p>Full testing must still occur.</p><p>Certification is a technical testing process. Accreditation is a management process of granting approval based on fitness of use.</p><p>Policy: Is an executive mandate to identify a topic containing particular risks to avoid or prevent. Policies are high-level documents</p><p>signed by a person of significant authority with the power to force cooperation</p><p>Procedures: These are ‘cookbook’ recipes providing a workflow of specific tasks necessary to achieve minimum compliance to a</p><p>standard. 
Details are written in step-by-step format from the very beginning to the end.</p><p>Internal testing: attacks and control circumvention attempts on the target from within the perimeter.</p><p>Information Management and Auditing CISA 2019</p><p>48 Prepared by: madunix CCNA, CCNP, CCIP, CISA, CISSP, CFR, CSC, CIoTSP, CISM, eJPT, SCSC, KCSP, KCTP and ICATE</p><p>External testing: generic term that refers to attacks and control circumvention attempts on the target from outside that target</p><p>system.</p><p>Quality tools = flow charts, Pareto chart, cause and effect (fishbone) diagram, Scatter diagram</p><p>Formal acceptance of an evaluated system by management = Accreditation</p><p>Application software tracing and mapping: Specialized tools that can be used to analyze the flow of data through the processing</p><p>logic of the application software and document the logic, paths, control conditions and processing sequences.</p><p>Agile method places greater reliance on the undocumented knowledge contained in a person’s head. 
Agile is the direct opposite of</p><p>capturing knowledge through project documentation.</p><p>Benefit of implementing an expert system is the: capturing of the knowledge and experience of individuals in an organization</p><p>Session border controllers enhance the security in the access network and in the core.</p><p>Digital Signature: used to detect unauthorized modifications and authenticate sender — provides non-repudiation — private key</p><p>signs and public key verifies</p><p>— used to authenticate software, data images, users, machines</p><p>Key distribution center: distribution method suitable for internal communication for a large group within an institution and it will</p><p>distribute symmetric keys for each session.</p><p>CA: is a trusted third party that ensures the authenticity of the owner of the certificate.</p><p>Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography</p><p>during certain phases of authentication. Kerberos uses UDP port 88 by default.</p><p>Retaining audit documentation:In most cases, the archive of the integrated audit may need to be kept for seven years. 
Each type of audit may have a longer or shorter retention period, depending on the regulations identified during audit planning.
L2 switch: the purpose is to reduce network congestion by eliminating traffic that does not involve the specific station.
Replay attack: residual biometric characteristics, such as fingerprints left on a biometric capture device, may be reused to gain access.
The basis for continuous quality improvement is the Plan-Do-Check-Act (PDCA) cycle.
ITAF includes three categories of standards (general, performance and reporting) as well as guidelines and tools and techniques.
Critical path diagrams are used to determine the critical path for the project, which represents the shortest possible time required for completing the project.
Cold site: a backup site that can be up and operational in a relatively short time span, such as a day or two. Provision of services such as telephone lines and power is taken care of, and basic office furniture might be in place, but there is unlikely to be any computer equipment, even though the building might well have a network infrastructure and a room ready to act as a server room. In most cases, cold sites provide the physical location and basic services.
Compartmentalization: a nonhierarchical grouping of sensitive information used to control access to data more finely than with hierarchical security classification alone.
The IPF should be visited at regular intervals to determine whether temperature and humidity are adequate.
Preventing the leakage of confidential information on a laptop computer = DLP (encrypt the hard disk).
Wet pipe system: a fire-suppression system with water stored in the pipes at all times; this type of system is susceptible to corrosion and freezing.
PERT diagrams are a critical path method (CPM) technique in which three estimates (as opposed to one) of the timelines required to complete activities are used to determine the critical path.
FPA (function point analysis) is a technique used to determine the size of a development task, based on the number of function points.
Gantt charts help to identify activities that have been completed early or late through comparison to a baseline. The progress of the entire project can be read from the Gantt chart to determine whether the project is behind, ahead of or on schedule; this is important for the IS auditor in order to monitor the progress of the project.
Escrow: the client is entitled to the benefit of only using the software and not owning it, unless they pay more money. Escrow may provide some protection if the vendor goes out of business, but does not prevent software from being discontinued. Software escrow may be requested by the client to gain full rights to the software if the vendor goes out of business.
Cryptographic attack: targets the algorithm or the encrypted data.
Mimic attack: reproduces characteristics similar to those of the enrolled user, such as forging a signature or imitating a voice.
Preparedness test: involves simulation of the entire environment and helps the team to better understand and prepare for the actual test scenario. A preparedness test is a localized version of a full test, wherein resources are expended in the simulation of a system crash.
This test is performed regularly on different aspects of the plan and can be a cost-effective way to gradually obtain evidence about the plan's effectiveness.
Walkthrough: a test involving a simulated disaster situation that tests the preparedness and understanding of management and staff rather than the actual resources.
Paper test (structured walkthrough) > preparedness test > full operational test.
In cost-benefit analysis, the total expected purchase and operational/support cost and the qualitative value of all actions are weighed against the total expected benefits in order to choose the best technical, most profitable, least expensive or acceptable-risk option.
A GPS receiver reports on where the user is.
The most difficult part of a quantitative risk analysis is determining the probability that a threat will actually be realized. It is relatively easy to determine the value of an asset and the impact of a threat event.
IT governance is the mechanism through which IT strategy is established, controlled and monitored through the balanced scorecard.
Problem management: the process is concerned not only with identifying the root cause but also with addressing the underlying issue.
To mitigate the risk of internal fraud when dealing with customers over the Internet, a trusted third party should handle the CA.
Hardware is protected against power surges by a voltage regulator.
One of the advantages of outsourcing is focus on core competencies.
It is a problem if you do not know when to declare a crisis.
The use of an ID and password (what the user knows) is single-factor user authentication.
The PRIMARY benefit organizations derive from effective information security governance is ensuring acceptable levels of disruption.
The purpose of a balanced scorecard is to measure organizational performance and effectiveness against strategic
The project sponsor is the owner of the project and therefore the most appropriate person to discuss whether the business requirements defined as part of the project objectives have been met.
The MOST important consideration in developing security policies is that they are based on a threat profile.
A checksum calculated on an amount field and included in the EDI communication can be used to identify unauthorized modifications. Authenticity and authorization cannot be established by a checksum alone and need other controls.
Nonrepudiation can be ensured by using digital signatures.
Potential business impact is only one part of the cost-benefit analysis.
Integrity of the transaction process is ensured by database commits and rollbacks.
A warm site has the basic infrastructure facilities implemented, such as power, air conditioning and networking, but is normally lacking computing equipment.
A BIA will identify the diverse events that could impact the continuity of the operations of an organization. Recovery managers should be rotated to ensure the experience of the recovery plan is spread among the managers.
DRP is the technological aspect of business continuity planning (BCP). Business resumption planning addresses the operational part of BCP.
Risk: the likelihood that an unfortunate event will occur and cause a loss of assets.
Threat: a potential danger that, if realized, will have a negative effect on assets.
The default login ID used for maintenance accounts is frequently well known and commercially published.
RTO is an important parameter used when creating prioritization plans during the business continuity management process and is derived as a result of a business impact analysis (BIA).
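Worked example for the checksum and digital-signature notes above (added here; not part of the original notes). It builds a constructed EDI-style message with an amount field, an unkeyed SHA-256 checksum of that field, and an Ed25519 signature by the sender. The checksum scheme, the message layout and all names (EDIMessage, Send, AlterAmount) are assumptions made for the illustration. The point it shows is the one the notes make: a checksum detects a changed amount only as long as the checksum itself is not recomputed, whereas the signature fails for any altered amount and for any signer other than the holder of the private key, which is what gives authenticity and non-repudiation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// EDIMessage is a constructed stand-in for an EDI transaction: an amount
// field, the unkeyed checksum of that field, and a detached signature.
type EDIMessage struct {
	Amount    string // e.g. "1000.00"
	Checksum  string // hex SHA-256 of Amount (hypothetical checksum scheme)
	Signature []byte // Ed25519 signature over Amount by the sender's private key
}

// Checksum computes an unkeyed SHA-256 checksum of the amount field. Anyone who
// can change the field can also recompute this value, so it detects accidental
// or naive modification only and says nothing about who produced the message.
func Checksum(amount string) string {
	sum := sha256.Sum256([]byte(amount))
	return hex.EncodeToString(sum[:])
}

// NewKeyPair generates the sender's Ed25519 key pair: the private key signs,
// the public key verifies.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Send builds the message as the legitimate sender would: checksum plus signature.
func Send(priv ed25519.PrivateKey, amount string) EDIMessage {
	return EDIMessage{
		Amount:    amount,
		Checksum:  Checksum(amount),
		Signature: ed25519.Sign(priv, []byte(amount)),
	}
}

// ChecksumValid reports whether the checksum still matches the amount field.
func ChecksumValid(m EDIMessage) bool {
	return m.Checksum == Checksum(m.Amount)
}

// SignatureValid reports whether the signature verifies under the sender's
// public key; it fails for any altered amount and for any other signer.
func SignatureValid(pub ed25519.PublicKey, m EDIMessage) bool {
	return ed25519.Verify(pub, []byte(m.Amount), m.Signature)
}

// AlterAmount models a modification in transit that replaces the amount and
// recomputes the unkeyed checksum. The signature cannot be recomputed without
// the sender's private key, which is why it still fails afterwards.
func AlterAmount(m EDIMessage, newAmount string) EDIMessage {
	m.Amount = newAmount
	m.Checksum = Checksum(newAmount)
	return m
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	msg := Send(priv, "1000.00")
	fmt.Println("original: checksum ok =", ChecksumValid(msg), "signature ok =", SignatureValid(pub, msg))
	altered := AlterAmount(msg, "9000.00")
	fmt.Println("altered:  checksum ok =", ChecksumValid(altered), "signature ok =", SignatureValid(pub, altered))
}
```

The same Checksum function is what the later note on hashing a file and comparing the hashes describes: it detects change, but only a key the verifier can trust (shared secret or the sender's public key) establishes who sent the data.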
RTO is best utilized to determine recovery prioritization.
Last-mile circuit protection: providing telecommunication continuity through redundant combinations of local carrier T1s, microwave and/or local cable to access the local communication loop in the event of a disaster.
Long-haul network diversity: providing diverse long-distance network availability utilizing T1 circuits among major long-distance carriers.
Diverse routing: routing traffic through split-cable facilities or duplicate-cable facilities.
Alternate routing: a method of routing information via an alternative medium such as copper cable or fiber optics.
Mitigation: schedule file and system backups.
The use of an automated password management tool is a preventive control measure.
Deterrence: installation of firewalls for information systems.
Recovery: a hot site to restore normal business operations.
BCP process: BIA => develop recovery strategy => develop, test and implement specific plans.
Shadow file processing: exact duplicates of the files are maintained at the same site or at a remote site. The two files are processed concurrently.
Calculating cryptographic hashes for wireless communications allows the device receiving the communications to verify that the received communications have not been altered in transit.
Electronic vaulting electronically transmits data either to direct access storage, an optical disk or another storage medium; this is a method used by banks.
A server running a DLP software application uses predefined criteria to check whether any confidential documents or data are leaving the internal network.
The integrated development environment (IDE) automates program code generation and provides online debugging for certain types of errors.
It does not replace the traditional planning process.
The IDE does not alter the testing requirements in SDLC phase 4; full testing must still occur.
IDE = debugging.
Hard-disk mirroring provides redundancy in case the primary hard disk fails. All transactions and operations occur on two hard disks in the same server.
The best way to handle obsolete magnetic tapes is to degauss them.
The major benefit of implementing a security program is management's assessment of risk and its mitigation to an appropriate level of risk, and the monitoring of the remaining residual risk.
Electronic vaulting: a process of transmitting data to a remote backup site. This ensures that the most recent files are available in the event of a disaster. A common implementation is to transmit live data files to a remote server.
The IS auditor should make the final decision about what to include in or exclude from the audit report.
An ITF (integrated test facility) is an audit technique to test the accuracy of the processes in the application system. It may find control flaws in the application system, but it would be difficult to find the overlap in key controls.
By testing controls to validate whether they are effective, the IS auditor can identify whether there are overlapping controls; however, the process of implementing an automated auditing solution would better identify overlapping controls.
Having the service provider sign an indemnity clause will ensure compliance with the enterprise's security policies because any violations discovered would lead to a financial liability for the service provider (= NDA).
Recovery controls restore lost computing resources or capabilities and help the organization to return to normal operations and recover monetary losses caused by a security violation or incident.
Compensating controls reinforce or replace normal controls that are unavailable for any reason.
These are typically backup controls and usually involve higher levels of supervision and/or contingency plans.
Stress testing is carried out to ensure a system can cope with production workloads. A test environment should always be used to avoid damaging the production environment; hence, testing should never take place in a production environment.
A hot site is an alternate site ready to take over business operations within a few hours of any business interruption; it is not a method for backing up data.
Indemnity: protection against future loss.
Black-box test: a dynamic analysis tool for testing software modules.
A callback feature hooks into the access control software and logs all authorized and unauthorized access attempts, permitting the follow-up and further review of potential breaches (= provides an audit trail).
Employee access to information systems should be promptly terminated. The accounts of contractors no longer employed by the organization should be suspended. All accounts should be reviewed before the account is deleted.
Stress testing should be carried out in a test environment using live workloads.
The adequacy of security awareness content can best be assessed by determining whether it is periodically reviewed and compared to industry best practices.
To change an organization's culture to one that is more security conscious: security awareness campaigns.
The recovery point objective (RPO) is the earliest point in time at which it is acceptable to recover the data.
A high RPO means that the process can wait for a longer time.
A high recovery time objective (RTO) means that additional time would be available for the recovery strategy, thus making other recovery alternatives possible.
The ratio of false positives to false negatives will indicate whether an intrusion detection system (IDS) is properly tuned to minimize the number of false alarms while, at the same time, minimizing the number of omissions. The number of attacks detected, successful attacks or the ratio of successful to unsuccessful attacks would not indicate whether the IDS is properly configured.
Calculating the value of the information or asset is the first step in a risk analysis process to determine the impact to the organization, which is the ultimate goal.
When performing a quantitative risk analysis, the MOST important step in estimating the potential loss is to calculate the value of the information or asset.
The lower the RTO, the lower the disaster tolerance.
NDMP: data service, tape service, network storage, translator service.
IT governance: a clearly stated process of leadership to lead and control the performance expected from the IT function.
The focus of IT governance is control over the technology environment.
Periodic review of the access list by the business owner should determine whether errors in granting access have occurred.
Business continuity self-audit is a tool for evaluating the adequacy of the business continuity plan.
A hashing algorithm can be used to mathematically ensure that data have not been changed, by hashing a file and comparing the hashes after a suspected change.
Resource recovery analysis is a tool for identifying a business resumption strategy.
The main advantage of elliptic curve encryption over RSA encryption is its computation speed.
Structural testing != stress testing.
Performance testing: spike testing, volume testing, endurance testing.
Performance testing: eliminate bottlenecks and establish a baseline for future regression testing.
The review at the end of every SDLC phase is intended to prevent the project from proceeding unless it receives management's approval, i.e., to proceed to the next phase or possibly kill the project.
The ACID principle of database transactions refers to atomicity (all or nothing), consistency, isolation (transactions operate independently) and durability (data is maintained).
Major activities in software quality assurance include project management, software verification and validation, software configuration management and software quality assurance. These activities become a baseline, and any subsequent changes require management approval. Proposed changes are compared to the baseline, which is the standard.
Opportunity costs are those costs inherent in selecting one option in favor of another. When a software package's implementation is delayed, the inherent cost of other projects being deferred during its implementation is an example of opportunity cost.
The time lost due to delayed implementation of a current project could have been applied to developing a new project. Opportunity costs are hard to quantify precisely, but can be among the most important factors in software selection.
Maintenance costs are the costs to update and adapt software to match changing organizational needs. The maintenance costs of a system will vary widely, depending upon such factors as the type of application, the complexity of the system and the need for periodic updates.
If the database is not normalized, the IS auditor should review the justification since, in some situations, denormalization is recommended for performance reasons. The IS auditor should not recommend normalizing the database until further investigation takes place. Reviewing the conceptual data model or the stored procedures will not provide information about normalization.
Spoofing is a form of impersonation where one computer tries to take on the identity of another computer. When an attack originates from the external network but uses an internal network address, the attacker is most likely trying to bypass firewalls and other network security controls by impersonating (or spoofing) the payroll server's internal network address.
A DoS attack is designed to limit the availability of a resource and is characterized by a high number of requests which require a response from the resource (usually a web site). The target spends so many resources responding to the attack requests that legitimate requests are not serviced.
An application-layer gateway, or proxy firewall, and stateful inspection firewalls provide the greatest degree of protection and control because both firewall technologies inspect all seven OSI layers of network traffic.
Control objectives are developed to achieve acceptable levels of risk.
The extent to which that is achieved is a good measure of the effectiveness of the strategy.
Attribute sampling is the primary sampling method used for compliance testing.
Social engineering includes impersonation through a telephone call, dumpster diving and shoulder surfing.
Downtime reports track the availability of telecommunication lines and circuits. Interruptions due to power/line failure, traffic overload, operator error or other anomalous conditions are identified in a downtime report.
The first step in implementing information security governance is to define the security strategy, based on which security baselines are determined.
Risk created by a reciprocal agreement for disaster recovery: it may result in hardware and software incompatibility.
The service delivery objective (SDO) is the level of service to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs (= the minimum acceptable operational capability).
Assigning accountability to individuals is most likely to ensure that duties are properly carried out.
An uninterruptible power supply (UPS) system is a backup power system that utilizes batteries to provide short-term power when a power loss such as a blackout or a brownout is detected. Power conditioner devices assist in keeping the electrical service constant by monitoring and regulating the power in the building. These devices can activate backup power supplies.
Surge protectors are passive devices that are used to protect electrical components from spikes in the power line.
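Worked example for the spoofing and DoS notes above, and for the note elsewhere in these notes that DoS is prevented by filtering outgoing traffic whose IP source addresses are external to the network (added here; not part of the original notes). It is a perimeter anti-spoofing filter: ingress packets that claim an internal source address are dropped (an outside host impersonating, for instance, the payroll server), and egress packets whose source address is not one of the organization's own blocks are dropped, so the network cannot be used as a launch point for spoofed traffic. The internal prefixes, the log line format and the names (AntiSpoofFilter, Flow, Evaluate) are constructed assumptions for the illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Flow is a constructed summary of one packet crossing the perimeter.
type Flow struct {
	Direction string // "in" (from the Internet) or "out" (to the Internet)
	Src, Dst  netip.Addr
}

// Verdict is what the filter decides for a flow and why.
type Verdict struct {
	Allow  bool
	Reason string
}

// AntiSpoofFilter knows the organization's own address blocks; every other
// address is treated as external.
type AntiSpoofFilter struct {
	internal []netip.Prefix
}

// NewAntiSpoofFilter parses the internal CIDR blocks (constructed example
// values are used in main and in the usage note).
func NewAntiSpoofFilter(cidrs ...string) (*AntiSpoofFilter, error) {
	f := &AntiSpoofFilter{}
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("bad internal prefix %q: %w", c, err)
		}
		f.internal = append(f.internal, p)
	}
	return f, nil
}

func (f *AntiSpoofFilter) isInternal(a netip.Addr) bool {
	for _, p := range f.internal {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// Decide applies the two anti-spoofing rules: an ingress packet must not carry
// an internal source, and an egress packet must carry an internal source.
func (f *AntiSpoofFilter) Decide(fl Flow) Verdict {
	srcInternal := f.isInternal(fl.Src)
	switch fl.Direction {
	case "in":
		if srcInternal {
			return Verdict{false, "ingress packet with internal source address (spoofed)"}
		}
		return Verdict{true, "ingress from external source"}
	case "out":
		if !srcInternal {
			return Verdict{false, "egress packet with external source address (spoofed)"}
		}
		return Verdict{true, "egress from internal source"}
	}
	return Verdict{false, "unknown direction"}
}

// ParseFlow reads a constructed log line of the form "<dir> <src> -> <dst>".
func ParseFlow(line string) (Flow, error) {
	fields := strings.Fields(line)
	if len(fields) != 4 || fields[2] != "->" {
		return Flow{}, fmt.Errorf("malformed line %q", line)
	}
	src, err := netip.ParseAddr(fields[1])
	if err != nil {
		return Flow{}, err
	}
	dst, err := netip.ParseAddr(fields[3])
	if err != nil {
		return Flow{}, err
	}
	return Flow{Direction: fields[0], Src: src, Dst: dst}, nil
}

// Evaluate runs the filter over log lines and returns one verdict per line.
func Evaluate(f *AntiSpoofFilter, lines []string) ([]Verdict, error) {
	var out []Verdict
	for _, l := range lines {
		fl, err := ParseFlow(l)
		if err != nil {
			return nil, err
		}
		out = append(out, f.Decide(fl))
	}
	return out, nil
}

func main() {
	f, err := NewAntiSpoofFilter("10.0.0.0/8", "192.168.0.0/16") // constructed internal blocks
	if err != nil {
		panic(err)
	}
	sample := []string{ // constructed sample log lines
		"out 10.1.2.3 -> 198.51.100.7",
		"out 203.0.113.9 -> 198.51.100.7",
		"in 10.0.0.5 -> 10.1.2.3",
		"in 198.51.100.7 -> 10.1.2.3",
	}
	verdicts, err := Evaluate(f, sample)
	if err != nil {
		panic(err)
	}
	for i, v := range verdicts {
		fmt.Printf("%-32s allow=%-5v %s\n", sample[i], v.Allow, v.Reason)
	}
}
```

Of the four constructed lines, the first and last are allowed; the second (egress with an external source) and the third (ingress claiming an internal source) are dropped. In practice these two rules are applied on the border router or firewall in both directions, and the dropped packets are worth logging, since they are by definition not legitimate traffic.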
Surge protectors usually utilize metal oxide varistors (MOVs) to shunt the voltage spike to ground.
Background checks of prospective employees best prevent attacks from originating within an organization.
There are two modes for biometric recognition: verification and identification. In verification, an identity is claimed and the comparison process is limited to checking the reference corresponding to this identity. In identification, no claim of identity is necessary and the system searches its reference database to find whether a stored reference matches the biometric characteristics recorded.
A generator is used when a continuous power supply is needed in power loss situations and is activated when a loss of power is detected. It does not protect electrical components from spikes in the power line.
The IT assets inventory is the basic input for the business continuity/disaster recovery plan, and the plan must be updated to reflect changes in the IT infrastructure.
The other choices are procedures required to update the disaster recovery plan after having updated the required assets inventory.
Outsourcing of some information security activities can cut costs and increase resources for other security activities in a proactive manner, as can automation of some security procedures.
IT steering committee: the role of an IT steering committee is to ensure that the IS department is in harmony with the organization's mission and objectives.
Change control board (CCB): a management review to ensure awareness and management control of changes in the IT environment.
Abrupt changeover: stop the existing system abruptly to shift over to the new one.
Phased changeover: both are run, but the output of both systems is used since the functions performed are different.
Parallel changeover: both systems are run simultaneously for a period of time and the output of
Emissions can be detected by sophisticated equipment and displayed, thus giving access to data to unauthorized persons. They should not cause disruption of CPUs or affect noise pollution.
Hardening a system means configuring it in the most secure manner (install the latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent non-privileged users from gaining the right to execute privileged instructions.
Pilot conversion involves setting up the new system for a small group of users and participants, while the remaining majority of users and participants still interact with the current system.
At some predetermined period in time, the pilot system is installed for all users and participants and the current system is then switched off.
Mandatory access controls (MAC) are filters that cannot be altered by normal users and data owners, and they act by default to enforce a base level of security.
Privilege escalation attack (in the question I asked): a type of attack where higher-level system authority is obtained by various methods; in this example, the task scheduler service runs with administrator permissions and a security flaw allows programs launched by the scheduler
Load testing is usually defined as the process of exercising the system under test by feeding it the largest tasks it can operate with. Load testing is sometimes called volume testing, or longevity/endurance testing.
Stress testing tries to break the system under test by overwhelming its resources or by taking resources away from it (in which case it is sometimes called negative testing). The main purpose behind this madness is to make sure that the system fails and recovers gracefully; this quality is known as recoverability.
Gap analysis in business continuity planning is used to identify deficiencies in a plan.
Fidelity insurance: covers the loss arising from dishonest or fraudulent acts by employees.
Business interruption insurance: covers loss of profit due to disruption in the operations of an organization.
IS steering committee: a committee composed of business executives for the purpose of conveying current business priorities and objectives to IT management.
The steering committee provides governance for major projects and the IT budget.
IS policies, IS procedures, standards and guidelines are all structured to support the overall strategic plan.
Load testing: testing applications with large quantities of data to evaluate performance (= DB application concurrently).
Volume testing: testing with an incremental volume of records to determine the maximum volume of records (data) that the application can process.
Errors and omissions insurance: legal liability protection in the event that the professional practitioner commits an act that results in financial loss to a client.
Extra expense insurance: designed to cover the extra costs of continuing operations following a disaster/disruption within an organization.
Stakeholder interviews = simplicity of the BCP.
Review the plan and compare it with standards = adequacy of the BCP.
ROI should be re-performed to verify that the original business case benefits are delivered.
Review results from previous tests = effectiveness of the BCP.
In the RAD model, the functional modules are developed in parallel as prototypes and are integrated to make the complete product for faster product delivery.
Something with DB architectures as a data-oriented structured database (DOSD) and an object-oriented structured database (OOSD).
Compliance testing determines whether controls are being applied in compliance with policy.
Variable sampling is used to estimate numerical values such as dollar values.
Substantive testing substantiates the integrity of actual processing, such as balances of financial statements.
Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.
A substantive test includes gathering evidence to evaluate the integrity (i.e., the completeness, accuracy or validity) of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test.
Attribute sampling: the primary sampling method used for compliance testing.
Prevent DoS = filter outgoing traffic with IP source addresses external to the network.
Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality in a population and is used in compliance testing to confirm whether the quality exists.
An audit charter should state management's objectives for the delegation of authority to IS audit.
The IS auditor needs to perform substantive testing and additional analysis in order to determine why the approval and workflow processes are not working as intended.
By evaluating the organization's development projects against the CMM, an IS auditor determines whether the development organization follows a stable, predictable software process.
CMM does not evaluate technical processes such as programming, nor does it evaluate security requirements or other application controls.
Tracing involves following the transaction from the original source through to its final destination. In EFT transactions, the direction of tracing may start from the customer-printed copy of the receipt, checking the system audit trails and logs, and finally checking the master file records for daily transactions.
MIS: an organized assembly of resources and procedures required to collect, process and distribute data for use in decision making.
Data mapping: diagramming data that are to be exchanged electronically, including how they are to be used and what business management systems need them.
Refers to a point backward in time to which the loss of data is acceptable.
This means work created since the last data backup will be lost; RPO.
Masking: a computerized technique of blocking out the display of sensitive information, such as passwords, on a computer terminal or report.
War driving is a term used to describe the process of a hacker who, armed with a laptop and a wireless adapter card and traveling via a car, bus, subway train or other form of mechanized transport, goes around sniffing for WLANs.
War walking refers to the same process, commonly in public areas like malls, hotels or city streets, but using shoe leather instead of the transportation methods listed above.
Pandemic planning presents unique challenges; unlike natural disasters, technical disasters, malicious acts or terrorist events, the impact of a pandemic is much more difficult to determine because of the anticipated difference in scale and duration.
If the IS plan is a separate plan, it must be consistent with and support the corporate BCP.
A risk-based audit approach focuses on the understanding of the nature of the business and being able to identify and categorize risk. Business risks impact the long-term viability of a specific business.
Thus an IS auditor using a risk-based audit approach must be able to understand business processes.
Symmetric-key encryption = WEP.
Master file: a file of semi-permanent information that is used frequently for processing data or for more than one purpose.
Contraband software: at government offices, any system utility or special software not required in the specific performance of a person's job duties.
Configuration management: the administrative process of being able to prove the documented design as built, by verifying the correct version of all the individual components used in final construction.
Materiality: an auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited. An expression of the relative significance or importance of a particular matter in the context of the enterprise as a whole.
Maturity: in business, indicates the degree of reliability or dependency that the business can place on a process achieving the desired goals or objectives.
Media access control (MAC) address: applied to the hardware at the factory and cannot be modified; a MAC address is a unique, 48-bit, hard-coded address of a physical layer device, such as an Ethernet local area network (LAN) or wireless network card.
Media oxidation: the deterioration of the media on which data are digitally stored due to exposure to oxygen and moisture.
Memory dump: the act of copying raw data from one place to another with little or no formatting for readability.
Microwave transmission: a high-capacity line-of-sight transmission of data signals through the atmosphere which often requires relay stations.
Monetary unit sampling: a sampling technique that estimates the amount of overstatement in an account balance.
The inclusion of technical information in error messages
Mobile code: software modules obtained from remote systems, transferred across a network, and then downloaded and executed on local systems without explicit installation or execution by the recipient.
When reviewing system parameters, an IS auditor's PRIMARY concern should be that they are set to meet security and performance requirements.
CMM is a qualitative approach typically using a 0 to 5 scale, with each value assigned a set of attributes or characteristics to determine a relative level of competency and proficiency.
In symmetric-key cryptography, symbols are permuted or substituted; in asymmetric-key cryptography, numbers are manipulated.
A digital signature needs a public-key system. The signer signs with her private key; the verifier verifies with the signer's public key.
A cryptosystem uses the private and public keys of the recipient; a digital signature uses the private and public keys of the sender.
SSL: asymmetric encryption is necessary to verify the other party's identity, and then symmetric encryption encrypts the data.
SSL uses asymmetric encryption to privately share the session key.
SSL uses symmetric encryption to encrypt the session data.
SSL uses both asymmetric and symmetric encryption.
Enabling audit trails helps in establishing the accountability and responsibility of processed transactions by tracing transactions through the system.
In business process control assurance you should look for: process map, process controls, benchmarking, roles and responsibilities and data restrictions.
When designing an audit plan, it is important to identify the areas of highest risk to determine the areas to be audited.
Control self-assessment (CSA) is predicated on the review of high-risk areas that either need immediate attention or a more thorough review at a later date.
CSA is the review of business objectives and internal controls in a formal and documented collaborative process.
The scope of an IS audit should not be constrained by the ease of obtaining the information or by the auditor's familiarity with the area being audited.
An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work.
Audit risk is the combination of detection, control and inherent risks for a given audit assignment.
Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls.
Substantive testing: Are transactions processed accurately? Are data correct and accurate? Double-check processing, calculation validation, error checking, operational documentation. If compliance results are poor, substantive testing should increase in type and sample number.
Inherent risk is the risk that an error exists in the absence of any compensating controls.
RTO: how long the business can afford the downtime or crisis.
RPO: to what point in time you want the data to be recovered.
BSC does not measure financial growth.
The primary objective of forensic software is to preserve electronic evidence to meet the rules of evidence.
Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations.
The goal of the meeting is to confirm the factual accuracy of the audit findings and present an opportunity for management to agree on corrective action.
Data flow diagrams are used as aids to graph or chart data flow and storage.
They trace the data from its origination to</p><p>destination, highlighting the paths and storage of data.</p><p>If the RTO is high, then the acceptable downtime is high. A cold site will be appropriate in such situations.</p><p>Audit program: A step-by-step set of audit procedures and instructions that should be performed to complete an audit.</p><p>A directory server makes other users’ certificates available to applications.</p><p>A method of selecting a portion of a population, by means of mathematical calculations and probabilities, for the purpose of making</p><p>scientifically and mathematically sound inferences regarding the characteristics of the entire population; Statistical sampling.</p><p>Understanding the business process is the first step an IS auditor needs to perform.</p><p>Confidentiality of customer data = IMPORTANT</p><p>Reciprocal agreement; hardware and software compatibility.</p><p>A testing approach that uses knowledge of a program/module's underlying implementation and code intervals to verify its expected</p><p>behavior: White box testing</p><p>Compares data to predefined reasonability limits or occurrence rates established for the data; Reasonableness check</p><p>Preparedness test involve simulation of the entire environment and help the team to better understand and prepare for the actual</p><p>test scenario; Preparedness test is a localized version of a full test, wherein resources are expended in the simulation of a system</p><p>crash. This test is performed regularly on different aspects of the plan</p><p>Potential business impact is only one part of the cost-benefit analysis.</p><p>OOB: Out-of-band authentication means that a transaction that is initiated via one delivery channel (e.g., Internet) must be re-</p><p>authenticated or verified via an independent delivery channel (e.g., telephone) in order for the transaction to be completed. 
Out-of-</p><p>band authentication is becoming more popular given that customer PCs are increasingly vulnerable to malware attacks.</p><p>Information Management and Auditing CISA 2019</p><p>55 Prepared by: madunix CCNA, CCNP, CCIP, CISA, CISSP, CFR, CSC, CIoTSP, CISM, eJPT, SCSC, KCSP, KCTP and ICATE</p><p>Integrity of transaction process is ensured by database commits and rollbacks.</p><p>A telecommunications methodology that controls traffic in which a complete message is sent to a concentration point and stored until</p><p>the communications path is established. Message switching</p><p>A warm site has the basic infrastructure facilities implemented, such as power, air conditioning</p><p>and networking. But is normally lacking computing equipment.</p><p>Compliance tests are performed primarily to verify whether controls, as chosen by management, are implemented.</p><p>Verification of documents is not directly related to compliance testing. Verifying whether access to users is provided is an</p><p>example of compliance testing. Data validation procedures are part of application controls. Testing whether these are set as</p><p>parameters and working as envisaged is compliance testing.</p><p>Application Controls are usually classified in three categories, Preventive, Corrective, or Directive. No control is gained by a routine</p><p>that analyses an exposure.</p><p>Implement a properly documented process for application role change requests.</p><p>Hot site: An alternate processing facility that is fully equipped with all the necessary computer equipment and capable of</p><p>commencing operation as soon as the latest data files have been loaded. Capable of being in full operation within minutes or</p><p>hours.</p><p>BIA will identify the diverse events that could impact the continuity of the operations of an organization. 
Recovery managers should</p><p>be rotated to ensure the experience of the recovery plan is spread among the managers.</p><p>Proceeding with restore procedures of DB is a corrective control. Restore procedures can be used to recover databases to their last-</p><p>known archived version.</p><p>Establishing standards is a preventive control</p><p>Monitoring for compliance is a detective control</p><p>Ensuring that only authorized personnel can update the database is a preventive control.</p><p>Establishing controls to handle concurrent access problems is a preventive control.</p><p>FPA: A software estimation method used to forecast development, based on the number of system inputs, outputs, and complexity.</p><p>Used in the SDLC feasibility study to calculate resources and time required.</p><p>DRP is the technological aspect of business continuity planning (BCP). Business resumption planning addresses the operational part</p><p>of BCP.</p><p>The first concern of an IS auditor should be to establish that the proposal meets the needs of the business, and this should be</p><p>established by a clear business case.</p><p>RTO is an important parameter used when creating prioritization plans during the business continuity management process and is</p><p>derived as a result of a business impact analysis (BIA). RTO is best utilized to determine recovery prioritization. A system that has</p><p>a low level of confidentiality of information could have immediate recovery requirements.</p><p>The internal control objectives apply to all areas, whether manual or automated. But the common control objectives in an</p><p>IS environment remains unchanged from a manual environment.</p><p>The identification of key deliverables required to deliver business value is a key element of project planning. 
It provides the initial</p><p>basis for planning and should be done during initial planning</p><p>HIPAA handles health care information of an organization.</p><p>Succession planning is a process for identifying and developing internal people with the potential to fill key business leadership</p><p>positions in the company. Succession planning increases the availability of experienced and capable employees that are prepared to</p><p>assume these roles as they become available</p><p>If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risk and</p><p>exposures</p><p>Procedures that verify that only approved program changes are implemented</p><p>Long haul network diversity Providing diverse long distance network availability utilizing T-1 circuits among major long distance</p><p>carriers.</p><p>It is common for system development and maintenance to be undertaken by the same person.</p><p>Information Management and Auditing CISA 2019</p><p>56 Prepared by: madunix CCNA, CCNP, CCIP, CISA, CISSP, CFR, CSC, CIoTSP, CISM, eJPT, SCSC, KCSP, KCTP and ICATE</p><p>Diverse Routing: Routing traffic through split-cable facilities or duplicate-cable facilities is called diverse routing.</p><p>CRL: list maintained by the certificate authority indicating certificates that are revoked or expired</p><p>Compliance test is deals with test of details; Substantive deals with test of controls</p><p>Alternate routing: method of routing information via an alternative medium such as copper cable or fiber optics.</p><p>Intrusion detection systems detect intrusion activity based on the intrusion rules. It can detect both, external and internal</p><p>intrusion activity and send an automated alarm message.</p><p>Firewalls and routers prevent the unwanted and well-defined communications between the internal and external networks. 
They</p><p>do not have any automatic alarm messaging systems.</p><p>System utilities may enable unauthorized changes to be made to data on the client-server database. In an audit of database</p><p>security, the controls over such utilities would be the primary concern of the IS auditor.</p><p>Application program generators are an intrinsic part of client-server technology, and the IS auditor would evaluate the controls</p><p>over the generators access rights to the database rather than their availability.</p><p>Security documentation should be restricted to authorized security staff, but this is not a primary concern, nor is access to stored</p><p>procedures.</p><p>The services in the agreement are based on an analysis of business needs.</p><p>BCP Process: BIA => develop recovery strategy => developed, tested and implemented specific plans.</p><p>Shadow file processing, exact duplicates of the files are maintained at the same site or at a remote site. The two files are</p><p>processed concurrently.</p><p>What is the name of leftover disk space that may contain old deleted data that has not yet been overwritten: Slack space</p><p>Dumpster diving: The process of digging through trash to recover evidence or improperly disposed-of records. The same process is</p><p>frequently used by government agents and law enforcement to gather evidence; therefore, it's completely legal unless the person is</p><p>trespassing.</p><p>CA maintains a directory of digital certificates for the reference of those receiving them. 
It manages the certificate life cycle,</p><p>including certificate directory maintenance and certificate revocation list maintenance and publication.</p><p>Registration authority is an optional entity that is responsible for the administrative tasks associated with registering the end</p><p>entity that is the subject of the certificate issued by the CA.</p><p>CRL is an instrument for checking the continued validity of the certificates for which the CA has responsibility.</p><p>Default database configurations, such as default passwords and services, need to be changed; otherwise, the database could be</p><p>easily compromised by malicious code and by intruders.</p><p>Senior executives with full delegation of authority during business continuity events or disaster recovery to make decisions on behalf</p><p>of the entire organization without additional delays or approval of other executives: EMT</p><p>Electronic vaulting electronically transmits data either to direct access storage, an optical disk or another storage medium; this is a</p><p>method used by banks.</p><p>Parallel redundant UPS configuration requires models of the same capacity from the same manufacturer and isolated redundant</p><p>does not.</p><p>Isolated redundant UPS design concept does not require a paralleling bus, nor does it require that the modules have to be the</p><p>same capacity, or even from the same manufacturer.</p><p>Hard-disk mirroring provide redundancy in case the primary hard disk fails. All transactions and operations occur on two hard</p><p>disks in the same server.</p><p>The process of removing duplicate, redundant data from a database; Normalization</p><p>To commit fraud by masquerading as a legitimate user or another system; Spoofing</p><p>The recovery point objective (RPO) is the earliest point in time at which it is acceptable to recover the data. A high RPO means that</p><p>the process can wait for a longer time. 
A high Recovery time objective (RTO) means that additional time would be available for the</p><p>recovery strategy, thus making other recovery alternatives.</p><p>Data integrity: the goal is to ensure that data is accurate and safely stored</p><p>Information Management and Auditing CISA 2019</p><p>57 Prepared by: madunix CCNA, CCNP, CCIP, CISA, CISSP, CFR, CSC, CIoTSP, CISM, eJPT, SCSC, KCSP, KCTP and ICATE</p><p>Backup and restoration: what are the plans and procedures for data backup and restoration? The number one issue in IT is loss of</p><p>data due to faulty backup</p><p>Security management: Without security controls, ensuring data integrity is impossible.</p><p>Internal controls prevent unauthorized</p><p>modifications.</p><p>Mandatory versus Discretionary controls: The organization needs to clearly identify its management directives for</p><p>implementation of controls.</p><p>Mandatory control: the strongest type of control. The implementation may be administrative or technical. It is designed to force</p><p>compliance without exception.</p><p>Discretionary controls: the weakest type of control is discretionary. In a discretionary control, the user or delegated person</p><p>of authority determines what is acceptable.</p><p>The lower the RTO is the lower the disaster tolerance.</p><p>Risk assessment and business impact assessment are tools for understanding business-for business continuity planning.</p><p>IT steering committee or IT strategy committee is used to convey the current business requirements from business executives</p><p>to IT executive. It should have a formal charter designating the participation of each member. This charter grants responsibility and</p><p>authority in a concept similar to an audit charter.</p><p>The auditor should remain aware that a shadow organization represents a genuine control failure. 
This lack of integration</p><p>represents an ongoing concern in the areas of cost control, duplication of effort, or a political difference in both direction and</p><p>objectives.</p><p>The users of a biometrics device must first be enrolled in the device. The device captures a physical or behavioral image of</p><p>the human, identifies the unique features and uses an algorithm to convert them into a string of numbers stored as a template to be</p><p>used in the matching processes.</p><p>Business continuity self audit is a tool for evaluating the adequacy of the business continuity plan.</p><p>Resource recovery analysis is a tool for identifying a business resumption strategy.</p><p>Gap analysis in business continuity planning is to identify deficiencies in a plan.</p><p>Fidelity insurance > covers the loss arising from dishonest or fraudulent acts by employees.</p><p>Business interruption insurance: loss of profit due to the disruption in the operations of an organization.</p><p>Errors & omissions insurance: legal liability protection in the event that the professional practitioner commits an act that results</p><p>in financial loss to a client.</p><p>Extra expense insurance > designed to cover the extra costs of continuing operations following a disaster/disruption within an</p><p>organization.</p><p>ECC was designed for appliances with low computing power such as mobile phones</p><p>Stockholders interview > simplicity of the BCP</p><p>Review plan and compare it with standards > adequacy of the BCP</p><p>Review result from previous test > Effectiveness of the BCP</p><p>Bank Wire Transfer: Integrity represents accuracy of data. Because this data is required by law, it must be accurate and</p><p>validated.</p><p>Having data in multiple countries is the greatest concern because human resources (HR) applicant data could contain</p><p>personally identifiable information (PII). 
There may be legal compliance issues if these data are stored in a country with different</p><p>laws regarding data privacy</p><p>PERT chart > will help determine project duration once all the activities and the work involved with those activities are know.</p><p>Function point analysis: is a technique for determining the size of a development task based on the number of function points.</p><p>Function points are factors such as inputs, outputs, inquiries, logical internal files.</p><p>Standardized infrastructure may simplify testing of changes, but it does not reduce the need for such testing.</p><p>Standardized IT infrastructure provides a consistent set of platforms and operating systems across the organization.</p><p>This standardization reduces the time and effort required to manage a set of disparate platforms and operating systems. It can</p><p>help the organization reduce the cost of IT service delivery and operational support</p><p>Rapid Application Development: is a methodology that enables organizations to develop strategically important systems faster</p><p>while reducing development costs and maintaining quality.</p><p>Information Management and Auditing CISA 2019</p><p>58 Prepared by: madunix CCNA, CCNP, CCIP, CISA, CISSP, CFR, CSC, CIoTSP, CISM, eJPT, SCSC, KCSP, KCTP and ICATE</p><p>Object-oriented system development: is the process of solution specification and modeling.</p><p>Completeness check: is used to determine if a field contains data and not zeros or blanks.</p><p>Check digit: is a digit calculated mathematically to ensure original data where not altered.</p><p>Existence check: checks entered data for agreement to predetermined criteria.</p><p>Reasonableness check: matches input to predetermined reasonable limits or occurrence rates.</p><p>Functional acknowledgements are standard electronic data interchange (EDI) transactions that tell trading partners that their</p><p>electronic documents are received.</p><p>Risk within the process of 
decision support systems (DSSs) => Inability to specify purpose and usage patterns</p><p>Base case system evaluation uses test data sets developed as part of comprehensive testing programs. It is used to verify</p><p>correct systems operations before acceptance as well as periodic validation.</p><p>Wet pipes have water right up to the sprinkler heads; that is, the pipes are “wet.” The sprinkler head contains a metal (common in</p><p>older sprinklers) or small glass bulb designed to melt or break at a specific temperature.</p><p>Storing certificate revocation lists (CRLs) is a role performed by a security server.</p><p>Redundancy check detects transmission errors by appending calculated bits onto the end of each segment of data.</p><p>Reasonableness check compare data to predefined reasonability limits or occurrence rates established for the data.</p><p>Parity check: hardware control that detects data errors when data are read from one computer to another.</p><p>Generally a cold site is contracted for a longer period at a lower cost.</p><p>A hot site is contracted for a shorter time period at a higher cost and is better suited for recovery of vital and critical</p><p>applications.</p><p>Compliance Testing: Are controls in place and consistently applied? Access control, Program change control, Procedure</p><p>documentation, Program documentation, Software license audits</p><p>System log reviews, Exception follow-ups</p><p>In general, an audit charter describes all the scopes of audit activities of an organization, whereas an engagement letter</p><p>describes a particular audit activity that needs to be undertaken to achieve a specific objective of an Audit</p><p>Check digits: detect transposition and transcription errors.</p><p>Prototype system: provide significant time and cost savings. 
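As an added example (not part of the original notes) of the check-digit notes above, the following Python shows how a check digit catches a mistyped digit and an adjacent-digit transposition. The Luhn mod-10 scheme and the sample number are assumptions of this example; the notes do not name a specific algorithm, and the last check shows the one adjacent pair (09 and 90) that Luhn cannot tell apart.

```python
"""Check-digit demonstration (added example, not from the original CISA notes).

The Luhn (mod 10) scheme is assumed here as a representative check-digit
algorithm; the notes only say that a check digit is computed mathematically
and that check digits detect transposition and transcription errors.
"""


def luhn_check_digit(payload: str) -> str:
    """Compute the Luhn check digit for a string of decimal digits.

    Moving right to left over the payload, every other digit starting with
    the rightmost is doubled; a doubled value above 9 has 9 subtracted
    (the same as adding its two digits). The check digit is whatever makes
    the grand total a multiple of 10.
    """
    if not payload.isdigit():
        raise ValueError("payload must contain only decimal digits")
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # rightmost payload digit, and every second one after it
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_is_valid(number: str) -> bool:
    """Validate a digit string whose last character is its Luhn check digit."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def detection_report(valid_number: str) -> dict:
    """Apply typical keying errors to a valid number and report which are caught.

    Returns a dict mapping an error description to True when the corrupted
    number fails validation (error detected) and False when it slips through.
    """
    if not luhn_is_valid(valid_number):
        raise ValueError("input must already carry a correct check digit")
    if len(valid_number) < 6:
        raise ValueError("need at least six digits to stage both errors")
    digits = list(valid_number)
    report = {}

    # Transcription error: one digit mistyped (the 4th digit is replaced).
    mistyped = digits[:]
    mistyped[3] = "5" if mistyped[3] != "5" else "6"
    report["single digit mistyped"] = not luhn_is_valid("".join(mistyped))

    # Transposition error: two adjacent digits swapped (4th and 5th).
    swapped = digits[:]
    swapped[3], swapped[4] = swapped[4], swapped[3]
    report["adjacent digits swapped"] = not luhn_is_valid("".join(swapped))

    return report


if __name__ == "__main__":
    # Constructed sample: payload 7992739871, whose Luhn check digit is 3.
    sample = "7992739871" + luhn_check_digit("7992739871")  # "79927398713"
    print("valid number:", sample, luhn_is_valid(sample))
    for error, caught in detection_report(sample).items():
        print(f"{error}: {'detected' if caught else 'MISSED'}")
    # Caveat: Luhn cannot distinguish the adjacent pair 09 from 90, so that
    # one transposition goes undetected ("091" and "901" both validate).
    print("09/90 swap detected:", not (luhn_is_valid("091") and luhn_is_valid("901")))
```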
Prototype systems also have several disadvantages, such as poor internal controls; change control becomes much more complicated, and prototyping often leads to functions or extras being added.
Isolation: while in an intermediate state, the transaction data are invisible to external operations.
To ensure authenticity and confidentiality, two encryption operations are required. First the hash of the message is encrypted with the sender's private key. This creates a digital signature of the message which proves message integrity and the sender's authenticity. Then the message must be encrypted with the receiver's public key, which provides message confidentiality.
Encrypting a message with the recipient's public key and decrypting it with the recipient's private key ensures message confidentiality. Conversely, encrypting a message with the sender's private key and decrypting it with the sender's public key ensures that the message came from the sender; however, it does not guarantee message confidentiality. With public key infrastructure (PKI), a message encrypted with a private key must be decrypted with the corresponding public key, and vice versa.
Unregulated compliance issues are a risk but do not measure the effectiveness of the controls.
Durability guarantees that a successful transaction will persist and cannot be undone.
A hardware maintenance program should be validated against vendor specifications. Maintenance schedules normally are not approved by the steering committee. Unplanned maintenance can't be scheduled.
Library control software should be used to separate test from production libraries in mainframe and/or client-server environments. The main objective of library control software is to provide assurance that program changes have been authorized.
Library control software is concerned with authorized program changes; it would not automatically move modified programs into production and can't determine whether programs have been thoroughly tested.
Referential integrity is provided by foreign keys.
Post-incident reviews improve internal control procedures.
Capacity management is the planning and monitoring of computer resources to ensure that available IT resources are used efficiently and effectively.
To determine unauthorized changes made to production code, the auditor examines object code to find instances of changes and traces them back to change control records.
Normalization is the removal of redundant data elements from the database structure. Disabling normalization in relational databases will create redundancy and the risk of not maintaining consistency of data, with the consequent loss of data integrity.
Software development project: the users should be involved in the requirements definition phase of a development project, and the user acceptance test specification should be developed during this phase.
Compensating controls: internal controls that are intended to reduce the risk of an existing or potential control weakness when duties cannot be appropriately segregated.
Preventive controls: controls that prevent the loss or harm from occurring. For example, a control that enforces segregation of responsibilities (one person can submit a payment request, but a second person must authorize it) minimizes the chance an employee can issue fraudulent payments.
Determining future capacity is the first step in the capacity planning process.
Before implementing an IT balanced scorecard, an organization must define key performance indicators.
To assist an organization in planning for IT investments, the IS auditor should recommend the use of enterprise architecture.
Controls exist basically to mitigate risk.
Real-time data synchronization between DC and DR systems is done to avoid any data loss. This can be measured using the RPO as a parameter.
Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists.
Capacity cushion: extra amount of capacity intended to offset uncertainty in demand.
The production libraries represent executables that are approved and authorized to process organizational data.
IS audit services can be provided externally or internally.
The role of the IS internal audit function should be established by an audit charter approved by senior management.
If IS audit services are provided externally, then this should be documented in a formal contract or statement of work between the contracting organization and the service provider.
A swim lane is a visual element used in process flow diagrams, or flowcharts, that visually distinguishes job sharing and responsibilities for sub-processes of a business process. Swim lanes may be arranged either horizontally or vertically. In the accompanying example, the swim lanes are named Customer, Sales, Contracts, Legal, and Fulfillment, and are arranged vertically.
CSA techniques = identify high-risk areas that might need a detailed review later.
An IS auditor should expect references from other customers to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP).
A screened subnet (also known as a "triple-homed firewall") is a network architecture that uses a single firewall with three network interfaces (external, internal, DMZ).
Maintaining the integrity of the evidence should be the foremost goal.
IT governance ensures that an organization aligns its IT strategy with enterprise objectives.
To propagate itself to host systems, a worm typically exploits security weaknesses in operating systems' configurations. These problems are particularly severe in today's highly decentralized client-server environments.
COSO: provides an internal control framework.
Basel II Accord: regulates the minimum amount of capital for financial organizations based on the level of risk faced by these organizations.
An IS auditor should ensure that IT governance performance measures evaluate the activities of IT oversight committees.
IS strategic plans would include analysis of future business objectives.
A file backup method that copies every file that has been added or changed since the last full backup; this type of backup does not set the final archive bit flag: differential backup.
Scope creep (also called requirement creep and feature creep) in project management refers to uncontrolled changes or continuous growth in a project's scope. This phenomenon can occur when the scope of a project is not properly defined, documented, or controlled. It is generally considered a negative occurrence, to be avoided.
Discovery sampling: the process of searching 100 percent of the available records for specific attributes to determine the probability of occurrence.
Foreign key: data in the database are stored in separate tables to improve speed; a foreign key provides a link between data in two different database tables.
Waterfall model: an early software development model that cascades the completion of each phase into the next phase.
Trapdoor: a hidden software-access mechanism that will bypass normal security controls to grant access into the program.
Time bomb: technique used by programmers in computer software to disable the functionality of the program based on a specific date.
Compliance audit: a type of audit to determine whether internal controls are present and functioning effectively.
An attack that has not been seen before: zero-day attack.
Access control model that allows the system owner to establish access privileges to the system = DAC
The protection of information held in secret for the benefit of authorized users: confidentiality.
Hardware configuration analysis is critical to the selection and acquisition of the correct operating system software.
When conducting a review of business process reengineering, an IS auditor found that a key preventive control had been removed. The IS auditor should inform management of the finding and determine whether management is willing to accept the potential material risk of not having that preventive control.
Data sanitization is the process of deliberately, permanently, and irreversibly removing or destroying the data stored on a memory device.
When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware of the point at which controls are exercised as data flow through the system; an IS auditor should focus on when controls are exercised as data flow through a computer system.
Online vendor provides the use of commercial software through subscription: SaaS.
Eavesdropping and other covert techniques used to collect information: passive attack.
Worms are malicious programs that operate independently, exploiting authentication holes between systems.
Viruses attach to programs or files and travel when the host file is transferred.
Information in the computer's working memory (RAM) that will be lost when the power is shut off: volatile data.
A network diagram is the most important first step in understanding the auditee's IT infrastructure.
A planned method of testing and tracking minor software updates prior to implementing them into production; the cost of separate testing can be justified by using the price of failure (price of nonconformance): patch management.
Proxy server = circuit-level firewall
What do you call a set of commands and macros developed into a custom template inside an integrated development environment (IDE) programming tool? Pseudocode.
An organization decides to purchase a package instead of developing it. In such a case, the design and development phases of a traditional software development life cycle (SDLC) would be replaced with selection and configuration phases.
The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.
If you use an HTTPS connection to a web site, then the data is encrypted with a public key before it ever leaves the computer. So if someone is sniffing the connection with promiscuous WiFi, then it's useless data to them unless they have the private key.
A newer security protocol used in wireless networks with automatic encryption-key generation and authentication: EAP.
Trend/variance detection tools look for anomalies in user or system behavior, such as invoices with increasing invoice numbers, or determining whether the numbers for pre-numbered documents are sequential or increasing.
CASE tools are used to assist in software development.
Embedded (audit) data collection software is used for sampling and to provide production statistics.
Heuristic scanning tools can be used to scan for viruses to indicate possibly infected code.
The process of determining risks affecting the actual steps necessary to produce the desired product or service, as in use by the organization: BIA.
Embedded (audit) data collection software, such as systems control audit review file (SCARF) or systems audit review file (SARF), is used to provide sampling and production statistics, but not to conduct an audit log analysis.
Information held in computer resources, such as the contents of a server's random access memory (RAM), is the best information source when investigating a server compromise.
Wet stacking: if this happens too often, generator fires can occur, usually when the generator is put under load due to a utility outage.
A UPS system is an alternate or backup source of power, with the electric utility company being the primary source. The UPS provides protection of the load against line frequency variations, elimination of power line noise and voltage transients, voltage regulation, and uninterruptible power for critical loads during failures of the normal utility source. A UPS can be considered a source of standby power or emergency power depending on the nature of the critical loads.
The objectives of CSA programs include education for line management in control responsibility and monitoring, and concentration by all on areas of high risk.
Used in disaster recovery testing to simulate the basic recovery process in order to clean any errors from the procedure: functional testing.
To sharpen the details of an average population by using a stratified mean (such as demographics) to further define the data into small units: defuzzification.
The risk that errors may be introduced or may not be identified and corrected in a timely manner: control risk.
Faster restoration of data files: differential backup.
The probability of error: a rating of 95 percent is considered a confidence coefficient in IS auditing.
A standardized reference listing of all the programmer's data descriptions and files used in a computer program: data dictionary.
A secret point of entry into a system; usually a hidden access technique
left in the software by the developer for future use by their</p><p>technical support staff; Trapdoor</p><p>A historical score of business process performance; Unfortunately, the score may indicate that a failure has occurred before</p><p>corrective action can be taken. KPI</p><p>The process of streamlining existing operations in an effort to improve efficiency and reduce cost; Benefits may be derived by</p><p>eliminating unnecessary steps as the organization has progressed through the learning curve, or by expanding capability for more</p><p>work. BPR</p><p>A malicious hacker program designed to unsuspectingly install a backdoor without the consent of the system user. This will subvert</p><p>the operating system kernel security and operate in stealth to hide its existence. ROOTKIT</p><p>Data tables is valid across the links inside the database; Referential integrity</p><p>A system development technique used to create initial versions of software functionality. Focused on proving a method or gaining</p><p>early user acceptance, usually without any internal controls; Prototype</p><p>Access control model grants a user a predetermined level of access based on the role the user holds in the organization; RBAC</p><p>A device used in forensic investigations to prevent any changes to the original data on the hard disk or media during bitstream</p><p>imaging; Write blocker</p><p>Capacity Management process used to manage information technology (IT). 
Its primary goal is to ensure that IT capacity meets</p><p>current and future business requirements in a cost-effective manner.</p><p>Persistent data retained on the hard disk and other storage media after system shutdown; Nonvolatile data</p><p>Eliminating the opportunity for a person to reject or renounce their participation; Nonrepudiation</p><p>Information Management and Auditing CISA 2019</p><p>62 Prepared by: madunix CCNA, CCNP, CCIP, CISA, CISSP, CFR, CSC, CIoTSP, CISM, eJPT, SCSC, KCSP, KCTP and ICATE</p><p>Used to determine the critical path and to forecast the time and resources necessary to complete a project; PERT</p><p>Used to designate a prorated dollar amount or weight of effectiveness to an entire subject population; Variable sampling</p><p>A physical distance between two doorways that is designed to trap an unauthorized individual between the closed doors. Fully caged</p><p>turnstiles can provide a similar means to capture potential intruders; Mantrap</p><p>Evidence that can be reassembled in chronological order</p><p>to retrace a transaction or series of transactions; Audit trail</p><p>Low voltage for an extended period of time; Brownout</p><p>A technique used by antivirus software to replace the original end-of-file (EOF) marker with a new EOF marker generated by the</p><p>antivirus program. 
Anything attempting to attach itself to the new EOF marker indicates a virus attack: inoculation (immunization).</p><p>A unique entry in a database record that is required for the record to be valid: primary key.</p><p>Adjusting the sensitivity of a biometric system to the point at which the false acceptance rate equals the false rejection rate: equal error rate (EER); a lower EER indicates a more accurate system.</p><p>The process of physically marking insecure wireless access points to the Internet: war chalking.</p><p>A special template of biometric data converted into a count of specific characteristics that are unique to each user: minutiae.</p><p>The database administrator has decided to disable certain normalization controls in the database management system (DBMS) software to provide users with increased query performance. This will MOST likely increase the risk of redundancy of data.</p><p>A full risk assessment determines the level of protection most appropriate to a given level of risk, while the baseline approach merely applies a standard set of protection regardless of risk.</p><p>Resilience: the ability to recover quickly from illness, change or misfortune; buoyancy.</p><p>Certification practice statement (CPS): the public key infrastructure (PKI) element that provides detailed descriptions for dealing with a compromised private key.</p><p>Input authorization controls: online access controls, signatures on batch forms, unique passwords, terminal or client workstation identification, and source documents.</p><p>High humidity = corrosion. Low humidity = static electricity.</p><p>Above the raised floor: humidity sensors. Under the raised floor: water detectors (to detect leaks).</p><p>Library control software provides reasonable assurance that program changes have been authorized.</p><p>Enabling audit trails helps establish the accountability and responsibility of processed transactions by tracing transactions through the system.</p><p>Preparedness test: usually a localized version of a full test, wherein actual resources are expended in the simulation of a system crash.</p><p>Walk-through: a test involving a simulated disaster situation that tests the preparedness and understanding of management and staff rather than the actual resources.</p><p>Benchmarking provides the BEST method for determining the level of performance provided by similar information-processing-facility environments.</p><p>Traffic analysis is a passive attack: an intruder determines the nature of the traffic flow between defined hosts and, through an analysis of session length, frequency and message length, is able to guess the type of communication taking place.</p><p>Naming conventions for system resources are important for access control because they reduce the number of rules required to adequately protect resources.</p><p>Social engineering: the art of manipulating people into performing actions or divulging confidential information. Security awareness training is the most effective way to reduce social engineering incidents.</p><p>To assess how a database has been configured, the IS auditor must examine the database initialization parameters.</p><p>EDI translator: the device (or software) that translates data between the standard format (ANSI X12) and a trading partner's proprietary format.</p><p>Digital signatures are used for authentication (of the sender) and nonrepudiation; they also detect alteration of the signed message.</p><p>Insurance coverage should reflect the actual cost of recovery; coverage for media damage, business interruption, equipment replacement and business continuity processing should be reviewed for adequacy.</p><p>The data dictionary contains an index and description of all of the items stored in the database. The directory system describes the location of the data and the access method.</p><p>Effective security management = resource management + process integration + performance management.</p><p>Inherent risk exists independently of an audit and can occur because of the nature of the business; it is the risk level or exposure without taking into account the actions that management has taken or might take.</p><p>Risk appetite is the amount of risk that an enterprise is willing to take. Risk appetite is about the pursuit of risk, while risk tolerance is about the deviation from that level that the organization can deal with; risk tolerance should therefore be within risk appetite levels. They are two different though closely related concepts.</p><p>Computer-assisted audit technique (CAAT): any automated audit technique, such as generalized audit software (GAS), test data generators, computerized audit programs and specialized audit utilities.</p><p>Differential backup: each differential grows until the next full backup, so a restore requires more media capacity than an incremental scheme (but fewer restore steps).</p><p>Middleware = transaction monitoring + remote procedure call + object request broker + messaging server.</p><p>Generally Accepted Accounting Principles (GAAP): the well-recognized set of agreed-upon conventions and rules for preparing and reporting financial statements. (The corresponding standards for conducting an audit are the Generally Accepted Auditing Standards, GAAS.)</p><p>RPO indicates the earliest point in time to which it is acceptable to recover the data, i.e., the maximum tolerable data loss measured in time.</p><p>Reviewing the conceptual data model or the stored procedures will not provide information about normalization.</p><p>Certificate authority (CA): a trusted network authority that issues and manages digital certificates, binding public keys to the identities of their holders.</p><p>Sniffing vs spoofing. Sniffing: gathering information without actually touching it (or while remaining undetected), e.g., network packet sniffing; "listening" to network traffic to collect information. A common use of sniffing is to listen to network traffic to look for patterns of a worm spreading itself. Spoofing: sending network traffic that pretends to come from someone else; a common example is sending an email message whose header has been reformatted so that it looks like it comes from someone else, such as the recipient's boss.</p><p>Network security reviews include reviewing router access control lists, port scanning, internal and external connections to the system, etc.</p><p>Public key encryption, also known as asymmetric key cryptography, uses the recipient's public key to encrypt the message and the corresponding private key to decrypt it.</p><p>Concern in BCP: if nobody declares the disaster, the response and recovery plan will not be invoked.</p><p>Application run manuals should include the actions to be taken by an operator when an error occurs. Source documents and source code are irrelevant to the operator. Although data flow diagrams may be useful, detailed program diagrams and file definitions are not.</p><p>Ensuring periodic dumps of transaction logs is the only safe way of preserving timely historical data.</p><p>Avoid out-of-range data = integrity constraints in the database.</p><p>NDMP is more or less network attached storage-centric (NAS-centric) and defines a way to back up and restore data from a device. NDMP defines three kinds of services: data service, tape service and translator service.</p><p>The creation of an electronic signature does not in itself encrypt the message or secure it from compromise. 
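</p><p>The distinction drawn in the two preceding notes (public-key encryption gives confidentiality; a signature does not encrypt anything), shown with textbook RSA as an added example that is not part of the original notes. The primes, public exponent and sample message are constructed, and unpadded small-key RSA is used only so that the arithmetic is visible; a real implementation would use a vetted library with OAEP/PSS padding and 2048-bit or larger keys.</p><p>
```python
"""Sign vs. encrypt with textbook RSA (toy key sizes, no padding).

Added illustration, not code from the original notes. Small fixed primes are
used only so the mathematics is visible; never use this for real data.
"""
import hashlib

# Constructed key material: two known primes; e is the conventional exponent.
P, Q, E = 104729, 1299709, 65537


def keygen(p=P, q=Q, e=E):
    """Return ((e, n), (d, n)); pow(e, -1, phi) needs Python 3.8+."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)


def digest_int(message: bytes, n: int) -> int:
    """Hash the message and reduce into the RSA group; the signature covers this value."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Signature = hash(message)^d mod n. The message itself is left untouched (readable)."""
    d, n = private_key
    return pow(digest_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the PUBLIC key can check origin and integrity (authentication, nonrepudiation)."""
    e, n = public_key
    return pow(signature, e, n) == digest_int(message, n)


def encrypt(block: int, public_key) -> int:
    """Confidentiality is a separate operation: c = m^e mod n, recoverable only with d. Needs m < n."""
    e, n = public_key
    if not 0 <= block < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(block, e, n)


def decrypt(ciphertext: int, private_key) -> int:
    d, n = private_key
    return pow(ciphertext, d, n)


def demo():
    """Show that signing leaves the plaintext readable while encryption hides it."""
    pub, priv = keygen()
    msg = b"Transfer 1000 to account 4711"   # constructed sample message
    sig = sign(msg, priv)
    # A sniffer sees (msg, sig): the message is still fully readable.
    plaintext_visible = msg == b"Transfer 1000 to account 4711"
    signature_valid = verify(msg, sig, pub)
    # Changing one digit breaks verification: the signature protects integrity, not secrecy.
    tampered_valid = verify(b"Transfer 9000 to account 4711", sig, pub)
    # Confidentiality needs an explicit encryption step (here on a small numeric block).
    ciphertext = encrypt(4711, pub)
    decrypted = decrypt(ciphertext, priv)
    return {"plaintext_visible": plaintext_visible, "signature_valid": signature_valid,
            "tampered_valid": tampered_valid, "ciphertext": ciphertext, "decrypted": decrypted}


if __name__ == "__main__":
    print(demo())
```
</p><p>Running it shows the signed message travelling in the clear beside its signature: the public key verifies it, a one-character change makes verification fail, and only the separate `encrypt` call hides content. Signing with the private key and encrypting with the public key are two different operations on two different inputs.</p><p>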
A signature verifies only the message's origin and integrity; confidentiality requires a separate encryption step.</p><p>Pharming can be conducted either by changing the hosts file on a victim's computer or by exploiting a vulnerability in DNS (DNS cache poisoning).</p><p>The most reliable sender authentication method is digital certificates (i.e., digital signatures whose public keys are vouched for by a certificate).</p><p>Digital certificates are issued by a trusted third party (a certificate authority).</p><p>BEST risk response to the risk of loss of confidentiality in cloud computing = public key infrastructure (encryption of the data, with the keys managed through a PKI).</p><p>Software size estimation: source lines of code (SLOC, the number of lines of source code) works better for languages such as BASIC or COBOL; function point analysis is used to estimate the complexity of developing large applications. Software cost estimates are directly related to software size estimates.</p><p>Taking tape backups = classed here as a preventive control (many sources, including ISACA's CISA Review Manual, list backup procedures under corrective controls, since they are what you use to recover after a loss); verifying the backup = detective control. Detective controls identify a problem after it has occurred; corrective controls fix it. Verification and audits = detective controls.</p><p>An integrated test facility (ITF) is a CAAT that processes test data, represented by fictitious entities such as products, items or departments, through the live system alongside production data to substantiate processing.</p><p>An application-level gateway is the best way to protect against hacking because it can define detailed rules that describe the type of user or connection that is or is not permitted.</p><p>A firewall is a software- or hardware-based network security system that controls incoming and outgoing network traffic by analysing the data packets and determining whether they should be allowed through, based on a rule set. Operating systems include software-based firewalls.</p><p>Data integrity testing is a set of substantive tests that examines the accuracy, completeness, consistency and authorization of data presently held in a system (relational integrity tests + referential integrity tests).</p><p>Routers that pass data between networks contain firewall components (access control lists).</p><p>Cold start: the procedure for initially keying crypto-equipment. Cold site: a recovery site that does not have the computer equipment in place.</p><p>Completeness check: ensures that no fields are missing from the record.</p><p>Compensating control: an internal control that reduces the risk of a potential control weakness.</p><p>False rejection rate or false non-match rate (FRR or FNMR): the probability that the system fails to detect a match between the input pattern and a matching template in the database; it measures the percentage of valid inputs that are incorrectly rejected.</p><p>ITAF includes three categories of standards: general, performance and reporting.</p><p>ISACA IT audit and assurance general standards (legacy S-series numbering as used in these notes): S2 Independence, S3 Professional Ethics and Standards, S4 Competence, S6 Performance of Audit Work.</p><p>A Session Border Controller (SBC) protects a VoIP infrastructure against a DoS.</p><p>A honeypot is a trap set to detect, deflect or in some manner counteract attempts at unauthorized use of information systems.</p><p>VoIP: a DDoS attack would potentially disrupt the organization's ability to communicate among its offices and have the highest impact.</p><p>Open source: mitigates the risk of being locked into a single provider.</p><p>To address a maintenance problem, a vendor needs remote access to a critical network. The MOST secure and effective solution is to provide the vendor with a secure shell (SSH-2) tunnel for the duration of the problem.</p><p>Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote command-line login, remote command execution and other secure network services between two networked computers, connecting via a secure channel over an insecure network.</p><p>A substantive test includes gathering evidence to evaluate the integrity (i.e., the completeness, accuracy or validity) of individual transactions, data or other information.</p><p>Who verifies that system changes are authorized, tested and implemented in a controlled manner prior to being introduced into the production environment, according to the company's change and release management policies? Quality assurance personnel.</p><p>Conducting a physical count of the tape inventory is a substantive test.</p><p>CSA requires employees to assess the control stature of their own function. CSAs help increase the understanding of business risk and internal controls. Because they are conducted more frequently than audits, CSAs help identify risk in a more timely manner (detect risk sooner).</p><p>MOST appropriate to ensure the confidentiality of transactions initiated via the Internet is public key encryption.</p><p>In the event of a data center disaster, the MOST appropriate strategy to enable complete recovery of a critical database is real-time replication to a remote site.</p><p>Feasibility study: once the initial approval has been given to move forward with a project, an analysis begins to clearly define the need and to identify alternatives for addressing it. This analysis is known as the feasibility study.</p><p>At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected and no action has been taken to resolve it. The IS auditor should recommend that problem resolution be escalated.</p><p>Batch controls: total monetary amount, total items, total documents, hash totals.</p><p>Two roles of audit: assurance and consulting. Management implements controls; audit provides assurance that they are effective and strong enough.</p><p>The authority of the board of directors is delegated to audit through the audit charter.</p><p>The audit committee approves what will be audited; senior management may ask for priorities to change, but such changes should go back through the committee so that audit independence is preserved.</p><p>RPO indicates the earliest point in time to which it is acceptable to recover the data (the maximum tolerable data loss). If the RPO is low, data mirroring should be implemented as the data recovery strategy. 
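</p><p>The batch controls listed above (total monetary amount, total items, total documents, hash totals), together with the completeness check and the sequence check on pre-numbered documents from earlier notes, applied to a constructed invoice batch as an added example that is not part of the original notes. The invoice records, the batch header and the field names are made up for the illustration.</p><p>
```python
"""Input/batch controls over a constructed batch of invoice records.

Added example (not from the original notes): computes the batch control totals
(document count, item count, monetary total, hash total), a completeness check
and a sequence check on pre-numbered documents, and shows which control catches
which kind of data-entry error.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Invoice:
    number: int          # pre-numbered document
    account: int         # customer account; non-financial field used for the hash total
    items: int
    amount: float        # monetary amount


# Constructed batch header as prepared by the submitting department (expected totals).
HEADER = {"documents": 4, "items": 9, "amount": 1550.00, "hash_total": 40_100}

# Constructed sample batch: SUBMITTED is what the department sent, KEYED what data entry typed.
SUBMITTED = [
    Invoice(1001, 10_025, 2, 250.00),
    Invoice(1002, 10_030, 3, 400.00),
    Invoice(1003, 10_020, 1, 300.00),
    Invoice(1004, 10_025, 3, 600.00),
]
KEYED = [
    Invoice(1001, 10_025, 2, 250.00),
    Invoice(1002, 10_030, 3, 400.00),
    Invoice(1003, 10_020, 1, 300.00),
    Invoice(1005, 10_026, 3, 600.00),   # mis-keyed document number and account; same items/amount
]


def control_totals(batch: List[Invoice]) -> Dict[str, float]:
    """Batch control totals. The hash total is a meaningless sum of account numbers
    kept only so that substituted or dropped records can be detected."""
    return {
        "documents": len(batch),
        "items": sum(i.items for i in batch),
        "amount": round(sum(i.amount for i in batch), 2),
        "hash_total": sum(i.account for i in batch),
    }


def completeness_check(record: dict, required=("number", "account", "items", "amount")) -> List[str]:
    """Return the names of required fields that are missing or empty (0 is a valid value)."""
    return [f for f in required if record.get(f) in (None, "")]


def sequence_check(batch: List[Invoice]) -> Dict[str, List[int]]:
    """Pre-numbered documents should be consecutive: report gaps and duplicates."""
    numbers = sorted(i.number for i in batch)
    expected = set(range(numbers[0], numbers[-1] + 1))
    return {
        "gaps": sorted(expected - set(numbers)),
        "duplicates": sorted({n for n in numbers if numbers.count(n) > 1}),
    }


def reconcile(batch: List[Invoice], header: Dict[str, float]) -> List[str]:
    """Names of the control totals that disagree with the batch header (empty = batch balances)."""
    actual = control_totals(batch)
    return [k for k in header if actual[k] != header[k]]
```
</p><p>The keyed batch has the same document count, item count and monetary total as the submitted one, so the financial totals balance; only the hash total of account numbers (and the sequence check, which reports the gap at 1004) exposes the mis-keyed record. That is why a hash total with no business meaning is carried alongside the financial totals.</p><p>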
The RTO is an indicator of disaster tolerance: the lower the RTO, the lower the disaster tolerance.</p><p>Provisioning access to data on a need-to-know basis is the primary way to ensure data confidentiality.</p><p>If management disagrees with audit findings, audit explains the risk of the missing controls.</p><p>Risk: any event that may negatively affect the accomplishment of business objectives.</p><p>The use of unauthorized or illegal software should be prohibited by an organization. An IS auditor must convince the user and user management of the risk and the need to eliminate it. Software piracy can result in exposure and severe fines.</p><p>Risk is the potential or likelihood that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss or damage and to the estimated frequency of the threat. Elements of risk: threats, vulnerabilities, impact, likelihood. Controls can reduce the risk to acceptable levels.</p><p>Risk assessment: identify risk, vulnerabilities and threats // evaluate controls // determine audit objectives // supports risk-based audit decisions.</p><p>Preventive (strongest): prevents a threat from exploiting a vulnerability. Detective: detects that a control has failed or an error has occurred. Corrective: corrects the situation and mitigates the risk. Compensating: if another control fails or is not possible, a compensating control can mitigate the risk through other means.</p><p>Internal accounting controls: safeguarding assets and the reliability of financial records. Operational controls: protecting day-to-day operations. Administrative controls: adherence to management policies.</p><p>One of the bas ic purposes of any IS audit is to identify control objectives and the related controls that address those objectives.</p><p>Financial audit: correctness of financial statements. Operational audit: evaluates the internal control structure of a given process or area; application controls and logical security systems would be examples. Integrated audit: combines financial and operational audits and looks at the overall objectives of the organization. Administrative audit: looks at issues related to the efficiency of operational productivity. IS audit: looks at systems to make sure assets are safeguarded properly. Forensic audit: fraud investigations.</p><p>The antispam filtering technique that would BEST prevent a valid, variable-length email message containing a heavily weighted spam keyword from being labelled as spam is Bayesian (statistical) filtering.</p><p>An audit methodology is a set of documented audit procedures designed to achieve planned audit objectives. Its components are a statement of scope, a statement of audit objectives and a statement of work programs.</p><p>Audit risk is defined as the risk that the information or financial report may contain a material error that goes undetected during the course of the audit.</p><p>The overriding of computer processing jobs by computer operators could lead to unauthorized changes to data or programs. This is a control concern; thus it is always critical.</p><p>The IS auditor should perform additional testing to ensure that it is a finding; an auditor can lose credibility if it is later discovered that the finding was not justified.</p><p>Materiality refers to an error that should be considered significant to any party concerned with the item in question.</p><p>SSL/TLS generates a session key used to encrypt and decrypt the transmitted data, thus ensuring its confidentiality.</p><p>A validity check would be the most useful for the verification of passwords.</p><p>Materiality considerations combined with an understanding of audit risk are essential concepts for planning the areas to be audited.</p><p>Best method for mitigating network denial of service attacks: employ packet filtering to drop suspect packets.</p><p>Threats are negative events that cause a loss if they occur. Vulnerabilities are paths that allow a threat to occur.</p><p>Corrective action: an intervention as required to stop, modify or fix failures as they occur.</p><p>Substantive testing substantiates the integrity of actual processing; it provides evidence of the validity and integrity of the balances in financial statements and the transactions that support these balances. It can include a count of physical items, etc.</p><p>If the results of compliance testing reveal the presence of adequate internal controls, the confidence coefficient can be lowered and the auditor can minimize the amount of substantive testing required.</p><p>Statistical sampling: an objective method of determining sample size and selection criteria; uses the mathematical laws of probability to calculate sample size, select sample items and evaluate sample results. Nonstatistical (judgment) sampling: subjective; uses auditor judgment to determine the method of sampling.</p><p>Variable sampling: used for substantive testing; deals with population characteristics such as monetary values and weights (the different quantitative sampling models). Integrity of the data: is the data correct.</p><p>Attribute sampling: used to estimate the rate (percentage) of occurrence of a specific quality (attribute) in a given population. Stop-or-go sampling: prevents excessive sampling of an attribute by allowing the test to stop as soon as enough evidence has been gathered. Discovery sampling: used when the expected occurrence rate is low and the objective is to detect at least one occurrence.</p><p>CAAT: used to gather information and collect evidence during an audit; can be used in continuous audit situations.</p><p>Risk reduction (mitigation) lowers risk to a level commensurate with the organization's risk appetite; mitigating risk still exposes the organization to a certain amount of residual risk.</p><p>Risk transfer typically addresses financial risk and does not always address compliance risk. For instance, an insurance policy is commonly used to transfer financial risk, while compliance risk continues to exist.</p><p>Provide a mirror image of the hard drive = evidence collection.</p><p>An ongoing audit program is part of the risk-mitigation strategy.</p><p>Risk avoidance does not expose the organization to compliance risk, because the business practice that caused the inherent risk to exist is no longer being pursued.</p><p>Risk mitigation treats the risk, while risk transfer does not necessarily address compliance risk.</p><p>BCM represents the overall management of the program meant to ensure the continuity or uninterrupted provision of operations and services. It is an ongoing process that includes disaster recovery, business recovery, business resumption and contingency planning.</p><p>Generalized audit software (GAS) can read and directly access data from databases and perform all sorts of tests on the data collected.</p><p>Continuous audits: usually done in parallel with normal operations; capture internal control problems as they occur. Used in critical, complex systems that cannot be shut down.</p><p>In the business environment, a disaster is any event that creates an inability on an organization's part to support critical business functions for some predetermined period of time.</p><p>A business continuity plan is an approved set of advance arrangements and procedures that enable an organization to ensure the safety of its personnel, minimize loss, facilitate recovery of business operations and repair or replace the damaged facilities as soon as possible.</p><p>Business continuity management is a comprehensive and ongoing process to ensure the continuation of critical business operations in the face of whatever challenges the organization may face. It provides a strategic and operational framework for reviewing the way an organization provides its products and services, while increasing its resilience to disruption, interruption or loss.</p><p>CSA (control self-assessment): the auditor is a facilitator; early detection of risk; line managers are involved, which helps educate and motivate people; helps focus on areas of high risk.</p><p>IT governance is concerned with two issues: that IT delivers value to the business and that IT risks are mitigated. The second is driven by embedding accountability into the enterprise, thus also ensuring achievement of the first objective. Governance helps ensure the alignment of IT and business objectives. IT governance is a subset of corporate governance.</p><p>Bayesian filtering looks at how often particular words are used, and in what order, to make a determination.</p><p>Audit provides recommendations to senior management to help improve the quality and effectiveness of IT governance initiatives.</p><p>The board of directors and executive management are responsible for IT governance.</p><p>A steering committee is more technical in nature and oversees the project; a project steering committee is ultimately responsible for all deliverables, project costs and schedules.</p><p>A strategic plan covers roughly 3 to 5 years and is based on the mission, vision and business objectives.</p><p>Senior management demonstrates commitment to the project and approves the necessary resources to complete it; this commitment helps ensure involvement by those who are needed to complete the project. User management reviews and approves system deliverables as they are defined and accomplished, to ensure the successful completion and implementation of a new business system application.</p><p>Data dictionary: the central repository of data elements and their relationships. The data dictionary includes definitions of views, data sources, relationships, tables, indexes, etc. When new tables, views or schemas are added, the data dictionary is updated to reflect this.</p><p>Referential integrity: no record may contain a reference (foreign key) to the primary key of a non-existing record, and the database must not contain unmatched foreign key values; primary keys themselves may never be NULL (entity integrity).</p><p>4GL tools provide screen-authoring and report-writing utilities that automate database access. The 4GL tools do not create the business logic necessary for data transformation.</p><p>Key logging can circumvent normal (password) authentication but not two-factor authentication; two-factor authentication can, however, be compromised by a man-in-the-middle attack.</p><p>Establishing individual accountability depends on the operating system's control functions (identifying each user) rather than on the database access controls alone.</p><p>IS short-term plans are more operational or tactical in nature: specific, short-term requirements that are not necessarily strategic.</p><p>Risk management process: the board and executive management choose the risk management strategy and actions, which may be mitigating the risk, transferring the risk or accepting the risk.</p><p>DDE enables different applications to share data by providing interprocess communication (IPC). 
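</p><p>The primary key, referential integrity and integrity-constraint notes above, exercised against an in-memory SQLite database as an added example that is not code from the original notes. The tables, rows and constraint values are constructed. The point is that each class of bad input is rejected by the database itself, and that referential integrity in SQLite is only enforced when `PRAGMA foreign_keys` is ON, which an auditor should confirm rather than assume.</p><p>
```python
"""Database integrity constraints exercised with SQLite (Python standard library).

Added example, not from the original notes: one schema enforces entity integrity
(PRIMARY KEY), referential integrity (FOREIGN KEY) and range/domain constraints
(CHECK); each helper attempts the kind of bad write the constraint exists to stop.
"""
import sqlite3

SCHEMA = """
CREATE TABLE customer (
    cust_id   INTEGER PRIMARY KEY,          -- entity integrity: unique, never NULL
    name      TEXT NOT NULL
);
CREATE TABLE invoice (
    inv_no    INTEGER PRIMARY KEY,
    cust_id   INTEGER NOT NULL REFERENCES customer(cust_id),           -- referential integrity
    amount    REAL NOT NULL CHECK (amount > 0 AND amount <= 100000),   -- out-of-range data rejected
    status    TEXT NOT NULL CHECK (status IN ('open', 'paid', 'void')) -- domain constraint
);
"""


def open_db(enforce_fk: bool = True) -> sqlite3.Connection:
    """In-memory database with the schema and constructed sample rows loaded."""
    con = sqlite3.connect(":memory:")
    con.execute(f"PRAGMA foreign_keys = {'ON' if enforce_fk else 'OFF'}")  # the setting to audit
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO customer VALUES (?, ?)", [(1, "Acme"), (2, "Globex")])
    con.execute("INSERT INTO invoice VALUES (1001, 1, 250.0, 'open')")
    con.commit()
    return con


def _attempt(con: sqlite3.Connection, sql: str, params: tuple = ()) -> str:
    """Run one statement and report 'ok' or the constraint message that rejected it."""
    try:
        with con:                      # commit on success, roll back on error
            con.execute(sql, params)
        return "ok"
    except sqlite3.IntegrityError as exc:
        return str(exc)


def orphan_invoice(con) -> str:
    # cust_id 99 does not exist: referential integrity should refuse the insert.
    return _attempt(con, "INSERT INTO invoice VALUES (?, ?, ?, ?)", (1002, 99, 10.0, "open"))


def out_of_range_amount(con) -> str:
    return _attempt(con, "INSERT INTO invoice VALUES (?, ?, ?, ?)", (1003, 1, -5.0, "open"))


def duplicate_primary_key(con) -> str:
    return _attempt(con, "INSERT INTO customer VALUES (?, ?)", (1, "Duplicate"))


def delete_referenced_customer(con) -> str:
    """Deleting a parent row that invoices still point at must also be refused."""
    return _attempt(con, "DELETE FROM customer WHERE cust_id = 1")


def unmatched_foreign_keys(con) -> list:
    """Audit query: invoices whose cust_id matches no customer (empty when FKs are enforced)."""
    rows = con.execute(
        "SELECT i.inv_no FROM invoice i LEFT JOIN customer c ON i.cust_id = c.cust_id "
        "WHERE c.cust_id IS NULL"
    ).fetchall()
    return [r[0] for r in rows]
```
</p><p>With `enforce_fk=False` the orphan invoice is accepted and `unmatched_foreign_keys` returns it; that query is the same test an auditor would run against a production copy to check referential integrity independently of whatever the DBMS claims to enforce.</p><p>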
DDE is a communication mechanism that enables a direct connection between two applications.</p><p>The IT balanced scorecard (BSC) is used to measure the effectiveness of IT. Prerequisites for a balanced scorecard are key performance indicators (KPIs) that are applicable in the organizational context and a clear understanding of what is being measured. The balanced scorecard is used by the strategy committee and management to achieve IT and business alignment.</p><p>Risk management process: identification and classification of the information resources or assets that need protection; assessment of the threats and vulnerabilities associated with the assets and the likelihood of occurrence, including impact analysis; evaluation of existing controls, or of new controls designed to address the vulnerabilities.</p><p>Increased overhead/cost = long asymmetric encryption key.</p><p>In HTTPS the encrypted data include the URL path and query string, the HTTP headers, cookies and data submitted through forms; the destination IP address and port, and (without Encrypted Client Hello) the server name carried in the TLS ClientHello (SNI), remain visible to an observer.</p><p>Preparedness tests involve simulation of the entire environment (in phases) at relatively low cost and help the team to better understand and prepare for the actual test scenario.</p><p>Quantitative risk analysis (objective): based on numbers; assigns numeric values to the elements of the risk assessment and the potential losses; requires a lot of time and resources. Steps: estimate potential loss // conduct a threat analysis // determine annual loss expectancy.</p><p>The major difference between a router and a Layer 3 switch is that a router performs packet switching using a general-purpose microprocessor, whereas a Layer 3 switch performs the switching in application-specific integrated circuit (ASIC) hardware.</p><p>SLE (single loss expectancy): the dollar amount of potential loss to an organization if a specific threat took place. EF (exposure factor): the percentage of the asset's value lost if the threat is successful. 
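</p><p>The quantitative risk analysis terms defined here and in the formulas that follow (SLE = asset value x EF, ALE = SLE x ARO, safeguard value = ALE before minus ALE after minus the annual cost of the safeguard), worked through for several candidate safeguards as an added example that is not part of the original notes. The threat, asset value, exposure factors, rates and costs are constructed.</p><p>
```python
"""Quantitative risk analysis: SLE, ALE and safeguard value.

Added worked example, not from the original notes. Formulas as collected in the
notes: SLE = AV x EF, ALE = SLE x ARO, safeguard value = ALE_before - ALE_after
- annual safeguard cost. All figures below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float   # AV, in currency units
    ef: float            # exposure factor, 0.0 to 1.0
    aro: float           # annualized rate of occurrence (incidents per year)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    new_ef: float        # exposure factor once the safeguard is in place
    new_aro: float       # ARO once the safeguard is in place


def sle(asset_value: float, ef: float) -> float:
    """Single loss expectancy: value lost in one occurrence."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * ef


def ale(asset_value: float, ef: float, aro: float) -> float:
    """Annual loss expectancy: expected loss per year."""
    return sle(asset_value, ef) * aro


def safeguard_value(t: Threat, s: Safeguard) -> float:
    """Positive = the safeguard saves more per year than it costs."""
    before = ale(t.asset_value, t.ef, t.aro)
    after = ale(t.asset_value, s.new_ef, s.new_aro)
    return before - after - s.annual_cost


def rank_safeguards(t: Threat, options: List[Safeguard]) -> List[Dict[str, float]]:
    """Evaluate every candidate and sort by value; negative values are not cost-justified on ALE alone."""
    rows = [{"safeguard": s.name, "annual_cost": s.annual_cost,
             "ale_after": ale(t.asset_value, s.new_ef, s.new_aro),
             "value": safeguard_value(t, s)} for s in options]
    return sorted(rows, key=lambda r: r["value"], reverse=True)


# Constructed scenario: a file server expected to lose 60% of its value in a
# ransomware incident occurring about once every two years (ARO 0.5).
RANSOMWARE = Threat("ransomware on file server", asset_value=500_000, ef=0.60, aro=0.5)
OPTIONS = [
    Safeguard("offline backups + tested restore", annual_cost=20_000, new_ef=0.10, new_aro=0.5),
    Safeguard("EDR + application allow-listing", annual_cost=60_000, new_ef=0.60, new_aro=0.1),
    Safeguard("cyber insurance only", annual_cost=40_000, new_ef=0.60, new_aro=0.5),
]

if __name__ == "__main__":
    for row in rank_safeguards(RANSOMWARE, OPTIONS):
        print(row)
```
</p><p>In this model insurance changes neither EF nor ARO, so its safeguard value is negative: it transfers financial risk rather than reducing the expected loss, which is the distinction between risk transfer and risk mitigation made earlier in these notes. A negative value means the control is not justified on ALE grounds alone; compliance or contractual drivers may still require it.</p><p>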
Asset value * Exposure factor (EF) = SLE</p><p>ARO: Annual rate of occurrence # of incidents or exposure that could be expected per year.</p><p>Firewall mechanisms that are in place to mediate between the public network (the Internet) and an organization's private Network.</p><p>The IT steering committee typically serves as a general review board for major IT projects and should not become involved in</p><p>routine operations; therefore, one of its functions is to approve and monitor major projects, such as the status of IT plans and</p><p>budgets.</p><p>Observation is the best and most effective method to test changes to ensure that the process is effectively designed.</p><p>The key objective of an IT governance program is to support the business, thus the identification of organizational strategies is</p><p>necessary to ensure alignment between IT and corporate governance.</p><p>ALE – Annual loss expectancy</p><p>Annual Loss Expectancy = Single Loss Expectancy SLE x Annual Rate of Occurrence ARO</p><p>Safeguard value (ALE before safeguard) – (ALE after safeguard) – (Annual cost of safeguard) = Safeguard value</p><p>Qualitative Risk Analysis: subjective – based on high, medium, low ratings.</p><p>Obtain evidence: Inspection; Observation; Inquiry and confirmation; Reperformance; Recalculation; Computation; Analytical</p><p>procedures</p><p>Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised</p><p>benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.</p><p>In performing detailed network assessments and access control reviews, IS auditor should first determine the points of entry</p><p>Inherent risk: assumes an absence of compensating controls in the area being reviewed</p><p>An information security manager should be involved in the earliest phase of the application development life cycle to effectively</p><p>influence the outcome of the 
development effort.</p><p>Worms: Reproduce on their own with no need for a host application.</p><p>Due Diligence = did careful risk assessment (RA); so org. has implemented risk management and established necessary controls</p><p>Due Care = Implemented recommended controls from RA Liability minimized if reasonable precautions taken</p><p>Downtime can be assessed only during BIA</p><p>Information Management and Auditing CISA 2019</p><p>69 Prepared by: madunix CCNA, CCNP, CCIP, CISA, CISSP, CFR, CSC, CIoTSP, CISM, eJPT, SCSC, KCSP, KCTP and ICATE</p><p>Defined maturity level is the best overall indicator of the state of information security governance. The maturity level indicates</p><p>how mature a process is on a scale from 0 (incomplete process) to 5 (optimizing process).</p><p>Logic Bomb: Will execute certain code when a specific event happens.</p><p>Trojan Horse: Program disguised as another program.</p><p>Outsourcing: goal is to achieve lasting, meaningful improvement in business processes and services. But, requires management to</p><p>actively manage the relationship and outsourced services.</p><p>Auditors are concerned with SLAs.</p><p>SLA should serve as an instrument of control. SLAs set the baseline by which the outsourcers perform the IS function (these are</p><p>based on business requirements).</p><p>When contracting with a service provider, it is a best practice to enter into an SLA with the provider.</p><p>If outsource software development, source code escrow is critical as, in case company goes out of business, who owns the</p><p>intellectual property is a concern to the auditor. BCP is also a concern. 
Also be concerned about cross-border issues (data) and whether core business processes are being outsourced.

Risk Management:
to run at the same permission level

Non-repudiation: the assurance that a party cannot later deny originating data, that is, the provision of proof of the integrity and origin of the data that can be verified by a third party. A digital signature can provide non-repudiation.

To address an organization's disaster recovery requirements, backup intervals should not exceed the: RPO.

Resource Management: the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people.

Multiple components (N) have at least one (+1) independent backup component available = N+1.

Ad hoc networks are a dynamic grouping of devices in ever-changing configurations. Imagine the wireless devices connecting via Bluetooth when you enter a coffee shop, a client's office, or your own automobile. As you move through your activities each day, the configuration of this overall network is changing. Ad hoc means unstructured and ever changing.

When an organization is outsourcing its information security function, which of the following should be kept in the organization? Accountability for the corporate security policy.

An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)? References from other customers.

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider agrees to be subject to external security reviews.

Segregation of Duties = Compensating Controls.

Incident response: a response is required from skilled individuals to deal with technical problems or the failure of internal controls.

When the cost of the control is more than the cost of the risk, the risk should be accepted. Transferring, treating or terminating the risk is of limited benefit if the cost of that control is more than the cost of the risk itself.

The purpose of the audit committee is to provide advice to the executive accounting officer concerning internal control strategies, priorities, and assurances.

The audit committee manages planned audit activities and the results of both internal and external audits. The committee is authorized to engage outside experts for independent assurance.

Inherent risk: these are natural or built-in risks that always exist.

Detection risks: these are the risks that an auditor will not be able to detect what is being sought. It would be terrible to report no negative results when material conditions (faults) actually exist.
Detection risks include sampling and nonsampling risks.

Sampling risks: these are the risks that an auditor will falsely accept or erroneously reject an audit sample (evidence).

Nonsampling risks: these are the risks that an auditor will fail to detect a condition because of not applying the appropriate procedure or using procedures inconsistent with the audit objective (detection fault).

Data transmitted between the biometric scanners and the access control system should use a securely encrypted tunnel to protect the confidentiality of the biometric data.

To maximize the value an organization obtains from its BI initiatives, an effective BI governance process needs to be in place.

Control risks: the risks that an auditor loses control, errors could be introduced, or errors may not be corrected in a timely manner.

Business risks: these are risks that are inherent in the business or industry itself (regulatory, contractual, financial).

Technological risks: these are inherent risks of using automated technology.

Operational risks: these are the risks that a process or procedure will not perform correctly.

Residual risks: these are the risks that remain after all mitigation efforts are performed.

Audit risks: the combination of inherent, detection, control, and residual risks. These are the same risks facing normal business operations.

No computers or IT systems in place: Cold Site.
Computers or IT systems are in place but the network is only partially configured: Warm Site.
Taking real-time backup of applications: Hot Site (note: the key word here is backup).
Taking real-time replication of data: Mirrored Site (note: the key word here is replication).

Bottom-up vs. top-down testing: with bottom-up, errors in critical modules are detected earlier.

Remote processing site prior to transmission of the data to the central processing site.

Mapping identifies specific program logic that has not been tested and analyzes programs during execution to indicate whether program statements have been executed.

Check digit = detects data transposition errors.

To ensure that all patches applied went through the change control process, it is necessary to use the operating system (OS) patch logs as a starting point and then check to see if change control documents are on file for each of these changes.

If the RPO is low, data mirroring should be implemented as the data recovery strategy.

Is developed for the organization as a whole: Top-Down.
Is more likely to be derived as a result of a risk assessment: Bottom-Up.
Top-Down: will not conflict with overall corporate policy; ensures consistency across the organization.

Risk management ->> Security policy decisions.

Determine the RPO for a critical process in an enterprise = Extent of data loss that is acceptable.

Security Baseline: sufficiency of control, documentation, implementation, compliance.

MOST important element for the successful implementation of IT governance = Identifying organizational strategies.

Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it.
Detection methods include using an alternative and trusted operating system, behavioral-based methods, signature scanning, difference scanning, and memory dump analysis.

After a disaster declaration, the media creation date at a warm recovery site is based on the = RPO.

Data collection techniques: staff observation; document review; interviews; workshops; CAATs; surveys.

Classification of audits: financial audit; operational audit; integrated audit (combines both financial and operational audit).

To ensure that the organization is complying with privacy issues, an IS auditor should address legal and regulatory requirements first.

Transborder data flow refers to data transmission between two countries.

A password vault is a software program that keeps a number of passwords in a secure digital location.

Rapid elasticity is a cloud computing term for scalable provisioning, or the ability to provide scalable services. Experts point to this kind of scalable model as one of five fundamental aspects of cloud computing.

The critical processes will change as the business changes with new products and customers.

Two groups that have offered a baseline of definitions for Cloud: NIST and the Cloud Security Alliance.

PaaS: capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider.

Phlashing: permanent denial-of-service (PDoS) attack; damages system hardware.

is aligned with business strategy & direction
Risk mgmt must be a joint effort between all key business units & IS.
Business-Driven (not Technology-Driven).

Reducing the number of defects encountered during software development projects = Implement formal software inspections.

Steering Committee:
Sets risk management priorities.
Defines risk management objectives to achieve the business strategy.

References = part of the RFP.

Accountability = can never be outsourced.

Risk arising out of outsourcing can be mitigated by outsourcing to more than one vendor.

Quality Management is the means by which IS department-based processes are controlled, measured and improved.

A quality management system is based on a set of documents, manuals and records.

Problem: the test environment is not configured with the same access controls that are enabled in the production environment.

A gap analysis is needed to check the company against the requirements in the standards, and then the company can fill the gaps; part of ISO 9001 quality management best practices.

Several control mechanisms can be used to enforce SOD.

Residual risk: after eliminating, mitigating, and transferring risk, residual risk remains; the risk that is assumed after implementing controls is known as residual risk.

Offsite information processing facility with electrical wiring, air conditioning and flooring, but no computer or communications equipment: COLD SITE; it is ready to receive equipment but does not offer any components at the site in advance of the need.

A warm site is an offsite backup facility that is partially configured with network connections and selected peripheral equipment, such as disk and tape units, controllers and central processing units (CPUs), to operate an information processing facility.

Compensating controls for lack of segregation of duties (mostly detective in nature): audit trails // reconciliation // exception reporting // transaction logs // supervisory reviews // independent reviews.

Hybrid sourcing: a combination of using in-house workers and outsourcing selected processes.

Education of users is more important to the successful implementation and maintenance of a security policy than management support.

Compliance responsibilities are usually shared across organizational (ALL) units, and the results are shared with executive management and the board of directors' audit or compliance committee.

Email retention is an important focus.

Lack of security controls is a vulnerability.

The following function is performed by a VPN: hiding information from sniffers on the net.

Projects are unique, temporary and are developed progressively.

Business case: shows the benefits to be achieved for the business and must be kept for the lifecycle of the project.

Influence project: the Project Manager has no formal authority.
Pure project: the Project Manager has formal authority over those taking part in the project.
Matrix project: the Project Manager shares authority with functional managers.

Duration of a project: since adding resources may change the route of the critical path, the critical path must be reevaluated to ensure that additional resources will in fact shorten the project duration.

Project objectives must be SMART: Specific // Measurable // Achievable // Relevant // Time bound.

If the auditor discovers that there are no documented security procedures, the next step would be to identify and evaluate the practices used by the organization.

Project roles and responsibilities: the purpose is to show accountability.
Senior Mgmt: approves the resources for the project.
User Mgmt: assumes ownership of the project and the resulting system.
Project steering committee: overall direction, and ensures stakeholders are represented.
Project sponsor: provides funding and works with the Project Manager to define critical success factors and metrics. Data and application ownership is assigned to the sponsor.
System dev mgmt: provides tech support.
Project manager: provides day-to-day mgmt of the project.

Three critical elements to projects: Time-duration: how long will it take? // Cost-resources: how much will it cost? // Deliverables-scope: what is to be done?

The data owner specifies controls and is responsible for acceptable use.

The auditor may discover information that could cause some level of damage to the client if disclosed. In addition, the auditor shall implement controls to ensure security and data backup of their work.

Valid audit types are financial, operational (SAS-70), integrated (SAS-94), compliance, administrative, forensic, and information systems.

A forensic audit is used to discover information about a possible crime.

Critical Path: the longest path through the network; there is no slack time for any activity on the critical path, and any activities with no slack time are on the critical path.

Every project schedule must have at least one critical path. Every activity that resides on the critical path has no (zero) slack time. If an activity has slack time then it is not part of the critical path.

GANTT charts: aid in scheduling of activities/tasks. Charts show when activities start and end, and their dependencies. Used for checkpoints/milestones too.

PERT: network management technique. Shows relationships between various tasks and shows estimates/scenarios for completing tasks; three estimates are shown: optimistic, most likely and pessimistic. It doesn't talk about costs.

Time box: project management technique for defining and deploying software deliverables within a short and fixed period of time with pre-determined resources. There must be a software baseline.

Traditional SDLC aka waterfall.

Data Conversion: the risk is that you will not convert all the data; some will be missed.
You also need to make sure that you are comparing control totals before and after conversion to avoid this.

Control totals can be used to compare batches too.

If purchasing a system, make sure decision makers are involved at all steps. Many things need to be considered as part of the acquisition, including turnaround time (time to fix an issue from when it is first logged) and response time (the time a system takes to respond to a query by a user).

SMALL BIZ => supervision of computer usage.

Asset mgmt: assets stand by themselves.
Configuration management: interrelationships between assets.

Quality assurance is responsible for ensuring that programs, program changes and documentation adhere to established standards.

Early engagement of key users will help ensure business requirements will be met in the software development process.

The mean time between failures that are first reported represents flaws in the software that are reported by users in the production environment. This information helps the IS auditor in evaluating the quality of the software that is developed and implemented.

Regression testing: a regression test means to run a particular test once again to make sure that the modification of the software has not introduced any new errors. All the data used in the original test need to be used in the regression test.

The project steering committee approves the RFPs for software acquisitions. It is responsible for all costs and timetables.

Bottom up: begin testing each module and work your way up until the whole system is tested.
Finds critical errors earlier because testing can start before the system is done; sort of white box testing.

Top down: start at the interfaces of the entire system and work your way down to each function/component; like black box testing, functional.

The purpose of Total Quality Management is end-user satisfaction.

A standard is implemented to ensure a minimum level of uniform compliance. Guidelines are advisory information used in the absence of a standard. Compliance with standards is mandatory; compliance with guidelines is discretionary.

The policy should be signed and enforced by the highest level of management.

Unit testing: testing of individual programs or modules; usually white box testing.
System testing: making sure that all modules function together properly.
Integration testing: evaluates the connection of components that pass info to each other.
Final acceptance testing: done during the implementation phase by QA and then UAT.
White box: assesses the effectiveness of software program logic.
Black box: testing of interfaces and general function; doesn't care about internal structure.
Function/validation: similar to system testing, but often used to test the functionality of the system against requirements.
Regression testing: rerunning a portion of a test scenario to make sure that changes have not introduced new errors in other parts of the app.

UDDI (universal description, discovery and integration): acts as an electronic directory accessible via corporate intranet or internet and allows interested parties to learn of the existence of web services.

After an IS auditor has identified threats and potential impacts, the auditor should then identify and evaluate the existing controls.

The primary purpose of audit trails is to establish accountability and responsibility for processed transactions.

Reengineering: the process of updating an existing system by extracting and reusing design and program components.

Reverse engineering: the process of taking apart an app to see how it functions; can be done by decompiling code.

Configuration management: version control software and a check-out process. Used for software dev and for other things: programs, documentation, data. Change control works off of config mgmt.

Logical path monitor: reports on the sequence of steps executed by a programmer.

QA = UT + FT + IT + RT + UAT
UNIT -> INTEGRATION -> SYSTEM -> AT

Program maintenance is facilitated by more cohesive (the performance of a single, dedicated function by a program) and more loosely coupled (independence of the comparable units) programs.

A structured walk-through is a management tool; it involves peer reviews to detect software errors during a program development activity.

Salami technique: it truncates the last few digits from a transaction. For instance, changing the value 125.39 into 125.30 or into 125.00 is an example of the salami technique.

Functional or validation testing: tests the detailed functionality of the system to ensure that the system is right for the customers. It is comparable to system testing.

Parallel testing: this test is done by feeding the same test data to the original system and the newly designed system to compare the results.

Wi-Fi Protected Access (WPA2) implements the most security for WiFi.

The first concern of an auditor is whether the application meets business requirements; a close second is whether there are adequate controls in place.

CASE: automated tools to aid in the software development process.
Their use may include the application of software tools for requirements analysis, software design, code generation, testing and documentation generation. Can enforce a uniform approach to software dev; reduces manual effort.

A digital signature mechanism ensures the integrity of the message content by creating a one-way hash at both the source and destination and then comparing the two.

CASE: doesn't guarantee that software will meet user requirements or be correct.

Integrating BCP into the development process ensures complete coverage of the requirements through each phase of the project.

An excessive number of users with privileged access is not necessarily an issue if compensating controls are in place.

Quantitative Risk: overall business risk takes into consideration the likelihood and magnitude of the impact when a threat exploits a vulnerability, and provides the best measure of the risk to an asset.

(Sharing passwords) users need to be aware of company policy and the risk that may arise from sharing passwords. Awareness training would help to address this issue.

Business Process Re-engineering (BPR): this is the process of responding to competitive and economic pressures and customer demands to survive in a business environment. It is important for the auditor to understand the flow charts showing the before and after processes to make sure appropriate controls are in place.

Selenium: this is an open source tool used for automating web applications. Selenium can be used for browser-based regression testing. It's a tool used for both functional and regression testing.

Benchmarking: improving business process; BPR technique (PROAAI): SWOR, Comparing, Merge, Investment, Process design, BPR.

Regression testing is required when there is a:
change in requirements and the code is modified according to the requirement;
new feature added to the software;
defect fix;
performance issue fix.

Run-to-run totals: a process that tracks the total number of submissions to ensure that all transactions have been processed.
Sequence Check: sequence number use causes out-of-sequence and duplicate numbers to be rejected.
Limit or Range Check: valid numbers are below or between maximum values. E.g., checks should not exceed $
Validity Check or Table Lookup: only certain values are accepted: Sex=M/F.
Reasonableness Check: values entered are reasonable: a takeout order of 100 pizzas???
Existence Check: required fields are entered correctly.
Key Verification: input is double-checked via a second person OR all digits are entered twice.
Check Digit: a digit may verify the correct entry of other digits.
Completeness Check: complete input is provided: zeros or spaces are checked for each required letter or digit.
Duplicate Check: duplicate transactions or transactions with duplicate IDs are checked for and rejected.

Data owners are primarily responsible for authorizing access to production data on a need-to-know basis.

Termination checklist: requires that keys and company property be returned and all access permissions revoked upon termination.

A redundancy check detects transmission errors by appending calculated bits onto the end of each segment of data; a parity check just tells you if the data you sent was an even or odd number of bits. A reasonableness check compares data to predefined reasonability limits or occurrence rates established for the data.

A parity check is a hardware control that detects data errors when data are read from one computer to another, from memory or during transmission.

Check digits detect transposition and transcription errors.

Application Controls: to ensure the completeness and accuracy of the records and the validity of the entries made.

The use of a digital signature verifies the identity of the sender.

The recovery point objective (RPO) is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption. The media creation date will reflect the point to which data are to be restored, or the RPO.

The recovery time objective (RTO) is the amount of time allowed for the recovery of a business function or resource after a disaster occurs.

The service delivery objective (SDO) illustrates the expected level of service during recovery. The organization may have several SDO targets based on the different phases of recovery.
RTO is the recovery time objective, and RPO is the recovery point objective. ITO is a distractor.

The service delivery objective (SDO) is directly related to the business needs, and is the level of service to be reached during the alternate process mode until the normal situation is restored.

Compliance test deals with tests of details; substantive test deals with tests of controls.

MTO is the maximum time that an organization can support processing in alternate mode.

Total monetary amount: total monetary amount of items processed = total monetary value of batch docs.
Total items: total number of items on each doc in the batch = total number of items processed.

Data validation identifies data errors, incomplete or missing data or inconsistencies among related items, and edit controls are preventive controls used before data is processed. Input data should be evaluated as close to the time and point of origination as possible.

Structured walkthrough = a tabletop exercise.

Batch total checks provide a reasonably good test for completeness and accuracy of input.

Sequence check: is everything in sequence.
Limit check: data should not exceed a certain predetermined limit.
Range check: data should be within the range of predetermined values.
Validity check: the record should be rejected if anything but a valid entry is made; e.g., marital status should not be entered into the employee number field.
Reasonableness check: input data matched to predetermined reasonable limits or occurrence rates; normally 20 orders are received, so if 25 are received that's a problem.
Table lookups: input data compared to predetermined criteria maintained in a lookup table.

Hot sites can be made ready for operation normally within hours.

Substantive testing confirms the integrity of a process.
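
The input edit checks listed in the notes (sequence, limit, validity/table lookup, reasonableness, completeness, duplicate, check digit) and the batch control totals (total items, total monetary amount) are easier to reason about when seen together in one validation pass. The following is an added example written for these notes, not code from the notes' author or from any ISACA material: it uses the Luhn mod-10 algorithm as the check digit (the notes do not name a specific algorithm; Luhn is assumed here because it is the common one for account-style numbers) and the thresholds, field names and sample batch are all constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed thresholds and reference table for the example (assumed, not from the notes)
VALID_SEX = {"M", "F"}        # validity check / table lookup
CHECK_LIMIT = 10_000.00       # limit check: no single check above this amount
USUAL_ORDER_QTY = 20          # reasonableness check: the normal order size


def luhn_check_digit(payload: str) -> str:
    """Mod-10 (Luhn) check digit for a string of digits. Luhn catches every
    single-digit transcription error and all adjacent transpositions except 09<->90."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct check digit for the digits before it."""
    return len(number) > 1 and number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class Transaction:
    seq: int        # batch sequence number
    account: str    # account number whose last digit is a Luhn check digit
    sex: str        # coded field validated by table lookup
    qty: int        # order quantity
    amount: float   # monetary amount


def edit_checks(tx: Transaction, expected_seq: int, seen_seqs: set) -> list[str]:
    """Return the names of the input edit checks that this transaction fails."""
    errors = []
    if tx.seq in seen_seqs:
        errors.append("duplicate")          # duplicate check
    elif tx.seq != expected_seq:
        errors.append("sequence")           # sequence check
    if not tx.account:
        errors.append("completeness")       # completeness / existence check
    elif not luhn_valid(tx.account):
        errors.append("check_digit")        # check digit
    if tx.sex not in VALID_SEX:
        errors.append("validity")           # validity check / table lookup
    if tx.amount > CHECK_LIMIT:
        errors.append("limit")              # limit check
    if tx.qty > USUAL_ORDER_QTY:
        errors.append("reasonableness")     # reasonableness check
    return errors


def validate_batch(batch: list, control_items: int, control_amount: float) -> dict:
    """Apply the edit checks to every transaction, then compare the batch control
    totals (total items, total monetary amount) with the totals supplied for the batch."""
    rejected = {}
    seen = set()
    expected = batch[0].seq if batch else 1
    for tx in batch:
        errs = edit_checks(tx, expected, seen)
        if errs:
            rejected[tx.seq] = errs
        seen.add(tx.seq)
        expected += 1
    total_amount = round(sum(tx.amount for tx in batch), 2)
    return {
        "rejected": rejected,
        "items_ok": len(batch) == control_items,
        "amount_ok": total_amount == round(control_amount, 2),
    }


# Constructed sample batch: one clean record; one whose account number has its last
# two digits transposed and an unusually large quantity; one out of sequence with
# a missing account, an invalid code and an amount over the limit.
SAMPLE_BATCH = [
    Transaction(1, "79927398713", "M", 5, 1200.00),
    Transaction(2, "79927398731", "F", 25, 500.00),
    Transaction(4, "", "X", 1, 15000.00),
]

if __name__ == "__main__":
    print(validate_batch(SAMPLE_BATCH, control_items=3, control_amount=16700.00))
```

Each rejected transaction is reported with every check it fails rather than only the first, which is what an exception report for a batch would need; the batch totals are evaluated independently of the per-record checks, since a batch can balance to its control totals and still contain invalid records.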
A substantive test will determine whether tape library records are stated in a correct manner.

The purpose of batch controls is to ensure that the batch is not changed during processing.

Existence check: data entered correctly and meeting predetermined criteria; a valid transaction code must be entered in the transaction code field.

Post-event reviews to find the gaps and shortcomings in the actual incident response processes will help to improve the process over time.

To proactively detect emerging risk in a large volume of transactions you need to use the "continuous auditing" technique, which feeds real-time data to management so that quick corrective action can be taken soon after the detection of any anomalies.

The first step before creating a risk ranking is to define the audit universe, which takes into account the organizational structure, authorization matrix and IT strategic plan.

Database normalization minimizes duplication of data through standardization of the database table layout.
Increased speed is obtained by reducing the size of individual tables to allow a faster search.

Attribute sampling, used in compliance testing, can effectively determine whether a purchase order has been authorized according to the authorization matrix.

A change management process is developed = Design phase.

Resource pooling: resources are pooled across multiple customers.
Rapid elasticity: capability can scale to cope with demand peaks.
SaaS: applications are designed for end-users, delivered over the web.
PaaS: the set of tools and services designed to make coding and deploying those applications quick and efficient.
IaaS: the hardware and software that powers it all: servers, storage, networks, operating systems.

White box testing is performed much earlier in the software development life cycle than alpha or beta testing. White box testing is used to assess the effectiveness of software program logic.

The review of the test cases will facilitate the objective of a successful migration and ensure that proper testing is conducted. An IS auditor can advise as to the completeness of the test cases.

Key verification: the keying-in process is repeated by two different people.

Check digit: a numeric value that has been calculated mathematically is added to data to ensure that the original data have not been altered or an incorrect value submitted.
Detects transposition and transcription errors; verifies data accuracy/integrity (checksum).

The inference engine uses rules, also known as heuristics, to sort through the knowledge base in search of possible answers.
The meaning of information in the knowledge base can be recorded in objects and symbols known as semantic networks.</p>
<p>Completeness check – a field should always contain data and not zeros or nulls.</p>
<p>Duplicate check – new transactions are matched against those previously input to make sure they have not already been entered.</p>
<p>Domain integrity test – verifies that the edit and validation routines are working satisfactorily and that all data items are in the correct domain.</p>
<p>The scope of an IS audit is defined by its objectives. This involves identifying control weaknesses relevant to the scope of the audit. Obtaining sufficient and appropriate evidence assists the auditor not only in identifying control weaknesses but also in documenting and validating them. Complying with regulatory requirements, ensuring coverage and the execution of the audit are all relevant to an audit but are not the reason why sufficient and relevant evidence is required.</p>
<p>Run-to-run totals – can verify the data through the stages of application processing.</p>
<p>Programmed controls – software can be used to detect and initiate corrective action for errors in data and processing.</p>
<p>Parity checking – checks for completeness of data transmissions/transmission errors.</p>
<p>Redundancy check – appends calculated bits onto the end of each segment of data to detect transmission errors.</p>
<p>A CA is a trusted third party that attests to the authenticity of a user's public key by digitally signing it with the CA's private key.</p>
<p>Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM): embedding specially written audit software in the organization’s host application system; regular processing cannot be interrupted; complexity: high.</p>
<p>Integrated Test Facility (ITF): dummy entries are set up and included in the auditor's production file; it is not beneficial to use test data; complexity: high.</p>
<p>Snapshots: pictures of the process path; an audit trail is required; complexity: medium.</p>
<p>Audit hooks: embedding hooks in applications; only select transactions or processes need to be examined; complexity: low.</p>
<p>When developing a large and complex IT infrastructure, the best practice is to use a phased approach to fit the entire system together. This will provide greater assurance of quality results.</p>
<p>Continuous &amp; Intermittent Simulation (CIS): simulates the instructions executed by the application; transactions meeting certain criteria need to be examined; complexity: medium.</p>
<p>Preparedness test = using actual resources to simulate a system crash.</p>
<p>Relational integrity tests – performed at the data element and record level; enforced through data validation routines, by defining input condition constraints and data characteristics, or both. Is the data OK?</p>
<p>Referential integrity tests – these define existence relationships between entities in a database that need to be maintained by the DBMS. These relationships are maintained through referential constraints (primary and foreign keys).
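The referential constraints just described, together with the all-or-nothing transaction behaviour these notes call atomicity, shown with SQLite's built-in enforcement. This is an added example, not code from the original notes; the customer/orders schema is constructed, and where the notes describe propagating a primary-key change with triggers, the same effect is declared here with ON UPDATE CASCADE.

```python
"""Referential integrity and atomic transactions in SQLite (added example).
The customer/orders schema is constructed for illustration.  SQLite does not
check foreign keys unless PRAGMA foreign_keys is switched on per connection,
which is the first thing an auditor should verify in such a configuration."""
import sqlite3

SCHEMA = """
CREATE TABLE customer (
    cust_id  INTEGER PRIMARY KEY,
    name     TEXT NOT NULL
);
CREATE TABLE orders (
    order_id INTEGER PRIMARY KEY,
    cust_id  INTEGER NOT NULL
             REFERENCES customer(cust_id)
             ON UPDATE CASCADE ON DELETE RESTRICT,   -- referential constraint
    amount   REAL NOT NULL CHECK (amount > 0)        -- domain constraint
);
"""


def open_db() -> sqlite3.Connection:
    """In-memory database with referential constraints enforced by the DBMS."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")   # off by default in SQLite
    con.executescript(SCHEMA)
    con.execute("INSERT INTO customer VALUES (1, 'Alice'), (2, 'Bob')")
    con.execute("INSERT INTO orders VALUES (10, 1, 99.0), (11, 2, 12.5)")
    con.commit()
    return con


def insert_order(con, order_id, cust_id, amount) -> bool:
    """Referential integrity test: an order that points at a non-existent
    customer is rejected by the DBMS, not by application code."""
    try:
        with con:   # commits on success, rolls back if an exception escapes
            con.execute("INSERT INTO orders VALUES (?, ?, ?)",
                        (order_id, cust_id, amount))
        return True
    except sqlite3.IntegrityError:
        return False


def rekey_customer(con, old_id, new_id) -> list:
    """Change a primary key; the matching foreign keys in orders follow it."""
    with con:
        con.execute("UPDATE customer SET cust_id = ? WHERE cust_id = ?",
                    (new_id, old_id))
    return [row[0] for row in con.execute(
        "SELECT cust_id FROM orders ORDER BY order_id")]


def transfer_atomic(con, order_id, new_cust, bad_amount) -> int:
    """Atomicity: two updates in one transaction.  The second violates the
    CHECK constraint, so the first is rolled back too (all or nothing)."""
    try:
        with con:
            con.execute("UPDATE orders SET cust_id = ? WHERE order_id = ?",
                        (new_cust, order_id))
            con.execute("UPDATE orders SET amount = ? WHERE order_id = ?",
                        (bad_amount, order_id))
    except sqlite3.IntegrityError:
        pass
    return con.execute("SELECT cust_id FROM orders WHERE order_id = ?",
                       (order_id,)).fetchone()[0]


def order_count(con) -> int:
    return con.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print("orphan order accepted?", insert_order(db, 13, 999, 5.0))   # False
    print("orders after rekey:", rekey_customer(db, 1, 100))
    print("order 11 owner after failed transfer:", transfer_atomic(db, 11, 100, -1.0))
```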
It is necessary that references be kept consistent in the event of insertions, deletions and updates to these relationships.</p>
<p>Atomicity – a transaction is either completed in its entirety or not at all.</p>
<p>Consistency – all integrity conditions hold with each transaction, so the database moves from one consistent state to another.</p>
<p>Isolation – each transaction is isolated from other transactions, so each transaction only accesses data that are part of a consistent database state.</p>
<p>Implementing risk management, as one of the outcomes of effective information security governance, would require a collective understanding of the organization’s threat, vulnerability and risk profile as a first step.</p>
<p>Durability – if a transaction has been reported back to the user as complete, the resulting changes will persist even if the database falls over.</p>
<p>Both downtime costs and recovery costs need to be evaluated in determining the acceptable time period before the resumption of critical business processes. The outcome of the business impact analysis (BIA) should be a recovery strategy that represents the optimal balance.</p>
<p>Asymmetric encryption: data encrypted with the receiver's public key are decrypted with the receiver's private key.</p>
<p>Snapshot – takes snapshots of data as they flow through the application. Very useful as an audit trail.</p>
<p>Mapping – identifies unused code and helps identify potential exposures.</p>
<p>Tracing/tagging – shows an exact picture of the sequence of events, i.e., the trail of instructions executed during application processing. Tagging involves placing a flag on selected transactions at input and using tracing to track them.</p>
<p>A BIA will give the impact of the loss of each application. A BIA is conducted with representatives of the business that can accurately describe the criticality of a system and its importance to the business.</p>
<p>A project steering committee that provides overall direction for the enterprise resource planning (ERP) implementation project is responsible for reviewing the project’s progress to ensure that it will deliver the expected results.</p>
<p>Test data/deck – simulates transactions through real programs.</p>
<p>Base case system evaluation – uses test data sets developed as part of comprehensive testing programs; used to verify correct system operation before acceptance.</p>
<p>Parallel operation – put production data through both the existing and the new system and compare the results.</p>
<p>Integrated test facility – creates a test file in the production system, and those test transactions get processed along with the live data.</p>
<p>The IT steering committee provides open communication of business objectives for IT to support. The steering committee builds awareness and facilitates user cooperation. Focus is placed on fulfilment of the business objectives.</p>
<p>CMM is commonly used by entities to measure their existing state and then determine the desired one.</p>
<p>“Use of a statistical sample for tape library inventory” is an example of a substantive sampling technique.</p>
<p>Cost-benefit analysis is performed to ensure that the cost of a safeguard does not outweigh its benefit and that the best safeguard is provided for the cost of implementation.</p>
<p>Extended records – gathers all data that have not been affected by a particular program.</p>
<p>GAS (generalized audit software) – includes mathematical computations, stratification, statistical analysis, sequence and duplicate checking and recomputations; identifies transactions that exceed predetermined thresholds.</p>
<p>Regression testing is a type of software testing that seeks to uncover new software bugs, or regressions, in existing functional and non-functional areas of a system after changes, such as enhancements, patches or configuration changes, have been made to them.</p>
<p>The sender's private key is required to generate a digital signature. The recipient uses the sender's public key to validate the digital signature.</p>
<p>Protect confidentiality = encryption.</p>
<p>The project sponsor is typically the senior manager in charge of the primary business unit that the application will support. The sponsor provides funding for the project.</p>
<p>Audit hooks – embed hooks in application systems to function as red flags and to induce IS auditors to act before an error or irregularity gets out of hand. Useful when only select transactions need to be examined.</p>
<p>ITF: continuous and intermittent simulation – as each transaction is entered, the simulator decides whether the transaction meets certain criteria and, if so, audits it.</p>
<p>Data dictionary: a database that contains the name, type, range of values, source and authorization for access for each data element in a database.</p>
<p>Vulnerabilities are a key element in the conduct of a risk analysis.</p>
<p>Audit planning consists of short- and long-term processes that may detect threats to the information assets.</p>
<p>Controls mitigate risks associated with specific threats.</p>
<p>Liabilities are part of business and are not inherently a risk.</p>
<p>An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee.</p>
<p>BCP refers to the business's ability to continue its fundamental functions in the event something disrupts them (an organizational issue). DR is more about planning how to address situations where access to crucial systems is unavailable: when systems are down, how to restore those systems (an IT department issue).</p>
<p>The audit charter should state management’s objectives for, and delegation of authority to, IS audit. This charter should not significantly change over time and should be approved at the highest level of management. An audit charter would not be at a detailed level and, therefore, would not include specific audit objectives or procedures.
It outlines the overall authority, scope and responsibilities of the audit function.</p>
<p>Redundancy check – detects transmission errors by appending calculated bits onto the end of each segment of data.</p>
<p>Range check: range checks ensure that data fall within a predetermined range.</p>
<p>Application controls: the policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved.</p>
<p>Communications software/handler: the process for transmitting and receiving electronic documents between trading partners.</p>
<p>Risk mitigation is the strategy that provides for the definition and implementation of controls to address the risk described. Requiring the system administrator to sign off on the completion of backups is an administrative control that can be validated for compliance.</p>
<p>The resumption of critical processes has the highest priority because it enables business processes to begin immediately after the interruption and not later than the maximum tolerable period of disruption (MTPD) or maximum tolerable downtime (MTD).</p>
<p>Board of directors (BoD) = determining business goals.</p>
<p>Computer-aided software engineering (CASE): the use of software packages that aid in the development of all phases of an information system.</p>
<p>Receipt of inbound transactions: controls should ensure that all inbound EDI transactions are accurately and completely received, translated and passed into an application, as well as processed only once.</p>
<p>Outbound transactions: controls should ensure that only properly authorized outbound transactions are processed. This includes the objectives that outbound EDI messages are initiated upon authorization, that they contain only pre-approved transaction types and that they are only sent to valid trading partners.</p>
<p>Digital signatures are a good way of getting rid of spam in an email system.</p>
<p>Payment systems: two parties are involved – the issuer (operates the payment service) and the users (send and receive payments).</p>
<p>Overall business risk for a particular threat can be expressed as the product of the probability and the magnitude of the impact if the threat successfully exploits a vulnerability.</p>
<p>The recovery time objective (RTO) is the deadline by which the user must be processing again. IT is expected to have completed the necessary level of technical recovery. The user is able to resume processing work unless the RTO has been missed.</p>
<p>For a business having many offices within a region, a reciprocal arrangement among its offices would be most appropriate. Each office could be designated as a recovery site for some other office. This would be the least expensive approach and would provide an acceptable level of confidence.</p>
<p>The effectiveness of the BCP can best be evaluated by reviewing the results from previous business continuity tests for thoroughness and accuracy in accomplishing their stated objectives.</p>
<p>EMM – electronic money model – emulates physical cash; the payer does not have to be online at the time of purchase, and the payer can have unconditional untraceability.</p>
<p>A content-filtering proxy server will effectively monitor user access to Internet sites and block access to unauthorized web sites.</p>
<p>Electronic funds transfer: EFT is the exchange of money via telecommunications without currency actually changing hands. It is the electronic transfer of funds between a buyer, a seller and their respective financial institutions.</p>
<p>EFT refers to any electronic financial transaction that transfers a sum of money from one account to another electronically. In the settlement between parties, EFT transactions usually function via an internal bank transfer from one party’s account to another via a clearinghouse network. Usually, transactions originate from a computer at one institution and are transmitted to another computer at another institution, with the monetary amount recorded in the respective organizations’ accounts. These are very high-risk systems.</p>
<p>Completely connected (mesh) configuration: a network topology in which devices are connected with many redundant interconnections between network nodes (primarily used for backbone networks).</p>
<p>Integrated customer file – all the information about a given customer is combined into one file.</p>
<p>ATM = POS = point-of-sale devices.</p>
<p>Management should review administrator-level activity to ensure that personnel with administrator access are not performing unauthorized functions (SOD in a small organization).</p>
<p>ISO 9126 (software quality standard): functionality, reliability, usability, re-usability, efficiency, maintainability, portability.</p>
<p>ISO 9126 focuses on the end result of good software processes.</p>
<p>RFID uses radio frequency to identify tagged objects. A tag consists of a chip and an antenna. The chip stores the ID of the object, and the antenna receives the signal.</p>
<p>RFP: a document distributed to software vendors requesting them to submit a proposal to develop or provide a software product.</p>
<p>Compliance testing: tests of controls designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period.</p>
<p>Data warehouse – once data are in the warehouse, they should not be modified.</p>
<p>Memory dump: the act of copying raw data from one place to another with little or no formatting for readability.</p>
<p>Supply chain management (SCM) is about linking the business processes between the related entities (buyer and seller). Important for just-in-time inventory – the store does not keep inventory; goods arrive as you need them. You should have multiple suppliers in case one fails, or you could be in trouble.</p>
<p>Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized.</p>
<p>Variable sampling is used to estimate numerical values, such as dollar values.</p>
<p>Substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests.
If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized.</p>
<p>Defense in depth (DID) – more than one security layer is implemented: we are not satisfied with one layer, so we use two, or often more than two, to achieve the most secure solution we can.</p>
<p>Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.</p>
<p>If the application is critical, the patch should not be applied without regard for the application; business requirements must be considered.</p>
<p>A government regulation is a mandatory control that forces compliance.</p>
<p>Acceptance testing determines whether the solution meets the requirements of the business and is performed after system staff have completed the initial system test. This testing includes both quality assurance testing (QAT) and user acceptance testing (UAT), although not combined.</p>
<p>Nonworking processes, whether manual or automated, are usually the highest priority if their business value can be justified.</p>
<p>The compliance test uses precision to describe the rate of occurrence out of the sample population.</p>
<p>The primary risks during the BPR design phase are improper scope, lack of necessary skills, political resistance, and a failure by management to support the project.</p>
<p>Strategy defines the primary business we are in for the next three to five years. Using this information, the business can develop or adopt supporting standards and then create low-level procedures to accomplish the strategic objective.</p>
<p>PERT analysis shows the critical path to illustrate the minimum specific tasks necessary to complete the project’s objective. The CPM technique is a valuable tool for demonstrating what must be accomplished versus what was requested. High-dependency tasks get performed, while low-dependency tasks may be cancelled from the project.</p>
<p>System testing is a series of tests by the test team or system maintenance staff to ensure that the modified program interacts correctly with other components. System testing references the functional requirements of the system.</p>
<p>Integration testing evaluates the connection of two or more components that pass information from one area to another. The objective is to utilize unit-tested modules, thus building an integrated structure according to the design.</p>
<p>Unit testing references the detailed design of the system and uses a set of cases that focus on the control structure of the procedural design to ensure that the internal operation of the program performs according to specification.</p>
<p>Change management: changes must be requested, approved, documented and controlled. Changes to system parameters and libraries must be controlled.</p>
<p>Monitoring: effective monitoring is a process that assesses the quality of the system’s performance over time. It includes the regular management and supervisory activities as well as separate evaluations by central units, internal audit, or other independent parties.</p>
<p>The audit charter outlines the responsibility, authority and accountability of the auditor prior to commencing the audit assignment, and this must be agreed upon.</p>
<p>The engagement letter is used with independent auditors to define the relationship. This letter serves as a record to document the understanding and agreement between the audit committee and the independent auditor. It provides the independent auditor with the responsibility, accountability and authority to conduct the audit.</p>
<p>Help desk: the number of issues successfully resolved on the first call is an indicator of success.</p>
<p>Patch management – the first thing is to verify the validity of the patch, i.e., that it came from the right place.</p>
<p>Program library management software – facilitates effective and efficient management of the data center software inventory, which includes application and system software program code and job control statements.</p>
<p>Library control software is used to separate test libraries from production libraries in mainframe and client/server environments.</p>
<p>The Capability Maturity Model creates a baseline reference to chart current progress or regression. It provides a guideline for developing the maturity of systems and management procedures.</p>
<p>Grid computing: applications can be designed to use the processing power of many computers.</p>
<p>The audit charter’s purpose is to grant the right to audit and to delegate responsibility, authority and accountability.</p>
<p>Detection risk is the risk that the IS auditor uses an inadequate test procedure and concludes that material errors do not exist, when in fact they do. Using statistical sampling, an IS auditor can quantify how closely the sample should represent the population and quantify the probability of error. Sampling risk is the risk that incorrect assumptions will be made about the characteristics of a population from which a sample is selected. Assuming there are no related compensating controls, inherent risk is the risk that an error exists which could be material or significant when combined with other errors found during the audit. Statistical sampling will not minimize this.</p>
<p>Control risk is the risk that a material error exists which will not be prevented or detected on a timely basis by the system of internal controls. This cannot be minimized using statistical sampling.</p>
<p>Capacity management: the planning and monitoring of computing resources to ensure that available resources are used efficiently and effectively.</p>
<p>Detection risk = material error.</p>
<p>Substantive tests and compliance tests use variable and attribute sampling methods.</p>
<p>Compliance testing uses discovery sampling to detect fraud.</p>
<p>Sampling, control, detection and inherent risk are of interest to an IS auditor.</p>
<p>Traditional independent audits are conducted with formality and adherence to the standards necessary for regulatory licensing and external reporting.</p>
<p>Protocol analyzer: a network diagnostic tool that monitors and records network information.</p>
<p>Access control software: designed to prevent unauthorized access to data and objects, unauthorized use of system functions or programs, unauthorized modification of data or unauthorized attempts to access computer resources.</p>
<p>Commitment and rollback controls are directly relevant to integrity.</p>
<p>Previous test results will provide evidence of the effectiveness of the business continuity plan.</p>
<p>BCP: comparisons to standards will give some assurance that the plan addresses the critical aspects of a business continuity plan but will not reveal anything about its effectiveness.</p>
<p>Sequential – good for batch processing.</p>
<p>Indexed sequential – records are logically ordered according to a data-related key and can be accessed based on that key; very fast.</p>
<p>Direct random access – records are addressed
individually based on a key not related to the data. Based on hashing.</p><p>Metadata – data about the data.</p><p>Reliability - A set of attributes that bear on the capability of software to maintain its level of performance under stated conditions</p><p>for a stated period of time.</p><p>Functionality - A set of attributes that bear on the existence of a set of functions and their specified properties. The functions are</p><p>those that satisfy stated or implied needs.</p><p>Usability - A set of attributes that bear on the effort needed for use, and on the individual assessment of such use, by a stated or</p><p>implied set of users.</p><p>Efficiency - A set of attributes that bear on the relationship between the level of performance of the software and the amount of</p><p>resources used, under stated conditions.</p><p>Maintainability - A set of attributes that bear on the effort needed to make specified modifications.</p><p>Portability - A set of attributes that bear on the ability of software to be transferred from one environment to another</p><p>Data Dictionary/Directory System – data dictionary contains an index and description of all items stored in the database. 
The DS</p><p>describes the location of the data and the access method; it helps maintain integrity of the data and controls unauthorized access.</p><p></p><p>Database structure – can be hierarchical (tree), network – not really used, or relational</p><p>Key feature of relational databases – normalization – minimizes duplication of data (but can cause performance degradation, but</p><p>if don’t do it then you can have data integrity issues).</p><p>Information Management and Auditing CISA 2019</p><p>80 Prepared by: madunix CCNA, CCNP, CCIP, CISA, CISSP, CFR, CSC, CIoTSP, CISM, eJPT, SCSC, KCSP, KCTP and ICATE</p><p>Database controls: Authorized access</p><p>only // Concurrent access handling // Data accuracy and completeness // Database</p><p>checkpoints – to minimize data loss // Database backup</p><p>The IT BSC is a tool that provides the bridge between IT objectives and business objectives by supplementing the traditional</p><p>financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. (Effectiveness</p><p>of an organization's planning and management of investments in IT assets)</p><p>Encryption is frequently used for authentication.</p><p>By evaluating the organization's development projects against the CMM, an IS auditor determines whether the development</p><p>organization follows a stable, predictable software process.</p><p>Successful attacks start by gathering information about the target system.</p><p>The IS department should specifically consider the manner in which resources are allocated in the short term.</p><p>An essential part of designing a database for parallel processing is the partitioning scheme. Because large databases are indexed,</p><p>independent indexes must also be partitioned to maximize performance. Hashing is a method used for index partitioning. 
It</p><p>associates data to disk based on a hash key.</p><p>In a cost-benefit analysis, the total expected purchase and operational/support costs and a qualitative value for all actions are</p><p>weighted against the total expected benefits in order to choose the best technical, most profitable, least expensive, or acceptable</p><p>risk option.</p><p>CMMI useful: evaluate management of computer center, development function management process, implement and measure</p><p>change management.</p><p>The ALE is the expected monetary loss that is estimated for an asset over a one-year period.</p><p>Potential business impact is only one part of the cost-benefit analysis.</p><p>Digital Right Management (DRM): allow access to digital contents to the users. DRM helps to assign controls to the</p><p>computer program to the usage of digital contents</p><p>What is DDL (data definition language)? This is a standard language to define data schema and object. Example of DDL</p><p>statements or commands: CREATE, ALTER etc</p><p>Program interface tests (integration test)</p><p>Performing a walk through of the process/procedure allows the IS auditor to gain evidence of compliance and observe deviations, if</p><p>any.</p><p>WAN: Message switching / Packet switching / Circuit switching / Virtual circuits / Dial up service</p><p>A VPN is a technology that uses encryption to make a secure virtual connection over public networks to extend the corporate</p><p>network. It is a cost effective way to extend LANs across different parts of the world.</p><p>Logging in using the named user account before using the DBA account provides accountability by noting the person</p><p>making the changes.</p><p>The ability to recognize a potential security incident is: required of all personnel.</p><p>Security Policy: No shared accounts. This is typically a security policy in many organizations. 
Each account only has the minimal</p><p>permissions it needs to perform the task.</p><p>A relational database uses normalization rules. The purpose of normalization rules is to get rid of the unnecessary data</p><p>and to reduce the amount of data required to fulfill the requirements of users’ queries. Each data instance will have unique value</p><p>for each attribute.</p><p>Referential integrity constraints ensure that a change in a primary key of one table is automatically updated in the matching</p><p>foreign keys of other tables. This is done using triggers.</p><p>Utility programs – these leave no audit trail.</p><p>Packet Switching - pay by amount, not by distance.</p><p>An IS auditor reviewing a database discovers that the current configuration does not match the originally designed structure: IS</p><p>auditor should first determine whether the modifications were properly approved.</p><p>Layers of IT environment: Network - Operating system – Database - application</p><p>IPS (intrusion prevention system): it can block unauthorized access attempts to a system. IPS works with routers, firewalls,</p><p>proxy server and other access control devices. Once an IPS detects an illegal activity or access attempt, it sends notification to the</p><p>Information Management and Auditing CISA 2019</p><p>81 Prepared by: madunix CCNA, CCNP, CCIP, CISA, CISSP, CFR, CSC, CIoTSP, CISM, eJPT, SCSC, KCSP, KCTP and ICATE</p><p>device to block that access attempt. The only problem with IPS is that it can block legitimate traffic presuming it to be an illegal</p><p>activity.</p><p>Logical access exposures – list out all the various computer attacks like salami, smurf, logic bombs etc.</p><p>CGI: It is a program that runs on the server, and the web server can call it to perform a set of tasks such as verifying users input</p><p>in web forms. CGI scripts (normally written in C or Perl) must be written carefully because they run on the server. 
A simple error in</p><p>the script can give unauthorized person access to the server.</p><p>Value delivery means that good rates of return and a high utilization of resources are achieved</p><p>SSL or secure socket layer only provides data confidentially. It does not ensure integrity of the message.</p><p>The advantage of steganography is that the intended secret message does not attract attention to itself as an object of scrutiny;</p><p>it’s a practice of concealing a file, message, image, or video within another file, message, image, or video; so the existence of</p><p>messages is hidden when using steganography.</p><p>Confidentiality — information classification</p><p>Availability – fault tolerance, backups</p><p>Threat: Hazard, potential loss</p><p>Risk: likelihood of potential loss</p><p>Weakness: risk not reduced to a low level by internal controls</p><p>Exposure: Size of potential loss associated with a control problem</p><p>Expected loss = exposure X risk</p><p>Objective of Controls: Minimize losses to organization resulting from threats</p><p>Firewall implementation methods Screened-host firewall //Dual-homed firewall//DMZ or screened subnet firewall.</p><p>Screened host firewall: this is the simplest method among all. It uses a packet filter router and a bastion host. No direct traffic</p><p>from internal to the external network is allowed.</p><p>Equal Error rate (ERR) - % showing when false reject and acceptance are equal. The lower the better.</p><p>Biometrics in order of effectiveness:</p><p>1. Palm</p><p>2. Hand geometry</p><p>3. Iris</p><p>4. Retina – lowest FAR</p><p>5. Fingerprint</p><p>6. Face</p><p>7. Signature</p><p>8. 
Voice recognition</p><p>A PERT chart will help determine project duration once all the activities and the work involved in those activities are known.</p><p>Four objectives for controls:</p><p>• authorization (all transactions are authorized)</p><p>• recording (all transactions are recorded)</p><p>• access (allow access to assets only for authorized purposes)</p><p>• asset accountability (ensure that accounting records describe only real assets)</p><p>In addition, accounting and data processing must be operationally efficient.</p><p>The purpose of the change management process is to ensure that:</p><p>• standardized methods and procedures are used for efficient and prompt handling of all changes</p><p>• all changes to service assets and configuration items are recorded in the configuration management system</p><p>• business risk is managed and minimized, with risk scenarios addressed at the various information system life cycle stages</p><p>• all authorized changes support business needs and goals</p><p>• all emergency changes still undergo the formal change management process after the fact</p><p>Function point analysis is a technique for determining the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries, logical internal files, etc.</p><p>The long-term financial viability of a vendor is essential for deriving maximum value for the organization: a financially sound vendor is more likely to stay in business for a long period of time and therefore more likely to be capable of providing long-term support for the purchased product.</p><p>Discovery sampling is used to determine whether fraud (or another rare, critical event) has taken place or not.</p><p>SoD: ensure that no single individual is given too much responsibility; no employee should be in 
a position to both perpetrate and conceal irregularities.</p><p>ISO/IEC 15504 is the reference model for maturity models (consisting of capability levels, which in turn consist of process attributes, which further consist of generic practices) against which assessors can place the evidence they collect during their assessment, so that they can give an overall determination of the organization's capability for delivering products.</p><p>An enterprise's risk appetite is BEST established by the steering committee.</p><p>Control self-assessments (CSAs) require employees to assess the control stature of their own function. CSAs help increase the understanding of business risk and internal controls. Because they are conducted more frequently than audits, CSAs help identify risk in a more timely manner.</p><p>Hot site: a fully configured computer facility with electrical power, heating, ventilation and air conditioning (HVAC), and functioning file/print servers and workstations.</p><p>Warm site: a computer facility with electrical power and HVAC, and limited file/print servers and workstations.</p><p>Cold site: a computer facility with electrical power and HVAC but no computer hardware.</p><p>"ROM" indicates non-volatile memory.</p><p>Electronic vaulting: transfer of backup data to an offsite location, done in batch over telecommunication lines to the alternate location.</p><p>A BIA has three goals: criticality prioritization, maximum tolerable downtime estimation and resource requirements.</p><p>Effectively reduces the risk of piggybacking = deadman (mantrap) doors.</p><p>The use of statistical sampling procedures helps minimize = detection risk.</p><p>The security strategy will be most useful if there is a direct, traceable connection with business objectives. 
Inferred connections to business objectives are not as good as traceable connections.</p><p>The purpose of a deadman door controlling access to a computer facility is primarily to prevent piggybacking.</p><p>The steering committee brings awareness of business issues and objectives to IT management. An effective steering committee will focus on the service level necessary to support the business strategy.</p><p>Release management is the process to manage the risk scenarios of production system deployment and is a component of change management. The BEST way to ensure that the code moved into production is the same code that was tested is to use release management software.</p><p>Incident management addresses impacts when or after they occur.</p><p>Configuration management is the specific process to manage risk scenarios associated with system configuration and is a component of change management.</p><p>Classification allows the appropriate protection level to be assigned to the asset.</p><p>Audit logging: tools for audit trail (log) analysis</p><p>• Audit reduction tools: remove entries that are not an issue from the logs before the auditor looks at them</p><p>• Trend/variance detection: looks for anomalies in user or system behavior</p><p>• Attack signature detection: looks for known attack signatures</p><p>Naming conventions for system resources are an important prerequisite for efficient administration of security controls (i.e. logical access controls).</p><p>Some of the benefits of blade servers include: reduced energy costs; reduced power and cooling expenses; space savings; reduced cabling; redundancy; increased storage capacity; reduced data center footprint; minimal administration; low total cost of ownership.</p><p>Virtual private network (VPN) concentrator: a system used to establish VPN tunnels and handle large numbers of simultaneous connections. 
This system provides authentication, authorization and accounting services. It is a type of router device built specifically for creating and managing VPN communication infrastructures. A VPN concentrator is typically used to terminate many remote-access tunnels on one device and can also anchor site-to-site VPN architectures.</p><p>Prevention (prevent threats from occurring)</p><p>Detection (detect problems if they occur)</p><p>Correction (change the system so problems do not recur)</p><p>Passwords should be at least eight characters long; length matters more than forced complexity, and a passphrase is generally considered a more secure form of password.</p><p>The scope of an IS audit is defined by its objectives. This involves identifying control weaknesses relevant to the scope of the audit. Obtaining sufficient and appropriate evidence assists the auditor not only in identifying control weaknesses but also in documenting and validating them (providing a basis for drawing reasonable conclusions).</p><p>Client/server security has to do with identifying all the access points.</p><p>Firewalls control traffic between two or more networks.</p><p>Sociability testing confirms that a new system can perform on the target platforms and in the target environment without causing any problem to existing systems.</p><p>While developing a risk-based audit program, which of the following would the IS auditor MOST likely focus on? 
Business processes.</p><p>Sequence check: numerical or alphabetical order</p><p>Field check: proper type of data (numeric vs. alphabetic), category or length</p><p>Sign check: appropriate arithmetic sign</p><p>Validity check: an already authorized account number</p><p>Limit or range check: does not exceed a limit</p><p>Logical reasonableness: e.g. debit vs. credit accounts</p><p>Redundant data cross-check: enter both account number and name, look up the account number and cross-check that the name matches (valid-combinations test)</p><p>Parallel testing is the process of feeding data into two systems, the modified system and an alternate system, and computing the results in parallel. In this approach, the old and new systems operate concurrently for a period of time and perform the same processing functions.</p><p>Integration testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure. The tests are not necessarily between systems that interact with one another, so where the question is about coexistence with other systems, sociability testing is the better answer.</p><p>Reviewing the date and time stamps is the most effective control to make sure that the source and object code are synchronized.</p><p>An accreditation is senior management's decision to authorize IS operation and accept the risks (to IT assets, operations and individuals). It is a form of quality control that challenges IS managers and staff to implement highly effective security controls in the organization's IT systems.</p><p>Firewall rules are derived from company policies and standards. One of the first steps in setting up a firewall is to determine which applications need to be externally accessible. 
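</p><p>The input edit checks listed in these notes (sequence, field, sign, validity, limit/range, logical reasonableness, redundant cross-check), applied to a constructed batch of transactions. This is an added example, not part of the original notes; the account master, the amount limit and the record layout are assumptions made for illustration.</p>

```python
"""Input edit checks (sequence, field, sign, validity, limit/range, logical
reasonableness, redundant cross-check) applied to a batch of transaction
records. Added example; the account master, amount limit and record layout
are constructed for illustration."""
from datetime import date

# Constructed authorized-account master: source for the validity check and
# for the redundant cross-check of account number against account name.
ACCOUNT_MASTER = {"1001": "Acme Ltd", "1002": "Globex Corp", "1003": "Initech"}
AMOUNT_LIMIT = 10_000.00  # assumed per-transaction limit for the range check


def check_record(rec, prev_seq, batch_date):
    """Return the names of the edit checks this record fails (empty = clean)."""
    failures = []
    acct, amt = rec["account"], rec["amount"]

    # Sequence check: transaction numbers must arrive in ascending order.
    if prev_seq is not None and rec["seq"] <= prev_seq:
        failures.append("sequence")
    # Field (format) check: account number must be exactly four digits.
    if not (len(acct) == 4 and acct.isdigit()):
        failures.append("field")
    # Sign check: debits ('D') must be positive, credits ('C') negative.
    if (rec["type"] == "D" and amt <= 0) or (rec["type"] == "C" and amt >= 0):
        failures.append("sign")
    # Validity check: the account must already be authorized in the master.
    if acct not in ACCOUNT_MASTER:
        failures.append("validity")
    # Limit/range check: the amount must not exceed the configured limit.
    if abs(amt) > AMOUNT_LIMIT:
        failures.append("range")
    # Logical reasonableness: only debit/credit types, no future postings.
    if rec["type"] not in ("D", "C") or rec["posted"] > batch_date:
        failures.append("reasonableness")
    # Redundant data cross-check: keyed name must match the master for that account.
    if acct in ACCOUNT_MASTER and rec["name"] != ACCOUNT_MASTER[acct]:
        failures.append("cross-check")
    return failures


def validate_batch(records, batch_date):
    """Map each record's sequence number to the list of checks it fails."""
    results, prev_seq = {}, None
    for rec in records:
        results[rec["seq"]] = check_record(rec, prev_seq, batch_date)
        prev_seq = rec["seq"]
    return results


# Constructed batch: record 1 is clean; the others each fail specific checks.
BATCH_DATE = date(2024, 10, 10)
SAMPLE_BATCH = [
    {"seq": 1, "account": "1001", "name": "Acme Ltd", "type": "D",
     "amount": 250.00, "posted": date(2024, 10, 9)},
    {"seq": 2, "account": "1002", "name": "Globex Corp", "type": "C",
     "amount": 120.00, "posted": date(2024, 10, 9)},        # wrong sign
    {"seq": 4, "account": "10A3", "name": "Initech", "type": "D",
     "amount": 15000.00, "posted": date(2024, 10, 9)},      # field, validity, range
    {"seq": 3, "account": "1003", "name": "Initrode", "type": "D",
     "amount": 75.00, "posted": date(2024, 11, 1)},         # sequence, reasonableness, cross-check
]

if __name__ == "__main__":
    for seq, failed in validate_batch(SAMPLE_BATCH, BATCH_DATE).items():
        print(seq, "OK" if not failed else "REJECT: " + ", ".join(failed))
```

<p>Each check is evaluated independently, so a rejected record reports every reason at once rather than stopping at the first one; in a production system the rejected records would go to a suspense file for correction and re-entry instead of being silently dropped.</p><p>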
The security administrator should perform periodic reviews to validate firewall rules and remove stale ones.</p><p>Router/packet filtering: the simplest type; operates at layer 3, examining IP header fields (and usually layer 4 ports). Works from filtering rules and is vulnerable to attacks that exploit misconfigured filters.</p><p>Application firewalls (application-level and circuit-level gateways): act as proxies. Application-level gateways operate at layer 7, hide the internal network from the outside and need a separate proxy for each application; circuit-level gateways work at the session layer and do not. They can be slow but allow the most granular control.</p><p>Stateful inspection: keeps track of connections in a state table (layers 3/4). More efficient than application gateways and stronger than plain packet filtering, but can be complex to administer.</p><p>IDS components: sensors, analyzers, admin console, user interface.</p><p>The following action should take place immediately after a security breach is reported to an information security manager: confirm the incident.</p><p>Throughput is the network performance metric: the amount of data (bits or bytes) transmitted by a communication channel per second.</p><p>Worms are malicious programs that can run independently and propagate without the aid of a carrier program such as e-mail.</p><p>Private key (secret key) cryptography: symmetric encryption. Key exchange is the big problem. 
Algorithms: DES, AES, 3DES (DES is broken and 3DES is deprecated; AES is the current standard). Fast and efficient.</p><p>Techniques useful for verification: static analysis, reviews, inspections, walkthroughs.</p><p>Public key cryptography was created to solve the key distribution problem: RSA, ECC (elliptic curve cryptography).</p><p>While undertaking an audit, if the auditor suspects that an attack or any suspicious activity is going on, he or she should first inform management about the incident.</p><p>When developing an audit plan, an auditor needs to identify the highest-risk systems and plan the audit accordingly. The auditor should not rely on the previous year's audit plan, since it may not have been designed with a risk-based approach.</p><p>The main advantage of continuous auditing is that it improves security in time-sharing systems that process large numbers of transactions, by examining them as they occur.</p><p>IT governance = value delivery + risk management</p><p>Audit risk: the risk that information may contain a material error that goes undetected during the course of the audit.</p><p>Control risk example: manual review of computer logs has high control risk because activities requiring investigation are easily missed due to the volume of logged information.</p><p>The objectives of the balanced scorecard (BSC) are to establish a vehicle for management to report to the board, to foster consensus among key stakeholders about the strategic aims of IT, to demonstrate the effectiveness and benefits of IT, and to communicate the performance, risks and capabilities of IT.</p><p>Data mining uses rules to drill down through the data in the data warehouse for correlations. The results of data mining are stored in the data mart. The DSS presentation program may display data from the data mart in graphical format.</p><p>Risk analysis methods: qualitative analysis; semi-qualitative analysis (a descriptive ranking, e.g. 
low, medium, high, mapped to a numeric scale); quantitative analysis (numeric values only).</p><p>A quantitative approach is preferred over a qualitative one where the data exist, because its results are more objective; its weakness is the difficulty of obtaining accurate frequency and impact fig
ures.</p><p>ALE (annualized loss expectancy) = SLE x ARO, where SLE (single loss expectancy) = asset value x exposure factor and ARO is the annualized rate of occurrence; loosely, expected loss = value x probability.</p><p>The board of directors and senior management are responsible for IT security governance; execution can be delegated to the CEO and below, but accountability stays with the board.</p><p>The board of directors is primarily responsible for IT governance.</p><p>When SoD cannot be applied properly, compensating controls (another form of internal control) must be used to reduce the resulting control weakness.</p><p>IT governance implementation: determine stakeholder requirements and involvement.</p><p>The integrity of a new staff member can best be assured by background checking.</p><p>Database administrators are the custodians of the organization's data. They are also responsible for defining and maintaining the database structure.</p><p>The advantage of using a bottom-up approach to develop organizational policy is that the policy is derived from the outcome of the risk assessment process.</p><p>Matrix project management: in this form of project organization, both the project manager and the department heads share authority over the project.</p><p>Function point analysis measures software size indirectly. It is used to estimate the complexity of large business application programs and considers the following parameters: number of user inputs, number of outputs, number of user inquiries, number of files, number of external interfaces.</p><p>Portability is the ability to move application software source code and data into systems and environments that have a variety of performance characteristics and capabilities without significant modification. Scalability is the ability to handle increased load; assessing it entails determining the impact of increased scale on client performance. 
A system that scales well should degrade gracefully as saturation is reached.</p><p>Only the activities that are not on the critical path have slack time. Each activity outside the critical path has an earliest and a latest completion time, where the latest completion time does not affect the overall project completion time. The difference between the latest and the earliest completion time is called slack time.</p><p>A Gantt chart helps to schedule a project, from start to end, along a time line. It also shows what percentage of resources is allocated to each task. With a Gantt chart, project progress can be tracked, including milestones and major achievements.</p><p>Bottom-up testing starts from small units such as programs or modules and works upward until the entire system has been tested. It helps to identify errors before all the modules or programs of a system are complete.</p><p>Top-down testing is the opposite approach. It helps to test critical functions early and to detect interface errors sooner. It also raises developers' confidence, since it shows that the system is working.</p><p>The bottom-up approach is used to test large application systems.</p><p>Negotiating and signing the contract is the last step in the software acquisition process.</p><p>The BIA helps to determine the maximum downtime possible for a particular application and the amount of data that could be lost without causing major impact.</p><p>Digital signature: create a hash of the entire message and encrypt (sign) that hash with the sender's private key. Provides integrity, authentication and non-repudiation, but not confidentiality.</p><p>Digital envelope: the sender encrypts the message with a symmetric key (session key). 
The session key is encrypted with the receiver's public key and sent along with the ciphertext. Provides confidentiality.</p><p>Digital certificate: a digital credential composed of a public key and identifying information about the owner of that public key. Certificates are signed by a trusted third party such as VeriSign, using the third party's private key.</p><p>Referential integrity means a valid link exists between data in different tables.</p><p>Objects contain both methods and data to perform a desired task. An object can delegate to another object.</p><p>Certificate authority (CA): an authority in a network that issues and manages security credentials and public keys for message signature verification or encryption.</p><p>Registration authority (RA): takes over some of the administrative functions of the CA, such as verifying the identity of certificate applicants.</p><p>Certification practice statement (CPS): the detailed set of rules governing the CA's operations.</p><p>Major system migrations should include a phase of parallel operation or a phased cut-over to reduce implementation risk. Decommissioning or disposing of the old hardware would complicate any fallback strategy, should the new system not operate correctly.</p><p>It is essential to have copies of all BCPs stored onsite and offsite for ease of access and readability.</p><p>Anti-malware techniques: scanner, active monitor, integrity (CRC) checkers, behavior blockers, immunizer.</p><p>SSL and TLS: SSL provides point-to-point authentication and communications privacy over the Internet using cryptography (SSL itself is deprecated; TLS 1.2 or 1.3 should be used today). 
The server is authenticated, but the client usually is not (unless client certificates are used).</p><p>S-HTTP: similar in purpose to SSL, but not session-oriented; it protects individual messages.</p><p>IPsec (VPN): AH (Authentication Header) provides integrity and origin authentication only; ESP (Encapsulating Security Payload) provides confidentiality and, optionally, integrity. Tunnel mode encapsulates and protects the whole original IP packet, header included, behind a new outer header (used between VPN gateways); transport mode protects only the payload and leaves the original IP header in the clear.</p><p>Increasing the length of an asymmetric key increases processing time far more than using a longer key with a symmetric algorithm.</p><p>Digital certificates complement digital signatures rather than replace them: a certificate is issued and signed by a trusted third party (the CA) and binds a public key to an identity, so the verifier of a signature can trust whose key it is.</p><p>Humidity: too much causes corrosion and condensation; too little causes static electricity.</p><p>ISO/IEC 15504 capability levels: level 0 incomplete process, level 1 performed process, level 2 managed process, level 3 established process, level 4 predictable process, level 5 optimizing process.</p><p>Business continuity: recovery of the business processes so the business can operate and survive as a company.</p><p>"Due diligence" can be rephrased as "do check" and "due care" as "do act".</p><p>A company performs due diligence when it is evaluating a new product or vendor: does the product or vendor meet the business and security requirements? A company performs due care when it secures systems or applications to adequately protect customer or company data.</p><p>Security is also best in the three-tier architecture, because the middle tier shields the database tier from direct client access.</p><p>The major drawback of the N-tier architecture is that the additional tiers increase the complexity and cost of the installation.</p><p>The BCP is the most critical corrective control. 
The plan itself is a corrective control.</p><p>A recovery strategy is a combination of preventive, detective and corrective measures.</p><p>Business continuity has to be aligned with the change management process so that the plan is kept up to date.</p><p>BCP focuses on availability and is primarily the responsibility of senior management.</p><p>BIA (business impact analysis) is a critical step in this process; one needs to understand the organization and its business processes in order to do it properly. Its outputs are the RPO and RTO.</p><p>Different BIA approaches: questionnaire // interview key users // work group (bring people together to discuss).</p><p>The process to review and approve the contract is one of the most important steps in the software acquisition process. An IS auditor should verify that legal counsel reviewed and approved the contract before management signed it.</p><p>The BIA is the basis for defining the recovery strategies.</p><p>Could be used to provide automated assurance that the proper data files are being used during processing: internal labeling, including file header records.</p><p>The common practice, when it is difficult to calculate the financial losses, is to take a qualitative risk approach.</p><p>An auditor can review past transaction volume to determine the impact on the business if the system were unavailable.</p><p>Two cost factors are associated with this: downtime cost // recovery cost.</p><p>A risk-based audit approach uses inherent, control and detection risk to concentrate audit effort on the areas of highest risk, rather than treating every area as equally important.</p><p>Replay attacks: an attack in which the attacker records data and later replays it in an attempt to deceive the recipient.</p><p>A parity check only tells you whether the data sent had an even or odd number of set bits, so it catches a single flipped bit but misses any even number of flipped bits. It was adequate in the days of old modems. 
While you are used to seeing CRC, it is just a particular type of redundancy check. The CRC (cyclic redundancy check) is based on polynomial division and is used to ensure that data has not been corrupted in transmission or when writing to storage. Both parity and CRC detect accidental errors only: anyone can recompute a CRC over altered data, so deliberate alteration must be detected with a cryptographic hash or, better, a keyed MAC.</p><p>Smurf: a malicious attack in which the attacker sends a large number of ICMP echo (ping) packets to broadcast addresses with the victim's spoofed source address, so that every host on those networks replies to the victim. The amplification depends on how many hosts respond.</p><p>The chair of the steering committee should be a senior person (an executive-level manager) with the authority to make decisions relating to the business requirements, resources, priority and deliverables of the system.</p><p>Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached.</p><p>Encryption: the process of taking an unencrypted message (plaintext), applying a mathematical function to it (an encryption algorithm with a key) and producing an encrypted message (ciphertext).</p><p>Encryption key: a piece of information, in digitized form, used by an encryption algorithm to convert the plaintext to ciphertext.</p><p>A post-implementation review collects evidence to determine whether the organizational objectives have been fulfilled. The review includes verification that internal controls are present and in use.</p><p>The waterfall model is best suited to stable conditions and well-defined requirements; phases are finish-to-start.</p><p>Fraggle: the same as a Smurf attack but using UDP (echo/chargen) instead of ICMP.</p><p>Teardrop: sends overlapping or malformed IP fragments that the target's reassembly code cannot handle, crashing or hanging the host.</p><p>DoS: action(s) that prevent any part of an information system from functioning in accordance with its intended purpose, usually by flooding a system to prevent it from servicing normal and legitimate requests.</p><p>DDoS: the same as DoS but using several systems to flood the target. 
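</p><p>To make the parity-versus-CRC discussion in these notes concrete, and to show why neither is a defense against deliberate alteration, here is an added example (not from the original notes) comparing a parity bit, a hand-rolled CRC-32 and a keyed hash (HMAC-SHA256 from the Python standard library) on a constructed record. The record text, the key and the (data, crc, tag) message layout are assumptions made for the example.</p>

```python
"""Parity bit vs CRC-32 vs keyed hash (HMAC-SHA256) as alteration detectors.
Added example; the record, key and (data, crc, tag) message layout are
constructed for illustration."""
import hashlib
import hmac

CRC32_POLY = 0xEDB88320  # reflected IEEE 802.3 polynomial, as used by zlib


def parity_bit(data: bytes) -> int:
    """Parity over the whole block: 1 when the number of set bits is odd."""
    return sum(bin(b).count("1") for b in data) & 1


def crc32(data: bytes) -> int:
    """Bitwise CRC-32; gives the same value as zlib.crc32(data)."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC32_POLY if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed hash: only someone holding `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).digest()


def flip_bits(data: bytes, positions) -> bytes:
    """Copy of `data` with each (byte_index, bit_number) in `positions` flipped."""
    buf = bytearray(data)
    for index, bit in positions:
        buf[index] ^= 1 << bit
    return bytes(buf)


def detects_change(original: bytes, altered: bytes, key: bytes) -> dict:
    """Which detectors notice that `altered` differs from `original`."""
    return {
        "parity": parity_bit(original) != parity_bit(altered),
        "crc32": crc32(original) != crc32(altered),
        "hmac": not hmac.compare_digest(hmac_tag(key, original), hmac_tag(key, altered)),
    }


def send(data: bytes, key: bytes) -> dict:
    """Sender attaches both an integrity CRC and an authentication tag."""
    return {"data": data, "crc32": crc32(data), "hmac": hmac_tag(key, data)}


def tamper_in_transit(message: dict, new_data: bytes) -> dict:
    """Attacker without the key: rewrites the data and simply recomputes the CRC."""
    return {"data": new_data, "crc32": crc32(new_data), "hmac": message["hmac"]}


def receiver_accepts(message: dict, key: bytes) -> dict:
    """Receiver recomputes each check over the data it actually received."""
    data = message["data"]
    return {
        "crc32": crc32(data) == message["crc32"],
        "hmac": hmac.compare_digest(hmac_tag(key, data), message["hmac"]),
    }


# Constructed sample record and shared secret.
RECORD = b"PAY ACCT 1001 AMOUNT 00100.00"
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    one_bit = flip_bits(RECORD, [(21, 0)])            # a single-bit line error
    two_bits = flip_bits(RECORD, [(21, 0), (22, 0)])  # two flipped bits: parity is unchanged
    print("1-bit:", detects_change(RECORD, one_bit, KEY))
    print("2-bit:", detects_change(RECORD, two_bits, KEY))
    forged = tamper_in_transit(send(RECORD, KEY), RECORD.replace(b"00100.00", b"90100.00"))
    print("forged CRC accepted?", receiver_accepts(forged, KEY))
```

<p>The two-bit case is where parity fails: any even number of flipped bits leaves the parity bit unchanged, while the CRC still changes. The forged-message case is where the CRC fails: the attacker rewrites the amount and recomputes the CRC, so the receiver's CRC check passes, but the HMAC check does not because the attacker never had the key.</p><p>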
Password sniffing: an attack in which someone examines data traffic that includes secret passwords in order to recover them, presumably to use them later in masquerades.</p><p>IP spoofing: an attack in which a system attempts to illicitly impersonate another system by using its IP network address. Routers and firewalls can be configured with ingress/egress filtering to drop packets whose source address does not belong on the interface they arrived from.</p><p>Dumpster diving: going through trash to find information.</p><p>Wiretapping: attaching a special device to the line so that a person can secretly listen to a conversation.</p><p>Scanning attack: a hacking technique that probes ports to reveal which services are available, in order to plan an exploit against those services and to determine the OS of a particular computer.</p><p>Parallel operation = provides assurance that a new system meets its functional requirements.</p><p>The purpose of regression testing is to ensure that a change does not create a new problem with other functions in the program. After a change is made, all of the validation tests are run from beginning to end to discover any conflicts or failures. Regression testing is part of the quality control process.</p><p>Synchronous replication: shorter distances, but no data loss (the two systems are kept synchronized). Asynchronous replication: possible data loss, but greater distances; the systems are not synchronized and data are transferred at set times or when possible.</p><p>Recovery time objective (RTO; must not exceed the MTD, maximum tolerable downtime): the acceptable downtime for a given application. 
The lower the RTO, the lower the disaster tolerance; the RTO cannot be met unless the data needed to resume (as defined by the RPO) is available.</p><p>Recovery strategies: the first approach in a recovery strategy is to see whether built-in resilience can be implemented. A disaster recovery procedure will address everything not covered by resilience.</p><p>If the outsourcing vendor is from another country, the organization should be aware of cross-border legislation.</p><p>IaaS = cloud services that put IT operations into the hands of a third party.</p><p>Security labels are used in the mandatory access control (MAC) model.</p><p>A DRP that relies on a reciprocal agreement = mitigation.</p><p>IDS (a detective control): installing an intrusion detection system makes it possible to pinpoint the source of an attack so that countermeasures can then be taken. An IDS is not limited to detecting attacks originating externally.</p><p>Detective controls: IDS, hashes, checkpoints, echo checks, error messages, internal audit, performance logs, etc.</p><p>Corrective controls: BCP, backups, rerun procedures, etc.</p><p>Cell sampling: random selection is performed within each of a series of predefined intervals.</p><p>Fixed interval sampling: the item at every nth interval is selected for testing.</p><p>RBAC: create a matrix that documents the functions associated with particular kinds of work, typically referred to as a segregation of duties (SoD) matrix, showing which roles are required or permitted to have which permissions.</p><p>Real-time data synchronization between the DC and DR systems is done to avoid any data loss; it is measured by the RPO.</p><p>SoD is a basic, key internal control and one of the most difficult to achieve. 
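</p><p>The SoD matrix described under RBAC in these notes, turned into a check that an auditor or IAM engineer can run against role definitions and user assignments. This is an added example, not part of the original notes; the roles, permissions, conflict pairs and user assignments are constructed for an accounts-payable scenario.</p>

```python
"""RBAC with a segregation-of-duties (SoD) matrix: find roles that embed a
conflict on their own and users whose combined roles create one. Added
example; roles, permissions, conflict pairs and assignments are constructed."""

# Role -> permissions it grants (constructed accounts-payable example).
ROLE_PERMISSIONS = {
    "ap_clerk":      {"vendor.create", "invoice.enter"},
    "ap_supervisor": {"invoice.approve", "payment.release"},
    "vendor_admin":  {"vendor.create", "vendor.approve"},   # conflict inside one role
    "auditor":       {"invoice.read", "payment.read"},
}

# SoD matrix: pairs of permissions one person must never hold together
# (each pair lets the holder both perpetrate and conceal an irregularity).
SOD_CONFLICTS = {
    frozenset({"vendor.create", "invoice.approve"}),
    frozenset({"vendor.create", "vendor.approve"}),
    frozenset({"invoice.enter", "invoice.approve"}),
    frozenset({"invoice.enter", "payment.release"}),
}

# User -> assigned roles (constructed).
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_supervisor"},
    "carol": {"ap_clerk", "ap_supervisor"},   # toxic combination across two roles
    "dave":  {"vendor_admin"},                # inherits the conflict built into the role
    "erin":  {"auditor"},
}


def effective_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_permissions[role]
    return perms


def sod_violations(perms, conflicts=SOD_CONFLICTS):
    """Sorted list of conflicting permission pairs contained in `perms`."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= perms)


def review_roles(role_permissions=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Roles that violate SoD by themselves; these need redesign, not just
    careful assignment."""
    findings = {}
    for role, perms in role_permissions.items():
        hits = sod_violations(perms, conflicts)
        if hits:
            findings[role] = hits
    return findings


def review_users(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS,
                 conflicts=SOD_CONFLICTS):
    """Users whose effective permissions violate SoD; each needs a role change
    or a documented compensating control (e.g. independent review of their work)."""
    findings = {}
    for user in user_roles:
        perms = effective_permissions(user, user_roles, role_permissions)
        hits = sod_violations(perms, conflicts)
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    print("roles with built-in conflicts:", review_roles())
    print("users in violation:", review_users())
```

<p>Checking roles and users separately matters: a conflict inside a single role (vendor_admin here) cannot be fixed by reassigning people, only by splitting the role, whereas a conflict created by combining otherwise clean roles (carol) is an assignment problem, and if the organization is too small to separate the duties it is the case for a compensating control.</p><p>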
Segregation of duties is used to ensure that errors or irregularities are prevented or detected on a timely basis by employees in the normal course of business.</p><p>If the answers provided to an IS auditor's questions are not confirmed by documented procedures or job descriptions, the IS auditor should expand the scope of testing the controls and include additional substantive tests.</p><p>When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptions and modifications may not be adequately communicated. Inaccurate specifications cannot easily be corrected.</p><p>The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early.</p><p>Reverse engineering is the process of studying and analyzing an application, a software application or a product to see how it functions and to use that information to develop a similar system.</p><p>The Unified Modeling Language (UML) is a general-purpose, developmental modeling language in the field of software engineering that is intended to provide a standard way to visualize the design of a system.</p><p>Simula 67 is seen as the first object-oriented language.</p><p>In object-oriented programming, polymorphism refers to a programming language's ability to process objects differently depending on their data type or class. 
More specifically, it is the ability to redefine methods for derived classes.</p><p>Objects are usually created from a general template called a class.</p><p>RAD provides a means for developing systems faster while reducing cost and increasing quality.</p><p>Scrum aims to move planning and directing tasks from the project manager to the team.</p><p>Agile: the use of small, time-boxed subprojects or iterations.</p><p>CAAT that flags transactions meeting predetermined criteria = continuous and intermittent simulation (CIS).</p><p>Integrity: the accuracy, completeness and validity of information.</p><p>COSO provides guidance and a comprehensive framework of internal control for all organizations.</p><p>Fault tolerance enables a system to continue operating properly in the event of the failure of some of its parts. It avoids total breakdown and is particularly sought after in high-availability environments full of business-critical systems.</p><p>Regression testing is done on application programs in order to retest the program after making a correction, to see that no other error crops up.</p><p>Sociability testing is done for both hardware and software to assure that the program works well with the target system.</p><p>Attribute sampling is used to test compliance of transactions with controls, in this instance the existence of appropriate approval.</p><p>Risk management: the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.</p><p>Variable sampling is used in substantive testing situations and deals with population characteristics that vary, such as monetary values and weights.</p><p>Stop-or-go sampling is used when the expected occurrence rate is extremely low.</p><p>Judgment sampling refers to a subjective approach of determining sample size 
and the selection criteria for the elements of the sample.</p><p>Abnormal server communication from inside the organization to external parties should be monitored to record the trace of advanced persistent threats (APTs).</p><p>Full backup: backs up all files, modified or not, and clears the archive attribute.</p><p>Incremental backup: backs up only those files that have been modified since the previous backup (of any type) and clears the archive attribute.</p><p>Differential backup: backs up the files that have been modified since the last full backup and does not touch the archive attribute.</p><p>An ITF (integrated test facility) creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. However, careful planning is necessary, and test data must be isolated from production data.</p><p>Attribute sampling: determines whether an attribute is present or absent in the sample; the result is stated as a rate of occurrence, for example the presence of 1 in 100 units would be 1%.</p><p>Stop-and-go sampling: used when few errors are expected. It allows the test to occur without excessive sampling effort and provides the opportunity to stop testing at the earliest possible opportunity.</p><p>Discovery sampling: used when the expected occurrence rate is extremely low but even one occurrence (e.g. fraud) would be significant; the sample is sized so that at least one instance would be found with the desired confidence. Forensic examination is an excellent example of when discovery sampling is used.</p><p>Precision and expected error rate: precision is the acceptable margin of error between the sample result and the true value for the population; the expected error rate is the anticipated rate of deviation in the population. Both are inputs to sample size and are usually expressed as percentages.</p><p>Interviewing selected personnel is the best technique. 
Surveys, document review, and observations generate a lower yield.</p><p>Compliance testing uses precision to describe the rate of occurrence in the sample population, that is, the expected error rate of the sample compared to the total population. Precision is usually expressed as a percentage.</p><p>The audit committee’s purpose is to review and challenge assurances made, and to maintain a positive working relationship with management and the auditors.</p><p>Standards are mandatory, and any deviation would require justification.</p><p>Periodic testing does not require separate test processes = ITF</p><p>Purpose of risk analysis: helps auditors to identify threats to organizations to have controls in place // evaluate countermeasures // decide on auditing objectives // support risk-based auditing decisions // lead to implementation of internal</p><p>in resilience can be implemented. A disaster recovery procedure will address everything not covered by resilience.</p><p>Preparedness tests involve simulation of the entire environment (in phases) and help the team to better understand and prepare for the actual test scenario.
(Efficient way to determine the effectiveness of the plan)</p><p>Hot sites – can be ready in minutes or hours.</p><p>Warm sites – don’t have computers, but have basic network and some peripheral equipment.</p><p>Cold sites – have only the very basics: the facility and environmental controls.</p><p>Mobile sites – for branches.</p><p>Reciprocal arrangements – not good, because software changes between companies might cause incompatibility issues.</p><p>Incident response team – responds to incidents and does reporting and investigation.</p><p>Emergency action team – first responders.</p><p>Damage assessment team – assesses the extent of the damage.</p><p>Emergency management team – responsible for coordination of activities in a disaster.</p><p>Alternative routing – using an alternative cable medium, like copper instead of fiber.</p><p>Diverse routing – method of routing traffic through split cable or duplicate cable facilities.</p><p>Paper test – paper walk-through of the plan with the major players.</p><p>Preparedness test – usually a localized version of a full test – a simulated system crash.</p><p>Full operational test – shutting down a data center, etc.</p><p>Backup rotation – son is the daily backup, father the end-of-week backup, grandfather the end-of-month backup.</p><p>A disaster starts when the disaster starts; IT does not declare a disaster.</p><p>Not testing your BCP is one of the worst things you can do.</p><p>Fidelity coverage against fraud = bonding</p><p>Which of the following should an incident response team address FIRST after a major incident in an information processing facility? Containment at the facility</p><p>Which of the following should the IS auditor review to ensure that servers are optimally configured to support processing requirements? Server utilization data</p><p>Business case should demonstrate feasibility for any potential project.
By including a feasibility study in the business case along with a cost-benefit analysis, management can make an informed decision.</p><p>Generation of an activity log is not a control by itself. It is the review of such a log that makes the activity a control.</p><p>Accurately capture data from the organization’s systems without causing excessive performance problems.</p><p>People and then data are the most important things.</p><p>Logical access controls: securing software and data within an IPF. (LAC = collection of policies + procedures)</p><p>Call-back features: hook into the access control software and log all authorized and unauthorized access attempts, permitting the follow-up and further review of potential breaches.</p><p>Call forwarding: bypassing call-back control.</p><p>Dumpster diving: looking through an organization’s trash for valuable information.</p><p>Data diddling: changing data before they are entered into the computer.</p><p>Poor biometric implementations are vulnerable to spoofing and mimicry attacks.</p><p>Accountability = implement a log management process.</p><p>Data, voice and video throughput requirements for all users will define the business needs on which one can base the design of the appropriate LAN technology.</p><p>Steganography: digital rights management (DRM)</p><p>Remote booting is a method of preventing viruses, and can be implemented through hardware.</p><p>Nonrepudiation, achieved through the use of digital signatures, prevents the senders from later denying that they generated and sent the message.</p><p>Encryption may protect the data transmitted over the Internet, but may not prove that the transactions were made.</p><p>Authentication is necessary to establish the identification of all parties to a communication.</p><p>Integrity ensures
that transactions are accurate but does not provide the identification of the customer.</p><p>Hashing is irreversible.</p><p>Encryption is reversible.</p><p>Hashing creates an output that is smaller than the original message, and encryption creates an output of the same length as the original message.</p><p>Mandatory vacations help uncover potential fraud or inconsistencies. Ensuring that people who have access to sensitive internal controls or processes take a mandatory vacation annually is often a regulatory requirement and a good way to uncover fraud.</p><p>Asymmetric algorithms require more processing time than symmetric algorithms.</p><p>Immunizers defend against viruses by appending sections of themselves to files.</p><p>Behavior blockers focus on detecting potentially abnormal behavior, such as writing to the boot sector or the master boot record.</p><p>Cyclical redundancy checkers (CRC) compute a binary number on a known virus-free program that is then stored in a database file.</p><p>A CA is a trusted third party that ensures the authenticity of the owner of the certificate.</p><p>Out-of-band connectivity: OOB is something that is not in the same channel of communication. A common example is the OTP that you receive on your mobile for authorization of any payment that you make online.</p><p>IDEA (International Data Encryption Algorithm) is a symmetric cipher used in PGP software. This 64-bit block cipher uses a 128-bit key. Although it has been patented by a Swiss company, it is freely available for noncommercial use. It is considered a secure encryption standard, and there have been no known attacks against it.
DES, SHA, and Tiger typically are not used in PGP.</p><p>Kerberos authentication system: performs the function of a key distribution center by generating tickets that define the facilities on networked machines that are accessible to each user (network authentication protocol based on ticketing).</p><p>All the decisions regarding purchasing existing software or building a custom application should be made using data from the feasibility study and business specifications.</p><p>Replay attack: residual biometric characteristics, such as fingerprints left on a biometric capture device, may be reused to gain access.</p><p>The IS steering committee is a decision-making body composed of top-level functional managers and IS specialists that provides planning and control for the organization’s IS function.</p><p>SAN is a special-purpose network in which different types of data storage are associated with servers and users. A SAN can either interconnect attached storage on servers into a storage array or connect the servers and users to a storage device that contains disk arrays.</p><p>Brute force: feeding the biometric capture device numerous different biometric samples.</p><p>Cryptographic attack: targets the algorithm or the encrypted data.</p><p>Mimic attack: reproducing characteristics similar to those of the enrolled user, such as forging a signature or imitating a voice.</p><p>Professional ethics: encourage compliance with standards, be objective, serve in the interest of stakeholders in a lawful and honest manner, maintain privacy and confidentiality.</p><p>Elements of risk: threats, vulnerabilities, impact, likelihood.</p><p>Controls can reduce the risk down to acceptable levels.</p><p>Risk transfer typically addresses financial risk.
For instance, an insurance policy is commonly used to transfer financial risk, while compliance risk continues to exist.</p><p>Metadata – data elements required to define a database.</p><p>Controls</p><p>Preventive: determine issues, monitor operations; prevent malicious acts.</p><p>Detective: mechanisms for reporting malicious acts.</p><p>PERT will display the complete project and illustrate the various interdependencies between tasks.</p><p>Corrective: basically minimizes the impact after the fact, for example an intrusion detection control that quarantines and removes the problem, or modifying the system; includes contingency planning and testing.</p><p>Knowledge of information technology helps the information security manager understand how changes in the technical environment affect the security posture.</p><p>High risk tolerance (i.e., a high degree of variability in acceptable risk) addresses the issue of uncertainty in the risk assessment process itself.</p><p>Sociability testing is used when one wants to see how the software performs with other applications.</p><p>System programmer = software installation.</p><p>Objective of value delivery is to optimize security investments in support of business objectives.</p><p>Risk analysis is a process by which the likelihood and magnitude of IT risk scenarios are estimated. Risk analysis is conducted to ensure that the information assets with the greatest risk likelihood and impact are managed before addressing risk with a lower likelihood and impact.
Prioritization of IT risk helps maximize return on investment for risk responses.</p><p>Risk analysis = enable the prioritization of risk responses.</p><p>Define the audit universe: FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan.</p><p>Project steering committee: PRIMARILY responsible for overseeing the project in order to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results.</p><p>RAID 7: can be configured into one large virtual disk partition using high-speed asynchronous data transfer.</p><p>Dissemination of tacit knowledge is done in Agile development.</p><p>Model that does not support planning: RAD model.</p><p>Prototyping as its core development tool is used in RAD.</p><p>Completeness of inbound transactions via electronic data interchange (EDI): segment counts built into the transaction set trailer.</p><p>Thin client architecture = Availability</p><p>Risk appetite: the extent to which the organization can take risk; this is calculated without proper figures. It is subjective.</p><p>Risk tolerance: the same as appetite but calculated in measurable units.
Say, a stakeholder can take risk up to some amount in USD (with actual figures).</p><p>Defining and then building the system in a top-down fashion is followed in structured analysis, design and development.</p><p>Risk reduction by controlled trial-and-error procedures is found in prototyping (evolutionary development).</p><p>Project steering committee is ultimately responsible for all deliverables, project costs and schedules.</p><p>Gantt chart: to determine whether the project is behind, ahead or on schedule compared to the baseline project plan.</p><p>BCP test that uses actual resources to simulate a system crash and validate the plan’s effectiveness: preparedness test.</p><p>Residual risk: the remaining level of risk once controls have been applied; can be used by management to further reduce risk by identifying those areas in which more control is needed.</p><p>SLA: a document that provides a company with a performance guarantee for services outsourced to a vendor.</p><p>Mechanisms of risk allocation</p><p>Benchmarking: a process of continuously measuring system results, comparing those results to optimal system performance (industry standards or best practices), and identifying steps and procedures to improve system performance.</p><p>The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail archive policy.</p><p>Segregation of duties provides two benefits: first, a deliberate fraud is more difficult because it requires collusion of two or more persons, and second, it is much more likely that innocent errors will be found. At the most basic level, it means that no single individual should have control over two or more phases of a transaction or operation.</p><p>An IS audit charter establishes the role of the information systems audit function.
The charter should describe the overall authority, scope and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee.</p><p>Qualitative techniques are more effective in evaluating things such as customer loyalty and goodwill.</p><p>In the design phase, security checkpoints are defined and a test plan is developed.</p><p>Governance of outsourcing: the set of responsibilities, roles, objectives, interfaces and controls required to anticipate change and manage the introduction, maintenance, performance, costs and control of third-party provided services.</p><p>Audit trails retrace the flow of a transaction; they recreate the actual transaction flow from the point of origination to its existence on an updated file.</p><p>Management should assign responsibilities to ensure a crosscheck of duties.</p><p>Library control software is concerned with authorized program changes and would not move modified program changes into production unless and until the changes are authorized, which is what the software is designed to track.</p><p>Preventive — designed to lower the amount and impact of unintentional errors entering the system and to prevent unauthorized intruders from internally or externally accessing the system — actions to reduce risk: data validation, pre-numbered forms, and review for duplications.</p><p>SSL is a cryptographic protocol that provides secure communications, providing end-point authentication and communications privacy over the Internet.</p><p>SSL: confidentiality of a message through symmetric encryption.</p><p>The RPO is “the earliest point in time to which it is acceptable to recover the data.” If backups are not performed frequently enough to meet
the new RPO, a risk is created that the company will not have adequate backup data in the event of a disaster.</p><p>Photoelectric effect is the observation that many metals emit electrons when light shines upon them. Electrons emitted in this manner can be called photoelectrons. According to classical electromagnetic theory, this effect can be attributed to the transfer of energy from the light to an electron in the metal.</p><p>When several applications are hosted on a server, the server's RTO must be determined by taking the RTO of the most critical application, which is the shortest RTO.</p><p>Parallel operation is designed to provide assurance that a new system meets its functional requirements. This is the safest form of system conversion testing because, if the new system fails, the old system is ready for production use.</p><p>By evaluating the organization's development projects against the CMM, an IS auditor determines whether the development organization follows a stable, predictable software process.
Although the likelihood of success should increase as the software processes mature toward the optimizing level, mature processes do not guarantee a reliable product.</p><p>CMM does not evaluate technical processes such as programming, nor does it evaluate security requirements or other application controls.</p><p>Application controls consist of edit tests, totals, reconciliations, and identification and reporting of incorrect, missing or exception data.</p><p>Decision support system: interactive system that provides the user with easy access to decision models and data from a wide range of sources – supports managers in decision-making tasks for business purposes. Concentrates less on efficiency than on effectiveness (performing the right task). Usually based on 4GL languages. Improves managers’ decision-making ability, but this is hard to measure.
Implementation risk is the inability to specify purpose and usage.</p><p>A secure web connection or firewall is considered an external defense.</p><p>A firewall will find it more difficult to filter a specific file from a trusted source.</p><p>Inherent risk – inherent risk is normally high due to the number of users and business areas that may be affected.</p><p>Residual risk – residual risk is the remaining risk after management has implemented a risk response.</p><p>Compliance testing – unauthorized modification</p><p>Cost-effective approach to test the security of a legacy application: conduct a vulnerability assessment to detect application weaknesses.</p><p>The FIRST step in data classification is to establish ownership.</p><p>Disk-to-disk (D2D) backup should not be seen as a direct replacement for backup to tape; rather, it should be viewed as part of a multitier backup architecture that takes advantage of the best features of both tape and disk technologies.
Backups to disks are not dramatically faster than backups to tapes in a balanced environment.</p><p>CAATS - AUDIT PROGRAM</p><p>CASE TOOLS - AUDIT TRAIL</p><p>Approve changes to the audit charter = Audit committee</p><p>BCP should be tested = whenever there are significant changes in the organization, and annually.</p><p>Library control software restricts source code to read-only access.</p><p>The process of comparing the business processes and performance metrics including cost, cycle time, productivity, or quality = Benchmarking</p><p>Parity bits are a control used to validate data completeness.</p><p>Run-to-run totals can verify data through various stages of application processing.</p><p>Data dictionary/directory system (DD/DS) helps define and store source and object forms of all data definitions for external schemas, conceptual schemas, the internal schema and all associated mappings. The data dictionary (DD) contains an index and description of all of the items stored in the database.
The directory (DS) describes the location of the data and the access method.</p><p>An important step in maintaining a BCP is to update and test it whenever relevant changes take place within the organization.</p><p>Balanced scorecard is: to measure organizational performance and effectiveness against strategic</p><p>Business understanding = obtain an understanding by reviewing relevant documents, making inquiries, and conducting a risk assessment.</p><p>Operational test = Simulation test</p><p>The first step in developing a business continuity plan = perform a BIA</p><p>Snapshot tool is most useful when an audit trail is required.</p><p>Full operational test: one step away from an actual service disruption; a full test of the BCP.</p><p>News media attention should be => directed to a single designated spokesperson.</p><p>BCP = regularly reviewed and updated.</p><p>BCP should be reviewed quarterly and updated at least annually. Updates should occur after each test, changes in personnel, or changes in business direction. Plans are often updated for changes in key customers and products.</p><p>MAO is the maximum acceptable outage that can occur before critical deadlines are missed or recovery is no longer feasible because of the amount of time lapsed. MAO may also be referred to as maximum tolerable downtime (MTD).</p><p>FIRST step in managing the risk of a cyberattack is to: identify critical information assets.</p><p>ITF can be used to incorporate test transactions into a normal production run of a system.</p><p>CIS is useful when transactions meeting certain criteria need to be examined.</p><p>Inherent risk: the probability of risk because of an existing situation, assuming there are no compensating controls. For instance, money is more likely to be stolen than the power generators.
These types of risks are independent of the audit.</p><p>Control risk: the risk that an error cannot be prevented or detected by the existing controls. For instance, manual review of computer logs is a control against unauthorized access. However, the manual review has a risk of missing or overlooking some activities because of human error. Therefore, manual review always has a control risk.</p><p>Ownership of intellectual property will have a significant cost and is a key aspect to be defined in an outsourcing contract.</p><p>To ensure alignment, the information security program should establish a steering committee that includes all business areas.</p><p>Dual power leads: the best way to prevent power outages is to install power leads from two different power substations.</p><p>To collect evidence while transactions are processed = embedded audit module = EAM</p><p>Detection risk: occurs when an IS auditor uses inadequate test procedures to detect a material error. If the error exists, the auditor will not find it because the wrong test procedures were used. An auditor’s ability to identify the detection risk enhances the probability of rectifying the material errors. The probability of detection risk can be minimized by choosing the right sampling procedures.</p><p>Remember that the audit risks are not the same as statistical sampling risks. Sampling risk means selecting the incorrect samples.</p><p>The RPO is determined based on the acceptable data loss in the case of a disruption of operations. RPO defines the point in time from which it is necessary to recover the data and quantifies, in terms of time, the permissible amount of data loss in the case of interruption.</p><p>Audit hooks are useful when only select transactions or processes need to be examined.</p><p>There are costs associated with all activities, and a disaster recovery plan is not an exception.
Although there are costs associated with a disaster recovery plan, there are unknown costs that are incurred if a disaster recovery plan is not implemented.</p><p>An advantage of using sanitized live transactions in test data is that test transactions are representative of live processing.</p><p>Nonrepudiation services provide evidence that a specific action occurred. Nonrepudiation services are similar to their weaker proof counterparts, i.e., proof of submission, proof of delivery and message origin authentication. However, nonrepudiation provides stronger evidence because the proof can be demonstrated to a third party.</p><p>Digital signatures provide nonrepudiation.</p><p>Message origin authentication will only confirm the source of the message and does not confirm the specific action that has been completed.</p><p>Continuous audit approach – time-sharing environments.</p><p>OTP: a security system that requires a new password every time a user authenticates, thus protecting against an intruder replaying an intercepted password. OTP generates passwords using either the MD4 or MD5 hashing algorithms.</p><p>Structured programming is a programming discipline that employs a top-down strategy, a single-entry module, a single-exit module, and the exclusive use of three basic program constructs.
These constructs include sequence, selection, and repetition.</p><p>Domain integrity test / INTEGRATED TEST FACILITY --- effectiveness of the routines/operations – the major objective of this exercise is to verify that the edit and validation (VERIFICATION/COMPARING) routines are working satisfactorily.</p><p>Relational integrity tests – calculations/statistical – relational integrity tests are performed at the record level and usually involve calculating and verifying various calculated fields, such as control totals.</p><p>Referential integrity tests – benchmarking – involve ensuring that all references to a primary key from another file actually exist in their original file.</p><p>Test data DISADVANTAGE – creating test data that covers all possible valid and invalid conditions.</p><p>When using dynamic keys, the encryption key is changed frequently, thus reducing the risk of the key being compromised and the message being decrypted.</p><p>A classification schema is developed to define the various degrees of sensitivity and/or criticality of information that is in the care, control or custody of an organization.</p><p>Important when an operating system (OS) patch is to be applied to a production environment = approval from the information asset owner.</p><p>Encryption with static keys—using the same key for a long period of time—risks that the key would be compromised.</p><p>Encryption of the data on the connected device (laptop, personal digital assistant [PDA], etc.)
addresses the confidentiality of the data on the device, not the wireless session.</p><p>The goal of IT risk analysis is to enable the prioritization of risk responses.</p><p>Business interruption: covers the loss of profit due to the disruption of the activity of the company caused by any malfunction of the IS organization.</p><p>Types of batch balancing include: batch registers + control accounts + computer agreement.</p><p>Information is gathered through inquiry, observation and interviews, and analysis of data using computer-assisted auditing techniques (CAATs).</p><p>Data owners are concerned with and responsible for who has access to their resources and therefore need to be concerned with the strategy of how to mitigate the risk of data resource usage.</p><p>Quantitative</p><p>• Objective</p><p>• Based on probability</p><p>• Annual loss expectancy</p><p>• ALE = SLE X ARO</p><p>Data flow diagrams – graphically summarize data paths and storage (work flows).</p><p>Mantrap system of two doorways may be used to prevent multiple persons from entering and exiting at the same time. A mantrap allows one person to enter and requires the door to be closed behind the person. After the first door is closed, a second door can be opened.
The mantrap allows only one person to enter and exit at a time.</p><p>Certification Practice Statement (CPS) – defines how to proceed in the event of a compromised private key.</p><p>ORGANIZATIONAL CHART – RESPONSIBILITIES/DUTIES OF INDIVIDUALS</p><p>Encryption = confidentiality</p><p>The design of a honeypot is such that it lures the hacker and provides clues as to the hacker's methods and strategies and the resources required to address such attacks.</p><p>Validated digital signatures in an email = help detect spam.</p><p>A bastion host does not provide information about an attack.</p><p>IDS/IPS are designed to detect and address an attack in progress and stop it as soon as possible.</p><p>Nonrepudiation, achieved through the use of digital signatures, prevents the senders from later denying that they generated and sent the message (identification of the customer).</p><p>Are developed for the organization as a whole. – Top Down</p><p>Are more likely to be derived as a result of a risk assessment. – Bottom Up</p><p>Will not conflict with overall corporate policy. – Top Down</p><p>Ensure consistency across the organization.
- Top Down</p><p>Audit trails can assist in detecting security violations, performance problems, and flaws in applications.</p><p>Audit trails are considered only after a problem occurs.</p><p>Compensating controls would include: audit trails + reconciliation + exception reporting + transaction logs + supervisory reviews + independent reviews.</p><p>To achieve value delivery, consider a continuous improvement (i.e., Kaizen) culture based on the understanding that security is a process, not an event.</p><p>Characteristics of a DSS: aims at solving less-structured problems – combines the use of models – emphasizes flexibility and adaptability to accommodate changes.</p><p>CSA is the review of business objectives and internal controls in a formal and documented collaborative process. It includes testing the design of automated application controls.</p><p>Data confidentiality is achieved through authorized restrictions on access and disclosure, including a means for protecting privacy and proprietary data. Provisioning access to data on a need-to-know basis is the primary way to ensure data confidentiality.</p><p>Diverse routing means one provider, but multiple routes (or paths).</p><p>Alternate routing means multiple network providers and/or multiple media (fiber, cable, radio).</p><p>Honeypot: obtains information about the hacker's strategy and methods.</p><p>DSS developed using 4GL tools.</p><p>AUDIT RISK: the risk that an auditor expresses an inappropriate audit opinion when the financial statements are materially misstated is called audit risk.
This risk is reduced by designing and performing audit procedures to obtain sufficient appropriate audit evidence.</p><p>Inherent risk: inherent risk is the susceptibility of an account balance or class of transactions to misstatement that could be material individually or collectively. Accounts derived from complex estimates are subject to greater uncertainty than accounts from simple, factual data.</p><p>Control risk: control risk is the risk that a material misstatement would not be prevented, detected, or corrected by the accounting and internal control systems. The risk is a function of the effectiveness of the design and operation of the internal control system in achieving the entity’s objectives relevant to the preparation of financial statements.</p><p>Detection risk: the risk that the auditor will fail to detect a material misstatement is known as detection risk. This risk relates to the auditor. Detection risk is a function of the effectiveness of the audit procedures and of their application by the auditor. Due to sampling procedures, this risk cannot be reduced to ZERO.</p><p>The success of a CSA program depends on the degree to which line managers assume responsibility for controls.
This enables line</p><p>managers to detect and respond to control errors promptly.</p><p>Employee Termination: In order to protect IT assets, terminating logical access to IT resources is the first and most important</p><p>action to take once management has confirmed the employee's clear intention to leave the enterprise.</p><p>Maintenance and protection of data = Data custodian</p><p>Organizational assets, including information = board of directors</p><p>Providing access to systems = Data custodians</p><p>Approving access to systems = Data Owner</p><p>Establishing authorization and authentication = Data custodians</p><p>Handling identity management = Information security staff</p><p>Steering committee should be in place to approve all security projects.</p><p>System owner to take corrective action => vulnerability in the security of a critical web server</p><p>Cyberattack: identify critical information assets -> evaluate the likelihood of threats -> assess the vulnerability impact-> estimate</p><p>potential damage.</p><p>Information Management and Auditing CISA 2019</p><p>16 Prepared by: madunix CCNA, CCNP, CCIP, CISA, CISSP, CFR, CSC, CIoTSP, CISM, eJPT, SCSC, KCSP, KCTP and ICATE</p><p>EDI usually decreases the time necessary for review.</p><p>Always tested in this order: Desk-Based Evaluation/Paper Test: A group steps through a paper procedure and mentally performs</p><p>each step. Preparedness Test: Part of the full test is performed. Different parts are tested regularly. Full Operational Test:</p><p>Simulation of a full disaster</p><p>Critical: Cannot be performed manually. 
Tolerance to interruption is very low</p><p>Vital: Can be performed manually for very short time</p><p>Sensitive: Can be performed manually for a period of time, but may cost more in staff</p><p>Non-sensitive: Can be performed manually for an extended period of time with little additional cost and minimal recovery effort</p><p>RISK= Threat+ Vulnerability + Exposure</p><p>SCARF works using predetermined exceptions. The constituents of “exceptions” have to be defined for the software to trap.</p><p>GAS is a data analytic tool that does not require preset information.</p><p>The integrated test facility tests the processing of the data and cannot be used to monitor real-time transactions.</p><p>Snapshots take pictures of information observed in the execution of program logic.</p><p>The goal of the meeting is to confirm the factual accuracy of the audit findings and present an opportunity for management</p><p>to agree on corrective action.</p><p>The optimal business continuity strategy for an entity is determined by the: lowest sum of downtime cost and recovery cost.</p><p>Rollback procedures involve restoring all systems to their previous working state.</p><p>Parallel changeover involves first running the old system, then running both the old and new systems in parallel, and finally fully</p><p>changing to the new system after gaining confidence in the functionality of the new system.</p><p>Level 3 = Defined</p><p>Algorithms is set of procedure to achieve certain objective</p><p>Protection of specific sensitive information stored in the data warehouse => Implement column- and row-level permissions</p><p>Compliance testing determines whether controls are being applied in compliance with policy.</p><p>Variable sampling is used to estimate numerical values such as dollar values.</p><p>Substantive testing substantiates the integrity of actual processing such as balances of financial statements.</p><p>BCP should be reviewed every time a risk assessment is 
completed</p><p>Stop-or-go sampling allows a test to be stopped as early as possible and is no appropriate for checking whether procedures have</p><p>been followed.</p><p>Attribute sampling is the primary sampling method used for compliance testing.</p><p>Data mart: stores result from data mining. Data Mart The data mart is a repository of the results from data mining the warehouse.</p><p>Likelihood = Impact</p><p>The risk appetite of an organization shows how much an organization is willing to take a risk in order to grow itself. It is the</p><p>amount of risk that an organization is willing to accept to attain its business objective."</p><p>JAD It is the people that are designing the computer systems, and therefore, getting the right people in the JAD meeting with high</p><p>motivation levels is essential. People are more important than things.</p><p>Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality in a population and is</p><p>used in compliance testing to confirm whether the quality exists.</p><p>Discovery sampling is used to find 100 percent of everything possible when fraud is suspected or the likelihood of finding evidence</p><p>is low.</p><p>Expert systems benefits: Capturing the knowledge and experience of individuals + Sharing knowledge and experience</p><p>Most insurance covers only financial losses based on the historical level of performance and not the existing level of performance</p><p>Information Management and Auditing CISA 2019</p><p>17 Prepared by: madunix CCNA, CCNP, CCIP, CISA, CISSP, CFR, CSC, CIoTSP, CISM, eJPT, SCSC, KCSP, KCTP and ICATE</p><p>Sampling methods used in compliance testing: Attribute; Stop-and-go; Cell</p><p>SNAPSHOT = Require an AUDIT TRAIL</p><p>CIS = Require EXAMINATION</p><p>Audit hoots = meet specific criteria</p><p>Policies are high-level documents that represent the corporate philosophy of an organization</p><p>The purpose of the out of scope section is to make 
clear to readers what items are not considered project objectives so that all</p><p>project stakeholders understand the project boundaries and what is in scope vs. out of scope.</p><p>CA: Continuous Auditing is a method used to perform audit-related activities on a continuous basis that covers control and risk</p><p>assessment. Is generally carried out by Internal Audit and uses CA/CCM software.</p><p>CCM: Continuous (Controls) Monitoring are processes to ensure that policies/processes are operating effectively and to assess</p><p>adequacy/effectiveness of controls; Is generally carried out by operational/financial management. Audit will independently evaluate.</p><p>Continuous Auditing: • Provide assurance in high risk areas • Increase audit oversight and detect issues sooner rather than later</p><p>Out of scope items are not part of the project, while nice to have items may be included in the project objectives. However, they</p><p>may be the last priority on the list of all project objectives.</p><p>Once the interdependencies or critical path has been determined then a realistic assessment can be made of the project schedule</p><p>Proper IT management focuses on proactive discovery of inconsistencies, errors, and processing failures. The results can be</p><p>used for secondary value in trend analysis and SLA reporting.</p><p>Problem escalation is used to ensure that the problem is analyzed by a competent individual with the proper training.</p><p>Layer 3: This layer handles the routing of the data (sending it in the right direction to the right destination on outgoing</p><p>transmissions and receiving incoming transmissions at the packet level). 
The network layer does routing and forwarding.</p><p>The primary responsibility of the IT information security person is to ensure the proper implementation of data security policies</p><p>and to monitor the level of compliance.</p><p>Short-term and long-term planning is the responsibility of audit management.</p><p>Audit trail It's a series of logged events that can be followed back with relevant information alongside each event.</p><p>From a control perspective, a job description should establish responsibility and accountability.</p>
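The notes above contrast SCARF (an embedded audit module that can only trap exceptions defined in advance), GAS (ad hoc analysis with no preset criteria) and snapshots (pictures of data as observed in program logic, which need an audit trail to be useful). The following Python is an added example written for these notes, not code from the notes' author: the transactions, the three exception rules and the log format are all constructed for illustration.

```python
"""SCARF-style embedded audit module: trap predetermined exceptions and keep snapshots.

Added example, not part of the original notes. The transactions, the
exception rules and the audit-log layout are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    user: str
    amount: float
    approver: str
    hour: int  # hour of day the transaction was posted (0-23)


# Constructed sample transactions (hypothetical data, not real records).
SAMPLE_TRANSACTIONS = [
    Transaction("T1", "alice", 950.00, "bob", 10),
    Transaction("T2", "carol", 12_500.00, "dave", 14),   # over the amount limit
    Transaction("T3", "erin", 4_200.00, "erin", 11),     # self-approved
    Transaction("T4", "frank", 300.00, "grace", 2),      # posted outside business hours
    Transaction("T5", "heidi", 25_000.00, "heidi", 23),  # trips all three rules
]

# SCARF: the "exceptions" have to be defined up front; anything not listed here
# passes through the embedded module untrapped.
ExceptionRule = Callable[[Transaction], bool]

PREDETERMINED_EXCEPTIONS: Dict[str, ExceptionRule] = {
    "amount_over_limit": lambda t: t.amount > 10_000,
    "self_approval": lambda t: t.user == t.approver,
    "outside_business_hours": lambda t: not (8 <= t.hour < 18),
}


@dataclass
class AuditLogEntry:
    tx_id: str
    matched_rules: List[str]
    snapshot: dict  # picture of the transaction exactly as the hook observed it


def scarf_module(transactions, rules=PREDETERMINED_EXCEPTIONS) -> List[AuditLogEntry]:
    """Embedded audit module: evaluate every transaction against the predetermined
    exception rules and write a snapshot of each trapped transaction to the audit log.
    Transactions that match no rule leave no trace, which is the SCARF limitation."""
    log: List[AuditLogEntry] = []
    for tx in transactions:
        matched = [name for name, rule in rules.items() if rule(tx)]
        if matched:
            log.append(AuditLogEntry(tx.tx_id, matched, dict(vars(tx))))
    return log


def exception_counts(log: List[AuditLogEntry]) -> Dict[str, int]:
    """Summarise the audit log by exception rule (what an auditor reviews periodically)."""
    counts: Dict[str, int] = {}
    for entry in log:
        for rule in entry.matched_rules:
            counts[rule] = counts.get(rule, 0) + 1
    return counts


def gas_query(transactions, predicate: Callable[[Transaction], bool]) -> List[str]:
    """GAS-style analysis: an ad hoc query over the whole population, with no criteria
    configured in advance; returns the ids of the transactions that satisfy it."""
    return [tx.tx_id for tx in transactions if predicate(tx)]


if __name__ == "__main__":
    trapped = scarf_module(SAMPLE_TRANSACTIONS)
    for entry in trapped:
        print(entry.tx_id, entry.matched_rules, entry.snapshot)
    print("exception counts:", exception_counts(trapped))
    # A question nobody anticipated when the rules were written is still answerable with GAS:
    print("small transactions:", gas_query(SAMPLE_TRANSACTIONS, lambda t: t.amount < 1_000))
```

The snapshot stored with each log entry is what lets an auditor reconstruct what the program saw at the moment the exception was trapped; without that trail the exception count alone is not reviewable evidence.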
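Attribute sampling, stop-or-go sampling and discovery sampling, as described in the notes above, are easier to compare when run over one population. The Python below is an added example, not code from the notes' author: the population of change tickets is constructed, and the stop-or-go stopping rule is a deliberately simplified sequential plan (real audit plans take their sample sizes and stopping points from published statistical tables).

```python
"""Compliance-testing sampling methods over a constructed population of change tickets.

Added example, not part of the original notes. The population, the sample
selections and the simplified stop-or-go rule are constructed for illustration.
"""
import random
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Sequence


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: int
    approved_before_deploy: bool  # the attribute (control) under test


def build_population(size: int, deviation_ids: Iterable[int]) -> List[ChangeTicket]:
    """Constructed population: tickets whose id is in deviation_ids lack the approval."""
    missing = set(deviation_ids)
    return [ChangeTicket(i, i not in missing) for i in range(size)]


def random_selection(population: Sequence[ChangeTicket], n: int, seed: int) -> List[int]:
    """Pick n ticket ids without replacement (seeded so a run is reproducible)."""
    rng = random.Random(seed)
    return sorted(t.ticket_id for t in rng.sample(list(population), n))


def attribute_sample(population, selected_ids: Sequence[int], tolerable_rate: float) -> Dict:
    """Attribute sampling: estimate the rate of occurrence of the deviation from a fixed-size
    sample and compare it with the tolerable deviation rate to conclude on compliance."""
    by_id = {t.ticket_id: t for t in population}
    deviations = sum(1 for i in selected_ids if not by_id[i].approved_before_deploy)
    rate = deviations / len(selected_ids)
    return {"examined": len(selected_ids), "deviations": deviations,
            "deviation_rate": rate, "control_reliable": rate <= tolerable_rate}


def stop_or_go_sample(population, planned_size: int, block_size: int, max_deviations: int) -> Dict:
    """Stop-or-go (sequential) sampling: examine items in blocks and stop as soon as a
    conclusion is possible. Simplified rule: more than max_deviations => stop, control not
    reliable; planned_size reached with max_deviations or fewer => stop, control reliable.
    The population is assumed to be in random order already (shuffle it first)."""
    examined = deviations = 0
    for ticket in population:
        examined += 1
        if not ticket.approved_before_deploy:
            deviations += 1
        if examined % block_size == 0 or examined == len(population):
            if deviations > max_deviations:
                return {"examined": examined, "deviations": deviations, "control_reliable": False}
            if examined >= planned_size:
                return {"examined": examined, "deviations": deviations, "control_reliable": True}
    return {"examined": examined, "deviations": deviations,
            "control_reliable": deviations <= max_deviations}


def discovery_sample(population) -> Optional[int]:
    """Discovery sampling: keep examining until the first deviation is found (used when fraud
    is suspected and a single occurrence matters); returns its ticket id, or None if clean."""
    for ticket in population:
        if not ticket.approved_before_deploy:
            return ticket.ticket_id
    return None


if __name__ == "__main__":
    pop = build_population(100, deviation_ids={7, 18, 42, 63, 91})  # 5% true deviation rate
    print(attribute_sample(pop, random_selection(pop, 20, seed=1), tolerable_rate=0.05))
    shuffled = list(pop)
    random.Random(2).shuffle(shuffled)
    print(stop_or_go_sample(shuffled, planned_size=30, block_size=10, max_deviations=0))
    print("first deviation found at ticket:", discovery_sample(shuffled))
```

Running the stop-or-go plan shows why the notes call it unsuitable for checking whether procedures were followed: it stops on the first block that exceeds the allowance, so it answers "is the control reliable enough?" quickly but never yields the population-wide occurrence rate that attribute sampling estimates.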