CISA NOTES - Thor Teaches


Information Management and Auditing - CISA - CISA NOTES (2019)
Prepared by: madunix CCNA, CCNP, CCIP, CISA, CISSP, CFR, CSC, CIoTSP, CISM, eJPT, SCSC, KCSP, KCTP and ICATE

Best control would be provided by having the production control group copy the source program to the production libraries and then compile the program.
Decision support is enhanced by using a data warehouse and data marts.
Primary objective of value delivery: optimize security investments in support of business objectives.
The MOST robust method for disposing of magnetic media: destroying it.
Data warehousing involves data cleaning, data integration, and data consolidation.
When drawing up a contract with a cloud service provider, the ideal practice is to remove the customer lock-in clause. It may be important for the client to secure portability of their system assets, i.e., the right to transfer from one vendor to another.
Power anomalies (ST = short term, LT = long term):
  Fault      ST   loss of power
  Spike      ST   high voltage
  Sag        ST   low voltage
  Brownout   LT   low voltage
  Surge      LT   high voltage
  Blackout   LT   loss of power
The GREATEST challenge of performing a quantitative risk analysis: obtaining accurate figures on the frequency of specific threats.
An IDS cannot detect attacks within encrypted traffic, and it would be a concern if someone were misinformed and thought that the IDS could detect attacks in encrypted traffic.
A standard establishes mandatory rules, specifications and metrics used to measure compliance against quality, value, etc. Standards are usually intended for compliance purposes and to provide assurance to others who interact with a process or the outputs of a process.
The board of directors and executive officers are accountable for the functionality, reliability, and security within IT governance.
Web application attack that facilitates unauthorized access to a database: SQL injection (SQLi).
Regression testing is undertaken PRIMARILY to ensure that applied changes have not introduced new errors.
Capacity monitoring: the primary objective is to ensure compliance with the internal SLA between the business and IT; it helps in arriving at expected future capacity based on usage patterns, and helps in initiating procurement based on the current usage and expected future capacity.
A cryptographic hash is a primary defense against alteration attacks.
Variable sampling would be the best sampling technique to review an organization's balance sheet for material transactions. It is also known as dollar estimation.
Integrity of data: information is changed only in a specified and authorized manner.
CSA highlights noncompliance with the current policy.
Batch control reconciliations are a compensating control for mitigating the risk of inadequate segregation of duties.
RFID: any RFID signal you can read can be duplicated; issues of privacy.
Concurrency control manages simultaneous access to a database. It prevents two users from editing the same record at the same time and also serializes transactions for backup and recovery.
The first criterion must be to ensure that there is no ambiguity in the procedures and that, from a security perspective, they meet the applicable standards and, therefore, comply with policy.
The information security manager is responsible for developing a security strategy based on business objectives with the help of business process owners.
Load balancing best ensures uninterrupted system availability by distributing traffic across multiple servers. Load balancing helps ensure consistent response time for web applications.
The IS auditor's main responsibility during the test of the plan is to act as an observer to the success of being able to resume timely business processing. The IS auditor's observations should be documented and analyzed, with appropriate recommendations brought forth to management.
The level of effectiveness of employees will be determined by their existing knowledge and capabilities, in other words, their proficiencies.
Reviewing the access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system (during a post-implementation review).

Supports the prioritization of new IT projects: investment portfolio analysis.
Information security is not only a technical issue, but also a business and governance challenge that involves risk management, reporting and accountability. Effective security requires the active engagement of executive management.
The warm site is acceptable to the business when the downtime is acceptable without breaching any legal requirements. Making a profit is not the reason for using a warm site.
The main function of QoS is to optimize network performance by assigning priority to business applications and end users, through the allocation of dedicated parts of the bandwidth to specific traffic.
One of the features of referential integrity checking occurs when a record is deleted and all other referenced records are automatically deleted.
RFID risks: business process risk, business intelligence risk, privacy risk, externality risk.
Re-engineering: reusing design and program components.
Real-time application system: transaction log.
RACI chart: responsibility assignment matrix.
Information systems security policies are used as the framework for developing logical access controls.
One way to remove data remanence is with a degausser.
Proactive management means anticipating problems in advance, being ready with solutions, and providing automation plans for the help desk.
Audit program: a step-by-step set of audit procedures and instructions that should be performed to complete an audit.
Cloud bursting is an application deployment model in which an application runs in a private cloud or data center and bursts into a public cloud when the demand for computing capacity spikes. Cloud bursting is used for load balancing between clouds.
Ordering of biometric devices with the best response times and lowest EERs: palm, hand, iris, retina, fingerprint and voice, respectively (PH-I-RF-V).
To detect lost transactions, automated systems balancing could be used.
Relative humidity (RH) is defined as the amount of moisture in the air at a given temperature in relation to the maximum amount of moisture the air could hold at the same temperature. In a data center or computer room, maintaining ambient relative humidity levels between 45% and 55% is recommended for optimal performance and reliability.
It is a generally agreed upon standard in the computer industry that expensive IT equipment should not be operated in a computer room or data center where the ambient room temperature has exceeded 85 F (30 C).
Information gathering techniques: brainstorming, Delphi technique, interviewing, root cause analysis.
Quality assurance is also a root-cause analysis process. Fishbone (Ishikawa) diagram: determines how various factors are linked to potential problems or effects; it is mainly referred to as "root cause" analysis.
Network slow: use a protocol analyzer to perform network analysis and review error logs of local area network (LAN) equipment.
A threat is not a vulnerability. A threat exploits a vulnerability, e.g. a weak password (vulnerability) is exploited by a dishonest employee (threat) to commit fraud leading to financial losses.
Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.
Batch controls: total monetary amount, total items, total documents, hash totals.
Matrix organizational structure combines functional and product departmentalization, creates a dual reporting structure, and is optimal where product groups are necessary.
Corporate governance consists of the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed. Information security governance is a subset of an organization's overall governance program. Risk management, reporting, and accountability are central features of these policies and internal controls.

Prototyping: the process of quickly putting together a working model (a prototype) in order to test various aspects of a design, illustrate ideas or features and gather early user feedback.
Unsuccessful logons are monitored by the security administrator.
The majority of project risk can typically be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with this risk.
Frame Relay is more efficient than X.25.
ATM is asynchronous; time slots are available on demand, with information identifying the source of the transmission contained in the header of each ATM cell.
Hash totals: verification that the total in a batch agrees with the total calculated by the system.
The IS auditor has an obligation to the project sponsor and the organization to advise on appropriate project management practices. Waiting for the possible appointment of a risk manager represents an unnecessary and dangerous delay to implementing risk management.
Race conditions occur due to interference caused by the following conditions: sequence or nonatomic operations; deadlock, livelock, or locking failure.
Prior to implementing new technology, an organization should perform a risk assessment, which would then be presented to business unit management for review and acceptance.
Configuration management accounts for all IT components, including software. Project management is about scheduling, resource management and progress tracking of software development. Problem management records and monitors incidents. Risk management involves risk identification, impact analysis, an action plan, etc.
A penetration test is normally the only security assessment that can link vulnerabilities together by exploiting them sequentially.
What is the difference between the false acceptance rate and the false rejection rate? False acceptance means an unauthorized user is permitted access (FAR - UP). False rejection is when an authorized person is denied access (FRR - AD).
IaaS: a company is trying to reduce its server environment footprint, so the in-house application servers were moved to another location, hosted by a third party. The application software and application servers are now hosted and supported by another company; this is IaaS.
Having access to the database could provide access to database utilities, which can update the database without an audit trail and without using the application. Using SQL only provides read access to information.
VPN: data confidentiality.
An audit charter should state management's objectives for, and delegation of authority to, IS auditors.
Provisioning access to data on a need-to-know basis PRIMARILY ensures data confidentiality.
Face-to-face communications are an example of informal methods of monitoring and controlling a system development life cycle project, since it is hard to document the communication all the time. Evidence is hard to obtain with informal methods.
A log can be maintained in a manual or automated form, where activities are logged with a sequential control number for tracking purposes.
Escrow: the client is entitled to the benefit of only using the software and not owning it, unless they pay more money. Escrow may provide some protection if the vendor goes out of business, but does not prevent software from being discontinued.
4GL provides screen-authoring and report-writing utilities that automate database access. 4GL tools do not create the business logic necessary for data transformation.
A flowchart is used to document internal program logic.
A feasibility study should be the basis for management's decision to buy available software or to build a custom software application.
Recovery managers should be rotated to ensure that experience with the recovery plan (DRP) is spread among the managers.
An entity-relationship diagram (ERD) is used to help define the database schema.
Function point analysis is used for estimation of work during the feasibility study.

Parallel migration increases support requirements but lowers the overall risk. The old and new systems are run in parallel to verify integrity while building user familiarity with the new system.
Phased changeover: in larger systems, converting to the new system in small steps or phases may be possible. This may take an extended period of time. The concept is best suited to either an upgrade of an existing system, or to the conversion of one department at a time. The phased approach creates a support burden similar to that of parallel operation. A well-managed phased changeover presents a moderate level of risk.
Data-oriented databases (DODBs) are designed for predictable data that has a consistent structure and a known or fixed length. Object-oriented databases (OODBs) are designed for data that has a variety of possible data formats.
Hard changeover: in certain environments, executing an abrupt change to the new system may be necessary. This is known as a hard changeover, a full change occurring at a particular cutoff date and time. The purpose is to force migration of all the users at once. A hard changeover may be used after successful parallel operation or in times of emergency.
Checklists are an example of a formal method of communication between the affected parties. A checklist provides guidelines for reviewing functions and activities for assurance and evaluative purposes. Checklists can detect whether activities were performed according to plans, policies, and procedures.
The Agile method places greater reliance on the undocumented knowledge contained in a person's head. Agile is the direct opposite of capturing knowledge through project documentation.
In the SDLC, approval by management is required to proceed to the next phase or possibly kill the project; i.e. the review at the end of every SDLC phase is intended to prevent the project from proceeding unless it receives management's approval.
The ACID principle of database transactions refers to atomicity (all or nothing), consistency, isolation (transactions operate independently), and durability (data is maintained).
Major activities in software quality assurance include project management, software verification and validation, software configuration management, and software quality assurance. These activities become a baseline and any subsequent changes require management approvals. Proposed changes are compared to the baseline, which is the standard.
Opportunity costs are those costs inherent in selecting one option in favor of another. When a software package's implementation is delayed, the inherent cost of other projects being deferred during its implementation is an example of opportunity cost. The time lost due to delayed implementation of a current project could have been applied to developing a new project. Opportunity costs are hard to quantify precisely, but can be among the most important factors in software selection.
Maintenance costs are the costs to update and adapt software to match changing organizational needs. The maintenance costs of a system will vary widely, depending upon such factors as the type of application, the complexity of the system, and the need for periodic updates.
If the database is not normalized, the IS auditor should review the justification since, in some situations, denormalization is recommended for performance reasons. The IS auditor should not recommend normalizing the database until further investigation takes place. Reviewing the conceptual data model or the stored procedures will not provide information about normalization.
Spoofing is a form of impersonation where one computer tries to take on the identity of another computer. When an attack originates from the external network but uses an internal network address, the attacker is most likely trying to bypass firewalls and other network security controls by impersonating (or spoofing) the payroll server's internal network address.
A DoS attack is designed to limit the availability of a resource and is characterized by a high number of requests which require a response from the resource (usually a web site). The target spends so many resources responding to the attack requests that legitimate requests are not serviced.
An application-layer gateway (proxy firewall) and stateful inspection firewalls provide the greatest degree of protection and control because both firewall technologies inspect all seven OSI layers of network traffic.
Control objectives are developed to achieve acceptable levels of risk. The extent to which that is achieved is a good measure of the effectiveness of the strategy.
Attribute sampling is the primary sampling method used for compliance testing.
Social engineering includes impersonation through a telephone call, dumpster diving and shoulder surfing.
Downtime reports track the availability of telecommunication lines and circuits. Interruptions due to power/line failure, traffic overload, operator error or other anomalous conditions are identified in a downtime report.
The first step in implementing information security governance is to define the security strategy, based on which security baselines are determined.
Risk created by a reciprocal agreement for disaster recovery may result in hardware and software incompatibility.

The service delivery objective (SDO) is the level of service to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs: the minimum acceptable operational capability.
Assigning accountability to individuals is most likely to ensure that duties are properly carried out.
An uninterruptible power supply (UPS) system is a backup power system that utilizes batteries to provide short-term power when a power loss such as a blackout or a brownout is detected. Power conditioner devices assist in keeping the electrical service constant by monitoring and regulating the power in the building. These devices can activate backup power supplies.
Surge protectors are passive devices that are used to protect electrical components from spikes in the power line. Surge protectors usually utilize metal oxide varistors (MOVs) to shunt the voltage spike to ground.
Background checks of prospective employees best prevent attacks from originating within an organization.
There are two modes for biometric recognition: verification and identification. In verification, an identity is claimed and the comparison process is limited to checking the reference corresponding to this identity. In identification, no claim of identity is necessary and the system searches its reference database to find if a stored reference matches the biometric characteristics recorded.
A generator is used when a continuous power supply is needed in power loss situations and is activated when a loss in power is detected. It does not protect electrical components from spikes in the power line.
The IT assets inventory is the basic input for the business continuity/disaster recovery plan, and the plan must be updated to reflect changes in the IT infrastructure. The other choices are procedures required to update the disaster recovery plan after having updated the required assets inventory.
Outsourcing of some information security activities can cut costs and increase resources for other security activities in a proactive manner, as can automation of some security procedures.
IT steering committee: the role of an IT steering committee is to ensure that the IS department is in harmony with the organization's mission and objectives.
Change control board (CCB): a management review to ensure awareness and management control of changes in the IT environment.
Abrupt changeover: stop the existing system abruptly to shift over to the new one.
Phased changeover: both are run, but the output of both systems is used since the functions performed are different.
Parallel changeover: both systems are run simultaneously for a period of time and output of
Emissions can be detected by sophisticated equipment and displayed, thus giving access to data to unauthorized persons. They should not cause disruption of CPUs or affect noise pollution.
Hardening a system means to configure it in the most secure manner (install the latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent non-privileged users from gaining the right to execute privileged instructions.
Pilot conversion involves setting up the new system for a small group of users and participants, while the remaining majority of users and participants still interact with the current system. At some predetermined point in time, the pilot system is installed for all users and participants and the current system is then switched off.
Mandatory access controls (MAC) are filters that cannot be altered by normal users and data owners, and they act by default to enforce a base level of security.
The privilege escalation attack in the question I asked is a type of attack where higher-level system authority is obtained by various methods; in this example the task scheduler service runs with administrator permissions and a security flaw allows programs launched by the scheduler to run at the same permission level.
Non-repudiation: the assurance that a party cannot later deny originating data, that is, the provision of proof of the integrity and origin of the data that can be verified by a third party. A digital signature can provide non-repudiation.
To address an organization's disaster recovery requirements, backup intervals should not exceed the RPO.
Resource management: the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people.
N+1: multiple components (N) have at least one (+1) independent backup component available.
Ad hoc networks are a dynamic grouping of devices in ever-changing configurations. Imagine the wireless devices connecting via Bluetooth when you enter a coffee shop, a client's office, or your own automobile. As you move through your activities each day, the configuration of this overall network is changing. Ad hoc means unstructured and ever changing.

When an organization is outsourcing its information security function, which of the following should be kept in the organization? Accountability for the corporate security policy.
An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)? References from other customers.
Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider agrees to be subject to external security reviews.
Segregation of duties: compensating controls.
Incident response: a response is required from skilled individuals to deal with technical problems or the failure of internal controls.
When the cost of a control is more than the cost of the risk, the risk should be accepted. Transferring, treating or terminating the risk is of limited benefit if the cost of that control is more than the cost of the risk itself.
The purpose of the audit committee is to provide advice to the executive accounting officer concerning internal control strategies, priorities, and assurances. The audit committee manages planned audit activities and the results of both internal and external audits. The committee is authorized to engage outside experts for independent assurance.
Inherent risk: natural or built-in risks that always exist.
Detection risk: the risk that an auditor will not be able to detect what is being sought. It would be terrible to report no negative results when material conditions (faults) actually exist. Detection risks include sampling and nonsampling risks.
Sampling risk: the risk that an auditor will falsely accept or erroneously reject an audit sample (evidence).
Nonsampling risk: the risk that an auditor will fail to detect a condition because of not applying the appropriate procedure or using procedures inconsistent with the audit objective (detection fault).
Data transmitted between the biometric scanners and the access control system should use a securely encrypted tunnel to protect the confidentiality of the biometric data.
To maximize the value an organization obtains from its BI initiatives, an effective BI governance process needs to be in place.
Control risk: the risk that an auditor loses control, errors could be introduced, or errors may not be corrected in a timely manner.
Business risk: risks that are inherent in the business or industry itself (regulatory, contractual, financial).
Technological risk: the inherent risks of using automated technology.
Operational risk: the risk that a process or procedure will not perform correctly.
Residual risk: the risk that remains after all mitigation efforts are performed.
Audit risk: the combination of inherent, detection, control, and residual risks. These are the same risks facing normal business operations.
No computers or IT systems in place: cold site.
Computers or IT systems are in place but the network is partially configured: warm site.
Taking real-time backup of applications: hot site (note: the key word here is backup).
Taking real-time replication of data: mirrored site (note: the key word here is replication).
Bottom-up vs. top-down: errors in critical modules are detected earlier.
Remote processing site prior to transmission of the data to the central processing site.
Mapping identifies specific program logic that has not been tested and analyzes programs during execution to indicate whether program statements have been executed.
A check digit detects data transposition errors.
To ensure that all patches applied went through the change control process, it is necessary to use the operating system (OS) patch logs as a starting point and then check to see if change control documents are on file for each of these changes.
If the RPO is low, data mirroring should be implemented as the data recovery strategy.
Is developed for the organization as a whole: top down.

Is more likely to be derived as a result of a risk assessment: bottom up.
Top down: will not conflict with overall corporate policy; ensures consistency across the organization.
Risk management: security policy decisions.
Determine the RPO for a critical process in an enterprise: the extent of data loss that is acceptable.
Security baseline: sufficiency of control, documentation, implementation, compliance.
MOST important element for the successful implementation of IT governance: identifying organizational strategies.
Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternative and trusted operating system, behavioral-based methods, signature scanning, difference scanning, and memory dump analysis.
After a disaster declaration, the media creation date at a warm recovery site is based on the RPO.
Data collection techniques: staff observation; document review; interviews; workshop; CAAT; surveys.
Classification of audit: financial audit; operational audit; integrated audit (combines both financial and operational audit).
To ensure that the organization is complying with privacy issues, an IS auditor should address legal and regulatory requirements first.
Transborder data flow refers to data transmission between two countries.
A password vault is a software program that keeps a number of passwords in a secure digital location.
Rapid elasticity is a cloud computing term for scalable provisioning, or the ability to provide scalable services. Experts point to this kind of scalable model as one of five fundamental aspects of cloud computing.
The critical processes will change as the business changes with new products and customers.
Two groups that have offered a baseline of definitions for cloud: NIST and the Cloud Security Alliance.
PaaS: capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider.
Phlashing: permanent denial-of-service (PDoS) attack; damages system hardware; requires hardware replacement.
If the outsourcing vendor is from another country, the organization should be aware of cross-border legislation.
IaaS cloud services put IT operations into the hands of a third party.
Security labels are used in the mandatory access control model.
DRP has a reciprocal agreement: mitigation.
Preventive: IDS. Installing an intrusion detection system (IDS) will make it possible to pinpoint the source of the attack, so that countermeasures may then be taken. An IDS is not limited to detection of attacks originating externally.
Detective: hash, checkpoints, echo, error messages, internal audit, performance log, etc.
Corrective: BCP, backup, rerun procedures, etc.
Cell sampling: random selection is performed at predefined intervals.
Fixed Interval Sampl
