
SUGGESTED ANSWERS EXTRA ATTEMPT, MAY 2014 EXAMINATIONS

1 of 8

INFORMATION SYSTEMS AND I.T. AUDIT SEMESTER-3

Total Marks = 80

Q.2 (a)

Traditional System Development Life Cycle Approach

SDLC Phase / General Description

Phase 1: Feasibility Study
Determine the strategic benefits of implementing the system either in productivity gains or in future cost avoidance, identify and quantify the cost savings of a new system, and estimate a payback schedule for costs incurred in implementing the system.

Phase 2: Requirements Definition
Define the problem or need that requires resolution and define the functional and quality requirements of the solution system. This can be either a customized approach or a vendor-supplied software package, which would entail following a defined and documented acquisition process.

Phase 3A: Software Selection & Acquisition (purchased systems)
Based on the requirements defined, prepare an RFP for suppliers of purchased systems. In addition to the functionality requirements, there will be operational, support and technical requirements, and these, together with considerations of the supplier's financial viability and provision for escrow, will be used to select the purchased system that best meets the organization's total requirements.

Phase 3B: Design (in-house development)
Based on the requirements defined, establish a baseline of system and subsystem specifications that describe the parts of the system, how they interface, and how the system will be implemented using the chosen hardware, software and network facilities.

Phase 4A: Development (in-house development)
Use the design specifications to begin programming and formalizing supporting operational processes of the system. Various levels of testing also occur in this phase to verify and validate what has been developed. This would generally include all unit and system testing, as well as several iterations of user acceptance testing.

Phase 4B: Configuration (purchased systems)
Configure the system, if it is a packaged system, to tailor it to the organization's requirements. This is best done through the configuration of system control parameters, rather than changing program code. Modern software packages are extremely flexible, making it possible for one package to suit many organizations simply by switching functionality on or off and setting parameters in tables.

Phase 5: Final Testing & Implementation
Establish the actual operation of the new information system, with the final iteration of user acceptance testing and user sign-off conducted in this phase. The system also may go through a certification and accreditation process to assess the effectiveness of the business application in mitigating risks to an appropriate level and providing management accountability over effectiveness of the system in meeting its intended objectives and in establishing an appropriate level of internal control.

Phase 6: Post-implementation
Following the successful implementation of a new or extensively modified system, implement a formal process that assesses the adequacy of the system and projected cost-benefit or ROI measurements vis-à-vis the feasibility stage findings and deviations.

(b) Methods for Accessing Data in a Computer System

A computer system finds stored data either by knowing its exact location or by searching for the data. Different DBMSs contain different internal methods for storing and retrieving data. Three methods that could be used are sequential access, direct access and indexed access. Programmers set up the DBMS with whatever method is appropriate for the situation and shield users from the technical details of data access.

Sequential Access
The earliest computerized data processing used sequential access, in which individual records within a single file are processed in sequence until all records have been processed or until the processing is terminated for some other reason. Sequential access is the only method for data stored on tape, but it can also be used for data on a direct access device such as a disc. Sequential processing makes it unnecessary to know the exact location of each data item because data are processed according to the order in which they are sorted.

Direct Access
Processing events as they occur requires direct access, the ability to find an individual item in a file immediately. Magnetic disc storage was developed to provide this capability. To understand how direct access works, imagine that the phone directory is stored on a hard disk.

Indexed Access
A third method for finding data is to use indexed access. An index is a table used to find the location of data. The index indicates where alphabetical groups of names are stored. The user enters the name Sam Patterson. The program uses the index to decide where to start searching for the phone number.
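The three access methods above, worked through on the phone-directory illustration. This is an added example, not part of the suggested answers; the fixed-length record layout, the constructed directory entries and the first-letter index are assumptions made for the demonstration.

```python
"""Added example (not from the suggested answers): sequential, direct and
indexed access demonstrated on a constructed fixed-length phone directory
held in an in-memory byte buffer that stands in for a tape or disc file."""
import io

RECORD_LEN = 32   # assumed layout: 24-byte name + 8-byte phone, NUL padded
NAME_LEN = 24

# Constructed sample directory, already sorted by surname as a sequential
# file would be. Values are made up for the example.
DIRECTORY = [
    ("Adams Mary", "5550101"),
    ("Baker Tom", "5550102"),
    ("Chen Li", "5550103"),
    ("Patel Raj", "5550104"),
    ("Patterson Sam", "5550105"),
    ("Quinn Eve", "5550106"),
    ("Singh Ana", "5550107"),
]


def build_file(records):
    """Write fixed-length records into a byte buffer."""
    buf = io.BytesIO()
    for name, phone in records:
        buf.write(name.encode().ljust(NAME_LEN, b"\0"))
        buf.write(phone.encode().ljust(RECORD_LEN - NAME_LEN, b"\0"))
    return buf


def read_record(buf, offset):
    """Read one record at a byte offset; None once past the end of file."""
    buf.seek(offset)
    raw = buf.read(RECORD_LEN)
    if len(raw) < RECORD_LEN:
        return None
    name = raw[:NAME_LEN].rstrip(b"\0").decode()
    phone = raw[NAME_LEN:].rstrip(b"\0").decode()
    return name, phone


def sequential_lookup(buf, name):
    """Sequential access: read every record in order until the name is
    found or the file ends. Returns (phone, records_examined)."""
    examined, offset = 0, 0
    while (rec := read_record(buf, offset)) is not None:
        examined += 1
        if rec[0] == name:
            return rec[1], examined
        offset += RECORD_LEN
    return None, examined


def direct_lookup(buf, record_number):
    """Direct access: the exact location is known, so compute the offset
    from the record number and read exactly one record."""
    return read_record(buf, record_number * RECORD_LEN)


def build_index(buf):
    """Index: a table mapping each alphabetical group (first letter of the
    surname) to the offset of the first record in that group."""
    index, offset = {}, 0
    while (rec := read_record(buf, offset)) is not None:
        index.setdefault(rec[0][0], offset)
        offset += RECORD_LEN
    return index


def indexed_lookup(buf, index, name):
    """Indexed access: use the index to decide where to start, then scan
    only that alphabetical group. Returns (phone, records_examined)."""
    letter = name[0]
    if letter not in index:
        return None, 0
    examined, offset = 0, index[letter]
    while (rec := read_record(buf, offset)) is not None and rec[0][0] == letter:
        examined += 1
        if rec[0] == name:
            return rec[1], examined
        offset += RECORD_LEN
    return None, examined


if __name__ == "__main__":
    f = build_file(DIRECTORY)
    print(sequential_lookup(f, "Patterson Sam"))            # ('5550105', 5)
    print(direct_lookup(f, 4))                 # ('Patterson Sam', '5550105')
    print(indexed_lookup(f, build_index(f), "Patterson Sam"))  # ('5550105', 2)
```

The returned record counts make the point of the answer concrete: the sequential search reads five records to reach Sam Patterson, the index-guided search reads two, and direct access reads one because the location is already known.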
Q.3 (a) E-Commerce Models:
E-commerce models include the following:

• Business-to-consumer (B-to-C) relationships: The greatest potential power of e-commerce comes from its ability to redefine the relationship with customers in creating a new convenient, low-cost channel to transact business.

• Business-to-business (B-to-B) relationships: The relationship among the selling services of two or more businesses opens up the possibility of reengineering business processes across the boundaries that have traditionally separated external entities from each other.

• Business-to-employee (B-to-E) relationships: Web technologies also assist in the dissemination of information to and among an organization's employees.

• Business-to-government (B-to-G) relationships: Covers all transactions between companies and government organizations. Currently this category is in its infancy, but it could expand quite rapidly as governments use their own operations to promote awareness and growth of e-commerce.

E-commerce Risks:
Some of the most important elements at risk are:

• Confidentiality. Potential consumers are concerned about providing unknown vendors with personal (sometimes sensitive) information for a number of reasons, including the possible theft of credit card information from the vendor following a purchase.

• Integrity. Data, both in transit and in storage, could be susceptible to unauthorized alteration or deletion (i.e., hacking, or the e-business system itself could have design or configuration problems).


• Availability. The Internet holds out the promise of doing business on a 24-hour, seven-day-a-week basis. Hence high availability is important, with any systems failure becoming immediately apparent to customers or business partners.

• Authentication and nonrepudiation. The parties to an electronic transaction should be in a known and trusted business relationship, which requires that they prove their respective identities before executing the transaction, preventing man-in-the-middle attacks (i.e., preventing the seller from being an impostor).

• Power shift to customer. The Internet gives consumers unparalleled access to market information and generally makes it easier to shift between suppliers. Firms participating in e-business need to make their offerings attractive and seamless in terms of service delivery. This will involve not only system design, but also reengineering of business processes.

b) Wireless Transmission:
Wireless transmission does not need a fixed physical connection because it sends signals through air or space. All wireless transmission uses a particular frequency in the electromagnetic spectrum, regardless of whether the transmission is a television program, a cellular telephone call, or computerized data. To prevent different uses of wireless transmission from interfering with each other, governments allocate specific frequency ranges to specific uses. Within those ranges, the governments allocate specific frequencies to individual users, including radio and television broadcasters and businesses that use certain frequencies for data communications.


Cordless and cellular phones both achieve portability by moving from wired to wireless channels. Cordless phones for a home transmit to a base unit within a small radius, such as 100 feet. Cell phones transmit signals to a grid of cellular stations that are linked to the wire-based telephone network. Cell phones originally operated only within metropolitan areas with nearby cellular stations, but many cellular networks have now expanded outside these areas.

Although not as visible in everyday life, microwave transmission was the earliest of the four types of wireless transmission. It has been used for several decades to transmit both voice and data. Because earth-based microwave transmission is restricted to line of sight, microwave towers must be placed no more than 30 miles apart unless they are located on mountains or tall buildings. The line-of-sight restriction limits the use of microwave transmission within city centers. Microwave transmission can also be disrupted by atmospheric conditions and is comparatively easy to intercept.

Telecommunications satellites move in geostationary orbits that remain 22,300 miles above the same part of the earth. At this altitude, the satellite can send signals to earth stations up to 11,000 miles apart. These satellites can carry 40,000 simultaneous telephone calls or 200 television channels. Satellite communication has many advantages. Because it doesn't use a wire channel and doesn't need earth-bound relay towers, it can be used in remote areas. Unlike undersea telephone cables, satellite earth stations can be placed near the people who use them and are therefore easier to maintain and repair. Unlike wired transmission, the cost of satellite communication is the same regardless of the distance between the sender and receiver on earth.

Q.4 (a)

Cloud Computing Service Models

Service Model / Definition

Infrastructure as a Service (IaaS)
Capability to provision processing, storage, networks and other fundamental computing resources, offering the customer the ability to deploy and run arbitrary software, which can include operating systems and applications. IaaS puts these IT operations into the hands of a third party.

Platform as a Service (PaaS)
Capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider.

Software as a Service (SaaS)
Capability to use the provider's applications running on cloud infrastructure. The applications are accessible from various client devices through a thin interface such as a web browser (e.g., web-based e-mail).

Advantages, Disadvantages and Business Risks and Risk Reduction Options Related to Outsourcing

Possible Advantages:
• Commercial outsourcing companies can achieve economies of scale through the deployment of reusable component software.
• Outsourcing vendors are likely to be able to devote more time and to focus more effectively and efficiently on a given project than in-house staff.
• Outsourcing vendors are likely to have more experience with a wider array of problems, issues and techniques than in-house staff.
• The act of developing specifications and contractual agreements using outsourcing services is likely to result in better specifications than if developed only by in-house staff.
• Because vendors are highly sensitive to time-consuming diversions and changes, feature creep or scope creep is substantially less likely with outsourcing vendors.

Possible Disadvantages and Business Risks:
• Costs exceeding customer expectations
• Loss of internal IS experience
• Loss of control over IS
• Vendor failure (ongoing concern)
• Limited product access
• Difficulty in reversing or changing outsourced arrangements
• Deficient compliance with legal and regulatory requirements
• Contract terms not being met
• Lack of loyalty of contractor personnel toward the customer
• Disgruntled customers/employees as a result of the outsource arrangement
• Service costs not being competitive over the period of the entire contract
• Obsolescence of vendor IT systems
• Failure of either company to receive the anticipated benefits of the outsourcing arrangement
• Reputational damage to either or both companies due to project failures
• Lengthy, expensive litigation
• Loss or leakage of information or processes

b) Classification of Audits:
The IS auditor should understand the various types of audits.

• Compliance audits. Compliance audits include specific tests of controls to demonstrate adherence to specific regulatory or industry standards. These audits often overlap traditional audits, but may focus on particular systems or data.

• Financial audits. The purpose of a financial audit is to assess the accuracy of financial reporting. A financial audit will often involve detailed, substantive testing, although increasingly, auditors are placing more emphasis on a risk- and control-based audit approach.

• Operational audits. An operational audit is designed to evaluate the internal control structure in a given process or area. IS audits of application controls or logical security systems are some examples of operational audits.

• Integrated audits. An integrated audit combines financial and operational audit steps. An integrated audit is also performed to assess the overall objectives within an organization, related to financial information and assets safeguarding, efficiency and compliance.

• Administrative audits. These are oriented to assess issues related to the efficiency of operational productivity within an organization.

• IS audits. This process collects and evaluates evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and system integrity and availability, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have, in effect, internal controls that provide reasonable assurance that business, operational and control objectives will be met and that undesired events will be prevented, or detected and corrected, in a timely manner.

• Specialized audits. Within the category of IS audits, there are a number of specialized reviews that examine areas such as services performed by third parties. Because businesses are becoming increasingly reliant on third-party service providers, it is important that internal controls be evaluated in these environments.

• Forensic audits. Forensic auditing has been defined as auditing specialized in discovering, disclosing and following up on frauds and crimes. The primary purpose of such a review is the development of evidence for review by law enforcement and judicial authorities.

Q.5 (a) Recovery Alternatives:

i) Cold sites are facilities with the space and basic infrastructure adequate to support resumption of operations, but lacking any IT or communications equipment, programs, data or office support. A plan that specifies that a cold site will be utilized must also include provision to acquire and install the requisite hardware, software and office equipment to support the critical applications when the plan is activated.

ii) Mobile sites are packaged, modular processing facilities mounted on transportable vehicles and kept ready to be delivered and set up at a location that may be specified upon activation. A plan to utilize mobile processing must specify the site locations that may be used. The plan must provide right-of-access to the selected site by the vendor and the company. The plan must also provide for any required ancillary infrastructure necessary to support the site, such as access roads, water, waste disposal, power and communications.

iii) Warm sites are facilities with space and basic infrastructure, and some or all of the required IT and communications equipment installed. The equipment may be less capable than the normal production equipment yet still be adequate to sustain critical applications on an interim basis. Typically, employees would be transferred to the warm site and current versions of programs and data would need to be loaded before operations could resume at the warm site.

iv) Reciprocal agreements are agreements between separate, but similar, companies to temporarily share their IT facilities in the event that one company loses processing capability. Reciprocal agreements are not considered a viable option due to the constraining burden of maintaining hardware and software compatibility between the companies, the complications of maintaining security and privacy compliance during shared operations, and the difficulty of enforcing the agreements should a disagreement arise at the time the plan is activated.

v) Hot sites are facilities with space and basic infrastructure and all of the IT and communications equipment required to support the critical applications, along with office furniture and equipment for use by the staff. Hot sites usually maintain installed versions of the programs required to support critical applications. The most recent backup copies of data would need to be loaded before critical applications could be resumed. Although hot sites may have a small staff assigned, employees are usually transferred to the hot site from the primary site to support operations upon activation.

vi) Mirrored sites are fully redundant sites with real-time data replication from the production site. They are fully equipped and staffed, and can assume critical processing with no interruption noticeable by the users.

vii) Reciprocal agreements with other organizations. Although a less frequently used method, this is an agreement between two or more organizations with unique equipment or applications. Under the typical agreement, participants promise to provide assistance to each other when an emergency arises.

b) Sourcing Practices
Where the organization's functions are performed in-house, it may choose to move IS functions offsite or offshore. The IS auditor can assist in this process by ensuring that IS management considers the following risks and audit concerns when defining the globalization strategy and completing the subsequent transition to remote offshore locations:

• Legal, regulatory and tax issues: Operating in a different country or region may introduce new risks about which the organization may have limited knowledge.
• Continuity of operations: Business continuity and disaster recovery may not be adequately provided for and tested.
• Personnel: Needed modifications to personnel policies may not be considered.
• Telecommunication issues: Network controls and access from remote or offshore locations may be subject to more frequent outages or a larger number of security exposures.
• Cross-border and cross-cultural issues: Managing people and processes across multiple time zones, languages and cultures may present unplanned challenges and problems.

Q.6

Key Elements of Information Security Management System:

Senior management commitment and support
Commitment and support from senior management are important for successful establishment and continuance of an information security management program.

Policies and procedures
The policy framework should be established with a concise top management declaration of direction, addressing the value of information assets, the need for security, and the importance of defining a hierarchy of classes of sensitive and critical assets. After approval by the governing body of the organization and by related roles and responsibilities, the information security program will be substantiated with the following:
• Standards to develop minimum security baselines
• Measurement criteria and methods
• Specific guidelines, practices and procedures
The policy should ensure resource conformity with laws and regulations. Security policies and procedures must be up to date and reflect business objectives, as well as generally accepted security standards and practices.

Organization
Responsibilities for the protection of individual assets should be clearly defined. The information security policy should provide general guidance on the allocation of security roles and responsibilities in the organization and, where necessary, detailed guidance for specific sites, assets, services and related security processes, such as IT recovery and business continuity planning.

Security awareness and education
All employees of an organization and, where relevant, third-party users should receive appropriate training and regular updates to foster security awareness and compliance with written security policies and procedures. For new employees, this training should occur before access to information or services is granted. A number of different mechanisms available for raising security awareness include:
• Regular updates to written security policies and procedures
• Formal information security training
• Internal certification program for relevant personnel
• Statements signed by employees and contractors agreeing to follow the written security policy and procedures, including nondisclosure obligations
• Use of appropriate publication media for distribution of security-related material (e.g., company newsletter, web page, videos, etc.)
• Visible enforcement of security rules and periodic audits
• Security drills and simulated security incidents

Monitoring and compliance
IS auditors are usually charged to assess, on a regular basis, the effectiveness of an organization's security program(s). To fulfil this task, they must have an understanding of the protection schemes, the security framework and the related issues, including compliance with applicable laws and regulations. As an example, these issues may relate to organizational due diligence for security and privacy of sensitive information, particularly as it relates to specific industries (e.g., banking and financial institutions, health care).

Incident handling and response
A computer security incident is an event adversely affecting the processing of computer usage. This includes loss of confidentiality of information, compromise of integrity of information, denial of service, unauthorized access to systems, misuse of systems or information, theft and damage to systems. Other incidents include virus attacks and intrusion by humans within or outside the organization.

THE END
