Flashcards in CISA Refresher 5 Deck (131):
List and explain the considerations that go into any sourcing decision.
A company's decision to insource, outsource, or use hybrid sourcing will be based on several factors: the benefits of insourcing versus those of outsourcing; the competitive advantage provided by each type of sourcing; the location where the work will be performed; the benefits of going offshore; and the disadvantages of bringing work back from an offshore location. Although companies move offshore in search of skilled labor at low wages, they should also weigh the taxation practices, exchange rates, legal restrictions, and cultural differences of other countries, since these can undermine any advantage gained from cheaper labor. Outsourcing also tends to increase turnaround and cycle time, and it may alienate the company's domestic clientele.
An operation is any procedure intended to create a predefined result. The goal of operations management is to address user requests in a consistent and effective manner and to remedy the problems encountered during daily business operations. When evaluating operations management, IS auditors should ensure that operations managers and their staff are directly supporting the technical responses set forth by middle management, and that those technical responses in turn support the strategic objectives set by executive management. Auditors must be able to differentiate between volume of work and effectiveness of work; even the busiest workers are of little help to the organization if their work does not support business objectives. Auditors should also ensure the organization is capable of sustaining its processes, which is only possible if three factors are
Organizational charts normally include the following IT positions;
Explain insourcing, outsourcing, and hybrid sourcing.
Every company must address the sourcing issue, which involves determining a location and a method for performing key work functions, such as manufacturing, customer support, accounting, payroll, printing, human resources, records management, and software development. These work functions can be performed either on-site or off-site by means of insourcing, outsourcing, or hybrid sourcing. When a company chooses insourcing, its own personnel perform the work function. If the company chooses outsourcing, it contracts a third-party vendor to perform the work function. Outsourcing often involves using cheaper labor at an offshore location, such as India, China, or Russia. Yet another method is hybrid sourcing, which combines characteristics of insourcing and outsourcing: the company keeps control over the core work function while contracting any collateral work out to third-party vendors. This method is particularly useful when a company lacks the resources to take full advantage of an economic opportunity and must embark on a joint venture.
Explain the organizational chart. Then, explain the responsibilities of the following IT positions: IT director and IT operations manager.
An organizational chart is essential in defining roles and responsibilities. It lists each position and describes its corresponding job function within the organization. It also identifies the person in charge at every level and shows the reporting relationships between positions. Auditors should ensure that an auditee's organizational chart is both current and accurate; an inaccurate or out-of-date chart is itself a sign of internal control problems. Most organizational charts include the following IT positions:
Explain the responsibilities of the following IT positions: applications programmer, information security manager, and change control manager.
Organizational charts normally include the following IT positions:
Explain change control. Then, explain the auditor's expectations for IT controls.
Change control includes processes for managing the implementation of change. It enables change to occur in an orderly and regulated manner, thereby minimizing confusion and resistance among organizational personnel. It also allows the organization to monitor and respond to any
Explain the first and second component groups of a computer.
A computer's first component group includes three types of devices: CPU (Central Processing Unit), high-speed CPU memory cache, and RAM (Random Access Memory). The CPU is the central component in this group, and is supported by the other two. Using an arithmetic logic unit, it performs complex calculations far more quickly and accurately than any human can. The high-speed memory cache serves as a buffer between the CPU and RAM, and enables the CPU to operate at the highest possible speed and efficiency. RAM is solid-state memory, considerably slower than the other components but necessary to the CPU's
positions: data entry staff and help desk.
Organizational charts normally include the following IT positions:
Explain compensating controls. Include a discussion of the importance of clearly defining and separating IT roles. Then, explain the following compensating controls: auditing, and job rotation.
By clearly defining and separating IT roles, the organization ensures that every person is answerable to someone else, and that no one is capable of arbitrarily carrying out an action or taking assets. Organizational charts help define and maintain separation between IT roles; however,
transaction logs, reconciliation, exception report, and supervisor review.
Compensating controls include the following activities:
Multiprocessor computers contain multiple CPUs. Together with techniques such as pipelining (overlapping the stages of successive instructions so that no part of the processor sits idle), they alleviate the problems associated with time
describe mainframe computers.
Computers can be classified in four primary categories based on their size, processing power, and throughput, which indicates the amount of information they can process over a specific time interval. The categories are: mainframe computers, supercomputers, minicomputers, and microcomputers.
Explain supervisory state and problem state.
Supervisory state and problem state are the two basic modes in which most computers operate. The supervisory state (also called privileged or kernel mode) is the mode in which the operating system itself executes; the security controls that constrain ordinary programs do not apply to it, so it allows the highest level of access to programs and processing requests. Supervisory users, also known as administrators, superusers, or root users, reach this level of access through the operating system, and without it they would be unable to perform their primary job tasks: managing change, configuring and maintaining the system, and performing administrative functions. Every other program and user must operate in the problem state (user mode), which enforces all security controls and denies access to privileged instructions and processing requests. In
functional roles that computers are expected to fulfill in an IT environment
Any computer purchased commercially should perform the following tasks: interact with peripheral devices; run a common software program and operating system; store and retrieve data via a file system; manage communications and work allocation between the CPU and programs; regulate access to secure systems and information; and provide a shell,
Describe minicomputers, microcomputers, and supercomputers.
Minicomputers (or midrange computers) lack the processing power and throughput of a mainframe, but provide a cheaper alternative for organizations of limited size and financial means. Although midrange computers have security controls that are inferior to mainframes, they
following data storage media: magnetic tape.
Tape management systems and disk management systems help ensure that data is securely stored and controlled. They automate the process of tracking and labeling data files, enabling a user to quickly identify the contents, status, and location of every data storage device.
Explain the following data storage medium: magnetic hard disk. Include a discussion of RAID.
Magnetic hard disks are capable of storing anywhere between megabytes and terabytes of information, and are the most prevalent online storage media. A single disk may be permanently contained within a closed disk drive, or several disks may be grouped in a storage
Explain the following data storage media: magnetic soft disk, optical CD-ROM, optical CD-RW, and optical DVD
Magnetic soft disks are small, removable, portable media such as floppy disks and Zip disks, in which a rewritable magnetic disk is contained in a hard plastic casing. Such disks hold between about 1 megabyte and a few gigabytes of data.
Explain Open Systems Interconnect Model (or OSI) and list each OSI layer. Then, explain the Transmission Control Protocol/Internet Protocol (TCP/IP).
The Open Systems Interconnection model, or OSI, is a reference model that separates data communication into multiple networking layers. Each layer has its own specific role and supports the layer above it. Transmission Control Protocol/Internet Protocol, or TCP/IP, is the networking protocol suite actually used on the Internet. Like the OSI model, TCP/IP stratifies the network into multiple layers:
Explain the following data storage media: read-only memory and flash memory.
Read-only memory, or ROM, contains data permanently programmed onto semiconductor chips by fusing microscopic integrated circuits. The contents cannot be changed in place; upgrading requires removing and replacing the chip. ROM therefore provides solid-state storage that is nonvolatile and cannot be altered or erased. This gives excellent security, but proves very limiting if frequent upgrades are necessary. Its other major benefit is extremely quick loading time.
Explain the security problems associated with RAID
Every computer has a set of physical input/output (I/O) ports, which enable communication with other computers and storage devices. Unfortunately, a person can use these ports to bypass security controls and gain an unrestricted level of access to the system; therefore, organizations must implement port controls. These include physical controls, which safeguard physical access to the ports, and logical controls, which are software mechanisms that protect data transfers across them. PCs are especially vulnerable because they have so many different ports: USB, RS-232 serial, keyboard, expansion slots, disk channels, and so on. Mainframes are vulnerable through their terminal, modem, and LAN ports. To ensure that the organization has implemented all necessary
Explain Layer 1 and Layer 2 of the OSI model.
Layer 1, or the physical layer, identifies the wiring and voltages necessary to establish, sustain, and break off an electrical connection between multiple computers or systems. Essentially, this layer is a description of functional specifications.
Explain Layer 3 of the OSI model.
Layer 3, or the network layer, includes protocols that direct a data transmission along a specific path to a specific destination using an Internet Protocol (IP) address. Each system on the network has a unique IP address, and multiple systems can be grouped together to form IP subnetworks, or subnets. When sending information to a specific location, a computer first determines the IP address of that location and whether it lies in the computer's own subnet. It then hands the packet down to Layer 2, where it is framed with the computer's own MAC address as the source and, as the destination, the MAC address of the target system if it is on the same subnet, or of the default gateway (router) if it is not.
Explain Layer 4 of the OSI model. Then, define unicast and multicast.
Layer 4, or the transport layer, includes protocols that encapsulate the data for transport along the network. TCP (Transmission Control Protocol) is one such protocol. It methodically breaks down the data transmission into manageable segments. Each segment contains a sequencing number, which enables the destination computer to reconstruct the message. TCP is known as a reliable transport method because it provides delivery confirmation to the computer that sent the data. Other transport protocols, such as UDP (User Datagram Protocol),
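The sequencing behaviour described above, worked through in code. This is an added example, not part of the CISA deck: the segments are constructed in memory (no network I/O), and the class is a simplified receiver that reorders segments, discards duplicates, trims overlaps, reports gaps, and returns the cumulative acknowledgement number a TCP receiver would send back. Message contents, sequence numbers and the arrival order are all invented for illustration.

```python
"""Reassembling TCP segments by sequence number (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes


@dataclass
class Reassembler:
    isn: int                                   # initial sequence number agreed at the SYN
    buffered: Dict[int, bytes] = field(default_factory=dict)   # out-of-order data, keyed by seq
    delivered: bytearray = field(default_factory=bytearray)    # in-order bytes handed to the application

    @property
    def next_expected(self) -> int:
        """Sequence number of the next byte not yet delivered; also the cumulative ACK value."""
        return self.isn + len(self.delivered)

    def receive(self, seg: Segment) -> int:
        """Accept one segment and return the ACK number to send to the sender."""
        end = seg.seq + len(seg.payload)
        if end <= self.next_expected:
            return self.next_expected            # pure duplicate: everything already delivered
        if seg.seq < self.next_expected:
            # partial overlap with delivered data: keep only the new tail
            seg = Segment(self.next_expected, seg.payload[self.next_expected - seg.seq:])
        self.buffered[seg.seq] = seg.payload
        # drain whatever is now contiguous with the delivered stream
        while self.next_expected in self.buffered:
            self.delivered += self.buffered.pop(self.next_expected)
        return self.next_expected

    def missing_ranges(self) -> List[Tuple[int, int]]:
        """Sequence-number gaps between delivered data and buffered out-of-order segments."""
        gaps = []
        cursor = self.next_expected
        for seq in sorted(self.buffered):
            if seq > cursor:
                gaps.append((cursor, seq))
            cursor = max(cursor, seq + len(self.buffered[seq]))
        return gaps


def demo() -> Tuple[bytes, List[int]]:
    """Deliver a constructed request whose segments arrive out of order, with one duplicate."""
    msg = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"   # 48 bytes, constructed
    isn = 1000
    chunks = [msg[i:i + 12] for i in range(0, len(msg), 12)]           # four 12-byte segments
    segs = [Segment(isn + i * 12, c) for i, c in enumerate(chunks)]
    order = [0, 2, 1, 2, 3]            # constructed arrival order: 2 arrives early, then again as a duplicate
    r = Reassembler(isn)
    acks = [r.receive(segs[i]) for i in order]
    return bytes(r.delivered), acks


if __name__ == "__main__":
    data, acks = demo()
    print(data.decode())
    print("ACKs sent:", acks)
```

The ACK sequence shows the "reliable" part of TCP from the receiver's side: the ACK does not advance while segment 1 is missing (the sender can infer the loss from the repeated value), and the duplicate of segment 2 is recognised and discarded rather than inserted twice. UDP, by contrast, carries no sequence numbers, so none of this is possible at the transport layer.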
Explain Local Area Network, or LAN.
Local Area Networks, or LANs, are simply localized computer networks, usually covering a home, office, building, or other small geographical area. LANs allow multiple computers to exchange information and share certain services, such as email, file sharing, and printing. Data is transmitted through the network using one of the following methods:
Explain network routing, static routing, and dynamic routing.
Network routing is the method by which routers direct traffic to the correct destinations across the network. There are two methods of routing: static and dynamic. In static routing, the network administrator manually enters the routing table of each router, mapping every destination network to its next hop. Because the routes cannot be altered by routing-protocol updates, whether legitimate or spoofed, static routing is very secure, but it is impractical for networks with complex or unpredictable traffic.
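The two Layer 3 decisions discussed above (whether a destination is in the local subnet, and which entry in a static routing table applies) are worked through below. This is an added example, not part of the CISA deck: the routing table, host addresses and next hops are constructed, and the lookup implements longest-prefix match, the standard rule a router uses when several static routes contain the same destination.

```python
"""Subnet membership and longest-prefix-match routing (added example, constructed table)."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, Optional[str], str]   # (destination prefix, next hop or None if on-link, interface)

# Constructed static routing table for a host on 192.168.1.0/24.
ROUTES: List[Route] = [
    ("0.0.0.0/0",      "192.168.1.1",   "eth0"),   # default route to the Internet router
    ("192.168.1.0/24", None,            "eth0"),   # directly connected LAN: deliver without a router
    ("10.0.0.0/8",     "192.168.1.254", "eth0"),   # corporate WAN via a second router
    ("10.20.0.0/16",   "192.168.1.253", "eth0"),   # one remote site reachable over a dedicated link
]


def same_subnet(addr_a: str, addr_b: str, prefix_len: int) -> bool:
    """True if both addresses fall in the same IPv4 subnet of the given prefix length."""
    net_a = ipaddress.ip_interface(f"{addr_a}/{prefix_len}").network
    net_b = ipaddress.ip_interface(f"{addr_b}/{prefix_len}").network
    return net_a == net_b


def lookup(dest: str, routes: List[Route] = ROUTES):
    """Longest-prefix match: the most specific route containing dest wins, regardless of table order."""
    d = ipaddress.ip_address(dest)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def next_hop_for(src: str, dest: str, routes: List[Route] = ROUTES) -> str:
    """Decide which Layer 3 address the Layer 2 frame must be addressed to.

    On-link destinations are addressed directly (their MAC would be resolved with ARP);
    everything else is handed to the next-hop router, which repeats the decision.
    """
    match = lookup(dest, routes)
    if match is None:
        return "unreachable"          # no route at all, not even a default: drop
    _net, next_hop, _iface = match
    return dest if next_hop is None else next_hop


if __name__ == "__main__":
    for dst in ("192.168.1.77", "10.20.5.9", "10.9.9.9", "8.8.8.8"):
        print(f"{dst:14} -> frame addressed to {next_hop_for('192.168.1.10', dst)}")
```

Note that 10.20.5.9 is matched by three entries (the default route, 10.0.0.0/8 and 10.20.0.0/16); the /16 wins because it is the longest prefix, not because of its position in the table. Removing the default route turns unknown destinations into drops, which is the deliberate behaviour on a static-only network.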
Explain Layers 5, 6, and 7 of the OSI model.
Layer 5, or the session layer, includes the protocols that initiate and manage communication sessions between systems on the network. Using these protocols (such as SQL*Net and Network File System), the user's system sets up, governs, and terminates data exchanges with other systems.
An Ethernet is a type of network usually configured with a bus or star topology. It is most often used when network traffic consists of voice or data transmissions and all network media are confined to one location.
Because collisions can occur whenever stations share a transmission medium, two primary mechanisms exist to preserve data integrity: CSMA/CD, used by shared-medium Ethernet, and CSMA/CA, used by wireless LANs. CSMA/CD enables network devices to detect collisions and
Explain star topology. Then, explain the relationship between routers and LANs.
A star topology connects every network node (computer workstations and other devices) to a central hub or switch. These hubs/switches
Explain network meshing.
Meshing increases redundancy by creating additional connections between critical backbone points on a network. Meshing is very common in star topologies; the IT department identifies all links across the network, and determines which alternate link should be used when the primary one is severed. This information is then entered into the router. Networks can be meshed using two primary methods:
Network topology describes the configuration of all network components, including its computers, cables, routers, hubs, switches, and other devices. Most networks will follow one of three standard topologies: bus, star, or ring. IS auditors should ensure that networks have the following controls:
Explain ring topology.
A ring topology links all network devices in a closed loop, creating high speed and high performance. Because there is no hub or switch linking the network nodes (computer workstations and other devices), they rely on each other for communication; consequently, in a simple ring topology, a single malfunctioning device can disrupt the entire network.
Explain cable plant. Then, explain unshielded twisted pair cable.
A cable plant is simply another name for a network cable installation. Although auditing does not require the ability to design a network, auditors should have a basic understanding of the three different cable types (UTP, coaxial, and fiber-optic) and their respective strengths and weaknesses.
Explain coaxial cable and fiber-optic cable.
Coaxial cable contains a braided mesh shield that protects the inner conductor from electrical interference. It is an older form of cable used in earlier bus-topology Ethernets, and has largely been replaced by faster cabling standards such as UTP.
Explain the following network components: hubs, switches, and routers.
A hub links a group of network devices. It amplifies, retimes, and repeats the electrical signals of each device out of all its ports, so traffic from one device is spread to every device attached to the hub, and any attached station can listen to all of it. Hubs operate at Layer 1 (the physical layer) of the OSI model; they have no knowledge of MAC addresses, which is what distinguishes them from switches.
Explain Domain Name Service (DNS) and Dynamic Host Configuration Protocol (DHCP).
Domain Name Service, or DNS, enables a user to access a website even if he does not know its IP address. He simply types in a fully qualified
Explain the following network components: Wi-Fi transmitters, repeaters, and bridges.
Wi-Fi transmitters are short-range, wireless communications devices. They link laptops, PDAs, and other handheld devices to the network.
Explain virtual LANs, or VLANs.
A virtual LAN, or VLAN, simulates a subnetwork for a group of computers. It is created using the following techniques:
List and explain the steps of Dynamic Host Configuration Protocol (DHCP).
The Dynamic Host Configuration Protocol, or DHCP, involves the following steps:
Explain Wide Area Network, or WAN.
A Wide Area Network, or WAN, is simply a computer network capable of covering a much wider geographical region than a LAN. Organizations implement WAN equipment and protocols at OSI layers 1, 2, and 3 (physical, data link, and network), and may rent communication lines from telecommunications carriers, creating networks that span multiple states. The Public Switched Telephone Network (PSTN) and Integrated Services Digital Network (ISDN) can provide dialup services for WANs, which can also use message switching, circuit switching, and packet switching. WAN links communicate in one of three modes: simplex, meaning one direction only; half-duplex, meaning one direction at a time; and full duplex, meaning both directions simultaneously over separate circuits. WANs use both switched and dedicated circuits, and follow the same communication protocols that LANs follow.
Users can access a network using the following wired connections:
Explain the following wired network devices: X.25 and frame-relay.
Users can access a network using the following wired connections:
A LAN can acquire access to a WAN using the following dialup devices:
Users can access a network using the following wired connections:
radio and satellite radio.
Users can access a network using the following wireless connections:
Explain the following wireless network devices: microwaves and lasers
Users can access a network using the following wireless connections:
Explain radio frequency identification (RFID) tags.
A radio frequency identification (RFID) tag is a short-range wireless communication device consisting of a silicon chip and an antenna. It enables automated tracking of products and inventory. IS auditors should be aware of the basic kinds of RFID tags. Passive tags, for instance, are detected by scanners at a certain distance, and are frequently used to track inventory. Some passive tags are small enough to be built into products or implanted into living hosts. Despite the privacy issues raised by such devices, hospitals have considered using them to track newborn children and elderly patients. Other, non-passive RFID devices may have the ability to broadcast signals. These tags receive queries from a broadcast source and then transmit a response using an embedded transponder. Non-passive RFID devices
Explain simple network management protocol, or SNMP.
Using a simple network management protocol (SNMP), a network administrator monitors and checks the status of routers, servers,
Metropolitan area networks (MANs) link computers located in different buildings within the same city. They are larger than a LAN and smaller than a WAN.
Explain syslog and automated cable tester.
The syslog and automated cable tester are tools of network management, and assist the network administrator as he monitors
Explain protocol analyzer and remote monitoring protocol version 2 or RMON2.
A protocol analyzer, also known as a packet sniffer, is another software tool that assists network administrators as they monitor and manage a network. It records all data transmissions and communications passing through a specific segment of the network, including any passwords sent in the clear. A packet sniffer helps identify potential problems, but cannot see beyond the individual segment it is monitoring. Because sniffers capture user IDs and passwords, they become a major security risk if accessed by an attacker. The remote monitoring protocol version 2, or RMON2, can monitor every layer of the OSI network model simultaneously, recording hours or even years of transmissions and communication; this information is usually stored long-term in an SQL database. By contrast, a packet sniffer can only monitor the first three layers of the OSI network model, and only for a period of no more than several hours.
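What "capturing the passwords used to gain access" looks like in practice, as an added example that is not part of the CISA deck: a minimal protocol analyzer that decodes Ethernet, IPv4 and TCP headers the way a sniffer does, then scans the payloads of a constructed capture for an FTP login sent in the clear. The frames are built in memory with struct (no NIC is read, and checksums are left zero because a sniffer never needs them); the addresses, ports and credentials are invented.

```python
"""Minimal packet sniffer logic over constructed Ethernet/IPv4/TCP frames (added example)."""
import struct
from typing import Dict, List, Tuple

ETH_HDR = 14                  # dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct an Ethernet II + IPv4 + TCP frame for the sample capture (checksums zero)."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_IPV4)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0x1234, 0, 64, PROTO_TCP, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    # seq=1, ack=1, data offset 5 words, flags PSH|ACK, window 65535, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> Dict:
    """Decode Layer 2 to 4 headers of one frame and return addresses, ports and TCP payload."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    (total_len,) = struct.unpack("!H", ip[2:4])
    if ip[9] != PROTO_TCP:
        raise ValueError("not TCP")
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    payload = ip[ihl + data_off:total_len]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": payload}


def find_cleartext_credentials(frames: List[bytes]) -> List[Tuple[str, str, str]]:
    """Return (client IP, field, value) for every FTP USER/PASS command in the capture."""
    hits = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt["dport"] != 21:                    # only client-to-server FTP control traffic
            continue
        for line in pkt["payload"].split(b"\r\n"):
            for keyword in (b"USER ", b"PASS "):
                if line.startswith(keyword):
                    hits.append((pkt["src"], keyword.strip().decode(),
                                 line[len(keyword):].decode(errors="replace")))
    return hits


# Constructed capture: an FTP login plus an unrelated HTTP request on the same segment.
CAPTURE = [
    build_frame("192.168.1.10", "192.168.1.50", 40000, 21, b"USER alice\r\n"),
    build_frame("192.168.1.50", "192.168.1.10", 21, 40000, b"331 Password required\r\n"),
    build_frame("192.168.1.10", "192.168.1.50", 40000, 21, b"PASS hunter2\r\n"),
    build_frame("192.168.1.11", "192.168.1.60", 40001, 80, b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for client, kind, value in find_cleartext_credentials(CAPTURE):
        print(f"{client} sent {kind} {value!r} in the clear")
```

The same scan over a real capture file is trivial, which is the auditor's point: a sniffer or its saved output must be protected like the credentials it contains, and protocols that send credentials in the clear (FTP, Telnet, HTTP Basic) should not be on the network at all.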
Firewalls protect a network against unauthorized access by another network. They can consist of either hardware or software, and can be
Compare and contrast strategic systems and traditional systems.
Strategic systems enable an organization to drastically alter the manner in which its business is run, improve its business performance,
Explain ISO 9001 and ISO 9126.
According to ISO standard 9001:2000 (which was updated in the year 2000), an organization cannot claim ISO compliance unless it writes and
List and explain the access requirements of most firewalls. Then, explain the auditor's role in firewalls.
Most firewalls evaluate incoming traffic against the following criteria:
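How a packet filter applies such criteria, as an added example that is not part of the CISA deck. The rule fields used here (source address, destination address, protocol, destination port) are the usual screening criteria; the rule set, addresses and packets are constructed. Two behaviours matter to an auditor and are built in: the first matching rule wins, and traffic that matches nothing is denied by default. A helper also flags "shadowed" rules, which can never fire because an earlier rule is at least as broad, a common finding in rule-base reviews.

```python
"""First-match packet filtering with default deny (added example, constructed rule set)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # None matches every destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (_in_cidr(pkt.src, self.src) and _in_cidr(pkt.dst, self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def _in_cidr(addr: str, cidr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def evaluate(pkt: Packet, rules: List[Rule]) -> Tuple[str, Optional[Rule]]:
    """Return (decision, matching rule). First match wins; no match means implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule
    return "deny", None


# Constructed inbound rule set for a small DMZ.
RULES = [
    Rule("deny",  "10.0.0.0/8",      "any",             "any", None, "private source address from outside: spoofed"),
    Rule("allow", "any",             "203.0.113.10/32", "tcp", 443,  "public web server, HTTPS"),
    Rule("allow", "any",             "203.0.113.10/32", "tcp", 80,   "redirect to HTTPS"),
    Rule("allow", "198.51.100.0/24", "203.0.113.20/32", "tcp", 22,   "SSH only from the partner's range"),
    # everything else falls through to the implicit deny
]


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that can never match because an earlier rule covers every packet they would accept.

    Assumption for this check: coverage is tested field by field (a CIDR covers a
    sub-CIDR, "any" covers everything, a port of None covers every port).
    """
    def cidr_covers(outer: str, inner: str) -> bool:
        if outer == "any":
            return True
        if inner == "any":
            return False
        return ipaddress.ip_network(inner, strict=False).subnet_of(ipaddress.ip_network(outer, strict=False))

    def covers(outer: Rule, inner: Rule) -> bool:
        return (cidr_covers(outer.src, inner.src) and cidr_covers(outer.dst, inner.dst)
                and outer.proto in ("any", inner.proto)
                and (outer.dport is None or outer.dport == inner.dport))

    return [r for i, r in enumerate(rules) if any(covers(earlier, r) for earlier in rules[:i])]


if __name__ == "__main__":
    for pkt in (Packet("8.8.4.4", "203.0.113.10", "tcp", 443),
                Packet("8.8.4.4", "203.0.113.10", "tcp", 22),
                Packet("10.1.2.3", "203.0.113.10", "tcp", 443)):
        decision, rule = evaluate(pkt, RULES)
        print(pkt, "->", decision, "" if rule is None else f"({rule.comment})")
```

Rule order is the usual review finding: placing the anti-spoofing deny first means a packet claiming a 10.x source is dropped even though a later rule would have allowed port 443, and the shadowing check catches the opposite mistake, a permit placed after a broader deny that makes it dead.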
Explain International Organization for Standardization Then, explain ISO 15504, or Spice.
The International Organization for Standardization, also known as ISO, incorporates and promotes many best practices for quality in manufacturing that originated in the United States. Following the teachings of Joseph Juran, Philip Crosby, and W. Edwards Deming, ISO seeks to reduce the number of product defects in all processes. Software development usually follows one of three ISO standards: ISO 15504, ISO 9001, and ISO 9126. ISO 15504, also called SPICE (Software Process Improvement and Capability dEtermination), is a process assessment framework comparable to CMM. It rates the capability of each process on a scale of levels 0 through 5:
Explain critical Success factor and scenario approach.
The IT steering committee must select and design software that best supports and aligns with the organization's strategic objectives. When
Explain business justification.
An organization will not undertake a project unless it produces a quantifiable financial benefit. This benefit is known as a business justification. Before any project can commence, the organization must prove a justification by undertaking the following steps:
Explain request for proposal (RFP).
A request for proposal, or RFP, becomes necessary when an organization is required to design and write custom software. The organization appoints a project team, who distributes RFPs to a select
Explain the two primary philosophies of managing software development.
Auditors should understand the two primary organizational
impact, and buy vs. build.
Alignment occurs when organizational software supports business objectives.
The process of selecting a vendor proposal should be as fair and unbiased as possible; for this reason, auditors ensure that each proposal is weighed against the following criteria:
Development Life Cycle, or SDLC.
According to ISACA, the lifecycle of every software program follows six
the auditor's responsibilities during phase 1.
Phase 1, or the feasibility study phase, involves determining and
the auditor's responsibility at phase 2.
Phase 2, or the requirements definition phase, identifies and documents a list of specific business requirements for the proposed software. This list includes the inputs and outputs of the program, as
the auditor's responsibility during phase 3.
Phase 3, or the system design phase, develops the work breakdown structure for the project as well as the basic plan and design for the software prototype, which will be written in phase 4. The design should enforce separation of duties and specify preventive, detective, and corrective controls. During phase 3, the project team decomposes flowcharts into separate program modules, and may use techniques such as reverse engineering, reengineering, and software baselining. Auditors at this phase should perform the following tasks:
Explain constructive cost model.
The constructive cost model, or COCOMO, estimates the cost, schedule, and resource requirements of acquiring new software. It was created by
The entity-relationship diagram technique, or ERD, is used during phase 2 of the SDLC. It helps identify and define software requirements by determining the relationships between entities. An entity is any person, object, event, or concept about which the system must store data (customers, orders, reports, personnel, and so on); a relationship describes how two entities are associated. An ERD first identifies the information that will be used by the software. Then a data dictionary is created, defining each data element. Using this dictionary, all information held in the database is structured within a database schema. With this information, the project team can create high-level flowcharts, which illustrate business logic, and
the auditor's responsibility during phase 4.
During phase 4, or the development phase, the software is written (coded), tested, and debugged. Programmers may use a number of programming languages (such as BASIC, Java, COBOL, etc.), depending on organizational preference, and are supported by systems analysts, who provide ideas and insight. At this phase, an auditor has the following responsibilities:
scheduling in software development.
Programmers must implement quality control standards and maintain a
Explain integrated development environment, or IDE.
An integrated development environment, or IDE, is a type of fourth-generation programming tool. It creates an environment within which software can be designed, coded, and debugged. The IDE is important because most modern-day programmers do not write code manually;
A software program can take two forms: source code or object code.
Programming languages have become increasingly user-friendly with
Explain agile development method and rapid application development (RAD).
The agile development method and rapid application development
Explain version control and configuration management.
Version control and configuration management are techniques for
SDLC phase 4.
Software is subjected to numerous tests during SDLC phase 4, and
the auditor's responsibility during phase 5.
Phase 5, or the implementation phase, prepares the new, fully
Changeover (also known as going live or cutting over) occurs during
Explain white-box testing and black-box testing.
Software is subjected to numerous tests during SDLC phase 4, and
Certification indicates that the software fulfills a certain standard, and
the auditor's responsibility at phase 6.
Phase 6, or the post-implementation phase, closes out the project and
E-commerce describes business transactions that are conducted
referential integrity and relational integrity.
Databases are only effective if their information is accurate, complete,
Explain decision support system.
When deciding an issue, a user may rely on a decision support system, which is a database containing information relevant to the issue in question. Decision support systems find the necessary information using heuristics (or a set of program rules), and include three basic categories:
A database provides a structured and organized medium for storing
Normalization seeks to eliminate any duplications or inconsistencies within the database. It is achieved by ensuring the following:
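The two database properties discussed above, referential integrity and normalization, worked through with SQLite from the Python standard library. This is an added example, not part of the CISA deck; the order data is constructed. The same rows are loaded first into one denormalized table, where customer details are repeated on every order and a partial update leaves two contradictory addresses, then into normalized tables where each customer fact is stored once and a foreign key stops an order from referencing a customer that does not exist. Note that SQLite enforces foreign keys only after PRAGMA foreign_keys is switched on; an auditor checking "the database enforces referential integrity" should confirm such settings rather than assume them.

```python
"""Normalization and referential integrity with SQLite (added example, constructed data)."""
import sqlite3
from typing import List, Tuple

# Constructed order rows: (order_id, customer_id, customer_name, city, item)
ORDERS = [
    (1, 100, "Acme Ltd", "Leeds", "router"),
    (2, 100, "Acme Ltd", "Leeds", "switch"),
    (3, 200, "Bolt plc", "Derby", "firewall"),
]


def denormalized_update_anomaly() -> List[str]:
    """Customer address stored on every order: updating one row leaves two 'truths'."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders_flat(order_id INTEGER PRIMARY KEY, customer_id, customer_name, city, item)")
    con.executemany("INSERT INTO orders_flat VALUES (?,?,?,?,?)", ORDERS)
    con.execute("UPDATE orders_flat SET city='York' WHERE order_id=1")   # Acme moves; only one order is fixed
    cities = [row[0] for row in con.execute(
        "SELECT DISTINCT city FROM orders_flat WHERE customer_id=100 ORDER BY city")]
    con.close()
    return cities


def normalized_schema() -> sqlite3.Connection:
    """Customers in one table, orders in another, linked by an enforced foreign key."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")        # off by default in SQLite
    con.execute("CREATE TABLE customers(customer_id INTEGER PRIMARY KEY, name TEXT NOT NULL, city TEXT NOT NULL)")
    con.execute("""CREATE TABLE orders(
                       order_id INTEGER PRIMARY KEY,
                       customer_id INTEGER NOT NULL REFERENCES customers(customer_id),
                       item TEXT NOT NULL)""")
    # Normalize: the repeating customer columns move to their own table, once per customer.
    con.executemany("INSERT OR IGNORE INTO customers VALUES (?,?,?)",
                    {(cid, name, city) for _, cid, name, city, _ in ORDERS})
    con.executemany("INSERT INTO orders VALUES (?,?,?)",
                    [(oid, cid, item) for oid, cid, _, _, item in ORDERS])
    return con


def normalized_update() -> List[str]:
    """One row per customer, so a single update is seen consistently by every order."""
    con = normalized_schema()
    con.execute("UPDATE customers SET city='York' WHERE customer_id=100")
    cities = [row[0] for row in con.execute(
        "SELECT DISTINCT c.city FROM orders o JOIN customers c USING(customer_id) WHERE c.customer_id=100")]
    con.close()
    return cities


def orphan_order_rejected() -> Tuple[bool, bool]:
    """Referential integrity: an order for a missing customer and a delete that would orphan orders both fail."""
    con = normalized_schema()
    try:
        con.execute("INSERT INTO orders VALUES (99, 999, 'modem')")    # customer 999 does not exist
        insert_rejected = False
    except sqlite3.IntegrityError:
        insert_rejected = True
    try:
        con.execute("DELETE FROM customers WHERE customer_id=100")       # still has orders 1 and 2
        delete_rejected = False
    except sqlite3.IntegrityError:
        delete_rejected = True
    con.close()
    return insert_rejected, delete_rejected


if __name__ == "__main__":
    print("denormalized cities for customer 100 after partial update:", denormalized_update_anomaly())
    print("normalized cities for customer 100 after update:", normalized_update())
    print("(orphan insert rejected, orphaning delete rejected):", orphan_order_rejected())
```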
as they relate to decision support systems.
Data mining is the process of searching data stored within numerous
Explain the balanced scorecard
The goal of the balanced scorecard is to eliminate wasteful activities and, in the case of IT, to create better alignment between IT activities and business objectives. A balanced scorecard relies on metrics created from the following organizational objectives: business processes (critical success factors, key performance indicators, and business mission); growth and learning (organizational growth plans, training that enables workers and employees to fulfill organizational objectives); financial (financial and stakeholder goals); and customer (organizational image within the marketplace). According to ISACA, an IT balanced scorecard should apply these organizational objectives across the following IT scoring layers:
Explain service-level agreement or SLA
A service-level agreement (or SLA) is a formal contract between an organization and a vendor. It specifies the desired service, its quality and quantity, coverage periods, and renewal options. An SLA has the
Explain the following system access controls: user login account
A user login account is a type of system access control in which an ID and password are issued to each system user. An employee's login
Explain metrics. Then list and explain the types of metrics
Metrics are quantifiable standards for evaluating organizational
List and briefly explain the four types of security controls for information assets
Auditors must understand the four types of controls protecting information assets:
Explain the following system access controls: privileged login accounts and maintenance login accounts
Privileged login accounts are reserved for system administrators, who should also possess a conventional login for their daily work functions. Administrators should only access their privileged login account when performing administrative or maintenance duties; for any other work,
processing controls, and system control parameters.
Standing data controls prevent unauthorized access to data stored
Explain the following type of application processing controls: processing controls.
Processing controls maintain data accuracy and transaction validity by
List the most common types of threats and crimes confronting organizations.
Organizations should implement administrative, technical, and physical
input controls and output controls.
Input controls prevent data transactions from accepting unauthorized
and recovery, and project management.
System maintenance should not begin until backup and recovery plans
Define and explain hacker. Include a discussion of white hat.
A hacker, often called a cracker when malicious, is a computer programmer seeking
Explain passive attack. Then, list and explain the types of passive attacks
Active attacks seek to steal organizational resources or disrupt normal
Explain the following active attacks: social engineering, phishing, and denial of service (DoS).
Dumpster diving is the act of sorting through an organization's garbage
Explain the following attacks: brute force, crash-restart, and salami technique.
Remote access is the act of accessing an insecure computer network
Explain active attack. Then, list and explain the following active attacks: viruses, worms, and logic bombs
Passive attacks acquire important information by monitoring an
Explain the following active attacks: dumpster diving, trapdoor, and IP fragmentation
Social engineering is the act of gaining access by misrepresenting one's
Explain the following active attack: remote access
- Brute force: a method of attack that brings overwhelming
accounts and cross-network connectivity
Email spamming is the act of distributing large quantities of identical
and message modification.
Information security management seeks to maintain the
Context describes the manner in which information is used, and helps
Explain the following active attacks: email spamming, email spoofing, and packet replay.
Maintenance accounts facilitate system support. As a feature of many
Source routing is a special protocol that enables a data transmission to
Explain context. Then, explain data retention.
An important aspect of IT security governance is categorizing
Physical protection includes any barriers or controls designed to
the types of technical controls.
Locks safeguard doorways, and include the following:
explain the three types of authentication.
Fingerprints are commonly used to authenticate a user's identity. In
television, guards, and burglar alarms.
Auditors should identify who has been granted physical access to IT
locks and biometrics
Technical (or logical) protection restricts data access. It is
palm print, hand geometry, and face scan.
When a user is trying to gain access to certain data systems or
retina scans, voice patterns, and signature dynamics.
Iris scans authenticate users according to the characteristics of their
Explain the Kerberos single sign-on system.
The Kerberos single sign-on system is a security system implemented
Explain virtual private network, or VPN.
Through a virtual private network, users can gain remote access and
Biometric systems pose a number of problems. They often encounter
three basic firewall configurations.
Although a firewall reduces the number of external attacks, it cannot
and explain the two types of IDS.
An intrusion detection system (IDS) alerts the administrator when
and honey nets.
An intrusion detection system (IDS) can use three technical methods for
with encryption keys.
A digital signature is unique to a specific person, much like a written
transaction, or SET. Then, explain S/MIME.
The following network security protocols help ensure the safety of ec
List and explain the two primary encryption systems.
The first encryption method is the private-key (symmetric) system, which uses
Explain public-key infrastructure, or PKI
Using a public key infrastructure (PKI), multiple users can share