Flashcards in CISA Refresher 5 Deck (131)
List and explain the considerations that go into any sourcing decision.
A company's preference to insource, outsource, or hybrid source will be based on several different factors: the benefits of insourcing versus those of outsourcing; the competitive advantage provided by each type of sourcing; the location where the work will be performed; the benefits of going offshore; and the disadvantages of bringing work back from an offshore location. Although companies are seeking skilled labor at low wages when they move offshore, they should also consider factors such as the taxation practices, exchange rates, legal restrictions, and cultural differences of other countries. These can undermine any advantage gained by cheap labor. For instance, when a company chooses to outsource, it increases turnaround and cycle time. It also may alienate its American clientele.
An operation is any procedure intended to create a predefined result. The goal of operations management is addressing user requests in a consistent and effective manner, and remedying the problems encountered during daily business operations. When evaluating operations management, IS auditors should ensure that operation managers and their staff are directly supporting the technical responses set forth by middle management. In turn, these technical responses should be supporting the strategic objectives created by executive management. Auditors must be able to differentiate between volume of work and effectiveness of work; even the busiest workers are of little help to the organization if their work is not supporting business objectives. Auditors should also ensure the organization is capable of sustaining its processes, which is only possible if three factors are
Organizational charts normally include the following IT positions:
Explain insourcing, outsourcing, and hybrid sourcing.
Every company must address the sourcing issue, which involves determining a location and a method for performing key work functions, such as manufacturing, customer support, accounting, payroll, printing, human resources, record management, and software development. These work functions can be performed either on-site or off-site by means of insourcing, outsourcing, or hybrid sourcing. When a company chooses insourcing, its own personnel will perform the work function. If the company chooses outsourcing, it contracts a third-party vendor to perform the work function. Outsourcing often involves using cheaper labor at an offshore location, such as India, China, or Russia. Yet another method is hybrid sourcing, which combines characteristics of insourcing and outsourcing: companies maintain control over the work function while contracting out any collateral work to third-party vendors. This method is particularly useful when a company lacks the resources to take full advantage of an economic opportunity and must embark on a joint venture.
Explain the organizational chart. Then, explain the responsibilities of the following IT positions: IT director and IT operations manager.
An organizational chart is essential in defining roles and responsibilities. It lists each position and describes its corresponding job function within the organization. It also identifies the person in charge at every level, and explains the reporting relationships between positions. Auditors should ensure that an auditee's organizational chart is both current and accurate. Inaccurate or out-of-date charts reveal internal control problems. Most organizational charts include the following IT positions:
Explain the responsibilities of the following IT positions: applications programmer, information security manager, and change control manager.
Organizational charts normally include the following IT positions:
Explain change control. Then, explain the auditor's expectations for IT controls.
Change control includes processes for managing the implementation of change. It enables change to occur in an orderly and regulated manner, thereby minimizing confusion and resistance among organizational personnel. It also allows the organization to monitor and respond to any
Explain the first and second component groups of a computer.
A computer's first component group includes three types of devices: CPU (Central Processing Unit), high-speed CPU memory cache, and RAM (Random Access Memory). The CPU is the central component in this group, and is supported by the other two. Using an arithmetic logic unit, it performs complex calculations far more quickly and accurately than any human can. The high-speed memory cache serves as a buffer between the CPU and RAM, and enables the CPU to operate at the highest possible speed and efficiency. RAM is solid-state memory, considerably slower than the other components but necessary to the CPU's
positions: data entry staff and help desk.
Organizational charts normally include the following IT positions:
Explain compensating controls. Include a discussion of the importance of clearly defining and separating IT roles. Then, explain the following compensating controls: auditing, and job rotation.
By clearly defining and separating IT roles, the organization ensures that every person is answerable to someone else, and that no one is capable of arbitrarily carrying out an action or taking assets. Organizational charts help define and maintain separation between IT roles; however,
transaction logs, reconciliation, exception report, and supervisor review.
Compensating controls include the following activities:
Multiprocessor computers contain multiple CPUs that execute instructions in parallel. (Pipelining, by contrast, is a technique inside a single CPU that overlaps the stages of successive instructions.) By spreading work across several CPUs, they alleviate the problems associated with time
describe mainframe computers.
Computers can be classified in four primary categories based on their size, processing power, and throughput, which indicates the amount of information they can process over a specific time interval. The categories are: mainframe computers, supercomputers, minicomputers, and microcomputers.
Explain supervisory state and problem state.
Supervisory state (also called supervisor state) and problem state are the two basic modes under which most computers operate. They are privilege modes of the processor, not user accounts. The supervisory state is the mode in which the operating system kernel and its authorized system programs run; in it the hardware protection controls are relaxed, giving that code the highest level of access to memory, privileged instructions, and processing requests. Without this unrestricted level of access, the operating system could not perform its primary tasks, which include managing change to the system, configuring and maintaining it, and carrying out administrative functions on behalf of privileged users (administrators, superusers, or root users). Every other program, including programs run by administrators, must operate under the problem state, which activates all security controls and denies direct access to high-level programs and processing requests; such access has to be requested from the operating system through its controlled interfaces. Because anything that runs in supervisory state can bypass every logical access control, an auditor should expect the set of code permitted to run there to be small, tightly controlled, and subject to change control. In
functional roles that computers are expected to fulfill in an IT environment
Any computer purchased commercially should perform the following tasks: interact with peripheral devices; run a common software program and operating system; store and retrieve data via a file system; manage communications and work allocation between the CPU and programs; regulate access to secure systems and information; and provide a shell,
Describe minicomputers, microcomputers, and supercomputers.
Minicomputers (or midrange computers) lack the processing power and throughput of a mainframe, but provide a cheaper alternative for organizations of limited size and financial means. Although midrange computers have security controls that are inferior to mainframes, they
following data storage media: magnetic tape.
Tape management systems and disk management systems help ensure that data is securely stored and controlled. They automate the process of tracking and labeling data files, enabling a user to quickly identify the contents, status, and location of every data storage device.
Explain the following data storage medium: magnetic hard disk. Include a discussion of RAID.
Magnetic hard disks are capable of storing anywhere between megabytes and terabytes of information, and are the most prevalent online storage media. A single disk may be permanently contained within a closed disk drive, or several disks may be grouped in a storage
Explain the following data storage media: magnetic soft disk, optical CD-ROM, optical CD-RW, and optical DVD.
Magnetic soft disks are small, removable, and portable devices such as floppy disks and Zip disks, in which a reprogrammable magnetic disk is contained in a hard plastic casing. Disks can hold between 1 megabyte and multiple gigabytes of data.
Explain Open Systems Interconnect Model (or OSI) and list each OSI layer. Then, explain the Transmission Control Protocol/Internet Protocol (TCP/IP).
Open Systems Interconnect Model, or OSI, is a network reference model that separates data communication into multiple networking layers. Each layer has its own special role, and supports the layer above it. Transmission Control Protocol/Internet Protocol, or TCP/IP, is a suite of networking protocols. Like the OSI model, TCP/IP stratifies the network into multiple layers:
Explain the following data storage media: read-only memory and flash memory.
Read-only memory, or ROM, contains data that has been permanently programmed onto semiconductor chips by fusing microscopic integrated circuits. The contents cannot be transferred, nor can they be upgraded unless the chips are removed and replaced. ROM provides solid-state storage that is both nonvolatile and incapable of being altered or erased; consequently, it provides excellent security, since code in ROM cannot be tampered with in place, but it may prove very limiting if constant upgrades are necessary, because a flaw in ROM can only be corrected by replacing the chip. The greatest benefit of ROM is extremely quick loading time.
Explain the security problems associated with RAID
Every computer has a set of physical input/output (I/O) ports, which enable communication with other computers and storage devices. Unfortunately, a person can use these ports to bypass security controls and gain an unrestricted level of access to the system; therefore, organizations must implement port controls. These include physical security controls, which safeguard physical access to the ports, and logical controls, which are software programs designed to protect data transfers. PCs are especially vulnerable because they have so many different ports: USB, RS-232, keyboard, expansion slots, disk channels, etc. Mainframes are vulnerable through their terminal, modem, and LAN ports. To ensure that the organization has implemented all necessary
Explain Layer 1 and Layer 2 of the OSI model.
Layer 1, or the physical layer, identifies the wiring and voltages necessary to establish, sustain, and break off an electrical connection between multiple computers or systems. Essentially, this layer is a description of the functional and electrical specifications of the transmission medium.
Explain Layer 3 of the OSI model.
Layer 3, or the network layer, includes protocols that direct a data transmission along a specific path and to a specific destination using an Internet Protocol (IP) address. Each system on the network has a unique IP address, and multiple systems can be grouped together to form larger IP subnetworks, or subnets. When sending information to a specific location, a computer first determines the IP address of that location. It then decides whether that address is on its own subnet (in which case it delivers directly) or on another subnet (in which case it delivers to its default gateway, a router). Finally, at the data link layer, it resolves the IP address of that next hop to a MAC address, typically with ARP, and builds a frame carrying its own MAC address as the source and the next hop's MAC address as the destination.
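The following is an added example, not part of the original card deck, that works through the Layer 3 decision just described: is the destination on my subnet or behind the gateway, and which MAC address goes on the frame. The host address, gateway, MAC addresses and ARP cache are constructed sample values. It also adds the check a practitioner wants here: because ARP replies carry no authentication, the host ignores replies it never asked for and flags a known address that suddenly reports a new MAC (the signature of ARP cache poisoning).

```python
import ipaddress

# Constructed host configuration (sample values, not from the original page).
HOST_IFACE = ipaddress.ip_interface("192.0.2.10/24")
HOST_MAC = "02:00:00:00:00:0a"
DEFAULT_GATEWAY = "192.0.2.1"

# Constructed ARP cache: IP address -> MAC address of neighbours already resolved.
ARP_CACHE = {
    "192.0.2.1": "02:00:00:00:00:01",   # the default gateway
    "192.0.2.20": "02:00:00:00:00:14",  # another host on the same subnet
}
# History of IP -> MAC, kept even after a cache entry expires, for change detection.
LAST_SEEN = dict(ARP_CACHE)
# IPs for which an ARP request has been sent and a reply is awaited.
PENDING_REQUESTS = set()


def next_hop(dst_ip: str) -> str:
    """Layer 3 decision: a destination on this host's own subnet is delivered
    directly; anything else is handed to the default gateway for routing."""
    if ipaddress.ip_address(dst_ip) in HOST_IFACE.network:
        return dst_ip
    return DEFAULT_GATEWAY


def build_frame(dst_ip: str, payload: bytes):
    """Layer 2 encapsulation: the packet keeps the real destination IP, but the
    frame carries the MAC of the next hop. Returns None (and records an ARP
    request) when the next hop's MAC is not cached yet."""
    hop = next_hop(dst_ip)
    dst_mac = ARP_CACHE.get(hop)
    if dst_mac is None:
        PENDING_REQUESTS.add(hop)   # simulates broadcasting an ARP request
        return None
    return {
        "src_mac": HOST_MAC, "dst_mac": dst_mac,
        "src_ip": str(HOST_IFACE.ip), "dst_ip": dst_ip,
        "payload": payload,
    }


def expire(ip: str) -> None:
    """Drop a cache entry, as a real stack does after its timeout."""
    ARP_CACHE.pop(ip, None)


def arp_reply(ip: str, mac: str) -> str:
    """Process an incoming ARP reply with two defensive checks: ignore replies
    nobody asked for, and flag a MAC change for an address seen before. A host
    that caches every reply can be poisoned by any machine on the LAN that
    claims the gateway's IP and then reads or modifies all outbound traffic."""
    if ip not in PENDING_REQUESTS:
        return "rejected: unsolicited reply"
    PENDING_REQUESTS.discard(ip)
    previous = LAST_SEEN.get(ip)
    ARP_CACHE[ip] = mac
    LAST_SEEN[ip] = mac
    if previous is not None and previous != mac:
        return f"alert: {ip} moved from {previous} to {mac}"
    return "accepted"
```

The unsolicited-reply check and the change alert are the behaviour of tools such as arpwatch and of switch features like dynamic ARP inspection; the example only models them on a single host.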
Explain Layer 4 of the OSI model. Then, define unicast and multicast.
Layer 4, or the transport layer, includes protocols that encapsulate the data for transport along the network. TCP (Transmission Control Protocol) is one such protocol. It methodically breaks down the data transmission into manageable segments. Each segment contains a sequencing number, which enables the destination computer to reconstruct the message. TCP is known as a reliable transport method because it provides delivery confirmation to the computer that sent the data. Other transport protocols, such as UDP (User Datagram Protocol),
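As an added example (not from the original card deck), the following Python models the two sides of what the card describes: the sender cuts a byte stream into segments stamped with sequence numbers, and the receiver uses those numbers to put segments arriving out of order back together, drop retransmitted duplicates, and compute the cumulative acknowledgement it sends back. The message, initial sequence number and segment size are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # sequence number of the first payload byte in this segment
    data: bytes


def segmentize(data: bytes, isn: int, mss: int) -> list:
    """Sender side: cut the stream into segments of at most mss bytes, each
    numbered from the connection's initial sequence number (isn)."""
    return [Segment(isn + off, data[off:off + mss])
            for off in range(0, len(data), mss)]


class Reassembler:
    """Receiver side: restores byte order and tracks the cumulative ACK,
    i.e. the sequence number of the next byte it still needs."""

    def __init__(self, isn: int):
        self.next_expected = isn
        self.out_of_order = {}        # seq -> data, held until the gap before it is filled
        self.delivered = bytearray()  # in-order bytes handed up to the application

    def receive(self, seg: Segment) -> int:
        end = seg.seq + len(seg.data)
        if end <= self.next_expected:
            # Duplicate of data already delivered (a retransmission): drop it,
            # but return the current ACK so the sender learns it is in sync.
            return self.next_expected
        if seg.seq > self.next_expected:
            # A hole precedes this segment: hold it; the ACK stays at the hole,
            # which is what tells the sender exactly what to retransmit.
            self.out_of_order[seg.seq] = seg.data
            return self.next_expected
        # Segment starts at (or overlaps) the expected byte: trim overlap, deliver.
        self.delivered += seg.data[self.next_expected - seg.seq:]
        self.next_expected = end
        # Drain any held segments that have now become contiguous.
        while self.next_expected in self.out_of_order:
            held = self.out_of_order.pop(self.next_expected)
            self.delivered += held
            self.next_expected += len(held)
        return self.next_expected


def deliver(data: bytes, isn: int, mss: int, arrival_order: list) -> tuple:
    """Run one transfer: segment the data, feed the segments to a receiver in
    the given order (repeated indices model retransmissions, missing indices
    model loss) and return the reassembled bytes and the ACK after each one."""
    segs = segmentize(data, isn, mss)
    rx = Reassembler(isn)
    acks = [rx.receive(segs[i]) for i in arrival_order]
    return bytes(rx.delivered), acks
```

The ACK sequence in the test below shows why TCP is called reliable: the receiver never acknowledges past a hole, so the sender knows precisely which segment to resend. The same sequence numbers are also a security boundary; an attacker who cannot see the connection must guess them to inject a segment, which is why real stacks randomize the initial sequence number.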
Explain Local Area Network, or LAN.
Local Area Networks, or LANs, are simply localized computer networks, usually covering a home, office, building, or other small geographical area. LANs allow multiple computers to exchange information and partake in certain services, such as email, file sharing, and printing. Data is transmitted through the network using one of the following methods:
Explain network routing, static routing, and dynamic routing.
Network routing is the method by which routers direct traffic to the correct locations along the network. There are two methods of routing: static and dynamic. In static routing, the network administrator manually enters each route (a destination network and the next hop that leads toward it) into the routing table of each router. Because a statically routed router accepts no routing advertisements from its neighbors, it cannot be misled by forged or misconfigured route updates; static routing is therefore very secure, but it is impractical for networks with complex or unpredictable traffic, since every topology change must be entered by hand on every router.
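The following added example (not part of the original deck) builds the routing table the card describes and performs the lookup a router makes for each packet: longest-prefix match, where the most specific matching network wins. The networks, next hops and interface names are constructed sample values. It goes one step beyond the card to show the security point in concrete form: if a router does accept advertisements (dynamic routing), a forged prefix that is more specific than a legitimate one silently wins the match and diverts traffic, so advertisements that cannot be authenticated are refused.

```python
import ipaddress

# Constructed static routing table for a small router (sample values, not from
# the original page): (destination network, next hop or None if directly
# connected, outgoing interface).
STATIC_ROUTES = [
    ("192.0.2.0/24",  None,          "eth0"),   # directly connected LAN
    ("10.0.0.0/8",    "10.1.1.254",  "eth1"),   # rest of the corporate network
    ("10.20.0.0/16",  "10.1.2.254",  "eth2"),   # one site, more specific than 10/8
    ("0.0.0.0/0",     "203.0.113.1", "eth3"),   # default route toward the ISP
]

ROUTING_TABLE = []   # (network, next_hop, interface), most specific prefix first


def install_route(dst: str, next_hop, iface: str) -> None:
    """Add a route and keep the table sorted longest prefix first, so that a
    simple first-match scan implements longest-prefix match."""
    ROUTING_TABLE.append((ipaddress.ip_network(dst),
                          ipaddress.ip_address(next_hop) if next_hop else None,
                          iface))
    ROUTING_TABLE.sort(key=lambda r: r[0].prefixlen, reverse=True)


for _dst, _nh, _if in STATIC_ROUTES:   # the administrator's hand-entered routes
    install_route(_dst, _nh, _if)


def lookup(dst_ip: str):
    """Per-packet forwarding decision. Returns (matched network, next hop or
    'direct', outgoing interface), or None if no route matches."""
    dst = ipaddress.ip_address(dst_ip)
    for net, nh, iface in ROUTING_TABLE:
        if dst in net:
            return (str(net), str(nh) if nh else "direct", iface)
    return None


def accept_advertisement(dst: str, next_hop: str, iface: str, authenticated: bool) -> bool:
    """The difference between static and dynamic routing is whether the router
    listens to advertisements at all. A statically routed router never calls
    this. A dynamically routed one must authenticate each update, because a
    forged, more specific prefix wins the longest-prefix match and hijacks the
    traffic for that range. Unauthenticated updates are refused."""
    if not authenticated:
        return False
    install_route(dst, next_hop, iface)
    return True
```

The `authenticated` flag stands in for whatever the routing protocol provides (for example a shared-key or cryptographic authentication option on the neighbor session); the example only shows the consequence of skipping it.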
Explain Layers 5, 6, and 7 of the OSI model.
Layer 5, or the session layer, includes the protocols that initiate and manage communication sessions between systems on the network. Using these protocols (such as Oracle's SQL*Net and the Network File System, NFS), the user's system will set up, govern, and terminate data exchanges with other systems.
An Ethernet is a type of network usually configured with a bus or star topology. It is most often used when network traffic consists of voice or data transmissions and all network media are confined to one location.