Flashcards in CISA Revision Deck (105)
The audit charter should state management's objectives for and delegation of authority to IS audit. Should be approved at the highest levels of management, and should outline the overall authority scope, and responsibilities of the audit function. Should not significantly change over time.
IT Balanced Scorecard
An IT business governance tool aimed at monitoring IT performance evaluation indicators OTHER THAN financial results. It considers other key success factors such as customer satisfaction, innovation capacity, and processing.
Stop or Freezing Point during New System Design
Requires that changes made after that point be evaluated for cost-effectiveness. Used to allow for a review of the cost-benefits and the payback period.
Clustered Server Setup
Makes the entire network vulnerable to natural disasters or other disruptive events. Not recommended for high-availability network configurations.
Logical Access Controls
The PRIMARY safeguard for securing software and data within an information processing facility.
The most important criterion when selecting a location for an offsite storage facility for IS backup files.
The offsite facility must be PHYSICALLY SEPARATED from the data center and not subject to the same risks as the primary data center.
The primary sampling method used for compliance testing. Attribute sampling (AS) is used to estimate the rate of occurrence of a specific quality (attribute) AND is used in compliance testing to confirm whether the quality exists.
Monitoring an outsourced provider's performance.
The MOST important function to be performed by IS management when a service has been outsourced. This is critical to ensure that services are delivered to the company as required.
The system and data conversion strategy that provides the GREATEST redundancy. The safest and the most expensive approach.
Adequate and most appropriate compensating control to track after-hours database changes.
Use the DBA user account to make changes. Log the changes and review the change log the following day.
Intrusion Detection System (IDS)
Gathers evidence on intrusive attack or penetration attempt activity.
Business Continuity Plan (BCP) covers only critical processes. The IT auditor should:
Revisit and/or update the Business Impact Analysis (BIA) to assess the risk of not covering all processes in the plan.
Audit Planning: Assessment of Risk
Should be made to provide REASONABLE ASSURANCE that the audit will cover MATERIAL items.
Training provided on a regular basis to all current and new employees.
The MOST LIKELY element of a security awareness program.
Function Point Analysis
An indirect method of measuring the size of an application by considering the number and complexity of its inputs, outputs, and files. Is useful for evaluating complex applications.
PERT (Program evaluation review technique)
A project management technique that helps with both planning and control.
SLOC (Counting source lines of code)
A direct measure of program size. Does NOT allow for the complexity that may be caused by having multiple, linked modules and a variety of inputs and outputs.
White Box Testing
Involves a detailed review of the behavior of program code, and is a quality assurance technique suited to simpler applications during the design and build stage of development.
Security patch installations
Should always be part of a good change management process.
Degaussing obsolete magnetic tapes
The best way to remove data from magnetic tapes. Leaves a very low residue of magnetic induction. Overwriting or erasing tapes may cause magnetic errors but may not remove the data completely. Tape label initialization does not remove the data that follows the label.
The MOST important concern when auditing backup, recovery, and the offsite storage vault
That the data files stored in the vault are synchronized.
When evaluating the collective effort of preventive, detective, or corrective controls within a process, an IS auditor should be aware of:
The point at which controls are EXERCISED as data flow through the system.
The BEST audit technique to use to determine whether there have been unauthorized program changes since the last authorized program update
Automated code comparison: an automated, efficient technique to determine whether the two versions correspond. Test data runs only allow for processing verification. Code review will only detect potential errors or inefficient statements.
IT Control Objectives
The statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
The PRIMARY purpose for conducting parallel testing is:
To ensure that the implementation of a new system will meet user requirements.
An analysis of peaking/saturated WAN links should result in:
Analysis to establish whether this is a regular pattern and what causes this behavior before expenditure on a larger line capacity is recommended.
Defends against viruses by appending sections of themselves to files. They continuously check the file for changes and report changes as possible viral behavior.
Focus on detecting potentially abnormal behavior, such as writing to the boot sector or MBR, or making changes to EXEs.
CRCs (Cyclical Redundancy Checkers)
Compute a binary number on a known virus-free program that is then stored in a database file. When that program is subsequently called to be executed, the checkers look for changes to the files, compare them to the database, and report possible infection if changes have occurred.