Hi all. Good morning to the session today. So this session is basically for the CISA, Certified Information Systems Auditor. And we will be discussing the questions and answers, and basically how to approach the exam questions. This is in line with ISACA's thought process, or how you need to approach a question, how you need to answer a question while you are taking the real exam. So we will be having the questions taken from the CRM, as an extract, and we will be discussing in detail the mode of thought process that you need to inculcate while you are preparing for the exam, as well as when you are in the exam. So if I start off, the agenda would be a small introduction about myself and you, and I'll give a brief note on how you need to approach the CISA questions. And we will be discussing domain 1 to 5 questions and how we need to think like an IS auditor. That will go in line with the domain 1 to 5 questions that we are discussing. That will be in parallel. And a final Q&A will be for you all to openly ask some questions regarding CISA. That is the end of the session.
So the introduction about myself is that my name is Krishnan Ramani. I think some of you would have seen me on LinkedIn. So I'm an information security and IT audit expert, with a total of 13 years' experience in IT auditing and the information security domain, out of which eight years is solely dedicated. I have a wide variety of experience in IT audits, IT security, GRC, ITGC, and IT security strategy. So my certifications are CISSP, CISA, for which I was a chapter rank holder, a first rank holder, and CEH, which is the Certified Ethical Hacking, version 10, and I'm a Lean Six Sigma Black Belt certified, and I have done business analytics. And I am also a certified cybercrime intervening officer. So let us start with this thought process, why we are coming for CISA. Let me pause here for a moment. So what is the objective? So there is a practical relevance. So every detail given in the CRM book, which is the CISA Review Manual, there is a practical relevance for you to do. And while you are working as an auditor or an IT auditor, even when you are working as an ITGC person, which is the general controls, and any line of defense, from CRM or PRC technology, risk management and everything.
So probably what happens is there is a pure practical relevance in terms of understanding these controls, what IT audit is all about, how do we preserve things, how do we maintain staffs, what are all the things. Because as an IS auditor, you will be reading this book. But once when it comes to the implementation part as well, there are a lot of clues that have been given in the book, in terms of how you preserve stuff so that it will be good for an audit and everything. So in that mode, it is very relevant to the present-day world. And as we see, the technology is also emerging at this point in time. So today, there is something called cloud. Tomorrow there will be something-- a new technology will be arriving, and everything will be changing overnight. But what we need to do is the fundamentals remain the same. So what are all the things that we are going to see? What are all the things that we are going to look at whenever we are auditing or whenever we are performing the role of information security analyst or any other thing? But this book is purely based, purely focused on the IS auditor side of things. So the prism of optics is purely from the IS auditor point of view.
Because the moment you start thinking as an IS security analyst for this exam, that will not be the correct thing that we will be doing. So what we need to approach, how we need to approach and what we need to do is exactly what I am going to tell here. So the questions will be-- each question has a stem question, which will be a basic question, which will have four options. Choose the correct or the best option. So as I was telling, the scenarios will be completely related to IS audit scenarios. You will be presented a situation. You will need to think like an IS auditor and answer like an IS auditor. So there are some helpful instances where you know how you will be approaching. So every question will be-- most of the questions, not every question, will have something called the best, most, and these kinds of wordings will definitely be there. So you need to understand what they are asking in the question. Because the moment they say, choose the best option, choose the most relevant option, choose the primary option, choose the first option, it means that two or more options that are being given are right in the context of the question, but only one thing can be the best.
Only one thing can be the primary. Only one thing can be the first. So you need to choose the answers accordingly. So say for an example, if there is a given scenario of a BCP process, how it comes to the business impact analysis and everything, so once you start the question, you will need to know what are all the steps involved in the BCP process. How do you conduct the business impact analysis? How do you identify the business? These step-by-step processes are definitely essential in order for you to understand what is the first most option that the IS auditor will be choosing. But it will not be as straightforward as, what is the first option in the BCP? There will be a presentation in terms of a scenario given. So you need to understand the scenario, and you need to answer accordingly. So read all the options and read the stem again, and see if you can eliminate two options. So that is very important. Read all the options. And so if you can eliminate two options, that will be great. So in the context of questions and answers in multiple choice questions, there is always a method called the elimination method. So in terms of how you answer a question, the elimination method is really a good method to start with.
Because once you start eliminating two incorrect answers, you will have a 50% chance of clearing the exam or clearing that particular question correctly. Because what you have is 100 percent, and out of which, you know you have already eliminated two irrelevant answers. In most of the cases, two irrelevant answers will definitely be visible. Once you have read the CRM and you have answered a sufficient number of questions, you will be able to identify what are the two irrelevant answers, and you will be able to straight away eliminate them and focus your time and efforts only on the two which are most relevant for that particular context. So reread the remaining options and bring in any personal experience that you may have to determine. So bringing in the personal experience, I would say it is with a caveat. Because in terms of bringing your personal experience, sometimes what happens is you need to think like an IS auditor from ISACA's point of view. So the moment you start thinking from your company's point of view-- probably some of you would have had a seasoned experience in terms of doing the IS audit and the IT auditing or whatever the security or whatever.
But the moment you start thinking from your company's perspective, things might go a little bit wrong because of the fact that the companies or the organizations actually tailor the controls according to their requirement, and they customize it, which in that case is not in ISACA's point of view, because ISACA's point of view is, I would call it, more raw, because it is a theoretical and practical knowledge of how you need to apply, but it is not in any specific contextual-based or organization-based controls. Because banking will be having a different set of approach towards the same control, and another industry-- healthcare, for that matter-- will be having a different approach to the same control. So think like an IS auditor. Of course, a little bit, n percentage, of your work experience also. That is a logical mind, that will also help, but in my best opinion, I would suggest that let's not think that over the board and think 100% as an IT auditor, because we'll be having a specific industry experience wherein the controls might be having a different approach, and sometimes the answers can go incorrect. So the next thing is the domain 1 questions.
So the first question is, which of the following outlines the overall authority to perform an IS audit? A, the audit scope or the goals and objectives; B, a request from management to perform an audit; C, an audit charter; D, an approved audit schedule. I think this is a very easy question. What defines the overall authority? I think chapter 1, domain 1, gives you very decent information on the overall authority. Because once you see the question "authority", the answer is always the approved charter. Let's look at the reasoning. The audit scope is specific to a single audit, and it does not grant authority to perform an audit. B, the request from management to perform an audit is not sufficient because it relates to a specific audit. The approved audit charter outlines the auditor's responsibility, authority and accountability. So as I told, this is the only document which gives you an end-to-end perspective on what it is for an auditor, why the auditor is there, what is the authority that the auditor is having, what are all the things that the auditor can do. So everything is given or entitled in one document. That is the reason we need to have selected option C.
The approved audit schedule does not grant the authority. The whole point is why this was a very easy question. But again, the point of this question is to give you a perspective on what you need to look for in a question. So when you start looking into a question, let me tell you what is very important. If you see over here, the overall authority over here, that is the key word, because every question, even in the exam, will have some key word that defines the answer correctly. Because, as I told, you need to eliminate two things. So in this, I will be eliminating a request form, which is definitely not an overall authority, and an approved audit schedule. The audit schedule is only in terms of what is the timeline that they are going to work on, when they are going to carry on the planning work, when they are going to carry on the field work, when the reporting is going to be done, what is the timeline for remediation and all that stuff. But in terms of a request form, that is in terms of just defining what the management is going to look out for and a permission letter or something of that sort.
But the two options, again, as I told, the closest that relate to this question will be option A and option C. Because once I say that option A-- but again, as I told, the overall authority is the word that defines what is going to be the primary thing that you are going to look out for over here. So the next question: in performing a risk-based audit, which risk assessment is completed first by an IS auditor? A, detection risk assessment; B, control risk assessment; C, inherent risk assessment; D, fraud risk assessment. So again, the question is very clear in terms of, for an IS auditor, which risk assessment comes first? Let's look at the correct answer now. So the correct answer is actually inherent risk assessment. So why is inherent risk assessment important? So let us look at the reasons over here. So detection risk assessment is performed only after the inherent risk. So as again I told, the stepwise answer is very important. What is the first? What is the first? So you need to know which is going to come in the first order, which is going to come in the second order.
So the detection risk assessment is performed only after the inherent risk and the control risk assessments have been performed. So definitely this answer can be eliminated. And control risk assessment is performed after the inherent risk assessment has been completed. And it is to determine the level of risk that remains after the controls have been applied. So say for an example, this control risk assessment is right. So it is going to give you what is left over. So even after applying all the controls, what is the risk that is going to remain? And option D, the fraud risk assessment, is a subset of control risk assessment. It is important, but again, it is not as important or the first task as the inherent risk. Because whenever you take any process, for that matter, there will be a form of inherent risk which has to be taken into consideration before doing anything. Because inherent risk exists independently of an audit and can occur because of the nature of the business. So to successfully conduct an audit, it is important to be aware of the related business processes. To perform the audit, an IS auditor needs to understand the business processes.
By understanding the business process, an IS auditor better understands the inherent risk. So inherent risk gives you an overall idea. For an example, if the IS auditor is performing an inherent risk-- an audit in the banking sector, they will be having certain sets of inherent risks according to them. And if they are doing some kind of audits in the health sector, they will again be having some set of inherent risks in that particular sector. So that is the reason we need to know the inherent risk of that particular industry or the particular business process that they are performing. Then they come into the process of fraud risk or the control risk, which is the second or third option that will be. So again, as I told, the logic behind the question is to understand which comes first. And also one of the other key things that is very important when you are preparing for the exam, not only from the exam standpoint, I would suggest everybody to-- so what happens is, once you know the answer is correct, check the reason why you have selected that answer and why it is correct.
Because 90% of the time, you might have selected an answer for some other reason, but it happens to be coincidentally correct with ISACA. But what I require everybody to do is that you need to check the thinking process of ISACA. That is very important in terms of understanding the concepts. And also, even if you have got the answer correct, I would require you to check every option available, A, B, C, and D, why it is not correct and why the answer that you have chosen is correct. Even in case you have not selected the correct answer, please still go and check all these options, why the answer that you have selected is not the correct answer and why the other answer remains the correct option. So this question is, again, an interesting question. So an IS auditor is performing a review of an application's control fields, and he finds a weakness in the software system that could materially impact the application. In this situation, an IS auditor should-- Again, this is not a question. This is just a statement. We need to complete the statement. A, disregard these control weaknesses because the system software review is beyond the scope of this review.
B, conduct a detailed system software review and report the control weakness. C, include in the report a statement that the audit was limited to review the application's control weakness. D, review the system software controls as relevant, and recommend a detailed system software review. I think everyone is going with option B. But sorry to disappoint, the answer is actually D. Before going into the complete detailed review, as given here, the appropriate option would be to review the system software as relevant to the review, and recommend a detailed system software review for which additional resources may be recommended. So the answer might be extremely similar to what B is, but the difference is that you need to know where your scope is going to go and how you are going to plan the audit accordingly. So that is what is the defining moment for answer B and answer D. So again, answer A and answer C are completely irrelevant. You can take them off the radar. Definitely nobody has given answer A or C. That is a good sign. Because as I told, we need to eliminate these two options very clearly, in terms of how we are going to understand this whole thing.
So which of the following is the most important reason why an audit planning process should be reviewed at periodic intervals? A, to plan for deployment of available audit resources; B, to consider changes to the risk environment; C, to provide inputs for documentation of the audit charter; D, to identify applicable IS standards. So again, the answer is B. Let us look at the explanation that is given over here. So short-term and long-term issues that drive the audit planning can be heavily impacted by changes in the risk environment, technologies, and business processes of the enterprise. This is well set, in terms of the risk environment changing quite dynamically for some businesses. So what might be considered as a risk today might not be a risk tomorrow. What might not be considered as a risk today will be a risk tomorrow. So in terms of planning for the deployment of available resources, it's determined by the audit assignments plan. The option is completely not relevant. Again, option C is something-- is a mandate from the top management. It is not something-- the risk assessment, or any kind of thing, is not going to-- planning is not going to have any impact on the audit trail because it's a top management mandate.
And D, applicability of IS standards, guidelines and procedures is universal to any audit engagement. It is not specific to any audit and is not influenced by the short-term and long-term issues. Again, when I talk about short-term and long-term issues, probably we might be having some IT deployment happening, which might change the risk posture. And the classic example is COVID. So in COVID, people are working from home. The risk environment changes from being in the office space to the home space. What are all the risk environment changes that are going to happen? So if anybody has access to printers, say for an example, a person might be connecting their home printer to their laptop or PC and print some confidential documents, so the risk posture is completely changing. So that is the reason why we need to have planning that needs to be detailed, done before the audit. So which of the following is the most effective for implementing control self-assessment within a small business unit? A, informal peer reviews; B, facilitated workshops; C, process flow narratives; D, data flow diagrams. So say for an example, I will tell you the correct answer, which is B.
So when we are going-- you know the answer reasoning over here, let me not explain it. But I'll give you a different perspective over here. Out of the four options, actually, I feel that three are actually correct for this particular question, because not two, but three are correct. But which is the most important? When you say that, the facilitated workshop comes into the mind because of a very simple fact: the control self-assessments are not performed by a seasoned auditor or by a seasoned or a control of people. They are being performed by the business themselves directly, to assess how the control posture is there, how the risk posture is, everything. So what happens here is you need to train them. We have to train them correctly to identify what they are supposed to do, how they are supposed to check for control weaknesses and how they are going to report them. And that is by far the most effective way. But again, the process flow diagrams are important. While doing these facilitated workshops, there will be process flow diagrams and data flow diagrams and narratives. These things are very important in terms of giving more added perspective.
0:21:03.330 But again, that is not the only thing that is required over here. What we require over here is in terms of identifying the best option. So the next question. So which of the following would an IS auditor perform first when planning an IS audit? Define the audit deliverables, finalize the scope and the audit objectives, gain an understanding of the business objectives and purpose, develop the audit approach or the strategy? C is the correct answer, gain an understanding of business objectives and purpose. So the reason is very simple. So what we need to understand, in terms of business mission, objectives, purpose, which in turn leads to the policy, standards, guidelines, procedures, everything, because it is very important to gain an understanding of the business. Say for an example, if we are in a pen drive manufacturing company, their core mission is to manufacture a pen drive and test pen drives and use pen drives. And you cannot say that the use of pen drives or external drives is prohibited inside the organization. That will be the most absurd thing. And in Facebook, if you are auditing Facebook, you cannot go and say that viewing Facebook inside the Facebook office is restricted.
0:22:18.690 Of course, it can be limited to view and to view your personal account. But it will be so absurd when we say all these things inside the office that they are trying to work on. So that can be an explanation that can be given to this answer. But again, I would like everyone to go through the other options as well. Defining the audit deliverables is dependent upon a thorough understanding of business objectives, A, B, and D. Because as I told, every option is important, though it may not be relevant to this particular question, some other question that might be relevant to this particular option will be arising tomorrow. So the last question in domain 1 is, again, the next question. An organization performs a daily backup of critical data and software files and stores the backup tapes at an offsite location. The backup tapes are used to restore the software in case of disruption. This is an example of a preventive control, management control, corrective control, or detective control? The correct answer is actually C. So you cannot avert a particular disaster from happening. If you can avert that particular disaster from happening, that is a preventive control.
0:23:31.090 But a corrective control is set up-- a BCP is a critical-- a DRP and a BCP are the best examples that I can give over here. It is actually a corrective control. It is not a preventive control. So say for an example, a couple of years back, the Chennai floods happened in 2015. That cannot be averted. And the pandemic, right now we are in a pandemic, that cannot be averted. But what we can do is a corrective control and approach towards it. So as the answer outlines over here, A, preventive controls are those that avert the problems before they arise. Backup tapes cannot be used to prevent damage to the files and therefore cannot be classified as a preventive control. Management controls modify processing systems, which is completely irrelevant to this context. C, a corrective control helps to correct or minimize the impact of a problem. Backup tapes are such. So detective controls, again, it is not completely relevant to this answer, which is going to only help in terms of detecting a problem after it has arisen. So detective controls can be in auditing. Auditing is a detective control. The best detective control is auditing.
0:24:38.380 And a management control is something-- if I can give an example of, in terms of recurrence of a problem, a processing system. Say for an example, that's-- it is management controls again. The management controls are put in place so that you cannot edit a few items or view-only options. And those kinds of controls are also called management controls, that is, to repeat the occurrence of a problem. So that nobody even touches something so that it doesn't go wrong again. So this is the end of domain 1. So now we are going into domain 2. So now we are able to see the domain 2 first question. So in order for the management to effectively monitor the compliance of the processes, applications, which of the following would be the most ideal? A central document repository, a knowledge management system, a dashboard, or benchmarking? So the correct answer is C, dashboard. So a dashboard provides a set of information to illustrate compliance of the processes, like how KRAs, KPIs are going to be there, and the configurable elements to keep the enterprise on course. So if you are going to deviate, if the metrics are not achieved, the management will be definitely informed. So why not A, B and D?
0:25:53.800 Any perspective? Again, that is given over here. In terms of benchmarking, option D, it provides information to help the management to adapt the organization in a timely manner, according to the trends and the environment, so what the other organizations are doing. So if I am in a Big Four organization, so what my peers are, what my competitors are doing, EY, Deloitte, KPMG, and PwC, what they are going to do. And that will be the context in which I will be benchmarking. And A and B, A is nothing but a document repository. That doesn't provide any specific information on how the controls are being performed, how the compliance is being done. A knowledge management system provides valuable information, but it is generally not used by the management for compliance purposes. Again, a KMS is nothing, but in terms of-- it will not provide any specifics on how the control is performing, how the compliance has been performing. So that again, the important thing in this question is that, effectively monitor and the most ideal. So when I say most ideal, most ideal, I think benchmarking and dashboard are the two options which I will be choosing in the last.
0:27:03.400 But again, among these C and D, what is an important thing will be D because it gives the accurate information on how my organization is doing. But the next question will be, my organization is doing good, but what about the rest of the others? That is where the benchmarking comes into the picture. The next question is, which of the following best describes the IT department strategic planning process? An IT department will have either short- or long-range plans, depending upon the organization's broader plans and objectives. The IT department strategic plan must be time- and project-oriented. So not detailed plans to address and help determine priorities to meet the business needs. Long-range planning for the IT department should recognize the organizational goals, technological advances and regulatory requirements. And D will be, short-range planning for the IT department does not need to be integrated with the short-range plans of the organization since technological advances will drive the IT organization's plans much quicker than the organization plans. I think this is a little bit complicated question. But the answer is very, very simple. So in order for this to be understood-- the correct answer is, of course, C.
0:28:20.300 So in order for you to understand this particular question, you need to understand two things over here. You need to understand what strategic planning refers to. Strategic planning is always a long-term plan, which is more than-- it has been more than one year and derived for five years. So that is strategic planning. There is always a tactical planning. Tactical planning refers to what you are going to achieve in one year. And operational planning, it is anything below one year, so for a few months, for a few quarters, that is going to be your operational planning. So what happens here is the question specifically asked about strategic planning. In that context, option A or B is going to be definitely eliminated because option A talks about short and long range. Short-term plans are either going to be operational or tactical plans, which is not in the context of this question. And again, these again are eliminated because of the short-range planning. Because short-range planning is, again, going to be only there for the operational and tactical, and not for the strategic.
0:29:21.530 So the only answer that remains in this question will be long-range planning, which should always emphasize organizational goals, technological advancements, and regulatory requirements. So that is in terms of this correct answer. Again, you need to understand one thing before answering a question. Whenever you have a question, try to understand which domain they are coming from primarily. There might be a situation of two or three domains culminating in one question itself, but there will be a primary essence of one domain, which will be focused. In this particular question, the domain focus is only, of course, it is domain 2, and the focus is domain 2. Domain 2 focuses only on one bang-on agenda. That is in terms of organization goals, organization's missions, organization's thing. So everything that the IT revolves-- IT cannot work as a silo. It cannot work as a silo. Say for example, if your organization is selling vegetables and fruits, your IT organization cannot talk about implementing a cloud for clients. So that is not going to happen. So that is not the way the business runs. Your optimization should run in terms of how your organization is going to sell your fruits and vegetables.
0:30:38.850 They will be an organic business, so how IT acts as an enabler. So IT is only an enabler of the organization. It is not something which is completely driving the organization. The business priorities are completely different from what IT priorities are. So we need to align our IT priorities so that the organizational goals, technological advancement and even the regulatory requirements are complied with. So the most important responsibility of a data security officer in an organization is, A, recommending and monitoring data security policies, B, promoting security awareness within the organization, establishing procedures for IT security policies, administering physical and logical access controls. The answer is A. But when I come to this question, this is, again, a tricky question because the question outlines the most important. So when we say most important, it is always considered that there are two options which are correct, two or more options which are correct for this question. But in terms of B, C, and D, why are they not correct instead? B, anybody in the organization can do the security awareness.
0:31:49.100 And it is not the only responsibility of a data security officer, though it might be a responsibility, but it is not the only responsibility. And C and D, they are all more of establishing procedures. Establishing procedures, anybody can do in an IT organization. And administering physical and logical access control, again, is specific to the application. Say for an example, if they are administering the SAP, if they are administering the Oracle, the specific team related to the SAP or the Oracle will administer these controls, and not the data security officer. But the data security officer at a top level, at a very high level, will define in terms of what is recommended in terms of protecting their data. Say for an example, if the data is coming under the GDPR regulation. So what is required in terms of them to protect the particular data? The mere implementation part is done by the IT team. And in terms of promoting the security awareness, it can be done by anybody in the organization. Now, we go to the next question. What is considered the most critical element for the successful implementation of an information security program?
0:32:57.160 An effective enterprise risk management framework, senior management commitment, an adequate budgeting process, meticulous program planning? So the correct answer is B. And you can go through this option, while the other options are not correct. Let me just give you one important perspective over here. A couple of years back, when IT was not seen as a big enabler for the organizations, in the board meetings, only five minutes would be spared for any kind of security or IT security related issues to be discussed. Nowadays, organizations have started prioritizing this, and there is a very detailed discussion on the whole thing because most of the organizations, including the small scale enterprises or the medium scale enterprises, have shifted their focus only towards IT because of the pandemic. And they have started even seeing the benefits out of it. And it is important for an organization to protect their information security assets. And management has started putting a lot of effort in terms of how this is going to happen. The next question is, which of the following tasks may be performed by the same person in a well-controlled information processing computer center?
0:34:13.170 Security administrator and change management, computer operations and system development, system development and change management, system development and system maintenance? The correct answer is actually D. The whole point of this question is that when you look at option A and option C and option B, why they are not correct is that-- the first option, security administration and change management. So what is change management? So change management is in terms of there is an established change management process saying that whenever you apply any changes to a particular system or a functionality hardening or anything, anything of that sort, any functionality for that matter, it needs to be promoted in a certain set manner, by having an approval and everything. But when the person is having security administration as a task and having change management, they will be completely bypassing this in the whole thing, and people will not be able to know who has done that particular change, and there are chances of malpractices. And C, again, the same thing. You develop a system and you are responsible also for the change management, which is again a conflict. So change management, somebody has to promote the change.
0:35:31.050 Somebody has to develop the changes. Somebody has to approve the changes. Somebody has to promote the changes into the production. So again, you cannot develop and also you cannot change at the same time. That is, again, a very important thing. So option B, the computer operations and system development. So options B and D are a little bit closely related. That is where the confusion starts over here. Because as many of you have told, the option computer operations refers to just the operations and the system development because it would be-- computer operations and system development is an incorrect choice because this would make it possible for an operator to run a program that she or he has amended. So say for an example, if the particular person is having both these accesses, they can run the program without having any kind of additional controls being required. So that is the problem that the operations and the system development cannot be at the same time. But option D, the maintenance, maintenance can be done by the same person.
0:36:31.680 Why it can be done by the same person is that during the maintenance, the performance, the person requires access to the source code, and the person who has developed it will be having access to the source code. That is why in a production, they can-- and that is the reason they can promote these things into maintenance, as well as system development at the same place. But again, this is a very tricky question. Exam questions can be similar to this one. And in domain 2, the next question is, which of the following is the most critical control over database administration, which is the DBA? Approval of DBA activities, segregation of duties in regard to the granting and revoking of rights and access, evoking of access logs and activities-- sorry, review of access logs and activities, review of use of database tools? So the correct answer is option B. So why important? It is important for a DBA to do this-- sorry, conflicting, rather than any of these three, is that the other three options do not reduce the risk. This is the only preventative control that they can apply.
0:37:40.110 So as an auditor, when I'm coming and seeing the process and saying that the DBA is reviewing the logs, the DBA is using the database files, the DBA is using approval activities, everything is fine. But does he or she deliver on the fundamental issue in the segregation of duties? That is what will be my auditor's question. This is where it is very important. Because as an IS auditor, you need to think and deliver the answer. Because if you are thinking as a security analyst, this was a typical security mind question and answer. I understand from the guru's perspective, he is right. But as an auditor, you need to think from the other side of the table, how an auditor will approach this thing. That is where this question is going to be answered. You can just read A, C, and D, why they are not correct. So approval of database administration activities does not prevent the combination of conflicting things. And the C option is, if DBA activities are improperly approved, review of access would be-- again, that may not be reducing the risk.
0:38:46.890 Say for an example, if you have fundamentally approved the access of some person incorrectly, though you may be monitoring his or her activities, the problem is that it will not be addressed because you have already done something wrong in the first place, and you cannot correct it just by monitoring or taking actions on it. And reviewing the use of database tools does not reduce the risk. Because it is only a detective tool. It is only a detective tool, it is not a preventive or any other conflicting combination. It will not prevent any conflicting combination. In a small organization where segregation of duties is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should the IS auditor recommend? Automated logging of changes and development of libraries, additional staff to provide SoD, procedures that verify only approved program changes are implemented, access controls to prevent the operator from making program modifications? Again, this is one of the trickiest questions. The whole point is that whenever you see some questions relating to the organization size, even in the exam, make it very clear that the answer might be dependent upon the size of the organization.
0:39:58.300 If you are a large organization, like Google or Apple or Facebook, you can do any of these things. B can be done, A can be done. Of course, D is something that also can be considered. But it is a small organization. Only a programmer is dependent upon an operator, performing the multiple tasks. What an IS auditor would recommend will be very, very simple in terms of procedures that exist, at least on paper, to say that only the approved program changes are implemented. Because whenever we see any question relating to the organization size, the answers will be highly dependent on the size of the organization. What might be the best treatment for a large-size organization may not be the best treatment for a mid-size and a small-size organization. So we need to be very careful in choosing the answer because two or more options will look extremely correct, because the size of the organization is going to be very dependent in the particular question. We are at the end of domain 2, and we will be having three more domains to cover. So the next question is from domain 3. To assist in testing an essential banking system being acquired, an organization has provided the vendor with sensitive data from its existing production system.
0:41:18.100,0:42:34.570 As an IS auditor, the primary concern is that the data should be what? A, sanitized, B, complete, C, representative, and D, current? Whenever an asset goes out, even if an asset is sunsetting, if a technology asset decommissioning is happening, the sanitization part is an important thing. You don't want the data or the production data to be visible to others whenever they are doing the testing, which might give some opinions about how the organization is working and what are all the data that the organization is having. So it is important that we definitely need to, or should, be opting for A, because it is very important. And test data should be sanitized to prevent sensitive data from leaking to unauthorized persons. All the other three options, although they may seem a little bit relevant, are completely not relevant; they are completely incorrect. Which of the following is a primary purpose for conducting parallel testing? To determine whether the system is cost effective, to enable comprehensive unit and system testing, to highlight the errors in the program interfaces with the files, to ensure the new system meets the user requirements? It is very simple, the answer is D. Let me put a perspective over here.
0:42:34.570,0:43:34.840 So when we have two systems, say for an example, we have a Tally system that's currently running my accounting things, and we are going to implement SAP. So Tally is perfect for my organization, but my organization is going into a billion and a trillion organization. I wish it could. And the whole thing is that, so in terms with, if the new system is being implemented, is everything being aligned and is everything as per the requirement, is everything working as it was working entirely? That is the primary thing that I will be looking at. So that is the reason that we are going with the option D. The purpose of the parallel testing is to ensure that the implementation of the new system will meet the user requirements. It can be identified in the UAT testing itself, but the parallel testing gives you an idea: both the systems are running in parallel with each other, which will give a fair enough understanding on how the new system is working. In case there are any deficiencies in the new system compared to the old system, how it can be fixed and stuff like that.
0:43:34.840,0:44:38.620 See, all the other testings, unit and system testings, are completed before the parallel testing; program interfaces with the files are tested for errors during the system testing itself and not-- and then the parallel testing, because parallel testing happens at the last stage, during the implementation stage, and it's not at the first stage. When conducting a review of the business re-engineering process, an IS auditor found that an important preventive control had been removed. In this case, an IS auditor should, A, inform the management of the findings and determine whether the management is willing to accept the risk potential, B, determine if a detective control has replaced the preventive control during the process, and C, recommend that all the control procedures that existed before the process was re-engineered be included in the new process, develop a continuous audit approach to monitor the effects of removal of the preventive control? Whatever happens, when you stumble upon something that is not as expected, you are supposed to inform the management then and there.
0:44:38.620,0:45:56.080 Then look for the other alternatives or other remedial measures, because the management needs to be informed that there is a risk, and whether they are willing to accept this risk of not having a preventive control in place. So in this case, that's a classic example. And if you see here, the existence of a detective control instead of a preventive control usually increases the risk that the management-- increases the risk that a material problem may occur. So say for an example, if there is also a detective control, that should be in place. There is a high probability that the particular process is prone to having some kind of control issues, and the preventive control has been removed. So that is the reason you need to just inform the management first, and then look for other options. Is it clear? Let me go to the next question. Which of the following will be considered as the most serious in an enterprise resource planning software used by financial organizations? Access controls have not been reviewed, limited documentation is available, two-year backup tapes have not been replaced, database backups are performed once a day? I'll give you the correct answer, which is A, and you can see the explanation.
0:45:56.080,0:47:04.660 When auditing the requirements phase of a software acquisition, an IS auditor should-- assess the responsibility of the project timetable, assess the vendor's proposed quality processes, ensure that the best software package is acquired, review the completeness of the specification? The review of the completeness of the specifications. Whenever you talk about requirements, there is a specification. So that is what our answer talks about. The purpose of the requirements phase is to specify the functionality of the proposed system. Therefore, an IS auditor would concentrate more on the completeness of the specification. Assessing the vendor quality process would come after the requirements. So you have analyzed the requirements, then you are going for the vendor, this A vendor or B vendor. That is where your things will come into the picture. Analyzing the organization's ability, whether they are able to support, whether they are a big organization, like a Microsoft or Oracle, or they are a small organization, something happening out of somewhere in the world, or whether they are able to fulfill the obligations, whether the quality process is good and everything.
0:47:04.660,0:48:19.240 So this is how you critically think, because this is a stepped approach. As I told, if there is a stepped approach in some process, say for an example, change management, how do you promote the changes? I think the CRM gives you a very detailed explanation on how the changes are being promoted, change management, and how an RFP is raised. In domain 3, it talks about the RFPs, how a software is being acquired, how off-the-shelf software is being acquired, how the requirements are built, how the requisition for proposal is built. So these kinds of things are phased approaches, and you have to bound the answer only to the phased approaches. So the next question is, an organization decides to purchase a software package instead of developing it. In such a case, the design and development phases of a traditional software development cycle would be replaced with-- selection and configuration phases, feasibility and requirements phases, implementation and testing phases, nothing, as replacement is not required? It is a very simple question. Just now I told about the steps involved. In this question, option A is the correct answer because of the fact that the design element is taken out.
0:48:19.240,0:49:30.500 Instead of developing it, you're going to buy outside. So what happens is the selection and the configuration phases come into the picture. Feasibility and the requirements come only in terms of design requirements. So if you see the answer reasoning over here, with the purchased package software, the design and development phases of a traditional life cycle have become replaceable with selection and configuration phases. A request for proposal form, which is the RFP I was talking about, from the supplier package is called for and evaluated against the predefined criteria for selection before a decision is made to purchase the software. Thereafter, the configuration is to meet with the organization's requirements. If you take the option B, the other phases of the system development, SDLC, such as feasibility study, requirements definition, implementation and post-implementation, remain unaltered, because it is very simple. You are not going to define any requirements. Say for an example, if I am going to Subway, I am going to say very clearly that you need to put me these toppings, like jalapenos. I don't want to trigger any kind of hunger mode over here.
0:49:30.500,0:50:40.460 But I am just telling for an example over here, because this is as simple as going to a Subway versus McDonald's. So if I go to Subway, I customize my bread, along with the toppings that I require. These are the sausages. These are the toppings that I require. But if I go to make [INAUDIBLE], that is very clear that they have predefined elements. And among the predefined things, what is closely matching with my requirements? I need to choose. Probably I can customize it. I can say, please don't add mushrooms. I don't like mushrooms. I can say that. That is to do with the configuration part. But again, I cannot completely design some new product and the requirements and the feasibility. Everything has been taken off the shelf. Which of the following procedures should be implemented to help to ensure completeness of inbound transactions via electronic data interchange? I think the EDI topic you will be seeing quite a lot in the CRM as well, and sometimes in the exams as well. So this is a hint. So segment counts built into the transaction set trailer. A log of the number of messages received, periodically verified with the transaction originator. An electronic audit trail for accountability and tracking.
0:50:40.460,0:51:51.150 Matching the acknowledgment transactions received to the log of EDI messages sent. EDI is one of my favorite topics, I would say, because while I was studying for the exams, I did very hard work to understand this EDI concept. So all the other options, if you see, one way or the other talk about some form of auditing methodologies and acknowledgment of transactions received. Acknowledgment of transactions is just to verify whether it has been-- to check the originator or origination of that particular transaction. An electronic audit trail is an accountability in tracking. Yes, of course, it tracks the audit trail of the account for auditability. Sorry, for accountability and tracking. But none of the options are actually close to A, because A is the correct answer. Control totals built into the trailer record of each transaction or each segment is the only option that will ensure that individual transactions are sent or received completely. So electronic data interchange is one concept that you need to be very, very familiar with, because EDI is being used at every ERP, everything that you see in the current systems.
0:51:51.150,0:53:04.260 Because if one system is talking, say for an example, if [INAUDIBLE] is talking to Oracle or JD Edwards or any other things for that matter, they are talking in the language of EDI with an XML file. So each transaction that is being sent as an inbound transaction and sent as an outbound transaction from one system to another system, they need to have an individual count, and they need to have an individual receipt of transaction. That is the reason why we need to match it accordingly. Let me move on to the next question. So that ends domain 3, and we are now into domain 4. So domain 4 starts-- I think domain 4 is all about the information security assets, different types of information security assets, and BCP and DRP. So which one of the following provides the best method for determining the level of performance by similar information processing facility environments? User satisfaction, B, goal accomplishment, C, benchmarking, and D, capacity and growth planning? So it is actually C, benchmarking, because whenever we wanted to ascertain any level of performance-- we talked about dashboards. Dashboards give us what our organization is performing.
0:53:04.260,0:54:18.530 And in terms of what the other organizations are doing, the best way to identify is to benchmark. Say for an example, I am working in a Big 4, and I want to ascertain the value of what others are doing, what I am doing compared to others. The only thing that we need to do is the benchmarking. So that is very important, that we do the benchmarking among our competitors and similar facility environments. Let me move on to the next slide. So which one of the following is the most effective method for an IS auditor to use in testing the program change management process? Trace from system-generated information to the change management documentation. Examine change management documentation for the evidence of accuracy. Trace from change management documentation to a system-generated audit trail. Or examine change management documentation for evidence of completeness. So this is a very tricky question again. The correct answer is A, trace from system-generated information to the change management documentation. They are talking about the most effective method. By virtue of saying the most effective method, two options are correct. A and C are extremely correct.
0:54:18.530,0:55:25.950 B and D are extremely incorrect because of the fact that when you check the documentation only, you cannot derive any accuracy out of it, derive any completeness out of it. So B and D, or C or D, is a straight elimination. But what happens with A and C is that when you do it from the documentation perspective and then go to the system audit trail, it is still correct. It is still correct, and some of the auditors do still practice it. But what happens is, you sometimes miss the perspective out of it, and your mind starts to think why a specific thing-- we will start thinking it needs to be there. But when you extract the system-generated information and then check with the documentation whether this is the correct way of doing things or not, then that is the most probable factor you will stumble upon any gaps. So when testing the change management, the IS auditor should always start with the system-generated evidences, information containing the date and time the module was last updated, and trace it back to the documentation authorizing it. Because, see, it is like finding a needle in a haystack. So what happens is, for every transaction, you need to have an approval.
0:55:25.950,0:56:34.090 It is not like for every transaction approval, whether there is a corresponding system entry or not. Some might have even not been deployed. So what happens is the risk of not detecting undocumented changes. That is what the problem is here, because whatever is there in the documentation is documented, and it is fine. That is the difference between C and D. The classification based on the criticality of a software application as a part of an IS business continuity plan is determined by the-- nature of the business and the value of the application to the business, replacement cost of the application, vendor support available for the application, associated threats and vulnerabilities of the application. So the correct answer is A, the nature of the business and the value of the application towards the business. So the rest of the other options seem a little bit irrelevant to this question, the replacement cost of the application. So why is it even important to understand? And the vendor support is not a relevant factor for determining the criticality classification. The associated threats and vulnerabilities will be evaluated only if the application is deemed to be critical to the business.
0:56:34.090,0:57:48.360 So the rest of the other options are not correct. The next question is, when conducting an audit of client server database security, the IS auditor should be most concerned about the availability of-- system utilities, application program generators, system security documentation, access to stored procedures. So the whole point is availability of what? So the point is system security documentation, of course, it is required. The problem here is that it should be required only for a few specific set of people to whom the organization wants to give the access to the documentation. Not every junior level employee can have the security documentation in place. And B is completely irrelevant because application program generators, it's not. In the correct shop, actually the correct option is option A, system utilities. System utilities may enable unauthorized changes to be made to the data on a client server model. Because if you read the database model very clearly, there are certain system utilities you should not give access to, because the system utilities will bypass the security controls and the access controls, and the person will still have the ability to make some unauthorized changes.
0:57:48.360,0:58:52.950 People who have read the database security model, I think they will be clear with this answer, because the fundamental thing is that it's a system utility. Say for an example, that is the reason why we do the hardening of the system. We will delete access to the unwanted things that are not required as a part of the system. Let me move on to the next question. When reviewing a network used for internet connections, an IS auditor will first examine the what? Validity of the password changes occurrence, architecture of the client server application, network architecture design, firewall protection and proxy servers? So I think unanimously people are answering C. That is the correct answer as well, because you need to understand what a network architecture and design is all about, about that particular communication. So B may seem a little bit irrelevant to this particular thing, because firewall comes after the whole thing of understanding network architecture. And B is also the second, but it's not as the first important thing, C. I will tell you the difference between C and B.
0:58:52.950,1:00:07.210 Understanding the network architecture design is the starting point of identifying various layers of the security architecture across the various layers, such as client server applications. But in the first or in principle, what you need to do as the first step, we need to understand the network architecture as a whole. Then you go to the client server model, how it is designed. That is how you need to take things. Again, this is a step-based approach, like how you approach BCP, DRP, and change management. This is, again, a step-based approach. Data mirroring should be implemented as a recovery strategy when? RPO is low, RPO is high, RTO is high, disaster tolerance is high? It is a very easy question. If you have understood the concept of RPO or RTO, this is a very easy question. So the correct answer is RPO, B, which is low. So recovery point objective is the earliest point in which it is acceptable to recover. So recover the data, in other words, RPO indicates the age of recovered data. And so what happens is the organization cannot afford to lose even a few minutes of data.
1:00:07.210,1:01:24.090 In such a case, data mirroring should be used, usually used as a recovery strategy. So I think one of the last questions with domain 4 will be, which of the following components of a business continuity plan is primarily the responsibility of the organization's IS department? Developing the business continuity plan, selecting and approving the recovery strategies used for the business continuity plan, declaring a disaster, or restoring the IT systems and data after a disaster? Which of the following components is primarily the responsibility of the organization's IS department, primarily? So when you see the primarily, what is the primary objective of the IS department in relation with the business continuity plan? So restore the data is very, very important. At the end of the day, what is the end game of that? Whenever a disaster struck-- disaster has already struck, fine, what are we going to do now? Now we are going to temporarily run the business on the other show, with the backups and stuff like that, with the skeleton staff, whatever. But maybe the primary objective is that it is always to restore the IT systems and data after a disaster. That is what is correct and also [INAUDIBLE]. You can see the explanation over here.
Members of the organization's most senior management are primarily responsible for overseeing the development of the business continuity plan and are accountable for the results. So the IS team is not responsible for that. It is the business and the senior management who are responsible, because that's their business. Management is also accountable for selecting and approving all strategies. That is, again, to do with the individual business. Cool.

So that brings me to domain 5, the most technical domain, if I'm not wrong. The longest domain in the book as well. The first question is, an IS auditor reviewing the configuration of a signature-based intrusion detection system, which is the IDS, would be most concerned if which of the following is discovered? Auto update is turned off, scanning for application vulnerabilities is disabled, analysis of encrypted data packets is disabled, the IDS is placed between a demilitarized zone and the firewall? A, auto update is turned off. So even in our home, when we are running Kaspersky, Norton or whatever security thing, the intrusion-- not intrusion, but antivirus software, the signature is very important.
It will get updated twice or thrice or even five times in a day, depending upon what the situation is. So what happens is, when you have turned this off-- God knows when you have turned it off and how many days the system is not updated. That is the most important risk in anything, whenever the IDS-- because when a signature-based IDS is looking for patterns and the pattern is not recently updated for a recent vulnerability, what happens? Your system is as good as not protected. Whenever you are reading this answer reasoning, even in the CRM, even in the question and answer bank, I request you all to read all the four options, why it is correct, why it is not correct, and to get familiarized. Say for an example, in this, the completely irrelevant option is B. But they have given good information on a demilitarized zone or DMZ. So this can be used in some other question, which might be all dealing with DMZ.

Let me move on to the next question. An IS auditor has just completed a review of an organization that has a mainframe computer and two database servers where all the production data reside. Which one of the following weaknesses should the IS auditor consider the most serious? The security officer also serves as a database administrator.
Password controls are not administered over the two database servers. There is no business continuity plan for the mainframe system's non-critical applications. Most local data networks do not back up file server fixed disks regularly. So the correct answer is B, password controls are not administered over the two database servers. So the absence of password controls on the two database servers, where the production data resides, is the most critical. Because again, this question talks about the most. There are two options which are correct, of course. And what you need to look for is the one which is most apt given the situation and the scenario.

So let me go on to the next question. An insurance company is using public cloud computing for one of its critical applications to reduce cost. Which of the following would be of most concern to the IS auditor? The inability to recover the service in a major technical failure scenario. The data in a shared environment being accessed by other companies. The service provider not including investigative support for incidents. The long-term viability of the service if the provider goes out of business.
So that is actually the correct answer. Considering that an insurance company must preserve the privacy and confidentiality of customer information, unauthorized access to the information and data leakage are the two major concerns.

The next question. Which one of the following best determines whether a complete encryption or authentication protocol for protecting information while being transmitted exists? A digital signature with RSA has been implemented. Work is being done in tunnel mode with the nested services of AH, which is the authentication header, and encapsulating security payload, which is ESP. Digital certificates with RSA are being used. Work is being done in transport mode with the nested services of AH and ESP. Quite a tricky technical question, I would say. And to remind you, I have studied these things quite cumbersomely because I didn't even understand a single word when I was doing it the first time. Transport mode, tunnel mode, everything was Greek and Latin for me. B is the correct answer.
Tunnel mode provides encryption and authentication of the complete IP package, including the authentication header and the encapsulating security payload, which is ESP. Transport mode provides it only at higher layers, like the data fields and the payload of an IP package. So those are the two differences. Actually, as I told, a digital certificate provides only authentication and integrity, and does not provide anything beyond that. And whenever you see any digital signature versus encryption, I think a digital certificate is only to provide authentication. It doesn't provide any other thing. It doesn't provide even confidentiality. It doesn't provide any availability or any of the things.

Which one of the following characterizes a distributed denial of service attack, DDoS? Central initiation of intermediary computers to direct simultaneous attacks, surplus message traffic at a specified target site. Local initiation of intermediary computers to direct simultaneous and spurious message traffic at a specific target site. Central initiation of a primary computer to direct spurious message traffic at multiple sites.
And local initiation of intermediary computers to direct staggered spurious message traffic at a specific target site. Again, this is a confusing question, but the answer is very simple. That is the correct answer as well. So what happens with the DDoS attack is that one controller system or one primary system will be controlling so many zombie computers, and the administrator will launch an attack on these zombie computers, which will start sending packets to the primary target. And by flooding their traffic, they will be having some kind of issue. Say for an example, if Amazon is putting on an Independence Day sale, I want to affect the sales by targeting their servers. I can launch this attack using the zombie computers, and they will attack on behalf of [INAUDIBLE], and I will be controlling the zombie computers. And what happens next is God knows. So again, our DDoS attacks are not locally initiated. They are not staggered. They are not initiated using a primary computer.

So last question for this day, which of the following is the most effective preventive antivirus control? Scanning the email attachments on the mail server. Restoring the systems from clean copies.
Disabling universal serial bus ports, which is the USB. An online antivirus scan with up-to-date antivirus definitions. The correct answer is actually D. But why not C, B and D? It is completely irrelevant. It doesn't talk anything about antivirus or anything because it's just restoring systems from clean copies, which is the most baseline thing that we do. And disabling USB. I think disabling USB should be an incorrect option again. You can disable the USB, but still the system can read the USB file when it is having [INAUDIBLE]. So D would be the most appropriate answer for this one because of the fact that antivirus can be used to prevent virus attacks. By running regular scans, it can also be used to detect virus infections that have already occurred. Regular updates of the software are required to ensure it is able to update, detect and correct viruses as they emerge. So again, the important thing that you need to know is that the signature-based system, as always, should be kept up to date. But not a heuristic-- not a knowledge-based system. Sometimes you'll be having a conflict between heuristic and signature-based and all those stuff. You need to be very clear which system talks about what.
Because some systems, like IDPS, which talk about anomalies, will not talk about signatures. They will talk only about the anomalies. Say for an example, these anomalies will be studied for certain dates so that the regular traffic will be like this. And anything beyond this regular traffic will be flagged as incorrect traffic or non-relevant traffic. And it will be quarantined, and it will not be allowed, intrusion detection system. And sometimes it can be prevented from entering our servers as well.

So that brings me to the end of this session. Thanks a lot everybody. I'll wind up the session. Thank you for your patience and listening to me. And it was a very fruitful session. I appreciate it.