Hi all. Good morning to the session today. So this session is basically for the CISA, Certified Information Systems Auditor. And we will be discussing the questions and answers, and basically how to approach the exam questions. This is in line with ISACA's thought process, or how you need to approach a question, how you need to answer a question while you are taking the real exam. So we will be having the questions taken from the CRM, as an extract, and we will be discussing in detail what is the mode of thought process that you need to inculcate while you are preparing for the exam, as well as when you are in the exam. So if I start off with, we will have this, the agenda would be a small introduction about myself and you, and I'll tell a brief note on how you need to approach the CISA questions. And we will be discussing domain 1 to 5 questions and how we need to think like an IS auditor. That will be going in line with the 1 to 5 domain questions that we are discussing. That will be in parallel.
And a final Q&A will be for you all to openly ask some questions regarding CISA. That is the end of the session. So the introduction about myself is that my name is Krishnan Ramani. I think some of you would have seen me on LinkedIn. So I'm an information security and IT audit expert, with a total of 13 years' experience in IT auditing and the information security domain, out of which eight years is solely dedicated. I have a wide variety of experience in IT audits, IT security, GRC, ITGC, and IT security strategy. So my certifications are CISSP, CISA, for which I was a chapter rank holder, a first rank holder, and CEH, which is the Certified Ethical Hacking, version 10, and I'm a Lean Six Sigma Black Belt certified, and I have done business analytics. And I am also a certified cybercrime intervening officer. So let us start with this thought process, why we are coming for CISA. Let me pause here for a moment. So what is the objective? So there is a practical relevance. So every detail given in the CRM book, which is the CISA Review Manual, there is a practical relevance for you to do.
And while you are working as an auditor or an IT auditor, even when you are working as an ITGC person, which is the general controls, and any line of defense, from CRM or PRC technology, risk management and everything. So probably what happens is there is a pure practical relevance in terms of understanding these controls, what IT audit is all about, how do we preserve things, how do we maintain staff, what are all the things. Because as an IS auditor, you will be reading this book. But once when it comes to the implementation part as well, there are a lot of clues that have been given in the book, in terms of how do you preserve stuff so that it will be good for an audit and everything. So in that mode, it is very relevant to the present-day world. And as we see, the technology is also emerging at this point in time. So today, there is something called cloud. Tomorrow there will be something-- a new technology will be arriving, and everything will be changing overnight. But what we need to do is the fundamentals remain the same. So what are all the things that we are going to see?
What are all the things that we are going to look at whenever we are auditing or whenever we are performing the role of information security analyst or any other thing? But this book is purely based, purely focused on the IS auditor side of things. So the prism of optics is purely from the IS auditor point of view. Because the moment you start thinking as an IS security analyst for this exam, that will not be the correct thing that we will be doing. So what we need to approach, how we need to approach and what we need to do is exactly what I am going to tell here. So the questions will be-- each question has a stem question, which will be a basic question, which will be having four options. Choose the correct or the best option. So as I was telling, the scenarios will be completely related to the IS audit scenarios. You will be presented a situation. You will need to think like an IS auditor and answer like an IS auditor. So there are some helpful instances where you know how you will be approaching.
So every question will be-- most of the questions, not every question, will be having something called the best, most, and these kinds of wordings will definitely be there. So you need to understand what they are asking in the question. Because the moment they say, choose the best option, choose the most relevant option, choose the primary option, choose the first option, it means that two or more options that are being given are right in the context of the question, but only one thing can be the best. Only one thing can be the primary. Only one thing can be the first. So you need to choose the answers accordingly. So say for an example, if there is a given scenario of a BCP process, how it comes to the business impact analysis and everything, so once you start the question, you will need to know what are all the steps involved in the BCP process. How do you conduct the business impact analysis? How do you identify the business? This step-by-step process is definitely essential in order for you to understand what is the first most option that the IS auditor will be choosing.
But it will not be as straightforward as, what is the first option in the BCP? There will be a presentation in terms of a scenario given. So you need to understand the scenario, and you need to answer accordingly. So read all the options and read the stem again, to see if you can eliminate two options. So that is very important. Read all the options. And so if you can eliminate two options, that will be great. So in the context of the questions and answers in multiple choice questions, there is always a method called the elimination method. So in terms of how do you answer a question, the elimination method is really a good method to start with. Because once you start eliminating two incorrect answers, you will have a 50% chance of clearing the exam or clearing the particular question correctly. Because what you have is 100 percent, and out of which, you know you have already eliminated two irrelevant answers. In most of the cases, two irrelevant answers will definitely be visible.
Once you have read the CRM and you have answered a sufficient number of questions, you will be able to identify what are the two irrelevant answers, and you will be able to straight away eliminate them and focus your time and efforts only on the two which have been most relevant for that particular context. So reread the remaining options and bring in any personal experience that you may have to determine. So bringing in the personal experience, I would say it is with a caveat. Because in terms of bringing your personal experience, sometimes what happens is you need to think like an IS auditor from ISACA's point of view. So the moment you start thinking from your company's point of view-- probably some of you would have had seasoned experience in terms of doing the IS audit and the IT auditing or whatever the security or whatever.
But the moment you start thinking from your company's perspective, things might go a little bit wrong because of the fact that the companies or the organizations, they actually tailor the controls according to their requirement, and they customize it, which in case is not in ISACA's point of view, because ISACA's point of view is, I would call it more raw, because it is a theoretical and practical knowledge of how you need to apply, but it is not in any specific contextual-based or organization-based controls. Because banking will be having a different set of approach towards the same control, and another industry will be having-- healthcare for that matter, will be having a different approach to the same control. So think like an IS auditor. Of course, a little bit of n percentage of your work experience also. That is a logical mind, that will also help, but in my best opinion, I would suggest that let's not think that over the board and think like 100% as an IT auditor, because we'll be having a specific industry experience wherein the controls might be having a different approach, and sometimes the answers can go incorrect.
So the next thing is the domain 1 questions. So the first question is, which of the following outlines the overall authority to perform an IS audit? A, the audit scope or the goals and objectives; B, a request from management to perform an audit; C, an audit charter; D, an approved audit schedule. I think this is a very easy question, I think. What defines the overall authority? I think chapter 1, domain 1, gives you very decent information on the overall authority. Because once you see the question authority, the answer is always the approved charter, because let's look at the reasoning. The audit scope is specific to a single audit, and it does not grant authority to perform an audit. B, the request from management to perform an audit is not sufficient because it relates to a specific audit. The approved audit charter outlines the auditor's responsibility, authority and accountability. So as I told, this is the only document which gives you an end-to-end perspective on what it is for an auditor, why the auditor is there, what is the authority that the auditor is having, what are all the things that the auditor can do.
So everything is given or entitled in one document. That is the reason we need to have selected option C. The approved audit schedule does not grant the authority. The whole point is why this was a very easy question. But again, so the point of this question is to give you a perspective on what you need to look into in a question. So when you start looking into a question, let me tell you what is very important. If you see over here, the overall authority over here, that is the key word, because every question, even in the exam, will be having some key word that defines the answer correctly. Because as I told, you need to eliminate two things. So in this, I will be eliminating a request form, which is definitely not an overall authority, and an approved audit schedule. Audit schedule is only in terms of what is the timeline that they are going to work on, when they are going to carry on the planning work, when they are going to carry on the field work, when the reporting is going to be done, what is the timeline for remediation and all those stuff.
But in terms of a request form, that is in terms of just defining what the management is going to look out for, and a permission letter or something of that sort. But the two options, again, as I told, the closest that relate to this question will be option A and option C. Because once I say that option A-- but again, as I told, the overall authority is the word that defines, in terms of what is going to be the primary thing that you are going to look out for over here. So the next question: in performing a risk-based audit, which risk assessment is completed first by an IS auditor? So A, detection risk assessment; B, control risk assessment; C, inherent risk assessment; and D, fraud risk assessment. So again, the question is very clear in terms of what an IS auditor, which risk assessment comes in first? Let's look at the correct answer now. So the correct answer is actually inherent risk assessment. So why is inherent risk assessment important? So let us look at the reasons over here. So detection risk assessment is performed only after the inherent risk.
So as again I told, the stepwise answer is very important. What is the first? What is the first? So you need to know which is going to come in the first order, which is going to come in the second order. So the detection risk assessment is performed only after the inherent risk and the control risk assessment have been performed. So definitely this answer can be eliminated. And control risk assessment is performed after the inherent risk assessment has been completed. And it is to determine the level of risk that remains after the controls have been applied. So say for an example, this control risk assessment is right. So it is going to give you what is left over. So even after applying all the controls, what is the risk that is going to remain? And option D, the fraud risk assessment, is a subset of control risk assessment. It is important, but again, it is not as important or the first task as the inherent risk.
Because whenever you take any process, for that matter, there will be a form of inherent risk, which has to be taken into consideration before doing anything. Because inherent risk exists independently of an audit and can occur because of the nature of the business. So to successfully conduct an audit, it is important to be aware of the related business processes. To perform the audit, an IS auditor needs to understand the business processes. By understanding the business process, an IS auditor better understands the inherent risk. So inherent risk gives you an overall idea. For an example, if the IS auditor is performing an inherent risk-- an audit in the banking sector, they will be having certain sets of inherent risks according to them. And if they are doing some kind of audits in the health sector, they will again be having some set of inherent risks in that particular sector. So that is the reason we need to know the inherent risk of that particular industry or the particular business process that they are performing.
Then they come into the process of fraud risk or the control risk, which is the second or third option that will be. So again, as I told, the logic behind the question is to understand which comes first. And so also one of the other key things that is very important when you are preparing for the exam, not only from the exam standpoint of view, I would suggest everybody to-- so what happens is, once you know the answer is correct, check the reason why you have selected that answer and why it is correct. Because 90% of the time, you might have selected an answer for some other reason, but it happens to be coincidentally correct with ISACA. But what I require everybody to do is that you need to check the thinking process of ISACA. That is very important in terms of understanding the concepts. And also, even if you have got the answer correct, I would require you to check every option available, A, B, C, and D, why it is not correct and why the answer that you have chosen is correct.
Even in case you have not selected the correct answer, please still go and check all these options, why the answer that you have selected is not the correct answer and why the other answer remains the correct option. So this question is, again, an interesting question. So as an IS auditor is performing a review of an application's control fields, he finds a weakness in the software system that could materially impact the application. In this situation, an IS auditor should-- Again, this is not a question. This is just a statement. We need to complete the statement. A, disregard this control weakness because the system software review is beyond the scope of this review. B, conduct a detailed system software review and report the control weakness. C, include in the report a statement that the audit was limited to review the application's control weakness. D, review the system software controls as relevant, and recommend a detailed system software review. I think everyone is going with option B. But sorry to disappoint, the answer is actually D.
Before going into the complete detailed review, as given here, the appropriate option would be to review the system software as relevant to the review, and recommend a detailed system software review for which additional resources may be recommended. So the answer might be extremely similar to what B is, but the difference is that you need to know where your scope is going to go and how you are going to plan the audit accordingly. So that is what is the defining moment for answer B and answer D. So again, answer A and answer C are completely irrelevant. You can take them off the radar. Definitely nobody has given answer A or C. That is a good sign. Because as I told, we need to eliminate these two options very clearly, in terms of how we are going to understand this whole thing. So which of the following is the most important reason why an audit planning process should be reviewed at periodic intervals? A, to plan for deployment of available audit resources; B, to consider changes to the risk environment; C, to provide inputs for documentation of the audit charter; D, to identify applicable IS standards. So again, the answer is B.
Let us look at the explanation that is given over here. So short-term and long-term issues that drive the audit planning can be heavily impacted by changes in the risk environment, technologies, and business processes of the enterprise. This is well set, in terms of the risk environment changing quite dynamically for some businesses. So what might be considered as a risk today might not be a risk tomorrow. What might not be considered as a risk today will be a risk tomorrow. So in terms of planning for the deployment of available resources, it's determined by the audit assignments plan. The option is completely not relevant. Again, option C is something-- is a mandate from the top management. It is not something-- the risk assessment, or any kind of things is not going to-- planning is not going to have any impact on the audit charter because it's a top management mandate. And D, applicability of IS standards, guidelines and procedures is universal to any audit engagement. It is not specific to any audit and not influenced by the short-term and long-term issues.
Again, when I talk about short-term and long-term issues, so probably we might be having some IT deployment happening, which might change the risk posture. And the classic example is COVID. So in COVID, people are working from home. The risk environment changes from being in the office space to the home space. What are all the risk environment changes that are going to happen? So if anybody has access to printers, say for an example, a person might be connecting their home printer to their laptop or PC, print some confidential documents, so the risk posture is completely changing. So that is the reason why we need to have planning, that needs to be detailed, done before the audit. So which of the following is the most effective for implementing control self-assessment within a small business unit? A, informal peer reviews; B, facilitated workshops; C, process flow narratives; D, data flow diagrams? So say for an example, I will tell you the correct answer, which is B. So when we are going-- you know the answer reasoning over here, let me not explain it. But I'll give you a different perspective over here.
442 00:19:59,900 --> 00:20:02,180 Out of the four options actually, I 443 00:20:02,180 --> 00:20:04,160 feel that three are actually correct 444 00:20:04,160 --> 00:20:07,190 for this particular question because not at two, 445 00:20:07,190 --> 00:20:08,610 but three are correct. 446 00:20:08,610 --> 00:20:10,310 But which is the most important? 447 00:20:10,310 --> 00:20:13,190 When you say is that, the facilitated workshop 448 00:20:13,190 --> 00:20:16,310 comes into the mind because of very simple fact, 449 00:20:16,310 --> 00:20:19,070 because the control self assessments are not 450 00:20:19,070 --> 00:20:23,030 performed by a seasoned auditor or by a seasoned or a control 451 00:20:23,030 --> 00:20:23,910 of people. 452 00:20:23,910 --> 00:20:26,960 They are being performed by the business themselves directly, 453 00:20:26,960 --> 00:20:29,150 to assess how the control posture is there, how 454 00:20:29,150 --> 00:20:30,690 the risk posture is everything. 455 00:20:30,690 --> 00:20:34,440 So what happens here is you need to train them. 456 00:20:34,440 --> 00:20:38,030 We have to train them correctly to identify 457 00:20:38,030 --> 00:20:40,100 what they are supposed to do, how 458 00:20:40,100 --> 00:20:42,360 they are supposed to check for control weakness 459 00:20:42,360 --> 00:20:43,860 and how they are going to report it. 460 00:20:43,860 --> 00:20:46,470 And that is by far the most effective way. 461 00:20:46,470 --> 00:20:50,390 But again, the process flow diagrams is important. 462 00:20:50,390 --> 00:20:52,950 While doing this facilitated workshops, 463 00:20:52,950 --> 00:20:56,990 there will be process flow diagrams and data flow diagrams 464 00:20:56,990 --> 00:20:58,520 and narratives. 465 00:20:58,520 --> 00:21:00,725 These things are very important in terms of, 466 00:21:00,725 --> 00:21:03,330 to give more added perspective. 
467 00:21:03,330 --> 00:21:05,570 But again, that is not the only thing 468 00:21:05,570 --> 00:21:07,530 that is required over here. 469 00:21:07,530 --> 00:21:11,540 What we require over here is in terms of identifying 470 00:21:11,540 --> 00:21:13,640 the best option. 471 00:21:13,640 --> 00:21:16,100 So the next question. 472 00:21:16,100 --> 00:21:20,300 So which of the following would an IS auditor perform the first 473 00:21:20,300 --> 00:21:21,620 when planning an IS audit? 474 00:21:21,620 --> 00:21:25,830 Define the audit deliverables, finalize the scope and the audit 475 00:21:25,830 --> 00:21:28,530 objectives, gain an understanding of the business 476 00:21:28,530 --> 00:21:31,140 objectives and purpose, develop the audit approach 477 00:21:31,140 --> 00:21:33,240 of the strategy? 478 00:21:33,240 --> 00:21:35,310 The C is correct answer, gain an understanding 479 00:21:35,310 --> 00:21:36,970 of business objectives and purpose. 480 00:21:36,970 --> 00:21:38,740 So the reason is very simple. 481 00:21:38,740 --> 00:21:41,970 So what we need to understand, in terms of business mission 482 00:21:41,970 --> 00:21:45,150 objectives, purpose, which in turn 483 00:21:45,150 --> 00:21:47,860 identifies to the policy, standards, guidelines, 484 00:21:47,860 --> 00:21:52,380 procedures, everything, because it is very important to gain 485 00:21:52,380 --> 00:21:53,860 an understanding of business. 486 00:21:53,860 --> 00:21:57,600 Say for an example, if we are in a pen drive manufacturing 487 00:21:57,600 --> 00:22:02,010 company, their core mission is to manufacture a pen drive 488 00:22:02,010 --> 00:22:03,790 and test pen drive and use pen drive. 489 00:22:03,790 --> 00:22:08,310 And you cannot say that the use of pen drive or external drives 490 00:22:08,310 --> 00:22:10,270 is prohibited inside the organization. 491 00:22:10,270 --> 00:22:12,060 That will be the most absurd thing.
492 00:22:12,060 --> 00:22:14,560 And in Facebook, if you are auditing Facebook, 493 00:22:14,560 --> 00:22:16,800 you cannot go and say that viewing Facebook inside 494 00:22:16,800 --> 00:22:18,690 the Facebook office is restricted. 495 00:22:18,690 --> 00:22:22,560 Of course, it can be limited to view and to view 496 00:22:22,560 --> 00:22:23,530 your personal account. 497 00:22:23,530 --> 00:22:25,410 But it will be so absurd when we say 498 00:22:25,410 --> 00:22:26,850 all these things inside the office 499 00:22:26,850 --> 00:22:28,183 that they are trying to work on. 500 00:22:28,183 --> 00:22:30,120 So that can be an explanation that 501 00:22:30,120 --> 00:22:31,480 can be given to this answer. 502 00:22:31,480 --> 00:22:35,270 But again, I would like everyone to go through the other options 503 00:22:35,270 --> 00:22:35,770 as well. 504 00:22:35,770 --> 00:22:38,580 Defining the audit deliverables is 505 00:22:38,580 --> 00:22:41,280 dependent upon a thorough understanding of business 506 00:22:41,280 --> 00:22:45,060 objects, A, B, and D. Because as I told, 507 00:22:45,060 --> 00:22:48,450 every option is important, though it may not 508 00:22:48,450 --> 00:22:50,560 be relevant to this particular question, 509 00:22:50,560 --> 00:22:52,140 some other question that might be 510 00:22:52,140 --> 00:22:55,740 relevant to this particular option will be arising tomorrow. 511 00:22:55,740 --> 00:22:58,560 So the last question in the domain 1 512 00:22:58,560 --> 00:23:01,380 is, again, the next question. 513 00:23:01,380 --> 00:23:05,640 An organization performs a daily backup of critical data 514 00:23:05,640 --> 00:23:07,800 and software files and stores in the backup tapes 515 00:23:07,800 --> 00:23:09,250 at an offsite location. 516 00:23:09,250 --> 00:23:12,600 The backup tapes are used to restore the software 517 00:23:12,600 --> 00:23:14,200 in case of disruption. 
518 00:23:14,200 --> 00:23:17,220 This is an example of a preventive control, management 519 00:23:17,220 --> 00:23:21,660 control, corrective control, and detective control? 520 00:23:21,660 --> 00:23:23,250 The correct answer is actually C. 521 00:23:23,250 --> 00:23:27,000 So you cannot avert a particular disaster being happening. 522 00:23:27,000 --> 00:23:29,680 If you can avert that particular disaster being happening, 523 00:23:29,680 --> 00:23:31,090 that is a preventive control. 524 00:23:31,090 --> 00:23:35,880 But a corrective control is set up-- a BCP is a critical-- 525 00:23:35,880 --> 00:23:38,910 a DRP and a BCP are the best examples 526 00:23:38,910 --> 00:23:40,230 that I can give over here. 527 00:23:40,230 --> 00:23:41,980 It is actually a corrective control. 528 00:23:41,980 --> 00:23:43,330 It is not a preventive control. 529 00:23:43,330 --> 00:23:46,020 So say for an example, a couple of years, Chennai 530 00:23:46,020 --> 00:23:48,490 floods happened in 2015. 531 00:23:48,490 --> 00:23:50,128 That cannot be averted. 532 00:23:50,128 --> 00:23:52,170 And the pandemic, right now we are in a pandemic, 533 00:23:52,170 --> 00:23:53,290 that cannot be averted. 534 00:23:53,290 --> 00:23:58,470 But what we can do is a corrective control and approach 535 00:23:58,470 --> 00:23:59,020 towards it. 536 00:23:59,020 --> 00:24:01,890 So as the answer outlines over here, A, 537 00:24:01,890 --> 00:24:04,470 preventive controls are those that avert the problems 538 00:24:04,470 --> 00:24:05,500 before they arise. 539 00:24:05,500 --> 00:24:09,407 Backup tapes cannot be used to prevent damages for the files 540 00:24:09,407 --> 00:24:11,490 and therefore cannot be classified as a preventive 541 00:24:11,490 --> 00:24:12,220 control. 542 00:24:12,220 --> 00:24:15,010 Management controls modify and processing systems, 543 00:24:15,010 --> 00:24:18,240 which is completely irrelevant to this context. 
544 00:24:18,240 --> 00:24:21,480 C, a corrective control helps to correct or minimize 545 00:24:21,480 --> 00:24:22,990 the impact of a problem. 546 00:24:22,990 --> 00:24:24,330 Backup tapes are such. 547 00:24:24,330 --> 00:24:26,972 So detective controls, again, it is not 548 00:24:26,972 --> 00:24:28,680 completely relevant to this answer, which 549 00:24:28,680 --> 00:24:31,590 is going to only help in terms of detecting a problem 550 00:24:31,590 --> 00:24:32,740 after it has arisen. 551 00:24:32,740 --> 00:24:35,260 So detective controls can be in auditing. 552 00:24:35,260 --> 00:24:36,640 Auditing is a detective control. 553 00:24:36,640 --> 00:24:38,380 Best detective control is auditing. 554 00:24:38,380 --> 00:24:40,540 And a management control is something-- 555 00:24:40,540 --> 00:24:43,890 if I can give an example of, in terms 556 00:24:43,890 --> 00:24:46,870 of recurrence of a problem, a processing system. 557 00:24:46,870 --> 00:24:48,900 Say for an example, that's-- 558 00:24:48,900 --> 00:24:50,790 it is management controls again. 559 00:24:50,790 --> 00:24:53,790 The management controls are put in place so that you cannot edit 560 00:24:53,790 --> 00:24:56,140 few items or view-only options. 561 00:24:56,140 --> 00:24:57,900 And those kind of controls are also 562 00:24:57,900 --> 00:24:59,880 called a management control, that is, 563 00:24:59,880 --> 00:25:01,870 to repeat the occurrence of a problem. 564 00:25:01,870 --> 00:25:04,890 So that nobody even touches something 565 00:25:04,890 --> 00:25:06,930 so that it doesn't go wrong again. 566 00:25:06,930 --> 00:25:10,290 So this is the end of domain 1. 567 00:25:10,290 --> 00:25:14,760 So now we are going into the domain 2. 568 00:25:14,760 --> 00:25:17,330 So now we are able to see the domain 2 first question.
569 00:25:17,330 --> 00:25:20,620 So in order for the management to effectively monitor 570 00:25:20,620 --> 00:25:23,022 and compliance of the processes, applications, 571 00:25:23,022 --> 00:25:24,980 which of the following would be the most ideal? 572 00:25:24,980 --> 00:25:27,650 A central document repository, a knowledge management system, 573 00:25:27,650 --> 00:25:30,220 a dashboard, and a benchmarking? 574 00:25:30,220 --> 00:25:32,570 So the correct answer is C, dashboard. 575 00:25:32,570 --> 00:25:35,200 So dashboard provides a set of information 576 00:25:35,200 --> 00:25:37,390 to illustrate compliance of the processes, 577 00:25:37,390 --> 00:25:40,570 like how KRAs, KPIs are going to be 578 00:25:40,570 --> 00:25:42,790 there, and the configurable elements to keep 579 00:25:42,790 --> 00:25:43,970 the enterprise on course. 580 00:25:43,970 --> 00:25:47,630 So if you are going to deviate if the matrix is not achieved, 581 00:25:47,630 --> 00:25:50,030 so the management will be definitely informed. 582 00:25:50,030 --> 00:25:53,800 So why not A, B and D? 583 00:25:53,800 --> 00:25:55,070 Any perspective? 584 00:25:55,070 --> 00:25:57,610 Again, that is given over here. 585 00:25:57,610 --> 00:25:59,740 In terms of benchmarking, option D, 586 00:25:59,740 --> 00:26:01,810 it provides an information to help the management 587 00:26:01,810 --> 00:26:04,030 to adapt the organization in a timely manner, 588 00:26:04,030 --> 00:26:05,990 according to the trends and the environment, 589 00:26:05,990 --> 00:26:08,090 so what the other organization is doing. 590 00:26:08,090 --> 00:26:10,520 So if I am in a big four organization, 591 00:26:10,520 --> 00:26:13,630 so what my peers are, what my competitors are doing, 592 00:26:13,630 --> 00:26:17,670 EY, Deloitte, KPMG, and PWC, what they are going to do. 593 00:26:17,670 --> 00:26:23,550 And that will be the context in which I will be benchmarking. 
594 00:26:23,550 --> 00:26:26,220 And A and B, A is nothing but a document repository. 595 00:26:26,220 --> 00:26:29,400 That doesn't provide any specific information 596 00:26:29,400 --> 00:26:31,950 on how the controls are being performed, how 597 00:26:31,950 --> 00:26:33,730 the compliance is being done. 598 00:26:33,730 --> 00:26:37,420 A knowledge management system provides a valuable information, 599 00:26:37,420 --> 00:26:40,020 but it is generally not used by the management for compliance 600 00:26:40,020 --> 00:26:40,690 purposes. 601 00:26:40,690 --> 00:26:44,010 Again, a KMS is nothing, but in terms of-- 602 00:26:44,010 --> 00:26:45,930 it will not provide any specifics 603 00:26:45,930 --> 00:26:48,280 on how the control is being performing, 604 00:26:48,280 --> 00:26:50,020 how the compliance has been performing. 605 00:26:50,020 --> 00:26:52,590 So that again, the important thing in this question 606 00:26:52,590 --> 00:26:55,660 is that, effectively monitor and the most ideal. 607 00:26:55,660 --> 00:26:59,010 So when I say most ideal, most ideal, I think benchmarking 608 00:26:59,010 --> 00:27:01,860 and dashboard is the two options, which 609 00:27:01,860 --> 00:27:03,400 I will be choosing in the last. 610 00:27:03,400 --> 00:27:05,730 But again, among these C and D, what 611 00:27:05,730 --> 00:27:07,830 is an important thing will be the D because it 612 00:27:07,830 --> 00:27:11,560 gives the accurate information on how my organization is doing. 613 00:27:11,560 --> 00:27:15,560 But the next question will be, my organization is doing good, 614 00:27:15,560 --> 00:27:17,540 but what about rest of the others? 615 00:27:17,540 --> 00:27:21,310 That is where the benchmarking comes into the picture. 616 00:27:21,310 --> 00:27:24,010 The next question is, which of the following 617 00:27:24,010 --> 00:27:27,290 best describes the IT department strategic planning process? 
618 00:27:27,290 --> 00:27:30,670 An IT department will have either short and long-range 619 00:27:30,670 --> 00:27:33,550 plans, depending upon organization's broader 620 00:27:33,550 --> 00:27:35,090 plans and objectives. 621 00:27:35,090 --> 00:27:36,820 IT department strategic plan must 622 00:27:36,820 --> 00:27:38,810 be time- and project-oriented. 623 00:27:38,810 --> 00:27:43,120 So not detailed plans to address and help determine priorities 624 00:27:43,120 --> 00:27:44,950 to meet the business needs. 625 00:27:44,950 --> 00:27:47,710 Long-range planning for IT department 626 00:27:47,710 --> 00:27:49,700 should recognize the organizational goals, 627 00:27:49,700 --> 00:27:53,170 technological advances and regulatory requirements. 628 00:27:53,170 --> 00:27:56,410 And D will be short-range planning 629 00:27:56,410 --> 00:27:58,450 for the IT department does not need 630 00:27:58,450 --> 00:28:01,210 to be integrated to the short-range plans 631 00:28:01,210 --> 00:28:03,850 of the organization since technological advances will 632 00:28:03,850 --> 00:28:07,060 drive the IT organization's plans much quicker 633 00:28:07,060 --> 00:28:08,830 than the organization plans. 634 00:28:08,830 --> 00:28:11,760 I think this is a little bit complicated questions. 635 00:28:11,760 --> 00:28:15,020 But the answer is very, very simple. 636 00:28:15,020 --> 00:28:17,330 So in order for this to understand-- 637 00:28:17,330 --> 00:28:20,300 the correct answer is, of course, C. So in order 638 00:28:20,300 --> 00:28:23,070 for you to understand this particular question, 639 00:28:23,070 --> 00:28:25,157 you need to understand two things over here. 640 00:28:25,157 --> 00:28:27,740 You need to understand what does the strategic planning refers 641 00:28:27,740 --> 00:28:28,240 to. 
642 00:28:28,240 --> 00:28:30,360 A strategic planning is always a long-term plan, 643 00:28:30,360 --> 00:28:32,280 which is more than-- 644 00:28:32,280 --> 00:28:36,980 it has been more than one year and derived for five years. 645 00:28:36,980 --> 00:28:38,790 So that is strategic planning. 646 00:28:38,790 --> 00:28:40,503 There is always a tactical planning. 647 00:28:40,503 --> 00:28:42,170 Tactical planning refers to what you are 648 00:28:42,170 --> 00:28:43,460 going to achieve in one year. 649 00:28:43,460 --> 00:28:46,820 And operational planning, it is anything below one year. 650 00:28:46,820 --> 00:28:49,740 So for a few months, for a few quarters, 651 00:28:49,740 --> 00:28:51,660 that is going to be your operational planning. 652 00:28:51,660 --> 00:28:54,590 So what happens here is the question specifically asked 653 00:28:54,590 --> 00:28:56,430 about strategic planning. 654 00:28:56,430 --> 00:28:59,810 In that context, option A or B is 655 00:28:59,810 --> 00:29:02,300 going to be definitely eliminated 656 00:29:02,300 --> 00:29:05,270 because option A talks about short and long range. 657 00:29:05,270 --> 00:29:07,100 Short-term plans are either going 658 00:29:07,100 --> 00:29:09,500 to be operational or tactical plans, which 659 00:29:09,500 --> 00:29:11,660 is not in this context of this question. 660 00:29:11,660 --> 00:29:13,990 And again, these again are eliminated because 661 00:29:13,990 --> 00:29:15,170 of the short-range planning. 662 00:29:15,170 --> 00:29:16,795 Because short-range planning is, again, 663 00:29:16,795 --> 00:29:20,320 going to be only there for the operational and tactical, 664 00:29:20,320 --> 00:29:21,530 and not for the strategic.
665 00:29:21,530 --> 00:29:23,830 So the only answer that remains in this question 666 00:29:23,830 --> 00:29:26,710 will be a long-range planning, which should always 667 00:29:26,710 --> 00:29:28,370 emphasize on organizational goals, 668 00:29:28,370 --> 00:29:31,190 technological advancements, and regulatory requirements. 669 00:29:31,190 --> 00:29:34,280 So that is in terms with this correct answer. 670 00:29:34,280 --> 00:29:37,510 Again, you need to understand one thing 671 00:29:37,510 --> 00:29:38,900 before answering a question. 672 00:29:38,900 --> 00:29:42,310 Whenever you have a question, try 673 00:29:42,310 --> 00:29:45,800 to understand which domain they are coming in primarily. 674 00:29:45,800 --> 00:29:47,350 There might be a situation of two 675 00:29:47,350 --> 00:29:50,000 or three domains culminating in one question itself, 676 00:29:50,000 --> 00:29:52,990 but there will be a primary essence of one domain, which 677 00:29:52,990 --> 00:29:53,770 will be focused. 678 00:29:53,770 --> 00:29:57,520 In this particular question, the domain focus is only, 679 00:29:57,520 --> 00:30:00,350 of course, it is domain 2, and the focus is domain 2. 680 00:30:00,350 --> 00:30:05,120 The domain 2 focuses only on one bang-on agenda. 681 00:30:05,120 --> 00:30:10,320 That is in terms of organization goals, organization's missions, 682 00:30:10,320 --> 00:30:11,970 organization's thing. 683 00:30:11,970 --> 00:30:14,150 So everything that the IT revolves-- 684 00:30:14,150 --> 00:30:16,190 IT cannot work as a silo. 685 00:30:16,190 --> 00:30:17,730 It cannot work as a silo. 686 00:30:17,730 --> 00:30:20,420 Say for example, if your organization is selling 687 00:30:20,420 --> 00:30:24,350 vegetables and fruits, your IT organization cannot talk about 688 00:30:24,350 --> 00:30:26,750 implementing a cloud for clients. 689 00:30:26,750 --> 00:30:28,740 So that is not going to happen. 690 00:30:28,740 --> 00:30:31,580 So that is not the way the business runs. 
691 00:30:31,580 --> 00:30:35,480 Your optimization should run in terms 692 00:30:35,480 --> 00:30:38,030 of how your organization is going to sell your fruits 693 00:30:38,030 --> 00:30:38,850 and vegetables. 694 00:30:38,850 --> 00:30:42,440 They will be an organic business, so 695 00:30:42,440 --> 00:30:44,550 how an IT acts as an enabler. 696 00:30:44,550 --> 00:30:47,370 So IT is only an enabler of the organization. 697 00:30:47,370 --> 00:30:49,580 It is not something, which is completely 698 00:30:49,580 --> 00:30:50,670 driving the organization. 699 00:30:50,670 --> 00:30:53,600 The business priorities are completely different from what 700 00:30:53,600 --> 00:30:54,750 IT priorities are. 701 00:30:54,750 --> 00:30:57,570 So we need to align our IT priorities 702 00:30:57,570 --> 00:31:00,440 so that the organizational goals, technological advancement 703 00:31:00,440 --> 00:31:03,890 and even the regulatory requirements are complied with. 704 00:31:03,890 --> 00:31:05,960 So the most important responsibility 705 00:31:05,960 --> 00:31:08,440 of data security officer in an organization 706 00:31:08,440 --> 00:31:10,600 is, A, recommending and monitoring 707 00:31:10,600 --> 00:31:13,900 data security policies, B, promoting security awareness 708 00:31:13,900 --> 00:31:16,540 within the organization, establishing procedures 709 00:31:16,540 --> 00:31:19,690 for IT security policies, administering 710 00:31:19,690 --> 00:31:22,870 physical and logical access controls. 711 00:31:22,870 --> 00:31:24,615 The answer is A. 712 00:31:24,615 --> 00:31:25,990 But when I come to this question, 713 00:31:25,990 --> 00:31:31,090 this is, again, a tricky question because the question 714 00:31:31,090 --> 00:31:32,510 outlines the most important. 
715 00:31:32,510 --> 00:31:34,960 So when we say most important, there 716 00:31:34,960 --> 00:31:37,090 is always considered that there are 717 00:31:37,090 --> 00:31:39,400 two options which is correct, two or more options which 718 00:31:39,400 --> 00:31:40,790 is correct for this question. 719 00:31:40,790 --> 00:31:44,800 But in terms of B, C, and D, why it is not correct instead? 720 00:31:44,800 --> 00:31:49,100 B, anybody in the organization can do the security awareness. 721 00:31:49,100 --> 00:31:51,550 And it is not the only responsibility of a data 722 00:31:51,550 --> 00:31:53,840 security officer, though it might be a responsibility, 723 00:31:53,840 --> 00:31:56,000 but it is not the only responsibility. 724 00:31:56,000 --> 00:32:00,550 And C and D, they are all more of establishing procedures. 725 00:32:00,550 --> 00:32:02,140 Establishing a procedures anybody 726 00:32:02,140 --> 00:32:03,850 can do in an IT organization. 727 00:32:03,850 --> 00:32:06,710 And administering physical and logical access control, 728 00:32:06,710 --> 00:32:08,630 again, specific to the application. 729 00:32:08,630 --> 00:32:11,500 Say for an example, if they are administering the SAP, if they 730 00:32:11,500 --> 00:32:13,720 are administering the Oracle, the specific team 731 00:32:13,720 --> 00:32:15,730 related to the SAP or the Oracle will 732 00:32:15,730 --> 00:32:18,740 administer these controls, and not the data security officer. 733 00:32:18,740 --> 00:32:23,240 But data security officer in a top level, at a very high level, 734 00:32:23,240 --> 00:32:26,890 they will define in terms of what is recommended in terms 735 00:32:26,890 --> 00:32:28,280 of protecting their data. 736 00:32:28,280 --> 00:32:30,160 Say for an example, if the data is 737 00:32:30,160 --> 00:32:33,410 coming for the GDPR regulation. 738 00:32:33,410 --> 00:32:35,620 So what is required in terms of them 739 00:32:35,620 --> 00:32:37,490 to protect the particular data? 
740 00:32:37,490 --> 00:32:40,190 Mere implementation part is done by the IT team. 741 00:32:40,190 --> 00:32:43,610 And in terms of promoting the security awareness, 742 00:32:43,610 --> 00:32:48,310 it can be done by anybody in the organization. 743 00:32:48,310 --> 00:32:51,580 Now, we go to the next question. 744 00:32:51,580 --> 00:32:53,830 What is considered most critical element 745 00:32:53,830 --> 00:32:55,870 for the successful implementation of information 746 00:32:55,870 --> 00:32:57,160 security program? 747 00:32:57,160 --> 00:32:59,690 An effective enterprise risk management framework, 748 00:32:59,690 --> 00:33:04,430 senior management commitment, an adequate budgeting process, 749 00:33:04,430 --> 00:33:06,950 meticulous program planning? 750 00:33:06,950 --> 00:33:11,670 So the correct answer is B. And you can go through this option, 751 00:33:11,670 --> 00:33:14,150 while the other options are not correct. 752 00:33:14,150 --> 00:33:17,010 Let me just give you one important perspective over here. 753 00:33:17,010 --> 00:33:19,490 Couple of years back, when IT was not 754 00:33:19,490 --> 00:33:22,160 seen as a big enabler for the organizations, 755 00:33:22,160 --> 00:33:24,530 in the board meetings, only five minutes 756 00:33:24,530 --> 00:33:27,980 will be spared for any kind of security or IT security 757 00:33:27,980 --> 00:33:30,300 related issues to be discussed. 758 00:33:30,300 --> 00:33:34,290 Nowadays, organizations have started prioritizing this, 759 00:33:34,290 --> 00:33:38,070 and there is a very detailed discussion on the whole thing 760 00:33:38,070 --> 00:33:40,230 because most of the organizations, 761 00:33:40,230 --> 00:33:43,070 including a small scale enterprises or the medium scale 762 00:33:43,070 --> 00:33:47,720 enterprises, have shifted their focus only towards an IT because 763 00:33:47,720 --> 00:33:48,600 of the pandemic. 764 00:33:48,600 --> 00:33:52,770 And they have started even seeing the benefits out of it. 
765 00:33:52,770 --> 00:33:55,190 And it is important for an organization 766 00:33:55,190 --> 00:33:58,850 to protect their information security assets. 767 00:33:58,850 --> 00:34:01,490 And management has started putting 768 00:34:01,490 --> 00:34:04,730 lot of efforts in terms of how this is going to happen. 769 00:34:04,730 --> 00:34:07,520 The next question is, which of the following tasks 770 00:34:07,520 --> 00:34:10,250 may be performed by the same person 771 00:34:10,250 --> 00:34:13,170 in a well-controlled information processing computer center? 772 00:34:13,170 --> 00:34:15,960 Security administrator and change management, 773 00:34:15,960 --> 00:34:18,050 computer operations and system development, 774 00:34:18,050 --> 00:34:20,540 system development and change management, 775 00:34:20,540 --> 00:34:23,989 system development and system maintenance? 776 00:34:23,989 --> 00:34:26,060 The correct answer is actually D. 777 00:34:26,060 --> 00:34:28,639 The whole point of this question is 778 00:34:28,639 --> 00:34:33,780 that when you look at the option A and option C and option B, 779 00:34:33,780 --> 00:34:35,810 why it is not correct is that-- 780 00:34:35,810 --> 00:34:39,050 the first option, security administration and change 781 00:34:39,050 --> 00:34:40,040 management. 782 00:34:40,040 --> 00:34:41,370 So what is change management? 783 00:34:41,370 --> 00:34:44,659 So change management is in terms of there 784 00:34:44,659 --> 00:34:48,530 is a established change management process saying 785 00:34:48,530 --> 00:34:50,330 that whenever you apply any changes 786 00:34:50,330 --> 00:34:54,110 to a particular system or a functionality hardening 787 00:34:54,110 --> 00:34:56,179 or anything, anything of that sort, 788 00:34:56,179 --> 00:34:58,380 any functionality for that matter, 789 00:34:58,380 --> 00:35:01,700 it needs to be promoted in a certain set manner, 790 00:35:01,700 --> 00:35:03,810 by having an approval and everything. 
791 00:35:03,810 --> 00:35:07,070 But when the person is having security administration 792 00:35:07,070 --> 00:35:09,960 as a task and having a change management, 793 00:35:09,960 --> 00:35:11,990 they will be completely bypassing this 794 00:35:11,990 --> 00:35:14,960 into the whole thing, and people will not 795 00:35:14,960 --> 00:35:17,810 be able to know who has done that particular change, 796 00:35:17,810 --> 00:35:20,270 and there are chances of malpractices. 797 00:35:20,270 --> 00:35:22,080 And C, again, the same thing. 798 00:35:22,080 --> 00:35:25,650 You develop a system and you are responsible also for the change 799 00:35:25,650 --> 00:35:27,380 management, is again a conflict. 800 00:35:27,380 --> 00:35:31,050 So change management, somebody has to promote the change. 801 00:35:31,050 --> 00:35:32,610 Somebody has to develop the changes. 802 00:35:32,610 --> 00:35:34,110 Somebody has to approve the changes. 803 00:35:34,110 --> 00:35:37,340 Somebody has to promote the changes into the production. 804 00:35:37,340 --> 00:35:40,910 So again, so you cannot develop and also you cannot change 805 00:35:40,910 --> 00:35:41,700 at the same time. 806 00:35:41,700 --> 00:35:43,410 That is, again, a very important thing. 807 00:35:43,410 --> 00:35:46,400 So option B, the computer operations 808 00:35:46,400 --> 00:35:47,520 and system development. 809 00:35:47,520 --> 00:35:51,840 So the option B and D are little bit closely related. 810 00:35:51,840 --> 00:35:54,240 That is where the confusion starts over here. 
811 00:35:54,240 --> 00:35:56,150 Because as many of you have told, 812 00:35:56,150 --> 00:35:59,060 the options computer operations refers 813 00:35:59,060 --> 00:36:02,130 to just the operations and the system development 814 00:36:02,130 --> 00:36:04,340 because it would be-- 815 00:36:04,340 --> 00:36:06,380 computer operations and system development 816 00:36:06,380 --> 00:36:08,480 is incorrect choice because this would 817 00:36:08,480 --> 00:36:12,530 make it possible for an operator to run a program that she 818 00:36:12,530 --> 00:36:13,620 or he has amended. 819 00:36:13,620 --> 00:36:16,400 So say for an example, if the particular person is having 820 00:36:16,400 --> 00:36:19,550 both these access, they can run the program 821 00:36:19,550 --> 00:36:22,220 without having any kind of additional controls 822 00:36:22,220 --> 00:36:23,040 being required. 823 00:36:23,040 --> 00:36:25,580 So that is the problem that the operations and the system 824 00:36:25,580 --> 00:36:27,390 development cannot be at the same time. 825 00:36:27,390 --> 00:36:30,200 But option D, the maintenance, maintenance 826 00:36:30,200 --> 00:36:31,680 can be done by the same person. 827 00:36:31,680 --> 00:36:33,230 Why it can be done by the same person 828 00:36:33,230 --> 00:36:35,780 is that during the maintenance, the performance, 829 00:36:35,780 --> 00:36:37,850 the person requires access to the source code, 830 00:36:37,850 --> 00:36:40,700 and the person who has developed it 831 00:36:40,700 --> 00:36:42,840 will be having an access to the source code. 832 00:36:42,840 --> 00:36:47,340 That is why in a production, they can-- 833 00:36:47,340 --> 00:36:50,630 and that is the reason they can promote these things 834 00:36:50,630 --> 00:36:52,640 into maintenance, as well as system development 835 00:36:52,640 --> 00:36:53,610 at the same place. 836 00:36:53,610 --> 00:36:56,040 But again, this is a very tricky question. 
837 00:36:56,040 --> 00:36:59,510 Exam question can be similar to this one. 838 00:36:59,510 --> 00:37:01,830 And the domain 2, the next question is, 839 00:37:01,830 --> 00:37:05,960 which of the following is most critical control over database 840 00:37:05,960 --> 00:37:09,030 administration, which is the DBA, approval of DBA activities, 841 00:37:09,030 --> 00:37:11,720 segregation of duties in regard to the rights and access 842 00:37:11,720 --> 00:37:14,660 are granting and revoking, evoking of access logs 843 00:37:14,660 --> 00:37:16,640 and activities-- sorry, review of access logs 844 00:37:16,640 --> 00:37:21,230 and activities, review of use of database tools? 845 00:37:21,230 --> 00:37:25,350 So the correct answer is option B. So why important? 846 00:37:25,350 --> 00:37:30,500 It is important for a DBA to do this-- sorry, conflicting, 847 00:37:30,500 --> 00:37:34,610 rather than any of these three is that other three option does 848 00:37:34,610 --> 00:37:37,290 not reduce the risk. 849 00:37:37,290 --> 00:37:40,110 This is the only preventative control that they can apply. 850 00:37:40,110 --> 00:37:44,900 So as an auditor, when I'm coming and seeing the process 851 00:37:44,900 --> 00:37:48,510 and saying that the DBA is reviewing the logs, 852 00:37:48,510 --> 00:37:50,430 the DBA is using the database files, 853 00:37:50,430 --> 00:37:53,250 the DBA is using approval activities, everything is fine. 854 00:37:53,250 --> 00:37:58,040 But does he or she deliver on the fundamental issue 855 00:37:58,040 --> 00:37:59,730 in the segregation of duties? 856 00:37:59,730 --> 00:38:02,990 That is what will be my auditor's question. 857 00:38:02,990 --> 00:38:04,910 This is where it is very important. 858 00:38:04,910 --> 00:38:08,090 Because as an IS auditor, you need to think and deliver 859 00:38:08,090 --> 00:38:08,670 the answer. 
860 00:38:08,670 --> 00:38:11,310 Because if you are thinking as a security analyst, 861 00:38:11,310 --> 00:38:15,510 this was a typical security mind question and answer. 862 00:38:15,510 --> 00:38:18,240 I understand from guru's perspective, he is right. 863 00:38:18,240 --> 00:38:20,210 But as an auditor, you need to think 864 00:38:20,210 --> 00:38:23,977 from the other side of the table, how an auditor will 865 00:38:23,977 --> 00:38:24,810 approach this thing. 866 00:38:24,810 --> 00:38:27,980 That is where this question is going to be answered. 867 00:38:27,980 --> 00:38:32,460 You can just read the A, C, and D, why they are not correct. 868 00:38:32,460 --> 00:38:35,120 So approval of a database administration activities 869 00:38:35,120 --> 00:38:38,450 does not prevent the combination of conflicting things. 870 00:38:38,450 --> 00:38:42,680 And the C option is, if DBA activities are improperly 871 00:38:42,680 --> 00:38:44,540 approved, review of access would be-- 872 00:38:44,540 --> 00:38:46,890 again, that may not be reducing the risk. 873 00:38:46,890 --> 00:38:49,580 Say for an example, if you have fundamentally approved 874 00:38:49,580 --> 00:38:51,630 the access of some person incorrectly, 875 00:38:51,630 --> 00:38:53,950 though you may be monitoring his or her activities, 876 00:38:53,950 --> 00:38:56,700 but the problem is that it will not be addressed because you 877 00:38:56,700 --> 00:38:59,470 have already done something wrong in the first place, 878 00:38:59,470 --> 00:39:02,910 and you cannot correct it just by monitoring or taking actions 879 00:39:02,910 --> 00:39:03,600 of it. 880 00:39:03,600 --> 00:39:05,700 And reviewing of the use of database tools 881 00:39:05,700 --> 00:39:06,880 does not reduce the risk. 882 00:39:06,880 --> 00:39:08,460 Because it is only a detective tool. 
883 00:39:08,460 --> 00:39:10,170 It is only a detective tool, it is not 884 00:39:10,170 --> 00:39:13,060 a preventive or any other conflicting combination. 885 00:39:13,060 --> 00:39:16,020 It will not prevent any conflict combination. 886 00:39:16,020 --> 00:39:18,660 In a small organization where a segregation of duties 887 00:39:18,660 --> 00:39:22,950 is not practical, an employee performs 888 00:39:22,950 --> 00:39:25,660 a function of computer operator and application programmer. 889 00:39:25,660 --> 00:39:30,030 Which of the following controls should the IS auditor recommend? 890 00:39:30,030 --> 00:39:32,610 Automated logging of changes and development 891 00:39:32,610 --> 00:39:34,710 of libraries, additional staff to provide 892 00:39:34,710 --> 00:39:38,550 SoD, procedures that verify only approved program changes are 893 00:39:38,550 --> 00:39:41,400 implemented, access controls to prevent operator 894 00:39:41,400 --> 00:39:43,360 from making program modifications? 895 00:39:43,360 --> 00:39:45,840 Again, this is one of the trickiest questions. 896 00:39:45,840 --> 00:39:49,830 The whole point is that whenever you see some questions relating 897 00:39:49,830 --> 00:39:54,030 to the organization size, even in the exam, make it very clear 898 00:39:54,030 --> 00:39:57,120 that the answer might be dependent upon the size 899 00:39:57,120 --> 00:39:58,300 of the organization. 900 00:39:58,300 --> 00:40:01,230 If you are a large organization, like Google 901 00:40:01,230 --> 00:40:04,410 or Apple or Facebook, you can do any of these things. 902 00:40:04,410 --> 00:40:07,120 B can be done, A can be done. 903 00:40:07,120 --> 00:40:10,390 Of course, D is something that also can be considered. 904 00:40:10,390 --> 00:40:12,280 But it is a small organization. 905 00:40:12,280 --> 00:40:15,700 Only a programmer is dependent upon an operator 906 00:40:15,700 --> 00:40:17,700 performing the multiple tasks.
907 00:40:17,700 --> 00:40:20,010 What an IS auditor would recommend 908 00:40:20,010 --> 00:40:26,110 will be very, very simple in terms of procedures that exist, 909 00:40:26,110 --> 00:40:29,940 at least in paper, are to say that only the approved program 910 00:40:29,940 --> 00:40:31,110 changes are implemented. 911 00:40:31,110 --> 00:40:36,660 Because whenever we see any question relating 912 00:40:36,660 --> 00:40:38,760 to the organization size, the answers 913 00:40:38,760 --> 00:40:41,860 will be highly dependent on the size of the organization. 914 00:40:41,860 --> 00:40:44,280 What might be the best treatment for a large size 915 00:40:44,280 --> 00:40:47,430 organization may not be the best treatment for a mid-size 916 00:40:47,430 --> 00:40:49,360 and a small-size organization. 917 00:40:49,360 --> 00:40:51,940 So we need to be very careful in choosing the answer 918 00:40:51,940 --> 00:40:55,690 because two or more options will look extremely correct 919 00:40:55,690 --> 00:40:57,750 because the size of the organization 920 00:40:57,750 --> 00:41:00,690 is going to be very dependent particular question. 921 00:41:00,690 --> 00:41:03,270 We are end of domain 2, and we will be having three more 922 00:41:03,270 --> 00:41:04,980 domains to cover. 923 00:41:04,980 --> 00:41:07,390 So the next question is from domain 3. 924 00:41:07,390 --> 00:41:11,790 To assist in testing an essential banking system being 925 00:41:11,790 --> 00:41:13,260 acquired, an organization has been 926 00:41:13,260 --> 00:41:15,570 provided the vendor with sensitive data 927 00:41:15,570 --> 00:41:18,100 from its existing production system. 928 00:41:18,100 --> 00:41:21,180 As an IS auditor, the primary concern that the data 929 00:41:21,180 --> 00:41:22,830 should be what? 930 00:41:22,830 --> 00:41:29,640 A, sanitized, B, complete, C, representative, and D, current?
931 00:41:29,640 --> 00:41:34,590 Whenever an asset goes out, even if an asset is sunsetting, 932 00:41:34,590 --> 00:41:37,560 if a technology asset decommissioning is happening, 933 00:41:37,560 --> 00:41:40,050 the sanitization part is an important thing. 934 00:41:40,050 --> 00:41:43,110 You don't want the data or the production data 935 00:41:43,110 --> 00:41:44,760 to be visible to others whenever they 936 00:41:44,760 --> 00:41:47,040 are doing the testing, which might give 937 00:41:47,040 --> 00:41:49,560 some opinions about how the organization is working 938 00:41:49,560 --> 00:41:52,150 and what are all the data that the organization is having. 939 00:41:52,150 --> 00:41:55,440 So it is important that we need definitely or should 940 00:41:55,440 --> 00:41:58,360 be opting for A because it is very important. 941 00:41:58,360 --> 00:42:00,720 And test data should be sanitized 942 00:42:00,720 --> 00:42:04,510 to prevent sensitive data from leaking to unauthorized persons. 943 00:42:04,510 --> 00:42:07,470 All the other three options, although it may seem little bit 944 00:42:07,470 --> 00:42:09,970 relevant, but it is completely not relevant, 945 00:42:09,970 --> 00:42:12,098 it is completely incorrect. 946 00:42:12,098 --> 00:42:13,890 Which of the following is a primary purpose 947 00:42:13,890 --> 00:42:15,610 for conducting parallel testing? 948 00:42:15,610 --> 00:42:20,430 To determine whether the system is cost effective, to enable 949 00:42:20,430 --> 00:42:22,258 comprehensive unit and system testing, 950 00:42:22,258 --> 00:42:24,300 to highlight the errors in the program interfaces 951 00:42:24,300 --> 00:42:25,967 with the files, to ensure the new system 952 00:42:25,967 --> 00:42:28,770 meets the user requirements? 953 00:42:28,770 --> 00:42:32,310 It is very simple, the answer is D. Let 954 00:42:32,310 --> 00:42:34,570 me put a perspective over here. 
955 00:42:34,570 --> 00:42:36,880 So when we have two systems, say for an example, 956 00:42:36,880 --> 00:42:40,560 we have a tally system that's running currently my accounting 957 00:42:40,560 --> 00:42:42,820 things, and we are going to implement SAP. 958 00:42:42,820 --> 00:42:45,938 So tally is perfect for my organization, 959 00:42:45,938 --> 00:42:47,730 but my organization is going into a billion 960 00:42:47,730 --> 00:42:48,897 and a trillion organization. 961 00:42:48,897 --> 00:42:49,720 I wish it could. 962 00:42:49,720 --> 00:42:52,620 And the whole thing is that, so in terms 963 00:42:52,620 --> 00:42:55,660 with, if the new system is being implemented, 964 00:42:55,660 --> 00:42:58,020 is everything is being aligned and is 965 00:42:58,020 --> 00:43:00,070 everything is as per the requirement, 966 00:43:00,070 --> 00:43:03,160 is everything working as it was working entirely? 967 00:43:03,160 --> 00:43:06,430 That is the primary thing that I will be looking at it. 968 00:43:06,430 --> 00:43:09,907 So that is the reason that we are going with the option 969 00:43:09,907 --> 00:43:11,490 D. The purpose of the parallel testing 970 00:43:11,490 --> 00:43:14,370 is to ensure that the implementation of new system 971 00:43:14,370 --> 00:43:16,480 will meet the user requirements. 972 00:43:16,480 --> 00:43:19,630 It can be identified in the UAT testing itself, 973 00:43:19,630 --> 00:43:21,180 but the parallel testing gives you 974 00:43:21,180 --> 00:43:23,760 an idea both the systems are running in parallel 975 00:43:23,760 --> 00:43:27,210 with each other, will give a fair enough understanding on how 976 00:43:27,210 --> 00:43:28,650 the new system is working. 977 00:43:28,650 --> 00:43:31,440 In case if there are any deficiencies in the new system 978 00:43:31,440 --> 00:43:33,780 compared to the old system, how it can be fixed 979 00:43:33,780 --> 00:43:34,840 and stuff like that. 
980 00:43:34,840 --> 00:43:37,440 See all the other testings, unit and system testings 981 00:43:37,440 --> 00:43:39,690 are completed before the parallel testing, program 982 00:43:39,690 --> 00:43:41,190 interfaces with the files are tested 983 00:43:41,190 --> 00:43:43,890 for errors during the system testing itself and not-- 984 00:43:43,890 --> 00:43:47,130 and then the parallel testing because parallel testing happens 985 00:43:47,130 --> 00:43:49,600 at the last stage during the implementation stage, 986 00:43:49,600 --> 00:43:52,170 and it's not at the first stage. 987 00:43:52,170 --> 00:43:55,570 When conducting a review of the business re-engineering process, 988 00:43:55,570 --> 00:43:58,350 an IS auditor found that an important preventive 989 00:43:58,350 --> 00:43:59,500 control had been removed. 990 00:43:59,500 --> 00:44:01,860 In this case, an IS auditor should, A, 991 00:44:01,860 --> 00:44:03,535 inform the management of the findings 992 00:44:03,535 --> 00:44:05,160 and determine whether the management is 993 00:44:05,160 --> 00:44:08,280 willing to accept the risk potential, B, determine 994 00:44:08,280 --> 00:44:10,740 if a detective control has replaced the preventive control 995 00:44:10,740 --> 00:44:15,720 during the process, and C, recommended that all the control 996 00:44:15,720 --> 00:44:19,440 procedures have existed before the process was re-engineered 997 00:44:19,440 --> 00:44:22,830 and included in the new process, develop continuous audit 998 00:44:22,830 --> 00:44:25,470 approach to monitor the effects of removal 999 00:44:25,470 --> 00:44:28,770 of the preventive control? 1000 00:44:28,770 --> 00:44:32,400 Whatever happens, when you stumble upon something that 1001 00:44:32,400 --> 00:44:35,970 is not of what is as expected, you 1002 00:44:35,970 --> 00:44:38,620 are supposed to inform the management then and now. 
1003 00:44:38,620 --> 00:44:40,800 Then look for the other alternatives 1004 00:44:40,800 --> 00:44:43,390 or other remedial measures because the management 1005 00:44:43,390 --> 00:44:45,140 needs to be informed that there is a risk, 1006 00:44:45,140 --> 00:44:48,160 and whether they are willing to accept this risk of not having 1007 00:44:48,160 --> 00:44:49,730 a preventive control in place. 1008 00:44:49,730 --> 00:44:52,160 So in this case, that's a classic example. 1009 00:44:52,160 --> 00:44:55,150 And if you see here, the existence 1010 00:44:55,150 --> 00:44:58,090 of a detective control instead of a preventive control 1011 00:44:58,090 --> 00:45:01,210 usually increases the risk that the management-- 1012 00:45:01,210 --> 00:45:04,130 increases the risk that the material problem may occur. 1013 00:45:04,130 --> 00:45:08,980 So say for an example, if there is also a detective control, 1014 00:45:08,980 --> 00:45:11,680 that should be in place. 1015 00:45:11,680 --> 00:45:14,380 There is a high probability that the particular process 1016 00:45:14,380 --> 00:45:16,120 is prone to having some kind of a control 1017 00:45:16,120 --> 00:45:19,130 issues and the preventive control that has been removed. 1018 00:45:19,130 --> 00:45:21,850 So that is the reason you need to just inform 1019 00:45:21,850 --> 00:45:25,300 the management at the first, and then look for other options. 1020 00:45:25,300 --> 00:45:27,160 Is it clear? 1021 00:45:27,160 --> 00:45:28,580 Let me go to the next question. 1022 00:45:28,580 --> 00:45:32,470 Which of the following will be considered 1023 00:45:32,470 --> 00:45:34,720 as the most serious in an enterprise resource 1024 00:45:34,720 --> 00:45:37,490 planning software used by financial organizations? 
1025 00:45:37,490 --> 00:45:39,950 Access controls have not been reviewed, 1026 00:45:39,950 --> 00:45:41,870 limited documentation is available, 1027 00:45:41,870 --> 00:45:44,330 two-year backup tapes have not been replaced, 1028 00:45:44,330 --> 00:45:47,030 database backups are performed once a day? 1029 00:45:47,030 --> 00:45:49,600 1030 00:45:49,600 --> 00:45:51,520 Give you the correct answer, which is A, 1031 00:45:51,520 --> 00:45:56,080 and you can see the explanation. 1032 00:45:56,080 --> 00:45:59,260 When auditing the requirements phase of a software acquisition, 1033 00:45:59,260 --> 00:46:00,670 an IS auditor should-- 1034 00:46:00,670 --> 00:46:03,440 assess the responsibility of the project timetable, 1035 00:46:03,440 --> 00:46:05,870 assess the vendor's proposed quality processes, 1036 00:46:05,870 --> 00:46:08,120 ensure that the best software package is acquired, 1037 00:46:08,120 --> 00:46:11,950 review the completeness of the specification? 1038 00:46:11,950 --> 00:46:14,528 The review of the completeness of the specifications. 1039 00:46:14,528 --> 00:46:16,070 Whenever you talk about requirements, 1040 00:46:16,070 --> 00:46:17,440 there is a specification. 1041 00:46:17,440 --> 00:46:20,230 So that is what is our answer talks about. 1042 00:46:20,230 --> 00:46:21,940 The purpose of the requirements phase 1043 00:46:21,940 --> 00:46:27,680 is to specify the functionality of the proposed system. 1044 00:46:27,680 --> 00:46:30,070 Therefore, an IS auditor would concentrate more 1045 00:46:30,070 --> 00:46:32,680 on the completeness of the specification. 1046 00:46:32,680 --> 00:46:34,300 Assessing vendor quality process would 1047 00:46:34,300 --> 00:46:35,840 come after the requirements. 1048 00:46:35,840 --> 00:46:38,360 So you have analyzed the requirements, 1049 00:46:38,360 --> 00:46:40,330 then you are going for the vendor, 1050 00:46:40,330 --> 00:46:42,350 this A vendor or B vendor. 
1051 00:46:42,350 --> 00:46:45,250 That is where your things will come into the picture. 1052 00:46:45,250 --> 00:46:47,660 Analyzing the organization's ability, 1053 00:46:47,660 --> 00:46:49,840 whether they are able to support, whether they are 1054 00:46:49,840 --> 00:46:52,510 a big organization, like a Microsoft or Oracle 1055 00:46:52,510 --> 00:46:56,470 or they are a small organization, of something 1056 00:46:56,470 --> 00:46:58,930 happening out of somewhere in the world, 1057 00:46:58,930 --> 00:47:01,670 or whether they are able to fulfill the obligations, 1058 00:47:01,670 --> 00:47:04,660 whether the quality process is good and everything. 1059 00:47:04,660 --> 00:47:07,810 So this is how you critically think because this is a stepped 1060 00:47:07,810 --> 00:47:08,500 approach. 1061 00:47:08,500 --> 00:47:11,920 As I told, if there is a stepped approach in some process, 1062 00:47:11,920 --> 00:47:13,790 say for an example, change management, 1063 00:47:13,790 --> 00:47:15,260 how do you promote the changes? 1064 00:47:15,260 --> 00:47:19,210 I think the CRM gives you a very detailed explanation 1065 00:47:19,210 --> 00:47:22,030 on how the changes are being promoted, change management, 1066 00:47:22,030 --> 00:47:24,820 and how RFP is raised. 1067 00:47:24,820 --> 00:47:27,460 In the domain 3, it talks about the RFPs, 1068 00:47:27,460 --> 00:47:29,090 how a software is being acquired, 1069 00:47:29,090 --> 00:47:32,650 how off-the-shelf software is being acquired, 1070 00:47:32,650 --> 00:47:35,560 how the requirements are built, how the requisition for proposal 1071 00:47:35,560 --> 00:47:39,260 is built. So these kind of things are phased approaches, 1072 00:47:39,260 --> 00:47:44,410 and you have to bound the answer only to the phased approaches. 
1073 00:47:44,410 --> 00:47:47,020 So the next question is, an organization 1074 00:47:47,020 --> 00:47:49,630 decides to purchase a software package instead 1075 00:47:49,630 --> 00:47:50,510 of developing it. 1076 00:47:50,510 --> 00:47:52,548 In such case, the design and development phases 1077 00:47:52,548 --> 00:47:54,340 of a traditional software development cycle 1078 00:47:54,340 --> 00:47:55,750 would be replaced with-- 1079 00:47:55,750 --> 00:47:58,310 selection and configuration phases, 1080 00:47:58,310 --> 00:48:00,110 feasibility and requirements phases, 1081 00:48:00,110 --> 00:48:03,160 implementation and testing phases, nothing, as replacement 1082 00:48:03,160 --> 00:48:05,620 is not required? 1083 00:48:05,620 --> 00:48:07,040 It is a very simple question. 1084 00:48:07,040 --> 00:48:12,310 Just now I told about the steps involved. 1085 00:48:12,310 --> 00:48:15,040 This question, the option A is the correct answer 1086 00:48:15,040 --> 00:48:19,240 because of the fact that the design element is taken out. 1087 00:48:19,240 --> 00:48:22,120 Instead of developing it, you're going to buy outside. 1088 00:48:22,120 --> 00:48:26,500 So what happens is the selection and the configuration phases 1089 00:48:26,500 --> 00:48:27,730 come into the picture. 1090 00:48:27,730 --> 00:48:30,190 Feasibility and the requirements comes only 1091 00:48:30,190 --> 00:48:32,030 in terms of design requirements. 1092 00:48:32,030 --> 00:48:34,930 So if you see the answer reasoning over here, 1093 00:48:34,930 --> 00:48:38,050 with the purchase purchased package software, design 1094 00:48:38,050 --> 00:48:41,200 and development phases of a traditional 1095 00:48:41,200 --> 00:48:43,630 life cycle have become replaceable 1096 00:48:43,630 --> 00:48:45,820 with selection and configuration phases.
1097 00:48:45,820 --> 00:48:47,530 A request for proposal form, which 1098 00:48:47,530 --> 00:48:51,160 is the RFP I was talking about, from the supplier package 1099 00:48:51,160 --> 00:48:55,090 is called for and evaluated against the predefined criteria 1100 00:48:55,090 --> 00:48:57,370 for selection before a decision is 1101 00:48:57,370 --> 00:48:59,200 made to purchase the software. 1102 00:48:59,200 --> 00:49:02,950 Thereafter, the configuration is to meet with the organization's 1103 00:49:02,950 --> 00:49:03,740 requirements. 1104 00:49:03,740 --> 00:49:06,670 If you take the option B, the other phases of the system 1105 00:49:06,670 --> 00:49:10,070 development, SDLC, such as feasibility study, requirements, 1106 00:49:10,070 --> 00:49:12,400 definition, implementation and post-implementation, 1107 00:49:12,400 --> 00:49:15,880 remain unaltered because it is very simple. 1108 00:49:15,880 --> 00:49:17,930 You are not going to define any requirements. 1109 00:49:17,930 --> 00:49:20,690 Say for an example, if I am going to Subway, 1110 00:49:20,690 --> 00:49:25,030 I am going to say very clearly that you need to put me 1111 00:49:25,030 --> 00:49:27,230 these toppings, like jalapenos. 1112 00:49:27,230 --> 00:49:30,500 I don't want to trigger any kind of hunger mode over here. 1113 00:49:30,500 --> 00:49:34,090 But I am just telling for an example over here because this 1114 00:49:34,090 --> 00:49:38,530 is as simple as going to a Subway versus McDonald's. 1115 00:49:38,530 --> 00:49:41,740 So if I go to Subway, I customize my bread, along 1116 00:49:41,740 --> 00:49:44,270 with the toppings that I require. 1117 00:49:44,270 --> 00:49:45,590 These are the sausages. 1118 00:49:45,590 --> 00:49:47,660 These are the toppings that I require. 1119 00:49:47,660 --> 00:49:50,920 But if I go to make [INAUDIBLE], that 1120 00:49:50,920 --> 00:49:54,980 is very clear that they have a predefined elements. 
1121 00:49:54,980 --> 00:49:58,090 And among the predefined things, what is closely 1122 00:49:58,090 --> 00:49:59,450 matching with my requirements? 1123 00:49:59,450 --> 00:50:00,190 I need to choose. 1124 00:50:00,190 --> 00:50:01,700 Probably I can customize it. 1125 00:50:01,700 --> 00:50:03,680 I can say, please don't add mushrooms. 1126 00:50:03,680 --> 00:50:04,640 I don't like mushrooms. 1127 00:50:04,640 --> 00:50:05,940 I can say that. 1128 00:50:05,940 --> 00:50:07,970 That is to do with the configuration part. 1129 00:50:07,970 --> 00:50:11,230 But again, I cannot completely design some new product 1130 00:50:11,230 --> 00:50:13,310 and the requirements and the feasibility. 1131 00:50:13,310 --> 00:50:16,235 Everything has been taken off the shelf. 1132 00:50:16,235 --> 00:50:17,860 Which of the following procedure should 1133 00:50:17,860 --> 00:50:19,750 be implemented to help to ensure completeness 1134 00:50:19,750 --> 00:50:23,090 of inbound transactions via electronic data interchange? 1135 00:50:23,090 --> 00:50:26,590 I think the EDI topic, you will be seeing quite a lot in the CRM 1136 00:50:26,590 --> 00:50:28,580 as well, as sometimes in the exams as well. 1137 00:50:28,580 --> 00:50:29,930 So this is a hint. 1138 00:50:29,930 --> 00:50:33,090 So segment counts to built-in transactions set earlier. 1139 00:50:33,090 --> 00:50:35,870 A log of number of messages received periodically 1140 00:50:35,870 --> 00:50:37,860 verify that the transaction originator. 1141 00:50:37,860 --> 00:50:40,460 An electronic audit trail of accountability in tracking. 1142 00:50:40,460 --> 00:50:42,140 Matching the acknowledgment transactions 1143 00:50:42,140 --> 00:50:45,980 received to the log of EDI messages sent. 1144 00:50:45,980 --> 00:50:49,470 The EDI is one of my favorite topics, I would say. 
1145 00:50:49,470 --> 00:50:51,540 Because while I was studying for the exams, 1146 00:50:51,540 --> 00:50:54,565 I did a very hard work to understand this EDI concept. 1147 00:50:54,565 --> 00:50:57,290 1148 00:50:57,290 --> 00:51:01,220 So all the other options, if you see one way or the other, 1149 00:51:01,220 --> 00:51:04,040 talks about some form of auditing methodologies 1150 00:51:04,040 --> 00:51:06,480 and acknowledgment of transactions received. 1151 00:51:06,480 --> 00:51:08,450 Acknowledgment of transactions is just 1152 00:51:08,450 --> 00:51:11,090 to verify whether it has been-- 1153 00:51:11,090 --> 00:51:12,920 to check the originator or origination 1154 00:51:12,920 --> 00:51:14,540 of that particular transaction. 1155 00:51:14,540 --> 00:51:17,430 An electronic audit trail is an accountability in tracking. 1156 00:51:17,430 --> 00:51:19,440 Yes, of course, it tracks the audit trail 1157 00:51:19,440 --> 00:51:22,380 of the account for auditability. 1158 00:51:22,380 --> 00:51:24,450 Sorry, for accountability and tracking. 1159 00:51:24,450 --> 00:51:27,380 But none of the options are actually close to A 1160 00:51:27,380 --> 00:51:30,350 because A is the correct answer. 1161 00:51:30,350 --> 00:51:32,450 Controls total built into the trailer record 1162 00:51:32,450 --> 00:51:34,430 of each transaction or each segment 1163 00:51:34,430 --> 00:51:36,020 is the only option that will ensure 1164 00:51:36,020 --> 00:51:39,540 that individual transactions are sent or received completely. 1165 00:51:39,540 --> 00:51:43,220 So electronic data interchange is one concept 1166 00:51:43,220 --> 00:51:46,970 that you need to be very, very familiar with because EDI 1167 00:51:46,970 --> 00:51:49,692 is being used at every ERP, everything 1168 00:51:49,692 --> 00:51:51,150 that you see in the current system. 
1169 00:51:51,150 --> 00:51:53,940 Because if one system is talking, say for an example, 1170 00:51:53,940 --> 00:51:57,860 if [INAUDIBLE] is talking to Oracle or JD Edwards 1171 00:51:57,860 --> 00:51:59,930 or any other things for that matter, 1172 00:51:59,930 --> 00:52:02,790 they are talking in the language of EDI with an XML file. 1173 00:52:02,790 --> 00:52:04,790 So each transaction that is being 1174 00:52:04,790 --> 00:52:06,890 sent as an inbound transaction and sent 1175 00:52:06,890 --> 00:52:09,690 as an outbound transaction from one system to another system, 1176 00:52:09,690 --> 00:52:11,750 they need to have an individual count, 1177 00:52:11,750 --> 00:52:14,240 and they need to have an individual receipt 1178 00:52:14,240 --> 00:52:15,180 of transaction. 1179 00:52:15,180 --> 00:52:18,590 That is the reason why we need to match it accordingly. 1180 00:52:18,590 --> 00:52:20,790 Let me move on to the next question. 1181 00:52:20,790 --> 00:52:25,010 So that ends the domain 3, and we are now into domain 4. 1182 00:52:25,010 --> 00:52:27,320 So the domain 4 starts-- 1183 00:52:27,320 --> 00:52:30,800 I think domain 4 is all about the information security assets, 1184 00:52:30,800 --> 00:52:33,210 different types of information security assets, 1185 00:52:33,210 --> 00:52:34,710 and BCP and BRP. 1186 00:52:34,710 --> 00:52:37,400 So which one of the following provides the best method 1187 00:52:37,400 --> 00:52:39,920 for determining the level of performance 1188 00:52:39,920 --> 00:52:42,350 by similar information processing facility 1189 00:52:42,350 --> 00:52:43,400 environments? 1190 00:52:43,400 --> 00:52:47,960 User satisfaction, B, goal accomplishment, C, benchmarking, 1191 00:52:47,960 --> 00:52:51,680 and D, capacity and growth planning? 
1192 00:52:51,680 --> 00:52:54,080 So it is actually the C, benchmarking, 1193 00:52:54,080 --> 00:52:56,960 because whenever we wanted to ascertain 1194 00:52:56,960 --> 00:53:00,090 any level of performance-- we talked about dashboards. 1195 00:53:00,090 --> 00:53:04,260 Dashboards gives us what our organization is performing. 1196 00:53:04,260 --> 00:53:07,800 And in terms of what the other organizations are doing, 1197 00:53:07,800 --> 00:53:10,380 the best way to identify is to benchmark. 1198 00:53:10,380 --> 00:53:13,220 Say for an example, I am working in a big 4, 1199 00:53:13,220 --> 00:53:15,230 and I want to ascertain the value 1200 00:53:15,230 --> 00:53:19,770 of what others are doing, what I am doing compared to others. 1201 00:53:19,770 --> 00:53:22,670 The only thing that we need to do is the benchmarking. 1202 00:53:22,670 --> 00:53:25,940 So that is very important, that we do the benchmarking 1203 00:53:25,940 --> 00:53:30,560 among our competitors and similar facility environments. 1204 00:53:30,560 --> 00:53:33,140 Let me move on to the next slide. 1205 00:53:33,140 --> 00:53:35,720 So which one of the following is the most effective method 1206 00:53:35,720 --> 00:53:40,220 for IS auditor to use in testing the program change management 1207 00:53:40,220 --> 00:53:41,510 process? 1208 00:53:41,510 --> 00:53:44,390 Trace from system-generated information 1209 00:53:44,390 --> 00:53:46,410 to the change management documentation. 1210 00:53:46,410 --> 00:53:48,350 Examine change management documentation 1211 00:53:48,350 --> 00:53:50,180 for the evidence of accuracy. 1212 00:53:50,180 --> 00:53:52,190 Trace from change management documentation 1213 00:53:52,190 --> 00:53:54,380 to a system-generated audit trail. 1214 00:53:54,380 --> 00:53:56,390 Or examine change management documentation 1215 00:53:56,390 --> 00:53:57,810 for evidence of completeness. 1216 00:53:57,810 --> 00:53:59,500 So this is a very tricky question again. 
1217 00:53:59,500 --> 00:54:02,180 1218 00:54:02,180 --> 00:54:05,030 The correct answer is A, trace from 1219 00:54:05,030 --> 00:54:07,310 system-generated information to the change management 1220 00:54:07,310 --> 00:54:09,170 documentation. 1221 00:54:09,170 --> 00:54:12,950 They are talking about most effective method. 1222 00:54:12,950 --> 00:54:14,990 By virtue of saying that most effective method, 1223 00:54:14,990 --> 00:54:15,995 two options are correct. 1224 00:54:15,995 --> 00:54:18,530 A and C are extremely correct. 1225 00:54:18,530 --> 00:54:21,745 B and D are extremely incorrect because of the fact that when 1226 00:54:21,745 --> 00:54:23,120 you check the documentation only, 1227 00:54:23,120 --> 00:54:25,650 you cannot derive any accuracy out of it, 1228 00:54:25,650 --> 00:54:27,120 derive any completeness out of it. 1229 00:54:27,120 --> 00:54:30,300 So B and D, or C or D is a straight elimination. 1230 00:54:30,300 --> 00:54:32,540 But what happens with the A and C 1231 00:54:32,540 --> 00:54:35,870 is that when you do it from the documentation perspective 1232 00:54:35,870 --> 00:54:38,328 and then go to the system audit trail, it is still correct. 1233 00:54:38,328 --> 00:54:40,203 It is still correct, and some of the auditors 1234 00:54:40,203 --> 00:54:41,100 do still practice it. 1235 00:54:41,100 --> 00:54:43,010 But what happens is, you sometimes 1236 00:54:43,010 --> 00:54:45,440 miss the perspective out of it, and your mind 1237 00:54:45,440 --> 00:54:49,730 starts to think why a specific thing that we will start 1238 00:54:49,730 --> 00:54:51,390 thinking, it needs to be there. 
1239 00:54:51,390 --> 00:54:55,520 But when you extract the system-generated information 1240 00:54:55,520 --> 00:54:57,260 and then check with the documentation, 1241 00:54:57,260 --> 00:55:01,250 whether this is the correct way of doing things or not, 1242 00:55:01,250 --> 00:55:04,350 then that is the most probable factor 1243 00:55:04,350 --> 00:55:06,050 you will stumble upon any gaps. 1244 00:55:06,050 --> 00:55:08,240 So when testing the change management, 1245 00:55:08,240 --> 00:55:09,890 IS auditor should always start with 1246 00:55:09,890 --> 00:55:14,120 the system-generated evidences, information containing the date 1247 00:55:14,120 --> 00:55:15,710 and time module last it was updated, 1248 00:55:15,710 --> 00:55:18,540 and trace it back to the documentation authorizing it. 1249 00:55:18,540 --> 00:55:21,870 Because, see, it is like finding a needle in a haystack. 1250 00:55:21,870 --> 00:55:24,742 So what happens is, for every transaction, 1251 00:55:24,742 --> 00:55:25,950 you need to have an approval. 1252 00:55:25,950 --> 00:55:28,422 It is not like for every transaction approval, 1253 00:55:28,422 --> 00:55:30,630 whether there is a corresponding system entry or not. 1254 00:55:30,630 --> 00:55:33,500 Some might have even not been deployed. 1255 00:55:33,500 --> 00:55:36,260 So what happens is the risk of not 1256 00:55:36,260 --> 00:55:37,920 detecting undocumented changes. 1257 00:55:37,920 --> 00:55:41,090 That is what is the problem here because whatever is there 1258 00:55:41,090 --> 00:55:44,070 in the documentation is documented, and it is fine. 1259 00:55:44,070 --> 00:55:47,780 That is the difference between C and D. 
1260 00:55:47,780 --> 00:55:50,660 The classification based on the criticality of a software 1261 00:55:50,660 --> 00:55:53,480 application is a part of IS business activity continuity 1262 00:55:53,480 --> 00:55:55,460 plan determined by the-- 1263 00:55:55,460 --> 00:55:56,960 nature of the business and the value 1264 00:55:56,960 --> 00:55:58,520 of the application to the business, 1265 00:55:58,520 --> 00:56:00,540 replacement cost of the application, 1266 00:56:00,540 --> 00:56:02,547 vendor support available for the application, 1267 00:56:02,547 --> 00:56:04,130 associated threats and vulnerabilities 1268 00:56:04,130 --> 00:56:06,560 of the application. 1269 00:56:06,560 --> 00:56:09,690 So the correct answer is A, so the nature of the business 1270 00:56:09,690 --> 00:56:11,940 and the value of the application towards the business. 1271 00:56:11,940 --> 00:56:15,440 So rest of the other options seems 1272 00:56:15,440 --> 00:56:17,870 a little bit irrelevant to this question, the replacement 1273 00:56:17,870 --> 00:56:19,170 cost of the application. 1274 00:56:19,170 --> 00:56:22,030 So why it is even important to understand? 1275 00:56:22,030 --> 00:56:24,510 And the vendor support is not a relevant factor 1276 00:56:24,510 --> 00:56:27,650 because determining the criticality classification. 1277 00:56:27,650 --> 00:56:29,400 The associated threats and vulnerabilities 1278 00:56:29,400 --> 00:56:32,670 will be evaluated only if the application is deemed 1279 00:56:32,670 --> 00:56:34,090 to be critical to the business. 1280 00:56:34,090 --> 00:56:37,870 So rest of the other options are not correct. 
1281 00:56:37,870 --> 00:56:40,290 The next question is, when conducting an audit of a client 1282 00:56:40,290 --> 00:56:42,360 server database security, the IS auditor 1283 00:56:42,360 --> 00:56:45,300 should be most concerned about the availability of-- 1284 00:56:45,300 --> 00:56:47,890 system utilities, application program generators, 1285 00:56:47,890 --> 00:56:53,490 system security documentation, access to stored procedures. 1286 00:56:53,490 --> 00:56:57,190 So the whole point is availability of what? 1287 00:56:57,190 --> 00:57:00,970 So the point is system security documentation, of course, 1288 00:57:00,970 --> 00:57:01,660 it is required. 1289 00:57:01,660 --> 00:57:04,590 The problem here is that it should be required only 1290 00:57:04,590 --> 00:57:08,280 for a few specific set of people whom the organization wants 1291 00:57:08,280 --> 00:57:10,030 to give the access to the documentation. 1292 00:57:10,030 --> 00:57:12,840 Not every junior level employee cannot have the security 1293 00:57:12,840 --> 00:57:15,090 documentation in place. 1294 00:57:15,090 --> 00:57:18,210 And B is completely irrelevant because application program 1295 00:57:18,210 --> 00:57:20,460 generators, it's not. 1296 00:57:20,460 --> 00:57:23,010 In the correct shop, actually the correct option 1297 00:57:23,010 --> 00:57:26,790 is option A, system utilities. 1298 00:57:26,790 --> 00:57:29,310 System utilities may enable unauthorized changes 1299 00:57:29,310 --> 00:57:31,960 to be made to the data on a client server model. 
Because if you read the database model very clearly, there are certain system utilities you should not give access to, because the system utilities will bypass the security controls and the access controls, and the person will still have the ability to make some unauthorized changes. People who have read the database security model, I think they will be clear with this answer, because the fundamental thing is that it's a system utility. Say for an example, that is the reason why we do the hardening of the system. We will delete access to the unwanted things that are not required as a part of the system. Let me move on to the next question. When reviewing a network used for internet connections, an IS auditor will first examine the what? Validity of the password changes occurrence, architecture of the client-server application, network architecture design, firewall protection and proxy servers? So I think unanimously people are answering C. That is the correct answer as well, because you need to understand what a network architecture and design is all about, about that particular communication.
So B may seem a little bit irrelevant to this particular thing, because firewall comes after the whole thing of understanding network architecture. And B is also the second, but it's not the first important thing, C. I will tell you the difference between C and B. Understanding the network architecture design is the starting point of identifying various layers of the security architecture across the various layers, such as client-server applications. But first, or in principle, what you need to do as the first step is to understand the network architecture as a whole. Then you go to the client-server model, how it is designed. That is how you need to take things. Again, this is a step-based approach, like how you approach BCP, DRP, and change management. This is, again, a step-based approach. Data mirroring should be implemented as a recovery strategy when? RPO is low, RPO is high, RTO is high, disaster tolerance is high? It is a very easy question.
If you have understood the concept of RPO or RTO, this is a very easy question. So the correct answer is RPO, B, which is low. So recovery point objective is the earliest point to which it is acceptable to recover. So recover the data; in other words, RPO indicates the age of recovered data. And so what happens is the organization cannot afford to lose even a few minutes of data. In such a case, data mirroring should be used, usually used as a recovery strategy. So I think one of the last questions with domain 4 will be, which of the following components of the business continuity plan is primarily the responsibility of the organizational IS department? Developing the business continuity plan, selecting and approving the recovery strategies used for the business continuity plan, declaring a disaster, or restoring the IT systems and data after a disaster? Which of the following components is primarily the responsibility of the organization's IS department? So when you see the primarily, what is the primary objective of the IS department in relation with the business continuity plan? So restoring the data is very, very important.
At the end of the day, what is the end game of that? Whenever a disaster strikes-- the disaster has already struck, fine, what are we going to do now? Now we are going to temporarily run the business at the other site, with the backups and stuff like that, with the skeleton staff, whatever. But maybe the primary objective is that it is always to restore the IT systems and data after a disaster. That is what is correct, and also [INAUDIBLE]. You can see the explanation over here. Members of the organization's most senior management are primarily responsible for overseeing the development of the business continuity plan and are accountable for the results. So the IS team is not responsible for that. It is the business and the senior management who are responsible, because that's their business. Management is also accountable for selecting and approving all strategies. That is, again, to do with the individual business. Cool. So that brings me to domain 5, the most technical domain, if I'm not wrong. The longest domain in the book as well.
The first question is, an IS auditor is reviewing the configuration of a signature-based intrusion detection system, which is the IDS, and would be most concerned if which of the following is discovered? Auto update is turned off, scanning for application vulnerability is disabled, analysis of encrypted data packets is disabled, IDS is placed between a demilitarized zone and the firewall? A, auto update is turned off. So even in our home, when we are running Kaspersky, Norton or whatever security thing, the intrusion-- not intrusion, but antivirus software, the signature is very important. It will get updated twice or thrice or even five times in a day, depending upon what the situation is. So what happens is, when you have turned this off-- God knows when you have turned it off and how many days the system is not updated. That is the most important risk in anything, whenever the IDS-- because when a signature-based IDS is looking for patterns and the pattern is not recently updated for a recent vulnerability, what happens? Your system is as good as not protected.
Whenever you are reading this answer reasoning, even in the CRM, even in the question and answer bank, I request you all to read all the four options, why it is correct, why it is not correct, and to get familiarized. Say for an example, in this, the completely irrelevant option is B. But they have given good information on a demilitarized zone, or DMZ. So this can be used in some other question, which might be all dealing with DMZ. Let me move on to the next question. An IS auditor has just completed a review of an organization that has a mainframe computer and two database servers where all the production data reside. Which one of the following weaknesses should the IS auditor consider the most serious? The security officer also serves as a database administrator. Password controls are not administered over two database servers. There is no business continuity plan for the mainframe system's non-critical applications. Most local data networks do not have backup file server fixed disk regularly.
So the correct answer is B, password controls are not administered over two database servers. So the absence of password controls on the two database servers, where the production data resides, is the most critical. Because again, this question talks about the most. There are two options which are correct, of course. And what you need to look for is the one which is most apt given the situation and the scenario. So let me go on to the next question. The insurance company is using public cloud computing for one of its critical applications to reduce the cost. Which of the following would be the most concern to the IS auditor? The inability to recover the service in a major technical failure scenario. The data in a shared environment being accessed by other companies. The service provider not including investigative support for incidents. The long-term viability of the service if the provider goes out of business. So that is actually the correct answer.
Considering that an insurance company must preserve the privacy and confidentiality of the customer information, unauthorized access to the information and data leakage are the two major concerns. The next question. Which one of the following best determines whether the complete encryption or the authentication protocol for protecting information while being transmitted exists? A digital signature with RSA has been implemented. Work has been done in the tunnel mode nested with the services of AH, which is the authentication header, and encapsulating security payload, which is the ESP. Digital certificates with RSA are being used. Work is being done in transport mode with the nested services of AH and ESP. Quite a tricky technical question, I would say. And to remind you, I have studied these things quite cumbersomely, because I didn't even understand a single word when I was doing it the first time. Transport mode, tunnel mode, everything was Greek and Latin for me. B is the correct answer.
Tunnel mode provides encryption and authentication of the complete IP packet, including the authentication header and the encapsulating security payload, which is ESP. Transport mode provides this only at higher layers, like data fields and the payload of an IP packet. So those are the two differences. Actually, as I told, a digital certificate provides only authentication and integrity; it does not provide anything beyond that. And whenever you see any digital signature versus encryption, I think a digital certificate is only to provide authentication. It doesn't provide any other thing. It doesn't provide even confidentiality. It doesn't provide any availability or any of the things. Which one of the following characterizes a distributed denial of service attack, DDoS? Central initiation of intermediary computers to detect simultaneous attacks, surplus message traffic at a specified target site. Local initiation of intermediary computers to detect simultaneous and spurious message traffic at a specific target site.
Central initiation of a primary computer to detect spurious message traffic at multiple sites. And local initiation of intermediary computers to direct staggered spurious message traffic at a specific target site. Again, this is a confusing question, but the answer is very simple. That is the correct answer as well. So what happens with the DDoS attack is that one controller system or one primary system will be controlling so many zombie computers, and the administrator will launch an attack on these zombie computers, which will start sending packets to the primary target. And by flooding their traffic, they will be having some kind of issue. Say for an example, if Amazon is putting on an Independence Day sale, I want to affect these sales by targeting their servers. I can launch this attack using the zombie computers, and they will attack on behalf of [INAUDIBLE], and I will be controlling the zombie computers. And what happens next, God knows. So again, our DDoS attacks are not locally initiated. They are not staggered. They are not initiated using a primary computer.
So the last question for this day, which of the following is the most effective preventive antivirus control? Scanning the email attachments on the mail server. Restoring the systems from clean copies. Disabling universal serial bus ports, which is the USB. An online antivirus scan with up-to-date antivirus definitions. The correct answer is actually D. But why not C, B and D? It is completely irrelevant. It doesn't talk anything about antivirus or anything, because it's just restoring systems from clean copies, which is the most baseline thing that we do. And disabling USB. I think disabling USB should be an incorrect option again. You can disable the USB, but still the system can read the USB file when it is having [INAUDIBLE]. So D would be the most appropriate answer for this one, because of the fact that antivirus can be used to prevent virus attacks. By running regular scans, it can also be used to detect virus infections that have already occurred. Regular updates of the software are required to ensure it is able to update, detect and correct viruses as they emerge.
So again, the important thing that you need to know is that the signature-based system, as always, should be kept up to date. But not a heuristic-- not a knowledge-based system. Sometimes you'll be having a conflict between heuristic and signature-based and all those stuffs. You need to be very clear which system talks about what. Because some systems, like IDPS, which talk about the anomalies, will not talk about system signatures. They will talk about only the anomalies. Say for an example, these anomalies will be studied for certain dates so that the regular traffic will be like this. And anything beyond this regular traffic will be flagged as incorrect traffic or non-relevant traffic. And it will be quarantined, and it will not be allowed, intrusion detection system. And sometimes it can be prevented from entering our servers as well. So that brings me to the end of this session. Thanks a lot everybody. I'll wind up the session. Thank you for your patience and listening to me. And it was a very fruitful session.
I appreciate.