Hi all. Good morning to the session today.

So this session is basically for the CISA, Certified Information Systems Auditor. And we will be discussing the questions and answers, and basically how to approach the exam questions. This is in line with ISACA's thought process, or how you need to approach a question, how you need to answer a question while you are taking the real exam.

So we will be having the questions taken from the CRM, as an extract, and we will be discussing in detail what is the mode of thought process that you need to inculcate while you are preparing for the exam, as well as when you are in the exam.

So if I start off with, we will have this, the agenda would be a small introduction about myself and you, and I'll tell a brief note on how you need to approach the CISA questions. And we will be discussing domain 1 to 5 questions and how we need to think like an IS auditor. That will be going in line with the 1 to 5 domain questions that we are discussing. That will be in parallel. And a final Q&A will be for you all to openly ask some questions regarding CISA. That is the end of the session.

So the introduction about myself is that my name is Krishnan Ramani. I think some of you would have seen me on LinkedIn. So I'm an information security and IT audit expert, with a total of 13 years' experience in IT auditing and the information security domain, out of which eight years is solely dedicated. I have a wide variety of experience in IT audits, IT security, GRC, ITGC, and IT security strategy.

So my certifications are CISSP, CISA, for which I was a chapter rank holder, a first rank holder, and CEH, which is the Certified Ethical Hacking, version 10, and I'm a Lean Six Sigma Black Belt certified, and I have done business analytics. And I am also a certified cybercrime intervening officer.

So let us start with this thought process, why we are coming for CISA. Let me pause here for a moment. So what is the objective? So there is a practical relevance. So every detail given in the CRM book, which is the CISA Review Manual, there is a practical relevance for you to do. And while you are working as an auditor or an IT auditor, even when you are working as an ITGC person, which is the general controls, and any line of defense, from CRM or PRC technology, risk management and everything.

So probably what happens is there is a pure practical relevance in terms of understanding these controls, what IT audit is all about, how do we preserve things, how do we maintain staff, what are all the things. Because as an IS auditor, you will be reading this book. But once when it comes to the implementation part as well, there are a lot of clues that have been given in the book, in terms of how do you preserve stuff so that it will be good for an audit and everything. So in that mode, it is very relevant to the present-day world.

And as we see, the technology is also emerging at this point in time. So today, there is something called cloud. Tomorrow there will be something-- a new technology will be arriving, and everything will be changing overnight. But what we need to do is the fundamentals remain the same. So what are all the things that we are going to see? What are all the things that we are going to look at whenever we are auditing or whenever we are performing the role of information security analyst or any other thing?

But this book is purely based, purely focused on the IS auditor side of things. So the prism of optics is purely from the IS auditor point of view. Because the moment you start thinking as an IS security analyst for this exam, that will not be the correct thing that we will be doing. So what we need to approach, how we need to approach and what we need to do is exactly what I am going to tell here.

So the questions will be-- each question has a stem question, which will be a basic question, which will be having four options. Choose the correct or the best option. So as I was telling, the scenarios will be completely related to IS audit scenarios. You will be presented a situation. You will need to think like an IS auditor and answer like an IS auditor.

So there are some helpful instances where you know how you will be approaching. So every question will be-- most of the questions, not every question, will be having something called the best, most, and these kinds of wordings will definitely be there. So you need to understand what they are asking in the question. Because the moment they say, choose the best option, choose the most relevant option, choose the primary option, choose the first option, it means that two or more options that are being given are right in the context of the question, but only one thing can be the best. Only one thing can be the primary. Only one thing can be the first. So you need to choose the answers accordingly.

So say for an example, if there is a given scenario of a BCP process, how it comes to the business impact analysis and everything, so once you start the question, you will need to know what are all the steps involved in the BCP process. How do you conduct the business impact analysis? How do you identify the business? This step-by-step process is definitely essential in order for you to understand what is the first option that the IS auditor will be choosing. But it will not be as straightforward as, what is the first option in the BCP? There will be a presentation in terms of a scenario given. So you need to understand the scenario, and you need to answer accordingly.

So read all the options and read the stem again, if you can eliminate two options. So that is very important. Read all the options. And so if you can eliminate two options, that will be great. So in the context of the questions and answers in multiple choice questions, there is always a method called the elimination method. So in terms of how do you answer a question, the elimination method is really a good method to start with. Because once you start eliminating two incorrect answers, you will have a 50% chance of clearing the exam or clearing the particular question correctly. Because what you have is 100 percent, and out of which, you know you have already eliminated two irrelevant answers. In most of the cases, two irrelevant answers will be definitely visible. Once you have read the CRM and you have answered a sufficient number of questions, you will be able to identify what are the two irrelevant answers, and you will be able to straight away eliminate them and focus your time and efforts only on the two which are most relevant for that particular context.

So reread the remaining options and bring in any personal experience that you may have to determine. So bringing in the personal experience, I would say it is with a caveat. Because in terms of bringing your personal experience, sometimes what happens is you need to think like an IS auditor from ISACA's point of view. So the moment you start thinking from your company's point of view-- probably some of you would have had seasoned experience in terms of doing the IS audit and the IT auditing or whatever the security or whatever. But the moment you start thinking from your company's perspective, things might go a little bit wrong because of the fact that the companies or the organizations actually tailor the controls according to their requirement, and they customize it, which in case is not in ISACA's point of view, because ISACA's point of view is, I would call it, more raw, because it is a theoretical and practical knowledge of how you need to apply, but it is not in any specific contextual-based or organization-based controls. Because banking will be having a different set of approach towards the same control, and another industry will be having-- healthcare for that matter, will be having a different approach to the same control.

So think like an IS auditor. Of course, a little bit of n percentage of your work experience also. That is a logical mind, that will also help, but in my best opinion, I would suggest that let's not think that over the board and think like 100% as an IT auditor, because we'll be having a specific industry experience wherein the controls might be having a different approach, and sometimes the answers can go incorrect.

So the next thing is the domain 1 question. So the first question is, which of the following outlines the overall authority to perform an IS audit? A, the audit scope or the goals and objectives; B, a request form in the form of management to perform an audit; C, an audit charter; D, an approved audit schedule.

I think this is a very easy question, I think. What defines the overall authority? I think chapter 1, the domain 1, gives you very decent information on the overall authority. Because once you see the question authority, the answer is always the approved charter, because let's look at the reasoning. The audit scope is specific to a single audit, and it does not grant authority to perform an audit. B, the request from management to perform an audit is not sufficient because it relates to a specific audit. The approved audit charter outlines the auditor's responsibility, authority and accountability. So as I told, this is the only document which gives you an end-to-end perspective on what it is for an auditor, why the auditor is there, what is the authority that the auditor is having, what are all the things that the auditor can do. So everything is given or entitled in one document. That is the reason we need to have selected option C. The approved audit schedule does not grant the authority.

The whole point is why this was a very easy question. But again, the point of this question is to give you a perspective on what you need to look into in a question. So when you start looking into a question, let me tell you what is very important. If you see over here, the overall authority over here, that is the key word, because every question, even in the exam, will be having some key word that defines the answer correctly. Because as I told, you need to eliminate two things. So in this, I will be eliminating a request form, which is definitely not an overall authority, and an approved audit schedule. The audit schedule is only in terms of what is the timeline that they are going to work on, when they are going to carry on the planning work, when they are going to carry on the field work, when the reporting is going to be done, what is the timeline for remediation and all that stuff. But in terms of a request form, that is in terms of just defining what the management is going to look out for, and a permission letter or something of that sort. But the two options, again, as I told, the closest that relate to this question will be option A and option C. Because once I say that option A-- but again, as I told, the overall authority is the word that defines, in terms of what is going to be the primary thing that you are going to look out for over here.

So the next question: in performing a risk-based audit, which risk assessment is completed first by an IS auditor? So detection risk assessment, control risk assessment, inherent risk assessment, and fraud risk assessment. So again, the question is very clear in terms of what an IS auditor-- which risk assessment comes first? Let's look at the correct answer now. So the correct answer is actually inherent risk assessment.

So why is inherent risk assessment important? So let us look at the reasons over here. So detection risk assessment is performed only after the inherent risk. So as again I told, the stepwise answer is very important. What is the first? What is the first? So you need to know which is going to come in the first order, which is going to come in the second order. So the detection risk assessment is performed only after the inherent risk and the control risk assessment have been performed. So definitely this answer can be eliminated. And control risk assessment is performed after the inherent risk assessment has been completed. And it is to determine the level of risk that remains after the controls have been applied. So say for an example, this control risk assessment is right. So it is going to give you what is left over. So even after applying all the controls, what is the risk that is going to remain? And that option D, the fraud risk assessment, is a subset of control risk assessment. It is important, but again, it is not as important or the first task of the inherent risk.

Because whenever you take any process, for that matter, there will be a form of inherent risk, which has to be taken into consideration before doing anything. Because inherent risk exists independently of an audit and can occur because of the nature of the business. So to successfully conduct an audit, it is important to be aware of the related business processes. To perform the audit, an IS auditor needs to understand the business processes. By understanding the business process, an IS auditor better understands the inherent risk. So inherent risk gives you an overall idea. For an example, if the IS auditor is performing an inherent risk-- an audit in the banking sector, they will be having certain sets of inherent risks according to them. And if they are doing some kind of audits in the health sector, they will again be having some set of inherent risks in that particular sector. So that is the reason we need to know the inherent risk of that particular industry or the particular business process that they are performing. Then they come into the process of fraud risk or the control risk, which is the second or third option that will be. So again, as I told, the logic behind the question is to understand which comes first.

And so also one of the other key things that is very important when you are preparing for the exam, not only from the exam standpoint, I would suggest everybody to-- so what happens is, once you know the answer is correct, check the reason why you have selected that answer and why it is correct. Because 90% of the time, you might have selected an answer for some other reason, but it happens to be coincidentally correct with ISACA. But what I require everybody to do is that you need to check the thinking process of ISACA. That is very important in terms of understanding the concepts. And also, even if you have made the answer correct, I would require you to check every option available, A, B, C, and D, why it is not correct and why the answer that you have chosen is correct. Even in case you have not selected the correct answer, please still go and check all these options, why the answer that you have selected is not the correct answer and why the other answer remains the correct option.

So this question is, again, an interesting question. So an IS auditor is performing a review of an application's control fields; he finds a weakness in the software system that could materially impact the application. In this situation, an IS auditor should-- Again, this is not a question. This is just a statement. We need to complete the statement. A, disregard these control weaknesses because the system software review is beyond the scope of this review. B, conduct a detailed system software review and report the control weakness. C, include in the report a statement that the audit was limited to review the application's control weakness. D, review the system software controls as relevant, and recommend a detailed system software review.

I think everyone is going with the option of B. But sorry to disappoint, the answer is actually D. Before going into the complete detailed review, as given here, the appropriate option would be to review the system software as relevant to the review, and recommend a detailed system software review for which additional resources may be recommended. So the answer might be extremely similar to what B is, but the difference is that you need to know where your scope is going to go and how you are going to plan the audit accordingly. So that is what is the defining moment for answer B and answer D. So again, answer A and answer C are completely irrelevant. You can take them off the radar. Definitely nobody has given answer A or C. That is a good sign. Because as I told, we need to eliminate these two options very clearly, in terms of how we are going to understand this whole thing.

So which of the following is the most important reason why an audit planning process should be reviewed at a periodic interval? A, to plan for deployment of available audit resources; B, to consider changes to the risk environment; C, to provide inputs for documentation of the audit charter; D, to identify applicable IS standards.

So again, the answer is B. Let us look at the explanation that is given over here. So short-term and long-term issues that drive the audit planning can be heavily impacted by the changes in the risk environment, technologies, business processes of the enterprise. This is well set, in terms of the risk environment changing quite dynamically for some businesses. So what might be considered as a risk today might not be a risk tomorrow. What might not be considered as a risk today will be a risk tomorrow. So in terms of planning for the deployment of available resources, it's determined by the audit assignments plan. The option is completely not relevant. Again, option C is something-- is a mandate from the top management. It is not something-- the risk assessment, or any kind of things is not going to-- planning is not going to have any impact on the audit trail because it's a top management mandate. And D, applicability of IS standards, guidelines and procedures is universal to any audit engagement. It is not specific to any audit and not influenced by the short-term and long-term issues.

Again, when I talk about short-term and long-term issues, probably we might be having some IT deployment happening, which might change the risk posture. And the classic example is COVID. So in COVID, people are working from home. The risk environment changes from being in the office space to the home space. What are all the risk environment changes that are going to happen? So if anybody has access to printers, say for an example, a person might be connecting their home printer to their laptop or PC, print some confidential documents, so the risk posture is completely changing. So that is the reason why we need to have planning, that needs to be detailed, done before the audit.

So which of the following is the most effective for implementing control self-assessment within a small business unit? Informal peer reviews, facilitated workshops, process flow narratives, data flow diagrams? So say for an example, I will tell you the correct answer, which is B. So when we are going-- you know the answer reasoning over here, let me not explain it. But I'll give you a different perspective over here. Out of the four options actually, I feel that three are actually correct for this particular question, because not two, but three are correct. But which is the most important? When you say that, the facilitated workshop comes into the mind because of a very simple fact, because the control self-assessments are not performed by a seasoned auditor or by a seasoned or a control of people. They are being performed by the business themselves directly, to assess how the control posture is there, how the risk posture is, everything. So what happens here is you need to train them. We have to train them correctly to identify what they are supposed to do, how they are supposed to check for control weaknesses and how they are going to report it. And that is by far the most effective way. But again, the process flow diagrams are important. While doing these facilitated workshops, there will be process flow diagrams and data flow diagrams and narratives. These things are very important in terms of giving more added perspective. But again, that is not the only thing that is required over here. What we require over here is in terms of identifying the best option.

So the next question. So which of the following would an IS auditor perform first when planning an IS audit? A, define the audit deliverables; B, finalize the scope and the audit objectives; C, gain an understanding of the business objectives and purpose; D, develop the audit approach or the strategy? C is the correct answer, gain an understanding of business objectives and purpose.

So the reason is very simple. So what we need to understand, in terms of business mission, objectives, purpose, which in turn identifies to the policy, standards, guidelines, procedures, everything, because it is very important to gain an understanding of the business. Say for an example, if we are in a pen drive manufacturing company, their core mission is to manufacture a pen drive and test the pen drive and use the pen drive. And you cannot say that the use of pen drives or external drives is prohibited inside the organization. That will be the most absurd thing. And in Facebook, if you are auditing Facebook, you cannot go and say that viewing Facebook inside the Facebook office is restricted. Of course, it can be limited to view and to view your personal account. But it will be so absurd when we say all these things inside the office that they are trying to work on. So that can be an explanation that can be given to this answer.

But again, I would like everyone to go through the other options as well. Defining the audit deliverables is dependent upon a thorough understanding of business objectives, A, B, and D. Because as I told, every option is important, though it may not be relevant to this particular question, some other question that might be relevant to this particular option will be arising tomorrow.

So the last question in domain 1 is, again, the next question. An organization performs a daily backup of critical data and software files and stores the backup tapes at an offsite location. The backup tapes are used to restore the software in case of disruption. This is an example of A, a preventive control; B, management control; C, corrective control; D, detective control? The correct answer is actually C.

So you cannot avert a particular disaster from happening. If you can avert that particular disaster from happening, that is a preventive control. But a corrective control is set up-- a BCP is a critical-- a DRP and a BCP are the best examples that I can give over here. It is actually a corrective control. It is not a preventive control. So say for an example, a couple of years back, the Chennai floods happened in 2015. That cannot be averted. And the pandemic, right now we are in a pandemic, that cannot be averted. But what we can do is a corrective control and approach towards it.

So as the answer outlines over here, A, preventive controls are those that avert the problems before they arise. Backup tapes cannot be used to prevent damage to the files and therefore cannot be classified as a preventive control. Management controls modify and processing systems, which is completely irrelevant to this context. C, a corrective control helps to correct or minimize the impact of a problem. Backup tapes are such. So detective controls, again, it is not completely relevant to this answer, which is only going to help in terms of detecting a problem after it has arisen. So detective controls can be in auditing. Auditing is a detective control. The best detective control is auditing. And a management control is something-- if I can give an example of, in terms of recurrence of a problem, a processing system. Say for an example, that's-- it is management controls again. The management controls are put in place so that you cannot edit a few items, or view-only options. And those kinds of controls are also called a management control, that is, to repeat the occurrence of a problem. So that nobody even touches something so that it doesn't go wrong again.

So this is the end of domain 1.

So now we are going into domain 2. So now we are able to see the domain 2 first question. So in order for the management to effectively monitor the compliance of the processes, applications, which of the following would be the most ideal? A central document repository, a knowledge management system, a dashboard, and benchmarking?

So the correct answer is C, dashboard. So a dashboard provides a set of information to illustrate compliance of the processes, like how KRAs, KPIs are going to be there, and the configurable elements to keep the enterprise on course. So if you are going to deviate, if the metrics are not achieved, the management will definitely be informed. So why not A, B and D? Any perspective? Again, that is given over here. In terms of benchmarking, option D, it provides information to help the management to adapt the organization in a timely manner, according to the trends and the environment, so what the other organizations are doing. So if I am in a big four organization, so what my peers are, what my competitors are doing, EY, Deloitte, KPMG, and PwC, what they are going to do. And that will be the context in which I will be benchmarking. And A and B, A is nothing but a document repository. That doesn't provide any specific information on how the controls are being performed, how the compliance is being done. A knowledge management system provides valuable information, but it is generally not used by the management for compliance purposes. Again, a KMS is nothing, but in terms of-- it will not provide any specifics on how the control is performing, how the compliance has been performing.

So that again, the important thing in this question is that, effectively monitor and the most ideal. So when I say most ideal, most ideal, I think benchmarking and dashboard are the two options which I will be choosing in the last. But again, among these C and D, what is an important thing will be the D because it gives the accurate information on how my organization is doing. But the next question will be, my organization is doing good, but what about the rest of the others? That is where the benchmarking comes into the picture.

The next question is, which of the following best describes the IT department strategic planning process? A, an IT department will have either short- and long-range plans, depending upon the organization's broader plans and objectives. B, the IT department strategic plan must be time- and project-oriented. So not detailed plans to address and help determine priorities to meet the business needs. C, long-range planning for the IT department should recognize the organizational goals, technological advances and regulatory requirements. And D will be, short-range planning for the IT department does not need to be integrated into the short-range plans of the organization since technological advances will drive the IT organization's plans much quicker than the organization's plans.

I think this is a little bit complicated question. But the answer is very, very simple. So in order for this to understand-- the correct answer is, of course, C. So in order for you to understand this particular question, you need to understand two things over here. You need to understand what strategic planning refers to. Strategic planning is always a long-term plan, which is more than-- it has been more than one year and derived for five years. So that is strategic planning. There is always a tactical planning. Tactical planning refers to what you are going to achieve in one year. And operational planning, it is anything below one year, so for a few months, for a few quarters, that is going to be your operational planning.

So what happens here is the question specifically asked about strategic planning. In that context, option A or B is going to be definitely eliminated because option A talks about short and long range. Short-term plans are either going to be operational or tactical plans, which is not in the context of this question. And again, these again are eliminated because of the short-range planning. Because short-range planning is, again, going to be only there for the operational and tactical, and not for the strategic. So the only answer that remains in this question will be long-range planning, which should always emphasize organizational goals, technological advancements, and regulatory requirements. So that is in terms with this correct answer.

Again, you need to understand one thing before answering a question. Whenever you have a question, try to understand which domain they are coming in primarily. There might be a situation of two or three domains culminating in one question itself, but there will be a primary essence of one domain which will be focused. In this particular question, the domain focus is only, of course, it is domain 2, and the focus is domain 2. Domain 2 focuses only on one bang-on agenda. That is in terms of organization goals, organization's missions, organization's thing. So everything that the IT revolves-- IT cannot work as a silo. It cannot work as a silo. Say for example, if your organization is selling vegetables and fruits, your IT organization cannot talk about implementing a cloud for clients. So that is not going to happen. So that is not the way the business runs. Your optimization should run in terms of how your organization is going to sell your fruits and vegetables. They will be an organic business, so how IT acts as an enabler. So IT is only an enabler of the organization. It is not something which is completely driving the organization. The business priorities are completely different from what IT priorities are. So we need to align our IT priorities so that the organizational goals, technological advancement and even the regulatory requirements are complied with.

So the most important
responsibility
-
of data security officer
in an organization
-
is, A, recommending
and monitoring
-
data security policies, B,
promoting security awareness
-
within the organization,
establishing procedures
-
for IT security
policies, administering
-
physical and logical
access controls.
-
The answer is A.
-
But when I come
to this question,
-
this is, again, a tricky
question because the question
-
outlines the most important.
-
So when we say most
important, there
-
is always considered
that there are
-
two options which is correct,
two or more options which
-
is correct for this question.
-
But in terms of B, C, and D,
why it is not correct instead?
-
B, anybody in the organization
can do the security awareness.
-
And it is not the only
responsibility of a data
-
security officer, though it
might be a responsibility,
-
but it is not the
only responsibility.
-
And C and D, they are all more
of establishing procedures.
-
Establishing
procedures, anybody
-
can do in an IT organization.
-
And administering physical
and logical access control,
-
again, specific to
the application.
-
Say for an example, if they are
administering the SAP, if they
-
are administering the
Oracle, the specific team
-
related to the SAP
or the Oracle will
-
administer these controls, and
not the data security officer.
-
But data security officer in a
top level, at a very high level,
-
they will define in terms of
what is recommended in terms
-
of protecting their data.
-
Say for an example,
if the data is
-
coming for the GDPR regulation.
-
So what is required
in terms of them
-
to protect the particular data?
-
Mere implementation part
is done by the IT team.
-
And in terms of promoting
the security awareness,
-
it can be done by anybody
in the organization.
-
Now, we go to the next question.
-
What is considered
most critical element
-
for the successful
implementation of information
-
security program?
-
An effective enterprise
risk management framework,
-
senior management commitment,
an adequate budgeting process,
-
meticulous program planning?
-
So the correct answer is B. And
you can go through this option,
-
while the other options
are not correct.
-
Let me just give you one
important perspective over here.
-
Couple of years
back, when IT was not
-
seen as a big enabler
for the organizations,
-
in the board meetings,
only five minutes
-
will be spared for any kind
of security or IT security
-
related issues to be discussed.
-
Nowadays, organizations have
started prioritizing this,
-
and there is a very detailed
discussion on the whole thing
-
because most of
the organizations,
-
including a small scale
enterprises or the medium scale
-
enterprises, have shifted their
focus only towards an IT because
-
of the pandemic.
-
And they have started even
seeing the benefits out of it.
-
And it is important
for an organization
-
to protect their
information security assets.
-
And management has
started putting
-
lot of efforts in terms of
how this is going to happen.
-
The next question is, which
of the following tasks
-
may be performed
by the same person
-
in a well-controlled information
processing computer center?
-
Security administrator
and change management,
-
computer operations
and system development,
-
system development
and change management,
-
system development and
system maintenance?
-
The correct answer
is actually D.
-
The whole point of
this question is
-
that when you look at the option
A and option C and option B,
-
why it is not correct is that--
-
the first option, security
administration and change
-
management.
-
So what is change management?
-
So change management
is in terms of there
-
is a established change
management process saying
-
that whenever you
apply any changes
-
to a particular system or
a functionality hardening
-
or anything, anything
of that sort,
-
any functionality
for that matter,
-
it needs to be promoted
in a certain set manner,
-
by having an approval
and everything.
-
But when the person is having
security administration
-
as a task and having
a change management,
-
they will be completely
bypassing this
-
into the whole thing,
and people will not
-
be able to know who has
done that particular change,
-
and there are chances
of malpractices.
-
And C, again, the same thing.
-
You develop a system and you are
responsible also for the change
-
management, is again a conflict.
-
So change management, somebody
has to promote the change.
-
Somebody has to
develop the changes.
-
Somebody has to
approve the changes.
-
Somebody has to promote the
changes into the production.
-
So again, so you cannot develop
and also you cannot change
-
at the same time.
-
That is, again, a
very important thing.
-
So option B, the
computer operations
-
and system development.
-
So the option B and D are
little bit closely related.
-
That is where the
confusion starts over here.
-
Because as many
of you have told,
-
the options computer
operations refers
-
to just the operations
and the system development
-
because it would be--
-
computer operations
and system development
-
is incorrect choice
because this would
-
make it possible for an operator
to run a program that she
-
or he has amended.
-
So say for an example, if the
particular person is having
-
both these access, they
can run the program
-
without having any kind
of additional controls
-
being required.
-
So that is the problem that
the operations and the system
-
development cannot
be at the same time.
-
But option D, the
maintenance, maintenance
-
can be done by the same person.
-
Why it can be done
by the same person
-
is that during the
maintenance, the performance,
-
the person requires
access to the source code,
-
and the person who
has developed it
-
will be having an access
to the source code.
-
That is why in a
production, they can--
-
and that is the reason they
can promote these things
-
into maintenance, as well
as system development
-
at the same place.
-
But again, this is a
very tricky question.
-
Exam question can be
similar to this one.
-
And the domain 2,
the next question is,
-
which of the following is most
critical control over database
-
administration, which is the
DBA, approval of DBA activities,
-
segregation of duties in
regard to the rights and access
-
are granting and revoking,
evoking of access logs
-
and activities-- sorry,
review of access logs
-
and activities, review
of use of database tools?
-
So the correct answer is
option B. So why important?
-
It is important for a DBA to
do this-- sorry, conflicting,
-
rather than any of these three
is that other three option does
-
not reduce the risk.
-
This is the only preventative
control that they can apply.
-
So as an auditor, when I'm
coming and seeing the process
-
and saying that the DBA
is reviewing the logs,
-
the DBA is using
the database files,
-
the DBA is using approval
activities, everything is fine.
-
But does he or she deliver
on the fundamental issue
-
in the segregation of duties?
-
That is what will be
my auditor's question.
-
This is where it
is very important.
-
Because as an IS auditor,
you need to think and deliver
-
the answer.
-
Because if you are thinking
as a security analyst,
-
this was a typical security
mind question and answer.
-
I understand from guru's
perspective, he is right.
-
But as an auditor,
you need to think
-
from the other side of the
table, how an auditor will
-
approach this thing.
-
That is where this question
is going to be answered.
-
You can just read the A, C, and
D, why they are not correct.
-
So approval of a database
administration activities
-
does not prevent the combination
of conflicting things.
-
And the C option is, if DBA
activities are improperly
-
approved, review of
access would be--
-
again, that may not
be reducing the risk.
-
Say for an example, if you
have fundamentally approved
-
the access of some
person incorrectly,
-
though you may be monitoring
his or her activities,
-
but the problem is that it will
not be addressed because you
-
have already done something
wrong in the first place,
-
and you cannot correct it just
by monitoring or taking actions
-
of it.
-
And reviewing of the
use of database tools
-
does not reduce the risk.
-
Because it is only
a detective tool.
-
It is only a detective
tool, it is not
-
a preventive or any other
conflicting combination.
-
It will not prevent any
conflict combination.
-
In a small organization
where a segregation of duties
-
is not practical,
an employee performs
-
a function of computer operator
and application programmer.
-
Which of the following controls
should the IS auditor recommend?
-
Automated logging of
changes and development
-
of libraries, additional
staff to provide
-
SoD, procedures that verify only
approved program changes are
-
implemented, access
controls to prevent operator
-
from making program
modifications?
-
Again, this is one of
the trickiest question.
-
The whole point is that whenever
you see some questions relating
-
to the organization size, even
in the exam, make it very clear
-
that the answer might be
dependent upon the size
-
of the organization.
-
If you are a large
organization, like Google
-
or Apple or Facebook, you
can do any of these things.
-
B can be done, A can be done.
-
Of course, D is something
that also can be considered.
-
But it is a small organization.
-
Only a programmer is
dependent upon an operator
-
performing the multiple tasks.
-
What an IS auditor
would recommend
-
will be very, very simple in
terms of procedures that exist,
-
at least in paper, are to say
that only the approved program
-
changes are implemented.
-
Because whenever we see
any question relating
-
to the organization
size, the answers
-
will be highly dependent on
the size of the organization.
-
What might be the best
treatment for a large size
-
organization may not be the
best treatment for a mid-size
-
and a small-size organization.
-
So we need to be very careful
in choosing the answer
-
because two or more options
will look extremely correct
-
because the size
of the organization
-
is going to be very dependent
particular question.
-
We are at the end of domain 2, and
we will be having three more
-
domains to cover.
-
So the next question
is from domain 3.
-
To assist in testing an
essential banking system being
-
acquired, an
organization has been
-
provided the vendor
with sensitive data
-
from its existing
production system.
-
As an IS auditor, the
primary concern that the data
-
should be what?
-
A, sanitized, B, complete, C,
representative, and D, current?
-
Whenever an asset goes out,
even if an asset is sunsetting,
-
if a technology asset
decommissioning is happening,
-
the sanitization part
is an important thing.
-
You don't want the data
or the production data
-
to be visible to
others whenever they
-
are doing the testing,
which might give
-
some opinions about how
the organization is working
-
and what are all the data that
the organization is having.
-
So it is important that we
need definitely or should
-
be opting for A because
it is very important.
-
And test data
should be sanitized
-
to prevent sensitive data from
leaking to unauthorized persons.
-
All the other three options,
although it may seem little bit
-
relevant, but it is
completely not relevant,
-
it is completely incorrect.
-
Which of the following
is a primary purpose
-
for conducting parallel testing?
-
To determine whether the system
is cost effective, to enable
-
comprehensive unit
and system testing,
-
to highlight the errors
in the program interfaces
-
with the files, to
ensure the new system
-
meets the user requirements?
-
It is very simple,
the answer is D. Let
-
me put a perspective over here.
-
So when we have two
systems, say for an example,
-
we have a tally system that's
running currently my accounting
-
things, and we are
going to implement SAP.
-
So tally is perfect
for my organization,
-
but my organization is
going into a billion
-
and a trillion organization.
-
I wish it could.
-
And the whole thing
is that, so in terms
-
with, if the new system
is being implemented,
-
is everything is
being aligned and is
-
everything is as
per the requirement,
-
is everything working as
it was working entirely?
-
That is the primary thing
that I will be looking at it.
-
So that is the reason that
we are going with the option
-
D. The purpose of
the parallel testing
-
is to ensure that the
implementation of new system
-
will meet the user requirements.
-
It can be identified in
the UAT testing itself,
-
but the parallel
testing gives you
-
an idea both the systems
are running in parallel
-
with each other, will give a
fair enough understanding on how
-
the new system is working.
-
In case if there are any
deficiencies in the new system
-
compared to the old
system, how it can be fixed
-
and stuff like that.
-
See all the other testings,
unit and system testings
-
are completed before the
parallel testing, program
-
interfaces with the
files are tested
-
for errors during the system
testing itself and not--
-
and then the parallel testing
because parallel testing happens
-
at the last stage during
the implementation stage,
-
and it's not at the first stage.
-
When conducting a review of the
business re-engineering process,
-
an IS auditor found that
an important preventive
-
control had been removed.
-
In this case, an IS
auditor should, A,
-
inform the management
of the findings
-
and determine whether
the management is
-
willing to accept the risk
potential, B, determine
-
if a detective control has
replaced the preventive control
-
during the process, and C,
recommended that all the control
-
procedures have existed before
the process was re-engineered
-
and included in the new process,
develop continuous audit
-
approach to monitor
the effects of removal
-
of the preventive control?
-
Whatever happens, when you
stumble upon something that
-
is not of what is
as expected, you
-
are supposed to inform the
management then and now.
-
Then look for the
other alternatives
-
or other remedial measures
because the management
-
needs to be informed
that there is a risk,
-
and whether they are willing to
accept this risk of not having
-
a preventive control in place.
-
So in this case, that's
a classic example.
-
And if you see
here, the existence
-
of a detective control instead
of a preventive control
-
usually increases the
risk that the management--
-
increases the risk that the
material problem may occur.
-
So say for an example, if there
is also a detective control,
-
that should be in place.
-
There is a high probability
that the particular process
-
is prone to having
some kind of a control
-
issues and the preventive
control that has been removed.
-
So that is the reason
you need to just inform
-
the management at the first,
and then look for other options.
-
Is it clear?
-
Let me go to the next question.
-
Which of the following
will be considered
-
as the most serious in
an enterprise resource
-
planning software used by
financial organizations?
-
Access controls have
not been reviewed,
-
limited documentation
is available,
-
two-year backup tapes
have not been replaced,
-
database backups are
performed once a day?
-
Give you the correct
answer, which is A,
-
and you can see the explanation.
-
When auditing the requirements
phase of a software acquisition,
-
an IS auditor should--
-
assess the responsibility
of the project timetable,
-
assess the vendor's
proposed quality processes,
-
ensure that the best
software package is acquired,
-
review the completeness
of the specification?
-
The review of the completeness
of the specifications.
-
Whenever you talk
about requirements,
-
there is a specification.
-
So that is what is our
answer talks about.
-
The purpose of the
requirements phase
-
is to specify the functionality
of the proposed system.
-
Therefore, an IS auditor
would concentrate more
-
on the completeness
of the specification.
-
Assessing vendor
quality process would
-
come after the requirements.
-
So you have analyzed
the requirements,
-
then you are going
for the vendor,
-
this A vendor or B vendor.
-
That is where your things
will come into the picture.
-
Analyzing the
organization's ability,
-
whether they are able to
support, whether they are
-
a big organization, like
a Microsoft or Oracle
-
or they are a small
organization, of something
-
happening out of
somewhere in the world,
-
or whether they are able
to fulfill the obligations,
-
whether the quality process
is good and everything.
-
So this is how you critically
think because this is a stepped
-
approach.
-
As I told, if there is a stepped
approach in some process,
-
say for an example,
change management,
-
how do you promote the changes?
-
I think the CRM gives you
a very detailed explanation
-
on how the changes are being
promoted, change management,
-
and how RFP is raised.
-
In the domain 3, it
talks about the RFPs,
-
how a software is
being acquired,
-
how off-the-shelf software
is being acquired,
-
how the requirements are built,
how the requisition for proposal
-
is built. So these kind of
things are phased approaches,
-
and you have to bound the answer
only to the phased approaches.
-
So the next question
is, an organization
-
decides to purchase a
software package instead
-
of developing it.
-
In such case, the design
and development phases
-
of a traditional software
development cycle
-
would be replaced with--
-
selection and
configuration phases,
-
feasibility and
requirements phases,
-
implementation and testing
phases, nothing, as replacement
-
is not required?
-
It is very simple question.
-
Just now I told about
the steps involved.
-
This question, the option
A is the correct answer
-
because of the fact that the
design element is taken out.
-
Instead of developing it,
you're going to buy outside.
-
So what happens is the selection
and the configuration phases
-
come into the picture.
-
Feasibility and the
requirements comes only
-
in terms of design requirements.
-
So if you see the answer
reasoning over here,
-
with the purchased
package software, design
-
and development phases
of a traditional
-
life cycle have
become replaceable
-
with selection and
configuration phases.
-
A request for
proposal form, which
-
is the RFP I was talking about,
from the supplier package
-
is called for and evaluated
against the predefined criteria
-
for selection
before a decision is
-
made to purchase the software.
-
Thereafter, the configuration is
to meet with the organization's
-
requirements.
-
If you take the option B, the
other phases of the system
-
development, SDLC, such as
feasibility study, requirements,
-
definition, implementation
and post-implementation,
-
remain unaltered because
it is very simple.
-
You are not going to
define any requirements.
-
Say for an example, if
I am going to Subway,
-
I am going to say very clearly
that you need to put me
-
these toppings, like jalapenos.
-
I don't want to trigger any
kind of hunger mode over here.
-
But I am just telling for an
example over here because this
-
is as simple as going to a
Subway versus McDonald's.
-
So if I go to Subway, I
customize my bread, along
-
with the toppings
that I require.
-
These are the sausages.
-
These are the toppings
that I require.
-
But if I go to make
[INAUDIBLE], that
-
is very clear that they
have a predefined elements.
-
And among the predefined
things, what is closely
-
matching with my requirements?
-
I need to choose.
-
Probably I can customize it.
-
I can say, please
don't add mushrooms.
-
I don't like mushrooms.
-
I can say that.
-
That is to do with the
configuration part.
-
But again, I cannot completely
design some new product
-
and the requirements
and the feasibility.
-
Everything has been
taken off the shelf.
-
Which of the following
procedure should
-
be implemented to help
to ensure completeness
-
of inbound transactions via
electronic data interchange?
-
I think the EDI topic, you will
be seeing quite a lot in the CRM
-
as well, as sometimes
in the exams as well.
-
So this is a hint.
-
So segment counts built into
the transaction set trailer.
-
A log of number of messages
received, periodically
-
verified with the
transaction originator.
-
An electronic audit trail of
accountability in tracking.
-
Matching the
acknowledgment transactions
-
received to the log
of EDI messages sent.
-
The EDI is one of my
favorite topics, I would say.
-
Because while I was
studying for the exams,
-
I did a very hard work to
understand this EDI concept.
-
So all the other options, if
you see one way or the other,
-
talks about some form of
auditing methodologies
-
and acknowledgment of
transactions received.
-
Acknowledgment of
transactions is just
-
to verify whether it has been--
-
to check the originator
or origination
-
of that particular transaction.
-
An electronic audit trail is
an accountability in tracking.
-
Yes, of course, it
tracks the audit trail
-
of the account for auditability.
-
Sorry, for accountability
and tracking.
-
But none of the options
are actually close to A
-
because A is the correct answer.
-
Controls total built
into the trailer record
-
of each transaction
or each segment
-
is the only option
that will ensure
-
that individual transactions
are sent or received completely.
-
So electronic data
interchange is one concept
-
that you need to be very,
very familiar with because EDI
-
is being used at
every ERP, everything
-
that you see in
the current system.
-
Because if one system is
talking, say for an example,
-
if [INAUDIBLE] is talking
to Oracle or JD Edwards
-
or any other things
for that matter,
-
they are talking in the language
of EDI with an XML file.
-
So each transaction
that is being
-
sent as an inbound
transaction and sent
-
as an outbound transaction from
one system to another system,
-
they need to have
an individual count,
-
and they need to have
an individual receipt
-
of transaction.
-
That is the reason why we
need to match it accordingly.
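The trailer-record control total described above, as an added example that is not part of the session or of ISACA's material. It assumes a simplified transaction set modelled on the X12 ST/SE envelope, in which the SE trailer carries the number of segments in the set (ST and SE included) and repeats the ST control number; the purchase-order segments are constructed sample data. A receiver that recomputes the count can tell a complete set from one that lost a segment in transit, which is exactly what a log of message counts or an acknowledgment cannot show.

```python
"""Trailer-record control counts for inbound EDI completeness.

Added example, not from the session or from ISACA material.  The
transaction set is a simplified one modelled on the X12 ST/SE envelope:
the SE trailer carries the number of segments in the set (ST and SE
included) and repeats the control number from the ST header.  A receiver
that recomputes the count and compares it with the trailer can tell a
truncated or altered set from a complete one.  All sample data below is
constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

SEGMENT_TERMINATOR = "~"
ELEMENT_SEPARATOR = "*"


@dataclass(frozen=True)
class CheckResult:
    control_number: str
    expected_segments: int   # count claimed by the SE trailer
    actual_segments: int     # count the receiver actually observed
    complete: bool
    reason: str


def split_segments(raw: str) -> list[list[str]]:
    """Split a raw transaction set into segments, each a list of elements."""
    return [seg.split(ELEMENT_SEPARATOR)
            for seg in raw.strip().split(SEGMENT_TERMINATOR)
            if seg.strip()]


def check_transaction_set(raw: str) -> CheckResult:
    """Recompute the segment count and compare it with the SE trailer."""
    segs = split_segments(raw)
    if not segs or segs[0][0] != "ST":
        return CheckResult("", 0, len(segs), False, "missing ST header")
    st_control = segs[0][2] if len(segs[0]) > 2 else ""
    trailer = segs[-1]
    if trailer[0] != "SE":
        # The set was cut off in transit: the trailer never arrived.
        return CheckResult(st_control, 0, len(segs), False, "missing SE trailer")
    try:
        expected = int(trailer[1])
    except (IndexError, ValueError):
        return CheckResult(st_control, 0, len(segs), False, "unreadable SE count")
    se_control = trailer[2] if len(trailer) > 2 else ""
    if se_control != st_control:
        return CheckResult(st_control, expected, len(segs), False,
                           "ST/SE control number mismatch")
    if expected != len(segs):
        return CheckResult(st_control, expected, len(segs), False,
                           f"received {len(segs)} segments, trailer claims {expected}")
    return CheckResult(st_control, expected, len(segs), True, "ok")


# Constructed sample: a complete set of 6 segments (ST, 4 detail, SE).
COMPLETE_SET = (
    "ST*850*0001~"
    "BEG*00*SA*PO-1001**20240101~"
    "N1*BY*Example Buyer~"
    "PO1*1*10*EA*4.50**VP*ITEM-1~"
    "CTT*1~"
    "SE*6*0001~"
)

# Constructed sample: the same set with the PO1 line dropped in transit.
# The trailer still claims 6 segments but only 5 arrived.
TRUNCATED_SET = (
    "ST*850*0001~"
    "BEG*00*SA*PO-1001**20240101~"
    "N1*BY*Example Buyer~"
    "CTT*1~"
    "SE*6*0001~"
)

if __name__ == "__main__":
    for label, data in (("complete", COMPLETE_SET), ("truncated", TRUNCATED_SET)):
        print(label, check_transaction_set(data))
```

The check is deliberately ordered so that a missing trailer, a control-number mismatch and a short count each produce a distinct reason; in a real EDI gateway each of those would be logged and the set rejected rather than posted.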
-
Let me move on to
the next question.
-
So that ends the domain 3,
and we are now into domain 4.
-
So the domain 4 starts--
-
I think domain 4 is all about
the information security assets,
-
different types of
information security assets,
-
and BCP and BRP.
-
So which one of the following
provides the best method
-
for determining the
level of performance
-
by similar information
processing facility
-
environments?
-
User satisfaction, B, goal
accomplishment, C, benchmarking,
-
and D, capacity and
growth planning?
-
So it is actually
the C, benchmarking,
-
because whenever we
wanted to ascertain
-
any level of performance--
we talked about dashboards.
-
Dashboards gives us what our
organization is performing.
-
And in terms of what the
other organizations are doing,
-
the best way to identify
is to benchmark.
-
Say for an example, I
am working in a big 4,
-
and I want to
ascertain the value
-
of what others are doing, what
I am doing compared to others.
-
The only thing that we need
to do is the benchmarking.
-
So that is very important,
that we do the benchmarking
-
among our competitors and
similar facility environments.
-
Let me move on to
the next slide.
-
So which one of the following
is the most effective method
-
for IS auditor to use in testing
the program change management
-
process?
-
Trace from system-generated
information
-
to the change management
documentation.
-
Examine change
management documentation
-
for the evidence of accuracy.
-
Trace from change
management documentation
-
to a system-generated
audit trail.
-
Or examine change
management documentation
-
for evidence of completeness.
-
So this is a very
tricky question again.
-
The correct answer
is A, trace from
-
system-generated information
to the change management
-
documentation.
-
They are talking about
most effective method.
-
By virtue of saying that
most effective method,
-
two options are correct.
-
A and C are extremely correct.
-
B and D are extremely incorrect
because of the fact that when
-
you check the
documentation only,
-
you cannot derive any
accuracy out of it,
-
derive any
completeness out of it.
-
So B and D, or C or D is
a straight elimination.
-
But what happens
with the A and C
-
is that when you do it from
the documentation perspective
-
and then go to the system audit
trail, it is still correct.
-
It is still correct,
and some of the auditors
-
do still practice it.
-
But what happens
is, you sometimes
-
miss the perspective
out of it, and your mind
-
starts to think why a specific
thing that we will start
-
thinking, it needs to be there.
-
But when you extract the
system-generated information
-
and then check with
the documentation,
-
whether this is the correct
way of doing things or not,
-
then that is the
most probable factor
-
you will stumble upon any gaps.
-
So when testing the
change management,
-
IS auditor should
always start with
-
the system-generated evidences,
information containing the date
-
and time module
last it was updated,
-
and trace it back to the
documentation authorizing it.
-
Because, see, it is like
finding a needle in a haystack.
-
So what happens is,
for every transaction,
-
you need to have an approval.
-
It is not like for every
transaction approval,
-
whether there is a corresponding
system entry or not.
-
Some might have even
not been deployed.
-
So what happens
is the risk of not
-
detecting undocumented changes.
-
That is what is the problem
here because whatever is there
-
in the documentation is
documented, and it is fine.
-
That is the difference
between C and D.
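The two tracing directions compared above, as an added example that is not part of the session and not ISACA material. It assumes a constructed "last modified" log for program modules as the system-generated evidence and a constructed register of approved change tickets as the documentation; module names, ticket IDs, users, dates and the seven-day approval window are all invented for the illustration. Tracing from the system log finds the change that has no ticket; tracing from the register only finds tickets that were never deployed and has no view of undocumented changes.

```python
"""Tracing system-generated change evidence back to change documentation.

Added example, not from the session and not ISACA material.  It uses a
constructed "last modified" log for program modules (the system-generated
evidence) and a constructed register of approved change tickets.  Tracing
starts from the system log, as the session recommends, so that a change
with no approving ticket is surfaced; tracing from the register to the
system only confirms that approved changes were deployed and cannot see
undocumented ones.  Module names, ticket IDs, users and dates are invented.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SystemChange:
    """One row of system-generated evidence: module, last modified, by whom."""
    module: str
    modified_on: date
    modified_by: str


@dataclass(frozen=True)
class ChangeTicket:
    """One approved change record from the change-management documentation."""
    ticket_id: str
    module: str
    approved_on: date


def parse_system_log(lines) -> list[SystemChange]:
    """Parse constructed 'module,YYYY-MM-DD,user' lines; '#' lines are comments."""
    changes = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        module, modified, user = (part.strip() for part in line.split(","))
        changes.append(SystemChange(module, date.fromisoformat(modified), user))
    return changes


def ticket_for(change: SystemChange, tickets, window_days: int = 7):
    """Return the ticket that authorises this change, or None.

    A ticket supports a change when it names the same module and was
    approved no more than window_days before the modification.  The window
    is an assumption of this example, not a standard."""
    for t in tickets:
        delta = (change.modified_on - t.approved_on).days
        if t.module == change.module and 0 <= delta <= window_days:
            return t
    return None


def undocumented_changes(changes, tickets, window_days: int = 7) -> list[SystemChange]:
    """System -> documentation: changes with no approving ticket (the audit finding)."""
    return [c for c in changes if ticket_for(c, tickets, window_days) is None]


def unimplemented_tickets(tickets, changes, window_days: int = 7) -> list[ChangeTicket]:
    """Documentation -> system: approved tickets with no matching system change.

    This direction can never surface a change that has no ticket at all."""
    return [t for t in tickets
            if not any(ticket_for(c, [t], window_days) is t for c in changes)]


# Constructed system-generated evidence (module last-modified log).
SYSTEM_LOG = """
# module,last_modified,modified_by
payroll_calc,2024-03-04,dev_alice
gl_posting,2024-03-06,dev_bob
tax_rates,2024-03-09,dev_alice
"""

# Constructed change register: approved tickets only.
TICKETS = [
    ChangeTicket("CHG-101", "payroll_calc", date(2024, 3, 1)),
    ChangeTicket("CHG-102", "gl_posting", date(2024, 3, 5)),
    ChangeTicket("CHG-103", "report_export", date(2024, 3, 7)),
]

if __name__ == "__main__":
    changes = parse_system_log(SYSTEM_LOG.splitlines())
    print("undocumented changes:", [c.module for c in undocumented_changes(changes, TICKETS)])
    print("approved but not deployed:", [t.ticket_id for t in unimplemented_tickets(TICKETS, changes)])
```

Run as written, the system-to-documentation pass flags the tax_rates modification, which no ticket covers, while the documentation-to-system pass only reports CHG-103 as approved but not deployed and says nothing about tax_rates.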
-
The classification based on
the criticality of a software
-
application is a part of IS
business activity continuity
-
plan determined by the--
-
nature of the
business and the value
-
of the application
to the business,
-
replacement cost
of the application,
-
vendor support available
for the application,
-
associated threats
and vulnerabilities
-
of the application.
-
So the correct answer is A,
so the nature of the business
-
and the value of the application
towards the business.
-
So rest of the
other options seems
-
a little bit irrelevant to
this question, the replacement
-
cost of the application.
-
So why it is even
important to understand?
-
And the vendor support
is not a relevant factor
-
because determining the
criticality classification.
-
The associated threats
and vulnerabilities
-
will be evaluated only if
the application is deemed
-
to be critical to the business.
-
So rest of the other
options are not correct.
-
The next question is, when
conducting an audit of a client
-
server database
security, the IS auditor
-
should be most concerned
about the availability of--
-
system utilities, application
program generators,
-
system security documentation,
access to stored procedures.
-
So the whole point is
availability of what?
-
So the point is system security
documentation, of course,
-
it is required.
-
The problem here is that
it should be required only
-
for a few specific set of people
whom the organization wants
-
to give the access
to the documentation.
-
Not every junior-level employee
can have the security
-
documentation in place.
-
And B is completely irrelevant
because application program
-
generators, it's not.
-
In the correct shop,
actually the correct option
-
is option A, system utilities.
-
System utilities may
enable unauthorized changes
-
to be made to the data
on a client server model.
-
Because if you read the
database model very clearly,
-
there are certain
system utilities
-
you should not give access to,
because the system utilities
-
will bypass the
security controls
-
and the access
controls, and the person
-
will be still having ability to
make some unauthorized changes.
-
People who have read the
database of security model,
-
I think they will be
clear with this answer
-
because the fundamental thing
is that it's a system utility.
-
Say for an example, that
is the reason why we
-
do the hardening of the system.
-
We will delete access
to the unwanted things
-
that is not required as
a part of the system.
-
Let me move on to
the next question.
-
When reviewing a network used
for internet connections,
-
an IS auditor will
first examine the what?
-
Validity of the password
changes occurrence,
-
architecture of the
client server application,
-
network architecture
design, firewall protection
-
and proxy servers?
-
So I think unanimously
people are answering
-
for C. That is the correct
answer as well because you need
-
to understand what a network
architecture and design is all
-
about, about that
particular communication.
-
So B may seem a
little bit irrelevant
-
to this particular
thing because firewall
-
comes after the whole thing
of understanding network
-
architecture.
-
And B is also the
second, but it's not
-
as the first important thing, C.
-
I will tell you the difference
between C and B. Understanding
-
the network architecture design
is starting point of identifying
-
various layers of the
security architecture
-
across the various layers, such
as client server applications.
-
But in first or
in principle, what
-
you need to do is
the first step,
-
we need to understand the
network architecture as a whole.
-
Then you go to the client server
model, how it is designed.
-
That is how you
need to take things.
-
Again, this is a
step-based approach,
-
like how you approach BCP,
DRP, and change management.
-
This is, again a
step-based approach.
-
Data mirroring
should be implemented
-
as a recovery strategy when?
-
RPO is low, RPO is
high, RTO is high,
-
disaster tolerance is high?
-
It is a very easy question.
-
If you have understood
the concept of RPO or RTO,
-
this is a very easy question.
-
So the correct answer
is RPO, B, which is low.
-
So recovery point
objective is the earliest
-
in the point in which it
is acceptable to recover.
-
So recover the data,
in other words,
-
RPO indicates the age
of recovered data.
-
And so what happens is the
organization cannot afford
-
to lose even a few
minutes of data.
-
In such case, data mirroring
should be used, usually used
-
as a recovery strategy.
-
So I think one of the last
questions with domain 4 will be,
-
which of the
following components
-
of business continuity
plan primarily
-
responsible for
organizational IS department?
-
Developing the business
continuity plan,
-
selecting and approving
the recovery strategies
-
used for business continuity
plan, declaring a disaster,
-
or restoring the IT systems
and data after disaster?
-
Following components of
primarily the responsibility
-
of the organization's
IS department primarily?
-
So when you see
the primarily, what
-
is the primarily objective of
the IS department in relation
-
with the business
continuity plan?
-
So restore the data is
very, very important.
-
At the end of the day, what
is the end game of that?
-
Whenever a disaster struck--
-
disasters has
already struck, fine,
-
what we are going to do now?
-
Now we are going to
temporarily run the business
-
on the other show, with the
backups and stuff like that,
-
with the skeleton
staff, whatever.
-
But maybe the
primary objective is
-
that it is always to
restore the IT systems
-
and data after a disaster.
-
That is what is correct
and also [INAUDIBLE].
-
You can see the
explanation over here.
-
Members of the organization's
most senior management
-
are primarily responsible
for overseeing
-
the development of the
business continuity plan
-
and are accountable
for the results.
-
So IS team is not
responsible for that.
-
It is the business and
the senior management
-
who is responsible for
because that's their business.
-
Management is also accountable
for selecting and approving
-
all strategies.
-
That is, again, to do with
the individual business.
-
Cool.
-
So that brings me to the domain
5, the most technical domain,
-
if I'm not wrong.
-
The longest domain
in the book as well.
-
The first question
is, an IS auditor
-
is reviewing the configuration
of a signature-based intrusion
-
detection system,
which is the IDS,
-
would be the most concerned
if which of the following
-
is discovered?
-
Auto update is turned off,
scanning for application
-
vulnerability is disabled,
analysis of encrypted data
-
packets are disabled,
IDS is placed
-
between a demilitarized
zone and the firewall?
-
A, auto update is turned off.
-
So even in our home,
when we are running
-
Kaspersky, Norton or whatever
security thing, the intrusion--
-
not intrusion, but
antivirus software,
-
the signature is very important.
-
It will get updated twice
or thrice or even five
-
times in a day, depending
upon what is the situation.
-
So what happens is, when
you have turned this off--
-
God knows when you
have turned it off
-
and how many days the
system is not updated.
-
That is the most important risk
in anything, whenever the IDS--
-
because when a signature-based
IDS is looking for patterns
-
and the pattern is not
recently updated for a recent
-
vulnerability, what happens?
-
Your system is as good
as not protected.
-
Whenever you are reading
this answer reasoning, even
-
in the CRM, even in the
question and answers bank,
-
I request you all to read
all the four options,
-
why it is correct,
why it is not correct,
-
and to get familiarized.
-
Say for example, in this, the
completely irrelevant option is B.
-
But they have given
good information
-
on a demilitarized zone or DMZ.
-
So this can be used in
some other question, which
-
might be all dealing with DMZ.
-
Let me move on to
the next question.
-
An IS auditor has just completed
a review of an organization
-
that has a mainframe computer
and two database servers where
-
all the production data reside.
-
Which one of the
following weaknesses
-
should the IS auditor
consider the most serious?
-
The security officer also serves
as a database administrator.
-
Password controls
are not administered
-
over two database servers.
-
There is no business continuity
plan for the mainframe system's
-
non-critical applications.
-
Most local data networks do
not back up file server
-
fixed disks regularly.
-
So the correct answer
is B, password controls
-
are not administered over
two database servers.
-
So the absence of password
controls on the two database
-
servers, where the
production data resides,
-
is the most critical.
-
Because again, this question
talks about the most.
-
There are two options
which are correct, of course.
-
And what you need to
look for is the one
-
which is most apt given the
situation and the scenario.
-
So let me go on to
the next question.
-
An insurance company is using
public cloud computing
-
for one of its critical
applications to reduce cost.
-
Which of the following
would be of most
-
concern to the IS auditor?
-
The inability to
recover the service
-
in a major technical
failure scenario.
-
The data in shared
environment being
-
accessed by other companies.
-
The service provider not
including investigative support
-
for incidents.
-
The long-term viability of the
service if the provider goes out
-
of business.
-
So that is actually
the correct answer.
-
Considering that an
insurance company
-
must preserve the privacy and
confidentiality of the customer
-
information, unauthorized access
to the information and the data
-
leakage are the
two major concerns.
-
The next question.
-
Which one of the
following best determines
-
whether the complete encryption
or the authentication
-
protocol for
protecting information
-
while being transmitted exists?
-
A digital signature with the
RSA that has been implemented.
-
Work has been done in
the tunnel mode nested
-
with the services of AH,
which is the authentication
-
header, and encapsulating
security payload, which
-
is the ESP.
-
Digital certificates
with the RSA being used.
-
Work is being done in transport
mode of the nested services
-
of AH and ESP.
-
Quite a tricky technical
question, I would say.
-
And to remind you, I
have studied these things
-
quite cumbersomely
because I didn't even
-
understand a single word when
I was doing it the first time.
-
Transport mode, tunnel
mode, everything
-
was Greek and Latin for me.
-
B is the correct answer.
-
Tunnel mode provides
encryption and authentication
-
of the complete IP packet,
including the authentication
-
header and the encapsulating
security payload, which is ESP.
-
Transport mode provides it
only at higher layers, like the data
-
fields and the payload
of an IP packet.
-
So those are the
two differences.
-
Actually, as I said,
a digital certificate
-
provides only
authentication and integrity,
-
and does not provide
anything beyond that.
-
And whenever you see any digital
signature versus encryption,
-
I think a digital certificate
is only there to provide
-
authentication.
-
It doesn't provide
any other thing.
-
It doesn't provide
even confidentiality.
-
It doesn't provide
any availability
-
or any of the things.
-
Which one of the following
characterizes distributed denial
-
of service attack, DDoS?
-
Central initiation of
intermediary computers
-
to detect simultaneous attacks,
surplus message traffic
-
and specified target site.
-
Local initiation of
intermediary computers
-
to detect simultaneous and
spurious message traffic
-
at a specific target site.
-
Central initiation
of primary computer
-
to detect spurious message
traffic at multiple sites.
-
And local initiation of
intermediary computers to direct
-
staggered spurious
message traffic
-
at a specific target site.
-
Again, this is a
confusing question,
-
but the answer is very simple.
-
That is the correct
answer as well.
-
So what happens with
the DDoS attack is
-
that one controller system
or one primary system
-
will be controlling so
many zombie computers,
-
and the administrator will
launch an attack, and these zombie
-
computers will start sending
packets to the primary target.
-
By flooding their
traffic, they will
-
be having some kind of issue.
-
Say for example, if Amazon is
putting on an Independence Day sale,
-
I want to affect this sales
by targeting their servers.
-
I can launch this attack
using the zombie computers,
-
and they will attack on
behalf of [INAUDIBLE],
-
and I will be controlling
the zombie computers.
-
And what happens
next is God knows.
-
So again, our DDoS attacks
are not locally initiated.
-
They are not staggered.
-
They are not initiated
using a primary computer.
-
So last question for this
day, which of the following
-
is the most effective
preventive antivirus control?
-
Scanning the email
attachments on the mail server.
-
Restoring the systems
from clean copies.
-
Disabling universal serial
bus ports, which is the USB.
-
An online antivirus scan
with up-to-date antivirus
-
definitions.
-
Correct answer is actually
D. But why not B and C?
-
It is completely irrelevant.
-
It doesn't talk anything
about antivirus or anything
-
because it's just
restoring systems
-
from clean copies, which is
the most baseline thing that we do.
-
And disabling USB.
-
I think disabling USB should
be an incorrect option again.
-
You can disable the
USB, but still the system
-
can read the USB file when
it has [INAUDIBLE].
-
So D would be the most
appropriate answer
-
for this one because of the
fact that antivirus can be
-
used to prevent virus attacks.
-
By running regular
scans, it can also
-
be used to detect virus
infections that have already
-
occurred.
-
Regular updates
of the software are
-
required to ensure it is able
to update, detect and correct
-
viruses as they emerge.
-
So again, the important
thing that you need to know
-
is that a signature-based
system, as always,
-
should be kept up to date.
-
But not a heuristic--
-
not a knowledge-based system.
-
Sometimes you'll be
having a conflict
-
between heuristic and
signature-based and all
-
that stuff.
-
You need to be very clear
which system talks about what.
-
Because some systems, like IDPS,
which talk about the anomalies,
-
will not talk about
system signatures.
-
They will talk about
only the anomalies.
-
Say for example,
these anomalies
-
will be studied
for certain dates
-
so that the regular
traffic will be like this.
-
And anything beyond
this regular traffic
-
will be flagged as
incorrect traffic
-
or non-relevant traffic.
-
And it will be quarantined,
and it will not
-
be allowed by the intrusion
detection system.
-
And sometimes it can be
prevented from entering
-
our servers as well.
-
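The anomaly-based detection just described, as an added example that is not part of the session: regular traffic is studied over a training window, a threshold is learned from it, and live traffic beyond that threshold is flagged and its source marked for quarantine. The baseline figures and the live observations (addresses in the 10.0.0.0/8 range) are constructed for the example; no signature of any specific attack is involved.

```python
import statistics
from collections import Counter

# Constructed training window: requests per minute seen on known-normal
# days (the "certain dates" over which regular traffic is studied).
BASELINE_RPM = [118, 125, 130, 122, 127, 119, 133, 124, 121, 128, 126, 123]

# Constructed live observations: (minute, source address, requests per minute).
# The last two rows simulate a flood from one source far above the baseline.
LIVE_TRAFFIC = [
    ("09:00", "10.0.0.5", 124),
    ("09:01", "10.0.0.7", 129),
    ("09:02", "10.0.0.5", 127),
    ("09:03", "10.0.0.9", 910),
    ("09:04", "10.0.0.9", 1350),
]


def learn_baseline(samples, k=3.0):
    """Learn what regular traffic looks like: return (mean, threshold).
    Anything above mean + k * standard deviation is treated as anomalous."""
    mean = statistics.fmean(samples)
    stdev = statistics.pstdev(samples)
    return mean, mean + k * stdev


def detect_anomalies(traffic, threshold):
    """Flag every observation whose request rate exceeds the learned threshold."""
    return [(minute, src, rpm) for minute, src, rpm in traffic if rpm > threshold]


def quarantine_decision(anomalies):
    """Count anomalous minutes per flagged source. An IDPS would block
    (quarantine) these sources; a pure IDS would only raise an alert."""
    return Counter(src for _, src, _ in anomalies)


def run(baseline=BASELINE_RPM, traffic=LIVE_TRAFFIC):
    """Full pipeline: learn the profile, flag deviations, decide what to quarantine."""
    _, threshold = learn_baseline(baseline)
    flagged = detect_anomalies(traffic, threshold)
    return {"threshold": round(threshold, 1),
            "flagged": flagged,
            "quarantine": dict(quarantine_decision(flagged))}
```

Note that the 124-129 requests per minute in the live rows pass untouched, while the two flood minutes are flagged without any prior knowledge of the flood's pattern.
-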
So that brings me to
the end of this session.
-
Thanks a lot everybody.
-
I'll wind up the session.
-
Thank you for your patience
and listening to me.
-
And it was a very
fruitful session.
-
I appreciate it.