Information Security Auditing

Unit 1

1. How does an auditor understand and cater to the increasing demand for information system
audits in an organization

Ans Understanding the Demand for IS Audits

Modern business culture is moving rapidly with requirements for more visible transparency into an
organization’s inner workings. With all the fraud, corruption, and controversy, there is far less trust
now. Dramatically more testing is being required to reduce the chances of new and recurring insider
corruption. Greed is a powerful motivator to some individuals in authority. Bad underwriting creates
profits today with bonuses in executive pay, which will result in financial losses in a distant tomorrow.

For decades, the dominant control placed upon an organization was the financial audit. Although
theft and fraud have always existed, the general expectation was that almost all organizations could
be trusted without additional regulations. We expected management to be honest. Well, those naive
days are over. Welcome to the new world, which has a growing number of intrusive regulations.
Modern business culture is moving rapidly to less trust and more testing.

More than 1,000 successful corporate fraud convictions by the U.S. Securities and Exchange
Commission (SEC) from 2002–2005 include the following:

• 92 corporate presidents

• 86 chief executive officers (CEOs)

• 40 chief financial officers (CFOs)

• 14 chief operating officers (COOs)

• 98 vice presidents (VPs)

• 17 attorneys (lawyers serving as corporate council)

All regulations require businesses to possess two simple components:

• Evidence of business integrity

• Evidence of internal controls to protect valuable assets

An asset is defined as anything of value, including trademarks, patents, secret recipes, durable goods,
data files, competent personnel, and clients. Although people are not listed as corporate assets, the
loss of key individuals is a genuine business threat.

We can define a threat as a negative event that would cause a loss if it occurred. The path that allows
a threat to occur is referred to as vulnerability. Your job as an IS auditor is to verify that assets,
threats, and vulnerabilities are properly identified and managed to reduce risk.

As an IS auditor, you must be familiar with the various policies, standards, and procedures of any
organization or company that you are auditing. In addition, you must understand the purpose of your
audit.
2. How does a professional auditor navigate the complexities of ethical consideration within the
auditing process?

Ans Understanding Professional Ethics

Ethics is about knowing what is right versus what is wrong and doing the right thing each time.
Ethical professionals will place the client’s interest ahead of their own provided the client is
acting in a forthright, honest manner. Auditors are usually bound by more than one set of
professional standards. An auditor is expected to honor the laws plus abide by the rules of their
professional certification. Every CISA is required to follow ISACA’s code of ethics in addition to
those of any other organization to which the auditor belongs.

Following the ISACA Professional Code

The Information Systems Audit and Control Association (ISACA) set forth a code governing the
professional conduct and ethics of all certified IS auditors and members of Understanding
Professional Ethics the association. It’s basically the same for any type of industry auditor. As a
CISA, you agree to be bound to upholding this code. The following eight points represent the
true spirit and intent of this code:

•Auditors agree to support the implementation of appropriate policies, standards, and

procedures for information systems.

• Auditors agree to perform their duties with objectivity, professional care, and due diligence in
accordance with professional standards implementing the use of best practices. Auditors’ duty is
to provide consistency in measurement, testing, and reporting of test results.

• Auditors agree to serve the interests of stakeholders in an honest and lawful manner that
reflects a credible image upon their profession. The public expects and trusts auditors to conduct
their work in an ethical and honest manner.

• Auditors promise to maintain privacy and confidentiality of information obtained during their
audit except for required disclosure to legal authorities. Information they obtain during the audit
will not be used for personal benefit.

• Auditors agree to undertake only those activities in which they are professionally competent
and will strive to improve their competency. Auditors normally function as project coordinators
and analysts using the work of technically qualified specialists not involved in the items being
audited. The effectiveness in auditing depends on how evidence samples are gathered, the
analysis procedure used, independence from the decision, and how test results are reported.

• Auditors are obligated to report the current state as it existed prior to the start of the audit.
When they find something wrong, they report the finding and whether it’s been fixed yet. They
promise to disclose accurate results of all work and significant facts to the appropriate parties.

• Auditors agree to support ongoing professional education to help stakeholders enhance their
understanding of information systems security and control. Facilitating the use of control self‐
assessment (CSA) is a good way to help educate stakeholders to see their problems. Auditors
never have any role in remediating the problems discovered.

• The failure of a CISA to comply with this code of professional ethics may result in an
investigation with possible sanctions or disciplinary measures.
Ethics statements are necessary to demonstrate the level of honesty and professionalism
expected in the industry. Overall, professional responsibility requires you to be honest and
fair in all representations you make. The goal is to build trust with clients. Your behavior
should reflect a positive image on your profession.
3. What consideration go into preplanning specific audits and how does it set the stage for a
successful audit?

Ans the stages of Audit process.

There are 10 audit stages to be aware of when performing an audit. CISAs need to be aware of their
duties in each of these stages:

■ Approving the audit charter or engagement letter

■ Preplanning the audit

■ Performing a risk assessment

■ Determining whether an audit is possible

■ Performing the actual audit

■ Gathering evidence

■ Performing audit tests

■ Analyzing the results

■ Reporting the results

■ Conducting any follow‐up activities

Define and explain in details about Establishing and Approving an Audit Charter

The first audit objective is to establish an audit charter, which gives you the authority to perform an
audit. The audit charter is issued by executive management or the board of directors.

The audit charter should clearly state management’s assertion of responsibility, their objectives, and
delegation of authority.

An audit charter outlines your responsibility, authority, and accountability: Responsibility Provides
scope with goals and objectives Authority Grants the right to perform an audit and the right to
obtain access relevant to the audit Accountability Defines mutually agreed‐upon actions between
the audit committee and the auditor, complete with reporting requirements.

Explain Role of the Audit Committee

Each organization should have an audit committee composed of business executives. Each audit
committee member is required to be financially literate, with the ability to read and understand
financial statements, including balance sheets, income statements, and cashflow statements. The
audit committee members are expected to have past employment experience in accounting or
finance and have held certification in accounting (certified public accountant, or CPA). An investor or
chief executive officer with comparable financial sophistication may be a member of an audit
committee.

The purpose of the audit committee is to provide advice to the executive accounting officer
concerning internal control strategies, priorities, and assurances. It is unlikely that an executive
officer will know every detail about the activities within their organization. In spite of this, executive
officers are held accountable for any internal control failures. Audit committees are not a substitute
for executives who must govern, control, and manage their organization. The audit committee has
delegated the authority to review and challenge the assurances of internal controls made by
executive management.

The audit committee is expected to maintain a positive working relationship with management,
internal auditors, and independent auditors. The committee manages planned audit activities and
the results of both internal and external audits. The committee is authorized to engage outside
experts for independent assurance. Both internal auditors and external auditors will have escalation
procedures designed to communicate significant weaknesses that have been identified

The audit committee is responsible for issuing the audit charter to grant the authority for internal
audits. The audit charter should be approved by the highest level of management as well as the audit
committee. Authority also needs to be granted for an independent audit. A document called an
engagement letter grants authority for an independent external audit.
4. What steps are involved in generating and reporting audit findings, and how does this contribute
to the overall audit overcome?

Ans What is the Report Findings?

Reporting is the process by which the auditor conveys to management their findings, including the
following:

• Audit scope

• Audit objectives

• Methods and criteria used

• Nature of findings

• Extent of work performed

• Applicable dates of coverage

In addition, your final report should state any restrictions, reservations, or qualifications (concerns)
that you have in relation to the audit. You may provide a final opinion or no opinion based on these
potential limitations. If you offer an opinion, it may be qualified or unqualified:

 A qualified opinion means there are restrictions on the nature or the content of the findings.

 An unqualified opinion has no restrictions on its use because the findings have no reservations.

Statement on Auditing Standards (SAS), the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) internal controls framework, and the IT Governance Institute (ISACA‐ITGI)
publish several points of information that should be included in the final report. Consult their
publications for specific details. In summary, the recommendations include the following:

 A title that includes the word independent (for an external audit)

 The applicable date of the report

 Identification of the parties and subject matter

 An executive summary

 Any visual representations, charts, graphs, or diagrams

 A statement of the standards followed during the audit

 A statement of the procedures performed, and whether they were agreed to by the specified
parties

 Any necessary disclaimers

 A statement of additional procedures, if performed

 A statement of restrictions on the use of the report

 A statement of any auditor concerns, reservations, or qualifications to the audit

 Detailed findings and your opinion

 Your signature and contact information

 After producing the final report, you will need to meet with the auditee and management to
review the findings.

 The primary purpose of this meeting is not to change your findings but to obtain acceptance and
agreement by the auditee.

 This is the final quality‐control check before issuing your final report. You want to ensure that the
facts are correctly presented in your report.

 A final copy of this report and of your working notes will need to be placed into the audit archive
for document retention.

Unit 2
 1. How does the process of information system acquisition and development contribute to an
organization's overall strategic objective?

Ans Information Systems Development & Acquisition

The Need for Structured Systems Development

Systems analysis and design – the process of designing, building, and maintaining information
systems The individual who performs this task is called Systems analyst. Organization wants to hire
System analyst because they have both technical and managerial expertise.

Evolution of IS development

•From “art” to a “discipline”: In the early days of computing it was considered an art that a very few
people could master

• Standardized development methods: The techniques used to build an IS varies greatly from
individual to individual. It was very difficult to integrate and maintain. To address this problem, info.
Sys. professionals decided to use a disciplined approach of introducing common methods,
techniques, and tools for building information systems

• Software engineering: This evolution led to the use of the term software engineering to define
what system analyst & programmer do.

Options for Obtaining Information Systems

1. Build your own

2. Buy a prepackaged system from a software development company or consulting firm. Example:
Payroll system.

3. Outsource development to a 3rd party: outside organization custom build a system to an

organization’s specifications. Good option when an organization does not have adequate resources
or expertise.

4. End user development: Individual users and departments build their own custom systems to
support their individuals. Example MS. Excel.

System Construction Process

1. Identify a large IT problem to solve

2. Break the large problem into several smaller, more manageable pieces

3. Translate each “piece” (small problem) into computer programs

4. Piece together each program into an overall comprehensive IS that solves the problem Systems
Development Process
 2. What strategic and methodologies are employed in the testing phase to ensure the reliability
and functionality of informations system under development? From chatpgt

Ans ensuring the reliability and functionality of an information system during its development phase
requires a meticulously planned and executed testing strategy. This process integrates various
methodologies to comprehensively assess both the functional aspects of the system and its ability to
withstand security threats. Below is an in-depth exploration of these strategies and methodologies.

Comprehensive Test Planning

The foundation of a successful testing phase in information security auditing is comprehensive test
planning. This begins with defining a clear Test Strategy that outlines the objectives, scope,
approach, and resources required. The strategy should align with the overall security policies of the
organization and the specific security requirements of the system under development. The Test Plan
derived from this strategy should detail the test items, features to be tested, the testing tasks,
resource allocation, schedule, and deliverables. This document serves as a roadmap, ensuring that all
security and functional requirements are thoroughly tested.

Requirement Analysis

Requirement Analysis is critical to understanding what needs to be tested. In information security

auditing, this involves scrutinizing security requirements to ensure they are complete, unambiguous,
and testable. The use of a Requirement Traceability Matrix (RTM) is common practice, mapping
each requirement to its corresponding test cases. This ensures comprehensive test coverage and
facilitates traceability throughout the testing lifecycle.

Test Case Design

In the Test Case Design phase, detailed test cases are developed to validate the system's
functionality and security. Test cases should cover various scenarios, including typical use cases, edge
cases, and misuse cases to ensure robustness. Functional Testing involves verifying that the system
operates according to the specified requirements, while Non-functional Testing assesses attributes
such as performance, reliability, and security.

Techniques such as Boundary Value Analysis and Equivalence Partitioning are employed to create
effective test cases that uncover defects at input boundaries and within equivalent data partitions.
Security-specific Test Cases are designed to test for vulnerabilities, including input validation issues,
authentication and authorization mechanisms, encryption and data protection measures, and more.
 3. How does effective infrastructure deployment contribute to the success of an information
system projects and what factors are critical to consider?

Ans System Migration, Infrastructure Deployment and Data Conversion

System migration involves moving a set of instructions or programs, e.g., PLC (programmable logic
controller) programs, from one platform to another, minimizing reengineering. Migration of systems
can also involve downtime, while the old system is replaced with a new one.

A system migration might involve physical migration of computing assets, like when older hardware
can no longer provide the required level of performance and meet the business needs of the
organization. Sometimes only data and applications need to be migrated to a new system or
platform, which may reside on the same hardware infrastructure, but the reason behind it would still
be the same: because the new system is perceived to be better than the old one

When the migration only involves data and software, the move can be automated using migration
software. Especially with the rising popularity of cloud computing, many business are migrating their
systems into the cloud, which is usually done using automated tools in quite a short period.

The main drivers of system migration include:

• The current system no longer performs as expected.

• A new technology which drives processes faster becomes available.

• The old system becomes deprecated and support is no longer available for it.

• The company is taking a change in direction.

 4. What criteria and metrics are used to evaluate the success or failure of an information
system project during the post-implementation review?

Ans Information system infrastructure and architecture

A well-designed information system rests on a coherent foundation that supports responsive

changeand, thus, the organization’s agility-as new business or administrative initiatives arise. Known
as the information system infrastructure, the foundation consists of core telecommunications
networks, databases and data warehouses, software, hardware, and procedures managed by various
specialists.

Post-Implementation Reviews

"Completing a project" is not the same thing as ending the project management process. Simply
finishing doesn't ensure that the organization benefits from the project's outcome.

For example, after completing a year-long project to establish a new quality management process for
your organization, you want to make sure that what you set out to do was actually achieved. Your
objective wasn't to simply deliver a process – but rather, to deliver the process that addresses the
specific business need you intended to meet. This is the real measure of success.

To make the most of the benefits that the project can deliver, however, you also need to check to see
if further improvements will deliver still greater benefit.

This is where the process of Post-Implementation Review (PIR) is helpful. It helps you answer the
following key questions:

• Did the project fully solve the problem that it was designed to address?

• Can we take things further, and deliver even bigger benefits?

• What lessons did we learn that we can apply to future projects?

When to Review

A good time to start thinking about the Post Implementation Review is when members of the
project team remember the most – shortly after the project has been delivered, and when most of
the problems have been ironed out. Start to list ideas and observations while they are still fresh in
people's minds.

What to Review

Here are some tips for conducting the PIR:

• Ask for openness – Emphasize the importance of being open and honest in your assessment, and
make sure that people aren't in any way punished for being open.

• Be objective – Describe what has happened in objective terms, and then focus on improvements.

• Document success – Document practices and procedures that led to project successes, and make
recommendations for applying them to similar future projects.

• Look with hindsight – Pay attention to the "unknowns" (now known!) that may have increased
implementation risks. Develop a way of looking out for these in future projects.
• Be future-focused – Remember, the purpose is to focus on the future, not to assign blame for what
happened in the past. This is not the time to focus on any one person or team.

• Look at both positives and negatives – Identify positive as well as negative lessons.
Unit 3

1. What are the key common technology components that form the backbone of information
system operating, and how do they contribute to system functionality?

Ans COMMON TECHNOLOGY COMPONENTS

This section introduces:

• Technology components

• Hardware platforms

• Basic concepts of, and history behind, the different types of computers

• Advances in IT

Also discussed are the key audit considerations, such as capacity management, system monitoring,
maintenance of hardware and typical steps in the acquisition of new hardware.

COMMON ENTERPRISE BACK-END DEVICES

In a distributed environment, many different devices are used to deliver application services. One
factor that has significantly changed in recent years is the rapid growth of the Internet of Things
(IoT).

Organizations need to know and embrace the many connected items in use, including cars,
thermostats, video cameras, mattresses and medical equipment, and understand how they are
affecting operations. Although increased innovation, productivity and services offer benefits, IoT use
also risks data leakage and privacy issues, among others.

Following are some of the most common devices encountered:

• Print servers—Businesses of all sizes require that printing capability be made available to users
across multiple sites and domains. Generally, a network printer is configured based on where the
printer is physically located and who within the organization needs to use it. Print servers allow
businesses to consolidate printing resources for cost savings.

• File servers—File servers provide for organization wide access to files and programs. Document
repositories can be centralized to a few locations within the organization and controlled with an
access-control matrix. Group collaboration and document management are easier when a document
repository is used, rather than dispersed storage across multiple workstations.

• Application (program) servers—Application servers typically host the software programs that
provide application access to client computers, including processing the application business logic
and communication with the application’s database. Consolidation of applications and licenses in
servers enables centralized management and a more secure environment.

• Web servers—Web servers provide information and services to external customers and internal
employees through web pages. They are normally accessed by their uniform resource locators
(URLs).
 2. What role does job scheduling play in information system operation and how does
production process automation enhance operational efficiency?

Ans JOB SCHEDULING AND PRODUCTION PROCESS AUTOMATION

In complex IS environments, computer systems transfer hundreds to thousands of data files daily. A
job schedule is typically created that lists the jobs that must be run and the order in which they are
run, including any dependencies. Due to the inherent complexity of this process, automated job
scheduling software provides control over the scheduling process. In addition to the scheduling of
batch jobs, job scheduling software can be used to schedule tape backups and other maintenance
activities. Job scheduling is a major function within the IT department. The schedule includes the
jobs that must be run, the sequence of job execution and the conditions that cause program
execution. Low priority jobs can also be scheduled, if time becomes available.

High-priority jobs should be given optimal resource availability, and maintenance functions (such as
backup and system reorganization) should, if possible, be performed during nonpeak times.
Schedules provide a means of keeping customer demand at a manageable level and permit
unexpected or on request jobs to be processed without unnecessary delay.

Job scheduling procedures are necessary to ensure that IS resources are used optimally, based on
processing requirements. Applications are increasingly required to be continually available;
therefore, job scheduling (maintenance or long processing times) represents a greater challenge than
before.

JOB SCHEDULING SOFTWARE

Job scheduling software is system software used by installations that process a large number of batch
routines. The scheduling software sets up daily work schedules and automatically determines which
jobs are to be submitted to the system for processing.

The advantages of using job scheduling software include:

• Job information is set up only once, reducing the probability of an error.

• Job dependencies are defined so that if a job fails, subsequent jobs relying on its output will not be
processed.

• Records are maintained of all job successes and failures.

• Security over access to production data can be provided.

• Reliance on operators is reduced.

 3. Why is data governance crucial in information system operation and hoe does it contribute
to data quality, security and compliance?

Ans DATA GOVERNANCE

With ever-changing data environments—such as the cloud—and data requirements, data

maintenance and management are becoming increasingly complicated. Data also exists in many
forms, such as text, numbers, graphics and video. After data are made meaningful, they become
information, which is crucial to the operation of an enterprise.

Data governance ensures that:

• Stakeholder needs, conditions and options are evaluated to determine balanced, mutually agreed
enterprise objectives to be achieved through the acquisition and management of data/ information
resources.

• Direction is set for data/information management capabilities through prioritization and decision
making.

• Performance and compliance of data/information resources are monitored and evaluated relative
to mutually agreed-upon (by all stakeholders) direction and objectives.

Data governance also involves monitoring the performance of IT operations, specifically those areas
that relate to data and its availability, integrity and confidentiality

Data Quality

Data quality is key to data management. There are three sub dimensions of quality: intrinsic,
contextual and security/accessibility. Each sub dimension is divided further into several quality
criteria

Data Life Cycle

A life cycle describes a series of stages that characterize the course of existence of an organizational
investment. Data life cycle management describes the stages that data go through in the course of
existence in an organization.

The data life cycle includes the following elements:

• Plan—The phase in which the creation, acquisition and use of the information resource is
prepared. Activities in this phase include understanding information use in the respective business
processes, determining the value of the information asset and its associated classification, identifying
objectives and planning the information architecture.

• Design—The phase in which more detailed work is done in specifying how the information will
look and how systems processing the information will have to work. Activities in this phase may refer
to the development of standards and definitions (e.g., data definitions, data collection, access,
storage procedures, metadata characteristics and data classification).

• Build/acquire—The phase in which the information resource is acquired. Activities in this phase
may refer to the creation of data records, the purchase of data and the loading of external files.

• Monitor—The phase in which it is ensured that the information resource continues to work
properly (i.e., to be valuable). Activities in this phase may refer to keeping information up to date and
other kinds of information management activities (e.g., enhancing, cleansing, merging and removing
duplicate information in data warehouses).

• Dispose—The phase in which the information resource is transferred or retained for a defined
period, destroyed, or handled as part of an archive as needed. Activities in this phase may refer to
information retention, archiving or destroying
 4. How is business resilience achieved within information system operation, and what
strategies are employed to mitigate potential disruptions?

Ans BUSINESS RESILIENCE

Business resilience describes an organization’s ability to adapt to disruptions and incidents in order
to maintain continuous operations and to protect the organization’s assets. Most organizations have
some degree of DRPs in place for the recovery of IT infrastructure, critical systems and associated
data. However, many organizations have not taken the next step and developed plans for how key
business units will function during a period of IT disruption. CISA candidates should be aware of the
components of disaster recovery and business continuity plans, the importance of aligning one with
the other, and aligning DRPs and business continuity plans (BCPs) with the organization’s goals and
risk tolerance. Also of importance are data backup, storage and retention and restoration.

SYSTEM RESILIENCY

System resilience is the ability of a system to withstand a major disruption within set metrics and
recovery times. This can include the ability to maintain capability during the disruption.

Protecting an application against a disaster entails providing a way to restore it as quickly as possible.
Clustering makes it possible to do so. A cluster is a type of software (agent) that is installed on every
server (node) in which the application runs and includes management software that permits control
of and tuning the cluster behavior. Clustering protects against single points of failure (a resource
whose loss would result in the loss of service or production). The main purpose of clustering is higher
availability.

There are two major types of application clusters: active-passive and active active. In activepassive
clusters, the application runs on only one (active) node, while other (passive) nodes are used only if
the application fails on the active node. In this case, cluster agents constantly watch the protected
application and quickly restart it on one of the remaining nodes. This type of cluster does not require
any special setup from the application side (i.e., the application does not need to be cluster-aware).
Hence, it is one of the major ways to ensure application availability and disaster recovery. In active-
active clusters, the application runs on every node of the cluster.

With this setup, cluster agents coordinate the information processing between all of the nodes,
providing load balancing and coordinating concurrent data access. When an application in such a
cluster fails, users normally do not experience any downtime at all (possibly missing uncompleted
transactions).

Active-active clusters require that the application be built to utilize the cluster capabilities (for
instance, if the transaction is not completed on the node that failed, some other remaining node will
try to rerun the transaction). Such clusters are less common than active-passive and provide quick
application recovery, load balancing and scalability.

This type of cluster puts a greater demand on network latency. Very often, organizations use a
combination of cluster setups; for instance, active-active for a particular processing site and active
passive between the sites. This combination protects applications against local software or hardware
failure (active-active) and against site failure (active-passive). The clusters with a span of one city are
called metro clusters, while clusters spanning between cities, countries and continents are called
geo-clusters.
Unit 4

1. What are the key stages in the information system life cycle, and how does a structured life
cycle approach contribute to successful system development?

Ans Information Systems Life Cycle

Governance in Software Development

Every organization strives to balance expenditures against revenue. The objective is to increase
revenue and reduce operating costs. The most common method you will encounter is for the auditee
to secretly take inappropriate shortcuts. Questionable shortcuts are referred to as their “risk
appetite” in business. Overall the most effective method for reducing operating costs is to actually
improve software automation.

Computer programs may be custom‐built or purchased in an effort to improve automation. The

initial buy or build decision is made by the internal sponsor at a very high level. Usually decisions are
based on a theme of “I saw,” “I read,” or “I/We used.” Auditors should never assume the decision was
based on detailed requirements unless you see the actual series of details and reviews in documents.
All business applications undergo a common process of needs analysis, functional design, software
development, implementation, production use, and ongoing maintenance in a never‐ending series of
patch updates and retesting of system integrity. In the end, every program will be replaced by a
newer version, and the old version will be retired. This is what is referred to as the life cycle.

A strategic system fundamentally changes the way the organization conducts business or competes
in the marketplace. A strategic system significantly improves overall business performance with
results that can be measured by multiple indicators. These multiple indicators include measured
performance increases and noticeable improvement on the organization’s financial statement. An
organization might, for example, successfully attain a dramatic increase in sales volume as a direct
result of implementing a strategic system. The strategic system may create an entirely new sales
channel to reach customers. Auction software implemented and marketed by eBay is an example of a
strategic system

Tactical systems (a.k.a. traditional) provide support functions aligned to fulfill the needs of an
individual or department. Examples of tactical systems include general office productivity and
departmental databases for helpdesk, sales relationship, marketing blasts, human resource
compliance, and so on. The tactical system might provide 18 percent return on investment for the
department, whereas a strategic system might have a return of more than 10 times the investment
for the whole organization.
 2. What is the significance of change management in the context of information system life
cycle, and how does it impact project outcomes?

Ans Change Management

The accepted method of controlling changes to the RFP or application software is to use a change
control board (CCB). Members of the change control board include IT managers, quality control, user
liaisons from the business units, and internal auditors. A vice president, director, or senior manager
presides as the chairperson. The purpose of the board is to review all change requests before
determining whether authorization should be granted. This fulfills the desired separation of duties.
Change control review must include input from business users. Every request should be weighed to
determine business need, required scope, level of risk, and preparations necessary to prevent failure.
You can refer to the client organization’s policies concerning change control. You should be able to
determine whether separation of duties is properly enforced. Every meeting should include a
complete tracking of current activities and the minutes of the meetings. Approval should be a formal
process. The ultimate goal is to prevent business interruption.

Significance of Change Management

1. Ensures System Integrity and Stability

Change management helps maintain the integrity and stability of an information system. By
systematically evaluating and managing changes, organizations can avoid unintended consequences
that might arise from ad hoc modifications. This includes assessing the potential impact of changes
on existing systems, processes, and users.

2. Facilitates Smooth Transitions

Change management ensures that transitions between different phases of the information system
life cycle, such as from development to testing or from deployment to maintenance, are handled
smoothly. This reduces the likelihood of disruptions and ensures continuity in operations.

3. Enhances Risk Management

Managing changes systematically helps identify potential risks associated with modifications early in
the process. This proactive approach allows for the implementation of risk mitigation strategies,
reducing the likelihood of negative impacts on the system and the organization.

4. Improves Communication and Collaboration

Change management promotes clear communication and collaboration among stakeholders,

including developers, users, managers, and other relevant parties. This ensures that everyone is
aware of upcoming changes, their reasons, and their potential impacts, which helps in aligning
expectations and reducing resistance.

5. Ensures Compliance and Governance

In many industries, compliance with regulatory requirements is crucial. Change management ensures
that changes are documented, reviewed, and approved according to established policies and
procedures, which helps maintain compliance with legal and regulatory standards.
Impact on Project Outcomes

1. Enhanced Project Success Rates

Projects that incorporate robust change management practices are more likely to succeed. By
systematically managing changes, projects can stay on track, within budget, and on schedule. This
reduces the risk of project failure due to unmanaged or poorly managed changes.

2. Improved Quality and Performance

Change management ensures that changes are thoroughly tested and validated before
implementation, leading to improved quality and performance of the information system. This
reduces the likelihood of defects, performance issues, or other problems that could negatively
impact users.

3. Higher User Satisfaction and Adoption

When changes are managed effectively, users are more likely to be satisfied with the system. Clear
communication, training, and support help users understand and adapt to changes, leading to higher
adoption rates and more effective use of the system.

4. Reduced Downtime and Disruptions

By planning and managing changes carefully, organizations can minimize downtime and disruptions.
This ensures that the system remains available and reliable, which is crucial for business continuity
and operational efficiency.

5. Better Decision-Making

Change management provides a structured approach for evaluating changes, including their benefits,
costs, and risks. This helps decision-makers make informed choices about which changes to
implement, leading to better overall project outcomes.
 3. How does electronic commerce impact the information system life cycle and what
considerations are unique to e-commerce system development?

Ans Electronic Commerce

Electronic commerce, also known worldwide as e‐commerce, is the conducting of business and
financial transactions electronically across the globe. This concept introduces the challenges of
maintaining confidentiality, integrity, and availability for every second of the entire year. An
additional challenge is to ensure regulatory compliance for each type of transaction that may occur
over the e‐commerce system.

Business‐to‐Business (B‐to‐B, or B2B) Business‐to‐business transactions take place between a

business and its vendors. This could include purchasing, accounts payable, payroll, and outsourcing
services. This type of transaction is governed by business contracts in accordance with federal law.

Business‐to‐Government (B‐to‐G, or B2G) Business‐to‐government transactions are the online filing

of legal documents and reports. In addition, this includes purchasing and vendor management for
the products and services used by the government. This type of transaction is governed by a variety
of government regulations. An example is the US Central Contractor Registration (CCR) system.
Vendors doing business with the US government are required to maintain their company profiles in
the CCR database.

Business‐to‐Consumer (B‐to‐C, or B2C) Business‐to‐consumer transactions are direct sales of

products and services to a consumer. B‐to‐C also includes providing customer support and product
information to the consumer. The payment transaction in this type of environment may be governed
by banking, privacy, and credit authorization laws. Business to‐consumer applications require
additional logging because the normal paper trail does not exist. As the auditor, you will be
interested in how the transactions are monitored and reviewed. Authorizations for processing online
payments will require special security measures

Business‐to‐Employee (B‐to‐E, or B2E) Business‐to‐employee transactions include the online

administration of employee services, including payroll and job benefits. This type of transaction is
governed by federal employment regulations and privacy regulations.
 4. What measures are taken in implementing physical protection for information system, and
how do they mitigate potential risks and threats?

Ans Implementing Physical Protection

The auditor should always remember electronic attacks are the greatest concern because the
intruder usually goes undetected and is almost never caught. Physical barriers are frequently used to
protect physical assets. Earlier in the chapter, we discussed the creation of a map displaying access
routes and locked doors. After risk assessment, the next step is to improve physical protection.

Let’s review a few of the common techniques for increasing physical protection:

1) Closed‐Circuit Television Closed‐circuit television can provide real‐time monitoring or audit logs of
past activity. Access routes are frequently monitored by using closed‐circuit television. The auditor
may be interested in the image quality and retention capabilities of the equipment. Some intrusions
may not be detected for several weeks. Does the organization have the ability to check for events
that occurred days or weeks ago?

2) Guards Security guards are an excellent defensive tool. Guards can observe details that the
computerized security system would ignore. Security guards can deal with exceptions and special
events. In an emergency, security guards can provide crowd control and direction. Closed‐circuit
television can extend the effective area of the security guard. The monitoring of remote areas should
reduce the potential for loss.

3) Electronic Lock Electronic locks can be used by security systems. The electronic line is frequently
coupled with a badge reader. Each user is given a unique ID badge, which will unlock the door. This
provides an audit trail of who has unlocked the door for each event. Electronic locks are usually
managed by a centralized security system. Unfortunately, electronic locks will not tell us how many
people went through the door when it was open. To solve that problem, it would be necessary to
combine the electronic lock with a mantrap passageway, in which one door must be closed before
the next door can be opened, and to use closed‐circuit television recording to serve as an audit log.

4) Cipher Lock Cipher locks may be electronic or mechanical. The purpose of the cipher lock is to
eliminate the brass key requirement. Access is granted by entering a particular combination on the
keypad. Low‐security cipher locks use a shared unlock code. Higher‐security cipher locks issue a
unique code for each individual. The FBI office in Dallas has a really slick electronic cipher lock using
an LCD touchpad. The user touches a combination of keys in sequence on the LCD keypad. Between
each physical touch, the key display changes to prevent an observer from detecting the actual code
used. This is an example of a higher‐security cipher lock.

5) Biometrics The next level of access control for locked doors is biometrics. Biometrics uses a
combination of human characteristics as the key to the door..

6) Burglar Alarm : The oldest method of detecting a physical breach is a burglar alarm. Alarm systems
are considered the absolute minimum for physical security. An alarm system may be installed for the
purpose of signaling that a particular door has been opened. Remote or unmanned facilities
frequently implement a burglar alarm to notify personnel of a potential breach. Burglar alarm
systems should be monitored to ensure appropriate response in a timely manner.

7) Environmental Sensor Technology is not tolerant of water or contaminants. Environmental controls

are used to regulate the temperature, humidity, and airflow. The failure of air‐conditioning or
humidity control can damage sensitive computer equipment. All the servers in the computer room
would overheat and crash without continuous air‐ conditioning. Environmental sensors should be
monitored with the same interest and response as a burglar alarm.
Unit 5

1. What role does technical protection play in safeguarding information assets, and what are
the key technologies involved in this process?

Ans Technical Protection

Technical protection is also referred to as logical protection. A simple way to recognize technical
protection is that technical controls typically involve a hardware or software process to operate. Let’s
start with technical controls, which are also known as automated controls.

Technical Control Classification Technical protection may be implemented by using a combination of

mandatory controls or discretionary controls. Technical controls are considered very strong if used in
combination with administrative and physical controls. Technical controls should always be active
and monitored and should block unauthorized access attempts. Any unauthorized attempt should
notify the security staff with both a log entry and matching alarm. Least privilege is supported by
using additional controls based on a person’s job role, job task, or specific attributes of the subject
requesting access to the data involved

• Mandatory Access Controls

• Discretionary Access Controls

• Role‐Based Access Controls

• Task‐Based Access Controls

• Attribute‐Based Access Controls

Authentication Methods

Type 1: Something a Person Knows – loginname,password

Type 2: Something a Person Has in Possession – ATM,RF CARD,PIN

Type 3: Physical Characteristic – Biomatric (Fingerprints, Palm Print, Hand Geometry, Retina Scan, Iris
Scan, Face Scan, DNA Analysis)

Network Access Protection

Kerberos Single Sign‐On

The Kerberos single sign‐on (SSO) system was developed to improve both security and user
satisfaction. The name Kerberos refers to the mythical three‐headed dog guarding the gates to the
underworld. Kerberos provides security when the end points of the network are safe but the
transmission path cannot be trusted—for example, when the servers and workstations are trusted
but the network is not. The concept of operation is for the user to log in once to Kerberos. After
login, the Kerberos system authenticates the user and grants access to all resources.

Encryption Methods

Private‐Key Encryption

Private‐key encryption systems use a secret key, which is shared between the authorized sender and
the intended receiver. Private‐key systems contain two basic components. The first component is the
mathematical algorithm for scrambling and unscrambling the message (encrypting and decrypting).
The second component is the mathematical key used as a randomizer in the encryption algorithm.
The longer the key length, the higher the security it will generate. A single secret key is carefully
shared between the sender and receiver. This is referred to as symmetric‐key cryptography.

Public‐Key Encryption

Asymmetrical cryptography is referred to as public‐key cryptography (a.k.a. publickey interchange,

or PKI). This design uses a separate pair of keys for encryption and decryption. The key pair is
composed of a secret key protected by the owner and a second public key that is freely distributed.
These two keys are mathematically related to each other. The secret key and public key are
generated from a supersized prime number. It is practically impossible for a cryptographic hacker to
derive the super prime number or related keys in use
 2. What are the five conflicting disciplines within business continuity, and how do organization
navigate these conflicts to ensure effective continuity planning?

Ans Understanding the Five Conflicting Disciplines Called Business Continuity

Business “Revenue” Continuity (BC) This is the most accurate definition of an executive’s interest in
both the business world and government agencies. An organization would be unable to survive
without revenue or funding. Money buys time and provides options.

Continuity of Operations (COOP) The goal is to continue uninterrupted operations with or without
funding. This is frequently the objective of social services or essential life support utility providers.
Electricity providers and telephone services are prime examples of essential services. Information
technology may find itself split between different priorities depending on whether it is simply the
record keeper or whether it directly generates 24‐hour revenue through high volume e ‐commerce
sites such as Travelocity, Amazon.com, eBay, and Apple iTunes. What about mission control at NASA?
Not all systems are created equal.

Emergency Management (EM) Rescue assistance may use offensive (fight) or defensive (protect)
strategy with medical aid. Emergency management is based on halting normal operations and
shutting down utilities while evacuating persons in the hope of saving lives. Its objective is to halt all
activity when something goes wrong. The primary goal is to rescue those who could not get out on
their own. So why would you ever wait to evacuate if the risks are increasing? Government’s
continual prayer is that business will be able to restart after enduring a major interruption, but
industry reports show that four out of five businesses never reopen after a major disaster. Their
brand name is resold, but the original executives and staffs are elsewhere.

Continuity of Government (COG) This discipline allows using or commandeering all available
resources to prevent the failure or overthrow of the existing government. Even if you buy extra
telecom lines, fuel, generators, and satellite frequencies, the agency official can take it away for use
by the government under COG authority. This is a very serious risk to business operations.

Disaster Recovery (DR) This is the process of rebuilding what was damaged to its previous historical
condition or of absorbing the damage impact in the case of business resilience. Frequently the scope
of disaster recovery ignores the disruption to people’s lives, financial hardship, and irreplaceable loss
of customer revenue. Sadly, this is the scope of most government recovery organizations such as the
US Federal Emergency Management Agency (FEMA). Most investors and several key personnel will
abandon organizations at the onset of a disaster condition. This is what led to the redefi nition of
business continuity as the uninterrupted stream of revenue or funding.

Developing a Business Continuity Plan There are several steps many companies must follow to
develop a solid BCP. They include:

• Business Impact Analysis: Here, the business will identify functions and related resources that are
time-sensitive. (More on this below.)

• Recovery: In this portion, the business must identify and implement steps to recover critical
business functions.

• Organization: A continuity team must be created. This team will devise a plan to manage the
disruption.

• Training: The continuity team must be trained and tested. Members of the team should also
complete exercises that go over the plan and strategies.
 3. What is the primary purpose of business continuity, and how does it align with an
organization’s border goals and objective?

Ans Defining the Purpose of Business Continuity

• Business continuity planning (BCP) is the process a company undergoes to create a prevention and
recovery system from potential threats such as natural disasters or cyberattacks.

• BCP is designed to protect personnel and assets and make sure they can function quickly when
disaster strikes.

• BCPs should be tested to ensure there are no weaknesses, which can be identified and corrected.
An organization can use the principles of business continuity to accomplish the following:

Survive a Man‐Made or Natural Disaster Survival means sustaining control while ensuring that
enough revenue is flowing to the bank for the organization to keep running during and after the
event.

Acquire or Divest Business Units If properly executed, the business continuity planning process
creates an incredibly valuable set of documents, including a current risk analysis and a low‐level
“how‐to” blueprint of business processes currently in use. This information would be invaluable for
licensing, expansion, reorganization, and outsourcing or insourcing of operations.

Change to a Different Market Some markets are no longer profitable because of changes in consumer
attitude, cost/competition, or increasing regulatory law. Management may find a more profitable
market for their efforts. Eg: Instead of continue all store under company revenue, provide franchise
to stack share holder.

Improve Market Position by Demonstrating a Potential for Surviving or Profiting One of the reasons
an organization participates in business continuity planning is to attract better financial terms from
investors and to attract more clients. A good business continuity plan could attract new contracts and
revenue opportunities by demonstrating an organizational plan to fulfill contractual commitments.
 4. Why is it important for auditors to take a keen interest in business continuity and disaster
recovery plans, and what specific aspects do they typically assess?

Ans Understanding the Auditor Interests in BC/DR Plans

Let’s summarize with the points of interest that an IS auditor should look for. We have discussed the
basic objectives to be fulfilled by management. It is the auditor’s job to determine how well those
objectives have been served. The auditor can use the following points for evaluation:

■ Compare the results of the business impact and risk analysis to the various strategies selected for
each activity in the overall process timeline. Do the BIA research and workflow‐ based risk
assessment support management’s strategy?

■ Time delays are an absolute killer of business continuity plans. Has the client done a good job of
documenting the recovery time objectives (RTOs)? Are the RTOs well founded and realistic? Does the
organization have the hardware and skills necessary to recover data in sufficient time to meet each
RTO?

■ Ask whether the organization’s document outlines a 0‐ to 100‐hour timeline. This type of timeline
sequences and prioritizes the recovery by using RT, RP, RTO, RPO, LWIP, RWIP, SDO, and RO. The
presence of this document is a powerful statement in favor of the client. Absence of this document
foretells a questionable future.

■ Work backlogs exist every day in business. How does the organization intend to handle the
backlog when the processing capability is significantly diminished? Manual methods are usually
proposed because of the low cost; however, substantial testing would be required to prove that the
organization could manually keep up with the volume of work.

■ An audit of the vital records inventory will tell an interesting story. Well‐organized vital records
foretell the future of a successful recovery.

■ When was the most recent training exercise? It would be valuable to review the exercise plan, the
results, and the schedule of future exercises. Plans must be exercised regularly to remain effective.