1) Compensating Controls They are internal controls that are intended to reduce the risk of an existing or potential control

l weakness when duties cannot be appropriately segregated. (Pg-115 CRM12) 2) Preventive Controls - These are controls that prevent the loss or harm from occurring. For example, a control that enforces segregation of responsibilities (one person can submit a payment request, but a second person must authorize it), minimizes the chance an employee can issue fraudulent payments. 3) Overlapping Controls 4) Logical Access Controls - http://en.wikipedia.org/wiki/Logical_access_control 5) Before implementing an IT balanced scorecard, an organization must define key performance indicators. 6) To assist an organization in planning for IT investments, the IS auditor should recommend the use of enterprise architecture. 7) Controls are basically to mitigate the risk. 8) IS audit services can be provided externally or internally. The role of IS internal audit function should be established by an audit charter approved by senior management. If IS audit services are provided externally, then it should be documented in a formal contract or statement of work between the contracting org. and the service provider. 9) Audit Charter vs Engagement Letter (S1 Audit Charter) (Pg 33 CRM12) 10) S4 , Professional Competence ISACA IS Auditing Standards require that the IS auditors be technically competent, having the skills & knowledge to perform the auditors work. 11) A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it can identify high-risk areas that might need a detailed review later. 12) RFP - http://en.wikipedia.org/wiki/Request_for_proposal 13) An IS auditor should expect References from other customers (an item) to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP). 14) IT governance ensures that an organization aligns its IT strategy with enterprise objectives. 15) Legal issues also impact org.s business operations in terms of compliance with ergonomic (intended to provide optimum comfort and to avoid stress and injury, human factor) regulations, the US Health Insurance Portability and Accountability Act(HIPAA), etc. 16) US Sarbanes Oxley Act of 2002 It requires evaluating an org.s internal control. It provides regulations and standards for specified public companies including US SEC registrants. It requires org. to select and implement a suitable internal control framework. IS auditors have to consider the impact of Sarbanes-Oxley as part of audit planning. 17) COSO Committee of Sponsoring Org. of the Treadway Commission. They provide internal Control framework. 18) Basel II Accord It regulates the minimum amount of capital 4 financial org. based on the level of risk faced by these org. 19) Steps an IS auditor would perform to determine an org. level of compliance with external requirements (Pg 25 CRM12) 20) An IS auditor should ensure that IT governance performance measures evaluate the activities of IT oversight committees. 21) IS strategic plans would include analysis of future business objectives.

22) Scope Creep - Scope creep (also called requirement creep and feature creep) in project management refers to uncontrolled changes or continuous growth in a projects scope. This phenomenon can occur when the scope of a project is not properly defined, documented, or controlled. It is generally considered a negative occurrence, to be avoided. Typically, the scope increase consists of either new products or new features of already approved product designs, without corresponding increases in resources, schedule, or budget. As a result, the project team risks drifting away from its original purpose and scope into unplanned additions. As the scope of a project grows, more tasks must be completed within the budget and schedule originally designed for a smaller set of tasks. Accordingly, scope creep can result in a project team overrunning its original budget and schedule. If budget, resources, and schedule are increased along with the scope, the change is usually considered an acceptable addition to the project, and the term scope creep is not used.
23) Hardware Configuration Analysis is critical to the selection and acquisition of the correct operating system software. 24) When conducting a review of business process reengineering, an IS auditor found that a key preventive control had been removed. The IS auditor should inform management of the
finding and determine whether management is willing to accept the potential material risk of not having that preventive control. 25) Data Sanitization - Data sanitization is the process of deliberately, permanently, and irreversibly removing or destroying the data stored on a memory device. A device that has been sanitized has no usable residual data and even advanced forensic tools should not ever be able recover erased data. Sanitization processes include using a software utility that completely erases the data, a separate hardware device that connects to the device being sanitized and erases the data, and/or a mechanism that physically destroys the device so its data cannot be recovered.

26) An organization decides to purchase a package instead of developing it. In such a case, the

design and development phases of a traditional software development life cycle (SDLC) would be replaced with selection and configuration phases.
27) G11 must read pg 39 (CRM12) ..The total population.. 28) Mobile Computing - Mobile computing is humancomputer interaction by which a

computer is expected to be transported during normal usage. Mobile computing involves mobile communication, mobile hardware, and mobile software. Communication issues include ad-hoc and infrastructure networks as well as communication properties, protocols, data formats and concrete technologies. Hardware includes mobile devices or device components. Mobile software deals with the characteristics and requirements of mobile applications.

29) Computer Forensics - Computer forensics (sometimes known as computer forensic science[1]) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information. Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.

Evidence from computer forensics investigations is usually subjected to the same guidelines and practices of other digital evidence. It has been used in a number of high-profile cases and is becoming widely accepted as reliable within U.S. and European court systems.
30) The IS auditor should consider on the use of internet as per G33 31) G38 Must Read Access Control Pg41 of CRM12 32) Capacity Management - Capacity Management is a process used to manage information technology (IT). Its primary goal is to ensure that IT capacity meets current and future business requirements in a cost-effective manner. One common interpretation of Capacity Management is described in the ITIL framework. ITIL version 3 views capacity management as comprising three sub-processes: business capacity management, service capacity management, and component capacity management (known as resource capacity management in ITIL version 2). Capacity monitoring software is MAINLY

used to ensure continuity of efficient operations.

33) The exposures associated with the spooling (transfer data intended for a peripheral device
(usually a printer) into temporary storage) of sensitive reports for offline printing should an

IS auditor consider to be the MOST serious?

Unauthorized report copies can be printed

34) Data Redundancy - Data redundancy occurs in database systems which have a field that is

35)

36) 37) 38)

39)

repeated in two or more tables. For instance, in case when customer data is duplicated and attached with each product bought then redundancy of data is a known source of inconsistency, since customer might appear with different values for given attribute.[1] Data redundancy leads to data anomalies and corruption and generally should be avoided by design. The database administrator has decided to disable certain normalization controls in the database management system (DBMS) software to provide users with increased query performance. This will MOST likely increase the risk of redundancy of data. Resilience - The ability to recover quickly from illness, change, or misfortune; buoyancy. An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if the network servers are clustered in a site. SLA (Service Level Agreement) - A service-level agreement (SLA) is a part of a service contract where a service is formally defined. In practice, the term SLA is sometimes used to refer to the contracted delivery time (of the service or performance). As an example, internet service providers will commonly include service level agreements within the terms of their contracts with customers to define the level(s) of service being sold in plain language terms. In this case the SLA will typically have a technical definition in terms of mean time between failures (MTBF), mean time to repair or mean time to recovery (MTTR); various data rates; throughput; jitter; or similar measurable details. When reviewing a service level agreement for an outsourced computer center, an IS auditor should FIRST determine that the services in the agreement are based on an analysis of
business needs.

40) An IS auditor should recommend the use of library control software to provide reasonable

assurance that program changes have been authorized. 41) Benchmarking provides the BEST method for determining the level of performance provided by similar information-processing-facility environments.

42) Two factor and three factor authentication - http://searchsecurity.techtarget.com/definition/twofactor-authentication 43) Naming conventions for system resources are important for access control because they
reduce the number of rules required to adequately protect resources.

44) Social engineering, in the context of information security, is understood to mean the art of

manipulating people into performing actions or divulging confidential information.[1] This is a type of confidence trick for the purpose of information gathering, fraud, or gaining computer system access. It differs from traditional cons in that often the attack is a mere step in a more complex fraud scheme. Security awareness training is the most effective way to reduce
social engineering incidents.

45) Important for exam perspective G5, G9/S9, G17/S2, G35 46) The IS auditor is reviewing an organization's human resources (HR) database implementation. The IS
auditor discovers that the database servers are clustered for high availability, all default database accounts have been removed and database audit logs are kept and reviewed on a weekly basis. What other area should the IS auditor check to ensure that the databases are appropriately secured? Database Initialization Parameters. When a database is opened, many of its configuration options are governed by initialization parameters. These parameters are usually governed by a file (init.ora in the case of Oracle DBMS) which contains many settings. The system initialization parameters address many global database settings, including authentication, remote access and other critical security areas. In order to effectively audit a database implementation, the IS auditor must examine the database initialization parameters. Digital signatures are used for authentication and nonrepudiation, and are not commonly used in databases. As a result, this is not an area in which the IS auditor should investigate. A nonce is defined as a parameter that changes over time and is similar to a number generated to authenticate one specific user session. Nonces are not related to database security (they are commonly used in encryption schemes). A MAC address is the hardware address of a network interface. MAC address authentication is sometimes used with wireless local area network (WLAN) technology, but is not related to database security. 47) Upon receipt of the initial signed digital certificate the user will decrypt the certificate with the public key of the Certificate Authority. A CA is a network authority that issues and manages security credentials and public keys for message encryption. As a part of the public key infrastructure, a CA checks with an RA to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can issue a certificate. The CA signs the certificate with its private key for distribution to the user. Upon receipt, the user will decrypt the certificate with the CA's public key.

48) Sniffing vs Spoofing - sniffing : to gather information without actually touching it (or being detected or in hiding), e.g., network packet sniffing. Sniffing is "listening" to network traffic to collect information. A common usage of sniffing is to listen to network traffic to look for patterns of a worm spreading itself. spoofing : to mimic something and create an illusion of the presence of the original, e.g., email spoofing. spoofing is sending network traffic that's pretending to come from someone else. a common usage for spoofing is sending an email message, but to reformat the header so it looks like it comes from someone else, like their boss. 49) Network security reviews include reviewing router access control lists, port scanning, internal and
external connections to the system, etc. 50) Public key encryption, also known as asymmetric key cryptography, uses a public key to encrypt the message and a private key to decrypt it. 51) Difference between symmetric and assymetric encryption - Symmetric key encryption requires that the keys be distributed. The larger the user group, the more challenging the key distribution. Symmetric key cryptosystems are generally less complicated and, therefore, use less processing power than asymmetric techniques, thus making it ideal for encrypting a large volume of data. The major disadvantage is the need to get the keys into the hands of those with whom you want to exchange data, particularly in e-commerce environments, where customers are unknown, untrusted entities.

http://stackoverflow.com/questions/5478952/difference-between-asymmetric-andsymmetric-encryption-methods

52)

A digital signature contains a message digest to show if the message has been altered after transmission. The message digest is calculated and included in a digital signature to prove that the

message has not been altered. It should be the same value as a recalculation performed upon receipt. It does not define the algorithm or enable the transmission in digital format and has no effect on the identity of the user; it is there to ensure integrity rather than identity. 53) The best control to mitigate the risk of pharming attacks to an Internet banking application is Domain name system (DNS) server security hardening. The pharming attack redirects the traffic to an unauthorized web site by exploiting vulnerabilities of the DNS server. In order to avoid this kind of attack, it is necessary to eliminate any known vulnerability that could allow DNS poisoning. Older versions of DNS software are vulnerable to this kind of attack and should be patched.

Pharming is an attacker's attack intended to redirect a website's traffic to another, bogus site. Pharming can be conducted either by changing the hosts file on a victim's computer or byexploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving Internet names into their real IP addresses. Compromised DNS servers are sometimes referred to as "poisoned". Pharming requires unprotected access to target a computer, such as altering a customer's home computer, rather than a corporate business server.

[p]

54) The most reliable sender authentication method is Digital Certificates. Digital certificates are
issued by a trusted third party. The message sender attaches the certificate and the recipient can verify authenticity with the certificate repository. Asymmetric cryptography, such as public key infrastructure (PKI), appears to authenticate the sender but is vulnerable to a man-in-the-middle attack. Digital signatures are used for both authentication and confidentiality, but the identity of the sender would still be confirmed by the digital certificate. Message authentication code is used for message integrity verification.

55) An application-level gateway is the best way to protect against hacking because it can define with detail rules that describe the type of user or connection that is or is not permitted. It analyzes in detail each package, not only in layers one through four of the OSI model but also layers five through seven, which means that it reviews the commands of each higher-level protocol (Hypertext Transmission Protocol [HTTP], File Transfer Protocol [FTP], Simple Network Management Protocol [SNMP], etc.). For a remote access server, there is a device (server) that asks for a username and password before entering the network. This is good when accessing private networks, but it can be mapped or scanned from the Internet creating security exposure. Proxy servers can provide protection based on the IP address and ports. However, an individual is needed who really knows how to do this, and applications can use different ports for the different sections of the program. Port scanning works when there is a very specific task to complete, but not when trying to control what comes from the Internet, or when all the ports available need to be controlled. For example, the port for Ping (echo request) could be blocked and the IP addresses would be available for the application and browsing, but would not respond to Ping. 56) Firewall - In computing, a firewall is a software or hardware-based network security system

that controls the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., [1] the Internet) that is not assumed to be secure and trusted. The objective of a firewall is to
protect a trusted network from an untrusted network; therefore, locations needing firewall implementations would be at the existence of the external connections.

Many personal computer operating systems include software-based firewalls to protect against threats from the public Internet. Manyrouters that pass data between networks contain firewall [2] components and, conversely, many firewalls can perform basic routing functions.
57) Biometrics Terminolgy: a)

false acceptance rate or false match rate (FAR or FMR): the probability that the system incorrectly matches the input pattern to a non-matching template in the database. It measures the percent of invalid inputs which are incorrectly accepted.

b)

c)

false rejection rate or false non-match rate (FRR or FNMR): he probability that the system fails to detect a match between the input pattern and a matching template in the database. It measures the percent of valid inputs which are incorrectly rejected. equal error rate or crossover error rate (EER or CER): the rate at which both accept and reject errors are equal. A low EER is a combination of a low FRR and a low FAR. EER,
expressed as a percentage, is a measure of the number of times that the FRR and FAR are equal. A low EER is the measure of the more effective biometrics control device. Low FRRs or low FARs alone do not measure the efficiency of the device.

Hence, the BEST overall quantitative measure of the performance of biometric control devices is
EER. 58) ITAF (IT Assurance Framework) Pg 42 of CRM12 ITAF includes three categories of standards general, performance and reporting. 59) Current ISACA IT audit and assurance standards include the following general standards: S2 Independence S3 Professional Ethics and Standards S4 Competence S6 Performance of Audit work

60) Current ISACA IT audit and assurance standards include the following performance standards: S1 Audit charter S5 Planning S9 Irregularities and Illegal Acts S10 IT Governance S11 Use of Risk Assessment in Audit Planning S12 Audit Materiality S13 Using the work of other experts S14 Audit Evidence S15 IT Controls S16 E-Commerce

61) Voice over IP (voice over Internet Protocol, VoIP) is a methodology and group of

technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. VoIP services that utilize existing broadband Internet access, by which subscribers place and receive telephone calls in much the same manner as they would via the public switched telephone network (PSTN). 62) A Session Border Controller (SBC) is a device regularly deployed in Voice over Internet Protocol (VoIP) networks to exert control over the signaling and usually also the media streams involved in setting up, conducting, and tearing down telephone calls or other interactive media communications. To protect a VoIP infrastructure against a denial-

of-service attack, it is MOST important to secure the SBC.

63) Honeypots - Honeypot is a trap set to detect, deflect, or in some manner counteract attempts

at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers. Honeypots acts as a decoy to detect active internet attack. 64) Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages areencrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence or counter-intelligence, and is a concern in computer security.

65)

An IS auditor has just completed a review of an organization that has a mainframe and a client-server environment where all production data reside. The weakness that would be considered most serious is Password controls are not administered over the clientserver environment.

66)

A utility is available to update critical tables in case of data inconsistency. This utility can be executed at the OS prompt or as one menu option in an application. The BEST control to mitigate the risk of unauthorized manipulation of data is to provide access to
the utility on a need-to-use basis.

67)

To address a maintenance problem, a vendor needs remote access to a critical network. The MOST secure and effective solution is to provide the vendor with a
secure shell (SSH-2) tunnel for the duration of the problem.

Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers that connects, via a secure channel over an insecure network, a server and [1] a client (running SSH server and SSH client programs, respectively). The protocol specification distinguishes between two major versions that are referred to as SSH-1 and SSH-2.
68) 69) 70)

MOST appropriate to ensure the confidentiality of transactions initiated via the Internet is the public key encryption. In the event of a data center disaster, the MOST appropriate strategy to enable complete recovery of a critical database is Real-time replication to a remote site. A PRIMARY objective of testing a business continuity plan (BCP) is to identify limitations of the BCP.