INFORMATION SYSTEMS AND I.T. AUDIT
SUGGESTED ANSWERS MODEL PAPER

The suggested answers provided on and made available through the Institute's website may only be referred, relied upon or treated as a guide and substitute for professional advice. The Institute does not take any responsibility about the accuracy, completeness or currency of the information provided in the suggested answers. Therefore, the Institute is not liable to attend or receive any comments, observations or critics related to the suggested answers.

Total Marks = 80

Q.2 Case:

a) The hybrid nature of EDI adds a new dimension to the design and auditing of the EDI process. The traditional procedures for managed and controlled implementation of system software, such as requirements definition, version and release identification, testing and limited implementation with a fallback strategy, apply to software used for EDI. In addition, there are issues and risks unique to EDI.

Foremost of these risks is transaction authorization. Since the interaction between parties is electronic, there is no inherent authentication occurring. Computerized data can look the same no matter what the source and do not include any distinguishing human element or signature. Where the responsibilities of trading partners are not clearly defined by a trading partner agreement, there could be uncertainty related to specific legal liability. Therefore, to protect both parties, it is important that any agreement be codified legally in what is known as a trading partner agreement.

Another risk is the loss of business continuity. Corruption of EDI applications, whether done innocently or deliberately, could affect every EDI transaction undertaken by a company. This would have a negative impact on both customer and vendor relations. In an extreme situation, it could ultimately affect the ability of a company to stay in business.
Additional security risks include:
- Unauthorized access to electronic transactions
- Deletion or manipulation of transactions prior to or after establishment of application controls
- Loss or duplication of EDI transmissions
- Loss of confidentiality and improper distribution of EDI transactions while in the possession of third parties.

b) Some of the concerns are:
- What are the applications running?
- What are the bandwidth needs?
- What is the area to be covered and what are the physical constraints?
- What is the budget?
- What are the remote management needs?
- What are the security needs?

c) Since connectivity to the servers is over the Internet, the prohibition against strong encryption will place any transmitted data at risk. The limitation of liability is a standard industry practice. Standards should be set to indicate that the message format and content are valid, to avoid transmission errors. Controls should be established to guard against manipulation of data. Attempts to change records should be recorded by the system for management review and attention. Procedures should be established to determine that messages are only from authorized parties and that transmissions are properly authorized. Data should be encrypted using algorithms agreed on by the parties involved. Electronic signatures should be included in the transmissions to identify the source and destination. Message authentication codes should exist to ensure that what is sent is what is received.

d) Effective IT governance can be accomplished only by the involvement of senior management in approving policy, appropriate monitoring and metrics, as well as reporting and trend analysis. The tone at the top must be conducive to effective IT governance. It is unreasonable to expect lower-level personnel to abide by governance measures if they are not exercised by senior management.
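As an added illustration, not part of the model answer, the receiving-side controls listed in Q.2(c) above in Python: message format validation, acceptance only from authorized trading partners, a message authentication code to confirm that what was sent is what was received, detection of duplicate transmissions, and an audit record of every decision for management review. The partner table, the shared keys and the envelope layout are constructed for this example.

```python
import hmac, hashlib, json

# Constructed trading-partner table for this example: partner ID -> shared MAC key.
# Assumption: keys were exchanged under the trading partner agreement; in a real
# deployment they would be held in a key store, not in source code.
PARTNERS = {"ACME01": b"constructed-key-acme", "BOLT77": b"constructed-key-bolt"}
REQUIRED = ("sender", "receiver", "ctrl_no", "body")   # mandatory envelope fields
AUDIT_LOG = []   # every accept/reject decision, kept for management review
SEEN = set()     # (sender, ctrl_no) pairs already processed

def mac_for(key, msg):
    """MAC over the protected fields in a canonical form, so the receiver can
    recompute it and confirm that what was sent is what was received."""
    canon = json.dumps({k: msg[k] for k in REQUIRED}, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def send(sender, receiver, ctrl_no, body):
    """Sender side: build the envelope and attach the MAC."""
    msg = {"sender": sender, "receiver": receiver, "ctrl_no": ctrl_no, "body": body}
    msg["mac"] = mac_for(PARTNERS[sender], msg)
    return msg

def audit(msg, outcome):
    AUDIT_LOG.append({"sender": msg.get("sender"), "ctrl_no": msg.get("ctrl_no"),
                      "outcome": outcome})

def receive(msg):
    """Receiver side: the control checks from the answer, in order. Returns True
    only if the transaction may proceed to application processing."""
    # 1. Format validity: every mandatory field must be present.
    if any(k not in msg for k in REQUIRED + ("mac",)):
        audit(msg, "REJECT: invalid message format")
        return False
    # 2. Only authorized trading partners may submit transactions.
    key = PARTNERS.get(msg["sender"])
    if key is None:
        audit(msg, "REJECT: sender not an authorized trading partner")
        return False
    # 3. MAC check: any change to the protected fields in transit alters the MAC.
    if not hmac.compare_digest(mac_for(key, msg), msg["mac"]):
        audit(msg, "REJECT: MAC mismatch, possible manipulation")
        return False
    # 4. Duplicate transmission check on the partner's control number.
    if (msg["sender"], msg["ctrl_no"]) in SEEN:
        audit(msg, "REJECT: duplicate transmission")
        return False
    SEEN.add((msg["sender"], msg["ctrl_no"]))
    audit(msg, "ACCEPT")
    return True
```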
Executive management endorsement of intrinsic governance requirements provides the basis for ensuring that security expectations are met at all levels of the enterprise. Penalties for noncompliance must be defined, communicated and enforced from the senior management level down.

e) Two-factor authentication involving the use of biometrics would be effective. Retina scanning may be highest in terms of effectiveness from a control perspective.

f) Based on the inputs received from the BIA, the criticality analysis and the recovery strategy selected by management, a detailed BCP and DRP should be developed or reviewed. They should address all the issues included in the business continuity scope that are involved in an interruption to business processes, including recovering from a disaster.

Q.3 (a) Capacity planning should include projections substantiated by past experience, considering the growth of existing business as well as future expansions. The following information is key to the successful completion of this task:
- CPU utilization
- Computer storage utilization (e.g., SAN)
- Telecommunications, LAN and WAN bandwidth utilization
- I/O channel utilization
- Number of users
- New technologies
- New applications
- SLAs.

Q.3 (b) There are three major types of database structure: hierarchical, network and relational. Of these, the first two were mainly used prior to 1990 and have been mostly replaced by relational databases.
Hierarchical database model: In this model there is a hierarchy of parent and child data segments. To create links between them, this model uses parent-child relationships. These are 1:N (one-to-many) mappings between record types represented by logical trees, as shown in exhibit 4.11. A child segment is restricted to having only one parent segment, so data duplication is necessary to express relationships to multiple parents. Subordinate segments are retrieved through the parent segment. Reverse pointers are not allowed. When the data relationships are hierarchical, the database is easy to implement, modify and search.

Network database model: In the network model, the basic data modeling construct is called a set. A set is formed by an owner record type, a member record type and a name. A member record type can have that role in more than one set, so a multi-owner relationship is allowed. An owner record type can also be a member or owner in another set. Usually, a set defines a 1:N relationship, although one-to-one (1:1) is permitted. A disadvantage of the network model is that such structures can be extremely complex and difficult to comprehend, modify or reconstruct in case of failure. This model is rarely used in current environments. The hierarchical and network models do not support high-level queries; the user programs have to navigate the data structures.

Relational database model: The relational model is based on set theory and relational calculations. A relational database allows the definition of data structures, storage, retrieval operations and integrity constraints. In such a database, the data and the relationships among these data are organized in tables. A table is a collection of rows, also known as tuples, and each tuple in a table contains the same columns. Columns, called domains or attributes, correspond to fields.
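As an added illustration, not part of the model answer, three points made above about the hierarchical and relational models in Python: the duplication forced by a child segment having only one parent, the program-driven navigation needed where no high-level query exists, and an integrity constraint enforced by the DBMS. The bill-of-materials data is constructed for this example and the relational side uses SQLite.

```python
import sqlite3

# Constructed bill-of-materials data: two assemblies both use the part "bolt".
# Hierarchical model: a child segment has exactly one parent, so the shared part
# is stored once under each assembly (the data duplication the text mentions).
HIERARCHY = {
    "engine":  [{"part": "bolt", "qty": 12}, {"part": "piston", "qty": 4}],
    "gearbox": [{"part": "bolt", "qty": 8},  {"part": "gear", "qty": 5}],
}

def hierarchical_assemblies_using(part):
    """No high-level query and no reverse pointers: the program itself walks
    every parent and its subordinate segments to find who uses the part."""
    return sorted(asm for asm, kids in HIERARCHY.items()
                  if any(k["part"] == part for k in kids))

def hierarchical_copies_of(part):
    return sum(k["part"] == part for kids in HIERARCHY.values() for k in kids)

def build_relational():
    """Relational model: tables of tuples (rows) with attributes (columns); the
    shared part is one tuple and each 1:N link is a row in a separate table."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # enforce referential integrity
    db.executescript("""
        CREATE TABLE assembly(name TEXT PRIMARY KEY);
        CREATE TABLE part(name TEXT PRIMARY KEY);
        CREATE TABLE uses(assembly TEXT NOT NULL REFERENCES assembly(name),
                          part     TEXT NOT NULL REFERENCES part(name),
                          qty      INTEGER NOT NULL CHECK (qty > 0),
                          PRIMARY KEY (assembly, part));""")
    for asm, kids in HIERARCHY.items():
        db.execute("INSERT INTO assembly VALUES (?)", (asm,))
        for k in kids:
            db.execute("INSERT OR IGNORE INTO part VALUES (?)", (k["part"],))
            db.execute("INSERT INTO uses VALUES (?, ?, ?)", (asm, k["part"], k["qty"]))
    return db

def relational_assemblies_using(db, part):
    """The same question as one declarative query; the DBMS does the navigation."""
    rows = db.execute("SELECT assembly FROM uses WHERE part = ? ORDER BY assembly", (part,))
    return [r[0] for r in rows]

def relational_rejects_orphan_link(db):
    """Integrity constraint: a link to a nonexistent assembly is refused by the DBMS."""
    try:
        db.execute("INSERT INTO uses VALUES ('axle', 'bolt', 2)")
        return False
    except sqlite3.IntegrityError:
        return True
```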
Tuples are equal to records in a conventional file structure.

Q.4 (a) Some of the risks are:
a) The organization may not achieve economies of scale through the deployment of reusable component software.
b) In-house staff may not be able to give much time to, or focus as effectively and efficiently on, a given project because of other activities they are performing.
c) In-house staff may not have the necessary experience with a wider array of problems, issues and techniques required to develop the software.

ISACA IS Auditing Standards require that the responsibility, authority and accountability of the IS audit function be appropriately documented in an audit charter or engagement letter. It should be noted that an audit charter is an overarching document that covers the entire scope of audit activities in an entity, while an engagement letter is more focused on a particular audit exercise that is sought to be initiated in an organization with a specific objective in mind.

Q.4 (b) E-commerce, as any other form of commerce, depends on the existence of a level of trust between two parties. For example, the Internet presents a challenge between the buyer and seller similar to those a catalog or direct-mail retailer faces. The challenges are proving to the buyer that the seller is who they say they are, proving to the buyer that their personal information, such as credit card numbers (and other personally identifiable information), remains confidential, and ensuring that the seller cannot later refute the occurrence of a valid transaction. Therefore, some of the most important elements at risk are:

Confidentiality: Potential consumers are concerned about providing unknown vendors with personal (sometimes sensitive) information for a number of reasons, including the possible theft of credit card information from the vendor following a purchase.
Connecting to the Internet via a browser requires running software on the computer that has been developed by someone unknown to the organization. Moreover, the medium of the Internet is a broadcast network, which means that whatever is placed on it is routed over wide-ranging and essentially uncontrolled paths.

Integrity: Data, both in transit and in storage, could be susceptible to unauthorized alteration or deletion (i.e., hacking, or the e-business system itself could have design or configuration problems).

Availability: The Internet holds out the promise of doing business on a 24-hour, seven-day-a-week basis. Hence, high availability is important, with any system failure becoming immediately apparent to customers or business partners.

Authentication and nonrepudiation: The parties to an electronic transaction should be in a known and trusted business relationship, which requires that they prove their respective identities before executing the transaction, thereby preventing man-in-the-middle attacks (i.e., preventing the seller from being an impostor). Then, after the fact, there must be some manner of ensuring that the transacting parties cannot deny that the transaction was entered into and the terms on which it was completed.

Power shift to customers: The Internet gives consumers unparalleled access to market information and generally makes it easier to shift between suppliers. Firms participating in e-business need to make their offerings attractive and seamless in terms of service delivery. This will involve not only system design, but also reengineering of business processes. Back-end support processes need to be as efficient as possible because, in many cases, doing business over the Internet forces down prices (e.g., online share brokering).
To avoid losing their competitive advantage of doing business online, firms need to enhance their services, differentiate from the competition and build additional value. Hence the drive to personalize web sites by targeting content based on analyzed customer behavior and allowing direct contact with staff through instant messaging technology and other means.

Q.5 (a) When acquiring a system, some of the issues to be considered include:
a) Organizational descriptions indicating whether the computer facilities are centralized, distributed, outsourced, manned or lights-out.
b) Information processing requirements.
c) Hardware requirements.
d) System software applications.
e) Support requirements.
f) Adaptability requirements.
g) Conversion requirements.

Q.5 (b) Actual job titles and organizational structures vary greatly from one organization to another, depending on the size and nature of the business. However, it is important for an IS auditor to obtain information to assess the relationship among various job functions, responsibilities and authorities in assessing adequate segregation of duties. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness when duties cannot be appropriately segregated. The organization structure and roles should be taken into account in determining the appropriate controls for the relevant environment. For example, an organization may not have all the positions described in the matrix, or one person may be responsible for many of the roles described. The size of the IT department may also be an important factor that should be considered; i.e., certain combinations of roles in an IT department of a certain size should never be used. However, if for some reason combined roles are required, then compensating controls should be described.

Q.6 (a) The IS auditor can use the following:
- By identifying the significant application components and the flow of information through the system, and gaining a detailed understanding of the application by reviewing the available documentation and interviewing appropriate personnel.
- By identifying the application control strengths and evaluating the impact of the control weaknesses to develop a testing strategy by analyzing the accumulated information.
- By reviewing application system documentation to provide an understanding of the functionality of the application. In many cases, mainly in large systems or packaged software, it is not feasible to review the whole application documentation. Thus a selective review should be performed. If an application is vendor supplied, technical and user manuals should be reviewed. Any changes to applications should be documented properly.

Q.6 (b) Some of the information protection measures are:
- Declaring ownership of programs, files and storage
- Limiting access to a read-only basis
- Implementing record and file locking to prevent simultaneous update
- Enforcing user ID/password sign-on procedures, including the rules relating to password length, format and change frequency
- Using switches to implement port security policies rather than hubs or non-manageable switches. This will prevent unauthorized hosts, with unknown MAC addresses, from connecting to the LAN.
- Encrypting local traffic using the IPSec (IP security) protocol.

THE END