
SUGGESTED ANSWERS MODEL PAPER 1 of 7

INFORMATION SYSTEMS AND I.T. AUDIT SEMESTER


The suggested answers provided on and made available through the Institute's website may only be referred, relied upon or treated as a guide and substitute for professional advice. The Institute does not take any responsibility about the accuracy, completeness or currency of the information provided in the suggested answers. Therefore, the Institute is not liable to attend or receive any comments, observations or critics related to the suggested answers.
Total Marks = 80
Q.2 Case:
a) The hybrid nature of EDI adds a new dimension to the design and auditing of the
EDI process. The traditional procedures for managed and controlled
implementation of system software (requirements definition, version and
release identification, testing, and limited implementation with a fallback strategy)
apply to software used for EDI. In addition, there are issues and risks unique to
EDI.
Foremost of these risks is transaction authorization. Since the interaction between
parties is electronic, there is no inherent authentication occurring. Computerized data
can look the same no matter what the source and do not include any distinguishing
human element or signature.
Where responsibilities of trading partners are not clearly defined by a trading partner
agreement, there could be uncertainty related to specific, legal liability. Therefore, it is
important that, to protect both parties, any agreement be codified legally in what is
known as a trading partner agreement. Another risk is the loss of business continuity.
Corruption of EDI applications, whether done innocently or deliberately, could affect
every EDI transaction undertaken by a company. This would have a negative impact on
both customer and vendor relations. In an extreme situation, it could ultimately affect the
ability of a company to stay in business.
Additional security risks include:
- Unauthorized access to electronic transactions
- Deletion or manipulation of transactions prior to or after establishment of application controls
- Loss or duplication of EDI transmissions
- Loss of confidentiality and improper distribution of EDI transactions while in the possession of third parties.
b) Some of the concerns are:
- What are the applications running?
- What are the bandwidth needs?
- What is the area to be covered and what are the physical constraints?
- What is the budget?
- What are the remote management needs?
- What are the security needs?
c) Since connectivity to the servers is over the Internet, the prohibition against strong
encryption will place any transmitted data at risk. The limitation of liability is a standard
industry practice. Standards should be set to indicate that the message format and
content are valid to avoid transmission errors. Controls should be established to guard
against manipulation of data. Attempts to change records should be recorded by the
system for management review and attention. Procedures should be established to
determine that messages are only from authorized parties and that transmissions are
properly authorized. Data should be encrypted using algorithms agreed on by the parties
involved. Electronic signatures should be in the transmissions to identify the source and
destination. Message authentication codes should exist to ensure that what is sent is
received.
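The controls listed in (c), and the duplication and authorization risks listed in (a), can be exercised in code. The Python below is an added example and is not part of the suggested answer: a receiving EDI system verifies an HMAC-SHA256 tag over each transmission (the message authentication code), checks that the sender is a known trading partner and that the message is addressed to itself, and rejects a repeated control number as a duplicate transmission. The shared key, partner identifiers, purchase-order fields and the rejection log format are all constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demo secret shared by the two trading partners; a real deployment
# would distribute it under the trading partner agreement, never hard-code it.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def canonical_bytes(envelope: dict) -> bytes:
    """Serialize the envelope deterministically so both sides MAC identical bytes."""
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode("utf-8")


def compute_mac(key: bytes, envelope: dict) -> str:
    """HMAC-SHA256 over the canonical envelope, hex-encoded."""
    return hmac.new(key, canonical_bytes(envelope), hashlib.sha256).hexdigest()


def build_transmission(key: bytes, sender: str, receiver: str,
                       control_number: int, body: dict) -> dict:
    """Sending side: attach source, destination, a control number and the MAC."""
    envelope = {
        "sender": sender,
        "receiver": receiver,
        "control_number": control_number,
        "body": dict(body),  # copy so later edits to the caller's dict do not leak in
    }
    return {"envelope": envelope, "mac": compute_mac(key, envelope)}


class EdiReceiver:
    """Receiving side: MAC check, authorized-party check, duplicate detection."""

    def __init__(self, key: bytes, own_id: str, authorized_senders: set):
        self.key = key
        self.own_id = own_id
        self.authorized = authorized_senders
        self.seen = set()   # (sender, control_number) pairs already accepted
        self.log = []       # rejected transmissions, recorded for management review

    def accept(self, transmission: dict) -> bool:
        envelope = transmission["envelope"]
        ctrl = envelope.get("control_number")
        expected = compute_mac(self.key, envelope)
        # compare_digest runs in constant time, so the tag cannot be guessed byte by byte
        if not hmac.compare_digest(expected, transmission["mac"]):
            self.log.append(("MAC_MISMATCH", ctrl))
            return False
        if envelope["sender"] not in self.authorized or envelope["receiver"] != self.own_id:
            self.log.append(("UNAUTHORIZED_PARTY", ctrl))
            return False
        if (envelope["sender"], ctrl) in self.seen:
            self.log.append(("DUPLICATE", ctrl))
            return False
        self.seen.add((envelope["sender"], ctrl))
        return True


def demo() -> dict:
    """Deliver a clean order, a replayed copy, a tampered order and one from an unknown party."""
    rx = EdiReceiver(SHARED_KEY, own_id="SELLER01", authorized_senders={"BUYER01"})
    order = {"po": "PO-1001", "sku": "WIDGET-7", "qty": 50}  # constructed sample order
    results = {"accepted": 0, "rejected": 0}

    def deliver(t):
        results["accepted" if rx.accept(t) else "rejected"] += 1

    first = build_transmission(SHARED_KEY, "BUYER01", "SELLER01", 1, order)
    deliver(first)          # valid: accepted
    deliver(first)          # same control number again: duplicate transmission
    tampered = build_transmission(SHARED_KEY, "BUYER01", "SELLER01", 2, order)
    tampered["envelope"]["body"]["qty"] = 5000   # quantity altered in transit
    deliver(tampered)       # MAC no longer matches the received bytes
    stranger = build_transmission(SHARED_KEY, "UNKNOWN99", "SELLER01", 3, order)
    deliver(stranger)       # correct MAC, but the sender is not a trading partner
    return {**results, "log": list(rx.log)}


if __name__ == "__main__":
    print(demo())
```

A MAC is symmetric: any party holding the key can produce a valid tag, so it proves that the received bytes match what a key holder sent, not which key holder sent them. That is why the answer pairs message authentication codes with electronic signatures for identifying the source.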
d) Effective IT governance can be accomplished only by involvement of the senior
management in approving policy, appropriate monitoring and metrics as well as
reporting and trend analysis. The tone at the top must be conducive to effective IT
governance. It is unreasonable to expect lower-level personnel to abide by governance
measures if they are not exercised by senior management. Executive management
endorsement of intrinsic governance requirements provides the basis for ensuring that
security expectations are met at all levels of the enterprise. Penalties for noncompliance
must be defined, communicated and enforced from the senior management level down.
e) Two-factor authentication involving the use of biometrics would be effective. Retina
scanning may be highest in terms of effectiveness from a control perspective.
f) Based on the inputs received from the BIA, criticality analysis and recovery strategy
selected by management, a detailed BCP and DRP should be developed or reviewed.
They should address all the issues included in the business continuity scope that are
involved in interruption to business processes, including recovering from a disaster.
Q.3 (a) Capacity planning should include projections substantiated by past experience,
considering the growth of existing business as well as future expansions. The following
information is key to the successful completion of this task:
- CPU utilization (e.g., SAN)
- Computer storage utilization
- Telecommunications, LAN and WAN bandwidth utilization
- I/O channel utilization
- Number of users
- New technologies
- New applications
- SLAs.
Q.3 (b) There are three major types of database structure: hierarchical, network and relational.
Of these, the first two were mainly used prior to 1990 and have been mostly replaced by
relational databases.
Hierarchical database model: In this model there is a hierarchy of parent and child data
segments. To create links between them, this model uses parent-child relationships.
These are 1:N (one-to-many) mappings between record types represented by logical
trees, as shown in exhibit 4.11. A child segment is restricted to having only one parent
segment, so data duplication is necessary to express relationships to multiple parents.
Subordinate segments are retrieved through the parent segment. Reverse pointers are
not allowed. When the data relationships are hierarchical, the database is easy to
implement, modify and search.
Network database model: In the network model, the basic data modeling construct is
called a set. A set is formed by an owner record type, a member record type and a
name. A member record type can have that role in more than one set, so a multi-owner
relationship is allowed. An owner record type can also be a member or owner in another
set. Usually, a set defines a 1:N relationship, although one-to-one (1:1) is permitted. A
disadvantage of the network model is that such structures can be extremely complex
and difficult to comprehend, modify or reconstruct in case of failure. This model is rarely
used in current environments. The hierarchical and network models do not support high-
level queries. The user programs have to navigate the data structures.
Relational database model: The relational model is based on set theory and
relational calculus. A relational database allows the definition of data structures,
storage, retrieval operations and integrity constraints. In such a database, the data and
relationships among these data are organized in tables. A table is a collection of rows,
also known as tuples, and each tuple in a table contains the same columns. Columns,
called domains or attributes, correspond to fields. Tuples are equal to records in a
conventional file structure.
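The relational model's defining features, tables of tuples with named attributes, declared integrity constraints, and high-level queries that the database resolves without the program navigating any structure, can be shown with a small database. The Python below is an added example, not part of the suggested answer; it uses the standard-library sqlite3 module with two constructed tables (customer and purchase_order) and shows the engine rejecting a foreign-key violation, a duplicate primary key and a CHECK violation, then answering a set-oriented query.

```python
import sqlite3

# Constructed schema: a primary key per table, a foreign key linking the two,
# and a CHECK constraint on the amount.
SCHEMA = """
CREATE TABLE customer (
    customer_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL
);
CREATE TABLE purchase_order (
    po_number   TEXT PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(customer_id),
    amount      REAL NOT NULL CHECK (amount > 0)
);
"""


def open_db() -> sqlite3.Connection:
    """In-memory database loaded with constructed sample tuples."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customer VALUES (?, ?)",
                     [(1, "Acme Ltd"), (2, "Globex")])
    conn.executemany("INSERT INTO purchase_order VALUES (?, ?, ?)",
                     [("PO-1001", 1, 250.0), ("PO-1002", 1, 80.0), ("PO-2001", 2, 1200.0)])
    conn.commit()
    return conn


def try_insert_order(conn: sqlite3.Connection, po_number: str,
                     customer_id: int, amount: float) -> str:
    """Insert one tuple; return 'ok' or the integrity constraint the engine reported."""
    try:
        with conn:  # commits on success, rolls back if the statement fails
            conn.execute("INSERT INTO purchase_order VALUES (?, ?, ?)",
                         (po_number, customer_id, amount))
        return "ok"
    except sqlite3.IntegrityError as exc:
        return str(exc)


def orders_per_customer(conn: sqlite3.Connection) -> list:
    """Declarative query: the program states what it wants, not how to traverse records."""
    cur = conn.execute("""
        SELECT c.name, COUNT(p.po_number), COALESCE(SUM(p.amount), 0)
        FROM customer c
        LEFT JOIN purchase_order p ON p.customer_id = c.customer_id
        GROUP BY c.customer_id
        ORDER BY c.name
    """)
    return cur.fetchall()


if __name__ == "__main__":
    db = open_db()
    print(try_insert_order(db, "PO-3001", 99, 10.0))   # no such customer
    print(try_insert_order(db, "PO-1001", 2, 10.0))    # duplicate primary key
    print(try_insert_order(db, "PO-3002", 2, -5.0))    # CHECK (amount > 0) fails
    print(orders_per_customer(db))
```

Each rejected insert is refused by the database itself rather than by application code, which is what makes integrity constraints an auditable control: they hold regardless of which program writes to the tables.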
Q.4 (a) Some of the risks are:
a) Organization may not achieve economies of scale through the deployment of
reusable component software.
b) In-house staff may not be able to devote enough time and focus to a given project,
or work on it as effectively and efficiently, because of other activities they are
performing.
c) In-house staff may not have the necessary experience with a wider array of
problems, issues and techniques required to develop the software.
ISACA IS Auditing Standards require that the responsibility, authority and accountability
of the IS audit function are appropriately documented in an audit charter or engagement
letter. It should be noted that an audit charter is an overarching document that covers
the entire scope of audit activities in an entity while an engagement letter is more
focused on a particular audit exercise that is sought to be initiated in an organization
with a specific objective in mind.
Q.4 (b) E-commerce, as any other form of commerce, depends on the existence of a
level of trust between two parties. For example, the Internet presents a challenge
between the buyer and seller, similar to those a catalog or direct-mail retailer faces. The
challenges are proving to the buyer that the seller is who they say they are, proving to
the buyer that their personal information such as credit card numbers (and other
personally identifiable information) remains confidential and that the seller cannot later
refute the occurrence of a valid transaction. Therefore some of the most important
elements at risk are:
Confidentiality: Potential consumers are concerned about providing unknown vendors
with personal (sometimes sensitive) information for a number of reasons including the
possible theft of credit card information from the vendor following a purchase.
Connecting to the Internet via a browser requires running software on the computer that
has been developed by someone unknown to the organization. Moreover, the medium
of the Internet is a broadcast network, which means that whatever is placed on it is
routed over wide-ranging and essentially uncontrolled paths.
Integrity: Data, both in transit and in storage, could be susceptible to unauthorized
alteration or deletion (i.e., hacking or the e-business system itself could have design or
configuration problems).
Availability: The Internet holds out the promise of doing business on a 24-hour, seven-
day-a-week basis. Hence high availability is important with any system's failure
becoming immediately apparent to customers or business partners.
Authentication and nonrepudiation: The parties to an electronic transaction should
be in a known and trusted business relationship, which requires that they prove their
respective identities before executing the transaction, to prevent man-in-the-middle
attacks (i.e., preventing the seller from being an impostor). Then, after the fact, there
must be some manner of ensuring that the transacting parties cannot deny that the
transaction was entered into and the terms on which it was completed.
Power shift to customers: The Internet gives consumers unparalleled access to
market information and generally makes it easier to shift between suppliers. Firms
participating in e-business need to make their offerings attractive and seamless in terms
of service delivery. This will involve not only system design, but also reengineering of
business processes. Back-end support processes need to be as efficient as possible
because, in many cases, doing business over the Internet forces down prices (e.g.,
online share brokering). To avoid losing their competitive advantage of doing business
online, firms need to enhance their services, differentiate from the competition and build
additional value. Hence the drive to personalize web sites by targeting content based on
analyzed customer behavior and allowing direct contact with staff through instant
messaging technology and other means.
Q.5 (a) When acquiring a system, some of the issues to be considered include:
a) Organizational descriptions indicating whether the computer facilities are
centralized, distributed, outsourced, manned or lights-out.
b) Information processing requirements.
c) Hardware requirements.
d) System software applications.
e) Support requirements.
f) Adaptability requirements.
g) Conversion requirements.
Q.5 (b) Actual job titles and organizational structures vary greatly from one organization to
another depending on the size and nature of the business. However, it is important for
an IS auditor to obtain information to assess the relationship among various job
functions, responsibilities and authorities in assessing adequate segregation of duties.
Compensating controls are internal controls that are intended to reduce the risk of an
existing or potential control weakness when duties cannot be appropriately segregated.
The organization structure and roles should be taken into account in determining the
appropriate controls for the relevant environment. For example, an organization may not
have all the positions described in the matrix or one person may be responsible for
many of the roles described. The size of the IT department may also be an important
factor that should be considered; i.e., certain combinations of roles in an IT department
of a certain size should never be used. However, if for some reason combined roles are
required, then compensating controls should be described.
Q.6 (a) The IS auditor can use the following:
1. By identifying the significant application components and the flow of information
through the system, and gaining a detailed understanding of the application by
reviewing the available documentation and interviewing appropriate personnel.
2. By identifying the application control strengths and evaluating the impact of the
control weaknesses to develop a testing strategy by analyzing the accumulated
information.
3. By reviewing application system documentation to provide an understanding of
the functionality of the application. In many cases (mainly in large systems or
packaged software) it is not feasible to review the whole application
documentation. Thus a selective review should be performed. If an application is
vendor supplied, technical and user manuals should be reviewed. Any changes
to applications should be documented properly.
Q.6 (b) Some of the information protection measures are:
- Declaring ownership of programs, files and storage
- Limiting access to a read-only basis
- Implementing record and file locking to prevent simultaneous update
- Enforcing user ID/password sign-on procedures, including the rules relating to password length, format and change frequency
- Using switches to implement port security policies rather than hubs or non-manageable switches. This will prevent unauthorized hosts, with unknown MAC addresses, from connecting to the LAN.
- Encrypting local traffic using the IPSec (IP security) protocol.
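The measure "record and file locking to prevent simultaneous update" guards against the lost-update problem: two sessions each read a value, compute a new one and write it back, and the second write silently discards the first. The Python below is an added example, not part of the suggested answer. It uses the standard-library sqlite3 module on a constructed one-row account table, first reproducing the lost update with no lock held across the read, then showing a session that takes the write lock before reading (BEGIN IMMEDIATE) so the second session is refused until the first commits. The table, balances and debit amounts are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile


def make_db() -> str:
    """Create a throwaway database file holding one constructed account row."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE account (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("INSERT INTO account VALUES (1, 100)")
    conn.commit()
    conn.close()
    return path


def read_balance(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT balance FROM account WHERE id = 1").fetchone()[0]


def lost_update_without_locking() -> int:
    """Two sessions read, compute and write back with no lock held across the read."""
    path = make_db()
    try:
        a = sqlite3.connect(path, isolation_level=None)  # autocommit: each statement stands alone
        b = sqlite3.connect(path, isolation_level=None)
        a_seen = read_balance(a)   # 100
        b_seen = read_balance(b)   # also 100, read before A writes
        a.execute("UPDATE account SET balance = ? WHERE id = 1", (a_seen - 30,))  # 70
        b.execute("UPDATE account SET balance = ? WHERE id = 1", (b_seen - 50,))  # 50, A's debit lost
        final = read_balance(a)
        a.close()
        b.close()
        return final
    finally:
        os.remove(path)


def update_with_record_lock() -> dict:
    """Session A locks before it reads; session B is refused until A commits."""
    path = make_db()
    try:
        # timeout=0: a writer that cannot get the lock fails at once instead of waiting
        a = sqlite3.connect(path, timeout=0, isolation_level=None)
        b = sqlite3.connect(path, timeout=0, isolation_level=None)
        a.execute("BEGIN IMMEDIATE")  # acquire the write lock up front
        a.execute("UPDATE account SET balance = ? WHERE id = 1", (read_balance(a) - 30,))
        try:
            b.execute("UPDATE account SET balance = balance - 50 WHERE id = 1")
            b_blocked = False
        except sqlite3.OperationalError as exc:
            b_blocked = "locked" in str(exc)  # "database is locked" while A holds the lock
        a.execute("COMMIT")
        # B retries once the lock is released and works from A's committed value
        b.execute("UPDATE account SET balance = balance - 50 WHERE id = 1")
        final = read_balance(b)
        a.close()
        b.close()
        return {"b_blocked": b_blocked, "final_balance": final}
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("without locking:", lost_update_without_locking())   # 50: one debit lost
    print("with locking:", update_with_record_lock())          # 20: both debits applied
```

The unlocked run ends at 50 although 80 was debited in total; the locked run ends at the correct 20 because the second session cannot write until the first has committed, and then recomputes from the committed value. For an auditor, the control to look for is that the lock is taken before the read, not merely around the write.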
THE END
