
Tuesday, December 26, 2017

Decision trees

Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached. Rules refer to the expression of declarative knowledge through the use of if-then relationships.

Semantic nets consist of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes. Semantic nets resemble a dataflow diagram and make use of an inheritance mechanism to prevent duplication of data.

Elliptic curve cryptography (ECC) vs. RSA

The main advantage of elliptic curve encryption over RSA encryption is its computation speed: ECC gives equivalent security with much shorter keys, so key generation, signing and key agreement need fewer and smaller arithmetic operations (RSA's public-key operations, encryption and signature verification, remain fast because of the small public exponent; ECC's edge is on the private-key side). The method was first independently suggested by Neal Koblitz and Victor S. Miller in 1985.

Both methods support digital signatures and are used for public key encryption and key distribution. However, a stronger (longer) key per se does not guarantee better performance; what matters is the algorithm employed. For example, a 256-bit ECC key is considered roughly as strong as a 3072-bit RSA key (NIST SP 800-57).

A comparison between traditional RSA and elliptic curve cryptography:

Advantages of RSA:
  1. Well established, widely deployed and well understood.
  2. Fast public-key operations (encryption and signature verification) with a small public exponent such as 65537.
Advantages of elliptic curve:
  1. Shorter keys are as strong as long keys for RSA (see the IEEE paper).
  2. Low CPU consumption, particularly for key generation, signing and key agreement.
  3. Low memory usage (and less bandwidth for keys and signatures).

IPSec

IPsec works with two basic packet components: ESP and AH. ESP encrypts the data and carries it in an Encapsulating Security Payload, so it is the component that protects the data itself (ESP can also authenticate the payload). AH, though essential, provides integrity and origin authentication for the packet but no confidentiality, so it does not protect the data from disclosure. Semantic nets are part of artificial intelligence and have nothing to do with data protection. Digital signatures are not used for per-packet protection in IPsec (ESP and AH use keyed integrity check values, i.e. MACs), so they do not provide the data protection asked about; they do appear in IKE for peer authentication.

What is the ESP protocol?
Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. In IPsec it provides origin authenticity, integrity and confidentiality protection of packets.

The basic idea of IPsec is to provide security functions, authentication and encryption, at the IP (Internet Protocol) level. This requires a higher-level protocol (IKE, the Internet Key Exchange) to negotiate the keys and security associations used by the IP-level services (ESP and AH).

Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection (every ESP/AH packet carries a sequence number that the receiver checks against a sliding window, so a captured packet cannot simply be re-sent).
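The replay protection mentioned above is worth seeing in code. The following is an added example, not part of the original notes and not code from any IPsec implementation: it parses the fixed part of an ESP header (SPI and sequence number) from constructed packets and applies the sliding anti-replay window described in RFC 4303 section 3.4.3. The SPI value, the sequence numbers and the zero-filled stand-in for the encrypted payload are all constructed for the illustration.

```python
# Added example (not from the original notes): the anti-replay check an ESP or AH
# receiver performs, following the sliding-window method of RFC 4303 section 3.4.3.
# Written from scratch; the packets below are constructed and the "encrypted payload"
# is a zero-filled stand-in.
from __future__ import annotations

import struct
from typing import Dict, List, Tuple

ESP_HEADER = struct.Struct("!II")  # SPI, then sequence number, both 32-bit big-endian


def parse_esp_header(packet: bytes) -> Tuple[int, int]:
    """Return (spi, sequence_number) from the fixed 8-byte ESP header."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("packet too short for an ESP header")
    return ESP_HEADER.unpack_from(packet)


class AntiReplayWindow:
    """Per-SA sliding window: accept each sequence number at most once, drop stale ones.

    `highest` is the largest sequence number accepted so far; bit i of `seen` is set
    when sequence number (highest - i) has already been accepted.
    """

    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.mask = (1 << size) - 1
        self.highest = 0
        self.seen = 0

    def check_and_update(self, seq: int) -> bool:
        """True if seq is fresh (and record it); False for replays and too-old packets."""
        if seq == 0:
            return False  # never transmitted when anti-replay is enabled
        if seq > self.highest:  # right of the window: slide it forward
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & self.mask if shift < self.size else 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False  # left of the window: too old to be judged, drop it
        if self.seen & (1 << offset):
            return False  # already accepted once: this is a replay
        self.seen |= 1 << offset  # inside the window and new: accept
        return True


def filter_packets(packets: List[bytes], window_size: int = 64) -> Dict[str, List[int]]:
    """Run packets through one window per SPI; return accepted and dropped sequence numbers."""
    windows: Dict[int, AntiReplayWindow] = {}
    result: Dict[str, List[int]] = {"accepted": [], "dropped": []}
    for packet in packets:
        spi, seq = parse_esp_header(packet)
        window = windows.setdefault(spi, AntiReplayWindow(window_size))
        result["accepted" if window.check_and_update(seq) else "dropped"].append(seq)
    return result


def demo() -> Dict[str, List[int]]:
    """Constructed stream: mild reordering (5 before 4), a replay of 3, a jump to 200,
    then 136 (already fallen off the 64-wide window) and 137/150 (still inside it)."""
    spi = 0x1000  # constructed SPI
    sequence_numbers = [1, 2, 3, 5, 4, 3, 200, 136, 137, 150]
    packets = [ESP_HEADER.pack(spi, s) + bytes(16) for s in sequence_numbers]
    return filter_packets(packets)


if __name__ == "__main__":
    print(demo())
```

A packet is dropped either because it was already accepted once (a replay) or because it is older than the window can remember; the second case is why a window that is too small for the amount of reordering on the path causes legitimate packets to be discarded.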

Critical Success Factors for Continually Monitoring, Evaluating and Assessing Management of Enterprise IT

Critical success factors (CSFs) include:

- Identifying and engaging with key stakeholders (Who).
- Planning and communicating the in-scope processes (What).
- Determining assessment frequency and time to execute (When).
- Employing a risk-based assessment approach with proper prioritization (How).
- Continually tracking, reviewing and reporting performance to management.

Documentation of a business case for an IT development project should be retained until the end of the resulting system's life cycle:

A business case can and should be used throughout the life cycle of the product. It serves as an anchor for new (management) personnel, helps to maintain focus and provides valuable information on estimates vs. actuals.
Questions like "why do we do that", "what was the original intent" and "how did we perform against the plan" can be answered, and lessons for developing future business cases can be learned.
During the development phase of a project one should always validate the business case, as it is a good management instrument. After finishing a project and entering production, the business case and all the completed research are valuable sources of information that should be kept for further reference.

Electronic Data Interchange (EDI)

In EDI, controls must be able to identify and follow up on errors more quickly than in paper-based processing, because the electronic flow leaves reduced opportunities for review and authorization.

Foremost among the risks associated with EDI is improper transaction authorization. Since the interaction between the parties is electronic, there is no inherent authentication of the parties or of the transactions; it has to be provided by the controls built around the exchange.


Tasks of the Different Teams

User management assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in system requirements definition, acceptance testing and user training. User management should review and approve system deliverables as they are defined and accomplished or implemented.

A project steering committee provides overall direction, ensures appropriate representation of the major stakeholders in the project's outcome, reviews project progress regularly and holds emergency meetings when required. A project steering committee is ultimately responsible for all deliverables, project costs and schedules.

Senior management demonstrates commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those who are needed to complete the project.

Quality assurance staff review results and deliverables within each phase, and at the end of each phase confirm compliance with requirements. The timing of reviews depends on the system development life cycle methodology used, the structure and magnitude of the system, and the impact of potential deviations.

Software Escrow

A software escrow is a service that helps protect all parties involved in a software license by having a neutral third-party escrow agent hold source code, data, and documentation until a mutually agreed-upon event occurs.

Source code escrow is the deposit of the source code of software with a third-party escrow agent. Escrow is typically requested by a party licensing software (the licensee), to ensure maintenance of the software instead of abandonment or orphaning.

Escrow meaning: a bond, deed, or other document kept in the custody of a third party and taking effect only when a specified condition has been fulfilled.

Tuesday, December 5, 2017

Classification of Information Assets

(1) In any given scenario, the logical steps for data classification are:
- First step: take an inventory of the information assets.
- Second step: establish ownership.
- Third step: classify the IS resources.
- Fourth step: label the IS resources.
- Fifth step: create the access control lists.
(2) In any given scenario, the data owner/system owner is ultimately responsible for defining the access rules.
(3) In any given scenario, accountability for the maintenance of proper security controls over information assets resides with the data owner/system owner.
(4) In any given scenario, the greatest benefit of a well-defined data classification policy is a decreased cost of control: controls are matched to the value and sensitivity of the data instead of being applied uniformly to everything.
(5) In any given scenario, the most important objectives of data protection are to (i) ensure the integrity/confidentiality of data and (ii) establish appropriate access control guidelines.
(6) Data classification must take into account the following requirements:
- Legal/Regulatory/Contractual
- Confidentiality
- Integrity
- Availability

The following table summarizes the above provisions:

Elements of Public Key Infrastructure (PKI)

(1) In any given scenario, the certification authority (CA) is solely responsible for issuing digital certificates and managing them throughout their life cycle (including revocation).
(2) In any given scenario, the registration authority (RA) is responsible for identifying and authenticating subscribers, but it does not sign or issue certificates.
(3) In any given scenario, a digital certificate is composed of a public key and information about the owner of that public key, signed by the CA.
(4) In any given scenario, the time gap between updates of the CRL (certificate revocation list) is critical and poses a risk in certificate verification: a certificate revoked after the last CRL was published is still accepted by relying parties until the next CRL is issued. OCSP narrows this window by answering revocation queries on demand.

IDS

(1) In any given scenario, of the three IDS types ((i) signature based, (ii) statistical/anomaly based and (iii) neural network based), the neural network IDS creates its own database of normal behaviour by learning from the traffic it monitors.
(2) Of the three IDS types, the neural network based IDS is the most effective in detecting fraud.
(3) In any given scenario, of the three IDS types, the statistical based IDS generates the most false positives (false alarms), because any deviation from the statistical baseline is flagged whether or not it is malicious.
(4) In any given scenario, of the four components of an IDS ((i) sensor, (ii) analyzer, (iii) admin console and (iv) user interface), the sensor collects the data and sends it to the analyzer for analysis.
(5) In any given scenario, the most important concern in an IDS implementation is attacks that the IDS does not identify/detect (false negatives).

Biometrics

(1) The three main accuracy measures used for a biometric solution are:
(i) False-Acceptance Rate (FAR), i.e. the rate at which access is given to an unauthorised person.
(ii) False-Rejection Rate (FRR), i.e. the rate at which access is refused to an authorised person.
(iii) Crossover Error Rate (CER) or Equal-Error Rate (EER), i.e. the rate at which FAR equals FRR.
(2) FAR and FRR trade off against each other, because both depend on the matching threshold. Tightening the threshold lowers FAR but raises FRR; loosening it lowers FRR but raises FAR. The adjustment point where both errors are equal is the crossover error rate or equal-error rate.
(3) In any given scenario, the most important performance indicator for a biometric system is the false-acceptance rate (FAR), since a false acceptance lets an unauthorised person in.
(4) In any given scenario, the most important overall quantitative performance indicator for a biometric system is the CER or EER, because it summarises accuracy in a single number independent of the threshold chosen.
(5) In any given scenario, 'Retina Scan' has the highest reliability and the lowest false-acceptance rate (FAR) among the current biometric methods.
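To make the FAR/FRR trade-off and the crossover point concrete, here is an added example, not from the original notes: FAR and FRR computed at every threshold over two constructed lists of matcher scores, the threshold where the two curves cross (the CER/EER), and the FRR that results when the threshold is tightened until FAR is zero. The scores are invented for the illustration and do not describe any real biometric device.

```python
# Added example (not from the original notes): computing FAR, FRR and the crossover
# (equal-error) rate from matcher scores. Both score lists are constructed; scores are
# similarity values on a 0-100 scale and a score >= threshold counts as a match.
from __future__ import annotations

from typing import Dict, List, Tuple

# Constructed sample: scores the matcher gave to 16 genuine users and 16 impostors.
GENUINE_SCORES: List[int] = [55, 62, 68, 71, 74, 77, 79, 81, 84, 86, 88, 90, 92, 95, 97, 99]
IMPOSTOR_SCORES: List[int] = [20, 28, 33, 39, 42, 46, 50, 53, 57, 60, 64, 67, 70, 73, 76, 80]


def error_rates(genuine: List[int], impostor: List[int], threshold: int) -> Tuple[float, float]:
    """Return (FAR, FRR) for one threshold.

    FAR: share of impostors accepted (score at or above the threshold).
    FRR: share of genuine users rejected (score below the threshold).
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def equal_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Sweep all thresholds; return (threshold, EER) where FAR and FRR are closest."""
    best_gap, best_threshold, best_eer = None, 0, 0.0
    for threshold in range(0, 101):
        far, frr = error_rates(genuine, impostor, threshold)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best_threshold, best_eer = gap, threshold, (far + frr) / 2
    return best_threshold, best_eer


def strictest_operating_point(
    genuine: List[int], impostor: List[int], max_far: float
) -> Tuple[int, float, float]:
    """Lowest threshold whose FAR does not exceed max_far, with the FRR it costs.

    This is the trade-off in (2) above: pushing FAR down drives FRR up.
    """
    for threshold in range(0, 101):
        far, frr = error_rates(genuine, impostor, threshold)
        if far <= max_far:
            return threshold, far, frr
    raise ValueError("no threshold in range meets the FAR target")


def demo() -> Dict[str, float]:
    threshold, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    strict_t, _, strict_frr = strictest_operating_point(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0)
    return {
        "eer_threshold": threshold,
        "eer": eer,
        "zero_far_threshold": strict_t,
        "frr_at_zero_far": strict_frr,
    }


if __name__ == "__main__":
    for threshold in range(50, 100, 5):  # print the two curves so the crossover is visible
        far, frr = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, threshold)
        print(f"threshold {threshold:3d}: FAR {far:.3f}  FRR {frr:.3f}")
    print(demo())
```

On the constructed data the curves cross at a threshold of 71 with an EER of 18.75%, and driving FAR to zero (threshold 81) rejects 43.75% of genuine users, which is why the EER, not FAR alone, is the single-number quality indicator in (4) above.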

Asymmetric Encryption

When the objective is to ensure confidentiality, the message has to be encrypted using the receiver's public key (only the receiver's private key can decrypt it).

When the objective is to ensure authentication, a hash of the message has to be created and the hash encrypted (signed) using the sender's private key. Note that a hash is also known as a message digest.

When the objective is to ensure integrity, the same treatment applies: a hash of the message is created and signed with the sender's private key, so any change to the message produces a hash that no longer matches the signed one.

When the objective is to ensure confidentiality and authentication, the following treatment is required:

- Hash of the message to be encrypted (signed) using the sender's private key (to ensure authentication/non-repudiation).
- Message to be encrypted using the receiver's public key (to ensure confidentiality).

In any given scenario, when the objective is to ensure confidentiality, authentication and integrity, the following treatment is required:
- Message to be encrypted using the receiver's public key (to ensure confidentiality).
- Hash of the message to be encrypted (signed) using the sender's private key (to ensure authentication/non-repudiation and integrity).
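The 'confidentiality & authentication & integrity' treatment above, as an added example that is not part of the original notes: textbook RSA written from scratch (random primes via Miller-Rabin, public exponent 65537), with a SHA-256 digest signed by the sender's private key and the message encrypted to the receiver's public key. The 512-bit modulus, the 0x01 prefix byte and the sample message are choices made for this illustration; raw RSA without OAEP/PSS padding is not secure and is used here only to make the key roles visible, which is what the notes are about.

```python
# Added example (not from the original notes): the sign-and-encrypt treatment above,
# carried out with textbook RSA written from scratch. Toy 512-bit moduli and unpadded
# RSA keep it self-contained; real systems use RSA-2048+ with OAEP/PSS padding (or
# hybrid encryption) from a vetted library, never raw RSA like this.
from __future__ import annotations

import hashlib
import secrets
from typing import Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness of compositeness found
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full bit length
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(modulus_bits: int = 512) -> Tuple[PublicKey, PrivateKey]:
    e = 65537
    while True:
        p, q = _random_prime(modulus_bits // 2), _random_prime(modulus_bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def encrypt(pub: PublicKey, message: bytes) -> int:
    """Confidentiality: only the holder of the matching private key can decrypt."""
    n, e = pub
    m = int.from_bytes(b"\x01" + message, "big")  # 0x01 prefix keeps leading zero bytes
    if m >= n:
        raise ValueError("message too long for textbook RSA with this modulus")
    return pow(m, e, n)


def decrypt(priv: PrivateKey, ciphertext: int) -> bytes:
    n, d = priv
    m = pow(ciphertext, d, n)
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    if not raw or raw[0] != 0x01:
        raise ValueError("decryption produced garbage (tampered ciphertext or wrong key)")
    return raw[1:]


def sign(priv: PrivateKey, message: bytes) -> int:
    """Authentication and integrity: the SHA-256 digest 'encrypted' with the sender's private key."""
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    n, e = pub
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")


def send(message: bytes, sender_priv: PrivateKey, receiver_pub: PublicKey) -> Tuple[int, int]:
    """Sender side: encrypt for the receiver, sign the hash with the sender's own private key."""
    return encrypt(receiver_pub, message), sign(sender_priv, message)


def receive(ciphertext: int, signature: int, receiver_priv: PrivateKey, sender_pub: PublicKey) -> bytes:
    """Receiver side: decrypt with own private key, then check the sender's signature."""
    message = decrypt(receiver_priv, ciphertext)
    if not verify(sender_pub, message, signature):
        raise ValueError("signature mismatch: message altered or not from the claimed sender")
    return message


def demo() -> Tuple[bool, bool]:
    """Return (round trip ok, tampering detected) for a constructed sample message."""
    sender_pub, sender_priv = generate_keypair()
    receiver_pub, receiver_priv = generate_keypair()
    message = b"Pay 500 to account 42"  # constructed sample
    ciphertext, signature = send(message, sender_priv, receiver_pub)
    round_trip_ok = receive(ciphertext, signature, receiver_priv, sender_pub) == message
    try:  # flip one ciphertext bit: decryption yields garbage and the signature check fails
        receive(ciphertext ^ 1, signature, receiver_priv, sender_pub)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return round_trip_ok, tamper_detected
```

Flipping one bit of the ciphertext makes the receiver's signature check fail, which is the integrity property; a signature that verifies under the sender's public key shows the message came from the holder of the sender's private key, which is authentication (and the basis for non-repudiation).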


OSI Layer

A CISA aspirant should know the OSI layer at which the devices below operate.

Hub – Physical Layer (1st Layer)
Switch – Data Link Layer (2nd Layer)
Bridge – Data Link Layer (2nd Layer)
Router – Network Layer (3rd Layer)
Gateway – Application Layer (7th Layer)

It must be noted that the higher the layer, the more intelligent the device, because it can inspect and act on more of the packet. Of the above, the Hub (layer 1) is the least intelligent device and the Gateway (layer 7) the most intelligent.

Monday, December 4, 2017

In a risk-based audit approach, the auditor identifies risk to the organization based on the nature of the business. In order to plan an annual audit cycle, the types of risk must be ranked. To rank the types of risk, the auditor must first define the audit universe by considering the IT strategic plan, organizational structure and authorization matrix.

Notes from Domain01

The audit committee is a subgroup of the board of directors. The audit department should report to the audit committee and the audit charter should be approved by the committee.


Continuous auditing is the most appropriate technique for a retail business with a large volume of transactions, because it addresses emerging risk proactively.
The implementation of continuous auditing enables a real-time feed of information to management through automated reporting processes to achieve quicker implementation of corrective actions by management.

Using software tools such as CAATs to analyze transaction data can provide detailed analysis of trends and potential risk, but it is not as effective as continuous auditing, because there may be a time differential between executing the software and analyzing the results.

Control self-assessment helps process owners assess the control environment and educates them on control design and monitoring.

The sampling of transaction logs is a valid audit technique; however, risk may exist that is not captured in the transaction log and there may be a potential time lag in the analysis.

Primary benefit of CSA Techniques

Control self-assessment is predicated on the review of high-risk areas that either need immediate attention or a more thorough review at a later date.

Sunday, December 3, 2017

Encapsulation

Encapsulation is a property of objects that prevents access to any properties or methods not explicitly declared public. This means the implementation of an object's behaviour is not accessible from outside. An object defines a communication interface with the exterior, and only what belongs to that interface can be accessed.

Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data?
A. Inheritance
B. Dynamic warehousing
C. Encapsulation
D. Polymorphism


Risk

The risk that an error exists that could be material or significant when combined with other errors encountered during the audit, there being no related compensating controls, is the inherent risk.

Control risk is the risk that a material error exists that will not be prevented or detected on a timely basis by the system of internal controls.   

Detection risk is the risk when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist, when they do.   

Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken.

Saturday, December 2, 2017

Deadman Doors

A deadman door (also called a mantrap) is a pair of doors of which only one can be open at a time, so only one person can pass through at a time. It reduces the risk of piggybacking, where an unauthorized person follows an authorized person into a restricted area, and so helps keep confidential areas secure. It falls under safety and access control systems.

This topic is part of Physical Access Control.

Friday, December 1, 2017

Physical Network Media

1) In any given situation, fiber-optic cables have proven to be more secure than the other media: they are difficult to tap without detection, have very low transmission loss, are not affected by EMI and are the preferred choice for high volumes and long-distance transmission.

2)When CISA question is about transmission error that can occur in wired as well as wireless communication, our answer should be attenuation.

3)It is essential to understand the difference between diverse routing and alternate routing. The method of routing traffic through split-cable facilities or duplicate-cable facilities is called diverse routing. Whereas the method of routing information via an alternative medium, such as copper cable or fiber optics is called alternate routing.

4)Also, CISA aspirant should be able to differentiate between last mile and long haul. Last mile provide redundancy for local loop whereas long haul provide redundancy for long distance availability.

Recovery Site

#In any given scenario, mirrored site is fastest mode of recovery and then hot site.

#In any given scenario, cold site is slowest mode of recovery.

#In any given scenario, for critical system, mirrored/hot sites are appropriate option.

#In any given scenario, for non-critical system, cold site is appropriate option.

#In any given scenario, reciprocal agreement will have lowest expenditure in terms of recovery arrangement.

Key Points of RTO & RPO

Recovery Time Objective (RTO) and Recovery Point Objective (RPO)

(1) An RTO of 2 hours indicates that the organization needs to ensure that its system downtime does not exceed 2 hours.

(2) An RPO of 2 hours indicates that the organization needs to ensure that its data loss does not exceed 2 hours' worth of captured data.

(3) In any given scenario, for critical systems, RTO is zero or near zero. Similarly, for critical data, RPO is zero or near zero.

(4) In any given scenario, the lower the RTO/RPO, the higher the cost of maintaining the recovery environment.

(5) In any given scenario, a low RTO/RPO indicates that disaster tolerance is low. Conversely, if disaster tolerance is low, RTO/RPO should be low.

(6) In any given scenario, when RTO is low, a mirrored site or hot site is recommended.

(7) In any given scenario, when RPO is low, mirror imaging or real-time replication for data backup is recommended.

(8) In any given scenario, where RPO is zero, a synchronous data replication strategy must be used (each write is confirmed at the secondary site before it is acknowledged, so no committed data can be lost).

(9) Both RTO and RPO are time parameters. The lower the time requirements, the higher the cost of the recovery strategies.

Wednesday, November 29, 2017

Testing


White box testing
White box testing assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's logic paths. Verifying the program can operate successfully with other parts of the system is sociability testing.

Black Box Testing
Testing the program's functionality without knowledge of internal structures is black box testing.

Sandbox testing
Controlled testing of programs in a semi-debugged environment, either heavily controlled step by step or via monitoring in virtual machines, is sandbox testing.

Double-blind testing
Double-blind testing is also known as zero-knowledge testing. This refers to a test where the penetration tester is not given any information and the target organization is not given any warning—both parties are "blind" to the test. This is the best scenario for testing response capability because the target will react as if the attack were real.

Blind testing
Blind testing is also known as black-box testing. This refers to a test where the penetration tester is not given any information and is forced to rely on publicly available information. This test simulates a real attack, except that the target organization is aware of the test being conducted.

Targeted testing
Targeted testing is also known as white-box testing. This refers to a test where the penetration tester is provided with information and the target organization is also aware of the testing activities. In some cases, the tester is also provided with a limited-privilege account to be used as a starting point.

External testing
External testing refers to a test where the penetration tester launches attacks on the target's network perimeter from outside the target network (typically from the Internet).

Shadow file processing

In shadow file processing, exact duplicates of the files are maintained at the same site or at a remote site. The two files are processed concurrently. This is used for critical data files, such as airline booking systems.

Commits and rollbacks

Database commits ensure the data are saved to disk once the transaction processing is complete. Rollback ensures that processing already performed within the transaction is reversed, so that partially processed data are not saved to disk if the transaction cannot be completed.

Commitment and rollback controls are directly relevant to integrity. These controls ensure that database operations that form a logical transaction unit will complete in their entirety or not at all; i.e., if, for some reason, a transaction cannot be fully completed, then incomplete inserts/updates/deletes are rolled back so that the database returns to its pre-transaction state.
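An added example of commit and rollback behaviour, not from the original notes, using Python's built-in sqlite3 module on a constructed two-account table: a transfer credits one account and debits the other inside a single transaction, and a CHECK constraint on the balance stands in for any failure part-way through the logical unit of work.

```python
# Added example (not from the original notes): commit vs. rollback with Python's
# built-in sqlite3 module on a constructed two-account table. The transfer is one
# logical transaction unit; the CHECK constraint plays the role of a mid-way failure.
import sqlite3
from typing import Dict, Tuple


def open_demo_db() -> sqlite3.Connection:
    """In-memory database with two constructed accounts; balances may not go negative."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, "
        "balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [(1, 100), (2, 50)])
    conn.commit()
    return conn


def transfer(conn: sqlite3.Connection, src: int, dst: int, amount: int) -> bool:
    """Credit dst and debit src as one unit: both are saved (commit) or neither (rollback)."""
    try:
        with conn:  # the connection context manager commits on success, rolls back on exception
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
            # If this debit violates the CHECK constraint, the credit above is undone as well.
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False  # transaction rolled back; the database is in its pre-transaction state


def balances(conn: sqlite3.Connection) -> Dict[int, int]:
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def demo() -> Tuple[bool, bool, Dict[int, int]]:
    conn = open_demo_db()
    first = transfer(conn, 1, 2, 30)    # fits: 70 / 80 are committed
    second = transfer(conn, 1, 2, 500)  # debit would make account 1 negative: rolled back
    return first, second, balances(conn)


if __name__ == "__main__":
    print(demo())
```

Because the credit has already executed when the debit fails, account 2 would show 580 if the two statements were committed separately; the rollback leaves it at 80, the pre-transaction state the notes describe.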