Tuesday, March 20, 2018

Domain 3: Quick Review

The title for Domain 3 is Information Systems Acquisition, Development and Implementation.
There are 14 areas that you need to understand for Domain 3.

1) Business realization
  • Know the difference between portfolio management and program management
  • Know the seven steps of benefit realization or benefits management (a question might refer to either)
2) Project Management Structure
  • Know the three major forms of organizational alignment
  • Know three different ways to communicate during project initiation
  • Project objectives are aligned with what? Business objectives, of course
  • Know the roles and responsibilities of the project steering committee, project sponsor, and quality assurance
3) Project Management Practices
  • Know the three elements of a project and the effect of increasing or decreasing one of them
  • Of the nine ways of project planning, concentrate on LOSC, FPA, CPM, GANTT, PERT and TBM
4) Business Application Development
  • What is the major risk of any software development project? The final outcome does not meet all requirements.
  • Understand the eight phases of the traditional SDLC approach
  • In which phase does testing start
  • In which phase does security start (control specs)
  • In which phase does UAT occur
  • What should be in an RFP
  • What is software baselining and when does it occur
  • What is the auditor’s focus in the SDLC
  • What’s an IDE
  • Know the difference between Unit Testing, Interface/Integration Testing, System Testing and Final Acceptance Testing
  • When is it the most, or least, expensive time to make changes (which phase for each condition)
  • What’s a structured walkthrough test, white box test, black box test, blue team, red team, yellow box testing and regression testing
  • In which phase does data conversion occur
  • Know the different types of cutover
5) Business Application Systems
  • Be able to define authentication and nonrepudiation
  • Know the difference between an RA and a CA
  • If you are your own CA, who does the CRL and what is the biggest issue?
  • In EDI, what does the comm handler do? What does the application interface do?
  • What is the biggest risk in EDI?
  • How do we get positive assurance in an EDI transaction world?
  • What is a digital signature when speaking of eMail?
  • What’s the objective of EMM and how do you audit eCash?
  • Don’t forget: Neural networks are —
6) Alternative Forms of Software Project Organization
  • What is SCRUM
  • Know the difference between Incremental and Iterative development
  • Know the variants (Evolutionary, Spiral, Agile)
  • Speaking of which, what is AGILE DEV?
  • What is prototyping
  • What is RAD and JAD
7) Alternative Development Methods
  • What’s the major advantage of OOSD
  • What’s the advantage of component-based development
  • What’s the difference between reengineering and reverse engineering
8) Infrastructure Development/Acquisition Practices
  • What are the phases of physical architecture analysis and what happens during the functional requirement phase
  • What are the phases of “Planning the Implementation of Infrastructure”? Know the details of each of the four phases.
  • Understand why change control procedures are critical in the acquisition process.
9) Information Systems Maintenance Practices
  • Why is change management important?
  • How should emergency changes be handled?
  • How do you audit for unauthorized changes?
10) System Development Tools and Productivity Aids
  • Care should be taken when using fourth-generation languages, since some of them lack the lower-level detail commands necessary to perform some of the more intense data operations.
11) Process Improvement Practices
  • Document the current existing baseline processes
  • The major concern of BPR is that key controls may be reengineered out of a process.
  • What does ISO 9126 define?
  • Why was CMM by SEI developed?
  • Need SPICE?
12) Application Controls
  • What are the objectives of Application Controls?
  • Batch header forms are what type of control? Who uses batch anyway?
  • There are two charts in this section. The first one is on Data Validation Edits and Controls and the second is on Data File Controls. You need to memorize both.
13) Auditing Application Controls
  • There’s a chart on testing application systems in the review manual which enumerates several different techniques – memorize this chart
  • Know the difference between atomicity and consistency.
  • There are five types of automated evaluation techniques applicable to continuous online auditing. These you’ll need to know, particularly: SCARF, ITF, CIS, snapshots and audit hooks.
14) Auditing Systems Development, Acquisition and Maintenance
  • What do you do if the development group is fast-tracking IV&V? Let the project steering committee know what the risks are, of course.

Tuesday, March 13, 2018

Stateful vs Stateless

A firewall can be described as being either Stateful or Stateless.

STATELESS Firewalls

Stateless firewalls watch network traffic and restrict or block packets based on source and destination addresses or other static values. They’re not ‘aware’ of traffic patterns or data flows. A stateless firewall uses simple rule-sets that do not account for the possibility that a packet might be received by the firewall ‘pretending’ to be something you asked for.

A stateless firewall filter, also known as an access control list (ACL), does not statefully inspect traffic. Instead, it evaluates packet contents statically and does not keep track of the state of network connections.

Purpose of Stateless Firewall Filters

The basic purpose of a stateless firewall filter is to enhance security through the use of packet filtering. Packet filtering enables you to inspect the components of incoming or outgoing packets and then perform the actions you specify on packets that match the criteria you specify. The typical use of a stateless firewall filter is to protect the Routing Engine processes and resources from malicious or untrusted packets.

STATEFUL Firewalls

Stateful firewalls can watch traffic streams from end to end. They are aware of communication paths and can implement various IP Security (IPsec) functions such as tunnels and encryption. In technical terms, this means that stateful firewalls can tell what stage a TCP connection is in (open, open sent, synchronized, synchronization acknowledge or established). They can tell if the MTU has changed, whether packets have fragmented, and so on.

Neither is really superior and there are good arguments for both types of firewalls. Stateless firewalls are typically faster and perform better under heavier traffic loads. Stateful firewalls are better at identifying unauthorized and forged communications.
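To make the difference concrete, here is a small added example written for this post (it is not taken from any firewall product or vendor documentation). It runs a stateless ACL filter and a stateful connection-tracking filter over the same three constructed packets: an outbound SYN from an inside client, the web server's genuine SYN/ACK reply, and an unsolicited inbound packet that merely sets source port 80 to look like a reply. The addresses, ports and the two-rule ACL are assumptions for the demonstration.

```go
package main

import "fmt"

// Packet holds the header fields the two filters inspect. Every packet below
// is constructed for the example; nothing is captured from a real network.
type Packet struct {
	SrcIP, DstIP     string
	SrcPort, DstPort int
	Inbound          bool // arriving from the untrusted side
	SYN, ACK         bool // TCP flags
}

// ---- Stateless filter: a static access control list, one packet at a time ----

// Rule matches on direction and source port only; SrcPort 0 means "any port".
type Rule struct {
	Inbound bool
	SrcPort int
	Allow   bool
}

// StatelessAllow returns the first matching rule's verdict. It keeps no memory
// of earlier packets, so anything that fits the static match gets through.
func StatelessAllow(rules []Rule, p Packet) bool {
	for _, r := range rules {
		if r.Inbound == p.Inbound && (r.SrcPort == 0 || r.SrcPort == p.SrcPort) {
			return r.Allow
		}
	}
	return false // implicit deny
}

// ---- Stateful filter: admits inbound packets only for flows an inside host opened ----

type flowKey struct {
	InsideIP, OutsideIP     string
	InsidePort, OutsidePort int
}

type Stateful struct {
	flows map[flowKey]string // connection stage: "SYN_SENT" or "ESTABLISHED"
}

func NewStateful() *Stateful { return &Stateful{flows: map[flowKey]string{}} }

// Allow records outbound SYNs as new flows, advances a flow to ESTABLISHED when
// its SYN/ACK comes back, and drops any inbound packet that matches no known flow.
func (s *Stateful) Allow(p Packet) bool {
	if !p.Inbound {
		if p.SYN && !p.ACK {
			s.flows[flowKey{p.SrcIP, p.DstIP, p.SrcPort, p.DstPort}] = "SYN_SENT"
		}
		return true // this example policy permits all outbound traffic
	}
	k := flowKey{p.DstIP, p.SrcIP, p.DstPort, p.SrcPort}
	stage, known := s.flows[k]
	if !known {
		return false
	}
	if stage == "SYN_SENT" && p.SYN && p.ACK {
		s.flows[k] = "ESTABLISHED"
	}
	return true
}

// Verdicts records how each filter treats the genuine reply and the spoofed one.
type Verdicts struct {
	ReplyStateless, ReplyStateful     bool // expected: true, true
	SpoofedStateless, SpoofedStateful bool // expected: true, false
}

// FirewallDemo runs both filters over the same three packets.
func FirewallDemo() Verdicts {
	// The ACL an inside network needs so clients can browse: let replies from web servers in.
	acl := []Rule{{Inbound: true, SrcPort: 80, Allow: true}, {Inbound: false, Allow: true}}
	sf := NewStateful()

	// 1. An inside client opens a connection to a web server (assumed addresses).
	syn := Packet{SrcIP: "10.0.0.5", DstIP: "203.0.113.10", SrcPort: 51000, DstPort: 80, SYN: true}
	// 2. The web server's SYN/ACK: a legitimate reply to that request.
	reply := Packet{SrcIP: "203.0.113.10", DstIP: "10.0.0.5", SrcPort: 80, DstPort: 51000, Inbound: true, SYN: true, ACK: true}
	// 3. An unsolicited inbound packet "pretending" to be a reply by using source port 80.
	spoofed := Packet{SrcIP: "198.51.100.7", DstIP: "10.0.0.5", SrcPort: 80, DstPort: 22, Inbound: true, SYN: true}

	StatelessAllow(acl, syn)
	sf.Allow(syn)
	return Verdicts{
		ReplyStateless:   StatelessAllow(acl, reply),
		ReplyStateful:    sf.Allow(reply),
		SpoofedStateless: StatelessAllow(acl, spoofed),
		SpoofedStateful:  sf.Allow(spoofed),
	}
}

func main() {
	fmt.Printf("%+v\n", FirewallDemo())
}
```

Both filters pass the genuine reply, but only the stateful one drops the spoofed packet: the ACL has to permit "anything from source port 80" to let browsing work at all, while the connection table knows no inside host ever talked to that source. That extra lookup per packet is also why the stateless filter is the faster of the two.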

True False

1. An integrated test facility is not considered a useful audit tool because it cannot compare processing output with independently calculated data. True or false?

2. Squid is an example of a caching proxy, not a security proxy. It has the main purpose of locally storing copies of web pages that are popular, with the benefit of saving bandwidth.

3. Fourth-Generation Languages (4GLs) are most appropriate for designing the application’s graphical user interface (GUI). They are inappropriate for designing any intensive data-calculation procedures. True or false?

4. An off-site processing facility should be easily identifiable externally because easy identification helps ensure smoother recovery. True or false?

5. Data diddling involves modifying data before or during systems data entry.



1. False. An integrated test facility is considered a useful audit tool because it compares processing output with independently calculated data.
2. True
3. True
4. False. An off-site processing facility should not be easily identifiable externally because easy identification would create an additional vulnerability for sabotage.
5. True

Tuesday, March 6, 2018

Domain-5 Questions Set02

20. Which of the following techniques is most relevant to test the wireless (Wi-Fi) security of an organization?
A. WPA-2
B. War dialling
C. War driving
D. Social Engineering

21. Which of the following should be a concern to an IS auditor reviewing a wireless network?
A. System hardening of all wireless clients.
B. SSID (service set identifier) broadcasting has been enabled.
C. WPA-2 (Wi-Fi Protected Access Protocol) encryption is enabled.
D. DHCP (Dynamic Host Configuration Protocol) is disabled at all wireless access points.

22. Dynamic Host Configuration Protocol (DHCP) is disabled at all wireless access points. Which of the following statements is true when DHCP is disabled for wireless networks?
A. It increases the risk of unauthorized access to the network.
B. It decreases the risk of unauthorized access to the network.
C. It automatically provides an IP address to anyone.
D. It disables the SSID (Service Set Identifier).

23. The best method to ensure confidentiality of the data transmitted in a wireless LAN is to:
A. restrict access to predefined MAC addresses.
B. protect the session by encrypting with the use of static keys.
C. protect the session by encrypting with the use of dynamic keys.
D. initiate the session by an encrypted device.

24. Use of wireless infrastructure for mobile devices within the organization increases the risk of which of the following attacks?
A. Port scanning
B. Social Engineering
C. Piggybacking
D. War driving

25. Against a man-in-the-middle attack, which of the following encryption techniques will BEST protect a wireless network?
A. Wired equivalent privacy (WEP)
B. MAC-based pre-shared key (PSK)
C. Randomly generated pre-shared key (PSK)
D. Service set identifier (SSID)

26. The most robust configuration in a firewall rule base is:
A. Allow all traffic and deny the specified traffic
B. Deny all traffic and allow the specified traffic
C. Dynamically decide based on traffic
D. Control traffic on the basis of the discretion of the network administrator.

27.
A. Network layer
B. Application layer
C. Transport layer
D. Session layer

28. Which of the following would be the MOST secure firewall system implementation?
A. Screened-host firewall
B. Screened-subnet firewall
C. Dual-homed firewall
D. Stateful-inspection firewall

29. Which of the following types of firewalls provides the MOST secure environment?
A. Stateful Inspection
B. Packet filter
C. Application gateway
D. Circuit gateway

30. An organization wants to protect a network from Internet attack. Which of the following firewall structures would BEST ensure the protection?
A. Screened subnet firewall
B. Screened host firewall
C. Packet filtering router
D. Circuit-level gateway

31. The firewall that allows traffic from outside only if it is in response to traffic from internal hosts is:
A. Application level gateway firewall
B. Stateful Inspection Firewall
C. Packet filtering Router
D. Circuit level gateway

32. An organization with the objective of preventing download of files through FTP (File Transfer Protocol) should configure which of the following firewall types?
A. Stateful Inspection
B. Application gateway
C. Packet filter
D. Circuit gateway

33. An organization wants to connect a critical server to the internet. Which of the following would provide the BEST protection against hacking?
A. Stateful Inspection
B. A remote access server
C. Application-level gateway
D. Port scanning

34. An IS auditor should be most concerned about which of the following while reviewing a firewall?
A. Properly defined security policy
B. Use of the latest firewall structure with the most secure algorithm.
C. The effectiveness of the firewall in enforcing the security policy.
D. Technical knowledge of users.

35. An IS auditor conducting an access control review in a client-server environment discovers that all printing options are accessible by all users. In this situation, the IS auditor is MOST likely to conclude that:
A. exposure is greater, since information is available to unauthorized users.
B. operating efficiency is enhanced, since anyone can print any report at any time.
C. operating procedures are more effective, since information is easily available.
D. user friendliness and flexibility is facilitated, since there is a smooth flow of information among users.

36. Security administration procedures require read-only access to:
A. access control tables.
B. security log files.
C. logging options.
D. user profiles.

37. Which of the following would MOST effectively reduce social engineering incidents?
A. Security awareness training
B. Increased physical security measures
C. E-mail monitoring policy
D. Intrusion detection systems

38. Disabling which of the following would make wireless local area networks more secure against unauthorized access?
A. MAC (Media Access Control) address filtering
B. WPA (Wi-Fi Protected Access Protocol)
C. LEAP (Lightweight Extensible Authentication Protocol)
D. SSID (service set identifier) broadcasting

39. During an audit of a telecommunications system, the IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is:
A. encryption.
B. callback modems.
C. message authentication.
D. dedicated leased lines.

40. To ensure compliance with a security policy requiring that passwords be a combination of letters and numbers, the IS auditor should recommend that:
A. the company policy be changed.
B. passwords be periodically changed.
C. an automated password management tool be used.
D. security awareness training be delivered.

Domain-5 Questions


1. A hash function will address which of the following concerns about an electronic message?
A. Message confidentiality
B. Message integrity
C. Message availability
D. Message compression

2. A digital signature will address which of the following concerns about an electronic message?
A. Authentication and integrity of data
B. Authentication and confidentiality of data
C. Confidentiality and integrity of data
D. Authentication and availability of data

A digital signature provides integrity, authentication and non-repudiation for an electronic message. It does not ensure message confidentiality or availability of data. A digital signature is created in two steps:
Step 1: Create a hash (message digest) of the message.
Step 2: Encrypt the hash (as derived above) with the private key of the sender.

3. A digital signature is created by the sender to prove message integrity by:
A. encrypting the message with the sender's private key. Upon receiving the data, the recipient can decrypt the data using the sender's public key.
B. encrypting the message with the recipient's public key. Upon receiving the data, the recipient can decrypt the data using the recipient's public key.
C. initially using a hashing algorithm to produce a hash value or message digest from the entire message contents. Upon receiving the data, the recipient can independently create it.
D. encrypting the message with the sender's public key. Upon receiving the data, the recipient can decrypt the data using the recipient's private key.

A digital signature is created in two steps:
Step 1: Create a hash (message digest) of the message.
Step 2: Encrypt the hash (as derived above) with the private key of the sender.

4. A digital signature addresses which of the following concerns about an electronic message?
A. Unauthorized archiving
B. Confidentiality
C. Unauthorized copying
D. Alteration

5. Which of the following is used to address the risk of a hash being compromised?
A. Digital signatures
B. Message encryption
C. Email password
D. Disabling SSID broadcast.

A digital signature is created by encrypting the hash of the message. The encrypted hash cannot be altered without knowing the public key of the sender.

6. A digital signature provides which of the following?
A. Non-repudiation, confidentiality and integrity
B. Integrity, privacy and non-repudiation
C. Integrity, authentication and non-repudiation
D. Confidentiality, privacy and non-repudiation

A digital signature provides integrity, authentication and non-repudiation for an electronic message. It does not ensure message confidentiality or availability of data.

7. The MAIN reason for using digital signatures is to ensure data:
A. privacy.
B. integrity.
C. availability.
D. confidentiality.

Digital signatures provide integrity because the hash of the message changes in case of any unauthorised change to the data (file, mail, document, etc.), thus ensuring data integrity.

8. Which of the following message services provides the strongest evidence that a specific action has occurred?
A. Proof of delivery
B. Non-repudiation
C. Proof of submission
D. Authorization

Non-repudiation is the assurance that someone cannot deny something. Non-repudiation services provide evidence that a specific action occurred. Typically, non-repudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated. Digital signatures are used to provide non-repudiation.

9. Which of the following ensures a sender's authenticity?
A. Encrypting the hash of the message with the sender's private key
B. Encrypting the message with the receiver's public key
C. Encrypting the hash of the message with the sender's public key
D. Encrypting the message with the receiver's private key

The sender encrypts the hash of the message using his private key. The receiver can decrypt it with the public key of the sender, ensuring the authenticity of the message. If the recipient is able to decrypt it successfully with the public key of the sender, this proves authentication, i.e. the message was in fact sent by the sender. It also ensures non-repudiation, i.e. the sender cannot repudiate having sent the message.

10. An organisation states that digital signatures are used when receiving communications from customers. This is done by:
A. A hash of the data that is transmitted and encrypted with the organisation’s private key
B. A hash of the data that is transmitted and encrypted with the customer's private key
C. A hash of the data that is transmitted and encrypted with the customer's public key
D. A hash of the data that is transmitted and encrypted with the organisation's public key

A digital signature is created in two steps:
Step 1: Create a hash (message digest) of the message.
Step 2: Encrypt the hash (as derived above) with the private key of the sender.
In the above scenario, the sender is the customer. Hence the hash is encrypted using the customer’s (sender’s) private key.

11. Digital signatures help to:
A. help detect spam.
B. provide confidentiality.
C. add to the workload of gateway servers.
D. decrease available bandwidth.

12. The basic difference between hashing and encryption is that hashing:
A. cannot be reversed.
B. can be reversed.
C. is concerned with integrity and security.
D. creates output of bigger length than the original message.

Hashing works one way. By applying a hashing algorithm to a message, a message hash/digest is created. If the same hashing algorithm is applied to the message digest, it will not result in the original message. As such, hashing is irreversible, while encryption is reversible. This is the basic difference between hashing and encryption.

13. An organization is sharing critical information with vendors through email. The organization can ensure that the recipients of the e-mails (i.e. the vendors) can authenticate the identity of the sender (i.e. the employees) by:
A. employees digitally signing their email messages.
B. employees encrypting their email messages.
C. employees compressing their email messages.
D. password protecting all e-mail messages.

By digitally signing all e-mail messages, the receiver will be able to validate the authenticity of the sender. Encrypting all e-mail messages would not ensure the authenticity of the sender.

14. A digital signature ensures that the sender cannot later deny generating and sending the message. This is known as:
A. integrity.
B. authentication.
C. nonrepudiation.
D. security.

15. In an e-commerce application, which of the following should be relied on to prove that the transactions were actually made?
A. Proof of delivery
B. Authentication
C. Encryption
D. Non-repudiation

16. Mr. A has sent a message, along with the hash of the message encrypted by A’s private key, to Mr. B. This will ensure:
A. authenticity and integrity.
B. authenticity and confidentiality.
C. integrity and privacy.
D. privacy and nonrepudiation.

Explanation: In the above case, the message is not encrypted (only the hash is encrypted) and hence it will not ensure privacy or confidentiality. Encryption of the hash will ensure authenticity and integrity.

17. Digital signatures require the:
A. signer to have a public key of the sender and the receiver to have a private key of the sender.
B. signer to have a private key of the sender and the receiver to have a public key of the sender.
C. signer and receiver to have a public key.
D. signer and receiver to have a private key.

18. A digital signature contains a hash value (message digest) to:
A. ensure message integrity.
B. define the encryption algorithm.
C. confirm the identity of the originator.
D. compress the message.

The message digest is calculated and included in a digital signature to prove that the message has not been altered. It should be the same value as a recalculation performed upon receipt. Hence it helps to ensure message integrity.
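The two-step construction repeated in the explanations above (hash the message, then apply the sender's private key), the receiver-side recalculation that gives integrity, the public-key check that gives authenticity and non-repudiation, and the point from question 16 that the message itself stays in the clear can all be seen in one added example. This Go program is written for this post and is not the page's or any product's own code; it uses Ed25519 from Go's standard library in place of the RSA-style "encrypt the hash with the private key" wording, which is an assumption on my part, but the structure (digest, private-key operation by the signer, public-key verification by the receiver) is the same. The purchase-order message and the second "impostor" key pair are constructed for the demonstration, and distribution of the sender's public key (normally via a CA-issued certificate) is not modelled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is what the sender transmits: the message itself (still in
// the clear, so a signature alone gives no confidentiality) plus the signature
// over its digest. The sender's public key is assumed to reach the receiver
// through a trusted channel that this example does not model.
type SignedMessage struct {
	Message   []byte
	Signature []byte
}

// messageDigest is step 1: hash the entire message to a fixed-length digest.
// SHA-256 is one-way, so the digest cannot be turned back into the message.
func messageDigest(message []byte) []byte {
	sum := sha256.Sum256(message)
	return sum[:]
}

// Sign is step 2: the signer applies their own PRIVATE key to the digest.
func Sign(senderPriv ed25519.PrivateKey, message []byte) SignedMessage {
	return SignedMessage{
		Message:   message,
		Signature: ed25519.Sign(senderPriv, messageDigest(message)),
	}
}

// Verify is the receiver's side: recompute the digest from the received message
// and check the signature with the sender's PUBLIC key. True means both that the
// message was not altered in transit (integrity) and that it was signed by the
// holder of the matching private key (authenticity, and hence non-repudiation).
func Verify(senderPub ed25519.PublicKey, sm SignedMessage) bool {
	return ed25519.Verify(senderPub, messageDigest(sm.Message), sm.Signature)
}

// SignatureResult records the outcome of the checks run by SignatureDemo.
type SignatureResult struct {
	OriginalVerifies bool // untouched message, sender's key: expected true
	TamperedVerifies bool // one field changed in transit: expected false
	ImpostorVerifies bool // same message signed by a different key pair: expected false
	MessageInClear   bool // the transmitted message is still readable plaintext: true
}

// SignatureDemo walks through the exchange on a constructed message.
func SignatureDemo() (SignatureResult, error) {
	customerPub, customerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SignatureResult{}, err
	}
	// A second key pair stands in for someone claiming to be the customer.
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SignatureResult{}, err
	}

	msg := []byte("Purchase order 1234: 10 units at 9.99") // constructed sample message
	sm := Sign(customerPriv, msg)

	// Alter the quantity after signing; the receiver's recomputed digest no longer matches.
	tampered := sm
	tampered.Message = bytes.Replace(msg, []byte("10 units"), []byte("99 units"), 1)

	// Sign the identical message with the wrong private key; the customer's public key rejects it.
	forged := Sign(impostorPriv, msg)

	return SignatureResult{
		OriginalVerifies: Verify(customerPub, sm),
		TamperedVerifies: Verify(customerPub, tampered),
		ImpostorVerifies: Verify(customerPub, forged),
		MessageInClear:   bytes.Equal(sm.Message, msg),
	}, nil
}

func main() {
	r, err := SignatureDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Only the original message under the customer's public key verifies. The tampered copy fails because the receiver's recalculated digest differs (integrity), the impostor's signature fails because it was not made with the customer's private key (authenticity), and in every case the order text travels as plaintext, which is why a signature is never a substitute for encryption when confidentiality is required.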


19. Which of the following should be disabled to increase the security of a wireless network against unauthorized access?
A. MAC (Media Access Control) address filtering
B. Encryption
C. WPA-2 (Wi-Fi Protected Access Protocol)
D. SSID (service set identifier) broadcasting

A Service Set Identifier (SSID) is the network name broadcast by a router, and it is visible to all wireless devices. When a device searches the area for wireless networks it will detect the SSID. Disabling SSID broadcasting adds security by making it more difficult for unauthorized users to find the network. For better security controls, MAC filtering and WPA-2 should be enabled (and not disabled).


20. Which of the following techniques is most relevant to test the wireless (Wi-Fi) security of an organization?
A. WPA-2
B. War dialling
C. War driving
D. Social Engineering

The ‘war driving’ technique is used by hackers for unauthorised access to wireless infrastructure. War driving is a technique in which a wireless-equipped computer is used to locate and gain access to wireless networks. This is done by driving or walking in and around buildings. ‘War driving’ is also used by auditors to test wireless security. WPA-2 is an encryption standard and not a technique to test security. War dialling is a technique for gaining access to a computer or a network through the dialling of defined blocks of telephone numbers.