
Tuesday, March 20, 2018

Domain 3: Quick Review

The title for Domain 3 is Information Systems Acquisition, Development and Implementation.
There are 14 areas that you need to understand for Domain 3.

1) Business realization
  • Know the difference between portfolio management and program management
  • Know the seven steps of benefit realization or benefits management (question might refer to either)
2) Project Management Structure
  • Know the three major forms of organizational alignment
  • Know three different ways to communicate during project initiation
  • Project objectives are aligned with what? Business objectives, of course
  • Know the roles and responsibilities for project steering committee, project sponsor, and quality assurance
3) Project Management Practices
  • Know the three elements of a project and the effect of increasing or decreasing one of the elements
  • Of the nine ways of project planning, concentrate on LOSC, FPA, CPM, GANTT, PERT and TBM
4)     Business Application Development
  • What is the major risk of any software development project – final outcome does not meet all requirements.
  • Understand the eight phases of the traditional SDLC approach
  • In which phase does testing start
  • In which phase does security start (control specs)
  • In which phase does UAT occur
  • What should be in an RFP
  • What is software baselining and when does it occur
  • What is the auditor’s focus in SDLC
  • What’s an IDE
  • Know the difference between Unit Testing, Interface/Integration Testing, System Testing and Final Acceptance Testing
  • When is it the most, or least, expensive time to make changes (which phase for each condition)
  • What’s a structured walkthrough test, white box test, black box test, blue team, red team, yellow box testing and regression testing
  • In which phase does data conversion occur
  • Know the different types of cutover
5) Business Application Systems
  • Be able to define authentication and nonrepudiation
  • Know the difference between an RA and a CA
  • If you are your own CA, who does the CRL and what is the biggest issue?
  • In EDI, what does the communications handler do? What does the application interface do?
  • What is the biggest risk in EDI?
  • How do we get positive assurance in an EDI transaction world?
  • What is a digital signature when speaking of eMail?
  • What’s the objective of EMM and how do you audit eCash?
  • Don’t forget: Neural networks are —
6) Alternative Forms of Software Project Organization
  • What is SCRUM
  • Know the difference between Incremental and Iterative development
  • Know the variants (Evolutionary, Spiral, Agile)
  • Speaking of which, what is AGILE DEV?
  • What is prototyping
  • What is RAD and JAD
7) Alternative Development Methods
  • What’s the major advantage of OOSD
  • What’s the advantage of component based development
  • What’s the difference between reengineering and reverse engineering
8) Infrastructure Development/Acquisition Practices
  • What are the phases of Physical architecture analysis and what happens during the functional requirement phase
  • What are the phases of “Planning the Implementation of Infrastructure” and know the details of each of the four phases.
  • Understand why change control procedures are critical in the acquisition process.
9) Information Systems Maintenance Practices
  • Why is change management important?
  • How should emergency changes be handled?
  • How do you audit for unauthorized changes?
10) System Development Tools and Productivity Aids
  • Care should be taken when using fourth-generation languages since some of them lack the lower level detail commands necessary to perform some of the more intense data operations.
11) Process Improvement Practices
  • Document the current existing baseline processes
  • Major concern of BPR is that key controls may be reengineered out of a process.
  • What does ISO 9126 define?
  • Why was CMM by SEI developed?
  • Need SPICE?
12) Application Controls
  • What are the objectives of Application Controls?
  • Batch header forms are what type of control?  Who uses batch anyway?
  • There are two charts in this section.  The first one is on Data Validation Edits and Controls and the second is on Data File Controls.  You need to memorize both
13) Auditing Application Controls
  • There’s a chart on testing application systems in the review manual which enumerates several different techniques – memorize this chart
  • Know the difference between atomicity and consistency.
  • There are five types of automated evaluation techniques applicable to continuous online auditing.  These you’ll need to know, particularly: SCARF, ITF, CIS, snapshots and audit hooks.
14) Auditing Systems Development, Acquisition and Maintenance
  • What do you do if the development group is fast-tracking IV&V?  Let the project steering committee know what the risks are, of course.

Tuesday, December 26, 2017

Decision trees

Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached. Rules refer to the expression of declarative knowledge through the use of if-then relationships.

Semantic nets consist of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes. Semantic nets resemble a dataflow diagram and make use of an inheritance mechanism to prevent duplication of data.

Elliptic curve encryption over RSA

The main advantage of elliptic curve encryption over RSA encryption is its computation speed. This method was first independently suggested by Neal Koblitz and Victor S. Miller.

Both encryption methods support digital signatures and are used for public key encryption and key distribution. However, a stronger key per se does not guarantee better performance; what matters is the actual algorithm employed.

A comparison between traditional RSA and elliptic curve cryptography would be helpful.
To begin with:

Advantage of RSA:
  1. Well established.
Advantages of elliptic curve:
  1. Shorter keys are as strong as longer keys for RSA (see the IEEE paper)
  2. Low CPU consumption.
  3. Low memory usage.

IPSec

IPSec works on two basic packet components—ESP and AH. ESP encrypts the data and stores it in an Encapsulating Security Payload packet component for data protection. Though essential, AH manages the authentication process, not the confidentiality of the data. Semantic nets are part of artificial intelligence and would not help in data protection. Digital signatures are not used in IPSec and, thus, will not provide data protection.

What is the ESP protocol?
Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. In IPsec it provides origin authenticity, integrity and confidentiality protection of packets.

The basic idea of IPsec is to provide security functions, authentication and encryption, at the IP (Internet Protocol) level. This requires a higher-level protocol (IKE) to set things up for the IP-level services (ESP and AH).

Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection.
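The replay protection mentioned above is provided by a receiver-side sliding window over the ESP/AH sequence number (RFC 4303 section 3.4.3). The following is an added example written for this post, not code from the original article or from any IPsec implementation; the window size, class name and the sample sequence numbers are constructed for illustration.

```python
"""Added example: an IPsec-style anti-replay sliding window (RFC 4303 3.4.3).

The receiver tracks the highest sequence number accepted so far and a bitmap
of which of the last WINDOW sequence numbers were already seen. A packet is
dropped if it is too old to fall inside the window or if it was seen before.
"""


class AntiReplayWindow:
    def __init__(self, window_size: int = 64):
        if window_size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = window_size
        self.last = 0          # highest sequence number accepted so far
        self.bitmap = 0        # bit i set => sequence number (last - i) accepted

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if it must be dropped."""
        if seq == 0:           # sequence number 0 is never valid (RFC 4303)
            return False
        if seq > self.last:    # newer than anything seen: slide the window
            shift = seq - self.last
            if shift >= self.size:
                self.bitmap = 1                   # everything older falls off
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        offset = self.last - seq
        if offset >= self.size:                   # too old to track: drop
            return False
        if self.bitmap & (1 << offset):           # already accepted: replay
            return False
        self.bitmap |= 1 << offset                # late but fresh: accept once
        return True


def filter_sequence(seqs, window_size=64):
    """Run a constructed stream of sequence numbers through one window.

    Returns (seq, accepted) decisions, i.e. what a receiver would log."""
    win = AntiReplayWindow(window_size)
    return [(s, win.check_and_update(s)) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: in-order packets, a reorder, a replay, then a stale one
    for seq, ok in filter_sequence([1, 2, 3, 5, 4, 3, 70, 5, 6]):
        print(f"seq={seq:>3} {'accept' if ok else 'DROP'}")
```

An auditor checking an IPsec deployment would look for this window being enabled (and large enough for the link's reordering) on both peers, since a disabled window silently accepts replayed packets.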

Critical Success Factors for Continually Monitoring, Evaluating and Assessing Management of Enterprise IT

Critical Success Factors (CSF) include:

  • Identifying and engaging with key stakeholders (Who).
  • Planning and communicating the in-scope processes (What).
  • Determining assessment frequency and time to execute (When).
  • Employing a risk-based assessment approach with proper prioritization (How).
  • Continually tracking, reviewing and reporting performance to management.

Documentation of a Business Case for an IT Development Project should be retained until:

A business case can and should be used throughout the life cycle of the product. It serves as an anchor for new (management) personnel, helps to maintain focus and provides valuable information on estimates vs. actuals.
Questions like “why do we do that,” “what was the original intent” and “how did we perform against the plan” can be answered, and lessons for developing future business cases can be learned.
During the development phase of a project one should always validate the business case, as it is a good management instrument. After finishing a project and entering production, the business case and all the completed research are valuable sources of information that should be kept for further reference.

Electronic Data Interchange

With EDI, errors must be identified and followed up on more quickly, given the reduced opportunities for review and authorization.

Foremost among the risks associated with EDI is improper transaction authorization. Since the interaction with the parties is electronic, there is no inherent authentication.


Tasks of Different Teams

User management assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in system requirements definition, acceptance testing and user training. User management should review and approve system deliverables as they are defined and accomplished or implemented.

A project steering committee provides overall direction, ensures appropriate representation of the major stakeholders in the project's outcome, reviews project progress regularly and holds emergency meetings when required. A project steering committee is ultimately responsible for all deliverables, project costs and schedules.

Senior management demonstrates commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those who are needed to complete the project.

Quality assurance staff review results and deliverables within each phase, and at the end of each phase confirm compliance with requirements. The timing of reviews depends on the system development life cycle methodology used, the structure and magnitude of the system and the impact of potential deviation.