ISCA Nov 14 Solved


8/10/2019 ISCA Nov 14 Solved (page 1/15)

ISCA
NOV 2014 SOLVED QUESTION PAPER

QUESTION NO 1

a) Data integrity policies:

1. Virus signature updating: Virus signatures must be updated automatically when they are made available by the vendor, by enabling automatic updates.
2. Software testing: All software must be tested in a suitable test environment before installation on production systems.
3. Division of environments: Division into development, test and production environments is required for critical systems.
4. Offsite backup storage: Backups older than one month must be sent offsite for permanent storage.
5. Quarter-end and year-end backups: These must be done separately from the normal schedule, for accounting purposes.
6. Disaster recovery: A comprehensive disaster recovery plan must be used to ensure continuity of corporate business in the event of an outage.

b) There are five categories of tests that a programmer typically performs on a program unit. Such typical tests are described as follows:

Functional Tests: Functional tests check whether programs do what they are supposed to do. The test plan specifies operating conditions, input values and expected results, and as per this plan the programmer checks, by inputting the values, whether the actual result and the expected result match.

Performance Tests: Performance tests should be designed to verify the response time, the execution time, the throughput, primary and secondary memory utilization, and the traffic rates on data channels and communication links.

Stress Tests: Stress testing is a form of testing that is used to determine the stability of a given system or entity. It involves testing beyond normal operational capacity, often to a breaking point, in order to observe the results. These tests are designed to overload a program in various ways. The purpose of a stress test is to determine the limitations of the program.

Structural Tests: Structural tests are concerned with examining the internal processing logic of a software system. For example, if a function is responsible for tax calculation, the verification of its logic is a structural test.

Parallel Tests: In parallel tests, the same test data is used in the new and the old system and the output results are then compared.

c) Critical controls required in a computerized environment are:

Management understanding of IS risks and related controls.
Requirement of an adequate IS control framework.
Presence of strong general controls and IS controls.
Awareness and knowledge of IS risks and controls amongst the business users and IT staff.
Implementation of controls in distributed computing environments and extended enterprises.
Implementation in highly technology-driven environments, and appropriate technology implementations or adequate security functionality in the technologies implemented.

d) (MARKED AS IMPORTANT)

Recommendations for efficient use of computer and IT resources to achieve the objective of green computing are:

1. Power down the CPU and all peripherals during extended periods of inactivity.
2. Try to do computer-related tasks during contiguous, intensive blocks of time, leaving hardware off at other times.
3. Power up and power down energy-intensive peripherals such as laser printers according to need.
4. Use LCD instead of CRT monitors.
5. Use notebook computers rather than desktop computers whenever possible.
6. Use power management features to turn off hard drives and displays after several minutes of inactivity.
7. Minimise the use of paper and properly recycle waste paper.
8. Dispose of e-waste according to central, state and local regulations.
9. Employ alternative energy sources for computing workstations, servers, networks and data centers.


QUESTION NO 2

a) (MARKED AS IMPORTANT)

SEBI has mandated that exchanges shall conduct an annual system audit by a reputed independent auditor.
The audit shall be conducted according to the norms, terms of reference (TOR) and guidelines issued by SEBI.
The stock exchange/depository (auditee) may negotiate, and the board of the stock exchange/depository shall appoint the auditors based on the prescribed auditor selection norms and TOR. The auditors can perform a maximum of 3 consecutive audits. The proposal from the auditor must be submitted to SEBI for records.
The audit schedule must be submitted to SEBI at least 2 months in advance, along with the scope of the current audit and the previous audit.
The scope of the audit may be extended by SEBI, considering the changes that have taken place during the last year or post audit report. The audit has to be conducted and the audit report submitted to the auditee.
The report should have specific compliance/non-compliance issues, observations on minor deviations as well as qualitative comments on scope for improvement. The report should also take previous audit reports into consideration and cover any open items therein.
The auditee management provides their comments about the non-conformities (NCs) and observations. For each NC, specific time-bound (within 3 months) corrective action must be taken and reported to SEBI. The auditor should indicate if a follow-on audit is required to review the status of the NCs.
The report along with management comments shall be submitted to SEBI within 1 month of completion of the audit.

b) Pertinent issues to achieve the goals of cloud computing: (MARKED AS IMPORTANT)

1. Threshold policy: Checking how the policy enables detection of a sudden increase in demand and results in the creation of additional instances to fill the demand.
2. Interoperability issues: If a company outsources or creates applications with one cloud computing vendor, the company may find it difficult to change to another computing vendor that has proprietary APIs and different formats for importing and exporting data.
3. Hidden costs: Cloud computing does not tell you what the hidden costs are. For instance, companies could incur higher network charges from their service providers for storage and database applications containing terabytes of data in the cloud.
4. Unexpected behavior: It is important to test the application in the cloud with a pilot study to check for unexpected behavior.
5. Security issues: Instead of waiting for an outage to occur, consumers should do security testing on their own, checking how well a vendor can recover data.
6. Software development in the cloud: To develop software using high-end databases, the most likely choice is to use cloud server pools at the internal corporate data center and extend resources temporarily with Amazon Web Services for testing purposes. This allows project managers to better control costs, manage security, and allocate resources to the clouds a project is assigned to.
7. Environmentally friendly cloud computing: One incentive for cloud computing is that it may be more environmentally friendly. First, reducing the number of hardware components needed to run applications in the company's internal data center and replacing them with cloud computing systems reduces the energy for running and cooling hardware. By consolidating these systems in remote centers, they can be handled more efficiently as a group.

c) The IS auditor reviews risks relating to IT systems and processes; some of them are:

Review and check information security controls (e.g. missing/out-of-date antivirus controls, open ports, open systems without passwords or with weak passwords, etc.).
Review and check efficient use of resources, or poor governance (e.g. huge spending on unnecessary IT projects like printing resources, storage devices, high-power servers and workstations, etc.).
Review and check IT strategies, policies and practices (including a lack of policy on the use of information and communication technology (ICT) resources, internet usage policies, security practices, etc.).
Review and check IT-related frauds (including phishing, hacking).

QUESTION NO 3

a) Latest IT tools

Business website: By having a website, the enterprise becomes reachable to a large number of customers.
Internet and intranet: Time and space are no longer an obstacle to conducting meetings of people working in a team from multiple locations.
Software and packages: DBMS, data warehousing, data mining tools and knowledge discovery can be used for getting information that plays an important role in decision making and can boost the business in the competitive world.
o Data Mining: An interdisciplinary subfield of computer science, it is the computational process of discovering patterns in large data sets involving methods at the intersection of artificial intelligence, machine learning, statistics and database systems. The applications of data mining are: text mining, web analysis, customer profiling (lists out what type of customers buy what products by using clustering), identifying customer requirements, providing summary information, financial planning and asset evaluation, cross-sectional and time series analysis, and resource planning.
o Data warehousing: It is a central repository of data which is created by integrating data from one or more disparate sources.

b) Related Risks: (MARKED AS IMPORTANT)

1. Personal computers are small in size and easy to connect and disconnect; they are likely to be shifted from one location to another or even taken outside the organization for theft of information.
2. Pen drives can be very conveniently transported from one place to another, as a result of which data theft may occur. Even hard disks can be ported easily these days.
3. A PC is generally a single-user oriented machine and hence does not provide inherent data safeguards. Problems such as data corruption and slow operation can be caused by computer viruses and pirated software.
4. Segregation of duties is not possible, owing to the limited number of staff.
5. Due to the vast number of installations, staff mobility is higher and hence becomes a source of leakage of information.
6. The operating staff may not be adequately trained.
7. Weak access control: Security software that provides log-on procedures is available for PCs. Most of these programs, however, become active only when the computer is booted from the hard drive.

Security measures (any two):
1. Physically locking the system.
2. Proper logging of equipment shifting must be done.
3. Centralized purchase of hardware and software.
4. Standards set for developing, testing and documenting.
5. Usage of anti-malware software.
6. The use of personal computers and their peripherals must be controlled.

c) IT Governance & Benefits (MARKED AS IMPORTANT)

IT governance can be defined as the system by which IT activities in a company or enterprise are directed and controlled to achieve business objectives, with the ultimate objective of meeting stakeholder needs.
It is the responsibility of executives and the board of directors. IT governance is a subset of corporate governance.
It encompasses the following:
Information systems
Technology
Communications
Business, legal and other issues
All stakeholders: directors, senior management, users, etc.

Benefits:
1. Value enhancement: Increased value delivered through enterprise IT.
2. Increased user satisfaction: With IT services.
3. Improved agility in supporting business needs.
4. Cost performance: Best cost performance of IT.
5. Mitigate and manage IT risks: Improved management and mitigation of IT-related risks.
6. Enabler for change: IT becoming an enabler for change rather than an inhibitor.
7. Improved transparency: And understanding of IT's contribution to the business.
8. Compliance with laws: Improved compliance with relevant laws, regulations and policies.
9. Optimum utilization of resources: More optimal utilization of IT resources.

QUESTION NO. 4

a) OUTPUT CONTROLS (MARKED AS IMPORTANT)

Storage and logging of sensitive, critical forms: Pre-printed stationery should be stored securely to prevent unauthorized destruction, removal or usage. Only authorized persons should be allowed access to stationery supplies such as security forms, negotiable instruments, etc.

Logging of output program executions: When programs used for output of data are executed, these should be logged and monitored; otherwise the confidentiality/integrity of the data may be compromised.

Spooling/queuing: Spool is an acronym for Simultaneous Peripheral Operations Online. This is a process used to ensure that the user is able to continue working while the print operation is being completed. When a file is to be printed, the operating system stores the data stream to be sent to the printer in a temporary file on the hard disk. This file is then spooled to the printer as soon as the printer is ready to accept the data. This intermediate storage of output could lead to unauthorized disclosure and/or modification. A queue is the list of documents waiting to be printed on a particular printer; this should not be subject to unauthorized modifications.

Controls over printing: Outputs should be made on the correct printer and it should be ensured that unauthorized disclosure of the information printed does not take place. Users must be trained to select the correct printer, and access restrictions may be placed on the workstations that can be used for printing.

Report distribution and collection controls: Distribution of reports should be made in a secure way to prevent unauthorized disclosure of data. It should be made immediately after printing to ensure that the time gap between generation and distribution is reduced. A log should be maintained of reports that were generated and to whom these were distributed. Where users have to collect reports, the user should be responsible for timely collection of the report, especially if it is printed in a public area. A log should be maintained of reports that were printed and collected. Uncollected reports should be stored securely.

Retention controls: Retention controls consider the duration for which outputs should be retained before being destroyed. Consideration should be given to the type of medium on which the output is stored. Retention control requires that a date should be determined for each output item produced. Various factors, ranging from the need for the output and use of the output to legislative requirements, would affect the retention period.

b) COBIT 5 provides key management practices for ensuring compliance with external compliance requirements as relevant to the enterprise. The practices are given as follows: (MARKED AS IMPORTANT)

Identify External Compliance Requirements: On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements that must be complied with from an IT perspective.

Optimize Response to External Requirements: Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice, and best practice guidance for adoption and adaptation.

Confirm External Compliance: Confirm compliance of policies, principles, standards, procedures and methodologies with legal, regulatory and contractual requirements.


BCM strategies and plans incorporate improvements identified during incidents and exercises and in the maintenance program;
The enterprise has an ongoing program for BCM training and awareness;
BCM procedures have been effectively communicated to relevant staff, and those staff understand their roles and responsibilities; and
Change control processes are in place and operate effectively.

b) Expert Systems & Properties of Expert Systems (MARKED AS IMPORTANT)

Expert Systems: An Expert System is a highly developed DSS that utilizes knowledge generally possessed by an expert to solve a problem. Expert Systems are software systems that imitate the reasoning processes of human experts and provide decision makers with the type of advice they would normally receive from such experts.

Some of the properties that potential applications should possess to qualify for Expert System development are given as follows:

Availability: One or more experts are capable of communicating how they go about solving the problems to which the Expert System will be applied.
Complexity: Solution of the problems for which the Expert System will be used is a complex task that requires logical inference processing, which would not be easily handled by conventional information processing.
Domain: The domain, or subject area, of the problem is relatively small and limited to a relatively well-defined problem area.
Expertise: Solutions to the problem require the efforts of experts. That is, only a few possess the knowledge, techniques and intuition needed.
Structure: The solution process must be able to cope with ill-structured, uncertain, missing and conflicting data, and a dynamic problem-solving situation.

c) Impact of Cyber Frauds on Enterprises

The impact of cyber frauds on enterprises can be viewed under the following dimensions:

Financial Loss: Cyber frauds lead to actual cash loss to the target company/organization. For example, wrongful withdrawal of money from bank accounts.

Legal Repercussions: Entities hit by cyber frauds are caught in legal liabilities to their customers. Section 43A of the Information Technology Act, 2000, fixes liability on companies/organizations holding secured data of customers. These entities need to ensure that such data is well protected. In case a fraudster breaks into such a database, it adds to the liability of the entities.

Loss of Credibility or Competitive Edge: News that an organization's database has been hit by fraudsters leads to loss of competitive advantage. It also leads to loss of credibility. There have been instances where share prices of such companies went down as the news of such an attack percolated to the market.

Disclosure of Confidential, Sensitive or Embarrassing Information: A cyber-attack may expose critical information in the public domain. For example, the instances of individuals leaking information about governments' secret programs.

Sabotage: The above situation may lead to misuse of such information by an enemy country.

QUESTION NO 6

a) Changes to Evidence Collection (MARKED AS IMPORTANT)

Changes to Evidence Collection: The existence of an audit trail is a key financial audit requirement, since without an audit trail the auditor may have extreme difficulty in gathering sufficient, appropriate audit evidence to validate the figures in the client's accounts. The performance of evidence collection and understanding the reliability of controls involves issues like:

Data retention and storage: A client's storage capabilities may restrict the amount of historical data that can be retained on-line and readily accessible to the auditor. If the client has insufficient data retention capacity, the auditor may not be able to review a whole reporting period's transactions on the computer system. For example, the client's computer system may save data on a detachable storage device by summarizing transactions into monthly, weekly or period-end balances.

Absence of input documents: Transaction data may be entered into the computer directly without the presence of supporting documentation, e.g. input of telephone orders into a telesales system. The increasing use of EDI will result in less paperwork being available for audit examination.

Non-availability of audit trail: The audit trails in some computer systems may exist for only a short period of time. The absence of an audit trail will make the auditor's job very difficult and may call for an audit approach which involves auditing around the computer system, by seeking other sources of evidence to provide assurance that the computer input has been correctly processed and output.

Lack of availability of output: The results of transaction processing may not produce a hard-copy form of output, i.e. a printed record. In the absence of physical output it may be necessary for the auditor to directly access the electronic data retained on the client's computer. This is normally achieved by having the client provide a computer terminal and being granted read access to the required data files.

Audit evidence: Certain transactions may be generated automatically by the computer system. For example, a fixed asset system may automatically calculate depreciation on assets at the end of each calendar month. The depreciation charge may be automatically transferred (journalised) from the fixed assets register to the depreciation account and hence to the client's income and expenditure account.

Legal issues: The use of computers to carry out trading activities is also increasing. More organizations in both the public and private sector intend to make use of EDI and electronic trading over the Internet. This can create problems with contracts, e.g. when is the contract made, where is it made (legal jurisdiction), what are the terms of the contract and who are the parties to the contract.

b) Agile Methodology & Its Strengths (MARKED AS IMPORTANT)

Agile methodology: This is an organized set of software development methodologies based on iterative and incremental development, where requirements and solutions evolve through collaboration between self-organizing, cross-functional teams. It promotes adaptive planning, evolutionary development and delivery, and a time-boxed iterative approach, and encourages rapid and flexible response to change.

Strengths: Some of the strengths identified by experts and practitioners include the following:

Agile methodology has the concept of an adaptive team, which enables it to respond to changing requirements.
The team does not have to invest time and effort only to find that, by the time they delivered the product, the requirement of the customer has changed.
Face-to-face communication and continuous inputs from the customer representative leave little space for guesswork.
The documentation is crisp and to the point, to save time.
The end result is generally high-quality software in the least possible time duration and a satisfied customer.


b) Objectives of BCM Policy

The objective of this policy is to provide a structure through which:

Critical services and activities undertaken by the enterprise operation for the customer will be identified.
Plans will be developed to ensure continuity of key service delivery following a business disruption, which may arise from the loss of facilities, personnel, IT and/or communications, or failure within the supply and support chains.
Invocation of incident management and business continuity plans can be managed.
Incident management plans and business continuity plans are subject to ongoing testing, revision and updating as required.
Planning and management responsibility are assigned to a member of the relevant senior management team.

QUESTION NO 7

a) Operating System Security: Operating system security involves policy, procedures and controls that determine who can access the operating system, which resources they can access, and what actions they can take.

The following security components are found in a secure operating system:

Log-in Procedure: A log-in procedure is the first line of defense against unauthorized access. When the user initiates the log-on process by entering a user-id and password, the system compares the ID and password to a database of valid users. If the system finds a match, then the log-on attempt is authorized. If the password or user-id is entered incorrectly, then after a specified number of wrong attempts the system should lock the user out of the system.

Access Token: If the log-on attempt is successful, the operating system creates an access token that contains key information about the user, including user-id, password, user group and privileges granted to the user. The information in the access token is used to approve all actions attempted by the user during the session.

Access Control List: This list contains information that defines the access privileges for all valid users of the resource. When a user attempts to access a resource, the system compares his or her user-id and privileges contained in the access token with those contained in the access control list. If there is a match, the user is granted access.

Discretionary Access Control: The system administrator usually determines who is granted access to specific resources and maintains the access control list. However, in distributed systems, resources may be controlled by the end-user. Resource owners in this setting may be granted discretionary access control, which allows them to grant access privileges to other users. For example, the controller who is the owner of the general ledger grants read-only privilege to the budgeting department, while the accounts payable manager is granted both read and write permission to the ledger.
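The four components above (log-in with lockout, access token, ACL check, discretionary grant by the owner) as a small simulation; this is an added example, not code from the paper or from any real operating system. All user names, passwords and the "general_ledger" resource are constructed, and one deliberate deviation from the text is that the token carries only a salted hash of the password rather than the password itself.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3  # lock the account after this many consecutive wrong attempts


def _hash_password(password, salt):
    # Salted, iterated hash stored in the user database instead of the cleartext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    group: str
    privileges: frozenset
    failed_attempts: int = 0
    locked: bool = False


@dataclass(frozen=True)
class AccessToken:
    # Issued at log-on; carries user-id, group and privileges, NOT the password.
    user_id: str
    group: str
    privileges: frozenset


@dataclass
class Resource:
    owner: str
    acl: dict = field(default_factory=dict)  # user_id -> {"read", "write", ...}


class OperatingSystem:
    def __init__(self):
        self.users = {}       # user-id -> UserRecord (the database of valid users)
        self.resources = {}   # name -> Resource

    def add_user(self, user_id, password, group, privileges=()):
        salt = os.urandom(16)
        self.users[user_id] = UserRecord(
            salt, _hash_password(password, salt), group, frozenset(privileges))

    def login(self, user_id, password):
        """Log-in procedure: AccessToken on success, None on failure or lockout."""
        rec = self.users.get(user_id)
        if rec is None or rec.locked:
            return None
        if hmac.compare_digest(rec.pw_hash, _hash_password(password, rec.salt)):
            rec.failed_attempts = 0
            return AccessToken(user_id, rec.group, rec.privileges)
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_ATTEMPTS:
            rec.locked = True   # lock the user out after the specified number of wrong attempts
        return None

    def access(self, token, resource_name, operation):
        """ACL check: compare the token's user-id with the resource's ACL."""
        res = self.resources.get(resource_name)
        if token is None or res is None:
            return False
        return operation in res.acl.get(token.user_id, set())

    def grant(self, token, resource_name, grantee, operations):
        """Discretionary access control: only the owner may extend the ACL."""
        res = self.resources.get(resource_name)
        if token is None or res is None or res.owner != token.user_id:
            return False
        res.acl.setdefault(grantee, set()).update(operations)
        return True


def demo():
    """Constructed scenario following the general-ledger example in the text."""
    osys = OperatingSystem()
    osys.add_user("controller", "ctrl-pass-2014", "finance", {"owner"})
    osys.add_user("budgeting", "bud-pass-2014", "finance")
    osys.add_user("ap_manager", "ap-pass-2014", "finance")
    osys.resources["general_ledger"] = Resource(
        owner="controller", acl={"controller": {"read", "write"}})
    ctrl = osys.login("controller", "ctrl-pass-2014")
    osys.grant(ctrl, "general_ledger", "budgeting", {"read"})
    osys.grant(ctrl, "general_ledger", "ap_manager", {"read", "write"})
    bud = osys.login("budgeting", "bud-pass-2014")
    ap = osys.login("ap_manager", "ap-pass-2014")
    return {
        "budget_read": osys.access(bud, "general_ledger", "read"),
        "budget_write": osys.access(bud, "general_ledger", "write"),
        "ap_write": osys.access(ap, "general_ledger", "write"),
        # budgeting is not the owner, so it cannot grant itself write access
        "budget_self_grant": osys.grant(bud, "general_ledger", "budgeting", {"write"}),
    }
```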

b) Internal Controls as per COSO: (MARKED AS IMPORTANT)

According to COSO, internal control is comprised of five interrelated components:

Control Environment: For each business process, an organization needs to develop and maintain a control environment, including categorizing the criticality and materiality of each business process, plus the owners of the business process.
Risk Assessment: Each business process comes with various risks. A control environment must include an assessment of the risks associated with each business process.
Control Activities: Control activities must be developed to manage, mitigate and reduce the risks associated with each business process. It is unrealistic to expect to eliminate risks completely.
Information and Communication: Associated with control activities are information and communication systems. These enable an organization to capture and exchange the information needed to conduct, manage and control its business processes.
Monitoring: The internal control process must be continuously monitored, with modifications made as warranted by changing conditions.

Clause 49 of the listing agreements issued by SEBI in India is on similar lines to the SOX regulation and mandates, inter alia, the implementation of enterprise risk management and internal controls, and holds the senior management legally responsible for such implementation. Further, it also provides for certification of these aspects by the external auditors.

c) Definitions of the Risk Related Terms

Vulnerability: Vulnerability is a weakness in the system safeguards that exposes the system to threats. It may be a weakness in information system/s, cryptographic systems (security systems), or other components (e.g. system security procedures, hardware design, internal controls) that could be exploited by a threat. Vulnerabilities potentially allow a threat to harm or exploit the system. For example, a vulnerability could be a poor access control method allowing dishonest employees (the threat) to exploit the system to adjust their own records. Some examples of vulnerabilities are given as follows:
Leaving the front door unlocked makes the house vulnerable to unwanted visitors.
Short passwords (less than 6 characters) make the automated information system vulnerable to password cracking or guessing routines.

Threat: Any entity, circumstance or event with the potential to harm the software system or component through its unauthorized access, destruction, modification and/or denial of service is called a threat. A threat is an action, event or condition where there is a compromise in the system, its quality and ability, to inflict harm to the organization.

Risk: Formally, risk can be defined as the potential harm caused if a particular threat exploits a particular vulnerability to cause damage to an asset, and risk analysis is defined as the process of identifying security risks and determining their magnitude and impact on an organization. Risk assessment includes the following:
Identification of threats and vulnerabilities in the system;
Potential impact or magnitude of harm that a loss of CIA would have on enterprise operations or enterprise assets, should an identified vulnerability be exploited by a threat; and
The identification and analysis of security controls for the information system.

d) Types of Backup (MARKED AS IMPORTANT)

Full Backup: A full backup captures all files on the disk or within the folder selected for backup. With a full backup system, every backup generation contains every file in the backup set. However, the amount of time and space such a backup takes prevents it from being a realistic proposition for backing up a large amount of data.

Incremental Backup: An incremental backup captures files that were created or changed since the last backup, regardless of backup type. This is the most economical method, as only the files that changed since the last backup are backed up. This saves a lot of backup time and space. Normally, incremental backups are very difficult to restore. One will have to start with recovering the last full backup, and then recover from every incremental backup taken since.

Differential Backup: A differential backup stores files that have changed since the last full backup. Therefore, if a file is changed after the previous full backup, a differential backup takes less time to complete than a full backup.

Mirror Backup: A mirror backup is identical to a full backup, with the exception that the files are not compressed in zip files and they cannot be protected with a password. A mirror backup is most frequently used to create an exact copy of the backup data.
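The difference between full, incremental and differential backups, as an added example that is not part of the paper: it runs both schedules over a constructed four-day change history and shows which files each backup captures and which backup sets a restore needs. File names and days are constructed; mirror backup is left out because it selects the same files as a full backup and differs only in storage format, and the restore logic assumes a schedule uses one backup type after its full backup.

```python
def select_files(kind, files_mtime, last_full_time, last_backup_time):
    """Return the sorted file names a backup of `kind` captures.

    files_mtime: {name: last-modified day} of the live file system.
    last_full_time: day of the most recent full backup (None if none yet).
    last_backup_time: day of the most recent backup of ANY type.
    """
    if kind == "full":
        return sorted(files_mtime)               # every file in the backup set
    if last_full_time is None:
        raise ValueError("incremental/differential need a prior full backup")
    if kind == "incremental":
        since = last_backup_time                 # changed since the last backup, any type
    elif kind == "differential":
        since = last_full_time                   # changed since the last FULL backup
    else:
        raise ValueError(f"unknown backup type: {kind}")
    return sorted(name for name, mtime in files_mtime.items() if mtime > since)


def run_schedule(schedule, changes):
    """Simulate a backup schedule.

    schedule: list of (day, kind); changes: {day: [files created/changed that day]}.
    Returns one record per backup with the files it captured.
    """
    files = {}                      # live file system: name -> last-modified day
    backups = []
    last_full = last_any = None
    for day, kind in schedule:
        for name in changes.get(day, []):
            files[name] = day       # apply the day's changes before the backup runs
        captured = select_files(kind, files, last_full, last_any)
        backups.append({"day": day, "kind": kind, "files": captured})
        if kind == "full":
            last_full = day
        last_any = day
    return backups


def restore_chain(backups, target_day):
    """Days of the backup sets needed, in order, to restore the state of `target_day`."""
    upto = [b for b in backups if b["day"] <= target_day]
    full_idx = max(i for i, b in enumerate(upto) if b["kind"] == "full")
    chain = [upto[full_idx]["day"]]
    latest = upto[-1]
    if latest["kind"] == "incremental":
        # last full, then EVERY incremental taken since it, oldest first
        chain += [b["day"] for b in upto[full_idx + 1:]]
    elif latest["kind"] == "differential":
        chain.append(latest["day"])  # last full plus only the latest differential
    return chain


# Constructed change history: three files created on day 0, then edits.
CHANGES = {
    0: ["ledger.db", "payroll.xls", "memo.txt"],
    1: ["ledger.db"],
    2: ["payroll.xls"],
    3: ["ledger.db"],
}
INCR_SCHEDULE = [(0, "full"), (1, "incremental"), (2, "incremental"), (3, "incremental")]
DIFF_SCHEDULE = [(0, "full"), (1, "differential"), (2, "differential"), (3, "differential")]


def compare_schedules():
    """Files captured per day and the day-3 restore chain for both schedules."""
    result = {}
    for label, schedule in (("incremental", INCR_SCHEDULE), ("differential", DIFF_SCHEDULE)):
        backups = run_schedule(schedule, CHANGES)
        result[label] = {
            "captured": [b["files"] for b in backups],
            "files_stored": sum(len(b["files"]) for b in backups),
            "restore_day3": restore_chain(backups, 3),
        }
    return result


if __name__ == "__main__":
    for label, info in compare_schedules().items():
        print(label, info)
```

The trade-off the text describes falls out of the numbers: the incremental schedule stores fewer files in total but needs every incremental set to restore, while the differential schedule stores more but restores from just two sets.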

e) Design of Database

Design of Database: Design of the database involves determining its scope, ranging from local to global structure. The scope is decided on the basis of interdependence among organizational units.

Conceptual Modeling: These describe the application domain via entities/objects, attributes of these entities/objects, and static and dynamic constraints on these entities/objects, their attributes and their relationships.

Data Modeling: Conceptual models need to be translated into data models so that they can be accessed and manipulated by both high-level and low-level programming languages.

Storage Structure Design: Decisions must be made on how to linearize and partition the data structure so that it can be stored on some device. For example, tuples (rows) in a relational data model must be assigned to records, and relationships among records might be established via symbolic pointer addresses.

Physical Layout Design: Decisions must be made on how to distribute the storage structure across specific storage media and locations, for example the cylinders, tracks and sectors on a disk and the computers in a LAN or WAN.