Documentos de Académico
Documentos de Profesional
Documentos de Cultura
Suggested Answers
Final Examinations – Summer 2010
A.1 (a) The management of CNE should develop a strategy for information technology because:
(i) IT is a high cost activity and therefore lack of a coherent strategy is likely to lead to expensive
mistakes.
(ii) IT is critical to the success of CNE because IT is a strategic activity in CNE as most of its
departments are using IT for most of their work.
(iii) Proper management of IT could lead improved services for all levels of management as well as
other stakeholders.
(iv) It helps to align the IT function with overall business strategy of the company.
(v) It plays an important role in effective and efficient use of IT resources.
(vi) It helps in planning the flow of information and processes.
(vii) It helps in reducing the time and expense of the information systems life cycle.
Required Resources
(i) What hardware will be required? Has it been arranged?
(ii) What software would be required? Has it been purchased?
(iii) What type of communication service (Email, discussion board, phone, toll free number, postal
mail) would be used?
(iv) What type of security services/protocols would be required? (SSL, SET and IPSEC etc.)
(b) Suggested measures to ensure that website remains secure, update and available
Security
(i) If site maintenance and support is outsourced, get appropriate non-disclosure agreement
signed. If maintenance and support is in-sourced, get non-disclosure agreement signed by all
members of team.
(ii) For the security of customers’ transactions, implement appropriate standards and protocols
like Open Buying on the Internet (OBI), Open Trading Protocol(OTP), and Secure Electronic
Transaction (SET) Protocol etc.
(iii) Get the transaction area be protected with Secure Socket Layer (SSL).
(iv) Get the website security mechanism and related procedures certified by an independent audit
firm.
(v) Define appropriate policies and procedures for privacy and confidentiality issues.
(vi) Document the mechanism for securing the website and get it approved from appropriate
authority.
(vii) Appoint external information system auditors for periodic audits of website security.
Update
(i) Identify the events/activities/actions that require updating the website contents.
(ii) The departmental heads shall be made responsible for keeping the respective information on
the website updated.
(iii) A senior officer should be assigned the responsibility for periodic review of the website to
ensure that information given there is current.
Availability
(i) If maintenance and support is outsourced, get appropriate service level agreement signed. If
maintenance and support is in-sourced, appoint appropriate team for 24X7 schedule.
(ii) Make arrangements for a suitable help desk function.
(iii) Prepare and test disaster recovery and business continuity plans.
(iv) Periodically monitor website traffic and its response in peak hours.
A.3 To assess the post event BCP compliance by the concerned office, I would conduct users/staff interviews
and assess related documentary evidence to check:
(i) Whether the role and responsibilities assigned to various individuals, were duly carried out?
(ii) Whether the action plans forming part of the BCP were carried out as envisaged?
(iii) Whether the services were restored within the expected time as specified in the BCP?
(iv)
(v) Were appropriate mitigating exercises carried out?
(vi) The initiating merchant checks the transaction detail with the originating document before
finally submitting it to the bank’s website.
(vii) The system generates control totals for number and value of messages input, and checks
them against input records.
(viii) Sequence of fields on the form at the bank’s website should be same as in the printed form to
be filled by the sender.
(b) Transmission and system failures controls
We would evaluate whether the following types of controls are in place:
(i) In case of message interruption during transmission, whether the system provides a record /
acknowledgement of accepted messages.
(ii) Whether there are written procedures for the retransmission of non-accepted messages.
(iii) Whether list of all messages is reconciled with list of accepted and list of rejected messages.
(iv) Whether an incident log is kept for all interruptions.
(v) Whether there are controls to prevent duplication of message processing following system
recovery.
(vi) Are appropriate procedures in place to address an abrupt failure when the sender’s message is
being processed and the initiating merchant’s system is not restored within reasonable time.
(vii) Is proper helpline service available?
(viii) Whether interruptions are reviewed.
(ix) Whether the communications protocol uses error-detection/correction techniques.
(x) Whether the system generates any check-sums, control totals etc.
(xi) Whether UPS, alternative hardware resources and other necessary backup equipments are in
place?
The information resource or SSO server handling this function is referred to as the primary domain.
Every other information resource, application or platform that used those credentials is called a
secondary domain.
A.7 (a) Social Engineering is the act of interacting with people and deceiving them to obtain
important/sensitive information or perform any other act that is harmful.
Pg 1 of 7
Information Technology Management, Audit and Control
Suggested Answers
Final Examinations – Summer 2010
A social engineer can use the phone, the Internet, or even show up personally to induce a person to
disclose ID number, username, password, server name(s), machine name(s), remote connection
settings, schedules, credit card number(s) etc.
Piggybacking, shoulder surfing, faux service, dialing for passwords, bribery, fascination and
bullying are some examples of social engineering.
(b) Phishing attacks use email or malicious web sites to solicit personal, often financial, information
Attackers may send email seemingly from a reputable credit card company or financial institution
that requests account information, often suggesting that there is a problem. When users respond with
the requested information, attackers can use it to gain access to the accounts.
(ii) Users can change their This will allow users to Users should not be allowed to
passwords whenever they continue their single change their passwords before a
want. password by resetting specified number of days.
five different passwords For early change of password,
and reverting back to written request must be
the old one submitted to the system
immediately. This in administrator.
turn will increase the
probability of password
compromise.
(iii) There is no minimum limit Users may keep blank, Minimum password length
of characters in passwords. small or easy to guess should be defined, say up to 8
passwords. characters.
Passwords must meet complexity
requirements.
(iv) Users are allowed to log in Attempts of unauthorized Users, specifically senior
Pg 1 of 7
Information Technology Management, Audit and Control
Suggested Answers
Final Examinations – Summer 2010
from two terminals at a access to sensitive data management users should not be
time. remain undetected. allowed to login from more than
Senior management users one terminal at a time.
may share their Users should be restricted to log
passwords with their in from their allocated terminals
assistants/other users. only.
(v) Additional rights are Unauthorized access to Access to sensitive data in
allowed to users on verbal sensitive data may go violation of defined job
instructions of the CEO. undetected. description should not be
allowed.
Changes in access rights/job
description should be
documented.
(vi) Only CEO has the password The database may not be CEO should seal the database
to open the sensitive edited if the CEO forgets password and place it in a secure
database in edit mode. the password. place like a bank locker. The
password storage place should be
known to senior management.
(vii) After entering the database Unauthorized use of Database log should be maintained,
password, the necessary privileges by IT Manager reviewed and signed off by a senior
editing is carried out by the may remain undetected. management member.
IT Manager.
A.9 (a) The following are the potential benefits of Information Security Management System International
Standard.
(i) Assurance
Management can be assured of the security and reliability of the system, if a recognized
framework or approach is followed.
(ii) Competitive Advantage
Following an international standard will help to gain competitive advantage.
(iii) Bench Marking
It can be used as a benchmark for current position and progress within the peer community.
(iv) Awareness
Implementation of a standard results in greater awareness about information security practices
within an organization.
(v) Alignment
Pg 1 of 7
Information Technology Management, Audit and Control
Suggested Answers
Final Examinations – Summer 2010
Implementation of standards tends to involve both business management and technical staff,
therefore; greater IT and business alignment often results.
(vi) Interoperability
Systems from diverse parties are more likely to fit together if they follow a common guideline.
(b) I would take the following steps for getting WIJCO certified towards an international security
standard:
(i) Obtain understanding of security issues addressed in the international security standards.
(ii) Develop a business case.
(iii) Get management support.
(iv) Define scope and boundaries.
(v) Develop an implementation program.
(vi) Develop policies, procedures, standards as required.
(vii) Conduct risk assessment / gap analysis.
(viii) Implement controls to fill the gaps.
(ix) Conduct a pre-certification assessment and take corrective actions if any gaps still exist.
(x) Invite certification body for certification audit.
(THE END)
Pg 1 of 7