
Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input for security requirements driven by enterprise requirements. Value delivery provides a standard set of security practices, i.e., baseline security following best practices or institutionalized and commoditized solutions. Risk management provides an understanding of risk exposure.

The use of continuous auditing techniques can improve system security when used in time-sharing environments that process a large number of transactions, but leave a scarce paper trail.

While the dates on which key projects are completed are important, there may be issues with the project plan if an extraordinary amount of unplanned overtime is required to meet those dates. In most cases, the project plan is based on a certain number of hours, and requiring programmers to work considerable overtime is not a best practice. While overtime costs may be an indicator that something is wrong with the plan, in many organizations the programming staff may be salaried, so overtime costs may not be directly recorded. It is possible that the programmers are trying to take advantage of the time system, but if they are not paid extra for overtime, they may not want to work the extra hours.

The involvement of user departments in the BCP is crucial for the identification of the business processing priorities.

Critical core competencies will most likely be carefully considered before outsourcing the planning phase of the application.

Deriving lower-level policies from corporate policies (a top-down approach) aids in ensuring consistency across the organization and consistency with other policies. The bottom-up approach derives operational policies from the results of a risk assessment. A top-down approach by itself does not ensure compliance, and the act of developing policies does not ensure that they are reviewed.

Due to the fact that the two systems could have a different data representation, including the database schema, the IS auditor's main concern should be to verify that the interpretation of the data is the same in the new as it was in the old system. Arithmetic characteristics represent aspects of data structure and internal definition in the database, and therefore are less important than the semantic characteristics. A review of the correlation of the functional characteristics or a review of the relative efficiencies of the processes between the two systems is not relevant to a data migration review.

IT balanced scorecard. Financial: encourages the identification of a few relevant high-level financial measures. In particular, designers were encouraged to choose measures that helped inform the answer to the question "How do we look to shareholders?" Customer: encourages the identification of measures that answer the question "How do customers see us?" Internal business processes: encourages the identification of measures that answer the question "What must we excel at?" Learning and growth: encourages the identification of measures that answer the question "How can we continue to improve, create value and innovate?"

Stress testing should be carried out in a test environment using live workloads.

Automated systems balancing would be the best way to ensure that no transactions are lost, as any imbalance between total inputs and total outputs would be reported for investigation and correction.

In a risk-based audit approach, the auditor identifies risk to the organization based on the nature of the business. In order to plan an annual audit cycle, the types of risk must be ranked. To rank the types of risk, the auditor must first define the audit universe by considering the IT strategic plan, organizational structure and authorization matrix.

Encapsulation is a property of objects, and it prevents accessing either properties or methods that have not been previously defined as public. This means that the implementation of an object's behavior is not accessible. An object defines a communication interface with the exterior, and only that which belongs to that interface can be accessed.

Performing table link/reference checks detects linking errors between tables (references that point to rows that do not exist, or links that are missing altogether), which bear directly on the completeness and accuracy of the contents of the database, and thus provides the greatest assurance of database integrity.
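As an added example (not part of the original text), the following Python script uses the standard-library sqlite3 module to run a table link check of the kind described above against a hypothetical customers/orders schema with constructed sample data. It reports child rows whose reference does not resolve to a parent, and then shows the preventive counterpart: the same insert against a schema that enforces the link with a FOREIGN KEY constraint.

```python
import sqlite3


def build_unconstrained_db():
    """Hypothetical schema (constructed for this example) with NO enforced
    foreign key, so orphaned order rows can exist undetected."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE customers (cust_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE orders (order_id INTEGER PRIMARY KEY, cust_id INTEGER, amount REAL);
        INSERT INTO customers VALUES (1, 'Acme'), (2, 'Globex');
        INSERT INTO orders VALUES
            (100, 1, 250.0),
            (101, 2, 75.5),
            (102, 3, 999.0),   -- references a customer that does not exist
            (103, NULL, 10.0); -- link missing entirely
    """)
    return con


def orphaned_orders(con):
    """Table link check: child rows whose cust_id resolves to no parent row.
    A LEFT JOIN keeps every order; a NULL on the parent side means no match."""
    return con.execute("""
        SELECT o.order_id, o.cust_id
        FROM orders AS o
        LEFT JOIN customers AS c ON c.cust_id = o.cust_id
        WHERE c.cust_id IS NULL
        ORDER BY o.order_id
    """).fetchall()


def orphan_report(con):
    """Summarise the check as an auditor would want it: population size,
    exception count and the exception detail."""
    total = con.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    orphans = orphaned_orders(con)
    return {"total_orders": total, "orphan_count": len(orphans), "orphans": orphans}


def insert_order_with_fk(cust_id):
    """Preventive control: the same insert against a schema whose link is
    enforced. SQLite only checks FOREIGN KEY clauses when the pragma is on."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript("""
        CREATE TABLE customers (cust_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE orders (
            order_id INTEGER PRIMARY KEY,
            cust_id  INTEGER NOT NULL REFERENCES customers(cust_id),
            amount   REAL);
        INSERT INTO customers VALUES (1, 'Acme');
    """)
    try:
        con.execute("INSERT INTO orders VALUES (200, ?, 5.0)", (cust_id,))
        return "accepted"
    except sqlite3.IntegrityError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    db = build_unconstrained_db()
    print(orphan_report(db))
    for cid in (1, 3, None):
        print(cid, "->", insert_order_with_fk(cid))
```

The detective query is the one to run in a migration or database review; the constraint is what stops the orphan from being created in the first place. Note that the check only covers links the reviewer knows about, so the list of parent/child pairs should come from the schema documentation, not from whatever constraints happen to be declared.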

Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached. Rules refer to the expression of declarative knowledge through the use of if-then relationships. Semantic nets consist of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes. Semantic nets resemble a dataflow diagram and make use of an inheritance mechanism to prevent duplication of data.

Parallel runs are the safest, though the most expensive, approach, because both the old and new systems are run, thus incurring what might appear to be double costs. Direct cutover is actually quite risky, since it does not provide for a shakedown period nor does it provide an easy fallback option. Both a pilot study and a phased approach are performed incrementally, making rollback procedures difficult to execute.

Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. The other choices are used in substantive testing, which involves testing of details or quantity.

The information security policy should have an owner who has approved management responsibility for the development, review and evaluation of the security policy. The position of security administrator is typically a staff-level position (not management), and therefore would not have the authority to approve the policy. Without proper management approval, enforcing the policy may be problematic, leading to compliance or security issues. While the information security policy should be updated on a regular basis, the specific time period may vary based on the organization. Although reviewing policies annually is a best practice, the policy could be updated less frequently and still be relevant and effective. An outdated policy is still enforceable, whereas a policy without proper approval is not enforceable. The lack of a revision history with respect to the IS policy document is an issue, but not as significant as not having it approved by management. An IS policy committee is not required to develop and enforce a good information security policy. The policy could be written by one person, as long as the person who approves the policy has the proper authority and knowledge to review and approve the policy. Although a policy committee drawn from across the company is a best practice and may help write better policies, a good policy can be written by a single person, and the lack of a committee is not a problem by itself.

Tracing involves following the transaction from the original source through to its final destination. In EFT transactions, the direction of tracing may start from the customer-printed copy of the receipt, then check the system audit trails and logs, and finally check the master file records for daily transactions. Vouching is usually performed on manual or batch-processing systems. In this scenario, the funds are transferred electronically and there is no manual processing. In online processing, authorizations are normally done automatically by the system. Correction entries are normally made by an individual other than the person entrusted to do reconciliations.

Since the interaction between parties is electronic, there is no inherent authentication occurring; therefore, transaction authorization is the greatest risk.

Controlling what information users can access specifically addresses the question of sensitive data. Column-level security prevents users from seeing one or more attributes on a table. With row-level security a certain grouping of information on a table is restricted; e.g., if a table held details of employee salaries, then a restriction could be put in place to ensure that, unless specifically authorized, users could not view the salaries of executive staff. Column- and row-level security can be achieved in a relational database by allowing users to access logical representations of data (views) rather than physical tables, so that privileges are granted on the view and not on the underlying table. This fine-grained security model is likely to offer the best balance between information protection and support for a wide range of analytical and reporting uses.
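As an added example (not from the original text), the following Python/sqlite3 script builds a hypothetical employees table with constructed data and defines the two kinds of view described above: a directory view that omits the salary and home phone columns (column-level security) and a payroll view that filters out executive rows (row-level security). SQLite has no GRANT statement, so the script demonstrates the view logic only; in PostgreSQL, Oracle or SQL Server the remaining step is to grant SELECT on the view and revoke it on the base table.

```python
import sqlite3


def build_hr_db():
    """Constructed sample HR data (hypothetical, not from the original text)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employees (
            emp_id INTEGER PRIMARY KEY, name TEXT, dept TEXT,
            grade TEXT, salary INTEGER, home_phone TEXT);
        INSERT INTO employees VALUES
            (1, 'Ada',   'ENG',  'STAFF',  90000, '555-0101'),
            (2, 'Grace', 'ENG',  'MGR',   120000, '555-0102'),
            (3, 'Linus', 'OPS',  'STAFF',  85000, '555-0103'),
            (4, 'Ken',   'EXEC', 'EXEC',  400000, '555-0104');

        -- Column-level security: the directory view simply does not carry
        -- salary or home_phone, so a user who can only query this view
        -- has no way to select those attributes.
        CREATE VIEW emp_directory AS
            SELECT emp_id, name, dept, grade FROM employees;

        -- Row-level security: payroll analysts may see salaries, but
        -- executive rows are excluded from the logical representation
        -- they are allowed to query.
        CREATE VIEW emp_salary_nonexec AS
            SELECT emp_id, name, dept, salary FROM employees
            WHERE grade <> 'EXEC';
    """)
    return con


def view_columns(con, view):
    """Column names exposed by a view, as the database itself reports them."""
    return [row[1] for row in con.execute(f"PRAGMA table_info({view})")]


def directory(con):
    return con.execute(
        "SELECT emp_id, name, dept, grade FROM emp_directory ORDER BY emp_id"
    ).fetchall()


def nonexec_salaries(con):
    return con.execute(
        "SELECT emp_id, salary FROM emp_salary_nonexec ORDER BY emp_id"
    ).fetchall()


def salary_visible_through_directory(con):
    """Asking the directory view for the hidden column fails outright
    rather than leaking the value."""
    try:
        con.execute("SELECT salary FROM emp_directory")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = build_hr_db()
    print(view_columns(db, "emp_directory"))
    print(directory(db))
    print(nonexec_salaries(db))
    print("salary via directory:", salary_visible_through_directory(db))
```

The check worth keeping from this example is view_columns: when reviewing such a design, confirm what the view actually exposes from the catalog rather than from the view's documented intent, and confirm that the reporting role has no direct privilege on the base table.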

A determination of acceptable downtime is made only in a BIA.

The risk most likely to be encountered in a SaaS environment is speed and availability issues, because SaaS relies on the Internet for connectivity. SaaS is provisioned on a usage basis, not a license basis; therefore, there should be no risk of noncompliance with software license agreements or licensing fees. Additionally, the open design and Internet connectivity allow most SaaS offerings to run with virtually no hardware on the customer's side.

A pharming attack redirects traffic to an unauthorized web site by exploiting vulnerabilities in the DNS server. To avoid this kind of attack, it is necessary to eliminate any known vulnerability that could allow DNS poisoning.

Atomicity guarantees that either the entire transaction is processed or none of it is. Consistency ensures that the database is in a legal state when the transaction begins and ends. Isolation means that, while in an intermediate state, the transaction data are invisible to external operations. Durability guarantees that a successful transaction will persist, and cannot be undone.
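The atomicity and consistency properties are easiest to see with a transaction that fails halfway. As an added example (not from the original text), the following Python/sqlite3 script uses a constructed two-account ledger with a CHECK constraint that encodes the consistency rule "no negative balance". A transfer credits the destination first and then debits the source; when the debit would breach the rule, the whole transfer, including the credit already applied, is rolled back, so the ledger never persists a half-applied state.

```python
import sqlite3


def build_bank():
    """Constructed sample ledger (hypothetical). The CHECK constraint is the
    consistency rule the database must hold at transaction boundaries."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE accounts (
            acct    TEXT PRIMARY KEY,
            balance INTEGER NOT NULL CHECK (balance >= 0));
        INSERT INTO accounts VALUES ('A', 100), ('B', 50);
    """)
    return con


def transfer(con, src, dst, amount):
    """Move amount from src to dst as one atomic unit of work.

    Using the connection as a context manager commits if the block completes
    and rolls back if anything raises, so both UPDATEs land or neither does.
    """
    try:
        with con:
            con.execute(
                "UPDATE accounts SET balance = balance + ? WHERE acct = ?",
                (amount, dst),
            )
            # Debiting below zero violates the CHECK constraint. The credit
            # above is then undone as well: atomicity in action.
            con.execute(
                "UPDATE accounts SET balance = balance - ? WHERE acct = ?",
                (amount, src),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def balances(con):
    return dict(con.execute("SELECT acct, balance FROM accounts ORDER BY acct"))


def total(con):
    """Control total: money is neither created nor destroyed by a transfer."""
    return con.execute("SELECT SUM(balance) FROM accounts").fetchone()[0]


if __name__ == "__main__":
    db = build_bank()
    print(transfer(db, "A", "B", 30), balances(db), total(db))
    print(transfer(db, "A", "B", 500), balances(db), total(db))
```

Isolation and durability are not shown here: an in-memory SQLite database is private to one connection, so there is no concurrent reader to isolate from, and durability depends on the journal mode and the storage underneath, which a review of a production system would need to look at separately.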

Applications that are exposed to the Internet should not include technical details in error messages because they could provide attackers with information about vulnerabilities.

Components written in one language can interact with components written in other languages or running on other machines, which can increase the speed of development. Software developers can then focus on business logic.

Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. An IS auditor, using generalized audit software, could design appropriate tests to recompute the payroll, thereby determining whether there were overpayments and to whom they were made. Test data would test for the existence of controls that might prevent overpayments, but it would not detect specific, previous miscalculations. Neither an integrated test facility nor an embedded audit module would detect errors for a previous period.
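As an added example (not from the original text), the following Python script performs the kind of recomputation and duplicate check that generalized audit software would run over a payroll register. The register extract and the pay rule (straight time to 40 hours, time and a half beyond) are constructed assumptions for this example; a real engagement would take both from the organization's payroll system and policy.

```python
import csv
import io
from decimal import Decimal, ROUND_HALF_UP

# Constructed payroll register extract (hypothetical data, not from the text).
# Employee 1002 appears twice and employee 1003's recorded gross is too high.
PAYROLL_CSV = """emp_id,name,hours,rate,recorded_gross
1001,Ada,40.0,50.00,2000.00
1002,Grace,45.0,40.00,1900.00
1003,Linus,38.5,30.00,1255.00
1002,Grace,45.0,40.00,1900.00
1004,Ken,40.0,60.00,2400.00
"""


def expected_gross(hours, rate):
    """Assumed pay rule for this example: straight time up to 40 hours,
    1.5x the rate for hours beyond 40. Decimal avoids float rounding noise."""
    hours, rate = Decimal(hours), Decimal(rate)
    regular = min(hours, Decimal(40))
    overtime = max(hours - Decimal(40), Decimal(0))
    gross = regular * rate + overtime * rate * Decimal("1.5")
    return gross.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def recompute(register_text):
    """Recompute every line, flag overpayments and duplicate employee lines,
    and carry control totals so the auditor can tie back to the ledger."""
    rows = list(csv.DictReader(io.StringIO(register_text)))
    overpayments, duplicates, seen = [], [], set()
    total_recorded = total_recomputed = Decimal("0.00")

    for r in rows:
        # Duplicate check: the same employee paid twice in one period.
        if r["emp_id"] in seen:
            duplicates.append(r["emp_id"])
        seen.add(r["emp_id"])

        expected = expected_gross(r["hours"], r["rate"])
        recorded = Decimal(r["recorded_gross"])
        total_recorded += recorded
        total_recomputed += expected
        # Recomputation: any recorded amount above the rule is an overpayment.
        if recorded > expected:
            overpayments.append((r["emp_id"], r["name"], recorded - expected))

    return {
        "lines": len(rows),
        "overpayments": overpayments,
        "duplicates": duplicates,
        "total_recorded": total_recorded,
        "total_recomputed": total_recomputed,
    }


if __name__ == "__main__":
    result = recompute(PAYROLL_CSV)
    for k, v in result.items():
        print(f"{k}: {v}")
```

Two design points matter in practice: amounts are handled as Decimal so that the recomputed figure can be compared exactly against the recorded one, and the control totals are accumulated alongside the exceptions so that the difference between them reconciles to the flagged lines. Here the totals differ by exactly the single overpayment; the duplicate lines match the rule individually and would only surface through the duplicate check.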

An organization's IS audit charter should specify the role of the IS audit function.

Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient). Sampling risk, the risk of a sample not being representative of the population, is not a distinguishing feature because it exists for both judgment and statistical samples. Statistical sampling does not require the use of generalized audit software. The tolerable error rate must be predetermined for both judgment and statistical sampling.

Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data. They do not order data in any hierarchy. The flow of the data will not necessarily match any hierarchy or data generation order.

Data security policies should be reviewed/refreshed once every year to reflect changes in the organization's environment. Policies are fundamental to the organization's governance structure, and therefore this is the greatest concern.

Mapping identifies specific program logic that has not been tested and analyzes programs during execution to indicate whether program statements have been executed. A snapshot records the flow of designated transactions through logic paths within programs. Tracing and tagging shows the trail of instructions executed during an application. Logging is the activity of recording specific tasks for future review.

SCARF works using predetermined exceptions; the constituents of exceptions have to be defined for the software to trap. GAS is a data analytic tool that does not require preset information. The integrated test facility tests the processing of the data and cannot be used to monitor real-time transactions. Snapshots take pictures of information observed in the execution of program logic.

The process of managing the systems development of application systems is a component of the overall management of IT processes. The overall organizational environment has the most significant impact on the success of application systems implemented. The methodology deployed cannot by itself have a significant impact on the success of the application systems that are implemented. The prototyping application development technique reduces the time to deploy systems primarily by using faster development tools, such as fourth-generation language (4GL) techniques, that allow a user to see a high-level view of the workings of the proposed system within a short period of time. Compliance with applicable external requirements has an impact on implementation success, but the impact is not as significant as that of the overall organizational environment. The software reengineering technique is a process of updating an existing system by extracting and reusing design and program components. This is used to support major changes in the way an organization operates. Its impact on the success of the application systems that are implemented is small compared with the impact of the overall organizational environment.

Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Strategic alignment primarily focuses on ensuring linkage of business and IT plans. Value delivery is about executing the value proposition throughout the delivery cycle. Resource management is about the optimal investment in and proper management of critical IT resources. Transparency is primarily achieved through performance measurement, as it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.

IPSs can prevent network connection to unknown hosts. Encryption of server data will render the data useless, but will not prevent its illegal flow. Updated antivirus software is not always effective in the detection of malware, but IDSs/IPSs are much more likely to detect data leak activity initiated by malware. SSL/TLS will provide confidentiality to data in transit, but will not prevent connection to unauthorized hosts.
PKI is the administrative infrastructure for digital certificates and encryption key pairs. The qualities of an acceptable digital signature are: it is unique to the person using it; it is capable of verification; it is under the sole control of the person using it; and it is linked to data in such a manner that if data are changed, the digital signature is invalidated. PKI meets these tests. DES is a symmetric (private key) cryptographic system, long since obsolete; like any symmetric cipher, it does not address nonrepudiation. A MAC is a cryptographic value calculated over the entire message under a secret key shared by sender and receiver. The sender attaches the MAC before transmission and the receiver recalculates the MAC and compares it to the sent MAC. If the two MACs are not equal, this indicates that the message has been altered during transmission; because the receiver holds the same key and could have produced the MAC itself, it has nothing to do with nonrepudiation. A PIN is a type of password, a secret number assigned to an individual that, in conjunction with some other means of identification, serves to verify the authenticity of the individual.
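The reason a MAC gives integrity but not nonrepudiation is that both ends hold the same key. As an added example (not from the original text), the following Python script, using only the standard-library hmac module with HMAC-SHA256 and a constructed payment message, shows the receiver detecting a tampered message and then producing a perfectly valid MAC over a message the sender never sent. A third party given the key, the message and the tag cannot tell which party computed it, which is exactly what a digital signature made under a private key held by one party alone is able to settle.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the entire message under the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time so timing does not leak the tag."""
    return hmac.compare_digest(mac(key, message), tag)


def demo() -> dict:
    # Constructed scenario: a shared key provisioned to both sender and receiver.
    shared_key = secrets.token_bytes(32)

    # Sender transmits (message, tag).
    message = b"PAY 100.00 TO ACCT 4711"
    tag = mac(shared_key, message)

    # An attacker on the wire alters the amount but cannot fix the tag.
    tampered = b"PAY 900.00 TO ACCT 4711"

    # The receiver, who holds the same key, can mint a valid tag for any
    # message it likes. The pair below is indistinguishable from a genuine one.
    forged = b"PAY 900.00 TO ACCT 9999"
    forged_tag = mac(shared_key, forged)

    return {
        "genuine_verifies": verify(shared_key, message, tag),
        "tampering_detected": not verify(shared_key, tampered, tag),
        "receiver_forgery_verifies": verify(shared_key, forged, forged_tag),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The first two results are the integrity property the text describes. The third is the point about nonrepudiation: a valid MAC proves that someone holding the key produced the message, and in a two-party scheme that is either party. Resolving a dispute requires a key only the originator holds, i.e., a private signing key under PKI.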

To ensure that quality of service requirements are achieved, the VoIP service over the WAN should be protected from packet loss, latency and jitter. To reach this objective, network performance can be managed using statistical techniques such as traffic engineering. The standard bandwidth of an ISDN data link would not provide the quality of service required for corporate VoIP services. WEP is an encryption scheme related to wireless networking. VoIP phones are usually connected to a corporate local area network (LAN) and are not analog.
If the IS auditor executes the data extraction, there is greater assurance that the extraction criteria will not interfere with the required completeness and therefore all required data will be collected. Asking IT to extract the data may expose the risk of filtering out exceptions that should be seen by the auditor. Also, if the IS auditor collects the data, all internal references correlating the various data tables/elements will be understood, and this knowledge may reveal vital elements to the completeness and correctness of the overall audit activity.
